Linuxdoc Linux Questions
Click here to ask our community of linux experts!
Custom Search
Next Previous Contents

3. Configuring Networking

OK, by now you have installed Linux on your gateway computer. You may have even configured one of your networking cards, and set up connectivity to the Internet. However, we are going to start from scratch and pretend that nothing is configured at all.

Log in as root. All the instructions given in this document assume you are logged in as root.

The Linux kernel refers to your two ethernet cards as eth0 and eth1, so that is how I'll be referring to them from now on too. The trouble is, which one is which? Here's a "simple" way of figuring out, guaranteed to work at least 50% of the time: lay your computer on the desk with the motherboard horizontal and the back panel facing you (as you would if you were going to open it and do some work on it). The leftmost card is eth0 -- you might want to label it with some masking tape. Now, write down on a piece of paper the make and model of both eth0 and eth1.

OK, let's see if eth0 and eth1 are recognized automatically by the kernel. Type ifconfig eth0 and ifconfig eth1. In both cases, if the kernel is recognizing your card, you should see something like this (bearing in mind that the numbers and whatnot will be different):

eth0   Link encap: Ethernet   HWaddr 00:60:67:4A:02:0A 
       inet addr:0.0.0.0  Bcast:0.0.0.0  Mask:255.255.255.255
       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       RX packets:466 errors:0 dropped:0 overruns:0 frame:0
       TX packets:448 errors:0 dropped:0 overruns:0 carrier:0
       collisions:85 txqueuelen:100 
       Interrupt:10 Base address:0xe400
 

If the kernel is not recognizing your network card you will see something like this:

eth0: error fetching interface information: Device not found.
 

3.1 Configuring a Network Driver

If both of your cards were found, skip to the next section. Otherwise, read this section.

OK, so one or both of your cards are not recognized by the kernel. This is not a problem, really. What we're going to have to do is tell the kernel more explicitly how to find your cards. There are lots of twists and turns here, and I'm not going to cover all of them. Remember, when the going gets tough, the tough turn to the Ethernet HOWTO. Here's some summary advice:

Now, since you know what the make and model of eth0 and eth1 are you can go to the compatibility page of the Ethernet HOWTO and look up your card. Take note of the recommended driver, and any information about special options your card may require. Write it down.

It's time to edit a configuration file! The file we will be editing is /etc/conf.modules. Open this file up in the text editor of your choice. Because there are so many possibilities and combinations of things which can go in this file, I'm going to give my own gateway as an example. I have a PCI 10/100Mb card based on the VIA Rhine chip, and a plain-jane 10Mb NE2000 ISA clone. I use the 100Mb card for the internal network and the 10Mb card for the external connection. My /etc/conf.modules file looks like this:

alias parport_lowlevel parport_pc 
alias eth0 ne 
options ne io=0x300 irq=10 
alias eth1 via-rhine 
 

My conf.modules file is laid out as follows:

You will want to ensure that you have alias entries in conf.modules for both your cards, and correct options lines for all your ISA cards. You may already have lines in conf.modules for any ethernet cards you configured during installation.

When you have finished editing conf.modules, try ifconfig eth0 and ifconfig eth1 again. You may have to apply some trial and error if you are messing with IO addresses and IRQs without a manufacturers manual.

Two Identical Network Cards

So, you were really really smart, bought two identical network cards for your Linux gateway, and now you cannot get them to work together? Do not worry, getting them to coexist is just a matter of using the correct syntax in /etc/conf.modules. For this example, the addresses and IRQ numbers are made up, and I will assume that you have bought a matched pair of NE2000 clones (a common choice). Your /etc/conf.modules file should look like this:

alias eth0 ne
alias eth1 ne
options ne io=0x330,0x360 irq=7,9 
 

The addressing options are all given on the same line, and the first number for each addressing type is for eth0, the second number for eth1.

3.2 Configuring the Inside Network

The "inside network" is the network which all your home/office machines will talk on. The "outside network" is the big scary internet on the other side of the Linux box. By and large, the inside network will be completely insulated from the outside network by the Linux box, which will operate as a medium strength firewall.

The Network Device

Now that your drivers are working and you can see both eth0 and eth1 in ifconfig it is time to set up the internal home network. I am assuming that you are going to put your internal network on eth1 and your external device on eth0.

Your internal network is going to be a private network and will therefor be on a special network reserved for internal networking: 192.168.1.0. This is a "private Class C network", in case you want to impress your friends.

First we need to make sure networking is turned on. Edit the file /etc/sysconfig/network and make sure the following lines exist:

NETWORKING=yes 
FORWARD_IPV4=yes
 

The first line tells Linux that we want the network devices brought up at boot time. The second line tells Linux to enable IP forwarding. This is required when we start configuring masquerading in Section 4.

Redhat 6.2 Note: In order to properly support IP forwarding and masquerading, Red Hat 6.2 requires changes to the /etc/sysctl.conf file. Make sure the following lines exist and are set to the correct values:

net.ipv4.ip_forward = 1 
net.ipv4.ip_always_defrag = 1 
 

All the network interface settings for Red Hat and Red Hat derivatives are contained in files in the /etc/sysconfig/network-scripts directory. Enter that directory, and create a new file ifcfg-eth1. Put the following into the ifcfg-eth1 file:

DEVICE=eth1 
IPADDR=192.168.1.1 
ONBOOT=yes
 

This code tells the networking scripts to configure eth1 at boot time and to give it a particular IP address. Activate your network with the new settings with the following command: /etc/rc.d/init.d/network restart

The DHCP Server

A DHCP server will automatically configure devices on your internal home network with IP addresses. This is very useful for people with laptops: they can simply plug their machines in and be immediately properly configured. If you do not want a DHCP server on your internal network, just skip to the next section.

First you need to be sure you have the DHCP server installed. Mount your Linux CD and install the dhcp RPM. Now edit the /etc/dhcpd.conf file and put the following (and only the following) in it:

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.2 192.168.1.60;
  default-lease-time 86400;
  max-lease-time 86400;
  option routers 192.168.1.1;
  option ip-forwarding off;
  option broadcast-address 192.168.1.255;
  option subnet-mask 255.255.255.0;
}
 

If you are going to set up your Linux box as a caching domain name server, insert the following option:

option domain-name-servers 192.168.1.1;
 

If you know your outside DNS addresses and you are not going to use the Linux box for DNS, insert the following option, where x.x.x.x and y.y.y.y are IP numbers of the DNS servers:

option domain-name-servers x.x.x.x, y.y.y.y;
 

If you are going to run Samba file sharing on the Linux box for your Windows computers, add the following options to use the Linux box as the default WINS and browsing server:

option netbios-name-servers 192.168.1.1; 
option netbios-dd-server 192.168.1.1; 
option netbios-node-type 8; 
option netbios-scope "";
 

Configuring Samba and WINS is well beyond the scope of this document. If you need some pointers, start with the SMB HOWTO and go on from there.

There are still a few more steps. Next, edit the /etc/rc.d/init.d/dhcpd file and look for the following line:

/sbin/route add -host 255.255.255.255 dev eth1
 

Windows DHCP clients require a particular broadcast address in DHCP responses, and this command forces the Linux TCP/IP stack to produce it. If you cannot find that line in the file, add it. If you do find a line like that one, make sure that the device it references is eth1.

The next step is to alter the /etc/rc.d/init.d/dhcpd file to use eth1 as the default device. Replace the line:

daemon /usr/sbin/dhcpd
 

With:

daemon /usr/sbin/dhcpd eth1
 

OK, now we are ready to start up DHCP. First start the DHCP server with the command: /etc/rc.d/init.d/dhcpd start.

Finally, we have to make sure that the DHCP server will start at re-boot time. Some RPM packages of the DHCP server do not include directives to ensure the server starts every time, so we'll make sure it gets started by invoking the command chkconfig dhcpd on.

This command causes RedHat to add the dhcp startup script to the various runlevel directories under /etc/rc.d. In runlevels 3 and 5 (multiuser console and multiuser X) the DHCP server is started. In runlevels 0, 1 and 6 (shutdown, single user and reboot) the DHCP server is stopped.

The Client Computers

If you have set DHCP up, configuring your client computers is very easy: just enable DHCP configuration. For Windows computers, this involves opening the "Control Panel" and then the "Networking" option. Find the "TCP/IP" protocol and opt to "Configure" it. Check the box that says to "Configure TCP/IP address automatically", apply your changes, and reboot.

Before you reboot, you might want to type the following command: tail -f /var/log/messages. This will watch the Linux system log continuously. If all goes well, when you reboot your Windows computer, you will see it request an IP address and see the DHCP server respond. Control-C exits the tail -f command.

If you have not set up DHCP, configuration is still fairly easy. Again, open the "Networking" option from the "Control Panel", and choose to configure the TCP/IP protocol. You can assign your client computers any address in the 192.168.1.0 network except 192.168.1.0 (the network address), 192.168.1.255 (the broadcast address) or 192.168.1.1 (your Linux server). Never give two computers the same IP address. Set the "Gateway" address to 192.168.1.1, so that outgoing traffic is routed through your Linux gateway.

The IP Masquerading HOWTO has very detailed information on client configuration in the Configuration Section.

In general, to configure a client computer, either enable DHCP configuration, or manually assign it an address in the 192.168.1.X network with a gateway of 192.168.1.1. Let the DNS server be either 192.168.1.1 if you are running a caching DNS server (see below) or point the DNS at the addresses assigned by your network provider.

The DNS Server

Setting up your Linux box as a caching DNS server will (slightly) improve your netsurfing speed, because commonly used DNS addresses will get cached inside your network and not have to be retrieved from the outside.

If you are interesting in doing full blown DNS, there is a great deal of complexity to be learned. There is a DNS HOWTO available, and the book DNS and BIND is a good (and very comprehensive) paper reference.

In order for your client machines to take advantage of the caching server, they must be configured to use the Linux gateway as their primary DNS server. The DHCP directives given in section 3.2.2 are one way to accomplish this. If you are configuring your client computers by hand, you can change the DNS configurations in the same control tabs you used to set the IP address of the machine.

To install the DNS server, first install the bind RPM, then install the caching-nameserver RPM. At this point, you are almost ready.

As installed, the caching server will work fine, but if you know the IP addresses of the internet providers DNS servers you can improve performance slightly by editing the /etc/named.conf file and adding the following line after the directory line (where x.x.x.x and y.y.y.y are the primary and secondary DNS servers):

forwarders { x.x.x.x; y.y.y.y; }; 
 

This change makes your DNS server first query the ISPs DNS servers before traversing the internet in search of a given address. The ISPs servers often have a rich cache of DNS information and can provide a much faster answer than your server could.

The named daemon has had some security problems over the past 12 months, so it is very important that you have the latest version running, and make some changes to the default settings to enhance security.

  1. Check your version of bind and make sure it is at least 8.2.2. Go to the Red Hat Updates or Mandrake Updates sites to check for the latest version.
  2. Restrict access to your name server to just the local network by adding the line allow-query { 192.168.1/24; 127.0.0.1/32; }; to the /etc/named.conf file after the forwarders line.
  3. Avoid running your name server as root. If your server is running as root, an exploit of the server will grant the exploiter root privledges. If you run the server as a powerless user, like nobody, you can lower the risk of a name server exploit. To run your name server as nobody, edit the /etc/rc.d/init.d/named file and change the line daemon named to daemon named -u nobody -g nobody.

Make sure your DNS server will start at boot time: chkconfig named on. Again, this ensures that the server will start in the usual runlevels (3 and 5) at boot time.

OK, now you can start your DNS server: /etc/rc.d/init.d/named start

Testing the Inside Network

Until we configure the outside network, the DNS service will not work (since it has to communicate with other DNS servers on the internet), but we can test out the basic internal connectivity with the ping program.

On one of your client computers, open up a terminal (MSDOS) window, and type ping 192.168.1.1. This will send out packets to your Linux computer at regular intervals, and your Linux computer will reflect the packets back. If things are working right, you should see a set of packet return times.

3.3 Configuring the Outside Network

Now we're ready to configure the outside network. Sometimes this will be difficult, depending on how well your internet provider supports Linux. If you have difficulty, there is an ADSL mini-HOWTO which covers ADSL issues in some detail. If I can find a Cable Modem HOWTO, I will link to it also.

The main problem with most outside connections is getting an IP address. Some internet providers hand out static IP addresses to cable or ADSL subscribers, and in that case configuration is easy. However, most providers have now moved to dynamic configuration via (you guessed it) DHCP. This means that your Linux computer will likely be a DHCP server on your eth1 interface, and a DHCP client on your eth0 interface.

Additionally, many providers have taken to providing their services in specialized non-standard ways which assume their customers will be using Windows. Some of those cases will be discussed at the end of section 3.3.2.

With a Static IP

If your internet provider has assigned you a static IP address, you are sitting pretty. First, create a new interface configuration file, /etc/sysconfig/network-scripts/ifcfg-eth0 and put the following in it:

DEVICE=eth0
IPADDR=x.x.x.x
NETMASK=y.y.y.y
ONBOOT=yes
 

Just fill in x.x.x.x and y.y.y.y with the values given by your internet provider. Now edit the /etc/resolv.conf file and enter the following information:

search provider_domain_here
nameserver n.n.n.n
nameserver m.m.m.m
 

The provider_domain should be supplied by your internet provider. Also enter the primary and secondary DNS servers in the n.n.n.n and m.m.m.m lines. If you have set up the Linux box as a DNS server, you can add a line before the other nameserver entries: nameserver 127.0.0.1. This will make your Linux server use the caching server before asking the outside servers for DNS information.

With DHCP

If your internet provider uses DHCP configuration, you need to create a new interface configuration file, /etc/sysconfig/network-scripts/ifcfg-eth0and put the following in it:

DEVICE=eth0 
BOOTPROTO=dhcp 
ONBOOT=yes
 

Now make sure that the dhcpcd client daemon is installed on your system. Go to your Linux CD and install the dhcpcd RPM package.

It's time to test your new network configuration. Just use the command /etc/rc.d/init.d/network restart. Now test your outside connection with ping. Ping a computer on the internet, like www.yahoo.com and see if anything comes back.

Quirks and Anomalies

Your situation may differ from the very simple situations described above. Here are some short remarks on the various difficulties and links to more authoritative resources and addressing them. Thanks to John Mellor for supplying the links and impetus for adding this section.

PPP Over Ethernet (PPPoE)

Several ADSL providers (Bell Atlantic, for example) are now insisting that their new customers connect to the service using the "PPP over Ethernet" protocol (PPPoE). To this end, they provide a Windows client program: not very useful for Linux users. Fortunately, PPPoE is a simple protocol and several efforts are underway to support it under Linux.

Stupid DHCP Tricks

One of the favorite tricks network providers play is to tie your service to a unique hostname, or even a unique network interface card. This is presumably to keep you from plugging multiple computers into your ethernet port using a hub (of course, by using Linux and Masquerading you're getting the same effect with better security and the cable company has no way of knowing!).

If the provider has given you a hostname and insisted that you set your Windows box with that name in order you use their service, then you'll have to make sure that your Linux box sends in that hostname when requesting an address from the DHCP server.

The Red Hat DHCP client is called when you set the BOOTPROTO to dhcp in the interface configuration file, but it is called without reference to a hostname. To call the program with a hostname, in Red Hat 6.1, edit the /etc/sysconfig/network file, and change the line:

HOSTNAME=

To read this:

HOSTNAME=your_isp_assigned_name

This may not work in some of the Red Hat variants. If it does not work, check the /sbin/ifup script and see if the call to dhcpcd and pump include a -h $HOSTNAME switch. If they do not, add them, so the calls look like /sbin/dhcpcd -i $DEVICE -h $HOSTNAME and /sbin/pump -i $DEVICE -h $HOSTNAME.

Road Runner

The Road Runner cable service has a special login process which must be run before the server can be used. Fortunately, a detailed Linux Road Runner HOWTO is available.

Looking at the Network Entries

Now you can admire your work. Type ifconfig to see all your configured devices. On my gateway computer, it looks like this:

eth0  Link encap:Ethernet  HWaddr 00:60:67:4A:02:0A 
      inet addr:24.65.182.43  Bcast:24.65.182.255  Mask:255.255.255.0 
      UP BROADCAST RUNNING MULTICAST  MTU:1500 Metric:1 
      RX packets:487167 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:467064 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:89 txqueuelen:100 
      Interrupt:10 Base address:0xe400
eth1  Link encap:Ethernet  HWaddr 00:80:C8:D3:30:2C 
      inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0 
      UP BROADCAST RUNNING MULTICAST  MTU:1500 Metric:1 
      RX packets:284112 errors:0 dropped:0 overruns:0 frame:1 
      TX packets:311533 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:37938 txqueuelen:100 
      Interrupt:5 Base address:0xe800
lo    Link encap:Local Loopback 
      inet addr:127.0.0.1  Mask:255.0.0.0 
      UP LOOPBACK RUNNING  MTU:3924  Metric:1 
      RX packets:12598 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:12598 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:0
 

Note that the eth0 interface has a fancy outside IP address, and the eth1 address has a private internal address.

You can look at the network routes by typing the route command. On my gateway computer it looks like this:

  Kernel IP routing table 
  Destination     Gateway      Genmask         Flags Metric Ref Use Iface 
  255.255.255.255 *            255.255.255.255 UH    0      0     0 eth1 
  192.168.1.0     *            255.255.255.0   U     0      0     0 eth1 
  24.65.182.0     *            255.255.255.0   U     0      0     0 eth0 
  127.0.0.0       *            255.0.0.0       U     0      0     0 lo 
  default         24.65.182.1  0.0.0.0         UG    0      0     0 eth0
 

Here we can see the outside network is set up, the inside network is set up, the local device is set up, the special 255.255.255.255 broadcast address is set up, and the default route is set up to point to the internet providers gateway. Perfect!

Now you have the outside, and the inside. All the remains is to open the door between the two. First though, we have to make sure no monsters can get in from the outside.

3.4 Security

One of the drawbacks of being permanently connected to the internet via ADSL or cable is that your computer is exposed to potential security threats 24 hours a day, 7 days a week. Using Linux as a gateway reduces the risks, because it hides all your other computers: as far as the rest of the internet is concerned, only your Linux box is available for connections. This means that your network is only as secure as your Linux box, so at this point I'll give a few basic tips to make your box more secure.

First, you need to shut out all the bad guys. To do this, edit the file /etc/hosts.deny and make sure it looks just like this:

# 
# hosts.deny  This file describes the names of the hosts which are 
#             *not* allowed to use the local INET services, as decided 
#             by the '/usr/sbin/tcpd' server. 
# 
#            The portmap line is redundant, but it is left to remind you that 
#        the new secure portmap uses hosts.deny and hosts.allow. In particular 
#             you should know that NFS uses portmap! 
ALL: ALL 
 

This tells the "TCP wrappers" -- which control 95% of incoming connections -- to deny all connections from all hosts. That's a pretty good rule! But, it will also keep you from connecting to your Linux box from inside your home network, which is annoying, so we will make one exception. Edit the file /etc/hosts.allow and make sure it looks just like this:

# 
# hosts.allow  This file describes the names of the hosts which are 
#              allowed to use the local INET services, as decided 
#              by the '/usr/sbin/tcpd' server. 
# 
ALL: 127.0.0.1 
ALL: 192.168.1.
 

This tells the "TCP wrappers" that they can allow connections to all services from the local device (127.0.0.1) and from your home network (192.168.1.).

You have now locked the monsters outside, with a strong padlock. If you want to put up bars and alarm systems, you will have to be alot more sophisticated. The Security HOWTO is a good place to start if you want to learn more about securing your Linux box.


Next Previous Contents