Linux Router Project Report by Syed Shahzad Ali

Conditions

/home partition of fs1 should be nfs mounted on fs2
Windows workstation should be able to access only the FTP and HTTP services of fs2. It should not be able to access any services of fs1.
Router is a floppy based router.

Preparing the systems
First we will start by installing the system for our project. We need at least 3 systems for the installation. And one systems used just for router box that has two Ethernet card installed. Two systems are required by Linux system and one is used as Windows client.

HUB
Only one hub is required for the whole setup. We used Netgear 10/100 Mbps hub for our project.

Planning

Choose the IP addresses and subnet masks that you want to assign to the system and proper hostname. This is the basic part of your network planning. So here we choose the IP address scheme as shown in the Fig 1.

Windows 9x/2xxx or Windows NT Client

This system is installed by choosing the default installation option the only thing that we take care of is the TCP/IP protocol selection during installation phase and default gateway. The default gateway would be the IP address that is assigned to the one Ethernet interface of router PC on the 156.26.0.0 network. In our case it is 156.26.0.1. and the ip address is 156.26.0.111.

For our project the ip address and gateway was fixed. And we were not allowed to change that because we don’t have administrative previlages. So we have used this in our project.

Linux Router

This is the most important part of the project. We want to make a bootable router floppy. This floppy contains a small linux kernal and a program called lrcfg that handles routing configuration steps. The difficult part was the installation of two ethernet card in a single system. Because due to IRQ conflicts it was necessary to assign different IRQ to two different cards.

Download files

Download the Idiot Image, Ethernet card modules (8390.o, ne.o, pcnet32.o) and the Rawrite2 program to hard disc.
Rename the file name to image.img for convenience.
Get one error free 3.25" 1.44 MB floppy.
Make sure that the floppy is not write-protected.
Format floppy with c:\> format a: /u.
From the hard disc, run the file rawrite2 it will ask you about the source file.
Enter the name of the Image file that was copied into hard disk and then press enter.
Now it will ask about the target drive. Give it A: as target floppy.
Kernel image will be copied to floppy.
Now bootable floppy is ready. It has s small Linux Kernel and Linux Router Project configuration files.
Copy the three ethernet card modules floppy.

Installing the modules

Boot with floppy.
Linux Router Project screen will appear and your system will boot from floppy with linux kernel.
Don’t forget to choose BIOS system option boot from floppy drive.
After boot process login prompts appear and we just type "root" there.
This will enter us into the lrcfg (Linux Router Configuration) program.
Quit lrcfg program by typing "q".
Create the directory /mnt/floppy if it does not exist
# mkdir /mnt/floppy
Now mount a msdos floppy drive using
# mount –t msdos /dev/fd0 /mnt/floppy
Copy all the three module files from /mnt/floppy to /lib/modules
# cp /mnt/floppy/*.o /lib/modules
Unmount the floppy drive by typing the command

# umount /dev/fd0

Run lrcfg program
Back up the modules by choosing "e" option. Now your configuration file will be saved from RAM Disk to the floppy drive in proper order.
Reboot the system now.

Activating the module from LRP floppy

Boot with floppy again.

In the lrcfg program , at the menu, go to package settings -> modules -> modules.
Add three modules by uncommenting (deleting the # sign) before modules names.

Uncomment ne module as "ne io=0x300" to allow ne to use IO port 300. These module file (/etc/modules) will start the module when your reload. The line appears as follows

ne io=0x300,0x350

and will be changed to

ne io=0x300

and other lines appear as follows.

Pcnet32

8390

Don’t try to give pcnet32.o.
Press "ALT-S, ENTER" to save the configuration.

Back up again by pressing "e" option.
Reboot the system again.

Enabling the interface from LRP floppy

Boot from floopy again.
At the prompt enter root as the user name. It won’t ask you about the password and you will be entered into the lrcfg program again.
From lrcfg menu go to Network settings, then IP, ipfwadm,firewall option. Uncomment the ethernet interface/interfaces you are using. Now back up the disk, reboot the system. This can also be done by editing the etc/init.d/network.sh file.
You can assing the IP addresses and subnet masks by uncommenting the appropriate lines.
Check the ehternet interfaces by running the command

# ifconfig –a

If eh0 and eth1 interfaces are shown in result then it means that they are up and running. Check both interfaces by pinging them from the local machine as well as from the client machine(s).

network.sh file

Some important parts of the network.sh file is shown here.

#Uncomment an interface, and an ifconfig will be performed, and the net added.

#Change the interface name if needed (ethX, wanX, fddiX, etc)

IF0=eth0

IPADDR0=10.1.1.1 ; NETMASK0=255.0.0.0

BROADCAST0=10.255.255.255 ; NETWORK0=10.0.0.0

IF1=eth1

IPADDR1=156.26.0.1 ; NETMASK1=255.255.0.0

BROADCAST1=156.26.255.255 ; NETWORK1=156.26.0.0

#IF2=wan0

IPADDR2=192.168.3.1 ; NETMASK2=255.255.255.0

BROADCAST2=192.168.3.255 ; NETWORK2=192.168.3.0

Enabling Firewall

To enable the firewall option according to the network design we issue following command

# ipfwadm -fI

# ipfwadm –I –a accept –P tcp –D 10.0.0.1 –S 156.26.0.111 21

# ipfwadm –I –a accept –P tcp –D 10.0.0.1 –S 156.26.0.111 80

# ipfwadm –I –a deny –S 156.26.0.111

Debugging steps
We tried changing different ethernet cards and frequently used
# ifconfig –a
command during router installation. The other command we used was
# insmod [module_name]
Above command is important when you don’t want to reboot your system again and again and want to add modules at command line and want to see its result.
The other thing to see is the file, "interrupt" present in /proc/ directory. This file show the interrupt assigned to different devices.
To assign ip address at command promt we also used another command frequently
# ifconfig eth0 10.1.1.1 netmask 255.0.0.0
# ifup eth0 fs1 NFS Server

For the installation of this Linux machine we used Red Hat Linux 6.0 so all commands and directory option during whole of this document is based on the Red Hat Linux 6.0 distribution. Its worth while to mention this fact because different distribution of Linux comes with the slight different directory schemes and changes in command’s parameters.
During the installation phase choose NFS services to be included

Installation
host file configuration in /etc directory

edit host file using vi editor and enter following lines
10.0.0.10 fs1
10.0.0.1 fs2

exports file configuration in /etc directory

Similarly edit the exports file on fs1 and add the following entries.

/home fs2 (rw)

This shows that FS1 ( NFS Server) allows client fs2 to mount its /home partition. And (rw) shows that the partition can be read or written by clients.

host.allow file configuration in /etc directory

In host.allow file we enter following values.

mountd: ALL

portmap: ALL

We can also give the specific ip address of the client if we want to allow only certain client to access the nfs partition /home. But here we are allowing all client to mount the file system. Starting and stopping nfs daemon

After making any changes to the files mentioned in the above section always stop and then restart the nfs services. So that the new settings must take affect.
# /etc/rc.d/init.d/nfs stop
# /etc/rc.d/init.d/nfs start fs2 Cleint NFS System

Installation is normal linux installation
Enable Apache Web Server and Anonymous FTP server during installation phase
Configuration hosts file present in /etc directory

edit host file using vi editor and enter following lines

10.0.0.10	fs1
10.0.0.1        fs2

Mount /home directory on client system

First create a directory for mounting /home partition if it is not created, by using command

# mkdir /mnt/local
To mount the /home partition from the server issue the following command

#mount –t nfs fs1:/home /mnt/local

Now the /home file system is mounted on the /mnt/local mount point on client side.
You can check by listing its contents

#cd /mnt/local
#ls –al

It shows the contents of the /home partition. It means it is properly mounted. Now any file can also be deleted or read from this partition because it is mounted as Read-Write option in /etc/exports file.

add entry in fstab file

fs1:/home 	/mnt/local	nfs	defaults	1 2

Where the mount type is nfs, 1 is the frequency utilized by dump command, and 2 is the fsck ( file system check order).

This entry will always mount the /home file system during boot phase of the system. So we don’t need to issue the mount command again and again.

FTP Server

No extra configuration is required for anonymous FTP server. Choose anonymous FTP server option during installation as discussed above. FTP is started through a daemon inetd. FTP server access files are present in ./etc directory. By putting any user created on linux system in ftp.access file prevent that user form loggin into the system. We can also customize the welcome message a user get when he logs into the system by changing in messages file.

Web Server

Apache is the web server comes with Red hat Linux 6.0. Normally it is installed during standard linux installation. To check if web server is already running or not we issue the command

# ps –aux | grep httpd
  We can also check the server using the command
# lynx localhost

Lynx is a text based browser.

We can also start the httpd process by using setup command and then enable httpd service by putting an "*" infront of it. Web server process is handled by httpd ( HTTP Deamon). This daemon must be running in order to start web server. Web server by default runs on port 80. This configuration may be changed by altering web server’s configuration files that are present in the following directory.

/etc/httpd
The files are present by the names

Httpd.conf

Change the Server Name variable in the file to the domain name that we are using. And choose web server as standalone. User name and group is nobody for our setup and it is also recommended for security reasons.

Srm.conf

For our project we altered few lines just to run web server. We can control too many things.

Mount /home directory on client system

First create a directory for mounting /home partition if it is not created, by using command

# mkdir /mnt/local

To mount the /home partition from the server issue the following command

#mount –t nfs fs1:/home /mnt/local

Now the /home file system is mounted on the /mnt/local mount point on client side.

You can check by listing its contents

#cd /mnt/local

# ls –al

Most frequently used commands/Utilities

grep

Linuxconf
Netconf
Rpm (Red Hat Package Manager)
Find
Ps
Rpcinfo –p

ipfwadm –lI
ipfwadm –O –I deny
ipfwadm –If

Most frequently seen processes

ps –aux | grep nfsd
ps –aux | grep ftpd
ps –aux | grep httpd

Difficulty level

This report is written for a begginer who has atleast installed Linux 2 times and has used some of linux commands like ls, cat , more and grep.

Notes for the installing linux

This report doesn’t cover the one by one installation steps and disccuses the installation steps where necessary.
Don’t try to run X Windows system and any other utilitites related to the X windows system. For instance Gnom or After Steps etc. As a rule of thumb don’t install anything that start with letter "x" or "X".
X Windows system installation just takes extra time, extra hard disk space and burden for our project. This is not necessary for this project at all.
Atleast choose 500 MB for root ( / ) partition.
Swap partition should at least equal to the physical RAM in the system.

For example If you have 64 MB of RAM then choose a swap partition size of 64 MB.

Use fdisk utility to partition

Appendix – A network.sh file
#!/bin/sh

# Some quick bourne shell basics for you novices -

# Everything after a hash mark (#) on the same line, is a comment and is ignored

# You can seperate commands with a semi-colon (;) instead of a new line

# Set a variable like this: VAR="hello"

# Access a variable like this: echo $VAR

# A backslash(s) (\) followed by a newline(s) (return) is used as one full line

# echo \

# "hel\

# lo"

# is treated as:

# echo "hello"

# This: [ "$VAR" ] &&

# Means: test ( [ ] ) this variable ($VAR). If it is true ( && ) do this.

# This: [ ! "$VAR" ] &&

# Means: test false ( [!] ) this variable ($VAR). If it is true ( && ) do this.

# This: command &&

# Means: if command exited without errors (true) do this.

# These can be chained for sequential truth. (&& == boolean AND)

###############################################################################

# All network and routing settings are placed in this file #

###############################################################################

sleep 1

echo -n "Starting network: "

#Uncomment and a default route will be added.

#GATEWAY=192.168.1.1

#Uncomment an interface, and an ifconfig will be performed, and the net added.

#Change the interface name if needed (ethX, wanX, fddiX, etc)

IF0=eth0

IPADDR0=10.1.1.1 ; NETMASK0=255.0.0.0

BROADCAST0=10.255.255.255 ; NETWORK0=10.0.0.0

IF1=eth1

IPADDR1=156.26.0.1 ; NETMASK1=255.255.0.0

BROADCAST1=156.26.255.255 ; NETWORK1=156.26.0.0

#IF2=wan0

IPADDR2=192.168.3.1 ; NETMASK2=255.255.255.0

BROADCAST2=192.168.3.255 ; NETWORK2=192.168.3.0

#IF3=fddi0

IPADDR3=192.168.4.1 ; NETMASK3=255.255.255.0

BROADCAST3=192.168.4.255 ; NETWORK3=192.168.4.0

###############################################################################

#localhost interface configuration - always needed, don't touch!

###############################################################################

ifconfig lo 127.0.0.1 && echo -n "lo " #

route add -net 127.0.0.0 #

###############################################################################

#Interface configuration - You probably don't need to change this.

###############################################################################

[ "$IF0" ] && \

ifconfig $IF0 $IPADDR0 netmask $NETMASK0 broadcast $BROADCAST0 \

&& echo -n "$IF0 "

[ "$IF1" ] && \

ifconfig $IF1 $IPADDR1 netmask $NETMASK1 broadcast $BROADCAST1 \

&& echo -n "$IF1 "

[ "$IF2" ] && \

ifconfig $IF2 $IPADDR2 netmask $NETMASK2 broadcast $BROADCAST2 \

&& echo -n "$IF2 "

[ "$IF3" ] && \

ifconfig $IF3 $IPADDR1 netmask $NETMASK3 broadcast $BROADCAST3 \

&& echo -n "$IF3 "

echo

###############################################################################

# Static Network Routes - Add or modify as needed.

###############################################################################

[ "$IF0" ] && route add -net $NETWORK0

[ "$IF1" ] && route add -net $NETWORK1

[ "$IF2" ] && route add -net $NETWORK2

[ "$IF3" ] && route add -net $NETWORK3

#[ "$IF1" ] && \

#route add -net 208.192.3.192 netmask 255.255.255.192 gw $IPADDR3 metric 1

###############################################################################

# Static Host Routes - Add or modify as needed

###############################################################################

#[ "$IF1" ] && route add -host 208.192.5.1 gw $IPADDR1 metric 1

###############################################################################

# Default Route - You probably don't need to change this.

###############################################################################

[ "$GATEWAY" ] && route add default gw $GATEWAY metric 1

###############################################################################

# Place firewall commands, etc down here. Don't run daemons like routed. #

# Those are run from /etc/init.d/netstd_init #

# Also make sure to check out /etc/init.d/netbase (inetd, portmap) #

###############################################################################

#######################################################################

# Firewall rules

#######################################################################

#Flush all Forward, Input, Output, and Accting rules

#ipfwadm -F -f; ipfwadm -I -f; ipfwadm -O -f; ipfwadm -A -f

ipfwadm -I -f

ipfwadm -I -a accept -P tcp -S 156.26.0.111/32 -D 10.0.0.1/32 21

ipfwadm -I -a accept -P tcp -S 156.26.0.111/32 -D 10.0.0.1/32 80

ipfwadm -I -a deny -S 156.26.0.111/32

#Deny all forwarding - for direct unfirewalled routing comment this out

#ipfwadm -F -p deny

#######################################################################

# IP Masquerade (aka NAT)

#######################################################################

#Typical settings

#[ "$IF1" ] && ipfwadm -F -a m -S "$NETWORK1"/24 -D 0.0.0.0/0

#[ "$IF2" ] && ipfwadm -F -a m -S "$NETWORK2"/24 -D 0.0.0.0/0

#[ "$IF3" ] && ipfwadm -F -a m -S "$NETWORK3"/24 -D 0.0.0.0/0

#######################################################################

# IP Redirection

#######################################################################

#This example will forward any Quake connections to an IP Masq'ed machine

#ipautofw -A -r tcp 26000 26999 -h 192.168.5.80

#ipautofw -A -r udp 26000 26999 -h 192.168.5.80

#######################################################################

# IP Spoof protection #

#######################################################################

echo -n "Setting up IP spoofing protection: "

#echo -n "127.0.0.0/8 "

#[ "$IF0" ] && ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W $IF0 -D 0/0

#[ "$IF1" ] && ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W $IF1 -D 0/0

#[ "$IF2" ] && ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W $IF2 -D 0/0

#[ "$IF3" ] && ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W $IF3 -D 0/0

#You may wish to make these more extensive, or comment some out

#[ "$IF0" ] && ipfwadm -I -i deny -o -P all -S $IPADDR0 -W $IF0 -D 0/0 \

&& echo -n "$IPADDR0 "

#[ "$IF1" ] && ipfwadm -I -i deny -o -P all -S $IPADDR1 -W $IF1 -D 0/0 \

&& echo -n "$IPADDR1 "

#[ "$IF2" ] && ipfwadm -I -i deny -o -P all -S $IPADDR2 -W $IF2 -D 0/0 \

&& echo -n "$IPADDR2 "

#[ "$IF3" ] && ipfwadm -I -i deny -o -P all -S $IPADDR3 -W $IF3 -D 0/0 \

&& echo -n "$IPADDR3 "

echo

#######################################################################

# Additional Commands - Have fun! #

#######################################################################

#arp -i eth0 -Ds ip1 eth0 pub

Appendix – B

LINUX INSTALLATION

We have used CD-ROM based installation methods in our project.

The installation program makes several different kinds of diagnostic messages available to you.

Choosing a Language

Selecting a Keyboard Type

Selecting an Installation Method

Upgrading or Installing

Installation Class

Creating Partitions for Red Hat Linux

Using fdisk

Initializing Swap Space

Formatting Partitions

Selecting Components

Network Installations

Field

Example Value

IP Address

10.0.2.15

Netmask

255.255.255.0

Default Gateway

10.0.2.254

Primary Nameserver

10.0.2.1

Domain Name

redhat.com

Hostname

pooh.redhat.com

Configuring a Mouse

Configuring Networking

Configuring the Time Zone

Selecting Services for Start on Reboot

Setting a Root Password

Authentication Configuration

Enable NIS -- allows you to run a group of computers in the same Network Information Service domain with a

common password and group file. There are two options here to choose from:

NIS Domain -- this option allows you to specify which domain or group of computers your system will belong

to.

NIS Server -- this option causes your computer to use a specific NIS server, rather than ``broadcasting'' a

message to the local area network asking for any available server to host your system.

Enable Shadow Passwords -- provides a very secure method of retaining passwords for you. The /etc/psswd file is

replaced by /etc/shadow which is only readable by root.

MD5 Passwordallows a long password to be used up to 256 characters, instead of the standard eight letters or less.

Creating a Boot Diskette

Installing LILO

Selecting Bootable Partitions

Finishing Up.