Using ADSL with RedHat 5.2 as a Proxy

Ingredients:

• Fresh install of RedHat 5.2 with the updates
• 2.0.36 kernel and its source
• IPFWADM from xos
• Two functioning NICs
• Working knowledge of how to recompile the kernel

After installing the two NICs in your RedHat box, you need to bring up both interfaces. The following pic is a configuration of my two interfaces:

Configuring the NICs

The first thing to check is that both of the devices are working correctly. eth1 is real easy. It gets its address via DHCP from Tranquility ISP. Remember, if you attach your ADSL device directly into your outside world interface, which in our case is eth1, you must use a cross-over cable. eth0 is a little more complicated. I found the easiest way to configure these devices is through linuxconf, but I did it all using ifconfig. You first need to set the IP of the interface to a non-routable address. 192.168.1.254 was the obvious choice. The network is 192.168.1.0, the broadcast is 192.168.1.255, and finally the subnet mask is 255.255.255.0. Once you have both interfaces up and working, make sure they can ping each other. Remember the 192 network is non-routable, which basically means that routers on the Internet will drop 192 packets like a bad habit. So to make a 192 packet reach the outside world, they must be 'masqueraded'. This is where ipfwadm comes into play. After installing it, you just need to type a few commands and the masquerading will begin. First, you need to set up the kernel to support this whole business.

Configuring the Kernel

There are infinite possibilities for what kernel options you may want to add, but there certain network options that I chose for my configuration that are needed for the firewalling and masquerading to work properly. It works fine for me, so here we go:

• Network firewalls
• IP: forwarding/gatewaying
• IP: firewalling
• IP: masquerading
• IP: transparent proxy support
• IP: always defragment

These are to be compiled as part of the kernel, not modules. Also, remember these may not all be necessary, and these are not all the network options I have in my kernel, just the ones that pertain to firewalling and masquerading.

Configuring IPFWADM

This is really easy. You only need to run these two commands:

ipfwadm -F -p deny

ipfwadm -F -a -m -S 192.168.1.0/24 -D 0.0.0.0/0

I don't profess to be a wizard on how the masquerading works, but here are the basics. The easiest way to explain is by a chart, so here you go:

For more extensive information on IPFWADM, check out xos. Now that you have the masquerading setup, test it out. I first ran eth0 into an uplink port in my hub. Then I plugged my laptop into the hub and configured the NIC. I set the IP address to 192.168.1.3, the netmask to 255.255.255.0. For DNS, I used Tranquility's NOC server. Once that machine is up and running, try pinging it from your linux machine. Then try to ping the outside world from that machine. One thing to remember is some port requests don't like to masquerade. One of particular importance is FTP. When you compile your kernel for IP forwarding, modules will be created in /lib/modules/ipv4/ that will solve this problem. Don't forget about this. The first thing I tried when I got the masquerading working was to download a huge file via FTP. Until I read up on this, I was pulling my hair out.

DHCP Option

One of my machines is a laptop that I take to and from work everyday. At work, I use the campus DHCP server and when I would bring my machine home, I found myself reconfiguring my networking everytime. This become annoying quickly. So I decided to run DHCP over eth0. Here's how I did it: On campus we are currently using ISC's implementation of DHCPd. So I went to their site and downloaded DHCP. Compiling and installing it was a snap. Configuring and starting it up was almost as easy. I first had to customize the dhcpd.conf file, which is the following:

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.3 192.168.1.253;
  option broadcast-address 192.168.1.255;
  default-lease-time 1000; max-lease-time 9600;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 206.156.230.1, 206.156.230.2;
  option routers 192.168.1.254;
}

The execution of the daemon is really easy:

There are a lot more options for DHCPd, but I didn't want to go into all of them. One problem that I ran into was a glitch with how Windows clients handle DHCP requests and offers. After looking through the README, I found it was necessary for me to run the following:

Before adding this route, my win98 machine was unable to obtain addresses. Now it's a snap.

Final Tips

• There are lots of ways to do this, so you should experiment. There are also a ton of FAQs on the net for this.
• I added IPFWADM and DHCPd stuff to my rc.local to make sure everything starts if I need to remotely reboot my machine.
• Don't forget about the oddball packets that don't masquerade without assistance. You might also want to add those modules to you rc.local file for convenience.

Back to Home!