I've finally updated it. The 0.3 version was based on the 2.4.7 kernel. I've now used a 2.4.17 kernel. The PPP over ATM patch is now incorporated into the kernel. Other changes are iptables 1.2.4 compiled as a single executable. ReiserFS has been ditched in favour of ext3 for any extra filesystems (the root fs is also ext3, but still mounted read-only).
Introduction

This is my attempt at a pre-packaged firewall/gateway based on Linux and the Alcatel Speedtouch USB modem (the weird bluey-green thing). This will allow you to connect a home LAN through to an ADSL internet connection.
Network card driver modules included
Installation

You need 3 floppy disks for the install. You should probably format them first. They are just normal 1.44MB format floppies. If you have a Linux box with 'superformat' you can do this:
superformat /dev/fd0 hd sect=18

Download and extract the following tar.gz file:
dd if=disk1.bin of=/dev/fd0 bs=1k
dd if=disk2.bin of=/dev/fd0 bs=1k
dd if=disk3.bin of=/dev/fd0 bs=1k

(swap in a fresh floppy before each dd). If you're doing this from Windows then you should get Rawrite for Windows, available here.
Label the disks 1, 2 and 3.
Insert disk 1 into your soon-to-be-firewall and boot it up. Disk one is a linux boot/root disk, so you should see an initial LILO prompt, a long pause while it loads the kernel ... then loads the compressed ramdisk contents. Eventually you should get a prompt asking you to press ENTER to login.
At the '#' prompt type 'setup'. This now goes through all the setup steps and prompts you as appropriate. Here are the main steps:
Operation

Boot up the PC. If you're using a serial console, make sure you have an appropriate serial terminal (or PC running a terminal program) plugged in. The usual settings are hardware handshaking, 8 bits, no parity and whatever baud rate you set.
The screen output can be messy, but hopefully you should get something like:
Waiting for ADSL negotiation
Starting Stingray Modem.
Waiting to sense USB attachment .
usb_control/bulk_msg: timeout
usbdevfs: USBDEVFS_BULK failed dev 2 ep 0x85 len 512 ret -110
.
(none) login: ..............

The USB errors appear to be OK. I just always get them. The string of dots is printed as the PC waits for the modem initialisation message. This can take minutes, so be patient. The next thing you should see is:
Terminated
Starting pppd
PPP is up

Don't worry about the 'Terminated'. It's supposed to happen. Now you should be able to press ENTER and get a login prompt. Login and try pinging some known address (eg. ping yahoo.com). It should work. DNS server information is automatically retrieved from the ppp connection.
In order to use a PC on your internal LAN, you'll need to specify a default gateway (on the PC) that corresponds to the LAN card on the firewall PC. You also need to specify the DNS servers. To find these out from the firewall PC, just login to it (using ssh) and
There is a default firewall config script that is run during boot. It is not reconfigured based on the IP address info you entered (maybe in the next version). So unless you set up your internal network like mine, you probably won't get far. Basically, my setup is to have 3 network cards on addresses 10.0.0.5, 10.0.1.5 and 10.0.2.5 (all with netmask 255.255.255.0). Each card just has a crossover cable going to a PC. The firewall script will allow most traffic from these 3 subnets to go out via the ADSL connection. The important variable assignments in the /etc/rcFirewall script are all at the top of the script.
Firewall Boot Sequence

This is the first time I've used Busybox's init to start up a system. Its syntax is different and the way it works is slightly odd too ... but it gets there in the end. Here's the typical inittab:
::sysinit:/etc/rcS
::once:/opt/ssh/sbin/sshd
::once:/etc/rcStartStingray
::once:/etc/rcADSL
::respawn:/sbin/agetty 38400 tty1 linux

There are no run levels. The first thing that gets run is the 'sysinit' part. This performs the bulk of the startup. Next would be the 'wait' items, but I don't have any, and then the 'once' items. The 'once' items are launched asynchronously (ie. Busybox's init doesn't wait for them to complete). And lastly, to get a console login, there's a respawn item that launches an agetty.
/etc/rcS

This performs the following:

/opt/ssh/sbin/sshd

Originally, sshd was launched from rcS. The problem with this is that as soon as the rcS script finishes, it kills any child processes (ie. sshd). The way to get around this is to launch sshd directly from init using a 'once' line.

/etc/rcStartStingray
If you've read the other Howto's you'll know that the typical command sequence to kick the SpeedTouch into life is:

insmod speedtch
speedmgmt &

I've put the insmod into the main kernel module load routine, so that just leaves running speedmgmt. This turned out to not be a trivial task. Because you are meant to launch speedmgmt in the background (ie. it cannot fork by itself), it stays attached to the controlling terminal. I tried putting it in the main rcS routine, but as soon as rcS finished, speedmgmt would die because the script would exit. By putting this script as a 'once' item in init, it is launched asynchronously and can potentially run forever. So basically we just exec speedmgmt, so that it replaces the ash shell that launched it and is left running forever. We do have to do one other thing before launching it though: make sure the 'USB plugin' event for the modem has been registered. Even though the USB modules are all loaded in rcS, there seems to be a delay before the SpeedTouch device is actually sensed as plugged in. If speedmgmt is started before the 'USB plugin' event then it gracefully dies. Most people use the 'hotplug' system to get around this. I just look at /proc/bus/usb/devices and grep for 'speedtouch'. If it's not there I go to sleep for a second and try again.
/etc/rcADSL

This is also a 'once' script as it needs to be launched around the same time as the rcStartStingray script. When speedmgmt starts (in rcStartStingray) it will talk to the modem and the LEDs will flash for some time while the ADSL link is negotiated. Eventually it will finish and say something like:

Modem initialised at 2208 kbit/s downstream and 800 kbit/s upstream

This gets written into /var/adm/messages. There is no point starting pppd until we get this message, so rcADSL just looks at the messages going into /var/adm/messages and waits for the 'Modem initialised' string. Once it's got it, it starts pppd. This should now quickly connect and we have a connection.
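The two waits above (rcStartStingray polling for the USB plug-in, rcADSL polling the log for the sync message) are the same loop with different inputs. Here is an added example that folds both into one script; it is not StingLin's own rcStartStingray or rcADSL. It adds two things the page's loops do not have: a timeout, so a modem that never shows up or a link that never syncs is reported rather than waited on forever, and a line-count mark so a 'Modem initialised' line left over from an earlier boot cannot satisfy the wait. It assumes the 2.4 usbdevfs device list is at /proc/bus/usb/devices, that syslog writes /var/adm/messages as on the page, and that speedmgmt and pppd are on the PATH; the function and script names are my own.

```shell
#!/bin/sh
# Added example (not StingLin's own rcStartStingray or rcADSL): both boot-time
# waits as one poll loop with a timeout, so a modem that never appears or an
# ADSL link that never syncs fails loudly instead of spinning forever.
# Assumptions: the 2.4 usbdevfs device list is at /proc/bus/usb/devices, syslog
# writes /var/adm/messages (as on the page), and speedmgmt and pppd are on PATH.

# wait_for_match FILE PATTERN TIMEOUT [INTERVAL] [SKIP_LINES]
# Re-read FILE every INTERVAL seconds (default 1) until a line after the first
# SKIP_LINES lines (default 0) matches PATTERN, case-insensitively. Returns 0 on
# a match, 1 once TIMEOUT seconds have passed with no match (a missing or
# unreadable FILE simply never matches).
wait_for_match() {
    file="$1"; pattern="$2"; timeout="$3"; interval="${4:-1}"; skip="${5:-0}"
    waited=0
    while :; do
        if [ -r "$file" ] && tail -n +"$((skip + 1))" "$file" | grep -qi -- "$pattern"; then
            return 0
        fi
        [ "$waited" -lt "$timeout" ] || break
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "$0: gave up after ${timeout}s waiting for '$pattern' in $file" >&2
    return 1
}

# Number of lines already in a log, so a match from a previous boot is ignored.
# Harmless on StingLin's ramdisk /var, essential if /var ever becomes persistent.
log_lines() {
    if [ -r "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# rcStartStingray equivalent: wait for the USB plug-in event, then become
# speedmgmt (exec replaces the shell, so init's 'once' entry leaves it running).
start_stingray() {
    wait_for_match /proc/bus/usb/devices speedtouch 60 || return 1
    exec speedmgmt
}

# rcADSL equivalent: wait for the line speedmgmt logs once the link has synced,
# polling every 5 s for up to 5 minutes (sync really can take minutes), then pppd.
start_adsl() {
    already=$(log_lines /var/adm/messages)
    wait_for_match /var/adm/messages "Modem initialised" 300 5 "$already" || return 1
    exec pppd
}

case "${1:-}" in
    stingray) start_stingray ;;
    adsl)     start_adsl ;;
esac
```

With this in place the two inittab 'once' lines would call the same script with stingray and adsl respectively; a non-zero exit from either is visible on the console instead of a silent hang, which is worth having on a box that is meant to be switched on and forgotten.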
The getty

The last line in inittab is to start up a getty, either on the normal virtual console or on a serial line.

But there's more
The last major thing init does is to start up pppd. pppd should connect within seconds and will automatically run the ip-up script in /etc/ppp. ip-up then calls /etc/rcFirewall script. This script sets up some simple firewall rules involving doing MASQUERADING from the internal LAN cards onto the ADSL connection.
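Below is an added example of what an rcFirewall for the three-card layout described earlier could look like. It is not StingLin's own /etc/rcFirewall, which this page does not reproduce; the interface names eth0, eth1, eth2 and ppp0 are assumptions, the 10.0.x.0/24 subnets are the ones from the page, and the rest is a hypothetical policy to review before use. It is deliberately tighter than "allow most traffic out": deny by default on INPUT and FORWARD, anti-spoofing drops placed ahead of every ACCEPT (a LAN source address can never legitimately arrive on the ADSL side), and nothing accepted from ppp0 except replies, so sshd and mini_httpd stay reachable from the LAN only until you add a rule.

```shell
#!/bin/sh
# Added example of an rcFirewall-style script for the three-card StingLin
# layout. This is not StingLin's own /etc/rcFirewall; it assumes the LAN cards
# are eth0/eth1/eth2 and that pppd brings the ADSL link up as ppp0 (both are
# assumptions). The 10.0.x.0/24 subnets come from the page; the policy itself
# is hypothetical and should be reviewed before use.
#
# Usage:  rcFirewall show    # print the rules (touches nothing)
#         rcFirewall apply   # load them (as root, e.g. from /etc/ppp/ip-up)

EXT_IF="ppp0"
# interface:subnet pairs, one per LAN card
LAN="eth0:10.0.0.0/24 eth1:10.0.1.0/24 eth2:10.0.2.0/24"
IPT="iptables"

# Emit the rule set, one iptables command per line, so it can be read or
# diffed before it is loaded into the kernel.
gen_rules() {
    # Clean slate, deny by default for anything addressed to or through the box.
    echo "$IPT -F"
    echo "$IPT -t nat -F"
    echo "$IPT -X"
    echo "$IPT -t nat -X"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # Anti-spoofing first: a packet on the ADSL side can never legitimately
    # carry a LAN source address, so drop it before any ACCEPT rule sees it.
    for pair in $LAN; do
        net="${pair#*:}"
        echo "$IPT -A INPUT -i $EXT_IF -s $net -j DROP"
        echo "$IPT -A FORWARD -i $EXT_IF -s $net -j DROP"
    done
    # Replies to connections the firewall or the LAN opened (needs ip_conntrack
    # and the state match, built in or loaded as modules).
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Each card: its own subnet may reach the firewall's services (sshd,
    # mini_httpd) and go out via ADSL. Nothing new is accepted from ppp0, so
    # those services are not exposed to the internet unless a rule is added.
    for pair in $LAN; do
        ifc="${pair%%:*}"
        net="${pair#*:}"
        echo "$IPT -A INPUT -i $ifc -s $net -j ACCEPT"
        echo "$IPT -A FORWARD -i $ifc -o $EXT_IF -s $net -j ACCEPT"
    done
    # Hide the LAN behind whatever address the ADSL link was given.
    echo "$IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
}

# Load the rules; also turn on forwarding and the kernel's own reverse-path
# source-address check as a second line of defence against spoofing.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
    gen_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  gen_rules ;;
esac
```

Keeping the rule list in a function that only prints is what makes the policy reviewable: rcFirewall show on the console shows exactly what will be loaded, and apply pipes the same text through sh -e so the first iptables error stops the load rather than leaving a half-built ruleset behind an ACCEPT-by-default policy.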
Setting up a Web Server

You may have noted that mini_httpd is included with StingLin. The idea is that you can utilise some of your spare disk space (you didn't use up the whole disk for StingLin's partition, did you?) for web server content. Unlike the root fs, which is permanently read-only, the web server content file system will need to be read/write (technically it doesn't have to be, but it's a lot more flexible). Now, because the system was designed so you could just turn it off without any shutdown procedure, the web server filesystem needs to be recoverable after an unclean shutdown. Previously I used reiserfs, but now that ext3 is getting more mainstream I'm using it. It seems a lot simpler, recovers quickly (unlike reiserfs) and doesn't require that enormous mkreiserfs binary.
Here's what you might do:
mke2fs -j /dev/hda4
mount -t ext3 /dev/hda4 /mnt
cd /mnt
mini_httpd -r

Now to mount it at boot time, you could just put the following in /etc/rcS:
mount -t ext3 /dev/hda4 /mnt

If you want to do this mount in the background (just in case it does take a long time), then create an /etc/rcHttp startup script and launch it asynchronously.
Change /etc/inittab so that it looks like:
::sysinit:/etc/rcS
::once:/etc/rcHttp
::once:/opt/ssh/sbin/sshd
::once:/etc/rcStartStingray
::once:/etc/rcADSL

Now create the /etc/rcHttp file as:
#!/bin/ash
# Only start the server if the content partition actually mounted; otherwise
# mini_httpd would end up serving an empty mount point (or the root fs).
mount -t ext3 /dev/hda4 /mnt || exit 1
cd /mnt || exit 1
exec /sbin/mini_httpd

And make sure it's executable (ie. chmod 700 /etc/rcHttp).
So now when the box starts up it will begin the motions of connecting to your ISP, but at the same time it will be trying to mount your ext3 partition. If you're lucky, the mount will have completed and mini_httpd will have started by the time the ISP connection is made.
pablo, 2002-11-18 11:22:42