StingLin Alcatel SpeedTouch USB Firewall for Linux

News

25.10.2002 v0.6
Now running on a 2.4.19 kernel. I've ditched the official Alcatel driver as I think Benoit Papillault's driver works better. OpenSSH is now at v3.4p1. I'm now using rudimentary hotplugging to detect the modem. There's a real cron daemon. I'm using a normal SysV init instead of busybox's init. There's also support to mount a USB disk drive (in my case a Sony camera's memory stick).

If you want to look at the old docs for the old version based on the Alcatel driver, then go here.

12.1.2002 v0.4
I've finally updated it. The 0.3 version was based on the 2.4.7 kernel. I've now used a 2.4.17 kernel. The PPP over ATM patch is now incorporated into the kernel. Other changes: iptables 1.2.4 compiled as a single executable. ReiserFS has been ditched in favour of ext3 for any extra filesystems (the root fs is also ext3, but still mounted read-only).

Introduction

This is my attempt at a pre-packaged firewall/gateway based on Linux and the Alcatel SpeedTouch USB modem (the weird bluey-green thing). It will allow you to connect a home LAN through to an ADSL internet connection.

Requirements

  • A system with USB ports. This generally means anything from a Pentium 1 generation machine up. I'm using a Pentium 166 with 128MB of RAM. This is overkill. I used to use a P75 with a PCI USB card (as it had no built-in USB ports).
  • An IDE hard disk with at least 12MB of free disk space.
  • An Alcatel SpeedTouch USB modem.
  • At least one LAN card.
  • Probably 16MB of RAM minimum, though I haven't tried it with 8MB.
  • A floppy drive to install from. You could potentially borrow one from another PC, as you won't need it after the install.

Features

  • Allows multiple PCs to connect to the internet.
  • Works like an appliance. Turn the PC on, it boots up and automatically connects to your provider. Turn it off when you're finished with it. No need for fancy shutdown procedures.
  • Utilises an old junky PC
  • Can utilise a few different cheap LAN cards, so the box acts like a 'sort of hub'. This is what I do. I'm too cheap to buy a hub, so all the machines on the home LAN have cross-over cables directly plugged into the gateway machine.
  • Can login via a serial console.
  • Can login via SSH.
  • Contains a minimal set of firewall rules.
  • ext3 support is included if you want to have a web server or general dump area mounted that you need to survive power off/on events.

Software Included

Network card driver modules included

  • 3c59x/3c90x Vortex/Boomerang
  • 3c509 EtherLink III
  • SMC-Ultra
  • SMC WD80*3
  • NE2000 PCI
  • NE2000 ISA
  • AMD PCNet32 PCI
  • CS89x0
  • Davicom DM910x/DM980x
  • EtherExpressPro/100
  • Realtek RTL 8139 10/100

Installation

You need 3 floppy disks for the install. You should probably format them first. They are just normal 1.44MB format floppies. If you have a Linux box with 'superformat' you can do this:
   superformat /dev/fd0 hd sect=18
Download and extract the following tar.gz file; it contains 3 raw disk images. If you have a Unix/Linux system you can create the floppies with:
   dd if=disk1.bin of=/dev/fd0 bs=1k
   dd if=disk2.bin of=/dev/fd0 bs=1k
   dd if=disk3.bin of=/dev/fd0 bs=1k
If you're doing this from Windows then you should get Rawrite for Windows, available here.

Label the disks 1, 2 and 3.
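The dd commands above write each image but never check that the floppy actually took it, and a bad sector on an old disk usually only shows up when setup fails part way through disk 2 or 3. The script below is an added example (not part of the StingLin install docs or its disk images): it writes an image exactly as shown above, then reads the disk back and compares checksums. It assumes a 1.44MB floppy (1474560 bytes) and the dd, cksum and head that busybox or any Linux install provides.

```shell
#!/bin/sh
# Added example, not StingLin's own tooling: write a raw floppy image with dd
# as the install text does, then read it back and compare a checksum so a
# silently bad floppy is caught before the install.
# Assumes a 1.44MB floppy (1474560 bytes). Usage: write_and_verify disk1.bin /dev/fd0

FLOPPY_BYTES=1474560

write_and_verify() {
    image="$1"
    device="$2"
    size=$(wc -c < "$image" | tr -d ' ')
    if [ "$size" -gt "$FLOPPY_BYTES" ]; then
        echo "$image: $size bytes does not fit a 1.44MB floppy" >&2
        return 2
    fi
    # Same write as the install text, just with the device as a parameter.
    dd if="$image" of="$device" bs=1k 2>/dev/null || return 2
    sync
    # Read back exactly as many bytes as were written; the rest of the disk
    # still holds whatever was on it before and must not enter the checksum.
    blocks=$(( (size + 1023) / 1024 ))
    want=$(cksum < "$image")
    got=$(dd if="$device" bs=1k count="$blocks" 2>/dev/null | head -c "$size" | cksum)
    if [ "$want" = "$got" ]; then
        echo "$image: written and verified ($size bytes)"
        return 0
    fi
    echo "$image: read-back does not match the image, write it again" >&2
    return 1
}

# Write all three images in turn, pausing for a disk change between them.
write_all() {
    for n in 1 2 3; do
        printf 'Insert a blank floppy for disk %s and press ENTER: ' "$n"
        read -r _
        write_and_verify "disk$n.bin" /dev/fd0 || return $?
    done
}
```

Run write_all from the directory holding disk1.bin to disk3.bin; a non-zero exit from write_and_verify means that disk should be rewritten (or replaced) before you go on to the next one.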

Insert disk 1 into your soon-to-be-firewall and boot it up. Disk 1 is a Linux boot/root disk, so you should see an initial LILO prompt, a long pause while it loads the kernel, and then it loads the compressed ramdisk contents. Eventually you should get a prompt asking you to press ENTER to log in. You can safely ignore the errors about not being able to write to tty5.

At the '#' prompt type 'setup'. This goes through all the setup steps and prompts you as appropriate. Here are the main steps:

  • Run fdisk. You need to set up one partition on /dev/hda that is at least 12MB in size and is of type 'Linux native' (fdisk will create any new partitions as this type). If you want, you can also set up a Linux swap partition. Swap is purely optional. You should only really have a swap partition if you intend to add some memory-hungry software to the firewall later on. Make sure you 'w'rite the partition table before you exit. You may have to make the Linux partition the 'a'ctive boot partition.
  • Copy the kernel, libc and mke2fs off disk 1 (i.e. don't eject disk 1 yet).
  • Put in disk 2 when prompted.
  • Put in disk 3 when prompted.
  • Fix /etc/fstab so your root partition is named correctly.
  • Set up LILO. If you want a serial console you should say so here. You can specify what baud rate to use for your serial console. The default is 38400. Other possibilities are 9600, 19200, 57600 and 115200.
  • Generate ssh host keys. You can skip this step as it can take a minute or so on slower machines, but then you won't be able to log in via SSH.
  • Set the root password.
  • Enable simple status messages to go to an attached LCD display. This uses the lcdtext program. Have a look here. I chose it over other LCD programs since it will talk to the LCD using 4-bit mode.
  • Add multiple network cards. You now get a nice-ish menu. Just keep on selecting cards until you are (d)one.
  • Set up PPP login information. You'll need to enter your ADSL login and password for your provider as well as your VCI.VPI pair.
  • Eject any floppies and reboot.

Operation

Boot up the PC. If you're using a serial console, make sure you have an appropriate serial terminal (or PC running a terminal program) plugged in. The usual settings are hardware handshaking/8 bits/no parity and whatever baud rate you set.

The screen output can be messy, but hopefully you should get something like:

   Waiting for ADSL negotiation
   Starting Stingray Modem.
   Waiting to sense USB attachment
                                  .usb_control/bulk_msg: timeout
   usbdevfs: USBDEVFS_BULK failed dev 2 ep 0x85 len 512 ret -110
   .
   (none) login:

The USB errors appear to be OK. I just always get them. This is followed by:

   PPP up

It's supposed to happen. Now you should be able to press ENTER and get a login prompt. Log in and try pinging some known address (e.g. ping yahoo.com). It should work. DNS server information is automatically retrieved from the PPP connection.

In order to use a PC on your internal LAN, you'll need to specify a default gateway (on the PC) that corresponds to the LAN card on the firewall PC. You also need to specify the DNS servers. To find these out from the firewall PC, just login to it (using ssh) and cat /etc/resolv.conf.

There is a default firewall config script that is run during boot. It is not reconfigured based on the IP address info you entered (maybe in the next version). So unless you set up your internal network like mine, you probably won't get far. Basically, my setup is to have 3 network cards on addresses 10.0.0.5, 10.0.1.5 and 10.0.2.5 (all with netmask 255.255.255.0). Each card just has a crossover cable going to a PC. The firewall script will allow most traffic from these 3 subnets to go out via the ADSL connection. The important variable assignments in the /etc/rcFirewall script are all at the top of the script.

Firewall Boot Sequence

I'm now using a SysV init which simplifies things enormously. Here is what you'll probably have in /etc/inittab:

   # Default runlevel. (Do not set to 0 or 6)
   id:3:initdefault:
   # System initialization (runs when system boots).
   si:S:sysinit:/etc/rcS
   # Script to run when going multi user.
   rc:2345:wait:/etc/rcM
   #c1:1235:respawn:/sbin/agetty 38400 tty1 linux
   #c2:1235:respawn:/sbin/agetty 38400 tty2 linux
   c1:1235:respawn:/sbin/agetty 38400 tty1 linux

Basically /etc/rcS runs first and then /etc/rcM. Neither of these initialises the modem. It's all managed from /sbin/hotplug.

/etc/rcS

This performs the following:
  • Mounts the 512K ramdisk on /var and then sets up the directory structure within it (things like /var/tmp, /var/adm etc.). It also creates /var/ppp, which /etc/ppp symlinks to. /etc/ppp-master (on the hard disk) is then copied into /var/ppp so that the pppd config files are present when pppd eventually starts.
  • Starts klogd and syslogd (the Busybox ones), which log just about everything to /var/adm/messages.
  • Mounts /proc and /dev/pts.
  • Loads the main device modules.
  • Configures the network interfaces.

/etc/rcM

This just starts the OpenSSH server and the cron daemon.

/sbin/hotplug

It just checks for an 'add' event and checks that the product id matches the one for an Alcatel Stingray modem. If it does, it runs /etc/rcInsertStingray.

/etc/rcInsertStingray

This is pretty simple. modem_run loads the modem firmware and waits for the ADSL line to initialise. Then pppd starts up the PPP link.
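The hotplug agent is the one place where a plugged-in device can cause the box to run a script, so its check needs to be an exact match rather than "some USB device appeared". What follows is an added example of that decision, not StingLin's own /sbin/hotplug. It assumes the 2.4 kernel's convention of invoking /sbin/hotplug with the subsystem ("usb") as the first argument and ACTION and PRODUCT in the environment, where PRODUCT is vendor/product/bcdDevice in lowercase hex without leading zeros. The SpeedTouch id used (vendor 06b9, product 4061) is assumed from memory; confirm yours in /proc/bus/usb/devices before relying on it. The script path is the one the text gives.

```shell
#!/bin/sh
# Added example, not StingLin's own /sbin/hotplug: decide whether a USB
# hotplug event is the modem being attached, and only then run the insert
# script. Assumes the 2.4-kernel calling convention (argv[1] = subsystem,
# ACTION and PRODUCT in the environment, PRODUCT = "vendor/product/bcdDevice"
# in lowercase hex without leading zeros).

MODEM_VENDOR="6b9"                      # assumed: Alcatel
MODEM_PRODUCT="4061"                    # assumed: SpeedTouch USB
INSERT_SCRIPT="/etc/rcInsertStingray"   # path as given in the text

# Print "run" when an add event is for the modem and "ignore" otherwise.
# Only an exact vendor and product match counts, so any other device (the
# text mentions a camera's memory stick) never starts modem_run.
decide() {
    action="$1"
    product="$2"
    if [ "$action" != "add" ]; then
        echo ignore
        return 0
    fi
    vendor_id=${product%%/*}        # text before the first slash
    rest=${product#*/}              # everything after the first slash
    product_id=${rest%%/*}          # text before the next slash
    if [ "$vendor_id" = "$MODEM_VENDOR" ] && [ "$product_id" = "$MODEM_PRODUCT" ]; then
        echo run
    else
        echo ignore
    fi
    return 0
}

# Entry point when the kernel invokes this script as "/sbin/hotplug usb".
# Every decision is logged, so an unexpected device shows up in the syslog
# that rcS sends to /var/adm/messages.
if [ "$1" = "usb" ]; then
    if [ "$(decide "$ACTION" "$PRODUCT")" = "run" ]; then
        logger -t hotplug "SpeedTouch attached ($PRODUCT), running $INSERT_SCRIPT"
        exec "$INSERT_SCRIPT"
    else
        logger -t hotplug "ignoring usb $ACTION for ${PRODUCT:-unknown product}"
    fi
fi
```

Keeping the match exact (and ignoring remove events entirely) means that attaching the USB disk drive mentioned in the news entry, or any other device, does nothing more than leave a line in the log.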

But there's more

The last major thing init does is to start up pppd. pppd should connect within seconds and will automatically run the ip-up script in /etc/ppp. ip-up then calls the /etc/rcFirewall script. This script sets up some simple firewall rules, MASQUERADING traffic from the internal LAN cards onto the ADSL connection.
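The text describes /etc/rcFirewall only in outline (masquerade the three 10.0.x.0/24 subnets out over the ADSL link) and the Notes below say the rules are just a starting point. The script here is an added example of the ruleset a practitioner would want as that starting point; it is not StingLin's own /etc/rcFirewall. It assumes iptables 1.2.x syntax on a 2.4 kernel with the state match available, the three subnets named in the Operation section, ppp0 as the ADSL interface and sshd on port 22. By default it only prints the commands so they can be reviewed; run it with APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not StingLin's own /etc/rcFirewall: a minimal masquerading
# ruleset of the kind the text describes, for iptables 1.2.x on a 2.4 kernel.
# Assumptions: the three LAN subnets from the text, ppp0 as the ADSL link and
# sshd on port 22. Prints the rules by default; APPLY=1 executes them.

LAN_NETS="10.0.0.0/24 10.0.1.0/24 10.0.2.0/24"   # subnets from the text
WAN_IF="ppp0"                                     # assumed ADSL interface

gen_rules() {
    # Start from a clean table with inbound and forwarded traffic denied.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Let replies to connections opened from the firewall or the LAN back in.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $LAN_NETS; do
        # Packets arriving from the ADSL side with a LAN source address are
        # spoofed; drop them before any accept rule for that subnet can match.
        echo "iptables -A INPUT -i $WAN_IF -s $net -j DROP"
        echo "iptables -A FORWARD -i $WAN_IF -s $net -j DROP"
        # LAN hosts may ssh to and ping the firewall, and go out via ADSL.
        echo "iptables -A INPUT -s $net -p tcp --dport 22 -j ACCEPT"
        echo "iptables -A INPUT -s $net -p icmp -j ACCEPT"
        echo "iptables -A FORWARD -s $net -o $WAN_IF -j ACCEPT"
        # Rewrite the source to the ADSL address on the way out.
        echo "iptables -t nat -A POSTROUTING -s $net -o $WAN_IF -j MASQUERADE"
    done
    # Nothing is forwarded until the kernel is told to route.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Number of iptables commands that would be installed, for a sanity check.
rule_count() {
    gen_rules | grep -c '^iptables'
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Because nothing listens for the ADSL side other than replies to established connections, the sshd started by /etc/rcM is reachable only from the LAN subnets; if you add mini_httpd as described below, it stays LAN-only until you add an explicit INPUT rule for it.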

Setting up a Web Server

You may have noted that mini_httpd is included with StingLin. The idea is that you can utilise some of your spare disk space (you didn't use up the whole disk for StingLin's partition, did you?) for web server content. Unlike the root fs, which is permanently read-only, the web server content filesystem will need to be read/write (technically it doesn't have to be, but it's a lot more flexible). Now, because the system was designed so you could just turn it off without shutdown procedures, the web server filesystem needs to be recoverable after an unclean shutdown. Previously I used reiserfs, but now that ext3 is getting more mainstream I'm using it. It seems a lot simpler, recovers quickly (unlike reiserfs) and doesn't require that enormous mkreiserfs binary.

During the installation procedure for StingLin it asks if you want to set up another partition. If you didn't, here's what you might do:

   mke2fs -j /dev/hda4
   mount -t ext3 /dev/hda4 /mnt
   cd /mnt
   mini_httpd -r
Now to mount it at boot time, you could just put the following in /etc/rcS:
   mount -t ext3 /dev/hda4 /mnt
Edit /etc/rcM and add the lines to start the web server after crond:
   /sbin/crond
   # Start mini_httpd
   cd /mnt
   /sbin/mini_httpd -r

Notes

  • The root partition is mounted read-only. If you need to make changes to any files you will need to log in as root and remount the root fs read/write, make the changes, then remount it read-only:
       e.g.  mount -o remount,rw /
             vi /etc/hosts
             mount -o remount,ro /
    
  • When you first try to login using ssh it may hang for a long time. It's trying to do a reverse lookup on the machine that you're connecting from. If you don't want the delay then add the name and ip of your ssh client system into /etc/hosts:
       10.0.0.99    mypc
    
    For that matter, you should probably add in names and IPs for each LAN card you have on the system.
  • The firewall rules in /etc/rcFirewall are only meant as a starting point. I suggest you search the web for more information and amend the rules as appropriate. In fact you may have problems connecting anywhere until you change them.

pablo, 2002-11-17 09:45:32