Connecting Your Legal Office to the Internet For Only $4.95
A seminar by Jeremy Malcolm for WASCAL presented on 9 June 1999
Introduction to Linux
Linux is the most popular (although not the first) of a number of free Unix-like operating systems. Its development began in 1991 when Linus Torvalds wrote the first Linux kernel as a student at the University of Helsinki. He modelled it on Unix, which had been developed in the early 1970s but was most commonly used on larger computers, whereas Linux was designed for PCs. The kernel was paired with a suite of free utilities, mostly written by the Free Software Foundation or released under its free software licence (the GNU General Public License). Linux now runs behind a large and growing share of the Web sites on the Internet, and it is making its way into legal offices as well.
Some of the benefits of Unix and its derivatives over Windows - apart from the zero price and the open source code - are that they are more robust, efficient, customisable, scalable and secure. The main disadvantages are that they are less ubiquitous and harder to master. However, they are rapidly becoming more user-friendly as their user base widens; the graphical desktop environments GNOME and KDE made their debut only within the past year.
There are a variety of different "distributions" of Linux available, some free and some proprietary. The most popular distribution is Red Hat, because of the commercial support included in the price of its boxed product. However this seminar will concentrate on the Debian distribution of Linux, which is an entirely free distribution and is preferred to Red Hat by many experienced Linux users. I think it is also easier to use than Red Hat for the task that is the subject of this seminar.
Unix filesystem and commands
Unlike a DOS or Windows system, the directory tree of a Unix system is pretty much the same from one system to another. The main top-level directories are:
bin    essential commands used by everyone (ls, cp, mv and so on)
sbin   system administration commands, mostly for root (fsck, ifconfig, route); together with bin roughly analogous to C:\DOS on a DOS PC
home   users' home directories, where they keep their files
etc    configuration files (analogous to Windows .ini files)
usr    mainly program files (analogous to Win95's \Program Files)
proc   a "virtual" filesystem showing system statistics, the state of the kernel, etc.
lib    dynamically linked libraries (analogous to \windows\system)
tmp    temporary files
var    files that vary in size as the system runs: logs, mail and print spools
dev    device files (analogous to lpt1 or com1 under DOS)
If the system has more than one hard disk, these directories can be on any hard disk you want. Unlike on a DOS or Windows system, there is only one unified file system, although the files may be spread over multiple hard disks (or even multiple computers). Every user of a Unix system has a username and belongs to one or more groups, and every file on the system has separate read, write and execute permissions for its owner, for its group and for everyone else. Unlike DOS attributes, which apply to everybody alike, any combination of "read", "write" and "execute" can therefore be granted to different users.
Here are some other differences between common DOS and Unix commands:
DOS            Unix
ren or rename  mv
copy           cp
del            rm
dir            ls (or "ls -l" for long format)
attrib         chmod
chkdsk         fsck
type           cat
find           grep
edit           vi (or "editor" under Debian)
However many other commands are the same or similar (eg. cd, rmdir, mkdir, more, echo, file redirection and pipe commands and symbols). DOS was, after all, largely inspired by Unix. A couple of the more immediately noticeable differences are that in Unix capitalisation matters and directories are referred to with forward / rather than backslashes \.
Network hardware
Ethernet is the standard networking hardware in most offices. If your cabling ends in RJ45 connectors (which look like oversized phone jacks) you have a 10BaseT ethernet network, and every network device plugs into a hub. If it ends in BNC connectors (bayonet plugs, joined to each card through a T-piece) you have a 10Base2 network: the devices are simply chained together along a single coaxial cable with a terminator at each end.
If using an old ethernet card for Linux try to get an NE2000-compatible (the most common type available), otherwise there may be some guesswork involved in figuring out what chipset your network card actually uses. If using a newer plug-and-play card you shouldn’t have any problems.
Many types of network protocols can be used over the physical networking hardware including TCP/IP, NetBEUI, Appletalk and IPX. More than one protocol can be used at once, so it doesn't matter what your network is currently using.
TCP/IP Networking
TCP/IP is the name used for the family of networking protocols that the Internet runs on. The Internet Protocol (IP) is the underlying protocol that gets individual packets from one host to another, and for most purposes the Transmission Control Protocol (TCP) sits on top of it to turn those packets into a reliable connection.
Every device on a TCP/IP network has an IP address. Strictly, IP addresses belong to network interfaces rather than to hosts: your server will have one address attached to the modem and another attached to the network card. The modem's address belongs to the ISP's network and is assigned by the ISP; the ethernet card's address belongs to your local network and is chosen by you. For the local network you use a range reserved for private networks: 192.168.0.0 to 192.168.255.255 (a block the size of a class B network, made up of 256 class C networks) is set aside for this purpose by the Internet standards and is never routed on the Internet. We will use 192.168.1.0 to 192.168.1.255 as our class C range.
During setup you will be asked for an IP address, a base address and a netmask. The netmask says which bits of an address identify the network and which identify the host, and so how many addresses the network contains: each octet holds 256 values, so a class C network with the netmask 255.255.255.0 has 256 addresses, of which 254 are usable (the first, the base or network address, and the last, the broadcast address, are reserved). Mathematically the base address is obtained by combining the IP address and the netmask with a "bitwise and" (wherever the netmask has a 1 bit the address bit is kept, wherever it has a 0 bit the result is 0). However the setup program will provide sensible defaults for you.
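The netmask arithmetic above, worked through in Python 3 as an added example (this is not code from the seminar notes). It does the "bitwise and" by hand rather than calling a library, so that the relationship between the netmask, the base address, the broadcast address and the "/24" notation used later for the masquerading rules is visible. The only input it uses is the seminar's own 192.168.1.x network; the RFC 1918 private ranges are the three blocks reserved for networks like this one.

```python
# Added worked example (not from the seminar notes): the netmask arithmetic
# described above, done by hand in Python 3 so the "bitwise and" is visible.
# Addresses used below are the seminar's own 192.168.1.x network.

PRIVATE_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))  # RFC 1918


def ip_to_int(dotted):
    """'192.168.1.1' -> 0xC0A80101, rejecting anything that is not four octets 0..255."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % (dotted,))
    n = 0
    for o in octets:
        n = (n << 8) | int(o)
    return n


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """24 -> '255.255.255.0'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(netmask):
    """'255.255.255.0' -> 24. A real netmask is a run of 1-bits followed by 0-bits;
    anything else (255.0.255.0) is a typo and is rejected rather than guessed at."""
    m = ip_to_int(netmask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("netmask bits are not contiguous: %s" % netmask)
    return prefix


def describe_network(ip, netmask):
    """Base (network) address, broadcast address and host count for ip/netmask."""
    a, m = ip_to_int(ip), ip_to_int(netmask)
    prefix = mask_to_prefix(netmask)
    base = a & m                          # the "bitwise and" from the text
    broadcast = base | (~m & 0xFFFFFFFF)  # all host bits set
    size = 1 << (32 - prefix)
    usable = size - 2 if prefix <= 30 else size   # base and broadcast are reserved
    return {
        "base": int_to_ip(base),
        "broadcast": int_to_ip(broadcast),
        "prefix": prefix,
        "addresses": size,
        "usable_hosts": usable,
    }


def is_private(ip):
    """True if ip lies in one of the RFC 1918 ranges, i.e. it may be used on the LAN
    behind the masquerading server but will never be routed on the Internet."""
    a = ip_to_int(ip)
    for base, prefix in PRIVATE_RANGES:
        mask = ip_to_int(prefix_to_mask(prefix))
        if a & mask == ip_to_int(base):
            return True
    return False


if __name__ == "__main__":
    print(describe_network("192.168.1.1", "255.255.255.0"))
    print("netmask 255.255.255.0 is written as /%d" % mask_to_prefix("255.255.255.0"))
    print("192.168.1.10 private?", is_private("192.168.1.10"))
```

Running it on the seminar's defaults gives a base address of 192.168.1.0, a broadcast address of 192.168.1.255 and 254 usable host addresses, which is why the setup program's defaults of 192.168.1.1 / 255.255.255.0 / 192.168.1.255 are correct.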
IP Masquerading
You can only access the Internet if you have an IP address on its network. But IP addresses are a scarce commodity, and if you have only an ordinary dial-up Internet connection your ISP will be unlikely to be willing to assign you any. Worse, the single Internet IP address you do receive from your ISP is typically different every time you dial up.
The problem with having only one IP address from your ISP is how the different computers on your network can be told apart. IP Masquerading solves this by rewriting the source of every request so that it appears to come from the server's own Internet address, and by choosing a different source port for each connection so that the replies can be told apart. For example (the numbers are illustrative), a request from a workstation at 192.168.1.10, port 1025, to a Web server's port 80 leaves the modem as coming from the server's ISP-assigned address, port 61001, say; when the reply comes back addressed to port 61001 the server looks that port up in its masquerading table and rewrites the destination back to 192.168.1.10, port 1025. Linux assigns these ports dynamically, so they bear no relation to the ports the workstations chose.
This is all transparent: unlike comparable Windows-based solutions, the workstations on your network need no special configuration beyond a default gateway and a DNS server, and in particular no proxy server settings. Debian has an "ipmasq" package that configures IP Masquerading for you, but it is just as easy to do it yourself as explained below.
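To make the port-rewriting concrete, here is a deliberately simplified model of the masquerading table, written as an added example for this handout (it is not kernel code and not part of the seminar). The external address 203.56.15.77, the remote Web server 198.51.100.5 and the workstation ports are made up; the port range is an assumption based on the 2.x kernels drawing masquerade ports from 61000 upwards. It also shows the side effect that makes masquerading a crude firewall: a packet arriving from the Internet that no workstation asked for matches nothing in the table and is dropped.

```python
# Added illustration, not from the seminar: a simplified model of the
# masquerading table the Linux kernel keeps. All addresses and ports below are
# constructed for the example; the 61000..65095 range is an assumption.


class Masquerader:
    """Rewrites packets leaving on ppp0 so they carry the server's own ISP-assigned
    address and a port of the server's choosing, and reverses the rewrite on the
    replies. Anything arriving that no workstation asked for is dropped."""

    def __init__(self, external_ip, first_port=61000, last_port=65095):
        self.external_ip = external_ip
        self.next_port = first_port
        self.last_port = last_port
        self.by_masq_port = {}  # masq port -> (lan ip, lan port, remote ip, remote port)
        self.by_flow = {}       # (lan ip, lan port, remote ip, remote port) -> masq port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from a workstation heading for the Internet. Returns the rewritten
        (src ip, src port, dst ip, dst port) as it will appear on the ISP's network."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        masq_port = self.by_flow.get(flow)
        if masq_port is None:                       # first packet of a new connection
            if self.next_port > self.last_port:
                raise RuntimeError("masquerade port range exhausted")
            masq_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = masq_port
            self.by_masq_port[masq_port] = flow
        return (self.external_ip, masq_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on ppp0. Returns the packet rewritten for the LAN, or None
        if it must be dropped because it belongs to no masqueraded connection."""
        if dst_ip != self.external_ip:
            return None
        flow = self.by_masq_port.get(dst_port)
        if flow is None:
            return None                             # unsolicited: nobody on the LAN asked
        lan_ip, lan_port, remote_ip, remote_port = flow
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                             # right port, wrong correspondent
        return (src_ip, src_port, lan_ip, lan_port)


if __name__ == "__main__":
    masq = Masquerader("203.56.15.77")
    print("out:", masq.outbound("192.168.1.10", 1025, "198.51.100.5", 80))
    print("in: ", masq.inbound("198.51.100.5", 80, "203.56.15.77", 61000))
    print("unsolicited:", masq.inbound("198.51.100.5", 80, "203.56.15.77", 61500))
```

Two workstations using the same local port get different masquerade ports, which is the whole point; a reply to a port that was never handed out, or from a host other than the one the workstation contacted, is returned as None, which is what "dropped" means here. The real kernel additionally times entries out and needs helper modules for protocols such as ftp that open extra connections (see the kernel compilation notes later in this handout).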
Installation
It is said that a chicken can install Debian, because most of the process is just tapping the "Y" key. The most complicated part is configuring the kernel modules. Go to "ipv4 - Internet Protocol Drivers" and select the ip_masq_* modules. Under "net" select ppp and slhc (serial line header compression) and the driver for your ethernet card, and under "misc" select serial.
You are asked "Do you have a network?" - answer "yes". The domain name can be made up unless you intend to register one; the IP address defaults to 192.168.1.1, the netmask to 255.255.255.0 and the broadcast address to 192.168.1.255, all of which are correct. Do you have a gateway - "no" (the ISP's dial-up server will become your gateway whenever the modem is connected). Do you have a DNS - "yes", and you must give the IP addresses of the ISP's name servers (or the server can later run its own caching name server, which stores the answers it gets from the ISP).
Then comes the base system install. This requires 5 disks or a CD, although more creative methods are available for the adventurous. Then packages: none of which are required, but recommended options are "Standard", "Server_std", or "Custom", wherein you can choose "Dialup", "Internet tools" (Net_comp or Net_sel) and "Network administration" (Netadm). Although none of these are required, you might need "C" if you want to recompile the kernel for IP Masquerading (which you don't need to do under Debian).
Or just skip to dselect and choose only what you need. pppconfig is in the base package already, but a mail server is always handy (if you don't have a static IP address you can use UUCP mail with your ISP's cooperation), as is Samba for Windows integration. Thousands of other packages are available.
PPP dial-up
Simple PPP authentication used to be done by typing a username and password at a terminal login prompt and then starting the PPP program manually. More recently PAP and CHAP have come into use. The authentication protocol is agreed during the link's LCP negotiation; PAP then sends the username and password across the link in the clear, whereas with CHAP the server issues a random challenge and the client answers with a hash of the challenge and the password, so the password itself never crosses the line (and either end can challenge the other). CHAP is nonetheless less commonly offered by ISPs, because not all Windows dial-up clients support standard CHAP, so PAP remains the norm.
To set up your ISP run pppconfig and then check /etc/chatscripts, /etc/ppp/peers/provider and /etc/ppp/pap-secrets to see what it came up with. Also note /etc/resolv.conf, where your DNS servers have already been added. Because /etc/ppp/pap-secrets holds your ISP password in plain text, check that it is readable only by root ("ls -l" should show -rw-------, which is how Debian installs it). Then just type "pon" (or "pon providername" if you have set up more than one provider) and it dials up.
The only extra packages you might want are Masqdialer or diald, which let you (and the workstations) bring the dial-up connection up and down. Alternatively, kernel 2.2 supports demand dialling (the ppp option "demand" in /etc/ppp/peers/provider), but this requires a static IP address, and in that case "persist" would normally be enough to keep the connection up 24 hours a day. Renaming /etc/ppp/no_ppp_on_boot to /etc/ppp/ppp_on_boot brings ppp up when the machine boots.
ipfwadm or ipchains
ipfwadm stands for IP firewall administration, and firewalling is its other main use. It looks at every IP packet that comes into, goes out of or passes through the machine and deals with it according to rules you set up. It maintains separate sets of rules for:
- -A accounting
- -F forwarding (packets passing through the machine from one interface to another; this is where masquerading happens)
- -I incoming (packets addressed to the machine itself)
- -O outgoing (packets originating from the machine itself)
To use it for IP Masquerading you need IP forwarding support compiled into the kernel (which it is in Debian by default), and you need forwarding switched on, which means making sure the file /proc/sys/net/ipv4/ip_forward contains the number "1". Under kernel 2.0 it already does, but kernel 2.2 starts with it set to "0", so on 2.2 you must write a "1" into it (echo 1 > /proc/sys/net/ipv4/ip_forward) before any masquerading rule will have an effect; put that command in the same script as the rules.
To add masquerading to the IP forwarding rules, enter:
- ipfwadm -F -p deny
- ipfwadm -F -a accept -m -S 192.168.1.0/24
The first line sets the default policy for forwarded packets to deny, so nothing is forwarded unless a rule allows it. In the second, -a means append a rule (-d deletes one, -i inserts one at the top); accept is the rule's policy (the alternatives are deny, which silently drops the packet, and reject, which drops it and sends an error message back); -m makes the accepted packets masqueraded; and -S gives the source address range the rule applies to, which must be the network the workstations actually use, here 192.168.1.0 as set up above. You could also add -D for a destination range (implied above is -D 0.0.0.0/0, meaning anywhere) and restrict by protocol and port, which is useful for firewalling. The "24" is the number of leading 1 bits in the netmask, so it means the same as 255.255.255.0; if your netmask is different you can write the dotted netmask after the / instead of working out the number of bits. Bear in mind that forwarding rules say nothing about traffic addressed to the server itself: any services running on the server (mail, Samba, telnet) remain reachable from the ISP's side of the modem unless you add -I rules to block them on ppp0.
The ipchains version of the above for 2.2+ kernels (the default kernel for Red Hat 6.0, but not for 5.2 and not for any version of Debian up to 2.1) is:
- ipchains -P forward DENY
- ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
You can create a script with these lines in /etc/rc.boot/, or (easier) append them to /etc/init.d/network. (Or to start and stop masquerading depending on whether the modem is connected, create scripts in /etc/ppp/ip-up.d (-down.d) or append to /etc/ppp/ip-up (-down)).
On your network workstations
On your Windows computers, make sure that the TCP/IP protocol is installed under "Network" in Control Panel. On a Macintosh you should have either MacTCP or Open Transport installed. You must then set up the IP address, netmask, gateway and DNS server for each computer: the gateway will be 192.168.1.1 (the Linux server) and the netmask 255.255.255.0; the IP address will be different for each workstation (192.168.1.2, 192.168.1.3 and so on), and the DNS servers are the same ones you gave the Linux server (or the server itself, if it runs a caching name server).
Install the Masqdialer client if you want the workstations to bring the dial-up connection up and down: grab it from http://w3.cpwright.com/win95nt-mclient. The server must be installed via dselect (there are packaged versions in the most recent Debian releases, slink and potato, but not in the earlier bo or hamm) or compiled from source. You must edit the configuration file /etc/mserver.conf to grant access to the server from your 192.168.1.0 subnet, and from nowhere else, since anyone who can reach the server can dial your modem.
Testing the network
The first thing to do after installation is to dial up to the Internet and see whether you can "ping" other hosts both on the Internet and on the local network. To see what network interfaces are active and what IP addresses they have use ifconfig. Make sure that "eth0" is one of them and that ppp0 is another.
How does a computer know how to get from point "A" (its own IP address) to point "B" (another computer's IP address)? Probably, it doesn't. But a host that it is connected to, or a host that that host is connected to, or further up the chain, will know. So whilst there are a limited number of IP addresses that a computer knows it can reach through a path it knows about directly, most of them it will simply hand to a computer further upstream (called its "default gateway") which will handle the problem of getting the IP packets to their destination.
To see the so-called routing table, which shows how the server reaches other computers across the network, simply type "route" (or "route -n" to see addresses rather than names). You can also add and delete routes with the "route" command. You will see a line saying that the destination "0.0.0.0" (with a netmask of "0.0.0.0") is reached through a gateway with a number like "203.56.15.2". This is the machine's default gateway: "0.0.0.0" with a netmask of "0.0.0.0" matches every address, and the kernel always uses the most specific route it has (the one with the longest netmask), so this entry is used only for addresses that no other line matches, such as the 192.168.1.0 line for your own ethernet. When you dial up to the Internet, pppd automatically makes your ISP's dial-up server the default gateway.
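The route selection just described, worked through in Python 3 as an added example (not code from the seminar). The routing table is constructed to resemble "route -n" output from the seminar's server while dialled up: 203.56.15.2 is the example gateway from the text, and the remaining entries (the office LAN on eth0, the point-to-point peer on ppp0, loopback) are assumptions about what such a server would show.

```python
# Added example, not from the seminar: how the kernel picks a route. ROUTES is
# constructed to look like "route -n" on the seminar's server while dialled up;
# 203.56.15.2 is the example gateway from the text, the rest are assumptions.

ROUTES = [
    # destination     genmask             gateway        iface
    ("192.168.1.0",   "255.255.255.0",    "0.0.0.0",     "eth0"),  # the office LAN
    ("203.56.15.2",   "255.255.255.255",  "0.0.0.0",     "ppp0"),  # ISP end of the modem link
    ("127.0.0.0",     "255.0.0.0",        "0.0.0.0",     "lo"),    # loopback
    ("0.0.0.0",       "0.0.0.0",          "203.56.15.2", "ppp0"),  # default gateway
]


def ip_to_int(dotted):
    """'192.168.1.37' -> 32-bit integer."""
    n = 0
    for octet in dotted.split("."):
        n = (n << 8) | int(octet)
    return n


def lookup(dest, routes=ROUTES):
    """Pick the route for dest the way the kernel does: among the entries whose
    network matches dest under their genmask, take the one with the longest mask.
    Returns (interface, next hop), or None if nothing matches ("network unreachable").
    The 0.0.0.0/0 entry matches every address, so it wins only when nothing more
    specific does."""
    d = ip_to_int(dest)
    best = None
    best_mask = -1
    for network, genmask, gateway, iface in routes:
        mask = ip_to_int(genmask)
        if d & mask != ip_to_int(network):
            continue
        if mask > best_mask:  # a longer run of leading 1-bits is a larger number
            best_mask = mask
            best = (gateway, iface)
    if best is None:
        return None
    gateway, iface = best
    next_hop = dest if gateway == "0.0.0.0" else gateway  # 0.0.0.0 = deliver directly
    return (iface, next_hop)


if __name__ == "__main__":
    for target in ("192.168.1.37", "203.56.15.2", "198.51.100.5", "127.0.0.1"):
        print(target, "->", lookup(target))
    print("modem down:", lookup("198.51.100.5", routes=ROUTES[:3]))
```

With the modem connected, an address on the office LAN goes straight out of eth0, anything else goes to 203.56.15.2 over ppp0; with the last line removed (the modem down, so pppd has withdrawn the default route) an Internet address matches nothing, which is the "Network is unreachable" error you see from ping when the link is not up.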
Kernel compilation
Strictly speaking, the only thing that is really Linux is the kernel. The rest of the operating system is a hotch-potch of stuff from all over the place, such as GNU (the free Unix project) and BSD Unix. The kernel is a bit like io.sys from MS DOS, it communicates with the hardware at a low level.
It is a good idea to compile a kernel customised for your particular system. Otherwise, you are stuck with the kernel that was compiled by the packager of your distribution, and which contains a lot of junk that you will never need (for SCSI, PCMCIA, ISDN, etc). As the kernel is loaded into memory at all times (except for loadable kernel modules, which are a comparatively recent invention) it is a good idea to keep the kernel lean.
You also may need to recompile the kernel to add masquerading support if you don't have it. In /usr/src/linux type "make menuconfig" (if you get errors here you don't have all the required packages installed: the C compiler, make and the ncurses development library). You need to include the options for IP firewalling, IP masquerading and "always defragment", and you must answer yes to being prompted for development or incomplete options, because some of these still fall into that category.
Some applications, eg. ftp, RealAudio and Quake, need particular loadable modules (ip_masq_ftp, ip_masq_raudio, ip_masq_quake) before they will work through masquerading, because these protocols announce addresses and ports inside their data or open extra connections that the plain masquerading code cannot follow. Be sure to "make modules" and "make modules_install" if you need these. To compile the kernel, "make dep; make clean; make zlilo" is quickest; use "make zImage" if you just want to create a compressed kernel file that you can copy elsewhere.
Differences between Red Hat and Debian
Installation is a bit different but still reasonably intuitive. Under Red Hat, to establish dial-up networking either use the supplied X Window utilities (such as netcfg and X-ISP) or edit the equivalents of the Debian chatscript and ppp settings files, which are /etc/sysconfig/network-scripts/chat-ppp0 and ifcfg-ppp0. The other files - /etc/ppp/pap-secrets and /etc/resolv.conf - are the same. Instead of pon and poff you use ifup ppp0 and ifdown ppp0. There is no /etc/rc.boot under Red Hat and you won't find /etc/init.d/network, but you can add the IP Masquerading lines to /etc/rc.d/rc.local instead.
Red Hat uses rpm packages for easy installation of pre-compiled applications (rpms can also be used with other distributions, since Red Hat Software has released the rpm tool as free software and documented the format). Debian uses deb packages, which are similar in concept but can't generally be used with other distributions. The Red Hat package management program is called rpm (there is a graphical front end for it called glint), and the Debian equivalent is called dpkg (there is a friendly front end called dselect, an improved replacement for which is currently being introduced).

