The purpose of this document is to provide step-by-step instructions on getting a Linux box connected to the @home.com/AT&T cable network. I will try to be as clear as possible, but if something is confusing or incorrect, please tell me about it and I'll fix it.
This howto is available in many formats, including html and text. The newest version can always be retrieved from my site at http://www.dysan.net/linux/howto/. It is highly recommended that you get the most recent version, as this howto is subject to change.
This manual may be reproduced in whole or in part, without fee, subject to the following restrictions:
Exceptions to these rules may be granted for academic purposes: write to the author and ask. These restrictions are here to protect us as authors, not to restrict you as learners and educators. Any source code (aside from the SGML this document was written in) in this document is placed under the GNU General Public License, available via anonymous FTP from the GNU archive.
Thanks to the wonderful world of Linux and the Internet; and also to those individuals who have given me feedback to make this HOWTO even better.
Much of the layout of this HOWTO was gotten from the HOWTO-HOWTO, written by Mark F. Komarinski. It can be found at http://www.linuxdoc.org/.
Any translations of this document that I receive go into http://www.dysan.net/linux/howto/trans/. If you would like to translate this howto, please email me at dysan@dysan.net.
This HOWTO assumes you have:
dhcpcd
You will need dhcpcd version 1.3+. You can download it at http://rpmfind.net/linux/RPM/dhcpcd.html.
Or it can be found on the RedHat 6.1 and 6.2 install CD as RedHat/RPMS/dhcpcd-1.3.18pl3-1.i386.rpm.
IPchains
You do not need IPchains, but it is a nice feature for the options I list below. You will need IPchains version 1.3.9+. You can download it at http://rpmfind.net/linux/rpm2html/search.php?query=ipchains.
Or it can be found on the RedHat 6.1 and 6.2 install CD as RedHat/RPMS/ip..
If you have a 2.2.x kernel, you should already have most of the needed modules and masquerading enabled.
If you don't know how to update, install or patch your kernel, you should go read the Kernel HOWTO at: http://howto.tucows.com/LDP/HOWTO/Kernel-HOWTO.html
If you want to use IPchains as a firewall on your system, or Masquerading to map a network behind your system then please read http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IPCHAINS-HOWTO.html and http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IP-Masquerade-HOWTO.html. Again, this is not necessary for connecting your system to the @Home.com network, but it has nice features.
If you do not have the program installed download it from the location stated above in 3. Files and install it.
Run the daemon from either your init.d scripts or /etc/rc.d/rc.local:

   # /sbin/dhcpcd -h [host_name] [interface_name] &

Example:

   # /sbin/dhcpcd -h cc123456-a eth0 &
This daemon needs to run in order to allow your system to connect to the @Home.com network. If your interface will not connect, check that the daemon is still running with "ps -ax | grep dhcpcd".
The option -d turns on debug mode, and -k can be used to restart a running dhcpcd session.
Below are files you will need to configure. This is the main part of the configuration to get your system connected.
File: /etc/resolv.conf
What It Must Contain: The domain name and dns ip's assigned by @home.com.
dhcpcd should configure this file for you automatically, but it does not hurt to do it anyway.

   search Subdomain_name
   nameserver Primary_DNS_address
   nameserver Secondary_DNS_address

Example:

   search sac.comcast.home.com
   nameserver 24.11.22.33
   nameserver 24.11.22.34
File: /etc/sysconfig/network
What It Must Contain: All parameters for your networking conventions assigned by @home.com.
   NETWORKING="yes"
   FORWARD_IPV4="yes"
   HOSTNAME="Host_name"
   DOMAINNAME="Subdomain_name"
   GATEWAYDEV="Device_name"

Example:

   NETWORKING="yes"
   FORWARD_IPV4="yes"
   HOSTNAME="cr123456-a"
   DOMAINNAME="sac.comcast.home.com"
   GATEWAYDEV="eth0"
If you need help getting your network card(s) installed, read the "Linux Ethernet HOWTO". http://www.redhat.com/mirrors/LDP/HOWTO/Ethernet-HOWTO.html
File: /etc/sysconfig/network-scripts/ifcfg-eth0
What It Must Contain: The address information of your system. If you have multiple NIC cards you may have to edit ifcfg-eth1, ifcfg-eth2, etc.; if you have only one NIC card you will edit ifcfg-eth0.

   DEVICE="NIC_Device_name"
   ONBOOT="yes"
   BOOTPROTO="dhcp"
   DHCP_HOSTNAME="Your_Host_name"

Example:

   DEVICE="eth0"
   ONBOOT="yes"
   BOOTPROTO="dhcp"
   DHCP_HOSTNAME="cc123456-a"
To enable your changes take down the interface and bring it back up.
   # /etc/sysconfig/network-scripts/ifdown eth0
   # /etc/sysconfig/network-scripts/ifup eth0

To check that the interface came up with the correct IP information, run "/sbin/ifconfig".
Your connection should be up at this time. If not, see section 7, Troubleshooting.
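As an added example that is not part of this HOWTO, the following shell script automates the two checks above: it verifies that the ifcfg file for the cable-modem interface carries the settings just described, and it reads the interface's address out of ifconfig output, failing when the interface is up but has no address (what you see when dhcpcd obtained no lease). The ifcfg files and the ifconfig output it works on are constructed samples, and the function names and temporary directory are the example's own.

```shell
#!/bin/sh
# Added example, not part of this HOWTO: check the ifcfg file for the
# cable-modem interface and confirm the interface really got an address.
# The ifcfg files and the ifconfig output below are constructed samples.

# Print the value of KEY from an ifcfg-style file (KEY="value" or KEY=value);
# prints an empty line when the key is absent.
ifcfg_get() {
    key="$1"; file="$2"
    line=$(grep "^$key=" "$file" | head -n 1)
    val=${line#*=}
    val=${val#\"}
    val=${val%\"}
    printf '%s\n' "$val"
}

# Check the settings the HOWTO uses for the interface on the cable modem:
# DEVICE set, ONBOOT=yes, BOOTPROTO=dhcp and a DHCP_HOSTNAME (the host name
# @home assigned you, which the HOWTO also passes to dhcpcd with -h).
check_ifcfg() {
    file="$1"; status=0
    [ -n "$(ifcfg_get DEVICE "$file")" ] ||
        { echo "$file: DEVICE is not set"; status=1; }
    [ "$(ifcfg_get ONBOOT "$file")" = "yes" ] ||
        { echo "$file: ONBOOT should be \"yes\""; status=1; }
    [ "$(ifcfg_get BOOTPROTO "$file")" = "dhcp" ] ||
        { echo "$file: BOOTPROTO should be \"dhcp\""; status=1; }
    [ -n "$(ifcfg_get DHCP_HOSTNAME "$file")" ] ||
        { echo "$file: DHCP_HOSTNAME is not set"; status=1; }
    return $status
}

# Print the IPv4 address of interface $1 from "ifconfig" output on stdin
# (the 2.2-era "inet addr:" layout). Fails when the interface is missing or
# has no address, which is what you see when dhcpcd got no lease.
iface_addr() {
    awk -v want="$1" '
        $1 == want              { inblock = 1; next }
        /^[^ \t]/               { inblock = 0 }
        inblock && /inet addr:/ {
            s = $0
            sub(/.*inet addr:/, "", s)
            sub(/ .*/, "", s)
            print s; got = 1; exit
        }
        END { exit got ? 0 : 1 }'
}

# --- constructed sample data (not from a real system) ----------------------
TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT
cat > "$TMPDIR_EX/ifcfg-eth0" <<'EOF'
DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="dhcp"
DHCP_HOSTNAME="cc123456-a"
EOF
cat > "$TMPDIR_EX/ifcfg-eth0.bad" <<'EOF'
DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="static"
EOF

IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:A0:CC:12:34:56
          inet addr:24.11.22.21  Bcast:24.11.22.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:A0:CC:65:43:21
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1'

# Usage: check the config, then confirm the lease. On a real system use
#   /sbin/ifconfig | iface_addr eth0
if check_ifcfg "$TMPDIR_EX/ifcfg-eth0"; then
    printf 'eth0 address: %s\n' "$(printf '%s\n' "$IFCONFIG_SAMPLE" | iface_addr eth0)"
fi
check_ifcfg "$TMPDIR_EX/ifcfg-eth0.bad" || echo "bad file rejected as expected"
```

If check_ifcfg passes but iface_addr eth0 fails, dhcpcd is the thing to look at: confirm it is running with "ps -ax | grep dhcpcd" and restart it with -d for debug output.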
If you are running more than 1 system or a network of computers behind your Linux server you will need to run Masquerading. This can be done with IPchains.
Create a file /etc/rc.d/rc.firewall and copy the below into it. Then make the file executable, "chmod 755 /etc/rc.d/rc.firewall".
Then add the location of the file at the bottom of /etc/rc.d/rc.local. This will now load every time your system reboots.
   #-needed to load modules
   /sbin/depmod -a
   #-allow ftp
   /sbin/modprobe ip_masq_ftp
   #-allow ip forwarding
   echo "1" > /proc/sys/net/ipv4/ip_forward
   #-flush chains
   /sbin/ipchains -F input
   /sbin/ipchains -F forward
   /sbin/ipchains -F output
   #-masq timeouts
   /sbin/ipchains -M -S 7200 10 160
   #-for dhcp (needed if your cable provider uses dhcp to assign your ip. @home.com does need this)
   /sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp
   #-denies all ip addresses but the ones listed.
   /sbin/ipchains -P forward DENY
   /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
NOTE: You will need two network interface cards to do this. One card is plugged into your cable modem; the other plugs into a hub or switch that all your other computers plug into as well. Set the second NIC card to an unroutable IP address (see RFC 1918) and configure it as the gateway IP address for your network.
File: /etc/sysconfig/network-scripts/ifcfg-eth1
Example:

   DEVICE="eth1"
   ONBOOT="yes"
   BOOTPROTO="static"
   IPADDR="192.168.0.1"
   NETMASK="255.255.255.0"
   BROADCAST="192.168.0.255"
   NETWORK="192.168.0.0"
Then set all your computers with the gateway of 192.168.0.1, and all traffic will route through your Linux server and out to the Internet.
Port forwarding is a great option if you have computers behind your Linux system that you want to gain access to. Add the following lines to your /etc/rc.d/rc.firewall file.

   #-allow port forwarding. You can forward a port back to another machine.
   /usr/sbin/ipmasqadm portfw -f
   /usr/sbin/ipmasqadm portfw -a -P tcp -L 24.11.22.21 80 -R 192.168.0.10 80
The example above will map port 80 on ip 24.11.22.21 to port 80 of the system in your home network with the ip 192.168.0.10.
Now that you have a running Linux system active on the Internet you are subject to hackers attempting to gain entry to your system. It is a good idea then to secure your system as best as you can. Here are some quick and easy things to do, but for more information please read http://www.redhat.com/mirrors/LDP/HOWTO/Security-HOWTO.html.
File: /etc/inetd.conf
Generally I comment out (#) all lines in this file; you would leave lines in only if you want to run things like an FTP or SMTP server, and most likely you won't.
Now restart inetd:

   /etc/rc.d/init.d/inetd restart
Files: /etc/rc.d/init.d/
There are many services in this directory that run by default that you may not need to have running.
gpm, httpd, ident, linuxconf, lpd, portmap, sendmail, and xfs. The quickest way to disable these is to rename them to name.dis.
It's not the best way, but if you're not sure what run level your Linux system boots into, this will do the job.
Reboot your system and run "/bin/netstat -a"; it will show you what ports are open on your system.
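The netstat check is easy to automate. The script below is an added example and not part of this HOWTO: it reads "netstat -a" output, lists every listening socket, flags any listener that is not on an allow list, and maps the common ones back to the services named above so you know which init script to disable. The netstat output is a constructed sample in the 2.2-era format, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of this HOWTO: list what is still listening after
# disabling services and flag anything not on an allow list. The netstat
# output below is a constructed sample (2.2-era "netstat -a" layout).

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 cc123456-a:1022         24.11.22.33:ssh         ESTABLISHED
udp        0      0 *:bootpc                *:*
udp        0      0 *:sunrpc                *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ACC ]     STREAM     LISTENING     1234   /dev/gpmctl'

# Print "proto port" for every listening socket: TCP sockets in LISTEN state
# and every bound UDP socket (UDP lines have no state column). Reads netstat
# output from stdin.
listening_ports() {
    awk '($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
        n = split($4, a, ":")
        print $1, a[n]
    }'
}

# Print every listener not in the allow list ($1, a space-separated list of
# proto/port entries). Exit status 1 when something unexpected is open.
unexpected_listeners() {
    allow=" $1 "
    found=0
    for entry in $(listening_ports | tr ' ' '/'); do
        case "$allow" in
            *" $entry "*) ;;
            *) printf '%s\n' "$entry"; found=1 ;;
        esac
    done
    return $found
}

# Map a listener to the service from the list above that usually owns it.
# Port-name to service pairs follow the usual /etc/services assignments.
service_hint() {
    case "$1" in
        tcp/sunrpc|udp/sunrpc) echo "portmap" ;;
        tcp/http|tcp/www)      echo "httpd" ;;
        tcp/smtp)              echo "sendmail" ;;
        tcp/printer)           echo "lpd" ;;
        tcp/auth)              echo "ident" ;;
        *)                     echo "unknown" ;;
    esac
}

# Usage on a real system:
#   /bin/netstat -a | unexpected_listeners 'tcp/ssh udp/bootpc'
# (bootpc is the DHCP client port dhcpcd needs; ssh is the one service the
# HOWTO's firewall lets in.)
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners 'tcp/ssh udp/bootpc' |
    while read -r entry; do
        printf '%s is open: consider disabling %s\n' "$entry" "$(service_hint "$entry")"
    done
```

Run it after every round of renaming init scripts and rebooting; when the only output is nothing, the box exposes exactly what the allow list says it should.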
File: /etc/rc.d/rc.local
Add this line; it makes the kernel ignore all ICMP echo requests, so your system will not answer pings and appears to be down.

   # refuse the 'ping of death'
   echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
Even though you have turned off many services to your system, it is still a good idea to setup a firewall. IPchains can also do this, by blocking ports or only allowing certain ones through.
Here are some examples to do with IPchains to firewall your system. Add these to the bottom of the rc.firewall file.
   #-Turn on firewall
   #- allow connections from internal network.
   /sbin/ipchains -A input -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
   #-allow specific ports for inbound connections.
   #- you can add any port you want here to be publicly accessible.
   #- allow icmp
   /sbin/ipchains -A input -p icmp -j ACCEPT
   #- allow ssh
   /sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 ssh -j ACCEPT
   #-deny all inbound tcp packets
   /sbin/ipchains -A input -p tcp -s ! 192.168.0.0/24 -y -j DENY
IPchains is a poor man's firewall. It may be a good idea to download a firewall program or put one in front of your network instead of ipchains, but it does the job.
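The three rc.firewall fragments above (the masquerading script, the port-forwarding lines and the firewall rules) are combined here into one generated script, as an added example that is not the HOWTO's own rc.firewall. It only prints the script, so the rules can be reviewed before the file is installed. It departs from the fragments in three places, each worth knowing about: the DHCP accept rule is placed on the interface plugged into the cable modem (eth0 in this HOWTO's layout, whereas the fragment above names eth1); when a port is forwarded, an input ACCEPT for that port is inserted ahead of the final SYN DENY, because the input chain sees the forwarded connection before ipmasqadm does and would otherwise drop it; and a rule is added that logs and drops packets arriving from the modem side with a source address in the LAN range, which can only be spoofed. The interface names, addresses and the forwarding triple are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the HOWTO's own rc.firewall: generate the gateway's
# firewall script from a few parameters and print it for review. Layout as in
# the HOWTO: EXT_IF on the cable modem (DHCP side), INT_IF on the home LAN.
# Interface names and addresses used below are constructed placeholders.

# gen_rc_firewall EXT_IF INT_IF INT_NET [EXT_IP EXT_PORT:INT_HOST:INT_PORT]
gen_rc_firewall() {
    ext_if="$1"   # interface plugged into the cable modem
    int_if="$2"   # interface on the hub/switch with the other computers
    int_net="$3"  # RFC 1918 network behind this box, e.g. 192.168.0.0/24
    ext_ip="$4"   # public address dhcpcd obtained (only needed for forwarding)
    fwd="$5"      # optional EXT_PORT:INT_HOST:INT_PORT to forward inside

    cat <<EOF
#!/bin/sh
# generated rc.firewall: ext=$ext_if int=$int_if lan=$int_net
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -F output
/sbin/ipchains -M -S 7200 10 160
# DHCP replies (server port 67 -> client port 68) arrive on the cable-modem side
/sbin/ipchains -A input -i $ext_if -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
# a packet from the modem side claiming a LAN source address is spoofed: log and drop
/sbin/ipchains -A input -i $ext_if -s $int_net -l -j DENY
# forward nothing except the LAN's own traffic, masqueraded as this box
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s $int_net -j MASQ
# the LAN may talk to this box freely
/sbin/ipchains -A input -i $int_if -s $int_net -j ACCEPT
# services exposed to the Internet: icmp and ssh only
/sbin/ipchains -A input -p icmp -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 ssh -j ACCEPT
EOF
    if [ -n "$fwd" ]; then
        ext_port=${fwd%%:*}
        rest=${fwd#*:}
        int_host=${rest%%:*}
        int_port=${rest#*:}
        cat <<EOF
# the forwarded port must be accepted on input, ahead of the SYN deny below
/sbin/ipchains -A input -i $ext_if -p tcp -d $ext_ip $ext_port -j ACCEPT
EOF
    fi
    cat <<EOF
# deny (and log) every other new inbound TCP connection from outside the LAN
/sbin/ipchains -A input -p tcp -s ! $int_net -y -l -j DENY
EOF
    if [ -n "$fwd" ]; then
        cat <<EOF
# port forwarding: $ext_ip:$ext_port -> $int_host:$int_port
/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L $ext_ip $ext_port -R $int_host $int_port
EOF
    fi
}

# Number of ipchains rules the generated script installs (a quick sanity check).
rule_count() {
    gen_rc_firewall "$@" | grep -c '^/sbin/ipchains -A'
}

# Usage: review the output, then install it with
#   gen_rc_firewall eth0 eth1 192.168.0.0/24 24.11.22.21 80:192.168.0.10:80 \
#       > /etc/rc.d/rc.firewall && chmod 755 /etc/rc.d/rc.firewall
gen_rc_firewall eth0 eth1 192.168.0.0/24 24.11.22.21 80:192.168.0.10:80
```

Because the public address comes from DHCP, the forwarding line has to be regenerated whenever the lease changes; keeping the script parameterised like this makes that a one-line rerun rather than a hand edit of rc.firewall.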
If your interface will not connect to the cable modem check a few things.
1. Reset the cable modem. There should be a small reset button on the modem; push it.
Some cable modems record the MAC address of the NIC card they are plugged into. If you're using a different NIC card to try to connect with, the modem will not recognize your card until you reset it.
2. Don't run dhcpd (not to be confused with dhcpcd, as discussed in this document) for your internal network. I've played around with it and it always gave me trouble. If you can get it to work, let me know.
This HOWTO was written with the experience of connecting my system, RedHat Linux 6.1, to the Comcast / @home.com / AT&T cable network. Though it's all the same network you may experience some differences. Please inform me of any differences you find and I'll include them.