2003-06-15
Revision History
Revision | Date | Author | Notes
---|---|---|---
Revision 1.0 | 2003-06-15 | la | first official release
Revision 1.1 | 2003-06-19 | la | minor format corrections
Revision 1.2 | 2003-06-23 | la | minor format corrections
Abstract
This how-to is designed to help you set up a dial-in server over a phone line for use with a LEAF router.
This document, Sample XML HOWTO, is copyrighted (c) 2003 by Lynn Avants. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html.
Linux is a registered trademark of Linus Torvalds.
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; although this is highly unlikely, the author(s) do not take any responsibility.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.
In this document, I have the pleasure of acknowledging:
Jon French, who wrote the original LRP/LEAF document that I originally worked from.
Ray Olszewski, who has provided much of the correctness and clarity to this document. Thanks!
Feedback is most certainly welcome for this document. Send your additions, comments and criticisms to the following email address: <[email protected]>.
This document details the setup of a dial-in server for those wishing to access an existing network from a remote location via a telephone modem connection. This document can also be modified to add shell access or network resource sharing via the connection, but at this point in time only details internet access such as that you would receive via a dial-up ISP.
This mini-HowTo discusses only the use of the Point-to-Point Protocol (PPP) in a "server" configuration (that is, to listen for incoming connections). It does not discuss using PPP in a "client" configuration (that is, initiating a connection). PPP is technically a peer-to-peer protocol, where the 'server' is the end that is listening (answers the phone) and the 'client' is the end that initiates the call and (usually) requests an IP address and related info.
While some of the information here applies to any PPP-server setup, much of it is specific to LEAF, in that it assumes the usual set of LEAF applications is present on the system.
You may also need to modify your firewall ruleset for proper operation. If this is the case, please check the documentation of your firewall/configuration program to make any necessary changes (these are beyond the scope of this document because of the large variety of firewall programs that exist).
This document is based on my own experience, the HowTo Jon French wrote for the Linux Router Project (LRP), the PPP HowTo from the Linux Documentation Project, and various other resources on the internet.
In addition to the standard set of LEAF (*.lrp) packages, a PPP server needs these two packages: pppd.lrp and mgetty.lrp. At the present time (June 2003), both can be found at: http://leaf.sourceforge.net/devel/thc/files/kwarchive/
A PPP server also needs these three kernel modules: serial.o, slhc.o, and ppp.o. If they are not already present on your LEAF system, you will need to get them from the location appropriate to your LEAF variant and kernel version. For example, the Dachstein floppy modules are found at http://lrp.steinkuehler.net/files/kernels/2.2.19-3-small/modules/ and the Bering-1.2 modules are located at http://sourceforge.net/project/showfiles.php?group_id=13751. Follow the usual LEAF procedures for installing them in /lib/modules and adding their names to /etc/modules.
Several LEAF kernels such as Bering and the Dachstein-normal/large have serial.o compiled in. If the module isn't available, then it is likely compiled into the kernel and will not need to be added or loaded.
None of the LEAF variants has a userid pre-defined for use with PPP. I prefer to add such a dedicated userid, because doing so makes it unnecessary to give dial-in PPP users shell access to the router itself. Instead, you can provide dial-in users with access to the LAN and/or the Internet while keeping the router itself invisible to the dial-up PPP user, and hence more secure.
Creating the user is tricky because the LEAF variants lack the 'useradd' command, so you must create the user by hand. I use the example user 'ppp' in this configuration; change it to whatever username you want dial-in users to log in with. The process of creating the user by hand is as follows:
Add this line to the '/etc/passwd' file:
ppp:x:101:101:ppp:/home/ppp:/usr/sbin/pppd
Add this line to the '/etc/shadow' file:
ppp:*:10091:0:99999:7:::
If you would like to set the password for this user, use the command:
passwd ppp
Using 'pppd' as the login shell starts the connection automatically and does not give the user shell access.
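The hand-creation of the dial-in user, as an added shell example that is not part of the original HOWTO: it appends the two entries shown above while refusing duplicate names or uids, and offers a check that the account really has pppd (not a shell) as its login program. It assumes the same values as the text (user 'ppp', uid/gid 101, shell /usr/sbin/pppd); PASSWD and SHADOW default to the live files and can be pointed at copies first.

```shell
#!/bin/sh
# Added example (not from the HOWTO): create the dedicated dial-in user by
# hand, since LEAF lacks 'useradd'. Override PASSWD/SHADOW to try it on copies.
PASSWD="${PASSWD:-/etc/passwd}"
SHADOW="${SHADOW:-/etc/shadow}"

# add_ppp_user NAME UID : append passwd/shadow entries unless they collide
add_ppp_user() {
    name="$1"; uid="$2"
    # refuse a duplicate login name or a duplicate numeric uid
    if cut -d: -f1 "$PASSWD" | grep -qxF -- "$name"; then
        echo "user $name already exists" >&2; return 1
    fi
    if cut -d: -f3 "$PASSWD" | grep -qxF -- "$uid"; then
        echo "uid $uid already in use" >&2; return 1
    fi
    # login "shell" is pppd itself, so the caller gets a PPP link, not a shell
    echo "$name:x:$uid:$uid:$name:/home/$name:/usr/sbin/pppd" >> "$PASSWD"
    # '*' in the password field keeps the account locked until 'passwd NAME'
    echo "$name:*:10091:0:99999:7:::" >> "$SHADOW"
}

# check_no_shell NAME : true if the account's login program is pppd
check_no_shell() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD")
    [ "$shell" = "/usr/sbin/pppd" ]
}

# usage: add_ppp_user ppp 101 && check_no_shell ppp && echo "ppp user ready"
```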
To act as a PPP server, the LEAF router must listen for incoming connections on one or more modem (serial port) lines. This process is similar to listening for a shell login from the console, though the details differ.
To listen for an incoming connection, you use the program "mgetty" to watch a serial device. You set this up in the '/etc/inittab' file. Some versions of LEAF have inactive (commented out) lines in inittab for this purpose, but newer versions do not. So you need either to add or to activate (uncomment) a line like this one:
T0:23:respawn:/sbin/mgetty ttyS0 -D ttyS0 -s 115200
The numeral '0' is used in 'T0' and 'ttyS0', not the upper-case letter 'O'.
This sample line assumes the modem uses the first serial port (Windows' COM1 normally corresponds to Linux's ttyS0) and a line speed of 115200 bps (sometimes called "baud", though this usage is technically inaccurate).
This line tells the init process to have mgetty listen on ttyS0 and process a connection when one arrives. Next, you need to tell mgetty *how* to process that connection. You do so by editing (or creating) the files "/etc/mgetty/mgetty.config" and "/etc/mgetty/login.config" as follows (suitably modified if you use a different port or line speed):
Modify the '/etc/mgetty/mgetty.config' file:
# mgetty configuration file
port ttyS0
init-chat "" AT&F1&C1&D2
speed 115200
debug 3
data-only y
Modify the '/etc/mgetty/login.config' file:
/AutoPPP/ ppp ttyS0 /usr/sbin/pppd
This section details how to set up the server configuration of the pppd program, with an included example of both the /etc/ppp/ppp.options and /etc/ppp/pap-secrets files.
The use of 'PAP' authentication instead of 'CHAP' makes life much easier (though less secure) for Win 95/98 machines. You may be hard pressed to find a 'pppd' package for LEAF that supports MSCHAP, which is a special compile-time option with PPPd. The '/etc/ppp/pap-secrets' file also needs to be set to allow authentication against the system password file (that has already been configured), which is more secure than PAP authentication used by itself. This example shows how to set up PAP authentication using the system password utility:
Modify the '/etc/ppp/pap-secrets' file:
# Secrets for authentication using PAP
# client    server    secret    IP addresses
*           *         "login"   *
You'll need to manually enter your DNS server(s), netmask, IP address of the external interface on the router, and the IP address of the remote computer (the machine dialing in to the router). This information will be entered in the '/etc/ppp/ppp.options' file as shown in the example in section 6.4 below.
The use of the 'proxy-arp' option in the '/etc/ppp/ppp.options' file builds a direct connection to the external interface and bypasses the need to change the routing table on the router. You can proxy-arp to the internal LAN interface instead of the external interface and provide access to your private LAN if desired.
You will also need to make sure that your firewall ruleset is set to accept traffic from the 'ppp0' interface and forward it where desired (i.e. internet, LAN segment, etc.).
You can use this sample as a template and substitute the information you have gathered in earlier sections in the appropriate lines.
# /etc/ppp/options
dns-addr 192.168.1.254
asyncmap 0
crtscts
lock
modem
netmask 255.255.255.0
-detach
+pap
-chap
debug
proxyarp
login
<external-ip-router>:<ip-to-use-on-remote-machine>
For users that are also using 'ppp' (dial-up) for their outgoing internet connection, you will want to move any and all conflicting options from the '/etc/ppp/ppp.options' file to the respective '/etc/ppp/options.ttyS[n]' file so that both the client and server configuration work properly together.
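A sanity check for the options file above, as an added shell example that is not part of the original HOWTO: it confirms that the settings the text relies on (PAP required, 'login' so the system password file is consulted, 'lock' and 'modem', and a real local:remote address pair instead of the template placeholder) are present before you back up and reboot. The option names checked are standard pppd options; the file path is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the HOWTO): lint a pppd server options file.

# has_opt FILE OPT : true if OPT appears as a whole word on a non-comment line
has_opt() {
    grep -v '^[[:space:]]*#' "$1" | grep -qFw -- "$2"
}

# check_options FILE : report each problem found; the return value is the count
check_options() {
    f="$1"; n=0
    # the server must demand PAP, and 'login' makes pppd verify the PAP
    # password against the system password file (the account created earlier)
    has_opt "$f" '+pap'  || { echo "missing +pap: peer need not authenticate"; n=$((n+1)); }
    has_opt "$f" 'login' || { echo "missing login: pap-secrets alone is trusted"; n=$((n+1)); }
    # 'noauth' would override both and let any caller bring up the link
    has_opt "$f" 'noauth' && { echo "noauth present: authentication disabled"; n=$((n+1)); }
    # 'lock' keeps the modem line from being shared by another program;
    # 'modem' drops the link when carrier (the call) is lost
    has_opt "$f" 'lock'  || { echo "missing lock"; n=$((n+1)); }
    has_opt "$f" 'modem' || { echo "missing modem"; n=$((n+1)); }
    # the template's <external-ip-router>:<ip-to-use-on-remote-machine> pair
    # must have been replaced with real addresses
    if grep -q '<external-ip-router>' "$f"; then
        echo "address placeholder not filled in"; n=$((n+1))
    fi
    if ! grep -Eq '^[0-9.]+:[0-9.]+$' "$f"; then
        echo "missing local:remote address pair"; n=$((n+1))
    fi
    return $n
}

# usage: check_options /etc/ppp/options && echo "options file looks sane"
```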
When all the previous configuration has been finished, the 'etc', 'mgetty', and 'pppd' packages will need to be backed up via the 'lrcfg' menu and added to the 'syslinux.cfg' file on your floppy. You will also need to reboot the router for all the changes to take effect.
If luck is with you, everything should work on the first attempt. If it doesn't, you'll need to consult troubleshooting resources that are beyond the scope of this document but readily available on the internet or on the leaf-user mailing list at: http://lists.sourceforge.net/lists/listinfo/leaf-user.
Good luck and enjoy the use of your new dial-in server!