Setting up a Home Network

The Linux Way

The purpose of these pages is to provide a cookbook recipe for setting up a private home network on the Stanford campus using a Linux machine as the gateway. Many of the steps outlined here are applicable to any home network, but the scope of these instructions is limited, so I will not be covering everything that you would need to know if you were setting up, for instance, a home network whose access to the outside world was through a modem connection. The following hardware is required to set up the network as outlined here:

I will be mentioning HOWTO articles throughout these instructions, which normally get installed to your computer during a typical install. HOWTOs are generally installed in /usr/doc/HOWTO and /usr/doc/HOWTO/mini, but if they are not there and you can't find them anywhere else on your computer after the install, you can usually find them on the web - http://howto.tucows.com/ being a good place to check. HOWTO documents tend to be a little more on the technical side, but with a little patience you can usually figure out what is going on. Keep in mind that these documents are mostly put together because someone figured out how to do something and wanted to share the knowledge; the author may not be a technical writer, so the documentation is not official documentation, and everything in the HOWTOs, like this document, is use-at-your-own-risk and your mileage may vary. The following are two examples of ways that you could set up your home network:

Step One - Installing Linux

The first step is to get Linux installed. Although you can use any flavor of Linux, I suggest (and these instructions assume) that you install SULinux, a flavor of Linux that comes with several additional packages that tighten the security of your computer, as well as enable you to connect to other Stanford machines more easily. The following is a quick summary of the packages that come with SULinux:

There are good instructions for installing SULinux on the official SULinux site, so I will not duplicate their instructions here. After you have successfully installed Linux and are able to connect to the network, you are ready to proceed to the next step. Also, most of the commands in these instructions require root permissions, so I suggest logging in as the regular user that you set up during the install and then running the su command, which lets you give the root password and gain root permissions. This is generally safer than logging in as root, since all the "power" - read dangerous - commands will not be in your path and you will have to type the path to the commands to use them. Not much of a protection, but it might save you from needing to reinstall because you really hosed the system.

Step Two - Network Settings on the Linux Gateway

You will need to decide what IP addresses you are going to use for your network. The Internet Assigned Numbers Authority (IANA) has set aside non-routable addresses just for times like this and people like you (don't you feel special) - they are addresses which you are allowed to use for private networks like the one we are setting up, but which are not allowed to be used as "real" addresses on the internet. I am going to go off on a little tangent here, and you may choose to read it or not, but you don't need to, and you will not hurt my feelings if you don't:

If that did not make any sense to you, don't worry about it; the cool thing is that you really don't need to know how it works to use it. All you need to do is pick a set of IP addresses that you want to use from one of the following three groups:

If you know what you are doing, feel free to choose what you want, but I am going to choose for you, for the sake of these instructions, and tell you to use 192.168.1.x, where x can be any number between 2 and 254 inclusive, since we are reserving 1 for the gateway. This will give you more than 250 IP addresses for your little private network, and if you need more than that, then you are way past needing to read these instructions.

Open the Control Panel application - from the command prompt, this can be done with "control-panel" - and click on the Network Configuration button. Then click on the Interfaces button. You should see devices listed as lo, eth0 and eth1 - if you are missing the entry for eth1, then the install process did not find one of your network cards, and you will need to either figure out the problem yourself, or consult your local computer guru. Assuming that during the install of SULinux you chose dhcp as your means of connecting to the network to download the install files, at least one of eth0 and eth1 should have "dhcp" listed under "proto", they both should have "yes" listed under "atboot", and they both should have "active" listed under "active". If they both (or neither) have dhcp listed under "proto", then you are going to need to do some detective work to figure out which network card is connected to the Stanford network, and which is connected to the internal network. If only one network card has dhcp listed, and the other settings are as I said they should be, you may skip the following paragraph.

Ok, so the idea here is that we need to identify which network card is eth0 and which one is eth1. Select eth0, and click on the "edit" button. Make sure that the "Activate interface at boot time" option is enabled, and that the interface configuration protocol is "dhcp", and then click done. Select eth1 and click the "edit" button. Make sure that the "Activate interface at boot time" option is NOT enabled, and then click done. Reboot the computer and go into "Interactive mode" during boot up and do not run anything to do with AFS. When the machine has rebooted, make sure that you can ping other machines on the Stanford network. If you cannot ping other machines on the network, then we deactivated the network card that is connected to the Stanford network.

Go into the control-panel and click on the Network Configuration button. Go into the Interfaces section and change the settings for the network card that is connected to the Stanford network so that it uses dhcp as the protocol, and make sure that it is enabled at boot time. Change the settings for the interface that will be connected to your private network so that the protocol is "none", it is enabled at boot time, and, assuming that you chose the IP range that I suggested, set the IP address to 192.168.1.1. You will need to reboot the computer at this point.

Step Three - IP Masquerading

If you installed SULinux 1.1 with at least the default options that they suggest enabled, you are good to go - if you did not (I told you that you should), then I can make no guarantees about the following steps working - you may need to install IPChains and recompile your kernel. But, you followed the instructions, so you have SULinux installed, so let us forge ahead.

First, you need to enable IP forwarding so that the gateway Linux machine will forward internal packets - you can do this by changing FORWARD_IPV4=false to FORWARD_IPV4=true in the /etc/sysconfig/network file and rebooting.

Second, you will need to tell the IPChains program which packets to forward and which not to, and the following two commands should get the basics working for you:

If you chose a different IP range you will need to change the 192.168.1.0, and if you are using more than just IP addresses that start with 192.168.1, you will need to change the 24 - there is more on exactly how to do this in the HOWTO.

IMPORTANT: these settings need to be made each time the computer boots, so you should put these entries in the /etc/rc.d/rc.local file.

REALLY IMPORTANT: these settings assume that you care nothing about the security of your private network - which I hope is not the case - and you really should put some more restrictions on what the IPChains program will allow to happen, but covering that could take another entire paper, so I will just tell you of a few good sources to start reading about tightening security:

You can find further reading and suggestions by searching for "firewall ipchain linux" on your favorite search engine.

Step Four - Setting up DHCP

DHCP is optional, but it makes setting up the other computers on your network much easier. If you choose not to set up DHCP, you will need to manually configure each of the other computers on your private network with an IP address, default gateway, and the DNS settings for the Stanford network.

First you need to download and install the dhcp server, since SULinux does not include an install (at least at the time of this writing) of the dhcpd server daemon. I got my copy from:

but if you find it somewhere else, go for it. The installation that I am familiar with involves compiling from source and then doing a manual setup, so that is what these instructions will follow, although I know that there is a RPM available on the Redhat site:

First you need to install the server, which you can do with the following:

  1. Untar and decompress the file you downloaded using "tar -xvzf dhcp-2.0.tar.gz" or whatever the filename is of the version that you downloaded
  2. Type "./configure"
  3. Type "make"
  4. Type "make install"

The server should now be installed and you need to set up the configuration file. The configuration file is usually in /etc and is called "dhcpd.conf". The generic configuration file that should work for you is as follows:

default-lease-time 259200;
max-lease-time 259200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 171.64.7.99, 171.64.7.55, 171.64.7.77;
option domain-name "Stanford.EDU";

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.254;
}
subnet 171.66.0.0 netmask 255.255.0.0 {
}

The lines:

default-lease-time 259200;
max-lease-time 259200;

give a default and max dhcp lease time of 3 days. The lines:

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;

assume that you have chosen the IP range that I suggested. The lines:

option domain-name-servers 171.64.7.99, 171.64.7.55, 171.64.7.77;
option domain-name "Stanford.EDU";

tell the server what the IP addresses of Stanford's DNS servers are, so that it can tell the clients. The lines:

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.254;
}
subnet 171.66.0.0 netmask 255.255.0.0 {
}

assume that your IP address from Stanford for the gateway machine is in the 171.66.x.x range. The last two lines tell the server not to give out addresses in the range that Stanford owns, and the entry for the 192.168.1.0 subnet tells the server that it can give out IP addresses 192.168.1.2 through 192.168.1.254. You can change this range if you have some machines on your private network that need a hard-coded IP address. The "option routers 192.168.1.1" line tells the server what address to give to the clients as the default gateway, which is, of course, the IP address of the Linux machine that you are building.
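
As an added example (not part of the original instructions), the following Python script checks that the address-related lines of the configuration above agree with each other: the range stays inside the private subnet, the default gateway is in that subnet but not in the leased range, and no leases are offered on the Stanford-side subnet. It also returns the leased subnet in the address/prefix form that Step Three refers to (192.168.1.0 and 24). The function names are illustrative, and the parser handles only the simple directives used on this page.

```python
import ipaddress
import re
# Address-related lines of this page's dhcpd.conf, embedded so the check runs offline.
SAMPLE_CONF = """\
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.254;
}
subnet 171.66.0.0 netmask 255.255.0.0 {
}
"""

def parse(conf):
    """Return (global options, [(network, (low, high) or None), ...])."""
    opts = dict(re.findall(r"^option\s+(\S+)\s+([^;]+);", conf, re.M))
    subnets = []
    for net, mask, body in re.findall(
            r"^subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}", conf, re.M):
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        span = tuple(map(ipaddress.ip_address, rng.groups())) if rng else None
        subnets.append((ipaddress.ip_network(f"{net}/{mask}"), span))
    return opts, subnets

def check(conf):
    """List inconsistencies; an empty list means the file hangs together."""
    opts, subnets = parse(conf)
    router = ipaddress.ip_address(opts["routers"])
    problems = []
    # Subnets without a range are declared only so nothing is offered there.
    for net, (lo, hi) in ((n, s) for n, s in subnets if s):
        if not net.is_private:
            problems.append(f"{net}: leases offered on a non-private network")
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{net}: range {lo}-{hi} is not inside the subnet")
        if router not in net:
            problems.append(f"{net}: router {router} is outside the subnet")
        elif lo <= router <= hi:
            problems.append(f"{net}: range hands out the gateway address {router}")
        if opts.get("subnet-mask") != str(net.netmask):
            problems.append(f"{net}: subnet-mask option does not match")
        if opts.get("broadcast-address") != str(net.broadcast_address):
            problems.append(f"{net}: broadcast-address option does not match")
    return problems

def masq_source(conf):  # address/prefix of each subnet that hands out leases
    return [str(net) for net, span in parse(conf)[1] if span]

print(check(SAMPLE_CONF) or "consistent", masq_source(SAMPLE_CONF))
```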

You will also need to run the following command:

Now that the configuration file is set up, the server is ready to be started. I am assuming that the network card that is connected to your private network is the eth1 network card - if not, change eth1 as appropriate in the following commands. You can start the server with the following commands:

The first command is not necessary if you do not have any Windows computers on your private network, but if you do, they will not be able to get an IP address unless you run the command. The "-q" is optional and simply tells the server to start quietly, which is what you want since you are going to be putting these commands into the /etc/rc.d/rc.local file after the commands for the IP Masquerading from above.

Step Five - Testing

Before you start testing, you should double check that you have wired the gateway computer to the Stanford network and the hub, and then give it a clean reboot. Make sure that you can still ping and browse the web from your Linux gateway machine. If you can, then you can test the clients.

DHCP

Each client should be able to be set up by just telling it what the IP address of the dhcp server is (192.168.1.1) and then rebooting it, after which it should be able to get an IP address. If it does not get an IP address, then use the "ps -ef | grep dhcp" command to see if the dhcp server is running - if it is not, then you can try to start it manually without the "-q" option and see if it tells you why it does not want to start. If it starts without a problem, then verify that you made the correct entry with the correct path in the /etc/rc.d/rc.local file, and that the section of the file where the command sits is not within an "if" block. If it has started correctly, you can check the /var/state/dhcpd.leases file to see if an IP address is being offered or not. If an IP address is being offered (an entry is made in the file), then you know that the problem is with the client machine not picking up the IP address. If no entry is being made in the dhcpd.leases file, but the server does start, double check all the settings to make sure that you did not miss something.

IP-Masquerading

If you have verified that the clients are getting IP addresses and are able to ping each other and the gateway machine on 192.168.1.1, but are not able to ping outside machines, then you need to double check the settings for typos and make sure that you turned on IP-Forwarding. Since this is a very basic installation, if all the settings are correct but you are not able to browse the internet, then you should look into there being a problem with your network cards, since some network cards do not function well doing IP forwarding.

Final Thoughts

Thanks go to Ambrose Au (ambrose@writeme.com) and David Ranch (dranch@trinnet.net) for writing the IP-Masquerading mini HOWTO.

Scott Blomquist
Final Project
Stanford University
Computer Science 197
Winter Quarter 1999-2000