By Joshua Drake
February 16, 2001
A: Setting up a router and proxy is a huge subject, but I will give you the basics and some pointers to get you started. There are a couple of technical terms that you have to be familiar with. The first is "IP-Masquerading." If you refer to the IP-Masq-HOWTO located at the Linux Documentation Project Website (see Resources), it will tell you in Section 1.1: Introduction to IP Masquerading (or IP Masq for short) that:
IP Masq is a form of Network Address Translation, or NAT, that allows internally connected computers that do not have one or more registered Internet IP addresses to have the ability to communicate to the Internet via your Linux box's single Internet IP address. It is possible to connect your internal machines to the Linux host with LAN technologies like Ethernet, Token Ring, FDDI, as well as other kinds of connections such as dialup PPP or SLIP links. This document uses Ethernet for the primary example since it is the most common scenario.
In other words, you may use a single network interface to provide general Internet access to a private network. IP MASQ, then, is the baby brother of NAT.
NAT is different, though. It allows you to map external addresses or ports to internal addresses or ports. For example: I have a machine that is on a private network, but I want to allow the Internet direct access to the machine. You can use NAT to allocate a real IP address (say, 64.81.28.144) to your machine that is really located locally on 192.168.1.5. If you did this, anyone who connected to 64.81.28.144 would actually connect to the machine on 192.168.1.5. This can be very useful if you map specific ports.
Here are the basic steps that you will need to create an IP Masq gateway. I warn you, though, that these steps are basic and will do the job, but you will need to secure the firewall machine. I am not going to talk about how to make the PPP connection. If you are unsure about how to do this, take a look at the PPP-HOWTO (see Resources). I suggest using kppp or LinuxConf to set up the machine. Nor am I going to talk about setting up a basic network. If you are looking for information on that, you can refer to the Linux Networking HOWTO (see Resources).
Setting up IP Masq
IP Masq is very simple to set up. There are many ways to do it, so I'll show you the way I do it on the machines I manage. First, you'll want to open your rc.local file. It is located in /etc/rc.d/. At the bottom of the file, insert the following lines:
# Begin IP-MASQ settings
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Setting the default policy to deny"
/sbin/ipchains -P forward DENY
echo "Masquerading for private network"
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
#
#
#
# End IP-MASQ settings
The lines you just typed in will execute every time the machine reboots. The first line turns on the ip_forward function within the Linux kernel. You can also set this within the /etc/sysctl.conf file. The third line tells ipchains that the default firewall policy is DENY. In other words, everything on the forward chain is denied by default. The fifth line adds a forward rule for the source class C network 192.168.1.0/24 and masquerades the packets it forwards.
The next thing you need to do is start the routed daemon. You can do this by executing the following command: service routed start. You will also want to verify that you have enabled the routed service to start at run level 3. You can do this by typing the command: chkconfig --list routed. If you need more information on runlevels or chkconfig, take a look at previous Ask the Geek articles on the subject (see Resources).
Again, I want to emphasize that the above masquerading setup is not secure. I repeat, the above masquerading setup is not secure. It is only the absolute minimum required to get masquerading to work. For a basic secure firewall tool, take a look at Guarddog. Guarddog is a reasonably complete point-and-click X application that enables and disables ports and services within Linux's firewall capabilities. (See Resources for more on Linux Firewalls.)
Guarddog also allows you to manage some commonly used ports such as ICQ, Real Audio, or Napster.
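The rc.local lines above masquerade anything with a 192.168.1.x source address, whichever interface it arrived on, which is part of why the article calls them insecure. The following script is an added example (not from the article or from Guarddog) that generates a tighter ipchains ruleset for the same gateway: it keeps the default-deny forward policy but only masquerades private-network packets leaving through the Internet-facing interface (on the ipchains forward chain, -i names the outgoing interface), turns on the 2.2 kernel's reverse-path filter, and logs and drops packets that arrive from the Internet claiming a private source address. The interface name ppp0 and the network 192.168.1.0/24 are assumed placeholders. The function prints the commands rather than running them, so the ruleset can be read before it is applied.

```shell
#!/bin/sh
# Added example, not from the article: generate a tighter ipchains ruleset for
# an IP Masq gateway than the minimal rc.local snippet. The interface name and
# network are assumed placeholders; adjust them for your machine.
# The function only prints the commands, so review them first and then apply
# with:  masq_ruleset ppp0 192.168.1.0/24 | sh   (as root, on a 2.2 kernel)

masq_ruleset() {
    ext_if=$1     # interface facing the Internet, e.g. ppp0 (assumed)
    lan_net=$2    # private network behind the gateway, e.g. 192.168.1.0/24

    cat <<EOF
# Turn on forwarding in the kernel (same as the article's first line).
echo 1 > /proc/sys/net/ipv4/ip_forward
# Reverse-path filtering: drop packets whose source address could not be
# routed back out the interface they arrived on (cheap anti-spoofing).
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > \$f; done
# Start from an empty forward chain and deny everything not explicitly allowed.
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
# Masquerade only packets from the private network that leave via the external
# interface (in the forward chain, -i names the outgoing interface).
/sbin/ipchains -A forward -i $ext_if -s $lan_net -j MASQ
# Packets arriving from the Internet must never carry a private source address;
# log (-l) and drop them so spoofed traffic cannot ride the MASQ rule.
/sbin/ipchains -A input -i $ext_if -s $lan_net -j DENY -l
EOF
}

# Print the ruleset for the assumed interface and network when run directly.
masq_ruleset ppp0 192.168.1.0/24
```

After applying the rules, ipchains -L -n shows the chains as the kernel holds them, and the dropped spoofed packets show up in the kernel log because of -l. This is still only a forwarding baseline: it says nothing about which services on the gateway itself accept connections from the Internet, which is the part Guarddog is meant to cover.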
When you use IP Masq there will be some functionality that won't work correctly for machines that are not directly connected to the Internet. Software such as Real Audio streaming and FTP will not work without loading an appropriate masquerading kernel module.
Below are some common masquerading modules that can be loaded into the kernel:
- FTP: ip_masq_ftp.o
- Real Audio: ip_masq_raudio.o
- VDO Live: ip_masq_vdolive.o
- CU See Me: ip_masq_cuseeme.o
- IRC: ip_masq_irc.o
- Quake: ip_masq_quake.o
The Linux kernel modules are loaded and managed in a number of ways, including from the /etc/conf.modules and /etc/modules files, through kerneld, or simply through insmod statements on each module in your rc.local.
In closing, I would like to make an addendum to the last edition of Ask the Geek. I made a blanket statement that Linux does not like PCI Modems. This is still generally true, but US Robotics has since contacted me and provided a list of PCI modems that work with Linux, along with configuration instructions. These instructions come directly from Robert_Mikul@usr.com at US Robotics.
US Robotics PCI modems that work with Linux:
- 00560900
- 00561000
- 00561001
- 03CP5610
- 3CP5610A
- 03CP5613
You must have kernel version 2.2.14 or higher and follow this procedure:
After Linux starts, log in as the root user. At a console, type: cat /proc/pci
Scroll down until you find the data for the serial controller. Mine looks like:
Bus 0, device 15, function 0:
Serial controller: Unknown vendor Unknown device (rev 1).
Vendor id=12b9. Device id=1008.
Medium devsel. IRQ 10.
I/O at 0xfff0 [0xfff1].
Make a note of the values for IRQ and I/O port. In my case they were 10 and 0xfff0, respectively.
Then type: setserial /dev/ttyS1 irq 10 port 0xfff0 autoconfig
where irq and port are the values of the information you found from viewing the /proc/pci file. Then create a symbolic link between /dev/modem and /dev/ttyS1 with the ln command: ln -s /dev/ttyS1 /dev/modem
Then type: minicom
If you do not have minicom you can try cu or seyon, as well.
At this point, you will need to use the setserial command each time you reboot your machine. To make it automatic, enter the setserial command at the end of your rc.local file so that it is executed automatically each time you reboot.
To do this, in the terminal window type: cd /etc/rc.d/ then hit enter.
Now open rc.local with your favorite text editor. Scroll down to the bottom of the file using the arrow keys and type in:
# US Robotics PCI Controller Based Modem Initializing Setup
setserial /dev/ttyS1 irq 10 port 0xfff0 autoconfig
Again, the irq and port are what you got from your cat /proc/pci listing.
You can now save the file and exit. The setserial program will run on each reboot.
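The procedure above has you read the IRQ and I/O port off the /proc/pci listing by eye and copy them into the setserial line. The script below is an added example, not part of the US Robotics instructions, that does the same extraction with awk: it restricts itself to the block that follows "Serial controller" (so the IRQ of a video or network card is never picked up by mistake), prints "<irq> <port>", and builds the setserial line for rc.local from them. The /proc/pci text embedded in the script is constructed for the example in the layout of a 2.2-kernel listing; the device name /dev/ttyS1 is the one the article uses.

```shell
#!/bin/sh
# Added example, not part of the US Robotics instructions: pull the IRQ and I/O
# port of the PCI serial controller out of /proc/pci and build the setserial
# line for rc.local, instead of copying the numbers by hand. The sample
# /proc/pci text below is constructed for this example; /dev/ttyS1 follows
# the article.

# Read /proc/pci on stdin and print "<irq> <port>" for the serial controller only.
# Other devices (video card, network card) have their own IRQ lines, so the
# extraction is restricted to the block that follows "Serial controller".
extract_serial_params() {
    awk '
        /Serial controller/ { inblk = 1; next }
        /^ *Bus +[0-9]+, device/ { inblk = 0 }
        inblk && match($0, /IRQ [0-9]+/) { irq = substr($0, RSTART + 4, RLENGTH - 4) }
        inblk && match($0, /I\/O at 0x[0-9a-fA-F]+/) { port = substr($0, RSTART + 7, RLENGTH - 7) }
        END { if (irq != "" && port != "") print irq, port }
    '
}

# Build the command the article adds to rc.local:
#   setserial <dev> irq <n> port <hex> autoconfig
# Reads "<irq> <port>" on stdin; fails loudly if no serial controller was found.
setserial_line() {
    dev=$1
    params=$(cat)
    [ -n "$params" ] || { echo "no PCI serial controller found in /proc/pci" >&2; return 1; }
    set -- $params
    printf 'setserial %s irq %s port %s autoconfig\n' "$dev" "$1" "$2"
}

# Constructed sample in the layout of a 2.2-kernel /proc/pci, with a VGA device
# before and an Ethernet device after the modem to show the right block is chosen.
SAMPLE_PROC_PCI='PCI devices found:
  Bus  0, device  12, function  0:
    VGA compatible controller: Unknown vendor Unknown device (rev 0).
      Medium devsel.  IRQ 11.
      Prefetchable 32 bit memory at 0xe0000000 [0xe0000008].
  Bus  0, device  15, function  0:
    Serial controller: Unknown vendor Unknown device (rev 1).
      Vendor id=12b9. Device id=1008.
      Medium devsel.  IRQ 10.
      I/O at 0xfff0 [0xfff1].
  Bus  0, device  16, function  0:
    Ethernet controller: Unknown vendor Unknown device (rev 2).
      Medium devsel.  IRQ 9.
      I/O at 0xec00 [0xec01].'

# Run on the sample. On the real machine, as root:
#   extract_serial_params < /proc/pci | setserial_line /dev/ttyS1 >> /etc/rc.d/rc.local
demo() {
    printf '%s\n' "$SAMPLE_PROC_PCI" | extract_serial_params | setserial_line /dev/ttyS1
}
demo
```

Because the listing is parsed afresh each time, the same pipeline can be run from rc.local itself, which keeps the modem working if the card is later moved to a slot that gives it a different IRQ.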
Joshua Drake is the co-founder of Command Prompt, Inc., a PostgreSQL and Linux custom development company. He is also the current author of the Linux Networking HOWTO, Linux PPP HOWTO, and Linux Consultants HOWTO. His most demanding project at this time is a new PostgreSQL book for O'Reilly, 'Practical PostgreSQL'