Ballantain: Linux Internet server with masquerading on a floppy disk
---------------------------------------------------------------
Origin: http://www.linuxsupportline.com/~router/
---------------------------------------------------------------
IP masquerading on a floppy.
Project Ballantain v1.0.0
Powered by Linux.
(C) 1998 1999 by Serge V. Storozhevykh (svs@hempseed.com)
NEW VERSION of 17-05-99
Q. So what's new in it?
A. 1) Fixed an annoying bug in the detection of 3COM509 cards;
such cards now work perfectly.
2) Added migration to a hard disk. Just run move2hdd.bat
3) Added dialing the provider on several numbers.
4) Fixed a bug that did not allow entering empty answers when setting up
the chat with the provider.
5) Added support for leased lines.
You may have to edit the file a:\etc\rc_masq for the
specific conditions of your connection to the provider.
NOTE: This is the last, final and corrected version of the Ballantain router.
Further development of Ballantain stops here.
The Ballantain project is closed.
Perhaps I will only fix some bugs.
In place of Ballantain a new project is opening - FREESCO,
a router for networks with static routing, supporting
up to 3 Ethernet adapters and up to 2 modems, optionally a bridge,
or, for the smartest, both a bridge and a router at the same time (by the way
it works quite amusingly and unpredictably in that configuration).
As usual an easy setup, as usual it fits on a single 1.44 disk,
and as usual it can also be started from a hard disk.
The ability to use a swap file, the ability to start in as little as
6 megabytes of memory and the ability to extend it with additional packages
put FREESCO beyond competition.
Within a month (from today, 17-05-99) I will release
an alpha version of FREESCO, and in the meantime you can admire screenshots
of administering FREESCO via telnet and via a browser.
http://from.tsx.org (virtual address)
http://www.linuxsupportline.com/~router (real address)
Q. What is this?
A. Ballantain is a way to connect a small local network to the Internet
through a single modem and give all users of the local network
transparent access to the Internet.
An ideal tool for a small network consisting of Windows 95 clients.
Q. But what is it, really?
A. It is Linux on a single floppy disk, set up to work as
a router. Optionally a DHCP server for dynamic assignment of IP
addresses on the local network.
Even shorter: Linux + IP masquerade + diald + dhcpd + telnetd
Q. Sounds interesting. What do I need to use Ballantain?
A local network :-), a computer with a modem and a network card.
Computer - no worse than a 386/8+M RAM/1.44 FDD/(the rest does not matter).
For the initial setup of the system you will need a monitor and a keyboard, which
can later be disconnected and sold, with the money sent to me.
Network card - an ISA 3com509 or PCI 3com905 is ideal; these cards
are detected automatically and need no configuration at all. The 3com501, 3com505,
3com507, 3com515, ne2000 PCI and cards based on the Realtek 8139 chip should
also be detected (automatically) just as well. Quite likely some versions of
the Intel EtherExpress Pro 10/100 will work. With the card's address and interrupt
given explicitly, ne2000 cards, most cards on Realtek chips and some Intel
EtherExpress cards work well.
Modem - I hope you know what a modem is. It is an underdeveloped light-and-
music attachment for the computer. Choose by the number of coloured
lights on the front panel.
Tip - if you have a very old computer, most likely its built-in
COM ports have no FIFO or are simply slow; in that case
an internal modem is the ideal choice.
Q. I have a network card on the VLKSM1917 chip made by the Zarya collective farm
of the republic of Polar Somalia. What should I do?
A. Try giving the address and interrupt of this card in the system settings;
maybe it will work. For ISA cards the address looks like
0xYYY, for PCI 0xYYYY, where YYYY is an octal number.
The interrupt is a decimal number.
Q. That did not help. What now?
A. Buy a normal card, or borrow a normal card from a client
computer and put your beloved Zarya collective-farm card in its place.
Q. How does it all work?
A. Packets from the clients heading to the Internet arrive at Ballantain. When
necessary Ballantain dials the provider, establishes a connection,
replaces the source IP address in those packets with the address the
provider issued to you and sends them out; on the reply packets from the Internet
Ballantain performs the reverse substitution and sends them to the client. Some
time after the last packet has passed, Ballantain drops the connection
to the provider and goes into standby.
From the outside your whole local network looks like one single computer
connected to the Internet, and that single computer is Ballantain.
Thus the clients are not directly reachable from the Internet and are protected from
possible attacks. As for Ballantain, well, Ballantain is Linux, and it is somewhat
better protected against attacks than Windows.
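To make the substitution above concrete, the following Python is an added toy model of the masquerading table (written for this page; it is not Ballantain's or the kernel's code): outgoing packets get their source address and port rewritten to the provider-issued address, replies are matched back to the client, unsolicited packets are dropped, and the line is released after the idle timeout. The addresses and the 61000+ port range are constructed assumptions.

```python
# Added toy model of IP masquerading as Ballantain uses it (not the kernel's code).
# Addresses, ports and the 61000+ masquerade port range are constructed assumptions.

IDLE_TIMEOUT = 600  # the page's default: drop the line 600 s after the last packet


class Masquerader:
    def __init__(self, isp_addr, first_port=61000):
        self.isp_addr = isp_addr      # address the provider issued to us
        self.next_port = first_port
        self.table = {}               # masq port -> (client ip, client port, dst ip, dst port)
        self.reverse = {}             # (client ip, client port, dst ip, dst port) -> masq port
        self.link_up = False
        self.last_packet = None

    def outbound(self, pkt, now):
        """pkt = (src_ip, src_port, dst_ip, dst_port) from a LAN client.
        Brings the link up if needed and returns the packet as sent to the ISP."""
        if not self.link_up:
            self.link_up = True       # this is where diald would dial the provider
        port = self.reverse.get(pkt)
        if port is None:              # first packet of this flow: allocate a masq port
            port = self.next_port
            self.next_port += 1
            self.reverse[pkt] = port
            self.table[port] = pkt
        self.last_packet = now
        return (self.isp_addr, port, pkt[2], pkt[3])

    def inbound(self, pkt, now):
        """Reply from the Internet. Returns the packet as forwarded to the client,
        or None: a packet no client asked for has no table entry and is dropped,
        which is why the clients are not reachable from outside."""
        src_ip, src_port, dst_ip, dst_port = pkt
        flow = self.table.get(dst_port)
        if dst_ip != self.isp_addr or flow is None or (src_ip, src_port) != flow[2:]:
            return None
        self.last_packet = now
        return (src_ip, src_port, flow[0], flow[1])

    def tick(self, now):
        """Periodic check: drop the link once it has been idle for IDLE_TIMEOUT.
        Returns whether the link is still up."""
        if self.link_up and now - self.last_packet >= IDLE_TIMEOUT:
            self.link_up = False
            self.table.clear()
            self.reverse.clear()
        return self.link_up
```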
Q. You said DHCP server. Is that better than our Novell file server?
A. Just a little. If your whole network consists of Windows 95 clients
(and possibly a Novell server or an NT server) you are probably using
the NETBEUI and/or IPX/SPX protocol. To work with the Internet you will need
the TCP/IP protocol, and this is where a DHCP server makes your life easier.
It is meant for automatic configuration of the TCP/IP protocol on the
client computers; all you have to do is add this protocol
on the Windows computers and specify that the client obtains its IP address
automatically; DHCP takes care of everything else.
Q. Fine, I have the file ipmasq.vXX (ipmasqf.vXX) and the required computer,
what next?
A. DOS/Windows users: write the file ipmasq.vXX to a floppy disk with
the program rawrite.exe.
Unix people do it differently: dd if=ipmasq.vXX of=/dev/fd0
Boot from the resulting disk. At the OS loader's prompt
boot: type setup, and when you get tired of sitting and waiting press the
ENTER key (the biggest one after the space bar).
By the way, there is no point typing eng or rus any more, since you are already reading this text.
System setup.
After booting you will see the menu:
1) modem settings
2) ISP settings
3) miscellanous settings
4) <bring up link> rules
5) network settings
0) exit
The questions fall into 3 categories:
green - those that must be answered
yellow - may be answered or skipped. They have no strong influence on
the system's operability
red - better not touch them unless you are quite sure of what you are doing.
1. Modem settings.
You will see what the parameters were before the setup started, then setup
will try to find modems in your system and print the list of those found.
If the list is empty, you have a problem with the modem. Until you
solve it there is no point going any further.
(*** by the way, at this point my test 386/8M computer sometimes glitches.
*** and by the way so does the test 14400 modem - it is detected at 115200,
but only works if you set its speed to 19200)
The setup looks roughly like this:
Previous settings:
==================
# Modem part of diald.cong for Ballantain
#
# com1 - cua0, com2 - cua3 etc.
device /dev/cua0
speed 115200
#
# Modem initialization string for connece
# Yes. It's commented, but we really use it
#MDMINI="ATZ"
===================
Modem(s) found on:
/dev/cua3 at 0x2e8 (irq = 3) is a 16550A (spd_vhi)
Modem connected to /dev/cuaX. 0, 1, 2, 3. [3]?
Most likely your modem will be detected, and in the question of which port
the modem is connected to the default answer will already match
the last modem found, so you can just press ENTER.
Max baud rate of this port. 115200, 57600, 38400, etc. [115200]?
The default answer will most likely match reality too.
(If you have an external modem and a slow port without FIFO, or the modem
speed is <=14400, set a lower speed.)
Modem init string. Usually ATZ or AT&F. [ATZ]?
I think this one is clear. If it is not, just press ENTER.
2. Settings related to your provider.
The previous settings will be printed on the screen again, but not all of them.
For example those containing the name and the password are not shown.
Previous settings:
==================
# network part of diald.conf for Ballantain
#
dynamic # if your ISP supplies us with dynamic IP, then:
local 127.0.0.2 # fake local side ppp IP addr
remote 127.0.0.3 # fake remoute side ppp IP addr
==================
Previous settings:
==================
# ISP related stuff
#
PHONUM="T4004444 D5005333"
DNS="194.170.1.6" # usually your ISP DNS addr
LOGIN=script # login type: script, pap, chap
==================
Does your ISP supply you with dynamic IP addr [y]?
Most likely you just need to press ENTER in answer to this question.
If you do have a permanent IP address, answer n and enter the addresses,
yours and the provider's.
!!! This setting is also used for the case of a router on a leased line.
Dialing method and ISP phone number [T4004444]?
If your telephone line allows tone dialing, put T in front of the
provider's phone number, otherwise P.
Enter as many provider numbers as needed, separated by spaces.
DNS address [194.170.1.6]?
The address of the provider's Domain Name Server.
Login type. PAP, CHAP, script. [script]?
The method of exchanging the password with the provider.
If you choose the "script" method you will have to describe the whole
sequence of the dialogue with the provider.
Let's go through the example of my provider.
After connecting, the provider issues the following prompts and questions:
**** Emirates Internet ****
Username: AHMED
Password: xxxxxxx
emirates-twb> ppp
The script will be like this:
wait for the prompt "name:" - reply "AHMED"
wait for the prompt "assword:" - reply "PASSWORD"
wait for the prompt ">" - reply "ppp"
after that the ppp protocol is started on the provider's side.
Let's go back to our setup and describe this dialogue.
!!! Empty answers are now allowed, and because of this there are no
default answers, i.e. when you press ENTER an empty string is
used as the answer.
0 Wait for []?
If you write name:--name the system will wait for the prompt name: ;
if it has not arrived after some time, a <CR> character is sent
and name: is awaited again.
0 Reply with [ahmed]?
this is what we are going to reply to the first prompt.
1 Wait for [assword:]?
again we wait for the magic word assword from the provider :-)
1 Reply with [xxxxxx]?
in reply we write PASSWORD
2 Wait for [>]?
we wait for the prompt >
2 Reply with [ppp]?
to start the protocol we need to enter ppp
3 Wait for []?
we expect nothing more from the provider, so we leave this field
empty.
3 Reply with []?
we will send nothing more to the provider, so we leave this
field empty.
For a better understanding read the man page of the chat program.
You can use minicom to dial the provider and see
what it prints and what it expects; if instead of
readable text you see some garbage, it most likely means that on
the provider's side the ppp protocol starts automatically and you need to use
the PAP or CHAP authentication method.
If you choose the PAP or CHAP methods the questions will be easier:
Login name. []?
Password. []?
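As an added illustration of the Wait for / Reply with answers above (example code written for this page, not part of Ballantain or of chat itself), the following Python turns those answers into the expect/send word list and replays it against a transcript of the provider's prompts, including the name:--name retry. The transcript is constructed from the Emirates Internet example above; the username and password are placeholders.

```python
# Added model of the chat(8) dialogue that Ballantain's setup builds from the
# 'Wait for' / 'Reply with' answers.  Not Ballantain's or chat's own code.

# The setup answers from the example above; the empty last pair ends the script.
# Username and password are placeholders.
SETUP_ANSWERS = [
    ("name:--name", "AHMED"),
    ("assword:", "PASSWORD"),
    (">", "ppp"),
    ("", ""),
]


def build_chat_script(answers):
    """Return the expect/send words in the order chat takes them on its command line."""
    words = []
    for wait_for, reply in answers:
        if wait_for == "" and reply == "":
            break                       # both fields empty: nothing more to wait for or send
        words += [wait_for, reply]
    return words


def expect_alternatives(expect):
    """chat separates expect-subsend-subexpect with single dashes, so 'name:--name'
    means: wait for 'name:', on timeout send '' (an empty send is a bare CR) and
    wait for 'name' again."""
    return expect.split("-")


def run_chat(script, transcript):
    """Replay the script against a transcript of what the provider printed.
    Returns the list of strings sent, or None if an expected prompt never showed up."""
    sent, pos = [], 0
    for expect, reply in zip(script[0::2], script[1::2]):
        alts = expect_alternatives(expect)
        matched, i = False, 0
        while i < len(alts):
            hit = transcript.find(alts[i], pos)   # substring search, like chat
            if hit >= 0:
                pos = hit + len(alts[i])
                matched = True
                break
            if i + 1 < len(alts):                 # timeout: send the subsend, then retry
                sent.append(alts[i + 1] or "\r")
            i += 2
        if not matched:
            return None
        sent.append(reply)
    return sent


# Constructed transcript of the provider's prompts from the example above.
ISP_TRANSCRIPT = "**** Emirates Internet ****\r\nUsername: \r\nPassword: \r\nemirates-twb> "
```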
3. Other system settings.
The only other setting is the time after which the screen saver
should kick in and blank the screen:
Previous settings:
==================
# Misc system wide settings.
#
BLANK=0 # Turn off screen after 0-60 min. 0 - never.
==================
The default is 0, i.e. never blank the screen.
Or do you feel sorry for the monitor of that old, half-dead 386 computer?
By the way, the 5th console shows the system log with a certain amount of
useful information and a status line for the modem and the ppp interface.
4. Rules for dialing the provider.
Previous settings:
==================
# Rules part of diald.conf for Ballantain
#
accept any 600 any # bring up the link for any packets for xxx sec
#include /etc/filter.cfg # or use customizable filter
==================
Bring up link for 0-xxx sec. 0 - use filter.cfg. [600]?
There are 2 options, and at the same time an infinite number of them.
By default it is proposed to bring up the line for any packet going
outside and to keep the line up for 600 seconds after the last packet.
This is not always good, and you can try the second option or
even edit the file of rules for bringing up the line. It is best to edit it
from the running system with the command: edit /mnt/etc/filter.cfg
(then the system has to be rebooted). Naturally, before editing
you should read the diald documentation, so as to understand at least a little of what
needs changing there.
It will probably be a good idea to make NETBEUI or IPX/SPX the primary protocol
on the client Windows computers and use TCP/IP only
for the Internet; then Ballantain will not dial the provider
at every opportunity.
5. Network settings.
Previous settings:
==================
# Network configuration. Ethernet part.
#
NE_IO="io=0x300" # Ethernet card I/O port addr
NE_IRQ="irq=11" # Ethernet card IRQ
NETWORK=10.0.0.0
NETMASK=255.0.0.0
MASKBIT=8
BRCAST=10.255.255.255
IPADDR=10.10.10.1
DHCPD=y
RTRTYPE=dialup # dialup or leased line router
==================
Network. 10.0.0.0, 172.22.0.0, 192.168.0.0 [10.0.0.0]?
Subnet mask. [255.0.0.0]?
Subnet mask bits. [8]?
IP address of this computer on local network. [10.10.10.1]?
By the way, this will be the address of your gateway to the Internet.
Ethernet card I/O port address. [0x300]?
Ethernet card IRQ line. [11]?
Do you want DHCP server y/n [y]?
Do you want dialup or leased line router. [dialup]?
I will not explain here what all of this means. If you cannot work out
by yourself what is what here, you need the first grade of TCP/IP elementary school.
I can only add that the default settings are, in my view, quite
satisfactory for most cases.
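A consistency check for the answers of this section, added here as an example for this page (not a Ballantain tool): it parses the Previous settings block shown above and verifies that NETMASK, MASKBIT and BRCAST agree with NETWORK and that IPADDR is a usable host address inside it. The sample block is the page's default settings, reproduced as constructed input; ipaddress is the Python standard library module.

```python
# Added consistency check for Ballantain's Ethernet settings block (not a Ballantain tool).
import ipaddress

# The page's default settings, reproduced here as constructed input.
SAMPLE_SETTINGS = """\
# Network configuration. Ethernet part.
#
NE_IO="io=0x300" # Ethernet card I/O port addr
NE_IRQ="irq=11" # Ethernet card IRQ
NETWORK=10.0.0.0
NETMASK=255.0.0.0
MASKBIT=8
BRCAST=10.255.255.255
IPADDR=10.10.10.1
DHCPD=y
RTRTYPE=dialup # dialup or leased line router
"""


def parse_settings(text):
    """Return KEY -> value for the shell-style block, dropping comments and quotes."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_network(cfg):
    """Return a list of problems; an empty list means the answers agree with each other."""
    problems = []
    try:
        # strict parsing: a NETWORK with host bits set for the given MASKBIT is rejected,
        # e.g. answering 172.22.0.0 but leaving the default mask bits of 8
        net = ipaddress.ip_network(f"{cfg['NETWORK']}/{cfg['MASKBIT']}")
        ip = ipaddress.ip_address(cfg["IPADDR"])
    except (KeyError, ValueError) as exc:
        return [f"unusable NETWORK/MASKBIT/IPADDR: {exc}"]
    if str(net.netmask) != cfg.get("NETMASK"):
        problems.append(f"NETMASK {cfg.get('NETMASK')} does not match /{cfg['MASKBIT']} ({net.netmask})")
    if str(net.broadcast_address) != cfg.get("BRCAST"):
        problems.append(f"BRCAST {cfg.get('BRCAST')} should be {net.broadcast_address}")
    if ip not in net or ip in (net.network_address, net.broadcast_address):
        problems.append(f"IPADDR {ip} is not a usable host address in {net}")
    if not net.is_private:
        problems.append(f"{net} is not a private range; all three ranges the setup suggests are")
    return problems
```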
0. Exit.
After finishing the system setup choose exit; the system will reboot
and may already be ready to work. (he-he-he. maybe :)
Boot Ballantain and make sure there were no messages on the screen
saying that you need to configure the network card.
Wipe the sweat from your brow - it seems you got lucky with the network card.
Shall we check the connection to the provider? Enter the command ping www.aha.ru
(may my very first provider forgive me for this).
In the 5th console (ALT+F5), in the system log, you can watch the
process of establishing the connection to the provider. Suppose you got lucky
once more - the connection to the provider is established, pings go through. You can
try telnet. Does it work? Congratulations, most of the job is done.
Let's move on to configuring the clients - Windows 95.
If you enabled the DHCP server when configuring Ballantain, everything
will be not just simple but very simple. Just add the TCP/IP protocol
and tick that this computer obtains its IP address automatically.
Reboot Windows, run the program winipcfg and make sure your
Windows client has received all the necessary addresses from the DHCP server, then
check that pings go from the client to Ballantain. In a DOS window run the
command ping 10.10.10.1 (or whatever address you gave Ballantain)
We will not cover manual TCP/IP configuration of Windows 95,
counting on you being advanced enough to do it yourself when
necessary.
If you use the DHCP server it will be a good idea never to switch off
the computer with Ballantain, just like any other server.
That is basically all. Start, for example, Internet Explorer and try to
open some page. Most likely the first packet from Internet
Explorer will be eaten and you will have to request that page again.
The behaviour of diald (the daemon that dials the provider on
demand) can be controlled with the command control, or from the local network via telnet.
Switching between Linux consoles: Alt+F1, Alt+F2, Alt+F5.
The address and interrupt number for plug&play 3com cards are simply ignored,
so do not worry about them.
Q. Where, to whom and how much do I have to pay for this?
A. If you live anywhere in the world except the United Arab Emirates
you do not have to pay anything. In other words it is a freebie, that is, for free.
But if you are unlucky and live in the UAE... well, you are unlucky...
write me, we will come to an agreement.
Q. How are things with security?
A. It varies. The system is protected as much as possible (as far as I could manage :) from
the Internet side and a little from the inside.
Protection from the Internet side comes from the absence of any services
(inetd, in.ftpd etc) and strict forwarding/masquerading rules.
There are only two services, telnetd and dhcpd, but both serve only
the local network.
On the inside there is weak password protection against dummies, so
it makes sense not to let anyone near the computer with Ballantain (as with
any other server, for that matter) and of course never to give anyone the disk with
a configured Ballantain (always give friends the original only).
Passwords are stored in bzip2-compressed form in the files:
access.cfg - passwords for console and telnet access
for two users: root and user.
root naturally has all rights,
user - only control of diald
The initial passwords (in the distribution) - root and user
They can be changed with the passwd command
chat.cfg
pap.cfg - bzip2-compressed password for access to the provider.
Changed when configuring the ISP in setup.
Q. I have found a bug and would also like to suggest .... What do I do?
A. Write to the author svs@hempseed.com
Q. I would like Ballantain to also work as a
file server. I heard there is a Novell emulator called mars;
could you build it into Ballantain?
A. No, we could not. Firstly, the system already struggles to run on a
computer with 8M of memory, and secondly Ballantain was created to solve
a quite specific task, which it does. If you need something more,
buy a 40M hard disk and install a less toy-like Linux on it :)
Q. But I still miss something in Ballantain, maybe a second Ethernet?
A. The Ballantain project is closed for good; try turning your attention
to the FREESCO project - a router for networks with static routing.
FREESCO will support up to 3 Ethernet adapters and up to two modems,
one for incoming/outgoing calls, the other for incoming only.
At the moment (17-05-99) FREESCO is not ready yet, but several screenshots
are already on the home page. I hope to release FREESCO
within a month.
A bit of technical information.
Kernel - v2.0.35 + IP masquerade + FPU emulation
Filesystems - ext2, msdos
diald - v0.16.5
pppd - v2.3.5
umount - from RedHat 5.1
Utilities - mostly from the Slackware '96, '97 distributions
Last-modified: Wed, 19 May 1999 15:55:47 GMT