ADSL and Linux 2.4

NekoHako

Main

New Site

Tech

WinCE

Software

id3tool

CrossCGI

Telxon1194

xfpd

twiddled

SAIS-xf

Valid XHTML 1.0!

Valid CSS!

ADSL and Linux 2.4 can be done using the Roaring Penguin PPPoE drivers, or by using the new Linux 2.4 kernel PPPoE.

If you want to use the Roaring Penguin client, then use Becsta's ADSL via Roaring Penguin instructions, and skip through to the IP Tables section, otherwise read on!

If you can't follow these instructions - you probably want to use the Roaring Penguin client. Native PPPoE on Linux 2.4 will get easier with time when the patches are `finalised'.

Preparation

You will need to prepare a Linux 2.4 kernel and iptables, and pppd to use the kernel-native PPPoE.

From Source

  1. Download a working 2.4 kernel source, iptables, and the patched PPPD source.

  2. Unpack the kernel source and the iptables source

  3. Configure your kernel (do not build it). Make sure you include Experimental Drivers, PPP, PPPoE, Packet Socket and I strongly advise Socket Filtering too.

  4. If you want to route other machines, then you need to enable Netfilter, connection tracking and NAT. You will also need to enable the TCPMSS match and target modules for iptables.

  5. Now build your kernel and modules, and install them. Also build and install iptables if you plan to use the machine as a router.

  6. Now, unpack and build the patched PPPD, and install it.

    The patched PPPD sources will build the pppd, and the pppoe plugin.

Now you should have all the components ready to get your ADSL link up.

Configuring PPPoE

Now comes the first easy part so far.

  1. edit your /etc/ppp/options file, and append to it:

    plugin /usr/lib/pppd/plugins/pppoe.so
    	

    This configures pppd to use the pppoe plugin to allow you to start PPPoE sessions directly.

  2. Now, create a /etc/ppp/options.<interface> file (where <interface> is the interface name of your ethernet card that is connected to your ADSL modem).

    This is a PPP options file that is specficially for the interface you used in the filename. It overrides the defaults in /etc/ppp/options.

    Your new options file should read (at a minimum):

    name <username>@bigpond
    mtu 1492
    mru 1492
    noipdefault
    defaultroute
    	

    Consult the ppp manpages and use them to decide if you want to add any additional options.

  3. Now you need to set up your /etc/ppp/chap-secrets file.

    The chap-secrets file contains your username/password pairs for use in PPP authentication.

    You should add to this file, a line like:

    "<username>@bigpond" * "<password>"
    	

    The first section (the username) must match the one you used in your ppp options file.

  4. Bring up the interface using:

    # ifconfig <interface> up
    	
  5. Now, you are ready to start the pppd, and bring up the connection.

    You want to start watcing your log files to make sure everything is working, and so you have some idea if something is going wrong. (This nearly worked first time for me, so I don't know what error messages you're likely to see).

    To start PPPoE, type:

    # pppd <interface>
    	

    It should all run through fairly quickly, and if all is well, you should be able to run ifconfig and see the ppp interface running!

IP Tables (Security)

Next, you probably want to instigate some firewalling to protect your machine.

NOTE/DISCLAIMER: This is only intended as a rough guide - You may use these instructions, but if you do, you do so at your own risk. I provide no guaranty of suitability to task, etc.

Thanks to the changes in Linux 2.4's firewall code, its a lot easier to get a functional firewall up quickly using State tracking.

However, iptables is more complicated than ipchains - You should read Rusty's unreliable guide to iptables before proceding.

A fairly safe, basic, ruleset to protect your machine [assuming that your ADSL interface is ppp0] would read:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -m limit -j LOG
    

You would need to load at least the ip_conntrack, iptable_filter and ipt_state modules, and would probably want to load the ip_conntrack_ftp module too.

These rules should block incoming traffic which isn't associated to a connection which you've initiated from your machine. It will also log [with rate limiting to prevent overflowing your logs] any other packets sent to your machine.

These rules provide no additional protection for machines routed via your router however.

IP Tables (NAT)

If you want to run a NAT for your machines behind your router, then you want to read Rusty's unreliable guide to Linux 2.4 NAT before proceding.

NAT in linux 2.4 is different to Masquerading in Linux 2.2 - you don't set up the masquerade in the FORWARD chain, but rather, in the NAT tablespace.

However, you still need to configure your FORWARD chain correctly.

The Simplest NAT configuration consists of:

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    

which simply applies a Source NAT on any traffic outbound on ppp0 to the address of ppp0, and marks the connections as dead if the interface drops. This is generally what you want when NATing on a dynamically allocated IP.

You'll also need to enable IP forwarding either by editing /etc/sysctl.conf on RedHat 7 or Debian 2.2, or by using:

# echo "1" > /proc/sys/net/ipv4/ip_forward
    

However, due to ADSL icky-ness, you will need to use the TCPMSS module to clamp the TCP MSS so your TCP connections work correctly. (Note: Roaring Penguin PPPoE can do MSS clamping internally - you won't need this rule if you're using Roaring Penguin)

You can do this using the rule:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    

iptables (DNAT)

DNAT replaces ipmasqadm autofw. If you want to run inbound connections to hosts behind your firewall, you now use the DNAT target in the PREROUTING chain in the NAT tablespace.

For example, you can DNAT web connections to a machine inside your subnet using a rule like:

iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to-destination <web server ip>
    

This is better documented in the Rusty's Linux 2.4 NAT howto.

Updates

27 Sep 2002

I'm no longer using PPPoE for ADSL connectivity. I've removed a bit of obsolete information from here, and the very obsolete packages. If you wish to send me corrections, please do and I'll update the page.

1 Jun 2001

Due to recent changes in Telstra's end of the ADSL network, I've found its now necessary to specify the PPPoE server. In North Sydney, I'm using:

pppoe_ac_name nkt1-kent

You can use the Roaring-Penguin client with the -A flag to find out what servers are availible.