Note: The method and instructions for this guide have been very kindly provided by Jérôme Mathevet for inclusion on this website. Many thanks Jérôme.
You can contact Jérôme with the following email address: speedsterh@DUMPTHISBITyahoo.com
This is how I used my 486DX66 PC as a router to the internet for my home LAN. I used a null-modem connection from my A5000 to the PC, and a RedHat 6.0 distribution (this is necessary, as earlier versions don't have ipchains or don't have dial-on-demand pppd). The PC is connected to the modem. (If you have two serial ports on your PC and you use a serial mouse, then you'll have to fit another serial port to the computer, since one serial port is connected to the modem and the other to the A5000.)
Masquerading is the process of letting machines on a LAN access the Internet transparently, by rewriting packet headers. If you want to know more about this, read the IP-Masq HOWTO from your Linux distribution.
The benefits of doing this include:
- All machines on the LAN can share the connection to the Internet simultaneously without having to use separate ISP accounts (no proxy is needed, but a local proxy is an advantage for web browsing).
- Unixlib programs don't lock up the machine while using PPP (e.g. !CVS).
- You can do DHCP, which isn't widely supported on RISC OS (for connecting cable modems, etc).
- It's far better than Win98 masquerading, which makes your connection slower and doesn't work for things like IRC DCC file transfers.
- You can sort out PPP incompatibilities between your ISP and your machine (Acorn's PPP being very old now). Some new commands were introduced in the later versions of pppd and I guess the protocol has changed a little (?). That's how I explain why I cannot log on to my ISP except with my Linux box, anyway.
- The transfer rates are a little better (I use an A5000 limited to 19200 whereas the PC can go up to 57600 and more).
(Many comments above courtesy of Peter Naulls)
There was (and there still is) a tool called diald to do dial-on-demand, but the dial-on-demand code has been included in pppd, so there's no need to use diald anymore. Secondly, although a lot of people recommend using wvdial (command-line or GUI utility ?) for manual connection, wvdial wouldn't integrate well with demand-dialling pppd, so I have to stick to chat and pppd.
The set-up is like this:
I will assume that you have already set up your RISC OS computer, according to the instructions on this website.
1) Prevent unsolicited access to your machine's services (on the Linux box)
First up, you have to make sure you're not opening your hard drives (or worse) to the rest of the world; you can never know. This is not an issue on a RISC OS machine, because very few servers are available for it (but if you run Nahavo, SmbServer or other such software, disable them). On Linux though, you almost certainly already run some telnet or ftp server. This can be dangerous.
Packages to install: tcp-wrapper, ipchains, ...
(i) Disable the SMB service with Linuxconf
If you had Samba running while connected to your ISP, someone could potentially read the shared files, which is obviously not what you want. SMB must be started by the inetd daemon (through tcpd, so that the access rules of the next step apply to it). So make sure you have the netbios services defined in /etc/services:
netbios-ssn 139/tcp
netbios-ns 137/udp
and the following in /etc/inetd.conf:
# Samba
netbios-ssn stream tcp nowait root /usr/sbin/tcpd smbd
netbios-ns dgram udp wait root /usr/sbin/tcpd nmbd
(ii) Only allow connections from your LAN machines
By default, all services provided by your machine are accessible to anyone who requests them (telnet, ftp, etc ...). You can restrict access to such services by editing the files /etc/hosts.allow and /etc/hosts.deny.
/etc/hosts.allow must contain one line:
ALL: 192.168.1.
This will serve all the machines on your LAN (192.168.1. means the class C network 192.168.1.0/24).
/etc/hosts.deny must contain one line:
ALL: ALL
This will block any machine not authorised in /etc/hosts.allow.
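As an added illustration (not part of the original guide), the following shell functions model how tcpd evaluates the two files above: hosts.allow is consulted first and a match grants access, then hosts.deny, and a client matching neither file is allowed, which is why the "ALL: ALL" line is needed. The file contents are embedded as constructed strings, identical to the lines recommended above, so the check runs without touching /etc; daemon names such as in.telnetd are sample values.

```shell
#!/bin/sh
# Added example: a model of tcpd's hosts.allow / hosts.deny decision.
# Constructed copies of the two files recommended on the page.
HOSTS_ALLOW="ALL: 192.168.1."
HOSTS_DENY="ALL: ALL"

# addr_matches PATTERN ADDRESS: the subset of tcp_wrappers client syntax
# used here. ALL matches anything; a pattern ending in "." is a prefix
# match on the numeric address (so "192.168.1." does NOT match 192.168.10.5).
addr_matches() {
    pat=$1; addr=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$addr" in "$pat"*) return 0 ;; esac; return 1 ;;
        *)   [ "$pat" = "$addr" ] ;;
    esac
}

# file_matches CONTENT DAEMON ADDRESS: succeed if any "daemons: clients"
# line of CONTENT matches the daemon and the client address.
file_matches() {
    daemon=$2; addr=$3
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac     # skip blanks and comments
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clist=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        for d in $dlist; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $clist; do
                addr_matches "$c" "$addr" && return 0
            done
        done
    done <<EOF
$1
EOF
    return 1
}

# tcpd_decision DAEMON ADDRESS: prints "allow" or "deny" following tcpd's
# order of evaluation: allow file, then deny file, then default allow.
tcpd_decision() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Sample clients (constructed): a LAN host, a host on a neighbouring
# 192.168.10.0/24 network, and an outside address.
for client in 192.168.1.5 192.168.10.5 203.0.113.9; do
    echo "in.telnetd from $client: $(tcpd_decision in.telnetd "$client")"
done
```

Two caveats a practitioner should keep in mind: tcpd only sees services that inetd starts through it, so a daemon started standalone (Samba run from its own init script, for instance) is not covered; and the decision is based on the source address of the connection, which is exactly why the firewall in step (iii) rejects packets arriving on the external interface that claim a LAN source.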
(iii) Set up a masquerading firewall
There's a ready-to-use example in the IP-MASQUERADING HOWTO provided in the RedHat distribution. All you've got to do is adapt it to your needs (in particular, watch out for the internal/external range of addresses and the interface names). In the following example, ppp0 refers to the interface for the internal LAN, and ppp1 refers to the interface used for the dial-up connection to your ISP. On my machine, it looks like this (file /etc/ppp/MASQ.firewall; changes from the HOWTO example were marked in bold type):
#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall
# ruleset.

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented from loading.

# Needed to initially load modules
# (Very processor intensive, and I think it's optional - must be done already
# at startup I think)
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT
# method
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP. Without this module
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default. This
# module is for multiple users behind the Linux MASQ server. If you are
# going to play Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Specify your Static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset
# understand your IP address everytime you get a new IP. To do this,
# enable the following one-line script. (Please note that the different
# single and double quote characters MATTER).
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need** to enable
# the #ed out command below underneath the PPP section AND replace the word
# "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1,
# etc) on the lines for "ppp-ip" and "extip". It should be also noted that
# the DHCP server can change IP addresses on you. To fix this, users
# should configure their DHCP client to re-run the firewall ruleset
# everytime the DHCP lease is renewed.
#
# NOTE #1: Some newer DHCP clients like "pump" do NOT have this ability
# to run scripts after a lease-renew. Because of this, you need to replace
# it with something like "dhcpcd" or "dhclient".
#
# NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
#
# Older versions used syntax like:
# dhcpcd -c /etc/rc.d/rc.firewall eth0
#
# Newer versions use syntax like:
# dhcpcd eth0 /etc/rc.d/rc.firewall
#
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when
# a PPP connection comes up. Because of this, we can make the ruleset go
# and get the new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a
# line containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up script, you need to create the
# following link to run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below *
#
#
# PPP and DHCP Users:
# -------------------
# Remove the # on the line below and place a # in front of the line
# after that.
extip="`/sbin/ifconfig ppp1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

# For PPP users with STATIC IP addresses:
#
#extip="your.static.PPP.address"

# ALL PPP and DHCP users must set this for the correct EXTERNAL interface
# name
extint="ppp1"

# Assign the internal IP
intint="ppp0"
intnet="192.168.1.0/24"

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
# firewall timeout in ICQ itself)
#
ipchains -M -S 7200 10 60

#############################################################################
# Incoming, flush and set default policy of reject. Actually the default
# policy is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F input
ipchains -P input REJECT

# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT

# remote interface, any source, going to permanent PPP address is valid
#
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT

# loopback interface is valid.
#
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F output
ipchains -P output REJECT

# local interface, any source going to local net is valid
#
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT

# outgoing from local net on remote interface, stuffed masquerading, deny
#
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT

# anything else outgoing on remote interface is valid
#
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid.
#
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default
# policy is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F forward
ipchains -P forward DENY

# Masquerade from local net on local interface to anywhere.
#
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#End of file.
and make it executable for root-only with:
chmod 700 /etc/ppp/MASQ.firewall
chown root /etc/ppp/MASQ.firewall
chgrp root /etc/ppp/MASQ.firewall
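Before loading a ruleset like the one above, it helps to be able to say what each chain will do with a given packet. The following shell script is an added example (neither the author's nor the HOWTO's code): it walks the input, output and forward chains in exactly the order MASQ.firewall appends its rules and prints the verdict. Interface and network names are the ones used on this page; extip is a constructed address from the documentation range, standing in for the ISP-assigned one, and the sample packets are constructed too. Note that in ipchains the forward chain's -i names the interface the packet will leave on, so "-i ppp1" there means "LAN traffic heading out to the ISP".

```shell
#!/bin/sh
# Added example: dry-run walk of the three chains of MASQ.firewall.
# Same variable names as the page's script; extip is a constructed sample.
extint="ppp1"
intint="ppp0"
intnet="192.168.1.0/24"
extip="203.0.113.7"

# cidr_match NET/BITS IP: succeed if IP lies inside the network.
# Handles the prefix lengths the ruleset uses (/0, /24, /32) plus /8 and /16.
cidr_match() {
    net=${1%/*}; bits=${1#*/}; ip=$2
    case "$bits" in
        0)  return 0 ;;
        8)  [ "${net%%.*}" = "${ip%%.*}" ] ;;
        16) [ "${net%.*.*}" = "${ip%.*.*}" ] ;;
        24) [ "${net%.*}" = "${ip%.*}" ] ;;
        32) [ "$net" = "$ip" ] ;;
        *)  echo "cidr_match: unsupported prefix /$bits" >&2; return 2 ;;
    esac
}

# match_rule IFACE SRC_NET DST_NET: succeed if the packet held in
# p_if/p_src/p_dst matches one "ipchains -A ... -i IFACE -s SRC -d DST" rule.
match_rule() {
    [ "$1" = "$p_if" ] || return 1
    cidr_match "$2" "$p_src" && cidr_match "$3" "$p_dst"
}

# decide_input IFACE SRC DST: verdict of the input chain, first match wins.
# The last line stands for the logged catch-all "-l -j REJECT".
decide_input() {
    p_if=$1; p_src=$2; p_dst=$3
    match_rule "$intint" "$intnet"  0.0.0.0/0   && { echo "ACCEPT lan"; return; }
    match_rule "$extint" "$intnet"  0.0.0.0/0   && { echo "REJECT anti-spoof"; return; }
    match_rule "$extint" 0.0.0.0/0  "$extip/32" && { echo "ACCEPT to-extip"; return; }
    match_rule lo        0.0.0.0/0  0.0.0.0/0   && { echo "ACCEPT loopback"; return; }
    echo "REJECT catch-all"
}

# decide_output IFACE SRC DST: verdict of the output chain.
decide_output() {
    p_if=$1; p_src=$2; p_dst=$3
    match_rule "$intint" 0.0.0.0/0  "$intnet"   && { echo "ACCEPT to-lan"; return; }
    match_rule "$extint" 0.0.0.0/0  "$intnet"   && { echo "REJECT bad-routing"; return; }
    match_rule "$extint" "$intnet"  0.0.0.0/0   && { echo "REJECT unmasqueraded"; return; }
    match_rule "$extint" "$extip/32" 0.0.0.0/0  && { echo "ACCEPT"; return; }
    match_rule lo        0.0.0.0/0  0.0.0.0/0   && { echo "ACCEPT loopback"; return; }
    echo "REJECT catch-all"
}

# decide_forward OUT_IFACE SRC DST: verdict of the forward chain. Only the
# listed rules are modelled; replies to masqueraded connections, which the
# kernel's masquerading table rewrites, are not.
decide_forward() {
    p_if=$1; p_src=$2; p_dst=$3
    match_rule "$extint" "$intnet" 0.0.0.0/0 && { echo "MASQ"; return; }
    echo "REJECT catch-all"
}

# Walk a few constructed packets when run directly.
for pkt in "input ppp1 192.168.1.5 203.0.113.7" \
           "input ppp0 192.168.1.5 198.51.100.1" \
           "forward ppp1 192.168.1.5 198.51.100.1" \
           "output ppp1 192.168.1.5 198.51.100.1"; do
    set -- $pkt
    printf '%-8s in=%-5s %-15s -> %-15s : %s\n' "$1" "$2" "$3" "$4" "$(decide_$1 "$2" "$3" "$4")"
done
```

The packets worth trying are the ones the rules are there for: a packet arriving on ppp1 with a 192.168.1.x source (spoofed, rejected and logged), an outside packet addressed to a LAN address rather than to extip (catch-all), and a LAN packet leaving ppp1 unmasqueraded (which only happens if the MASQ rule failed to fire). A source such as 192.168.10.5 on ppp0 also shows that "192.168.1.0/24" does not cover neighbouring private networks.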
2) Prepare connection scripts
(i) Prepare the connection script /etc/ppp/isp_connect (<username> refers to the name you're known by to your ISP, and /dev/ttyS0 is the serial port your modem is connected to):
#!/bin/sh
exec /usr/sbin/pppd connect '/usr/sbin/chat -v -f /etc/ppp/chat-isp' \
    -detach crtscts modem defaultroute user <username> \
    /dev/ttyS0 lock 115200 idle 90 mtu 1500
This script will only be used for a manual connection to the Internet. Once everything works as expected, you don't need it anymore.
(ii) The file /etc/ppp/chat-isp will contain the strings to be expected and to be sent. Replace the number following ATDT with your ISP's phone number:
TIMEOUT 5
"" AT&B1&N0&S1&Y1&D2&C1M0
OK ATDT4125678
ABORT "NO CARRIER"
ABORT BUSY
ABORT "NO DIALTONE"
ABORT WAITING
TIMEOUT 60
CONNECT ""
Remark: The AT sequence on line 2 is the init string of my modem. You may have to use something else in your case (ATZ for instance).
(iii) Create or edit the file /etc/ppp/pap-secrets (replace username and password with the ones your ISP gave you):
# Secrets for authentication using PAP
# client server secret IP addresses
<username> * <password>
(iv) Edit the file /etc/ppp/options-net:
connect '/usr/sbin/chat -v -f /etc/ppp/chat-isp'
-detach
57600
demand
lock
crtscts
defaultroute
10.0.0.1:10.0.0.2
ipcp-accept-local
ipcp-accept-remote
idle 60
modem
user joe
name joe
Note: Replace joe with your ISP account name. The important options here are demand and the two ipcp-accept-* options (the 10.0.0.1:10.0.0.2 pair is only a placeholder that lets the link come up on demand; the ISP's real addresses are accepted when the call is actually made).
(v) Create or edit the file /etc/ppp/ip-up.local:
#!/bin/sh
extif="`ifconfig ppp1`"
case "$extif" in
ppp1*)
    /etc/ppp/MASQ.firewall
    ;;
*)
    echo "Firewall not enabled"
    ;;
esac
and make it executable for root only with:
chmod 700 /etc/ppp/ip-up.local
chown root /etc/ppp/ip-up.local
chgrp root /etc/ppp/ip-up.local
Why is there a 'case', you will ask? Well, the trouble is that in this setup the ppp0 interface is brought up first, so /etc/ppp/ip-up.local is already run once when the RISC OS machine connects to the Linux one. At that point the firewall is not set properly (because it relies on the ppp1 interface being present to get the dynamic IP address from your ISP), so all outgoing packets fall into a bucket and dial-on-demand fails. With the test in /etc/ppp/ip-up.local, things work like a dream.
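To make the failure mode above concrete, here is an added example (not the author's script) that feeds the same extraction pipeline MASQ.firewall uses for extip with constructed ifconfig output, once for a ppp1 that is up and once for the case where ppp1 does not exist yet, and wraps it in the precondition check that the 'case' in ip-up.local provides. The address 203.0.113.7 is a constructed documentation-range value standing in for the ISP-assigned one.

```shell
#!/bin/sh
# Added example: why ip-up.local must check for ppp1 before running the firewall.

# Constructed sample of old-style "ifconfig ppp1" output while the ISP link is up.
SAMPLE_UP='ppp1      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# What the pipeline sees when ppp1 is not up yet (the ip-up run triggered by
# ppp0): ifconfig complains on stderr and prints nothing on stdout.
SAMPLE_DOWN=''

# extip_from_listing LISTING: the exact grep/awk/sed pipeline of MASQ.firewall,
# applied to a captured listing instead of a live ifconfig call.
extip_from_listing() {
    printf '%s\n' "$1" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# firewall_ready LISTING: succeed only if a usable external address was found.
# Without this guard extip is empty and the rule "-d $extip/32" degenerates
# to "-d /32", which is the state the paragraph above describes.
firewall_ready() {
    ip=$(extip_from_listing "$1")
    case "$ip" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) echo "external address not available; firewall not enabled" >&2; return 1 ;;
    esac
}

# Exercise both cases when run directly.
for listing in "$SAMPLE_UP" "$SAMPLE_DOWN"; do
    if firewall_ready "$listing"; then
        echo "would run MASQ.firewall with extip=$(extip_from_listing "$listing")"
    fi
done
```

The same guard is useful in the other direction: pppd also runs /etc/ppp/ip-down (and on RedHat, ip-down.local if present) when the link goes away, so a teardown script hooked there, rather than a reboot, is the natural place to reset the rules when the ISP address disappears.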
(vi) From now on, if all goes well, you can make a connection to your ISP with (as root): /etc/ppp/isp_connect. Test this before going any further.
(vii) If the manual connection to your ISP works, add the following lines to your /etc/rc.d/rc.local file:
/usr/sbin/pppd /dev/ttyS0 file /etc/ppp/options-net
/etc/ppp/MASQ.firewall
/etc/ppp/MASQ.firewall.down
(viii) Reboot now as this will make things easier.
3) Check that the masquerading works from your RISC OS machine
(i) Run !Internet, and run !System.Modules.Network.Resolver if it's not done already. Type at the CLI:
*Set Inet$Resolvers <IPs_of_your_ISP_name_servers>
*Resolverconfig
Your RISC OS machine should now be ready to access the internet transparently (write a small obey file to do the above automatically, or insert the lines in a sensible place in !Internet.!Run).
(ii) Type ping <any_web_site> to see if you can access the Internet. Normally, your modem's LEDs will turn on and a connection to your ISP will be initiated. A while later, your ping will either output an error or you will get timings for the packets coming back. Now you will probably be able to telnet to your provider (with !FreeTerm), ftp to your favourite place and even try browsing the internet. If everything works as expected, congratulations: your PC is now a router to the internet.
(iii) When no packets are sent or received by the modem for a while (idle time set to 60 s in /etc/ppp/options-net), the connection will be dropped. You can also manually switch your modem off. Normally, you should be able to reconnect to your ISP with a ping, but there's a snag: the firewall is no longer valid and prevents packets from reaching your ISP. If you know how to disable the firewall when pppd shuts down the connection, please tell me. At the moment, my various workarounds are either rebooting the Linux box (!) or telnetting to the Linux box and manually disabling the firewall with a script.
4) Any comments? If you want to contact me to improve this text or otherwise, use the email address at the top of the page.