The Problem
An office which has only a single Ethernet port has two systems which need to
communicate with the Internet. One system is a Linux box (ac01) and the
other is a Windows box (ac04).
Two potential solutions were considered and tested. They are described below.
Config 1: Ethernet Bridge
In this configuration, both ac01 and ac04 have 10BaseT Ethernet connections
to an Ethernet hub. (The hub used is a 5-port hub from Linksys, but any
10BaseT hub with an uplink port will do.) ac01 was connected to port 3,
ac04 was connected to port 4, and the uplink port was connected to the
Ethernet port in the wall. No configuration changes were needed for
either ac01 or ac04.
The advantage of this configuration is that it is easy to set up, and that
it works for all traffic (i.e., IP and NetBEUI). The disadvantages are:
- It might not work consistently. Ethernet bridges using cheapo
hubs can only be nested two (or sometimes three) layers deep. Because we
don't know or control what is "behind the wall", Ethernet integrity
cannot be guaranteed.
- System administrators hate it when users mess with their network
layout. If they don't control the number and connections of all hubs,
they can't be sure their network will be stable. Any problems they do
have will be difficult to track down.
- Two IP addresses must be assigned by the system administrator (one
each for ac01 and ac04).
Due to the above problems, it is recommended that this solution not be
implemented unless the following solution is not available for some
reason (such as not having sufficient Ethernet cards in the Linux box).
Config 2: IP Masquerade
In this configuration, there are two Ethernet cards in the Linux box (ac01),
with one card connected to the Ethernet port in the wall and the other to
port 3 of a local Ethernet hub. (The hub used is a 5-port hub from
Linksys, but any 10BaseT hub will do.) The Windows box (ac04) has one
Ethernet card, which
is connected to port 4 on the local Ethernet hub. The IP configuration
of each system is changed as described below.
The advantage of this approach is that it does not affect the campus
Ethernet network layout and does not require any system administrator
participation or even knowledge of the setup (assuming one IP address
has already been assigned, which is expected since the office has an
Ethernet port). The disadvantages are that
it requires some significant configuration work, particularly on the Linux
system, and that only IP will work on the Ethernet system (NetBEUI
will not be forwarded).
The following steps were followed to add a second Ethernet card to ac01,
install and configure IP Masquerade (via IP Chains),
and configure the IP address on ac04.
Note that this procedure assumes the Linux system is running the
2.2 kernel. Systems running Linux 2.3 or 2.4 should use the NetFilter
utility to configure IP masquerading. See http://ipmasq.cjb.net/ for
more information.
- Shut down ac01 and install a second Ethernet card in the system. If
you already have two cards installed and recognized in your Linux system,
skip to configuring IP on the second Ethernet. In
the test system, a 3COM 3C509 Ethernet adapter was used; the DOS device
configuration utility I used didn't seem to work with other 3COM adapters.
-
Put a DOS boot diskette in the diskette drive and boot off it. (You may
need to reconfigure the boot device during booting to get the system
to boot off the diskette.)
-
Put a 3COM Configuration Diskette in the diskette drive. Enter A:\menu.bat
to start the configuration utility. Set the IRQ and IO address to
unused values.
It took a number of tries for me to find IRQ and IO addresses that did not
conflict with other devices. Even when the utility reported no conflict,
I got conflicts after booting Linux. The values that finally worked were
IRQ 7 and IO address 0x380. Your mileage may vary.
-
Remove the diskette from the drive, and reboot (off the hard disk). When
the "boot:" prompt is displayed, enter the following:
linux ether=9,0xff00,eth0 ether=7,0x380,eth1
where the first set of parameters is determined by your first ethernet
card and the second set by the one you just installed. If you don't
know the parameters of the first card, try the above or IRQ 10 and
IO address 0x300.
-
When linux has finished booting, log in and bring up a terminal window.
-
Edit the /etc/conf.modules file to add:
alias eth1 3c509
options eth1 irq=7
Note: If both ethernet adapters use the same driver (3c509), then
you must rename them so that the system doesn't try to load both
under the same name. Replace the options line above with:
options eth0 -o 3c509-0
options eth1 -o 3c509-1 irq=7
-
Enter "/sbin/modprobe eth1". It should execute without errors.
Check whether both Ethernet devices are recognized by:
- Enter "/sbin/lsmod". Both Ethernet drivers should be listed.
- Enter "/sbin/ifconfig -a". Both Ethernet interfaces should be
listed, although eth1 is not yet configured.
-
Configure IP on the new Ethernet adapter. This is the "internal" interface;
it connects to the local, internal Ethernet hub. Therefore a local
IP address can be used. Any address may be used as long as it starts with
10. It is common to use the same address as for the other (external)
interface, but with 10 replacing the first set of digits (e.g., if the first
interface uses address 125.59.108.34, use 10.59.108.34 for the second interface):
/sbin/ifconfig eth1 10.59.108.34 broadcast 10.59.108.255 netmask 255.255.255.0
If it says "resource temporarily unavailable" then there is probably
an IRQ or IO address conflict.
-
Reboot the system. Both Ethernet ports should be automatically recognized
and IP brought up on both.
-
Download IP Chains (which is what implements IP Masquerade) from
netfilter.filewatcher.org/ipchains. I used version 1.3.10.
-
Unpack ipchains:
- gzip -d ipchains-1.3.10.tar.gz
- tar -xvf ipchains-1.3.10.tar
- cd ipchains-1.3.10
-
Compile ipchains. If you don't have a compiler installed, copy
the file /sbin/ipchains from a system that does (such as ac01.enmu.edu).
- mv ipchains ipchains.orig
- make all
- make install
-
Create an ipchains ruleset. Either copy /etc/rc.d/rc.firewall from
a working system (such as ac01.enmu.edu) or go to ipmasq.cjb.net, click
on the IP Masquerade HOWTO, go to Section 3.2, and copy the sample
ruleset to a local file. Then modify the last line of the
ruleset to:
/sbin/ipchains -A forward -i eth0 -s 10.59.108.0/24 -j MASQ
The file should then be copied to /etc/rc.d/rc.firewall and the file
permissions changed to rwx for owner only:
chmod 700 /etc/rc.d/rc.firewall
-
Make sure the firewall starts on reboots by editing /etc/rc.d/rc.local to
add the following lines:
echo "Loading the rc.firewall ruleset..."
/etc/rc.d/rc.firewall
-
Reboot the system.
-
On the Windows system (ac04), bring up the networking configuration
window (My Computer->Control Panel->Network) and select TCP/IP and Properties.
Change the IP address to an address beginning with 10. I used
10.59.108.108.
- Change the Gateway address to be the address given to the internal
port on the Linux system (such as 10.59.108.34).
-
Reboot the Windows system.
-
At this point, you should be able to use a browser or other interface to
access the Internet from either system.
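The ruleset step above ends in a single MASQ rule for 10.59.108.0/24 on eth0. As an added example (not part of the original page or of the IP Masquerade HOWTO), the shell function below checks the text of a ruleset file so that the forward chain defaults to DENY and every MASQ rule is tied to the internal network and the external interface. The function name audit_ruleset and the sample ruleset are constructed for illustration, and the check assumes the ruleset sets its policy with a "-P forward DENY" line.

```shell
#!/bin/sh
# Added example: text-only audit of an ipchains ruleset file. It never runs
# ipchains, so the file can be checked before it is installed.

# audit_ruleset FILE INTERNAL_NET EXTERNAL_IF
# Prints one line per finding; returns the number of findings (0 = clean).
audit_ruleset() {
    file=$1; net=$2; ext=$3; findings=0
    # Matches an uncommented ipchains command, with or without /sbin/.
    pre='^[[:space:]]*[^#[:space:]]*ipchains[[:space:]]'

    # The last "-P forward" line wins, and it must set DENY so that only
    # the MASQ rule lets packets cross between the two interfaces.
    policy=$(grep -E "${pre}+-P[[:space:]]+forward[[:space:]]" "$file" | tail -n 1)
    case $policy in
        *DENY*) ;;
        *) echo "FINDING: forward policy is not DENY"; findings=$((findings + 1)) ;;
    esac

    # Every MASQ rule must name the internal source net and external interface.
    rules=$(grep -E "${pre}.*-j[[:space:]]+MASQ" "$file" | tr '\t' ' ' | tr -s ' ')
    [ -n "$rules" ] || { echo "FINDING: no MASQ rule"; findings=$((findings + 1)); }
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        case " $rule " in
            *" -s $net "*) ;;
            *) echo "FINDING: MASQ not limited to $net: $rule"; findings=$((findings + 1)) ;;
        esac
        case " $rule " in
            *" -i $ext "*) ;;
            *) echo "FINDING: MASQ not bound to $ext: $rule"; findings=$((findings + 1)) ;;
        esac
    done <<EOF
$rules
EOF
    return "$findings"
}

# Constructed sample: a ruleset that masquerades everything it forwards.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/sbin/ipchains -P forward ACCEPT
/sbin/ipchains -A forward -j MASQ
EOF
audit_ruleset "$sample" 10.59.108.0/24 eth0 || echo "findings: $?"
rm -f "$sample"
```

Run it against the candidate file before copying it to /etc/rc.d/rc.firewall; the exit status is the number of findings.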