This HOWTO explains a quick and easy way to take a KNOPPIX CD, a piece of PC hardware, and end up with a router/proxy/whatever (not needing the CD anymore).
This page is here mainly because this way I can cut'n'paste it when I need it somewhere, myself. :-) It doesn't contain any particularly new information.
A PC with KNOPPIX/Debian installed on the hard disk, and some services like Squid, Bind, etc.
Use fdisk or cfdisk to create one EXT2 (type 82) and one SWAP (type 83) partition on the HDD. You do not need to format them. When I did it, those were the only partitions of those types (i.e., no other 82/83 partitions were present).

Run knx2hd and follow the dialog. Tell it to use the MBR for the boot record. knx2hd creates a boot loader that will recognize your other partitions and present a boot menu. But make a backup beforehand - knx2hd says it is experimental code. In my case, there was no data to worry about, and it worked fine.

Use /etc/init.d/isdnutils start or /etc/init.d/isdnutils stop to initialize or shut down your ISDN subsystem. /etc/init.d/isdnutils start does not bring up the connection immediately; the connection is only brought up once network traffic occurs. Use ping www.heise.de to check that ISDN comes up.

Use xisdnload or xmonisdn to see your connection state.

The connection is configured in /etc/isdn/ipppd.ippp0; the password is in /etc/ppp/pap-secrets.

In /etc/isdn/ipppd.ippp0 you can also enable kernel debugging; then check dmesg for what's going on.

Using the KNOPPIX ethernet wizard somehow seemed to go wrong; it tries to create a default route for the ethernet card, and to do some other things which did not seem compatible with the ISDN connection.
Therefore, I simply issue this command to bring up the ethernet interface (I put this in the boot.sh script, see below):
ifconfig eth0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
I assume the usual small local network:
ln -s /etc/init.d/bind9 /etc/rc5.d/S50bind9
TODO: describe how to configure bind. It is really optional anyway; its only purpose is so you don't have to enter a real DNS server on all clients. You won't need it if you're only using the server to proxy HTTP requests, or if you use NAT to let the clients connect to foreign DNS servers directly.
ln -s /etc/init.d/squid /etc/rc5.d/S50squid
Squid listens on port 3128 by default, so you have to enter that port on your clients (together with the IP address 192.168.0.1).
Edit /etc/squid/squid.conf and add these two lines in the appropriate places:
acl localnet src 192.168.0.0/255.255.255.0
http_access allow localnet
The first line goes behind all the other "acl" lines; the second line goes behind all the other "http_access allow" lines (and before the "http_access deny all").
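To show where those two lines end up, here is an added example of the relevant part of a squid.conf; it is not the HOWTO's own file. The surrounding acl and http_access lines are the stock defaults of a Squid 2.x configuration, and the http_port line is an extra setting not mentioned above: binding it to the LAN address means Squid never listens on the ISDN interface, so the box is not an open proxy even while the packet filter is not yet loaded.

```conf
# Listen on the LAN address only instead of on every interface (added hardening).
http_port 192.168.0.1:3128

# Stock Squid 2.x access lists ...
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# ... followed by the new one for the local network:
acl localnet src 192.168.0.0/255.255.255.0

# Stock rules; Squid takes the first http_access line that matches.
http_access allow manager localhost
http_access deny manager
http_access allow localhost
# The new allow goes after the existing allows ...
http_access allow localnet
# ... and before the catch-all deny, otherwise the LAN is refused as well.
http_access deny all
```

After editing, `squid -k parse` (Squid 2.x) reports syntax errors such as a missing acl type, and `squid -k reconfigure` reloads the file without dropping the cache.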
I have an additional script that is executed after boot; its main purpose is to play a sound when the machine is ready (no screen...).
#!/bin/bash
beep -f 440 -l 100
beep -f 880 -l 100
beep -f 660 -l 100
ln -s /root/boot.sh /etc/rc5.d/S99boot
You should probably not put this script in /root, but in /etc/init.d; I like to have all my little scripts in /root on machines which I visit only seldom, so I know at a glance where I have my own stuff.
The "beep" command is not available after initially installing KNOPPIX, but you can get it easily:
apt-get update
apt-get install beep
If the box has no screen attached, you can use "beep" in strategic places...
#!/bin/bash
for f in 220 330 440 550 660 770 880 ; do
    beep -f $f -l 100
done

#!/bin/bash
for f in 880 770 660 550 440 330 220 ; do
    beep -f $f -l 100
done
The machine I use has X disabled (rm /etc/rc5.d/S??kdm), and displays a "dialog"-based menu after startup, so non-Linux-savvy people can easily control the main functions of the server. This menu is a simple shell script which is run by init on tty1.
The technique is the same as shown in the KNOPPIX scripting HOWTO:
1:12345:respawn:/bin/bash -login -c /root/shell.sh >/dev/tty1 2>&1 </dev/tty1
This line needs to replace the old line starting with 1:...
To get a working shell.sh, take this one (shell.sh) and edit it to your needs. Useful entries are "bring up ISDN", "bring down ISDN", "start NAT", "stop NAT", "halt" or whatever you can think of.
My machine has no screen attached to it, but I know which letters are in the "dialog" menu, so I can press that letter + Enter blindly.
TODO: add a real shell.sh
Big security risk, don't use it if you don't trust everyone with physical access to the machine; it's a local root login without password protection.
The script state_http.pl is a small HTTP server; it needs no Apache or further server software. It allows you to bring connections up or down, and to halt/reboot the machine.
5:12345:respawn:/usr/bin/perl /root/state_http.pl
Big security risk, don't use it.
TODO
So far, no routing happens, that is, the other PCs on the local network can't connect to servers over the ISDN connection. They can use the Squid proxy for HTTP browsing though.
In any case, packet filtering makes sure that nobody from outside can connect to the Linux machine:
TODO
ln -s /root/packetfiltering.sh /etc/ppp/ip-up.d/packetfiltering
ln -s /root/packetfiltering.sh /etc/rc5.d/S20packetfiltering
(The link in /etc/ppp/ip-up.d gets a name without a dot because Debian's run-parts, which executes the scripts in that directory, skips file names containing one.)
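Since the packetfiltering.sh itself is still a TODO above, here is an added example of what such a script can look like; it is my example, not the HOWTO author's script. It assumes the setup described on this page (LAN on eth0 as 192.168.0.0/24, the ISDN link on ippp0) plus iptables and sysctl being installed; the function names (apply_filter, nat_start, nat_stop), the DRY_RUN switch and the nat-start/nat-stop arguments are my own choices. The host filter drops everything new arriving on the ISDN side (DROP rather than REJECT, so a scanner such as ShieldsUp gets no answer at all), lets replies to the box's own connections back in, and trusts the LAN; NAT is a separate, optional step, matching the "start NAT"/"stop NAT" entries suggested for shell.sh.

```shell
#!/bin/sh
# packetfiltering.sh: added example for this HOWTO, not the author's script.
# Assumptions: LAN on eth0 (192.168.0.0/24), ISDN dial-up on ippp0, iptables
# (2.4 kernel or later) and sysctl (procps) available.
# Policy: nothing new comes in from the ISDN side, replies to connections we
# opened are let back in, the LAN is trusted; NAT for the LAN is optional.

LAN_IF=eth0
WAN_IF=ippp0
LAN_NET=192.168.0.0/24
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}     # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Host filter: run at boot (S20packetfiltering) and again from ip-up.d whenever
# the ISDN link comes up, so a freshly dialed ippp0 is never left unfiltered.
apply_filter() {
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -F INPUT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    # Answers to connections the box opened itself (ping, apt-get, Squid fetches).
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything from the LAN: DNS (bind), Squid on 3128, the HTTP menu, ...
    run "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # DROP (not REJECT) on the dial-up side: port scanners see no reply at all.
    run "$IPT" -A INPUT -i "$WAN_IF" -j DROP
}

# "start NAT": masquerade the LAN behind the ISDN address and forward only
# LAN -> ISDN plus the replies. Without this the clients can still use Squid.
nat_start() {
    run "$IPT" -t nat -F POSTROUTING
    run "$IPT" -F FORWARD
    run "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

# "stop NAT": back to a non-routing proxy box (FORWARD policy is still DROP).
nat_stop() {
    run sysctl -w net.ipv4.ip_forward=0
    run "$IPT" -t nat -F POSTROUTING
    run "$IPT" -F FORWARD
}

# Dispatch only when executed under one of the packetfiltering names, so that
# shell.sh can source the file (". /root/packetfiltering.sh") and call
# nat_start / nat_stop directly without re-applying anything.
case "$0" in
    *packetfiltering*)
        case "$1" in
            nat-start) nat_start ;;
            nat-stop)  nat_stop ;;
            *)         apply_filter ;;   # "start" from rc5.d, interface args from ip-up.d
        esac ;;
esac
```

Run `DRY_RUN=1 /root/packetfiltering.sh` first to review the exact iptables commands before they are applied; `iptables -L -v -n` afterwards shows the counters, so a scan from outside should only ever increment the final DROP rule on ippp0.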
If everything is done right, then ShieldsUp or other similar services should not find anything to worry about on the machine.
TODO
If you're using this server in a high-risk situation (i.e., for a company, or with sensitive data on the local network), then you should "harden" it a bit more, even beyond the packet filtering. This is outside of the scope of this document though.
Clients using this server will enter 192.168.0.1 as their default gateway, DNS and HTTP proxy, that's it.