Fortunately (or unfortunately, depending on your relationship with your
local telecom company) the telephone company handles most of the heavy lifting
when it comes to getting Linux to work with an ADSL connection. I went
through the switch from standard dial-up not too long ago, so the
process is fresh in my mind. Here are some of the things I had to do.
- Call the ISP. This is pretty important. Sometimes they will offer
you Internet service and at the same time arrange for the telephone company to come over and install
a splitter, which allows you to use the same phone line for data
and voice. Be aware that if you accept their service, you may have to accept
the hardware they recommend (or force on you). There are two main connection
options: via router or via modem. They may pretty much oblige you to use one
or the other, even selling you their own hardware in the process. In the best
case scenario, ask if you can use hardware of your own choosing and then hope
they say yes.
- Choose a router or modem. If a modem isn't forced upon you, then the router
is the better choice. The basic reason is that a router is usually platform
independent: it doesn't matter what OS you're using, because you can configure
it over Telnet (in my case) or even from a web browser, which I have also seen
done. In my case, I chose a router that could filter out unwanted incoming
connections. This is very important for security because you're going to be
connected 24 hours a day. A router is also a great option for a small business
because it lets you share the connection between multiple computers painlessly.
- Get an Ethernet card. If you go the router route (pardon the pun), you're
going to need an Ethernet card. These cards are designed to connect computers
in a Local Area Network (LAN). My card of choice (because it was the only one
they sold in my area) is an NE-2000 clone: the Realtek 8029 PCI is the one in
the machines in my home office. It's a good one because most major
distributions detect it (they always have for me) during a standard Linux
install. Plus, even if you've never looked under the hood of your PC, you can
muster up your courage and install the card yourself. For the faint-hearted, I
have even heard of the telecom people doing this for you. You can also call
your local guru. I encourage people to do it themselves; it's a question of
using a small screwdriver. Once the card is in, you connect the router to it
so your PC can receive the data. If you've got more than one PC in the house,
you should get an Ethernet hub to distribute the connection between PCs.
Putting it all together
A picture speaks a thousand words, so I made a little drawing of my home
network to demonstrate what a possible setup might look like. (Graphics
courtesy of The GIMP; it's really too good a program for my poor artistic
skills!)
Two cables (red) come from the splitter. One is for the phone and one goes
to my router. One Ethernet cable (green) goes from the router to the hub. Other Ethernet cables
(blue) go from the hub to the PCs.
Now, to get on the highway
My home network is a private local area network, so each PC is assigned an
IP address, the number that computers identify themselves with. In case
you didn't know, when you go to www.linux.org, you're actually going to a
computer that has been assigned a number on the Internet. In my home, these
numbers start with 192.168 and then have two more numbers after that. The
numbers 192.168.X.X are reserved for private networks (so are 10.X.X.X and
172.16.X.X through 172.31.X.X), so you will have to use one of these ranges.
If you used any other numbers, they might conflict with numbers that are
actually out there on the Internet. I assigned my PCs the numbers 192.168.0.1,
192.168.0.2, 192.168.0.3 and 192.168.0.4 respectively.
Now, when the telecom people came to hook me up, I took out my router and
connected it to the data line coming from the splitter (see the picture). Then
I hooked up the router to the hub and one of my PCs to the hub. In my case,
the manufacturer had assigned the router the number 192.168.1.1 at the
factory, so as soon as I turned it on you could say, for all intents and
purposes, that I had another computer on my local network with the address
192.168.1.1. The router came with a program on a CD to configure the Internet
connection if you were using Microsoft Windows, or Telnet for another OS, like
Linux.
Before I used Telnet to access this router, I had to know what address my
telecom company had assigned to me for Internet purposes. That is to say, when
you use the Internet, you don't identify yourself to other computers with
192.168.X.X. With ADSL you are assigned a unique number with which to connect
to other computers, and it really has to be unique. It's a lot like running a
men's bowling team. If there are 20 members and 7 of them are named
Bob, then if someone announces that "Bob has the highest
score" there's going to be confusion. In my case, I was given a
unique number; let's say it was 20.20.20.20. Then I used Telnet to access the
router. I opened a terminal on my PC and typed:
telnet
then:
open 192.168.1.1
which was the local address the router came with by default. They
also furnished me with a default password, which I used to connect to the
router. (A default password is printed in the manual and is the same on every
unit of that model, so changing it is part of the setup, not an optional extra.)
Once in, I had a text mode menu (the best you can do with Telnet) and,
going by the router's manual plus my local telecom's instructions, I
assigned the router the unique Internet address my telecom had given
me, changed the router's own address to 192.168.0.5 to be more in sync
with my local network's numbering scheme, and changed the password used to
access the router. I saved the changes and exited. Now, at least,
I had ADSL service coming in to the router.
The final step was to tell the PCs where to get their Internet connection
from. I was using my workstation to configure the router, so I logically
started with that one. I run SuSE Linux on this machine, so I had to change 2
files: /etc/route.conf and /etc/resolv.conf. The changes I had to
make took all of 30 seconds.
First, in /etc/route.conf, I had to write the line:
default 192.168.0.5 0.0.0.0 eth0
which means that 192.168.0.5 is the default "gateway" to the
Internet, i.e. the machine this one routes through to get to the
outside. The fields are destination, gateway, netmask and device: 0.0.0.0 is
the netmask, all zeros because the default route applies to every destination,
and eth0 is the Ethernet card you installed, which is connected to the
hub, which is connected to the router.
Then I added two lines to my /etc/resolv.conf file.
nameserver 30.30.30.30
nameserver 40.40.40.40
These are not the actual numbers I was given; it's just an example to stand in
for the numbers your telecom company gives you. These are the primary and
secondary DNS servers. DNS stands for Domain Name System, and a name server is
a machine that translates names into the numbers the Internet actually uses.
That is to say, these computers know that www.linux.org is really a number
out there and they help you find it. Without these numbers, you wouldn't stand
a snowball's chance in hell of finding anything on the Internet. I learned this
fact in my haste to get the rest of the network set up. When I was configuring
the last computer, I forgot to change the /etc/resolv.conf file. When I fired
up my browser, it basically did nothing until I remembered to change that file.
If you're using Mandrake or Red Hat, instead of /etc/route.conf you'll have
to add two lines to /etc/sysconfig/network . These are the lines I added:
GATEWAY=192.168.0.5
GATEWAYDEV=eth0
The changes to /etc/resolv.conf are the same.
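As an added example (not from the original article), here is a small shell script that checks the numbering plan described above before you write it into route.conf or sysconfig/network: it verifies that each address is in one of the private ranges and that a host and the gateway it is about to be given actually share a subnet, which is the reason the router had to be moved from its factory 192.168.1.1 onto 192.168.0.x. The addresses are the article's; the /24 prefix length is an assumption, since the article never states the netmask used on the LAN.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the numbering
# plan for a home LAN before writing it into route.conf / sysconfig/network.
# Addresses are the article's; the /24 prefix is an assumption.

# Dotted quad -> 32-bit integer (no validation; feed it real addresses).
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if the address is in RFC 1918 private space:
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_private() {
    local n
    n=$(ip2int "$1")
    [ $(( n >> 24 )) -eq 10 ] && return 0
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0     # 172.16/12
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0   # 192.168/16
    return 1
}

# True if two addresses fall in the same subnet for prefix length $3.
same_subnet() {
    local mask
    mask=$(( (1 << 32) - (1 << (32 - $3)) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Check host $1 against gateway $2 under prefix length $3.
# Prints each problem found; returns the number of problems (0 = all good).
check_host() {
    local host=$1 gw=$2 prefix=$3 problems=0
    if ! is_private "$host"; then
        echo "$host: not an RFC 1918 private address; it may collide with a real Internet host"
        problems=$((problems + 1))
    fi
    if ! same_subnet "$host" "$gw" "$prefix"; then
        echo "$host/$prefix: gateway $gw is not on this subnet, so the default route will not work"
        problems=$((problems + 1))
    fi
    return $problems
}

# The situation in the article: the router ships on 192.168.1.1 while the
# PCs were numbered 192.168.0.1-4; then the router renumbered to 192.168.0.5.
echo "-- router still at its factory address:"
if check_host 192.168.0.1 192.168.1.1 24; then echo "ok"; fi
echo "-- router renumbered to 192.168.0.5:"
if check_host 192.168.0.1 192.168.0.5 24; then echo "ok"; fi
echo "-- a non-private address used on the LAN by mistake:"
if check_host 20.20.20.20 192.168.0.5 24; then echo "ok"; fi
```

The first case is why a PC on 192.168.0.x cannot be told to use 192.168.1.1 as its gateway with a /24 netmask: either the host temporarily takes a 192.168.1.x address to reach the router, or the router is renumbered, as the article does.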
You're on line - let's be careful out there
After doing all this, I was on line with all machines going out through the
router. I quickly disconnected all but one machine from the hub and, following
the instructions, set up some necessary security. This is important because
with ADSL you are a sitting duck for intruders. You may not think that your
little home network is important compared to some corporate website (and as a
target for hard-core hackers/crackers it really isn't), but there are a lot of
mischievous people with time on their hands who go around looking for
trouble. These people use tools they get off the Internet to scan addresses at
random to see if the machine at that address can be
"hacked". Most of these people, popularly known as "script
kiddies", seldom know how the software works and really don't care. They
just know they can do harm with it. As they say, a little knowledge is a
dangerous thing. IRC is a good place to chat with friends and also a good
place to inadvertently invite people to take a swipe at your machine. Most
people on IRC are there to socialize, seek technical help and even work and
collaborate on projects at a distance. But there are a few people with dubious
social skills who are on IRC just to be jerks. A lot of these are script
kiddies who like to get into feuds with people on channels. Seeing as IRC
normally shows your host name or address to everyone on a channel, and with it
a lot about where you are, you are somewhat vulnerable to these socially
unacceptable characters and what they may try to do to you. Remember, they
don't have to know how the program works, only what it does. Report any
threats to the channel operators. Sometimes the person's ISP figures in the
information IRC shows about them. Report them to their ISP or to the local
authorities if they threaten to do harm to your machine.
Security with ADSL
Security in Linux is way out of the scope of this beginners' course on
Linux. There are a couple of things that you can do without having to be a guru
on security to help secure your Linux box.
A brief explanation of ports
I was lucky in that my router has packet filtering built into it. Packets are
the chunks of data that go in and out of your computer when you're connected
to a network like the Internet. The people who designed the big network of
networks came up with the concept of ports, points of entry into a computer
from the outside. For example, web servers listen on port 80. If a user on a
network wants a web page from a server, their computer makes a request to port
80 on the server to send them the page. That's a pretty safe port. It has to
be; the WWW wouldn't function if it weren't. Actually, it isn't the port itself
that should be considered safe or unsafe, it's the software listening behind
it. Apache's web server is pretty safe. But, as we have seen with the famous
Code Red worm, Microsoft's web server IIS isn't. Telnet, for example, runs on
port 23. That's a port that I told the router not to accept connections to.
Telnet is a 'shell', a way to connect to a remote computer. The password you
send to log in via Telnet, even though you may see little asterisks (or
nothing) on the screen, travels across the network in clear text and can be
picked up easily by anyone who 'sniffs' the traffic. I also disabled my
computer's ability to accept connections via Telnet and substituted SSH, or
Secure Shell. SuSE Linux's most recent offering (v. 7.2 at the time of this
writing) enables SSH by default. SSH encrypts the remote connection, so nobody
in between can read the password or what you type. Note what that does and
doesn't buy you: it stops eavesdropping, but sshd still accepts login attempts
from the outside, so a weak password is just as guessable as before. Pick a
good one, and let the router or a firewall limit who can reach port 22 at all.
SSH runs on port 22. I also have FTP disabled (port 21); it sends passwords in
the clear just like Telnet.
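As an added example (not part of the original article), the following shell function turns the point above into a check you can run on your own box: it reads the output of netstat -tln, lists every TCP port that something is listening on for addresses other than loopback, and marks the ones (FTP, Telnet, POP3, IMAP) whose login goes over the wire in clear text. The netstat lines used below are constructed for the demonstration, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original article: list the TCP ports on this
# machine that other hosts can reach, and flag clear-text login services.
# Usage on a real box:  netstat -tln | audit_listeners

# Read `netstat -tln` output on stdin.  Prints one line per TCP listener that
# is reachable from other hosts (anything not bound to loopback), marking the
# clear-text login services.  Returns 1 if any such service is exposed, else 0.
audit_listeners() {
    awk '
    BEGIN {
        clear[21] = "ftp"; clear[23] = "telnet"; clear[110] = "pop3"; clear[143] = "imap"
        bad = 0
    }
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n]               # last field after the colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1") next   # loopback only: not reachable from outside
        if (port in clear) {
            printf "%-5s %-15s %s: clear-text login, disable it or block the port\n", port, addr, clear[port]
            bad = 1
        } else {
            printf "%-5s %-15s exposed\n", port, addr
        }
    }
    END { exit bad }'
}

# Constructed sample in `netstat -tln` format (not a real capture): a box
# with sshd, telnetd and ftpd on all interfaces, sendmail on loopback only,
# and a web server bound to the LAN address.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:80          0.0.0.0:*               LISTEN
EOF
}

sample_netstat | audit_listeners || echo "clear-text services are exposed; fix the lines above"
```

Port 25 does not appear in the report because only local processes can reach a socket bound to 127.0.0.1; port 80 is listed but not flagged, since the risk there is whatever software is behind it, not the port itself.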
Firewalls
A firewall is just a barrier between a network that's inside a home or company
and the outside world. If your private network didn't have a firewall, people
could just connect to it and see what they wanted. It would be like a house
made of glass. People would spend the day throwing stones at it.
Any decent network that's connected to the Internet has a firewall. The subject
of firewalls goes way beyond the scope of this beginner's course and I don't
claim to explain how to set up a firewall here. Some big
corporations pay people big money to set up firewalls in their organizations
and then they get hacked anyway. I always think of Goldfinger's comment in the
James Bond movie of the same name when he explains his plan to steal the gold
from Fort Knox to a bunch of incredulous Mafiosi. 007's red-headed nemesis says: "It is
a bank like any other and banks can be, how do you say, 'knocked off'." If you
want a good guide to providing security for your PC running Linux, I suggest
you read Bob
Toxen's Real World Linux Security: Intrusion Prevention, Detection and
Recovery, the best selling book on security from a Linux perspective.
Practical protection for the beginner
A good way to protect your Linux machine, when you don't know too much (yet)
about security, is to make the following very simple changes to two files:
/etc/hosts.deny and /etc/hosts.allow. These files are read by TCP Wrappers
(tcpd, and any daemon built with libwrap support, which in those days usually
included sshd), so they control only the services that go through it; they are
not a firewall for the whole machine.
First, in /etc/hosts.deny add the following line:
ALL : ALL
This blocks all wrapped services (1st ALL) from anybody (2nd ALL) who may try
to connect to your machine. Then, if you have more than one computer (a small
business or home network), add this line to /etc/hosts.allow:
ALL : 192.168.0.
The trailing dot matters: 192.168.0. matches any address that starts with those
characters, i.e. your whole LAN, whereas 192.168.0 on its own would match
nothing. hosts.allow is consulted first, so this lets local users access the
computer even though hosts.deny says ALL : ALL. There's no reason not to let
people locally log in via the SSH program we mentioned before, as long as you
trust them (and if SSH is all they need, sshd : 192.168.0. instead of
ALL : 192.168.0. opens just that). If you are a home user you're probably safe,
but if you are using this to set up a small business network, I would be a bit
more careful. There are all kinds of stories about disgruntled employees taking
liberties, revenge, extended vacations with company money, etc.
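As an added example (not from the original article, and not the real tcpd code), the following shell script re-implements the core of the hosts_access decision so you can try a rule pair against sample daemons and client addresses before relying on it. It handles only the pattern forms used above (ALL, an exact name or address, and a trailing-dot address prefix); netmask forms, hostname suffixes, EXCEPT and shell commands are left out. The client addresses and the sshd-only hosts.allow are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article and not tcpd itself: a
# simplified model of how tcpd / libwrap evaluates hosts.allow and hosts.deny.
# Supported patterns: ALL, exact string, trailing-dot prefix (192.168.0.).

# Does subject $1 (daemon name or client address) match pattern $2?
pattern_matches() {
    case "$2" in
        ALL) return 0 ;;
        *.)  case "$1" in "$2"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Does subject $1 match any pattern in the comma/space separated list $2?
list_matches() {
    local subject=$1 pat
    local IFS=', '
    for pat in $2; do
        pattern_matches "$subject" "$pat" && return 0
    done
    return 1
}

# Does any "daemon_list : client_list" line in file $3 match daemon $1 / client $2?
file_matches() {
    local daemon=$1 client=$2 line daemons clients
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}          # ignore an optional third (shell command) field
        if list_matches "$daemon" "$daemons" && list_matches "$client" "$clients"; then
            return 0
        fi
    done < "$3"
    return 1
}

# The order tcpd uses: a hosts.allow match grants, otherwise a hosts.deny
# match refuses, otherwise access is granted.  Returns 0 = allow, 1 = deny.
hosts_access() {
    local daemon=$1 client=$2 allow=$3 deny=$4
    if file_matches "$daemon" "$client" "$allow"; then
        echo "ALLOW $daemon from $client (matched hosts.allow)"; return 0
    fi
    if file_matches "$daemon" "$client" "$deny"; then
        echo "DENY  $daemon from $client (matched hosts.deny)"; return 1
    fi
    echo "ALLOW $daemon from $client (no rule matched)"; return 0
}

# Constructed rule files for the article's home LAN, written into directory $1.
# Compared with the article's "ALL : 192.168.0." this opens only SSH to the LAN.
write_example_rules() {
    cat > "$1/hosts.deny" <<'EOF'
# refuse every wrapped service from everybody not listed in hosts.allow
ALL : ALL
EOF
    cat > "$1/hosts.allow" <<'EOF'
# the home LAN may reach SSH; nothing else, from nowhere else
sshd : 192.168.0.
EOF
}

dir=$(mktemp -d)
write_example_rules "$dir"
for who in "sshd 192.168.0.7" "sshd 20.20.20.20" "in.telnetd 192.168.0.7" "sshd 192.168.10.7"; do
    set -- $who
    hosts_access "$1" "$2" "$dir/hosts.allow" "$dir/hosts.deny" || true
done
rm -rf "$dir"
```

Two things the run makes visible: the prefix is a plain string match, so 192.168.0. does not cover 192.168.10.7, and with empty files the answer is always ALLOW, which is why the hosts.deny line has to go in first.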
One last word: This ISN'T a substitute for a firewall or a serious
security set up. If you are setting this up on a small business
network, please read some books or seek a professional security consultant's help.