Building a Linux Dial-up Server, Part 1

By Carla Schroder | Jun 27, 2003
http://www.enterprisenetworkingplanet.com/netos/article.php/2228641/Building-a-Linux-Dialup-Server-Part-1.htm

Sometimes it seems that the world has moved entirely to DSL, cable, and other forms of high-speed networking. But the reality is it hasn't -- most of the world is on dial-up, and even in the US the majority of Internet users are still on dial-up. Even in areas where high-speed access is available, dial-up still plays a useful role. For example, a business may not need high-speed access -- and can spend the money saved on hardworking, worthy employees. (Stop laughing, it could happen.) Or dial-up can fill a special need, such as for nightly batch uploads, for remote access, or for building an inexpensive WAN.

In this two-part series we're going to look at both dial-up and dial-in servers. A dial-up server is used to manage and share an Internet connection, whereas a dial-in server is for users to dial in to your network directly. Any Linux distribution comes with all the tools and protocols you'll need, including PPP (Point-to-Point Protocol), dialers, and NAT (Network Address Translation).

PPP is a peer-to-peer protocol; however, it is useful to think of dial-up in terms of client/server. Generally, the client is any machine dialing in to another machine. The PC answering the call and providing authentication is the server. A PC can handle both client and server duties -- a machine on a LAN that shares a dial-up connection, for example. A Linux dial-up/dial-in server will work fine in mixed networks (as a gateway for Windows clients, for example) -- all it does is move bits.

Setting up a dial-up connection should be simple; however, this is the real world, so let's look at the common trouble spots.

Share a Dial-up Internet Account

The dial-up server needs both a modem and a NIC, and of course the configuration information from your ISP. The modem is the "outward" network device, and the Ethernet card the "inward," or the one that connects to the LAN. Give the Ethernet card a static, non-routable IP, and set this as the gateway IP on all the client PCs.

The quickest way to get up and running is to dust off any old 486, and run Freesco on it. This is perfect for building a specialized dial-up server that does not do much else. Freesco is so easy to set up, I won't weary you with needless repetition -- simply visit their Web site and take it from there, or review one of my earlier articles on this "Linux on a single floppy disk."

On any other ordinary modern Linux distribution, first set up your dial-up account. PAP and CHAP are the protocols used for authentication. PAP (Password Authentication Protocol) is the simplest; it sends your login in clear text. CHAP (Challenge Handshake Authentication Protocol) is more complex, and more secure. It requires a preset shared "secret" between the client and server, and the exchange is hashed, so the secret itself is not sent in the clear.

Traditionally in Linux, all of this had to be configured manually, creating much anguish, horror, and heartbreak. Fortunately, a number of GUI-based configuration tools have been released to ease your pain. kppp and gnome-ppp are a couple of useful configuration tools. Wvdial is the new kid on the block, and is the quickest and easiest to use. It runs from the command line, which makes it a good choice for a server you don't want to run X on. It's an "intelligent" dialer that figures out what sort of authentication your ISP wants, and writes the appropriate chat scripts. I know it is not always worthy to take the easy way; nevertheless, in this case, this lowly Grasshopper recommends it.

Authentication Blues

Some ISPs seem to vie for coming up with the weirdest, most non-standard authentication possible. The ISPs that are guilty of this usually provide their own custom Windows connection software to customers, which is no good for the zillions of Unix, Linux, Mac, Solaris, and other users in the world. TCP/IP is meant to be platform-independent; I wag the disapproving finger of shame at vendors who do not treat it this way.

Shiva PAP is an actual patented version of PAP; it is part of Shiva Access Manager, which is commonly found on Windows NT and 2000 servers. Because it is patented, Linux does not support it. Windows servers should support other forms of PAP, assuming they are competently set up. CHAP is where the real fun begins -- variants include CHAP 05, CHAP80, CHAP80-lanman, and CHAP81. CHAP 05 is the standard, generic CHAP, and uses MD5 for hashing. The others are Microsoft CHAPs; pppd 2.4.1 and up support all except CHAP81, the latest Microsoft non-standard.

How can you find out what your ISP uses? Simple, ask. If you run into trouble, see the excellent troubleshooting guide by W.G. Unruh, "How to hook up PPP in Linux." He shares how to figure it out even when your ISP doesn't quite know what's going on, which is not at all uncommon.

PPPD Auth Gotcha

Linux uses pppd (the PPP daemon). Run pppd --version to get the version number. pppd 2.4.1 and up come with the infamous "auth" gotcha: by default, pppd is configured to require the server (the remote system) to authenticate itself. Most ISPs do not require server authentication on a PAP login; only the client needs to authenticate. If you see error messages like, "The pppd daemon died unexpectedly!" and the logfile says something like, "The remote system is required to authenticate itself, but I couldn't find any suitable secret (password) for it to use to do so," just go into /etc/ppp/options and change the "auth" option to "noauth." This only drops the requirement that the remote system authenticate itself to you; your own login is still sent to the ISP as before.

Configuring NAT

Once your dial-up server can connect to an ISP, the next step is to enable other hosts on your LAN to share the connection. Presumably your LAN is up and running, and all the machines can ping each other. If not, well, we're going to move ahead without you. Please catch up when you can.

iptables takes care of sharing an Internet connection quite nicely. Here is a simple recipe:

# modprobe iptable_nat
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# echo "1" > /proc/sys/net/ipv4/ip_forward

These can be run from the command line or nicely ensconced in a script. The first line loads the NAT kernel module. The second line turns on masquerading. The third line turns on forwarding, which is commonly disabled in the kernel by default. WARNING: There is absolutely zero security in this! None! Do not use this alone! Please see Resources for links on building a firewall. "Linux IP Masquerade HOWTO" is especially useful for this.
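
To make the warning concrete, here is an added example (not from the original article or the HOWTOs it cites) that pairs the same MASQUERADE rule with a default-deny filter table, so the modem side can only carry replies to connections the LAN started. It assumes the LAN card is eth0; gen_rules and the "apply" argument are hypothetical names.

```shell
#!/bin/sh
# Added example: the article's MASQUERADE rule plus a default-deny filter
# table, emitted in iptables-restore format.
# Assumptions: ppp0 is the modem link (as in the article); eth0 is the LAN
# card (assumed name). gen_rules and "apply" are hypothetical names.

gen_rules() {
    wan=${1:-ppp0}
    lan=${2:-eth0}
    cat <<EOF
*nat
# Rewrite LAN source addresses to the modem's address on the way out.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
# Anything not explicitly accepted below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
# Replies to traffic the server itself sent out.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections out through the modem.
-A FORWARD -i $lan -o $wan -j ACCEPT
# From the modem side, only replies to those connections come back in.
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Run as root with the argument "apply" to load the rules and then enable
# forwarding. With no argument the script only defines gen_rules.
if [ "${1:-}" = "apply" ]; then
    modprobe iptable_nat
    gen_rules ppp0 eth0 | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```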

To see which netfilter/iptables modules are installed on your system, try:

# grep netfilter /lib/modules/`uname -r`/modules.dep

Note that `uname -r` is surrounded by backticks, not apostrophes. The backtick key should be the lowercase of the tilde, next to the number 1 key on the top row. This demonstrates a lovely feature of the bash shell -- command substitution. To see what kernel modules are loaded, run good ole lsmod.

Well that's enough for today. In part 2 we'll create a dial-in server and set up dial-on-demand.

Resources

Linux PPP HOWTO
Freesco
wvdial
How to hook up PPP in Linux
Linux IP Masquerade HOWTO