Linux + Island Net = Fun!

[Nerd
crossing. MIT Museum, Hall of Hacks. Cambridge, MA. May
2000.]

The Linux+Island Net HOWTO

crufted together by Mike Sugimoto

Dizclaimer

This is a brief introduction -- a quick and dirty reference, if you will -- to setting up PPP for use with Island Net and Linux. It is provided with absolutely no warranties of any kind: if you follow the instructions in here and something breaks, you get to keep both pieces. I'm not responsible for anything that happens to you as a result of the information in this file. Back up important files before changing them.

Send updates, suggestions, and complaints to phloem@fumbling.com; put "Island Net HOWTO" in the subject line of the message for faster responses.

What do I need?

You'll need several things to set up PPP on your Linux system. Most of these things come with the average distribution, so there shouldn't be anything you need to get. The minimum amount of stuff you'll need is:

a text editor (I like emacs)
a ppp daemon
the root password (and su or access to the console)
the Island Net configuration information (see below)
your account name and password, which hopefully won't be too hard to come by.

There's more, of course. You may find

the ISP-Hookup HOWTO
the ISP-Connectivity Mini-HOWTO
the pppd(8) manpage
the chat(8) manpage
the dip(8) package

useful, particularly if you're impatient or it turns out I can't communicate clearly.

Where do I get..

.. pppd and chat?

The current pppd on your system can be found by typing which pppd; it usually lives at /usr/sbin/pppd. Version it by typing pppd --version. Ideally, everyone should be at 2.2 or above; if you're running a 2.2.x-series kernel, you will need 2.3.5 as a minimum (there were several changes to the routing code in that kernel update, and older versions of pppd have some Issues. Unless you know that your setup works and is current (ie, you've never messed around with it), probably best to upgrade).

pppd can be fetched from ftp://cs.anu.edu.au/pub/software/ppp/ppp-2.3.5.tar.gz. Read the installation instructions carefully. You'll also need to consult the PPP-HOWTO for more information if you've never done this before.

chat is included in the pppd distribution package.

.. dip?

It's on metalab, at ftp://metalab.unc.edu/pub/Linux/system/Network/serial/dip-3.3.7n-jsi.tgz. There's no easy way to describe the installation process. Your distribution probably came with a copy, actually, so check before you run out and download it.

.. Island Net's configuration information?

Type help ppp at the shell prompt. Or, look here:

Domain Name islandnet.com

Name Server (DNS) 199.175.106.253

Default Gateway 199.175.106.254

Netmask 255.255.255.0

News Server (NNTP) news.islandnet.com

Mail Server (SMTP, POP) mail.islandnet.com

Gopher Server gopher.islandnet.com

WWW Server (HTTP) www.islandnet.com

FTP Server ftp.islandnet.com

Shut up, phloem. I'm in no mood to read all of this.

Alright. Quick start instructions (don't blame me if this doesn't work):

put the nameserver IP in /etc/resolv.conf
make sure your hostname is set properly.
dip -t, then port /dev/modem (or equivalent on your system), term, dial in to Island Net, log in, ppp at the Home prompt, and then ^] to get back, and mode ppp. If everything worked properly, ifconfig will show your ppp0 interface as being up with your IP address listed.
if it doesn't work, read the rest of this file. I warned you.

I'm more patient. How do I do this?

The basic configuration goes something like this:

Configure /etc/hosts.allow and /etc/hosts.deny. This will keep the riffraff out of your box.
- /etc/hosts.deny should contain the line ALL: ALL
- /etc/hosts.allow should contain the line ALL: LOCAL, or if you really want to be pedantic, ALL: 127.0.0.1
Warning: Doing this will break existing network setups unless you've explicitly configured them otherwise. If you have multiple machines connected to your Linux box, you likely know what you want to be in /etc/hosts.allow and /etc/hosts.deny. If in doubt or confused about what you're doing, consult the Linux Network Administrator's Guide (paper versions available, but get it from the network and save $40).
Make sure you understand what you're doing when you do this. Hooking up a Linux box to the Internet, even for short periods of time, puts you at risk for all kinds of weird attacks. Although rare, particularly while coming through Island Net's internal network, you should be aware of the risks involved. This is not intended to be a complete primer on computer security; I highly recommend Garfinkle and Spafford's Practical UNIX & Internet Security, currently in second edition.
Set up your hostname in /etc/HOSTNAME.
You should have given your machine a unique hostname when setting up and installing Linux for the first time; for those of you that were feeling uncreative and left it as the default, now might be a good time to change it. Edit /etc/HOSTNAME and put your choice in there. If it's already set up and you're happy with the name, leave it. It's not worth messing around with; it doesn't really matter in the end.
Set up the DNS resolver.
You'll need to configure a basic DNS resolver in order to ensure your software knows where to go to find IP addresses. If you want to work with numerical addresses only (dotted quad notation), you don't need to do this. However, most humans work better with fully-qualified domain names (foo.baz.com) than they do with IP addresses (18.0.16.75), so setting up the resolver is probably something you'll want to do.
If you've already got some DNS servers configured in /etc/resolv.conf, don't mess with them. Just insert a nameserver line that points to 199.175.106.253, Island Net's DNS server. If you don't have anything interesting in /etc/resolv.conf, put this in it:
```
  search .
  nameserver 199.175.106.253
  <nidx>nameserver
```
Configure /etc/networks.
You'll need to explain to your networking subsystem exactly what's local and what isn't. For example, mine says:
loopback 127.0.0.0 localnet 192.168.1.0 localnet 0.0.0.0
If you have multiple machines talking to your Linux box locally, you will have already done this, so don't change it unless you're missing the localnet 0.0.0.0 line (insert it if you are). Otherwise, you'll need to set up /etc/networks to say something like:
loopback 127.0.0.0 localnet 0.0.0.0
Note that loopback is 127.0.0.0 instead of 127.0.0.1 (as is usually used for the local loopback address).

That's it for configuration? Lemme at it!

First, test your configuration. I recommend logging in manually to check things out. Although this first test should probably not be run as root, I recommend it because of the brain-dead configuration of relevant files.

If you're feeling particularly security conscious, you'll need to check to see who has execute permissions on the dip and pppd executables, and make sure the read-write bits are set on the appropriate entry in /dev. Having said that, and despite my general paranoia at running as root, you'll probably be okay so long as you don't type rm or anything stupid like that.

Here's how the session should look.

lauriel:~# /sbin/dip -t DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96) Written by Fred N. van Kempen, MicroWalt Corporation.

DIP> port /dev/modem DIP> term [ Entering TERMINAL mode. Use CTRL-] to get back ] atdt 3804731 CONNECT 57600 Welcome to Islandnet.com - Vancouver Island's Premier Internet Service! login: megan Password: [password goes here, not echoed for security]

[some deleted data]

Home> ppp

^] [ Back to LOCAL mode. ] DIP> mode ppp lauriel:~#

and from there, you can use pretty much whatever tool you want. Test your connection right away; a simple ifconfig will show you whether the ppp0 interface is up and running. If it is, try ping 199.175.106.253 (or see the part about testing your connection later on in this document). If it works, great. If it doesn't, check your configuration and make sure pppd is running.

What now?

If you took my advice about not running that test as root to heart (despite my use of the root account in that example), you may have some interesting problems to contend with. If you intend to run your PPP connection on an everyday basis, it's probably best you do this from a regular, non-root account. Here are some of the problems you might encounter:

dip lives in /sbin on my system and may not be included in your search path for non-root users, so hunt around a bit and make sure it's executable by non-root users.

If you get a message like

DIP: tty: open(/dev/modem, RW): Permission denied

when you try to set the port in an interactive dip session, you'll need to set the permissions on your serial devices to support non-root use. Alternatively (and this is a far better solution in my opinion), add the user you'd like to have access to dip to the tty group, or the functional equivalent on your system. It's much safer. To do this, open /etc/group and find the tty group -- you'll know which group to look for, because if you do this

lauriel:/dev% ls -l ttyS?

you'll get this

crw-r-----   1 root     tty        4,  64 Jan 15 00:45 ttyS0
crw-rw----   1 root     tty        4,  65 Jul 17  1994 ttyS1
crw-rw----   1 root     tty        4,  66 Jul 17  1994 ttyS2
crw-rw----   1 root     tty        4,  67 Jul 17  1994 ttyS3
crw-rw----   1 root     tty        4,  68 Jul 17  1994 ttyS4
crw-rw----   1 root     tty        4,  69 Jul 17  1994 ttyS5
crw-rw----   1 root     tty        4,  70 Jul 17  1994 ttyS6
crw-rw----   1 root     tty        4,  71 Jul 17  1994 ttyS7
crw-rw----   1 root     tty        4,  72 Jul 17  1994 ttyS8
crw-rw----   1 root     tty        4,  73 Jul 17  1994 ttyS9

In case you were born in the back of the Unix turnip truck yesterday, this is the long listing for the serial devices living in /dev. The first column lists the permission bits, the second lists the number of hard links, the third and fourth columns list the owner's name and the group name.

So in this case, tty is the group. (There's something amiss in this particular example which you might have spotted already, and I'll get to it in a second.) If we want to add user megan to the tty group, we would look for the line that says

tty::5:

and change it so that it says

tty::5:megan

(Obviously, you have to do all this as root.) If there is more than one user you want to let access the ports, separate their names with commas, like this:

tty::5:megan,phloem,frink

Log megan out, then have her log back in and try it again. (Notice how we're out of the root account and back down to a normal user shell in this example.)

lauriel:~% /sbin/dip -t DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96) Written by Fred N. van Kempen, MicroWalt Corporation.

DIP> port /dev/modem DIP: tty: open(/dev/modem, RW): Permission denied lauriel:~%

Huh? We just added megan to the tty groups, so she should have access to the thing, right?

Wrong. Look at this:

lauriel:/etc% ls -l modem

lrwxrwxrwx   1 root     tty             5 May 29  1999 modem -> ttyS0

This tells us that modem is a symlink to ttyS0, so let's look that up.

lauriel:/etc% ls -l ttyS0

crw-r-----   1 root     tty		4,  64 Jan 15 00:45 ttyS0

Oops. Looks like the group readable flag is set, but the group writeable flag isn't. You'll have to fix that before you can go any further; change to the root account and run chmod 660 /etc/ttyS0.

That still doesn't solve all your problems. For instance, most of these tools live in /sbin, which isn't usually in a mortal user's search path (and for good reason). Second, DIP will probably complain after you run mode ppp that DIP: cannot create /etc/dip.pid: Permission denied. This isn't such a big deal (though it does mean you'll have to issue a kill (not a kill -9) to bring down the pppd process); everything still works fine. If you can live with the ugly error message, good for you. Getting rid of said error message, however, means either giving megan write access to /etc (not a good idea unless you trust her completely or it's your account), configuring dip to put its PID somewhere else (a pain), or running all of this as root.

I picked the latter option, though I'm usually a die-hard "never do anything as root" person, having been burned one too many times by a careless command issued as superuser. You can keep the permissions on your devices set the way they were, and if you decide to automate, you won't have problems reading files under /etc in the future. Your own sense of style and personality will be your best guide in all of this.

My own reasons were fairly simple: it's less of a pain than the other methods, I'm using su(8) to get there and back, and I've been around Unix systems long enough that I'm finally starting to trust myself with rootly powers. For a comprehensive discussion about root and why you should use it as little as possible, see a decent sysadmin book (AEleen Frisch's Essential System Administration and/or Evi Nemeth et al's Unix System Administration Handbook come prominantly to mind and are probably the best, if a little dated). Reading these books will tell you a bit more about how you can work around the problem of groups and read/write access to sensitive system areas.

Testing the Connection

However you got there, once dip exits after you've invoked the mode ppp, you'll have to test the connection. /sbin/ifconfig is a good tool to check your interface and IP assignment; you should see a ppp0 interface if all went well. The next step is to test the connection itself using ping: 'ping islandnet.com'. Are you getting packets back? Yes? Great, your connection works. Stop here unless you want to automate this process. If it says

ping: unknown host islandnet.com

then something's wrong with either the nameserver or the connection itself. Ping a numeric IP address: 199.175.106.253. If you get a response, then something's wrong with your /etc/resolv.conf; check to make sure everything's set properly, particularly the IP address you specified there. If, however, you get:

PING 199.175.106.253 (199.175.106.253): 56 data bytes ping: sendto: Network is unreachable ping: wrote 199.175.106.253 64 chars, ret=-1

then something's wrong with the connection, and you might want to check the configuration process again. Having said that, if dip exited cleanly and you invoked PPP at the Home prompt, this shouldn't happen.

The connection works! Do I really have to do all that crap to start a PPP session?

Of course not. Most Unix people are lazy. If a Unix guru has to type more than about 15 keystrokes more than twice, he'll probably spend three hours writing a 100 line program that covers all possible options and does other things at the same time on general principle. (This was the driving force behind the development of Perl.)

So here's how you automate all of this.

Step 1: Edit /etc/ppp/chatscript. Put something that looks like this in it.

  TIMEOUT 5
  "" ATZ
  OK ATDT3804731
  ABORT "NO CARRIER"
  ABORT BUSY
  ABORT "NO DIALTONE"
  ABORT WAITING
  TIMEOUT 45
  CONNECT ""
  TIMEOUT 5
  "login:" megan
  TIMEOUT 5
  "assword:" puppet
  TIMEOUT 10
  "ome>" ppp

This script will work for Island Net users; it requires no modifications other than replacing megan with your username and puppet with your current password. The existence of this file is an excellent reason to run the whole log-on process as root; make sure the permissions on /etc/ppp are set for read/write by owner only. (If you don't want to do that, at least chmod 600 * inside of the directory and make the files readable by root only.)

Step 2: Write a script that will actually initate the connection.

I'm very fond of this one:

exec pppd connect \
     'chat -v -f /etc/ppp/chatscript' \
      -detach crtscts modem defaultroute \
      /dev/modem 56700

Put this in a file, chmod u+x it, and then su to root to run it. There are, however, two problems with this.

The first is that there's no real way to tell when you get connected by watching this program execute. It will run more or less forever until it is killed or the connection drops, and it won't tell you anything useful about what's going on in the background. For that, you'll need another window and tail -f /var/adm/messages; you'll see something that looks like

 Jan 15 01:36:06 lauriel pppd[17981]: pppd 2.3.5 started by megan, uid 1007
 Jan 15 01:36:06 lauriel pppd[17981]: Serial connection established.
 Jan 15 01:36:07 lauriel pppd[17981]: Using interface ppp0
 Jan 15 01:36:07 lauriel pppd[17981]: Connect: ppp0 <--> /dev/tty1

when everything gets going. At this point, you can control-C your way out of tail and do your thing. To bring down the PPP connection, issue a kill PID command, where PID is the process ID of pppd (listed in the square brackets in the log; in this case, it's 17981). If you don't know or can't remember what it is, a ps -x will help you remember. Don't issue a kill -9; that will bring pppd down ungracefully and you may have to disable the interface manually using ifconfig.

The other problem is that once you've killed pppd, you'll log out. This is a very good reason to run your PPP script through su, since you'll just lose that session and won't be forced to log back in. I should mention that doing it this way basically requires you to give up a virtual terminal or a window -- not a big deal, but it is a pain.

To Do

a more advanced discussion about system security
address issues brought up by readers
consider the experience of people non-Slackware distributions (I have no knowledge of RedHat or Debian and I'm used to doing everything by hand, so maybe someone could enlighten me..)
um..

phloem@fumbling.com

Domain Name	islandnet.com
Name Server (DNS)	199.175.106.253
Default Gateway	199.175.106.254
Netmask	255.255.255.0
News Server (NNTP)	news.islandnet.com
Mail Server (SMTP, POP)	mail.islandnet.com
Gopher Server	gopher.islandnet.com
WWW Server (HTTP)	www.islandnet.com
FTP Server	ftp.islandnet.com