Author: Sarma Seetamraju
EMail: (sarma@usa.net)
Date: August 1997
Place: on the Amtrak and PATH trains on the way to Downtown Manhattan.
Notepad Used: a 16-MHz 386 SX circa 1991 Magnavox notebook running linux.
(Just to show that if you ever complain about linux not running AS IS
on your computer, I am going to shove that computer up your .... )
Reformatted as HTML for: All abnormal people who cannot stand illegible plain text.
Important: SOCKS is a FREE package for UNIX systems.
I doubt it's available for OTHER platforms.
If you wish to influence NETSCAPE to keep
supporting SOCKS, email me with your supporting
statement (saying how you are using SOCKS).
This document describes how to set up a small NETWORK (an INTRANET)
at your home, and then how to arrange that network so that NETSCAPE clients
on ANY machine can be used to access the internet...
The network we are talking about has TWO or more computers, of which
there is ONE (ONLY ONE) linux machine; the rest are Win95 or WinNT machines.
(I doubt things will be any different for a Macintosh.)
Only the LINUX machine has PPP access to the internet. The other
machines MAY have modems. I shall ignore those modems.
If ANY of your clients are UNIX machines, you are perhaps
better off reading the "sockd" package's documentation,
since you may need to use "rlogin", "ftp" etc...
from within the UNIX CLIENTS. This document will not
help you in that respect.
The computer network is assumed to be TCP/IP over ethernet. No netbeui, etc...
The "single linux" machine will be referred to as the "LINUX SYSTEM", while all others are referred to as "OTHER MACHINES" or "CLIENT MACHINES". The linux machine is also referred to as the "SERVER" sometimes.
If you do not understand the next para, then jump to the FOR NETWORK NOVICES ONLY section. Then come back here...
All of the following assumes that there is an IP address assigned (using "ifconfig") to the eth0 port of your LINUX server.
Also, for that matter, this document does not restrict you to PPP only (it could be SLIP, PPTP, etc...). The IP address of the "ppp0" port is absolutely irrelevant. This document assumes you have one such port, and that it's UP.
WHY WE NEED SUCH AN ARRANGEMENT:
The linux machine is to be used to connect to the world.
Only the linux machine has a REAL-WORLD IP address (see the "ON-LINE services" section below).
The linux machine has a non-persistent PPP link to the world.
The other machines in the network have IP addresses that are
either invalid or are unknown to the world.
You need to use the "Other Machines", and NOT the linux machine
to access the internet, VIA NETSCAPE ONLY.
I have no need to "telnet" or FTP directly from the "other m/c"
to the world. If I ever need to, I telnet manually into the
linux machine, and then into the world.
I did NOT want to spend much on a linux m/c that didn't run an X server (much
less any X applications). I bought a 486Dx/4 100 Mhz PCI board (since I didn't
want to be stuck with plain ISA slots), with a $20 SVGA card and a $20
NE2000 compatible card, and an extra 20$ for terminators+co-ax ('cos I didn't
know how to convert a regular Ethernet Hub connecter into a pt-2-pt connector).
And $90 worth of memory (it went all the way to $60 for 16megs) and I had a
fully functional linux system for $270. Don't intend to burden that system
with NT or any other memory-disk-cpu hogging OSes. Of course, my client machine
is a 32-meg P100 machine with two hard disks (one of which was transplanted
as the linux machine's HD) and runs 95.
The linux system is sitting on top of a clean PizzaHut pizza box. I
couldn't afford another $50 for a tower, since I was getting a power supply
module from one of my friends.
The reason I chose NETSCAPE is that I no longer use FTP manually. It's simply out of fashion. Every ftp site worth its name, and every company, has a web site that lets me use the Netscape browser to access their ftp site. I do need to telnet frequently, but I go through the trouble of going from my win95/winNT4.0 machine to the linux machine, and from there onward... Secondly, I am hooked on QuickTime and all those net audio sites, and LINUX versions of those tools do not exist. So I have to run that stuff from Netscape ON windows platforms. And my LINUX machine receives EMail using sendmail... (remember, I have a fixed IP address. Such fixed IP addresses are better ONLY for things like receiving email. They are of no benefit for surfing, telnetting, etc...)
Lastly, we will never have a "Microsoft Explorer Browser" for linux, and hence I never even considered using Explorer. Also, something tells me that it's NOT going to be as easy to configure Explorer as it was to configure NETSCAPE on the CLIENT machines (i.e., the other machines).
I am not giving directions for installing a PROXY server.
This is about installing a "socks" facility on the LINUX
machine, which NETSCAPE on the client machines can use to access the internet.
NETSCAPE (as far as I know) is the ONLY application that runs on NON-UNIX
machines and is aware of the SOCKS facility.
If you have a TCP/IP network, then you MUST have AT LEAST two IP addresses for the machines (one for the LINUX machine and one for the client machine, and more IP addresses if you have more than one client machine).
Read the other HOW-TOs on how to assign IP addresses to ALL your machines on the TCP/IP network. (ESPECIALLY IF YOU DO NOT have a REGISTERED internet domain).
I created a network 10.0.1.x out of the single LINUX machine and the single Win95 machine. They were assigned 10.0.1.1 and 10.0.1.2 respectively. The 10.0.1.1 is the IP address of the ETHERNET port (eth0) of the LINUX machine. The ppp0 port has another IP (which [lucky me] has a fixed IP address). That IP address is irrelevant to us, and also, being withheld for security reasons.
I also have a fixed domain name server on the other end of the PPP link. (University machine).
The linux machine has a modem and CRONTAB entries, that automatically dial up to the internet at fixed times daily. I also manually connect to the internet, when I want to go surfing.
If you connect to the internet via ON-LINE services, see below...
If you connect to the world using ON-LINE services like AOL, Compuserve, Sprynet, Netcom etc... then you may NOT have a fixed IP address. That is of little relevance in getting your intrAnet hooked up to the world. If you do not believe that, I request you to read on... and become a believer...
(For those who, like me, want to know what the hell is happening...). Others may skip this section....
... since you have ONLY one ethernet network, you do NOT need routing within that network. And you have perhaps manually hardcoded the IP addresses (10.0.1.1, 10.0.1.2) of ALL your machines in /etc/hosts. If you did that, you are a smart person. Using "named" for a two or three computer network at home is like using a bulldozer instead of a spoon to eat.
What we would ideally like is for ALL IP packets from the client machines to go to the LINUX machine, which would then route them on. The problem with that is exposure: if the LINUX machine simply forwards packets, there is NO firewall or proxy between your clients and the Internet (and, since ppp0 carries a real-world address, nothing between the Internet and your clients either). In this document we end up with a kind of firewall almost as a side effect, while trying to get NETSCAPE to access the internet from the client machines: IP forwarding stays OFF, so no packet from a client is ever routed out to the world; the only way out is the sockd relay, which accepts connections only from the clients listed in its sockd.conf and opens the outgoing connection itself.
One difficulty with this "re-routing" is that the clients would have to SEND ALL packets to the LINUX machine no matter what the destination address, i.e., use it as their default gateway. With forwarding off that would achieve nothing anyway. What Win95 and WinNT can use instead is an application-level relay: a SOCKS server (this document), or a "proxy server" (which I intend to figure out, and write another document on).
IF you are well versed with various free utils, you may have heard
of the "term" package. It was designed because it is easier
to configure networking as a "simple" user and NOT AS ROOT/ADMIN (on both
client and server sides). The same logic goes for NETSCAPE on the clients.
It is easier to JUST GET Netscape to access the internet and leave the
rest of the features (FTP, TELNET) unsupported.
If you think, having ONLY netscape access and NOT telnet / ftp
access to internet from the client machines, is a bummer, then
you are a dinosaur. Wake Up, Mr./Ms. Rip Van Winkle.
(TECHNICAL) The "named" which remained unused (as mentioned above)
will be put to use to support NETSCAPE (so that http://www.sex.org
will be resolved right from the client machine). Netscape's SOCKS support
makes the CLIENT resolve the host name itself before it contacts sockd, so
the clients need a name server they can reach on the ethernet; the LINUX
machine's "named", forwarding to the DNS at the other end of the PPP link, is it.
(TECHNICAL) You may have to REBUILD your LINUX kernel to disable
IP forwarding (the "IP: forwarding/gatewaying" option), so that the LINUX
machine never routes packets between eth0 and ppp0. Forwarding makes no
difference to sockd itself, which works at the application level: it accepts
the client's connection on eth0 and opens a fresh connection of its own over
ppp0. Leaving forwarding ENABLED would mean that packets from your clients could
be forwarded out onto the PPP link, and packets arriving on ppp0 could be
forwarded onto your ethernet, which is exactly what the previous section said
we want to avoid. I intend to rebuild my kernel with forwarding
ENABLED and see if the socks package still works (I am betting it will). If
it does, then you will find a newer version of this document.
(What this means is that you can probably use the kernel installed by your
favorite LINUX installation package, as long as you check its forwarding setting.)
You will need ROOT access on the linux machine :-)
You will need to download the socks package and COMPILE it.
It will NOT compile as shipped, because the Makefile is bad (see the Makefile notes below).
(TECHNICAL) Be prepared to edit the socks.c file, to comment out
ONLY the two lines that write an entry to your syslog (/var/adm)
for every connection relayed via socks. For example, a single page on WWW.CNN.COM
has at least 10 pictures and 5 separate text objects, and each of them is a separate
connection, so for each of them you will find an entry in syslog (that it was
transferred!). My syslog keeps filling up. I do NOT like that. Maybe you might
not mind. Before you remove it, consider that this log is the only record you will
have of who used your SOCKS relay, when, and to where; sending that facility to a
log file of its own and trimming it regularly is a kinder alternative than deleting
the calls.
This sockd package supports CLIENT machines ONLY. All applications
on the LINUX machine DO NOT need the sockd or any other package
to access the internet, since this LINUX machine connects to internet
directly using PPP.
Read the NET-HOW-TO in /usr/doc/faq/howto on your linux machine (if it's Slackware), or go to www.linux.org and read the same NET-HOW-TO there...
In that you will find how to down load the socks package and compile it.
You NEED TO READ the instructions there to setup the in-house network.
But you are welcome to read this :-) .
That document spends a lot of time, explaining how to configure UNIX clients. Especially for "rlogin" "telnet" "ftp" etc... If you do not have UNIX clients, then after compiling the SOCKS package, start reading this document again, for using the socks package rather than the readme file in that package.
I placed the tar file in /usr/local/ProxyServer and untarred it, creating a "sockd4.2b" subdirectory within which there is a "Makefile". As mentioned in the howto document, I had to struggle to successfully do a
make with that Makefile.
For your convenience, my copy of the Makefile is included at the end...
Hopefully, you will have to change line # 9 of my copy of the Makefile, only.
Then I moved the sockd directory contents into its parent, changed
line # 9 and did a make again -- successfully. So I guess I "fixed" the Makefile.
You will find an executable called "sockd" in the sockd subdirectory.
Once you are done compiling, COPY the following files to /usr/local/etc
(they SHOULD all be in the same directory as the sockd binary):
sockd (The executable a.k.a daemon)
sockd.conf (configuration file)
sockd.route (configuration file)
socks.conf (configuration file)
# ### make a link called "socks" which points to "sockd" within the same dir.
# cd /usr/local/etc
# ln -s sockd socks
Then edit those three configuration files so that they are similar to the ones given below (these are my settings for a two computer network, made up of a LINUX "server" and a Win95/WinNT client machine).
# Only my Win95/WinNT client may use the relay (mask 0.0.0.0 = exactly this one host).
permit 10.0.1.2 0.0.0.0
# Everybody else: refuse, and tell root about it. The mask MUST be
# 255.255.255.255 (sockd's spelling of "any address") for this line to match anyone.
deny 0.0.0.0 255.255.255.255 : /usr/ucb/finger @%A | /usr/ucb/mail -s 'SOCKD: rejected -- from %u@%A to host %Z (service %S)' root
#BAD_ID: /usr/ucb/finger @%A | /usr/ucb/mail -s '%U pretends to be %u on host %A' root@%A root
#NO_IDENTD: /usr/ucb/mail -s 'Please run identd on %A' %u@%A root@%A
#[EOF]
NOTE: 10.0.1.2 is my Win95/WinNT client machine's IP address. The FIRST field on a permit/deny line is the SOURCE address of the client that is (or is not) allowed to use the relay, and only clients that match a permit line get through. This sockd.conf file lives on your LINUX server (in my case the ethernet port of the LINUX server has the address 10.0.1.1). The LINUX machine's own applications never go through sockd; they reach the internet directly via PPP.
NOTE: The SECOND number on each line is NOT an IP address and NOT a network address -- it is a MASK, and sockd uses it the OPPOSITE way from a normal netmask: a 0 bit means "this bit of the client's address must match", a 1 bit means "ignore this bit". So "10.0.1.2 0.0.0.0" matches exactly that one client, "10.0.1.0 0.0.0.255" would match every 10.0.1.x machine, and a catch-all deny needs the mask 255.255.255.255. A deny line with the mask 0.0.0.0 matches only the address 0.0.0.0 itself; other unlisted clients are still refused, since sockd refuses any request that matches no line, but the finger/mail notification on that line never runs for them. Also note that the notification commands use Sun paths (/usr/ucb/finger, /usr/ucb/mail); on Linux, check where finger and mail actually live, and remember that %u is whatever user name the CLIENT put in its request, not something you should trust.
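To see exactly what the two lines above let through, here is an added example (mine, not the author's and not code from the sockd package) that applies sockd's rule matching to a few client addresses. It implements only the "action src_addr src_mask" form of a line and treats everything after ":" as the notification command; the comparison itself is the one sockd makes, with a 1 bit in the mask meaning "ignore this bit". The two config texts inside it are constructed: the author's file as printed, next to a copy with the catch-all mask corrected.

```python
"""Evaluate sockd.conf permit/deny lines the way the SOCKS 4 sockd does.

Added example for this page; not code from the sockd package.  Only the
'action src_addr src_mask [: notify_cmd]' form is handled (no destination
or port fields).
"""
import ipaddress

# Constructed: the author's sockd.conf as printed, and a corrected copy.
AUTHOR_CONF = """\
permit 10.0.1.2 0.0.0.0
deny 0.0.0.0 0.0.0.0 : /usr/ucb/finger @%A | /usr/ucb/mail -s 'SOCKD: rejected -- from %u@%A to host %Z (service %S)' root
"""
FIXED_CONF = """\
permit 10.0.1.2 0.0.0.0
deny 0.0.0.0 255.255.255.255 : /usr/ucb/finger @%A | /usr/ucb/mail -s 'SOCKD: rejected -- from %u@%A to host %Z (service %S)' root
"""


def _ip(dotted):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_rules(text):
    """Return [(action, src_addr, src_mask, notify_cmd_or_None), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        rule_part, _, notify = line.partition(':')  # ': shell_cmd' is optional
        fields = rule_part.split()
        if len(fields) != 3 or fields[0] not in ('permit', 'deny'):
            raise ValueError(f'unsupported sockd.conf line: {raw!r}')
        rules.append((fields[0], _ip(fields[1]), _ip(fields[2]),
                      notify.strip() or None))
    return rules


def rule_matches(rule_addr, rule_mask, client_addr):
    """sockd ORs both addresses with the mask before comparing, so a 1 bit in
    the mask means 'ignore this bit': 0.0.0.0 matches exactly one host and
    255.255.255.255 matches every host (the reverse of a normal netmask)."""
    return (rule_addr | rule_mask) == (client_addr | rule_mask)


def decide(rules, client):
    """First matching line wins.  Returns (action, 1-based line number), or
    ('deny', None) when nothing matched: sockd refuses such a request but
    runs no notification command for it."""
    client_addr = _ip(client)
    for lineno, (action, addr, mask, _notify) in enumerate(rules, 1):
        if rule_matches(addr, mask, client_addr):
            return action, lineno
    return 'deny', None


def socks_mask_to_prefix(mask):
    """Translate a sockd 'reverse' mask into a CIDR prefix length, or None
    when the mask is not a contiguous run of low-order 1 bits (0.0.0.255 -> 24)."""
    ignored = _ip(mask)
    if ignored & (ignored + 1):          # contiguous low 1s satisfy x & (x+1) == 0
        return None
    return 32 - ignored.bit_length()


if __name__ == '__main__':
    for name, conf in (('author', AUTHOR_CONF), ('fixed', FIXED_CONF)):
        rules = parse_rules(conf)
        for client in ('10.0.1.2', '10.0.1.3', '0.0.0.0'):
            print(f'{name:6s} {client:9s} -> {decide(rules, client)}')
```

With the author's file, 10.0.1.3 is refused but matches no line, so root never gets the mail; with the corrected mask it hits line 2 and the notification runs.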
Step # 1: Check to see if "named" is already running in your system. If it is -- then, you are on your own. Unless you know the concepts of DNS very well, you may not be able to adapt the contents of this document to suit your needs.
Step # 2: Copy the "named.boot" file given below into your machine.
Step # 3: copy the "root.cache" file given below into your machine (follow instructions that come with it).
All programs that run on the LINUX machine WILL (you cannot prevent that) use the resolver libraries -- which depend on the file /etc/host.conf.
You must make sure that NONE of these programs ever ask the "named" daemon on THAT VERY linux machine. To do that we tell the resolver routines (i.e., the routines which convert www.cnn.com into the numerical IP address) that they MUST first check the /etc/hosts file and then the DNS servers mentioned in /etc/resolv.conf (which should list the DNS server at the other end of the PPP link, NOT 127.0.0.1).
How do we do that? Simply make sure the /etc/host.conf file is :-
order hosts, bind
multi on
If there is anything else, remove it, unless you know a lot about DNS and "named".
The reason I insist on preventing the LINUX machine's applications from using its own "named" server is that it makes no sense. And from my experience, such "unnecessaries" may look technically safe and harmless but will cause enough grief sooner or later...
The linux machine is obviously doing just great accessing the internet via the PPP (or whatever link) link. We are installing "sockd" package and the "named" daemon for the client machines. Let's not disturb the LINUX system.
You DO NOT NEED to change the "/etc/gateways" or "/etc/hosts" file or the "hosts.allow" or the "hosts.deny" file in order to get your socks working.
Do not change any file unless someone suggests a change to that file...
I will also assume that you have setup "resolv.conf" properly, to enable your LINUX server to access the internet and the DNS (on the "other end" of the PPP connection). My sample resolv.conf file is available as a sample at the very end.
***********************************************
WARNING
***********************************************
For your own good, I suggest that you setup your
machine through the linux installation programs
(i.e., while installing linux on your computer.)
************************************************
; boot file for name server
forwarders 128.112.129.111
directory /etc
cache . root.cache
primary 1.0.10.in-addr.arpa named_DNS_for_inTi_xwk
^^^^^^^^^^^^^^^^^^^^^^
NOTE: line # 2, contains the IP address of the DNS server in the network to which your LINUX machine connects to using PPP(or whatever).
*** How to determine this IP Address ****
SIMPLE! At a command prompt type the command "nslookup". The response you see will CONTAIN such an IP address (the "Address:" line under "Default Server:"). After noting the DNS server's IP address, exit "nslookup" with <CTL-D>.
NOTE: The LAST line contains the name of a file called "named_DNS_for_inTi_xwk" which MUST be in the "/etc" directory. The contents of this file are given below (you are free to give it a better name :-) )
@       IN  SOA  MyLinuxMachine. hostmaster.MyLinuxMachine. (
                 1        ; Serial
                 28800    ; Refresh
                 7200     ; Retry
                 604800   ; Expire
                 86400 )  ; Minimum TTL
        IN  NS   MyLinuxMachine.
1       IN  PTR  MyLinuxMachine.
NOTE: Replace "MyLinuxMachine" (all three places) with the name in /etc/HOSTNAME, and KEEP the trailing dots. Inside this file a name without a trailing dot gets the zone name (1.0.10.in-addr.arpa, from the "primary" line of named.boot) appended to it, so writing the bare address 10.0.1.1 where a name belongs would be read as the name 10.0.1.1.1.0.10.in-addr.arpa, which is not what you want. The SOA and NS records name the machine that serves the zone, not its address.
NOTE: Again, as you have been doing so far, adapt this to your own addresses: the "1" on the last line is the host part of 10.0.1.1 (change it to the last number of your LINUX machine's eth0 address), and the zone name on the "primary" line of named.boot is your network address with its first three numbers reversed, followed by .in-addr.arpa. The PTR record maps the address back to the machine's name.
NOTE: I really do not understand every character of the above file. You will be better off statisfying your curiousity by studying the documentation for the NAMED daemon.
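An added check (example code of mine, not the author's and not part of BIND) that reads a reverse zone of the shape shown above with named's naming rules and asks what 10.0.1.1 maps back to. The parser is deliberately minimal: it handles "@", relative and absolute names, an optional IN class, ";" comments and a parenthesised SOA, and nothing else. The zone text embedded in it is constructed for the example, with the SOA and NS records naming the server rather than carrying addresses; the zone name 1.0.10.in-addr.arpa is the one on the "primary" line of named.boot.

```python
"""Read a small in-addr.arpa zone the way named does and answer a reverse lookup.

Added example for this page; not code from the original document or from BIND.
Assumptions: the zone name comes from the 'primary' line of named.boot, and the
zone text below is constructed for this example.
"""
import ipaddress

ORIGIN = '1.0.10.in-addr.arpa'

ZONE = """\
@       IN  SOA  MyLinuxMachine. hostmaster.MyLinuxMachine. (
                 1        ; Serial
                 28800    ; Refresh
                 7200     ; Retry
                 604800   ; Expire
                 86400 )  ; Minimum TTL
        IN  NS   MyLinuxMachine.
1       IN  PTR  MyLinuxMachine.
"""


def qualify(name, origin=ORIGIN):
    """named's naming rules: '@' is the origin itself, a name ending in '.' is
    already absolute, anything else gets the origin appended.  DNS names
    compare case-insensitively, so the result is lower-cased."""
    origin = origin.rstrip('.') + '.'
    if name == '@':
        return origin.lower()
    if name.endswith('.'):
        return name.lower()
    return (name + '.' + origin).lower()


def reverse_name(ip):
    """The in-addr.arpa name a resolver asks for when reverse-mapping ip."""
    octets = str(ipaddress.IPv4Address(ip)).split('.')
    return '.'.join(reversed(octets)) + '.in-addr.arpa.'


def parse_zone(text, origin=ORIGIN):
    """Return [(owner, rtype, [rdata fields]), ...] with owners fully qualified.
    A line starting with whitespace inherits the previous owner; parentheses
    let one record (the SOA) span several lines."""
    records, owner, pending, depth = [], None, None, 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        tokens = line.replace('(', ' ( ').replace(')', ' ) ').split()
        if pending is None:                              # start of a record
            if not line[0].isspace():
                owner = tokens.pop(0)
            elif owner is None:
                raise ValueError('first record has no owner name')
            pending = []
        for tok in tokens:
            if tok == '(':
                depth += 1
            elif tok == ')':
                depth -= 1
            else:
                pending.append(tok)
        if depth == 0:                                   # record complete
            fields = pending[1:] if pending and pending[0] == 'IN' else pending
            records.append((qualify(owner, origin), fields[0], fields[1:]))
            pending = None
    return records


RECORDS = parse_zone(ZONE)


def ptr_for(ip, records=RECORDS, origin=ORIGIN):
    """Answer a reverse lookup from the parsed zone, or None if unmapped."""
    wanted = reverse_name(ip)
    for owner, rtype, rdata in records:
        if rtype == 'PTR' and owner == wanted:
            return qualify(rdata[0], origin)
    return None


def ns_for(records=RECORDS, origin=ORIGIN):
    """The name servers the zone claims for itself, fully qualified."""
    return [qualify(rdata[0], origin) for _owner, rtype, rdata in records if rtype == 'NS']


if __name__ == '__main__':
    for record in RECORDS:
        print(record)
    print('10.0.1.1 ->', ptr_for('10.0.1.1'))
    print('NS ->', ns_for())
    # The pitfall: an address written where a name belongs is just a relative name.
    print('"NS 10.0.1.1" would point at', qualify('10.0.1.1'))
```

The last line of the run shows why the bare address is wrong in the SOA or NS field: it becomes 10.0.1.1.1.0.10.in-addr.arpa, a name nobody answers for.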
# services This file describes the various services that are
# available from the TCP/IP subsystem. It should be
# consulted instead of using the numbers in the ARPA
# include files, or, worse, just guessing them.
# Version: @(#)/etc/services 3.02 02/21/93
# Author: Fred N. van Kempen,
... <lines deleted>
socks 1080/tcp # sarma: Sep.15.96: Got this from the ~sockd/include/socks.h file.
... <lines deleted>
# End of services.
NOTE: This line is consulted by anything that looks up the service name "socks" -- here, the inetd daemon, when it reads inetd.conf (below) and needs to know which port "socks" means. The effect is that inetd listens on TCP port 1080 and hands every connection arriving there to the "socks" program.
# I am just following instructions from ~sockd/doc/sockd.1 man pages...
socks stream tcp nowait root /usr/local/etc/socks sockd
NOTE: The last field is argv[0] for the program; inetd.conf wants it spelled out after the program's path (the sockd man page's own example line shows the same shape).
NOTE: /usr/local/etc does NOT need to be in the SYSTEM's default PATH; inetd runs the program by the full path given here. After editing inetd.conf, send inetd a HUP signal (kill -HUP its process id) so it re-reads the file, then try a connection to port 1080 from a client.
NOTE: For more instructions, read the SOCKD package's instruction file. This very same line is described there, and you will get to know what each field means...
NOTE: As the filename indicates, this file tells the "inetd" daemon which program to run for the "socks" service, as which user, and with what arguments (always). Running it as root is the simplest thing that works, but sockd only needs to open ordinary outgoing connections, so a dedicated unprivileged user is the safer choice if your setup allows it.
etc...
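The exchange that takes place on port 1080 every time inetd hands a connection to "socks", as an added example that is not part of the original document, of Netscape or of the sockd package. Both ends run in-process here. The addresses are the ones this page uses (198.20.186.4 for www.cnn.com, 10.0.1.2 for the client); the set of permitted client addresses stands in for sockd.conf, and "sarma" is a made-up user name of the kind Netscape puts in the USERID field.

```python
"""One SOCKS 4 CONNECT exchange, as Netscape and sockd perform it on port 1080.

Added example for this page; not code from Netscape or from the sockd package.
Both sides are simulated in-process, and a plain set of permitted client
addresses stands in for sockd.conf.
"""
import ipaddress
import struct

VN_REQUEST = 4          # version byte in every SOCKS 4 request
CD_CONNECT = 1
CD_BIND = 2
VN_REPLY = 0            # replies always carry version 0
CD_GRANTED = 90
CD_REJECTED = 91
HEADER = struct.Struct('!BBH4s')    # VN, CD, DSTPORT, DSTIP in network byte order


def build_connect(dst_ip, dst_port, userid):
    """Client side: what Netscape sends once it has resolved the host name.
    SOCKS 4 carries a 4-byte DSTIP, never a name, which is why the clients
    need a DNS server they can reach before they can use the relay.  USERID
    is whatever the client claims to be; it is not authenticated."""
    return (HEADER.pack(VN_REQUEST, CD_CONNECT, dst_port,
                        ipaddress.IPv4Address(dst_ip).packed)
            + userid.encode('ascii') + b'\0')


def parse_request(data):
    """Server side.  Returns (cd, dst_ip, dst_port, userid), or None while the
    request is still incomplete (USERID is variable length, ended by NUL)."""
    if len(data) < HEADER.size + 1:
        return None
    vn, cd, port, ip = HEADER.unpack_from(data)
    if vn != VN_REQUEST:
        raise ValueError(f'not a SOCKS 4 request (VN={vn})')
    nul = data.find(b'\0', HEADER.size)
    if nul < 0:
        return None
    userid = data[HEADER.size:nul].decode('ascii', 'replace')
    return cd, str(ipaddress.IPv4Address(ip)), port, userid


def sockd_reply(request, client_ip, permitted_clients):
    """What sockd answers: VN 0, then CD 90 (granted) or 91 (rejected).  The
    decision is made on the client's source address, as sockd.conf does; only
    CONNECT is accepted here.  DSTPORT/DSTIP carry no meaning in a CONNECT
    reply, so the request's values are echoed back."""
    parsed = parse_request(request)
    if parsed is None:
        raise ValueError('incomplete request')
    cd, dst_ip, dst_port, _userid = parsed
    granted = cd == CD_CONNECT and client_ip in permitted_clients
    return HEADER.pack(VN_REPLY, CD_GRANTED if granted else CD_REJECTED,
                       dst_port, ipaddress.IPv4Address(dst_ip).packed)


def connection_granted(reply):
    """Client side: True if the relay accepted and the HTTP request may follow."""
    vn, cd, _port, _ip = HEADER.unpack_from(reply)
    if vn != VN_REPLY:
        raise ValueError(f'not a SOCKS 4 reply (VN={vn})')
    return cd == CD_GRANTED


if __name__ == '__main__':
    permitted = {'10.0.1.2'}                              # stands in for the permit line
    request = build_connect('198.20.186.4', 80, 'sarma')  # www.cnn.com, port 80
    print('request :', request.hex())
    for client in ('10.0.1.2', '10.0.1.3'):
        reply = sockd_reply(request, client, permitted)
        verdict = 'granted' if connection_granted(reply) else 'rejected'
        print(f'{client} -> reply {reply.hex()} ({verdict})')
```

Once the reply says 90, the same TCP connection simply carries the HTTP request and response; sockd copies bytes in both directions and never looks inside them again.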
If you have already used your Win95 or WinNT machines to connect to the internet via PPP, this document is of absolutely NO help to you. Anyway, why bother using linux to connect to the internet when you can do so via the client machine's built-in PPP?
If you haven't been able to connect to the internet via the LINUX server, then stop reading this document and read the other HOW-TO documents to setup your LINUX machine to access the internet via the PPP link.
I hope you know the concept of IP addresses. In short, computers on the internet are reached by numeric addresses like "198.20.186.4", while people use names like www.cnn.com. If you type the name, someone must HELP your computer convert that name into the numeric address.
Why the numeric format? Because that numeric format encodes, very efficiently, HOW each computer should send its packets to the OTHER computers IT WANTS TO communicate with.
So, if you type "www.cnn.com" into your NETSCAPE browser, a computer called a "DNS server" converts that name into a number for your computer. Your computer then uses that numeric address to actually CONNECT to www.cnn.com and show you their latest news.
So, the gist being that : to use the internet you need a DNS server. This document includes instructions on setting up your computer to HOOK up to your NEIGHBORHOOD DNS server.
Your LINUX machine MUST have ALL of the following :-
A modem, through which you can connect to INTERNET *** DIRECTLY ***
An ethernet card, to which you have the ethernet cable hooked up (the other ends of which you have your client machines hooked up to...)
A Working PPP connection.
Valid DNS server information (use nslookup --- if that program returns invalid values, stop reading this document. You WILL NOT be able to proceed...)
Netscape 2.0 or later on your client machines.
The "modem" is technically referred to as the "ppp0 port" as far as this document is concerned. By "port" I mean something similar to a "Sea-Port". This modem or PPP port enables you to "explore the world" (go on a "vacation" from daily chores) :-)
The "ethernet card" is your "eth0" port. That ethernet "port" lets you explore the ethernet network to which its connected.
Since your client machines are connected via the ethernet cable to the LINUX machine, anything that your client machine communicates to the LINUX machine will ONLY REACH the linux machine VIA the "eth0" port. ANything that the outside world sends to your LINUX machine will ONLY REACH via the "ppp0 port". So, its very important that these two ports be given "DIFFERENT ADDRESSES".
To make things easier for you, if you ALREADY successfully connected to the world using PPP, then, you have UNKNOWINGLY (or knowingly) assigned an IP numerical address to your linux machine's PPP port.
NOTE: This script is being provided as a sample. Having this sample is not a guarantee that you will have an internet connection.
#!/bin/csh
#
# ppp-on
#
# Set up a PPP link.  Sample only: adjust DEVICE, OUR_IP_ADDR, the dip
# script and the hosts used for the connectivity check to your own setup.
set LOCKDIR=/var/spool/uucp
set DEVICE=cua3
# Placeholder for the fixed address of our end of the PPP link.
set OUR_IP_ADDR=128.000.111.222
if ( -f $LOCKDIR/LCK..$DEVICE ) then
    echo 'PPP device is locked'
    exit 1
endif
# Drop any existing default route (e.g., one pointing at the in-house ethernet).
# If there is none, the command is harmless.
route del default
route               # show the routing table, to confirm the above worked
/usr/lib/ppp/fix-cua $DEVICE
unalias pushd
unalias popd
pushd /usr/lib/ppp
# stty 19200 -tostop
# The original chat-based dialing is commented out; dip (comserv.dip) is used instead:
# if chat -l LCK..$DEVICE ABORT "NO CARRIER" ABORT BUSY "" ATZ OK ATs50=255s111=0DT$PHONE CONNECT "" ogin: $USER ssword: \\q$PASSWORD
echo $cwd
ls -l ./comserv.dip
dip ./comserv.dip   # the -v (DEBUG & VERBOSE) option to dip has been removed
set dip_status=$status
# echo the return value of dip is $dip_status
if ( $dip_status == 0 ) then
    # Wait 10 seconds while the link is auto-verified by dip.
    echo 'About to fork off pppd (after a delay of 10 secs)...'
    date
    echo 'If you see any error msgs below, then we are having SERIOUS problems...'
    sleep 10
    # pppd is forked into the background (note the "&" at the END of the line).
    # No "lock" option is passed to pppd here; dip already holds the lock in $LOCKDIR.
    pppd -detach crtscts defaultroute domain remote.princeton.edu mru 1005 mtu 1005 ${OUR_IP_ADDR}: /dev/$DEVICE 38400 &
    ###### redirection is NOT needed on the previous line:  < /dev/$DEVICE > /dev/$DEVICE
    echo 'Now wait another 10 seconds, before I auto-verify internet connection.'
    sleep 10
    cat ~root/@utils/.line
    ping -v -c 5 genius.eng.wayne.edu
    cat ~root/@utils/.line
    traceroute physics.iisc.ernet.in >&! /tmp/$$
    cat /tmp/$$
    \rm -f /tmp/$$
    cat ~root/@utils/.line
    popd
    exit 0
else
    echo 'PPP setup failed'
    popd
    exit 1
endif
# [EoF]