Cable Modems and Unix

• Why cable modems kick ass
• Considerations regarding Unix on cable modems
• A description of MediaOne's service
• Linux specific info
• SGI specific info
• How do I get my LAN to see the internet thru my Linux gateway?

Why cable modems kick ass

They're fast (800kbs down, 100kbs up).
They're cheap ($40/mo).
They're online 24 hours a day.
They're simple (a box with a 10Base-T Ethernet connection).

Considerations regarding Unix on cable modems

If you hang a unix machine off the internet, you better read up on firewalling.

Not only can crackers and spammers harm you and your data, but they can also harm others, using your machine in such a way that it looks like you're the culprit.

• Make sure you've disabled stuff like NFS and RSH/RLOGIN BOOTP and other 'dangerous' stuff

• Either disable sendmail completely, or carefully configure it to disable mail relaying, so spammers can't use it to relay mail to others.

• catch up on the latest patches (ping of death, sendmail 8.8.8)

• Read up on firewalling

• Disable ip forwarding, or carefully configure it to deny most forms of ip spoofing.

• Use tcpdump on your interfaces, to make sure your system is only trafficing what you THINK you configured it to do.

A description of MediaOne's service

The following is an excerpt from MediaOne, when asked 'Can one hook up a unix machine to the MediaOne cable modem?':
We use TCP/IP protocol that runs over a 10BaseT network connection. If after our field technician leaves your house from installing to a supported OS, you then change your platform to one which we do not support, we probably will not know unless you do something which causes problems on our network. A perfect example of this: you install Linux and by default it leaves ports open on your machine. An enterprising 'outsider' runs a script to find open ports on the network and finds your machine. That person then uses your machine as a gateway to 'spam' the mail server. The effect of this is that other customers of ours have less-than-adequate mail service. Our only solution is to deprovision your service because you are running an unsupported configuration that has caused a problem on our network.

When asked if they support Unix:

When we arrive at your house to install the service, we will only install to operating systems which we will support. These systems include Windows 95, Windows NT Workstation, and MacOS 7.5.3 or higher which run Open Transport. Unfortunately, it is not possible to support all OS environments given the training and support necessary to complete installations, technical support and troubleshooting. The same can be said of LAN's from the point of view of training and support, but in addition to that there are other issues like security to be concerned with. Also, a hub or router will not work with a cable modem.

This last statement about hubs and routers is of special consideration. You cannot just plug the cable modem into your LAN's hub when the installers leave, and expect all the machines on your LAN to see the cable modem.

The cable modem will only want to talk to ONE ethernet card; the one they configured it to talk to. Your cable modem will be intimately associated with your network card's MAC address (aka. ethernet address) when MediaOne configured the modem.

However, you can configure a linux machine to be an IP MASQUERADE router. This means two network cards in the linux machine; one connects to the cable modem, the other to your hub. This is descibed in the section below, 'How do I get my LAN to see the internet..'.

Linux specific info

These are some linux to linux specific info with regards to cable modems:
• Cable Modems - 'How To' documentation, as referenced by www.linux.org.
• DHCP - Dynamic Host Control Protocol used by MediaOne. Info for download/configuration.
• IP Masquerading - getting your home LAN to talk to the Internet (aka. Network Address Translation or NAT)
• IP Masquerade For Dummies - My description of how it works, in layman's terms

SGI specific info

These are some random comments about Cable Modems and SGI's, from various mail I've compiled on the subject.

At one point, I researched hooking up an Irix 5.3 system to a cable modem, which all lead to dead ends. So I opened a case with SGI:

> Greg Ercolano wrote:
> >     Does irix5.3 support DHCP? And if so, what do I have
> >     to do to get it?
>
> --- Forwarded mail from kou@moe.losangeles.sgi.com (Roger H. Kou)
>
> Date: Tue, 31 Mar 1998 13:45:59 -0800
> From: kou@moe.losangeles.sgi.com (Roger H. Kou)
> To: tech@rfx.com
> Subject: I am wrong
>
> 5.3 does not support DCHP.
>
> -RK
> *** CASE CLOSE 02/20/97 09:49:14 jgostin
> DCHP is not supported in 5.3 natively. It requires the use of a package
> that we no longer offer. 6.2 supports it natively. Customer was
> satisfied with answer. Case is closed.
    

The following is a question/answer with someone who has an SGI successfully connected to a cable modem:

I assume I need to have a pc for mediaone to install on, that I can secretly swap to the sgi later, and tell them 'I have a new ethernet number'. (I guess they lock you to one enet #?) MediaOne, as Jennine has probably told you already, wants only a Mac or a PC. Period. You can call their tech support number and have them login into the cable modem and change the MAC address. (Yes they lock you to one MAC address) I guess proclaim/DHCP works around /etc/resolv.conf somehow? In the land of PPP, I often had to automate tweaking it. I don't know if proclaim works around /etc/resolv.conf. I hardcode the /etc/resolv.conf. I have an O2 at home that is on MediaOne's cable modem. Once I chkconfig autoconfig_ipaddress on and proclaim_client (I think) on, things went automatic. Are there any special routing/arp/bcast issues I need to worry about? I edited /etc/config/static_route.options (I think that's the filename) and add the default router. [I think] netmask is default. Many telecommuters I know have both SGIs and PCs. They'll probably want _both_ on the cm. Is it reasonable to think I can have both hang off the cm using a hub, and have the PC use the SGI as a gateway? This is something I want to do, but haven't done. Yes, I think that can be done. I think Jennine has managed to do something like that with the TIS firewall kit. To have the sgi act as a gateway, would it have to masquerade the pc's ip numbers (via socks?) so that mediaone doesn't get confused by the pc's packets? If not, what would I do? You're right. Using socks, the applications on the PC/Mac can have the internet services, but to the outside systems, all the packets are coming from one IP address.

How do I get my LAN to see the internet thru my Linux gateway?

Given a small network, here was what I started with before the cable modem:

                               "firewall"        "howland"         "rotwang"
    Telco  ___________  ppp  _____________     _____________     _____________
     _____| 28K modem |_____|             |   |             |   |             |
          |___________|     | 192.168.10.1|   | 192.168.10.2|   | 192.168.10.3|
                            |_____________|   |_____________|   |_____________|
                                   |eth0             |                 |
                                   |                 |                 |
                                   `--------------.  |  .--------------`
                                               ___|__|__|____
                                              |              |
                                              |   enet hub   |
                                              |______________|
    

..pretty typical; 3 machines on a hub, one of them a linux machine acting as a PPP router to the internet over a telco modem on a POTS line.

For information about why I'm using 192.168.*.* on my private LAN, see RFC 1918 for info on reserved IP numbers for private networks.

Ok, now we get the cable modem. I put WinNT on 'firewall' so that MediaOne has something to test the cable modem. I knew that when they left, the cable modem would be configured to ONLY communicate with that machine's network card. So this is now the 'golden' network card.

When they leave, I blow away WinNT, and install RedHat Linux 5.2. During network configuration stage of RedHat installation, I tell it 'use DHCP'. I also make sure to configure all network daemons OFF, eg. NFS, FTP, sendmail, etc. (I can do this later, too, with chkconfig(1))

After the machine boots, I comment out just about everything in /etc/inetd.conf, and 'killall -HUP inetd' to hash in the changes. I can now talk to the internet with this machine. That's nice. Do a little surfing, and make note of the speed ;)

Now I shutdown, install a SECOND network card, connect it to my hub. Then I reboot, and configure the new card eth1 to be the old IP address of "firewall":

                              "firewall"
          _______            _____________
         |       |          |             |      "howland"         "rotwang"
         | Cable |------eth0| xx.xxx.xx.xx|    _____________     _____________
         | Modem |          |             |   |             |   |             |
         |_______|  .---eth1| 192.168.10.1|   | 192.168.10.2|   | 192.168.10.3|
                    |       |_____________|   |_____________|   |_____________|
                    |                                |                 |
                    |                                |                 |
                    `-----------------------------.  |  .--------------`
                                               ___|__|__|____
                                              |              |
                                              |   enet hub   |
                                              |______________|
    

The new card is shown as 'eth1', and the original card is 'eth0'. The eth0 address is xxx'ed out, because MediaOne changes it regularly via DHCP.

Here are the steps I used to bring up the second ethernet card, and enable routing for my 192.168.10.* network on eth1:

	ifconfig eth1 192.168.10.1 up
	route add -net 192.168.10.0 netmask 255.255.255.0 dev eth1
    

So now the firewall should be able to ping addresses on the internet (via eth0) and ping addresses on my lan (via eth1). Cool, but since the machine was configured to be a firewall, packets from the other machines on my network will not (and SHOULD NOT!) reach the internet.

The trick now, is to hide our unassigned network addresses from the internet, by configuring the firewall to do ip masquerade (ie. NAT, Network Address Translation) packet forwarding. The commands I used:

	ipfwadm -F -p deny
	ipfwadm -F -a m -S 192.168.10.0/255.255.255.0 -D 0.0.0.0/0
	echo 1 > /proc/sys/net/ipv4/ip_forward
    

That's it. All these commands, once tested, would be configured into the boot scripts, ie. /etc/rc.d./rc.local.
(update 07/29/00: I upgraded to RedHat 6.1, and now use an ipchains oriented script to configure my firewall, as well as these tweaks to prevent internet based abuse of my various unix services.)

Now it's just a matter of configuring the other workstations to use "firewall" as their gateway to the internet. For instance, on Linux machine 'rotwang', I configure the /etc/resolv.conf to use MediaOne's nameservers:

	domain mydomain.com
	nameserver 24.xxx.xxx.xxx
	nameserver 24.xxx.xxx.xxx
	nameserver 24.xxx.xxx.xxx
    

..and make sure there is a default route to "firewall", so all internet bound traffic is forwarded to it:

	route add default gw 192.168.10.1
    

At this point, "rotwang" should be able to ping addresses on my lan, and addresses on the internet.

On an SGI, you could use:

	/etc/resolv.conf:
	    # MEDIAONE NAMESERVER
	    hostresorder local bind
	    domain erco.com
	    nameserver 24.xxx.xxx.xxx
	    nameserver 24.xxx.xxx.xxx
	    nameserver 24.xxx.xxx.xxx

	Routing:
	    route add default 192.1.2.3 1
    

If you have a windows machine, it's pretty trivial; just add "firewall" as a gateway (Control Panel -> Network -> Tcp -> Gateway=192.168.10.1, DNS=mediaone nameservers)

The finishing touches:

RJ45 Switch

An RJ45 data switch lets me easily disable the internet connection. (I leave it off as an ultimate means of security ;) Basically, just an A/B switch that has RJ45 connectors on the back, instead of DB-25s, etc.

DNS Caching Nameserver

Configuring a DNS caching nameserver on your firewall will allow you speedier name lookups, and can help simplify handling name server lookups should the provider decide to switch DNS servers on you.

Getting FTP to work

FTP is weird in that, when you start a download, the remote host opens A SECOND connection back to your machine to do the download, which your firewall will of course reject. The result is your PUT/GET commands will hang.

To get FTP to work properly through an ip masqueraded firewall on your clients, you will want to install the ip_masq_ftp.o module as the last command after all your ipfwadm(1) commands in your boot script, eg:

	    # (ipfwadm commands go here)

	    # INSTALL FTP MODULE
	    /sbin/insmod /lib/modules/2.0.37/ipv4/ip_masq_ftp.o
				      ^^^^^^
				     (your OS version number)
	

If you have trouble, RTFM. There's much good documentation on your own machine for routing, ip masquerade (NAT), and DNS configuration. With RedHat 5.2, there's:

	/usr/doc/HOWTO/NET-3-HOWTO
	/usr/doc/HOWTO/mini/IP-Masquerade
	/usr/doc/HOWTO/DNS-HOWTO
    

Good luck!

Reference

Golden Network Card

Use DHCP