CONFIGURING THE EDGE FIREWALL TO PUT A PPTP SERVER BEHIND IT

Table of Contents

1-1    The Objective

1-2    The Provisions

1-3    The Author

1-4    List of Commands Used

1-5    Editing the Edge txt files

1-6    Syslinux (Edge) Prep

1-7    Using the Floppy Drive

1-8    Navigating and copying files

1-9    Removing the floppy

1-10  Creating a Startup script

1-11  Creating a list file

1-12  Changing the Owner of the files

1-13  Running chmod to change files

1-14  Finishing up

1-15 Microsoft’s PPTP Server links and notes

2-1    Point Form

1-1 The Objective

The objective of this document is to teach some Linux architecture and commands by adding the ability to run a PPTP server behind the firewall.

The reason for doing this is that the Edge Firewall software, as shipped, cannot put a PPTP server behind it.  Once you have a working Edge system, you need to add ipfwd to forward the GRE protocol to an internal machine.  The portfw program is sufficient to forward TCP ports (PPTP uses TCP port 1723 for its control connection), but it will not forward IP protocol 47 (GRE), which carries the PPTP tunnel itself.

 

The following instructions are written in two parts.  The first part is very verbose; the second part is in point form, telling you exactly what to do.

1-2 The Provisions

There are some provisos to this document.  I used Edge version 0E and I am told that Alpha 22 works, but the versions between these two will not work.  The first part of this document has been written to accommodate those of us who are not familiar with Linux.  I have not explained how to set up a PPTP server, nor do I explain how to configure one.  I have added a section at the end with some great hyperlinks to good documents concerning PPTP configuration.  In that section I have also added some notes relating to Microsoft’s implementation of a PPTP server.

 

I assume the reader has some prior knowledge of computers and operating systems.  The reader should also know how to create the Edge boot disk, and should be familiar with Windows.

1-3 The Author

The author of this document is Timothy E Dyke.  I have been an MCSE since 1997.  My current job title is Technical Specialist I with the Workers’ Compensation Board of BC.  At WCB we work exclusively with Windows NT 4.0 and SMS 2.0.  Therefore my limited knowledge of Linux is all self-taught.  That is why I decided to do some research and document the process.  I hope others find this document useful.  Please send comments to timdyke@home.com.

 

I would like to give credit where it is due.  I could not have written this document without the hard work of the Edge Fireplug group.  I would also like to give credit to the two individuals on the Edge mailing list who helped me with the technical details: Jeffery Jones and David Fallin.

 

I also used a book that was recommended to me: Unix System Administration Handbook, by Nemeth, Snyder, Seebass, and Hein, Prentice Hall, ISBN 0-13-151051-7.

I used one other book called Absolute Beginner’s Guide to Unix, by Lisa Stapleton, ISBN 0-672-30460-0.

1-4 List of Commands Used

ls       echo      mkdir
cd       cat       rmdir
chmod    mount     cp
chown    umount    pwd

1-5 Editing the Edge text files

Using your favourite Windows editor, you will need to make some changes to two of the files in the config directory.  WordPad is recommended as the editor.  Some Windows programs add end-of-line and end-of-file characters that Linux doesn’t understand; Notepad seems to show a bunch of weird characters while WordPad doesn’t.  Just make sure you save the file as a plain text file.

 

The two files that need changing are portfw.txt and userin.txt.  Append the following line to the end of portfw.txt:

    1723     tcp    192.168.1.2        1723 #PPTP forwarding to NT

Append the following to userin.txt:

    #PPTP
    tcp    -d    0.0.0.0/0    1723

 

Also in this directory I would like to point out a file called map.txt.  This file is used by the syslinux system to copy the configuration files over the syslinux files; it was done this way to make syslinux easier to configure for non-Linux users.  If you have other configuration changes you would like to make but there is no corresponding text file, you can create a text file with your changes and amend map.txt so your new configuration file will overwrite the one in syslinux.

 

To continue, you will also need a copy of the ipfwd file.  Once you have a copy, save it to a new disk.  You can get a copy from

http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/
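As an added example (not part of the original document or the Edge project), here is a small shell check for the edited portfw.txt before you boot from it: it strips the carriage returns Windows editors leave behind and counts the lines that have the four fields shown above.  The field rules are this example's own assumption, and the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not from the Edge project: sanity-check a Windows-edited
# portfw.txt before booting the firewall from it.
# Field layout (ext-port proto int-ip int-port [# comment]) follows the line
# shown above; the validation rules are this example's own assumption.

# Drop carriage returns left by Windows editors, then comments and blank lines.
normalize_config() {
    tr -d '\r' | sed -e 's/#.*$//' -e 's/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 when one (already normalized) line has the four expected fields.
check_portfw_line() {
    set -- $1                                   # split on whitespace
    [ $# -eq 4 ] || return 1
    case $1 in ''|*[!0-9]*) return 1 ;; esac    # external port: digits only
    case $2 in tcp|udp) ;; *) return 1 ;; esac  # portfw handles TCP/UDP only;
                                                # GRE (47) needs ipfwd instead
    case $3 in ''|*[!0-9.]*) return 1 ;; esac   # internal IPv4 address
    case $4 in ''|*[!0-9]*) return 1 ;; esac    # internal port: digits only
    [ "$1" -le 65535 ] && [ "$4" -le 65535 ]
}

# Read a whole file on stdin and print how many usable forwarding lines it has.
count_valid_portfw() {
    normalize_config | {
        n=0
        while read -r line; do
            check_portfw_line "$line" && n=$((n + 1))
        done
        echo "$n"
    }
}

# Constructed sample of a file saved by a Windows editor (CRLF line endings).
# The GRE line is exactly what portfw cannot do, so it must not be counted.
SAMPLE_PORTFW=$(printf '1723     tcp    192.168.1.2        1723 #PPTP forwarding to NT\r\n80 tcp 192.168.1.3 80\r\n47 gre 192.168.1.2 47\r\n')

# Usage: printf '%s\n' "$SAMPLE_PORTFW" | count_valid_portfw   -> 2
```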

1-6 Syslinux (Edge) Prep

You will need to boot your Edge system with the edited Edge disk.  Once the system is up and running, log on as root.  Once you are logged on, you can remove the disk, as it is not required to run syslinux: the Edge Firewall runs wholly from a RAM disk that was created during the boot and loading process.  Next, insert the disk that has the copy of ipfwd on it into the floppy drive.

1-7 Using the Floppy Drive

Unlike Windows, where you can put a floppy in the drive and read it right away, Linux or Unix requires the floppy to be mounted into the file system before it becomes available to Unix processes.  The mount point can be any directory.  A good explanation comes from the book called “Unix System Administration Handbook”, published by Prentice Hall.

 

“The file tree is composed of chunks called filesystems, each of which consists of one directory and its subdirectories and files.  Filesystems are attached to the file tree with the mount command.  [The] mount [command] maps a directory within the existing tree, called the mount point, to the root of the new filesystem.  The previous contents of the mount point become inaccessible as long as a filesystem is mounted there.  Mount points are usually empty directories.”  UAHB page 57

 

If you do a directory listing of / on the syslinux system, you will see a directory called /mnt.  I believe this directory is used as a mount point for the floppy.

 

One way an administrator can configure the system is to use the /etc/fstab file.  This file is read by the mount, umount, swapon, and fsck commands.  You can configure /etc/fstab to tie physical devices to already created mount points.  An example fstab file:

        /dev/hd0    /       4.2     rw    0    1
        /dev/fd0    /mnt    vfat    rw    0    2

The first field gives the device name.  The second field specifies the mount point.  The third field is the file system type.  The fourth field holds the mount options, such as the access rights to the file system.  The fifth field is not used by Linux, and the last field specifies the pass in which fsck should check the file systems.

The commands mount and umount use the fstab file to figure out what you want done if you specify only a partition name or a mount point on the command line.  For example, using the command

 

        mount /mnt

 

with the above fstab file would be interpreted as

 

        mount /dev/fd0 /mnt
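As an added illustration of that rule (not part of the original document), the following shell lookup applies the same mapping to the example fstab above.  The fstab text is copied from the example; fstab_mount_cmd and fsck_order are this example's own helpers, not mount's or fsck's code.

```shell
#!/bin/sh
# Added example: how mount resolves a bare device or mount point through
# /etc/fstab. FSTAB holds the two-line example above; the lookup mimics the
# rule mount applies and is not mount's own code.

FSTAB='/dev/hd0    /       4.2    rw    0    1
/dev/fd0    /mnt    vfat   rw    0    2'

# Print the full mount command that "mount NAME" expands to. NAME may be a
# device (field 1) or a mount point (field 2). Exit 1 when fstab has no
# matching line, which is the situation the floppy is in on syslinux and why
# the text creates /floppy and mounts /dev/fd0 on it by hand.
fstab_mount_cmd() {
    printf '%s\n' "$FSTAB" | awk -v name="$1" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        $1 == name || $2 == name {
            printf "mount -t %s -o %s %s %s\n", $3, $4, $1, $2
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# List the mount points fsck would check, in pass order (field 6; 0 = never).
fsck_order() {
    printf '%s\n' "$FSTAB" | awk '$6 > 0 { print $6, $2 }' | sort -n |
        awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 }'
}

# Usage: fstab_mount_cmd /mnt   -> mount -t vfat -o rw /dev/fd0 /mnt
```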

 

Unfortunately, syslinux doesn’t set the floppy in the fstab file, most likely due to the fact that you wouldn’t want to be restricted to using a single file system type.  So, to use the floppy you will need to first create a directory in the file system that will point to the floppy.  The command for making directories in Linux is mkdir.  The syntax is mkdir dirname.  So at the command prompt in Linux type:

   

    mkdir /floppy

 

This will add a directory off the root called floppy.  The next thing to do is to connect the floppy drive to the directory.  We do this using the mount command.  At the command prompt type:

 

    mount -t vfat /dev/fd0 /floppy

This takes the diskette in drive 0, formatted with the FAT file system, and connects it to the directory called /floppy.

 

At this point you can access the diskette.

1-8 Navigating and copying files

Moving around in Linux is much the same as in Windows.  We use the cd (change directory) command: type cd /floppy and your prompt will be in that directory.

If you would like to know where you are in the file tree, use the command pwd, which stands for print working directory.

 

If you want a listing of the directory you can run the command ls.  Here is the syntax of that command:

    ls [-acdfgilqrstu1CFLMR] name...

Notice that the switches are case sensitive.  Here is an explanation of the switches:

    -a    Lists all entries
    -c    Use time when file status was last changed
    -d    If the argument is a directory, list only its name
    -f    Force each argument to be interpreted as a directory and list the name found in each slot.  This option turns off -l, -t, -s and -r
    -g    Include the group ownership of the file
    -i    Print the i-number in the first column of the report
    -l    List in long format
    -r    Reverse the order of sort
    -s    Give the size in KB of each file
    -t    Sort by time modified (latest first)
    -u    Use the time of last access instead of last modification
    -C    Force multicolumn output
    -F    Cause directories to be marked with a trailing /, sockets with a trailing =, symbolic links with a trailing @, and executable files with a trailing *
    -L    If the argument is a symbolic link, list the file or directory the link references rather than the link itself
    -M    List in Macintosh format
    -R    Recursively list subdirectories encountered
    -1    Force one-entry-per-line output format

Taken from the Absolute Beginner’s Guide to Unix.

I tend to stick with ls -l for my directory listings.

From here we can copy the ipfwd file to the desired location.  The file needs to reside in the /sbin directory.

 

The Unix file system is organized as a file tree.  The root (/) file system includes the root directory and a minimal set of files and subdirectories.  Some of the common directories and their contents are as follows:

    /               The root directory
    /bin or /sbin   Commands needed for minimal system operability
    /dev            Device entries for terminals, disks, modems, etc.
    /etc            Critical startup and configuration files
    /lib            Libraries for the C compiler
    /tmp            Temporary files that disappear between reboots
    /proc           Images of all running processes
    /usr/bin        Executable files
    /usr/adm        Accounting and log files
    /usr/sbin       Maintenance commands

The /sbin directory seems to be the best place to put the file, so we need to copy ipfwd to /sbin.  We can copy the file using the cp command.  The syntax is cp [-ip] file1 file2.  The -i switch can be used if you want to be prompted before a file is overwritten by the copy.  The -p switch preserves the modes and modification times.  In our case we did as follows:

 

    cp /floppy/ipfwd /sbin

 

This copies the file to the /sbin directory.  At this point you no longer require the floppy.  There is a process to remove the floppy that I will explain in 1-9.

1-9 Removing the floppy

Removing a floppy isn’t as simple as pressing the eject button; there are a few things you need to do first in Linux.  You cannot unmount a filesystem that is busy, that is, one with open files or processes running in it.  If you used cd to change into that directory, you will have to cd back to the root first before removing the directory.  You can remove the /floppy directory by issuing the rmdir command as follows:

 

    rmdir /floppy

 

Once the directory is gone, you can unmount the disk.  Please note that the command is umount; it has only one n in it.  The command is run as follows:

 

    umount /dev/fd0

 

Now the diskette no longer exists in your system and can be safely removed from the drive.

 

If you want to start ipfwd manually you can log on as root and run the command ipfwd --masq ipaddress 47 &, but you would have to do that each and every time the machine was booted.  A better way is to add the command to one of the startup scripts so it starts automatically when the system boots.  I will explain how this is done in 1-10.

1-10 Creating a Startup Script

Unix organizes the startup scripts into directories so they can be run at the appropriate point in the operation of the system.  It looks as if syslinux has organized its startup scripts along the same lines as AT&T does.

In this version of Linux there is an rc directory, and in it you will see subdirectories like rc1.d, rc2.d, rc3.d, etc.  Each of these directories represents a different run level.  Linux has different run levels depending on where it is in the boot or shutdown process.  For example, the rc1.d run level is the initial load; the rc2.d run level is after the machine is up and running but before any user has logged on; the third run level is a user run level; the fourth run level is used in case the machine has an error, when it will run all the scripts in that directory; and the rc6.d run level is the shutdown run level, where all the scripts in rc6.d are run when the machine gets a shutdown instruction.

 

You will see a lot of files in those directories whose names start with an S.  This signifies a startup script.  You may also notice files that start with a K; those are scripts that kill processes and are usually used when shutting a system down.  The prefix is usually followed by a number, and the files are run in alphanumeric order.

 

I have chosen to add the startup script to the rc2.d directory so that the ipfwd program will start after the machine loads and before anyone gets to log on.

 

To create the file I chose to use the echo command and the shell’s redirection operators.  The echo command is similar to the one used in DOS: it repeats what you have typed to the default location, which is usually the terminal or monitor.  The > is a redirection operator.  In the following commands I have redirected the echo to a file.  Notice that the first line has only one > symbol: this redirects the echo to a NEW file, and any file that is already there with the same name will be overwritten.  The second line uses a double >>, which appends to an existing file or creates a new one.

 

From the command prompt type the following (the quotes keep the shell from reading # as the start of a comment and & as an instruction to run echo in the background, either of which would leave the file empty):

        echo '#!/bin/sh' > /etc/rc/rc2.d/S75ipfwd
        echo 'ipfwd --masq 192.168.1.2 47 &' >> /etc/rc/rc2.d/S75ipfwd

 

 

If you want to view the contents of the file you just created, you can use the command cat.  The syntax is cat filename.  In our case we would type cat /etc/rc/rc2.d/S75ipfwd, and the reply would be:

 

        #!/bin/sh

        ipfwd --masq 192.168.1.2 47 &

 

Now when the system is started, the ipfwd program will start automatically.  You will see a nice message stating that ipfwd started OK.

 

We now have the files where we want them, but how do we keep them there once the machine is rebooted?  The Edge people created a process that backs up the files on the system into a tgz file.  We will use that process to include the files we just added.  I’ll tell you how in 1-11.

1-11 Creating a List File

The Edge people created a process that backs up the system into a compressed file called config.tgz.  This file is uncompressed into the RAM drive each time the system is booted.

In order for our files to be saved to the floppy we have to create a list file.  In the /var/lib/config directory there is a group of files that tell the backup_config utility which files should be included in the compressed file; backup_config uses the contents of the list files to create the backup.  So all we have to do is create a list file containing the two files we need to save.  All I did was:

 

        echo sbin/ipfwd > /var/lib/config/ipfwd.list
        echo >> /var/lib/config/ipfwd.list
        echo etc/rc/rc2.d/S75ipfwd >> /var/lib/config/ipfwd.list
        echo >> /var/lib/config/ipfwd.list

 

The last thing we need to do is make sure that the files have the right owner and permissions.  I explain how this is done in 1-12 and 1-13.

1-12 Changing the Owner of the files

The next thing to do is make sure that the files have the correct owner and permissions.  To change the owner, run the chown command.  The syntax of the command is chown user.group filename.  Run the command below for both the ipfwd and the ipfwd.list files:

 

        chown root.root /sbin/ipfwd
        chown root.root /var/lib/config/ipfwd.list

The next thing we need to do is make sure the files have the correct rights.

1-13 Running chmod to change files

Now you have to make sure that the correct permissions are set.  We set the permissions with the chmod command.  Only the owner of a file can change its permissions.  The command uses octal notation, or you can use binary.  I will attempt to explain the octal syntax.  The permissions look like this:

 

        -rwxrwxrwx

 

You can see a repeating pattern of three rwx groups.  The r is for read permission, the w is for write, and the x is for execute permission.  The first set is for the owner, the second is for the group, and the third is for everyone else.  I have attached a grid to help you determine the correct octal notation.  Notice that where there is a 1 in the binary notation the corresponding permission is on, and where there is a 0 the corresponding permission is off.

    Octal   Binary   Perms
    0       000      ---
    1       001      --x
    2       010      -w-
    3       011      -wx
    4       100      r--
    5       101      r-x
    6       110      rw-
    7       111      rwx

 

So an example of permissions and syntax for chmod is:

 

        chmod 755 /sbin/ipfwd

 

This gives all permissions to the owner and read & execute to everyone else.

 

We also need to make sure that the ipfwd.list file has the correct permissions, but it only needs read and write for the owner and read for everyone else, so run the following:

 

        chmod 644 /var/lib/config/ipfwd.list

 

Now, there is only 1 more step to do and the whole thing is finished.  You need to run backup_config.
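The steps from 1-10 to 1-13 collected into one script, as an added example that is not part of the original document or the Edge software: it writes the startup script and the list file with the quoting the shell needs, converts the symbolic permissions from the grid above to octal, and checks the result.  ROOT, perms_to_octal and verify_ipfwd_startup are this example's own; the paths and the ipfwd command line are the ones used above, and making S75ipfwd executable is an assumption about how the rc runner invokes it.

```shell
#!/bin/sh
# Added example: steps 1-10 to 1-13 as one script. ROOT (default /) lets it be
# rehearsed in a scratch directory as an ordinary user; on the Edge box run it
# as root with ROOT=/ . Paths and the ipfwd command line are from the text.
ROOT=${ROOT:-/}

# Convert a symbolic string such as rwxr-xr-x to octal, exactly as the grid
# above does per triple: r = 4, w = 2, x = 1, summed for owner, group, other.
perms_to_octal() {
    out=''
    for triple in "$(printf '%s' "$1" | cut -c1-3)" \
                  "$(printf '%s' "$1" | cut -c4-6)" \
                  "$(printf '%s' "$1" | cut -c7-9)"; do
        d=0
        case $triple in r??) d=$((d + 4)) ;; esac
        case $triple in ?w?) d=$((d + 2)) ;; esac
        case $triple in ??x) d=$((d + 1)) ;; esac
        out="$out$d"
    done
    echo "$out"
}

# Write the rc2.d startup script and the backup_config list file, then set the
# owner and permissions from 1-12 and 1-13.
install_ipfwd_startup() {
    rc="$ROOT/etc/rc/rc2.d/S75ipfwd"
    lst="$ROOT/var/lib/config/ipfwd.list"
    mkdir -p "$(dirname "$rc")" "$(dirname "$lst")"
    # Quoting matters: unquoted, the shell reads # as a comment marker and &
    # as "run echo in the background", and neither line reaches the file.
    printf '%s\n' '#!/bin/sh' 'ipfwd --masq 192.168.1.2 47 &' > "$rc"
    printf '%s\n' 'sbin/ipfwd' 'etc/rc/rc2.d/S75ipfwd' > "$lst"
    # 755 for things that run (assumed for S75ipfwd: the rc runner executes it
    # directly), 644 for the list file, which is data.
    chmod "$(perms_to_octal rwxr-xr-x)" "$rc"
    [ -f "$ROOT/sbin/ipfwd" ] && chmod "$(perms_to_octal rwxr-xr-x)" "$ROOT/sbin/ipfwd"
    chmod "$(perms_to_octal rw-r--r--)" "$lst"
    # chown needs root; skip it when rehearsing as an ordinary user.
    [ "$(id -u)" -eq 0 ] && chown root.root "$rc" "$lst"
    return 0
}

# Check what install_ipfwd_startup produced, the way cat and ls -l would.
verify_ipfwd_startup() {
    rc="$ROOT/etc/rc/rc2.d/S75ipfwd"
    lst="$ROOT/var/lib/config/ipfwd.list"
    [ "$(head -n 1 "$rc")" = '#!/bin/sh' ] || return 1
    grep -qx 'ipfwd --masq 192.168.1.2 47 &' "$rc" || return 1
    [ -x "$rc" ] || return 1
    grep -qx 'sbin/ipfwd' "$lst" || return 1
    grep -qx 'etc/rc/rc2.d/S75ipfwd' "$lst" || return 1
    [ ! -x "$lst" ]
}

# Usage on the firewall (as root): install_ipfwd_startup && verify_ipfwd_startup
```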

 

 

1-14 Finishing up

Put your Edge diskette back in the disk drive and run backup_config; the system will back up all the changes you have made and include them in the config.tgz file.

 

Now you can create your PPTP server and give it the IP address 192.168.1.2.  Once this is done, an external person will be able to connect to your PPTP server using RAS.

All will be up and running.  Remember, this process can be used to add any program to the Edge box, and you can start the program automatically if you wish.

1-15 Microsoft’s PPTP Server links and notes

This link is for general information about PPTP

http://www.microsoft.com/TechNet/winnt/Winntas/technote/pptpwp.asp

 

The Best link is to a White Paper Microsoft wrote called Microsoft Windows NT Server  Installing, Configuring, and Using PPTP with Microsoft Clients and Servers.  Unfortunately I couldn’t find a link to this document.

 

This Link concerns How to Log on to a Windows NT Domain Using PPTP Connection

http://support.microsoft.com/support/kb/articles/Q176/5/75.ASP

 

This link is for the document called How to Join a Domain from a Windows NT Workstation Using RAS

http://support.microsoft.com/support/kb/articles/Q125/8/56.asp

 

This link is for the document called PPTP Registry Entries

http://support.microsoft.com/support/kb/articles/Q154/6/74.asp

 

A couple of things I have noticed:

I haven’t gone into much detail, since configuration of the PPTP server is outside the scope of this document.  These are just a few things I noticed that I thought were worth mentioning, to save you some grief.

 

When you are dialling the PPTP server from a remote LAN, use the IP address of the Edge box, not the IP address of the server behind it.  The PPTP control connection (TCP 1723) and the GRE traffic will be forwarded to the PPTP server.

 

You may find that you can connect to the PPTP server and be authenticated, but you can’t browse the Network Neighborhood.  The problem lies with resolving NetBIOS names to IP addresses.  You may want to consider running a WINS server.  You also have to make sure that the remote machine belongs to the local domain.

 

If you can’t connect using the NetBIOS name, try using the IP address instead.

 

If you are having problems connecting, make sure that the security authentication methods are the same on the clients as well as the Server.

 

One main problem people may find is that many cable systems only allow dynamic IP addresses.  This may cause a problem, as there is no guarantee that you will have the same IP address tomorrow.  If this is a problem you should look into Dynamic DNS, where you register your Fully Qualified Domain Name (FQDN) and the Dynamic DNS service resolves your domain name to your current dynamic IP address.  Here is a link to a site that ranks Dynamic DNS providers:

http://dns.highsynth.com/

2-1 Point Form

Point form version of how to add a PPTP server behind the Edge:

*      First obtain ipfwd from the following link:
       http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/

*      Edit portfw.txt on the floppy using Windows 95 and add the following line:
       1723         tcp    192.168.1.2        1723         # pptp forwarding to NT

*      Edit userin.txt on the floppy using Windows 95 and add the following:
       # PPTP (not tested)
       tcp    -d 0.0.0.0/0 1723

*      mkdir /floppy

*      mount -t vfat /dev/fd0 /floppy

*      cp /floppy/ipfwd /sbin

*      chown root.root /sbin/ipfwd

*      chmod 755 /sbin/ipfwd

*      rmdir /floppy

*      umount /dev/fd0

*      echo '#!/bin/sh' > /etc/rc2.d/S75ipfwd
       echo 'ipfwd --masq 192.168.1.2 47 &' >> /etc/rc2.d/S75ipfwd
       echo >> /etc/rc2.d/S75ipfwd

*      echo sbin/ipfwd > /var/lib/config/ipfwd.list
       echo >> /var/lib/config/ipfwd.list
       echo etc/rc2.d/S75ipfwd >> /var/lib/config/ipfwd.list
       echo >> /var/lib/config/ipfwd.list

*      backup_config