john@email.johncon.com
http://www.johncon.com/john/

Knoppix and Coyote Linux Cookbook






I've used Linux since 1994, starting with Slackware 2, with a long stint on Debian 2, and currently Knoppix 3.6 (along with a few instances of Coyote Linux 2, and FreeBSD 4 and 5).


Need a router/gateway that does network address translation (NAT) and stateful firewalling? Coyote Linux works very well for that, with minuscule hardware requirements (I run it on a decade-old Pentium 90 with 16 MB of memory, a floppy drive and two Netgear FA310TX NIC cards, at a cost of about $9.00 US each; no hard disk or CDROM drive). You can download the floppy disk image, coyote-2.16.tar.gz, from their download page. Here is the Coyote Linux configuration that I use for Comcast's High Speed Internet connection:

  1. gunzip coyote-2.16.tar.gz
  2. tar xvf coyote-2.16.tar
  3. cd coyote
    1. makefloppy.sh
      1. 1.44 MB, 1
      2. standard ethernet connection
      3. change IP settings for the local network, y
        1. local IP address, 10.7.2.1
        2. local netmask, 255.255.255.0
        3. local broadcast, 10.7.2.255
        4. local network number, 10.7.2.0
      4. internet connection is via DHCP, y
        1. no DHCP hostname, Enter
      5. do not install Big Pond software, n
      6. enable the Coyote DHCP server, y
        1. DHCP starting range, 10.7.2.16
        2. DHCP ending range, 10.7.2.31
      7. don't configure DMZ, n
      8. module name for local network card, tulip
      9. no IO address, Enter
      10. no IRQ address, Enter
      11. module name for internet network card, tulip
      12. no IO address, Enter
      13. no IRQ address, Enter
      14. english is fine, n
      15. no syslog server address, Enter
      16. no other copy of this disk, n

Eth1 connects to the cable modem (an inexpensive Terayon TJ 715X Cable Modem in my case), and eth0 connects to the local area network (LAN). Multiple computers on the LAN can connect to the Internet simultaneously, through inexpensive hubs and switches that are available at any electronics superstore.

Start the router by booting the machine with the Coyote Linux diskette in the A: drive. The router/firewall is configured via a browser pointed at 10.7.2.1:8180:

  1. DHCP Configuration:
    1. Enable Coyote DNS Cache, yes
    2. Enable Coyote DHCP Server, yes
    3. Submit
  2. Administrative Configs:
    1. Host Name, make up a name (letters only) for your gateway
    2. Domain Name, your domain name, or your ISP's
    3. change the time zone, PST8PDT
    4. Remote Time Server, www.clock.org
    5. disable external SSH access
    6. Submit
  3. System Password
    1. type the password
    2. type the password, again
  4. Configuration Files:
    1. Local Hosts:
      1. add the other host names/IP addresses on your network
      2. OK
  5. Backup Now
  6. Reboot

It's a very adequate, and secure, stateful firewall, gateway, router, and network address translator for connecting a SOHO or small business network to the Internet; it also provides DHCP (Dynamic Host Configuration Protocol) and DNS (Domain Name Service) to the computers on the local area network (LAN). The LAN uses the private network address space (see RFC1918 for particulars; it's a formidable security concept).

The router/gateway can be used to register Comcast's High Speed Internet service, too. Knoppix makes a great workstation. You can download an image of the Knoppix CDROM (or purchase it; it's about $10 US) from the Knoppix site. It's a live CD, meaning that you do not have to install it (you can, and I do, but you don't have to); you put the CD in the drive of a PC, boot it, and Knoppix runs entirely off the CD. It also automatically configures itself with the Coyote router/gateway. After a minute or two to boot, it's on the Internet. To register the cable modem with Comcast (with the Knoppix computer connected to the Coyote computer's eth0 RJ45, and the Coyote's eth1 RJ45 connected to the cable modem):

  1. execute Mozilla, (there is an icon for it on the KDE panel, or use the menus):
    1. Edit->Preferences->Advanced->Proxies
      1. select Manual Proxy Configuration
      2. 5 times, enter IP address 12.242.17.8, port 8000
      3. No Proxy For, enter the two IP addresses, 12.242.17.8 and 12.242.17.9
    2. go to https://12.242.17.8
      1. certificate is ok, OK
      2. encrypted page, OK
      3. register, Next
      4. and continue on with the Comcast registration

The Mozilla configuration sequence is probably quite similar under other operating systems supported by Mozilla.

Should it become necessary to release the DHCP IP address assigned by Comcast to the Coyote system, log into the Coyote system as root, use the ps(1) command to find the PID of the udhcpc program, then send udhcpc a HUP signal with the kill(1) program:

  1. ps eax
  2. kill -1 <PID>

and reboot the Coyote system. (Comcast maintains tables of the cable modem and NIC card pairs attached to their cable system. If, for example, the NIC card in the Coyote system is changed, Comcast's tables would be out of date. This command sequence tells Comcast's equipment to update its table for the cable modem/NIC card pair. Dropped connectivity when the DHCP IP lease expires is the symptom of out-of-date tables.)

As an added note, Knoppix Linux requires no configuration when used with the Comcast service: the CDROM boots and auto-configures the computer for Internet access, all automatically.

A computer running from a live CDROM is modestly secure, since there is no place to write vandal-ware, as long as the computer is not left online unattended and is rebooted frequently. The default action for a port with no listener on Knoppix is a REJECT, since no firewall is running, and ports 68, 135, 136, 137, 138, 139 and 445 are open for DHCP (Dynamic Host Configuration Protocol) auto-configuration. A possible solution is an iptables firewall script, perhaps from a floppy, which is highly recommended; the iptables firewall script below can be modified for DHCP to enhance security significantly.
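The firewall script the author refers to is not reproduced on this page. As an added example (not the author's script), here is a minimal stateful iptables ruleset for a Knoppix workstation behind the Coyote router, emitted in iptables-restore(8) format so it can be reviewed before it is loaded; it assumes the LAN interface is eth0 and the 10.7.2.0/24 network from the Coyote configuration above.

```shell
#!/bin/sh
# Added example, not the author's script: a stateful iptables ruleset for a
# Knoppix live-CD workstation sitting behind the Coyote router.
# Assumptions: the LAN interface is eth0 and the LAN is 10.7.2.0/24 (the
# addresses used in the Coyote configuration above).
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.7.2.0/24}"

# Print the ruleset in iptables-restore(8) format (review it before loading).
knoppix_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this workstation opened itself.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP: the Coyote server answers from UDP 67 to the client's UDP 68; this
# is the only unsolicited inbound traffic the live CD needs for auto-config.
-A INPUT -i $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
# Allow ping from the LAN only, so the gateway can still reach us.
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# Explicitly close the NetBIOS/SMB ports listed above (they are not needed).
-A INPUT -p tcp -m multiport --dports 135,136,137,138,139,445 -j DROP
-A INPUT -p udp -m multiport --dports 135,136,137,138,139,445 -j DROP
# Everything else is logged (rate limited) and then hits the DROP policy,
# so a scanner gets silence rather than the default REJECT.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "knoppix-fw: "
COMMIT
EOF
}

# Load the ruleset into the kernel; this part must run as root.
apply_rules() {
    knoppix_rules | iptables-restore
}

# "sh firewall.sh" only prints the rules; "sh firewall.sh apply" loads them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    knoppix_rules
fi
```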

However, running Knoppix Linux system(s) (possibly with their own firewall script) behind a Coyote Linux firewall/NAT/router is the preferred solution, and significantly enhances LAN/computer security.

As a side bar, the Knoppix distribution contains xawtv, which allows television to be viewed on a PC. "Refurbished" Hauppauge WinTV-GO PCI television tuner cards are available for under $20 US, street price, and can use ~/.xawtv as a suitable configuration file for Comcast's Western US cable TV distribution.


Here is the Coyote Linux configuration, with a US Robotics V.92 modem on COM port 1, that I use for a backup/emergency dial-up connection to the Internet; dial-up connections need security, too:

  1. gunzip coyote-2.16.tar.gz
  2. tar xvf coyote-2.16.tar
  3. cd coyote
    1. makefloppy.sh
      1. 1.44 MB, 1
      2. ppp dialup connection, 3
      3. change the IP settings, y
        1. local IP address, 10.7.2.1
        2. local netmask, 255.255.255.0
        3. local broadcast, 10.7.2.255
        4. local network number, 10.7.2.0
      4. do not enable demand dial, n
      5. ISP did not assign a static IP address, n
      6. setting for local PPP interface address, 10.7.2.2
      7. tty device name for modem, ttyS0
      8. ttyS0's port speed, 38400
      9. modem init string, 'AT&F1S2=255S7=90S13=1S19=90&A0&D2&S1E1M0'
      10. name of ISP, isp
      11. number to dial, xxxxxxx
      12. user name, xxxxxxx
      13. password, xxxxxxx
      14. do not login during chat, n
      15. enable the Coyote DHCP server, y
        1. DHCP starting range, 10.7.2.16
        2. DHCP ending range, 10.7.2.31
      16. don't configure DMZ, n
      17. domain name, your domain name, or your ISP's
      18. DNS server 1, xxx.xxx.xxx.xxx
      19. DNS server 2, xxx.xxx.xxx.xxx
      20. syslog server address, Enter key
      21. module name for local network card, tulip
      22. IP address, Enter key
      23. IRQ address, Enter key
      24. english is fine, n

Start the router by booting the machine with the Coyote Linux diskette in the A: drive. The router/firewall is configured via a browser pointed at 10.7.2.1:8180:

  1. Internet Configuration:
    1. modem init string is, 'AT&F1S2=255S7=90S13=1S19=90&A0&D2&S1E1M0'
    2. Submit
  2. DHCP Configuration:
    1. Enable Coyote DNS Cache, yes
    2. Enable Coyote DHCP Server, yes
    3. Submit
  3. Administrative Configs:
    1. Host Name, make up a name (letters only) for your gateway
    2. Domain Name, your domain name, or your ISP's
    3. change the time zone, PST8PDT
    4. Remote Time Server, www.clock.org
    5. disable external SSH access
    6. Submit
  4. System Password
    1. type the password
    2. type the password, again
  5. Configuration Files:
    1. Local Hosts:
      1. add the other host names/IP addresses on your network
      2. OK
    2. PPP Options:
      1. cut and paste from /etc/ppp/options
      2. OK
    3. PPP ISP Chat:
      1. cut and paste from /etc/chatscripts/
      2. OK
    4. PPP Peer Configuration:
      1. cut and paste from /etc/ppp/peers/
      2. OK
    5. PAP Secrets:
      1. cut and paste from /etc/ppp/pap-secrets
      2. OK
    6. Coyote Main Configuration File:
      1. PPP_CONFIG_OTF='NO'
      2. OK
  6. Backup Now
  7. Reboot

I use iptables for the firewall on my personal workstation(s), which run Knoppix 3.6; iptables comes standard with Linux (Knoppix is a variant of Debian Linux). The iptables firewall script I use can be tested by putting another PC on the local area network (LAN) and booting it to Knoppix with the following configuration:

  1. boot to the Knoppix 3.6 CDROM
    1. boot: knoppix lang=us nodhcp
  2. Kmenu->KNOPPIX->Network-Internet->Network Card Configuration
    1. Do not use DHCP broadcast, No
    2. IP Address, 61.1.2.3, OK, (61.0.0.0 is in the APNIC address space)
    3. Network Mask, 255.255.255.0, OK
    4. Broadcast Address for eth0, 61.1.2.255, OK
    5. Default Gateway, 61.1.2.3, OK
    6. Name Server, 10.7.2.1, OK

The local area network (LAN) now looks as if it has been "penetrated" by a "rogue" machine in the APNIC address space, and the nmap program can be used to scan the ports of any machine on the LAN. It's a useful procedure for testing firewall rules that will be distributed to all machines on the LAN. (If the "rogue" machine does not have the nmap program, download it from the nmap site and compile it, probably making a floppy with the nmap data directory from /usr/local/share/nmap/, the program, etc., for documentation and replication purposes.)

The command lines to use are:

  1. nmap --datadir ./nmap.data -v -v -sS -sV -P0 -T Polite -p list address
  2. nmap --datadir ./nmap.data -v -v -sT -sV -P0 -T Polite -p list address
  3. nmap --datadir ./nmap.data -v -v -sU -sV -P0 -T Polite -p list address
  4. nmap --datadir ./nmap.data -v -v -sF -sV -P0 -T Polite -p list address
  5. nmap --datadir ./nmap.data -v -v -sX -sV -P0 -T Polite -p list address
  6. nmap --datadir ./nmap.data -v -v -sN -sV -P0 -T Polite -p list address

where list is the list of ports to scan on the target machine, and address is that machine's IP address.

Note that a formidable security/QA procedure would require the use of Ethereal or Snort on the target machine to verify its responses (or, more correctly, the lack thereof) to the "rogue" machine's scan, in order to validate the target machine's iptables firewall rules. The only response should be a reply to the Address Resolution Protocol (ARP) requests from the "rogue" machine (and if the target machine sits behind a Coyote Linux router/NAT/firewall, the "rogue" machine won't even get that).
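As an added example (not from the original page), the "only ARP may answer" criterion turned into a check that runs on the target machine: a tcpdump(8) filter for anything the target sends to the "rogue" address other than ARP, plus a counter over tcpdump's text output, exercised here on a constructed capture. It assumes tcpdump and timeout(1) are installed on the target, and uses the 61.1.2.3 "rogue" address from the test setup above; the 10.7.2.5 target address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: verify on the target machine
# that nothing but ARP goes back to the scanning "rogue" host.
# Assumes tcpdump(8) and timeout(1) are available on the target; the
# addresses below are placeholders (61.1.2.3 is the "rogue" used above).

# BPF filter: every packet the target sends to the rogue host, except ARP.
leak_filter() {
    printf 'src host %s and dst host %s and not arp' "$1" "$2"
}

# Count tcpdump -n text lines that are IP packets from target ($1) to
# rogue ($2). Reads tcpdump output on stdin, so it works on live output or
# on "tcpdump -n -r capture.pcap". Handles both "host.port" (TCP/UDP) and
# bare "host" (ICMP) forms of tcpdump's source/destination fields.
count_leaks() {
    awk -v t="$1" -v r="$2" '
        $2 == "IP" && ($3 == t || index($3, t ".") == 1) \
                   && ($5 == r ":" || index($5, r ".") == 1) { n++ }
        END { print n + 0 }'
}

# Live check: capture on interface $3 for $4 seconds (default 60) while the
# rogue machine runs its nmap scans; prints the number of leaked replies.
verify_live() {
    timeout "${4:-60}" tcpdump -nn -l -i "$3" "$(leak_filter "$1" "$2")" \
        | count_leaks "$1" "$2"
}

# Constructed sample of tcpdump -n output: the ARP exchange is fine, but the
# RST on port 22 and the ICMP echo reply both reveal the target to the rogue.
sample_capture() {
    cat <<'EOF'
12:00:01.000000 arp who-has 10.7.2.5 tell 61.1.2.3
12:00:01.000100 arp reply 10.7.2.5 is-at 00:a0:cc:12:34:56
12:00:02.000000 IP 61.1.2.3.40000 > 10.7.2.5.22: S 1:1(0) win 1024
12:00:02.000200 IP 10.7.2.5.22 > 61.1.2.3.40000: R 0:0(0) ack 2 win 0
12:00:03.000000 IP 61.1.2.3.40001 > 10.7.2.5.80: S 2:2(0) win 1024
12:00:04.000000 IP 10.7.2.5 > 61.1.2.3: ICMP echo reply, id 1, seq 1, length 64
EOF
}

# Running the check on the sample reports 2 leaked replies; a correctly
# firewalled target reports 0.
sample_capture | count_leaks 10.7.2.5 61.1.2.3
```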


The live CD/floppy concept has many potential IT uses in the enterprise. The Knoppix master CD can be remastered for custom information appliances. For specifics, see the Knoppix Remastering HOWTO. It's a formidable task. However, the drudgery can be automated. There are two scripts, startremaster and finishremaster, that can be used to remaster a custom Knoppix distribution. All they do is load the Knoppix CD onto a hard disk, giving access to the source of the Knoppix distribution where modifications can be made; then a new CD image is created, which is burned to a CD. Be very careful, and do not use a production machine for the remastering; a lot can go wrong (it should probably be a machine with Knoppix installed on the hard disk, since it only takes 12 minutes to re-install Knoppix). The documentation on using the scripts is in the script file headers.


A license is hereby granted to reproduce this design for personal, non-commercial use.

THIS DESIGN IS PROVIDED "AS IS". THE AUTHOR PROVIDES NO WARRANTIES WHATSOEVER, EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, OR FITNESS FOR ANY PARTICULAR PURPOSE. THE AUTHOR DOES NOT WARRANT THAT USE OF THIS DESIGN DOES NOT INFRINGE THE INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY IN ANY COUNTRY.

So there.

Copyright © 1992-2005, John Conover, All Rights Reserved.

Comments and/or problem reports should be addressed to:

john@email.johncon.com

http://www.johncon.com/john/
http://www.johncon.com/ntropix/
http://www.johncon.com/ndustrix/
http://www.johncon.com/nformatix/
http://www.johncon.com/ndex/





Last modified: Thu Oct 13 13:11:40 PDT 2005 $Id: index.html,v 1.0 2005/10/13 20:12:08 conover Exp $