Aranym does not require a network, however having one can be terribly useful. How you configure your network depends on your host, network, and your plans for Aranym use. Buildds are required to have working email, web client access (for source and binary packages), ssh client access (for wanna-buildd), and nearly always have ssh server access (for remote admins).
Your host kernel requires CONFIG_TUN support. This is a module on current debian kernels, so you may need modprobe tun.
To verify tun is working.
$ cat /proc/misc 200 tun
Your aranym user needs permission to access /dev/net/tun.
$ ls -l /dev/net/tun crw-rw---- 1 root uml-net 10, 200 2008-06-16 18:35 /dev/net/tun
In this case the account needs to be added to the uml-net group.
usermod -G uml-net stephen
Bridging is fairly straightforward to setup and is the only solution that allows aranym to use dhcp for network configuration. It will also significantly alter how your host machine accesses the network. It will seem that br0 has replaced eth0 for such things as ifupdown and ifconfig.
Install bridge-utils. Be warned that aranym recommends ipmasq which messes with the default iptables rules and breaks bridging. Usually I purge ipmasq first thing. (I have removed ipmasq from recommended packages in version 0.9.8beta)
Here are some examples. You will want to change usernames and ip addresses appropriately. Both br0 and tap0 could take dhcp addresses, for instance.
iface eth0 inet manual auto tap0 iface tap0 inet manual tunctl_user stephen up ifconfig tap0 promisc arp 0.0.0.0 up auto br0 iface br0 inet static bridge_ports eth0 tap0 bridge_stp off bridge_maxwait 5 address 10.0.0.11 netmask 255.0.0.0 network 10.0.0.0 broadcast 10.255.255.255 gateway 10.0.0.1
The aranym config has this:
[ETH0] Type = bridge Tunnel = tap0 Mac = 52:54:00:12:01:01
Where Mac is whatever fake Mac address you want to use, which can be useful for dhcp, and you can skip otherwise.
Using a point-to-point configuration and some iptables, you can masquerade aranym behind any IP. This is a very common setup. Roman Zippel commented here that aratapif is little more than ifconfig. and recent kernels require net_admin capabilities. Since you need root anyway, why bother with aratapif.
auto tap0 iface tap0 inet static address 192.168.0.1 pointopoint 192.168.0.2 netmask 255.255.255.255 tunctl_user stephen up iptables -t nat -A POSTROUTING -s 192.168.0.2 -j MASQUERADE down iptables -t nat -D POSTROUTING -s 192.168.0.2 -j MASQUERADE
Bridge really just makes aranym not call aratapif, so the aranym config has this:
[ETH0] Type = bridge Tunnel = tap0
auto eth0 iface eth0 inet static address 192.168.0.2 pointopoint 192.168.0.1 netmask 255.255.255.255 gateway 192.168.0.1
You also need to enable forwarding on the host. echo 1 > /proc/sys/net/ipv4/ip_forward
So far this configuration has aranym only available from the host, not from the network. If you want aranym accessible from the network, you need to add the following to the tap0 stanza. This will make port 3000 on the host computer connect to port 22 of the aranym system.
up iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 192.168.0.2:22 down iptables -t nat -D PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 192.168.0.2:22
iface tap0 inet static address 192.168.3.133 netmask 255.255.255.255 tunctl_user roman uml_proxy_arp 192.168.3.134 uml_proxy_ether eth0
This creates a mini network within the local network. Then ip_forward in /etc/sysctl.conf has to be enabled, so that aranym sees the rest of the network.
The aranym config has this:
[ETH0] Type = ptp Tunnel = tap0 HostIP = 192.168.3.133 AtariIP = 192.168.3.134 Netmask = 255.255.255.252
Pick a free ip address from the local network for aranym.
If you are running behind a firewall of which you have control, you may wish to be able to access aranym's ssh from the internet. In that case you need to use port forwarding or DNAT.
If you're using shorewall you can use the following in rules.
DNAT net loc:10.0.0.17:22 tcp 4443
If you're using iptables you can use something like the following.
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE --dport 4443 -j DNAT --to-destination 10.0.0.17:22