Differences between revisions 10 and 11
Revision 10 as of 2008-06-17 00:20:13
Size: 3771
Editor: ?smarenka
Comment:
Revision 11 as of 2008-06-17 00:37:24
Size: 4371
Editor: ?smarenka
Comment:
Line 9: Line 9:
 * [#portforward Port Forwarding]
Line 124: Line 125:


[[Anchor(portforward)]]
= Port Forwarding =

If you are running behind a firewall of which you have control, you may wish to be able to access aranym's ssh from the internet. In that case you need to use port forwarding or DNAT.

If you're using {{{shorewall}}} you can use the following in {{{rules}}}.

{{{DNAT net loc:10.0.0.17:22 tcp 4443}}}

If you're using {{{iptables}}} you can use something like the following.

{{{$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE --dport 4443 -j DNAT --to-destination 10.0.0.17:22}}}
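Review bot: the iptables example at the end of this section only adds the PREROUTING DNAT rule. After the rewrite the packets to 10.0.0.17:22 still pass through the FORWARD chain, so on a firewall with a restrictive FORWARD policy the forward will not work until a matching accept rule exists. The text should say so. Since the stated goal is reaching aranym's ssh from the internet, it is also worth noting that neither the shorewall rule nor the iptables rule limits the source address, and that a source match can be added when the admins' networks are known.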

Aranym does not require a network; however, having one can be terribly useful. How you configure your network depends on your host, your network, and your plans for Aranym use. Buildds are required to have working email, web client access (for source and binary packages), ssh client access (for wanna-buildd), and nearly always have ssh server access (for remote admins).

  • [#tun tun]
  • [#bridge Bridging]
  • [#ptp Point-to-Point]
  • [#mini Mini-Network]
  • [#portforward Port Forwarding]


Tun

Your host kernel requires CONFIG_TUN support. This is a module on current Debian kernels, so you may need to run modprobe tun.

To verify tun is working:

{{{
$ cat /proc/misc
200 tun
}}}

Your aranym user needs permission to access /dev/net/tun.

{{{
$ ls -l /dev/net/tun
crw-rw---- 1 root uml-net 10, 200 2008-06-16 18:35 /dev/net/tun
}}}

In this case the account needs to be added to the uml-net group.

{{{
# -a appends; without it, -G replaces all of the user's other supplementary groups
usermod -a -G uml-net stephen
}}}


Bridging

Bridging is fairly straightforward to set up and is the only solution that allows aranym to use DHCP for network configuration. It will also significantly alter how your host machine accesses the network. It will seem that br0 has replaced eth0 for such things as ifupdown and ifconfig.

Install bridge-utils. Be warned that aranym recommends ipmasq which messes with the default iptables rules and breaks bridging. Usually I purge ipmasq first thing.

Here are some examples. You will want to change usernames and IP addresses appropriately. Both br0 and tap0 could take DHCP addresses, for instance.

/etc/network/interfaces:

{{{
iface eth0 inet manual

auto tap0
iface tap0 inet manual
    tunctl_user stephen
    up ifconfig tap0 promisc arp 0.0.0.0 up

auto br0
iface br0 inet static
    bridge_ports eth0 tap0
    bridge_stp off
    bridge_maxwait 5
    address 10.0.0.11
    netmask 255.0.0.0
    network 10.0.0.0
    broadcast 10.255.255.255
    gateway 10.0.0.1
}}}

The aranym config has this:

{{{
[ETH0]
Type = bridge
Tunnel = tap0
Mac = 52:54:00:12:01:01
}}}

Mac is whatever fake MAC address you want to use. It can be useful for DHCP, and you can skip it otherwise.


Point-to-Point

Using a point-to-point configuration and some iptables, you can masquerade aranym behind any IP. This is a very common setup.

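{{{
# Create tap0 owned by the aranym user, then configure the point-to-point link.
sudo tunctl -t tap0 -u smarenka
sudo aratapif tap0 192.168.0.1 192.168.0.2 255.255.255.0 1500
# Remove any earlier copy of the rule (errors ignored), then add it once.
sudo iptables -t nat -D POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE > /dev/null 2>&1
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
}}}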

The aranym config has this:

{{{
[ETH0]
Type = ptp
Tunnel = tap0
HostIP = 192.168.0.1
AtariIP = 192.168.0.2
Netmask = 255.255.255.0
}}}


Mini-Network

Roman Zippel contributed a really interesting setup in http://lists.debian.org/debian-68k/2008/02/msg00160.html. Aranym can only see the local network, so you'll probably need a proxy and/or some port forwarding depending on your uses.

Install uml-utilities.

/etc/network/interfaces:

{{{
iface tap0 inet static
    address 192.168.3.133
    netmask 255.255.255.252
    tunctl_user roman
    uml_proxy_arp 192.168.3.134
    uml_proxy_ether eth0
}}}

This creates a mini network within the local network. Then ip_forward in /etc/sysctl.conf has to be enabled, so that aranym sees the rest of the network.

The aranym config has this:

{{{
[ETH0]
Type = ptp
Tunnel = tap0
HostIP = 192.168.3.133
AtariIP = 192.168.3.134
Netmask = 255.255.255.252
}}}


Port Forwarding

If you are running behind a firewall of which you have control, you may wish to be able to access aranym's ssh from the internet. In that case you need to use port forwarding or DNAT.

If you're using shorewall you can use the following in rules.

{{{
DNAT    net     loc:10.0.0.17:22        tcp     4443
}}}

If you're using iptables you can use something like the following.

{{{
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE --dport 4443 -j DNAT --to-destination 10.0.0.17:22
}}}
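
The following is an added example, not part of the original wiki page. It validates the parameters of the ssh forward described above and prints (without applying) the DNAT rule together with the FORWARD accept rule that a restrictive firewall also needs, optionally limited to one source network. The function names and the 203.0.113.0/24 source are assumptions made up for the example; it also assumes the firewall already accepts ESTABLISHED,RELATED traffic in FORWARD.

```shell
# Added example: prints (does not apply) the rules for the ssh forward above.
# Function names and the optional source restriction are assumptions.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # dotted quad, octets 0-255, optional /prefix 0-32
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        pfx=${1#*/}
        case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#pfx}" -le 2 ] && [ "$pfx" -le 32 ] || return 1
    fi
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: portforward_rules IFACE EXT_PORT DEST_IP DEST_PORT [ALLOWED_SRC]
portforward_rules() {
    iface=$1; ext_port=$2; dest_ip=$3; dest_port=$4; src=${5:-}
    case "$iface" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 2 ;;
    esac
    valid_port "$ext_port" && valid_port "$dest_port" ||
        { echo "bad port" >&2; return 2; }
    case "$dest_ip" in */*) echo "destination must be one host" >&2; return 2 ;; esac
    valid_ipv4 "$dest_ip" || { echo "bad destination" >&2; return 2; }
    src_match=
    if [ -n "$src" ]; then
        valid_ipv4 "$src" || { echo "bad source" >&2; return 2; }
        src_match=" -s $src"
    fi
    # DNAT rewrites the destination before routing (the rule from the page).
    echo "iptables -t nat -A PREROUTING -p tcp -i $iface$src_match --dport $ext_port -j DNAT --to-destination $dest_ip:$dest_port"
    # After DNAT the packet crosses FORWARD with the rewritten address and port.
    echo "iptables -A FORWARD -p tcp -i $iface$src_match -d $dest_ip --dport $dest_port -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed sample call: forward 4443 to aranym's ssh for one network only.
portforward_rules eth0 4443 10.0.0.17 22 203.0.113.0/24
```

Review the printed commands and then run them as root; leaving out the last argument reproduces the unrestricted rule from the page.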