The disciplines available are listed in Table 7.1. A special pseudo-discipline is available called adaptive, which causes the kernel to automatically detect which type of SLIP encapsulation is being used by the remote end.
Table 7.1: Linux Slip-Line Disciplines

| Discipline | Description |
|---|---|
| slip | Traditional SLIP encapsulation. |
| cslip | SLIP encapsulation with Van Jacobson header compression. |
| slip6 | SLIP encapsulation with six-bit encoding. The encoding method is similar to that used by the uuencode command, and causes the SLIP datagram to be converted into printable ASCII characters. This conversion is useful when you do not have a serial link that is eight bit clean. |
| cslip6 | SLIP encapsulation with Van Jacobson header compression and six-bit encoding. |
| adaptive | This is not a real line discipline; instead, it causes the kernel to attempt to identify the line discipline being used by the remote machine and to match it. |

Note that you must use the same encapsulation as your peer. For example, if cowslip uses CSLIP, you also have to do so. If your SLIP connection doesn't work, the first thing you should do is ensure that both ends of the link agree on whether to use header compression or not. If you are unsure what the remote end is using, try configuring your host for adaptive slip. The kernel might figure out the right type for you.
slattach lets you enable not only SLIP, but other protocols that use the serial line, like PPP or KISS (another protocol used by ham radio people). Doing this is not common, though, and there are better tools available to support these protocols. For details, please refer to the slattach(8) manual page.
After turning over the line to the SLIP driver, you must configure the network interface. Again, you do this using the standard ifconfig and route commands. Assume that we have dialed up a server named cowslip from vlager. On vlager you would execute:
# ifconfig sl0 vlager-slip pointopoint cowslip
# route add cowslip
# route add default gw cowslip
The first command configures the interface as a point-to-point link to cowslip, while the second and third add the route to cowslip and the default route, using cowslip as a gateway.
Two things are worth noting about the ifconfig invocation: The pointopoint option that specifies the address of the remote end of a point-to-point link and our use of vlager-slip as the address of the local SLIP interface.
We have mentioned that you can use the same address you assigned to vlager's Ethernet interface for your SLIP link, as well. In this case, vlager-slip might just be another alias for address 172.16.1.1. However, it is also possible that you have to use an entirely different address for your SLIP link. One such case is when your network uses an unregistered IP network address, as the Brewery does. We will return to this scenario in greater detail in the next section.
For the remainder of this chapter we will always use vlager-slip to refer to the address of the local SLIP interface.
When taking down the SLIP link, you should first remove all routes through cowslip using route with the del option, then take the interface down, and send slattach the hangup signal. Then you must hang up the modem using your terminal program again:
# route del default
# route del cowslip
# ifconfig sl0 down
# kill -HUP 516
Note that the 516 should be replaced with the process id (as shown in the output of ps ax) of the slattach command controlling the slip device you wish to take down.
Dealing with Private IP Networks
You will remember from Chapter 5, Configuring TCP/IP Networking, that the Virtual Brewery has an Ethernet-based IP network using unregistered network numbers that are reserved for internal use only. Packets to or from one of these networks are not routed on the Internet; if we were to have vlager dial into cowslip and act as a router for the Virtual Brewery network, hosts within the Brewery's network could not talk to real Internet hosts directly because their packets would be dropped silently by the first major router.
To work around this dilemma, we will configure vlager to act as a kind of launch pad for accessing Internet services. To the outside world, it will present itself as a normal SLIP-connected Internet host with a registered IP address (probably assigned by the network provider running cowslip). Anyone logged in to vlager can use text-based programs like ftp, telnet, or even lynx to make use of the Internet. Anyone on the Virtual Brewery LAN can therefore telnet and log in to vlager and use the programs there. For some applications, there may be solutions that avoid logging in to vlager. For WWW users, for example, we could run a so-called proxy server on vlager, which would relay all requests from your users to their respective servers.
Having to log in to vlager to make use of the Internet is a little clumsy. But apart from eliminating the paperwork (and cost) of registering an IP network, it has the added benefit of going along well with a firewall setup. Firewalls are dedicated hosts used to provide limited Internet access to users on your local network without exposing the internal hosts to network attacks from the outside world. Simple firewall configuration is covered in more detail in Chapter 9, TCP/IP Firewall. In Chapter 11, IP Masquerade and Network Address Translation, we'll discuss a Linux feature called "IP masquerade" that provides a powerful alternative to proxy servers.
Assume that the Brewery has been assigned the IP address 192.168.5.74 for SLIP access. All you have to do to realize the setup discussed above is to enter this address into your /etc/hosts file, naming it vlager-slip. The procedure for bringing up the SLIP link itself remains unchanged.
Now that was rather simple. Nevertheless, you might want to automate the steps previously described. It would be much better to have a simple command that performs all the steps necessary to open the serial device, cause the modem to dial the provider, log in, enable the SLIP line discipline, and configure the network interface. This is what the dip command is for.
dip means Dialup IP. It was written by Fred van Kempen and has been patched very heavily by a number of people. Today there is one strain that is used by almost everyone: Version dip337p-uri, which is included with most modern Linux distributions, or is available from the metalab.unc.edu FTP archive.
dip provides an interpreter for a simple scripting language that can handle the modem for you, convert the line to SLIP mode, and configure the interfaces. The script language is powerful enough to suit most configurations.
To be able to configure the SLIP interface, dip requires root privilege. It would now be tempting to make dip setuid to root so that all users can dial up some SLIP server without having to give them root access. This is very dangerous, though, because setting up bogus interfaces and default routes with dip may disrupt routing on your network. Even worse, this action would give your users power to connect to any SLIP server and launch dangerous attacks on your network. If you want to allow your users to fire up a SLIP connection, write small wrapper programs for each prospective SLIP server and have these wrappers invoke dip with the specific script that establishes the connection. Carefully written wrapper programs can then safely be made setuid to root. [44]

[44] diplogin must be run as setuid to root, too. See the section at the end of this chapter.
An alternative, more flexible approach is to give trusted users root access to dip using a program like sudo.