Argos Honeypot Network Setup

1. Requirements

To set up the network for Argos you will need Ethernet bridging and the TUN/TAP driver enabled on your Linux box. This requires that you are running a suitably configured Linux kernel, and that you have the Ethernet bridge management utilities installed.

What you need is:

In the rare case that you only wish to enable outgoing connections from the argos guest, you could set up iptables and use NAT to forward connections from the guest OS to the Internet, but not the other way around. In this case you will not need the bridge utilities, but you will still need tun/tap support for your Linux kernel.

Linux kernel configuration

Enable the `Universal TUN/TAP device driver' option in your Linux kernel configuration. In 2.6 kernels it is located under Device Drivers--->Network Device Support.

Enable the `802.1d Ethernet Bridging' option in your Linux configuration. In 2.6 kernels it is located under Networking--->Networking Options.

If you would also like to firewall the Ethernet bridge there are some extra options available under Networking--->Networking Options--->Network packet filtering--->Bridge: Netfilter Configuration.

Now you will need to recompile your kernel + modules, and reboot with it.

Bridge utilities

Binary packages for bridge utilities are provided by most Linux distributions. If you are unlucky enough you will have to download the source from the link provided above and compile it yourself.

Network packet filtering and iptables

To use iptables you will need to enable network packet filtering in the Linux kernel, as well as have the iptables package installed on your system. To enable network packet filtering in 2.6 kernels, enable the options under Networking--->Networking Options--->Network Packet Filtering--->IP: Netfilter Configuration.
You will then need to recompile your kernel + modules.

Again, if you are unlucky enough and no iptables package is available for your system, you can get it from: http://www.netfilter.org/

2. Configuration

Argos set up

First copy the file `argos-ifup' found in the Argos source package into `/etc'. This shell script is run to configure every virtual network interface of Argos. The default script shown below uses sudo (run a program as root) to add the virtual interface ($1) to a default Ethernet bridge (br0). It then brings the virtual interface up.

argos-ifup:

#!/bin/sh
# $1 is the name of the tap interface that Argos passes to the script
sudo /sbin/brctl addif br0 "$1"
sudo /sbin/ifconfig "$1" 0.0.0.0 up

To enable a user to run the script using sudo and without providing a password, you can run visudo as root and add the following line:

username ALL=(ALL) NOPASSWD: /sbin/ifconfig, /sbin/brctl

If you do not have sudo installed, or just want to run Argos as root, simply remove sudo from the above script.
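A hardened version of the hook, added here as an example and not the argos-ifup shipped with Argos: it validates the interface name it is handed and confirms the bridge exists before running the privileged commands. It assumes the bridge is br0 and that Argos names its interfaces tapN; SYSFS_NET is a hypothetical override so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not the argos-ifup shipped with Argos: the same hook with
# precondition checks.  Argos passes the tap interface name as $1 and the
# script then runs privileged commands on it, so the name is validated and
# the bridge is confirmed to exist before anything is touched.  Assumes the
# bridge is br0; SYSFS_NET can be overridden to exercise the checks offline.
BRIDGE="br0"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Accept only interface names of the form tapN (N up to three digits).
valid_tap_name() {
    case "$1" in
        tap[0-9]|tap[0-9][0-9]|tap[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# ifup_preflight IFNAME BRIDGE: succeed only when IFNAME is a tap interface
# and BRIDGE exists as a bridge (bridge devices have a "bridge" directory
# under their sysfs node).
ifup_preflight() {
    valid_tap_name "$1" \
        || { echo "argos-ifup: refusing interface name '$1'" >&2; return 1; }
    [ -d "$SYSFS_NET/$2/bridge" ] \
        || { echo "argos-ifup: $2 is not an existing bridge" >&2; return 1; }
}

# Only act when Argos actually hands us an interface name.
if [ -n "$1" ]; then
    ifup_preflight "$1" "$BRIDGE" || exit 1
    sudo /sbin/brctl addif "$BRIDGE" "$1"
    sudo /sbin/ifconfig "$1" 0.0.0.0 up
fi
```

The sudoers entry above still lets the user run ifconfig and brctl with any arguments; the checks only keep the hook itself from acting on an unexpected name or a missing bridge.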

Host set up

Before starting Argos you need to have an Ethernet bridge up and running at the host. Every distribution has different specifics on setting up an Ethernet bridge at start-up. Manual configuration assuming your network interface is `eth0' can be done as follows (replace `XXX.XXX.XXX.XXX' with your own IP and `XXX.XXX.XXX.1' with your gateway):

ifconfig eth0 down
brctl addbr br0
brctl addif br0 eth0
ifconfig eth0 0.0.0.0 promisc up
ifconfig br0 XXX.XXX.XXX.XXX up
route add default gw XXX.XXX.XXX.1 dev br0

When using Ethernet bridging, eth0 (or whichever interface you use to access the Internet) can no longer be used directly. The bridge interface is used instead, as shown above.

In the same spirit, DHCP can also be used to configure br0.

More information on Ethernet bridging can be found here.

Host setup without bridging (iptables)

First replace the content of the `argos-ifup' script with the following:

#!/bin/sh
# $1 is the tap interface; the host side of the guest link gets 172.20.0.1
sudo /sbin/ifconfig "$1" 172.20.0.1 up

Running the following script as root will enable NAT and forwarding at the host so that the guest OS can access the Internet.

In the following shell script set variable EXTIF to the network interface that is used to access the network, and variable INTIF to the tun/tap interface (tap0 unless explicitly changed).

#!/bin/bash
# bash is required: the script relies on the non-POSIX `echo -e' and `echo -en'

PATH=/usr/sbin:/sbin:/usr/local/sbin

IPTABLES=iptables
MODPROBE=modprobe

EXTIF="eth1"
INTIF="tap0"

echo -en "ip_tables, "
$MODPROBE ip_tables


#Load the IPTABLES filtering module - "iptable_filter" 
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific 
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is 
#    enabled 
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
# 
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp


#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

# Just to be complete, here is a partial list of some of the other  
# IPTABLES kernel modules and their function.  Please note that most 
# of these modules (the ipt ones) are automatically loaded by the 
# master kernel module for proper operation and don't need to be 
# manually loaded.
# --------------------------------------------------------------------
#
#    ip_nat_snmp_basic - this module allows for proper NATing of some 
#                        SNMP traffic
#
#    iptable_mangle    - this target allows for packets to be 
#                        manipulated for things like the TCPMSS 
#                        option, etc.
#
# --
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     so many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped, 
#                     REJECTed, or LOGged.  This module automatically 
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be 
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns 
#                                  a configurable ICMP packet back to the 
#                                  sender.
# 

echo -e "   Done loading modules.\n"



#CRITICAL:  Enable IP forwarding, since it is disabled by default.
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  In this script the "internal network" is the Argos guest
#            behind the tun/tap interface $INTIF (tap0, host side
#            172.20.0.1, guest 172.20.0.2), and the Internet is reached
#            through the external interface $EXTIF (eth1).  Internal
#            traffic is MASQed out to the Internet, but traffic that the
#            guest did not initiate is not forwarded in.
#
#         ** Change EXTIF and INTIF above to match your setup.
#


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP (REJECT is not a valid policy)
#
#   Isn't ACCEPT insecure?  To some degree, YES, but this is our testing
#   phase.  Once we know that IPMASQ is working well, I recommend you run
#   the rc.firewall-*-stronger rulesets which set the defaults to DROP but
#   also include the critical additional rulesets to still let you connect to
#   the IPMASQ server, etc.
#
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-iptables done.\n"
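To verify that the host actually ends up with the policy the comments describe (guest may connect out, nothing unsolicited is forwarded in), the following added example, which is not part of Argos, audits a ruleset in iptables-save format. It assumes EXTIF/INTIF are eth1/tap0 as in the script above, and the two rulesets it checks are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example, not part of Argos: audit an iptables ruleset (as printed by
# `iptables-save') against the policy the script above implements, i.e. the
# guest may open connections out, but nothing unsolicited is forwarded in.
# EXTIF/INTIF are assumed to be eth1/tap0, as in that script.
EXTIF="eth1"
INTIF="tap0"

# Constructed sample of what iptables-save prints once the script has run.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap0 -o eth1 -j ACCEPT
-A FORWARD -j LOG
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# Constructed weak variant: the state match is gone, so anything from the
# Internet is forwarded to the guest.
WEAK_RULES=$(printf '%s\n' "$GOOD_RULES" | sed 's/ -m state --state [A-Z,]*//')

# check_nat_rules RULES IP_FORWARD_VALUE: return 0 when the ruleset matches
# the honeypot policy, 1 otherwise, reporting each failed check on stderr.
check_nat_rules() {
    rules=$1; fwd=$2; rc=0
    [ "$fwd" = "1" ] || { echo "ip_forward is not enabled" >&2; rc=1; }
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP ' \
        || { echo "FORWARD policy is not DROP" >&2; rc=1; }
    # Every EXTIF->INTIF ACCEPT must be limited to RELATED/ESTABLISHED.
    printf '%s\n' "$rules" | grep -- "^-A FORWARD -i $EXTIF -o $INTIF .*-j ACCEPT" \
        | grep -E -v -- '--state (RELATED|ESTABLISHED)(,(RELATED|ESTABLISHED))? ' \
        | grep -q . && { echo "unsolicited $EXTIF->$INTIF traffic accepted" >&2; rc=1; }
    printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT" \
        || { echo "guest cannot open outbound connections" >&2; rc=1; }
    printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING -o $EXTIF -j MASQUERADE" \
        || { echo "no MASQUERADE on $EXTIF" >&2; rc=1; }
    return $rc
}

# On a live host: check_nat_rules "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"
check_nat_rules "$GOOD_RULES" 1 && echo "sample ruleset: OK"
check_nat_rules "$WEAK_RULES" 1 || echo "weak ruleset: rejected as expected"
```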

Guest set up

Configure the guest OS as you would normally do. You can use either DHCP or a static IP address.

Note that if you use iptables rather than bridging you should statically assign the IP address 172.20.0.2 (it has to correspond with the address used in `argos-ifup').

The MAC address of the virtual interface used by the guest is fixed. If you need to change it you can do that by supplying `-net nic,macaddr=00:11:22:33:44:55 -net tap' when running argos.

If you wish to have more than one interface you will have to run argos with the following options for each virtual interface: `-net nic -net tap'.

September 2006, Georgios Portokalidis