Niggy (m)
@chxta, I use Fedora Core 4, which is .rpm based. Your Ubuntu is .deb. I don't know any trick to get around the dependency problem in .deb, but for my Fedora Core 4 I will do
rpm -Uvh --nodeps <package_name.rpm>
This is not really advisable, but it worked for my gcc+ installation when it was complaining about deps.

Niggy (m)
iptables here I come! I love iptables because I think it's the most important part of Linux security. I love Linux netfiltering/firewall because you can specifically tell it what to do exactly. I mean you can inspect packets based on their source, type and destination without any depreciation in your system performance. Whao menn! I love Linux.
So I will try to share my understanding of iptables. There are two ways to start your policy for iptables:
1. everything is denied.
2. everything is allowed.
Everything is denied means all packets are denied by default, so only packets specified are allowed. This is the best policy. Everything is allowed means every packet is allowed into your network by default and only things you've specified are denied (not too good).
My g/f just walked in.... brb

Niggy (m)
A very good thing again is to be able to read or interpret iptables messages. E.g. to save your config you'll do
iptables-save > /etc/sysconfig/iptables
If you just issue the iptables-save command without forwarding it as I did, iptables will still save your config in the default directory, which is /etc/sysconfig/iptables.
But I like directing my iptables-save to a text file in my home directory, like this:
iptables-save > /home/niggy/ipsave
and I like viewing it like this:
cat /home/niggy/ipsave | less
Then I can view and read the rules and policies written by my iptables. Mind you, I've issued a pipe command here with the less argument.
It is not advisable to do iptables-save unless you are sure your configuration is working fine.
Now back to the beginning of iptables. I'm assuming you've iptables installed, not ipchains, which is no more in use.
So first start your iptables by doing
chkconfig iptables on
or
chkconfig --level 2345 iptables on
You can check if iptables is running by doing
chkconfig --list iptables | grep iptables
Your output is in columns and rows: the columns are the run-levels and the rows are the services (daemons) running on your system. For iptables, run-levels 2345 must be on.
Now start iptables by doing
/etc/init.d/iptables start
Other options are stop or restart. Your iptables should start successfully with an OK prompt.
...brb

Niggy (m)
I like flushing all my rules first so I can start a fresh config (this means you are flushing the iptables):
iptables -F
iptables -t nat -F
iptables -t mangle -F
Now do iptables -L to view your flushing, ok? Ok.
You must understand the way iptables works before you can set rules. In iptables we have what we call
1. table
2. rules
3. policy
Wait, this is my own writing o o, don't quote me! I beg. This is the way I understand iptables for now. I'm always updating myself too. Any changes or contribution is allowed, please. In case I have any update contrary to anything I've assumed here, I would be quick enough to have it notified, okay?
Ok, we have three tables:
1. netfiltering
2. nat
3. mangle
...will continue shortly

Niggy (m)
I use the netfiltering and nat most for now, so to make everything short I'll quote my script and explain what each line means, right?
Remember we've flushed out the default table, so we have to set a default rule for every packet. For my network I like rejecting all packets and accepting only the packets I want on my network, so I'll do
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# A chain policy accepts only ACCEPT or DROP, so REJECT cannot be set as the
# policy of OUTPUT and FORWARD. To get the reject behaviour described below,
# keep the DROP policy and append "-j REJECT" as the very last rule of each
# chain, after all the ACCEPT rules.
Let me explain what these do. Any packet coming from either your LAN or the outside network is dropped and rejected by default, any packet going out is rejected and no forwarding is done. Do you understand? Be careful with the use of drop and reject. Drop means the system trying to connect will not get any message that the packet is dropped. Reject means the system connecting is prompted with an error message of denied connection. Simple enough, huh?
So we have to start specifying what packets we want on our network. Isn't this nice?
...I'm hungry
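Niggy's "everything is denied" policy as a complete script, written here as an added example (not code from the thread): a chain policy can only be ACCEPT or DROP, so the reject behaviour he describes comes from REJECT rules appended after the accept rules. It assumes eth1 is the LAN side on 192.168.0.0/24 and that only ssh and http from the LAN are wanted; those interface and port choices are not from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: Niggy's "everything is denied"
# policy as a full script. A chain policy can only be ACCEPT or DROP, so the
# reject behaviour comes from REJECT rules appended after the accept rules.
# Assumptions (not from the post): eth1 is the LAN on 192.168.0.0/24 and only
# ssh and http from the LAN are wanted. IPT defaults to iptables; set
# IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="eth1"
LAN_NET="192.168.0.0/24"

flush_all() {
    # fresh start: empty the filter, nat and mangle tables and drop user chains
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -t mangle -F
    "$IPT" -X
}

set_default_deny() {
    # DROP is the only deny value a policy accepts (REJECT is a rule target)
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP
}

allow_wanted_traffic() {
    # loopback, and replies to connections this box opened itself
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # only ssh and http, and only from the LAN side
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
    # the box itself may talk out; replies come back via the ESTABLISHED rule
    "$IPT" -A OUTPUT -j ACCEPT
}

reject_the_rest() {
    # LAN clients get an ICMP error (reject); WAN packets hit the silent DROP
    # policy. These must be the LAST rules: nothing after them is evaluated.
    "$IPT" -A INPUT -i "$LAN_IF" -j REJECT --reject-with icmp-port-unreachable
    "$IPT" -A FORWARD -j REJECT
}

apply_firewall() {
    flush_all
    set_default_deny
    allow_wanted_traffic
    reject_the_rest
}

# Self-check helper: how many REJECT rules a run would append (dry run via echo)
count_reject_rules() {
    ( IPT=echo; apply_firewall ) | grep -c -- '-j REJECT'
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Preview the rule set with `IPT=echo sh firewall.sh apply` before running it as root.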

jogego (m)
I just finished installing Mepis Lite on my laptop. I tell you, ain't nothing like Linux. From my clicking the install button to having a fully functional system took less than 20 minutes. Try that with windoze. Anyhow, here is my stock screenshot without any modification whatsoever.

Chxta (m)
You are obviously a stickler for KDE.

joftech (m)
KDE rules anytime, any day. One reason why I hate Ubuntu is that it did not support KDE.
If anyone knows about any hack to get KDE on Ubuntu, share that on this board.

jogego (m)
I don't pretty much fancy Ubuntu because they have deviated so much from Debian. You can't really use Debian repositories if you are using Ubuntu. I always get the CDs (they normally send 10 out) but I have never once installed it. If you want the KDE variant, try Kubuntu. You can check for its details on www.distrowatch.com
KDE rocks. Well, so it's a resource hog, but I can change anything from splash screens to login screens to desktop to my icons. Name it and I can change it, and so many to choose from; just visit www.kde-look.org
I have tried a couple of distros these past few days: Alinux, Blag, Vector Linux, Symphony, DSL and the list goes on. Good thing my broadband has unlimited downloads or I would have been paying through my teeth. I even tried to do an FTP install of Suse 9.3 but I couldn't get it to work. I'm really interested in using Suse but I can't imagine downloading 5 different CDs for just one distro. Wonder how long installation would be. Probably longer than MS? Anyhow, seems I will be going back to Simply Mepis and I have yet to make up my mind on the distro going on my second box.

Niggy (m)
This is a shortcut to bring out the running processes (task manager in Windows) in KDE 3.4.1:
Ctrl+Esc
To terminate a GUI task, do Ctrl+Alt+Esc. This produces a skull icon in place of your mouse pointer; move this to the window which is not responding and left-click on it. Be careful: if you click on the desktop it stops your KDE manager! To reverse this, simply press Esc. It's good to know that with Linux you hardly face hanging-window problems or tasks-not-responding issues! So you'll rarely use this shortcut, if at all. I can't remember when I had to kill or stop a non-responding task in Fedora Core 4. Everything just runs smoothly.
My Linux firewall configuration tutorial continues shortly. Here I shall touch DMZ and virtual web-hosting, all with the use of iptables.
Does anyone know where my squid script and my transparent proxy config post have disappeared to?
I love Fedora Core 4

Niggy (m)
Need a bandwidth manager for Linux? Download the ClarkConnect 3.1 release: www.clarkconnect.org or www.clarkconnect.com. I've been using this since the kernel 2.4 release (ClarkConnect 2.1). The latest is ClarkConnect 3.1 with kernel 2.6. It is basically a gateway, so don't expect a KDE or GNOME desktop manager. It only presents you with a text interface or terminal login. I prefer the tty login. It's very efficient and allows web configuration through your LAN, i.e. you can configure it via a browser (Internet Explorer or Firefox) using https (secure http). Very nice. I preach only Fedora Core 4 and ClarkConnect Home Edition 3.1.
You can configure the bandwidth manager via the web interface only. It allows you to peg the bandwidth of clients on your LAN by their IP addresses. You can allocate bandwidth for upload and download for any client's IP address and also by specifying sites like Kazaa, Gnutella etc. and by protocol: ftp, http etc. Its in-built firewall has proven to be very effective: it can detect intruders, spoofing, block spam etc. It does NAT, MASQUERADE, Apache, mail server, Squid, DNS cache, web cache, DHCP, Samba, print server, ftp, telnet etc. It's basically a gateway machine. The size is just 350MB+. Mind you, it's free!! It doesn't have its own GUI: only a text interface, tty shell login and web config (GUI via your LAN client). So don't expect your favorite KDE or GNOME or other fancy desktop managers, okay? Installs within 15 minutes! I love it. And it's up and running, with default gateway settings of NAT and DNS cache. It's Red Hat 9 based, so if you understand Red Hat command-line scripting, you can work your way through the ClarkConnect command line. I've always been a command-line person, so I've never had any problem with any distro I lay my hands on. I started my journey of Linux with Red Hat 9, and I'm still with Fedora, the first-born of Red Hat. Mandrake came out from Red Hat too, but has undergone so much customization and automation as of today (Mandriva).
I'm currently working on some bandwidth commands for iptables; when I'm through I'll post them to Nairaland for test. I love Fedora Core 4

Niggy (m)
I'm currently downloading Elx Linux, and will write my review.

Niggy (m)
One of the easiest things to configure on Linux is DHCP (Dynamic Host Configuration Protocol). The script is located in /etc/dhcpd.conf.
You might not find it there at first, so you have to copy it from this location: /usr/share/doc/dhcp-3.X/dhcpd.conf.sample
So do
cp /usr/share/doc/dhcp-3.X/dhcpd.conf.sample /etc/dhcpd.conf
(replace X with your version number, please). You must be root to do this, ok? And mind you, the dhcp daemon must be running:
chkconfig --list | grep dhcpd
or
service dhcpd status
If not on, do:
chkconfig dhcpd on
or
chkconfig --level 2345 dhcpd on
/etc/init.d/dhcpd start
In case it fails, do
touch /var/lib/dhcp/dhcpd.leases
This creates the dhcpd.leases file needed by dhcpd to work.
Here is the script
ddns-update-style interim;
ignore client-updates;
# Enter your network and subnet mask here
subnet 192.168.0.0 netmask 255.255.255.0 {
    # The range of IP addresses the server will issue to DHCP-enabled
    # PC clients booting up on the network. Here 192.168.0.2 to
    # 192.168.0.100 will be assigned to your clients; change it to any
    # range you want.
    range 192.168.0.2 192.168.0.100;
    # Set the amount of time in seconds that a client may keep the
    # IP address: 24-hour lease time
    default-lease-time 86400;
    max-lease-time 86400;
    # Set the default gateway to be used by the PC clients
    # (your gateway IP address here)
    option routers 192.168.0.1;
    # Don't forward DHCP requests from this NIC interface to any other
    # NIC interfaces. If you have more than 1 NIC card, don't forward, please.
    option ip-forwarding off;
    # Set the broadcast address and subnet mask to be used by the DHCP clients
    option broadcast-address 192.168.0.255;
    option subnet-mask 255.255.255.0;
    # Set the DNS server to be used by the DHCP clients
    option domain-name-servers 192.168.0.50;
    # Set the NTP server to be used by the DHCP clients
    # (the option is ntp-servers; nntp-server would point at a news server)
    option ntp-servers 192.168.0.50;
    # If you specify a WINS server for your Windows clients,
    # you need to include the following option in the dhcpd.conf file:
    option netbios-name-servers 192.168.0.50;
    # You can also assign specific IP addresses based on the clients'
    # ethernet MAC address as follows (host's name is "laser-printer"):
    host laser-printer {
        hardware ethernet 06:00:5b:5c:59:83;
        fixed-address 192.168.0.120;
    }
}
#
# List an unused interface here
# subnet 192.168.2.0 netmask 255.255.255.0 { }
Notice that you can map a specific IP address to a MAC address like I did, since my printer runs on the 192.168.0.120 system. I've added some comments, but the script is self-explanatory. So change your client boot-up protocol to DHCP and never have to manually configure IP addresses again.
Enjoy! In case of any problem let me know, please. I love Fedora Core 4

Niggy (m)
I forgot to mention this. In case you don't understand how DHCP works, you'll need this. Every time your client system, with DHCP enabled, boots, it sends a DHCP broadcast request packet to the DHCP server with IP address 255.255.255.255. If your DHCP server has more than one interface, you have to add a route for this 255.255.255.255 address so that it knows the interface on which to send the reply; if not, it sends it to the default gateway. Note: You can't run your DHCP server on multiple interfaces because you can only have one route to network 255.255.255.255. If you try to do it, you'll discover that DHCP serving works on only one interface. You might escape this if the DHCP server is also the default gateway. You can solve this problem temporarily by doing
[root@niggy home]# route add -host 255.255.255.255 dev eth1
eth1 is where your DHCP request is coming from, ok?
You can confirm this by typing route. This will not stand a reboot, so you have to add it to your startup script /etc/rc.d/rc.local.
Enjoy Linux

busybyte
From the telecoms end, Linux is being used to host GSM protocols because the Linux kernel can be custom built and configured for a broad variety of hardware platforms. For telecommunications computing, Red Hat is the standard. Specifically, for cell phone operating systems, embedded Linux is becoming popular. Windows is hardly used for telecom infrastructure.
I know it may sound as if I am off point, but computing and telecoms merged a long time ago.

jogego (m)
One more reason to use KDE: KLaptop works very well on my laptop. I have configured the laptop to suspend when I close the lid, so when I'm not using it I just close it, and I have not shut down the laptop for up to a week now. At one time, it was on suspend for about two days. Once I open the lid, it just starts working again. It doesn't work in IceWM or Fluxbox, which I also have on the laptop.

Niggy (m)
Hmm, I'd like to talk about configuring your Linux box to be a DNS server and mail server for your domain. I've found this part interesting after lots of labour to learn them and configure my Fedora Core 4 to be both a mail server and DNS server (likewise my Fedora is configured to do MASQUERADE, transparent proxy, DHCP, web cache, DNS cache, ftp, telnet, Samba, ssh, Apache, virtual web-hosting). All these in one box? Yeah! I just love Linux, so I end up using my system as a medium to experiment with all I'm reading. Studying DNS and mail server took me two weeks.
Note: DNS is different from DNS cache. DNS (BIND in Linux) resolves your fully qualified domain name to IP addresses and vice versa, while a DNS cache just stores DNS information of frequently visited sites in a cache. With DNS, you can host other sites and also resolve names for your domain. So on my system, my DNS resolves names for my web site, mail server, DHCP server, etc. Sound interesting? Mail server and DNS server go hand-in-hand, so you have to learn both. Your mail server will not work without a DNS server, because you have to enter the MX record of your mail server into your DNS configuration script.
Contributions and responses are kindly welcomed.

joftech (m)
@niggy, please, how can I disable zone replication in BIND 9?

Niggy (m)
Oops! What do you mean by zone replication?

Niggy (m)
DNS is handled by the BIND package in Linux, and BIND runs under a daemon called named. Fedora Core 4 uses bind-chroot. Let me explain: bind-chroot works like BIND too, only the directories where BIND stores its files are changed. Normally BIND stores its files in two locations, /etc/named.conf and /var/named/,
but bind-chroot stores its files in /var/named/chroot/etc/named.conf and /var/named/chroot/var/named/.
The reason for the chroot directory is to put naughty boys, that might enter your system through a BIND exploit, in a jail called a chroot jail, so they end up not having access to your real /etc/ directory under your root hierarchy. Do you get that? Ok, so BIND is still bind-chroot.

Niggy (m)
Ok, I don't know if I have to explain the meaning of host/domain name in your URL. Let me. To access a site you type www.nairaland.com in your URL. Now, let me explain this. www is a hostname or an alias of a hostname in the domain nairaland.com, which is a zone under whoever is hosting the nairaland.com domain. Hope you are not lost? www.nairaland.com is now a fully qualified domain name. The scenario is that we want nairaland.com to have their own DNS server, to resolve names of their website and mail server.
When you type www.nairaland.com in your browser URL, your system analyses it as host/domain name, so it knows the top domain name is .com, hence it sends a query to .com, which is one of the 13 authoritative root servers, e.g. .com, .net etc. .com now queries the domain registrar under it. Let's say register.com is hosting nairaland.com. .com DNS now queries register.com for nairaland.com. register.com now queries the nairaland.com DNS (which we want to configure soon) for www. Since nairaland.com DNS has the record for www, which is an alias for the Apache web server with hostname webserver1, it now returns the IP address of www.nairaland.com to register.com ... down back to .com, then back to your web browser. All these happen within a flash. So imagine what your web browser has to do to get a URL resolved.

Niggy (m)
Please, I've not read this anywhere. It's what I think, so if you have a better explanation, post it. The question now is, why can't .com give the IP address straight off? No, it won't, because of what I call division of labor. .com cannot keep all the IP addresses of all the systems in the world, so they have to allow other DNS to do it. The same applies to your phone book directory. You can't find a Lagos phone number in a phone directory meant for the USA. You have to look for the Nigeria phone directory. Got it?
Also, a DNS server has the advantage of hosting your local network too. With a DNS server within your site, you can now refer to other systems by any name you want to call them without having to enter aliases into your /etc/hosts file. E.g. Seun's system, with hostname seun, can be referred to as admin.nairaland.com by other users in the nairaland.com domain. The mail server in nairaland.com can also be referred to as mail.nairaland.com instead of the IP address, for the local users.
Let me now talk about forward and reverse lookup.

Niggy (m)
Forward lookup is when you query a DNS for the IP address. E.g. in Linux you'll do
root@niggy# host www.nairaland.com
It returns you the IP address of www.nairaland.com. In Windows do
c:\> nslookup www.nairaland.com
Reverse lookup is when you query a DNS for the hostname or fully qualified name of an IP address. In Linux do
host 83.254.131.57
In Windows do
nslookup 83.254.131.57

Niggy (m)
I'll try to make everything as brief and explicit as possible. I work with Fedora Core 4, so I'll be working in the chroot directory /var/named/chroot.
Other distro users should know where to find their named.conf file. It's mainly stored in /etc/named.conf and your records are stored in /var/named/, okay?
The major config file for BIND is named.conf, located in:
/var/named/chroot/etc/named.conf (Fedora distro, please)
/etc/named.conf (other distros)
The /etc/named.conf in Fedora is only a symbolic link.

joftech (m)
I finally got my Ubuntu CDs today. Hurray.

jogego (m)
As far as I'm concerned, Ubuntu is just a lot of hype. You can't even use the normal Debian repositories. For instance, on my Kanotix box, I can use the package repositories of Mepis and vice versa. But Ubuntu have customised their packages so much that they are complete departures from Debian.

Niggy (m)
Now straight to editing your named.conf.
Don't touch the first parts; that's for the caching name server! Just go down to the end of the script to add yours, ok?
Remember our domain is nairaland.com, so we need to create a zone called nairaland.com and point to where you'll store its data, like this:
zone "nairaland.com" {
    type master;
    notify no;
    allow-query { any; };
    file "nairaland.zone";
};
Notice the allow-query part: this means any network is allowed to use your DNS server.
This can also be edited as
allow-query { 192.168.0.0/24; };
Again, I've indicated my zone file as nairaland.zone; the zone file configuration will be done later. This is where you store forward lookups.

Niggy (m)
Note that I'm using a single system for my firewall, mail and DNS server here. In case you are not doing this, you have to create a DMZ (de-militarized zone) for your servers and do some iptables forwarding and DNAT. I will cover this later too. But for now, firewall, mail and DNS server run on one system, ok?
My WAN, eth0, is 80.88.137.88/29 (assumed IP address, please; I will cover subnetting too later).
My LAN, eth1, is 192.168.0.1/24.
Now I have to point to my reverse database in this named.conf for my IP addresses, like this:
zone "0.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "192-168-0.zone";
};
Can you see that the file is 192-168-0.zone? This is where I'll store my reverse lookup of systems under my 192.168.0.0/24 network.
For my WAN also; note the (-) in the 80-88-137.zone name, please:
zone "137.88.80.in-addr.arpa" {
    type master;
    notify no;
    file "80-88-137.zone";
};

Niggy (m)
Now to the zone files. They are stored in /var/named/chroot/var/named/, so you have to create three zone files:
1. nairaland.zone
2. 192-168-0.zone
3. 80-88-137.zone
I like the vi editor, so do
cd /var/named/chroot/var/named/
vi nairaland.zone
Oops! Lest I forget, your /etc/hosts file has to be configured:
192.168.0.1 seun.nairaland.com seun
80.88.137.88 www.nairaland.com www ns1 mail
127.0.0.1 localhost.localdomain localhost
Okay, back to our zone files.
vi nairaland.zone
This creates a new nairaland.zone text file. Copy my script and make the necessary changes, okay?
;
; Zone file for nairaland.com
;
; The full zone file
;
$TTL 3D
@ IN SOA ns1.nairaland.com. root.nairaland.com. (
    200509191 ; serial#
    3600 ; refresh, seconds
    3600 ; retry, seconds
    3600 ; expire, seconds
    3600 ) ; minimum, seconds
;
@ IN NS ns1 ; nameserver for the zone (an NS record needs a hostname, not an IP address)
nairaland.com. IN MX 10 mail ; Primary Mail Exchanger
;
localhost IN A 127.0.0.1
seun IN A 192.168.0.1
mail IN A 80.88.137.88
ns1 IN A 80.88.137.88
www IN A 80.88.137.88
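An added example (not from the thread) that builds the reverse zone file referenced in the named.conf above from the A records of the forward zone, so every host gets a matching PTR record and forward and reverse lookups agree. It generalises beyond the post to any /24 prefix; the forward zone text is a constructed sample with an extra "printer" host that is not in Niggy's file, and the /29 WAN block is left out because a reverse zone narrower than /24 needs RFC 2317 delegation.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the reverse zone that the
# named.conf above references (0.168.192.in-addr.arpa -> 192-168-0.zone) from
# the forward zone's A records, so forward and reverse lookups stay in step.
# Works for any /24 (three-octet prefix). The /29 WAN block is not handled:
# a reverse zone narrower than /24 needs RFC 2317 classless delegation.

# Constructed sample forward zone (the "printer" host is not in the post).
FORWARD_ZONE='$TTL 3D
@ IN SOA ns1.nairaland.com. root.nairaland.com. ( 200509191 3600 3600 3600 3600 )
@ IN NS ns1
seun A 192.168.0.1
mail A 80.88.137.88
ns1 A 80.88.137.88
www A 80.88.137.88
printer IN A 192.168.0.120'

# 192.168.0 -> 0.168.192.in-addr.arpa (octets reversed, as in named.conf)
reverse_zone_name() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Print PTR records for every A record inside the given /24 prefix.
# $1 = zone text, $2 = three-octet prefix (e.g. 192.168.0), $3 = domain
ptr_records() {
    printf '%s\n' "$1" | awk -v prefix="$2" -v domain="$3" '
        # match "name [IN] A a.b.c.d" lines; the IN class is optional
        $2 == "A" || ($2 == "IN" && $3 == "A") {
            ip = ($2 == "A") ? $3 : $4
            n = split(ip, o, ".")
            if (n == 4 && (o[1] "." o[2] "." o[3]) == prefix)
                print o[4] " IN PTR " $1 "." domain "."
        }'
}

# Whole reverse zone file for the prefix; SOA/NS mirror the forward zone
reverse_zone_file() {
    name=$(reverse_zone_name "$2")
    printf '$TTL 3D\n'
    printf '@ IN SOA ns1.%s. root.%s. ( 200509191 3600 3600 3600 3600 )\n' "$3" "$3"
    printf '@ IN NS ns1.%s.\n' "$3"
    printf '; %s (reverse zone for %s.0/24)\n' "$name" "$2"
    ptr_records "$1" "$2" "$3"
}

reverse_zone_file "$FORWARD_ZONE" 192.168.0 nairaland.com
```

Redirect the output to 192-168-0.zone and run named-checkzone on it before reloading named.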