P. 1
linux-home-networking

linux-home-networking

|Views: 2,939|Likes:
Published by paramaguru85

More info:

Published by: paramaguru85 on Mar 09, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

03/15/2013

pdf

text

original

Sections

  • Chapter 1
  • Adding Linux Users
  • Who Is The Super User?
  • How To Add Users
  • How To Change Passwords
  • How To Delete Users
  • How To Tell The Groups To Which A User Belongs
  • Chapter 2
  • Using Sudo
  • What is sudo?
  • Download and Install The sudo Package
  • The visudo Command
  • The /etc/sudoers File
  • General Guidelines
  • Simple Examples
  • How To Use sudo
  • Using syslog To Track All sudo Commands
  • Chapter 3
  • Installing RPM Software
  • Where To Get Commonly Used RPMs
  • RPMs On Your Installation CDs
  • RPMs Downloaded From Redhat
  • RPMs Downloaded From Speakeasy
  • How to Easily Access CD RPMs With Automount
  • Downloading RPMS To Your Linux Box
  • Getting RPMs Using Web Based FTP
  • RedHat
  • Speakeasy
  • Getting RPMs Using Command Line Anonymous FTP
  • How To Install The RPMs
  • Using Downloaded Files
  • Using CDROMs
  • How to Install Source RPMs
  • Newer Linux Versions
  • Older Linux Versions
  • How To List Installed RPMs
  • How Uninstall RPMs
  • RedHat Up2date
  • Some Necessary Facts About up2date
  • Chapter 4
  • The Linux Boot Process
  • The RedHat Boot Sequence
  • Determining The Default Boot runlevel
  • Get A GUI Console
  • Get A Basic Text Terminal Without Exiting The GUI
  • Using A GUI Terminal Window
  • Using Virtual Terminals
  • System Shutdown And Rebooting
  • Halt / Shutdown The System
  • Reboot The System
  • How To Set Which Programs Run At Each runlevel
  • Chkconfig Examples
  • Use Chkconfig To Get A Listing Of Sendmail's Current Startup Options
  • Switch Off Sendmail Starting Up In Levels 3 and 5
  • Doublecheck That Sendmail Will Not Startup
  • Turn it back on again
  • Final Tips On chkconfig
  • Chapter 5
  • Why Host Your Own Site?
  • Network Diagram
  • Alternatives To Home Web Hosting
  • Factors To Consider Before Hosting Yourself
  • Home Based Websites
  • Pros
  • Cons
  • Small Office Based Websites
  • How To Migrate From An External Provider
  • Chapter 6
  • Introduction To Networking
  • What Is TCP/IP?
  • What is TCP?
  • What is UDP?
  • What are TCP / UDP Ports?
  • What is a TTL?
  • What is ICMP?
  • What Do IP Addresses Look Like?
  • Private IP Addresses
  • What Is Localhost?
  • What Is A Subnet Mask?
  • How Many Addresses Do I Get With My Mask?
  • What’s The Range Of Addresses On My Network?
  • Manual Calculation
  • Calculation Using A Script
  • What Is Duplex?
  • What Is A Hub?
  • What Is A Switch?
  • What Is A LAN?
  • What Is A Router?
  • What Is A Gateway?
  • What Is A Route?
  • What Is A Default Gateway?
  • What Is A NIC?
  • What Is A MAC Address?
  • What Is ARP?
  • What Is A Firewall?
  • What Is NAT?
  • What Is Port Forwarding With NAT?
  • What Is DHCP?
  • What Is DNS?
  • How Can I Check The IP Address For A Domain?
  • How Do I Get My Own DNS Domain Name?
  • Static or Dynamic DNS?
  • What is FTP?
  • Regular FTP
  • Anonymous FTP
  • Where is Linux Help?
  • Finding General Information On A Command
  • Search For All Instances Of A Word
  • Chapter 7
  • Troubleshooting Linux With Syslog
  • Troubleshooting Linux With Syslog
  • Syslog
  • About syslog
  • Syslog Facilities
  • Activating Changes To The syslog Configuration File
  • How To View New Log Entries As They Happen
  • Logging Syslog Messages To A Remote Linux Server
  • Configuring the Linux Syslog Server
  • Configuring the Linux Client
  • Syslog Configuration and Cisco Network Devices
  • Syslog and Firewalls
  • Logrotate
  • The /etc/logrotate.conf File
  • Sample contents of /etc/logrotate.conf
  • The /etc/logrotate.d Directory
  • The /etc/logrotate.d/syslog File (For General System Logging)
  • The /etc/logrotate.d/apache File (For Apache)
  • The /etc/logrotate.d/samba File (for SAMBA)
  • Activating logrotate
  • Chapter 8
  • Linux Networking
  • How To Configure Your NIC's IP Address
  • Determining Your IP Address
  • Changing Your IP Address
  • network-scripts File Formats
  • Multiple IP Addresses On A Single NIC
  • IP Address Assignment For A Direct DSL Connection
  • Some Important Files Created By adsl-setup
  • Simple Troubleshooting
  • How To Change Your Default Gateway
  • How Configure Two Gateways
  • How To Delete A Route
  • How To View Your Current Routing Table
  • How To Convert Your Linux Server Into A Router
  • Configuring Your /etc/hosts File
  • Your NIC's /etc/hosts File Format
  • Chapter 9
  • Simple Network Troubleshooting
  • How To See MAC Addresses
  • How To Use "Ping" To Test Network Connectivity
  • Using "traceroute" To Test Connectivity
  • Possible Traceroute Messages
  • Always Get A Bidirectional Traceroute
  • Ping & Traceroute Troubleshooting Example
  • Possible Reasons For Failed Traceroutes
  • Viewing Packet Flow With TCPdump
  • Possible TCPdump Messages
  • Useful TCPdump Expressions
  • Chapter 10
  • Linux Wireless Networking
  • Wireless Linux Compatible NICs
  • The Linksys WMP11 NIC and Linux
  • Pre Version 2.7 WMP 11 Card
  • The WMP 11 Version 2.7 Card
  • Linux-WLAN Preparation
  • PCMCIA Type Card Specific Information
  • Installing The Linux-WLAN Drivers
  • Linux-WLAN Installation - Using RPMs
  • Determining The Kernel Type
  • Determining The OS Version
  • Determining The Kernel Version
  • Linux-WLAN Installation – Using TAR files
  • Install the Kernel Source Files
  • Download And Install The Linux-WLAN TAR File
  • Configure The New wlan0 Interface Driver (PCI Cards)
  • Configure The New wlan0 Interface Driver (PCMCIA Cards)
  • Post Installation Steps
  • Configure The New wlan0 Interface
  • Disable Your Existing Ethernet NIC
  • Select the Wireless mode and SSID
  • Simulate a Reboot
  • PCI Cards – Installed Using RPMs
  • PCI Cards – Installed Using TAR Files
  • PCMCIA Cards
  • Check For Interrupt Conflicts
  • Linux-WLAN Encryption For Security
  • De-activating Encryption
  • Troubleshooting Your Wireless LAN
  • Chapter 11
  • Linux Firewalls Using iptables
  • What Is iptables?
  • Download And Install The Iptables Package
  • How To Get iptables Started
  • Packet Processing In iptables
  • Processing For Packets Routed By The Firewall
  • Packet Processing For Data Received By The Firewall
  • Packet Processing For Data Sent By The Firewall
  • Targets And Jumps
  • Descriptions Of The Most Commonly Used Targets
  • Important Iptables Command Switch Operations
  • General Iptables Match Criteria
  • Common TCP and UDP Match Criteria
  • Common ICMP (Ping) Match Criteria
  • Common Match Extensions Criteria
  • Using User Defined Chains
  • Sample iptables Scripts
  • Basic Initialization
  • Allowing DNS Access To Your Firewall
  • Allowing WWW And SSH Access To Your Firewall
  • Allowing Your Firewall To Access The Internet
  • Allow Your Home Network To Access The Firewall
  • Masquerading (Many to One NAT)
  • Port Forwarding Type NAT (DHCP DSL)
  • Static NAT
  • Logging & Troubleshooting
  • Chapter 12
  • Telnet, TFTP and XINETD
  • Telnet
  • What is Telnet?
  • Setting Up A Telnet Server
  • TFTP
  • What is TFTP?
  • Setting up a TFTP server
  • Configuring Cisco Devices for TFTP
  • Cisco PIX firewall
  • Cisco Switch Running CATOS
  • Cisco Router
  • Cisco CSS 111000 "Arrowpoints"
  • Using TFTP To Restore Your Router Configuration
  • Chapter 13
  • Linux FTP Server Setup
  • FTP Overview
  • FTP Control Channel - TCP Port 21
  • FTP Data Channel - TCP Port 20
  • Active FTP
  • Passive FTP
  • Problems With FTP And Firewalls
  • Client Protected By A Firewall Problem
  • Solutions
  • Server Protected By A Firewall Problem
  • How To Download And Install The VSFTP Package
  • How To Get VSFTP Started
  • Testing To See If VSFTP Is Running
  • What Is Anonymous FTP?
  • The /etc/vsftpd.conf File
  • FTP Security Issues
  • The /etc/vsftpd.ftpusers File
  • Anonymous Upload
  • FTP Greeting Banner
  • Using SCP As Secure Alternative To FTP
  • Example #1:
  • FTP Users With Only Read Access To A Shared Directory
  • Sample Login Session To Test Funtionality
  • Chapter 14
  • Secure Remote Logins And File Copying
  • Using Secure Shell As A Replacement For Telnet
  • Testing To See If SSH Is Running
  • The etc/ssh/sshd_config File
  • Using SSH To Login To A Remote Machine
  • User “root” Logs In To smallfry As User “root”
  • User “root” Logs In To smallfry As User “peter”
  • Using default port 22
  • Using port 435
  • What You Should Expect To See When You Log In
  • Deactivating Telnet once SSH is installed
  • Using SCP as a more secure replacement for FTP
  • Copying Files To The Local Linux Box
  • Copying Files To The Remote Linux Box
  • Chapter 15
  • Windows, Linux And Samba
  • Download and Install Packages
  • How To Get SAMBA Started
  • Configuring SWAT
  • Samba and PC Firewall Software
  • Zone Alarm
  • The Windows XP Built In Firewall
  • How To Create A Samba PDC Administrator User
  • Create The Administrator’s User Group and Directories
  • Create The Administrator User Under Linux
  • Adduser’s Command Switches
  • Create An Administrator Domain Password
  • Make The Administrator One Of The Samba Admin Users
  • How to Configure a Samba PDC
  • Create A Samba PDC
  • Create Your PC Machine Trusts
  • Manual Creation Of Machine Trust Accounts (NT Only)
  • Dynamic Creation Of Machine Trust Accounts
  • Make Your PC Clients Aware Of Your Samba PDC
  • Windows 95/98/ME
  • Windows NT
  • Windows 2000
  • Windows XP
  • How To Add Users To Your Samba Domain
  • Add The Users In Linux
  • Map The Linux Users To An smbpassword
  • Map A Drive Share
  • Mapping Using “My Computer”
  • Mapping From The Command Line
  • Domain Groups And Samba
  • How To Delete Users From Your Samba Domain
  • Delete The Users In Linux
  • Delete The Users Using smbpasswd
  • Chapter 16
  • Sharing Resources With Samba
  • Adding A Printer To A Samba PDC
  • Adding The Printer To Linux
  • Make Samba Aware Of The Printer
  • Configure The Printer Driver On The Workstations
  • Creating Group Shares in SAMBA
  • Create The Directory And User Group
  • Configure The Share In SWAT
  • Map The Directory Using “My Computer”
  • Windows Drive Sharing With Your SAMBA Server
  • Windows Setup
  • Windows 98/ME
  • Test Your Windows Client Configuration
  • Create A ZIP Drive Mount Point On Your Samba Server
  • Prompted For Password Method
  • Not Prompted For Password Method
  • Using The smbmount Command Method
  • Chapter 17
  • Configuring DNS
  • What Is BIND?
  • When To Use A DNS Caching Nameserver
  • When To Use A Regular DNS Server
  • When To Use Dynamic DNS
  • How To Download and Install The BIND Packages
  • How To Get BIND Started
  • The /etc/resolv.conf File
  • Configuring A Caching Nameserver
  • Configuring A Regular Nameserver
  • Configuring named.conf
  • Configuring The Zone Files
  • The SOA Record
  • NS, MX, A And CNAME Records
  • Sample Forward Zone File
  • Sample Reverse Zone File
  • What You Need To Know About NAT And DNS
  • Loading Your New Configuration Files
  • Make Sure Your /etc/hosts File Is Correctly Updated
  • Configure Your Firewall
  • Fix Your Domain Registration
  • How To Migrate Your Website In-House
  • DHCP Considerations For DNS
  • Chapter 18
  • Dynamic DNS
  • What Is Dynamic DNS?
  • Dynamic DNS And NAT Router/Firewalls
  • Dynamic DNS Prerequisites
  • Sign Up With A DDNS Provider
  • Update Your DNS Registration
  • Installing And Using ez-ipupdate
  • The /etc/ez-ipupdate.conf File
  • ez-ipupdate And NAT
  • Installing And Using DDclient
  • The /etc/ddclient.conf File
  • Testing Your Dynamic DNS
  • Testing Port Forwarding
  • Chapter 19
  • The Apache Web Server
  • Download and Install The Apache Package
  • How To Get Apache Started
  • Configuring DNS For Apache
  • General Configuration Steps
  • Named Virtual Hosting
  • IP Based Virtual Hosting
  • A Note On Virtual Hosting And SSL
  • Disabling SSL – (Not Recommended)
  • Use Wild Cards Sparingly
  • Configuration – Multiple Sites And IP Addresses
  • A Note On Virtual Hosting And DNS
  • Using Data Compression On Web Pages
  • Compression Configuration Example
  • Apache Running On A Server Behind A Firewall
  • File Permissions And Apache
  • How To Protect Web Page Directories With Passwords
  • Issues When Upgrading To Apache 2.0
  • Incompatible /etc/httpd/conf/http.conf files
  • Chapter 20
  • Monitoring Server Performance
  • SNMP
  • What is SNMP?
  • SNMP on a Linux Server
  • MRTG
  • What is MRTG?
  • Download and Install The MRTG Packages
  • Configuring MRTG
  • RedHat Version 8.0 and Indexmaker
  • Using MRTG To Monitor Other Subsystems
  • Webalizer
  • What Is Webalizer?
  • How To View Your Webalizer Statistics
  • The Webalizer Configuration File
  • Make Webalizer run in Quiet Mode
  • Chapter 21
  • Configuring Linux Mail Servers
  • Configuring Sendmail
  • An Overview Of How Sendmail Works
  • Installing And Starting Sendmail
  • Restart Sendmail After Editing Your Configuration Files
  • Errors With The Newaliases Command
  • Errors With The m4 Command
  • Errors When Restarting sendmail
  • The /var/log/maillog File
  • The /etc/mail/sendmail.mc File
  • Why Sendmail Only Listens On The Loopback Interface By Default
  • Edit /etc/mail/sendmail.mc To Make Sendmail Listen On NICs Too
  • Regenerate The sendmail.cf File
  • Restart sendmail to load the new configuration
  • Now Make Sure Sendmail Is Listening On All Interfaces
  • A General Guide To Using The sendmail.mc File
  • The /etc/hosts File
  • Symptoms Of A Bad /etc/hosts File
  • The /etc/mail/relay-domains File
  • The /etc/mail/access File
  • The /etc/mail/local-host-names File
  • Which User Should Really Receive The Mail?
  • The /etc/mail/virtusertable file
  • The /etc/aliases File
  • Simple Mailing Lists Using Aliases
  • An Important Note About The /etc/aliases File
  • Sendmail Masquerading Explained
  • Configuring masquerading
  • Testing Masquerading
  • Other Masquerading Notes
  • A Simple PERL Script To Help Stop SPAM
  • Configuring Your POP Mail Server
  • Installing Your POP Mail Server
  • How To Configure Your Windows Mail Programs
  • How to handle overlapping email addresses
  • Chapter 22
  • Configuring The DHCP Server
  • Download and Install The DHCP Package
  • The /etc/dhcp.conf File
  • Upgrading Your DHCP Server
  • How to get DHCP started
  • Modify Your Routes for DHCP on Linux Server
  • Temporary solution
  • Permanent Solution
  • Configuring Linux clients to use DHCP
  • Error Found When Upgrading From Redhat 7.3 To 8.0
  • Chapter 23
  • The NTP Server
  • What is NTP?
  • Download and Install The NTP Package
  • The /etc/ntp.conf File
  • How To Get NTP Started
  • Determining If NTP Is Synchronized Properly
  • Configuring Cisco Devices To Use An NTP Server
  • Cisco IOS
  • CAT OS
  • Firewalls and NTP
  • Chapter 24
  • Configuring Cisco PIX Firewalls
  • Network Address Translation (NAT)
  • Accessing the PIX command line
  • Via The Console Port
  • Via Telnet
  • Sample PIX Configuration: DSL - DHCP
  • Configuring PPPoE
  • NAT Configuration
  • Dynamic DNS Port Forwarding Entries
  • How To Get Static IPs For DSL Cheaply
  • Sample PIX configuration: DSL - Static IPs
  • Outgoing Connections NAT Configuration
  • Incoming Connections NAT Configuration
  • Chapter 25
  • Configuring Cisco DSL Routers
  • An Introduction to Network Address Translation (NAT)
  • Introduction to accessing the router command line
  • Sample Configurations
  • DSL Router With Built-In Modem - DHCP
  • DSL Router With Built-In Modem - Static IP
  • DSL Router With External Modem - Static IP
  • Other NAT Topics
  • Commonly Used TCP And UDP Ports
  • How To Verify That NAT Is Working Correctly
  • How To Troubleshoot NAT
  • Appendix I
  • Miscellaneous Topics
  • VPN Terminologies
  • Authentication
  • Encryption
  • IPSec
  • Authentication Header (AH)
  • Encapsulating Security Protocol (ESP)
  • Transport mode VPNs
  • Transport mode AH packet format
  • Transport mode AH / ESP packet format
  • Tunnel mode VPNs
  • Tunnel mode AH packet format
  • Tunnel mode AH / ESP packet format
  • Authentication methods
  • Encryption methods
  • Internet Key Exchange (IKE)
  • IKE authentication methods
  • Public key cryptography using RSA encryption
  • Shared keys
  • IKE's role in creating Security Associations
  • Transforms
  • IKE and ISAKMP
  • VPN Security And Firewalls
  • VPN User Authentication Methods For Temporary Connections
  • Types Of Dial Up VPN Authentication
  • Running Linux Without A Monitor
  • Preparing To Go “Headless”
  • Configuration Steps
  • Make Your Linux Box Emulate A VT100 Dumb Terminal
  • Syslog Configuration and Cisco Devices
  • Cisco Routers
  • Catalyst CAT Switches running CATOS
  • Cisco Local Director
  • Cisco PIX Filewalls
  • Cisco CSS11000 (Arrowpoints)
  • The Sample Cisco syslog.conf File
  • Disk Partitioning Explained
  • What Is A Partition?
  • What Is A Filesystem?
  • How Linux Links Filesystems And Partitions
  • What Partitions Are Mandatory?
  • The mandatory partitions are:
  • "/", Also Known As "root"
  • /boot
  • swap
  • Recommended Sizes For Disk Partitions
  • Some Recommended Partition Sizes
  • How Much Space Do I Have On My Partitions?
  • What Can I Do When I Run Out Of Disk Space?
  • The OSI Networking Model
  • The Seven OSI Layers
  • TCP/IP Packet Format
  • Contents Of The IP Header
  • Contents Of The TCP Header
  • Contents Of The UDP Header
  • Appendix II
  • Codes, Scripts and Configurations
  • Codes, Scripts and Configurations...293
  • Subnet Calculator Script
  • Apache File Permissions Script
  • Sendmail SPAM Filter Script
  • The mail-filter.accept File
  • The mail-filter.reject File
  • The mail-filter Script
  • IPtables FTP Client
  • IPtables FTP Server
  • IPtables NTP Server
  • IPtables Complex script
  • DNS Zone File For my-site.com
  • ; Zone file for my-site.com
  • DNS Zone File For my-other-site.com
  • ; Zone file for my-other-site.com
  • Forward Zone File For A Home Network Using NAT
  • Reverse Zone File For A Home Network Using NAT
  • Sendmail Sample /etc/mail/access File
  • Sendmail Sample /etc/aliases File
  • Sendmail Sample /etc/mail/local-host-names File
  • Sendmail Sample /etc/mail/sendmail.mc File
  • Sendmail Sample /etc/mail/virtusertable File
  • ICMP Codes
  • Cisco PIX Firewall - DHCP DSL Configuration
  • Cisco PIX Firewall - Static DSL Configuration
  • Appendix III
  • Bibliography
  • Wireless Linux
  • Cisco Router Configuration Examples
  • Cisco PIX Firewall Configuration Examples
  • Netfilter - iptables Configuration
  • General Home Networking Resource Pages
  • SSH Servers and SSH Clients
  • The Windows SCP client called WinSCP
  • FTP Server and FTP Clients
  • DHCP Server
  • Apache Web Server Software
  • Sendmail Mail Configuration
  • Static DNS
  • NTP Server
  • POP Mail Server
  • Samba - Linux as a Windows File Server
  • General Linux Resource Pages
  • Disk Partitioning
  • Network Monitoring
  • My Other Sites

Linux Home Networking

Grief Relief For The Home And Small Office

Peter Harrison
www.linuxhomenetworking.com
May 3, 2003

To Diana: “Turn off the PC and go to bed”

Copyright
© Peter Harrison 2002-2003, All rights reserved. ISBN 0-9729355-0-9 Unless otherwise stated, the material published within this document is copyright of the author, Peter Harrison. No part of of this document, including page design, interior design, cover design and icons may be reproduced or transmitted in any form, by any means, (electronic, photocopying, recording, or otherwise) without the prior consent of the publisher/author.

Disclaimer – The Website and Manual
While every effort will be made to ensure that the information contained within the is website and manual is accurate and up to date, the author makes no warranty, representation or undertaking whether expressed or implied, nor does it assume any legal liability, whether direct or indirect, or responsibility for the accuracy, completeness, or usefulness of any information.

Disclaimer - Other sites
Hypertext links to sites outside this website are provided as a convenience to users and should not necessarily be construed as an endorsement. Although every care is taken to provide links to suitable material from this site, the nature of the Internet prevents the author from guaranteeing the suitability or accuracy of any of the material that this site may be linked to. Consequently, the author can accept no responsibility for unsuitable or inaccurate material that may be encountered and accepts no liability whether direct or indirect for any loss or damage a person suffers because that person had directly or indirectly relied on any information stored in the hypertext links. Further, the author is not and can not be responsible for the accuracy or legitimacy of information found elsewhere on the Internet and there is therefore no guarantee or warranty that any of the sites listed will be available at any particular time. The author does not guarantee or warrant any services that might be announced - use at your own risk. The author makes no warranty, representation or undertaking whether expressed or implied nor does it assume any legal responsibility for the accuracy, completeness of usefulness of the information in the hypertext links.

Introduction During the “.com” gold rush, I decided to set up a small website dedicated to Caribbean art. The
company I used made it really easy, all I had to do was copy my files to the web server using the username and password they provided. One day at work I overheard some friends saying that they were hosting their websites from home using their DSL line. I suddenly decided to do the same and moved www.simiya.com literally “in-house”. Of course, it wasn’t as easy as they had made it seem. I generally found a majority of Linux resources on the web to be either too detailed or too vague or just inaccurate. There were many excellent articles on specific topics, but they were usually part of a general interest publication, and information on related topics on the site was sometimes hard to find. There just wasn’t a site out there for intermediate Linux home users who wanted to get their feet wet in web hosting, nor did there seem to be any similar sites targeting the poor I.T. people who are told to “get Linux working by tomorrow”. After a few months I decided that no one should have to repeat my pain and I added some technical pages to the site. Soon, www.linuxhomenetworking.com was born. This manual assumes you have a few weeks of Linux experience and understand the basics, such as file management and the use of text editors such as “vi”. This approach was taken in order to keep its focus on the intermediate user who requires a compact guide. It’s ironic to know that in the beginning I learned from the web as I just wasn’t prepared to buy too many Linux books, now I’ve created this manual because web users were constantly asking me to write one. If you like this manual, feel free to visit the site and let me know. Without your encouragement it wouldn’t have happened at all. Peter

................................i Table Of Contents Chapter 1 .......................................................................29 Using Downloaded Files ........................................................................................................................................21 Using syslog To Track All sudo Commands .................................................................................................................................................................................................................26 Getting RPMs Using Command Line Anonymous FTP .......................................................................................................................34 Chapter 4 ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................15 How To Change Passwords.............................26 RedHat.........................................24 RPMs Downloaded From Speakeasy .....................................20 The /etc/sudoers File ............................................................................................................................................................................................................................................................................15 How To Add Users.............................................................................................................29 Newer Linux Versions ..................................................................................... 23 Where To Get Commonly Used RPMs.......................................................................... 15 Who Is The Super User? .....................................................20 General Guidelines .............................21 Chapter 3 .........................................................16 How To Delete Users ..................................................................................... 19 Using Sudo.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................24 Downloading RPMS To Your Linux Box...........................................................................................................................................17 How To Tell The Groups To Which A User Belongs ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................31 How Uninstall RPMs.............................................................................................................................................................................................20 Simple Examples ...........30 Older Linux Versions ..........................................................29 Using CDROMs.....................................................................................................................24 RPMs Downloaded From Redhat....................17 Chapter 2 ........................................................................................................................................................20 How To Use sudo ............................................................................................................................................................................19 Download and Install The sudo Package .........................................................................26 How To Install The RPMs ........32 Some Necessary Facts About up2date ..........................................................................................................................23 RPMs On Your Installation CDs .......................................................................................................................................................................................................................................... 19 What is sudo?.............. 37 ......................................... 15 Adding Linux Users .................................................................................................................................................24 How to Easily Access CD RPMs With Automount ......................................................25 Getting RPMs Using Web Based FTP.................................................................................................................................................................31 How To List Installed RPMs ..................................................................................................................................26 Speakeasy ...................................................................................................20 The visudo Command ................................................29 How to Install Source RPMs................................................................... 23 Installing RPM Software ..................32 RedHat Up2date ..............

...................39 Using A GUI Terminal Window ....................................................................................39 How To Set Which Programs Run At Each runlevel ..........................................................................................................................................................................................................................................................................................................44 Cons.........................................................................................................................................................................................................................................39 Halt / Shutdown The System.........................................................................39 Using Virtual Terminals ............................................................................................................................37 Determining The Default Boot runlevel....................................................................................54 What Is A NIC?.................................................................................................................................40 Switch Off Sendmail Starting Up In Levels 3 and 5 ....................................................................................................................................................................45 How To Migrate From An External Provider ...............52 What Is Duplex? ....................................................................................................................................... 47 What Is TCP/IP? ...........................................................................................................................................38 Get A GUI Console ................................................................................................44 Factors To Consider Before Hosting Yourself ..............................................43 Alternatives To Home Web Hosting ............... 43 Network Diagram ..........38 Get A Basic Text Terminal Without Exiting The GUI ..........................................................................................................................................41 Final Tips On chkconfig........................................ 37 The RedHat Boot Sequence ............................................45 Cons....................................................................................................................................................44 Home Based Websites...................................................................................................................53 What Is A LAN?...................................................................................................................................................................................................................................49 What is ICMP?........................................................................................................................................................................................................................................................................................... 43 Why Host Your Own Site?..................................................................................................................................................................................................................................................com The Linux Boot Process .................................................................................................................................................................................40 Chkconfig Examples................................................................................................................40 Doublecheck That Sendmail Will Not Startup.............52 What Is A Switch?.......................................................................................................................................51 What’s The Range Of Addresses On My Network? ..........................................................................................................................44 Small Office Based Websites........................................................................................................................................................54 What Is A Route? ...................................................................................45 Pros ..................................................................................................................................................39 Reboot The System .......................................................................................53 What Is A Gateway?..................................................................51 Manual Calculation ...48 What are TCP / UDP Ports?..............................................................48 What is a TTL? ....................................................................................44 Pros .................................................................................................................................................................................................................................................. 47 Introduction To Networking.......ii www.........50 How Many Addresses Do I Get With My Mask? ...............................................................................................................................................51 Calculation Using A Script ...............................50 What Is Localhost? ..........................................................................................................................................................................................................................................................................................................................48 What is UDP? ......................................................................................................................................linuxhomenetworking..............................................................................................................................52 What Is A Hub? .............................................................................49 What Do IP Addresses Look Like?...48 What is TCP?..................................................................................................................................................................................................................................................................................................................................................54 What Is A Default Gateway? ........................................................................................................................................................................................................................................................................................................................................................................................................53 What Is A Router?...................46 Chapter 6 ..39 System Shutdown And Rebooting.......................................................................49 Private IP Addresses ..............................................................................................................................41 Chapter 5 .........55 ..................................................................................................................................50 What Is A Subnet Mask? ................40 Use Chkconfig To Get A Listing Of Sendmail's Current Startup Options ....................................................................................................................................................................................................................................................40 Turn it back on again ................................................................................................................................

.....................................................................................................................................................................................................................................................................................................................................................79 How To Delete A Route .........................59 Regular FTP....60 Search For All Instances Of A Word .........................................................................................................................................................................................55 What Is A Firewall?............................................................................................................................................................69 The /etc/logrotate.........................................80 How To Convert Your Linux Server Into A Router ...........59 Static or Dynamic DNS? .............................................................................................................................57 How Can I Check The IP Address For A Domain?.......................................................................................................................................................................................................................................................................................................................................................68 The /etc/logrotate.....................................................................................................69 Chapter 8 ..................................................82 Your NIC's /etc/hosts File Format...............................................................55 What Is ARP? ..........................................................................65 Configuring the Linux Client .....59 What is FTP? ...................60 Finding General Information On A Command ..................67 Sample contents of /etc/logrotate......................................................................................71 Determining Your IP Address............................................................................................................................................................................d/samba File (for SAMBA) ...................................................................................................................................................................................................................................................................................................................81 Configuring Your /etc/hosts File...........................59 Anonymous FTP ...........................74 Some Important Files Created By adsl-setup .............................................conf .......................64 Activating Changes To The syslog Configuration File............................................................................................................63 About syslog ...........................................68 The /etc/logrotate...............................................................................................d/syslog File (For General System Logging)...................................................................................................................................................................................d Directory......... 63 Troubleshooting Linux With Syslog.......73 IP Address Assignment For A Direct DSL Connection................................................................82 ..........................79 How Configure Two Gateways .........................67 Logrotate .................................................................. 71 Linux Networking .........................................................................................................................................................................................................................................................................................................Table Of Contents iii What Is A MAC Address? ...................................................................................72 network-scripts File Formats .......................56 What Is Port Forwarding With NAT? .......................................................................60 Chapter 7 ..........................................................................................................................................................................................................................................................................68 The /etc/logrotate.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................67 The /etc/logrotate.....................................................................................................................................................................d/apache File (For Apache) ......................................................................................................................................................................................65 Configuring the Linux Syslog Server............................................................................................................................................................................................................................................................................................................................................................67 Syslog and Firewalls...................................56 What Is DHCP? .........................57 What Is DNS?............................73 Multiple IP Addresses On A Single NIC ..................................................................................................................................................................................................71 Changing Your IP Address ............................69 Activating logrotate ...........................................................................................................................................................................56 What Is NAT? ..78 How To Change Your Default Gateway ......................................................................... 71 How To Configure Your NIC's IP Address .............................................................................. 63 Syslog .......................................80 How To View Your Current Routing Table ...59 Where is Linux Help? ...................................................................................................................................................................65 How To View New Log Entries As They Happen...................63 Syslog Facilities.........................................................................................65 Logging Syslog Messages To A Remote Linux Server ................................................................conf File ..58 How Do I Get My Own DNS Domain Name? .....................................................................................................................66 Syslog Configuration and Cisco Network Devices....................................................................................77 Simple Troubleshooting .......................................................................................................

.................................................................................101 Download And Install The Linux-WLAN TAR File .....................................................................................................................................................................................................................................108 Troubleshooting Your Wireless LAN .................. 97 Wireless Linux Compatible NICs ...................................101 Install the Kernel Source Files ..................................................................................................................................... 85 How To See MAC Addresses .......112 How To Get iptables Started .117 ...........................................................................................................100 Determining The Kernel Version...........107 De-activating Encryption .......................................................................................................................................................................................................................................................................................................................85 How To Use "Ping" To Test Network Connectivity ...............................104 Disable Your Existing Ethernet NIC .....99 Linux-WLAN Installation ............................................................................................................................iv www....................117 Descriptions Of The Most Commonly Used Targets ......................................................... 85 Simple Network Troubleshooting ...............................................................105 Linux-WLAN Encryption For Security .....................................................................................................105 PCI Cards – Installed Using RPMs ............................................................................................................................................................................................................................92 Possible TCPdump Messages ..........104 Simulate a Reboot ..............................................................................116 Targets And Jumps.....................................97 The Linksys WMP11 NIC and Linux .....................................................................................105 PCI Cards – Installed Using TAR Files.....................................................................................105 Check For Interrupt Conflicts.............................................................................................................................................................................................................................................................................................................................................................114 Packet Processing For Data Received By The Firewall.............................................98 Pre Version 2......................................................................................7 Card .................................................................................................................................................................................................................Using RPMs ...................................................................................................................................................................................................88 Always Get A Bidirectional Traceroute .....................................................................................99 PCMCIA Type Card Specific Information ....................................................................................................................................................................................................................................98 The WMP 11 Version 2....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................99 Determining The Kernel Type ...........................................................................................................112 Packet Processing In iptables ....................................................104 Select the Wireless mode and SSID .......................................................................112 Download And Install The Iptables Package ..............................com Chapter 9 ....................................101 Configure The New wlan0 Interface Driver (PCI Cards) .................................89 Ping & Traceroute Troubleshooting Example ...........................................................................104 Configure The New wlan0 Interface....... 111 Linux Firewalls Using iptables..............................................................92 Useful TCPdump Expressions .....................................98 Linux-WLAN Preparation ............................105 PCMCIA Cards ................... 97 Linux Wireless Networking.....................................................................................................................................................................................................100 Linux-WLAN Installation – Using TAR files .....................86 Using "traceroute" To Test Connectivity............................................................115 Packet Processing For Data Sent By The Firewall ..................................................linuxhomenetworking.............................................................................................................................................................................................91 Viewing Packet Flow With TCPdump ...7 WMP 11 Card..........................................................................................................................................................................................................102 Configure The New wlan0 Interface Driver (PCMCIA Cards) ...............................................................................................................................................................................................................................................112 Processing For Packets Routed By The Firewall..........................99 Determining The OS Version ..............................109 Chapter 11...................87 Possible Traceroute Messages..................................................................................................................................................................................................................90 Possible Reasons For Failed Traceroutes ...........................................................99 Installing The Linux-WLAN Drivers ..........................................................................................................................93 Chapter 10...................................................................103 Post Installation Steps.................................... 111 What Is iptables?............................

.......................................................138 Using TFTP To Restore Your Router Configuration ......................................130 Logging & Troubleshooting.......................134 What is Telnet? ......................................131 Chapter 12......................................................................................................................................................................................................141 FTP Control Channel ..........144 Solutions........................................................................................................................120 Common ICMP (Ping) Match Criteria ....119 General Iptables Match Criteria .........................................................................148 Example #1: .................142 Active FTP..............................148 The /etc/vsftpd...............135 Setting up a TFTP server.................................................................................................................146 Testing To See If VSFTP Is Running..........................................................................................136 Configuring Cisco Devices for TFTP........................................................................................................................................................................................TCP Port 21 ............................................................................................................TCP Port 20........................................................................................................................................................................................................................................................127 Port Forwarding Type NAT (DHCP DSL) ......................................................................................................................................................................................................................................................................................................................................................Table Of Contents v Important Iptables Command Switch Operations.................................................142 Passive FTP................................................................................................................................................. TFTP and XINETD ................................................................................................................................................................................................................................................................................................................................................................................121 Using User Defined Chains ..ftpusers File ..........................................................................................................................................................................................................128 Static NAT ................................145 How To Get VSFTP Started .......................................................................................135 TFTP ..................................... 133 Telnet..........................143 Server Protected By A Firewall Problem ...............................137 Cisco PIX firewall ...........................................................................................................................................125 Allowing WWW And SSH Access To Your Firewall.....................................................................................................................................................................................................121 Common Match Extensions Criteria..........................................................................................................................................144 How To Download And Install The VSFTP Package....................................................................143 Problems With FTP And Firewalls...........................................................................................................................................................148 Using SCP As Secure Alternative To FTP ..........................................................conf File.....................................................................146 What Is Anonymous FTP?...............................................................................143 Solutions....................................................................................................126 Allowing Your Firewall To Access The Internet......................137 Cisco Router .........................................................138 Cisco CSS 111000 "Arrowpoints"............................................... 141 FTP Overview...............137 Cisco Switch Running CATOS.................148 FTP Greeting Banner ........................................................................................................................................................................................................143 Client Protected By A Firewall Problem.....................................................142 FTP Data Channel ....................................................................................................................................................................................................................................................................................................................................................................................................................................................................135 What is TFTP?.......................................................................................................127 Masquerading (Many to One NAT) ................................................................................................. 141 Linux FTP Server Setup........... 133 Telnet .......................................................................................................................................................................................................................................................................................................................................................................................................138 Cisco Local Director........................................................................................................................................................................................148 Anonymous Upload ...................................................................................................................................................................124 Allowing DNS Access To Your Firewall ..........................................................................147 The /etc/vsftpd..................................................................................................................................................................................................................126 Allow Your Home Network To Access The Firewall ...........................................................................................................................................................................................123 Sample iptables Scripts....139 Chapter 13..............................................................149 .................................................119 Common TCP and UDP Match Criteria ........................................................................................................................................................................134 Setting Up A Telnet Server.........................................................................................124 Basic Initialization.........................147 FTP Security Issues .........................................

........................................164 Make The Administrator One Of The Samba Admin Users.....................................169 Add The Users In Linux........................163 Create An Administrator Domain Password ............................ Linux And Samba ...........................................................................................................................................171 Delete The Users In Linux ...............166 Dynamic Creation Of Machine Trust Accounts...............................................................155 Deactivating Telnet once SSH is installed ..............................................................................................167 Windows 95/98/ME ........................ 173 Sharing Resources With Samba...........................................161 Samba and PC Firewall Software...........................................vi www...155 User “root” Logs In To smallfry As User “root”.................................................................................................155 What You Should Expect To See When You Log In ....................................................................................................................................169 Mapping Using “My Computer” .....................................157 Chapter 15...............................................................................................................................................................................................168 Windows 2000 ..................................................................153 Testing To See If SSH Is Running ...........................................................................................................................................................................................160 Configuring SWAT ...157 Copying Files To The Local Linux Box ................................................................ 153 Secure Remote Logins And File Copying...............................................................171 Chapter 16.........................................166 Manual Creation Of Machine Trust Accounts (NT Only)..................................................................................................................169 Mapping From The Command Line........................................................................................................... 159 Download and Install Packages............................ 173 ......................................................................linuxhomenetworking.................................................................................................................................................................155 User “root” Logs In To smallfry As User “peter” .......................................................................................................................................................170 Domain Groups And Samba ..........................................com FTP Users With Only Read Access To A Shared Directory ........................................150 Chapter 14...149 Sample Login Session To Test Funtionality...........................................162 How To Create A Samba PDC Administrator User ................................................................................. 159 Windows................................................................................................................154 Using SSH To Login To A Remote Machine ...............................................................................................................................................................................................................168 How To Add Users To Your Samba Domain ..............................................................................................................................................................................................................................................................................................170 How To Delete Users From Your Samba Domain ...........................................................................................................................................162 Create The Administrator’s User Group and Directories ..............................................................................................................................................................................................................................................................................................................................................................................................................................................................164 Create A Samba PDC .....................................155 Using port 435 .......................................................................................................................................................................167 Windows NT...............................162 The Windows XP Built In Firewall.........................................................................................................................................................................................................................................169 Map The Linux Users To An smbpassword ...............................................162 Create The Administrator User Under Linux..........................................161 Zone Alarm................156 Using SCP as a more secure replacement for FTP..........................................................................................................................................................................................164 How to Configure a Samba PDC ...........................................................................................................................................................................................................163 Adduser’s Command Switches ..........160 How To Get SAMBA Started ...............................................................167 Make Your PC Clients Aware Of Your Samba PDC................................................................................................................................................................................................................................................................................................................................ 153 Using Secure Shell As A Replacement For Telnet ....................................................................................................................................................154 The etc/ssh/sshd_config File.................................................................157 Copying Files To The Remote Linux Box..........................................................................................................................................................................................................................................................................................................................................168 Windows XP.........................171 Delete The Users Using smbpasswd..................................................................................................169 Map A Drive Share.........................155 Using default port 22 ..164 Create Your PC Machine Trusts.............................................................................................

..........................................................................181 When To Use A DNS Caching Nameserver ................conf ..........................................................................................................................185 The SOA Record......................................................................................................................................................177 Windows Setup ...............................................................................................................................................................................................................................199 Installing And Using ez-ipupdate ..............................................................................................................................................................................................................................................................................................................................................................182 When To Use A Regular DNS Server.........................................................................................193 How To Migrate Your Website In-House....................177 Windows XP.................................................................... 181 Configuring DNS...................................................................................................................................................................................................................174 Configure The Printer Driver On The Workstations ................................189 Loading Your New Configuration Files .................................................................................................................................................................................198 Dynamic DNS And NAT Router/Firewalls ........................................................................................................................ A And CNAME Records ................................................................................................................183 Configuring A Caching Nameserver.................................................................................182 How To Download and Install The BIND Packages ........................................................... 197 What Is DNS?........198 Dynamic DNS Prerequisites.........................................................................................................176 Configure The Share In SWAT ...............................................................................................................................................................................................................181 What Is BIND?...............................................................................................................................................192 Make Sure Your /etc/hosts File Is Correctly Updated...........................................................................................................................................................................................................173 Adding The Printer To Linux........................184 Configuring The Zone Files .........................................................................................182 The /etc/resolv...................................................................................188 Sample Reverse Zone File .................................................................................176 Create The Directory And User Group ................................179 Not Prompted For Password Method............................................................................178 Test Your Windows Client Configuration.....197 What Is Dynamic DNS? ............199 The /etc/ez-ipupdate.......... 181 What Is DNS?....192 Configure Your Firewall...............................................................................................194 Chapter 18.......................178 Prompted For Password Method ....................................................................................conf File..........................................................................................................................................................................................................................................179 Using The smbmount Command Method.................................................................................................................179 Chapter 17................................187 Sample Forward Zone File ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................184 Configuring named..............................................................................................................................177 Windows 2000 ............................................................. 197 Dynamic DNS............................................................185 NS................................................................................................................182 When To Use Dynamic DNS.............................Table Of Contents vii Adding A Printer To A Samba PDC ..........................................................200 ez-ipupdate And NAT .......................................................................................................... MX.............................................................184 Configuring A Regular Nameserver ..........................................................................................conf File...............173 Make Samba Aware Of The Printer .........................................................................199 Update Your DNS Registration ..................................................................................................182 How To Get BIND Started ..........................................................................................................................................200 ...................................................................................................................................................................................................199 Sign Up With A DDNS Provider ...................176 Map The Directory Using “My Computer”..........................................177 Windows Drive Sharing With Your SAMBA Server .......................................................................................................................189 What You Need To Know About NAT And DNS ...192 Fix Your Domain Registration ....................................................................................................................................177 Windows 98/ME ............................................................................................175 Creating Group Shares in SAMBA ..........................................................................................................................................................................................................................193 DHCP Considerations For DNS...................................................................................178 Create A ZIP Drive Mount Point On Your Samba Server .......................................................................................

..............................conf File...............................................................223 Errors When Restarting sendmail.....................................................................224 The /var/log/maillog File ...........................................................................................................................................................................mc File ..................0..........................223 Errors With The Newaliases Command.........................................conf files .............................................................................................................................218 Webalizer ....................................................................................................206 A Note On Virtual Hosting And DNS ............210 How To Protect Web Page Directories With Passwords .................................................................................212 Incompatible /etc/httpd/conf/http...............................................................216 RedHat Version 8.......................................222 Installing And Starting Sendmail....................................................218 Make Webalizer run in Quiet Mode .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................209 Apache Running On A Server Behind A Firewall........................................................................................................................................................................................................ 203 The Apache Web Server ....................................................................................................................................................................................................................................................................................................................................................224 Why Sendmail Only Listens On The Loopback Interface By Default ....................................204 Named Virtual Hosting ..........................................................................................................................201 Testing Your Dynamic DNS ...............................................................................208 Compression Configuration Example ..................................................................................................217 Using MRTG To Monitor Other Subsystems ................218 How To View Your Webalizer Statistics .............. 203 Download and Install The Apache Package ..................205 A Note On Virtual Hosting And SSL.........................................215 What is MRTG?............................................................................................................................................................................................................206 Use Wild Cards Sparingly..............................................................................................................................................................................................................................com Installing And Using DDclient........................................................215 Configuring MRTG ..........................................................................................200 The /etc/ddclient..................................................................................................202 Chapter 19..........................................................204 Configuring DNS For Apache.........212 Chapter 20.......................................................................206 Configuration – Multiple Sites And IP Addresses........................213 SNMP on a Linux Server .....................................................................210 Issues When Upgrading To Apache 2...................................................................................213 MRTG .........................................................................................................................224 The /etc/mail/sendmail..............................................................................................................218 What Is Webalizer?.........222 Restart Sendmail After Editing Your Configuration Files ................................................................... 221 Configuring Sendmail ................................................................................................................................................................... 213 SNMP..........................................................................................................................................viii www.....................................................................................................................................................................................................................................223 Errors With The m4 Command ............................................................................................................ 221 Configuring Linux Mail Servers ..........................................................................................................215 Download and Install The MRTG Packages ................................................................................221 An Overview Of How Sendmail Works ............................................................................................................... 213 Monitoring Server Performance ......linuxhomenetworking........0 and Indexmaker......................................210 File Permissions And Apache .202 Testing Port Forwarding............................................................................................................................................................................................205 Disabling SSL – (Not Recommended) ...........205 IP Based Virtual Hosting .............................................................................................................................................................................................................................................................................................................218 The Webalizer Configuration File ..............................................................218 Chapter 21..........204 General Configuration Steps ..................................................................................................224 ...208 Using Data Compression On Web Pages .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................221 Configuring DNS .....................................................................203 How To Get Apache Started ......................................................................................................................................213 What is SNMP? .......

............................................................................ 251 Configuring Cisco PIX Firewalls....................................................................................0.......... 245 What is NTP?.......................................243 Chapter 23.............................................................................................252 ......................................247 Determining If NTP Is Synchronized Properly ................................251 Accessing the PIX command line ..........................................................................................................................................................................................................................229 The /etc/mail/local-host-names File...................................................................................240 Upgrading Your DHCP Server ........................................................mc File.......................................243 Configuring Linux clients to use DHCP .......................243 Error Found When Upgrading From Redhat 7.....................................230 The /etc/mail/virtusertable file ...................................249 Chapter 24.............................................................................................................................................................................................................................................................................................................................................................................mc To Make Sendmail Listen On NICs Too.................................................................................................................................................................226 A General Guide To Using The sendmail......................232 An Important Note About The /etc/aliases File ...............................................................................................................225 Restart sendmail to load the new configuration .........................................225 Regenerate The sendmail.........................242 Temporary solution .......................................................................................................................................................................242 Modify Your Routes for DHCP on Linux Server ............231 Simple Mailing Lists Using Aliases....................241 How to get DHCP started .....................................................................................................................................................246 The /etc/ntp......................................................................................235 Configuring Your POP Mail Server..........................234 Other Masquerading Notes ....................................237 Chapter 22......................................................conf File............................................................................... 239 Configuring The DHCP Server ...........................245 Download and Install The NTP Package.....................................227 The /etc/mail/relay-domains File............................................................................................................................233 Configuring masquerading.....................242 Permanent Solution ................................................................................... .......................................................................................................................248 Cisco IOS ...............................................................230 Which User Should Really Receive The Mail? ..................................234 A Simple PERL Script To Help Stop SPAM....................................................................................................... 239 Download and Install The DHCP Package .........................................................................................................................................................................................252 Via The Console Port ..................................................................................................................................................................................................................................................................................3 To 8.........233 Sendmail Masquerading Explained........................................................................................................................................236 How To Configure Your Windows Mail Programs.........conf File ..................................................................................................................................................................................................................cf File..................................................................................................................................................................................................... 251 Network Address Translation (NAT) .....239 The /etc/dhcp..............................................................................................237 How to handle overlapping email addresses............................................................................................................................................................................233 Testing Masquerading............................................248 Configuring Cisco Devices To Use An NTP Server.................................................................226 The /etc/hosts File........................................................................................................................................................................................................................228 The /etc/mail/access File ............................248 CAT OS ....................Table Of Contents ix Edit /etc/mail/sendmail.......................................................................................236 Configuring Your POP Mail Server......................................................................................................................................................................................................................................................................................................................................... 245 The NTP Server ....................................................................................231 The /etc/aliases File............235 Installing Your POP Mail Server ...............................227 Symptoms Of A Bad /etc/hosts File................................................................................................................................................................................................................226 Now Make Sure Sendmail Is Listening On All Interfaces.......................................................................................................................................................................................................................................249 Firewalls and NTP....................................................................................................................................................................................................246 How To Get NTP Started ..............................................................................................................252 Via Telnet ............................................................................................................

............................................................................................................................................................................................270 Transport mode VPNs.......................................................x www...............................................................274 Running Linux Without A Monitor .................................................linuxhomenetworking..................................................... 269 Miscellaneous Topics...............................................................................................................260 DSL Router With Built-In Modem ......................................................................................................................................................273 Types Of Dial Up VPN Authentication .............................................................272 Public key cryptography using RSA encryption..............................................270 IPSec ...........................Static IPs ...........267 Appendix I .271 Internet Key Exchange (IKE)..............................................................271 IKE authentication methods........271 Tunnel mode AH packet format ...............................266 Commonly Used TCP And UDP Ports.......................................................Static IP .............................................................................................................254 Sample PIX configuration: DSL ..........................DHCP...Static IP ........................................................................................................................................................................................................................................................................................................275 Preparing To Go “Headless” ..............................................................................................................................................271 Tunnel mode AH / ESP packet format...277 ...............................................................253 NAT Configuration ..........................................................................................273 Shared keys .............................................................................................................................270 Authentication Header (AH).........271 Authentication methods.....................................................................................275 Configuration Steps ..................................................................................................................................................................................................................................................................264 Other NAT Topics ....................270 Transport mode AH / ESP packet format ................................................................................................. 257 Configuring Cisco DSL Routers .....................................................................................................................258 Sample Configurations..................................................................................273 VPN User Authentication Methods For Temporary Connections .................................................................................................................................................................................................................................... 257 An Introduction to Network Address Translation (NAT) ............270 Encapsulating Security Protocol (ESP) ........................................................................273 Transforms ........................258 Introduction to accessing the router command line .............................266 How To Verify That NAT Is Working Correctly ........................................................................................................................................... 269 VPN Terminologies.............................................................................273 VPN Security And Firewalls............................................................................................................................................................................254 Dynamic DNS Port Forwarding Entries ...................270 Transport mode AH packet format ...........................................................................258 Via The Console Port ..............................................................................................................................................DHCP......................................................................................................................253 Configuring PPPoE................258 Via Telnet ...................272 IKE's role in creating Security Associations ..................................................255 Chapter 25...............................................................................................................................................................................................................................................................262 DSL Router With External Modem ..........................................................................................................................................................................277 Configuration Steps ...................................................................................................................................269 Authentication ...............................................................................272 Shared keys ............................................................................................................................com Sample PIX Configuration: DSL ..............................260 DSL Router With Built-In Modem ....................................................................................................275 Make Your Linux Box Emulate A VT100 Dumb Terminal.....................................................................................................270 Tunnel mode VPNs......................................................................254 How To Get Static IPs For DSL Cheaply ...................................273 IKE and ISAKMP.........................................................................................................255 Incoming Connections NAT Configuration .........................................................................................................................................................................................................................................................................................................................................................................................................................................271 Encryption methods ............................................................................................................................................................................................................................................................................266 How To Troubleshoot NAT ..........................................................................................................................................................................................................................................255 Outgoing Connections NAT Configuration .................................................................................................269 Encryption .....................................................................................................................................................................................................................................................

..................................................................................................................mc File ..................................................................................................................................................................................................................................................................................305 DNS Zone File For my-site....................................................................................................................................................................................................................................................................................................................................................................................................334 Cisco Router Configuration Examples...........................................326 ICMP Codes..............................................................................................................................284 What Is A Partition? ...............................................................................................................................................................................................280 Catalyst CAT Switches running CATOS...............................................................................................................................................................................................................................................................289 Contents Of The TCP Header.......................296 Sendmail SPAM Filter Script ............................................................DHCP DSL Configuration................................................................................................................283 Disk Partitioning Explained......................................................Static DSL Configuration....com ............................................................................................................................287 What Can I Do When I Run Out Of Disk Space?.........................................................................................................290 Contents Of The UDP Header .................................................................................................................................................282 The Sample Cisco syslog...........................................................................284 What Is A Filesystem?.........................................................334 ...................... Also Known As "root"...............................................................298 IPtables FTP Client...................323 Sendmail Sample /etc/mail/sendmail..............................................................................................................................................................................................................................................285 Some Recommended Partition Sizes ........ 293 Codes..........................................285 /boot ........................................................................................................................................................................................................................ Scripts and Configurations .....................................................324 Sendmail Sample /etc/mail/virtusertable File...........329 Cisco PIX Firewall ...............................304 IPtables NTP Server...............................................................................................................................................................................................334 Cisco PIX Firewall Configuration Examples............................................320 Sendmail Sample /etc/mail/access File ......................................................................................285 swap.................................................................305 IPtables Complex script ................................................................................290 Appendix II..................................................................................................................................................................................................................................................................................................................................................................................................................282 Cisco CSS11000 (Arrowpoints) ...........................................................................................................330 Appendix III..........284 What Partitions Are Mandatory?............................................. 333 Wireless Linux ...............................................................................................298 The mail-filter Script........................................................................................................294 Apache File Permissions Script ........................303 IPtables FTP Server .........................320 Reverse Zone File For A Home Network Using NAT .....288 The Seven OSI Layers .....................................................................................................................................................................................................................322 Sendmail Sample /etc/aliases File .............................................................................................reject File........................... 293 Subnet Calculator Script ...........................................................accept File.........................298 The mail-filter................................................................................com ............................................................................................conf File ..........................288 TCP/IP Packet Format ..........................................................286 How Much Space Do I Have On My Partitions?........................................................................285 Recommended Sizes For Disk Partitions..........................Table Of Contents xi Syslog Configuration and Cisco Devices .........................................................................................................................................................................327 Cisco PIX Firewall ......................................................................................................................................................................................................................................284 How Linux Links Filesystems And Partitions .........................289 Contents Of The IP Header .................................................................................................280 Cisco Routers ............319 Forward Zone File For A Home Network Using NAT .............................................................................297 The mail-filter....................................285 "/"........................................................................................................................................................................................................................................................287 The OSI Networking Model ...................................................................................................................................................280 Cisco PIX Filewalls .............................................319 DNS Zone File For my-other-site........................................................................................................................................ 333 Bibliography .........................280 Cisco Local Director.....................................................................................322 Sendmail Sample /etc/mail/local-host-names File .......

..........................................................................................................................................................................................................337 POP Mail Server ............................................................337 Static DNS.................................................338 Disk Partitioning ....................................................................................337 NTP Server .................................................................................................................................Linux as a Windows File Server ...............................................335 SSH Servers and SSH Clients.........................................................................................................................................................................................................................................335 General Home Networking Resource Pages..........336 DHCP Server ..............................338 General Linux Resource Pages ...336 Apache Web Server Software...........339 .........................................................................................................xii www..............................................................................................................................................................................................................................................................................Hosting Your Website at Home .......................336 Dynamic DNS ....................iptables Configuration .......................................................................................339 Network Monitoring.......................................................................................................336 FTP Server and FTP Clients .................................................................................................................................................................................................................339 My Other Sites......................................................................338 Samba ...........................................................................................................................................................................................................................com Netfilter ........................336 Sendmail Mail Configuration .......................335 The Windows SCP client called WinSCP...................................................................................................linuxhomenetworking.

Table Of Contents xiii .

linuxhomenetworking.xiv www.com .

.15 Chapter 1 Adding Linux Users =========================================== In This Chapter Chapter 1 Adding Linux Users Who Is The Super User? How To Add Users How To Change Passwords How To Delete Users How To Tell The Groups To Which A User Belongs © Peter Harrison. Who Is The Super User? The super user with unrestricted access to all system resources and files is the user named "root". "children" and "soho". www. You will need to log in as user root to add new users to your Linux box How To Add Users Adding users takes some planning. A more detailed description of the process is beyond the focus of this book. read through the steps below before starting: • Arrange your list of users into groups by function. I have included some simple examples to provide a foundation for future chapters.com =========================================== One of the most important activities in administering a Linux box is the addition of users.linuxhomenetworking. In this example there are three groups "parents". You may use the command “man useradd” to get the help pages on adding users with the useradd command or the “man usermod” to become more familiar with modifying users with the usermod command.

com Parents Paul Jane • Children Alice Derek Soho Accounts Sales Add the Linux groups to your server: [root@bigboy tmp]# groupadd parents [root@bigboy tmp]# groupadd children [root@bigboy tmp]# groupadd soho • Add the Linux users.linuxhomenetworking. they will be prompted for their new permanent password. RedHat Linux will create a group with the same name as the user you just created. You will be prompted once for your old password and twice for the new one. New password: Retype new password: . This is done with the "passwd" command. The directory name will be the same as their user name.16 www. • User "root" changing the password for user "paul" [root@bigboy root]# passwd paul Changing password for user paul. • Each user's personal directory will be placed in the /home directory. When each new user first logs in. [root@bigboy tmp]# ll /home drwxr-xr-x 2 root root drwx-----2 accounts soho drwx-----2 alice children drwx-----2 derek children drwx-----2 jane parents drwx-----2 paul parents drwx-----2 sales soho [root@bigboy tmp]# ll /home 12288 1024 1024 1024 1024 1024 1024 Jul Jul Jul Jul Jul Jul Jul 24 24 24 24 24 24 24 20:04 20:33 20:33 20:33 20:33 20:33 20:33 lost+found accounts alice derek jane paul sales How To Change Passwords You’ll need to create passwords for each account. assign them to their respective groups [root@bigboy [root@bigboy [root@bigboy [root@bigboy [root@bigboy [root@bigboy tmp]# tmp]# tmp]# tmp]# tmp]# tmp]# useradd useradd useradd useradd useradd useradd -g -g -g -g -g -g parents parents children children soho soho paul jane derek alice accounts sales If you don't specify the group with the "-g".

Here is how unprivileged user "paul" would change his own password.Chapter 1 : Adding Linux Users 17 passwd: all authentication tokens updated successfully. New password: your new password Re-enter new password: your new password Password changed. [root@bigboy root]# • Users may wish to change their passwords at a future date. [paul@bigboy paul]$ How To Delete Users • The userdel command is used. maximum of 8 characters) Please use a combination of upper and lower case letters and numbers. The "-r" flag removes all the contents of the user's home directory [root@bigboy tmp]# userdel -r paul How To Tell The Groups To Which A User Belongs • Use the "groups" command with the username as the argument [root@bigboy root]# groups paul paul : parents [root@bigboy root]# . [paul@bigboy paul]$ passwd Changing password for paul Old password: your current password Enter the new password (minimum of 5.

com .linuxhomenetworking.18 www.

What is sudo? • Sudo is a command that allows users defined in the /etc/sudoers configuration file to have temporary root access to run certain privileged commands. • When running the command you will be prompted for your regular password before it is executed.linuxhomenetworking. here's how. www.com =========================================== You can give selected users temporary "root" privileges using the "sudo" command. • The command you want to run must first begin with the word "sudo" followed by the regular command syntax.Chapter 1 : Adding Linux Users 19 Chapter 2 Using Sudo =========================================== In This Chapter Chapter 2 Using Sudo What is sudo? Download and Install The sudo Package The visudo Command The /etc/sudoers File How To Use sudo Using syslog To Track All sudo Commands © Peter Harrison. .

com • You may run other privileged commands using sudo within a five minute period without being reprompted for a password • All commands run as sudo are logged in the log file /var/log/messages Download and Install The sudo Package Fortunately the package is installed by default by RedHat The visudo Command • "visudo" is the command used to edit the /etc/sudoers configuration file.20 www. It is not recommended that you use any other editor to modify your sudo parameters. If you run out of space on a line. The NOPASSWD keyword provides access without you being prompted for your password Simple Examples o Users "paul" and "mary" have full access to all privileged commands paul. Spaces are considered part of the command. • "visudo" is best run as user "root" The /etc/sudoers File General Guidelines o The /etc/sudoers file has the general format: usernames/group o o o o o o o target-servername = command Groups are the same as user groups and are differentiated from regular users by a % at the beginning The "#" at the beginning of a line signifies a comment line You can have multiple usernames per line separated by commas Multiple commands can be separated by commas too. mary ALL=(ALL) ALL . groups.linuxhomenetworking. The keyword "ALL" can mean all usernames. commands and servers. you can end it with a "\" and continue on the next line. "visudo" uses the same commands as the "vi" text editor.

user "paul" attempts to view the contents of the /etc/sudoers file [paul@bigboy paul]$ more /etc/sudoers /etc/sudoers: Permission denied [paul@bigboy paul]$ • Paul tries again using sudo and his regular user password and is successful [paul@bigboy paul]$ sudo more /etc/sudoers Password: . Here is sample output from the above example. [root@bigboy tmp]# grep sudo /var/log/messages Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure. COMMAND=/bin/more sudoers [root@bigboy tmp]# .. . . [paul@bigboy paul]$ Using syslog To Track All sudo Commands All sudo commands are logged in the log file /var/log/messages.Chapter 2 : Using Sudo 21 o Users with a groupid of "operator" has full access to all commands and won't be prompted for a password when doing so. %operator ALL=(ALL) NOPASSWD: ALL How To Use sudo • In this example. logname=paul uid=0 euid=0 tty=pts/0 ruser= rhost= user=paul Nov 18 22:51:25 bigboy sudo: paul : TTY=pts/0 . PWD=/etc ...... USER=root .

com .22 www.linuxhomenetworking.

Where To Get Commonly Used RPMs Here are three commonly used sources for RPMs: . www. and source RPMs for non standard installations.com =========================================== A lot of Linux system software is available using RPM packages for default Linux installs. thereby making life easier for the software developer who wrote the package. they more easily installed across a wide variety of Linux flavors.linuxhomenetworking. As the procedure for installing source RPMs involves compiling source code.23 Chapter 3 Installing RPM Software =========================================== In This Chapter Chapter 3 Installing RPM Software Where To Get Commonly Used RPMs How to Easily Access CD RPMs With Automount Downloading RPMS To Your Linux Box Getting RPMs Using Web Based FTP Getting RPMs Using Command Line Anonymous FTP How To Install The RPMs How to Install Source RPMs How To List Installed RPMs How Uninstall RPMs RedHat Up2date © Peter Harrison.

rpmfind. FTP downloading it’ll be explained later.7-33 [root@bigboy tmp]# • You can then ensure that it runs when the system boots using the chkconfig command. [root@bigboy tmp]# chkconfig --level 345 autofs on [root@bigboy tmp]# .net/ How to Easily Access CD RPMs With Automount Using the Linux installation CDs is usually easier. RPMs Downloaded From Redhat Advanced searches for all versions of RedHat can be done using this web link: http://www.com. ftp.24 www. Always remember to select the RPM that matches your version of Linux http://speakeasy. A good general purpose source is RPMfind. don’t worry. start your search in the /pub/redhat/linux/ directory and move down the directory tree.redhat. This will make your Linux system act more like Windows. You can check this using the following commands.com/apps/download/advanced_search. though you run the risk of some of the packages being obsolete due to newer releases on the RedHat website. It is usually simplest to configure your system to Automount your CDROM.html RedHat also has a highly used FTP site. This makes the files on it immediately accessible whenever you access it without having to use the "mount" command. See the section about using Automount to easily access your CDROM drive to obtain RPM files. • Autofs is the package that supports Automount is installed by default with newer versions of RedHat Linux.linuxhomenetworking. If you’re new to FTP.redhat. [root@bigboy tmp]# rpm -qa | grep autofs autofs-3.1. RPMs Downloaded From Speakeasy RedHat only has their approved software on their site.com RPMs On Your Installation CDs This is usually easier than having to download files from a remote website.

Chapter 3 : Installing RPM Software

25

• There are two automount configuration files in /etc, one called auto.master and the other called auto.misc. My auto.master looks like this: /misc /etc/auto.misc --timeout 60

The default version of this file normally has this line commented out so you’ll have to remove the "#" at the beginning of the line for the configuration to take effect when autofs is restarted. The first entry is not the mount point. It's where the set of autofs mount points will be. The second entry is a reference to the default map file /etc/auto.misc and the third option says that the mounted filesystems can try to unmount themselves 60 seconds after use. • You can create mount points for each of your removable devices, "floppy", "cdrom" and "zip" with the following commands. [root@bigboy [root@bigboy [root@bigboy [root@bigboy total 3 drwxr-xr-x 2 drwxr-xr-x 2 drwxr-xr-x 2 [root@bigboy tmp]# tmp]# tmp]# tmp]# mkdir /misc/cdrom mkdir /misc/floppy mkdir /misc/zip ll /misc

root root 1024 Nov 10 16:06 cdrom root root 1024 Nov 10 16:06 floppy root root 1024 Nov 10 16:06 zip tmp]#

• Edit your auto.misc file to include the CDROM. It should have an entry like this. cdrom -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom You'll find other entries such as "floppy" and "zip" commented out with a "#". If you need them, just delete the "#". The first column (the "key") is the mount point under directory /misc, so in this case you'll be doing auto mounting when you access /misc/cdrom. • Restart autofs. [root@bigboy /tmp]# /etc/init.d/autofs restart Stopping automount:[ OK ] Starting automount:[ OK ] [root@bigboy /tmp]#

Downloading RPMS To Your Linux Box
For casual searching and installing, I recommend using the http links above. If you are doing industrial strength stuff, then use a real FTP client such as (WSFTP or CuteFTP for GUI) or the command line.

26

www.linuxhomenetworking.com

Getting RPMs Using Web Based FTP
Let’s say you are running RedHat 8.0 and need to download an RPM for the DHCP server.

RedHat
• • • • • • • Use your web browser to go to the RedHat link above Type in dhcp in the search box Click the search button Scroll down for the RPM you need for the DHCP server Click on the appropriate "download" link Click on the FTP link Save the file to Linux box's hard drive

Speakeasy
• • • • • • • Go to the Speakeasy link Type in dhcp in the search box Click the search button Scroll down for the RPM that matches your version of RedHat The right hand column has the links with the actual names of the rpm files Click the link Save the file to Linux box's hard drive

It is best to download RPMs to a directory named "RPM", so you can find them later.

Getting RPMs Using Command Line Anonymous FTP
The Web based method above transparently uses anonymous File Transfer Protocol (FTP). Anonymous FTP allows you to log in and download files from a FTP server using the username “anonymous” and a password that matches your email address. This way anyone can access the data. • Let's try to FTP the SSH package from ftp.redhat.com [root@bigboy tmp]# ftp ftp.redhat.com Trying 66.77.185.38... Connected to ftp.redhat.com (66.77.185.38).

Chapter 3 : Installing RPM Software

27

220 Red Hat FTP server ready. All transfers are logged. Name (ftp.redhat.com:root): anonymous 331 Please specify the password. Password: 230 Login successful. Have fun. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (66,77,185,38,50,122) 150 Here comes the directory listing. drwxr-xr-x 5 0 0 4096 Jun 09 04:20 pub 226 Directory send OK. ftp> • Let's see the available help commands ftp> help Commands may be abbreviated. Commands are: ! $ account append ascii bell binary bye case cd cdup chmod close cr delete ftp> • The commands you'll most likely use are: FTP Commands Command binary cd dir exit Description Copy files in binary mode Change directory on the FTP server List the names of the files in the current remote directory Bye bye debug dir disconnect exit form get glob hash help idle image lcd ls macdef Mdelete mdir mget mkdir mls mode modtime mput newer nmap nlist ntrans open prompt passive proxy sendport put pwd quit quote recv reget rstatus rhelp rename reset restart rmdir runique send site size status struct system sunique tenex tick trace type user umask verbose ?

28

www.linuxhomenetworking.com

Command get lcd ls mget mput passive put pwd

Description Get a file from the FTP server Change the directory on the local machine Same as dir Same as get, but you can use wildcards like "*" Same as put, but you can use wildcards like "*" Make the file transfer passive mode Put a file from the local machine onto the FTP server Give the directory name on the local machine

• By using the search feature on the website ahead of time, I know that the RedHat 8.0RPMs are located in the pub/redhat/linux/8.0/en/os/i386/RedHat/RPMS directory. ftp> cd pub/redhat/linux/8.0/en/os/i386/RedHat/RPMS 250 Directory successfully changed. ftp> ls open* 227 Entering Passive Mode (66,77,185,38,45,180) 150 Here comes the directory listing. -rw-r--r-- 1 0 0 11191 Sep 03 21:32 open-1.4-16.i386.rpm -rw-r--r-- 1 0 0 2006950 Sep 03 21:32 openh323-1.9.3-4.i386.rpm -rw-r--r-- 1 0 0 256971 Sep 03 21:32 openh323-devel-1.9.3-4.i386.rpm ... ... -rw-r--r-- 1 0 0 217326 Sep 03 21:33 openssh-3.4p1-2.i386.rpm ... ... 226 Directory send OK. ftp> • Get the file we need and place it in the local directory /usr/rpm. Also print "#" hash signs on the screen during the download. ftp> hash Hash mark printing on (1024 bytes/hash mark). ftp> lcd /usr/rpm Local directory now /usr/rpm ftp> ftp> get openssh-3.4p1-2.i386.rpm local: openssh-3.4p1-2.i386.rpm remote: openssh-3.4p1-2.i386.rpm 227 Entering Passive Mode (66,77,185,38,57,102) 150 Opening BINARY mode data connection for openssh-3.4p1-2.i386.rpm (217326 bytes). ##################################################################### #####################################################################

Chapter 3 : Installing RPM Software

29

#################################################################### 226 File send OK. 217326 bytes received in 87.7 secs (2.4 Kbytes/sec) ftp> • Bye bye ftp> exit 221 Goodbye. [root@bigboy tmp]#

How To Install The RPMs
Using Downloaded Files
• • Download the source RPMs which usually have a file extension ending with (.rpm) into a temporary directory such as /tmp As user root, issue the following command: [root@bigboy tmp]# rpm -Uvh filename.rpm

Using CDROMs
• Insert the CDROM and check the files in /misc/cdrom/RedHat/RPMS [root@bigboy tmp]# cd /misc/cdrom/RedHat/RPMS [root@bigboy RPMS]# ls filename* filename.rpm [root@bigboy RPMS]# rpm -Uvh filename.rpm • When finished, eject the CDROM [root@bigboy RPMS]# cd /tmp [root@bigboy tmp]# eject cdrom [root@bigboy tmp]#

How to Install Source RPMs
Sometimes the packages you want to install need to be compiled in order to match your kernel version. This requires you to use source RPM files. • Download the source RPMs or locate them on your CD collection. They usually have a file extension ending with (.src.rpm)

30

www.linuxhomenetworking.com

• Run the following commands as root:

Newer Linux Versions
Compiling and installing source RPMs with newer RedHat Linux versions can be done simply with the rpmbuild command

[root@bigboy tmp]# rpmbuild --rebuild filename.src.rpm

o

Here is an example in which we install the tacacs plus package. [root@bigboy rpm]# rpmbuild --rebuild tac_plus-4.0.3-2.src.rpm Installing tac_plus-4.0.3-2.src.rpm Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.61594 + umask 022 + cd /usr/src/redhat/BUILD + cd /usr/src/redhat/BUILD + rm -rf tac_plus-4.0.3 + /usr/bin/gzip -dc /usr/src/redhat/SOURCES/tac_plus-4.0.3.tgz + tar -xvvf drwxr-xr-x nsen/25 0 1999-08-04 00:33:15 tac_plus-4.0.3/ -rw-r----- root/root 9029 1999-04-02 22:03:45 tac_plus4.0.3/CHANGES ... ... ... ... ... ... Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/tacacsd Wrote: /usr/src/redhat/RPMS/i386/tac_plus-4.0.3-2.i386.rpm Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.60207 + umask 022 + cd /usr/src/redhat/BUILD + cd tac_plus-4.0.3 + rm -rf /var/tmp/tacacsd + exit 0 Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.60207 + umask 022 + cd /usr/src/redhat/BUILD + rm -rf tac_plus-4.0.3 + exit 0 [root@bigboy rpm]#

o

Here we see that the regular RPM file, not the source RPM, has been installed correctly. [root@bigboy rpm]# rpm -qa | grep tac_plus tac_plus-4.0.3-2 [root@bigboy rpm]#

4p1-2 openssh-clients-3. [root@bigboy [root@bigboy [root@bigboy [root@bigboy [root@bigboy tmp]# rpm -Uvh filename. You then have to install the new RPM file from this directory.2.4-9 e2fsprogs-1.src.rpm o How To List Installed RPMs • The rpm –qa command will list all the packages installed on your system [root@bigboy tmp]# rpm –qa perl-Storable-1. regardless of case (“-i” meaning ignore case) [root@bigboy tmp]# rpm -qa | grep -i ssh openssh-server-3.2-7 audiofile-0.14-15 smpeg-gtv-0.4p1-2 openssh-askpass-gnome-3.4p1-2 openssh-3.4.4p1-2 [root@bigboy tmp]# .3-3 … … … [root@bigboy tmp]# • You can also pipe the output of this command through the grep command if you are interested in only a specific package. o o The source files are first exported into the directory /usr/src/redhat/SPECS with the rpm command.rpm SPECS]# cd /usr/src/redhat/SPECS SPECS]# rpm –ba filename tmp]# cd /usr/src/redhat/RPM/i386 i386]# rpm -Uvh filename. You then have to run the rpm command again to compile the source files into a regular RPM file which will be placed in either the /usr/src/packages/RPMS/i386/ or the /usr/src/redhat/RPMS/i386/ directories.Chapter 3 : Installing RPM Software 31 Older Linux Versions The process is more complicated with older RedHat Linux versions as can be seen below.0.27-9 libstdc++-3.4p1-2 openssh-askpass-3. In this example we are looking for all packages containing the string “ssh” in the name.

linuxhomenetworking. Without it. run the following as root: rpm --import /usr/share/rhn/RPM-GPG-KEY [root@bigboy tmp]# • Issue the rpm command to get the keys [root@bigboy tmp]# rpm --import /usr/share/rhn/RPM-GPG-KEY [root@bigboy tmp]# . It will prompt you to change the initial settings. debug No 1. To install the key.com How Uninstall RPMs • The rpm –e command will erase an installed package. The package name given must match that listed in the rpm –qa command as the version of the package is important. depslist [] … … … Enter number of item to edit <return to exit. q to quit without saving>: Your GPG keyring does not contain the Red Hat. isatty Yes 2. Here’s what to do: • After installing the operating system issue the up2date command. Inc. [root@bigboy tmp]# up2date 0. Just quit by typing “q” and up2date will give you the command to run to get the encryption keys from RedHat. [root@bigboy tmp]# rpm –e package-name RedHat Up2date RedHat has a program called up2date which will update your Linux installation with the latest revisions of the RPMs from the RedHat website via a HTTPS/SSL connection running in the background. you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.32 www. public key. Your Update Agent options specify that you want to use GPG.

0Pkg name/pattern [root@bigboy tmp]# .. This is done with the up2date –u command. 1:cups-libs 2:cvs 3:cyrus-sasl … … … ########################################### [100%] ########################################### [100%] ########################################### [100%] The following Packages were marked to be skipped by your configuration: Name Version Rel Reason --------------------------------------------------------------------kernel 2.. ######################################## Fetching Obsoletes list for channel: redhat-linux-i386-8.4...17-0.r ########################## Done.2.0... ######################################## Fetching rpm headers..1. This is what it looks like: [root@bigboy tmp]# up2date -u Fetching package list for channel: redhat-linux-i386-8.18 24..Chapter 3 : Installing RPM Software 33 • Issue the up2date command again and it will prompt you through a number of registration screens which will ask for information such as: o o o The login name & password of your choice Your.. address and email address A profile name for your server • It will then present you with a list of all the packages installed on your server and ask you whether you want to register this software information with RedHat • The up2date updater will then register your system and exit back to the command prompt. ######################################## cups-libs-1.8.i386.. • Now you have to actually update the software using up2date.0. … … … Preparing ########################################### [100%] Installing. name. ####################################### Testing package set / solving RPM inter-dependencies.

redhat. Here is a sample script that you can run weekly using cron #!/bin/sh # # Updates system every week # up2date -p up2date -u o . All additional profiles under the login name have an annual fee. up2date uses HTTPS/SSL to do its updating. The “–u” switch will update all packages and the “-p” will register any additional packages you have installed without using up2date.linuxhomenetworking.com Some Necessary Facts About up2date o o You can update your contact information afterwards using the link http://www. You can write a small script to periodically update your system. You can selectively update the package mentioned in each email using the command: [root@bigboy tmp]# up2date package-name o o o o Only one profile per login name is free. you will need TCP port 443 access to the internet Updating packages could cause programs written by you to stop functioning especially if they rely on the older version’s features or syntax. Some RPMs won’t install unless other RPMs have been installed previously. up2date automatically figures out these package inter-dependencies and will install all the required foundation packages as well.34 www.com/network RedHat will regularly send you emails with the packages you need to update. If you have a firewall protecting your system.

Chapter 3 : Installing RPM Software 35 .

com .36 www.linuxhomenetworking.

The RedHat Boot Sequence When RedHat boots. This stage is known as “single user mode”.d/rc1.37 Chapter 4 The Linux Boot Process =========================================== In This Chapter Chapter 4 The Linux Boot Process The RedHat Boot Sequence Determining The Default Boot runlevel Get A GUI Console Get A Basic Text Terminal Without Exiting The GUI System Shutdown And Rebooting How To Set Which Programs Run At Each runlevel © Peter Harrison. These are listed below. You can alter it to change the type of login screen you get and also which programs get started.com =========================================== The way Linux boots up is very important information to know.d. www. the boot process will run scripts in only one of the other directories depending on the startup mode (aka.d which provides only the most basic functionality and the ability to only handle a single user. After completing this first phase. run level). The boot process first runs the scripts found in /etc/rc.linuxhomenetworking. . the boot process will run a number of scripts located in subdirectories under directory /etc/rc.

if you do not have networking) # 3 .d /etc/rc.d Run Level Description Halt Single-user mode Not used (user-definable) Full multi-user mode (No GUI interface) Not used (user-definable) Full multi-user mode (With GUI interface) Reboot Determining The Default Boot runlevel The default boot runlevel is set in the file /etc/inittab with the "initdefault" variable. Get A GUI Console You have two main options if your system comes up in a text terminal mode on the VGA console and you want to get the GUI: • Manual Method: You can start the X terminal GUI application each time you need it by running the “startx” command at the VGA console.d/rc1.d /etc/rc.d /etc/rc. Here is a sample snippet of the file: (Delete the initdefault line you don't need) # Default runlevel.d/rc4.Single user mode # 2 .d/rc3.d /etc/rc.d /etc/rc.unused # 5 . The runlevels used by RHS are: # 0 .d/rc6.reboot (Do NOT set initdefault to this) # id:3:initdefault: # Console Text Mode id:5:initdefault: # Console GUI Mode • Most home users boot up with a Windows like GUI (Run Level 5) • Most techies will tend to boot up with a plain text based command line type interface (Run level 3) • Changing "initdefault" from 3 to 5 or vice-versa will only have an effect upon your next reboot. you get the GUI.38 www.com Mode/Run Level 0 1 2 3 4 5 6 Directory /etc/rc. the system boots up with the text interface on the VGA console.d/rc5. when set to “5”.halt (Do NOT set initdefault to this) # 1 . Remember that when you log out you will get the regular text based console again.d /etc/rc.Full multiuser mode # 4 . See the section below on how to get a GUI login all the time until the next reboot.d/rc2.X11 # 6 . without NFS (The same as 3. .Multiuser. When set it to “3”.linuxhomenetworking.d/rc0.

o o o Sessions one through six are text sessions. Click on Systems Tools.Chapter 4 : The Linux Boot Process [root@bigboy tmp]# startx • Automatic Method: You can have Linux automatically start the X terminal GUI console for every login attempt until your next reboot by using the init command. You can step through each text session by using the <CTL> <ALT> <F1> through <F6> key sequence. You'll get a new login prompt for each attempt. You can get the GUI login with the sequence <CTL> <ALT> <F7>. You will need to edit your “initdefault” variable in your /etc/inittab file as mentioned in the preceding section to keep this functionality even after you reboot. or if the GUI is running after launching "startx" System Shutdown And Rebooting The "init" command will allow you to change the current runlevel. then Terminal Using Virtual Terminals Linux actually has seven virtual console sessions running on the VGA console. If the GUI is running. only in run level 5. Halt / Shutdown The System [root@bigboy tmp]# init 0 Reboot The System [root@bigboy tmp]# init 6 . it will run under session number seven. [root@bigboy tmp]# init 5 Get A Basic Text Terminal Without Exiting The GUI Using A GUI Terminal Window You can open a GUI based window with a command prompt inside by doing the following: o o Click on the “Red Hat” Start button in the bottom left hand corner of the screen.

d/rc. .com How To Set Which Programs Run At Each runlevel Most RedHat packages place a startup script in the directory /etc/init. Let’s change it so that Sendmail doesn't startup at boot.. • Use this command to get a full listing of packages listed in /etc/init. Here we see Sendmail will start with a regular startup at runlevel 3 or 5...linuxhomenetworking. 5:on 5:on 5:on 5:on 5:on 5:on 5:on 5:on 5:on 5:on 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off 6:off Chkconfig Examples You can use chkconfig to change runlevels for particular packages.d and the runlevels at which they will be "on" or "off" [root@bigboy tmp]# chkconfig --list keytable 0:off 1:on 2:on 3:on 4:on atd 0:off 1:off 2:off 3:on 4:on syslog 0:off 1:off 2:on 3:on 4:on gpm 0:off 1:off 2:on 3:on 4:on kudzu 0:off 1:off 2:off 3:on 4:on wlan 0:off 1:off 2:on 3:on 4:on sendmail 0:off 1:off 2:off 3:on 4:off netfs 0:off 1:off 2:off 3:on 4:on network 0:off 1:off 2:on 3:on 4:on random 0:off 1:off 2:on 3:on 4:on .40 www. Use Chkconfig To Get A Listing Of Sendmail's Current Startup Options [root@bigboy tmp]# chkconfig --list | grep mail sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off [root@bigboy tmp]# Switch Off Sendmail Starting Up In Levels 3 and 5 [root@bigboy tmp]# chkconfig --level 35 sendmail off [root@bigboy tmp]# Doublecheck That Sendmail Will Not Startup [root@bigboy tmp]# chkconfig --list | grep mail sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off [root@bigboy tmp]# ..d and place symbolic links (pointers) to this script in the appropriate /etc/rc.X directory. The typical home/SOHO user doesn't have to be a scripting / symbolic linking guru to make sure everything works right because RedHat comes with a nifty utility called "chkconfig" to do it for you.

d directory. Don't add/remove anything to other runlevels unless you absolutely know what you are doing. it just configures them to be started or ignored when the system boots up. Chkconfig doesn’t start the programs in the /etc/init. . The commands for starting and stopping the programs covered in this book are covered in each respective chapter.Chapter 4 : The Linux Boot Process Turn it back on again [root@bigboy tmp]# chkconfig --level 35 mail on [root@bigboy tmp]# chkconfig --list | grep mail sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off [root@bigboy tmp]# Final Tips On chkconfig • • • In most cases you'll want to modify runlevels 3 and 5 simultaneously AND with the same values. Don't experiment.

42 www.linuxhomenetworking.com .

www. Before you do. Network Diagram .43 Chapter 5 Why Host Your Own Site? =========================================== In This Chapter Chapter 5 Why Host Your Own Site? Network Diagram Alternatives To Home Web Hosting Factors To Consider Before Hosting Yourself How To Migrate From An External Provider © Peter Harrison. you should at least weigh the merits of such a move.linuxhomenetworking.com =========================================== We have assumed you want to host your website in your home or home office using a topology similar to that in the diagram below.

• Upload your web pages to your private virtual hosting directory. You should be able to buy this equipment second hand for about $100. DNS. • Test viewing your site using your IP address in your web browser. The steps are fairly straight forward: • Sign up for the virtual hosting service.com. load balancing. many will also provide an e-commerce feature which will allow you to have a shopping cart and customer loyalty programs. redundant hardware. Factors To Consider Before Hosting Yourself Virtual hosting is the ideal solution for many small websites.com.linuxhomenetworking. For the home based website these are usually not big issues. Availability: Reliable virtual hosting facilities may not be available in your country and/or you may not have access to the foreign currency to host your site abroad. There are a number of reasons why you may want to move your website to your home or small office. A website can be hosted on this data circuit for the only additional hardware cost of a network switch and a web server.44 www. So for a savings of $10 per month the project should pay for itself in less than a year. New Skills: There is also the additional benefit of learning the new skills required to set up the site.com. It takes about 3-4 days for DNS to propagate across the Web.com. The virtual hosting provider will also offer free backups of your site. with companies like Register. You must make sure your new domain name’s DNS records point to the DNS server of the virtual hosting company. . They will provide you with a login name and password. security audits. a number of email addresses and an easy to use web based GUI to manage your settings. Home Based Websites Pros o Cost: It is possible to host a website on most DSL connections. Verisign or RegisterFree. such as www. so you’ll probably have to wait at least that long before you’ll be able to view your site using your domain. For an additional charge. o o Cons o Lost Services: You lose the convenience of many of the services such as backups. technical support.my-site.com Alternatives To Home Web Hosting It is easy to find virtual hosting companies on the Web which will offer to host a simple website for about $10 per month. Changes can be made with little delay. data base services and technical support offered by the virtual hosting company. the IP address of your site plus the name of a private directory on a shared web server in which you’ll place your web pages. If your home already has DSL there would be no additional network connectivity costs. • Register your domain name.my-site. www.

Technical Ability: Your service provider may have more expertise in setting up your site than you do. Cost: The cost of using an external web hosting provider will increase as you purchase more systems administration services. These services may be more difficult to implement at home. you will have to consider the following: In-house Web Hosting Savings • • Monthly out sourced web hosting fee Elimination of the cost of delays to implement desired services. You will eventually be able to justify hosting your website inhouse based on this financial fact. • • • • • Costs New hardware & software Possible new application development. The chapter on the Linux iptables firewall should help make the decision easier. There is a chapter on the iptables Linux firewall and general security policies for Linux servers to help you overcome these shortcomings. time) Cons o o Lost Services: You won’t have access to the services provided by your old service provider. Technical Ability: You may have to incur additional training costs to ensure that your IT staff has the necessary knowledge to do the job internally.Chapter 5 : Why Host Your Own Site? 45 o Security: One important factor to consider is the security of your new server. Security: Always weigh the degree of security maintained by your hosting provider with that which you expect to provide in-house. Hosting providers may provide software patches to fix security vulnerabilities on your web servers and may even provide a firewall to protect it. which may have been highly desirable and cost effective. Training The percentage of IT staff’s time installing and maintaining the site Potential cost of the risks (% likelihood of failure per month X cost of failure) • • Risks Likelihood of a failure and expected duration The cost of both the failure and post failure recovery (Hardware. o Small Office Based Websites Pros o o o Increased Control: You will be able to manage all aspects of your website if it is hosted on a server based either in-house or within your control at a remote data center. In order to determine the break even point of the proposal. o . data restoration. software. Availability: Reliable virtual hosting facilities may not be available in your country and you may not have access to the foreign currency to host your site abroad. Proceed with the server migration only if you feel your staff can handle the job.

You should also read the sections on mail and web server configuration to help provide a more rounded understanding of the steps involved.com How To Migrate From An External Provider The chapter on DNS has a detailed explanation of the steps involved in migrating your website from an external hosting provider to your home or small office.46 www.linuxhomenetworking. .

www. .47 Chapter 6 Introduction To Networking =========================================== In This Chapter Chapter 6 Introduction To Networking What Is TCP/IP? What Is An IP Addresses? What Is Localhost? What Is A Subnet Mask? How Many Addresses Do I Get With My Mask? How Can I Figure Out My Broadcast Address? What Is Duplex? What Is A Hub? What Is A Switch? What Is A LAN? What Is A Router? What Is A Gateway? What Is A Route? What Is A Default Gateway? What Is A NIC? What Is A MAC Address? What Is ARP? What Is A Firewall? What Is NAT? What Is Port Forwarding With NAT? What Is DHCP? What Is DNS? How Can I Check The IP Address For A Domain? How Do I Get My Own DNS Domain Name? What is FTP? Where is Linux Help? © Peter Harrison.com =========================================== This chapter briefly explains some basic networking concepts for the home user.linuxhomenetworking.

Programs that use TCP therefore have a means of detecting connection failures and requesting the retransmission of missing packets. Usually when a connection is made from a client computer requesting data to the server machine that contains the data: . TCP is a good example of a “connection oriented” protocol. What is UDP? UDP is a connectionless protocol. the data is usually split into multiple pieces or “packets” each with its own error detection bytes in the control section or “header” of the packet. Ports below 1024 are reserved for privileged system functions. It then passes the data to the program that expects to receive it. but both the UDP and the TCP datagram headers track the “port” being used. What is TCP? TCP opens up a connection between client and server programs running on separate computers so that multiple and/or sporadic streams of data can be sent over an indefinite period of time. Only the TCP datagram header contains sequence information. For example. port 80. TCP keeps track of the packets sent by giving each one a sequence number with the remote server sending back “acknowledgement” packets confirming correct delivery. How does the computer know what program needs the data? Each IP packet also contains a piece of information in its header called the “type” field. For manageability.com What Is TCP/IP? TCP/IP is a universal standard suite of protocols used to provide connectivity between networked devices.linuxhomenetworking. It is also used when data needs to be broadcast to all available servers on a locally attached network where the creation of dozens of TCP connections for a short burst of data is considered resource hungry. This informs the computer receiving the data about the type of transportation mechanism being used. It is part of the larger OSI model upon which most data communications is based. The source/destination port combination defines the program on the computer that sent/received the data.48 www. is reserved for HTTP web traffic and port 25 is reserved for SMTP email. Certain programs are assigned specific that are internationally recognized. Data is sent on a “best effort” basis with the machine that sends the data having no means of verifying whether the data was correctly received by the remote machine. What are TCP / UDP Ports? So the data portion of the IP packet contains a TCP or UDP datagram sandwiched inside. The remote computer then receives the packets and reassembles the data and checks for errors. You could look at it as a combination used to create a connection ID number. One component of TCP/IP is the Internet Protocol (IP) which is responsible for ensuring that data is transferred between two addresses without being corrupted. The two most popular transportation mechanisms used on the Internet are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). those above 1024 are generally reserved for non system third party applications. UDP is usually used for applications in which the data sent is not mission critical.

It will then issue an ICMP reject message to the original sending machine that the data should be resent. TTLs help to reduce the clogging of data circuits with unnecessary traffic. four numbers with dots in between. it helps to uniquely identify a user of the system. 1095 and query the server on port 80 (HTTP) The server recognizes the port 80 request as an HTTP request and passes on the data to be handled by the web server software. For example. electrical interference or even misconfiguration. IP packets will occasionally arrive at a server with corrupted data due to any number of reasons including. and informational messages for use by the operating system.25.12. the client will use a source port of say. The server sending the packet sets the TTL value and each network device that the packet passes through then reduces this value by “1”. Just like a telephone number. • IP addresses are in reality a string of binary digits or "bits". This mechanism helps to ensure that bad routing on the Internet won’t cause packets to aimlessly loop around the network. • The numbers between the dots are frequently referred to as "octets" • Some groups of IP addresses are reserved for use only in private networks and are not routed over the Internet. The server will usually detected this by examining the packet and correlating the contents to what it finds in the IP header’s error control section. it tells the TCP application to respond back to port 1095 of the client using a source port of port 80. When the web server software replies to the client. o The client keeps track of all its requests to the server's IP address and will recognize that the reply on port 1095 isn't a request initiation for "Nicelink" (See the Bibliography for a link to a TCP/IP port listing). These are: . IP addresses have 32 bits in total. • For ease of use. What is ICMP? There is another commonly used protocol called the Internet Control Message Protocol (ICMP). What is a TTL? Each IP packet has a Time to Live (TTL) section that keeps track of the number of network devices the packet has passed through to reach its destination. then the network device will discard the packet. More information on ICMP messages can be found in both the Appendix and the chapter on network troubleshooting. IP addresses are written in what is called a "dotted decimal" format. ICMP provides a suite of error. but TCP/IP based applications use it frequently.65. Each bit is either a 1 or a 0. None of the numbers between the dots may be greater than 255. What Do IP Addresses Look Like? • All devices connected to the Internet have an Internet Protocol (IP) address. If the TTL value reaches “0”. If it is an HTTP request. An example of an IP address would be 97. but a response to the initial port 80 HTTP query. a bad connection. It is not strictly a TCP/IP protocol. control. ICMP also includes echo and echo reply messages used by the Linux “ping” command to confirm network connectivity.Chapter 6 : Introduction To Networking 49 o the client selects a random unused "source" port greater than 1024 and queries the server on the "destination" port specific to the application.

0. • Subnet masks allow you to specify how long you want the area code to be (network portion) at the expense of the number of telephones in that are in the area code (Host portion) • Most home networks use a subnet mask of 255.255.192.255. such as (808) 225-2468.1 and the server or host would be device #25 on that network.1.253.158.253.1.158. The (808) represents the area code.253.253.0 . and host #255 (192.255 • Home networking equipment / devices usually are configured in the factory with an IP address in the range 192.25 and a subnet mask of 255.248 that defines 8 IP addresses.255 172.255.27 .1 to 192.168. This IP address is defined as 127.Available 97.255.255 192.158.253. then the network portion would be 192. host #0 (192.0.255) is reserved for broadcast traffic intended to reach all hosts on the network at the same time.255.50 www. Each "255" means this octet is for the area code (network portion).26 .253. You can then use IP addresses from #1 to #254 on your "private" network. • In this example. So if your server has an IP address of 192. What Is Localhost? Whether or not your computer has a network interface card it will have a “built in” IP address with which network aware applications can communicate with one another.0.0 .Available .0.com Private IP Addresses 10.172. a subnet mask of 255. the 225-2468 represents the telephone within that area code.0. then they will most likely provide you with a subnet mask of 255.1.0) is reserved to represent the network itself.255.16.255.168. For example if the ISP provides you with a "public" network address of 97.168.168.168.linuxhomenetworking.158.1 and is frequently referred to as “localhost” What Is A Subnet Mask? • Subnet masks are used to tell which part of the IP address represents: • The network on which the computer is connected (Network portion) • The computer's unique identifier on that network (Host portion) • A simple analogy would be a phone number. then your IP addresses will be: • • • • • 97.168.255.255.1.0.255.28 .Available 97.0 .168.158.0.255.158.10.1. • If you purchased a DSL service from your Internet service provider (ISP) that gives you fixed IP addresses.24.168.255.0.255.24 – Network base address 97.Gateway 97.248 and a gateway of 97.158.253.31.24. • You can check the Linux networking topics page on how to configure the IP address of your Linux box.25 .

Multiply this result by the result of step 1 to get the network address (8 x 3 = 24). (256 . how do you determine the network address and the broadcast address. Think of it as "This is the third subnet with 8 addresses in it". 224. 2.253.255.1 = 63.0.3.75 with a mask of 255. 4. 192.Available 97.28 and a subnet mask of 255.248.32 32 + 32 . 128. • There are only 7 possible values for the last octet of a subnet mask. in other words the boundaries of my network? Here are the steps: Manual Calculation o o Subtract the last octet of the subnet mask from 256 to give the number of IP addresses in the subnet.240 = 16 .31 o o Let's do this for 192.168. Think of it as "The broadcast address is always the network address plus the number of IP addresses in the subnet minus 1". don't bother with the remainder (28/8 = 3). These are 0. 256 .168.255.253. 248.30 .3.158. (24 + 8 -1 = 31). Therefore the network base address is 192.255.253. 3.158.Chapter 6 : Introduction To Networking 51 • • • 97.158.248) = 8 Divide the last octet of the IP address by the result of step 1.56 with a mask of 255. Therefore the broadcast address is 192.158.240 1.Broadcast How Many Addresses Do I Get With My Mask? The method described in this section only works for subnet masks that start with “255.255.29 .255.253.31 .24 The broadcast address is the result of step 3 plus the result of step 1 minus 1.158. The broadcast address is 97.224 = 32 56 / 32 = 1 32 x 1 = 32. This will give you the theoretical number of subnets of the same size that are below this IP address.3.253.192) What’s The Range Of Addresses On My Network? If someone gives you an IP address of 97.224 1.192 then you have 64 IP addresses in your subnet (256 .168. 252 • You can calculate the number of IP addresses for each of the above values by subtracting the value from 256 • So for example.255. if you have a subnet mask of 255.63 Let's do this for 10.Available 97.255” which should be sufficient for your home network. 240.255.253. 256 .255. The Network address is therefore 97.158.255.0.

Hubs physically cross-connect all their ports with one another which causes all traffic sent from a server to the hub to be blurted out to all other servers connected to that hub whether they are the intended recipient or not.sh 216. Therefore the broadcast address is 10. It is for this reason that duplex settings aren’t usually a problem for Linux servers. Calculation Using A Script There is a BASH script in the Appendix which will do this for you. Once again.151. • Full duplex uses separate pairs of wires for transmitting and receiving data so that incoming data flows don't interfere with outgoing data flows.255.0. 3.92 Network Base Address : 216. 4. Error detection and retransmission mechanisms ensure that data reaches the destination correctly even if it were originally garbled by multiple devices starting to transmit at the same time.92 /28 IP Address : 216.193. • Most modern network cards can auto-negotiate duplex with the device on the other end of the wire.80 Broadcast Address : 216. It will accept subnet masks in dotted decimal format or "/value" format [root@bigboy tmp]# .151. the last octet of your network base address must be divisible by the “256 minus the last octet of your subnet mask” and leave no remainder.193.linuxhomenetworking. Here is a sample of how to use it.95 Subnet Mask Subnet Size [root@bigboy tmp]# : 255. 75 / 16 = 4 16 x 4 = 64.151. What Is A Hub? • A hub is a device into which you can connect all devices on a home network so that they can talk together.240 : 16 IP Addresses What Is Duplex? • Duplex refers to the ability of a device to transmit and receive data at the same time.0.com 2. just provide the IP address followed by the subnet mask as arguments.79 Note: As a rule of thumb. Devices that want to transmit information have to wait their turn until the "coast is clear" at which point they send the data./subnet-calc. If you are sub-netting a large chunk of IP addresses it’s always a good idea to lay it out on a spreadsheet to make sure there are no overlapping subnets.193. Therefore the network base address is 10. and another device at the other end of the cable set to half duplex.0.64 64 + 16 -1 = 79. this only works with subnet masks that start with 255.255.193.52 www.255.151.255. • Half duplex uses the same pairs of wires for transmitting and receiving data. .0. • Data transfer speeds will be low and error levels will be high if you have a device at one end of a cable set to full duplex.

after a random time interval. A good rule of thumb is to have only one network per LAN. They can also filter traffic based on the TCP port section of each packet. traffic sent from Server A to Server B will only be received by Server B. What Is A LAN? • A Local Area Network (LAN) is a grouping of ports on a hub. The only exception is broadcast traffic which is blurted out to all the servers simultaneously. Routers therefore direct and regulate traffic between separate networks. For example. Simple home switches can be connected in a chain formation to create a LAN with more ports. What Is A Router? • As stated before. • It is for these reasons that devices that plug into hubs should be set to half duplex. When this happens the servers try again. and allow all other traffic between them. • Switches regulate traffic. much like a traffic policeman. What Is A Switch? • A switch is also a device into which you can connect all devices on a home network so that they can talk together. • Larger. • Devices that plug into switches should be set to full duplex to take full advantage of the dedicated bandwidth coming from each switch port. Unlike a hub. • Routers will connect into multiple switches to allow these networks to communicate with one another. • Routers can also be configured to deny communication between specific servers on different networks. It is possible for multiple servers to speak at once with all of them receiving garbled messages. more expensive switches can be configured to assign only certain ports to pre-specified Virtual LANs or (VLANs) chosen by the network administrator. The router is also capable of filtering traffic passing between the two LANs therefore providing additional security. Switches therefore provide more efficient traffic flow. In this case. switches and hubs usually only have servers connected to them that have been configured as being part of the same network. • It is possible to have LANs that span multiple switches. A router is still needs to be connected to each VLAN for inter-network communication. • Pure switches provide no access control between servers connected to the same LAN. switch or tied to a wireless access point (WAP) that can only communicate with each other. . until the message gets through correctly. • Communication to devices on another LAN requires a router directly connected to both LANs.Chapter 6 : Introduction To Networking 53 • Hubs have none or very little electronics inside and therefore do not regulate traffic. it is possible to deny communication between two servers on different networks that intend to communicate on TCP port 80. This is why network administrators group trusted servers having similar roles on the same LAN. thereby eliminating the possibility of message garbling. This is often called “daisy chaining”. the switch houses ports on multiple LANs. They will also ensure that they don’t mix servers on different IP networks on the same LAN segment.

1.168. and can therefore intelligently redirect traffic to bypass failed network links. Each router along the way may also be referred to as a hop.0.X Go to network 10. Home Linux boxes frequently don't run a dynamic routing protocol and therefore rely on "static" routes issued by the system administrator at the command line or in configuration files to determine the next hop to all desired networks. What Is A Gateway? • Another name for a router. What Is A Default Gateway? • A default gateway is really a gateway of last resort. . • Usually when we speak about a route on a Linux box. you must reserve an IP address for a router and make sure that the router is directly connected to the LAN associated with that network.46.1. Say for example: o o o You have two routers R1 and R2 R1 is connected to both your SOHO home network (192. • The Linux network topics page shows how to add static routes to your Linux box and also how you can convert it into a simple router.0 via router R2 Go to everything else via router R1.0. • You can check the Linux networking topics page on how to configure the default gateway on your Linux box. we are referring to the IP address of the first hop needed to reach the desired destination network. a route refers to the path data takes to traverse from its source to its destination.0) and your credit card transaction payment the network (10. It is assumed that this first hop will know how to automatically relay the packet.com • If you intend to route between networks. your default gateway would be the router / firewall connected to the Internet. routers most frequently provide connectivity to the Internet using network address translation or NAT. What Is A Route? • In the broader networking sense.0) and the internet R2 is connected to both your SOHO home network (192.168. • Routers are designed to exchange routing information dynamically.0.linuxhomenetworking. then for each network.0.0) which is also connected to other corporate networks with addresses starting with 10.54 www. • In home networks.123.0 255.X. R1 therefore would be considered your default gateway • You could put a route on your SOHO servers that states: o o • For most home networks.X.

When a server needs to communicate with another server it does the following steps: • The server first checks its routing table to see which router provides the next hop to the destination network.168. Every IP packet is sent out of your NIC wrapped inside an Ethernet frame which uses MAC addresses to direct traffic on your locally attached network. the ARP table only contains the MAC addresses of devices on the locally connected network. As the packet hops across the Internet. the server will issue an ARP request asking that router 192. • The Linux network topics page shows how to see your ARP table and the MAC addresses of your server's NICs. If there is an ARP entry. its source/destination IP address stays the same. • The server will not send the data to its intended destination unless it has an entry in its ARP table. the packet is sent and the ARP table is subsequently updated with the new MAC address.1. . If there is no ARP entry.168. What Is ARP? The Address Resolution Protocol (ARP) is used to map MAC addresses to network IP addresses.1. let's say with an IP address of 192.Chapter 6 : Introduction To Networking 55 What Is A NIC? Your network interface card is frequently called a NIC. The ARP table is queried. it will in turn continue with the ARP-ing process to relay the packet to the final destination. but the MAC addresses are reassigned by each router on the way using a process called ARP. an ARP request is made asking the target server for its MAC address. the server checks it's ARP table to see whether it has the MAC address of the router's NIC. Once a reply is received. If no entry is available. • If the target server is on the same network as the source server. As each router in the path receives the packet. MAC addresses therefore only have significance on the locally attached network. the packet is sent and the ARP table is subsequently updated with the new MAC address. Currently. Once a reply is received. ARP entries are not permanent and will be erased after a fixed period of time depending on the operating system used. • As can be expected. the most common types of NIC used in the home are Ethernet and wireless Ethernet cards. a similar process occurs.1. If it doesn't. the server sends the IP packet to its NIC and tells the NIC to encapsulate the packet in a frame destined for the MAC address of the router. the application needing to communicate will issue a timeout or "time exceeded" error. What Is A MAC Address? The media access control address (MAC) can be equated to the serial number of the NIC. • If there is a valid router.1 respond with its MAC address so that the delivery can be made.

This greatly increases the number of devices that can access the Internet without running out of "public" IP addresses. NAT protects your home PCs by assigning them IP addresses from “private” IP address space that cannot be routed over the internet.56 www.com What Is A Firewall? Firewalls can be viewed as routers with more enhanced abilities to restrict traffic. There are many good reasons for this. This arrangement works well with a single NAT IP trying to initiate connections to many Internet addresses. The reverse isn’t true. This prevents hackers from directly attacking your home systems as packets sent to the “private” IP will never pass over the Internet. Specifically. As there normally has been no prior connection association . Connections initiated from the Internet to the “public” IP address of the router / firewall face a problem. the two most commonly stated are: • No one on the Internet knows your true IP address. You can configure NAT to be “one to one” in which you assign multiple IP addresses to the outside “public” interface of your firewall and pair each of these addresses to a corresponding server on the inside network. Basic NAT testing will require you to ask a friend to try to connect to your home network from the Internet. You can also use “many to one” NAT in which the firewall maps a single IP address to multiple servers on the network. This is called network address translation (NAT) and is often also called IP masquerading in the Linux world. firewalls can detect malicious attempts to subvert the TCP/IP protocol. As the router / firewall is located at the “border crossing” to the Internet it can easily keep track of all the various outbound connections to the Internet by monitoring: • The IP addresses and TCP ports used by each home based server and mapping it to • The TCP ports and IP addresses of the Internet servers with which they want to communicate. and not a “private” IP address. Examples of NAT may be found in the IP masquerade section of the Linux iptables firewall chapter and also in the Cisco PIX firewall chapter. not just by port and IP address like routers. • Hundreds of PCs and servers behind a NAT device can masquerade as a single "public" IP address. you won’t be able to access the public NAT IP addresses from servers on your home network. What Is Port Forwarding With NAT? In our simple home network.linuxhomenetworking. all servers accessing the Internet will appear to have the single “public” IP address of the router / firewall because of “many to one” NAT. As a general rule. A short list of capabilities includes: • Throttling traffic to a server when two many unfulfilled connections are made to it • Restricting traffic being sent to obviously bogus IP addresses • Providing network address translation or NAT What Is NAT? Your router / firewall will frequently be configured to make it appear to other devices on the Internet that the servers on your Home network have a valid “public” IP address.

linuxhomenetworking. • The router / firewall will then redirect the DNS queries from your computer to the DNS name server of your Internet service provider (ISP). The DHCP client sends out a query requesting a DHCP server which in turn provides the client PC with its IP address. Most home router / firewalls are configured in the factory to be DHCP servers for your home network. to make your Linux box provide the DHCP addresses for the other machines on your network. You can check the chapter on Linux networking topics page on how to configure your Linux box to get its IP address via DHCP. Port forwarding is a method of counteracting this. DNS server and default gateway information. you can configure your router / firewall to forward TCP port 80 (Web/HTTP) traffic destined to the outside NAT IP to be automatically relayed to a specific server on the inside home network As you may have guessed. (and) to deliver TCP/IP stack configuration parameters such as the subnet mask and default router”. You can also check the chapter on Configuring a DHCP Server. once it has a fixed IP address.com into an IP address that can be used behind the scenes by your computer. the router / firewall has no way of telling which of the many home PCs behind it should receive the relayed data.dhcp.com" DNS name servers which will then redirect the query to the "linuxhomenetworking. • Home router / firewall providing DHCP services often provides its own IP address as the DNS name server address for home computers. port forwarding is one of the most common methods used to host websites at home with DHCP DSL. DHCP can be used to automatically assign IP addresses. • The "linuxhomenetworking. What Is DHCP? According to www.com As you can imagine. Here step by step description of what happens with a DNS lookup. You can also make your Linux box into a DHCP server.com" name server will then respond with the IP address for www.Chapter 6 : Introduction To Networking 57 between the Internet server and any protected server on the home network.linuxhomenetworking. For example. The assignment usually occurs when the DHCP configured machine boots up. or regains connectivity to the network. Each server in the chain will store the most frequent DNS name to IP address lookups in a memory cache which helps to speed up the response. subnet mask. • Most home computers will get the IP address of their DNS server via DHCP from their router / firewall. • The root server will then redirect your query to one of the Internet's ". The most commonly used form of DSL will also assign the outside interface of your router / firewall with a single DHCP provided IP address. You can make your Linux box into a caching DNS server for your home network too. .org. • Your ISP's DNS server will then probably redirect your query to one of the 13 "root" name servers. "The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol for automating the configuration of computers that use TCP/IP. What Is DNS? The domain name system (DNS) is a worldwide server network used to help translate easy to remember domain names like www.com" name server. this process can cause a noticeable delay when you are browsing the web.

arpa nameserver = dns2.com has address 216.151.0. then you can use either the nslookup command or host command to get the associated IP address.92 [root@bigboy tmp]# You can also use the nslookup and host commands to get the reverse information.0.1 Address: 127.net.216.151. [root@bigboy tmp]# nslookup www. Server: 127. nslookup will be removed from future releases of Linux.elan.0.193.net internet address = 216.arpa nameserver = dns1.58 www.elan. Consider using the `dig' or `host' programs instead.92 92.193. Authoritative answers can be found from: 193.151. Run nslookup with the `-sil[ent]' option to prevent this message from appearing.151.0.elan.193.net.151.com www.193.1 [root@bigboy tmp]# [root@bigboy tmp]# host 216.linuxhomenetworking.151. dns1. Consider using the `dig' or `host' programs instead.net.192. [root@bigboy tmp]# nslookup 216.216.0.216.0.151. Server: 127.216.com How Can I Check The IP Address For A Domain? If you have the domain.linuxhomenetworking. 193. but can still be used with Windows .in-addr.arpa name = extra193-92.151. [root@bigboy tmp]# .1#53 Non-authoritative answer: 92.in-addr.linuxhomenetworking.193.net.1#53 Name: www.92 [root@bigboy tmp]# host www.in-addr.com Note: nslookup is deprecated and may be removed from future releases.151.in-addr.elan. Run nslookup with the `-sil[ent]' option to prevent this message from appearing.linuxhomenetworking.0.1 Address: 127.193.elan.arpa domain name pointer extra193-92.linuxhomenetworking.92 Note: nslookup is deprecated and may be removed from future releases.0.com Address: 216.

There are a number of commercially available GUI based clients you can load on your PC to do this. If you bought static IP addresses. after you follow the steps below.Chapter 6 : Introduction To Networking 59 How Do I Get My Own DNS Domain Name? • There are many companies that provide DNS name registration. The remote FTP server will prompt you for a username. there are another two categories. Regular FTP o o This is used primarily to allow specific users to download files to their systems. You also FTP from the command line as shown in the RPM chapter. then static DNS is the way to go. These are active and passive FTP which is covered in more detail in the FTP Chapter. then your router is probably getting its "public" Internet IP address via DHCP from your ISP. You can use them to determine whether the name you want is available and you can purchase the domain you want using a credit card with your web browser. The password is usually your valid email address. The password will be your regular password for your user account. . don't worry you can do this later. • If you don't have the names and/or IP addresses for you primary name servers. From the remote user's perspective. From the systems administrator's perspective. Static or Dynamic DNS? o If you didn't specifically reserve static IP addresses from your ISP. • The registration process will prompt you for your two primary DNS servers. there are two types of FTP. at which point the user will be the username you normally use to log into the FTP server. The remote FTP server will prompt you for a username. at which point the user will type "anonymous". Anonymous FTP o o This is used primarily to allow any remote user to download files to their systems. RegisterFree is the one I use. o What is FTP? This is one of the most popular applications used to copy files between computers via a network connection. In this case you'll want to use a dynamic DNS service. This helps DNS root servers know exactly where to get the information for the IP address for your new website. such as WSFTP and CuteFTP.

manipulate Tcl objects . More secure forms such as SFTP (Secure FTP) and SCP (Secure Copy) are available as a part of the Secure Shell package that is normally installed by default on RedHat. If you want to search all the man pages for a keyword.60 www. then use the man command with the –k switch.linuxhomenetworking. [root@bigboy tmp]# man -k ssh Tcl_DecrRefCount [Tcl_IsShared] (3) . Where is Linux Help? Linux help files are accessed using the “man” or manual pages. It is intended to replace rlogin and rsh. Here are some examples: Finding General Information On A Command Here we get information on the ssh command: [root@bigboy tmp]# man ssh SSH(1) BSD General Commands Manual SSH(1) NAME ssh . then you’d use the command “man ssh”.com It is good to remember that FTP isn't very secure as usernames. and provide secure encrypted … … … … [root@bigboy tmp]# Search For All Instances Of A Word Here we discover that the search string ssh can be found in the TCL man pages and also in a variety of ssh related pages including ssh. to narrow your help search. If you want to get information on the ssh command. Using this information you can use the man command.OpenSSH SSH client (remote login program) SYNOPSIS ssh [-l login_name] hostname | user@hostname [command] ssh [-afgknqstvxACNPTX1246] [-b bind_address] [-c cipher_spec] [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R port:host:hostport] [-D port] hostname | user@hostname [command] DESCRIPTION ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. ssh-add and ssh-agent. passwords and data are sent across the network unencrypted. From the command line you issue the man command followed by the Linux command or file you wish to get information about. without the –k.

authentication key generation.OpenSSH SSH daemon configuration file [root@bigboy tmp]# .manipulate Tcl objects Tcl_IsShared [Object] (3) .manipulate Tcl objects Tcl_IsShared [Tcl_NewObj] (3) .adds RSA or DSA identities to the authentication agent ssh-agent (1) .ssh helper program for hostbased authentication ssh_config (5) .manipulate Tcl objects Tcl_IncrRefCount [Tcl_IsShared] (3) .authentication agent ssh-keygen (1) .Chapter 6 : Introduction To Networking 61 Tcl_DuplicateObj [Tcl_IsShared] (3) .OpenSSH SSH client (remote login program) ssh-add (1) .gather ssh public keys ssh-keysign (8) .manipulate Tcl objects Tcl_NewObj [Tcl_IsShared] (3) . management and conversion ssh-keyscan (1) .OpenSSH SSH client configuration files sshd (8) .manipulate Tcl objects Tcl_InvalidateStringRep [Tcl_IsShared] (3) .manipulate Tcl objects Tcl_IsShared [Tcl_IncrRefCount] (3) .OpenSSH SSH daemon sshd_config (5) .manipulate Tcl objects Tcl_IsShared (3) .manipulate Tcl objects Tcl_IsShared [Tcl_InvalidateStringRep] (3) .manipulate Tcl objects Tcl_IsShared [Tcl_DuplicateObj] (3) .manipulate Tcl objects Tcl_IsShared [Tcl_DecrRefCount] (3) .OpenSSH SSH client (remote login program) ssh [slogin] (1) .manipulate Tcl objects ssh (1) .

com .linuxhomenetworking.62 www.

Each system message sent to the syslog server has two descriptive labels associated with it that makes the message easier to handle. There are eight in all and they are listed below: o . applications such as mail and cron generate messages with easily identifiable facilities named "mail" and "cron".com =========================================== This chapter will show you how to troubleshoot problems not only on your Linux box but also on remote networking devices using syslog. www. o The first describes the function (facility) of the application that generated it. Syslog About syslog Syslog is a utility for tracking and logging all manner of system messages from the merely informational to the extremely critical.63 Chapter 7 Troubleshooting Linux With Syslog =========================================== In This Chapter Chapter 7 Troubleshooting Linux With Syslog Syslog Logrotate © Peter Harrison. The second describes the degree of severity of the message.linuxhomenetworking. For example.

com Syslog Facilities Severity Level 0 1 2 3 4 5 6 7 Keyword emergencies alerts critical errors warnings notifications informational debugging Description System unusable Immediate action required Critical condition Error conditions Warning conditions Normal but significant conditions Informational messages Debugging messages The files to which syslog will write each type of message received is set in the /etc/syslog.authpriv.info. This may be more suitable for troubleshooting.none.linuxhomenetworking.mail.conf file. cron or authentication facilities/subsystems. *.debug /var/log/messages Certain applications will additionally log to their own application specific log files and directories independent of the syslog.conf file is configured to put most of the messages the file /var/log/messages. RedHat's /etc/syslog.64 www. all messages of severity "info" and above are logged.cron.conf configuration file. Here is a sample: . the first lists the facilities and severities of messages to expect and the second lists the files to which they should be logged. This file consists of two columns.none /var/log/messages In this case.none. By default. but none from the mail. Here are some common examples: Files: /var/log/maillog /var/log/httpd/access_log : Mail : Apache web server page access logs . You can make this logging even more sensitive by replacing the line above with one that captures all messages from debug severity and above in the /var/log/messages file.

conf file is very sensitive to spaces. Here is an example: [root@bigboy tmp]# more /var/log/messages Logging Syslog Messages To A Remote Linux Server Configuring the Linux Syslog Server By default syslog doesn’t expect to receive messages from remote clients.d/syslog restart How To View New Log Entries As They Happen If you want to get new log entries to scroll on the screen as they occur.Chapter 7: Configuring Syslog 65 Directories: /var/log /var/log/samba /var/log/mrtg /var/log/httpd : Samba messages : MRTG messages : Apache webserver messages NOTE: The /etc/syslog.conf will not take effect until you restart syslog. Activating Changes To The syslog Configuration File Changes to /etc/syslog. you can pipe it through the "more" command so that you only get one screen at a time. then you can use this command: [root@bigboy tmp]# tail -f /var/log/messages Similar commands can be applied to all log files. [root@bigboy tmp]# grep string /var/log/messages | more You can also just use the plain old "more" command to see one screen at a time of the entire log file without filtering with "grep". Spaces in the file will cause unpredictable results. . Another good command to use apart from "tail" is "grep". This is probably one of the best troubleshooting tools available in Linux. Here’s how to configure your Linux server to start listening for these messages. Only use tabs on lines that don't start with the "#" comment character. Issue this command to do so: [root@bigboy tmp]# /etc/init. Here is an example. Grep will help you search for all occurrences of a string in a log file.

0:514 0. # -r enables logging from remote machines # -x disables DNS lookups on messages recieved with -r # See syslogd(8) for more details SYSLOGD_OPTIONS="-m 0 -r" # Options to klogd # -2 prints all kernel oops messages twice. You now have to configure your remote Linux client to send messages to it. [root@bigboy tmp]# netstat -a | grep syslog udp 0 0 *:syslog *:* [root@bigboy tmp]# netstat -an | grep 514 udp 0 0 0.0.com As we saw previously. This is done by editing the /etc/hosts file on the Linux client named smallfry. .conf file to determine the expected names and locations of the log files it should create.0.1. # Options to syslogd # -m 0 disables 'MARK' messages.0:* [root@bigboy tmp]# Configuring the Linux Client The syslog server is now expecting to receive syslog messages.168.com bigboy loghost fully-qualified-domain-name hostname "loghost" Server "bigboy" has now become the remote logging server as its /etc/hosts entry has an alias "loghost" which indicates to syslog that this is a remote syslog server.66 www. and # once for processing with 'ksymoops' # -x disables all klogd processing of oops messages entirely # See klogd(8) for more details KLOGD_OPTIONS="-2" You will have to restart syslog on the server for the changes to take effect. Remember to restart syslog to make these changes take effect. syslog checks its /etc/syslog.my-site.100 bigboy. The server will now start to listen on UDP port 514 which you can verify using either one of the following netstat command variations.linuxhomenetworking. It also checks the file /etc/sysconfig/syslog to determine the various modes in which it should operate. Syslog will not listen for remote messages unless the SYSLOGD_OPTIONS variable in this file has a “–r” included in it as shown below. once for klogd to decode.0.0. Here are the steps: • • Determine the IP address and fully qualified hostname of your remote logging host Add an entry in the /etc/hosts file in the format IP-address Example: 192.

firewalls and load balancers each logging with a different facility can each have their own log files for easy troubleshooting. PIX firewalls. The /etc/logrotate. allowing for daily updates.. CSS arrowpoints and LocalDirectors. [root@bigboy tmp]# Syslog Configuration and Cisco Network Devices Syslog reserves facilities "local0" through "local7" for log messages received from remote servers and network devices. Logrotate Logrotate is a Linux utility that renames and reuses system error log files on a periodic basis so that they don't occupy excessive disk space... Linux Client [root@smallfry tmp]# /etc/init. o You can specify either “weekly” or “daily” rotation parameter.. The chapter on Miscellaneous Topics has examples of how to configure syslog to do this with Cisco devices using separate log files for the routers. .. In the case below the weekly option is "commented out" with a "#".conf File This is logrotate’s general configuration file in which you can specify the frequency with which the files are reused.d/lpd restart Stopping lpd: [ OK ] Starting lpd: [ OK ] [root@smallfry tmp]# Linux Server [root@bigboy tmp]# tail /var/log/messages . .Chapter 7: Configuring Syslog 67 You can now test to make sure that the syslog server is receiving the messages with a simple test such as restarting the lpd printer daemon and making sure the remote server sees the messages. you'll have to allow traffic on this port to pass through the security device. switches. Apr 11 22:09:35 smallfry lpd: lpd shutdown succeeded Apr 11 22:09:39 smallfry lpd: lpd startup succeeded . Routers. Syslog and Firewalls Syslog listens by default on UDP port 514. switches.. ... If you are logging to a remote syslog server via a firewall.

3 logfile.1 logfile. The /etc/logrotate.5 logfile. The "create" parameter creates a new log file after each rotation Therefore our sample configuration file will create daily archives of ALL the logfiles and store them for seven days.conf # rotate log files weekly #weekly # rotate log files daily daily # keep 4 weeks worth of backlogs #rotate 4 # keep 7 days worth of backlogs rotate 7 # create new (empty) log files after rotating old ones create The /etc/logrotate.com o o The "rotate" parameter specifies the number of copies of log files logrotate will maintain.linuxhomenetworking.d Directory Most Linux applications that use syslog will put an additional configuration file in this directory to specify the names of the log files to be rotated. The files will have the following names with "logfile" being current active version: logfile logfile.pid 2> /dev/null` 2> /dev/null || true endscript } . In the case below the 4 copy option is "commented out" with a "#".log /var/log/cron { sharedscripts postrotate /bin/kill -HUP `cat /var/run/syslogd.d/syslog File (For General System Logging) /var/log/cisco/* /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot. while allowing 7 copies.0 logfile.6 Sample contents of /etc/logrotate.2 logfile.68 www. It is a good practice to verify that all new applications that you want to use the syslog log have configuration files in this directory.4 logfile. Here are some sample files which define the specific files to be rotated for each application.

pid 2> /dev/null` 2> /dev/null || true endscript } Activating logrotate The above logrotate settings will not take effect until you issue the following command to do so: [root@bigboy tmp]# logrotate –f If you want logrotate to reload only a specifc configuration file.log { notifempty missingok sharedscripts copytruncate postrotate /bin/kill -HUP `cat /var/lock/samba/*. then issue the logrotate command with just that filename as the argument like this: [root@bigboy tmp]# logrotate -f /etc/logrotate. and not all of them.pid 2>/dev/null` 2> /dev/null || true endscript } The /etc/logrotate.d/samba File (for SAMBA) /var/log/samba/*.d/apache File (For Apache) /var/log/httpd/access_log /var/log/httpd/agent_log /var/log/httpd/error_log /var/log/httpd/referer_log { missingok sharedscripts postrotate /bin/kill -HUP `cat /var/run/httpd.d/syslog .Chapter 7: Configuring Syslog 69 The /etc/logrotate.

com .70 www.linuxhomenetworking.

this device is called "eth0".com =========================================== This chapter covers how to configure your Linux box’s networking features. www. How To Configure Your NIC's IP Address Determining Your IP Address Most modern PCs come with an ethernet port. You can determine the IP address of this device with the "ifconfig" command.linuxhomenetworking. When Linux is installed.Chapter 7: Configuring Syslog 71 Chapter 8 Linux Networking =========================================== In This Chapter Chapter 8 Linux Networking How To Configure Your NIC's IP Address How To Change Your Default Gateway How Configure Two Gateways How To Delete A Route How To View Your Current Routing Table How To Convert Your Linux Server Into A Router Configuring Your /etc/hosts File © Peter Harrison. [root@bigboy tmp]# ifconfig -a eth0 Link encap:Ethernet HWaddr 00:08:C7:10:74:A8 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 .

1 netmask 255. you could give this eth0 interface an IP address using the ifconfig command.d/rc.0 You can see that this command gives good information on the interrupts used by each card. Interface wlan0 has an IP address of 192.4 Mb) TX bytes:43209032 (41.255 Mask:255.255.1.99 Bcast:192.linuxhomenetworking.255.0 b) TX bytes:0 (0.0 b) Interrupt:11 Base address:0x1820 lo Link encap:Local Loopback inet addr:127.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:11 Memory:c887a000-c887b000 [root@bigboy tmp]# In this example..1. eth1 uses ifcfg-eth1 .100 Bcast:192. [root@bigboy tmp]# ifconfig eth0 10. Interface eth0 has a file called ifcfg-eth0.7 Kb) TX bytes:82644 (80.168.local file.168.2 Mb) Interrupt:11 Memory:c887a000-c887b000 wlan0:0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5 inet addr:192. etc.1 Mask:255.1.0.0.72 www.0. To make this permanent each time you boot up you'll have to add this command in your /etc/rc. eth0 has no IP address as this box is using wireless interface wlan0 as it's main NIC.1.7 Kb) wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5 inet addr:192.0. .0.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:47379 errors:0 dropped:0 overruns:0 frame:0 TX packets:107900 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:4676853 (4. Linux also makes life a little easier with interface configuration files located in the /etc/sysconfig/network-scripts directory.168. This can also be found in less detail in the file /proc/interrupts Changing Your IP Address If you wanted.255.168.168.1. Here are two samples for interface eth0.0 up The "up" at the end of the command activates the interface. one assumes the interface has a fixed IP address.255.255.0..255.255. the other assumes it requires an IP address assignment using DHCP.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:787 errors:0 dropped:0 overruns:0 frame:0 TX packets:787 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:82644 (80.255 Mask:255.100 and a subnet mask of 255. You can place your IP address information in these files which are then used to auto-configure your NICs when Linux boots.com collisions:0 txqueuelen:100 RX bytes:0 (0.

Interface wlan0:0 is actually a "child" of interface wlan0.Chapter 8: Linux Networking 73 network-scripts File Formats Fixed IP Address [root@bigboy tmp]# cd /etc/sysconfig/network-scripts [root@bigboy network-scripts]# more ifcfg-eth0 DEVICE=eth0 BROADCAST=192. You can read more about netmasks and DHCP on the introduction to networking chapter. Once you change the values in the configuration files for the NIC you'll have to deactivate and activate it for the modifications to take effect. where "X" is the sub-interface number of your choice. One's named wlan0 and the other wlan0:0. The ifdown and ifup commands can be used to do this.255. a virtual sub-interface also known as an "IP alias".1.168. IP aliasing is one of the most common ways of creating multiple IP addresses associated with a single NIC. [root@bigboy network-scripts]# ifdown eth0 [root@bigboy network-scripts]# ifup eth0 Multiple IP Addresses On A Single NIC In the previous "determining your IP address" section you may have noticed that there were two wireless interfaces.255 IPADDR=192.168. Aliases have the name format "parent-interface-name:X".100 NETMASK=255.168.1. .0 NETWORK=192.1.0 ONBOOT=no [root@bigboy network-scripts]# Getting the IP Address using DHCP [root@bigboy tmp]# cd /etc/sysconfig/network-scripts [root@bigboy network-scripts]# more ifcfg-eth0 DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes [root@bigboy network-scripts]# As you can see eth0 will be activated on booting as the parameter ONBOOT has the value "yes" and not "no".255.

The PPPOE configuration will create a software based virtual interface named ppp0 that will use the physical Internet interface eth0 for connectivity. RedHat Linux installs the rp-pppoe RPM software package required to support this.com The process for creating an IP alias is very similar to the steps outlined for the real interface in the previous "changing your IP address" section.4-7. By default. Here’s what you need to do: . The latest version of the RPM for RedHat 8. configure it with the IP address. as of version 8. then the configuration steps are the same as those outlined above. Install the package using the following command: [root@bigboy tmp]# rpm -Uvh rp-pppoe-3. First ensure the "parent" real interface exists Verify that no other IP aliases with the same name exists with the name you plan to use. Remember that you may also need to configure your DNS server correctly.0 is rp-pppoe-3. ########################################### [100%] 1:rp-pppoe ########################################### [100%] [root@bigboy tmp]# You’ll then need to go through a number of steps to complete the connection.rpm Preparing. o o o IP Address Assignment For A Direct DSL Connection If you are using a DSL connection with fixed or “static” IP addresses.0 up o You then have the choice of creating a /etc/sysconfig/network-scripts/ifcfg-wlan0:0 file or adding the ifconfig command used above to your /etc/rc.local file to ensure the IP address is assigned properly when you reboot. then the process is different..255. Your ISP will provide you with a PPPoE “username” and “password” which will allow your computer to login transparently to the Internet each time it boots up.i386.74 www. broadcast address and gateway information provided by your ISP and you should have connectivity once you restart your interface. If you need a refresher.99 \ netmask 255.i386.168. the chapter on RPMs covers how to do this in detail. If you are using a DSL connection with a DHCP or “dynamic” IP address assignment.linuxhomenetworking..255.0. Downloading and installing RPMs isn’t hard.d/rc.4-7. subnet mask. In this we want to create interface wlan0:0 Create the virtual interface with the ifconfig command [root@bigboy tmp]# ifconfig wlan0:0 192. You plug your ethernet interface into the DSL modem.rpm.1.

For Linux.. lower-case. [root@bigboy [root@bigboy [root@bigboy ifcfg-eth0 [root@bigboy tmp]# tmp]# cd /etc/sysconfig/network-scripts/ network-scripts]# ls ifcfg-eth0 network-scripts]# cp ifcfg-eth0 DISABLED. I will run some checks on your system to make sure the PPPoE client is installed properly. [root@bigboy network-scripts]# ifdown eth0 [root@bigboy network-scripts]# o Run the adsl-setup configuration script [root@bigboy network-scripts]# adsl-setup o It will prompt you for your ISP username. First. If you want the link to stay up permanently. enter the idle time in seconds after which the link should be dropped. where 'X' is a number. DEVICE=eth0 ONBOOT=no o Shutdown your eth0 interface..Chapter 8: Linux Networking 75 o Make a backup copy of your ifcfg-eth0 file. LOGIN NAME Enter your Login Name (default root): bigboy-login@isp INTERFACE Enter the Ethernet interface connected to the ADSL modem For Solaris. You may have some problems with demand-activated links.) NOTE: Demand-activated links do not interact well with dynamic IP addresses. Enter the demand value (default no): . (default eth0): Do you want the link to come up on demand. enter 'no' (two letters. Welcome to the ADSL client setup. the interface to be used (eth0) and whether you want to the connection to stay up indefinitely.ifcfg-eth0 o Edit your ifcfg-eth0 file to have no IP information and also to be deactivated on boot time. We’ll use defaults wherever possible. this is likely to be something like /dev/hme0. it will be ethX. or stay up continuously? If you want it to come up on demand.

I will assume you know what you are doing and not modify your DNS setup. Note that these rules are very basic.MASQUERADE: Appropriate for a machine acting as an Internet gateway for a LAN Choose a type of firewall (0-2): 0 . ftp. or the more comprehensive one found in the Appendix. enter 'server' (all lower-case) here. You are responsible for ensuring the security of your machine. DNS server nor mail server. If you just press enter.76 www.STANDALONE: Appropriate for a basic stand-alone web-surfing workstation 2 . You are STRONGLY recommended to use some kind of firewall rules. If you are running any servers on your machine. I’d recommend selecting “none” and using a variant of the basic script samples in the firewall chapter.NONE: This script will not set any firewall rules.conf file.com o It will then prompt you for your DNS server information. you must choose 'NONE' and set up firewalling yourself. the firewall rules will deny access to all standard servers like Web. the rules will block outgoing SSH connections which allocate a privileged source port.) if you want to allow normal user to start or stop DSL connection (default yes): o The rp-pppoe package has two sample ipchains firewall scripts located in the /etc/ppp directory named firewall-standalone and firewall-masq. etc. e-mail. FIREWALLING Please choose the firewall rules to use. 1 . these will provide basic security. This step will edit your /etc/resolv. If your ISP claims that 'the server will provide dynamic DNS addresses'. If you want your ISP to automatically provide the IP address of its DNS server then enter the word “server”.linuxhomenetworking. Enter the DNS information here: o The script will then prompt you for your ISP password PASSWORD Please enter your Password: Please re-enter your Password: o Then it will ask whether you want regular users (not superuser “root”) to be able to activate/deactivate the new ppp0 interface USERCTRL Please enter 'yes' (two letters. If you’re running BIND on your server in a caching DNS mode then you may want to leave this option blank. If you are using SSH. lower-case. DNS Please enter the IP address of your ISP's primary DNS server. Otherwise. They are very basic and don’t cover rules to make your Linux box a web server. You are strongly encouraged to use a more sophisticated firewall setup. The firewall choices are: 0 . however.

** Summary of what you entered ** Ethernet Interface: eth0 User name: bigboy-login@isp Activate-on-demand: No DNS: Do not adjust Firewalling: NONE User Control: yes Accept these settings and adjust configuration files (y/n)? y Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0 Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets (But first backing it up to /etc/ppp/chap-secrets. Start this connection at boot time Do you want to start this connection at boot time? Please enter no or yes (default no):yes o Just before exiting. Most people would say “yes”. The first is the ifcfgppp0 file with interface’s link layer connection parameters [root@bigboy network-scripts]# more ifcfg-ppp0 USERCTL=yes BOOTPROTO=dialup NAME=DSLppp0 DEVICE=ppp0 TYPE=xDSL ONBOOT=yes PIDFILE=/var/run/pppoe-adsl. it should be all set up! Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'to bring it down. The above example recommends using the adsl-status command with the name of the PPPoE interface configuration file.bak) o At the very end it will tell you the commands to use to activate /deactivate your new ppp0 interface and to get a status of the interface’s condition. Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0' to see the link status. This command defaults to show information for interface ppp0 and therefore listing the ifcfg-ppp0 filename won’t be necessary in most home enviornments.bak) (But first backing it up to /etc/ppp/pap-secrets.pid FIREWALL=NONE .Chapter 8: Linux Networking 77 o You’ll then be asked whether you want the connection to be activated upon booting. Congratulations. Some Important Files Created By adsl-setup • The adsl-setup script creates three files that will be of interest to you. you’ll get a summary of the parameters you entered and the relevant configuration files will be updated to reflect your choices when you accept them.

[root@bigboy tmp]# ifup ppp0 [root@bigboy tmp]# adsl-status adsl-status: Link is up and running on interface ppp0 ppp0: flags=8051<UP.com PING=. the interface appears to work correctly. . There are some good tips there on how to avoid problems with VPN clients. but ppp0 is down [root@bigboy tmp]# • After activation. [root@bigboy network-scripts]# more /etc/ppp/pap-secrets # Secrets for authentication using PAP # client server secret IP addresses "bigboy-login@isp" * "password" [root@bigboy network-scripts]# Simple Troubleshooting • You can run the adsl-status command to determine the condition of your connection.78 www.linuxhomenetworking.com).roaringpenguin. [root@bigboy tmp]# adsl-status Note: You have enabled demand-connection. adsl-status may be inaccurate.RUNNING. In this case the package has been installed but the interface hasn’t been activated.POINTOPOINT. adsl-status: Link is attached to ppp0. PPPOE_TIMEOUT=20 LCP_FAILURE=3 LCP_INTERVAL=80 CLAMPMSS=1412 CONNECT_POLL=6 CONNECT_TIMEOUT=60 DEFROUTE=yes SYNCHRONOUS=no ETH=eth0 PROVIDER=DSLppp0 USER= bigboy-login@isp PEERDNS=no [root@bigboy network-scripts]# • The others are the duplicate /etc/ppp/pap-secrets and /etc/ppp/chap-secrets files with the username and password needed to login to your ISP.MULTICAST> mtu 1462 inet … … … [root@bigboy tmp]# • For further troubleshooting information you can visit the website of rp-ppoe at Roaring Penguin (www.

local.168. Let's assume that this router has an IP address of 192.1 is connected to the same network as interface wlan0 ! Once done. This example uses a newly installed wireless interface called wlan0.1 Some people don't bother with this step and just place the "route add" command in the file /etc/rc.254 Some people don't bother with this step and just place the "route add" command in the file /etc/rc.0 to 10.168.0 netmask 255.0 netmask 255. This file is used to configure your default gateway each time Linux boots.d/rc.0.1.0. You may be most likely using interface eth0.254 wlan0 The file etc/sysconfig/static-routes will also have to updated so that the route is reinstated when you reboot. you'll need to update your /etc/sysconfig/network file to reflect the change.168. Here's a typical scenario: • You have one router providing access to the Internet which you'd like to have as your default gateway (See the default gateway example above) • You also have another router providing access to your corporate network using addresses in the range 10.168.1.0 gw 192.254 The Linux box used in this example uses interface wlan0 for its Internet connectivity.255.Chapter 8: Linux Networking 79 How To Change Your Default Gateway This can be done with a simple command. .0.0.255. Add the new route as follows: route add -net 10. please adjust your steps accordingly.0 gw 192.0.local How Configure Two Gateways Some networks may have multiple router / firewalls providing connectivity.0.0.1. [root@bigboy tmp]# route add default gw 192. NETWORKING=yes HOSTNAME=bigboy GATEWAY=192.d/rc.168. make sure that the router / firewall with IP address 192. wlan0 net 10. Here is a sample.1.1 wlan0 In this case.1.0.255.168.0.1.0. most PCs would be using the standard ethernet interface eth0. A more complicated /etc/sysconfig/static-routes file is located in a following section.

1.0 are usually directly connected to the interface.com How To Delete A Route Here's how to delete the routes added in the previous section.224 172.255 which is usually added on DHCP servers.69.0 255.135 255.0.0.0 netmask 255.0 127.128 0.224 172.254 How To View Your Current Routing Table The netstat -nr command will provide the contents of the touting table.0 192.168.16.255.16.0 255.0 255.255.69.240.0 [root@bigboy tmp]# Flags UH U U UG MSS 40 40 40 40 Window 0 0 0 0 irtt 0 0 0 0 Iface wlan0 wlan0 lo wlan0 • In this example.255.0 172.0.0.0.0 172.16.16.255 0.67.0. there are multiple gateways handling traffic destined for different networks on different interfaces. Delete the line that reads: wlan0 net 10.16. Server bigboy is a DHCP server in this case. the default and one to 255.69.0.80 www.0 gw 192.0.0.16.68.255 192.0 0.0.69.0.168.0.0 255.168.255.0. • In this example there are two gateways.0 gw 192.0.0.255.0 172.255.68.255.0 172.0 netmask 255.192 0.255.255. route del -net 10. [root@bigboy tmp]# netstat -nr Kernel IP routing table Destination Gateway Genmask 172.16.193 0.0.0.16.11.255.0 255.0.32 172. [root@bigboy tmp]# netstat -nr Kernel IP routing table Destination Gateway Genmask 255.16.0.0.224 172. Networks with a gateway of 0.255.0.255.0.67.193 255.0.168.1.0.16.255.193 255.0.0 127.96 172.255.0 0.1.128 172.254 wlan0 The file etc/sysconfig/static-routes will also have to be updated so that when you reboot the server will not reinsert the route.160.64 172.224 172.255.0. As no gateway is needed to reach your own directly connected interface then an address of 0.67.0 [root@bigboy tmp]# Flags UG UG UG UG U U UG UG U UG MSS 40 40 40 40 40 40 40 40 40 40 Window 0 0 0 0 0 0 0 0 0 0 irtt 0 0 0 0 0 0 0 0 0 0 Iface eth1 eth1 eth1 eth0 eth1 eth0 eth0 eth0 lo eth1 • Here is what the static routes file looks like for this multi-homed (Multiple NICs) server .255.16.255.1 0.255.0.linuxhomenetworking.0.131 255.0 0.0.0 255.0.0 172.0.0.16.0.16.255.0.67.0.0.0 0.0.255.0.0.193 255.0.67.135 255.16.0.255.192 172.69.0.1.0 seems appropriate.0 0.0.

In simple terms packet forwarding lets packets flow through the Linux box from one network to another. The best way to do this is put the commands above in your /etc/rc.16.0 netmask 255.0. Before # Disables packet forwarding #net.255.ip_forward=1 This will only enable it when you reboot at which time Linux will create a file in one of the subdirectories of the special RAM memory based /proc filesystem.160.conf.224 gw 172.135 eth0 net 172.ip_forward=1 After # Disables packet forwarding net. The router will reply with its MAC address which the server will use when forwarding the packet to the router.0 netmask 255.68. This example is for interfaces eth0 and wlan0.0 gw 172.135 eth1 net 172.16.255.193 eth1 net 172.224 gw 172.16.69.0 gw 172.68.16.240.11.193 [root@bigboy tmp]# How To Convert Your Linux Server Into A Router For your Linux server to become a router.0 netmask 255.16.16.224 gw 172.16.255.67.67.67. [root@bigboy tmp] echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp [root@bigboy tmp] echo 1 > /proc/sys/net/ipv4/conf/wlan0/proxy_arp (You can determine your network interface names with the ifconfig -a command) There is no purpose built configuration file to force Linux to do proxy ARP on booting.224 gw 172.local file .ipv4.69. To activate the feature immediately you have to create a single lined text file called /proc/sys/net/ipv4/ip_forward and it only contain the value "1".64 netmask 255. Here is how it's done: [root@bigboy tmp] echo 1 > /proc/sys/net/ipv4/ip_forward The next step needed will be activating proxy ARP. Remove the "#" from the line related to packet forwarding.d/rc.16.ipv4. All computers that need to communicate with a computer on another network send out an ARP request to get the Ethernet MAC address (separate from the IP address) of the most desirable router in their routing table. Proxy ARP activation needs to be done for each ethernet interface on your Linux box.255.131 eth0 net 172.67.32 netmask 255.0.16. you have to enable packet forwarding.255.255.0.Chapter 8: Linux Networking 81 [root@bigboy tmp]# more /etc/sysconfig/static-routes eth0 net 172.193 eth1 net 172.69. Proxy ARP has to be enabled for the Linux box to answer ARP requests.16.96 netmask 255. The configuration parameter to activate this is found in the file /etc/sysctl.16.255.255.255.

you'll have to update file.linuxhomenetworking.com echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp echo 1 > /proc/sys/net/ipv4/conf/wlan0/proxy_arp Remember to configure a default route on your Linux box to point to your Internet gateway. and also the local host's name and use the centralized DNS server handle the rest.0. The Netfilter iptables pages show how to do this.1 localhost. Configuring Your /etc/hosts File The /etc/hosts lists the name and IP address of local hosts. if the IP address for that host changes. if the name is found with a corresponding IP address then DNS won't be queried. For ease of management. then you have to add another entry in this file. First determine what your true hostname is: [root@bigboy mail]# hostname bigboy [root@bigboy mail]# o Add the corresponding entry in the /etc/hosts file for the NIC's IP address o Your NIC's /etc/hosts File Format Your machine's name is NOT listed with a DNS server IP-address hostname. You may also want to convert your new Linux router into a firewall to protect your home network.82 www. Your server will typically check this file before referencing DNS. • The /etc/hosts file has the following format: ip-address fully-qualified-domain-name alias1 alias2 alias3 etc • The very first line should always look like this with "localhost" being the only alias: 127.localdomain hostname Your machine's name is listed with a DNS server IP-address hostname.0. Unfortunately.my-site.com hostname Here are some examples: . it is best to limit entries in this file to just the loopback interface.localdomain localhost • If you have a NIC card in the server.

1.1.com with corresponding entries in the DNS zone file for my-site.168.100 isn't part of any DNS domain 192.com 192.168.168.localdomain bigboy • Host bigboy with an IP address of 192.1.com bigboy mail www Note: Only have one line per IP address in this file.168.100 bigboy.100 is the mail and web server for domain my-site.1. .my-site. If you server has multiple names.100 bigboy. then just put the two or three aliases that you feel are most important.Chapter 8: Linux Networking 83 • Host bigboy with an IP address of 192.

84

www.linuxhomenetworking.com

Chapter 8: Linux Networking

85

Chapter 9

Simple Network Troubleshooting
===========================================

In This Chapter Chapter 9
Simple Network Troubleshooting
How To See Your ARP Table How To Use "Ping" To Test Network Connectivity Using "traceroute" To Test Connectivity Viewing Packet Flow With TCPdump © Peter Harrison, www.linuxhomenetworking.com ===========================================

You will eventually find yourself trying to fix a network related problem. Here are some troubleshooting
tips to help you discover what the problem could be.

How To See MAC Addresses
There are times when you lose connectivity with another server that is directly connected to your local network. Taking a look at the ARP table of the server from which you are troubleshooting will help determine whether or not the remote server’s NIC is responding to any type of traffic from your Linux box. Lack of communication at this level may mean: • Either server may be disconnected from the network • There may be bad network cabling • A NIC may be disabled or the remote server may be shut down Here is a description of the commands you may use to determine ARP values • The "ifconfig -a" command will show you both the NIC's MAC address and the associated IP addresses of the server which you are currently logged in to.

86

www.linuxhomenetworking.com

[root@bigboy tmp]# ifconfig -a wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5 inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:47379 errors:0 dropped:0 overruns:0 frame:0 TX packets:107900 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:4676853 (4.4 Mb) TX bytes:43209032 (41.2 Mb) Interrupt:11 Memory:c887a000-c887b000 wlan0:0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5 inet addr:192.168.1.99 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:11 Memory:c887a000-c887b000 [root@bigboy tmp]# Here you can see the wlan0 interface has two IP addresses 192.168.1.100 and 192.168.1.99 tied to the NIC hardware MAC address of 00:06:25:09:6A:B5 • The "arp -a" command will show you the MAC addresses in your server's ARP table. Here we see we have some form of connectivity with the router at address 192.168.1.1 [root@bigboy root]# arp -a bigboypix (192.168.1.1) at 00:09:E8:9C:FD:AB [ether] on wlan0 ? (192.168.1.101) at 00:06:25:09:6A:D7 [ether] on wlan0 [root@bigboy root]# • You should also check the ARP table of the remote server to see whether it is populated with acceptable values too.

How To Use "Ping" To Test Network Connectivity
Whether or not your troublesome server is connected to your local network it is always a good practice to force a response from it. One of the most common methods used to test connectivity across multiple networks is the "ping" command. Ping sends ICMP “echo” type packets that request a corresponding ICMP “echo-reply” response from the device at the target address. As most servers will respond to a ping query it becomes a very handy tool. A lack of response could be due to: • A server with that IP address doesn't exist • The server has been configured not to respond to pings • A firewall or router along the network path is blocking ICMP traffic • You have incorrect routing. Check routes on the local, remote servers and all routers in between. A classic symptom of bad routes on a server is the ability to only ping servers on your local network and nowhere else. There are a variety of ICMP response codes which can help in further troubleshooting. See the appendix for a full listing of them.

Chapter 9: Simple Network Troubleshooting

87

The Linux ping command will send continuous pings, once a second, until stopped with a <Ctrl-C>. Here is an example of a successful ping to the server bigboy at 192.168.1.100 [root@smallfry tmp]# ping 192.168.1.101 PING 192.168.1.101 (192.168.1.101) from data. 64 bytes from 192.168.1.101: icmp_seq=1 64 bytes from 192.168.1.101: icmp_seq=2 64 bytes from 192.168.1.101: icmp_seq=3 64 bytes from 192.168.1.101: icmp_seq=4

192.168.1.100 : 56(84) bytes of ttl=128 ttl=128 ttl=128 ttl=128 time=3.95 time=7.07 time=4.46 time=4.31 ms ms ms ms

--- 192.168.1.101 ping statistics --4 packets transmitted, 4 received, 0% loss, time 3026ms rtt min/avg/max/mdev = 3.950/4.948/7.072/1.242 ms [root@smallfry tmp]# You may get a "Destination Host Unreachable" message if your router or server knows that the target IP address is part of a valid network, but is getting no response from the target server. The network device sends an ICMP reply type 3 which triggers the message. [root@smallfry tmp]# ping 192.168.1.105 PING 192.168.1.105 (192.168.1.105) from 192.168.1.100 : 56(84) bytes of data. From 192.168.1.100 icmp_seq=1 Destination Host Unreachable From 192.168.1.100 icmp_seq=2 Destination Host Unreachable From 192.168.1.100 icmp_seq=3 Destination Host Unreachable From 192.168.1.100 icmp_seq=4 Destination Host Unreachable From 192.168.1.100 icmp_seq=5 Destination Host Unreachable From 192.168.1.100 icmp_seq=6 Destination Host Unreachable --- 192.168.1.105 ping statistics --8 packets transmitted, 0 received, +6 errors, 100% loss, time 7021ms, pipe 3 [root@smallfry tmp]#

Using "traceroute" To Test Connectivity
Another tool for network troubleshooting is the traceroute command. It gives a listing of all the router hops between your server and the target server. This helps you verify that routing over the networks in between is correct. Traceroute works by sending a UDP packet destined to the target with a TTL of "0". The first router on the route recognizes that the TTL has already been exceeded and discards or “drops” the packet, but also sends an ICMP "time exceeded" message back to the source. The traceroute program records the IP address of the router that sent the message and knows that that is the first hop on the path to the final destination. The traceroute program tries again, with a TTL of "1". The first hop, sees nothing wrong with the packet, decrements the TTL to 0 as expected, and forwards the packet to the second hop on the path. Router 2, sees the TTL of "0", drops the packet and replies with an ICMP time exceeded message. Traceroute now knows the IP address of the second router. This continues around and around until the final destination is reached.

88

www.linuxhomenetworking.com

Here is a sample output for a query to 144.232.20.158: [root@bigboy root]# traceroute 144.232.20.158 traceroute to 144.232.20.158 (144.232.20.158), 30 hops max, 38 byte packets 1 adsl-67-120-221-110.dsl.sntc01.pacbell.net (67.120.221.110) 14.304 ms 14.019 ms 16.120 ms 2 dist3-vlan50.sntc01.pbi.net (63.203.35.67) 12.971 ms 14.000 ms 14.627 ms 3 bb1-g1-0.sntc01.pbi.net (63.203.35.17) 15.521 ms 12.860 ms 13.179 ms 4 bb2-p11-0.snfc21.pbi.net (64.161.124.246) 13.991 ms 15.842 ms 15.728 ms 5 bb1-p14-0.snfc21.pbi.net (64.161.124.53) 16.133 ms 15.510 ms 15.909 ms 6 sl-gw11-sj-3-0.sprintlink.net (144.228.44.49) 16.510 ms 17.469 ms 18.116 ms 7 sl-bb25-sj-6-1.sprintlink.net (144.232.3.133) 16.212 ms 14.274 ms 15.926 ms 8 * * * 9 * * [root@bigboy root]# If there is no response within a 5 second timeout interval a "*" is printed for that probe. Possible causes of this and other traceroute status messages are listed below:

Possible Traceroute Messages
Traceroute Symbol *** Description Time exceeded. Could be caused by: • A router on the path not sending back the ICMP "time exceeded" messages • A router or firewall in the path blocking the ICMP "time exceeded" messages • The target IP address not responding Host, network or protocol unreachable Communication administratively prohibited. A router Access Control List (ACL) or firewall is in the way Source route failed. Source routing attempts to force traceroute to use a certain path. Failure may be due to a router security setting

!H, !N, or !P !X or !A !S

Some devices will prevent traceroute packets directed at their interfaces, but will allow ICMP packets. Using traceroute with a “-I” flag forces traceroute to use ICMP packets that may go through. In this case the "* * *", status messages disappear. [root@bigboy root]# traceroute -I 144.232.20.158 traceroute to 144.232.20.158 (144.232.20.158), 30 hops max, 38 byte packets 1 adsl-67-120-221-110.dsl.sntc01.pacbell.net (67.120.221.110) 14.408 ms 14.064 ms 13.111 ms

Chapter 9: Simple Network Troubleshooting

89

2 dist3-vlan50.sntc01.pbi.net (63.203.35.67) 13.018 ms 12.887 ms 13.146 ms 3 bb1-g1-0.sntc01.pbi.net (63.203.35.17) 12.854 ms 13.035 ms 13.745 ms 4 bb2-p11-0.snfc21.pbi.net (64.161.124.246) 16.260 ms 15.618 ms 15.663 ms 5 bb1-p14-0.snfc21.pbi.net (64.161.124.53) 15.897 ms 15.785 ms 17.164 ms 6 sl-gw11-sj-3-0.sprintlink.net (144.228.44.49) 14.443 ms 16.279 ms 15.189 ms 7 sl-bb25-sj-6-1.sprintlink.net (144.232.3.133) 16.185 ms 15.857 ms 15.423 ms 8 sl-bb23-ana-6-0.sprintlink.net (144.232.20.158) 27.482 ms 26.306 ms 26.487 ms [root@bigboy root]#

Always Get A Bidirectional Traceroute
It is always best to get traceroutes from the source IP to the target IP and also from the target IP to the source IP. This is because the packet's return path from the target is sometimes not the same as the path taken to get there. A high traceroute time equates to the round trip time for both the initial traceroute query to each “hop” and the response of each “hop”. Here is an example of one such case, using disguised IP addresses and provider names. There was once a routing issue between telecommunications carriers FastNet and SlowNet. When a user at IP address 40.16.106.32 did a traceroute to 64.25.175.200, a problem seemed to appear at the 10th. hop with OtherNet. However, when a user at 64.25.175.200 did a traceroute to 40.16.106.32, latency showed up at hop 7 with the return path being very different. In this case, the real traffic congestion was occurring where FastNet handed traffic off to SlowNet in the second trace. The latency appeared to be caused at hop 10 on the first trace not because that hop was slow, but because that was the first hop at which the return packet traveled back to the source via the congested route. Remember, traceroute gives the packet round trip time. Trace route to 40.16.106.32 from 64.25.175.200 1 0 ms 0 ms 2 0 ms 0 ms 3 0 ms 0 ms [207.174.144.169] 4 0 ms 0 ms 5 0 ms 0 ms 6 0 ms 0 ms 7 0 ms 0 ms 8 30 ms 30 ms 9 30 ms 30 ms 10 1252 ms 1212 ms 11 1252 ms 1212 ms 12 1262 ms 1212 ms 13 1102 ms 1091 ms 0 0 0 0 0 0 0 30 30 1202 1192 1192 1092 [64.25.175.200] [64.25.175.253] border-from-40-tesser.boulder.co.coop.net [64.25.128.126] p3-0.dnvtco1-cr3.othernet.net [4.25.26.53] p2-1.dnvtco1-br1.othernet.net [4.24.11.25] p15-0.dnvtco1-br2.othernet.net [4.24.11.38] p15-0.snjpca1-br2.othernet.net [4.0.6.225] p1-0.snjpca1-cr4.othernet.net [4.24.9.150] h0.webhostinc2.othernet.net [4.24.236.38] [40.16.96.11] [40.16.96.162] [40.16.106.32]

Trace route to 64.25.175.200 from 40.16.106.32 1 2 3 4 1 1 2 1 ms ms ms ms 1 1 1 1 ms ms ms ms 1 1 1 1 ms ms ms ms [40.16.106.3] [40.16.96.161] [40.16.96.2] [40.16.96.65]

slownet.net [4.24.253] [64.175. Ping statistics for 186.40.inet.17.confusion. Average = 0ms G:\>tracert 186.9.17.94] .40.40.40.slownet.net rtr-2.slownet.49.33] sjo-core-01.9.52.175. transit.64. Lost = 0 (0% loss).94 and 186. transit.ge0-1-net2. Each “bounce” causes the TTL to decrease by a count of one until the TTL reaches zero at which point you get the timeout.223.net [186.94] [186.26.0.net [208.othernet.94] [186.confusion.net [4.confusion.6.fastnet.64.inet. transit.22.17.94: 186.net [205.153 gave a “TTL timeout” message.17.171.9.33.64.61] p9-0.snjpca1-br1.19.153 with 32 bytes of data: Reply Reply Reply Reply from from from from 186.171.7.40.64.net ms ms ms ms ms ms ms ms ms ms ms ms ms ms sjo-edge-03.17.snjpca1-br2.othernet.64.37] p1-0.coop.confusion. Received = 4.99] [64.25.200] Ping & Traceroute Troubleshooting Example In this example. G:\>ping 186.net [64.othernet.153] over a maximum of 30 hops: 1 2 3 4 5 6 <10 60 70 60 70 60 ms ms ms ms ms ms <10 70 71 70 70 70 ms ms ms ms ms ms <10 60 70 60 70 61 ms ms ms ms ms ms 186.25.11.5.fastnet.64.com 5 2 ms 2 [216.30] p4-3.52.94: 186.153 Pinging 186.64. The routing loop was confirmed by the traceroute in which the packet was proven to be bouncing between routers at 186.64.171.40.94: 186.64.othernet.65] 7 993 ms 961 8 1009 ms 1008 9 985 ms 947 10 1028 ms 1010 11 989 ms 988 12 1002 ms 1001 13 1031 ms 989 14 1031 ms 1017 15 1027 ms 1025 16 1045 ms 1037 17 1030 ms 1020 18 1038 ms 1031 19 1050 ms 1094 20 1050 ms 1094 ms 1 ms 1 ms ms ms ms ms ms ms ms ms ms ms ms ms ms 999 971 983 953 985 973 978 1017 1023 1050 1045 1045 1034 1034 ms border8.confusion.128.net rtr-1.othernet.othernet.13] p6-0.54] gw234.217.net ms core1.40. Ping TTLs will usually only timeout if there is a routing loop in which the packet bounces between two routers on the way to the target.24.93] [186.inet.sfj.93.net [4.confusion.1 rtr-2.130] p3-0.64.40.153 Tracing route to lostserver.24.dnvtco1-br2.net [4.11. a ping to 186.64.9.24.40.94: TTL TTL TTL TTL expired expired expired expired in in in in transit.40.net [4.net rtr-1.dnvtco1-cr3.webh02-1.othernet.net [186.net [4.40.linuxhomenetworking.205.2.0.boulder.26] p0-0.dnvtco1-br1.25.90 www.25. Approximate round trip times in milli-seconds: Minimum = 0ms.co.net rtr-2.sfj.46.9.97] [205.226] p15-0.cointcorp.29] svl-core-03.93] [186.9.net [205. Maximum = 0ms.153: Packets: Sent = 4.p4-2.net [4.17.9.77] 6 2 ms 1 [216.paix-bi1.

.40.net [186.confusion. The router immediately after the last visible one is usually the culprit. The traceroute will probably fail at the bad router on the return path. It’s usually good to check the routing table and/or other status of this next hop device. The last visible hop being the last hop in which the packets return correctly.64. If this works: Routing to the target server is OK.94] rtr-1. .40.net [186.) The network on which you expect the target host to reside doesn’t exist in the routing table of one of the routers in the path (!H or !N messages may be produced. or turned off.93] rtr-2. If it doesn’t work: Test the routing table and/or other status of all the hops between it and your intended target. It could be disconnected.) You may have a typographical error in the IP address of the target server You may have a routing loop in which packets bounce between two routers and never get to the intended destination.64. The constant activity eventually corrupted the routing tables of one of the routers.confusion. Trace complete.Chapter 9: Simple Network Troubleshooting 91 7 70 ms 70 ms 8 60 ms 70 ms 9 70 ms 70 ms . The target server doesn’t exist on the network. these include: o Traceroute packets are being blocked or rejected by a router in the path.40. The router immediately after the last visible one is the one at which the routing changes. Do a traceroute back to your source server.net [186. (!H or !N messages may be produced. Look at the routing table to determine what the next hop is to your intended traceroute target. Note: If there is nothing blocking your traceroute traffic... or the last router that has a valid return path to the server issuing the traceroute. The problem was initially triggered by an unstable network link that caused frequent routing recalculations. o o o o o . Log on to this next hop router... Possible Reasons For Failed Traceroutes Traceroutes can fail to reach their intended destination for a number of reasons. Do a traceroute from this router to your intended target server. It’s usually good to: log on to the last visible router. The packets don’t have a proper return path to your server.. 70 ms 60 ms 70 ms rtr-1. then the last visible router of an incomplete trace is either the last good router on the path.93] This problem was solved by resetting the routing process on both routers..64.confusion.

These act as filters to limit the volume of data presented on the screen.linuxhomenetworking.92 www. One of the most common uses of tcpdump is to determine whether you are getting basic two way communication. then tcpdump will use the lowest numbered interface that is UP Don't print a timestamp at the beginning of each line You can also add expressions after all the command line switches. interfaces of devices in the packet flow • The server not listening on the port because the software isn't installed or started Analyzing tcpdump in much greater detail is beyond the scope of this section.com Viewing Packet Flow With TCPdump Tcpdump is one of the most popular packages for viewing the flow of packets through your Linux box's NIC card. Lack of communication could be due to: • Bad routing • Faulty cables. Some useful expressions include: . If this is not specified. tcpdump uses command line switches to modify the output. Listen on interface. You can also use keywords such as "and" or "or" between expressions to further fine tune your selection criteria. It is installed by default on RedHat linux and has very simple syntax. Like most Linux commands. especially if you are doing simpler types of troubleshooting. Some of the more useful command line switches would include: Possible TCPdump Messages tcpdump command switch -c -i -t Description Stop after viewing count packets.

my-site.my-site.968556 bigboy.com: 21:48:58.928365 bigboy.943926 smallfry > bigboy.com > smallfry: 21:48:58.963966 bigboy.com: 21:48:58.com > smallfry: 21:48:58.927510 bigboy.my-site.com > smallfry: 21:48:58.962244 bigboy.my-site.com > smallfry: 21:48:58.my-site.com: 21:48:58. The second column of data shows the packet source then destination IP address or server name of the packet The third column shows the packet type Two way communication is occurring as each echo gets an echo reply icmp: icmp: icmp: icmp: icmp: icmp: icmp: icmp: icmp: echo echo echo echo echo echo echo echo echo request (DF) reply request (DF) reply request (DF) reply reply reply reply .928257 smallfry > bigboy.944034 bigboy.com > smallfry: 21:48:58.my-site.com > smallfry: 9 packets received by filter 0 packets dropped by kernel [root@bigboy tmp]# Explanation o o o o The first column of data is a packet time stamp.my-site.my-site.my-site.927091 smallfry > bigboy.Chapter 9: Simple Network Troubleshooting 93 Useful TCPdump Expressions tcpdump command expression host host-address icmp tcp port port-number Description View packets from the IP address host-address View icmp packets View TCP packets with packets with either a source or destination TCP port of portnumber View UDP packets with either a source or destination UDP port of port-number udp port port-number Example: tcpdump used to view ICMP "ping" packets going through interface wlan0 [root@bigboy tmp]# tcpdump -i wlan0 icmp tcpdump: listening on wlan0 21:48:58.

com.nop.timestamp 75227931 0x10] bigboy.32938: 0x10] bigboy.wscale 0> (DF) [tos R 0:0(0) ack 1 win 0 (DF) [tos R 0:0(0) ack 1 win 0 (DF) [tos bigboy.com.nop.com Example: tcpdump used to view packets on interface wlan0 to/from host 192.my-site.ssh > smallfry.168.com.sackOK.my-site.my-site.com.wscale 0> (DF) [tos R 0:0(0) ack 2013297021 win 0 S 2013297020:2013297020(0) win 0.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10] bigboy.com.32938 > bigboy.timestamp 75227931 0x10] bigboy.my-site.com.timestamp 75227931 0x10] bigboy.com.my-site.my-site. Two way communication is occuring .ssh: 5840 <mss 1460.32938: (DF) [tos 0x10] smallfry.ssh > smallfry.ssh: 5840 <mss 1460.com.ssh > smallfry.168.nop.wscale 0> (DF) [tos R 0:0(0) ack 1 win 0 (DF) [tos S 2013297020:2013297020(0) win 0.32938 > bigboy.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10] 9 packets received by filter 0 packets dropped by kernel [root@bigboy root]# Explanation o o o o The first column of data shows the packet source then destination IP address or server name of the packet The second column shows the TCP flags within the packet The client named "bigboy" is using port 32938 to communicate with the server named "smallfry" on the TCP SSH port 22.1.ssh: 5840 <mss 1460.sackOK.32938 > bigboy.linuxhomenetworking.my-site.102 on TCP port 22 with no timestamps in the output [root@bigboy root]# tcpdump -i wlan0 -t host 192.my-site.102 and tcp port 22 tcpdump: listening on wlan0 smallfry.sackOK.94 www.com.ssh > smallfry.32938: 0x10] S 2013297020:2013297020(0) win 0.1.ssh > smallfry.my-site.32938: 0x10] smallfry.

Chapter 9: Simple Network Troubleshooting 95 .

96 www.linuxhomenetworking.com .

or have upgraded your RedHat distribution’s kernel then you can refer to the sections on how to install WLAN from universally usable tar files.linux-wlan.97 Chapter 10 Linux Wireless Networking =========================================== In This Chapter Chapter 10 Linux Wireless Networking Wireless Linux Compatible NICs Linux-WLAN Preparation Installing The Linux-WLAN Drivers Post Installation Steps Linux-WLAN Encryption For Security Troubleshooting Your Wireless LAN © Peter Harrison. If you are not running RedHat Linux. .linuxhomenetworking. You have to download and install them after installing Linux. www. For this reason it is best to check the Linux-WLAN group’s website at www. Wireless Linux Compatible NICs Not all wireless NIC cards work with Linux-WLAN. RedHat did not ship with the Linux Wireless driver set (Linux-WLAN) installed. As of version 8.com =========================================== This chapter will show you how to configure wireless NIC cards on your Linux box. For this reason it may be good to keep your regular Ethernet NIC installed in the machine to provide connectivity to the web until you get the wireless NIC to work.org for the latest hardware compatibility list. or you could ask someone to burn a CD with the files needed for installation.0.

4.98 www. Even so. You may find more information in syslog or the output from dmesg Dec 1 01:28:14 bigboy insmod: /lib/modules/2.7 WMP 11 Card This card uses the Linux-WLAN compatible Intersil chipset and doesn’t have any version number stamped on it. You can determine whether you have this model by looking for the “V2. non-prefetchable) [size=3D8K] Capabilities: [40] Power Management version 2 Installing the WMP11 v2.18-14/net/prism2_pci.0 Network controller: BROADCOM Corporation: Unknown device 4301 (rev01) Subsystem: Unknown device 1737:4301 Flags: bus master.7 Card In September 2002.org site's hardware compatibility page now lists the WMP v2.4. The older version of the card that uses the Intersil chipset works with Linux.o: insmod wlan0 failed . The linux-wlan. Aug 25 21:07:06 hostname kernel: p80211knetdev_hard_start_xmit: Tx attempt prior to association.7” which is very clearly stamped on the front side of these cards.7 card using a Broadcom chipset will not. The WMP 11 Version 2. Linksys launched a Version 2. IRQ 5 Memory at f4000000 (32-bit.7 with the linux-WLAN tarball using RPMs will give the following error message on the screen: Dec 1 01:28:14 bigboy insmod: /lib/modules/2. Pre Version 2. Be careful as this message can also be due to you using an SSID in your configuration files that doesn’t match the SSID of your WAP / wireless router. Installing the WMP11 v2. You’ll have to download and install the latest firmware for a card from the Linksys website. your Linux box may not detect your NIC card at all and you will get kernel error messages like this one in /var/log/messages after you finish installing the software. then install the card in a windows box and upgrade the firmware. the original WMP won’t work without upgrading the firmware.o: init_module: No such device Dec 1 01:28:14 bigboy insmod: Hint: insmod errors can be caused by incorrect module parameters. including invalid IO or IRQ parameters.7) model of the WMP11 card using a Broadcom chipset. fast devsel. frame dropped. but the newer version 2.7 (or v2. latency 64.com The Linksys WMP11 NIC and Linux You have to be especially carefull with Linksys WMP series of wireless PCI cards. If you don't.18-14/net/prism2_pci.7 as being an incompatible device.7 with the linux-WLAN tarball will give the following error in the log file /var/log/messages 00:0c.linuxhomenetworking.

Once configured. This is good to know in order to avoid confusion when troubleshooting.1. OS version and kernel version. The syslog chapter will also show you how to set up syslog error logging to be more sensitive to error types.raleigh. this will have to be done from a source RPM.Using RPMs 2. If you need a refresher. If you need a refresher. The latest version as of this writing was: kernel-pcmcia-cs-3. the RPM chapter covers how to do this in detail. Determining The Kernel Type Use the "uname -p" command. Installing The Linux-WLAN Drivers Linux-WLAN Installation .nc. [root@bigboy tmp]# uname -p i586 [root@bigboy tmp]# .Chapter 10: Linux Wireless Networking 99 Linux-WLAN Preparation All devices on a wireless network must use the same “Network Identifier” or SSID in order to communicate with each other. It is a good source of information. The default SSID for Linux-WLAN is “linux-wlan”. RPM versions of the driver files can be found at http://prism2. This step isn't necessary for true PCI cards such as the Linksys WMP11. but as a “wlan” device. The Bigboy server discussed in the Topology chapter is running a i586 version of Linux. The Linux version may not match the CPU you have installed.unixguru. According to the linux-wlan documentation.rpm Downloading and installing RPMs isn’t hard. always use the uname version. PCMCIA Type Card Specific Information Before installing the linux-wlan software for PCMCIA type cards such as the (Linksys WPC11) you will need to install the RedHat Linux "pcmcia-cs" RPM package. the RPM chapter covers how to do this in detail. You may get "device unknown" or "no such device" errors related to the wlan device in the /var/log/messages file if you use older unpatched versions of the Linux-WLAN software. Download the latest version of linux-wlan RPM. Always be prepared to check your syslog /var/log/messages file for errors if things don't work. Always use the most recent versions to reduce the installation mental stress.i386. the default SSID for your windows NIC cards may be different. Linux-WLAN doesn’t identify the wireless NIC as an Ethernet “eth” device. Downloading and installing RPMs isn’t hard.31-9.us. It’s a good idea to decide on a common SSID and stick with it. Remember to download the files for the correct kernel type.

daily]# more /etc/issue Red Hat Linux release 8.18-14 [root@bigboy tmp]# If you upgrade the version of your Linux.i586. error messages are there for a reason.140.rpm If you get any error messages during the installation. Installing the rpm with --force and --nodeps switches does the trick by forcing the installation while not checking for dependencies. Once you have all this information.rpm [root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-pci-0.linuxhomenetworking. Here are examples for a i586 installation using a PCI card on Redhat 8.100 www. The combined Linux / Linux-WLAN upgrade will also create new versions of your /etc/sysconfig/network-scripts/ifcfg-wlan0.com Determining The OS Version One of the easiest ways is to view the /etc/issue file. module and interface packages.18-14 [root@bigboy tmp]# uname -r 2.rh80.0 [root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-0. Always remember that under normal circumstances this wouldn’t be a good idea.i586. .1.4.155. then you're doing something wrong.daily]# Determining The Kernel Version You can use the "uname -r" command to do this. Bigboy is running version 8. I have seen the kernel-wlan-ng-pcmcia rpm installation give errors stating that the kernel-pcmcia-cs rpm hadn't been previously installed even when it had been. you'll have to do these steps all over again.1.0 (Psyche) Kernel \r on an \m [root@bigboy cron. Bigboy is running version 2.i586.155.1.4.conf and /etc/pcmcia/wlanng.0 [root@bigboy cron.rpm [root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-modules-rh80.rh80.rh80.opts files which you may have to restore from the automatically saved versions. you’ll need to download and install the base.15-5. However. In this case. 3. /etc/wlan.

14]# make clean linux-wlan-ng-0. Adjust accordingly.. ACHTUNG! ATTENTION! WARNING! YOU MUST configure /etc/pcmcia/wlan-ng.org.1.1.i686.4.15-6. The most recent version as of this writing was: linux-wlan-ng-0.18-3..gz tmp]# tar -xvf linux-wlan-ng-0.gz Unzip and install the Linux-WLAN files [root@bigboy [root@bigboy [root@bigboy [root@bigboy [root@bigboy tmp]# gunzip linux-wlan-ng-0.1.14 linux-wlan-ng-0. Remember that if you upgrade your Linux version or kernel.14]# make config . For RedHat version 7.rpm error: Failed dependencies: kernel-pcmcia-cs is needed by kernel-wlan-ng-pcmcia-0.1.18-3.156. [root@bigboy tmp]# rpm -Uvh kernel-source-2.1. The default wlan0 network configuration is DHCP. you'll probably have to do these steps all over again Install the Kernel Source Files Installing Linux-WLAN using TAR files involves compiling the software to make it match the particular flavor of the Linux kernel you are running. Starting PCMCIA services: modules cardmgr. Shutting down PCMCIA services: cardmgr modules.1. then you’ll need to use the TAR file installation method.1. It is therefore important to install your kernel sources files.tar.rpm Preparing. ########################################### [100%] 1:kernel-wlan-ng-pcmcia ########################################### [100%] Adding prism2_cs alias to /etc/modules.3 it was version 2..15-6 [root@smallfry tmp]# rpm -Uvh --force --nodeps kernel-wlan-ngpcmcia-0.opts to match WAP settings!!! [root@smallfry tmp]# Linux-WLAN Installation – Using TAR files If you are running a non standard version of your RedHat kernel or using a version of Linux that is incompatible with RPMs.i386.i686.1.linux-wlan.rpm Download And Install The Linux-WLAN TAR File Download the latest version of Linux-WLAN from www.14-pre1.14-pre1.tar tmp]# cd linux-wlan-ng-0.conf file.1.14-pre1.tar.Chapter 10: Linux Wireless Networking 101 [root@smallfry tmp]# rpm -Uvh kernel-wlan-ng-pcmcia-0.4. If you are running standard RedHat Linux use the RPMs unless you have excess patience..

and usb driver questions (PCMCIA cards only) Say 'y' to pcmcia and 'n' to pci. You can also test these commands from the command line to see if they work. Add the following 4 lines to the file.com =========================================== Running “make config” command will prompt you for information: o o o (PCI cards only) Say 'y' to pci and 'n' to pcmcia. plx.102 www.linuxhomenetworking.1.d directory [root@bigboy tmp]# vi /etc/init.1. Select only a single module directory as using more than one can lead to future "make" problems. Get a directory listing of /lib/modules/ beforehand to make sure you are providing the correct kernel directory that both matches your kernel version and that also actually has files in it.d/wmp11 3. and usb driver questions When you are prompted for the "Module install directory" enter /lib/modules/”linux-kernelversion”. plx. Use other defaults =========================================== [root@bigboy linux-wlan-ng-0. Edit /etc/modules. Create a startup driver configuration file called wmp11 (or whatever you NIC card is named) in the /etc/init. where “linux-kernel-version“ is the version of the kernel. The response should be: .14]# make install o Configure The New wlan0 Interface Driver (PCI Cards) 1.conf and insert the following line to load the driver on booting: alias wlan0 prism2_pci 2.14]# make all [root@bigboy linux-wlan-ng-0. #!/bin/bash modprobe prism2_pci wlanctl-ng wlan0 lnxreq_ifstate ifstate=enable wlanctl-ng wlan0 lnxreq_autojoin ssid=linux_wlan authtype=opensystem exit 0 Remember to modify the SSID in the above commands to match that of your WAP.

[root@bigboy tmp]# chmod 755 /etc/init. the "Link" LED on your NIC card will come on solid.d/rc.Chapter 10: Linux Wireless Networking 103 message=lnxreq_autojoin ssid=linksys authtype=opensystem resultcode=success If you get a resultcode=error or something else.local file instead and save yourself a lot of grief. At this time.d/wmp11 S09wmp11 tmp]# cd /etc/rc5. as it has established a link with the WAP11 access point. When booting. You will need to create a symbolic link called "S09wmp11" to make /etc/init. The next step is to create a link to this file in the startup directories.d/rc. Locate the lines containing "ssid=linux_wlan" and set the SSID to whatever value you’ve decided to use on your wireless LAN. /etc/pcmcia/wlan-ng. [root@bigboy [root@bigboy filename) [root@bigboy [root@bigboy [root@bigboy tmp]# cd /etc/rc3.d is named "S10network".local. Make the file executable so that it will be able to run on the next system reboot./init. it may not matter and you could put these commands in your /etc/rc. . the system needs to load the drivers for the interface before it will activate the interface.d and /etc/rc5.d/rc. If you don’t want to use the /etc/rc.conf. which won't work. which is the default setting for the applications above. This may not be a problem for many installations. but this makes the driver load at the end of the booting process and the wlan0 interface will be inactive till then.d tmp]# ln -s . In RedHat the default network startup script link in /etc/rc3.. If your applications are set to promiscuous listening. 4.d/wmp11 S09wmp11 Configure The New wlan0 Interface Driver (PCMCIA Cards) Open and edit the configuration options file. and also it will cause the system to try to bring up wlan0 before the PCMCIA services. Some web sites recommend putting the driver loading commands in /etc/rc.opts.d/wmp11 5. DHCP server.d tmp]# ls *network* (Verify the "network" tmp]# ln -s . DNS (named) and SSH. when configured to specifically run on the IP address of your interface./init. then start over making sure you are using the latest versions of the Linux-WLAN software. NOTE: Never alias for the PCMCIA cards in /etc/modules.d/wmp11 be run before "S10network" during the boot process.local file then you need to ensure that you run your custom driver script before the Linux "network" script starts up the wlan0 interface device you will create later. may fail to start if the interface is down. as it is not neccessary. but applications such as Samba..

168.1. netmask. eg.1.opts file (PCMCIA type NICs) configuration file.0 NETWORK=192. Select the Wireless mode and SSID Edit your /etc/wlan. Also modify the IS_ADHOC option to make your NIC either support "adhoc" mode for peer to peer networks or "infrastructure" mode if you are using a WAP. Locate the lines containing "ssid=linux_wlan" and set the SSID to whatever value you’ve decided to use on your wireless LAN.0 ONBOOT=yes In the fixed IP version you will also need to: Substitute your selected IP.1.255 IPADDR=192. .linuxhomenetworking. GATEWAY=192. broadcast address with those above. This will disable the interface on reboot or when /etc/init.168.1.168. network.d/network is restarted.conf file (PCI type NIC) or your /etc/pcmcia/wlan-ng.255.168.104 www.100 NETMASK=255. Make sure you have correct gateway statement in your /etc/sysconfig/network file.1 o o Disable Your Existing Ethernet NIC You may want to disable your existing eth0 Ethernet interface after installing the drivers.255. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 file to have an ONBOOT=no entry.com Post Installation Steps Configure The New wlan0 Interface Edit /etc/sysconfig/network-scripts/ifcfg-wlan0 to include the following lines: DHCP Version ============ DEVICE=wlan0 USERCTL=yes ONBOOT=yes BOOTPROTO=dhcp Fixed IP Version ================= DEVICE=wlan0 BROADCAST=192.

adhoc. or otherwise eliminate the conflict by disabling the conflicting device if you don’t really need it. Insert the card in an empty slot in your Linux box and reboot.. If there is a conflict there will usually be a warning. y ." message. or "IRQ also used by. If that is the case. .infrastructure #=======INFRASTRUCTURE STATION START=================== # SSID is all we have for now AuthType="opensystem" # opensystem | sharedkey (requires WEP) # Use DesiredSSID="" to associate with any AP in range DesiredSSID="linksys" Simulate a Reboot Run the following commands and test for errors in the file /var/log/messages: PCI Cards – Installed Using RPMs [root@bigboy tmp]# /etc/init.d/network restart Now check to see IP address of the wlan interface is OK [root@bigboy tmp]# ifconfig -a [root@bigboy tmp]# ping <gateway-address> Check For Interrupt Conflicts Before installing the software you should ensure that the wireless NIC card doesn’t have an interrupt that clashes with another device in your computer.d/wmp11 [root@bigboy tmp]# /etc/init. #=======SELECT STATION MODE=================== IS_ADHOC=n # y|n.. n .Chapter 10: Linux Wireless Networking 105 Here is a sample snippet.d/init.d/network restart PCMCIA Cards [root@bigboy tmp]# /etc/rc.d/pcmcia restart [root@bigboy tmp]# /etc/init. Inspect your /var/log/messages file again: [root@bigboy tmp]# tail -300 /var/log/messages Look carefully for any signs that the card is interfering with existing card IRQs. move the card to a different slot.d/wlan restart PCI Cards – Installed Using TAR Files [root@bigboy tmp]# /etc/init.

1.0.1.com After you’ve installed the software.255.5 Mb) TX bytes:126738425 (120.168.8 Mb) Interrupt:11 Memory:c887a000-c887b000 [root@bigboy tmp]# .168. the base memory address which was used by Linux to communicate with the cards were different.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:88418 errors:0 dropped:0 overruns:0 frame:0 TX packets:88418 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:7678679 (7.255 Mask:255.0 b) Interrupt:11 Base address:0x1820 lo Link encap:Local Loopback inet addr:127. eth0 [root@bigboy tmp]# more /proc/interrupts 11: 4639 XT-PIC wlan0 (bad) (good) Interrupt conflicts are usually more problematic with old style PC-AT buses.255.0 b) TX bytes:0 (0. The above (bad) /proc/interrupts example came from a functioning PCI based Linux box. newer PCI based systems generally handle conflicts better. You can check both the interrupts and base memory of your NIC cards after doing the software installation by using the "ifconfig -a" command: [root@bigboy tmp]# ifconfig -a eth0 Link encap:Ethernet HWaddr 00:08:C7:10:74:A8 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.100 Bcast:192.3 Mb) wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5 inet addr:192. the reason why it worked was that though the interrupt was the same.0.linuxhomenetworking.0.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:215233 errors:0 dropped:0 overruns:0 frame:0 TX packets:447594 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:39394014 (37. you can also inspect your /proc/interrupts file for multiple devices having the same interrupt [root@bigboy tmp]# more /proc/interrupts 11: 4639 XT-PIC wlan0.106 www.3 Mb) TX bytes:7678679 (7.1 Mask:255.0.

you have to set the "dot11PrivacyInvoked" parameter to "true" and state which of the keys will be used as the default starting key via the "dot11WEPDefaultKeyID" parameter. Only migrate to an encrypted design after you are satisfied that the unencrypted design works satisfactorily. dot11WEPDefaultKey0= # format: xx:xx:xx:xx:xx or dot11WEPDefaultKey1= # xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx dot11WEPDefaultKey2= # e. Once you have the four sets of keys. the client must have a membership encryption password which can also be represented as a series of Wireless Encryption Protocol (WEP) keys. in AP this means WEP # is required for all STAs # If PRIV_GENSTR is not empty. you can use the /sbin/nwepgen program to generate the keys once you provide your easy to remember key generator string.opts) file and set the PRIV_GENSTR parameter to "". Neesus compatible PRIV_KEY128=false # keylength to generate PRIV_GENSTR="ketchup" # or set them explicitly.conf file (PCI type NIC) or the /etc/pcmcia/wlanng. "ketchup" is the password used to automatically generate the keys. 01:20:03:40:05 or dot11WEPDefaultKey3= # 01:02:03:04:05:06:07:08:09:0a:0b:0c:0d Not all devices on your network will use the same algorithm method to generate the encryption keys. Set genstr or keys. In the example below. use PRIV_GENTSTR to generate # keys (just a convenience) PRIV_GENERATOR=/sbin/nwepgen # nwepgen. Settings only matter if PrivacyInvoked is true lnxreq_hostWEPEncrypt=false # true|false lnxreq_hostWEPDecrypt=false # true|false dot11PrivacyInvoked=true dot11WEPDefaultKeyID=1 dot11ExcludeUnencrypted=true # true|false.g. You may find the same generator string will not create the same keys. #=======WEP=========================================== # [Dis/En]able WEP. To invoke encryption. With encryption.Chapter 10: Linux Wireless Networking 107 Linux-WLAN Encryption For Security One of the flaws of wireless networking is that all the wireless clients can detect the presence of all available network SSIDs and have the option of joining any of them. you'll have to add them them individually and in sequence to the /etc/wlan. Here is how you can use nwepgen to create the keys with a generator string of "ketchup". not both. and intra-network communication will be impossible. You then have the option of either providing a key generating string (simple password) or all four of the keys.conf (or /etc/pcmcia/wlan-ng. Note: I must strongly recommend that you first set up your network without encryption.opts file (PCMCIA type NICs) file is also used to activate this feature. If this is the case. The /etc/wlan. [root@bigboy tmp]# /sbin/nwepgen ketchup 64:c1:a1:cc:db 2b:32:ed:37:16 b6:cc:9e:1b:37 d7:0e:51:3f:03 [root@bigboy tmp]# .

The steps to reverse encryption are: o o Set the configuration file parameter "dot11PrivacyInvoked" to "false" Stop Linux-WLAN and disable the wireless wlan0 interface [root@bigboy tmp]# /etc/init. NIC cards without full Linux-WLAN compatibility will freeze up after a number of hours of working with encryption. and remove the Linux-WLAN related entries using rmmod [root@bigboy tmp]# lsmod Module Size … … prism2_pci 66672 p80211 20328 … … Used by Not tainted 1 1 (autoclean) [prism2_pci] [root@bigboy tmp]# rmmod prism2_pci [root@bigboy tmp]# rmmod p80211 o Restart Linux-WLAN and reactivate the wlan0 interface and you should be functional again.d/wlan stop Shutting Down WLAN Devices:message=lnxreq_ifstate ifstate=disable resultcode=success [root@bigboy tmp]# ifdown wlan0 o Even though you have done these two steps. Your next steps will be to list all the active drivers in memory with the lsmod command. though not active. not both.conf file would look like this: PRIV_GENSTR="" # or set them explicitly. [root@bigboy tmp]# /etc/init. the driver is still loaded in memory.linuxhomenetworking. dot11WEPDefaultKey0= 64:c1:a1:cc:db dot11WEPDefaultKey1= 2b:32:ed:37:16 dot11WEPDefaultKey2= b6:cc:9e:1b:37 dot11WEPDefaultKey3= d7:0e:51:3f:03 Remember that all devices on your network will need to have the same keys and default key for this to work.d/wlan start Starting WLAN Devices:message=lnxreq_hostwep resultcode=no_value decrypt=false encrypt=false [root@bigboy tmp]# ifup wlan0 . Set genstr or keys.108 www.com In this case your /etc/wlan. This includes all wireless NICs and WAPs De-activating Encryption In some cases.

Chapter 10: Linux Wireless Networking 109 o If you fail to reload the driver modules you’ll get errors like these below in your /var/log/messages file. result=110 Troubleshooting Your Wireless LAN Always check the /var/log/messages file for possible errors arising from the software installation. Jan 2 18:11:18 bigboy kernel: hfa384x_drvr_start: Failed. Jan 2 18:11:12 bigboy kernel: prism2sta_ifstate: hfa384x_drvr_start() failed. You can also check to see if your Linux box is out or range of the WAP. The chapter on logging covers how to do this in more detail. frame dropped. then check your /etc/sysconfig/network-scripts/ifcfg-wlan0 file for a correct IP configuration and your routing table to make sure your routes are OK. . p80211 Kernel errors in /var/log/messages usually point to an incorrectly configured SSID Nov 13 22:24:54 bigboy kernel: p80211knetdev_hard_start_xmit: Tx attempt prior to association. Jan 2 18:11:18 bigboy kernel: hfa384x_drvr_start: Initialize command failed. reg=0x8021.result=-110 Jan 2 18:11:18 bigboy kernel: hfa384x_docmd_wait: hfa384x_cmd timeout(1). If there are no errors in /var/log/messages and you can’t ping your gateways or obtain an IP address.

110 www.com .linuxhomenetworking.

linuxhomenetworking. www. This page shows how to convert your Linux box into: .com =========================================== You can convert your Linux box into a firewall using the IPtables package.111 Chapter 11 Linux Firewalls Using iptables =========================================== In This Chapter Chapter 11 Linux Firewalls Using iptables What Is iptables? Download And Install The Iptables Package How To Get iptables Started Packet Processing In iptables Iptables Packet Flow Diagram Processing For Packets Routed By The Firewall Packet Processing For Data Received By The Firewall Packet Processing For Data Sent By The Firewall Targets And Jumps Descriptions Of The Most Commonly Used Targets Important Iptables Command Switch Operations General Iptables Match Criteria Common TCP and UDP Match Criteria Common ICMP (Ping) Match Criteria Common Match Extensions Criteria Using User Defined Chains Sample iptables Scripts Basic Initialization Allowing DNS Access To Your Firewall Allowing WWW And SSH Access To Your Firewall Allowing Your Firewall To Access The Internet Allow Your Home Network To Access The Firewall Masquerading (Many to One NAT) Port Forwarding Type NAT Static NAT Logging & Troubleshooting © Peter Harrison.

iptables is considered a faster and more secure alternative.112 www.rpm.2. . • A router that will use NAT and port forwarding to both protect your home network and have another web server on your home network while sharing the public IP address of your firewall What Is iptables? Originally. the chapter on RPMs covers how to do this in detail. As a result of this. the primary one being that it ran as a separate program and not as part of the kernel. iptables has now become the default firewall package installed under RedHat Linux.d/iptables stop [root@bigboy tmp]# /etc/init. the most popular firewall / NAT package running on Linux was ipchains. Each of these queue is dedicated to a particular type of packet activity and is controlled by an associated packet transformation / filtering chain. the chart and graphic below describe the steps taken by iptables when a packet traverses the firewall.linuxhomenetworking. Don’t worry if this all seems confusing. The Netfilter organization decided to create a new product called iptables in order to rectify this shortcoming.i386. Download And Install The Iptables Package Most RedHat Linux software products are available in the RPM format.d/iptables restart To get iptables configured to start at boot: [root@bigboy tmp]# chkconfig --level 345 iptables on Packet Processing In iptables All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Install the package using the following command: [root@bigboy tmp]# rpm -Uvh iptables-ipv6-1.2. It had a number of limitations..6a-2.0 is iptables-ipv6-1.com • A firewall while simultaneously being your home website's mail.rpm Preparing. The latest version of the RPM for RedHat 8.6a-2. there’ll be tables and examples of how the concepts are all interlinked. For example. web and DNS server..d/iptables start [root@bigboy tmp]# /etc/init. If you need a refresher.i386. Downloading and installing RPMs isn’t hard. ########################################### [100%] 1:iptables ########################################### [100%] [root@bigboy tmp]# How To Get iptables Started You can start/stop/restart iptables after booting by using the following commands: [root@bigboy tmp]# /etc/init.

Chapter 11: Linux Firewalls Using iptables 113 Iptables Packet Flow Diagram .

(Rarely used) Destination network address translation (DNAT) N/A Determines whether the packet is destined to a local application or should be sent out another NIC interface Packet filtering: Packets destined for servers accessible by another NIC on the firewall. Source network address translation (SNAT) N/A Packet enters the NIC and is passed to iptables Mangle Nat PREROUTING Packet passed to the Linux routing engine N/A N/A Packet passed back to iptables Filter FORWARD Nat POSTROUTING Packet transmitted out the other NIC N/A N/A .com Processing For Packets Routed By The Firewall Packet flow Intercepted by iptables chain (Queue) Packet transformation table associated with this queue PREROUTING Description of possible modifications by iptables using this transformation table Modification of the TCP packet quality of service bits.114 www.linuxhomenetworking.

.Chapter 11: Linux Firewalls Using iptables 115 Packet Processing For Data Received By The Firewall Packet flow Actions by Operating System Packet intercepted by iptables table (Queue) Packet transformation chain associated with this queue PREROUTING Description of possible modifications by iptables using this transformation table Modification of the TCP packet quality of service bits. (Rarely used) Packet destined for firewall Packet enters the NIC from remote server. The routing engine passes the packet to the target application via the iptables filter queue filter INPUT The application receives the packet from iptables then processes it. The packet is intercepted by the iptables mangle. then nat queues mangle nat PREROUTING Destination network address translation (DNAT) Packet filtering: Packets destined for the firewall. The packet is then passed from iptables to the Linux routing engine.

(Rarely used) nat OUTPUT Source network address translation (Rarely used) Packet filtering: Packets destined for other servers / devices.linuxhomenetworking. Source network address translation (SNAT) filter OUTPUT The packet is then passed to the Linux routing engine which forwards the packet out the correct NIC The packet is intercepted by the iptables nat table nat POSTROUTING Packet transmitted out a NIC . nat and filter tables mangle OUTPUT Modification of the TCP packet quality of service bits.com Packet Processing For Data Sent By The Firewall Packet flow Actions by Operating System Packet intercepted by iptables table (Queue) Packet transformation chain associated with this queue Description of possible modifications by iptables using this transformation table The application sends data to a remote server Packet originating from firewall The packet is intercepted by iptables which then processes it in the mangle.116 www.

the targets/jumps tell the rule what to do with a packet that matches the rule perfectly. • The packet is handed over to the end application or the operating system for processing • iptables stops further processing. but will also return an error message to the host sending the packet that was blocked N/A Most common options DROP N/A LOG --log-prefix "string" Tells iptables to prefix all log messages with a user defined string. These can be accessed by making them the targets of "jumps" in the built-in chains. These include: icmp-port-unreachable (default) icmp-net-unreachable icmp-host-unreachable icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited tcp-reset echo-reply DNAT • Used to do Destination Network Address Translation. • The packet is blocked • The packet information is sent to the syslog daemon for logging • iptables continues processing with the next rule in the table • As you can't LOG and DROP at the same time. it is common to have two similar rules in sequence.rewriting the destination IP address of the --to-destination ipaddress Tells iptables what the destination IP . ie. Frequently used to tell why the logged packet was dropped REJECT --reject-with qualifier The qualifier tells what type of reject message is returned. the second will DROP it. you can create your own chains. • Works like the DROP target.Chapter 11: Linux Firewalls Using iptables 117 Targets And Jumps You don't have to rely solely on the built-in chains provided by iptables. There are a number of built-in targets that most rules may use. Descriptions Of The Most Commonly Used Targets Target ACCEPT Description • iptables stops further processing. The first will LOG the packet. So in summary.

ie.linuxhomenetworking.rewriting the source IP address of the packet • By default the source IP address is the same as that used by the firewall's interface MASQUERADE [--to-ports <port>[-<port>]] Specifies the range of source ports the original source port can be mapped to. ie.rewriting the source IP address of the packet • The source IP address is user defined • Used to do Source Network Address Translation.com Target packet SNAT Description Most common options address should be --to-source <address>[<address>][:<port>-<port>] Specifies the source IP address and ports to be used by SNAT. • Used to do Source Network Address Translation.118 www. .

Deletes all the rules in the selected table Match protocol. the possible built-in tables include: filter. mangle Append rule to end of a chain Flush.1.168. then the filter table is assumed.168. tcp. Match "output" interface on which the packet exits -A -F -p <protocol-type> -s <ip-address> -d <ip-address> -i <interface-name> -o <interface-name> Example: iptables -A INPUT -s 0/0 -i eth0 -d 192. icmp.Chapter 11: Linux Firewalls Using iptables 119 Important Iptables Command Switch Operations We’ll now explore how to use iptables command switches used to create your firewall.1 -p TCP -j ACCEPT In this example iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192. As discussed before. nat.1. all Match source IP address Match destination IP address Match "input" interface on which the packet enters. udp.1 . General Iptables Match Criteria iptables command Switch -t <table> Description If you don't specify a table. Types include.

The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http) .1.58 that is reachable via interface eth1.linuxhomenetworking.168.120 www. not a new connection request --sport <port> TCP source port Can be a single value or a range in the format: starting-port:endingport Description switches used with -p udp Description --dport <port> --dport <port> TCP destination port Can be a single value or a range in the format: starting-port:endingport --syn Example: iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.58 -o eth1 -p TCP \ -sport 1024:65535 -dport 80 -j ACCEPT In this example iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for IP address of 192.1.com Common TCP and UDP Match Criteria switches used with -p tcp --sport <port> TCP source port Can be a single value or a range in the format: start-portnumber:end-portnumber TCP destination port Can be a single value or a range in the format: starting-port:endingport Used to identify a new connection request ! --syn means.

port> . port> --dport <port. accept the expected ICMP echo-replies.Chapter 11: Linux Firewalls Using iptables 121 Common ICMP (Ping) Match Criteria Matches used with ---icmp-type --icmp-type <type> The most commonly used types are echo-reply and echo-request Description Example: iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT In this example iptables is being configured to allow the firewall send ICMP echo-requests (pings) and in turn. port> A variety of TCP/UDP source ports separated by commas A variety of TCP/UDP destination ports separated by commas A variety of TCP/UDP ports separated by commas. Description --dport <port. Source and destination ports are assumed to be the same. Common Match Extensions Criteria TCP/UDP match extensions used with -m multiport --sport <port.

Example: iptables -A FORWARD -s 0/0 -i eth0 -d 192. or an ICMP error.58 -i eth1 -p TCP \ -m state --state ESTABLISHED -j ACCEPT This is an expansion on the previous example.168.168.58 -o eth1 -p TCP \ -sport 1024:65535 -m multiport -dport 80. .122 www. The source port is in the range 1024 to 65535 and the destination ports are port 80 (www/http) and 443 (https).1. Here iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for IP address of 192.443 -j ACCEPT iptables -A FORWARD -d 0/0 -o eth0 -s 192. We are also allowing the return packets from 192.1. This is a common feature of protocols such as an FTP data transfer.168.58 to be accepted too. it is sufficient to allow packets related to established connections using the -m state and --state ESTABLISHED options. Instead of stating the source and destination ports.com Match extensions used with -m state --state <state> Description The most frequently tested states are: ESTABLISHED The packet is part of a connection which has seen packets in both directions NEW The packet is the start of a new connection RELATED The packet is starting a new secondary connection.1.1.linuxhomenetworking.58 that is reachable via interface eth1.168.

110.Chapter 11: Linux Firewalls Using iptables 123 Using User Defined Chains As stated in the introduction. iptables can be configured to have user-defined chains.2 -j fast-input-queue iptables -A OUTPUT -o eth0 -s 206.229.229. Example: iptables -A INPUT -i eth0 -d 206. In other words.2 -j fast-output-queue iptables -A fast-input-queue -p icmp -j icmp-queue-in iptables -A fast-output-queue -p icmp -j icmp-queue-out iptables -A icmp-queue-out -p icmp --icmp-type echo-request \ -m state --state NEW -j ACCEPT iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT In this example we have six queues with the following characteristics to help assist in processing speed: Chain INPUT Description The regular built-in INPUT chain in iptables The regular built-in OUTPUT chain in iptables Input chain dedicated to specific protocols Output chain dedicated to specific protocols Output queue dedicated to ICMP Intput queue dedicated to ICMP OUTPUT fast-input-queue fast-output-queue icmp-queue-out icmp-queue-in . it is possible to have a chain that determines the protocol type for the packet and then hands off the actual final processing to a protocol specific chain. For example. you can replace a long chain with a main stubby chain pointing to multiple stubby chains thereby shortening the total length of all chains the packet has to pass through. This feature is frequently used to help streamline the processing of packets. instead of having a single chain for all protocols.110.

and if all packets that don't match the "nat" and "mangle" rules are DROP-ped. It is best to invoke these from your /etc/rc. #!/bin/bash #--------------------------------------------------------------# Load modules for FTP connection tracking and NAT – You may need # them later #--------------------------------------------------------------modprobe ip_conntrack_ftp modprobe iptable_nat #--------------------------------------------------------------# Initialize all the chains by removing all the rules # tied to them #--------------------------------------------------------------iptables --flush iptables -t nat --flush . This chapter also includes other snippets that will help you get basic functionality. It shows you how to allow your firewall to: • Be used as a Linux Web / Mail / DNS server • Be the NAT router for your home network • Prevent various types of attacks using corrupted TCP. The "filter" table's INPUT. Additional ALLOW rules should be added to the end of this script snippet.124 www. The "basic initialization" script snippet should also be included in all your scripts to ensure the correct initialization of your chains should you decide to restart your script after startup. UDP and ICMP packets. It should be a good guide to get you started.linuxhomenetworking.d/rc. it is not good policy to make your "nat" and "mangle" tables DROP packets by default. then they will not reach the the INPUT. This is because these tables are queried before the "filter" table. to initialize your chain and table settings with known values. You then can use the Appendix to find a detailed script once you feel more confident. FORWARD and OUTPUT chains and won't be processed. in any iptables script you write. Pay special attention to the logging example at the end. • Outbound passive FTP access from the firewall There are also simpler code snippets in the Appendix for: • Inbound and outbound FTP connections to / from your firewall Basic Initialization It is a good policy. However. FORWARD and OUTPUT chains should DROP packets by default for the best security.local file so that the firewall script is run every time you boot up.com Sample iptables Scripts Here are some sample scripts you can use to get iptables working for you.

We'll recreate them in the next step #--------------------------------------------------------------iptables --delete-chain iptables -t nat --delete-chain iptables -t mangle --delete-chain #--------------------------------------------------------------# If a packet doesn't match one of the built in chains. then # The policy should be to drop it #--------------------------------------------------------------iptables --policy INPUT DROP iptables --policy OUTPUT DROP iptables --policy FORWARD DROP #--------------------------------------------------------------# The loopback interface should accept all traffic # Necessary for X-Windows and other socket based services #--------------------------------------------------------------iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT Allowing DNS Access To Your Firewall You’ll almost certainly want your firewall to make DNS queries to the Internet. The following statements will apply not only for firewalls acting as DNS clients but also for firewalls working in a caching or regular DNS server role. Most home networks # / websites using a single DNS server won’t require TCP statements # #--------------------------------------------------------------iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \ -j ACCEPT iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \ -j ACCEPT . #--------------------------------------------------------------# Allow outbound DNS queries from the FW and the replies too # # .Interface eth0 is the internet interface # # Zone transfers use TCP and not UDP. the user defined # chains should be deleted.Chapter 11: Linux Firewalls Using iptables 125 iptables -t mangle --flush #--------------------------------------------------------------# Now that the chains have been initialized.

Interface eth0 is the internet interface #--------------------------------------------------------------iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED. It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed.126 www.Interface eth0 is the internet interface #--------------------------------------------------------------iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED.443 --sport 1024:65535 #--------------------------------------------------------------# Allow previously established connections # .linuxhomenetworking. HTTPS is also used by RedHat Linux servers using up2date. Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection. #--------------------------------------------------------------# Allow port 80 (www) and 443 (https) connections to the firewall #--------------------------------------------------------------iptables -A OUTPUT -j ACCEPT -m state --state NEW \ -o eth0 –p tcp -m multiport --dport 80. TCP port 80 is used for HTTP traffic and port 443 is used for HTTPS (secure HTTP frequently used for credit card transactions). #--------------------------------------------------------------# Allow previously established connections # .RELATED -i eth0 –p tcp \ .com Allowing WWW And SSH Access To Your Firewall This sample snippet is for a web server that is managed remotely by its system administrator via secure shell (SSH) sessions. Connections initiated by persons logged into the webserver will be denied as outbound NEW connection packets aren't allowed.RELATED \ -j ACCEPT #--------------------------------------------------------------# Allow port 80 (www) and 22 (SSH) connections to the firewall #--------------------------------------------------------------iptables -A INPUT -p tcp -i eth0 --dport 22 –sport 1024:65535 \ -m state –state NEW -j ACCEPT iptables -A INPUT -p tcp -i eth0 --dport 80 –sport 1024:65535 \ -m state –state NEW -j ACCEPT Allowing Your Firewall To Access The Internet The following iptables sample script allows a user on the firewall to use a web browser to surf the Internet.

168.Chapter 11: Linux Firewalls Using iptables 127 If you want all TCP traffic originating from the firewall to be accepted then you can remove the following section from the snippet above: -m multiport --dport 80. packets related to NEW and ESTABLISHED connections will be allowed outbound to the Internet.0/24 -i eth1 -j ACCEPT -p all -d 192.1.1. traffic from all devices on one or more protected networks will appear as if it originated from a single IP address on the Internet side of the firewall. In other words. More specifically. types of connections and possibly even remote servers to have access to your firewall and home network. while only packets related to ESTABLISHED connections will be allowed inbound. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed. Further rules will be needed for the interface connected to the Internet to allow only specific ports.0/24 -o eth1 Masquerading (Many to One NAT) As explained in the Introduction to Networking chapter. eth1 is directly connected to a home network using IP addresses from the 192.Interface eth1 is the private network interface #--------------------------------------------------------------iptables -A INPUT iptables -A OUTPUT -j ACCEPT -p all -s 192.1.443 --sport 1024:65535 Allow Your Home Network To Access The Firewall In this example. This is done using the FORWARD chain of the "filter" table. Masquerading also depends on the Linux operating system being configured to support routing between the internet and private network interfaces of the firewall.0 network.168. iptables requires the iptables_nat module to be loaded with the "modprobe" command for the masquerade feature to work. masquerading is another word for what many call "many to one" NAT. Once masquerading has been achieved using the POSTROUTING chain of the "nat" table.168. #--------------------------------------------------------------# Allow all bidirectional traffic from your firewall to the # protected network # . iptables will have to be configured to allow packets to flow between the two interfaces. An example follows: . This is done by enabling "IP forwarding" or routing by giving the file /proc/sys/net/ipv4/ip_forward the value "1" as opposed to the default disabled value of "0". This helps to protect the home network from persons trying to initiate connections from the Internet.

then if should be the used as the default gateway for all your servers on the network. the iptables_nat module will have to be loaded and routing enabled for port forwarding to work.0/24 -d 0/0 \ -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward #--------------------------------------------------------------# Prior to masquerading. Routing too will have to be allowed in iptables with the FORWARD chain.RELATED iptables -A FORWARD -t filter -i eth0 -m --state ESTABLISHED. If their Linux firewall is their interface to the Internet and they want to host a website on one of the NAT protected home servers then they will have to use the “port forwarding” technique. this would include all NEW inbound connections from the Internet matching the port forwarding port plus all future packets related to the ESTABLISHED connection in both directions. # Allowed outbound: New.RELATED state \ -j ACCEPT state \ -j ACCEPT Note: If you configure your firewall to do masquerading.128 www. established and related connections # Allowed inbound : Established and related connections #--------------------------------------------------------------iptables -A FORWARD -t filter -i eth1 -m --state NEW.ESTABLISHED.linuxhomenetworking.Interface eth0 is the internet interface # .1. An example follows: . the packets are routed via the filter # table's FORWARD chain. Here the combination of the firewall's single IP address. Port Forwarding Type NAT (DHCP DSL) In many cases home users may get a single DHCP public IP address from their ISP. All traffic that matches a particular combination of these factors may then be forwarded to a single server on the private network.Interface eth1 is the private network interface #--------------------------------------------------------------iptables -A POSTROUTING -t nat -o eth0 -s 192. the remote server’s IP address and the source/destination port of the traffic can be used to uniquely identify a traffic flow.com #--------------------------------------------------------------# Load the NAT module #--------------------------------------------------------------modprobe iptable_nat #--------------------------------------------------------------# Allow masquerading # Enable routing by modifying the ip_forward /proc filesystem file # .168. As in masquerading. Port forwarding is handled by the PREROUTING chain of the "nat" table.

200 \ --dport 8080 --sport 1024:65535 -m state --state NEW -j ACCEPT iptables -A FORWARD -t filter -i eth1 -m state \ --state NEW.1.Chapter 11: Linux Firewalls Using iptables 129 #--------------------------------------------------------------# Load the NAT module #--------------------------------------------------------------modprobe iptable_nat #--------------------------------------------------------------# Get the IP address of the Internet interface eth0 (linux only) # # You'll have to use a different expression to get the IP address # for other operating systems which have a different ifconfig output # or enter the IP address manually in the PREROUTING statement # # This is best when your firewall gets its IP address using DHCP.Interface eth0 is the internet interface # .168. #--------------------------------------------------------------iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192. # The external IP address could just be hard coded (“typed in # normally”) #--------------------------------------------------------------external_int="eth0" external_ip="`ifconfig $external_int | grep 'inet addr' | \ awk '{print $2}' | sed -e 's/.Interface eth1 is the private network interface #--------------------------------------------------------------iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip \ --dport 80 --sport 1024:65535 -j DNAT --to 192.*://'`" #--------------------------------------------------------------# Allow port forwarding for traffic destined to port 80 of the # firewall’s IP address to be forwarded to port 8080 on server # 192.1.200:8080 echo 1 > /proc/sys/net/ipv4/ip_forward #--------------------------------------------------------------# After DNAT.ESTABLISHED.168.RELATED -j ACCEPT .168. # Connections on port 80 to the target machine on the private # network must be allowed.RELATED -j ACCEPT iptables -A FORWARD -t filter -i eth0 -m state \ --state ESTABLISHED.1. the packets are routed via the filter table's # FORWARD chain.200 # # Enable routing by modifying the ip_forward /proc filesystem file # .

Interface eth0 is the internet interface # .com Static NAT In this example.158.27 -i eth0 \ DNAT --to-destination 192.253.1.1.443 and 22 are allowed through by the FORWARD chain.28 Anywhere 192.Interface eth1 is the private network interface #--------------------------------------------------------------iptables -t -j iptables -t -j iptables -t -j nat -A PREROUTING -d 97.253.168. is NAT-ted to a single server on the protected subnet.168. Note that though the "nat" table NATs all traffic to the target servers (192.1. MASQUERADE isn't recommended to be used as it will force masquerading as the IP address of the primary interface and not any of the alias IP addresses it may have.253.253.253.168.100 # 97.158.168.102 iptables -A POSTROUTING -s 192. #--------------------------------------------------------------# Load the NAT module #--------------------------------------------------------------modprobe iptable_nat #--------------------------------------------------------------# Enable routing by modifying the ip_forward /proc filesystem file #--------------------------------------------------------------echo 1 > /proc/sys/net/ipv4/ip_forward #--------------------------------------------------------------# NAT ALL traffic: # # TO: FROM: MAP TO SERVER: # 97.1.29 iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192. As the firewall has more than one IP address.168.100 to 102).1.linuxhomenetworking.29 # # .253.158.100 \ .158.168.100 nat -A PREROUTING -d 97. all traffic to a particular public IP address.1.158.158.1.101 # 97.168.102 # # SNAT is used to NAT all other outbound connections initiated # from the protected network to appear to come from # IP address 97.0/24 \ -j SNAT -o eth1 --to-source 97.27 Anywhere 192.1.101 nat -A PREROUTING -d 97.168.253. only connections on ports 80. SNAT is therefore used to specify the alias IP address to be used for connections initiated by all other servers in the protected net.26 -i eth0 \ DNAT --to-destination 192.28 -i eth0 \ DNAT --to-destination 192. not just to a particular port.158.1.158.26 Anywhere 192.253.168.130 www.

102 \ -m multiport --dport 80.1. o .RELATED -j ACCEPT Logging & Troubleshooting You track packets passing through the iptables list of rules using the LOG target.RELATED -j ACCEPT iptables -A FORWARD -t filter -i eth0 -m state \ --state ESTABLISHED.Chapter 11: Linux Firewalls Using iptables 131 -m multiport --dport 80.1.22 --sport 1024:65535 \ -m state --state NEW -j ACCEPT iptables -A FORWARD -t filter -i eth1 -m state \ --state NEW.443. You should be aware that the LOG target: o o will log all traffic that matches the iptables rule in which it is located.22 --sport 1024:65535 \ -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.102 on the home network. Therefore if you want to log only unwanted traffic then you have to add a matching rule with a DROP target immediately after the LOG rule. #--------------------------------------------------------------# Log and drop all other packets to file /var/log/messages # Without this we could be crawling around in the dark #--------------------------------------------------------------iptables -A OUTPUT -j LOG iptables -A OUTPUT -j LOG iptables -A FORWARD -j LOG iptables -A INPUT -j DROP iptables -A INPUT -j DROP iptables -A FORWARD -j DROP Here are some examples of the output of this file: Firewall denying replies to DNS queries (UDP port 53) destined to server 192.168.168. you’ll find yourself logging both desired and unwanted traffic with no way of discerning between the two as by default iptables doesn’t state why the packet was logged in its log message.22 --sport 1024:65535 \ -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.443.101 \ -m multiport --dport 80. automatically writes an entry to the /var/log/messages file and then executes the next rule.1.443. You can use the contents of this file to determine what TCP/UDP ports you need to open to provide access to specific traffic that is currently stopped.ESTABLISHED. If you don’t. This example logs a summary of failed packets to the file /var/log/messages.168.

42.113 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56 Note: The traffic in all these examples isn’t destined for the firewall.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221 o Firewall denying Network Time Protocol (NTP UDP port 123) Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.30 DST=192.168. then follow the steps in the Network Troubleshooting chapter to determine whether the data is reaching your firewall at all.100 DST=192. OUTPUT statements If nothing shows up in the logs. FORWARD and NAT related statements.1.200. If the firewall’s IP address is involved. OUTPUT. Basic NAT testing will require you to ask a friend to try to connect to your home network from the Internet.com Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192. the location your network that could be causing the problem.93.132 www.1. then you should focus on the INPUT.168.102 DST=207. Troubleshooting NAT: As a general rule. and if it is not.81. You can then use the logging output in /var/log/messages to make sure that: o o the translations are occurring correctly and iptables isn’t dropping the packets after translation occurs .1. Therefore you should check your INPUT.168.linuxhomenetworking. you won’t be able to access the public NAT IP addresses from servers on your home network.168.1.102 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200 o Firewall denying Windows NetBIOS traffic (UDP port 138) Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.

www. are installed by default in RedHat Linux. The configuration files for each of the network programs xinetd controls are located in the /etc/xinetd. Xinetd is pre-installed in newer RedHat versions and is configured to startup automatically at boot time. TFTP and XINETD Telnet TFTP © Peter Harrison. [root@bigboy tmp]# /etc/init.com =========================================== Xinetd is a program used to start and stop a variety of Linux data communication applications. . such as Telnet.133 Chapter 12 Telnet. TFTP and XINETD =========================================== In This Chapter Chapter 12 Telnet.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ] [root@bigboy tmp]# Remember that you will also be restarting all the other xinetd controlled processes. others such as TFTP.d directory. need to be installed afterwards.linuxhomenetworking. If you are logged into your Linux box via Telnet and then restart xinetd you will disconnect your self from your Linux server as Telnet would be restarted too. Once you have edited the configuration files you’ll have to restart xinetd to make the configurations take effect. Some of these applications.

168.255.255.134 www.com Telnet What is Telnet? Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged into the VGA console.18-14 (smallfry..168.1.0..0 255. [root@bigboy root]# telnet 192. [root@bigboy root]# .0.168.com) (10:35 on Sunday.168.0.255. Telnet is installed and enabled by default on RedHat Linux.1.0.105.1.1. One of the disadvantages of Telnet is that the data is sent as clear text. You enter the word "telnet" and then the IP address or server name to which you want to connect.0.168.105 Trying 192.0. Here is an example of someone logging into a remote server named "smallfry" from server "bigboy".0 Flags UH U U UG MSS 40 40 40 40 Window 0 0 0 0 irtt 0 0 0 0 Iface wlan0 wlan0 lo wlan0 [peter@smallfry peter]$ exit logout Connection closed by foreign host.255 192. A more secure method for remote logins would be via Secure Shell (SSH) which uses varying degrees of encryption.0 0. Escape character is '^]'.0. The command to do remote logins via telnet from the command line is simple.255.1.0 0.0 Gateway 0. This means that it is possible for someone to use a network analyzer to peek into your data packets and see your username and password.0 0.105. [peter@smallfry peter]$ [peter@smallfry peter]$ netstat -nr Kernel IP routing table Destination 255. 05 January 2003) Login: peter Password: Last login: Fri Nov 22 23:29:44 on ttyS0 You have new mail.0. The user looks at the routing table and then logs out.0.0 0. Connected to 192.0.255 255.0 192.255. Linux 2.0.0 127.1 Genmask 255.0.0.255.0.4.my-site.linuxhomenetworking.

service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = yes } You'll then have to restart xinetd for the new settings to take effect. The reverse is also true. .Chapter 12: Telnet. A common use of this reverse TFTP is the application of access control lists (ACLs) and even passwords from a centralized file. # default: on # description: The telnet server serves telnet sessions. it uses \ # unencrypted username/password pairs for authentication.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ] [root@bigboy tmp]# TFTP What is TFTP? Cisco and other networking equipment manufacturers allow you to backup live configurations from routers and switches to workstations via the TFTP protocol.d/telnet and set the disable parameter to "yes". A remotely stored configuration file is always good to have. You can test whether the Telnet process is running with the following command which is used to check the TCP/UDP ports on which your server is listening: [root@bigboy root]# netstat -a | grep telnet tcp 0 0 *:telnet *:* [root@bigboy root]# LISTEN If you want to disable Telnet then edit the file /etc/xinetd. TFTP and XINETD 135 Setting Up A Telnet Server By default Telnet is installed enabled on RedHat Linux. configurations can be loaded from the server to the network device. [root@bigboy tmp]# /etc/init.

linuxhomenetworking. Downloading and installing RPMs isn’t hard.d/tftp and set disable to "no".1. service tftp { socket_type = dgram protocol = udp wait = yes user = root only_from = 192. Create a /tftpboot directory with global read write privileges [root@bigboy tmp]# chmod 777 /tftpboot o Restart xinetd [root@bigboy tmp]# /etc/init. If you need a refresher. You can extend this list with commas in between or just comment it out al together for global access. Here are the steps to setting up the software: Install the package using the following command: [root@bigboy tmp]# rpm -Uvh tftp-server-0.1.29-3. the chapter on RPMs covers how to do this in detail.i386.168.com Setting up a TFTP server Most RedHat Linux software products are available in the RPM format.168. \ # and to start the installation process for some operating systems.136 www.1 server = /usr/sbin/in.29-3. xinetd will only allow the TFTP server to accept connections from the router / switch / firewall with an address of 192.0 is tftp-server0. # default: off # description: The tftp server serves files using the trivial # file transfer \ # protocol. The latest TFTP server version of the RPM for RedHat 8. download configuration files to # network-aware printers.tftpd server_args = -s /tftpboot disable = no per_source = 11 cps = 100 2 } In this example.1.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ] [root@bigboy tmp]# o o . The tftp protocol is often used to boot diskless \ # workstations.rpm o Edit the file /etc/xinetd.

1 [root@bigboy tmp]# touch /tftpboot/pixfw-config tmp]# chmod 666 /tftpboot/pixfw-config tmp]# ll /tftpboot/ root root 3011 Oct 29 14:09 pixfw-config tmp]# Configuring Cisco Devices for TFTP You'll now have to configure your Cisco router / firewall to use the TFTP server. TFTP write '/pixfw-config' at 192.. Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342 [OK] pixfw# • Save the configuration to the TFTP server pixfw# write network Building configuration.. Use 'write network all' to show both default and non-default .1. get into enable mode and then enter the TFTP commands ciscoswitch> (enable) wr net This command shows non-default configurations only.. TFTP and XINETD 137 o Each device must have a configuration file in the /tftpboot directory.1.168.168..100 /pixfw-config pixfw(config)# exit • Save the configuration to non volatile memory pixfw# write memory Building configuration.Chapter 12: Telnet. The following examples assume that the TFTP server's IP address is 192.1.100 Cisco PIX firewall • Log onto the device. Here's an example of what to do for a SOHO firewall with the name "pixfw" and a configuration filename that matches cisco's standard naming scheme of "devicename"-config [root@bigboy [root@bigboy [root@bigboy total 1631 -rw-rw-rw.100 on interface 1 [OK] pixfw# Cisco Switch Running CATOS • Log onto the device. get into enable mode and then enter the TFTP commands pixfw> enable Password: ******** pixfw# configure terminal pixfw(config)# tftp-server inside 192.168.

138

www.linuxhomenetworking.com

configurations. IP address or name of remote host? [192.168.1.100] Name of configuration file?[ciscoswitch-config] Upload configuration to ciscoswitch-config on 192.168.1.100 (y/n) [n]? y ......... Finished network upload. (30907 bytes) ciscoswitch> (enable)

Cisco Router
• Log onto the device, get into enable mode, then configure mode and then enter the TFTP commands ciscorouter> enable ciscorouter#write net Remote host [192.168.1.100]? 192.168.1.100 Name of configuration file to write [ciscorouter-config]? ciscorouter-config Write file ciscorouter-config on host 192.168.1.100? [confirm] y ciscorouter# exit

Cisco CSS 111000 "Arrowpoints"

Log onto the device and then enter the tftp commands ciscocss# copy running-config tftp 192.168.1.100 ciscocss-config Working..(\) 100% Connecting (/) Completed successfully. ciscocss# exit

Cisco Local Director
• Log onto the device, get into enable mode, then configure mode and then enter the TFTP commands ciscold> ena Password: ciscold# write net 192.168.1.100 ciscold-config Building configuration... writing configuration to //ciscold-config on 192.168.1.100:69 ... [OK] ciscold# exit

Chapter 12: Telnet, TFTP and XINETD

139

Using TFTP To Restore Your Router Configuration
One of the benefits of having a TFTP server is that you can save your configuration files on a remote server's hard disk. This can be very useful in the event of a router failure after which you need to reconfigure the device from scratch. One of the simplest ways of doing this using TFTP is to: o o o o o Connect your router to the local network of the TFTP server Give your router the bare minimum configuration that allows it to ping your TFTP server. (No access controls or routing protocols) Use the copy command to copy the backup configuration from the TFTP server to your startup configuration in NVRAM. Disconnect the router from the network Reload the router without saving the live running configuration to overwrite the startup configuration. On rebooting, the router will copy the startup configuration stored in NVRAM into a clean running configuration environment Log into the router via the console and verify the configuration is OK Reconnect the router to the networks on which it was originally connected

o o

Here are the commands: ciscorouter> enable Password: ******** ciscorouter# write erase ciscorouter# copy tftp:file-name startup-config ciscorouter# reload Please be aware that the "write erase" command erases your NVRAM startup configuration and should always be used with great care.

140

www.linuxhomenetworking.com

141

Chapter 13

Linux FTP Server Setup
===========================================

In This Chapter Chapter 13
Linux FTP Server Setup
FTP Overview Problems With FTP And Firewalls How To Download And Install The VSFTP Package How To Get VSFTP Started Testing To See If VSFTP Is Running What Is Anonymous FTP? The /etc/vsftpd.conf File FTP Security Issues Example #1: © Peter Harrison, www.linuxhomenetworking.com ===========================================

This chapter will show you how to convert your Linux box into an FTP server using the VSFTP package.
The RedHat software download site runs on VSFTP.

FTP Overview
File Transfer Protocol (FTP) is a common method of copying files between computer systems. Two TCP ports are used to do this:

142

www.linuxhomenetworking.com

FTP Control Channel - TCP Port 21
All commands you send and the ftp server's responses to those commands will go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) will go over the data connection.

FTP Data Channel - TCP Port 20
Used for all data sent between the client and server.

Active FTP
Active FTP works as follows: o o Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection. Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port on the client. Thus the 'ls' listing that you asked for comes back over the "port 20 to high port connection", not the port 21 control connection. FTP active mode data transfer therefore does this in a counter intuitive way to the TCP standard as it selects port 20 as it's source port (not a random high port > 1024) and connects back to the client on a random high port that has been pre-negotiated on the port 21 control connection.

o o

Chapter 13: Linux FTP Server Setup

143

o

Active FTP may fail in cases where the client is protected from the Internet via many to one NAT (masquerading). This is because the firewall will not know which of the many servers behind it should receive the return connection.

Passive FTP
Passive FTP works as follows: o o Your client connects to the FTP server by establishing a FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over that connection. Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client with a destination port of a high port on the server. Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Passive FTP works better for clients protected by a firewall as the client always initiates the required connections.

o o

Problems With FTP And Firewalls
FTP frequently fails when the data has to pass through a firewall as FTP uses a wide range of unpredictable TCP ports and firewalls are designed to limit data flows to predictable TCP ports. There are ways to overcome this as explained in the following sections. The Appendix has examples of how to configure the iptables Linux filewall to function with both active and passive FTP.

Client Protected By A Firewall Problem
Typically firewalls don't let any incoming connections at all, this will frequently cause active FTP not to function. This type of FTP failure has the following symptoms: o The active ftp connection appears to work when the client initiates an outbound connection to the server on port 21. The connection appears to hang as soon as you do an "ls" or a "dir" or a "get". This is because the firewall is blocking the return connection from the server to the client. (From port 20 on the server to a high port on the client)

Solutions
Here are the general firewall rules you'll need to allow FTP clients through a firewall:

Required Rules for FTP Method Source Address Source Port Destination Address Destination Port Connection Type Allow outgoing control connections to server Control Channel FTP client/ network FTP server** High FTP server** 21 New 21 FTP client/ network High Established* Allow the client to establish data channels to remote server Active FTP FTP server** 20 FTP client /network FTP server** High New FTP client/ network Passive FTP FTP client/ network FTP server** High 20 Established* High FTP server** High New High FTP client/ network High Established* *Many home based firewall/routers automatically allow traffic for already established connections. Server Protected By A Firewall Problem o Typically firewalls don't let any connections come in at all. ** in some cases. not just a specific client server or network.linuxhomenetworking.144 www. This rule may not be necessary in all cases. FTP server failure due to firewalls in which the active ftp connection from the client doesn't appear to work at all Solutions Here are the general firewall rules you'll need to allow FTP severs through a firewall . you may want to allow all Internet users to have access.com Client Protected by Firewall .

In version 8. • Now download the file to a directory such as /tmp and install it using the “rpm” command: .1.0-1. the VSFTP RPM file is named: vsftpd-1.Required Rules for FTP Method Source Address Source Port Destination Address Destination Port Connection Type Allow incoming control connections to server Control Channel FTP client/ network** FTP server High FTP server 21 New 21 FTP client/ network** High Established* Allow server to establish data channel to remote client Active FTP FTP server 20 FTP client/network** FTP server High New FTP client/ network** Passive FTP FTP client/ network** FTP server High 20 Established* High FTP server High New High FTP client/ network** High Established* *Many home based firewall/routers automatically allow traffic for already established connections. not just a specific client server or network.rpm Downloading and installing RPMs isn’t hard. ** in some cases.i386. the RPM chapter covers how to do this in detail. This rule may not be necessary in all cases. How To Download And Install The VSFTP Package • As explained previously.0 of the operating system. If you need a refresher. you may want to allow all Internet users to have access. RedHat software is installed using RPM packages.Chapter 13: Linux FTP Server Setup 145 Server Protected by Firewall .

d directory. so you’ll have to edit this file to start the program. Testing To See If VSFTP Is Running You can always test whether the VSFTP process is running by using the netstat –a command which lists all the TCP and UDP ports on which the server is listening for traffic.linuxhomenetworking.. Make sure the contents look like this. VSFTP is deactivated by default. to disable VSFTP once again.com [root@bigboy Preparing. service ftp { disable = no socket_type = stream wait = no user = root server = /usr/sbin/vsftpd nice = 10 } You will then have to restart xinetd for these changes to take effect using the startup script in the /etc/init. The example below shows the expected output. The disable feature must be set to "no" to accept connections.1.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ] [root@aqua tmp]# Naturally. 1:vsftpd [root@bigboy tmp]# rpm -Uvh vsftpd-1.i386.d/vsftpd file.rpm ########################################### [100%] ########################################### [100%] tmp]# How To Get VSFTP Started The starting and stopping of VSFTP is controlled by xinetd via the /etc/xinetd. [root@bigboy root]# netstat -a | grep ftp tcp 0 0 *:ftp [root@bigboy root]# *:* LISTEN .d/vsftpd. set “disable” to “yes” and restart xinetd. you’ll have to edit /etc/xinetd. there would be no output at all if VSFTP wasn’t running..0-1.146 www. [root@aqua tmp]# /etc/init.

...Chapter 13: Linux FTP Server Setup 147 What Is Anonymous FTP? Anonymous FTP is used by web sites that need to exchange files with numerous unknown remote users. Unlike regular FTP where you login with a userspecific username. By default. The /etc/vsftpd. you will # obviously need to create a directory writable by the FTP user.. Also by default. Remove/add the "#" at the beginning of the line to "activate/deactivate" the feature on each line.. #anon_upload_enable=YES . using anonymous FTP as a remote user is fairly straight forward. Common uses include downloading software updates and MP3s to uploading diagnostic information for a technical support engineer’s attention. I would suggest turning this off. VSFTP doesn't allow remote users to create directories on your FTP server and it logs FTP access to the /var/log/vsftpd.. . . # Allow anonymous FTP? anonymous_enable=YES .. By default VSFTP only allows anonymous FTP downloads to remote users. As seen in the chapter on RPMs. . anonymous FTP only requires a username of "anonymous" and your email address for the password.... # Uncomment to allow the anonymous FTP user to upload files. # Uncomment this to allow local users to log in.log log file. Also. # (Needed even if you want local users to be able to upload files) write_enable=YES . This only # has an effect if global write enable is activated. not uploads from them.. so you’ll have to restart xinetd each time you edit the file in order for the changes to take effect.. VSFTP can be configured to support user based and or anonymous FTP in its configuration file... VSFTP runs as an anonymous FTP server. The configuration file’s anonymous_enable instruction can be commented out using a “#” to disable this feature.conf configuration file when it starts. . # Uncomment this to enable any form of FTP write command. local_enable=YES .conf File VSFTP only reads the contents of its /etc/vsftpd. This file uses a number of default settings you need to know. The configuration file is fairly straight forward as you can see in the snippet below... you’ll automatically have access to only the default anonymous FTP directory /var/ftp and all its subdirectories.. Unless you want any remote user to log into to your default FTP directory. # Uncomment this if you want the anonymous FTP user to be able to create # new directories. Once logged in to a VSFTP server.

.. # Activate logging of uploads/downloads. Anonymous Upload If you want remote users to write data to your FTP server then it is recommended you create a write-only directory within /var/ftp/pub.com #anon_mkdir_write_enable=YES . Do not delete entries from the default list. it is best to add. This could make your user account vulnerable to an unauthorized attack from a person eavesdropping on the network connection.. a feature that FTP does.. SCP however does not support anonymous services. .log FTP Security Issues The /etc/vsftpd.conf to make it harder for malicious users to determine the type of system you have..148 www.. # You may override where the log file goes if you like. #xferlog_file=/var/log/vsftpd.linuxhomenetworking. ftpd_banner= New Banner Here Using SCP As Secure Alternative To FTP One of the disadvantages of FTP is that it does not encrypt your username and password.. This will allow your users to upload.ftpusers File For added security you may restrict FTP access to certain users by adding them to the list of users in this file. Secure Copy (SCP) provides encryption and could be considered as an alternative to FTP for trusted users. # The default is shown# below. but not access other files uploaded by other users. . Here are the commands to do this: [root@bigboy tmp]# mkdir /var/ftp/pub/upload [root@bigboy tmp]# chmod 733 /var/ftp/pub/upload FTP Greeting Banner Change the default greeting banner in /etc/vsftpd. .. xferlog_enable=YES .

but a group of trusted users need to have read only access to a directory for downloading files.d/vsftp and set the disable value to "no". Comment out the anonymous_enable line in the /etc/vsftpd. In this case we’ll use "/home/ftp-users" and a user group name of "ftp-users” for the remote users.conf file like this: o o # Allow anonymous FTP? # anonymous_enable=YES o Enable individual logins by making sure you have the local_enable line uncommented in the /etc/vsftpd. Here are the steps: Enable FTP. [root@bigboy tmp]# chmod 750 /home/ftp-docs [root@bigboy tmp]# chown root:ftp-users /home/ftp-docs o Add users. [root@bigboy tmp]# groupadd ftp-users [root@bigboy tmp]# mkdir /home/ftp-docs o Make the directory accessible to the ftp-users group. local_enable=YES o Create a user group and shared directory. and make their default directory /home/ftp-docs [root@bigboy [root@bigboy [root@bigboy [root@bigboy [root@bigboy [root@bigboy [root@bigboy [root@bigboy o tmp]# tmp]# tmp]# tmp]# tmp]# tmp]# tmp]# tmp]# useradd -g ftp-users useradd -g ftp-users useradd -g ftp-users useradd -g ftp-users passwd user1 passwd user2 passwd user3 passwd user4 -d -d -d -d /home/ftp-docs /home/ftp-docs /home/ftp-docs /home/ftp-docs user1 user2 user3 user4 Copy files to be downloaded by your users into the /home/ftp-docs directory . Edit the /etc/xinetd.Chapter 13: Linux FTP Server Setup 149 Example #1: FTP Users With Only Read Access To A Shared Directory In this example. Disable anonymous FTP. anonymous FTP is not desired.conf file like this: # Uncomment this to allow local users to log in.

168. [root@bigboy tmp]# /etc/init.181.1.1 root root 0 Jan 4 09:08 testfile [root@smallfry tmp]# o Connect to bigboy via FTP [root@smallfry tmp]# ftp 192.100:root): user1 331 Please specify the password. ftp> o We can view and download a copy of the VSFTP RPM .1.1.100.100 (192. break me) Name (192. If you absolutely don't want any FTP users to be able to write to any directory then you should comment out the write_enable line in your /etc/vsftpd. 220 ready. ftp> o As expected. we can't do an upload transfer of "testfile" to bigboy. dude (vsFTPd 1. Have fun.168.150 www.168.168.100).conf file like this: #write_enable=YES o Restart vsftp for the configuration file changes to take effect. Remote system type is UNIX.1. Password: 230 Login successful.1.168. [root@smallfry tmp]# ll total 1 -rw-r--r-.1. ftp> put testfile local: testfile remote: testfile 227 Entering Passive Mode (192. Using binary mode to transfer files.linuxhomenetworking.com o Change the permissions of the files in the /home/ftp-docs directory for read only access by the group [root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/* [root@bigboy tmp]# chmod 740 /home/ftp-docs/* Users should now be able to log in via ftp to the server using their new user names and passwords.0: beat me.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ] [root@bigboy tmp]# Sample Login Session To Test Funtionality o Check for the presence of a test file on the ftp client server.210) 553 Could not create file.100 Connected to 192.

tmp local: vsftpd-1.1.rpm 226 Directory send OK.0-1. we can't do anonymous ftp. [root@smallfry tmp]# .5e+02 Kbytes/sec) ftp> exit 221 Goodbye.i386.168.0: beat me. 226 File send OK.100 Connected to 192.168.100.168. 76288 bytes received in 0.0-1.i386.rpm 227 Entering Passive Mode (192. ftp> quit 221 Goodbye. -rwxr----.1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.rpm (76288 bytes).Chapter 13: Linux FTP Server Setup 151 ftp> ls 227 Entering Passive Mode (192.1.499 secs (1. [root@smallfry tmp]# o As expected.35. Login failed.1. break me) Name (192. Password: 530 Login incorrect.1.1.100:root): anonymous 331 Please specify the password. [root@smallfry tmp]# ftp 192.rpm.1.168.tmp remote: vsftpd-1.0-1.173) 150 Here comes the directory listing.168.1.1.i386.rpm vsftpd-1. 220 ready. ftp> get vsftpd-1.1.168.i386.0-1.0-1.156) 150 Opening BINARY mode data connection for vsftpd-1.1.i386.i386.100 (192.1.100.rpm.1. dude (vsFTPd 1.44.100).

com .152 www.linuxhomenetworking.

SSH and SCP could be the right choice for you. so all your activities can be monitored. Similar programs such as Telnet and FTP can be security hazards as they do not encrypt their passwords. H Using Secure Shell As A Replacement For Telnet When you use Telnet to remotely log into a Linux box you run the risk of people being able to eavesdrop on your network wire to see your username and password as unencrypted text.com =========================================== ere is some information on how to both remotely log in and copy files using a secure encrypted connection with Secure Shell (SSH) and Secure Copy (SCP). None of the data flow in Telnet is encrypted. www.linuxhomenetworking. .153 Chapter 14 Secure Remote Logins And File Copying =========================================== In This Chapter Chapter 14 Secure Remote Logins And File Copying Using Secure Shell As A Replacement For Telnet Testing To See If SSH Is Running The etc/ssh/sshd_config File Using SSH To Login To A Remote Machine What You Should Expect To See When You Log In Deactivating Telnet once SSH is installed Using SCP as a more secure replacement for FTP © Peter Harrison.

0. . such as port 435 • First make sure your system isn't listening on port 435.d/sshd start [root@bigboy tmp]# /etc/init. then you can change port 22 to something else that won't interfere with other applications on your system.1 #ListenAddress 0.d/sshd restart Remember to restart the SSH process every time you make a change to the configuration files for the changes to take effect on the running process. #Port 22 #Protocol 2.154 www. By default SSH listens on all your NICs and uses TCP port 22.com RedHat Linux comes standard with Secure Shell (SSH) installed. using the "netstat" command and using "grep" to filter out everything that doesn't have the string "435". see the references in the bibliography. [root@bigboy tmp]# chkconfig --level 35 sshd on • You can also start/stop/restart SSH after booting by running the sshd initialization script.d/sshd stop [root@bigboy tmp]# /etc/init. but leave them commented. There are GUI based SSH clients available for Windows.linuxhomenetworking. See the configuration snippet below: # # # # The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible. You should get a response of plain old process ID numbers: [root@bigboy tmp]# pgrep sshd The etc/ssh/sshd_config File The SSH configuration file is called /etc/ssh/sshd_config. Uncommented options change a default value. Testing To See If SSH Is Running You can test whether the SSH process is running with the following command. • You can get SSH configured to start at boot by using the chkconfig command. [root@bigboy tmp]# /etc/init. When logging in from another Linux/UNIX machine you use the "ssh" command. This provides an encrypted data stream for you to use when you log in from one machine to another.0 #ListenAddress :: If you are afraid of people trying to hack in on a well known TCP port.0.

User “root” Logs In To smallfry As User “root” [root@bigboy tmp]# ssh smallfry User “root” Logs In To smallfry As User “peter” Using default port 22 [root@bigboy tmp]# ssh -l peter smallfry Using port 435 [root@bigboy tmp]# ssh -l peter -p 435 smallfry What You Should Expect To See When You Log In The first time you log in.Chapter 14: Secure Remote Logins And File Copying 155 [root@bigboy root]# netstat -an | grep 435 [root@bigboy root]# • No response. If port 435 is being used. Change the Port line in /etc/ssh/sshd_config to mention 435 and remove the "#" at the beginning of the line. Port 435 • Restart SSH [root@bigboy tmp]# /etc/init.0.d/sshd restart • Check to ensure SSH is running on the new port [root@bigboy root]# netstat -an | grep 435 tcp 0 0 192.0.0:* [root@bigboy root]# LISTEN Using SSH To Login To A Remote Machine Using SSH is similar to Telnet. your username will not change. Here are some examples for a server named “smallfry” in your /etc/hosts file. If you leave out the "-l".1. pick another port and try again. Something like this: .100:435 0. OK. To login from another Linux box use the "ssh" command with a "-l" to specify the username you wish to login as.168. you will get a warning message saying that the remote host doesn't know about your machine.

d/telnet and set the disable parameter to "yes". [root@bigboy tmp]# /etc/init. Are you sure you want to continue connecting (yes/no)? yes Host 'smallfry' added to the list of known hosts.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ] [root@bigboy tmp]# . [root@smallfry tmp]# Deactivating Telnet once SSH is installed Now you need to switch off Telnet. It is !! highly advisable to turn StrictHostKeyChecking to "yes" and !! manually copy host keys to known_hosts. ssh1 protocol is vulnerable to an !! attack known as false-split. Xinetd is installed by default in RedHat 7. which makes it relativily easy to !! hijack the connection without the attack being detected.com [root@bigboy tmp]# ssh smallfry Host key not found from the list of known hosts.98 No mail.telnetd log_on_failure += USERID disable = yes } Now restart xinetd.156 www. The configuration files for each of the network programs it controls is located in the /etc/xinetd.linuxhomenetworking.d directory. Edit the file /etc/xinetd. it uses \ # unencrypted username/password pairs for authentication. The Telnet server is controlled by the xinetd network security program.1.168.3 and newer. !! If host key is new or changed. service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in. # default: on # description: The telnet server serves telnet sessions. root@smallfry's password: Last login: Thu Nov 14 10:18:45 2002 from 192.

passwords and data are sent across the network unencrypted. [root@bigboy tmp]# scp /etc/hosts root@192.Chapter 14: Secure Remote Logins And File Copying 157 Using SCP as a more secure replacement for FTP From a networking perspective. More secure forms such as SFTP (Secure FTP) and SCP (Secure Copy) are available as a part of the Secure Shell package that is normally installed by default on RedHat. FTP isn't very secure as usernames.cz/eng/ Secure Copy (SCP) is installed in parallel with SSH and they always run simultaneously on the same TCP port. Copying Files To The Local Linux Box Command Format: scp username@address:remotefile localdir Example: Copy file /tmp/software.168.rpm on the remote machine to the local directory /usr/rpm [root@bigboy tmp]# scp root@smallfry:/tmp/software.1.rpm /usr/rpm Copying Files To The Remote Linux Box Command Format: scp filename username@address:remotedir Example: Copy file /etc/hosts on the local machine to directory /tmp on the remote server. SCP doesn't support anonymous downloads like FTP.103:/tmp . There is a windows scp client called WinSCP which can be downloaded at: http://winscp.vse.

linuxhomenetworking.com .158 www.

com =========================================== Samba is a suite of utilities that allows your Linux box to share files and other resources such as printers with Windows boxes. but this simple explanation should be enough. • A PDC stores the login information in a central database on its hard drive. Linux And Samba =========================================== In This Chapter Chapter 15 Windows. This chapter describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. www.linuxhomenetworking. Either configuration will allow everyone at home to have: • their own logins on all the home windows boxes while having their files on the Linux box appear to be located on a new Windows drive • shared access to printers on the Linux box • shared files accessible only to members of their Linux user group. What’s the difference between a PDC and Windows Workgroup member? A detailed description is beyond the scope of this chapter. This allows each user to have a universal username and password when logging in from all PCs on the network.159 Chapter 15 Windows. each PC stores the usernames and passwords locally so that they are unique for each PC. • In a Windows Workgroup. . Linux And Samba Download and Install Packages How To Get SAMBA Started Configuring SWAT Samba and PC Firewall Software How To Create A Samba PDC Administrator User How to Configure a Samba PDC How To Add Users To Your Samba Domain Domain Groups And Samba How To Delete Users From Your Samba Domain © Peter Harrison.

Download and Install Packages Samba is comprised of a suite of RPMs that come on the RedHat CDs.conf with a text editor if you subsequently use SWAT to edit it. Linux functionality doesn’t disappear when you do this. Install all the packages in this order: [root@bigboy [root@bigboy [root@bigboy [root@bigboy tmp]# tmp]# tmp]# tmp]# rpm rpm rpm rpm -Uvh -Uvh -Uvh -Uvh samba-2.i386. If you need a refresher.d/smb restart • Remember to restart the smb process every time you make a change to the conf file for the changes to take effect on the running process.rpm samba-client-2.i386.2.160 www.5-10.0 was version 2. You can create your own smb.com This chapter will only cover the much more popular PDC methodology used at home. As of this writing.2. By default. Samba Domains and Linux share the same usernames so you can log into the Samba based Windows domain using your and immediately gain access to files in your Linux user’s home directory.rpm samba-swat-2. the RPM chapter covers how to do this in detail.2. For added security you can make your Samba and Linux passwords different.5-10.conf to determine its various modes of operation. the latest version of the Samba suite for RedHat 8.5-10. Explanations of how to use both SWAT and a text editor to configure Samba are given in this chapter.conf using a text editor or using the easier web based SWAT utility. • You can test whether the smb process is running with the following command.2.i386.rpm Downloading and installing RPMs isn’t hard.5-10.rpm samba-common-2.d/smb start [root@bigboy tmp]# /etc/init. How To Get SAMBA Started • You can configure Samba to start at boot time using the chkconfig command: [root@bigboy tmp]# chkconfig --level 35 smb on • You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below: [root@bigboy tmp]# /etc/init.d/smb stop [root@bigboy tmp]# /etc/init. Keep in mind that you will lose all your comments inserted in /etc/samba/smb. you should get a response of plain old process ID numbers: [root@bigboy tmp]# pgrep smb . When Samba starts up it reads the configuration file /etc/samba/smb.i386.linuxhomenetworking.5-10.2. Samba mimics a Windows PDC in almost every way needed for simple file sharing.

service swat { port socket_type protocol wait user server log_on_failure disable only_from } = 901 = stream = tcp = no = root = /usr/sbin/swat += USERID = no = localhost The formatting of the file is fairly easy to understand.0.1. 192. Linux And Samba 161 Configuring SWAT SWAT is a very intuitive web based Samba configuration tool that allows you to configure Samba without all the memorization of the keywords needed for text based configuration. The URL must point to your localhost IP address on port 901 (http://127.1. • The disable parameter must be set to "no" to accept connections.3 and localhost: only_from = localhost. you may want to create a Samba administrator user that has no root privileges whatsoever or do your configuration using the configuration files.Chapter 15 : Windows. This may be a security concern in a corporate environment. Here is a sample.0. • By default.1.168.100:901 Samba and PC Firewall Software Firewall software installed on Windows PCs may cause Samba to not function. Here are some ways to solve the problem with two popular packages.100 from PC 192.3 using the URL http://192. .d/swat.168.1. especially as there are only two entries of interest.168.168. Here’s an example of an entry to allow connections only from 192.3 Therefore in this case you can also configure Samba on your Linux server "Bigboy" IP with address 192. starting and stopping of SWAT is controlled by xinetd via a configuration file named /etc/xinetd. The enabling/disabling.168. Unfortunately it doesn't encrypt your login password.0:901) as defined by the only_from and port parameters. You can make SWAT accessible from other servers by adding IP address entries separated to the only_from parameter.1. Because of this. you can only log into SWAT from the VGA console as user "root".

x. instead of an Internet network and ZoneAlarm should cease to interfere with Samba. The NetBIOS traffic that Samba uses to communicate with the PCs on the network will therefore be considered as hostile traffic. The Windows XP Built In Firewall You may also need to disable the firewall feature of Windows XP by doing the following: o o o o o Bring up Control Panel Go through the Network and Internet Connections and then Network Connections menus. The easiest way around this is to configure Zone Alarm to consider your home network as a trusted network too. Right click your on your LAN connection icon and select Properties Click on the Advanced tab.x/255. Uncheck the Internet Connection Firewall box and it will be turned on.com Zone Alarm The default installation of Zone Alarm assumes that your PC is directly connected to the Internet.255. Make this network a trusted network. you may want to experiment with the firewall software settings to optimize your security with the need to maintain a valid relationship with the SAMBA server How To Create A Samba PDC Administrator User To do both SWAT and user administration with Samba you'll need to create an Administrator account on the Samba PDC Linux box. This can be done by clicking on the firewall tab and editing the settings for your home network that will most likely have a 192.255. This means that the software will deny all inbound connections that attempt to connect with your PC.162 www.168.0 type entry.linuxhomenetworking. Once you get SAMBA to work. Here is how it's done: Create The Administrator’s User Group and Directories o First create a Linux group for administrators: [root@bigboy tmp]# /usr/sbin/groupadd sysadmin o Then create a Linux directory to house all the administrator directories: [root@bigboy tmp]# mkdir /home/sysadmin [root@bigboy tmp]# chgrp sysadmin /home/sysadmin [root@bigboy tmp]# chmod 0770 /home/sysadmin .

Usually default login scripts. (Redundant in this case) -m -d dir_path -k /etc/skel. In this case the administrator user has been made a member of the sysadmin group.smb to the users new home directory. Adduser’s Command Switches useradd command switch -g group Description Sets the group to which the user should be added.smb -n administrator o As this user may not need a real Linux login.Chapter 15 : Windows. create a Linux user with the adduser command: [root@bigboy tmp]# /usr/sbin/adduser -d \ /home/sysadmin/administrator \ -g sysdmin -m -k /etc/skel. especially if you’re using SWAT. Tells RedHat NOT to create a default group with the same name as the user. we won’t assign a real Linux password. The table below explains what each of the adduser command switches used. Linux And Samba 163 Create The Administrator User Under Linux o For each administrator user. This provides an added level of security.smb -n . Forces linux to create the directory specified with the -d switch Home directory for the new user Tells adduser to copy the contents of the directory /etc/skel.

then you'll have to use the Linux passwd command to give this user a Linux (not a Samba domain) password.101) # Date: 2002/11/10 19:54:45 # Global parameters [global] ## ## The name I want to give my DOMAIN ## workgroup = HOMENET .101 (192.linuxhomenetworking. Log into SWAT and click on the “globals” section and make sure the key highlighted parameters below are set correctly. [root@bigboy tmp]# /usr/bin/smbpasswd -a administrator password The -a adds the user administrator to the /etc/smbpasswd file.168. Make The Administrator One Of The Samba Admin Users Edit /etc/samba/smb. How to Configure a Samba PDC Create A Samba PDC By far the easiest way to configure a Samba PDC is by using SWAT.164 www.conf file and add the sysadmin group to the list of Samba system administrator users. Note: If you want user "administrator" to be able to log into the Linux box as a regular user via Telnet or SSH. [global] admin users = @sysadmin This can also be set via SWAT in the expanded “global settings” section. Samba domain logins use the smbpasswd password.1. This is done with the smbpasswd command.com Create An Administrator Domain Password The Linux Administrator now needs a Samba password to log into the Windows domain.1.168. Use a generic password then have users change it immediately from their workstation the usual way. # Samba config file created using SWAT # from 192. You’ll need to restart Samba for this to take effect.

Chapter 15 : Windows.cmd ## ## My user’s Linux login directory will always appear ## to be Windows drive H: ## logon drive = h: ## ## Activate domain type logins and make ## Linux box be the master Windows server ## in all domain type functions ## domain logons = Yes os level = 99 preferred master = True domain master = True local master = True dns proxy = No . (Usually blank) ## logon script = logon. Linux And Samba 165 ## ## The name of my Linux Box ## server string = BigBoy ## ## Make sure passwords are always encrypted ## encrypt passwords = Yes ## ## Samba will log errors via syslog to ## directory /var/log/samba ## log file = /var/log/samba/%m. Ie administer the PDC and do activities on the local PC like software installation.log max log size = 0 ## ## The command Samba uses to add new printers ## directory /var/log/samba ## addprinter command = /usr/bin/addprinter ## ## ## ## ## ## ## ## ## Only domain users in the sysadmin group can act as universal administrators.cmd in the Linux user’s home directory ## will be run whenever the user logs in. but they wont be PDC administrators to do things like adding new PCs to the domain domain admin group = @sysadmin ## ## The script logon. You can also have local administrator accounts on PCs to do software installation.

linuxhomenetworking. Pay careful attention to the "$" at the end and replace machine_name with the name of the Windows client machine. Manual Creation Of Machine Trust Accounts (NT Only) When manually creating a machine trust account you need to manually create the corresponding Unix account in /etc/passwd and /etc/smbpasswd files. Samba can create these “Machine Trusts” in two ways. Here you will use the drop down menu to edit the netlogon and profiles shares [netlogon] ## ## Store all Samba PDC overhead data in the directory ## /home/netlogon (or whatever you desire) ## path = /home/netlogon write list = administrator guest ok = Yes [profiles] ## ## Store user profiles in this directory ## path = /home/ntprofile read only = No create mask = 0600 directory mask = 0700 guest ok = Yes browseable = No Click on the “Status” button at the top of the screen and restart Samba to make your settings take effect.166 www.com ## ## Only users in the sysadmin group can use SWAT ## to modify Samba and ## admin users = @sysadmin printer admin = @sysadmin printing = lprng Next you will have to use SWAT to click on the “shares” button. [root@bigboy nickname" -s [root@bigboy [root@bigboy tmp]# /usr/sbin/useradd -g 100 -d /dev/null -c "machine /bin/false machine_name$ tmp]# passwd -l machine_name$ tmp]# smbpasswd -a -m machine_name . Create Your PC Machine Trusts PDCs will only accept user logins from trusted PCs that have been placed in its PC client database. either manually or automatically.

Click all the OK buttons and reboot! .Chapter 15 : Windows. Windows 95/98/ME Windows 9x machines do not implement full domain membership and therefore don't require machine trust accounts • • • • • • Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel>Network) Select the Configuration tab Highlight "Client for Microsoft Networks" Click the Properties button. This information is stored in the netlogon directory. How to configure the netlogon directory is beyond the scope of this chapter. Linux And Samba 167 This is the only way to configure machine trusts using Windows NT. [global] # <. Check "Log onto Windows NT Domain". defining your wall paper and setting the way dates are formatted..conf to automatically add the required users. the PDC will send your new client PC a list of universal “look and feel” related features that may have been previously set by the Administrator. These include things like suppressing the splash screen. but suffice it to say that the directory must be created on the Linux box for Samba to operate correctly.remainder of parameters.. Dynamic Creation Of Machine Trust Accounts The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client joins the domain. [root@bigboy tmp]# mkdir /home/netlogon [root@bigboy tmp]# chmod 0755 /home/netlogon You’ll then have to log into each PC client and do the following steps depending on their operating system. This method is also referred to as making a machine account "on the fly". This can be done by editing /etc/samba/smb.. and enter the domain name.> add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u This is probably easier to do if you use SWAT in the “Global” menu Make Your PC Clients Aware Of Your Samba PDC When you log into the domain..

In our case that would be user "administrator" with the corresponding smbpasswd password. then go through the following steps: • • • • • • Press Windows-key Break-key simultaneously to get the System Properties dialogue box Click on the 'Network Indentification' tab on the top Click the "Properties" button Click on the “Member of Domain” button Also enter your domain name and computer name and then click "OK" You will now be prompted for a user account and password with rights to join a machine to the domain.) You should then get a confirmation that you’ve been added with a "Welcome to <DOMAIN>" message. then go through the following steps: • Press Windows-key Break-key simultaneously to get the System Properties dialogue box . then go through the following steps: • • • • Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel>Network ) Select the “identification” tab Click the "change" button Enter the domain name and computer name.com Windows NT Create a manual SAMBA machine trust account as explained above. Click "OK" You should then get a confirmation that you’ve been added with a "Welcome to <DOMAIN>" message. do not check the box "Create a Computer Account in the Domain." In this case. • • • • Windows 2000 Create a dynamic SAMBA machine trust account as explained above. This should be your Samba administrator. Log in using any account in the /etc/smbpasswd file with your domain as the domain name. Log in using any account in the /etc/smbpasswd file with your domain as the domain name. • • • Windows XP Create a dynamic SAMBA machine trust account as explained above. Reboot.linuxhomenetworking. Reboot. the existing machine trust account is used to join the machine to the domain.168 www. (See this note before proceeding.

Linux And Samba 169 • • • • • Click on the 'Computer Name' tab on the top Click on the 'Change' button Click on the “Member of Domain” button Also enter your domain name and computer name and then click "OK" You will now be prompted for a user account and password with rights to join a machine to the domain. Mapping Using “My Computer” If the auto-mapping doesn't work then do the following: • • • • Let the user log into the domain Right click on the "My Computer" icon on the desktop Click on "Map Network Drive" Select a drive letter .Chapter 15 : Windows. Samba will automatically give each user logged into the domain an H: drive that really maps to the /home/username directory on the Linux box. Reboot. This should be your Samba administrator. Passwords won’t be necessary unless you want the users to log in to the Samba server via Telnet or SSH. Log in using any account in the /etc/smbpasswd file with your domain as the domain name. • • How To Add Users To Your Samba Domain Add The Users In Linux First go through the process of adding users in Linux just like you would normally do. In our case that would be user "administrator" with the corresponding smbpasswd password. Map A Drive Share By default. Map The Linux Users To An smbpassword Next you need to create Samba domain login passwords for all users [root@bigboy tmp]# /usr/bin/smbpasswd -a username password The -a adds the user to the /etc/smbpasswd file. Use a generic password then have users change it immediately from their workstation the usual way.

but this is not currently supported in Samba. For example: domain admin group = <USER1> <USER2> @<GROUP> .com • • Browse to the HOMENET domain.linuxhomenetworking.rpmfind. you’ll have to convert the file to the Windows format. to make the change permanent Mapping From The Command Line If you find the "My Computer" method too time consuming for dozens of users or if the PC doesn't have the feature available. The domain admin group parameter specifies users who will have domain admin rights. Click on the check box "Reconnect at Logon". then the user’s home directory.net ) [root@bigboy tmp]# todos /home/samba/netlogon/administrator.bat • Linux and Windows format text files slightly differently. but will be interpreted bay a Windows machine.bat • The next page will show you how to add regular users to your new SAMBA domain Domain Groups And Samba Samba supports domain groups which will allow users who are members of the group to be able to have Administrator rights on each PC in the domain. then you can do the following and possibly make it into a script. Domain Groups also have the ability to join machines to the domain. REM administrator net use P: \\bigboy\administrator • Make the file world readable: [root@bigboy tmp]# chmod +r /home/samba/netlogon/administrator. (You can get this package from http://speakeasy. In Windows.bat • Add the following contents to mount the user's share as drive P: (for 'private'). This requires the 'todos' program to be installed. This will allow them to do such things as add software and configure network settings. The argument is a space-separated list of user names or group names (group names must have an @ sign prefixed). • Create a master logon batch file for administrator users. We will add the contents of this file to all administrator's logon scripts.170 www. [root@bigboy tmp]# vi /home/netlogon/administrator. As the file resides on a Linux box. then the Samba server.

Here we are deleting the user zmeekins and all zmeekin’s files from the Linux server: [root@bigboy tmp]# userdel -r zmeekins Delete The Users Using smbpasswd Next. use the smbpasswd command with the "-x" switch [root@bigboy tmp]# smbpasswd -x zmeekins Deleted user zmeekins. Linux And Samba 171 How To Delete Users From Your Samba Domain Delete The Users In Linux First go through the process of deleting users in Linux just like you would normally do.Chapter 15 : Windows. [root@bigboy root]# .

linuxhomenetworking.com .172 www.

N Adding A Printer To A Samba PDC Sharing printers amongst all your PCs is one of the advantages of creating a home network. This may be OK for a small home network but may be impractical for a huge corporate network. Here are the menus to use: o o o o Click on the RedHat icon in the bottom left hand corner of the screen Click on System Settings Click on Printing Click on New . you may want to allow users to share resources such as floppy drives. We’ll assume the printer is locally attached to the parallel port. Here’s how to connect your printer directly to your PDC and make it available to all your windows workstations.linuxhomenetworking. This makes your Samba PDC a print server too! The method explained here requires the Windows printer driver to be loaded on every client machine. www. The way to get a GUI on the console is outlined in the runlevels chapter.173 Chapter 16 Sharing Resources With Samba =========================================== In This Chapter Chapter 16 Sharing Resources With Samba Adding A Printer To A Samba PDC Creating Group Shares in SAMBA Windows Drive Sharing With Your SAMBA Server © Peter Harrison. Adding The Printer To Linux By far the easiest way to add a printer in Linux is to use the GUI from the VGA console.com =========================================== ow that you have Samba up and running. Here’s how to do it all. directories and printers via the Samba server.

If this isn't the case. If this is the case. o o o . I called the printer queue EpsonC60) Click the local printer button Click "forward" You'll get the "Configure a Local Printer" menu Select /dev/lp0 as I assume the printer is on the parallel port (not USB) You'll get the "Select Print Driver" menu Scroll to the printer Double click on the name Select the driver Click "forward" You'll get the "Finish and Create the New Print Queue" menu Click finished Click "Apply" Do a test print to make sure all is OK o o o o o Make Samba Aware Of The Printer The easiest way to do this is using the Samba SWAT web interface. restart Samba and go to the next section. Once you are in SWAT: o o o Select the "Printers" button Find your printer in the drag down menu If the printer name has a [*] beside it. Click on the “Status” tab at the top of the screen and restart smbd and nmbd to restart Samba. edit/create the printer Click on the “Commit Changes” button to create an updated /etc/samba/smb. (My printer is an Epson Stylus C60.com o You'll now get the "Add a New Print Queue" menu Click "forward" You'll get the "Set the Print Queue name and Type" menu Give the printer an easy to remember name.linuxhomenetworking. but may not be visible on your network because Samba hasn't been restarted since creating the printer.conf file. then it has been auto configured by Samba.174 www.

Chapter 16: Sharing Resources With Samba 175 Configure The Printer Driver On The Workstations o Download the Windows printer driver from the manufacturer and install it. Select "Yes" or "No" depending on your preference Click the "Next" button The "Completing the Add Printer Wizard" menu will appear Click the "Finish" button o o o o o o o o . you pre installed the driver Click the "OK" button The "Add Printer Wizard" will appear Select the manufacturer of your printer Select the printer model Click the "OK" button The "Add Printer Wizard" will prompt you whether you want to use this new printer as the default printer. Click next so you can browse for your printer You should be on the "Browse for Printer" menu Double Click on the name of your Linux Samba Box You should see the new printer Click on the printer name Click the "Next" button You may get a message stating "The server on which the printer resides does not have the correct printer driver installed. Go to the Add printer menu Click the "Next" button Select the "Network Printer" button to get the "Local or Network Printer" menu Click the "Next" button You should be on the "Locate Your Printer" menu Don't enter a name. Fortunately. If you want to install the driver on your local computer. click OK".

Click on the “Status” tab at the top of the screen and restart smbd and nmbd to restart Samba. you might want to change the chown statement to make them owner [root@bigboy tmp]# mkdir /home/parent-files [root@bigboy tmp]# chown parents /home/parent-files [root@bigboy tmp]# chmod 0770 /home/parent-files o Next we add the group members to the new group. let's add user "father" to the group. Click on the “Commit Changes” button to create a new /etc/samba/smb. Create The Directory And User Group o Create a new Linux group parents: [root@bigboy tmp]# /usr/sbin/groupadd parents o Create a new directory for the group's files. let’s say “onlyparents”. For instance. create the share in Samba using SWAT. parents working in a home office environment may need a place where they can share. subgroups of a family need a share that is fully accessible by all members of the group. Click on the shares button then enter the name of the share you want to create. distribute or collaboratively work on documents. . o Creating Group Shares in SAMBA On occasion. For example. Make sure the path maps to “/home/parent-files” and make the valid users be @parents. Click on the “Create Share” button.com o The new printer should now show up on the Windows Printers menu in "Control Panel" Send a test print.conf file.176 www. where parents is the name of the Linux user group.linuxhomenetworking. Here’s how it’s done. [root@bigboy tmp]# /usr/sbin/usermod -G parents father Configure The Share In SWAT o o o o o Finally. If one user is designated as the leader.

conf file should have an entry like this at the end: # Parents Shared Area [only-parents] path = /home/parent-files valid users = @parents Map The Directory Using “My Computer” o o o o o o Let the user log into the domain from a remote PC Right click on the "My Computer" icon on the desktop Click on "Map Network Drive" Select a drive letter Browse to the HOMENET domain. In this section we’ll attempt to share a ZIP drive. Windows 98/ME • • • • Double click 'My Computer' Right click on the ZIP drive and choose 'Sharing' Set the Share Name as 'zip' with the appropriate access control Restart windows Windows 2000 • • • • Double click 'My Computer' Right click on the ZIP drive and choose 'Sharing' Set the Share Name as 'zip' and the appropriate access control Logout and login again as normal using your current login . floppy or hard drive installed on a Windows Client from the Samba server. The next step is to make the ZIP drive shared. DVD. to make the change permanent Windows Drive Sharing With Your SAMBA Server You can also access a CD. then the share named only-parents Click on the check box "Reconnect at Logon".Chapter 16: Sharing Resources With Samba 177 Your /etc/samba/smb. Windows Setup The Windows client box should first be setup as a member of a Samba domain or workgroup. then the Samba server. ZIP.

0.1.1] Server=[Windows 2000 LAN Manager] Sharename Type Comment --------. Here’s how to do it.1.------Note: You could have got the same result using the following command.0.255.255.0 Got a positive name query response from 192.com Windows XP • • • • Double click 'My Computer' Right click on the ZIP drive and choose 'Sharing and Properties' Set the Share Name as 'zip' and the appropriate access control Logout and login again as normal using your current login Test Your Windows Client Configuration Use the smbclient command to test your share.168.255 nmask=255.0.1.linuxhomenetworking.1.255.253 ( 192.100 bcast=192.168.---.0 added interface ip=127.------Workgroup Master --------.255. You should get output like this when using the username's corresponding password: [root@bigboy tmp]# smbclient -L WinClient -U username added interface ip=192.253 ) Password: Domain=[HOMENET] OS=[Windows 5. . though it is less secure: [root@bigboy tmp]# smbclient -L WinClient -U username%password Create A ZIP Drive Mount Point On Your Samba Server You’ll need to create the mount point on the Linux server in order to mount and access the ZIP floppy.168. You should substitute "WinClient" with the name of your widows client PC and "username" with a valid workgroup/domain username that normally has access to the Windows client.0.178 www.------IPC$ IPC Remote IPC D$ Disk Default share print$ Disk Printer Drivers SharedDocs Disk zip Disk Printer2 Printer Acrobat PDFWriter ADMIN$ Disk Remote Admin C$ Disk Default share Server Comment --------.1 bcast=127.168.255 nmask=255.

password=password //winclient/zip /mnt/zip Using The smbmount Command Method Some versions of Linux support the smbmount command to mount the remote drive. Incompatible versions will give errors like this: [root@bigboy tmp]# smbmount //winclient/zip /mnt/zip -o username=username Password: 27875: session setup failed: ERRDOS .ERRnoaccess (Access denied.) SMB connection failed .Chapter 16: Sharing Resources With Samba 179 Prompted For Password Method [root@bigboy tmp]# mkdir /mnt/zip [root@bigboy tmp]# mount -t smbfs -o username=username //winclient/zip /mnt/zip Not Prompted For Password Method [root@bigboy tmp]# mkdir /mnt/zip [root@bigboy tmp]# mount -t smbfs -o username=username.

linuxhomenetworking.180 www.com .

What Is DNS? As explained on the introduction to networking concepts chapter. the daemon that responds to DNS queries from remote machines. the Domain Name System (DNS) is the way in which a URL or domain like www.linuxhomenetworking. The most well known program in BIND is "named". www. here’s how.com is converted to an IP address. .linuxhomenetworking. What Is BIND? BIND is an acronym for the "Berkeley Internet Name Domain" project which maintains the DNS related software suite that runs under Linux.181 Chapter 17 Configuring DNS =========================================== In This Chapter Chapter 17 Configuring DNS What Is DNS? What Is BIND? When To Use A DNS Caching Nameserver When To Use A Regular DNS Server When To Use Dynamic DNS How To Download and Install The BIND Packages How To Get BIND Started The /etc/resolv.com =========================================== You can make your Linux box into your home network's DNS nameserver.conf File Configuring A Caching Nameserver Configuring A Regular Nameserver How To Migrate Your Website In-House DHCP Considerations For DNS © Peter Harrison.

When To Use Dynamic DNS Your DSL ISP will assign IP addresses to your home either with an unchanging. When To Use A Regular DNS Server If you host your own website at home with full control of all the web domains and your ISP provides you with a “fixed” or “static” IP address. If you need a refresher. Once you have set up your caching DNS server you will then have to configure each of your home network PCs to use it as their DNS server. A caching DNS nameserver is only used as a reference. This chapter assumes that you are using “static” Internet IP addresses. Note: Regular nameservers are also caching nameservers by default. If your router/firewall is getting its Internet IP address using DHCP then you must consider dynamic DNS.182 www.0 was version 9.2. How To Download and Install The BIND Packages Most RedHat Linux software products are available in the RPM format. In this case a separate DNS server is unnecessary. If you want to advertise your website www.1-9. the most frequently requested information to reduce the lookup overhead of subsequent queries.1-9. It comes standard with the RedHat installation CDs. Downloading and installing RPMs isn’t hard.i386. regular nameservers are used as the authoritative source of information.com When To Use A DNS Caching Nameserver DNS caching servers should be used by the machines on your network to provide DNS information that it has learned from the authoritative DNS servers of the Internet. “fixed” or “static” IP address or via a changing “DHCP” method. then a regular DNS server is what you require. Off the shelf router/firewall appliances used in most home networks will usually act as both the caching DNS and DHCP server. then you will have to configure your DHCP server to make it aware of the IP address of your new DNS server. If your home PCs get their IP addresses using DHCP.2.com to the rest of the world. then a regular DNS server would be the way to go. As of this writing the latest version of the BIND suite for RedHat 8.linuxhomenetworking. the chapter on RPMs covers how to do this in detail. Caching DNS servers then store (or cache).rpm How To Get BIND Started • You can use the chkconfig command to get BIND configured to start at boot: . Setting up a caching DNS server is fairly straightforward and will work whether or not your ISP provides you with a static or dynamic Internet IP address.my-site. [root@bigboy tmp]# rpm -Uvh bind-9.

net and my-site. Domain • Search • Here is a sample configuration in which: • The client server’s main domain is my-site.com. you’ll need to have multiple “nameserver” lines. Here is a list of keywords: Keyword Nameserver • Value IP address of your DNS nameserver.168.100 and 192.com If you refer to another server just by its name without the domain added on.conf File This file is used by DNS clients (servers not running BIND) to determine both the location of their DNS server and the domains to which they belong.com net my-site.1.d/named start [root@bigboy tmp]# /etc/init. domain my-site.102 .168. The domains in this list must separated by spaces.1.1.com search my-site. If there is more than one nameserver.d/named stop [root@bigboy tmp]# /etc/init. The local domain name to be used by default. If the server is bigboy.net my-site.org which should be searched for short hand references to other servers. • Two nameservers.org nameserver 192. There should be only one entry per “nameserver” keyword. 192. The /etc/resolv. the first contains a keyword and the second contains the desired value(s) separated by commas.com.d/named restart • Remember to restart the BIND process every time you make a change to the conf file for the changes to take effect on the running process. DNS on your client will append the server name to each domain in this list and do an nslookup on each to get the remote servers’ IP address. This is a handy time saving feature to have so that you can refer to servers in the same domain by only their servername without having to specify the domain.168.1.my-site. It generally has two columns.102 provide DNS name resolution. but it also is a member of domains my-site. then the entry would just be my-site.Chapter 17: Configuring DNS 183 [root@bigboy tmp]# chkconfig --level 35 named on • To start/stop/restart BIND after booting [root@bigboy tmp]# /etc/init.168.100 nameserver 192.

The only file you have to edit is /etc/resolv.255.255.conf file. There are usually two zone areas in this file: Forward zone file definitions which list files to map domains to IP addresses Reverse zone file definitions which list files to map IP addresses to domains In this example the forward zone for www.253. o .0.com Configuring A Caching Nameserver The RedHat default installation of BIND is configured to convert your Linux box into a caching nameserver.0.168.1 New Entry # nameserver 192.conf o The main DNS configuration is kept in the file /etc/named. Configuring named. the file my-site.168. though not explicitly stated.conf which is used to tell BIND where to find the configuration files for each domain you own.158. the subnet that has been assigned to you by your ISP is 97.1.184 www.com is being set up by placing the following entries at the bottom of the /etc/named. The zone file is named my-site.conf in which you’ll have to comment out the reference to your previous DNS server (most likely your router) with a "#" or make it point to the server itself using the universal localhost IP address of 127. notify no.zone and.248 (/29).0.0.1 The next step is to make all the other machines on your network point to the caching DNS server as their primary DNS server. zone "my-site.linuxhomenetworking.1 Old Entry nameserver 192.1.zone should be located in the default directory of /var/named.1 or: nameserver 127.my-site.com" { type master.24 with a subnet mask of 255. Configuring A Regular Nameserver For the purposes of this tutorial.

97.158. . file "253. This is rarely done for home based sites.158. Though you would normally think a record would be a single line.158. file "my-site. A and CNAME) which govern different areas of BIND. }. I’ll explain of them below and then follow it all up with an example. }. MX.zone.Chapter 17: Configuring DNS 185 allow-query { any.conf file to reference other web domains you host. }.in-addr. It just makes you able to do an nslookup query on the 97.” character then typing in the text of your comment.253. }. the rest of the records are relatively straight forward. zone "253. notify no.com using a zone file named myother-site.zone".x IP address and get back the true name of the server assigned that IP address. allow-query { any. By default.arpa" { type master. NS. your zone files are located in the directory /var/named. The SOA Record The very first record is the Start of Authority (SOA) record which contains general administrative and control information about the domain. notify no. o The reverse zone definition below is optional for a home / SOHO DSL based web site. file "my-other-site.97". Each zone file contains a variety of records (eg.zone". Note: the reverse order of the IP address in the zone section is important. Configuring The Zone Files o o o In all zone files. }.com" { type master. You can also insert additional entries in the /etc/named. It is the most counter-intuitive of them all. you can place a comment at the end of any line by inserting a semi-colon “. Here is an example for my-other-site. the SOA format spans several. zone "my-other-site. SOA. It is especially difficult to do this with your DSL ISP if you have less than 256 static IP addresses (also known as a "Class C" block of addresses).

Total amount of time a slave will retry to contact the master before expiring the data it contains. The regular "@" in the e-mail address must be replaced with a "." instead. The email address must also be followed by a ". 4 1 Retry • 5 1 Expire • 6 1 Minimum TTL • • 2 “)“ • . Must be followed by a ".186 www. Signifies that we’re all finished with the variables.linuxhomenetworking. 2. The amount of time external caching DNS servers should keep your DNS information before flushing the data from the cache." Signifies that we’re about to define some performance related variables." The email address of the nameserver administrator. The slave's retry interval to connect the master in the event of a connection failure.com SOA Record Format Line # 1 Column # 1. 3 4 5 Name @ IN SOA Nameserver Email • • • • • • 6 2 1 “(“ Serial • • • 3 1 Refresh • Description Signifies that the SOA record is about to begin Fully qualified name of your primary nameserver. As of BIND version 9 this value is overridden by the $TTL command at the very top of the configuration file. Slaves aren't really used in home / SOHO environments. Usually in the date format YYYYMMDD with single digit incremented number tagged to the end. Tells the slave DNS server how often it should check the master DNS server. A serial number for the current configuration. Slaves aren't really used in home / SOHO environments. Slaves aren't really used in home / SOHO environments.

MX.my-site." at the end of a host name in a SOA. A and CNAME Record Formats Record Description First Column Second Column Third Column IP address or CNAME of the nameserver Mail server priority Fourth Column NS Lists the name of the nameserver for the domain Lists the mail servers for your domain such as mysite." after the domain in the MX record for my-site.com. A And CNAME Records Unlike the SOA record. but if you forget to put the ". A and CNAME records each occupy a single line and the records each have a very similar layout. So an "A" record with "www" will be assumed to refer to www. This may be OK in most cases. NS.0.Chapter 17: Configuring DNS 187 NS.my-site. MX.com.mysite. . BIND will attach the my-site.com o Note: If you don't put a ". Server name "A" IP address of server CNAME "alias" or "nickname" for server "CNAME" "A" record name for server N/A **The Fully Qualified Domain Name (FQDN) is the full DNS name of the server such as mail." N/A A Maps an IP address to each server in your domain.1 Provides additional alternate "alias" names for servers listed in the "A" records.com at the end. MX. NS. the NS.0.com Blank "NS" N/A MX Domain. BIND will automatically tack on the domain name.com. and you will find your mail server only accepting mail for the domain my-site. A or CNAME record. There must always be an entry for localhost 127.com. followed by a "." "MX" CNAME of mail server or the mailserver's FQDN** followed by a ".

refresh.1 97.com.my-site. Primary Mail Exchanger A A CNAME 127.26 97.158. . .125 o o o The serial number is extremely important. .0.com.my-site. Zone file for my-site. seconds 3600 ) .158. Primary nameservers are more commonly called “ns1” and secondary nameservers “ns2”.com points to the server named mail. The full zone file . NS www . So here we have an example of the nameserver.com. retry. expire. So remote DNS caching servers will store learned DNS information from your zone for 3 days before flushing it out of their caches. localhost www mail MX 10 mail .my-site. The minimum TTL is set to 3600 seconds.253. If they were all different machines.158.134 97. .com "mail" is actually a CNAME or "alias" for the web server "www". www mail ns o A A A 97. You MUST increment it after editing the file or else BIND will not apply the changes you made when you restart "named".com.com.188 www.com is nameserver for my-site. then you’d have an "A" record entry for each like the example below. . Inet Address of nameserver my-site. but the overriding $TTL value is 3 days. seconds 3600 .253.my-site.253.253. but in the home / SOHO environment it is not necessary to differentiate.linuxhomenetworking. mail server and web server being the same machine. serial# 3600 . In corporate environments there may be a separate nameserver for this purpose. minimum. hostmaster. $TTL 3D @ IN SOA www. The MX record for my-site.26 www Notice that in this example: o Server www. seconds .0.158. seconds 3600 .com Sample Forward Zone File Here is a working example of the zone file for my-site. ( 200211152 .com .

Zone file for 192.my-site.168.my-site.my-site. .1.1.158. dhcp-32.com. 192. What You Need To Know About NAT And DNS The above examples assume that the queries will be coming from the Internet with the zone files returning information related to the external 97.253.1. dhcp-34. seconds retry.my-site. dhcp-35. serial number refresh.com.32 to 192. . . Here is a sample reverse zone file for our network. Nameserver Address Note: I have included entries for addresses 192.my-site.36 which are the addresses our DHCP server issues. SMTP mail relay wouldn’t work for PCs that get their IP addresses via DHCP if these lines weren’t included.my-site. 200303301 8H 2H 4W 1D ) hostmaster.zone .com. $TTL 3D @ IN SOA ( www.my-site. seconds minimum.com.my-site. reggae. ochorios. This is because NAT won’t work properly if a PC on your home network attempts to connect to the external 97. dhcp-33. seconds expire.com.x .com.my-site. NS .com.my-site.com. .168. .168. . Most home DSL sites wouldn’t qualify. This is very important if you are running a mail server on your network as sendmail typically will only relay mail from hosts whose IP addresses resolve correctly in DNS.1.26 address of the webserver.my-site. 100 103 102 105 32 33 34 35 36 PTR PTR PTR PTR PTR PTR PTR PTR PTR bigboy. What do the PCs on your home network need to see? They need to see DNS references to the real IP address of the webserver.253.158. Unfortunately ISP’s won’t usually delegate this ability for anyone with less than a “Class C” block of 256 IP addresses.com.168. www .26 NAT IP address of your webserver.100. Filename: 192-168-1. You may also want to create a reverse zone file for the public NAT IP addresses for your home network. .Chapter 17: Configuring DNS 189 Sample Reverse Zone File Now we need to make sure that we can do an nslookup query on all our home network’s PCs and get their correct IP addresses. . .com.com. smallfry. dhcp-36. seconds .

zone for lookups related to the 97. file "localhost.local".zone file is fairly easy. Remember to increment your serial numbers! Here is a sample configuration snippet for the /etc/named. }.253. }. zone "0.0. This is done by first defining access control lists (ACLs) and then referring to these lists within each view section with the match-clients statement.conf file in one of two “views” sections.X network which Internet users would see.168. allow-update { none.zone". There are some built-in ACLs: “localhost” which refers to the DNS server itself. // ACL statement acl "trusted-subnet" { 192.158. }." IN { type hint. The views feature allows you to force BIND to use pre-defined zone files for queries from certain subnets.X with references to 192. Note: You must place your “localhost”. Here’s a summary of how it’s done: o Place your zone statements in the /etc/named.1. }. }.X o You must also tell the DNS server which addresses you feel are “internal” and “external”. localhost. allow-update { none. The creation of the my-site-home.17/24.253. file "named.zone file and replace all references to 97. "trusted-subnet".in-addr.arpa" IN { type master.127.conf file I use for my home network. Just copy it form the my-site.0 network.ca". “0.zone for lookups by home users on the 192.1. You could also have a file called my-site-home.linuxhomenetworking. }.0. “localnets” which refers to all the networks to which the DNS server is directly connected. All the statements below were inserted after the “options” and “controls” sections in the file.168. .com Don’t worry.190 www. This means it’s possible to use one set of zone files for queries from the Internet and another set for queries from your home network. zone ". This /etc/named.in-addr.conf entry would be inserted in the “external” section. view "internal" { // What the home network will see match-clients { localnets. }.arpa” and ". file "named. The second view called “external” will list the zone files to used for Internet users. This entry would be inserted in the “internal” section. BIND has a way around this called “views”." zone statements in the “internal” views section. zone "localhost" IN { type master. For example. The first section will be called “internal” and will list the zone files to be used by your internal network. “any” which is self explanatory. you could have a reference to a zone file called my-site.127.158.168.

zone "my-other-site. notify no. allow-query { any. Note: In the above example I included an ACL for network 192.zone".0 /24).168. this is purely an example. file "my-site. }.com" { type master. allow-query { any. zone "my-site. So in this case the local network (192. file "my-other-site-home. notify no.zone".192. recursion no.1. Once the ACL was defined.168.in-addr. zone "my-other-site. I then inserted a reference to the “trusted-subnet” in the match-clients statement in the “internal” view.arpa" IN { type master. Our network won’t need the “trustedsubnet” section in the match-clients line either. allow-query { any. allow-query { any. file "my-other-site. }. zone "my-site. }.168. file "my-site-home. .zone". }. }. view "external" { // What the Internet will see match-clients { any. }.com" { type master. }.17.zone". notify no.Chapter 17: Configuring DNS 191 zone "1.17. }. notify no.zone".com" { type master.0 /24 called “trusted-subnet” to help clarify the use of ACLs in more complex environments.com" { type master. the other trusted network (192. }. allow-update { none. The home network we have been using doesn’t need to have the ACL statement at all as the built in ACLs “localnets” and “localhost” are sufficient. }. file "192-168-1.0) and localhost will get DNS data from the zone files in the “internal” view. }. }. Remember.168. }.

26. If your firewall is a Linux box.local my-site.1 -rw-r--r-.1 -rw-r--r-.1 [root@bigboy [root@bigboy [root@bigboy total 6 -rw-r--r-.253.158.100.zone named.ca named.1.192 www. The actual IP address of the server is 192.d/named restart Make Sure Your /etc/hosts File Is Correctly Updated The chapter covering Linux networking topics explains how to do this. which is a private IP address. Configure Your Firewall The sample network we're using assumes that the BIND nameserver and Apache web server software run on the same machine protected by a router/firewall.1 -rw-r--r-.linuxhomenetworking.zone The configuration files above will not be loaded until you issue the following command to restart the named process that controls DNS (Make sure to increment your configuration file serial number before doing this): [root@bigboy tmp]# /etc/init.local my-site. . You'll have to employ NAT in order for Internet users to be able to gain access to the server via the Public IP address we chose. namely 97.ca named.1 [root@bigboy o tmp]# cd /var/named named]# ll named named 195 Jul 3 named named 2769 Jul 3 named named 433 Jul 3 root root 763 Oct 2 named]# chown named * named]# chgrp named * named]# ll named named named named named named named named named]# 195 2769 433 763 Jul Jul Jul Oct 3 3 3 2 2001 2001 2001 16:23 localhost.1 -rw-r--r-.1 -rw-r--r-. you may want to consider taking a look on the iptables chapter on how to do the NAT and allow DNS traffic trough to your nameserver.zone named.168.1 -rw-r--r-.zone 2001 2001 2001 16:23 localhost.com Loading Your New Configuration Files o Make sure your file permissions and ownership are OK in /var/named [root@bigboy [root@bigboy total 6 -rw-r--r-. Some programs such as sendmail require a correctly configured /etc/hosts file even though DNS is correctly configured.

You’ll therefore have to wait about this amount of time before you’ll start noticing people hitting your new website site.com • Once testing is completed.com domain.com and not my-site-test.com or www.my-site.com • Test web traffic to www.158. Your best alternative will be to request your existing service provider to set the TTL on my-site. you can then revert to the old configuration.com or whatever your nameserver is called.26 in this case ). but different name. At the very least it should include the following steps: • There is no magic bullet which will allow you to tell all the caching DNS servers in the world to flush their caches of your zone file entries. • Test your applications using server.my-site-test.26 to map to ns. • Ask your existing web hosting provider to add a DNS entry for your new server in the my-site. and different name.com to handle your domain. (This screen will prompt you for both the server's IP address and name) Then you'll have to assign ns. it will take only 1 minute to see the results of the final DNS configuration switch to your new server.com • Test mail to users @my-site-test. Now your server will be a part of both my-site. so that at least one of the nameservers is your new nameserver. it will take at least 3-5 days for all remote DNS servers to recognize the change. or whatever it is. for example www. • Set up your server in house using a different domain. If you only have one.my-site-test. (This screen will prompt you for the server name only) o Sometimes. Domain registrars such as Verisign and RegisterFree usually provide a web interface to help you manage your domain.my-site.com". How To Migrate Your Website In-House It is important to have a detailed migration plan if you currently use an external company to host your website and wish to move the site to a server at home or in your office. the registrar will require at least two registered nameservers per domain.253. It normally takes about 3-4 days for your updated DNS information to be propagated to all 13 of the world’s root (“super duper”) nameservers. knowing it will rapidly recover within minutes rather than days. say 1 minute. Give your web server a second IP address using an IP alias. As the TTL is usually set to 3 days. you've logged in with the registrar's username and password. If anything goes wrong.Chapter 17: Configuring DNS 193 Fix Your Domain Registration Remember to edit your domain registration for "my-site.my-site. ( 97.com and my-site-test.158.com in the DNS zone file to a very low value. Once the propagation is complete.com. Also set the TTL on this domain to 1 minute. You'll have to do the following two steps: o First.com. you'll have to create a new nameserver record entry for the IP address 97. create a second NAT entry on your firewall and then create the second nameserver record entry with the new IP address. convert all the server configuration files to reference my-site. Once.com Restart all the relevant applications.253. .my-site. then you could either: o o Create a second nameserver record entry with the same IP address.

You can then decide whether the change will be permanent once you have failed over back and forth a few times. then you may need to refer to the DHCP server chapter. Remember. you don't have to host DNS or mail in-house. . You can migrate these services in-house later as your confidence in hosting becomes greater. you'll be able to see results of the migration within minutes.com • Coordinate with your web hosting provider to simultaneously update you domain registration’s DNS records to point to your new DNS server.linuxhomenetworking. If your Linux box is the DHCP server. if you have concerns that your service provider won’t co-operate then you could explain to them that you want to test their failover capabilities to a duplicate server that you host in-house. DHCP Considerations For DNS If you have a DHCP server on your network. • As both TTLs were set to 1 minute previously. you can set the TTL back to 3 days to help reduce the volume of DNS query traffic hitting your DNS server. this could be left in the hands of your service provider. you'll need to make it assign the IP address of the Linux box as the DNS server it tells the DHCP clients to use. • Once complete.194 www. Finally.

Chapter 17: Configuring DNS 195 .

com .linuxhomenetworking.196 www.

DNS is the way in which a URL or domain like www. Your DNS server acts as the authoritative source of information for your my-site.com domain.com domain.197 Chapter 18 Dynamic DNS =========================================== In This Chapter Chapter 18 Dynamic DNS What Is DNS? What Is Dynamic DNS? Dynamic DNS And NAT Router/Firewalls Dynamic DNS Prerequisites Installing And Using ez-ipupdate Installing And Using DDclient Testing Your Dynamic DNS © Peter Harrison.com is converted to an IP address. You can consider static DNS as the “traditional” or “regular” form of DNS. If you want to host a website at home you have two DNS options: Static DNS: This is used when your ISP provides you with unchanging “fixed” or “static” Internet IP addresses. www.com =========================================== What Is DNS? As explained on the introduction to networking chapter. Dynamic DNS: Used when you get a changing “dynamic” Internet IP addresses via DHCP from your ISP.linuxhomenetworking. .linuxhomenetworking. You will have to use the services of a third party DNS provider to provide DNS information for your my-site.

The web masters then register their domains with companies such as Verisign and RegisterFree and tells these registrars to direct queries to www. most cable modem providers may not allow you to host sites at home.mysite. you'll have to also configure your router / firewall to do port forwarding to make all HTTP traffic destined for the IP address of the router / firewall to be exclusively NAT-ed and forwarded to a single server on your home network.com in which the IP address is dynamically assigned.com to the servers of the DDNS provider. • register your domain name and read your DDNS provider's instructions on how to use their name servers.org offers a service to overcome this limitation.linuxhomenetworking. DDNS works by having webmasters register their DDNS sites on the DDNS provider's servers. most home router / firewalls will use Network Address translation (NAT) to map a single public DHCP obtained IP addresses to the many private IP addresses within your network. The reported value is therefore invalid.com What Is Dynamic DNS? In many home networking environments. This chapter describes how to configure the most popular Linux based DDNS software ez-ipupdate and DDclient in the following two configurations: • on a Linux box directly connected to the Internet • on a Linux box when protected by a NAT router / firewall Remember that unlike DSL. An example of port forwarding with a Cisco PIX firewall is given in both the Cisco PIX firewall chapter and Net-Filter chapters.198 www. or else it will not work • be prepared for slower response times for your home based site than if you were using a static IP and a regular DNS service. If the Linux box is being protected behind a NAT router / firewall then the NIC will report in its data stream to the DDNS provider a private IP address which no one can reach directly via the Internet. in order to conserve the limited number of IP addresses available for internet purposes. Dynamic DNS (DDNS) allows you to host a website such as www.my-site. Once this is done. The webserver itself then has a DDNS client program running that updates the DDNS providers name servers with the most current DHCP IP address of the site. Some DDNS providers use more intelligent clients such as DDclient which can be configured to let the DDNS provider record the public IP address from which the data stream is originating. the software can only report the true IP address of the Linux box's NIC interface. NAT can fool the operation of some DDNS client software. In these cases. Before considering using a dynamic DNS solution for hosting a website at home with dynamic IPs: • you must make sure your DSL provider will allow inbound connections. the DSL IP address is provided by DHCP and therefore changes from time to time. dynDDS. specifically HTTP. Dynamic DNS And NAT Router/Firewalls As discussed in the introduction to networking chapter. .

The ez-ipupdate installation will put the executable file in /usr/local/bin and all the files in the /tmp/filename directory will become extraneous. Most DDNS providers assume you are going to create a sub domain of their main domain. you'll have to do a little extra work.Chapter 18: Dynamic DNS 199 Dynamic DNS Prerequisites Sign Up With A DDNS Provider First you'll have to register with a DDNS provider.registerfree.com and update the nameserver entries for your domain to point to the name servers of your DDNS provider. you'll have to return to www.verisign.my-site.com or www. You can give your machine's name or you can name the machine "www" to create a combined domainsubdomain of www. The miniDNS registration for your own domain requires you to use the "add DNS Record" link on the registration page to create your own domain. o o Update Your DNS Registration If you have your own domain. This chapter focuses on the services of miniDNS and DynDNS. If you want to create your own domain such as my-site. For example miniDNS.com.org you'll have to go with their paid service to get a customized domain name. Then you must add a host record. Installing And Using ez-ipupdate Download the tar/gzip file to your server’s /tmp directory from the ez-ipupdate site listed in the Bibliography. .com will eventually query RegisterFree or Verisign which will then refer the query to your DDNS providers name servers which will have the most current IP address of your site because of the DDNS client software you are running at your home site.verisign. The cost is about US$20 per year. They call it Custom DNS and it doesn't support ez-ipupdate.minidns. [root@bigboy]tmp]# gunzip zip-tar-filename [root@bigboy]tmp]# tar –xvf tar-filename [root@bigboy]tmp]# cd /tmp/filename Follow the install instructions for doing the “make” or program compilation.net will default to a domain such as machine-name. First you add your domain such as my-site. some of which are listed on the Bibliography.com which would be more intuitive to use.org. You'll have to register your domain with a DNS registrar such as www.com. Use the following commands to extract the contents into a new subdirectory.registerfree.com or www.com. With dynDNS. DNS queries for my-site.net. you'll need DDclient in this case.

2/COPYING … .com The /etc/ez-ipupdate. It then communicates this information to your dynamic DNS provider.2/ ddclient-3. Check the Bibliography for the DDclient URL. If your Linux server is protected behind a firewall using NAT then the IP address of the NIC won't match that of the public IP address of the firewall and DDNS won't work properly. [root@bigboy tmp]# gunzip ddclient.2/COPYRIGHT ddclient-3.6. the DDclient script can also log in and parse out the external IP address of the router.200 www. DDclient has a simple "web" update mode which tells your DDNS provider to use the source IP address of the data stream used to update your DDNS record.conf in which you must specify: o o o Your registration username and password The host name you have selected for your Linux box The NIC interface which is connected to your DSL line. read the README file to give you an idea of what to do.my-site. In cases where "web" mode doesn't work.tar.com interface=eth0 Note: The service-type line is specific to your dynamic DNS provider which will often provide a customized /etc/ez-ipupdate.tar ddclient-3.gz [root@bigboy tmp]# tar -xvf ddclient.6.conf File ez-ipupdate uses a configuration file named /etc/ez-ipupdate.6. Before installing DDclient. The developer of DDclient has recognized the limitations of using ez-ipupdate with NAT.linuxhomenetworking. some routers such as the netgear line may provide automatic DDNS service and you may not have to download the software. Remember. Here is a sample: service-type=justlinux user=registration-username:registration-password host=servername. Installing And Using DDclient Another highly used solution is DDclient. ez-ipupdate And NAT The ez-ipupdate software runs as a daemon in memory continuously checking the IP address of your NIC. In most Home / SOHO environments this will be the same as that of the firewalls external NAT IP address. Here is an example of the steps used to install it.conf file for you to use. you’ll have to use a client like DDclient which doesn’t have this limitation. DDclient claims to offers support for a wide variety of routers from different manufacturers.

2]# cp sample-etc_rc.1 use=if.org. if=lo address is 127. You can then configure your /etc/ddclient. web=dyndns address is 97.conf in which you must specify: o o o Your registration username and password The host name you have selected for your Linux box.1 root root 869 Jan 3 2002 COPYRIGHT … … … [root@bigboy ddclient-3.mx. if=eth0 # via interfaces login=your-login # default login password=your-password # default password custom=yes \ server=members.2]# /sbin/chkconfig --add ddclient [root@bigboy ddclient-3. \ protocol=dyndns2 \ your-domain.redhat /etc/rc.dyndns.top-level # Your domains here Before updating the file you can use DDclient with the "-query" option to tell you which is the best mode to use.d/ddclient [root@bigboy ddclient-3.6.1.100 use=web. This is referenced on the line labeled “server”. Here is a sample using interface eth0: ## dyndns.26 [root@bigboy ddclient-3.2]# cp ddclient /usr/sbin/ The /etc/ddclient.168.conf File DDclient uses a configuration file named /etc/ddclient.2]# ddclient -daemon=0 -query use=if.d_ddclient.d/init.158. [root@bigboy ddclient-3. if=eth0 # via interfaces .your-other-domain.1 root root 18007 Jan 3 2002 COPYING -rw-r--r-.0.6.6.0.2]# ll -rw-r--r-.Chapter 18: Dynamic DNS 201 … … [root@bigboy tmp]# cd dd* [root@bigboy ddclient-3.d_init. Here is an example.6.2]# In this case.backupmx) ## use=if.6.253. if=wlan0 address is 192. the simple web mode provides an acceptable value for your external IP address. The NIC interface which is connected to your DSL line.top-level.6.org custom addresses ## ## (supports variables: wildcard.conf file to use "web" #use=if.

you will get an error message like this: [root@bigboy tmp]# nslookup www.my-site.net Address: 202.214#53 > www.my-site. Test it by asking a friend to access your web server by pointing their browser to the external IP address of your router / firewall.com use=web # via web Testing Your Dynamic DNS You can test your dynamic DNS by: • Looking at the status page of your DNS provider and making sure the IP address that matches your "www" site is the same as your router / firewall's public IP address.minidns.com command from your Linux command prompt and see whether you are getting a valid response.96 > Testing Port Forwarding Remember to read the configuration manual of your router / firewall to activate port forwarding.64.net Default server: ns1.com Server: ns1. If you failed to add your host record. The example below queries the miniDNS name server: [root@bigboy tmp]# nslookup > server ns1.com Address: 12.0.0.com: NXDOMAIN Note: This error could also be due to the fact that your domain hasn't propagated fully throughout the Internet.net Address: 202. .194. • Using the nslookup www.my-site.0.64.minidns.linuxhomenetworking.51.214#53 Name: www.my-site.my-site. You can test to make sure everything is OK by forcing NS lookup to query the nameservers directly.202 www.235.1 Address: 127.1#53 ** server can't find www.com Server: 127.minidns.0.51.

The Apache online documentation gets a little complicated. the RedHat 8.40-8.0 RPM as of this writing was: httpd-2. If you need a refresher.0 © Peter Harrison. www. It is best to use the latest version of Apache.rpm . Downloading and installing RPMs isn’t hard.0.linuxhomenetworking. the chapter on RPMs covers how to do this in detail.i386.com =========================================== This is page outlines how to create multiple websites using a single IP address for a basic home configuration.203 Chapter 19 The Apache Web Server =========================================== In This Chapter Chapter 19 The Apache Web Server Download and Install The Apache Package How To Get Apache Started Configuring DNS For Apache General Configuration Steps Configuration – Multiple Sites And IP Addresses Using Data Compression On Web Pages Apache Running On A Server Behind A Firewall File Permissions And Apache How To Protect Web Page Directories With Passwords Issues When Upgrading To Apache 2. • For example. Download and Install The Apache Package Most RedHat Linux software products are available in the RPM format.

linuxhomenetworking. you should get a response of plain old process ID numbers: [root@bigboy tmp]# pgrep httpd Configuring DNS For Apache Remember that you will never receive the correct traffic unless you have configured DNS for your domain to make your new Linux box web server the target of the DNS domain's www entry.0. See either the Static DNS or Dynamic DNS pages on how to do this.204 www. General Configuration Steps The configuration file used by Apache is /etc/httpd/conf/httpd.conf.i386.d directory to start/stop/restart Apache after booting [root@bigboy tmp]# /etc/init.d/httpd start [root@bigboy tmp]# /etc/init. .d/httpd stop [root@bigboy tmp]# /etc/init. Apache expects its HTML files to be located in the /var/www/html directory How To Get Apache Started • Use the chkconfig configure Apache to start at boot: [root@bigboy tmp]# chkconfig --level 35 httpd on • Use the httpd init script in the /etc/init.40-8.d/httpd restart • You can test whether the Apache process is running with the following command. Examples of this will follow.com • Install the package using the rpm command [root@bigboy tmp]# rpm -Uvh httpd-2.rpm By default.

This makes configuration easier. A Note On Virtual Hosting And SSL It is common for system administrators to replace the IP address in the <VirtualHost> and NameVirtualHost directives with the “*” (all IP addresses) wildcard character.158. When you use wild cards. As explained on the apache website: "When a request arrives. and you must only have a single <VirtualHost> section per IP address. the server will first check if it is using an IP address that matches the NameVirtualHost.26> Directives for site #1 </VirtualHost> <VirtualHost 97. then it will look at each <VirtualHost> section with a matching IP address and try to find one where the ServerName or ServerAlias matches the requested hostname. The NameVirtualHost directive in the /etc/httpd/conf/httpd. Here is the format: NameVirtualHost 97.158. which is used frequently in credit card and shopping cart web pages.Chapter 19: The Apache Webserver 205 Named Virtual Hosting You can make your web server host more than one site per IP address by using Apache's "named virtual hosting" feature." IP Based Virtual Hosting The other virtual hosting option is to have one IP address per website which is also known as IP based virtual hosting. If it is. then it uses the configuration for that server. If you installed Apache with support for secure HTTPS / SSL. You must specify the IP address for which each <VirtualHost> section applies. If no matching virtual host is found.253.253. You can also list secondary domain names which will serve the same content as the primary ServerName using the ServerAlias directive.158.253.26 The <VirtualHost> sections in the file then tell Apache where it should look for the web pages used on each web site. The Apache SSL module demands at least one explicit <VirtualHost> directive for IP based virtual hosting. then wild cards won’t work. Here is the format: <VirtualHost 97. then the first listed virtual host that matches the IP address will be used.conf file is used to tell Apache the IP addresses which will participate in this feature. Apache interprets it as an overlap of name based and IP based <VirtualHost> directives and will give errors like this because it can’t make up its mind about which method to use: . In this case you will not have a NameVirtualHost directive for the IP address. The directory where the index page for that site is located is defined with the DocumentRoot directive. If it finds one.26> Directives for site #2 </VirtualHost> Within each <VirtualHost> section you then specify the primary website domain name for that IP address with the ServerName directive.

In this case we load only the php and perl modules. By default.d/*. In this scenario: . Configuration – Multiple Sites And IP Addresses What follows are snippets of the section of the /etc/httpd/conf/httpd.conf file: Include conf.d/php.206 www. Include conf.mixing * ports and non-* ports with a NameVirtualHost address is not supported. Run Apache with more careful use of wildcards Disabling SSL – (Not Recommended) If you wish to host a basic home SOHO website in which secure connections for credit card payments are unnecessary then you have the option of disabling SSL altogether.d directory. proceeding with undefined results If you try to load any webpage on your web server you’ll also notice an error like this: Bad request! Your browser (or proxy) sent a request that this server could not understand.conf file you'll need to edit. all the modules in this directory are loaded with the following directive in the /etc/httpd/conf/httpd. The only exception would be the very first <VirtualHost> directive which defines the web pages to be displayed when matches to the other <VirtualHost> directives cannot be found.conf Include conf. This can be done by not loading all the modules from the /etc/httpd/conf. If you think this is a server error. o o Continue using wildcards and disable SSL.conf You will then have to restart Apache for the changes to take effect. Use Wild Cards Sparingly The other choice is not to use virtual hosting statements with wild cards.com Starting httpd: [Sat Oct 12 21:21:49 2002] [error] VirtualHost _default_:443 -. please contact the webmaster You have two options to overcome this problem.linuxhomenetworking.d/perl.conf You can therefore do a listing of all the files in this directory and specifically load all except ssl.

test-site. • Traffic to www.158.my-site.253. A NameVirtualHost directive for 97. • Traffic going to www.253.253.27 Site3 Site1 Name Based IP Based IP address 97.com to map to an IP address 97.my-other-site.com www.com must get content from sub-directory site3. www.com and www.253.158.com. www.253. The last section of this configuration snippet has some additional statements to ensure read-only access to your web pages with the exception of web based forms using POSTs (pages with “submit” buttons).com. my-site.com www.default-site.158.html in this directory.158.158.my-site.com 97.com www.default-site.my-cool-site.253.253.com.com All other domains www.com.26 is therefore required.158. Site www.com must get content from subdirectory site2.my-other-site.158.26 on this web server. Remember to restart Apache every time you update the conf file for the changes to take effect on the running process.com was also configured to point to alias IP address 97.test-site.158.com.my-cool-site.conf file is listed below.my-site. The statements listed would normally be found at the very bottom of the file where virtual hosting statements normally reside.com and so traffic going to this domain • All other domains pointing to this server that don’t have a matching ServerName directive will get web pages from the directory defined in the very first <VirtualHost> section.26 Directory Site2 Type of Virtual Hosting Name Based A sample snippet or a working httpd.test-site.253. Web Hosting Scenario Summary Domain www.26 97. The domain www. my-site.26 as in this case we have a single IP address serving different content for a variety of domains. www.my-other-site.default-site.26 # # Match a webpage directory with each website # <VirtualHost *> DocumentRoot /var/www/html/site1 . • Traffic to www. ServerName localhost NameVirtualHost 97. • There is no ServerName directive for www. In this case is directory site1.com will get content from directory site4.158.27. • Named virtual hosting will be required for 97.com falls in this category.default-site.26 Site1 Name Based 97.com my-site.253.Chapter 19: The Apache Webserver 207 • The systems administrator for the server has previously created DNS entries for www.my-cool-site. Hitting these URLs will cause Apache to display the contents of file index.

208

www.linuxhomenetworking.com

</VirtualHost> <VirtualHost 97.158.253.26> DocumentRoot /var/www/html/site2 ServerName www.my-site.com ServerAlias my-site.com, www.my-cool-site.com </VirtualHost> <VirtualHost 97.158.253.26> DocumentRoot /var/www/html/site3 ServerName www.test-site.com </VirtualHost> <VirtualHost 97.158.253.27> DocumentRoot /var/www/html/site4 ServerName www.my-other-site.com </VirtualHost>

# # Make sure the directories specified above # have restricted access to read-only. # <Directory "/var/www/html/*"> Order allow,deny Allow from all AllowOverride FileInfo AuthConfig Limit Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS> Order allow,deny Allow from all </Limit> <LimitExcept GET POST OPTIONS> Order deny,allow Deny from all </LimitExcept> </Directory>

A Note On Virtual Hosting And DNS
You will have to configure your DNS server to point to the correct IP address used for each of the websites you host. The chapter on static DNS shows you how to configure multiple domains such as my-site.com and my-other-site.com on your DNS server.

Using Data Compression On Web Pages
Apache also has the ability to dynamically compress static web pages into gzip format and then send the result to the remote web surfers’ web browser. Most current web browsers support this format and will transparently uncompress the data and present it on the screen. This can significantly reduce bandwidth charges if you are paying for internet access by the megabyte.

Chapter 19: The Apache Webserver

209

First you need to load Apache version 2’s deflate module in your httpd.conf file and then use Location directives to specify what type of files to compress. After making these modifications and restarting Apache you will be able to verify from your /var/log/httpd/access_log file that the sizes of the transmitted HTML pages has shrunk. Here is a comparison of the file sizes in the Apache logs and the document directory, 78,350 bytes shrunk to 15,190 bytes, almost 80% compression. Log File

67.119.25.115 - - [15/Feb/2003:23:06:51 -0800] "GET /dns-static.htm HTTP/1.1" 200 15190 "http://www.siliconvalleyccie.com/sendmail.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; AT&T CSM6.0; YComp 5.0.2.6)" Corresponding Directory Listing [root@ bigboy tmp]# ll /web-dir/dns-static.htm -rw-r--r-1 user group 78350 Feb 15 00:53 /home/www/ccie/dns-static.htm [root@bigboy tmp]#

Compression Configuration Example
You can insert these statements just before your virtual hosting section of your httpd.conf file to activate the compression of static pages. Remember to restart Apache when you do.

LoadModule deflate_module modules/mod_deflate.so <Location /> # Insert filter SetOutputFilter DEFLATE # Netscape 4.x has some problems... BrowserMatch ^Mozilla/4 gzip-only-text/html # Netscape 4.06-4.08 have some more problems BrowserMatch ^Mozilla/4\.0[678] no-gzip # MSIE masquerades as Netscape, but it is fine BrowserMatch \bMSIE !no-gzip !gzip-only-text/html # Don't compress images SetEnvIfNoCase Request_URI \ \.(?:gif|jpe?g|png)$ no-gzip dont-vary

# Make sure proxies don't deliver the wrong content Header append Vary User-Agent env=!dont-vary

210

www.linuxhomenetworking.com

</Location>

Apache Running On A Server Behind A Firewall
If your webserver is behind a firewall, and you are logged on a machine behind the firewall as well, then you may find problems when trying to access www.mysite.com of www.my-other-site.com. The reason for this is that due to NAT (Network Address translation), firewalls frequently won't allow access from their protected network to IP addresses that they masquerade on the outside. For example, in this case, Linux web server bigboy has an internal IP address of 192.168.1.100, but the firewall presents it to the world with an external IP address of 97.158.253.26 via NAT/masquerading. If you are on the inside, 192.168.1.X network, you may find it impossible to hit URLs that resolve in DNS to 97.158.253.26. The solution to this can also be solved with virtual hosting. You can configure Apache to serve the correct content when accessing www.mysite.com or www.my-other-site.com from the outside, and also when accessing the specific IP address 192.168.1.100 from the inside. Fortunately Apache allows you to specify multiple IP addresses in the <VirtualHost> statements to help you overcome this problem. Here is an example:

NameVirtualHost 192.168.1.100 NameVirtualHost 97.158.253.26 <VirtualHost 192.168.1.100 97.158.253.26> DocumentRoot /www/server1 ServerName www.my-site.com ServerAlias bigboy, www.my-site-192-168-1-100.com </VirtualHost>

File Permissions And Apache
Remember that if you get a "permissions" error in your web browser after trying to browse your newly configured website, then you need to ensure that you allow "others" to have read access to the directory all the way from the root directory "/" to the target sub-directory. The appendix has a short script that you can use to recursively set the file permissions in a directory to match those expected by Apache. You may also have to use the "Directory" directive to make Apache serve the pages once the file permissions have been correctly set. If you have your files in the default /var/www/html directory then this second step becomes unnecessary.

How To Protect Web Page Directories With Passwords
You can password protect content in both the main and sub-directories of your DocumentRoot fairly easily. I know of cases where persons will allow normal access to their regular web pages, but require passwords for directories / pages that show MRTG or Webalizer data. In this example we'll show how to password protect the /var/www/html directory.

Chapter 19: The Apache Webserver

211

• Apache has a password utility called "htpasswd" which can create "username password" combinations independent of your system login password for web page access. You have to specify the location of the password file, and if it doesn't yet exist, you'll have to include a "-c" or "create" switch on the command line. I recommend placing the file in your /etc/httpd/conf directory, away from the DocumentRoot tree where web users could possibly view it. Here is an example for a first user named "peter" and a second named "paul": [root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter New password: Re-type new password: Adding password for user peter [root@bigboy tmp]# [root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul New password: Re-type new password: Adding password for user paul [root@bigboy tmp]# • Make the .htpasswd file readable by all users. [root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd • Create a .htaccess file in the directory to which you want password control with the following entries. Remember this will password protect this directory and all its sub directories. AuthUserFile /etc/httpd/conf/.htpasswd AuthGroupFile /dev/null AuthName EnterPassword AuthType Basic require user peter • • The AuthUserFile tells Apache to use the “.htpasswd” file The "require user" tells Apache that only user "peter" in the “.htpasswd” file should have access. If you wanted all “.htpasswd” users to have access then you'd replace this line with require valid-user "AuthType Basic" instructs Apache to accept basic unencrypted passwords from the remote users web browser.

• Set the correct file protections on your new .htaccess file in the directory /var/www/html. [root@bigboy tmp]# chmod 644 /var/www/html/.htaccess • Make sure your /etc/httpd/conf/http.conf file has an AllowOverride statement in a <Directory> directive for any directory in the tree above /var/www/html. In the example below, we want all directories below /var/www/ to require password authorization.

212

www.linuxhomenetworking.com

<Directory /var/www/html/*> AllowOverride AuthConfig </Directory> • You must also ensure that you have a <VirtualHost> directive that defines access to /var/www/html or another directory higher up in the tree. <VirtualHost *> ServerName 97.158.253.26 DocumentRoot /var/www/html </VirtualHost> • Restart Apache. Try accessing the web site and you'll be prompted for a password.

Issues When Upgrading To Apache 2.0
Incompatible /etc/httpd/conf/http.conf files
Your old configuration files will be incompatible when upgrading from Apache version 1.3 to Apache 2.X. The new version 2.X default configuration file is stored in /etc/httpd/conf/httpd.conf.rpmnew. For the simple virtual hosting example above, it would be easiest to: Save the old httpd.conf file with another name, httpd.conf-version-1.x for example. Copy the ServerName, NameVirtualHost, and VirtualHost sections from the old file and place them in the new file httpd.conf.rpmnew Copy the httpd.conf.rpmnew file an name it httpd.conf Restart Apache

o

o o

213

Chapter 20

Monitoring Server Performance
===========================================

In This Chapter Chapter 20
Monitoring Server Performance
SNMP MRTG Webalizer © Peter Harrison, www.linuxhomenetworking.com =========================================== Monitoring your system’s web performance can be done quite easily with a number of graphical tools available for Linux. These include MRTG for raw network traffic which is based on SNMP and Webalizer that monitors web site hits.

SNMP
What is SNMP?
Most routers and firewalls keep their operational statistics in Management Information Blocks (MIBs). Each statistic has an Object Identifier (OID) and can be remotely retrieved from the MIB via the Simple Network Management Protocol (SNMP). However, as a security measure, you need to know the SNMP password or "community string" to do so. There are a number of types of community strings, the most commonly used ones are the "Read Only" community string that only provides access for viewing statistics and system parameters. In many cases the "Read Only" community string or password is set to "public". There is also a "Read Write" community string for not only viewing statistics and system parameters but also for updating the parameters too.

SNMP on a Linux Server
By default, RedHat Linux has the NetSNMP package installed to provide SNMP services. NetSNMP uses a configuration file /etc/snmp/snmpd.conf in which the community strings may be set. The version of the configuration file that comes with Net-SNMP is quite complicated. I suggest

3 = INTEGER: 3 IF-MIB::ifDescr. [root@bigboy root]# /etc/init.2 = INTEGER: 2 IF-MIB::ifIndex. .0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.conf.....18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 SNMPv2-MIB::sysObjectID...25 SNMPv2-MIB::sysContact. • Save the old configuration file [root@bigboy snmp]# cd /etc/snmp/ [root@bigboy snmp]# mv snmpd.0 = STRING: bigboy .old [root@bigboy snmp]# vi snmpd..4.conf • Enter the following line in the new configuration file to set the Read Only community string to "craz33guy" rocommunity craz33guy • Configure Linux to start SNMP services on each reboot with the chkconfig command: [root@bigboy root]# chkconfig --level 345 snmpd on [root@bigboy root]# • You can then start SNMP to load the current configuration file. ....com archiving it and using a much simpler version with only a single line containing the keyword "rocommunity" followed by the community string. . [root@bigboy snmp]# . Here is an example of how to do that.d/snmpd start Starting snmpd: [ OK ] [root@bigboy root]# • Test whether SNMP can read the "system" and "interface" information MIB [root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost system SNMPv2-MIB::sysDescr.10 SNMPv2-MIB::sysUpTime.linuxhomenetworking..214 www.0 = STRING: root@localhost SNMPv2-MIB::sysName.. [root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost interface IF-MIB::ifNumber.conf snmpd.1 = INTEGER: 1 IF-MIB::ifIndex.0 = Timeticks: (425) 0:00:04. .1 = STRING: lo IF-MIB::ifDescr.0 = INTEGER: 3 IF-MIB::ifIndex.3 = STRING: eth0 .0 = STRING: Linux bigboy 2.2 = STRING: wlan0 IF-MIB::ifDescr.

d/httpd start [root@bigboy tmp]# /etc/init.d/httpd restart .17-8.11. we can configure a SNMP statistics gathering software package such as MRTG to create online graphs of your traffic flows.X.9.d/httpd stop [root@bigboy tmp]# /etc/init. Install apache using the following command. The product is available from the MRTG website and also on your distribution CDs.17-8. You can easily create graphs of traffic flow statistics through your home network's firewall / router or even your Linux box's NIC cards using MRTG. All you need is the IP address and SNMP read only string and you’ll be able to get similar results. This is available from the RedHat website or your installation CDs. The latest version of the RPM for RedHat 8. MRTG What is MRTG? MRTG (Multi Router Traffic Grapher) is a public domain package for producing graphs of various types of router statistics via a web page.0 is: mrtg-2.rpm o MRTG runs automatically upon startup. The most current version as of this writing was apache 1.3.i386. Download and Install The MRTG Packages Most RedHat Linux software products are available in the RPM format.i386.23-14. If you need a refresher.rpm o You can install the package like this: [root@bigboy tmp]# rpm -Uvh mrtg-2. the chapter on RPMs covers how to do this in detail. The RedHat RPM version seems to work with Apache 1. You can poll any SNMP aware network device with SNMP enabled. Now that we know SNMP is working correctly on your Linux server.rpm o You will also need to have a webserver package installed for MRTG to work.i386. [root@bigboy tmp]# rpm -Uvh apache-1.3. but you’ll need to configure Apache to start at boot using the chkconfig command: [root@bigboy tmp]# chkconfig --level 35 httpd on o Here’s how to start/stop/restart Apache after booting: [root@bigboy tmp]# /etc/init. Downloading and installing RPMs isn’t hard.23 .9.Chapter 20: Monitoring Server Performance 215 Note: In this case we were polling localhost.

0.0.1.0. Configuring MRTG By default.png” image files into it.100 --> 2 --snpo: confcache craz33guy@localhost: Type 24 --> 1 --snpo: confcache craz33guy@localhost: Type 6 --> 2 --snpo: confcache craz33guy@localhost: Type 6 --> 3 (duplicate) --snpo: confcache craz33guy@localhost: Eth --> 1 --snpo: confcache craz33guy@localhost: Eth 00-06-25-09-6a-b5 --> 2 --snpo: confcache craz33guy@localhost: Eth 00-08-c7-10-74-a8 --> 3 --base: Get Interface Info --base: Walking ifIndex --base: Walking ifType --base: Walking ifSpeed --base: Walking ifAdminStatus --base: Walking ifOperStatus --base: Writing /etc/mrtg/localhost. MRTG will place its HTML files in /var/www/html/mrtg. All data files will be placed in the directory /var/www/html/mrtg/stats. [root@bigboy mrtg]# mkdir /var/www/html/mrtg/stats .0. There are ways to specify other OIDs such as CPU and memory usage. We’ll be discussing the default configuration. MRTG will map the inbound and outbound data throughput rates on the device it is polling.cfg [root@bigboy tmp]# o Next create the /var/www/html/mrtg/stats directory and copy all of MRTG’s standard “.cfg for the server "bigboy" using a read only community string of craz33guy. but this is beyond the scope of this book. In this example we'll use MRTG’s cfgmaker command to create a configuration file named localhost.1 --> 1 --snpo: confcache craz33guy@localhost: Ip 192. [root@bigboy tmp]# cfgmaker --output=/etc/mrtg/localhost.216 www.168.cfg \ -ifref=ip --global "workdir: /var/www/html/mrtg/stats" \ craz33guy@localhost o --base: Get Device Info on craz33guy@localhost: --base: Vendor Id: --base: Populating confcache --snpo: confcache craz33guy@localhost: Descr lo --> 1 --snpo: confcache craz33guy@localhost: Descr wlan0 --> 2 --snpo: confcache craz33guy@localhost: Descr eth0 --> 3 --snpo: confcache craz33guy@localhost: Ip 0. Here are the steps you need to go through to create new configuration files.linuxhomenetworking.com By default Apache expects the HTML files for your website to be located in /var/www/html. When the MRTG RPM is installed it creates a directory called /etc/mrtg in which all future configuration files are stored.0 --> 3 --snpo: confcache craz33guy@localhost: Ip 127.

don’t be fooled. This would most likely include the loopback interface L0: with the IP address of 127.0.1.old updating log file Rateup WARNING: /usr/bin/rateup Can't rename localhost_192. Once this is done. MRTG has no data files to move.100.cfg” files in your /etc/mrtg directory.cfg configuration file.cfg [root@bigboy mrtg]# o You'll then want to use MRTG’s indexmaker command to create a combined index page to see all the graphs defined in all the various “. # 0-59/5 * * * * root /usr/bin/mrtg /etc/mrtg/mrtg. you can point your browser to http://ip-address/mrtg/ to get a graphical listing of all the monitored interfaces.0 and Indexmaker RedHat version 8 gives an error like this when running indexmaker.png /var/www/html/mrtg/stats [root@bigboy mrtg]# o Edit /etc/mrtg/localhost.1.100 Rateup WARNING: /usr/bin/rateup The backup log file for localhost_192.log to localhost_192.cfg device2.cfg and comment out the one pointing to mrtg. Note: The indexmaker command creates a very generic index page which is very similar to the MRTG home page.100 was invalid as well Rateup WARNING: /usr/bin/rateup Can't remove localhost_192.1.old updating log file [root@bigboy mrtg]# mrtg /etc/mrtg/localhost. The format of the command is: indexmaker --output=filename device1.168.cfg Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_192. the first time it is run.1 When the MRTG RPM is installed it places an entry in the /etc/crontab file to make MRTG run every 5 minutes using the default /etc/mrtg/mrtg.168. you will find your devices at the very bottom.1.1.1.html /etc/mrtg/localhost.cfg Can't locate package $VERSION for @MRTG_lib::ISA at /usr/bin/indexmaker line 49 .0.168.cfg. Add a new line referring to /etc/mrtg/localhost.100. and naturally.cfg Rateup WARNING: /usr/bin/rateup Can't remove localhost_192.100.168.Chapter 20: Monitoring Server Performance 217 [root@bigboy mrtg]# cp /var/www/html/mrtg/*.cfg o Run MRTG using /etc/mrtg/localhost. [root@bigboy mrtg]# mrtg /etc/mrtg/localhost.cfg and remove the sections related to interfaces you don't need to monitor.100.cfg etc RedHat Version 8.168.168. [root@bigboy mrtg]# indexmaker --output=index.cfg as your argument three times. You'll get an error the two times as MRTG tries to rename old data files.cfg 0-59/5 * * * * root /usr/bin/mrtg /etc/mrtg/localhost.old updating log file [root@bigboy mrtg]# mrtg /etc/mrtg/localhost.

Webalizer What Is Webalizer? Webalizer is a web server log file analysis tool that comes installed by default on RedHat Linux. monthly and yearly statistics for your interfaces./lib/mrtg2/MRTG_lib.db You can make the software run in quite mode by editing the /etc/cron. so if you have a default Apache installation you’ll be able to view your data by visiting http://www. Using MRTG To Monitor Other Subsystems MRTG will generate HTML pages with daily.pm line 49 eval {. weekly. You can then add links to all the html files in the /var/www/html/mrtg/stats directory.mrtg. How To View Your Webalizer Statistics By default webalizer places its index page in the directory /var/www/html/usage.pm line 49 [root@bigboy mrtg]# You have a couple choices here: • • Run a version of indexmaker from an older version of RedHat Create your own custom index page to replace the default one in /var/www/html/mrtg. Webalizer reads your Apache log files and creates a set of web pages that allow you to view websurfer statistics for your site. The MRTG website www.my-site.com main::BEGIN() called at /usr/bin/. Each night. Make Webalizer run in Quiet Mode Webalizer has a tendency to create this message in your logs which according to the Webalizer site’s documentation is non-critical.} called at /usr/bin/.conf.daily/00webalizer script file and adding the –Q (Quiet) switch to the webalizer command like this: . By default MRTG provides only network interface statistics.com/usage The Webalizer Configuration File Webalizer stores its configuration in the file /etc/webalizer.. The default settings should be sufficient for your web server./lib/mrtg2/MRTG_lib. Error: Unable to open DNS cache file /var/lib/webalizer/dns_cache.org has links to other sites that show you how to monitor other sub-systems on a variety of devices and operating systems.218 www. The information provided includes a list of your web site’s most popular pages sorted by “hits” along with traffic graphs showing the times of day when your site is most popular.linuxhomenetworking. but you may want to adjust the directory in which Webalizer places your graphic statistics. This can be adjusted with the OutputDir directive in the file....

. then /usr/bin/webalizer -Q fi exit 0 Once you’ve done this.Chapter 20: Monitoring Server Performance 219 #! /bin/bash # update access statistics for the web site if [ -s /var/log/httpd/access_log ] . Webalizer will function with few annoyances. however be aware that running in quiet mode could hide deeper problems that could occur in future.

linuxhomenetworking.com .220 www.

Windows users also have the option of either keeping or deleting the mail on the mail server after it has been downloaded. If the mail is destined for a local user then sendmail will place the message in that person’s mailbox so that they can retrieve it using one of the methods above.com =========================================== This chapter will help to show you how to set up a mail server for your home network. then sendmail will attempt to relay it to the appropriate destination mail server via the Simple Mail Transport Protocol or SMTP. www. If the mail isn't destined for the mailbox of a local user.linuxhomenetworking.221 Chapter 21 Configuring Linux Mail Servers =========================================== In This Chapter Chapter 21 Configuring Linux Mail Servers Configuring Sendmail Configuring Your POP Mail Server © Peter Harrison. It covers Sendmail which is responsible for relaying your mail to a remote user’s mailbox and also POP mail which is used to retrieve the mail from the mail box to your local PC via a mail client such as outlook Express. Configuring Sendmail An Overview Of How Sendmail Works Sendmail is the most popular Linux program for processing mail. Once the mail arrives on the mail server it can be read in a number of ways: o o Linux users logged into the mail server can read their mail directly using a text based client such as "mail" or a GUI client such as Evolution. One of The process is different when sending mail via the mail server: o o . Windows users can use an email client such as "Outlook" or "Outlook Express" to download the mail to their local PC via POP.

d/sendmail restart o Remember to restart the sendmail process every time you make a change to the configuration files for the changes to take effect on the running process. Simple sendmail security is outlined on this page.d/sendmail stop [root@bigboy tmp]# /etc/init.i386.12.com the main advantages of mail relaying is that when a PC user "A" sends mail to another user "B" on the Internet.12. the PC of user "A" can delegate the SMTP processing to the mail server.d/sendmail start [root@bigboy tmp]# /etc/init.5-7 .i386.rpm [root@bigboy tmp]# rpm -Uvh sendmail-8.5-7. You can also test whether the sendmail process is running with the pgrep command.12.rpm [root@bigboy tmp]# rpm -Uvh sendmail-devel-8.rpm o You can use the chkconfig command to get Sendmail configured to start at boot: [root@bigboy tmp]# chkconfig --level 35 sendmail on o To start/stop/restart sendmail after booting [root@bigboy tmp]# /etc/init. If you need a refresher. o It is best to use the latest version of sendmail as older versions have had a number of security holes.5-7 . Install all the packages in this order: [root@bigboy tmp]# rpm -Uvh sendmail-cf-8. Installing And Starting Sendmail Most RedHat Linux software products are available in the RPM format. the chapter on RPMs covers how to do this in detail.5-7 . Note:If mail relaying is not configured properly then your mail server could end up relaying SPAM.linuxhomenetworking. you should get a response of plain old process ID numbers: [root@bigboy tmp]# pgrep sendmail .i386. Configuring DNS Remember that you will never receive mail unless you have configured DNS for your domain to make your new Linux box mail server the target of the DNS domain's MX record.12. Downloading and installing RPMs isn’t hard.222 www. As of this writing the latest version of the sendmail suite was version 8. See either the Static DNS or Dynamic DNS pages on how to do this.

if not. This must be installed.m4: No such file or directory [root@bigboy mail]# . This may not be a good idea in a production system.mc > /etc/mail/sendmail. #!/bin/bash cd /etc/mail make m4 /etc/mail/sendmail. but it has been included so that you don’t forget. This little script encapsulates all the required post configuration steps.cf newaliases /etc/init.cf /etc/mail/sendmail.5 supports version 10.mc file.cf file is version 0 No local mailer defined QueueDirectory (Q) option must be set [root@bigboy mail]# Errors With The m4 Command [root@bigboy mail]# m4 /etc/mail/sendmail.cf m4 /etc/mail/sendmail.0+ Errors With The Newaliases Command [root@bigboy mail]# newaliases Warning: . chmod 700 filename You’ll need to run the script each time you change any of the sendmail configuration files described in the sections to follow.12. The line in the script that restarts sendmail is only needed if you have made changes to the /etc/mail/sendmail. .3# RH Ver 8. Both the newaliases and m4 commands depend on the sendmail-cf RPM package.d/sendmail restart Use this command to make the script executable.mc > /etc/sendmail.mc > /etc/mail/sendmail. Delete the appropriate "m4" line depending on your version of RedHat.Chapter 21: Configuring Linux Mail 223 Restart Sendmail After Editing Your Configuration Files In this chapter we’ll see that Sendmail uses a variety of configuration files which require different treatments in order for their commands to take effect.mc:8: m4: Cannot open /usr/share/sendmailcf/m4/cf.cf file is out of date: sendmail 8. you'll get errors like this when running the script: # RH Ver 7.

d/sendmail restart Shutting down sendmail: [ OK ] Shutting down sm-client: [FAILED] Starting sendmail: 554 5. The two most basic steps in configuring a Sendmail server are to modify this file to enable Sendmail to listen on the NIC interface and to make Sendmail to accept mail from valid web domains.0.0. SSH or console windows.0 QueueDirectory (Q) option must be set [FAILED] Starting sm-client: [ OK ] [root@bigboy mail]# The /var/log/maillog File Sendmail throws all its status messages in the /var/log/maillog file. then the return value will be blank.com Errors When Restarting sendmail [root@bigboy mail]# /etc/init. and not a client.224 www.1. To become a server. Work in one of them and monitor the sendmail status output in the other using the command [root@bigboy tmp]# tail -f /var/log/maillog The /etc/mail/sendmail. Sendmail needs to be also configured to listen for messages on the NIC interface.0 No local mailer defined 554 5. Sendmail therefore uses the loopback address to send mail to users on the local box.linuxhomenetworking. .mc File Most of sendmail's configuration parameters are set in this file with the exception of mailing list and mail relay security features. It is always good to monitor this file whenever you are doing changes.0. Open two telnet. If it isn't running. Fortunately in most cases you won't have to edit this file very often. We can verify that sendmail is running by first using the pgrep command which will return the sendmail process ID number once sendmail is running. As mail must be sent to a target IP address even when there is no NIC in the box. Why Sendmail Only Listens On The Loopback Interface By Default All Linux systems have a virtual loopback interface that only lives in memory with an IP address 127.0. It is often viewed as an intimidating file with its series of structured "directive" statements that get the job done.

cf for versions up to 7. so we use "netstat" and "grep" for "25" to see a default configuration listening only on IP address 127. In our sample network.cf file and restart sendmail. sendmail. . /etc/sendmail. However.0. The sendmail.0. dnl This changes sendmail to only listen on the loopback device 127. Comment this out if you want dnl to accept email over the network.cf File Once finished editing the file. Name=MTA') dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires dnl a kernel patch dnl DAEMON_OPTIONS(`port=smtp.cf for versions 8. Note: When sendmail starts.1.1:25 0.0.1 (loopback).0.0 and higher. Sendmail listens on TCP port 25. dnl FEATURE(`accept_unresolvable_domains')dnl dnl FEATURE(`relay_based_on_MX')dnl You need to be careful with the accept_unresolvable_names feature. Family=inet6') dnl We strongly recommend to comment this one out if you want to protect dnl yourself from spam. it reads the file sendmail.cf file is located in different directories dependent on the version of RedHat you use.Chapter 21: Configuring Linux Mail 225 [root@bigboy tmp]# pgrep sendmail 22131 [root@bigboy tmp]# We can also see the interfaces on which Sendmail is listening with the “netstat” command. the laptop and users on computers that do dnl not have 24x7 DNS do need this. It is also good practice to take precautions against SPAM by not accepting mail from domains that don't exist by commenting out the "accept_unresolvable_domains" feature too. The chapter on DNS shows how to create your own internal domain just for this purpose.mc To Make Sendmail Listen On NICs Too To correct this you'll have to comment out the daemon_options line in the /etc/mail/sendmail. [root@bigboy tmp]# netstat -an | grep :25 | grep tcp tcp 0 0 127.Addr=::1.Addr=127.0.0:* LISTEN [root@bigboy tmp]# Edit /etc/mail/sendmail.mc file with "dnl" statements.cf for its configuration. Regenerate The sendmail.0.0. dnl DAEMON_OPTIONS(`Port=smtp.0.0. bigboy the mail server will not accept email relayed from any of the other PCs on your network if they are not in DNS.1 dnl and not on any other network devices. we have to regenerate a new sendmail.3. See the italicized lines in the example below. and /etc/mail/sendmail.mc is a more user friendly configuration file and really is much easier to fool around with without getting burned.0. Name=MTA-v6.

0+ [root@bigboy tmp]# m4 /etc/mail/sendmail. Having easily identifiable modifications in this file will make post upgrade reconfiguration much easier.linuxhomenetworking.0.3 [root@bigboy tmp]# m4 /etc/mail/sendmail.0:* LISTEN [root@bigboy tmp]# A General Guide To Using The sendmail.mc File The sendmail. To make it less cluttered I usually create two easily identifiable sections in it with all the custom commands I've ever added.0.0.226 www.0.mc > /etc/sendmail. Sometimes sendmail will archive this file when you do a version upgrade.0) [root@bigboy tmp]# netstat -an | grep :25 | grep tcp tcp 0 0 0.0.0:25 0.mc > /etc/mail/sendmail. The first section is near the top where the FEATURE statements usually are.0.mc file can seem jumbled. Here is a sample: dnl ***** Customised section 1 start ***** dnl dnl FEATURE(delay_checks)dnl FEATURE(masquerade_envelope)dnl FEATURE(allmasquerade)dnl FEATURE(masquerade_entire_domain)dnl dnl dnl dnl ***** Customised section 1 end ***** .com Redhat versions up to 7.cf Restart sendmail to load the new configuration [root@bigboy tmp]# /etc/init.d/sendmail restart Shutting down sendmail: [ OK ] Starting sendmail: [ OK ] [root@bigboy tmp]# Now Make Sure Sendmail Is Listening On All Interfaces Sendmail should start listening on all interfaces (0. and the second section is at the very bottom.cf Redhat versions 8.

02(BFLITEMAIL4A). Here is a brief example: 127.221.com.com.my-site.com> 250 <example@another-site.. a poorly configured /etc/hosts file can make mail sent from your server to the outside world appear as if it came from users at localhost. Symptoms Of A Bad /etc/hosts File As discussed above. [root@bigboy tmp]# sendmail -v example@another-site. pleased to meet you 250 HELP >>> MAIL From:<root@localhost. example@another-site.. Sat. 220 ltmail.168.another-site.localdomain and not bigboy.com (Wrong!!!) Sendmail would assume the server's name was my-site and that the domain was all of ".com Hello [67.. Sender Ok >>> RCPT To:<example@another-site.com test text test text . If bigboy had an entry like this: 192.localdomain>.com.localdomain localhost bigboy. via esmtp. Use the sendmail program to send a sample email to someone in verbose mode..1.1..1 192.mysite.another-site.my-site.106].com" domain and would ignore the security features of the access and relay-domains files we'll describe below." all by itself on the last line.com.0.. Enter some text after issuing the command and end your message with a single ". Connecting to mail.com>. then you run the risk of having all your mail appear to come from localhost.localdomain and not bigboy.domain (bigboy.168.my-site.com bigboy mail www Here the IP address is followed by the hostname. Sendmail uses this file to determine: o o The system name The domains it is responsible for relaying Sendmail looks for the IP address of your NIC in /etc/hosts and then assumes the first name after it is the fully qualified domain name of the server such as bigboy. The server would therefore be open to relay all mail from any ". Recipient Ok >>> DATA .100 my-site. If you fail to put the IP address of your NIC in the /etc/hosts file altogether.localdomain 250-mx.0. 05 Oct 2002 06:48:44 -0400 >>> EHLO localhost.Chapter 21: Configuring Linux Mail 227 The /etc/hosts File It is very important to have a correctly configured /etc/hosts file..com) followed by the hostname and all the DNS CNAMEs assigned to the server's IP address.localdomain> 250 <root@localhost.100 localhost.com.com".my-site..120.com LiteMail v3.another-site.

fix $j in config file [root@bigboy tmp]# newaliases WARNING: local host name (bigboy) is not qualified. my-super-duper-site.com 354 Enter mail.localdomain on PC1 and is rejected. If mail sent from computer PC1 to PC2 appears to come from a user at localhost. fix $j in config file [root@bigboy tmp]# With the accompanying error in /var/log/maillog log file that looks like this: Oct 16 10:23:58 bigboy sendmail[2582]: My unqualified host name (bigboy) unknown. >>> QUIT [root@bigboy tmp]# Localhost.com .linuxhomenetworking.localdomain and will think that the rejected email should be sent to a user on PC2 that may not exist. You will probably get an error like this in /var/log/maillog if this happens: Oct 16 10:20:04 bigboy sendmail[2500]: g9GHK3iQ002500: SYSERR(root): savemail: cannot save rejected email anywhere Oct 16 10:20:04 bigboy sendmail[2500]: g9GHK3iQ002500: Losing ..com. end with ". in this example "root".. The contents of the relay-domains file should be limited to those domains that can be trusted not to originate spam.com. An error in the script could cause this type of message too.228 www." on a line by itself >>> .com and not destined for this mail server will be forwarded.another-site. sleeping for retry The /etc/mail/relay-domains File The /etc/mail/relay-domains file is used to determine domains from which it will relay mail. all mail sent from my-super-duper-site. Sent (Message accepted for delivery) Closing connection to mail. By default.localdomain. it is therefore an illegal internet domain. this file does not exist in a standard RedHat install. for example a script based on the PERL module Mail::Audit. PC2 will see that the mail originated from localhost.localdomain is the domain that all computers use to refer to themselves. or creating a new alias database file. Another set of tell tale errors caused by the same problem can be generated when trying to send mail to a user ./qfg9GHK3iQ002500: savemail panic Note: You may also get this error if you are using a SPAM prevention program. In this case. (The newalias command will be explained later): [root@bigboy tmp]# sendmail -v root WARNING: local host name (bigboy) is not qualified. 250 Message accepted for delivery example@another-site. the rejected email will be returned to localhost.

such as restricting relaying by IP address or network range and is more commonly used. localhost).17 192. The /etc/mail/access file has more capabilities. Configuring the /etc/mail/access file will not stop SPAM coming to you. Remember that a server will only be considered a part of my-site.localdomain localhost 127.1. Sendmail has to be restarted after editing this file for the changes to take effect.168. In the sample file below.X network. REJECT. OK (not ACCEPT) and DISCARD. then relay access is fully determined by the /etc/mail/access file.0. That is to say.2 my-site. two client PCs on your home 192.168. the mail server will only relay mail for those PCs on your network that have their email clients configured to use the mail server as their "outgoing SMTP mail server".0. There is no third column to state whether the IP address or domain is the source or destination of the mail.1.db. Keywords include RELAY.com.16 192. only SPAM flowing through you.2. Despite this.com RELAY RELAY RELAY RELAY RELAY RELAY RELAY You'll then have to convert this text file into a Sendmail readable database file named /etc/mail/access.168. The first lists IP addresses and domains from which the mail is coming or going. everyone on your 192. Sendmail will REJECT all other attempted relayed mail that doesn't match any of the entries in the /etc/mail/access file.X network and everyone passing email through the mail server from servers belonging to my-site.168.0. .0.1 192. Here are the commands to do that: [root@bigboy tmp]# cd /etc/mail [root@bigboy mail]# make Remember that the relay security features of this file may not work if you don't have a correctly configured /etc/hosts file. The second lists the type of action to be taken when mail from these sources / destinations is received.168.com if its IP address can be found in a DNS reverse zone file: localhost. my experience has been that control on a per email address basis is much more intuitive via the /etc/mail/virtusertable file. If you delete /etc/mail/relay-domains. you may find your server being used to relay mail for SPAM email sites.Chapter 21: Configuring Linux Mail 229 One disadvantage of this file is that it can only control mail based on the source domain which can be spoofed by SPAM email servers. (In Outlook Express you set this using: Tools Menu -> Accounts -> Properties -> Servers) If you don't take the precaution of using this feature. we allow relaying for only the server itself (127. Sendmail assumes it could be either and tries to match both. The /etc/mail/access file has two columns.1. The /etc/mail/access File You can make sure that only trusted PCs on your network have the ability to relay mail via your mail server by using the /etc/mail/access file.1.

It uses the /etc/mail/local-host-names file to do this.com my-other-site.com. .my-site.com and my-other-site. . o o The first lists the destination to which the original sender intended to send the mail.com Which User Should Really Receive The Mail? Sendmail uses two different methods to determine who the ultimate mail recipient will be. The /etc/aliases file This file has two columns too. if this mail server was to accept mail for the domains my-site. It checks these methods in this order: The /etc/mail/virtusertable file This file has two columns. This file has a list of hostnames and domains for which sendmail will accept responsibility.com.com" DNS zonefile point to my-site. a mailing list entry in the /etc/aliases file or the email address of someone on some other mail server to which the mail should be automatically forwarded. The second column lists the single true destination. Here is an example (Remember each ".com. it needs a way of determining whether it is responsible for the mail it receives. then sendmail assumes the recipient is on the local box. Primary Mail Exchanger for my-other-site. For example.com and the host server.com The /etc/mail/local-host-names File When sendmail receives mail. o o o If the mailing list member doesn't have an "@" in the name. If it doesn't find a duplicate. MX 10 mail.my-site. It could be viewed as a mailing list file. it assumes the recipient is a local user. It will then search the first column of the aliases file to see if the recipient isn't on yet another mailing list.com then the file would look like this: my-site.com In this case. The true destination in the eyes of the mail server could be a local Linux user.linuxhomenetworking. remember to modify the MX record of the "my-other-site." is important): my-other-site. The first column has the mailing list name (sometimes called a virtual mailbox) and the second column has the members of the mailing list separated by commas.230 www.

The /etc/mail/virtusertable file This file contains a set of simple instructions on what to do with received mail.these MUST be present. mail sent to: o o o o webmaster@my-other-site.Chapter 21: Configuring Linux Mail 231 o If the recipient is a mailing list. "sales" at my-site. you can see that mail sent to users "bin".com will go to the sales department at my-othersite.com finance@my-site. all other mail to my-other-site.com @my-other-site.com paul@my-site. mailer-daemon: postmaster postmaster: root # General redirections for pseudo accounts.com will go to local user "marc". # Basic system aliases -. In the example below. etc by system processes will all be sent to user (or mailing list) "root". The first column lists the target email address and the second column lists the local user’s mail box or remote email address to which the email should be forwarded.com @my-site.com.com. "named". Note: The default /etc/aliases file installed with RedHat has the last line of this sample commented out with a "#". "shutdown". In the example below. In this case "root" is actually an alias for a mailing list consisting of user "marc" and webmaster@my-site. and members of the mailing lists in the second column..com goes to local user (or mailing list) "paul" all other users at my-site.com sales@my-site. Here are the commands to do that: [root@bigboy tmp]# cd /etc/mail [root@bigboy mail]# make The /etc/aliases File This file is really a list of email aliases for local users. "apache". "lp".com receive a "bounce back" message stating "User unknown" webmaster@my-other-site. "paul" and "finance" at my-site. you may want to delete the comment and change user "marc" to another user.. "daemon". then it goes through the process all over again to determine each individual in the mailing list and when it is all finished. they will all get a copy of the email message.com webmasters marc sales@my-other-site.com paul paul error:nouser User unknown After editing this file you'll have to convert it into a sendmail readable database file named /etc/mail/virtusertable.db.com will go to local user (or mailing list) "webmasters". It contains a list of virtual mail boxes (or mailing lists) in the first column. .

Another is that all subscriptions and unsubscriptions have to be done manually by the mailing list administrator. Mail to "directors@my-site. "paul" and "mary".brother. If either of these are a problem for you. then consider using a mailing list manager like majordomo.com Notice that there are no spaces between the mailing list entries for “root”. .com" goes to users "peter".232 www. Here are a few more list examples for your /etc/aliases file. This is important as you will get errors if you add spaces. # Directors of my SOHO company directors: peter. Despite this. mail sent to "root" actually goes to user account "marc" and webmaster@my-site.linuxhomenetworking. The advantage of using mailing list files is that the admin-list file can be a file that trusted users can edit.webmaster@my-site. Here is the command to do that: [root@bigboy tmp]# newaliases Simple Mailing Lists Using Aliases In the simple mailing list example above. One is that bounce messages from failed attempts to broadcast goes to all users. there are some problems with mail reflectors.sister Mail sent to admin-list gets sent to all the users listed in the file /usr/home/admin/admin-list. After editing this file you'll have to convert it into a sendmail readable database file named /etc/aliases.paul.mary Mail sent to "family@my-site. "brother" and "sister" # My family family: grandma.com.com bin: daemon: lp: shutdown: mail: apache: named: system: manager: abuse: root root root root root root root root root root # trap decode to catch security attacks decode: root # Person who should get root's mail root: marc.db.com" goes to users "grandma". user “root” is only needed update the aliases file.

com.my-site. you may find yourself dumping legitimate mail.Chapter 21: Configuring Linux Mail 233 # My mailing list file admin-list: ":include:/home/mailings/admin-list" After editing this file.com Sendmail Masquerading Explained If you want your mail to appear to come from user@mysite. When sendmail sends email to a local user.mc configuration file and adding some masquerading commands and directives. it will have no "to:" in the email header.com. try making root have an alias for a user with a fully qualified domain name. These are explained below: . we made bigboy the mailserver for the domain my-site. no matter which server originated the email. In other words you may want your mail server to handle all email by assigning a consistent return address to all outgoing mail.com. such as Outlook Express. This isn't terrible. it will appear to come from mail.mc that all outgoing mail originating on bigboy should appear to be coming from my-site. This can be solved by editing your sendmail.db.com then you have two choices: o o Configure your email client. based on our settings in the /etc/hosts file.com. Here is an example: # Person who should get root's mail root: webmaster@my-site. To get around this. This explained later in this chapter in the POP Mail section. but you may not want your website site to be remembered with the word "mail" in front of it. If you then use a mail client like Outlook Express with a SPAM mail filtering rule to reject mail with no to: in the header. Here is the command to do that: [root@bigboy tmp]# newaliases An Important Note About The /etc/aliases File By default your system uses sendmail to mail system messages to local user "root". if not.mysite. to set your email address to user@mysite. Set up masquerading to modify the domain name of all traffic originating from and passing trough your mail server. Configuring masquerading In the DNS configuration. you'll have to convert it into a sendmail readable database file named /etc/aliases. this will force sendmail to insert the correct fields in the header. You now have to tell bigboy in the sendmail configuration file sendmail.com and not user@bigboy.

only when you are sure you have the authority to do this. The email header is what email clients. even if the mail is sent from a user on the mail server to another user on the same mail server.com)dnl • • The MASQUERADE_AS directive will make all mail originating on bigboy appear to come from a server within the domain my-site.com. • • • • Testing Masquerading The best way of testing masquerading from the Linux command line is to use the "mail -v username" command. It is easy to fake the header. and *my-other-site. user "root" will not be masqueraded.com. I have noticed that "sendmail -v username" ignores masquerading altogether. the other recipient will see a cc: to an address he knows instead of one on localhost. You should also tail the /var/log/maillog file to verify that the masquerading is operating correctly and check the envelope and header of test email received by test email accounts. as Spammers often do. If you cc: yourself on an outgoing mail.localdomain. In other words. it is detrimental to email delivery to fake the envelope.com.com would be masqueraded. Other Masquerading Notes By default.')dnl MASQUERADE_DOMAIN(`my-site. Feature "masquerade_entire_domain" makes sendmail masquerade servers named *my-site. This is achieved with the: .mysite. Use this with caution. The email envelope contains the "to:" and "from:" used by mailservers for protocol negotiation.234 www.com as my-site. Feature "always_add_domain" will always masquerade email addresses. Feature "allmasquerade" will make sendmail rewrite both recipient addresses and sender addresses relative to the local machine. The "to:" and "from:" in the header is what is used when you use Outlook Express to do a "reply" or "reply all".com domain appear to come from the MASQUERADE_AS domain of my-site.com would be masqueraded too. mail from sales. It is the envelope's "from:" which is used when email rejection messages are sent between mail servers.com. such as Outlook Express.com by rewriting the email header.com FEATURE(always_add_domain)dnl FEATURE(`masquerade_entire_domain')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`allmasquerade')dnl MASQUERADE_AS(`my-site. then only servers named mysite. Feature "masquerade_envelope" will rewrite the email envelope just as "MASQUERADE_AS" rewrote the header.com and my-othersite. If this wasn't selected.')dnl MASQUERADE_AS(my-site.linuxhomenetworking.com. The MASQUERADE_DOMAIN directive will make mail relayed via bigboy from all machines in the my-other-site. say the "to:" and "from:" should be.

Chapter 21: Configuring Linux Mail 235 EXPOSED_USER(`root')dnl command in /etc/mail/sendmail. Configuring Your POP Mail Server Sendmail will just handle mail sent to your "my-site.accept. This is fairly simple to do as sendmail always checks the “. The most important modules are: o o o o MailTools IO-Stringy MIME-tools Mail-Audit I have written a script called mail-filter. It will then deny everything else. You'll also have to make your Linux box a POP mail server. PERL doesn’t come with modules that are able to check email headers and envelopes so you will have to download them from CPAN (www. o Update your “.forward” file and place an entry in /etc/smrsh Mail-filter will first reject all email based on the “reject” file and will then accept all mail found in the “accept” file. mail-filter. which specifies the subjects and email addresses to accept. Sendmail then looks for the filename in the directory /etc/smrsh and executes it.mc.pl that effectively filters out SPAM email for my home system.forward” file in your home directory for the name of this script. There are a few steps required to make the script work: o o o Install PERL and the PERL modules listed above. I have included a simple script with instructions on how to install the PERL modules in the Appendix.com" domain.org). If you want to retrieve this mail from your Linux box's user account. By default. You can comment this out if you like with a "dnl" at the beginning of the line and recompiling / restarting sendmail A Simple PERL Script To Help Stop SPAM It is possible to limit the amount of unsolicited commercial email (UCE or SPAM) SPAM you receive by writing a small script to intercept your mail before it is written to your mailbox. . Each user on your Linux box will get mail sent to their account's mail folder. then you have a few more steps.cpan. using a mail client such as Microsoft Outlook or Outlook Express.reject that specifies those that you should reject. Place an executable version of the script in your home directory and modify the script’s $FILEPATH variable point to your home directory Update the two configuration files: mail-filter.

mutt.d/xinetd restart Remember to restart the POP mail process every time you make a change to the configuration files for the changes to take effect on the running process Configuring Your POP Mail Server The starting and stopping of POP Mail is controlled by xinetd via the /etc/xinetd.d/xinetd stop [root@bigboy tmp]# /etc/init. \ # or fetchmail. POP Mail is deactivated by default.d]# vi ipop3 # default: off # description: The POP3 service allows remote users # to access their mail \ # using an POP3 client such as Netscape Communicator.d like this: [root@bigboy tmp]# /etc/init.com Installing Your POP Mail Server Most RedHat Linux software products are available in the RPM format.rpm o POP mail is started by xinetd. [root@bigboy tmp]# chkconfig --level 35 xinetd on o To start/stop/restart POP mail after booting you can use the xinetd init script located in the directory /etc/init. service pop3 { socket_type = stream wait = no user = root server = /usr/sbin/ipop3d log_on_success += HOST DURATION log_on_failure += HOST disable = no } . Therefore to get POP mail configured to start at boot you have to use the chkconfig command to make sure xinetd starts up on booting. so you’ll have to edit this file to start the program.d [root@bigboy xinetd. Follow the steps below and set the "disable" parameter to "no". The disable feature must be set to "no" to accept connections. o The IMAP/POP mail suite comes standard with the RedHat installation CDs.236 www. You can install the RPM with this command: [root@bigboy tmp]# rpm -Uvh imap-2001a-15. [root@bigboy tmp]# cd /etc/xinetd.linuxhomenetworking.d/xinetd start [root@bigboy tmp]# /etc/init. Downloading and installing RPMs isn’t hard. the chapter on RPMs covers how to do this in detail.i386.d/ipop3 file. Make sure the contents look like this. If you need a refresher.

both users will get sent to the Linux user account "john". If the users insist on overlapping names then you may need to modify your virtusertable file. If you have a user overlap. Create Linux accounts "john1" and "john2". you’ll have to edit the /etc/xinetd. Create the user accounts "john1" and "john2".com pointing to account "john1" and john@my-other-site.Chapter 21: Configuring Linux Mail 237 You will then have to restart xinetd for these changes to take effect using the startup script in the /etc/init. Here’s how: POP Mail Set your POP mail server to be the IP address of your Linux mail server. You have two choices: o Make the user part of the email address is different. set “disable” to “yes” and restart xinetd. John Smith (john@my-site. to disable POP Mail once again.com pointing to account "john2". Use your Linux user username and password when prompted. For example: john1@my-site. eg.com. How to handle overlapping email addresses.com) and John Brown (john@my-other-site. o .com and john2@my-other-site. You can now configure your email client such as Outlook Express to use your use your new POP / SMTP Mail Server quite easily. How To Configure Your Windows Mail Programs All your POP email accounts are really only regular Linux user accounts in which Sendmail has deposited mail. Naturally.d/ipop3 file.d directory. Have a virtusertable entries for john@mysite. SMTP Set your SMTP mail server to be the IP address / domain name of your Linux mail server.com). The POP configuration in Outlook Express for each user should POP using "john1" and "john2" respectively. by default.

com .linuxhomenetworking.238 www.

The configuration of a Linux DHCP client that gets its IP address from a DHCP server is covered in the Linux Networking Topics chapter.conf File Upgrading Your DHCP Server How to get DHCP started Modify Your Routes for DHCP on Linux Server Configuring Linux clients to use DHCP Error Found When Upgrading From Redhat 7. N Download and Install The DHCP Package Most RedHat Linux software products are available in the RPM format. This chapter only covers the configuration of a DHCP server that provides IP addresses.linuxhomenetworking. . You can choose to disable the DHCP server feature on your home router and set up a Linux box as the DHCP server.239 Chapter 22 Configuring The DHCP Server =========================================== In This Chapter Chapter 22 Configuring The DHCP Server Download and Install The DHCP Package The /etc/dhcp. www. If you install a home cable/DSL router between your modem and home network your PC will most likely get its IP address at boot time from the home router instead.0 © Peter Harrison.com =========================================== ormally if you have a cable modem or DSL you get your home PC's IP address dynamically assigned from your service provider. the RPM chapter covers how to do this in detail. If you need a refresher.3 To 8. Downloading and installing RPMs isn’t hard.

It uses the commands here to configure your network. # Set the default gateway to be used by # the PC clients option routers 192.1.1.com • For example.255.0 netmask 255.sample Here is a quick explanation of the dhcp. there must be a "subnet" section for each interface on your Linux box.i386.conf.0 { # The range of IP addresses the server # will issue to DHCP enabled PC clients # booting up on the network range 192.conf.conf in the following directory which you can always use as a guide.168.rpm • Install the package using the following command: [root@bigboy tmp]# rpm -Uvh dhcp-3. # Set the amount of time in seconds that # a client may keep the IP address default-lease-time 86400.220.0 RPM as of this writing was: dhcp-3.linuxhomenetworking.168. # Don't forward DHCP requests from this # NIC interface to any other NIC # interfaces option ip-forwarding off.conf file: Most importantly.168.168. the RedHat 8. .0pl1-9.240 www.rpm The /etc/dhcp.i386.1. max-lease-time 86400.1.1.conf File When DHCP starts it reads the file /etc/dhcp.0pl1-9.201 192.0+ subnet 192. ddns-update-style interim # Redhat Version 8.255. /usr/share/doc/dhcp-<version-number>/dhcpd. Normally you can find a sample copy of dhcpd.

168.1.100. Check the dhcp-options man page after you do your install.100.255.168.222.100.Chapter 22: Configuring The DHCP Server 241 # Set the broadcast address and subnet mask # to be used by the DHCP clients option broadcast-address 192. in Redhat Version 8.0 (dhcpd version 3. For example.0 netmask 255. # you need to include the following option in the dhcpd.1.255. } # # List an unused interface here # subnet 192.1.conf file: option netbios-name-servers 192.1.255.2. # Set the NTP server to be used by the # DHCP clients option nntp-server 192.168. # If you specify a WINS server for your Windows clients. # Set the DNS server to be used by the # DHCP clients option domain-name-servers 192.255. fixed-address 192.1.168.0b2pl11) you will need to add the line at the very top of the config file or else you will get errors:: ddns-update-style interim . option subnet-mask 255. } There many more options statements you can use to configure DHCP.0.255. These include telling the DHCP clients where to go for services such as finger and IRC.0 { } # You can also assign specific IP addresses based on the clients' # ethernet MAC address as follows (Host's name is "smallfry": host smallfry { hardware ethernet 08:00:2b:4c:59:23.168.168. The command to do this follows: [root@bigboy tmp]# man dhcp-options Upgrading Your DHCP Server Always refer to this sample file after doing an upgrade as new required commands may have been added.

Note: More information on adding Linux routes and routing may be found in the Linux Networking chapter.255.leases • Use the chkconfig command to get DHCP configured to start at boot: [root@bigboy tmp]# chkconfig --level 35 dhcpd on • Use the /etc/init. always remember to set your PC to get its IP address via DHCP. It does this by sending a standardized DHCP broadcast request packet to the DHCP server with a source IP address of 255.d/dhcpd start [root@bigboy tmp]# /etc/init.242 www. you should get a response of plain old process ID numbers: [root@bigboy tmp]# pgrep dhcpd • Finally. You also can test whether the DHCP process is running with the following command.linuxhomenetworking. Modify Your Routes for DHCP on Linux Server When a DHCP configured PC boots.255. Temporary solution o Add the route to 255.leases" to create the file if it does not exist. . (In both examples below.255. it will request its IP address from the DHCP server.255. it will fail unless there is an existing dhcpd.leases file.d/dhcpd script to start/stop/restart DHCP after booting [root@bigboy tmp]# /etc/init.d/dhcpd stop [root@bigboy tmp]# /etc/init. [root@bigboy tmp]# touch /var/lib/dhcp/dhcpd.com How to get DHCP started • Before you start the DHCP server for the first time. Use the command "touch /var/lib/dhcp/dhcpd.255. we’re assuming that DHCP requests will be coming in on interface eth0). You will have to add a route for this address on your Linux DHCP server so that it knows the interface on which to send the reply.d/dhcpd restart • Remember to restart the DHCP process every time you make a change to the conf file for the changes to take effect on the running process.255 from the command line.

255 dhcp Then. try: eth0 host dhcp Configuring Linux clients to use DHCP Remember to have your Linux based clients configured to have DHCP obtained IP addresses Error Found When Upgrading From Redhat 7.3 To 8.conf.0pl1 Copyright 1995-2001 Internet Software Consortium.255.0 This dhcpd startup error is caused by not having the following line at the very top of your /etc/dhcpd.255.255 o If this doesn't work properly try adding the following entry to your /etc/hosts file: 255.255.isc.255 dev eth0 o If the message 255. try: route add -host dhcp dev eth0 Permanent Solution o Edit /etc/sysconfig/static-routes.255.255: Unknown host appears then try adding the following entry to your /etc/hosts file: 255. For info.255.255. All rights reserved. which is read on booting.255. please visit http://www.255.org/products/DHCP ** You must add a ddns-update-style statement to /etc/dhcpd. .255 dhcp Then.Chapter 22: Configuring The DHCP Server 243 [root@bigboy tmp]# route add -host 255.255. and add the following line: eth0 host 255.255.conf file: ddns-update-style interim Sample error: Starting dhcpd: Internet Software Consortium DHCP Server V3.

If you intend to request help from the dhcp-server@isc.org and have not yet read the README. please read it before requesting help.org and install that before requesting help.linuxhomenetworking.isc. [FAILED] .com To get the same behaviour as in 3.isc.244 www.isc." Please read the dhcpd. Please do not under any circumstances send requests for help directly to the authors of this software . ** If you did not get this software from ftp.org mailing list.0b2pl11 and previous versions. add a line that says "ddns-update-style ad-hoc. If you did get this software from ftp. please read the section on the README about submitting bug reports and requests for help. please get the latest from ftp.org. exiting.conf manual page for more information.please send them to the appropriate mailing list as described in the README file.

245 Chapter 23 The NTP Server =========================================== In This Chapter Chapter 23 The NTP Server What is NTP? Download and Install The NTP Package The /etc/ntp.com =========================================== You can keep accurate time under Linux by synchronizing your system clock with a Network Time Protocol (NTP) Server. . A list of available servers may be found at: http://www. It is good practice to have at least one server on your network be the local time server for all your other devices.linuxhomenetworking. this makes the correlation of system events on different systems much easier.edu/~mills/ntp/servers.eecis. www. There are a number of "Stratum 1" (NTP sites using an atomic clock for timing) and "Stratum 2" (NTP sites with slightly less accurate time sources) sites that allow the general public to synchronize with them.conf File How To Get NTP Started Determining If NTP Is Synchronized Properly Configuring Cisco Devices To Use An NTP Server Firewalls and NTP © Peter Harrison.udel.html What is NTP? Network Time Protocol (NTP) is a protocol used to help synchronize your system clock with an accurate time source.

gov # A stratum 1 server at server.168.i386.rpm The /etc/ntp. restrict otherntp.conf File This is the main configuration file for Linux NTP in which you place the IP addresses of the stratum 1 and stratum 2 servers you want to use. If you need a refresher.1-1.255.rpm • Install the package using the following command: [root@bigboy tmp]# rpm -Uvh ntp-4.255 nomodify notrap noquery mask 255.1-1. • Now list the NTP clients on our home network which should be querying our server for the time (notice that the noquery has been removed): restrict 192.research.org # A stratum 2 server at research.1. In this example we’re not allowing them to modify or query our Linux NTP server.255.server.1.255.255.246 www.0 mask 255.1. • The latest version of the RPM for RedHat 8.0 notrust nomodify notrap .255.server. You can use them to practice with your new NTP server.research.gov mask 255. Download and Install The NTP Package Most RedHat Linux software products are available in the RPM format.i386.linuxhomenetworking.org restrict ntp. the chapter on RPMs covers how to do this in detail.255.gov • Then we restrict the type of access you allow these servers. Here is a sample of a home configuration using a pair of sample Internet based NTP servers: • First we specify the servers we’re interested in: server server otherntp.255.com There are a number of freely available NTP client programs for Windows.255 nomodify notrap noquery The mask statement 255. Downloading and installing RPMs isn’t hard.255 is really a subnet mask limiting access to the single IP address of the remote NTP servers.org ntp.255.0 is: ntp-4.

266188 sec [root@bigboy tmp]# ntpdate otherntp.1 • Last.research.d/ntpd restart Remember to restart the NTP process every time you make a change to the conf file for the changes to take effect on the running process • You can test whether the NTP process is running with the following command. It will override all other restrict statements and you’ll find your NTP server will only be communicating properly with itself.20.Chapter 23: The NTP Server 247 In this case the mask statement has been expanded to include all 255 possible IP addresses on our local network. but most importantly.000267 sec How To Get NTP Started • To get NTP configured to start at boot: [root@bigboy tmp]# chkconfig --level 35 ntpd on • To start/stop/restart NTP after booting: [root@bigboy tmp]# /etc/init. comment it out like this: #restrict default ignore • Save the file • Do the following commands twice for each new server added to /etc/ntp.research.20.0.0.10 offset 15. • We also want to make sure that localhost (The universal IP address used to refer to a Linux server itself) has full access without any restricting keywords: restrict 127.gov 24 Mar 18:16:36 ntpdate[10254]: step time server 200.100.gov 24 Mar 18:16:43 ntpdate[10255]: adjust time server 200.10 offset -0.conf [root@bigboy tmp]# ntpdate otherntp.d/ntpd start [root@bigboy tmp]# /etc/init.d/ntpd stop [root@bigboy tmp]# /etc/init. you should get a response of plain old process ID numbers: [root@bigboy tmp]# pgrep ntpd . you need to make sure the default restrict statement is removed.100. If the line is there.

psc.1.edu gandalf.cs.000 0.com Determining If NTP Is Synchronized Properly • Use the following command to see the servers with which you are synchronized: [root@bigboy tmp]# ntpq -p Sample output: remote refid st t when poll reach delay offset jitter ============================================================================== -jj.168.trim 0.wisc.100 .979 0.264 1.1. An explanation of the commands used follows.000 4000.00 snvl-smtp1.642 *clock.cc.0 16 u 64 0 0.100 and 192.127 3.047 -ntp0.000 0.000 0.net .conf file not being commented out.0.mcs.274 -5.000 0. 2 u 972 1024 377 38.379 0.534 ntp1.cs.aol-ca.wisc.sigmaso 3 u 95 1024 377 31.206 19.201.549 1.edu ntp1.0 16 u .008 ntp-cup.conectiv.externa 0.cis.edu 2 u 454 1024 347 54.018 2.1024 0 0.0.0 16 u 64 0 0. 1 u 426 1024 377 107.0 16 u 64 0 0.168.0.linuxhomenetworking.umb.0.424 -3.anl.navy.392 -mailer1.333 +taylor.go ntp0.000 4000.cs.248 www.681 -18.cs. ben.000 0.wis ben.0.000 0.589 28.098 3.via.00 • A telltale sign that you haven’t got proper synchronization is when all the remote servers have jitters of 4000 with delay and reach values of zero.0.00 nist1.0.strath harris.wisc.00 This could be caused by: o o The restrict default ignore statement in the /etc/ntp.993 -15.000 4000.cs.000 4000.mcs.c 0.025 1. remote refid st t when poll reach delay offset jitter ============================================================================== LOCAL(0) LOCAL(0) 10 l 64 7 0. A firewall blocking access to your Stratum 1 and 2 NTP servers Configuring Cisco Devices To Use An NTP Server Cisco IOS Here are the commands you would use to make your router synchronize with NTP servers with IP addresses 192.go 2 u 818 1024 125 41.edu 2 u 502 1024 357 55.strat 3 u 507 1024 377 115.028 -dr-zaius.168.GPS.1.572 milo.usno. ciscorouter> enable password: ********* ciscorouter# config t ciscorouter(config)# ntp update-calendar ciscorouter(config)# ntp server 192.tr 0.anl.0.

168. Unlike most UDP protocols.1. .201.1. You'll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 server with which you are synchronizing.1.168. greater than 1023). A sample Linux iptables firewall script snippet is in the Appendix.100 and 192.201 ciscorouter(config)# exit ciscorouter# wr mem o o ntp server: Forms a server association with another system.1. CAT OS Here are the commands you would use to make your router synchronize with NTP servers with IP addresses 192.1.168.100 ciscoswitch# ntp server 192.168.100 ciscoswitch# exit o o o ntp server: Forms a server association with another system. the source port isn't a high port (ie. An explanation of the commands used follows. ntp update-calendar: Configures the system to update its hardware clock from the software clock at periodic intervals. ciscoswitch> enable password: ********* ciscoswitch# set ntp client enable ciscoswitch# ntp server 192. but 123 also. set ntp client enable: Activate the NTP client Firewalls and NTP NTP servers communicate with one another using UDP with a destination port of 123.168.Chapter 23: The NTP Server 249 ciscorouter(config)# ntp server 192.

linuxhomenetworking.com .250 www.

later on this page.com =========================================== Sometimes you may have a Cisco PIX 501 firewall protecting your DSL based home network. Network Address Translation (NAT) Network address translation is a method used to help conserve the limited number of IP addresses available for internet purposes.Static IPs © Peter Harrison. www.DHCP How To Get Static IPs For DSL Cheaply Sample PIX configuration: DSL . We will return to the NAT discussion. This chapter covers how to configure it and in addition. specifically how to configure it.linuxhomenetworking. . but first a very basic introduction on how to configure and use the PIX. The introduction to networking page explains the concept in more detail in addition to other fundamental topics.251 Chapter 24 Configuring Cisco PIX Firewalls =========================================== In This Chapter Chapter 24 Configuring Cisco PIX Firewalls Network Address Translation (NAT) Accessing the PIX command line Sample PIX Configuration: DSL . there is a sample configuration in the appendix.

100 bigboy mail.localdomain localhost 192.1. # 127.168.1. # wr term Building configuration.my-site.0.linuxhomenetworking.. Escape character is '^]'.com o Once connected to the network you can access the PIX via telnet [root@bigboy tmp]# telnet pixfw Trying 192.1.. You will want to change your "password" and "enable password" right after completing your initial configuration.. pixfw> enable Password: ******** pixfw# o Use the "write terminal" command to see the current configuration. User Access Verification Password: Type help or '?' for a list of available commands. Here you list all the IP addresses of important devices that you may want to access with a corresponding nickname.1 pixfw 192.1.1. There is no password in a fresh out of the box PIX and simply hitting the "Enter" key will be enough.168.252 www.168.1 localhost. Via Telnet o One easy way to get access to any device on your network is using the /etc/hosts file. you should get a similar prompt too. or various programs # that require network functionality will fail. Here is a sample in which the PIX firewall "pixfw" has the IP address 192. Once you’ve set up all your PIX with an IP address you’ll be able to access it via Telnet.0.1: # Do not remove the following line.com Accessing the PIX command line Via The Console Port Your Cisco PIX will come with a console cable that will allow you to configure your PIX using terminal emulation software such as Hyperterm. Connected to pixfw. If you are directly connected to the console. o You'll be prompted for a password and will need another password to get into the privileged "enable" mode.168. ..

authentication type to a profile.. by issuing the "configure terminal" command from enable mode prompt. you can permanently save your changes by using the "write memory" command: pixfw# wr mem Building configuration. in this case "ISP".. pixfw# conf t pixfw(config)# "Enter commands here" pixfw(config)# exit pixfw# o One of the first things you should do is change the default paswords for the PIX. ask customer service for the URL. (Remember to be in config mode) ip address outside pppoe setroute . Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342 [OK] pixfw# Sample PIX Configuration: DSL .. You should substitute this username and password for "dsl-username" and "dsl-password" below.. The VPDN group statements just assign a username. o ALL PIX configuration commands need to be done in configuration mode.Chapter 24 : Configuring Cisco PIX Firewalls 253 : Saved : PIX Version 6. password.DHCP Configuring PPPoE o DHCP and DSL require you to get a pppoe password and username from your ISP. The configuration steps are relatively straight forward. pixfw# conf t pixfw(config)# enable password "enable password here" pixfw(config)# passwd "console password here" pixfw(config)# exit pixfw# o When you've finished configuring. ... Most ISPs have a homepage where you can register to get the username and password.2(2) nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password dsjf5sdfgsjrgjwk encrypted passwd sdffg8324dgrggjd encrypted hostname pixfw fixup protocol ftp 21 .

168.1. Once configured.158.253.158.255. and it becomes bundled in free.0.outside) tcp interface www 192.255. you will have to set the default gateway on all your servers to be 192.com ip address inside 192. NAT Configuration Here we allow any traffic coming in on the inside (private/protected) interface to be NAT-ted to the IP address of the outside (Public/unprotected) interface of the firewall.12.253. Due to competition they'll even throw in a DSL modem and even a router for free. They probably won't ask about the modem and/or router.168.168.1. from your protected PCs.0 vpdn group ISP request dialout pppoe vpdn group ISP localname dsl-username vpdn group ISP ppp authentication pap vpdn username dsl-username password dsl-password In this example.255 How To Get Static IPs For DSL Cheaply Many ISP DSL providers offer cheap DHCP (dynamic IP) service.1.100 on port 80 (www).0.1.linuxhomenetworking. will appear to be coming from address 97. .2 or greater for this to work.1 You must be using PIX IOS version 6.1.DHCP has assigned an address of 97.168.100 www netmask 255. global (outside) 1 interface nat (inside) 1 0. If you really want static IP addresses and are willing to pay the higher monthly fee.0 0.255. As the PIX will be acting as your default gateway to the internet. eg: http://firewall-outside-ip-address access-list inbound permit icmp any any access-list inbound permit tcp any any eq www access-group inbound in interface outside static (inside. you may be able to hit your website using PCs behind your firewall using the firewall's outside interface's IP address as the destination.1 255. If DSL .0.254 www.255. This service frequently isn't available for users with static IPs which the ISPs frequently feel are businesses.0. the IP address of the PIX is 192.12 then the traffic passing through the firewall.0 0 0 Dynamic DNS Port Forwarding Entries Here we allow all incoming www traffic (on TCP port 80) destined for the firewall's interface to be forwarded to the web server at 192. then you can reduce your installation costs by: • Ordering DHCP DSL first with the free modem and/or router • Upgrade to static IPs a week later.1.168.

You'll have to ask a friend t check it out.253.158.253. As the PIX will be acting as your default gateway to the internet.100 netmask 255. The IP address selected for the PIX is 97.158.253.158. we then allow all incoming traffic to be forwarded to the protected web server which has an IP address of 192.255. Once configured.26 eq 53 access-list inbound permit udp any host 97.1. Once you go for static IPs.255 to be NAT-ted to the IP address of the outside (Public/unprotected) interface of the firewall which is 97.255.168.253.1.26.255.255. Only www and DNS (Port 53) traffic is allowed to access it via an access control list applied to the outside interface.26 192.0 route outside 0.255. access-list inbound permit tcp any host 97.168.30 If you are converting from dynamic to static IP addresses. you will have to set the default gateway on all your servers to be 192.168.158. the default gateway is 97.outside) 97. the vpdn statements won’t be required.248 (/29).248 ip address inside 192.158. you won't be able to hit your website from PCs behind your firewall using the public IP address assigned to your web server as the destination.158.158.1.0 97.1 Outgoing Connections NAT Configuration Here we allow connections originating coming from servers connected to the inside (private/protected) interface with an IP address in the range 192.253. you do not need the vpdn PIX command statements for static IPs ip address outside 97.26 eq www access-list inbound permit tcp any host 97.255.0.253.100.168.25 255.255.253.253.25 : global (outside) 1 interface nat (inside) 1 192.Static IPs PPOE authentication is only required for DSL DHCP.0 to 192. In this example internet subnet that has been assigned is 97.0 255.255.30 In this example.158.1.253.1.255.1.0. namely 97.158.255.168.168.255 0 0 .1.25.0 0 0 Incoming Connections NAT Configuration Here we allow the firewall to handle traffic to a second IP address.253.168.0 0.168.253.Chapter 24 : Configuring Cisco PIX Firewalls 255 Sample PIX configuration: DSL .1.26 eq 53 access-group inbound in interface outside static (inside.158.1 255.158.0.24 with a mask of 255.1.0. the IP address of the PIX is 192.

256 www.com Here are some additional TCP ports you may be interested in: Protocol FTP SMTP Mail POP3 Mail HTTPS / SSL Port 20. 21 25 110 443 .linuxhomenetworking.

This page should be suitable for the following Cisco routers: With Built In DSL Modems • 800 series • 1700 / 2600 / 3600 series with the ADSL WIC installed With External DSL Modems • 1700 / 2600 / 3600 series .linuxhomenetworking.com =========================================== This is a simple guide on how to set up your Cisco DSL router for DHCP using PPPoE. www.257 Chapter 25 Configuring Cisco DSL Routers =========================================== In This Chapter Chapter 25 Configuring Cisco DSL Routers An Introduction to Network Address Translation (NAT) Introduction to accessing the router command line Sample Configurations Other NAT Topics © Peter Harrison. The examples in this chapter also show how to configure NAT so you can also have a home / SOHO based website.

Once you’ve set up all your router with an IP address you’ll be able to access it via Telnet.1: # Do not remove the following line. Introduction to accessing the router command line Via The Console Port Your Cisco router will come with a console cable that will allow you to configure your PIX using terminal emulation software such as Hyperterm.258 www. There is no password in a fresh out of the box Cisco router and simply hitting the "Enter" key will be enough.1. specifically how to configure it. We will return to the NAT discussion.168. Here is a sample in which the router "ciscorouter" has the IP address 192.localdomain localhost 192.com An Introduction to Network Address Translation (NAT) Network address translation is a method used to help conserve the limited number of IP addresses available for internet purposes.1.1. but first a very basic introduction on how to configure and use Cisco DSL routers.1 ciscorouter 192.168. Here you list all the IP addresses of important devices that you may want to access with a corresponding nickname. User Access Verification Password: Type help or '?' for a list of available commands.0. If you are directly connected to the console. # 127.. o You'll be prompted for a password and will need another password to get into the privileged "enable" mode. later in this chapter. Escape character is '^]'.168.. Via Telnet o One easy way to get access to any device on your network is using the /etc/hosts file.100 bigboy mail. Connected to ciscorouter.1.com o Once connected to the network you can access the router via telnet [root@bigboy tmp]# telnet ciscorouter Trying 192.1 localhost. The introduction to networking page explains the concept in more detail in addition to other fundamental topics. you should get a similar prompt too.168.0. ciscorouter> enable Password: ******** . or various programs # that require network functionality will fail.linuxhomenetworking.my-site.1.

. . you can permanently save your changes by using the "write memory" command: ciscorouter# wr mem Building configuration.. ciscorouter# show run Building configuration.Chapter 25: Configuring Cisco DSL Routers 259 ciscorouter# o Use the "show running" command to see the current configuration. by issuing the "configure terminal" command from enable mode prompt..1 no service pad service timestamps debug uptime service timestamps log datetime localtime service password-encryption ! hostname ciscorouter ! no logging console no logging monitor logging trap debugging .. You will want to change your "password" and "enable password" right after completing your initial configuration.. ! version 12. ciscorouter# conf t ciscorouter(config)# enable secret ciscorouter(config)# line con 0 ciscorouter(config-line)# password ciscorouter(config-line)# line vty ciscorouter(config-line)# password ciscorouter(config-line)# ^z ciscorouter# o "enable password here" "console password here" 0 4 "telnet password here" When you've finished configuring.. Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342 [OK] ciscorouter# .. o ALL router configuration commands need to be done in configuration mode.. ciscorouter# conf t ciscorouter(config)# "Enter commands here" ciscorouter(config)# exit ciscorouter# o One of the first things you should do is change the default paswords for the router.. ..

then putting an Internet accessible web server on your home network would be impossible using the routers mentioned above in this configuration.260 www. Most ISPs have a homepage where you can register to get the username and password.this interface: !--. ask customer service for the URL.value not necesarily "1/1" ! interface ATM0 o o o .255.Your ISP may provide you with a different pvc !--.2) is the inside "private" interface ! interface FastEthernet0 ip address 192. Remember to be in "config" mode to enter these commands and remember to do a "write memory" at the end to permanently save the configuration Cisco DSL Router With Built-in Modem Configuration (DHCP) ! vpdn enable no vpdn logging !--.1 255. You should substitute this username and password for PPP "username" and "password" listed below.Configure the home / SOHO network interface's !--.The "ip nat" statement tells your router that !--.DHCP o DHCP and DSL requires you to get a pppoe password and username from your ISP.can setup a session with the ISP ! vpdn-group pppoe request-dialin protocol pppoe !--. Some of the commands listed are part of Cisco's default settings.1) uses NAT !--.0 ip nat inside !--. If this is so.Configure the DSL interface !--.com Sample Configurations DSL Router With Built-In Modem . Here is a sample configuration for a Cisco home router.linuxhomenetworking.1. Do the "show run" command before starting to configure your router to see what commands you'll really need. Cisco IOS doesn’t support DHCP DSL and NAT.255.IP address !--.168.Configure the router's PPPoE client so that it !--.

the PPPoE header overhead.2) is the outside "public" interface ! interface Dialer1 ip address negotiated ip mtu 1492 ip nat outside encapsulation ppp dialer pool 1 !--!--!--!--!--! ppp ppp ppp ! Here are the commands to configure authentication with with your ISP.Cisco prefers to run the PPPoE client on a virtual !--.Chapter 25: Configuring Cisco DSL Routers 261 no ip address no atm ilmi-keepalive bundle-enable dsl operating-mode auto hold-queue 224 in ! interface ATM0. This example uses the "CHAP" method.1.168.1) uses NAT !--.The "ip nat" statement tells your router that !--.this interface: !--. ! !--. Commands for using the "PAP" method are included at the end of this box authentication chap callin chap hostname <username> chap password <password> !--!--!--!--!--- Tells the router to NAT all traffic that passes through it: 1) From the inside to the outside. The default ethernet MTU !--.1 point-to-point pvc 1/1 pppoe-client dial-pool-number 1 !--.This is tied to the real ATM DSL interface with the !--"dialer pool" command.size has been reduced from 1500 to accommodate !--. 2) And whose IP address is in the 192."dialer" interface !--.0 network as given in access list 1 .

in your home network.1 service timestamps debug uptime service timestamps log uptime ! hostname ciscorouter ! ip subnet-zero no ip domain-lookup ! bridge irb o o . Remember to be in "config" mode to enter these commands and remember to do a "write memory" at the end to permanently save the configuration Cisco DSL Router With Built-in Modem Configuration (Static IP) Current Configuration: ! version 12.255 If your ISP tells you that you need to do the PAP.0.0 0. This example also shows how to use NAT so you can have a web server / mail server / FTP server etc.0.0.0. Do the "show run" command before starting to configure your router to see what commands you'll really need.1 0. and not the CHAP.262 www. type of authentication then you'll have to replace the lines: ppp authentication chap callin ppp chap hostname <username> ppp chap password <password> with only these two: ppp authentication pap callin ppp pap sent-username <username> password <password> o DSL Router With Built-In Modem .168.0.3) Giving it an outside "public" address that is the !--same as interface Dialer1 gets from the PPPoE !--connection ! ip nat inside source list 1 interface Dialer1 overload ip classless ip route 0.linuxhomenetworking.0 dialer1 no ip http server ! access-list 1 permit 192.com !--. Some of the commands listed are part of Cisco's default settings.0.Static IP o Here is a sample configuration for a Cisco home router with a built-in modem.

26 port 80 (www) will be .158.same as interface BVI1 ! ip nat inside source list 1 interface BVI1 overload !--. !--.Cisco prefers to run the PPPoE client on a virtual !--."bridge-group" command above.255.1) From the inside to the outside.interface: !--.1 255.168.(The BVI number always matches the bridge-group number) !--.0 network !--as given in access list 1 !--.The "ip nat" statement tells your router that this !--.1.168.2) is the inside "private" interface ! interface Ethernet0 ip address 192.3) Must get an outside "public" address that is the !--.2) And whose IP address is in the 192.translation for the Web server.through it: !--. With this statement.248 ip nat outside !--.1) uses NAT !--.25 255.0 ip nat inside ! interface ATM0 no ip address no atm ilmi-keepalive pvc 0/35 encapsulation aal5snap ! bundle-enable dsl operating-mode auto bridge-group 1 ! !--.255. !--.The "ip nat" statement tells your router that !--.this interface: !--. !--.255.Tells the router to NAT all traffic that passes !--.Configure the home / SOHO network interface's IP address !--."BVI" interface !--.This is tied to the real ATM DSL interface with the !--.Chapter 25: Configuring Cisco DSL Routers 263 !--.253.158.1) uses NAT !--.255.This statement performs the static address !--.users trying to reach 97.2) is the outside "public" interface ! interface BVI1 ip address 97.1.253.

0.0 97.1.(www).com !--.automatically redirected to 192.255 bridge 1 protocol ieee bridge 1 route ip ! end DSL Router With External Modem .1 service timestamps debug uptime service timestamps log uptime ! hostname ciscorouter ! ip subnet-zero no ip domain-lookup ! !--!--!--!--Configure the home / SOHO network interface's IP address The "ip nat" statement tells your router that this interface: 1) uses NAT o o .0. Some of the commands listed are part of Cisco's default settings.168.168. in your home network.253. !--! ip nat inside source static tcp 192.158.0.264 www.100 port 80 !--. Do the "show run" command before starting to configure your router to see what commands you'll really need.1. which in this case is the Web server.0 0.253.100 80 97.Set your default gateway as provided by your ISP ! ip classless ip route 0.0 0.Static IP o Here is a sample configuration for a Cisco home router with an external modem.0.linuxhomenetworking.30 ! access-list 1 permit 192.158. This example also shows how to use NAT so you can have a web server / mail server / FTP server etc.1. Remember to be in "config" mode to enter these commands and remember to do a "write memory" at the end to permanently save the configuration Cisco Router Connected to DSL via External Modem Configuration (Static IP) Current Configuration: ! version 12.0.0.168.26 80 extendable !--.

through it: !--.0 0.255.192.168.255.255 ! end .0.3) Must get an outside "public" address that is the !--same as interface ethernet1 ! ip nat inside source list 1 interface ethernet1 overload !--.1.2) is the inside "private" interface ! interface Ethernet0 ip address 192.100 port 80 (www).30 ! access-list 1 permit 192.port 80 (www) will be automatically redirected to !--.0 0.168.This statement performs the static address translation !--.Tells the router to NAT all traffic that passes !--.With this statement.168.26 !--.0.2) And whose IP address is in the 192.Set your default gateway as provided by your ISP ! ip classless ip route 0.1.158. !--.253.0 network !--as given in access list 1 !--.0.0.1) From the inside to the outside.0.255.248 ip nat outside !--.100 80 97.168. !--. !--! ip nat inside source static tcp 192.for the Web server.1.253.158.0 97.158.255. users trying to reach 97.26 80 extendable !--.158.0.Chapter 25: Configuring Cisco DSL Routers 265 !--. which in this case !--.168.1 255.25 255.is the Web server.253.1.1.0 ip nat inside ! interface Ethernet1 ip address 97.253.

regardless of port.100 25 97.168.1.100 53 97.168. the command for SMTP mail would be: ip nat inside source static tcp 192.253.253.168.158.100.1.linuxhomenetworking. to be NAT-ted to 192.158.com Other NAT Topics Commonly Used TCP And UDP Ports Here are some additional TCP ports you may be interested in for NAT "ip nat inside source static" statements: Protocol FTP SMTP Mail POP3 Mail HTTPS / SSL DNS Port 20.25 How To Verify That NAT Is Working Correctly You can use the show ip nat translation command to determine whether NAT is actually occurring as expected: .26.1.100 97.1.158.266 www.26 25 extendable o DNS requires a UDP type NAT statement such as: ip nat inside source static udp 192.158. then you can use the command: ip nat inside source static 192.253.253.168.25 53 extendable o To have all traffic trying to reach 97. 21 25 110 443 53 Type TCP TCP TCP TCP UDP o So for example.

The Inside global address is the IP address of the server presented to the Internet after NAT.6 was communicating with the inside global address of 97.34.1.. The example below shows that translation occurs for port 80 traffic (HTTP / www) from address 97.168.100:80 67. in this case. The Inside local address is the actual IP address of the local server on your home network. and more specifically that remote host 67.26 03:29:49: NAT: Allocated Port for 192.6:5698 Outside Cisco uses the following terms for the various IP addresses you’ll find in any NAT translation process.26: wanted 80 got 80 03:29:49: NAT: o: tcp (198.26 to 192.158.217.217.26:80 192.100.158. The Outside local the actual IP address of the remote computer on its local network.100 on the home network How To Troubleshoot NAT To troubleshoot NAT after you have logged into the router via Telnet requires you to first activate logging to the telnet terminal with the terminal monitor command and then using the debug ip nat detailed command to visualize the translation process.253.158.133.158. 80) [0] .1.253.6:5698 ciscorouter# Outside local --. The Outside global the IP address of the remote computer as presented on the Internet.168.26. o o o o As you can see.100 -> 97...253..219.253.26.34. .158. NAT seems to be functioning properly for the web server 192.100:80 tcp 97. ciscorouter> enable Password: ******** ciscorouter#term mon ciscorouter#debug ip nat detailed IP NAT detailed debugging is on ciscorouter# 03:29:49: NAT: creating portlist proto 6 globaladdr 97. .253.Chapter 25: Configuring Cisco DSL Routers 267 ciscorouter> enable Password: ******** ciscorouter#show ip nat translation Pro Inside global Inside local global tcp 97.253.1.158..34.168.168.253. . 5698) -> (97.158.26:80 192.217.1.1.1.168.--67..

268 www.linuxhomenetworking.com .

com =========================================== We briefly discuss some miscellaneous topics in this chapter that are beyond the scope of this book with the intention that you will be stimulated to consider utilizing some of the technologies discussed to improve your website and / or your SOHO network. www.269 Appendix I Miscellaneous Topics =========================================== In This Chapter Appendix I Miscellaneous Topics VPN Terminologies Running Linux Without A Monitor Make Your Linux Box Emulate A VT100 Dumb Terminal Syslog Configuration and Cisco Devices Disk Partitioning Explained The OSI Networking Model TCP/IP Packet Format © Peter Harrison. VPN Terminologies A Virtual Private Network (VPN) provides security for transmission of sensitive information over unprotected networks such as the Internet.linuxhomenetworking. What follows is an introduction to VPN terminology Authentication The process of ensuring that the VPN data received is both unchanged and from the expected source. VPN relationships are established between trusted sites on the Internet making the public network appear to be virtually the same as a private network to the VPN members. .

Provides authentication. Encapsulating Security Protocol (ESP) The other IPSec security protocol.com Encryption The process of encoding VPN data to protect it from unauthorized viewing except by the intended recipient who has the decoder key. It does this by encrypting the data within the packet and then adding its own security header to the original IP packet. encryption. without encryption. Authentication Header (AH) One of two IPSec security protocols. AH and an ESP are often used in combination with each other.linuxhomenetworking.270 www. It does this by adding its own security header to the original IP packet. Provides authentication and anti-replay services. Here are some examples of what transport mode VPN IP packets will look like. As ESP headers don't authenticate the outer IP header like AH headers. and anti-replay services. IPSec The name given to a number of data communications protocols designed to authenticate and encrypt VPN data to protect it from unauthorized viewing or modification as it is transmitted across a network. Transport mode VPNs The original source and destination address of the data being sent over the VPN is unchanged. please refer to the OSI model page) Transport mode AH packet format Inserted Original Original DATA IP Header AH Header TCP Header Transport mode AH / ESP packet format Inserted Inserted Original Original DATA IP Header AH Header ESP Header TCP Header . This is called Transport Adjacency. (For more information on the IP protocol.

The original packet is frequently encrypted.Appendix I : Miscellaneous Topics 271 Tunnel mode VPNs The original source and destination address of the data being sent over the VPN is changed by encapsulating the original IP packet within another IP packet. Encryption methods IPSec usually uses one of two methods to encrypt data: o o The Data Encryption Standard (DES) using a 56-bit encryption key Triple DES using a 168-bit encryption key. negotiates IPSec security associations. Here are some examples of what tunnel mode VPN IP packets will look like. Internet Key Exchange (IKE) IKE provides authentication of the IPSec peers. header and all in an effort to provide an additional layer of security by not revealing the true identities of the servers communicating with each other. (For more information on the IP protocol. . and establishes IPSec keys. please refer to the OSI model page) Tunnel mode AH packet format New Inserted Original Original DATA IP Header AH Header IP Header TCP Header Tunnel mode AH / ESP packet format New Inserted Inserted Original Original DATA IP Header AH Header ESP Header IP Header TCP Header Authentication methods IPSec data integrity is usually provided by one of two Hashed Message Authentication Code (HMAC) methods: o o Message Digest 5 (MD5) Secure Hash Algorithm (SHA-1).

the VPN peers authenticate by sending each other the certificate issued to them by the CA. It will also contain a copy of the entity's public key. . but encrypted using their private key. Once the the certificates received from the CA and the other peer match. This allows you to create a signature when the message is encrypted with a sender's private key. A successful exchange requires the receiver to have a copy of the sender's public key and knowing with a high degree of certainty that it really does belong to the sender. A CA can either be a trusted public third party. making it difficult for large scale implementations. there is no CA to provide an impartial audit trail of VPN connection initiations. CA overview A digital certificate contains information that identifies a user or device. serial number. authentication is complete. each VPN device must be pre-configured with the certificate generated for them by the CA. The disadvantage is that each pair of VPN connections need set of keys. As the message could be decrypted using the sender's public key means that the holder of the private key created the message. The VPN devices will also be pre-configured with the CA's certificate.com IKE authentication methods There are two main methods of establishing a trusted relationship between two devices that want to create a VPN between themselves: Public key cryptography using RSA encryption RSA overview Each VPN device has its own public and private keys. The receiver verifies the signature by decrypting the message with the sender's public key. Anything encrypted with one of the keys can only be decrypted with the other. Certificates are managed and issued by Certification authorities (CAs). company. During the key exchange. Unlike the RSA method. such as VeriSign. or a "in-house" private server that you establish within your organization. department. Each peer then uses the pre-installed CA certificate they have to authenticate with the CA and securely receive the other peer's certificate from the CA using public key cryptography. and not to someone pretending to be the sender. Each peer then extracts the public key from the certificate they receive from the CA and then uses it to decrypt the certificate they just received from the other peer. or IP address. Shared keys The devices at each end of the VPN use a shared key or password. Prior to installing a certificate based VPN.272 www. such as a name.linuxhomenetworking. This is done using Certification Authorities.

IKE is then used by the VPN peers to negotiate the security associations (SAs) to be used at each end point. This must also be allowed to pass through unimpeded. IKE and ISAKMP IKE uses special ISAKMP IP packets using "protocol 50" to establish an Security Association. In permanent VPNs. o VPN User Authentication Methods For Temporary Connections The above sections have been slanted towards a permanent connection between purpose built VPN devices. Unusually. (SAs are permanent for when manually established) Shared keys The actual keyword used by the encryption and authentication to protect the data. SAs are comprised of two factors: Transforms Describes how the data will be transformed by the VPN to provide the desired security. VPN Security And Firewalls o o All security devices in the path of a VPN connection will have to allow "protocol 50" between the two VPN devices to ensure that IKE works properly.Appendix I : Miscellaneous Topics 273 IKE's role in creating Security Associations Once authentication is complete. Frequently the device at the other end of the connection is a PC. the source and destination port is 500. This includes: • • • • • Packet encryption methods Packet authentication methods Transport versus tunnel mode AH and or ESP usage SA lifetime before it is renegotiated. The VPN uses a separate channel through which the encrypted data passes. This uses UDP packets using port 500. Here are some authentication methods used in such . you may have to open up these ports and protocols to the CA as well.

In order to login.com Types Of Dial Up VPN Authentication Method IKE-XAUTH secured RADIUS Description Usernames and passwords entered into the VPN remote login software are relayed by the VPN device at the remote end to a trusted RADIUS server. Remote home user authentication relies on the same username / password combination of the Windows Domain Controller that the user would normally use to login when they are at work. the user not only has to enter the username & password. Software uses a username. Valid usernames and passwords are configured into the VPN device at the other end of the VPN ACE/SecurID Windows Domain Local user database . If the username / password combination is valid for remote login then the RADIUS server will authorize the VPN device to continue with the IKE interchange. password in conjunction with a digital key FOB whose authentication serial number changes every few minutes for a login to occur. but also the PIN tied to the FOB plus the FOB's dynamic serial number which is synchronized with the authentication server at the other end of the VPN.274 www.linuxhomenetworking.

Operating costs may not be important at home.com at friends’ homes and felt badly about borrowing their monitors. A brief configuration guide for minicom follows the section below. the COM1 and COM2 ports are controlled by a program called "agetty". then you'll need a FULL modem cable and testing will have to be done using a dial up connection. connect the other end to the client PC running "Hyperterm" or whatever terminal emulation software you are using. This creates what is also known as a “headless” system. locking out network access. In such cases. You will also need to make sure that you have activated your COM ports in your BIOS settings. Here is a table that lists the physical ports to their equivalent Linux device names. For non-modem connectivity (PC to PC) connect a NULL modem cable to the COM port you want to test. but will be in a corporate environment with large numbers of Linux servers racked in data centers. and I need to get to it by using: • A notebook PC with a console cable connected to the COM port. but "agetty" usually isn't activated when you boot up unless its configuration file /etc/inittab is modified. In other versions of Linux. I’ve included this section as I have occasionally hosted the website www. Port Linux "agetty" Device Name ttyS0 ttyS1 COM1 COM2 .Appendix I : Miscellaneous Topics 275 Running Linux Without A Monitor You can reduce the cost of ownership of your Linux system by not using a VGA monitor. o o o Configuration Steps In RedHat Linux. Unfortunately your BIOS may halt the system during the Power On Self Test (POST) if it doesn't detect a keyboard. Make sure you disable this feature in the BIOS setup of your PC before proceeding. "agetty" may be called just plain "getty". This feature can usually be found on the very first screen under the “Halt On” option. Having access via the COM ports has also helped me in both the home and business situations. access to the Linux box can be more cheaply provided via the COM port. The most common occurrence is when the system is hung.linuxhomenetworking. • A modem connected to the COM port • Telnet to login to a terminal server that has one of its ports connected to the Linux box’s COM port Preparing To Go “Headless” o One of the advantages of this method is that you don't need a keyboard either. One popular Linux equivalent to Hyperterm is “minicom”. If you're using a modem for connectivity.

3 or 5. when the system enters runlevels 2. To do this you'll have to edit the /etc/securetty file which contains the device names of tty lines on which root is allowed to login.linuxhomenetworking. this option should be omitted if you are connecting the port to a modem. user "root" will not be able to log in from a terminal. Just add ttyS0 and ttyS1 to the list if you need this access. The next step is to restart the "init" process to re-read /etc/inittab [root@bigboy tmp]# init q Now you need to configure the terminal client such “as Hyperterm” to match the speed settings in /etc/inittab.276 www. The respawn means that agetty will restart automatically if. The "-L" means ignore modem control signals. for whatever reason.18-14 on an i586 bigboy login: Note: By default. . Hit "enter" a couple times. "agetty" must attach itself to devices ttyS0 and ttyS1 and emulate a VT102 terminal running at 19200 baud.0 (Psyche) Kernel 2.com The following lines added to /etc/inittab will configure your COM ports for terminal access: # Run COM1 and COM2 gettys in standard runlevels S0:235:respawn:/sbin/agetty -L 19200 ttyS0 vt102 S1:235:respawn:/sbin/agetty -L 19200 ttyS1 vt102 In summary. these lines mean: o o o At boot time. and celebrate when you see something like this: Red Hat Linux release 8. it dies.4. Connect the console / modem cable between the client and your Linux box.

COM1 will therefore be used for outbound minicom connections to other systems. It is simple to use mainly because it uses a text based GUI. (This section will focus on the notebook scenario. You therefore have to disable the agetty configuration for the port on which you wish to run minicom. In other words a “headless” system cannot be used to access another “headless” system using the “headless” COM port. Here are the steps you’ll need to go through to get it working. You can make your Linux box emulate a dumb terminal quite easily. o o You will first need to go through all the relevant steps listed in the “Preparing to go Headless” section of this chapter to ensure you have the right type of cable and correct BIOS settings.) Configuration Steps The most commonly used Linux terminal emulation program is minicom.Appendix I : Miscellaneous Topics 277 Make Your Linux Box Emulate A VT100 Dumb Terminal Dumb terminals can be loosely defined as devices that allow you to log in to your system via the COM port. Other systems using minicom can use COM2 to access this system. Minicom will clash with your agetty configuration explained in the previous section. not the use of using Linux to dial a modem. We then need to restart the init process to reload the new /etc/inittab settings. There are a number of reasons to do this: • You run Linux on a notebook and you need to use it to access a hung “headless” Linux server via the COM port • You need to gain access to a modem connected to the COM port. In the case below we disable agetty on COM1 by commenting out the ttyS0 agetty statements in the /etc/inittab file. Edit /etc/inittab # Run COM1 and COM2 gettys in standard runlevels #S0:235:respawn:/sbin/agetty -L 19200 ttyS0 vt102 S1:235:respawn:/sbin/agetty -L 19200 ttyS1 vt102 Restart init [root@bigboy tmp]# init q o Run minicom in setup mode using the minicom –s command [root@bigboy tmp]# minicom –s o You will get the setup menu .

16:41:20. then X Non “root” users will get a “permission denied” message if they use minicom as the COM ports are not normally accessible to regular users. | | Exit | | Exit from Minicom | ---------------------------o Select the serial port setup menu item.Hardware Flow Control : No | | G .0 OPTIONS: History Buffer. The way to get around this is for user “root” to . ------------------------------------------| A Serial Device : /dev/ttyS0 | | B .Lockfile Location : /var/lock | | C Callin Program : | | D .. then Z. Search History Buffer.Software Flow Control : No | | | | Change which setting? | ------------------------------------------o o o o Select the “Modem and dialing” option and make sure the “Init string” and “Reset string” settings are blank. I18n Compiled on Jun 23 2002. Press CTRL-A Z for help on special keys bigboy login: o o To exit minicom you type CTRL-A.linuxhomenetworking. F-key Macros. Connect the cables between the systems Re-enter minicom. Make the speed match that of the remote “headless” system and make sure the correct serial COM device is chosen. Select the “Save setup as dfl” to make this your saved default setting and then “Exit from Minicom” Make sure the other system is correctly configured for headless operation. Also make sure that flow control is off. this time without the “-s” [root@bigboy tmp]# minicom o Hit enter and you should get a login prompt Welcome to minicom 2.00.com ------[configuration]------| Filenames and paths | | File transfer protocols | | Serial port setup | | Modem and dialing | | Screen and keyboard | | Save setup as dfl | | Save setup as. Device /dev/ttyS0 is COM1 and /dev/ttyS1 is COM2.278 www.Callout Program : | | E Bps/Par/Bits : 19200 8N1 | | F .

or add selected trusted users to your sudo configuration. [root@bigboy tmp]# chmod o+rw /dev/ttyS0 .Appendix I : Miscellaneous Topics 279 either give everyone read/write access using the chmod command below. Remember that minicom will reset the privileges to the COM port each time you change the configuration with “minicom –s” so you may find yourself having to run chmod from time to time.

100 level all 5 server severity 6 Cisco Local Director Local Directors use the "syslog output" command to set their logging facility and severity. therefore making routers and switches log to the same file. firewalls and load balancers each logging with a different facility can each have their own log files for easy troubleshooting.100 which we set up in the previous section. service timestamps log datetime localtime no logging console no logging monitor logging 192. but we can tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface. set set set set logging logging logging logging server enable server 192.1.168. switches.SS (facility.linuxhomenetworking. We won't set the facility in this case.com Syslog Configuration and Cisco Devices Syslog reserves facilities "local0" through "local7" for log messages received from remote servers and network devices.100 Catalyst CAT Switches running CATOS By default Cisco switches also send syslog messages to their logging server with a default facility of local7.168. then you may also want to switch off all logging to /var/log/messages as suggested above for the home/SOHO environment. Cisco Routers By default Cisco routers send syslog messages to their logging server with a default facility of local7.severity) using the numbering scheme below: . The following examples will show how to have a different log file for each class of device.1. The value provided must be in the format FF.1.280 www. In all the network device configuration examples below we are logging to the remote Linux logging server 192. If you have a large data center. We won't change this facility either. Routers.168.

Appendix I : Miscellaneous Topics 281 Facility local 0 local 1 local 2 local 3 local 4 local 5 local 6 local 7 FF Value 16 17 18 19 20 21 22 23 Severity System unusable Immediate action required Critical condition Error conditions Warning conditions Normal but significant conditions Informational messages Debugging messages SS Value 0 1 2 3 4 5 6 7 Here we using facility LOCAL4 and logging debugging messages and above.168.1.7 no syslog console syslog host 192. syslog output 20.100 .

com Cisco PIX Filewalls PIX firewalls use the following numbering scheme to determine their logging facilities. We're sending log messages to facility LOCAL3 with a severity level of 5 (Notification) set by the "logging trap" command. You specify the facility with an intuitive number using the "logging host" command and set the severity with the "logging subsystem" command.168. Facility Logging Facility Command Value 16 17 18 19 20 21 22 23 local 0 local 1 local 2 local 3 local 4 local 5 local 6 local 7 This configuration example assumes that the logging server is connected on the side of the "inside" protected interface.linuxhomenetworking.1. logging logging logging logging logging logging on standby timestamp trap notifications facility 19 host inside 192.100 facility 6 set logging subsystem all info-6 logging commands enable .168.100 Cisco CSS11000 (Arrowpoints) This configuration for this is more straight forward. This example shows the CSS11000 logging facility LOCAL 6 and severity level 6 (Informational) logging host 192.1.282 www.

debug /var/log/cisco/ciscofw # # All LOCAL4 messages (debug and above) go to the Local Director file ciscold # local4.conf File # # All LOCAL3 messages (debug and above) go to the firewall file ciscofw # local3.debug ciscoacl # # LOCAL7 messages (notice and above) go to the ciscoinfo # This excludes ACL logs which are logged at severity debug # local7.notice /var/log/cisco/ciscoinfo local7.notice ciscoinfo .debug /var/log/cisco/ciscoacl local7.debug /var/log/cisco/ciscold # # All LOCAL6 messages (debug and above) go to the CSS file ciscocss # local6.debug /var/log/cisco/ciscocss # # All LOCAL7 messages (debug and above) go to the ciscoacl # This includes ACL logs which are logged at severity debug # local7.Appendix I : Miscellaneous Topics 283 The Sample Cisco syslog.

Most Windows users would be familiar with the analogous terms "folders" and "subfolders". Linux partitions handle all files in the subdirectory of your choice. Partitions cannot be moved or resized without destroying the data on them.284 www. a disk with two partitions would most likely find itself with a "C:" drive and a "D:" drive each with a separate set of folders. Linux and Windows. In other words. In Linux. If you create a file system called "/var" and another called "/var/log". This allows you to be able to boot different operating systems from the same disk. each of which is treated as a separate disk by your operating system. everything appears to be a single set of "folders" or directories. whereas Linux users would be familiar with the terms "directories" and "sub-directories". The directory allocation will be: Partition /var/log /var Directory Allocation All files in directory /var/log and all the subdirectories underneath /var/log All files in /var except the contents of directory /var/log and all the subdirectories underneath /var/log .com Disk Partitioning Explained Here’s some interesting information on how Linux handles hard drives and their partitions. the partitions hide underneath unseen to the regular user.linuxhomenetworking. for example. What Is A Partition? A partition is a means of dividing your hard disk into multiple sections. How Linux Links Filesystems And Partitions In Windows. What Is A Filesystem? Filesystems can be considered as being the directory structures on a disk partition that contains all the files. The choice of which subdirectories belong in which partition is made when you partition the hard drive.

RedHat automatically creates this partition and usually makes it about twice the amount of system RAM.com The RedHat default partitioning scheme used during the Linux installation should be sufficient for most home / SOHO systems. there is a high possibility that you will lose all your data. In most cases. not only for controlling the boot process. Recommended Sizes For Disk Partitions Here are some allocation suggestions that may be useful.Appendix I : Miscellaneous Topics 285 What Partitions Are Mandatory? The mandatory partitions are: "/". If all your files are located in a root filesystem that becomes corrupted. Redhat Linux creates this partition automatically. /boot The /boot partition contains the Linux kernel which is the "master control program". Most Linux systems then will then become multi-user systems by changing their runlevel and executing the associated startup scripts including those that will mount the remaining file systems. Usually recovery requires reformatting the root file system and doing a Linux reinstall. It is for this reason that you should consider placing similar files in dedicated partitions. especially if you have more than 4GB. . you may look at the bottom of the table to see the settings I used for the 4GB hard disk I used to first run www. This is a generous guide. This reduces the need to reformat the "root" partition if it becomes corrupted. but also the normal functioning of Linux.linuxhomenetworking. a corrupted root filesystem will make your system unbootable from the hard drive. Also Known As "root" The root filesystem ("/") contains the files necessary for the system to boot up in single user mode with the bare minimum of functionality. swap Used as a location to place data temporarily if RAM memory becomes full.

linuxhomenetworking.0+ GB 500+ 1.0+ GB 250+ /usr /var /var/log /var/spool /var/spool/mail /tmp 2. Contains the system kernel files. Remember MP3s fill disks quickly.0+ GB 750+ 500+ 750+ N/A 250+ Third party software Man pages (Help files) Error log files Print queues (Needed only if you plan to do printing) Mail queues Temporary files Multiply the expected number of users by the amount of disk space you want to assign per user. / Usually called "root" /boot Automatically determined by RedHat 50 (approx) Automatically determined by RedHat 50 (approx) 1.286 www. /home Variable Variable .5+ GB 500 4.com Some Recommended Partition Sizes Partition Size Workstation / Home Web Server (MB) Swap 2X Physical Memory 100 Size Mail Server (MB) Purpose of the Partition 2X Physical Memory 100 Used as a location to place data temporarily if RAM memory becomes full Base system program files Configuration files Libraries Device drivers Assigned automatically by RedHat.

you can ask users to delete unnecessary files such as downloaded software and MP3s If it is in the /var partition. These are the settings I used for the hard disk I used to first run this site. See the logging page for a description of the log files and how you can use the "logrotate" command to help reduce their size.Appendix I : Miscellaneous Topics 287 How Much Space Do I Have On My Partitions? You can use the "df" command. You may want to also consider backing up files and then deleting them. [root@bigboy root]# df -k Filesystem 1K-blocks /dev/hda3 505636 /dev/hda1 46636 /dev/hda5 505605 /dev/hda7 830104 /dev/hda2 4633108 /dev/hda6 256667 [root@bigboy root]# Used Available Use% Mounted on 90002 389529 19% / 9164 35064 21% /boot 87915 391586 19% /home 17632 770304 3% /tmp 1797504 2600252 41% /usr 169577 73838 70% /var What Can I Do When I Run Out Of Disk Space? o o If it is in the /home partition. then you can consider deleting some of your log files in /var/log. o .

IP and ARP can be found in the Introduction to Networking chapter. • Also allows you to select your own numbering scheme for the global network independent of the MAC address which in rare cases could also be duplicated.com The OSI Networking Model The Open System Interconnection (OSI) protocol suite acts as a framework for designing network based applications. • Also provides the option of having multiple addresses of the same networking protocol being assigned to the same MAC address. • Manages continuing requests and responses between the applications at both ends over the various established connections. UDP. In the home environment. Detailed descriptions of TCP. email text entered into Outlook express being converted into SMTP mail formatted data.288 www. • Error control and timing of bits speeding down the wire between two directly connected devices. It consists of layers of sub-applications. Correctly re-sequences data packets that arrive in the wrong order. • Used as a means of not tying the address of the server to its MAC address.linuxhomenetworking. For example. each building on the lower ones to provide a complete connectivity solution. The Seven OSI Layers Layer Name Description Application 7 Applicati on Presentat ion • The user interface to the application Telnet FTP Sendmail 6 • Converts data from one presentation format to another. • Defines the electrical and physical characteristics of the network cabling and interfacing hardware TCP UDP 5 Session 4 Transport 3 Network IP ARP 2 Link Ethernet ARP 1 Physical Ethernet . • Manages the establishment and tearing down of a connection. Your network address can stay the same if the NIC is replaced. • Handles the routing of data between links that are not physically connected together. data is frequently sent using the MAC addresses of the NIC cards of the communicating devices. Ensures that unacknowledged data is retransmitted. Each layer generally has "hooks" into the layer immediately above and below it so that the data can flow smoothly through the sub-applications designed to handle each layer.

Appendix I : Miscellaneous Topics 289 TCP/IP Packet Format The TCP/IP packet contains an IP header followed by a TCP or UDP header followed by the TCP/UDP data. The server sending the data usually sets the TTL to a value high enough to reach it's destination without being discarded. 17 = UDP Used to ensure that the header contents are error free. MF Bit Fragment Offset TTL Protocol Header checksum Source Address Destination Address Indicates the IP address of the server sending the data Indicates the IP address of the server intended to receive the data . is the current version used by most devices on the Internet. For example. This value is decremented by each router through which the packet has passes. Time to live. The TTL decrement feature is used by routers as an additional precaution to prevent the packet from mistakenly being routed around the Internet in an infinite loop due to a routing error. Version 6. Internet Header Length. the packet is discarded by the router. Total length of the IP header Total length of the IP packet IHL Total Length DF Bit Indicator to tell whether the data in the packet may be fragmented into smaller packets due to limitations of the communications line Indicator to tell whether this data in this packet is the last one of a stream of fragments. then this specifies where in the complete datagram the data in this packet should be inserted. 6 = TCP. is a newer format which allows for a much more vast range of addresses. If this packet is part of a fragmented datagram. Version 4. When the value reaches zero. Defines the type of protocol header to expect at the end of this header. IP Header TCP/UDP Header DATA Contents Of The IP Header Field IP Version Description The version of IP being used.

Specifies the length of the UDP header and data Used to ensure that the header contents are error free. and the FIN bit used for connection termination. . Specifies the size of the sender's receive window (that is. Usually specifies the number assigned to the first byte of data in the current message.290 www. including the SYN and ACK bits used for connection establishment. Contains the sequence number of the next byte of data the sender of the packet expects to receive. the buffer space available for incoming data) Used to ensure that the header contents are error free. Length of the TCP header. Contains upper-layer information Acknowledgment Number Data Offset Flags Window Checksum Data Contents Of The UDP Header Field Source and Destination Port Length Checksum Description Identifies points at which upper-layer source and destination processes receive TCP services. In the connection-establishment phase.com Contents Of The TCP Header Field Source and Destination Port Sequence Number Description Identifies points at which upper-layer source and destination processes receive TCP services. this field also can be used to identify an initial sequence number to be used in an upcoming transmission. Carries a variety of control information.linuxhomenetworking.

Appendix I : Miscellaneous Topics 291 .

linuxhomenetworking.292 www.com .

.....................................................................................................................................................................................................................305 IPtables Complex script ...........................................................319 DNS Zone File For my-other-site................................304 IPtables NTP Server..........................................................................................329 Cisco PIX Firewall ......................linuxhomenetworking..............................................................................327 Cisco PIX Firewall ...........................................................................................................................................294 Apache File Permissions Script ......Static DSL Configuration....................................................303 IPtables FTP Server ..............................326 ICMP Codes.............. www.............................................................................................330 © Peter Harrison................................... 293 Codes.................DHCP DSL Configuration................................................................................297 IPtables FTP Client.................................................................. Scripts and Configurations ..............com ........................................................................................................................................................296 Sendmail SPAM Filter Script .......................................... 293 Subnet Calculator Script ...............293 Appendix II Codes......................................................................................... ..324 Sendmail Sample /etc/mail/virtusertable File...........................................................................................................................................320 Reverse Zone File For A Home Network Using NAT ......................................................305 DNS Zone File For my-site................................................................................................................................................. Scripts and Configurations =========================================== In This Chapter Appendix II..............................................com ............................................................com =========================================== Here we have samples of all the scripts used in the previous chapters.........................................................................322 Sendmail Sample /etc/aliases File ..........................................................................................................................................................................................................320 Sendmail Sample /etc/mail/access File ......................................................323 Sendmail Sample /etc/mail/sendmail.mc File ...319 Forward Zone File For A Home Network Using NAT .........................................................................................................................................................................................322 Sendmail Sample /etc/mail/local-host-names File ............................

255.linuxhomenetworking. then netmask="255.255. then netmask="255.255.255.255.224" fi if [ "$netmask" = "/26" ].128" fi .com Subnet Calculator Script #/bin/bash # # subnet-calc.com # # # Get the IP address.255.255. the subnet mask and broadcast address of # the external interface # IPADDR=$1 netmask=$2 # # Convert "/" notation to dotted decimal # if [ "$natmask" = "/30" ].Calculates subnets given an IP address and subnet mask # The subnet mask must begin with “255.sh .255. then netmask="255.255” or in # the range /24 to /30 # # Usage: # # subnet-calc.sh IP-address subnet-mask # # (c) SiliconValleyCCIE.248" fi if [ "$netmask" = "/28" ]. then netmask="255.255.255.255.252" fi if [ "$netmask" = "/29" ].192" fi if [ "$netmask" = "/25" ]. then netmask="255.294 www. then netmask="255.255.255.240" fi if [ "$netmask" = "/27" ].

then subnet_base="0" else subnet_base=$[$IPADDR_octet_4/$subnet_size] subnet_base=$[$subnet_base*$subnet_size] fi SUBNET_BASE=$IPADDR_octet_1. then netmask="255.255.$IPADDR_octet_2.255./ 's/\. Scripts and Configurations 295 if [ "$netmask" = "/24" ].0" fi # # Get the last octet of the subnet mask # netmask_octet_4="`echo $netmask | sed -e 's/255.Appendix II : Codes.$IPADDR_octet_3.//g'`" # # Get first three octets of the IP address # IPADDR_octet_1="`echo IPADDR_octet_2="`echo IPADDR_octet_3="`echo IPADDR_octet_4="`echo $IPADDR $IPADDR $IPADDR $IPADDR | | | | sed sed sed sed -e -e -e -e 's/\./ 's/\.$[$subnet _base-1+$subnet_size] echo echo echo echo echo echo echo echo "IP Address : "$IPADDR "Network Base Address : "$SUBNET_BASE "Broadcast Address : "$SUBNET_BROADCAST "Subnet Mask "Subnet Size : "$netmask : "$subnet_size IP Addresses ./ 's/\.$IPADDR_octet_2.$IPADDR_octet_3.$subnet_base SUBNET_BROADCAST=$IPADDR_octet_1./ /g' /g' /g' /g' | | | | awk awk awk awk '{print '{print '{print '{print $1}'`" $2}'`" $3}'`" $4}'`" # # Get the size of the subnet # subnet_size=$[256-$netmask_octet_4] # # Get the last octet of the network address # if [ "$netmask_octet_4" = "0" ].

then chmod 755 $i echo $i else chmod 644 $i echo $i fi done ...Recursively fixes file permissions in a www directory # so that Apache may serve the pages correctly # # (c) SiliconValleyCCIE.htm .. [root@bigboy tmp]# .com # for i in `find $1` do if [ -d $i ] .296 www..sh . .linuxhomenetworking. [root@bigboy tmp] Here’s how it’s done: #!/bin/sh # # fix-www-perms. The script will print out a list of all the files it’s modified to the screen./fix-www-perms.com Apache File Permissions Script The first argument of the script is the target directory and must have a trailing "/".htm /home/www/webpages/file2..sh /home/www/webpages/ /home/www/webpages/ /home/www/webpages/file1.. .

[root@bigboy mailuser]# cd /etc/smrsh [root@bigboy smrsh]# ln –s /home/mailuser/ mail-filter. Scripts and Configurations 297 Sendmail SPAM Filter Script One of the good things about having a Linux box at home is that you can create your own customized SPAM filter.log.pl in your $HOME directory (default login directory) • Use the “chmod” command to make it executable [root@bigboy mailuser]# chmod 700 mail-filter.pl • Go to directory /etc/smrsh and create a logical link to the mail-filter. it then reads the accept file and accepts any matching emails. Each file has two columns. Here is a summary of its operation: • This script is called mail-filter. You do not have to have an “@” sign in the configuration files’ entries.org to download and install a variety of PERL modules beforehand.forward file in your home directory with the following text: . “BCC:” emails are therefore denied.cpan.pl • Create a . Here’s how to install the script: • The script runs using the PERL scripting language which is installed by default on RedHat. The CPAN modules page also has a link on how to install the modules. then it denies everything else. The script will match on a partial address too. File mail-filter. • You will have to go to www.pl • It uses two configuration files.reject lists all the mail to reject.pl will log all accepted and denied emails in a file called mail-filter. • The script is very tolerant of email addresses. “FROM:” or “CC:”. IO-Stringy. o o o Click on the CPAN home page's "modules” link Click the "All Modules" listing and download and install the MailTools.Appendix II : Codes. • Place mail-filter.pl file there. • The first column has either the word “subject:” or “address:” and the second column has either a subject string (inclusive of spaces) or a single address entry. put the name of the mailing list in your “accept” file. • Mail-filter. Look at this file from time to time as you may find yourself rejecting too much traffic which will require you to modify the configuration files. If you receive emails as part of mailing lists. • The script reads the “reject” file and rejects any matching emails.accept lists all the mail to accept and file mailfilter. • The script will reject emails in which your email address doesn’t appear in the “TO:”. MIME-tools & Mail-Audit modules in that order. Here is a sample I’ve used at home for some time. • The script will match addresses in both the TO: and FROM: of the received email.

cpan. # # Spam filter variables # .accept File address: my-address@mysite.html # # PERL modules needed from http://www.298 www.linuxhomenetworking.org/modules/01modules.org/writings/mail-audit.com #!/bin/bash | ~/mail-filter.com subject: porn The mail-filter Script #!/usr/bin/perl # # # Mail-filter .reject File address: spammer@spammer.pl # use Mail::Audit.pl • You should then be ready to go! The mail-filter. IO-Stringy.cpan.forward file with the following line in it # #/bin/bash # | ~/mail-filter.com address: cnn subject: Alumni Association The mail-filter.PERL Script # # by Peter Harrison © www.com # # Reference pages # # http://search.html # # Need to install the following modules: # # MailTools.index.1/Audit.LinuxHomeNetworking. MIME-tools & Mail-Audit in this order # # Need to have: # # a logical link to this file in /etc/smrsh # .org/author/SIMON/Mail-Audit-2.pm # http://simon-cozens.

"mail-filter. } } close (REJECT_FILE). "". $ITEM->to(). # # Get the bad subjects / address # if ($type =~ /subject/i){ $badsubjects{$value} = "$type". "$REJECT_FILE"). (). $TO. . sub Mail_Filter { my my my my %badsubjects %badaddresses %goodsubjects %goodaddresses = = = = (). $FILEPATH . exit. study $FROM. study $SUBJECT. "mail-filter. $SUBJECT). chomp($DATE = `date '+ %m/%d/%Y %H:%M:%S'`). #################### Don't edit below here ################### $ITEM $FROM $TO $CC $SUBJECT $DATE $INBOX_LOG $ACCEPT_FILE $REJECT_FILE = = = = = = = = Mail::Audit->new. $FILEPATH .Appendix II : Codes. $ITEM->cc(). study $CC. $CC. (). (). &Mail_Filter. while(<REJECT_FILE>){ my $record = $_.accept". "mail-filter. $type) = &Strip_Record($record). } if ($type =~ /address/i){ $badaddresses{$value} = "$type". $ITEM->subject().reject". Scripts and Configurations 299 $FILEPATH = "/home/mailuser/".log". study $TO. chomp($FROM. $ITEM->from(). my ($value. # # Read in the configuration files # open (REJECT_FILE. = $FILEPATH .

$type) = &Strip_Record($record). # # Get the good subjects / address # if ($type =~ /subject/i){ $goodsubjects{$value} = "$type". my ($value. &Reject_Mail("yes"). } # # Accept some subject lines # for my $criteria (keys %goodsubjects) { next unless $SUBJECT =~ /$criteria/i. # # Reject by subject # foreach my $criteria (keys %badsubjects) { next unless $SUBJECT =~ /$criteria/i. &Reject_Mail("no"). } if ($type =~ /address/i){ $goodaddresses{$value} = "$type". } } close (ACCEPT_FILE). } # # Reject email to/from these addresses # foreach my $criteria (keys %badaddresses) { next unless ($TO =~ /$criteria/i) or ($CC =~ /$criteria/i) or ($FROM =~ /$criteria/i).300 www.linuxhomenetworking. &Reject_Mail("yes"). "$ACCEPT_FILE"). while(<ACCEPT_FILE>){ my $record = $_. } # # Accept emails to/from these addresses # for my $criteria (keys %goodaddresses) { .com open (ACCEPT_FILE.

} else{ return ($fields[1].$record).Appendix II : Codes. Scripts and Configurations 301 next unless ($TO =~ /$criteria/i) or ($CC =~ /$criteria/i) or ($FROM =~ /$criteria/i). open (LOG. "address"). $fields[1] =~ s/^\s*(. "address"). } . $domain. return ($person . # # Log message receipt to file # if ($ok =~ /yes/i){ print LOG "REJECT $DATE To: $TO From: $FROM Subject: $SUBJECT\n". "subject"). } } } sub Reject_Mail { my $ok = shift(@_). my @fields = split(/\:/. $fields[1]). } elsif ($fields[0] =~ /address/i){ if ($fields[1] =~ /\@/){ my ($person. } sub Strip_Record{ my $record = shift(@_). # # Split out the fields in the record and strip out #leading/trailing white space # chomp $record. $ITEM->reject. ">> $INBOX_LOG").*?)\s*$/$1/. $domain) = split(/\@/. # # Return the subjects / addresses # if ($fields[0] =~ /subject/i){ return ($fields[1]."\@" . } # # Reject everything else # &Reject_Mail("yes"). &Reject_Mail("no").

302 www. } .linuxhomenetworking. } close(LOG).com else{ print LOG "ACCEPT $DATE To: $TO From: $FROM Subject: $SUBJECT\n". $ITEM->accept. exit.

RELATED -j ACCEPT #=============================================================== #=============================================================== # Select one of the following two #=============================================================== #=============================================================== #--------------------------------------------------------------# FTP connections from your Linux server # Active FTP data connection established back from remote server #--------------------------------------------------------------iptables -A -m state iptables -A -m state INPUT -i eth0 -p tcp --sport 20 --dport 1024:65535 \ --state NEW -j ACCEPT OUTPUT -o eth0 -p tcp --dport 20 --sport 1024:65535 \ --state ESTABLISHED.RELATED -j ACCEPT .Interface eth1 is the private network interface modprobe ip_conntrack_ftp #--------------------------------------------------------------# FTP connections from your Linux server # Outbound FTP requests on control connection (port 21) #--------------------------------------------------------------iptables -A -m state iptables -A -m state OUTPUT-o eth0 -p tcp --sport 1024:65535 --dport 21 \ --state NEW -j ACCEPT INPUT -i eth0 -p tcp --sport 21 --dport 1024:65535 \ --state ESTABLISHED. Scripts and Configurations 303 IPtables FTP Client # .Interface eth0 is the internet interface # .Appendix II : Codes.RELATED -j ACCEPT #--------------------------------------------------------------# FTP connections from your Linux server # Passive FTP data connection established from your Linux server #--------------------------------------------------------------iptables -A -m state iptables -A -m state OUTPUT -o eth0 -p tcp --dport 1024:65535 --sport 1024:65535 \ --state NEW -j ACCEPT INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 \ --state ESTABLISHED.

Interface eth0 is the internet interface # .RELATED -j ACCEPT .304 www.com IPtables FTP Server # .Interface eth1 is the private network interface modprobe ip_conntrack_ftp #--------------------------------------------------------------# FTP connections to your Linux server # Inbound FTP requests on control connection (port 21) #--------------------------------------------------------------iptables -A -m state iptables -A -m state INPUT -i eth0 -p tcp --dport 21 --sport 1024:65535 \ --state NEW -j ACCEPT OUTPUT-o eth0 -p tcp --dport 1024:65535 --sport 21 \ --state ESTABLISHED.RELATED -j ACCEPT #--------------------------------------------------------------# FTP connections to your Linux server # Passive FTP data connection established to your Linux server # from remote client #--------------------------------------------------------------iptables -A -m state iptables -A -m state INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 \ --state NEW -j ACCEPT OUTPUT -o eth0 -p tcp --dport 1024:65535 --sport 1024:65535 \ --state ESTABLISHED.RELATED -j ACCEPT #=============================================================== #=============================================================== # Select one of the following two #=============================================================== #=============================================================== #--------------------------------------------------------------# FTP connections to your Linux server # Active FTP data connection established back to client from # your server #--------------------------------------------------------------iptables -A -m state iptables -A -m state OUTPUT -o eth0 -p tcp --sport 20 --dport 1024:65535 \ --state NEW -j ACCEPT INPUT -i eth0 -p tcp --dport 20 --sport 1024:65535 \ --state ESTABLISHED.linuxhomenetworking.

1. and web servers running on a firewall used as \ # the Internet NAT gateway for a home network # modprobe ip_conntrack_ftp modprobe iptable_nat #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#= # # The variables in this section are site specific and should be # changed to match your network # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#= EXTERNAL_INT="eth1" INTERNAL_INT="eth0" private network EXTERNAL_IP="97.253.158.Appendix II : Codes.Interface eth1 is the private network interface iptables -A OUTPUT -o eth0 -p udp -m multiport --ports 123 \ -j ACCEPT iptables -A INPUT -i eth0 -p udp -m multiport --ports 123 \ -j ACCEPT IPtables Complex script #!/bin/bash # # DNS.158.0/24" address space # Internet-connected interface # Interface connected to the # your IP address # ISP network segment base # network segment broadcast # NOC subnet that monitors the # Test webserver for port # Protected internal network . Scripts and Configurations 305 IPtables NTP Server # .255" address NOC_SUBNET="180.1.7.101" forwarding and masquerading INTERNAL_NET="192.253.0/24" firewall with pings WEBSERVER="192.253.168.168.25" EXTERNAL_SUBNET_BASE="97. mail.Interface eth0 is the internet interface # .168.0" address EXTERNAL_SUBNET_BROADCAST="97.158.

0.127" server TIME_SERVER2="65.38.0/4" RESERVED_IP_FUTURE="240.0.0/16" RESERVED_IP_172_SPACE="172.linuxhomenetworking.203.16.81.0.0.60.0/8" RESERVED_IP_192_SPACE="192.306 www.168.0.0/8" networks RESERVED_IP_MULTICAST="224.6.200.0/12" networks RESERVED_IP_10_SPACE="10.206" server TIME_SERVER3="207.0.0.com TIME_SERVER1="192.113" server # address of a remote time # address of a remote time # address of a remote time #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#= # # The variables below should not normally be changed as they # are not site specific # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#= LOOPBACK="127.0.0.Clear and recreate existing chains prior to # adding rules to the chains # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#= .0/5" use HIGH_PORTS="1024:65535" clients using servers # reserved loopback address range # class C private networks # RFC1918 172 space B private # RFC1918 10 space private # Multicast addresses # IP addresses reserved for future # High TCP/UDP ports used by #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#= # # Define the names of the user defined chains we'll be using # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#= ADDITIONAL_CHAINS="INPUT-external OUTPUT-icmp-external local-tcp-client local-ntp-client valid-tcp-flags valid-source-address LOG-and-drop" OUTPUT-external \ INPUT-icmp-external \ remote-tcp-client \ remote-ntp-server \ established-connection \ valid-destination-address \ #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#= # # Prepare Chains .0.

#--------------------------------------------------------------iptables iptables iptables iptables --flush -t filter --flush -t nat --flush -t mangle --flush #--------------------------------------------------------------# Delete all the user defined chains.Appendix II : Codes. do iptables -N $i . Scripts and Configurations 307 #--------------------------------------------------------------# Delete all entries in the built-in tables. # We'll recreate them in the next step #--------------------------------------------------------------iptables iptables iptables iptables --delete-chain -t filter --delete-chain -t nat --delete-chain -t mangle --delete-chain #--------------------------------------------------------------# If a packet doesn't match one of the built in chains. then # The policy should be to drop it #--------------------------------------------------------------iptables iptables iptables iptables iptables --policy INPUT DROP --policy OUTPUT DROP --policy FORWARD DROP -t nat --policy POSTROUTING ACCEPT -t nat --policy PREROUTING ACCEPT #--------------------------------------------------------------# The loopback interface should accept all traffic #--------------------------------------------------------------iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT #--------------------------------------------------------------# Re-create our user-defined chains #--------------------------------------------------------------for i in $ADDITIONAL_CHAINS.

linuxhomenetworking.Port 25 # SSH .113 \ --syn -m state --state NEW -j ACCEPT #--------------------------------------------------------------# Passive FTP data.308 www.21.Remote machines initiating connections to # local server # # TCP responses from the local server are handled # by the established-connection chain # .Port 21 #--------------------------------------------------------------iptables -A local-tcp-client -p tcp \ -m multiport --dport 25.com done #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # TCP Rules . initiated from local machine to # remote server #--------------------------------------------------------------iptables -A local-tcp-client -p tcp --dport $HIGH_PORTS \ --syn -m state --state NEW -j ACCEPT #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # TCP Rules .Port 113 # FTP control .Local machine initiating connections to a # remote server # # TCP responses from the remote server are handled # by the established-connection chain # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# iptables -A OUTPUT-external -p tcp --sport $HIGH_PORTS \ -j local-tcp-client #--------------------------------------------------------------# Local client rules for: # # SMTP .22.Port 22 # AUTH (ident) .

Port 22 # POP mail .Source and Destination port the same (123) #--------------------------------------------------------------iptables -A OUTPUT-external -p udp -m multiport --ports 123 \ -j local-ntp-client iptables -A INPUT-external -p udp -m multiport --ports 123 \ -j remote-ntp-server iptables -A local-ntp-client -p udp -d $TIME_SERVER1 \ -j ACCEPT iptables -A local-ntp-client -p udp -d $TIME_SERVER2 \ -j ACCEPT iptables -A local-ntp-client -p udp -d $TIME_SERVER3 \ .Port 21 #--------------------------------------------------------------iptables -A remote-tcp-client -p tcp -m state --state NEW \ -m multiport --dports 80.Port 25 # SSH .Port 113 # FTP control . Scripts and Configurations 309 #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# iptables -A INPUT-external -p tcp --sport $HIGH_PORTS \ -j remote-tcp-client #--------------------------------------------------------------# Local server rules for: # # HTTP (www) .22.110 \ -j ACCEPT #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # UDP Rules # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #--------------------------------------------------------------# NTP time client .Appendix II : Codes.443.Port 80 # HTTPS .Port 110 # DNS .53.21.25.Port 443 # SMTP .Port 53 # AUTH (ident) .

com -j ACCEPT iptables -A remote-ntp-server -p udp -s $TIME_SERVER1 \ -j ACCEPT iptables -A remote-ntp-server -p udp -s $TIME_SERVER2 \ -j ACCEPT iptables -A remote-ntp-server -p udp -s $TIME_SERVER3 \ -j ACCEPT #--------------------------------------------------------------# DNS server to DNS server queries via UDP #--------------------------------------------------------------iptables -A OUTPUT-external -p udp -m multiport --ports 53 \ -j ACCEPT iptables -A INPUT-external -p udp -m multiport --ports 53 \ -j ACCEPT #--------------------------------------------------------------# Remote DNS clients querying local DNS server via UDP #--------------------------------------------------------------iptables -A INPUT-external -p udp --sport $HIGH_PORTS --dport 53 \ -j ACCEPT iptables -A OUTPUT-external -p udp --sport 53 --dport $HIGH_PORTS \ -j ACCEPT #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # Port forwarding statements # # (FORWARD statements related to ESTABLISHED and RELATED traffic # is covered in the CORE Chains section) # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #--------------------------------------------------------------# Allow port forwarding on port 8080 to port 80 on server $WEBSERVER #--------------------------------------------------------------iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL_INT -d $EXTERNAL_IP \ .310 www.linuxhomenetworking.

Scripts and Configurations 311 --dport 8080 --sport 1024:65535 -j DNAT --to $WEBSERVER:80 #--------------------------------------------------------------# After DNAT. # Connections on port 80 to the target machine on the private # network must be allowed.Start #=# #=# #=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # Install the User-defined Chains on the built-in # INPUT and OUTPUT chains # .Appendix II : Codes. #--------------------------------------------------------------iptables -A FORWARD -p tcp -i $EXTERNAL_INT -o $INTERNAL_INT -d $WEBSERVER \ --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # Rules in the section below should not normally be changed # for most firewalls. the packets are routed via the filter table's FORWARD chain. They include not responding to packets with # the following bad characteristics: # # 1) Incorrect TCP flags in the header # 2) Attempts to connect or respond to bogus IP addresses # 3) Attempts to connect or respond to applications not suitable # for use over the Internet # # All the user defined chains are also tied to the built in # INPUT and OUTPUT chains in this section # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=# #=# #=# CORE Chains .

312 www.linuxhomenetworking.com #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #--------------------------------------------------------------# Check TCP packets for invalid state flag combinations #--------------------------------------------------------------iptables -A INPUT -p tcp -j valid-tcp-flags iptables -A OUTPUT -p tcp -j valid-tcp-flags #--------------------------------------------------------------# Verify valid source and destination addresses for all packets #--------------------------------------------------------------iptables iptables iptables iptables -A -A -A -A INPUT -p ! tcp -j valid-source-address INPUT -p tcp --syn -j valid-source-address INPUT -j valid-destination-address OUTPUT -j valid-destination-address #--------------------------------------------------------------# Already established connections should be allowed #--------------------------------------------------------------iptables -A INPUT -j established-connection iptables -A OUTPUT -j established-connection #--------------------------------------------------------------# Start the protocol specific rules #--------------------------------------------------------------iptables -A INPUT -i $EXTERNAL_INT -d $EXTERNAL_IP -j INPUT-external iptables -A OUTPUT -o $EXTERNAL_INT -s $EXTERNAL_IP -j OUTPUT-external #--------------------------------------------------------------# Allow all bidirectional traffic from your firewall to the protected network #--------------------------------------------------------------iptables -A INPUT -j ACCEPT -p all -s $INTERNAL_NET -i $INTERNAL_INT iptables -A OUTPUT -j ACCEPT -p all -d $INTERNAL_NET -o $INTERNAL_INT #--------------------------------------------------------------# Allow masquerading # Enable routing by modifying the ip_forward /proc filesystem file #--------------------------------------------------------------- .

The default policy will also drop them #--------------------------------------------------------------iptables -A INPUT -j LOG-and-drop iptables -A OUTPUT -j LOG-and-drop #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=# #=# #=# CORE Chains .Stop #=# #=# #=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # Check for incorrect TCP state flags # # # All state bits zeroed .RELATED -j ACCEPT iptables -A FORWARD -t filter -i $EXTERNAL_INT -m state \ --state ESTABLISHED.Appendix II : Codes. Scripts and Configurations 313 iptables -A POSTROUTING -t nat -o $EXTERNAL_INT -s $INTERNAL_NET \ -d 0/0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward #--------------------------------------------------------------# Prior to masquerading.ESTABLISHED. # Allowed outbound: New. established and related connections # Allowed inbound : Established and related connections # # These statements handle both FORWARD-ing for both MASQUERADE # and port forwarding # #--------------------------------------------------------------iptables -A FORWARD -t filter -i $INTERNAL_INT -m state \ --state NEW. the packets are routed via the filter # table's FORWARD chain.RELATED -j ACCEPT #--------------------------------------------------------------# Log all other packets.

314 www.255.0/16 -j DROP 192.com # FIN set ACK cleared # PSH set ACK cleared # URG set ACK cleared # SYN and FIN set # SYN and RST set # FIN and RST set # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# iptables iptables iptables iptables iptables drop iptables drop iptables drop -A -A -A -A -A valid-tcp-flags valid-tcp-flags valid-tcp-flags valid-tcp-flags valid-tcp-flags -p -p -p -p -p tcp tcp tcp tcp tcp --tcp-flags --tcp-flags --tcp-flags --tcp-flags --tcp-flags ALL NONE -j LOG-and-drop ACK.URG URG -j LOG-and-drop SYN.0.PSH PSH -j LOG-and-drop ACK.0.RST -j LOG-and-A valid-tcp-flags -p tcp --tcp-flags FIN.255 -j DROP 169.RST FIN.255.FIN -j LOG-and- -A valid-tcp-flags -p tcp --tcp-flags SYN.254.linuxhomenetworking.FIN FIN -j LOG-and-drop ACK.0.0.RST SYN.0/8 -j DROP 255.2.0/24 -j DROP $EXTERNAL_IP -j DROP iptables -A valid-destination-address -d $EXTERNAL_SUBNET_BASE -j DROP iptables -A valid-destination-address -d $EXTERNAL_SUBNET_BROADCAST -j DROP iptables -A valid-destination-address -d $RESERVED_IP_MULTICAST -j DROP .RST -j LOG-and- #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # Source and Destination Address Sanity Checks # # Drop packets from networks covered in RFC 1918 (private nets) # Drop packets from external interface IP # Drop directed broadcast packets # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# iptables iptables iptables iptables iptables iptables iptables iptables iptables iptables iptables -A -A -A -A -A -A -A -A -A -A -A valid-source-address valid-source-address valid-source-address valid-source-address valid-source-address valid-source-address valid-source-address valid-source-address valid-source-address valid-source-address valid-source-address -s -s -s -s -s -s -s -d -s -s -s $RESERVED_IP_10_SPACE -j DROP $RESERVED_IP_172_SPACE -j DROP $RESERVED_IP_192_SPACE -j DROP $RESERVED_IP_MULTICAST -j DROP $RESERVED_IP_FUTURE -j DROP $LOOPBACK -j DROP 0.FIN SYN.

Parameter problem # .Destination unreachable .Appendix II : Codes. Scripts and Configurations 315 #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # ICMP # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# iptables -A INPUT-external -p icmp -j INPUT-icmp-external iptables -A OUTPUT-external -p icmp -j OUTPUT-icmp-external #--------------------------------------------------------------# Drop fragmented ICMP packets #--------------------------------------------------------------iptables -A INPUT-icmp-external --fragment -j LOG-and-drop iptables -A OUTPUT-icmp-external --fragment -j LOG-and-drop #--------------------------------------------------------------# Allow outbound pings #--------------------------------------------------------------iptables -A OUTPUT-icmp-external -p icmp --icmp-type echo-request \ -m state --state NEW -j ACCEPT iptables -A INPUT-icmp-external -p icmp --icmp-type echo-reply -j ACCEPT #--------------------------------------------------------------# Allow inbound pings from the NOC #--------------------------------------------------------------iptables -A INPUT-icmp-external -p icmp -s $NOC_SUBNET \ --icmp-type echo-request -m state --state NEW \ -j ACCEPT iptables -A OUTPUT-icmp-external -p icmp --icmp-type echo-reply \ -d $NOC_SUBNET -j ACCEPT #--------------------------------------------------------------# Accept the following ICMP Messages # # .Time exceeded # .Fragmentation needed # .Source quench # .

RELATED -j ACCEPT iptables -A established-connection -m state --state INVALID \ -j LOG-and-drop #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # OS supplied protection # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# #--------------------------------------------------------------- .linuxhomenetworking.316 www.com #--------------------------------------------------------------iptables -A unreachable iptables -A ACCEPT iptables -A ACCEPT iptables -A ACCEPT iptables -A ACCEPT iptables -A -j ACCEPT iptables -A ACCEPT INPUT-icmp-external -p icmp --icmp-type destination-j ACCEPT INPUT-icmp-external -p icmp --icmp-type parameter-problem -j INPUT-icmp-external -p icmp --icmp-type time-exceeded -j INPUT-icmp-external -p icmp --icmp-type source-quench -j OUTPUT-icmp-external -p icmp --icmp-type source-quench -j OUTPUT-icmp-external -p icmp --icmp-type fragmentation-needed OUTPUT-icmp-external -p icmp --icmp-type parameter-problem -j #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # Log and drop chain # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# iptables -A LOG-and-drop -j LOG --log-ip-options --log-tcp-options \ --log-level debug iptables -A LOG-and-drop -j DROP #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# # # Already ESTABLISHED connections accepted # #=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=# iptables -A established-connection -m state \ --state ESTABLISHED.

Scripts and Configurations 317 # Disable routing triangulation. not another.Appendix II : Codes. Helps to maintain state # Also protects against IP spoofing #--------------------------------------------------------------echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter #--------------------------------------------------------------# Enable logging of packets with malformed IP addresses #--------------------------------------------------------------echo 1 > /proc/sys/net/ipv4/conf/all/log_martians #--------------------------------------------------------------# Disable redirects #--------------------------------------------------------------echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects #--------------------------------------------------------------# Disable source routed packets #--------------------------------------------------------------echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route #--------------------------------------------------------------# Disable acceptance of ICMP redirects #--------------------------------------------------------------echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects #--------------------------------------------------------------# Turn on protection from Denial of Service (DOS) attacks #--------------------------------------------------------------echo 1 > /proc/sys/net/ipv4/tcp_syncookies #--------------------------------------------------------------# Disable responding to ping broadcasts #--------------------------------------------------------------echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts . Respond to queries out # the same interface.

com exit 0 .318 www.linuxhomenetworking.

com . The full zone file . refresh.com.my-othersite.0. refresh.158.com . ( 200211151 .Appendix II : Codes. Scripts and Configurations 319 DNS Zone File For my-site. $TTL 3D @ IN SOA www. ( 200211152 . localhost www mail MX 10 mail . seconds 3600 ) . The full zone file . NS www .com. . seconds 3600 . seconds 3600 . NS www . seconds .26 www DNS Zone File For my-other-site. seconds 3600 . . Zone file for my-other-site. minimum.com.0. Primary Mail Exchanger A A CNAME 127.com. minimum.my-other-site. serial. $TTL 3D @ IN SOA www. . hostmaster. seconds 3600 . retry. hostmaster. .my-site.my-site. expire. Zone file for my-site. Inet Address of name server my-site.253.com . seconds . seconds 3600 ) . .com. retry. serial. todays date + todays serial # 3600 .com . expire.1 97. . todays date + todays serial # 3600 . Inet Address of name server .

.168. seconds 3600 .1 bigboy A 192. expire.my-site-internal.1.100 smallfry A 192.my-site-internal. you could access it as mail. There is also an entry for one of the home PCs named smallfry which you can now additionally access as smallfry.com which maps to 192.1 www mail CNAME CNAME bigboy bigboy Reverse Zone File For A Home Network Using NAT .my-site.my-siteinternal.com. seconds 3600 ) .0. . seconds 3600 . retry. . minimum.com. seconds .168.com .253. $TTL 3D @ IN SOA www.102 firewall A 192. NS www . localhost A 127.com.com my-other-site. . Primary Mail Exchanger A A 127. ( 200211152 . Inet Address of name server .168.168.168. localhost www MX 10 mail.100.com and for web applications you could access it as www.1.com. Zone file for my-site-internal.158. hostmaster.1.my-site-internal.my-site-internal.1.com.com in which we can also access bigboy as bigboy.my-site-internal. . .com.0. . As server bigboy is also a mail and web server we have also added CNAMEs so that you can access 192.linuxhomenetworking.100 by one of two aliases depending on the role you wish it to play. serial# 3600 .1. refresh.26 Forward Zone File For A Home Network Using NAT Here is an example for a zone file for my-site-internal. The full zone file .1 97. For mail.320 www.0.0.

firewall. smallfry.com. NS www . Now you’ll get correct responses for both forward and reverse lookups using the host or nslookup commands.my-site-internal.com.Appendix II : Codes. $TTL 3D @ IN SOA www.com.my-site-internal. retry. refresh.my-site-internal.168. seconds 2H . 100 102 1 PTR PTR PTR bigboy.com. expire.com. hostmaster. minimum.168. ( 200210023 .1.my-site-internal. Zone file for 192. serial number 8H . seconds 1D ) .X network using the same principles you used for a public network. seconds 4W . Scripts and Configurations 321 You can also create a reverse zone file for the home network on the 192. . seconds . . Inet Address .my-site-internal.1.x . .

>>>>>>>>>> >> NOTE >> >>>>>>>>>> The program "newaliases" must be run after this file is updated for any changes to show through to sendmail.322 www. localhost.2 (Berkeley) 3/5/94 Aliases in this file will NOT be expanded in the header from Mail. # # by default we allow relaying from localhost.localdomain RELAY localhost RELAY 127.0..168 RELAY Sendmail Sample /etc/aliases File # # # # # # # # # # @(#)aliases 8. bin: root daemon: root adm: root lp: root sync: root shutdown: root halt: root .1 RELAY # # Relay messages from the local subnet 192.cf is part of the sendmail-doc # package.these MUST be present. but WILL be visible over networks or from /bin/mail. (search for access_db in that file) # The /usr/share/doc/sendmail/README. # Basic system aliases -.com Sendmail Sample /etc/mail/access File # Check the /usr/share/doc/sendmail/README.linuxhomenetworking. mailer-daemon: postmaster postmaster: root # General redirections for pseudo accounts.cf file for a description # of the format of this file.0..

com .Appendix II : Codes.my-site. Scripts and Configurations 323 mail: news: uucp: operator: games: gopher: ftp: nobody: apache: named: xfs: gdm: mailnull: postgres: squid: rpcuser: root rpc: ingres: system: toor: manager: root dumper: abuse: newsadm: news newsadmin: usenet: ftpadm: ftpadmin: ftp-adm: ftp ftp-admin: root root root root root root root root root root root root root root root root root root root root root news news ftp ftp ftp # trap decode to catch security attacks decode: root # Person who should get root's mail root: t689ndtw@my-site.com mail. # my-site.com www.my-site.com Sendmail Sample /etc/mail/local-host-names File # local-host-names .include all aliases for your machine here.

com Sendmail Sample /etc/mail/sendmail. `/etc/mail/userdb.mc File divert(-1) dnl This is the sendmail macro config file. `authwarnings.`smtp.com ns.com www.novrfy.my-other-site.true)dnl define(`PROCMAIL_MAILER_PATH'. If you make changes to this file.db')dnl define(`confPRIVACY_FLAGS'. dnl you need the sendmail-cf rpm installed and then have to generate a dnl new /etc/mail/sendmail.your.pem') dnl define(`confSERVER_KEY'.com ns.linuxhomenetworking. `2000000')dnl define(`confUSERDB_SPEC'.restrictqrun')dnl define(`confAUTH_OPTIONS'.pem') .com # my-other-site. `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl define(`confCACERT_PATH'.cf dnl include(`/usr/share/sendmail-cf/m4/cf.mc > /etc/mail/sendmail.provider') define(`confDEF_USER_ID'.crt') dnl define(`confSERVER_CERT'.noexpn.`/usr/share/ssl/certs/sendmail.cf by running the following command: dnl dnl m4 /etc/mail/sendmail.`/usr/share/ssl/certs/ca-bundle.``8:12'')dnl undefine(`UUCP_RELAY')dnl undefine(`BITNET_RELAY')dnl dnl define(`confAUTO_REBUILD')dnl define(`confTO_CONNECT'.324 www.`/usr/share/ssl/certs/sendmail.`/usr/bin/procmail')dnl define(`ALIAS_FILE'. `/etc/mail/statistics')dnl define(`UUCP_MAILER_MAX'. `A')dnl dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl define(`confAUTH_MECHANISMS'. `/etc/aliases')dnl dnl define(`STATUS_FILE'.com mail.`/usr/share/ssl/certs') dnl define(`confCACERT'.my-other-site.true)dnl define(`confDONT_PROBE_INTERFACES'.m4') VERSIONID(`linux setup for Red Hat Linux')dnl OSTYPE(`linux') dnl dnl Uncomment and edit the following line if your mail needs to be sent out dnl through an external mail server: dnl dnl define(`SMART_HOST'.my-site.my-other-site. `1m')dnl define(`confTRY_NULL_MX_LIST'.

the user runs over his quota. However. dnl DAEMON_OPTIONS(`Port=smtp.`'. Name=MTA') dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires dnl a kernel patch dnl DAEMON_OPTIONS(`port=smtp.`hash -o /etc/mail/virtusertable. Family=inet6') dnl We strongly recommend to comment this one out if you want to protect dnl yourself from spam.Addr=127.0. the laptop and users on computers that do dnl not have 24x7 DNS do need this.0.`procmail -t -Y -a $h -d $u')dnl FEATURE(`access_db'.Appendix II : Codes.db')dnl FEATURE(`virtusertable'.0.db')dnl FEATURE(redirect)dnl FEATURE(always_add_domain)dnl FEATURE(use_cw_file)dnl FEATURE(use_ct_file)dnl dnl The '-t' option will retry delivery if e. Name=MTA-v6.g. FEATURE(local_procmail.db')dnl FEATURE(`blacklist_recipients')dnl dnl dnl dnl ***** Customised section 1 start ***** dnl dnl FEATURE(always_add_domain)dnl FEATURE(`masquerade_entire_domain')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`allmasquerade')dnl FEATURE(delay_checks)dnl dnl FEATURE(genericstable. `12')dnl dnl define(`confREFUSE_LA'. dnl FEATURE(`accept_unresolvable_domains')dnl dnl FEATURE(`relay_based_on_MX')dnl . `18')dnl define(`confTO_IDENT'.`hash -T<TMPF> -o /etc/mail/access.1 dnl and not on any other network devices.1. Comment this out if you want dnl to accept email over the network. `0')dnl dnl FEATURE(delay_checks)dnl FEATURE(`no_default_msa'.0.Addr=::1. `hash -o /etc/mail/genericstable')dnl dnl GENERICS_DOMAIN_FILE(`/etc/mail/genericstable')dnl dnl dnl dnl ***** Customised section 1 end ***** dnl dnl dnl EXPOSED_USER(`root')dnl dnl This changes sendmail to only listen on the loopback device 127.`/usr/sbin/smrsh')dnl FEATURE(`mailertable'.`hash -o /etc/mail/mailertable. Scripts and Configurations 325 dnl define(`confTO_QUEUEWARN'. `5d')dnl dnl define(`confQUEUE_LA'. `4h')dnl dnl define(`confTO_QUEUERETURN'.`dnl')dnl FEATURE(`smrsh'.

')dnl (for local machine) MASQUERADE_DOMAIN(`my-site.16384)dnl dnl MASQUERADE_AS(`my-site.com t689ndtw@my-site.linuxhomenetworking.com.com @my-site.`goaway')dnl .com MAILER(smtp)dnl MAILER(procmail)dnl dnl Cwlocalhost.326 www.com)dnl (for local machine) dnl dnl dnl ***** Customised section 2 end ***** dnl dnl Sendmail Sample /etc/mail/virtusertable File @my-other-site. `$j server ready at $b')dnl .Limits command usage define(`confSMTP_LOGIN_MSG'.com paul@my-site.localdomain dnl dnl dnl ***** Customised section 2 start ***** dnl dnl define(`confPRIVACY_FLAGS'.com error:nouser User unknown error:nouser User unknown paul paul paul .Changes login message define(`confMAX_HEADERS_LENGTH'.com paul@my-other-site.')dnl (for everyone else) MASQUERADE_AS(my-site.com.

The sender is using a Type of Service (TOS) that is not available through this router for that specific host. indicating the host is not available at this time Protocol Unreachable The protocol defined in IP header cannot be forwarded. indicating the host may never have been available on connected network. Dynamically adds a network entry in original sender's routing tables. indicating this network may never have been an available. Scripts and Configurations 327 ICMP Codes Type 3 Description Destination Unreachable Codes Net Unreachable The sending device knows about the network but believes it is not available at this time. The sender is using a Type of Service (TOS) that is not available through this router for that specific network. Redirect Datagram for the Host ICMP sender (router) is not the best way to get to the desired host. Name ICMP sender (router) has been configured to block access to the desired destination host. application set the Don't Fragment bit. Reply contains IP address of best router to destination. Reply contains IP address of best router to destination. Port Unreachable The sending device does not support the port number you are trying to reach Fragmentation Needed and Don't The router needs to fragment the packet to forward it across Fragment was Set a link that supports a smaller maximum transmission unit (MTU ) size. using Flash Override precedence).Appendix II : Codes. Source Route Failed ICMP sender can't use the strict or loose source routing path specified in the original packet. However. Host Unreachable The sending devices knows about host but doesn't get ARP reply. Dynamically adds a host entry in original sender's route tables. Precedence value defined in sender's original IP header is not allowed (for example. ICMP sender is not available for communications at this time. Redirect Codes Redirect Datagram for the Network ICMP sender (router) is not the best way to get to the (or subnet) desired network. Destination Network Unknown ICMP sender does not have a route entry for the destination network. ICMP sender (router) has been configured to block access to the desired destination network. Destination Host Unknown ICMP sender does not have a host entry. . Source Host Isolated Communication with Destination Network is Administratively Prohibited Communication with Destination Host is Administratively Prohibited Destination Network Unreachable for Type of Service Destination Host Unreachable for Type of Service Communication Administratively Prohibited Host Precedence Violation 5 ICMP sender (router) has been configured to not forward packets from source (the old electronic pink slip). Perhaps the network is too far away through the known route.

Dynamically adds a network entry in original sender's route tables. Parameter Problem Codes Pointer indicates the error Error is defined in greater detail within the ICMP packet. Should redirect application to another host. Time Exceeded Codes Time to Live exceeded in Transit ICMP sender (router) indicates that originator's packet arrived with a Time To Live (TTL) of 1.linuxhomenetworking. Alternate Host Address Codes Alternate Address for Host Reply that indicates another host address should be used for the desired service. Bad Length Original packet structure had an invalid length.com Type 6 11 12 Name Description Redirect Datagram for Type of the ICMP sender (router) does not offer a path to the Service and Network destination network using the TOS requested. Dynamically adds a host entry in original sender's route tables. Missing a Required Option ICMP sender expected some additional information in the Option field of the original packet. Routers cannot decrement the TTL value to 0 and forward the packet. . Redirect Datagram for the Type of ICMP sender (router) does not offer a path to the Service and Host destination host using the TOS requested. Fragment Reassembly Time ICMP sender (destination host) did not receive all fragment Exceeded parts before the expiration (in seconds of holding time) of the TTL value of the first fragment received.328 www.

255. Don't forget to put it back. Scripts and Configurations 329 Cisco PIX Firewall .255. Cisco suggests you remove it when troubleshooting ! getting your IP address.100 www netmask 255. Internet interface to use the PPPOE protocol ! to get it's IP address and default route. ! Substitute your DSL username for "myusername" and your ! password for "*********" ! vpdn group ISP request dialout pppoe vpdn group ISP localname myusername vpdn group ISP ppp authentication pap vpdn username myusername password ********* ! ! Set up the outside.1.100 snmp-server community password ! ! DSL setup using a generic group called "ISP".168. Substitute "password" ! with the real SNMP string (Optional) ! snmp-server host inside 192.outside) tcp interface www 192.100.0 0 0 ! ! Port forwarding setup.168. or else you'll ! never get your default route back ! ip address outside pppoe setroute .168. The set route command ! is very important.0. Forward all www traffic to 192.Appendix II : Codes.0 0.0.1.255 0 0 ! ! Apply an access list entry to allow www (TCP Port 80)traffic in ! access-group inbound in interface outside access-list inbound permit tcp any any eq www ! ! Enable SNMP queries from 192.0.168.0.100 ! (Linux webserver) ! static (inside.1.1.DHCP DSL Configuration ! ! NAT Setup ! global (outside) 1 interface nat (inside) 1 0.

1.100 interface ethernet0 10baset interface ethernet1 10full icmp deny any outside 2002 eq eq eq eq eq www 222 domain domain smtp .158.Static DSL Configuration : Saved : Written by enable_15 at 22:33:57.253.330 www.255.168.sfba.com ip address inside 192.601 UTC Sat Nov 23 PIX Version 6.168.0 ! ! Setup DHCP autoconfiguration for the outside interface ! dhcpd auto_config outside Cisco PIX Firewall .253.26 access-list inbound permit tcp any host 97.158.26 access-list inbound permit udp any host 97.158.1.com fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 names access-list inbound permit icmp any any access-list inbound permit tcp any host 97.253.253.158.255.1 255.home.26 pager lines 25 logging on logging timestamp logging trap warnings logging history warnings logging facility 22 logging host inside 192.158.253.26 access-list inbound permit tcp any host 97.2(2) nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password sde0sdD0sGz09COjx encrypted passwd sde0sdD0sGz09COjx encrypted hostname aquapix domain-name stcla1.linuxhomenetworking.26 access-list inbound permit tcp any host 97.

255.255 0 0 static (inside.168.outside) 97.1.0 inside telnet timeout 15 ssh 192.255.0.1.255.253.0.255.168.1.158.0 0.0 0.158.168.0.1.101 netmask 255.100 netmask 255.255.253.168.0 255.30 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside terminal width 80 Cryptochecksum:3af43873d35d6f0651f8c999180c2342 .Appendix II : Codes.158.0 inside snmp-server host inside 192.0. Scripts and Configurations 331 mtu outside 1500 mtu inside 1500 ip address outside 97.110 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local filter java 80 0.0 255.255.255.158.255.0.0.0 ip audit info action alarm ip audit attack action alarm pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 192.0 0.255.1.0 0.168.0.1.1.255.248 ip address inside 192.255.0.255 0 0 access-group inbound in interface outside route outside 0.0 67.255.0 255.168.96 255.168.100 no snmp-server location no snmp-server contact snmp-server community simiya2002 snmp-server enable traps tftp-server inside 192.0.1.0.255.0.1.168.1.0 ntp server 192.99 netmask 255.255 0 0 static (inside.168.168.221.168.25 255.100 /aquapix-confg floodguard enable no sysopt route dnat telnet 192.168.0.0.1 255.255.0.0.28 192.255.0.outside) 97.1.0.0 0.255.0.outside) 97.0.253.1.120.255.0 inside ssh timeout 15 dhcpd address 192.0.0 0.255.248 0 0 static (inside.253.100 source inside http server enable http 192.0 0.27 192.168.0 filter activex 80 0.1.26 192.20-192.

com : end .linuxhomenetworking.332 www.

com =========================================== An informal listing of some of the sites I visited to create this manual.Hosting Your Website at Home Static DNS NTP Server POP Mail Server Samba .iptables Configuration General Home Networking Resource Pages SSH Servers and SSH Clients The Windows SCP client called WinSCP FTP Server and FTP Clients DHCP Server Apache Web Server Software Sendmail Mail Configuration Dynamic DNS . .Linux as a Windows File Server General Linux Resource Pages Disk Partitioning Network Monitoring My Other Sites © Peter Harrison.333 Appendix III Bibliography =========================================== In This Chapter Appendix III Bibliography Wireless Linux Cisco Router Configuration Examples Cisco PIX Firewall Configuration Examples Netfilter .linuxhomenetworking. www.

.com/personal/Jean_Tourrilhes/Linux/ http://www.linux-wlan.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapt er09186a00800ca7b1.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapt er09186a00800ca7b1.unixguru.shtml http://linuxdoc.cisco.com/en/US/products/hw/routers/ps221/prod_configuration_examples_list.org/ http://prism2.cisco.Configuring IOS IPSec Network Security • Cisco PIX Firewall Configuration Examples Cisco Systems • • http://www.com Wireless Linux A good reference page (Has GUI screens for PCMCIA type cards) • • • • • http://www.hp.com http://www.saragossa.com/en/US/products/hw/routers/ps380/prod_configuration_examples_list. RPM versions of the drivers can be found here Cisco Router Configuration Examples Cisco Systems • • • • http://www.com http://www.html http://www.cisco.Configuring IPSec Network Security Cisco .cisco.linuxhomenetworking.html http://www.net/LinuxG3/ls-wlan.us The LDP Wireless LAN Resources for Linux The drivers are here.htm Configuring Cisco PIX firewalls for DHCP .raleigh.nc.html http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/pixclnt.html Configuring Cisco 800 series routers Configuring 1700 / 2600 / 3600 series routers Cisco .org/HOWTO/Wireless-HOWTO http://www.cisco..334 www.hpl.

com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapt er09186a00800eb72a.html http://www.org/HOWTO/Net-HOWTO/ http://www.chiark.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.netfilter.html#xtocid3 http://www.cisco.org/assignments/port-numbers ICMP codes listing TCP and UDP port assignments SSH Servers and SSH Clients PuTTY homepage (Free) • • http://www.htm http://www.htm#xtocid15 Cisco .cisco.html http://www.99/icmp09/code.com/ SecureCRT homepage (Purchase Required) .org.iana.cisco.com/oct.tldp.html General Home Networking Resource Pages Linux networking HOWTO • • • • • http://www.Configuring IPSec Network Security • Cisco .ht ml http://www.greenend.Appendix III : Bibliography 335 Cisco PIX 500 series configuration guides • http://www.tldp.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.uk/~sgtatham/putty/ http://www.nwconnection.html Linux Networking-HOWTO http://www.vandyke.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapt er09186a00800ca7b1.cisco.iptables Configuration Netfilter iptables HOWTO tutorial site • http://www.org/HOWTO/Networking-Overview-HOWTO.org/documentation/tutorials/blueflux/iptables-tutorial.Configuring PIX IPSec Network Security • Cisco PIX error messages • • Configuring Cisco PIX logging parameters Netfilter .cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/syslog/index.

linuxhomenetworking.linux-mag.apache.336 www.html Good page on how to stop SPAM with sendmail .html http://www.redhat.com The Windows SCP client called WinSCP • http://winscp.0-Manual/custom-guide/s1-dhcp-configuringserver.html http://www.cz/eng/ FTP Server and FTP Clients A good site on how to install one of the many Windows GUI FTP clients • • Zen and the Art of FTP: An FTP Tutorial http://www.com/2000-04/networknirvana_05.com/docs/manuals/linux/RHL-8.vse.brettglass.com/features/vhost Apache week's description of how to do virtual hosting Sendmail Mail Configuration Good sendmail quick setup guide • • http://www.unixreview.html Linux Magazine's detailed guide • Apache Web Server Software Apache's documents on setting up virtual hosts • • http://httpd.com/documents/s=2426/uni1018361705067/0204e.com/network_howto/part3/ http://www.apacheweek.com/spam/paper.htm Perl Script to do Automatic FTP File Copies to Update Your Website DHCP Server RedHat's guide to configuring DHCP • http://www.neilgunton.org/docs/vhosts/examples.

Appendix III : Bibliography 337 Some more was found here • • • • http://www.org/dynamic/ http://www.technopagan.tldp.sendmail.technopagan.com/handbook/sendmail.com/permanentEmailAddress.DDNS Provider Ez-ipupdate DDNS Update Script DDclient DDNS Update Script Static DNS What is DNS? • • http://www. Mirrored here.primemail.Hosting Your Website at Home What is Dynamic DNS (DDNS)? • • • • • http://www.org/dynamic/ http://www.org/HOWTO/DNS-HOWTO.html http://www.html http://www.freebsdsystems.html .cx/proj/ez-ipupdate/ See the README for more information.redhat. MiniDNS.eecis.0-Manual/ref-guide/s1-email-sendmail.org http://gusnet.org/m4/features.com/docs/manuals/linux/RHL-8.DDNS Provider dynDNS.dyndns.html Masquerading explanations Explanation on the difference between email headers and envelopes RedHat's recommendations for configuring sendmail Dynamic DNS .hml http://www.html All you ever need to know about setting up DNS for a home / SOHO environment NTP Server NTP Configurations • http://www.edu/~mills/ntp/servers.org .net .udel.net http://www.minidns.

338 www.html POP server compilation and configuration details Samba .html Automount HOWTO with FAQs • • http://home.net/rosko/howto/en/mini/Automount.htm A very comprehensive guide to sudo .in/pipermail/plug-mail/2002-June/004274. by David Lechnyr Simple Windows Workgroup Networking Tutorial SAMBA organization's description of creating a PDC Mandrake's resource page on Samba PDCs Sharing a Windows hard drive from a Linux box (Windows steps to do this) Sharing a Windows hard drive from a Linux box (Linux steps to do this) General Linux Resource Pages Text Terminal HOWTO • http://www.html http://unix.edu/davidrl/samba.linux.html http://us6.org/samba/ftp/docs/htmldocs/Samba-PDC-HOWTO.com/download/cfyc/HOWTO_setup_samba.org.org/docs/connect/csamba6.3-xml/imapop.html#toc14 Complete Linux Networking HOWTO http://www.html http://playstation2-linux.html http://www.linuxhomenetworking.Linux as a Windows File Server The Samba Project • • • • • • • http://www.about.com/library/weekly/aa102500c.rosko.com/~jemorrow/samba/implementation.uoregon.openna.com POP Mail Server From the creators of the default Redhat POP server • • http://www.de/howtos/html/NET-3-HOWTO.linuxpowered.com/archive/howto/Text-Terminal-HOWTO.com/community/articles/security/v1.mandrakeuser.html http://www.html http://plug.azstarnet.samba.samba.html The Unoffical Samba HOWTO.org http://hr.uni-bayreuth.washington.edu/imap/ http://www.

html Network Monitoring The MRTG homepage • http://www.org.org My Other Sites Simiya .Caribbean Art and Photos • Simiya .linuxsa.au/tips/disk-partitioning.Appendix III : Bibliography 339 Disk Partitioning • http://www.mrtg.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->