Category: Configuring Linux

Network File Server (NFS)

By peter, September 20, 2009

NFS

Make sure the “nfsserver” and “portmap” services have started. You can set them to start at bootup by typing the following:


chkconfig nfsserver on
chkconfig portmap on

Now edit the /etc/exports file with “vi” to define which folders need to be exported. The syntax is as follows:

Directory Host(option1,option2,option3)

Note that “host” can be a computer name or an IP address. It can also be a network name (put a * in front of your domain name, e.g. *.yourdomain.co.za) or a network IP range. A * on its own means everyone. Here is an example using computer names:

/data/ peterhpc(rw) fredblog(rw)

You can share a folder temporarily by using the “exportfs” command as follows:

exportfs -o ro,root_squash,sync 192.168.0.0/24:/data
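As an added example (not part of the original post), the following audit reads an exports file in the syntax above and flags entries that are exported to everyone or that turn off root squashing, which are the two settings most worth a second look before the server goes live. The sample exports file is constructed for the example.

```shell
#!/bin/sh
# Audit an /etc/exports file for entries that are exported to everyone ("*")
# or that disable root squashing. Added example, not from the original post.

# Constructed sample exports file, written to a temporary file so the audit
# reads a path just as it would read /etc/exports.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample of /etc/exports
/data/      peterhpc(rw) fredblog(rw)
/public     *(ro,sync)
/backup     192.168.0.0/24(rw,no_root_squash,sync)
/home       *.yourdomain.co.za(rw,sync)
EOF

# audit_exports FILE
# Prints one line per finding in the form "<directory> <host> <reason>".
# Comment lines and blank lines are skipped; each "host(options)" entry on a
# line is examined separately.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            dir = $1
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match(host, /\(.*\)$/)) {
                    opts = substr(host, RSTART + 1, RLENGTH - 2)
                    host = substr(host, 1, RSTART - 1)
                }
                if (host == "*" && opts ~ /(^|,)rw(,|$)/) {
                    print dir, host, "read-write export to everyone"
                } else if (host == "*") {
                    print dir, host, "export to everyone"
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print dir, host, "root squashing disabled"
                }
            }
        }
    ' "$1"
}

# exports_clean FILE: succeeds (exit 0) only when the audit has no findings,
# so it can gate a restart of the NFS server from a script.
exports_clean() {
    [ -z "$(audit_exports "$1")" ]
}

audit_exports "$SAMPLE_EXPORTS"
exports_clean "$SAMPLE_EXPORTS" || echo "review the findings above before exporting"
```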

Client

You can use the command “showmount -e computername” (or “showmount -a computername”) to show which folders are exported by a computer. If you leave off “computername” it defaults to the computer you are working on.

You can mount a remote “share” by typing the following at the command prompt:

mount -t nfs -o (options) computername:/exported/directory /local/mountpoint

For this to work you need to have started the “portmap” service by typing the following at the command prompt:

rcportmap start

If you don’t want to mount this directory permanently (i.e. you don’t want it mounted at every boot), type the following:

mount -o soft computername:/data /data2/temp/

To mount it permanently, edit the /etc/fstab file and put in a line similar to the following:

peterh.yourdomain.co.za:/data /datalocal nfs defaults 0 0

Setting up a windows client for hylafax

By peter, September 20, 2009

Windows client:


1. Download “whfc” from the Internet

2. Install it on your windows client

3. Install a new printer with the following settings

a. Local printer

b. Select an Apple PS printer

c. Choose the “whfc” port

4. Use the login name you created when you installed the Hylafax server. When you try to use whfc you will be asked for the password.

5. Print to the new printer

Setting up a fax server with Hylafax

By peter, September 20, 2009

Hylafax Fax server setup


The following was done on my system with success using SuSE 10.2 and a generic 56k modem.

1. Test your modem by dialing with the dialer tool on your task bar (after configuring your modem in YaST). Try ringing your cell phone or something. At least you will then know that it is not your modem that is faulty when Hylafax doesn’t work.
2. Install Hylafax and mgetty

3. Run “faxsetup” from the shell. Use all of the defaults you can.

4. Run “faxaddmodem” from the shell. Type in your com port when required to do so (ttyS0 is com 1). Use all of the defaults you can.

5. Add a user to Hylafax by typing the following in the shell: “faxadduser password 10 username” (substitute your own password for “password” and your own username for “username”; “10” is the UID, which should be the same as that of the system user “uucp”).

6. Make sure that Hylafax is set to run on level 2345 in the “run level” editor

7. Edit /etc/inittab with vi and make sure that the “#” is removed from the start of the following line:

mo:2345:respawn:/usr/lib/fax/faxgetty ttyS0

Make sure that the path is correct and the run levels are set to 2345. Also, if you used /dev/ttyS0 in “faxaddmodem”, use it here as well; otherwise just say “ttyS0” as above.

8. Edit the /var/spool/fax/etc/config.ttyS0 file with vi (or the file for whatever your port is; ttyS0 is com1) and change the following:

RecvFileMode: 0644

LogFileMode: 0644

DeviceMode: 0666

9. If you are using a US Robotics (3Com) modem, add the following to the /var/spool/fax/etc/config.ttyS0 file as well:


ModemATCmdDelay: 100

10. And that is that! Restart Hylafax and make sure faxgetty is running (look in the run level editor under YaST, or run “rchylafax status” at the command prompt).

Setting up VPN

By peter, September 16, 2009

A Virtual Private Network (VPN) is a private communications network often used by companies or organizations to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider’s private network.

VPN Scenario

There are a number of VPN scenarios you could use, as follows:

1. Server to server (encrypted tunnel only)
2. Client to Server (encrypted tunnel and authentication)
3. Client to Client

As far as this document goes we will be considering scenarios one and two. We will be using IPSEC and L2TP. The following diagram provides an overview of the two scenarios:

[diagram: overview of the server-to-server and client-to-server scenarios]
IPSEC and L2TP
IPSEC and L2TP are the two protocols discussed in this document. There are other methods of setting up a VPN but I have chosen to focus on the L2TP over IPSEC method.
Openswan (openswan-2.4.7-1.i686.rpm) can be downloaded from the Internet and is used to install IPSEC. You will find that a lot of distributions include openswan. L2TP can also be downloaded from the Internet in the form of a tarball or RPM (the xl2tpd rpm or the older l2tpd rpm will work fine).
IPSEC
IPSEC, which is installed when you install “Openswan”, allows you to create an encrypted tunnel between two servers that are connected via the Internet.
This means that any traffic between the two servers will be encrypted and thus unreadable to anyone trying to “eavesdrop” on the data passing between them. Users on either side of the connection can reach the other network through the encrypted tunnel.
To stop hackers from connecting to either of the servers, IPSEC is set up to authenticate the two ends with either a “Preshared key”, an “RSA key” or “PKI Certs”.
[diagram: encrypted IPSEC tunnel between two servers]
L2TP
L2TP will be used in a client server scenario, allowing users to “log on” to the VPN server.
L2TP is used to manage things like the IP address range and the authentication type for the clients who connect.
Once L2TP is installed, the connection will use PPP to handle the client log on.
In order to install L2TP you will need to install the XL2TPD or the L2TPD package. You also need to install IPSEC, as L2TP runs over IPSEC.


VPN config and setup overview
The server to server overview
For a server to server VPN “pipe” you will only need an IPSEC connection, since you won’t be authenticating users on either server.
You will only be providing an encrypted tunnel between two networks. Your routing tables need to be configured so that each server knows about the other network.
On the server you will need to do the following, all of which will be explained in detail later:
1. For the server to support VPN you will need to make sure that your server kernel supports IPSEC.
2. Download and install “openswan-2.4.7-1.i686.rpm”, or install it from your software manager if your distribution includes it.
3. Set ipsec to start at boot, and start the ipsec service.
4. Check that ipsec has started properly with the “ipsec verify” command. Opportunistic encryption should show as disabled at this stage.
5. Draw your network, designating one server as left and one as right.
6. Configure the left and right parameters in the /etc/ipsec.conf configuration file. Each server needs to be configured.
7. Set up the RSA keys on both servers, and restart ipsec.
8. Change firewall settings as needed.
9. Initialize the new tunnel.
10. Test the new tunnel.
The client to server Overview
For a client server environment you will need to use L2TP over IPSEC. IPSEC provides the encrypted tunnel and L2TP will be used to manage the clients who connect.
During this course you will install XL2TPD, which provides an updated version of L2TP.
To successfully set up a client server connection you will need to do the following:
1. Install IPSEC on the server.
2. Install L2TP on the server.
3. Edit the /etc/ipsec.conf file to define a connection from anywhere, with user authentication handled by PPP.
4. Edit the /etc/xl2tpd/xl2tpd.conf file to define the IP range for incoming client connections and whether authentication will use pap or chap. Specify your options file (options.l2tpd).
5. Edit the /etc/ppp/chap-secrets file and add a user name and password for the client who wants to connect.
6. Start your services.
7. Connect with a client and test.
Server to Server setup
Installing IPSEC (Openswan)
Download and install “openswan-2.4.7-1.i686.rpm” as follows:
rpm -i openswan-2.4.7-1.i686.rpm
Check the ipsec installation with the “ipsec verify” command; the output should look something like the following:
——————————————————————————————————————————
[root@localhost /]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.9-42.EL (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]
[root@localhost /]#
————————————————————————————————————————
If “IP Forwarding” fails then you will need to enable IP forwarding by editing the /etc/sysctl.conf file and making sure it contains the line “net/ipv4/ip_forward = 1”. This makes IP forwarding permanent.
TIP
If you only want IP forwarding to work until the next reboot, use the command “echo 1 > /proc/sys/net/ipv4/ip_forward” at the command prompt.
Starting IPSEC
Set ipsec to start at boot with “chkconfig ipsec on”. Start the ipsec service with the “service ipsec start” command.
Server to server diagram
Create a diagram of your server to server physical setup, similar to the following:
[diagram: server to server physical setup]
This diagram will help you when setting up your ipsec.conf files on each server. You will actually need two such diagrams, one for each server, as “left” is local and “right” is remote from the point of view of each server.
Configuring ipsec.conf
Based on the two diagrams of the server to server setup you will need to edit the “/etc/ipsec.conf” file for each server.
Bear in mind that each server is “left” in relation to the other server, which is “right”.
The parameters of the “/etc/ipsec.conf” file are defined as follows:
left: Internet IP address of the left-hand side VPN device.
leftsubnet: The network protected by the left-hand side VPN device.
leftid: Fully qualified domain name in DNS of the left-hand side VPN device, preceded by an “@” sign. If DNS isn’t set up for the IP addresses, remove this entry, because names that don’t resolve correctly cause the VPN initialization to fail.
leftrsasigkey: The entire RSA sig public key of the left-hand side VPN device. This can be obtained with the “ipsec showhostkey --left” command.
leftnexthop: The next hop router from the left-hand side VPN device when trying to reach the right-hand side VPN device. You may use the auto-generated variable %defaultroute, which will be valid in most cases, or the actual IP address of the next hop router in cases where the next hop is not the default router.
right: Internet IP address of the right-hand side VPN device.
rightsubnet: The network protected by the right-hand side VPN device.
rightid: Fully qualified domain name in DNS of the right-hand side VPN device, preceded by an “@” sign. If DNS isn’t set up for the IP addresses, remove this entry, because names that don’t resolve correctly cause the VPN initialization to fail.
rightrsasigkey: The entire RSA sig public key of the right-hand side VPN device. This can be obtained by going to the other computer and using the “ipsec showhostkey --left” command there (it prints a leftrsasigkey= line; put that value in rightrsasigkey= here).
rightnexthop: The next hop router from the right-hand side VPN device when trying to reach the left-hand side VPN device. You may use the auto-generated variable %defaultroute, which will be valid in most cases, or the actual IP address of the next hop router in cases where the next hop is not the default router.
auto: With auto=start the VPN tunnel is started automatically when ipsec starts.

For other acceptable parameters browse to http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html
If two servers were configured as follows:
[diagram: the two servers’ public addresses and protected networks used in the example]
the two ipsec.conf files, with a simple configuration, would look something like the following examples:
Server A ipsec.conf
————————————————————————————————————————-
# each rsasigkey value is one long line; do not wrap it
conn net-to-net
    auto=start
    left=196.36.13.202
    leftid=@196.36.13.202
    leftrsasigkey=0sAQPrX0wPJ4+lZDBaNb09gZ01cskYq5W7eXPIwS40KkQo++OcqvaUNhyvaXcc8p4Pv9+XIdOMkW1zit5uxS+VMyy++ieb8tXNEragbHkIBgxCG8fCg4F3Yrkkl/S38LzbGGZ5REmQm2PXs5Lx9VRH3w6sblckreTuFFOdIBr9Io4I9DSbd//AiFoyXr1sz+iXk88hsuMPsnLByaLpEVpiupbzbDWPWTQJnezDAZTf1626XknYvHZt5m7g6tpyfled7/J5fRPCQBLNyn5hIZkNIWF23KaJDRrSmAvIMG9Ems0tnbxs7b2kVLQ82zxkoEJUvKCaSYxKmRHqfxUnL2s6y/oPyfaUmQ2DR/WKE+4vywDcg3ct
    leftsubnet=192.168.20.0/24
    leftnexthop=%defaultroute
    right=196.36.13.204
    rightid=@196.36.13.204
    rightsubnet=10.0.0.0/24
    rightnexthop=%defaultroute
    rightrsasigkey=0sAQOnq7yZWqLdC10hHnMq2T301iOGknVa+Onap3Bgy+4ULq1D7fi1UPJZ9vz58S8PiLJvDbcexZ8p5NHFaayYRREZ0hw2E5fKwjX2Pw558ac3SjqPrXuXr+KRfXGW8JkxPmexAsM9oxNIIzWiaJQUuXJWWCuXioIY+NP+s48tvDYZCR0QdX3bOiFGgPcg2QoGl5RbN2Ca03cKhrmo3uejXvuP4Fu+1d5XuBxrjPHLGTJ7Tv5sYuN0dQotqCdRUKWmQPVi6IulLHU2f8FLzFPt9WjgUnwO1hHCsagoS+xyfF7FV7pi6achxctxAECwBfTKDa/CXP7Xj0xAgmpAPSQ78GzUbkeDFDTd8Hn9r5zO2+Z9DwyF
——————————————————————————————————————————
Server B ipsec.conf
——————————————————————————————————————————
# each rsasigkey value is one long line; do not wrap it
conn net-to-net
    auto=start
    left=196.36.13.204
    leftid=@196.36.13.204
    leftrsasigkey=0sAQOnq7yZWqLdC10hHnMq2T301iOGknVa+Onap3Bgy+4ULq1D7fi1UPJZ9vz58S8PiLJvDbcexZ8p5NHFaayYRREZ0hw2E5fKwjX2Pw558ac3SjqPrXuXr+KRfXGW8JkxPmexAsM9oxNIIzWiaJQUuXJWWCuXioIY+NP+s48tvDYZCR0QdX3bOiFGgPcg2QoGl5RbN2Ca03cKhrmo3uejXvuP4Fu+1d5XuBxrjPHLGTJ7Tv5sYuN0dQotqCdRUKWmQPVi6IulLHU2f8FLzFPt9WjgUnwO1hHCsagoS+xyfF7FV7pi6achxctxAECwBfTKDa/CXP7Xj0xAgmpAPSQ78GzUbkeDFDTd8Hn9r5zO2+Z9DwyF
    leftsubnet=10.0.0.0/24
    leftnexthop=%defaultroute
    right=196.36.13.202
    rightid=@196.36.13.202
    rightsubnet=192.168.20.0/24
    rightnexthop=%defaultroute
    rightrsasigkey=0sAQPrX0wPJ4+lZDBaNb09gZ01cskYq5W7eXPIwS40KkQo++OcqvaUNhyvaXcc8p4Pv9+XIdOMkW1zit5uxS+VMyy++ieb8tXNEragbHkIBgxCG8fCg4F3Yrkkl/S38LzbGGZ5REmQm2PXs5Lx9VRH3w6sblckreTuFFOdIBr9Io4I9DSbd//AiFoyXr1sz+iXk88hsuMPsnLByaLpEVpiupbzbDWPWTQJnezDAZTf1626XknYvHZt5m7g6tpyfled7/J5fRPCQBLNyn5hIZkNIWF23KaJDRrSmAvIMG9Ems0tnbxs7b2kVLQ82zxkoEJUvKCaSYxKmRHqfxUnL2s6y/oPyfaUmQ2DR/WKE+4vywDcg3ct
—————————————————————————————————————————–
Make sure that there are no blank lines inside a “conn” section, and indent each parameter line under its “conn” as in the example. If you don’t do this there will be errors when you try to start the VPN tunnel.
Once you have made changes to the /etc/ipsec.conf file you will need to reload ipsec.
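The left/right mirroring described above, as an added example that is not part of the original post: a small shell script that writes both servers’ “conn net-to-net” sections from one description of the two sites and checks that they really are mirror images before ipsec is reloaded. The addresses and subnets are those of the example above; the two key values are constructed placeholders standing in for the output of “ipsec showhostkey”.

```shell
#!/bin/sh
# Write the mirrored "conn net-to-net" sections for both ends of a
# server-to-server tunnel from one description of the two sites, then check
# that they are true mirror images. Added example, not from the original post.

# Site description. The addresses and subnets are the ones from the example
# above; the keys are constructed placeholders for what "ipsec showhostkey"
# prints on each server.
A_IP=196.36.13.202; A_SUBNET=192.168.20.0/24; A_KEY=0sAQPlaceholderKeyOfServerA
B_IP=196.36.13.204; B_SUBNET=10.0.0.0/24;     B_KEY=0sAQOPlaceholderKeyOfServerB

# conn_section LOCAL_IP LOCAL_SUBNET LOCAL_KEY REMOTE_IP REMOTE_SUBNET REMOTE_KEY
# Prints the section as the LOCAL server must write it: local is "left",
# remote is "right", every parameter indented under "conn" and no blank lines.
conn_section() {
    printf 'conn net-to-net\n'
    printf '    auto=start\n'
    printf '    left=%s\n    leftid=@%s\n    leftrsasigkey=%s\n' "$1" "$1" "$3"
    printf '    leftsubnet=%s\n    leftnexthop=%%defaultroute\n' "$2"
    printf '    right=%s\n    rightid=@%s\n    rightrsasigkey=%s\n' "$4" "$4" "$6"
    printf '    rightsubnet=%s\n    rightnexthop=%%defaultroute\n' "$5"
}

# The same two sites seen from each end.
server_a_conf() { conn_section "$A_IP" "$A_SUBNET" "$A_KEY" "$B_IP" "$B_SUBNET" "$B_KEY"; }
server_b_conf() { conn_section "$B_IP" "$B_SUBNET" "$B_KEY" "$A_IP" "$A_SUBNET" "$A_KEY"; }

# conf_value CONF_TEXT PARAMETER: the value of one parameter in a section.
conf_value() { printf '%s\n' "$1" | sed -n "s/^[ ]*$2=//p"; }

# check_mirror: succeeds only if every left* value of server A is the matching
# right* value of server B and vice versa. Catches the usual mistake of copying
# one ipsec.conf to the other server without swapping the roles.
check_mirror() {
    a=$(server_a_conf); b=$(server_b_conf)
    for p in "" id rsasigkey subnet nexthop; do
        [ "$(conf_value "$a" "left$p")" = "$(conf_value "$b" "right$p")" ] || return 1
        [ "$(conf_value "$a" "right$p")" = "$(conf_value "$b" "left$p")" ] || return 1
    done
}

server_a_conf
echo
server_b_conf
check_mirror && echo "OK: the two conn sections mirror each other"
```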
Initializing the VPN tunnel and checking VPN status
To initialize the VPN tunnel, type “ipsec auto --up net-to-net” at the command prompt. If you are returned to the command prompt without error then you have probably configured the VPN tunnel correctly.
To make sure, you can check the status of the VPN tunnel with the “ipsec auto --status” command.
Other concerns
Make sure that routing on both servers has been set up correctly. You will need this if you want to pass traffic between the two networks.
Client to server setup
Server setup
When setting up the server there are essentially three things that need to be set up:
ipsec (provides the encrypted tunnel)
l2tp (manages the connection)
ppp (provides the ppp connection and authentication)
Once these have been setup you will need to restart all the relevant services.
You will need to edit the /etc/ipsec.conf and /etc/ipsec.secrets files.
ipsec.conf
Edit /etc/ipsec.conf to include the following:
—————————————————————————————————————————-
conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
————————————————————————————————————————–
In the above example you have specified the following:
conn: the name of the connection, in this case L2TP-PSK.
authby: tells IPSEC what authentication to use. In this case “secret” (a preshared key), because we want to use ppp for user authentication.
left: the address of this server. You can use %defaultroute if the address of the default-route interface is to be used; otherwise specify an IP address.
leftprotoport: defines the protocol and port. In this case 17/1701 means protocol 17 (UDP) and port 1701 (L2TP).
pfs: whether Perfect Forward Secrecy of keys is desired on the connection’s keying channel (with PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier); acceptable values are yes (the default) and no.
rekey: whether a connection should be renegotiated when it is about to expire; acceptable values are yes (the default) and no.
keyingtries: how many attempts (a whole number or %forever) should be made to negotiate a connection, or a replacement for one, before giving up (default %forever). The value %forever means
right: IP address of the incoming connection; %any accepts a connection from any address.
For other acceptable parameters browse to http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html
ipsec.secrets
You will need to add a PSK to the end of the file. The following shows the last few lines of the /etc/ipsec.secrets file after the line “: PSK “HPGWthisisakey”” has been added (the lines before it are the end of the RSA key block that was already in the file):
—————————————————————————————————————————
dca39469c5dd31ad50f9a58d147b178b99f24139a9bd359ede3adf832a2b562b87220d2a2e031
}
# do not change the indenting of that “}”

: PSK “HPGWthisisakey”
—————————————————————————————————————————–
L2TP
Next you will need to download and install L2TP. For the course we will use “xl2tpd-1.1.06-4.i386.rpm”. This will install XL2TPD.
Once you have installed this you will need to edit the /etc/xl2tpd/xl2tpd.conf file as follows:
——————————————————————————————————————————-
; the settings for incoming clients go in the [lns default] section
[lns default]
ip range = 10.0.0.10-10.0.0.20
local ip = 10.0.0.3
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
——————————————————————————————————————————-
The parameters you need to check are as follows:
ip range: the range of IP addresses handed out to incoming connections.
local ip: the IP address of the server (its end of the PPP link).
require chap: “yes” tells the server to use chap-secrets. chap-secrets can be used by Microsoft clients.
refuse pap: “yes” tells the server not to use PAP.
require authentication: tells the server to require authentication.
pppoptfile: make sure that this path reflects the correct path to the options.xl2tpd file, which is usually found in the /etc/ppp/ directory.

PPP
There are two files in the /etc/ppp directory you need for PPP to work properly with L2TP:
chap-secrets or pap-secrets (depending on your authentication method)
options.xl2tpd (there is usually no need to edit this file)
To edit chap-secrets, open /etc/ppp/chap-secrets and add the VPN users as required. The following is an example of the format:
————————————————————————————————————————–
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
peter   *       password        *
————————————————————————————————————————–
In the above example, the user name is “peter” and the password is “password”.
There is usually no need to edit options.xl2tpd, but should you need to, you will find it in /etc/ppp/.
This file needs to be there even if you don’t need to edit it. By default the file will look like the following:
————————————————————————————————————————–
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.1.1
ms-dns  192.168.1.3
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
————————————————————————————————————————-

Client setup
The most common client is the Microsoft Windows client. The following will demonstrate how to connect a Windows client to a Linux based VPN server.
In order to connect to a VPN server you will need to do the following:
1. Open the “control panel” and double click on “Network Connections”.
[screenshot: Network Connections]
2. Click on “create a new connection”.
3. Follow the Wizard.
[screenshots: new connection wizard]

Once you have gone through the wizard, you need to right click on the connection and select “properties”:
4. Go to the “Networking” tab and change the “Type of VPN” to “L2TP IPSec VPN”.
[screenshots: Networking tab, Type of VPN]
5. Next go to the “Security” tab, click on “IPSec Settings” and put in the key that you put in the “/etc/ipsec.secrets” file.
6. Test the connection; you should be asked for your user name and password. Use the user and password you created in the /etc/ppp/chap-secrets file.
[screenshot: connection test]

Linux iptables – creating a firewall script

By peter, September 13, 2009

Linux firewalls use iptables. The best way of creating a firewall with iptables is to write a script.

The first thing you need to do in your script is to write a routine that deletes out any previous firewall rules (flushing) and then blocks everything. Once you have blocked everything, you can start building your firewall to filter and allow connections as needed.

Creating a script
Create a script called firewall.sh. Change the permissions on the file so that it is executable with the chmod command as follows:

chmod 777 firewall.sh

(Only root needs to run the script, so chmod 700 is enough and keeps other users from editing it.)

Save the file in the /usr/local/sbin directory. If you do this you will be able to run the script from anywhere within the directory structure by typing “firewall.sh”.

Declaring your network cards

In order for your firewall script to be more readable you could declare your network cards at the top of the script as follows:

EXT=eth0
INT=eth2
DMZ=eth1

From now on you use $EXT when referring to eth0, $INT when referring to eth2, and so on.

Flushing all your rules

The next thing is to flush the filter table. You will also need to flush the nat and mangle tables. This is done with the “iptables -F” command (the -F flushes the table named with -t). Type the following into your script:

iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

Logging
One of the important things needed on a firewall is a logging system. To set up logging on your firewall you need to add the following right at the bottom of your firewall script:

iptables -A INPUT -j LOG --log-prefix "Denied INPUT:"
iptables -A OUTPUT -j LOG --log-prefix "Denied OUTPUT:"
iptables -A FORWARD -j LOG --log-prefix "Denied FORWARD:"

Enabling logging for your firewall will help with troubleshooting.
By default, on some distros, the firewall logging is captured in the /var/log/messages file. SuSE logs firewall messages in another location, “/var/messages/firewall”.
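As an added example (not from the original post), a small script that summarises the denied-packet entries produced by the LOG rules above, so the log can answer “who is being blocked, on which chain and which port” instead of being read line by line. The log lines are constructed samples in the kernel’s netfilter LOG format, using the same “Denied CHAIN:” prefix as the rules above.

```shell
#!/bin/sh
# Summarise the "Denied ..." entries written by the LOG rules at the end of
# the firewall script, so you can see which sources and ports are being
# blocked on each chain. Added example, not from the original post. The log
# lines are constructed in the kernel's netfilter LOG format (addresses in the
# documentation ranges).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 13 10:01:02 fw kernel: Denied INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=196.36.13.202 LEN=60 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=23 SYN
Sep 13 10:01:03 fw kernel: Denied INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=196.36.13.202 LEN=60 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=3389 SYN
Sep 13 10:01:09 fw kernel: Denied INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=196.36.13.202 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=51000 DPT=23 SYN
Sep 13 10:02:15 fw kernel: Denied OUTPUT: IN= OUT=eth0 SRC=196.36.13.202 DST=198.51.100.9 LEN=52 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=25 SYN
Sep 13 10:02:20 fw kernel: Denied FORWARD: IN=eth2 OUT=eth0 SRC=192.168.0.12 DST=203.0.113.40 LEN=64 TTL=63 ID=0 PROTO=UDP SPT=5353 DPT=5353
Sep 13 10:02:21 fw sshd[412]: Accepted publickey for peter from 192.168.19.43 port 50212 ssh2
EOF

# denied_summary LOGFILE CHAIN
# One line per SRC/PROTO/DPT combination seen on CHAIN (INPUT, OUTPUT or
# FORWARD), prefixed with its count, most frequent first. Lines that do not
# carry that chain's log prefix are ignored.
denied_summary() {
    awk -v prefix="Denied $2:" '
        index($0, prefix) == 0 { next }
        {
            src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") != 2) continue
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# denied_ports LOGFILE CHAIN: how often each destination port was denied.
denied_ports() {
    denied_summary "$1" "$2" | awk '{ byport[$4] += $1 } END { for (p in byport) print byport[p], p }' | sort -rn
}

# denied_count LOGFILE CHAIN: total number of denied packets on CHAIN.
denied_count() {
    denied_summary "$1" "$2" | awk '{ n += $1 } END { print n + 0 }'
}

for chain in INPUT OUTPUT FORWARD; do
    echo "== $chain: $(denied_count "$SAMPLE_LOG" "$chain") denied =="
    denied_summary "$SAMPLE_LOG" "$chain"
done
```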

Setting up a default policy to block all
The default policy for the INPUT, OUTPUT and FORWARD chains of the filter table should be to DROP all packets. After you have flushed all the tables you can set the firewall to “drop all” by default. Once you have done that you can go about opening the ports you need.

Below the section that flushes your firewall, add the following to “drop” everything in each of the filter chains:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Anything that doesn’t match any of the rules that follow will be subject to the default policy, which in this case is DROP. Since we haven’t created any rules yet, everything will be dropped.

Your firewall.sh file should look like the following:
——————————————————————————————-
#!/bin/bash
EXT=eth0
INT=eth2
DMZ=eth1
# flush
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Default policy set to DROP all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Logging rules - always at the END of the script
iptables -A INPUT -j LOG --log-prefix "Denied INPUT: "
iptables -A OUTPUT -j LOG --log-prefix "Denied OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix "Denied FORWARD: "

——————————————————————————————-

INPUT and OUTPUT

We want to be able to ping another computer from our firewall server, and we also want to be able to receive the reply from the computer we ping.

You can accomplish this with OUTPUT and INPUT rules.
If your firewall server offers services other than the firewall, or if you are putting a firewall on a “standalone” server, you will need to filter connections coming in to the service(s) your server offers, as well as connections originating from the server’s own services. This is usually the case, as you would normally have “ssh” set up on the firewall server for administration purposes. You might also want to allow pings to and from the server. Another example would be a server that acts as a proxy server, web server or mail server in addition to being a firewall.
For connections originating from the server’s services you use the OUTPUT chain to filter outbound connections.

For connections to the server’s services you use the INPUT chain.

In other words, the INPUT and OUTPUT chains only affect the “local” computer, and not connections that pass through the local computer/firewall (for those you need FORWARD rules).

OUTPUT Policy

To allow outbound connections from your computer you need to add a rule similar to the following:

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

The above rule will allow TCP to port 22 outbound. The following rule will allow ping traffic out:

iptables -A OUTPUT -o $EXT -p icmp --icmp-type ping -j ACCEPT

Have a look at the rules above, notice that you can specify the following:

1. A protocol with the -p option

2. A type within the protocol, as with --icmp-type for the icmp protocol

3. A destination port with the --dport option

INPUT Policy

To allow inbound traffic you will need to add an INPUT rule. To allow TCP on port 22 inbound you would type the following:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To allow the inbound icmp reply (pong) to your pings you will need to type the following:

iptables -A INPUT -i $EXT -p icmp --icmp-type pong -j ACCEPT

It follows that if you want a computer to both ping and be pinged, you will need to allow both ping and pong inbound and outbound.
—————————————————————————————————
#!/bin/bash
EXT=eth0
INT=eth2
DMZ=eth1
# flush
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Default policy set to DROP all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow us to ping other machines
iptables -A OUTPUT -o $EXT -p icmp --icmp-type ping -j ACCEPT
iptables -A INPUT -i $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow other machines to ping us
iptables -A INPUT -i $EXT -p icmp --icmp-type ping -j ACCEPT
iptables -A OUTPUT -o $EXT -p icmp --icmp-type pong -j ACCEPT
# Logging rules - always at the END of the script
iptables -A INPUT -j LOG --log-prefix "Denied INPUT: "
iptables -A OUTPUT -j LOG --log-prefix "Denied OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix "Denied FORWARD: "

————————————————————————————————

In the above example you could leave off the icmp type and just allow all icmp traffic inbound and outbound as follows:

iptables -A INPUT -i $EXT -p icmp -j ACCEPT
iptables -A OUTPUT -o $EXT -p icmp -j ACCEPT

Without specifying the icmp type the firewall will allow all icmp types; this means that the above rules will allow pings and pongs in and out on the external network card.

TIP – You will need to allow “loopback” connections with rules similar to the following:

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

These rules will allow services on the computer to communicate via loopback when needed. They should be placed near the top of the script, under the “block all” policy. Some services will not work correctly if this is not enabled.

ESTABLISHED and RELATED rules

Some services will listen on one port and offer a service on another port, and sometimes these ports are random. You don’t want these ports to be open all the time as this would constitute a security risk. ESTABLISHED and RELATED rules allow you to open these ports only for the duration of the connection. In other words, a connection on another port that is normally closed is allowed if the requested port is part of, or related to, an already established connection.
You can also use the ESTABLISHED and RELATED rule to allow the reply to a ping, because the reply (pong) is related to the ping. This means you can get rid of the “pong accept” rule if you use the ESTABLISHED and RELATED rule. The syntax is as follows:

iptables -A INPUT -m state -i $EXT --state ESTABLISHED,RELATED -j ACCEPT

Notice that you can specify the following:

1. The state with the --state option
2. The interface with the -i option

You will need one for each chain (INPUT and OUTPUT). This should be added to your firewall script.
Your firewall script should now look like the following:

—————————————————————————————————
#!/bin/bash
EXT=eth0
INT=eth2
DMZ=eth1
# flush
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Default policy set to DROP all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback accept rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow us to ping other machines
iptables -A OUTPUT -o $EXT -p icmp --icmp-type ping -j ACCEPT
#iptables -A INPUT -i $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow other machines to ping us
iptables -A INPUT -i $EXT -p icmp --icmp-type ping -j ACCEPT
#iptables -A OUTPUT -o $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow reply packets to established and/or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Logging rules - always at the END of the script
iptables -A INPUT -j LOG --log-prefix "Denied INPUT: "
iptables -A OUTPUT -j LOG --log-prefix "Denied OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix "Denied FORWARD: "

————————————————————————————————-

Suppose you want to configure your firewall for the following:
a) You want to be able to ssh (port 22 TCP) from a remote trusted computer.
Hint, use -s in the rule.
b) You want users on your computer to be able to use the Internet for web (port 80 TCP), ftp (port 21 TCP ) and DNS lookup (port 53 TCP and UDP).
Your firewall script should now look like the following:

————————————————————————————————
#!/bin/bash
EXT=eth0
INT=eth2
DMZ=eth1
# flush
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Default policy set to DROP all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback accept rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow us to ping other machines
iptables -A OUTPUT -o $EXT -p icmp --icmp-type ping -j ACCEPT
#iptables -A INPUT -i $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow other machines to ping us
iptables -A INPUT -i $EXT -p icmp --icmp-type ping -j ACCEPT
#iptables -A OUTPUT -o $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow reply packets to established and/or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow external users to ssh to this server
# Probably should specify source addresses of trusted hosts
iptables -A INPUT -i $EXT -s 192.168.19.43 -p tcp --dport 22 -j ACCEPT
# Allow this server to access external services
# Connect to remote servers on ssh
# Access web and ftp sites for software downloads and updates
# Do DNS lookups
iptables -A OUTPUT -o $EXT -p tcp -m multiport --dports 22,80,53 -j ACCEPT
iptables -A OUTPUT -o $EXT -p udp -m multiport --dports 53 -j ACCEPT
# Logging rules - always at the END of the script
iptables -A INPUT -j LOG --log-prefix "Denied INPUT: "
iptables -A OUTPUT -j LOG --log-prefix "Denied OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix "Denied FORWARD: "

—————————————————————————————————–

POSTROUTING NAT and FORWARD

Your LAN users will need to connect to the Internet. Since you have only one "public" IP address you will need to make it appear that your LAN users are connecting to the Internet from that public IP address. This is called "masquerading".

Setting up a POSTROUTING NAT Policy on your firewall will accomplish this. In the firewall rule we use “SNAT” (source NAT). You will also need to include a FORWARD policy.

We will assume that your server has three network cards.
If you have more than one network card you will need to enable IP forwarding, which allows the kernel to move packets between your network cards (without it, nothing in the FORWARD chain is ever reached). Put the following at the top of your firewall script:

echo 1 > /proc/sys/net/ipv4/ip_forward

Alternatively you can make this permanent by editing the /etc/sysctl.conf file and making sure there is a line that reads:

net.ipv4.ip_forward = 1

(run "sysctl -p" to apply it without a reboot). For the purposes of this example we will be adding "echo 1 > /proc/sys/net/ipv4/ip_forward" to the firewall script.

POSTROUTING NAT (Masquerade)

You would like all LAN Internet browsers to appear as if they are browsing from one "public" IP address. POSTROUTING NAT, or SNAT, changes the source address of the connection to a different IP address. There are two ways of doing this:
1. MASQUERADE - the source IP address of the connection is changed to whatever address the outgoing interface named in the rule ("-o eth0") currently has. See the examples below.
2. SNAT - you specify the IP address to use as the new source address of the connection.
So to allow POSTROUTING NAT or masquerading you need to add one of the following to your firewall:

iptables -t nat -A POSTROUTING -o $EXT -s 192.168.0.0/24 -j MASQUERADE

OR

iptables -t nat -A POSTROUTING -o $EXT -s 192.168.0.0/24 -j SNAT --to-source 196.36.36.199

The first option masquerades behind whatever address the output interface has at the moment the connection is made; use it when your public address is dynamic (dial-up, DSL), since the kernel re-reads the address and drops the tracked connections when the link goes down. The second option uses the fixed address you specify; use it when your public address is static.
This is a "POSTROUTING" rule because the source address is rewritten after the routing decision has been made. For example, you want to browse to a web site, so you use a DNS server to resolve the domain name to an IP address. Once the IP address of the remote server is known and the kernel has determined that the connection has to leave through your default gateway, the firewall masquerades your computer behind your public IP address: packets from your computer to the remote server have their source IP address changed to your network's public IP address, and the replies are translated back using the connection tracking table.
Although you don't need to specify "-s 192.168.0.0/24" (the source network on the LAN), it is better to put it in: without it everything the firewall routes out of $EXT, including traffic from the DMZ or from spoofed private addresses, would be masqueraded as well.

FORWARD policy
In order for your users to be able to connect to the Internet (another computer on the other side of the firewall) you will need to add a FORWARD rule to your firewall. You can also specify the port, protocol and interfaces you wish to allow.

iptables -A FORWARD -i $INT -o $EXT -p tcp --dport 110 -j ACCEPT

In the example above you are allowing traffic coming in on $INT and going out on $EXT, to TCP port 110. "-i" is the incoming interface and "-o" the outbound interface. Note that FORWARD only sees packets passing through the firewall; packets to or from the firewall itself go through INPUT and OUTPUT instead.

To allow pings, you will need to specify the icmp protocol as follows:

iptables -A FORWARD -i $INT -o $EXT -p icmp -j ACCEPT

You can also specify multiple ports with one rule as follows:

iptables -A FORWARD -i $INT -o $EXT -s 192.168.0.0/24 -p tcp -m multiport --dports 80,53,22 -j ACCEPT

ESTABLISHED and RELATED again
You will also need to add an ESTABLISHED and RELATED rule for the FORWARD chain, otherwise the reply packets of the connections you just allowed are dropped:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Your firewall should now look something like the following:
—————————————————————————————————–
#!/bin/bash
EXT=eth0
INT=eth2
DMZ=eth1
echo 1 > /proc/sys/net/ipv4/ip_forward
# flush
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Default policy set to DROP all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback accept rule
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow us to ping other machines ("ping" = echo-request, "pong" = echo-reply)
iptables -A OUTPUT -o $EXT -p icmp --icmp-type ping -j ACCEPT
#iptables -A INPUT -i $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow other machines to ping us
iptables -A INPUT -i $EXT -p icmp --icmp-type ping -j ACCEPT
#iptables -A OUTPUT -o $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow reply packets to established and/or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow one trusted external host to ssh to this server
iptables -A INPUT -i $EXT -s 192.168.19.43 -p tcp --dport 22 -j ACCEPT
# Allow this server to access external services
# Connect to remote servers on ssh
# Access web and ftp sites for software downloads and updates
# Do DNS lookups
iptables -A OUTPUT -o $EXT -p tcp -m multiport --dports 21,22,53,80 -j ACCEPT
iptables -A OUTPUT -o $EXT -p udp --dport 53 -j ACCEPT
# Allow our users to ping external sites
iptables -A FORWARD -i $INT -o $EXT -s 192.168.0.0/24 -p icmp --icmp-type ping -j ACCEPT
# Masquerade outbound connections from the LAN
iptables -t nat -A POSTROUTING -o $EXT -s 192.168.0.0/24 -j MASQUERADE
# Allow internal users access to Internet services
iptables -A FORWARD -i $INT -o $EXT -s 192.168.0.0/24 -p tcp -m multiport --dports 80,53,22 -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
# Allow trusted LAN users to access services on the firewall
iptables -A INPUT -i $INT -s 192.168.0.100 -p tcp --dport 22 -j ACCEPT
# Logging rules - always at the END of the script
iptables -A INPUT -j LOG --log-prefix "Denied INPUT: "
iptables -A OUTPUT -j LOG --log-prefix "Denied OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix "Denied FORWARD: "
——————————————————————————————————
PREROUTING NAT and FORWARD
PREROUTING NAT

You should keep the servers you want to make available to the Internet in the DMZ. This allows you to make the servers in the DMZ available to the outside world while protecting your LAN. Normally you would put your mail server and web server in the DMZ. LAN users will also need access to the DMZ to collect their mail, administer the DMZ servers, and so on.

If your company's mail server is in the DMZ it will have a private IP address. On the other hand, if you were to do a dig on your domain name you would see that all zone records point to your public IP address, the address of the external network card of your firewall. This means any connection to your DMZ servers will stop at your firewall unless you redirect requests for those services to the appropriate server in the DMZ. To accomplish this we use PREROUTING NAT. In the firewall rule we use "DNAT" (destination NAT).


iptables -t nat -A PREROUTING -i $EXT -p tcp -m multiport --dports 110,80 -j DNAT --to-destination 192.168.10.3

This is called PREROUTING because the routing decision takes place after the destination IP address in the packet header has been changed to the IP address of the server in the DMZ; the kernel then routes the packet out of the DMZ interface instead of delivering it to the firewall itself.
Doing PREROUTING NAT for LAN users is not necessary if you have the necessary routing tables in place (LAN users simply connect to the DMZ server's private address). But if you were to use PREROUTING NAT for LAN users you would replace "-i $EXT" with "-i $INT".
Notice that you can specify multiple ports in the rule by using the -m multiport option. You can also send the connection to a different port on the DMZ server by putting a colon and the port after the DMZ IP address, as in the following example:

iptables -t nat -A PREROUTING -i $EXT -p tcp --dport 80 -j DNAT --to-destination 192.168.10.3:8080

FORWARD Policy again
For the above to work, make sure you have the appropriate FORWARD rules in place for connections originating on the internal and external interfaces. Remember that FORWARD sees the packet after PREROUTING has rewritten it, so the FORWARD rule must match the DMZ server's address and port (-d 192.168.10.3 and --dport 8080 in the example above), not the public address and port. Replies from the DMZ server come back through the ESTABLISHED,RELATED rule; connections the DMZ server opens itself (a mail server delivering outbound mail, for instance) need their own FORWARD rule from $DMZ to $EXT and a POSTROUTING MASQUERADE for the DMZ network, which the scripts on this page do not include.
Your firewall should now look something like the following:
——————————————————————————————————-
#!/bin/bash
EXT=eth0
INT=eth2
DMZ=eth1
echo 1 > /proc/sys/net/ipv4/ip_forward
# flush
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Default policy set to DROP all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback accept rule
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow us to ping other machines ("ping" = echo-request, "pong" = echo-reply)
iptables -A OUTPUT -o $EXT -p icmp --icmp-type ping -j ACCEPT
#iptables -A INPUT -i $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow other machines to ping us
iptables -A INPUT -i $EXT -p icmp --icmp-type ping -j ACCEPT
#iptables -A OUTPUT -o $EXT -p icmp --icmp-type pong -j ACCEPT
# Allow reply packets to established and/or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow one trusted external host to ssh to this server
iptables -A INPUT -i $EXT -s 192.168.19.43 -p tcp --dport 22 -j ACCEPT
# Allow this server to access external services
# Connect to remote servers on ssh
# Access web and ftp sites for software downloads and updates
# Do DNS lookups
iptables -A OUTPUT -o $EXT -p tcp -m multiport --dports 21,22,53,80 -j ACCEPT
iptables -A OUTPUT -o $EXT -p udp --dport 53 -j ACCEPT
# Allow our users to ping external sites
iptables -A FORWARD -i $INT -o $EXT -s 192.168.0.0/24 -p icmp --icmp-type ping -j ACCEPT
# Masquerade outbound connections from the LAN
iptables -t nat -A POSTROUTING -o $EXT -s 192.168.0.0/24 -j MASQUERADE
# Allow internal users access to Internet services (-i matches the incoming interface)
iptables -A FORWARD -i $INT -o $EXT -s 192.168.0.0/24 -p tcp -m multiport --dports 80,53 -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
# Allow trusted LAN users to access services on the firewall
iptables -A INPUT -i $INT -s 192.168.0.100 -p tcp --dport 22 -j ACCEPT
# Allow external users access to DMZ servers: DNAT rewrites the destination in
# PREROUTING, so the FORWARD rule matches the DMZ address (after the rewrite)
iptables -A FORWARD -i $EXT -o $DMZ -d 192.168.10.3 -p tcp -m multiport --dports 110,80 -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT -p tcp -m multiport --dports 110,80 -j DNAT --to-destination 192.168.10.3
# Allow LAN users access to DMZ servers; no PREROUTING NAT needed, the firewall routes directly
iptables -A FORWARD -i $INT -o $DMZ -s 192.168.0.0/24 -p tcp -m multiport --dports 110,80 -j ACCEPT
# Logging rules - always at the END of the script
iptables -A INPUT -j LOG --log-prefix "Denied INPUT: "
iptables -A OUTPUT -j LOG --log-prefix "Denied OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix "Denied FORWARD: "
—————————————————————————————————–
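The PREROUTING NAT and FORWARD sections above show that each published DMZ service needs two rules that must agree with each other: a DNAT in PREROUTING and an ACCEPT in FORWARD that matches the already rewritten destination. The 8080 example shows how easy it is to get the port wrong. The following shell script is an added example and not the author's script: it generates both rules for every service in one list and checks that they pair up. The interface names and the DMZ host 192.168.10.3 follow the scripts on this page; the service list, the IPT variable and the dry_run/check_pairs helpers are hypothetical.

```shell
#!/bin/bash
# Publish DMZ services: emit the PREROUTING DNAT rule and the matching
# FORWARD ACCEPT rules from one list, so the two can never drift apart.
# dry_run prints the commands instead of loading them; run as root with the
# real iptables (IPT unset) to apply them.
IPT="${IPT:-iptables}"
EXT="${EXT:-eth0}"   # interface names as used in the scripts on this page
INT="${INT:-eth2}"
DMZ="${DMZ:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# One published service per line: "<proto> <public port> <dmz ip> <dmz port>".
# Constructed example list (hypothetical DMZ host 192.168.10.3 as on this page).
PUBLISHED='
tcp 25  192.168.10.3 25
tcp 110 192.168.10.3 110
tcp 80  192.168.10.3 8080
'

publish_services() {
    printf '%s\n' "$PUBLISHED" | while read -r proto pub_port dmz_ip dmz_port; do
        [ -n "$proto" ] || continue          # skip blank lines
        # Internet -> DMZ: rewrite the destination first (PREROUTING)...
        $IPT -t nat -A PREROUTING -i "$EXT" -p "$proto" --dport "$pub_port" \
            -j DNAT --to-destination "$dmz_ip:$dmz_port"
        # ...then allow the packet through. FORWARD sees it AFTER the rewrite,
        # so it must match the DMZ address and port, not the public ones.
        $IPT -A FORWARD -i "$EXT" -o "$DMZ" -d "$dmz_ip" -p "$proto" \
            --dport "$dmz_port" -j ACCEPT
        # LAN -> DMZ: the firewall routes this directly, no NAT needed.
        $IPT -A FORWARD -i "$INT" -o "$DMZ" -s "$LAN_NET" -d "$dmz_ip" \
            -p "$proto" --dport "$dmz_port" -j ACCEPT
    done
}

# Print the rules without loading them (IPT=echo in a subshell).
dry_run() { ( IPT=echo; publish_services ); }

# Self-check on the dry-run output: every DNAT target "ip:port" must have a
# FORWARD rule with the same -d ip and --dport port. Exit status is the number
# of unmatched DNAT targets (0 = all paired).
check_pairs() {
    dry_run | awk '
        /-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination") { split($(i + 1), a, ":"); want[a[1] " " a[2]] = 1 }
        }
        /-A FORWARD/ {
            ip = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") ip = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (ip != "") have[ip " " port] = 1
        }
        END {
            missing = 0
            for (k in want) if (!(k in have)) { print "no FORWARD rule for " k; missing++ }
            exit missing
        }'
}
```

Review the output of dry_run before loading anything; check_pairs only inspects that generated text, not the live rule set, so it catches a mismatch in the list but not a rule someone added by hand. The DMZ server's own outbound connections still need a separate FORWARD rule and MASQUERADE, as noted above.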

Additional useful information

Forcing users to use the proxy.

Users could take the proxy server settings out of their Internet Explorer and, as long as they know which DNS servers to use, connect to the Internet directly, bypassing the proxy's controls. One way to overcome this is to use PREROUTING NAT (iptables has a REDIRECT target for exactly this) to redirect any request for port 80 coming in on the LAN interface to port 3128 on the proxy server, with squid configured as a "transparent" proxy. Or you could simply not allow port 80 in your FORWARD policy, so that only the proxy can reach the web. Either way, treat port 443 the same: a transparent proxy only intercepts plain HTTP, so if HTTPS is still allowed in FORWARD, users can bypass the proxy over it.

Opening certain ports
Certain services need certain ports open on the firewall. The following are some examples:

Proxy server - depending on the ports you have configured your proxy server with, you'll need to have these opened on the firewall (INPUT from the LAN interface if the proxy runs on the firewall, FORWARD to it otherwise) in order for users to connect to the proxy. Standard ports are TCP 3128 or 8080.
Samba server - for file sharing some users might need access to ports 137 and 138 UDP and ports 139 and 445 TCP. Depending on where the Samba server is and whether the firewall server is itself a Samba server, you will need to allow these protocols and ports through (FORWARD) or into (INPUT) your firewall.
Web access - ports used by web servers are generally 80, 8080 and 443 for secure web sites. FTP uses port 21 for the control connection; the data connections use separate ports and are only matched as RELATED if the FTP connection tracking helper (nf_conntrack_ftp, formerly ip_conntrack_ftp) is loaded.
Mail servers - depending on the type of mail server, you might need to open ports 110 (POP3) and 25 (SMTP).
VPN - you need to open your firewall for the ports and protocols your VPN uses. For PPTP that is IP protocol 47 (GRE) and TCP 1723; note that PPTP's MS-CHAPv2 authentication is broken and it should not be relied on for anything sensitive. For L2TP/IPsec you need IP protocol 50 (ESP), UDP 500 (IKE) and UDP 4500 (NAT traversal).
VNC and Remote Desktop - VNC listens on 5900 plus the display number (5901 for display :1, 5910 for :10). Remote Desktop uses TCP 3389.

Closing certain ports
Once you have configured your firewall you will need to make sure that certain ports in particular are closed. An example is the port your proxy server uses. While this port needs to be open to the LAN users and to the server itself, if the proxy is on the same computer as your firewall it MUST be closed to "outside" traffic: the INPUT rule for it should name the LAN interface (-i $INT) and the LAN network (-s), never the external interface. The reason is that dubious individuals will try to use your proxy server to access the Internet, send spam and so on. If this happens the malicious activity will appear to come from your network and you WILL get blacklisted. Verify from the outside (or by reading "iptables -L -n -v" carefully) that the port really is closed.
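One way to check for the exposure just described, as an added example and not code from the page: the shell function below reads a rule dump in the format printed by "iptables -S" and reports any INPUT rule that ACCEPTs the given TCP port with no source restriction and either no interface at all or the external interface. The two rulesets embedded in it are constructed for the demonstration; the interface names follow the scripts on this page.

```shell
#!/bin/bash
# Check a ruleset dump (the format printed by `iptables -S`) for INPUT rules
# that would let the outside world reach a given TCP port: an ACCEPT with no
# -s restriction that is bound to the external interface or to no interface.
# Prints every offending rule and returns 1 if any is found, 0 otherwise.
# Usage: iptables -S INPUT | exposed_on_ext eth0 3128
exposed_on_ext() {
    awk -v ext="$1" -v port="$2" '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            iface = ""; src = ""; hit = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "--dport" && $(i + 1) == port) hit = 1
                if ($i == "--dports") {           # multiport list, e.g. 80,3128
                    n = split($(i + 1), p, ",")
                    for (j = 1; j <= n; j++) if (p[j] == port) hit = 1
                }
            }
            # no -i means the rule applies on every interface, ext included
            if (hit && src == "" && (iface == "" || iface == ext)) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed rulesets for the demonstration (not dumped from a real firewall).
# Proxy reachable only from the LAN interface and LAN network: correct.
SAFE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -s 192.168.0.0/24 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth0 -s 192.168.19.43 -p tcp -m tcp --dport 22 -j ACCEPT'

# The same, plus the classic mistake: a proxy rule with no interface or source.
LEAKY_RULES="$SAFE_RULES
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT"

# Run the check against the constructed rulesets.
demo_safe()  { printf '%s\n' "$SAFE_RULES"  | exposed_on_ext eth0 3128; }
demo_leaky() { printf '%s\n' "$LEAKY_RULES" | exposed_on_ext eth0 3128; }
```

On the live firewall run "iptables -S INPUT | exposed_on_ext eth0 3128" from a shell that has sourced the script; a non-zero exit is your signal to fix the printed rule. The check is deliberately conservative: a rule restricted only by -s but not by -i is treated as safe here, although with rp_filter disabled a spoofed LAN address arriving on the external interface would still match it.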

Linux Firewall – What is a firewall, iptables, ports, NAT, IP forwarding

By peter, September 12, 2009

In a typical networking environment the following components will be in place:


a) WAN (Connection to the Internet or another third party)

b) DMZ (demilitarized zone). Location of your web and/or mail server or any other servers you want the outside world to have access to.

c) LAN ("internal" or local area network). Workstations and servers that are not connected directly to the Internet. They have access to the DMZ and WAN but can't be accessed from the WAN or DMZ.

d) ROUTER gateway to another network. Typically this would be the link between your company and your ISP (Internet Service Provider).

e) LINUX FIREWALL. Firewall protection for the LAN and DMZ

What is a firewall?

Simply put, a firewall protects your LAN from the outside world, filtering packets and allowing only selected Internet or WAN traffic through. Your LAN should be protected in such a way that no unwanted traffic is allowed to reach it from the DMZ or the Internet. Your LAN, however, will need access to the DMZ and the Internet.

Your DMZ will need to be accessed by the Internet and your LAN. All the services that need to be reached from the Internet, like mail and web servers, should be located in the DMZ; a compromised DMZ host then cannot reach the LAN unless you explicitly allow it. Everything else should be on the LAN.



IPTABLES

Linux uses "iptables" to provide this functionality: filtering and blocking of ports and protocols, for both "outbound" and "inbound" network traffic to and from the LAN and DMZ.

With iptables we can match traffic based on source and destination address, source and destination port, interface and protocol (icmp, tcp, udp and so on). Filtering is done in the "filter" table, which has three built-in chains: INPUT, OUTPUT and FORWARD. (Strictly speaking these are chains, not tables: iptables has a few tables, "filter", "nat" and "mangle", each containing chains.)

INPUT and OUTPUT chains

The INPUT and OUTPUT chains are used for connections to and from the computer running the firewall itself: services it offers (INPUT) and connections it makes (OUTPUT). An example of this would be the sshd daemon on the server running the firewall.

FORWARD chain

The FORWARD chain is used for filtering connections passing through the firewall that neither originate on nor are addressed to the server running the firewall.

An example of this would be LAN users connecting through the firewall to the Internet.

Network Address translation (NAT)

NAT does the following on the firewall (in the "nat" table, using the PREROUTING and POSTROUTING chains):

DNAT
Redirecting of "inbound" network traffic to "internal" computers within the DMZ. In other words we change the destination address of a packet. For example, if someone on the Internet wanted to browse your web site, the destination address would be your public IP address. This destination IP address has to be changed, "pre-routing", to the IP address of your web server in the DMZ, which has a private IP address. The term for this is "DNAT" (destination NAT).

SNAT
Masquerading "outbound" connections behind a single "public" IP address. In other words we change the source address of a packet, making it appear to come from another source. If you only have one public IP address, you can make it appear that all your LAN users are browsing from that one public IP address. The term for this is "SNAT" (source NAT).

Ports
There are 65535 usable ports per protocol (TCP and UDP each have their own range, 1 to 65535), some of which are reserved for specific services and programs. Ports are used to distinguish different connections between two computers and provide the mapping between a connection and the application serving it. Some well-known ports are listed below:

pop3 = 110

smtp = 25

Printing = 631

proxy = 3128 or 8080

Web = 80, 8080 or 443 for secure sites

ftp = 21

telnet = 23

ssh = 22

Samba file sharing = 137, 138 , 139 and 445

You can use the "nmap" tool to check which ports are open on a system by typing the following at the shell (replace the address with the host you want to scan):

nmap -v 192.168.0.1

NB: be aware that you should ask permission before running this program to scan for open ports. Some companies have policies which forbid employees from running these types of tools, and even where you can't get fired for it, most companies take a dim view of unauthorised scanning. Scan only hosts you own or are authorised to test.

IP Forwarding

Just a brief note on IP forwarding. If you have two or more network cards in your computer you will have to enable "IP forwarding". This has to be enabled for your firewall to forward traffic between the network cards at all; without it the FORWARD chain never sees a packet. To accomplish this you will need to type the following at the command prompt:

echo 1 > /proc/sys/net/ipv4/ip_forward

NB: please note that this is not a persistent change. You will either need to add this to a startup script, or make it persistent by editing the /etc/sysctl.conf file and making sure there is a line that reads "net.ipv4.ip_forward = 1" (the similarly named "net.ipv6.conf.all.forwarding" controls IPv6 only).

The above is not necessary if you only have one network card.

Planning your firewall

Take some time to review your company security policies and planning your firewall. What is it you need to accomplish?

Default Policy
Your default policy should lean towards caution. In other words, block everything and allow ONLY the ports and protocols needed. To do this the first thing to put in your firewall script is the "blocking of everything" (a DROP policy on INPUT, OUTPUT and FORWARD). Once everything is blocked you can go about "allowing" and "filtering" as needed.

Setting up the firewall

a) The first thing in your firewall script should be a "flushing" of any previous firewall settings.

b) The next thing is to set up your firewall by allowing the ports needed and setting up NAT. The following represents the structure of your firewall script:

Flush all previous settings
Block all ports (inbound, outbound and forwarded) with a DROP default policy
Open the ports needed
Set up NAT (SNAT/MASQUERADE for outbound, DNAT for inbound)
Log whatever is left, right at the end

In the ideal world companies should have at least 3 network interfaces on their Linux firewall. These would be arranged as follows:

Interface 1 = Internet (Public IP address)

Interface 2 = DMZ (Private IP address)

Interface 3 = LAN (Private IP address)

Network Interface naming convention:

You will need to know how Linux refers to your network cards and Internet connection when setting up your firewall. A firewall of the kind described here has three network cards, although some Linux firewalls have a modem or similar device in place of one of them. The following naming applies:

Network cards are referred to as eth0, eth1, eth2 and so on

Internet connections that use Modems etc can be called pppoe0, pppoe1, dsl0, dsl1 or similar.

To view current configuration

For viewing the current firewall configuration on your computer you can use the “iptables” command as follows:

iptables -L -n -v

By default this command only shows the "filter" table. If you want to see one of the other tables you can specify the table with the "-t" switch as follows:

iptables -L -n -v -t nat

Configuring your firewall

There are a few methods of getting a firewall up and running. The following is a list of possible options:

1. Webmin firewall

2. Using a script that runs when you boot up the server

3. Yast or similar can be used to configure a basic firewall

Linux ftp server – installation, setup and configuration

By peter, September 12, 2009

Installing ftp (vsftpd)


1. Install "vsftpd".
2. Once installed, edit the "/etc/xinetd.d/vsftpd" file and change the "disable" value to "no".
3. Vi the "/etc/vsftpd.conf" file and make sure the line "listen=NO" is present and uncommented (so vsftpd is started by xinetd rather than running as its own daemon).
4. Now restart "xinetd" ("rcxinetd restart" for SuSE or "service xinetd restart" on other distros like Red Hat).
5. Vi the file "/etc/ftpusers" and add any user you don't want to be able to log in to your ftp site. By default "root" is included in this file; leave it there, and remember that FTP sends passwords in clear text.

Test your ftp access by typing "ftp 192.168.0.1" (or whatever the IP address is) in the shell. If it is working you will be asked for a username and password. You can log on as anonymous if "anonymous_enable" is YES in vsftpd.conf (the default in vsftpd 2.x); set it to NO unless you really want an anonymous server.

Linux sendmail installation, setup and configuration

By peter, September 11, 2009



1. Search for and install "qpopper". SuSE 11 doesn't include qpopper so you will need to look for another POP3 server.
2. Search for "sendmail" and install it. You might need to uninstall Postfix as it conflicts with sendmail.
3. Vi the /etc/xinetd.d/qpopper file and change the setting to "disable = no".

[screenshot: /etc/xinetd.d/qpopper with "disable = no"]

4. Close and save the file.
5. Edit the "/etc/mail/access" file and add the following at the end of the file (this allows relaying from every 192.168.x.x address, so make sure that range is only your own network):

192.168 RELAY

6. Edit the "/etc/mail/local-host-names" file and add your domain name at the end of the file:

yourdomain.co.za

7. Edit the "/etc/mail/relay-domains" file and add the following at the end of the file:

192.168

yourdomain.co.za

8. Edit the "/etc/sysconfig/sendmail" file and insert the SMTP server you will be relaying mail through.

[screenshot: /etc/sysconfig/sendmail]

9. Edit the "/etc/sysconfig/mail" file and insert your domain as follows:

[screenshot: /etc/sysconfig/mail]

10. Also, in the same file, "/etc/sysconfig/mail", change "SMTPD_LISTEN_REMOTE" from "no" to "yes", otherwise sendmail only accepts connections from localhost:

[screenshot: /etc/sysconfig/mail with SMTPD_LISTEN_REMOTE="yes"]

How to send mail from the shell prompt

By peter, September 11, 2009

To send a mail from the command prompt use the following command (all in one line):

mail -v -r reply@address.co.za -s "subject goes here" -a /pathto/attachment.txt < /pathto/bodyofmail.txt recipient@destinationaddress.co.za

This is the Heirloom mailx syntax shipped with SuSE, where "-a" attaches a file and "-r" sets the From address; with bsd-mailx or GNU mailutils "-a" adds a header instead, so check "man mail" on other distributions. You may like to use this command in a script, or just from the command prompt as a quick way of e-mailing someone a file.

Setting up a basic Postfix Mail Server

By peter, September 11, 2009

The following is based on SuSE 10.2

The most popular mail program at the moment is “Postfix”.

Make sure that you have installed the following:

1) Postfix - for sending and receiving mail to and from your server.

2) qpopper - to allow users to collect mail from your server. (SuSE 11 doesn't include qpopper; look for another POP3 server instead.)

Setting up Postfix

qpopper:
Vi the /etc/xinetd.d/qpopper file and change the setting to "disable = no".

[screenshot: /etc/xinetd.d/qpopper with "disable = no"]




Postfix:

Vi the "/etc/sysconfig/mail" file and set SMTPD_LISTEN_REMOTE="yes" so Postfix accepts connections from other hosts and not only from localhost.

Vi the "/etc/sysconfig/postfix" file and change the following:
"POSTFIX_LOCALDOMAINS": add the domain names you will receive mail for, e.g.:

POSTFIX_LOCALDOMAINS="yourdomain.co.za"

Set "POSTFIX_BASIC_SPAM_PREVENTION" to "medium" as follows:

POSTFIX_BASIC_SPAM_PREVENTION="medium"

If you are using a dial-up modem, then you will need to set "POSTFIX_DIALUP" to "yes" and "POSTFIX_NODNS" to "no".
You might need to edit the "/etc/postfix/main.cf" file as well and check settings like "myhostname" if you are receiving for yourdomain.co.za and not for computername.yourdomain.co.za. Also check things like "mydestination" and put in all the domains for which you receive mail, and make sure "mynetworks" contains only your own networks, since anything listed there is allowed to relay through the server.

Restart “xinetd” and “postfix”. Restarting xinetd will allow qpopper to become active

Testing

Go into the “Shell”
Type "telnet your_server_ip_address 25" (25 is the SMTP port)
Type "telnet your_server_ip_address 110" (110 is the POP3 port)
If you connect and see the server's greeting banner, the daemons are listening. Test from outside your network as well, and check that a "RCPT TO:" for a domain that is not yours is rejected there; if it is accepted, the server is an open relay and will be abused for spam.

For trouble shooting, if something isn’t working correctly, view the log files. This will help you to determine why something isn’t working correctly

TIP

To see the log, type the following into the shell:

tail /var/log/mail

to see the log as it happens type the following:

tail -f /var/log/mail

For general messages “tail -f /var/log/messages”

The mail queue
Sending
If the mail is either delayed while waiting for a modem connection, or you have set “defer_transports = smtp” then your mail will be waiting in a mail queue. You can see the content of the mail queue by typing the command “mailq” at the command prompt.

To send queued mail use the “sendmail -q” command.

Receiving
Unless your “mx” record is pointing to your static IP address, then you are going to have to use “fetchmail” to receive mail.

vi the “/root/.fetchmailrc” file similar to the following example:

poll 192.168.114.3 protocol pop3 username peterh password 3ry691+ is peterh

poll 192.168.114.3 protocol pop3 username thabangs password hfs065( is thabangs

Notice the format:

poll mail server protocol pop3 username "username" password "password" is local user
Set a cron job to run "fetchmail -a" at the desired intervals.
Because the file contains passwords in clear text, fetchmail refuses to use it unless it is owned by you and no more permissive than 0710 (no read or write access for the group, nothing for others). Make it owner-only:
chmod 0600 .fetchmailrc

Test by typing “fetchmail -v -a” at the command prompt.
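A pre-flight check for the cron job, as an added example that is not from the original post: fetchmail refuses an rc file that the group can read or write or that others can access at all, so the function below applies the same test (and checks ownership) before collecting mail, making the job fail loudly instead of silently skipping. It assumes GNU or BusyBox "stat -c"; the file name is whatever you pass in.

```shell
#!/bin/bash
# Pre-flight check for a fetchmail rc file. fetchmail only accepts an rc file
# that is owned by the invoking user and no more permissive than 0710: owner
# anything, group at most execute, others nothing.
# Usage: fetchmailrc_ok /root/.fetchmailrc && fetchmail -a
fetchmailrc_ok() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    owner=$(stat -c '%u' "$f")            # GNU/BusyBox stat: numeric owner uid
    mode=$(stat -c '%a' "$f")             # octal permission bits, e.g. 600 or 710
    if [ "$owner" != "$(id -u)" ]; then
        echo "$f: owned by uid $owner, not by you" >&2; return 1
    fi
    other=$(printf '%s' "$mode" | tail -c 1)                # last octal digit
    group=$(printf '%s' "$mode" | tail -c 2 | head -c 1)    # second-last digit
    if [ "$other" != 0 ]; then
        echo "$f: mode $mode is accessible by others (chmod 0600 $f)" >&2; return 1
    fi
    case $group in
        0|1) ;;   # group has neither read nor write
        *) echo "$f: mode $mode gives the group read or write access (chmod 0600 $f)" >&2; return 1 ;;
    esac
    return 0
}
```

In the crontab line, "fetchmailrc_ok /root/.fetchmailrc && fetchmail -a" makes the reason for a failed run show up in cron's mail rather than in a fetchmail message nobody reads.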
