
Posts tagged with "howto"

SERVER : IPKungfu (Firewall configuration utility)


The default Linux firewall on Ubuntu is configured with iptables. I've never managed to understand its exact syntax, so I've ended up using a third-party script that configures iptables from a few very simple rules.
To install IPKungfu you must do this :
sudo aptitude install ipkungfu
If it complains about some missing libraries then try this :
sudo apt-get -f install

After IPKungfu has finished installing you configure it by editing the files found in /etc/ipkungfu.
Here are the files I've changed (with comments about what the change is for) :
the ipkungfu.conf file :
# Please read the README and FAQ for more information

# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.
# Default is as shown in the example below.
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.
EXT_NET="ppp0"

# Your internal interfaces, if any.  If you have more
# than 1 internal interface, separate them with
# spaces.  If you only have one interface, put "lo"
# here. Default is auto-detected.
INT_NET="eth0"

# IP Range of your internal network.  Use "127.0.0.1"
# for a standalone machine.  Default is a reasonable
# guess.
LOCAL_NET="192.168.1.0/255.255.255.0"

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
GATEWAY=1

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. Default is none.

# 80 is for HTTP (Apache server)
# 21 is for FTP
# 22 is for SSH
# 10000 is for WebMin
ALLOWED_TCP_IN="80 21 22 10000"
#... rest of file is unchanged (and commented by default)
Of course, if you've moved Webmin, FTP, HTTP or SSH to other ports, list those ports instead. Keep in mind that FTP (21) sends user names and passwords in clear text and Webmin (10000) is an administrative interface: open them on the external interface only if you really need them reachable from the Internet.

If you want to be stricter, you can allow certain services only from certain computers. For example, to make Webmin reachable only from the host 192.0.2.1, first remove Webmin's port from ALLOWED_TCP_IN and then edit the /etc/ipkungfu/accept_hosts.conf file and add something like this:
# Please see the README and FAQ for more information
#
# IP addresses of hosts or nets to always ACCEPT
# and optionally, ports they are allowed to access
# Format: host[:port:protocol]

# accept Webmin connections only from 192.0.2.1
192.0.2.1:10000:tcp


If you need to accept an entire range of IPs, add a line like this (the netmask needs all four octets):
192.0.2.0/255.255.255.0:22:tcp
This accepts connections from any address in 192.0.2.0/24, but only on port 22 and only over TCP. Note that a host listed without a port and protocol is accepted for everything, so be careful not to drop that part by accident.
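A typo in one of these entries either drops traffic you meant to allow or, if the ":port:protocol" part goes missing, accepts far more than you intended, so it is worth checking the file before running ipkungfu. The POSIX shell checker below is an added example, not part of ipkungfu or of this post; it validates each line of an accept_hosts.conf-style file against the host[:port:protocol] format described in the file's own header (dotted IPv4 host, optional /netmask or /prefix, port or low-high range, tcp or udp). All function names are my own.

```shell
#!/bin/sh
# Checker for ipkungfu accept_hosts.conf-style entries (example code, not part of ipkungfu).
# Entry format, from the header of the file: host[:port:protocol]
#   host     dotted IPv4, optionally followed by /dotted-netmask or /prefix-length
#   port     a single port or a low-high range
#   protocol tcp or udp
# A host with no port/protocol is accepted for everything, so a typo that drops
# the ":port:proto" part silently widens the rule; this catches that too.

# valid_octet N -> true if N is an integer in 0..255
valid_octet() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# valid_ipv4 A.B.C.D -> true if exactly four valid octets
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do valid_octet "$octet" || return 1; done
}

# valid_host ip | ip/netmask | ip/prefix
valid_host() {
    case "$1" in
        */*)
            addr=${1%%/*}; mask=${1#*/}
            valid_ipv4 "$addr" || return 1
            case "$mask" in
                *.*)         valid_ipv4 "$mask" ;;   # a dotted mask needs all four octets
                ''|*[!0-9]*) return 1 ;;
                *)           [ "$mask" -le 32 ] ;;
            esac ;;
        *)  valid_ipv4 "$1" ;;
    esac
}

# valid_port N -> true if 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ports port | low-high
valid_ports() {
    case "$1" in
        *-*) lo=${1%%-*}; hi=${1#*-}
             valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] ;;
        *)   valid_port "$1" ;;
    esac
}

# valid_entry "host[:port:protocol]"
valid_entry() {
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    case $# in
        1) valid_host "$1" ;;
        3) valid_host "$1" && valid_ports "$2" && { [ "$3" = tcp ] || [ "$3" = udp ]; } ;;
        *) return 1 ;;            # "host:port" without a protocol, or junk
    esac
}

# check_accept_hosts FILE -> prints each bad line to stderr, returns the number of bad lines
check_accept_hosts() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                             # strip a trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')  # and any whitespace
        [ -n "$entry" ] || continue                   # blank or comment-only line
        if ! valid_entry "$entry"; then
            echo "bad entry: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}
```

Run check_accept_hosts /etc/ipkungfu/accept_hosts.conf before ipkungfu; a non-zero exit means at least one line would not mean what you think. The original 123.456.789.1 example from an earlier draft of this post fails on two counts, octets above 255 and a missing protocol.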

Since I use DC++ I also had to forward some ports to it, so here is my vhosts.conf file:
# forward TCP and UDP ports 4100-4150 to 192.168.1.10
# (used by DC++)
0/0:192.168.1.10:4100-4150:4100-4150:# DC++

In DC++ choose the firewall connection mode (not passive) and enter any port from the 4100-4150 range; it should work without a hitch (at least it does for me).

Now start ipkungfu (it needs root, since it loads the iptables rules):
sudo ipkungfu

If ipkungfu complains about the shell (on Edgy /bin/sh is dash, which does not understand some bash-only syntax), edit /usr/sbin/ipkungfu and change the first line to
#!/bin/bash
then run ipkungfu again; hopefully it won't give any errors.

Now, just like for No-IP, ipkungfu won't run automatically if you restart the server, so we need to add it to /etc/rc.local, which is executed each time the computer boots. Just run this command:
sudo editor /etc/rc.local
and modify the file to look like this :
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# start No-IP so that our server is reachable as myname.no_ip_domain
noip2

# Start IPKungfu (the firewall configuration utility)
ipkungfu

# don't remove the next line, or the server will give some errors
exit 0

Note: whenever you edit any of ipkungfu's files you have to run ipkungfu again. It is not a daemon: it only builds the iptables chains when it is executed and then exits.

SERVER : Installing UBUNTU server


So, after a few tries, I've finally managed to install Ubuntu Server.

Just in case somebody needs this information (or I have to reinstall the server :D), I've decided to write down the steps I took to install it correctly.

First of all, here is a schematic of how my network looks:


Download the image

So, first things first: download and burn the Ubuntu Server ISO image. I used Ubuntu 6.10 (Edgy Eft); you can get it from the Ubuntu download server.

Install the LAMP server
When you boot from the CD you just have to press ENTER to continue the installation (you'll select LAMP (Linux, Apache, MySQL and PHP) a little later).

You can view a detailed LAMP Server Installation with Screenshots at this site

I will only include the main steps to get LAMP installed.

So first of all select your language; I used English. After that it asks where you are from (the window title is "Choose Language" but it should really be "Choose Location"); I selected Other and then Romania (since I'm from Romania).
Then it asks if you want to let the installer detect your keyboard; you are better off choosing No and selecting your keyboard layout yourself (I used U.S. English).

After a few windows where it detects your hardware and network you end up at the Configure the network window, where you have to enter the server's hostname; I used Merlin, but you can use any name you like. After you press Continue, the partition editor comes up.
The partition editor has two options: one auto-partitions and formats the disk for you, the other lets you edit your partitions manually. I chose the first since it's faster and I had nothing on the HDD, so I picked "Erase entire disk: IDE1 (0,0,0) (hda) ...".
It then asks whether I really want to write the changes to disk; I chose Yes.

After a while (once the partitioning and formatting are done) it asks whether your computer's hardware clock is set to UTC (Universal Time) or to local time. On a Linux-only machine it is normally UTC, so I chose that; if the machine also boots Windows the clock is usually on local time.

Now we get to the interesting part: the installer asks you to create the user that will administer the computer. You can use any name you like, but make sure the password is hard enough that it can't be easily cracked yet easy enough that you won't forget it, since all configuration will be done with this account (it gets sudo rights).
After you finish creating the user, you finally get to the window where you can select to install LAMP.
Select it and press Continue (you can leave the DNS server unchecked).

After a while the installation finishes and a window appears informing you about that. After you press "Continue" the CD is ejected and the system reboots.

NOTE: since I have a PPPoE Internet connection, the installation takes a very long time, because after it finishes installing the programs it tries to connect to the net to get some updates, and until that times out the installer just sits helplessly. I have no idea how to get around this, as it can take up to 10 minutes before it finally realises it doesn't have a connection and gives up :cry:.

Configure after reboot
After rebooting (I hope you went into the BIOS and set it to boot from the HDD only) you'll get to a login screen similar to this:
Enter the name and password of the admin user you created and you should be logged in without problems.

Enable root user
You can enable the root user, but it's not recommended for security reasons: with sudo every administrative command is logged under the user who ran it, and there is no shared root password that can leak.
If you DO want to enable the root user, write this :
sudo passwd root
enter the admin user's password and then enter the password you want for the root user (you'll have to enter it twice).
From now on, to become root just enter the following command
su


Modify network configuration
Now we must configure the network interfaces so that computers on the internal (GREEN) network can reach the server.
So, execute this line:
sudo editor /etc/network/interfaces
and modify the file to look like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

####################################
# RED (outside)
# The primary network interface
auto eth1
iface eth1 inet dhcp

##################################
# GREEN (inside)
# No "gateway" line here: the default route comes from the PPPoE
# link (ppp0). Pointing eth0's gateway at its own address
# 192.168.1.1 only adds a bogus default route that gets in the way.
auto eth0
iface eth0 inet static
        network 192.168.1.0
        address 192.168.1.1
        netmask 255.255.255.0
        broadcast 192.168.1.255

Of course, you'll have to adjust eth0 and eth1 to match your network cards; in my case eth0 is the internal and eth1 the external interface.
After that we must restart networking, so execute this line:
sudo /etc/init.d/networking restart
If you get an error, look at the interfaces file again; you probably made a typo. It is also worth checking the routing table (route -n) afterwards: the only default route should be the one the PPPoE link adds.

Install DHCP server
Now we want to install a DHCP server, so the computers on the internal (GREEN) network can connect without needing a fixed IP. For that, execute this line:
sudo apt-get install dhcp3-server
Don't worry if it shows an error; that's normal, since the DHCP server has no configuration yet and refuses to start.
Edit the DHCP config file by executing this line:
sudo editor /etc/dhcp3/dhcpd.conf

you should modify it to look like this :
# option definitions common to all supported networks...
option domain-name "merlin";

default-lease-time 600;
max-lease-time 7200;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
# Clients will send DNS queries to the server itself. That only works if
# the server runs a DNS forwarder (we left the DNS server task unchecked
# during installation); otherwise put your ISP's resolvers here instead.
option domain-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.30;
}

Of course, the domain-name should be your server's name (the one you chose at installation). Also make sure dhcpd only listens on the internal interface by setting INTERFACES="eth0" in /etc/default/dhcp3-server; you do not want to hand out leases on the external side.
After saving the file, execute this line:
sudo /etc/init.d/dhcp3-server restart

If you get an error, check dhcpd.conf and make sure there is a ; at the end of each statement (that's the most common mistake). Running dhcpd3 -t -cf /etc/dhcp3/dhcpd.conf checks the syntax without starting the server.

Install the SSH server (SSH is Secure Shell)
Now it's time to install the SSH server, so we can configure the machine remotely. For that, execute the following line:
sudo apt-get install openssh-server

From now on you can configure the server remotely over SSH. If you later open port 22 on the external interface, set PermitRootLogin no in /etc/ssh/sshd_config; you should be logging in as the admin user and using sudo anyway.

Configure PPPoe connection
It's now time to configure the PPPoE connection, so let's do that with
sudo pppoeconf
The program shows the network cards it detected and asks whether all of them are listed. If they are, press Yes and let it detect which card is connected to a PPPoE concentrator. (I sure hope you've connected the cable to that card, otherwise you won't be able to finish this step.) After it finds the card connected to PPPoE it asks for the user name and password you use to connect. Note that both the name and the password are visible while you type them! After a few more questions you'll end up back at the prompt.

Now if everything went well you can use the following commands :
to initialize a connection use this :
sudo pon dsl-provider

to kill a connection use this :
sudo poff

if you get an error that more than one connection is active, use this instead :
sudo poff -a

to check the connection status, use this :
plog
If plog shows nothing it doesn't mean you have no connection, only that pppd hasn't logged anything in the last few minutes. Use the next command to see the last error, or whether you're connected:
grep pppd /var/log/syslog


Update and Upgrade your installation
All software installation is done with the apt-get and aptitude commands.
First of all we need to configure apt to use the Internet mirrors to find packages, so execute the following command:
sudo editor /etc/apt/sources.list
and uncomment the deb http://... and deb-src http://... lines you want (at minimum the edgy, edgy-updates and edgy-security ones), and don't forget to comment out the deb cdrom ... line so it doesn't ask for the CD anymore. As the comments in the file itself warn, packages from universe and backports are not maintained by the Ubuntu security team, so enable those only if you need something from them.
You should end up with something similar to this :
#
# deb cdrom:[Ubuntu-Server 6.10 _Edgy Eft_ - Release i386 (20061025.1)]/ edgy main restricted

#deb cdrom:[Ubuntu-Server 6.10 _Edgy Eft_ - Release i386 (20061025.1)]/ edgy main restricted

deb http://ro.archive.ubuntu.com/ubuntu/ edgy main restricted
deb-src http://ro.archive.ubuntu.com/ubuntu/ edgy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://ro.archive.ubuntu.com/ubuntu/ edgy-updates main restricted
deb-src http://ro.archive.ubuntu.com/ubuntu/ edgy-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://ro.archive.ubuntu.com/ubuntu/ edgy universe
deb-src http://ro.archive.ubuntu.com/ubuntu/ edgy universe

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://ro.archive.ubuntu.com/ubuntu/ edgy-backports main restricted universe multiverse
deb-src http://ro.archive.ubuntu.com/ubuntu/ edgy-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu edgy-security main restricted
deb-src http://security.ubuntu.com/ubuntu edgy-security main restricted
deb http://security.ubuntu.com/ubuntu edgy-security universe
deb-src http://security.ubuntu.com/ubuntu edgy-security universe

After this we must get aptitude to refresh the package list by running:
sudo aptitude update
After this has finished, let's upgrade the installation by executing:
sudo aptitude upgrade
This might take a while (about 10-15 minutes for me), so be patient.
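The comments inside sources.list are the only warning you get that universe and backports receive no attention from the Ubuntu security team, and a forgotten cdrom line will keep apt prompting for the CD. The POSIX shell audit below is an added example, not part of this post or of apt: it reads a sources.list, flags any still-active cdrom source, and reports every component enabled in an ordinary pocket (edgy, edgy-updates, edgy-backports) that has no entry in any -security pocket. Function and variable names are my own. Run against the file shown above it reports exactly one finding, multiverse from edgy-backports.

```shell
#!/bin/sh
# Audit an apt sources.list (example code, not part of apt or of this post).
#
# audit_sources FILE
#   Prints one finding per problem on stderr and returns the number of
#   findings (0 means clean). It flags:
#     - a "deb cdrom:" source that is still active (apt keeps asking for the CD)
#     - a component enabled from an ordinary pocket (edgy, edgy-updates,
#       edgy-backports, ...) with no entry in any "-security" pocket, i.e.
#       software that will never get a security update from this mirror set
#   Note: a component is only matched by name; a package that exists solely
#   in backports is still unpatched even if "main" has a -security line.
audit_sources() {
    file=$1
    findings=0
    secured=""      # components that appear on some *-security "deb" line
    enabled=""      # "suite/component" pairs seen on ordinary "deb" lines
    set -f          # no globbing while we word-split lines like "cdrom:[...]"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}               # drop comments; "#deb cdrom:" lines vanish here
        case "$line" in
            *cdrom:*)                  # cdrom URIs contain spaces, so check before splitting
                echo "finding: cdrom source still active: $line" >&2
                findings=$((findings + 1))
                continue ;;
        esac
        set -- $line                   # type uri suite component...
        [ $# -ge 4 ] || continue       # blank line, or no components at all
        [ "$1" = deb ] || continue     # deb-src lines install nothing
        suite=$3; shift 3
        case "$suite" in
            *-security) secured="$secured $*" ;;
            *) for comp in "$@"; do enabled="$enabled $suite/$comp"; done ;;
        esac
    done < "$file"
    set +f
    for pair in $enabled; do
        comp=${pair#*/}
        case " $secured " in
            *" $comp "*) ;;            # covered by a -security line
            *)
                echo "finding: $pair has no '$comp' entry in a -security pocket" >&2
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Usage: audit_sources /etc/apt/sources.list; a non-zero exit means findings.
```

The cdrom check is done on the raw line because a cdrom URI contains spaces and would not survive word-splitting; everything else is parsed as type, URI, suite and components. Only deb lines count: deb-src lines fetch source packages and install nothing.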