Showing posts with label Linux. Show all posts

Tuesday, January 18, 2011

Slow SSH connection in Ubuntu

Ubuntu has a long-standing problem with very slow SSH connections. For some reason, a few options enabled by default cause incoming or outgoing SSH connections to be very slow, or to hang for anywhere from 15 to 60 seconds.

There are two major contributors I know of that can cause the problem described above.

[1] GSSAPIAuthentication

GSSAPI is an IETF standard for strong, encrypted authentication in network-based applications. OpenSSH uses this API and the underlying Kerberos 5 code to provide an alternative means of authentication to SSH keys.

For some reason, this feature has been enabled by default since Ubuntu Feisty. You can disable it globally for all users in /etc/ssh/ssh_config by setting GSSAPIAuthentication to no:

# SendEnv LANG LC_*
# HashKnownHosts yes
GSSAPIAuthentication no
# GSSAPIDelegateCredentials no

[2] Slow or Broken DNS Lookup

Every time you log into the OpenSSH server, it performs a reverse DNS lookup on your IP address. If the DNS lookup times out, you will experience a long delay, as OpenSSH typically retries 3 times.

All you need to do is add the following line to /etc/ssh/sshd_config (the redirection has to run as root, so use tee rather than sudo echo ... >>):

echo "UseDNS no" | sudo tee -a /etc/ssh/sshd_config

Remember to restart the SSH service after the change.
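An added example (my own, not from the original post) that makes the sshd_config edit above repeatable and puts the directive where sshd actually treats it as global; the function names set_sshd_option and get_sshd_option and the file/key/value arguments are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: set an sshd_config directive
# safely. `sudo echo "UseDNS no" >> /etc/ssh/sshd_config` fails because the
# redirection runs as the unprivileged user, and even `tee -a` leaves you
# with duplicate directives, of which sshd honours only the FIRST one it
# reads; anything appended after a "Match" block applies only inside that
# block. FILE, KEY and VALUE are the caller's choice (assumed names).

# set_sshd_option FILE KEY VALUE
# Rewrites the first existing KEY line (active or commented out) and drops
# any later duplicates; otherwise inserts KEY before the first Match block,
# or at the end of the file when there is none.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        awk -v k="$key" -v v="$value" '
            BEGIN { re = "^[ \t]*#?[ \t]*" tolower(k) "[ \t]" }
            tolower($0) ~ re {
                if (!done) { print k " " v; done = 1 }
                next
            }
            { print }
        ' "$file" > "$tmp"
    else
        awk -v k="$key" -v v="$value" '
            !done && tolower($0) ~ /^[ \t]*match[ \t]/ { print k " " v; done = 1 }
            { print }
            END { if (!done) print k " " v }
        ' "$file" > "$tmp"
    fi
    # Copy back in place so the file keeps its inode, owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_sshd_option FILE KEY
# Prints the value sshd will use globally: the first active KEY line before
# any Match block, or nothing if the built-in default applies.
get_sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Typical use on Ubuntu (as root, then restart the ssh service):
#   set_sshd_option /etc/ssh/sshd_config UseDNS no
#   set_sshd_option /etc/ssh/sshd_config GSSAPIAuthentication no
```

Run `sshd -t` after editing the real file; it reports any directive sshd cannot parse before you restart the service.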

Wednesday, December 29, 2010

How to use full screen mode in Virtual Box for Linux OS?

First, install your Linux OS in VirtualBox as usual. I am going to use Ubuntu/Debian as the example here.

Then boot the OS and open a Terminal window:

1. Log in as the superuser using

    sudo su

2. Update the apt package lists

    apt-get update

3. Install the required packages:

    a. apt-get install build-essential

    b. apt-get install linux-headers-generic

Once completed, click on the VirtualBox "Devices" menu and choose "Install Guest Additions".

Then go back to the Terminal window:

4. Make a new mount folder,

   mkdir /mnt/vbox

5. Mount the Guest Additions to the newly created folder,

   mount /dev/scd0 /mnt/vbox

6. Install the Guest Additions, depending on whether you are using an x86 or a 64-bit workstation:

cd /mnt/vbox

./VBoxLinuxAdditions-x86.run

./VBoxLinuxAdditions-amd64.run

7. Reboot, and you should be able to use full screen as you like.

Sunday, April 25, 2010

How to : Quagga Routing Suite

Quagga is routing software that runs on Linux, based on the Zebra router (the last Zebra release was in 2005). Quagga can act as your open-source BGPv4+, OSPFv2, OSPFv3 and RIP router on a Linux system with kernel 2.4 or higher. The best part is that you can own a Cisco IOS look-alike router for less than RM5K!! Strongly recommended for your personal study and experimental use.

These are the daemons that make up this router:

  • zebra – routing manager
  • ospfd - implementing OSPFv2
  • ripd - implementing RIP v1 and V2
  • ospf6d - implementing OSPFv3 (IPv6)
  • ripngd - implementing RIPng (IPv6)
  • bgpd - implementing BGPv4+ (including address family support for multicast and IPv6)

Download the package from the Quagga website, HERE, or use apt:

#apt-get install quagga

Here are some good tips on configuring Debian/Kubuntu-based Quagga once the package installation is complete.

To start/stop/restart Quagga service

#/etc/init.d/quagga <start|stop|restart>

To enable/disable the daemons:

#vim /etc/quagga/daemons

zebra=yes
bgpd=no
ospfd=yes
ospf6d=no
ripd=no
ripngd=no

To create configuration files

First, you must create a configuration file for every daemon you enable, even if none exists yet; each daemon is associated with its own configuration file. For example:

    • zebra – zebra.conf
    • ospfd – ospfd.conf
    • bgpd – bgpd.conf

Copy the template or sample configuration files from /usr/share/doc/quagga/examples/ to /etc/quagga/:

#cp /usr/share/doc/quagga/examples/zebra.conf.sample /etc/quagga/zebra.conf
#cp /usr/share/doc/quagga/examples/ospfd.conf.sample /etc/quagga/ospfd.conf
#cp /usr/share/doc/quagga/examples/bgpd.conf.sample /etc/quagga/bgpd.conf

Add a password to all the newly copied files (note the >>, so the sample contents you just copied are appended to, not overwritten):

# echo 'password YourPassHere' >> /etc/quagga/bgpd.conf
# echo 'password YourPassHere' >> /etc/quagga/ospfd.conf
# echo 'password YourPassHere' >> /etc/quagga/zebra.conf

You must always ensure the file permissions are correct; the owner and group may vary with your machine's settings:

#chown quagga:quaggavty /etc/quagga/*.conf
#chmod 640 /etc/quagga/*.conf

Then try restarting Quagga.

debian.conf Configuration Guide

By default, the Quagga daemons listen on the loopback interface 127.0.0.1 only, each on a different port (bgpd, ospfd and zebra respectively), and cannot be accessed remotely. For example, the bgpd daemon uses port 2605, which means you can access the BGP router by executing:

#telnet localhost 2605

If you want to access the Quagga routers remotely from a specific IP address, you need to modify the /etc/quagga/debian.conf file.

If you want your OSPF router to listen on the loopback interface and on 10.10.10.1, the configuration will look like:

ospfd_options=" --daemon -A 127.0.0.1 10.10.10.1"

If you wish to let your BGP router be accessed on the IP addresses of all interfaces, the configuration is as below:

*As a security measure, I recommend you do not allow this.

bgpd_options=" --daemon"

You may need to restart the Quagga services for the change to take effect.

How to configure VTYSH, an integrated shell for Quagga

For instance, if you wish to access your BGP router:

#telnet localhost 2605

If you find it impractical or troublesome to telnet into the zebra, ospf and bgp routers separately, you can enable VTYSH. It provides a single interface to access and save the configuration, and it looks like your Cisco router!

To use this feature, create the configuration by copying the sample:

#cp /usr/share/doc/quagga/examples/vtysh.conf.sample /etc/quagga/vtysh.conf

Then edit /etc/quagga/vtysh.conf; here is the sample configuration:

!
! Sample
!
! service integrated-vtysh-config
hostname quagga-router
username root nopassword
!

In the sample above, "service integrated-vtysh-config" is commented out and therefore disabled, so the configuration is saved separately into the file of each protocol you have updated. Here is what happens when the OSPF and BGP router configurations are changed and saved:

#vtysh
quagga-router#write
Configuration saved to /etc/quagga/ospfd.conf
Configuration saved to /etc/quagga/bgpd.conf

If you have enabled "service integrated-vtysh-config" in the config, the configuration is saved into another file, /etc/quagga/quagga.conf. With that setting, quagga.conf is read first, followed by each protocol's own file (e.g. ospfd.conf) when you telnet into it. My recommendation is to leave this feature disabled for easier maintenance and to avoid confusion.

#vtysh
quagga-router#write
Configuration saved to /etc/quagga/quagga.conf

Make sure you have set "vtysh_enable=yes" in /etc/quagga/debian.conf.

In addition, it is recommended to add "VTYSH_PAGER=more" to your /etc/environment file, or else you will be annoyed by the blinking "END" in the bottom-left corner, which requires you to type "q" to continue.

On some machines adding it there may not work; in that case put it in /home/username/.profile instead.

Ensure the file permissions are correct and restart the Quagga service:

#chown quagga:quaggavty /etc/quagga/*.conf
#chmod 640 /etc/quagga/*.conf
#/etc/init.d/quagga restart

Additional info: IP forwarding

By default, Linux does not allow IP forwarding between interfaces. You need to enable it by executing:

#echo "1" > /proc/sys/net/ipv4/ip_forward

Tuesday, April 20, 2010

How to change date/time in Ubuntu?

Linux always has two clocks: the Hardware Clock and the System Clock. The Hardware Clock is also known as the CMOS Clock or Real-time Clock (RTC). The System Clock is the software clock used by Linux.

When the system boots, it reads the time/date from the Hardware Clock and sets the System Clock from it. The System Clock is not always accurate and will drift, especially when the hardware is heavily loaded by too many running processes. There are only two ways to ensure the clock is accurate according to NTP: either reboot your system or perform a manual synchronization.

To check your current date and time

root:/home# date
Tue Apr 20 07:45:44 PDT 2010

To change the system software clock manually

root:/home# date 042022462010.00
Tue Apr 20 22:46:00 PDT 2010

Format : date <MMDDHHmmYYYY.ss>

To check whether your system time zone is configured correctly

( Only perform these steps if time/date is NOT CRITICAL on your system, else skip this step )

root:/home# /etc/network/if-up.d/ntpdate
root:/home# date
Tue Apr 20 07:50:41 PDT 2010

It seems the time zone is not configured properly. Change your directory to /usr/share/zoneinfo and select the most appropriate region, as in the following step.

To change the system time zone

root:/home# ln -sf /usr/share/zoneinfo/Asia/Kuala_Lumpur /etc/localtime

To perform synchronization to NTP using rdate

The time server can be any public NTP server that complies with RFC 868.

root:/home# /usr/bin/rdate -s time-a.nist.gov

To set your hardware clock time and verify

root:/home# /sbin/hwclock --show
Tue 20 Apr 2010 03:59:03 PM MYT  -0.987237 seconds
root:/home# /sbin/hwclock --systohc
root:/home# /sbin/hwclock --show
Tue 20 Apr 2010 10:58:26 PM MYT  -0.782410 seconds
root:/home# /etc/network/if-up.d/ntpdate

Refer to the man page for hwclock.

A cesium atomic clock maintains an accuracy of 10^-9 seconds per day!!

Monday, June 1, 2009

Top 10 misconceptions about Linux

Today I found an interesting and very useful article on another site, Top 10 misconceptions about Linux; please pay it a visit and read it.

For most computer users, Windows is the only operating system (OS) they’ve ever used. In fact, most people don’t even know about other OSes at all, and that is not good. In our daily lives we always like to have a choice. Whether it’s different flavors of ice-cream or different brands and types of shirts and pants, we like to have a choice. So the question is, why not have a choice with our computers? While we all get to choose whether we want NVIDIA or ATI graphics card, most PCs come with pre-installed Windows operating system. It’s almost shoved down our throats. Where’s the choice in that?

There are many operating systems out there, some are good and some are bad. This list is about Linux, a free open-source operating system. There is a chance you have never heard of it, and even if you have you probably carry a few misconceptions about it. I’ll try to dispel some of these misconceptions starting with the most common:

1. Misconception: Linux is an Operating System (OS)

2. Misconception: Linux is a command line OS

3. Misconception: Linux is for geeks only

and many more... (click here)


Wednesday, November 26, 2008

How to connect Nokia e71 SIP to Asterisk?

Today I tried another wonderful feature built into the Nokia E71: the VoIP SIP client. After several tests, it works! Now my E71 is not only my mobile phone but also my "mobile office extension phone"! It has become a unified communication device combining several features, e.g. mobile phone, email, web browser, extension phone, instant messenger client, etc.

In order to connect your Nokia E71 SIP (Internet Call) client, some configuration is needed on your Asterisk server. You may refer to my sip.conf settings below:

[1010]
type=friend
secret=1234
qualify=yes
port=5060
pickupgroup=
nat=yes
host=dynamic
dtmfmode=rfc2833
dial=SIP/1010
context=from-internal
canreinvite=no
callerid=device <1010>
call-limit=50

You may also like to configure the "realm" in sip.conf under the [General] context; otherwise you may leave it at the default, which is "asterisk".

Remember to restart your SIP service, to avoid getting Error 400 later in your Asterisk debug output.

The next step is to configure your phone (make sure there is an Internet connection).

Step 1:

Go to "Menu"-->"Tools"-->"Settings"-->"Connections"-->"SIP Settings". Then, click on "Options"-->"Add New"

Profile name: <to be defined>
Service profile: IETF
Default access point: <your wifi access point>
Public user name: sip:<SIP user>@<domain or IP address>
Use compression: No
Registration: Always on
Use security: No

[Proxy server]
Proxy server address: sip:<IP address of your asterisk>
Realm: asterisk or <realm of your asterisk>
User name: <SIP user>
Password: <secret>
Allow loose routing: Yes
Transport type: Auto
Port: 5060

[Registrar server]
Registrar server address: sip:<IP address of your asterisk>
Realm: asterisk or <realm of your asterisk>
User name: <SIP user>
Password: <secret>
Transport type: Auto
Port: 5060

Now you should be able to see that your SIP profile is Registered.

Step 2:

Go to "Menu"-->"Tools"-->"Settings"-->"Connections"-->"internet Telephone Settings". Then, click on "Options"-->"Add New Profile"

Name: <to be defined>
SIP profiles: <previously defined profile>

Try making an Internet call by selecting "Options"-->"Call"-->"Internet Call" after keying in the telephone number.

Monday, September 15, 2008

How to send messages within a shell terminal in Linux ?

There are TWO (2) common methods to communicate and send messages between users in a shell terminal in Linux: wall and write. Both come with practically every distribution.

wall is a command to send a message to everyone logged into a terminal; in other words, it broadcasts the message.

(Refer to the wall man page)

Example :

root@localhost:/# wall    ( press Enter )
Hello Testing...broadcast using wall
   
( Ctrl-D to broadcast )

Broadcast Message from josephlee@localhost
        (/dev/pts/2) at 22:21 ...

Hello Testing...broadcast using wall
root@localhost:/#

write is a command to send a message to a specific user in the shell terminal. Normally you will also need the "who" or "w" command to find out who is logged in.

(Refer to the write man page)

Example :

root@localhost:/#
write testuser    ( press Enter )
Testing 123...     ( Ctrl-D to send )

Message from josephlee@localhost on pts/2 at 22:26 ...
Testing 123...
EOF
root@localhost:/#

Monday, July 21, 2008

Build your own Network Attached Storage(NAS)

Need network attached storage (NAS)? Feel it is expensive to get one from the store? Now you can make your own with a normal desktop PC!!! Want to know more about NAS? Click here

Before you get started, make sure your hardware meets these requirements:

  • Minimum of 96 MB of RAM.
  • A bootable CD-ROM drive,
  • or you may also install it in a virtual machine.

FreeNAS is a free, open-source network attached storage system running on the FreeBSD 6.2 distribution, with a web-based GUI. I have just installed FreeNAS on a server and, compared to a Buffalo NAS, it is more powerful and has more features!!!

FreeNAS not only provides storage access using NFS and FTP; you may also use it as an rsync server! Besides, it supports Samba (SMB), used by the Microsoft Windows network file system.

FreeNAS is probably one of the easiest installations out there. I can’t believe that it takes only a few minutes to perform a complete installation of an operating system.

FreeNAS can be downloaded from its website or through the FreeNAS SourceForge site. Choose the latest image (ISO) and download it. It will take some time if you are using a low-bandwidth Internet connection.. :) Burn the image to a CD and start your installation.

Simple guide to installing FreeNAS:

  1. Boot from the burned ISO CD until you reach the text-based console installation menu as below:

    "Console setup"
    "*********************"
    1) Assign Interface
    2) Set LAN IP address
    3) Reset WebGUI password
    4) Reset to factory defaults
    5) Ping host
    6) Shell
    7) Reboot system
    8) PowerOff system
    9) Install to a hard drive/memory drive/USB Pen, etc

  2. First, assign the interface by choosing "1", then set the IP address with option "2".

  3. Then proceed with the installation by choosing option "9". (This option disappears once you have installed successfully to the hard drive.)

    "Install"
    "*********************"
    1) Install on HD, CF or USB key: Create 1 UFS partition
    2) Install on HD: Create 2 UFS partitions (OS and DATA)
    3) Upgrade existing installed version from CDROM
    4) Return to main menu

  4. You can install the FreeNAS boot partition and data partition on the same partition, or separate the boot partition from the data partition. It is recommended to select option "2" here so that you can use the remaining space on the HDD as data storage.

  5. Once the FreeNAS installation is complete, remove the CD.

  6. Then select "4" to exit to the main menu, and select "7" to reboot the system.

  7. Now you may access the web interface by browsing to http://<IP_ADDRESS_CONFIGURED>.

  8. The default username is admin and the password is freenas.

  9. Download the manual here, or browse the online manual. Proceed with the configuration.

  10. Then your NAS will be ready to use! Good luck ya...

Friday, May 16, 2008

Linux Policy Routing : ip rule

Policy-based routing is the act of having multiple routing tables in a single machine. Normally it is used when different routes and gateways are involved.

Your kernel must be compiled with IP advanced router and IP policy routing support in order to use this feature.

To show the ip rules

# /sbin/ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

To show the main routing table

# /sbin/ip route list table main

203.158.11.16/29 dev eth2  proto kernel  scope link  src 203.158.11.17
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.254
10.100.100.0/24 dev eth1  proto kernel  scope link  src 10.100.100.2
default via 203.158.11.22 dev eth2

As shown above, the main table is the routing table you see when you type /sbin/ip route, whereas the local and default tables are separate ones.

You can create rules that point to different tables (e.g. table xyz), which allows you to override the system-wide routing rules.

The first rule specifies that any packet from anywhere should first be matched against routes in the local routing table. The local routing table holds broadcast addresses on link layers, network address translation, and locally hosted IP addresses.

When a packet is bound for IP address x.x.x.x:

  1. The packet bound for x.x.x.x first passes through the local routing table.
  2. If there is no locally hosted IP address, it looks in the main routing table to select a destination route.
  3. If there is no host or network match for this destination, the packet matches the default route in the main routing table.

To add a new table

# /sbin/ip route add 192.168.1.0/24 via 192.168.0.254 table 200

# /sbin/ip route add default via 10.100.100.1 table 200

To apply a rule to the newly added table 200

This means all traffic from 192.168.0.0/26 will be routed via routing table 200:

# /sbin/ip rule add from 192.168.0.0/26 table 200

# /sbin/ip route flush cache

*** Remember to flush the routing table cache ***

Therefore you should see the following result when you show your ip rules:

# /sbin/ip rule show
0:      from all lookup local
32765:  from 192.168.0.0/26 lookup 200
32766:  from all lookup main
32767:  from all lookup default

To delete an ip rule

# /sbin/ip rule del from 192.168.0.0/26 table 200

# /sbin/ip route flush cache

*** Remember to flush the routing table cache ***

It is quite troublesome to type so many lines every time the system boots, so you can put them in a script. Below is a sample script:

#!/bin/sh
# Rebuild table 200 from scratch so the script can be re-run safely
/sbin/ip route flush table 200
# Copy the main routing table into table 200 so directly connected
# networks stay reachable when table 200 is consulted
/sbin/ip route list table main | while read ROUTE ; do /sbin/ip route add table 200 $ROUTE ; done
# Table 200 gets its own default gateway
/sbin/ip route replace default via 10.100.100.1 table 200
# Remove any earlier copy of the rule before adding it (no duplicates on re-run)
/sbin/ip rule del from 192.168.0.0/26 table 200 2>/dev/null
/sbin/ip rule add from 192.168.0.0/26 table 200
/sbin/ip route flush cache

Some other useful ip rule commands :

To change the preference (priority) of a rule

# /sbin/ip rule add from 192.168.0.0/26 pref 3500 table 200

0:      from all lookup local
3500:   from 192.168.0.0/26 lookup 200
32766:  from all lookup main
32767:  from all lookup default

To create a NAT rule with ip rule

# /sbin/ip rule add nat 203.158.11.20 from 192.168.0.188

0:      from all lookup local
3500:   from 192.168.0.0/26 lookup 200
32765:  from 192.168.0.188 lookup main map-to 203.158.11.20
32766:  from all lookup main
32767:  from all lookup default

Usage: ip rule [ list | add | del | flush ] SELECTOR ACTION
SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK ]
            [ dev STRING ] [ pref NUMBER ] [ prio NUMBER ]
ACTION := [ table TABLE_ID ]
          [ prohibit | reject | unreachable ]
          [ realms [SRCREALM/]DSTREALM ]
TABLE_ID := [ local | main | default | NUMBER ]

Thursday, May 15, 2008

How to minicom serial console in Linux ?

First, get the following tools ready:

  1. RS232 Console Serial Cable
  2. USB to RS232 Serial Cable convertor


Then you will need to install the minicom package on your Linux system. Debian users can install it using aptitude or apt.

# apt-get install minicom

Then plug your USB-to-RS232 serial converter into a USB port. Type # dmesg and you should see the following text at the bottom.

usb 5-1: new full speed USB device using uhci_hcd and address 2
usb 5-1: configuration #1 chosen from 1 choice
usbcore: registered new interface driver usbserial
/build/buildd/linux-source-2.6.22-2.6.22/drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
/build/buildd/linux-source-2.6.22-2.6.22/drivers/usb/serial/usb-serial.c: USB Serial Driver core
/build/buildd/linux-source-2.6.22-2.6.22/drivers/usb/serial/usb-serial.c: USB Serial support registered for pl2303
pl2303 5-1:1.0: pl2303 converter detected
usb 5-1: pl2303 converter now attached to ttyUSB0
usbcore: registered new interface driver pl2303
/build/buildd/linux-source-2.6.22-2.6.22/drivers/usb/serial/pl2303.c: Prolific PL2303 USB to serial adaptor driver

Identify where your USB converter is attached. In the example above, it is connected to /dev/ttyUSB0 (remember it, as you will be using this later).

Now configure minicom with root privileges:

# sudo minicom -s

Then select Serial port setup.

Change the Serial Device setting to /dev/ttyUSB0 (or whichever device was shown when you ran # dmesg just now) and also change item (E), Bps/Par/Bits, to suit your device. You may need to change other settings according to your requirements. Press ENTER when complete.

Then select Save setup as dfl and exit.

Now you may start your serial console session by issuing the following command:

# minicom


Done!

Tuesday, May 13, 2008

VLAN for linux

What is VLAN ?

A VLAN (Virtual Local Area Network) lets several virtual networks co-exist on the same switch port or interface through software configuration, without needing separate hardware interfaces.

All workstations connected to the same L2 switch in LAN X can communicate with each other. If a workstation in LAN X wishes to communicate with LAN Y, a router is needed.

A VLAN is actually a way of dividing communication between several different networks virtually, using a single switch device. A single port on a VLAN-capable switch can carry packets from multiple virtual LANs, and Linux understands the format of these Ethernet frames.

VLANs are standardised as IEEE 802.1Q, also known as VLAN tagging. More info on Wikipedia.

What are the advantages using VLAN ?

  • Performance
  • Easy to manage
  • Security
  • Trunks
  • Saves the work of 'hardware reconfiguration' whenever a device changes physical location.

How to configure VLAN ?

802.1Q support has been included in the kernel since 2.4. Any distribution earlier than this should download and patch/compile the kernel before proceeding.

First of all, you must load the module:

# modprobe 8021q

Then make sure the interface to which you want to add the VLAN is UP and RUNNING.

For example,

2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:44:73:ed:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::202:44ff:fe73:ed64/64 scope link
       valid_lft forever preferred_lft forever

To bring up the interface

# ifconfig eth0 up

# ip link set eth0 up

To bring down the interface

# ifconfig eth0 down

# ip link set eth0 down

Case 1 : You want to add VLAN 8 to interface eth0 and configure 10.10.10.10/25 on this VLAN interface, then remove it.

To add a new VLAN

# vconfig add eth0 8

To bring up the VLAN interface and configure IP

# ifconfig eth0.8 up

# ifconfig eth0.8 10.10.10.10 netmask 255.255.255.128 broadcast 10.10.10.127

To remove the VLAN interface

# vconfig rem eth0.8

Friday, May 9, 2008

How to dial PPPoE in Linux

There are a few simple steps to make a PPPoE connection in Linux.

** The following commands are based on the Kubuntu distribution.

The very first time, you need to configure PPPoE using the following command with root privileges.

# pppoeconf

Then a text-based menu will be shown; follow the instructions as below:

  1. Confirm the Ethernet card that is connected to the ADSL modem.
  2. Enter your username (e.g. justk2@streamx).
  3. Enter your password.
  4. If you have configured it before, you will be asked whether it may be modified.
  5. Popular options: you are asked if you want the "noauth" and "defaultroute" options and to remove "nodetach" - choose Yes.
  6. Use peer DNS - choose Yes.
  7. Limited MSS problem - choose Yes.
  8. Then you are asked whether you want to connect at start-up.
  9. Finally you are asked whether you want to establish the connection immediately.
  10. Once you have finished these steps, your connection should be working.

Next time, you may use the following commands.

To start the ADSL dial-up

# pon dsl-provider

To stop the ADSL dial-up

# poff dsl-provider

Thursday, May 8, 2008

Linux Firewall : iptables - NAT

What is NAT ?

NAT, Network Address Translation, also known as network masquerading, native address translation or IP masquerading, is a method of translating/changing the source or destination IP address of traffic as it passes through. It may also be applied to the TCP or UDP port of the passing IP packet.

Most of the time it is used to provide Internet access to multiple LAN hosts using a single public IP.

What you must know ?

MASQUERADING

Masquerading translates all IPs to a single IP and is done with NAT. It rewrites the outgoing packet; the incoming (reply) packet must be translated back as well.

Masquerading works on the specified interface.

Source NAT ( SNAT )

SNAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.

With a dynamic public IP, whenever the source IP changes the source port numbers may change too, so it is easier to SNAT (masquerade) all outgoing packets on that interface. Also bear in mind that this implies the reverse translation of the replies, which is done implicitly.

Destination NAT ( DNAT )

DNAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

What is important ?

The most important option here is the table selection option, `-t'. For all NAT operations, you will want to use `-t nat' for the NAT table.

You may need to specify the source ( `-s' or `--source' ) and destination ( `-d' or `--destination' ) of the packets you want to NAT. These options can be followed by a single IP address ( e.g. 192.168.1.1 ), a domain name ( e.g. www.justk2.com ), or a network address ( e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0 ).

Lastly, you also need to specify the incoming ( `-i'  ) or outgoing ( `-o' ) interface to match, but which you can specify depends on which chain you are putting the rule into: at PREROUTING you can only select incoming interface, and at POSTROUTING you can only select outgoing interface.

**If you use the wrong one, iptables will give an error.

Chains in NAT table

There are three (3) different chains in NAT table, which are PREROUTING, POSTROUTING and OUTPUT.

PREROUTING Chain

It is for Destination NAT, as packets first come in.

Destination NAT is specified using " -j DNAT ", and the " --to-destination " option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

Case 1 :

To DNAT all incoming packets for 203.158.26.29 on eth2 to the single LAN station 192.168.10.22 (match the public address as the destination, translate to the LAN host):

# /sbin/iptables -t nat -A PREROUTING -i eth2 -d 203.158.26.29 -j DNAT --to-destination 192.168.10.22

Case 2 :

To DNAT incoming port 8080 at 203.158.26.29 on eth2 to the DMZ station 192.168.10.188 web server (port 80):

# /sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp -d 203.158.26.29 --dport 8080 -j DNAT --to-destination 192.168.10.188:80

** This is known as Port forwarding.

POSTROUTING Chain

It is for Source NAT, as packets leave.

Source NAT uses " -j SNAT ", and the " --to-source " option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

Case 1 :

To NAT the LAN station ( 192.168.92.62 ) from eth0 to a static public IP or WAN IP ( 203.158.26.29 ) at eth2

# /sbin/iptables -t nat -A POSTROUTING -o eth2 -s 192.168.92.62 -j SNAT --to 203.158.26.29

Case 2 :

To NAT the entire LAN network ( 10.10.10.0/24 ) from eth1 to a range of WAN IPs ( 203.158.26.29 ~ 203.158.26.32 ) at eth2

# /sbin/iptables -t nat -A POSTROUTING -o eth2 -s 10.10.10.0/24 -j SNAT --to-source 203.158.26.29-203.158.26.32

Case 3 :

To NAT the LAN network to a dynamic WAN IP, e.g. a PPP connection.

# /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

OUTPUT Chain

It is for packets generated by the firewall or router itself.

FOUR steps to make your NAT work

Forward the traffic

If you are using Linux kernel 2.6 or later, the following commands should work.

First, you must allow traffic to be forwarded (passed) through your firewall/router. By default the value is 0, which means disabled.

# echo 1 > /proc/sys/net/ipv4/ip_forward

In some cases, you may need to edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. This essentially tells your kernel to do step one on boot.

** Also remember to accept the traffic passing through your FORWARD chain ( more info in my earlier post )

# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Post-route the traffic

# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
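The four steps and the DNAT/SNAT cases above assembled into one script, as an added example that is not from the original post; the helper names run, nat_setup and port_forward, the DRY_RUN switch and the interface/address values are my own assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: the "four steps" assembled into
# one script, with the DNAT port-forward written in the correct direction
# (match the public address, translate to the LAN host). Interface names,
# addresses and ports in the usage lines are constructed sample values.
# Set DRY_RUN=1 to print the commands instead of executing them (no root).

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# nat_setup WAN_IF LAN_IF LAN_NET [PUBLIC_IP]
# Without PUBLIC_IP the WAN address is dynamic (e.g. ppp0), so MASQUERADE is
# used; with a fixed public address SNAT avoids the per-packet address lookup
# and keeps existing mappings when the interface flaps.
nat_setup() {
    wan=$1; lan=$2; lan_net=$3; pub=${4:-}
    # Step 1: let the kernel forward between interfaces (0 by default).
    run sysctl -w net.ipv4.ip_forward=1
    # Step 2: FORWARD drops by default; only flows that originate in the
    # LAN, plus their replies, may cross the box. This is what keeps the
    # NAT router from forwarding unsolicited Internet traffic into the LAN.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Step 3: rewrite the source address as packets leave (POSTROUTING).
    if [ -n "$pub" ]; then
        run iptables -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j SNAT --to-source "$pub"
    else
        run iptables -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j MASQUERADE
    fi
}

# port_forward WAN_IF PUBLIC_IP PUBLIC_PORT LAN_HOST LAN_PORT
# Step 4 (optional): publish one TCP port to a DMZ host. DNAT happens in
# PREROUTING, before routing, so the FORWARD chain then sees the packet
# with the LAN host as its destination and needs its own ACCEPT for it.
port_forward() {
    wan=$1; pub=$2; pport=$3; host=$4; hport=$5
    run iptables -t nat -A PREROUTING -i "$wan" -p tcp -d "$pub" --dport "$pport" \
        -j DNAT --to-destination "$host:$hport"
    run iptables -A FORWARD -i "$wan" -p tcp -d "$host" --dport "$hport" -j ACCEPT
}

# Example: static public IP 203.158.26.29 on eth2, LAN 10.10.10.0/24 on eth1,
# DMZ web server 192.168.10.188 published on public port 8080.
if [ -n "${RUN_EXAMPLE:-}" ]; then
    nat_setup eth2 eth1 10.10.10.0/24 203.158.26.29
    port_forward eth2 203.158.26.29 8080 192.168.10.188 80
fi
```

Run it as `DRY_RUN=1 RUN_EXAMPLE=1 sh nat.sh` first to review the generated rules, then without DRY_RUN as root; the sysctl line covers the /proc write from step one.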

Thursday, May 1, 2008

Linux Firewall : iptables - FILTER table

Further to the basic understanding of iptables in my earlier post ( Linux Firewall : iptables - Basic ), let me continue with some example commands for the FILTER table :

To list the iptables table/chain

#iptables -L

#iptables -t <table> -L

( use this to list a specific table other than the default FILTER table )

#iptables -t <table> -L -vnx

( use this for verbose output, numeric addresses/ports and exact, unabbreviated counters )

To add a rule on top of the chain

#iptables -I <chain> -j [ACCEPT|DROP|REJECT|other]

e.g. # iptables -I FORWARD -j ACCEPT

To append a rule at the bottom of the chain

#iptables -A <chain> -j [ACCEPT|DROP|REJECT|other]

e.g. # iptables -A INPUT -j DROP

To delete a rule in a chain

#iptables -D <chain> <the row number of the rule started from 1>

e.g. # iptables -D FORWARD 2

To create a new chain

#iptables -N <chain>

e.g. # iptables -N CUSTOMFORWARD

To change the default policy of a built-in chain ( only the built-in chains INPUT, FORWARD and OUTPUT have a policy; a user-defined chain such as CUSTOMFORWARD has none, and a packet that matches nothing in it returns to the calling chain )

#iptables -P <chain> [ACCEPT|DROP]

e.g. # iptables -P FORWARD DROP

To flush the iptables

#iptables -F

To flush a specific TABLE

#iptables -t <table> -F

To delete a CHAIN

#iptables -X <chain>

So, have you warmed up? Now let's go into more commands; try to understand them and apply them wisely. :P

Case 1

To allow SSH traffic from 192.168.0.0/24 to the firewall itself, 10.133.0.1

# iptables -I INPUT -p tcp --dport 22 -s 192.168.0.0/24 -d 10.133.0.1 -j ACCEPT

-I = to add this rule to the top of INPUT chain.

-p = protocol, specifically here is TCP.

--dport = destination port, specifying SSH port ( port 22 ).

-s = the source address, i.e. where this traffic comes from; 192.168.0.0/24 for this rule.

-d = the destination address; here it is the firewall itself ( supposedly ), since this is the INPUT chain.

-j = jump to target. Here the traffic is accepted.

Case 2

To drop all traffic from 192.168.0.0/24 passing through the firewall and allow only 192.168.0.188 to pass through.

# iptables -P FORWARD DROP

# iptables -I FORWARD -s 192.168.0.188 -j ACCEPT

# iptables -I FORWARD -d 192.168.0.188 -j ACCEPT

Firstly, we set the FORWARD chain to a "default drop policy" ( meaning drop everything! ). Then we add the two following rules to the top of the FORWARD chain. For traffic to pass through, it must be allowed in both directions. Thus, two(2) different rules are created as above, specifying the source and the destination address respectively.

General Network Traffic rules

Next, we will want to use some standard rules for general network traffic. This goes a bit beyond the basics: iptables can determine the 'state' that a packet is in. This has to do with standard TCP communication, for example the 3-way handshake between two hosts when transmitting data.

  • NEW => Server1 connects to Server2 issuing a SYN (Synchronize) packet.
  • RELATED => Server 2 receives the SYN packet, and then responds with a SYN-ACK (Synchronize Acknowledgment) packet.
  • ESTABLISHED => Server 1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment) packet.

After this 3-way handshake is complete, the traffic is ESTABLISHED. For this type of TCP communication to work, rules similar to these three are necessary:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

The last rule obviously allows any traffic to leave the server.

The result of the three rules together with the previous commands from Case 1 and Case 2 above will be as follows :

Chain INPUT (policy ACCEPT)
target   prot  in    out   source           destination
ACCEPT   tcp   *     *     192.168.0.0/24   10.133.0.1      tcp dpt:ssh
ACCEPT   all   *     *     0.0.0.0/0        0.0.0.0/0       state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target   prot  in    out   source           destination
ACCEPT   all   *     *     0.0.0.0/0        192.168.0.188
ACCEPT   all   *     *     192.168.0.188    0.0.0.0/0
ACCEPT   all   eth0  *     0.0.0.0/0        0.0.0.0/0       state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target   prot  in    out   source           destination
ACCEPT   all   *     *     0.0.0.0/0        0.0.0.0/0       state NEW,RELATED,ESTABLISHED

From here you can add whatever rules you like depending on your server requirements :

To block some BAD source IP address

#iptables -A INPUT -s 10.10.132.2 -j DROP

To drop spam from a source IP address ( if you are using the default ACCEPT policy or have accepted the SMTP port in another rule )

#iptables -A FORWARD -p tcp --dport 25 -s 192.168.0.111 -j DROP

To allow the LAN ( eth0 ) to access your web server while blocking all external access from the WAN ( eth1 ) to it

#iptables -I INPUT -p tcp --dport 80 -j DROP

#iptables -I INPUT -p tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT

The 1st rule must be executed before the 2nd, because -I inserts each new rule at the top of the chain; this way the ACCEPT ends up above the DROP and is evaluated first.

To drop all ICMP/Ping packet to the firewall

#iptables -A INPUT -p icmp -j DROP

If you are using the default ACCEPT policy, then you must DROP everything else with the last rule. In our case here ( since the FORWARD chain already has a default DROP policy ), you should reject everything else in the INPUT chain.

# iptables -A INPUT -j REJECT
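As an added example ( not code from this post ), here is a small Python model of first-match chain evaluation that replays Case 1, Case 2 and the three state rules, plus the port-80 pair, so you can see how -I ordering and the default policy decide a packet's fate before touching a real box. The packets fed to it are constructed, and the states are simply labels on the packet rather than real connection tracking.

```python
# Toy first-match model of the FILTER chains in this post (added example, not iptables).
# It covers only what the rules above use: -s/-d, -p/--dport, -i, -m state, -I vs -A, -P.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    target: str                       # -j ACCEPT / DROP / REJECT
    src: str = "0.0.0.0/0"            # -s
    dst: str = "0.0.0.0/0"            # -d
    proto: Optional[str] = None       # -p, None means "all"
    dport: Optional[int] = None       # --dport
    in_if: Optional[str] = None       # -i
    states: frozenset = frozenset()   # -m state --state; empty means not checked

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.in_if is None or pkt.get("in_if") == self.in_if)
                and (not self.states or pkt.get("state") in self.states))

class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.policy, self.rules = policy, []   # iptables -P <chain> <policy>

    def insert(self, rule: Rule):   # -I: the new rule goes on top of the chain
        self.rules.insert(0, rule)
    def append(self, rule: Rule):   # -A: the new rule goes to the bottom
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:
        # First matching rule wins; when nothing matches, the default policy applies.
        return next((r.target for r in self.rules if r.matches(pkt)), self.policy)

def build_post_chains():
    """Replay Case 1, Case 2 and the three state rules in the order the post runs them."""
    inp, fwd = Chain("ACCEPT"), Chain("DROP")   # iptables -P FORWARD DROP
    inp.insert(Rule("ACCEPT", src="192.168.0.0/24", dst="10.133.0.1", proto="tcp", dport=22))
    fwd.insert(Rule("ACCEPT", src="192.168.0.188"))
    fwd.insert(Rule("ACCEPT", dst="192.168.0.188"))
    inp.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    fwd.append(Rule("ACCEPT", in_if="eth0", states=frozenset({"RELATED", "ESTABLISHED"})))
    return inp, fwd

def web_chain(drop_first: bool) -> Chain:
    """The port-80 pair: with -I the DROP must be inserted first so it ends up below."""
    inp = Chain("ACCEPT")
    drop = Rule("DROP", proto="tcp", dport=80)
    lan = Rule("ACCEPT", src="192.168.0.0/24", proto="tcp", dport=80)
    for rule in ((drop, lan) if drop_first else (lan, drop)):
        inp.insert(rule)
    return inp
```

Swapping the insertion order in web_chain() is exactly the mistake the note above warns about: the LAN packet then hits the DROP first and never reaches its ACCEPT.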

There are more to explore besides the example shown above. But bear in mind, ***NEVER TRY ON A LIVE SYSTEM!!***

In the next post, I will proceed to NAT table.

Saturday, April 26, 2008

10 things to consider when choosing a Linux distribution

  • Date: April 9th, 2008
  • Author: Jack Wallen

I can’t begin to tell you how many people over the years I have consulted with about choosing a Linux distribution. And even with my own personal loyalties to one distribution or another, it always amazes me how certain distributions are better suited to various users and needs. So when I set out to write a 10 Things article, it only made sense that my first one be related to choosing a Linux distribution.

Of course, times and opinions change. For nearly 10 years I rode the Red Hat/Fedora wagon. And then, after considerable thought, I jumped over to Ubuntu. Why? Because it fit my evolving needs. Many will argue that one Linux distribution is just like another — and I agree, on fundamentals. But when it comes down to everyday use, each distribution is different from the next. So why would you want to use Debian vs. Fedora or Ubuntu vs. Mandriva? Let’s dive into this and find out.

Note: This information is also available as a PDF download.

#1: 100% open or not?

Many people don’t seem to know this question even exists. Average users may think that all Linux distributions are created equal, since they are released under the GPL. They are not. Some distributions are being released with proprietary drivers. In some instances, these are necessary. For example, for many laptops, getting wireless to work often requires the use of a proprietary driver. Because of this, some Linux distributions are opting to make the inclusion of proprietary drivers the user’s choice. And many of these distributions are even offering downloads of free and non-free (with regards to licenses, not cost) drivers.

If you champion 100% free software, you’ll want to look at the following:

Those are the only distributions that don’t offer any releases with non-free software. You can also get versions of distributions like Mandriva Free, which are bereft of non-free applications. This choice will be dictated by two things: the “politics” of Linux and the need for proprietary drivers.

#2: Package management

This is one of those areas where people begin to leap up on their soapboxes. RPM vs. Apt vs. dpkg vs. urpmi. Some would say that they are all fundamentally the same: Each has a command-line tool as well as a GUI front end, and each has a configurable repository system that can be edited by hand (via text editor) or through the GUI front end. I will argue (not that I have become a Ubuntu convert) that the Apt system is much better as a package management system. I say this because RPM has a tendency to be unable to resolve dependencies, as well as to muck up a system over time. But for the average user, the biggest (and probably most crucial) difference lies in the GUI front ends. Between managers like Synaptic and GnoRPM, there is no comparison. Even after nearly 10 years of working with Linux, I have never found a stable front end for RPM. Apt front ends, on the other hand, have enjoyed stability for a long time.

So if you prefer one package management system over another, your choice will already be narrowed down. Of course, it can get a little murky with crossovers, like apt-rpm. But if you want Apt, you will be using a Debian-based system. If you want RPM, you will be using a Red Hat/Fedora-based distribution (or, in the case of urpmi, Mandriva.)

#3: Directory hierarchy

This is one of those issues that has always befuddled me. There should be a standard that all distributions stick to. But as it stands, there is not. Take the init system (the initialization system). In Fedora-based systems, you will find this in /etc/rc.d/init.d. In Debian-based systems, you will find this in /etc/init.d. Even the Linux Standards Base does not define where the initialization system should lie. But you will still have your own personal standard. When moving from Fedora to Ubuntu, it took me a while to stop typing /etc/rc.d/init.d/mysql start and start typing /etc/init.d/mysql start. If you’re used to one, either stick with it or anticipate a few “command not found” errors.

#4. Desktop environment

Although you can install your desktop of choice, some users just want to install the OS and go. In that case, you will want to make sure you choose a distribution that focuses on the desktop environment you like. If you want GNOME, go with Fedora. You can check out this listing of distributions shipping with GNOME as the default. If you want KDE, check out this listing of distributions shipping KDE as the default. Of course, you are not limited to either GNOME or KDE. My preference is for Enlightenment. Some distributions ship with Enlightenment as the default, such as Elive and gOS.

Even though it’s possible to install the desktop of your choice, it’s not always as simple as it might seem. If you don’t want to spend time resolving dependencies or figuring out what repository to add to install KDE4, go with a distribution that ships your preferred desktop by default.

#5: Security

Linux is a much more secure OS than most, although not all distributions are equally secure. In fact, there are distributions aimed primarily at security, such as Trustix, which claims to be the most secure of all Linux distributions. But truth be told, the most secure Linux distribution is the one that is properly configured. But if you want security “out of the box,” the short list of distributions would include Trustix, Engarde Linux, and Bastille Linux.

#6: Intended use

Let’s face it: We don’t all use our computers for the same thing. Some need multimedia. Some need servers. Some need development. Some need a simple workstation to write and surf the Web. And there are Linux distributions for every need. Need a headless server? Give Ubuntu Server Edition <http://www.ubuntu.com/products/whatisubuntu/serveredition> a try. Is multimedia your game? If so, take a look at StartCom Multimedia Edition. If you’re an average user (office suite, e-mail, Web), you can go with any of the distributions.

#7: Hardware

This one is tricky. As I said earlier, your hardware will sometimes dictate what drivers you will use. But it goes beyond that. There are distributions that are known for their hardware friendliness. For instance, PCLinuxOS is one of the best choices for overall hardware detection and setup (as well as being one of the simplest to install). For wireless, your best choices are Ubuntu, Mepis, and SuSE.

#8: Laptop use

Another tricky spot. On top of having to deal with wireless and graphics (see #7), you also have to hope that your laptop will support hibernation. This is one of the rougher spots for modern Linux. Getting a laptop to suspend or hibernate is a matter of hoping your particular laptop will play well with your distribution. Your best bet is to simply Google your make and model of laptop along with “linux suspend” to find out which distribution is best suited for your machine.

Wireless on your laptop will be an interesting journey. But here’s a good tip to help you out: Forget tools like Exalt and go directly to WICD. This tool is much better at handling various forms of wireless authentication.

#9: Installation

If you are really considering Linux, you know you have two choices: Find a vendor that will sell you a machine with a pre-installed distribution or install a distribution yourself. If you have never installed an operating system, don’t fret; it’s not hard. It will take some time, but rest assured that all modern Linux distributions (with the rare exception) are point-and-click GUI installations. And Linux one-ups its competition by giving you the Live CD. You can pop it into the machine, boot from it, and give Linux a try without having to install anything. A Live CD instance of Linux will run considerably slower than the installed version (and that will depend upon how much RAM your machine has), but you can get a good idea how well it is going to react to your hardware (and how you are going to react to the OS).

I would like to say that one distribution’s installation routine is better than another (to help you weed out possible hurdles in your adoption of Linux). But that is not so much the case now. Personally, I prefer the installations of Ubuntu (in its many incarnations) and Fedora to any other. I find their installations to be far more intuitive and user friendly.

If installation isn’t your game, just find a vendor that sells Linux pre-installed. You can go to online dealers like Hewlett Packard, Dell, Zonbu, Everex, and many others. This will keep you from having to dance around distributions to figure out which will support your hardware.

#10: Community

This aspect is a bit esoteric, but it should be addressed. Linux is more than an operating system. Linux, akin to Apple, is a community. Linux is about freedom and its communities embrace that — some more than others. So if community (feeling like you belong to something special) is important to you, Ubuntu is the distribution for you. If not, you could go with the more enterprise-level Red Hat, where you’ll enjoy a more traditional model of both customer service and support.

Which brings up a related issue: Support. Along with Linux comes many forms of support. Each distribution has its own mailing list, where you can enjoy hundreds (or thousands) of users who range from every level of experience. If you’re a DIY kind of person, this type of support will be right up your alley. And it’s free! If you’re not the DIY type, you should stick with SuSE (which benefits from Novell’s backing) or Red Hat, where you can buy a solid support package for your installations. If you do opt for the more community-driven distribution, you’ll be in good hands. On many occasions I have enjoyed speaking directly to the developer(s) of the application in question. Finding such a communication line with, say, a Microsoft or an Apple wouldn’t be so easy. With Linux — you never know. You might wind up chatting up the Linux kernel with Linux creator Linus Torvalds himself. I have a few times.

So there you have it. Ten things to consider when choosing a Linux distribution. But ultimately, it all boils down to choice. And that’s where Linux really shines. With Linux, you can choose on nearly every level. You aren’t locked down to any one thing.

Original Post : http://blogs.techrepublic.com.com/10things/?p=334