Wednesday, June 15, 2011

How to setup Linux as a Router / Firewall

One of the great features of Linux is its easy installation and configuration as an IP router and firewall. You can masquerade the internal LAN, the so-called trusted network, which is usually in a private (non-routable) range such as 192.168.x.x. Two steps are needed for this configuration, which we show in the following example; the trusted (masqueraded) network is 192.168.138.0. The steps are as follows:
  • Install two network cards in the PC and assign an IP address to each of them.
  • Configure the IP masquerading software on this Linux machine.
Install two network cards in the PC and assign an IP address to each of them
Install the network cards and assign an IP address to each with the following scripts in /etc/sysconfig/network-scripts (RedHat Linux).
Script: ifcfg-eth0 (first LAN card)

DEVICE=eth0
IPADDR=192.168.138.200
NETMASK=255.255.255.0
NETWORK=192.168.138.0
BROADCAST=192.168.138.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=yes
GATEWAY=192.168.126.200

Script: ifcfg-eth1 (second LAN card)

DEVICE=eth1
IPADDR=192.168.126.200
NETMASK=255.255.255.0
NETWORK=192.168.126.0
BROADCAST=192.168.126.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=yes
GATEWAY=192.168.138.200
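As an added example (not part of the original post), a POSIX sh check for the two ifcfg files above: it recomputes NETWORK and BROADCAST from IPADDR and NETMASK and reports any mismatch, so an octet typo is caught before the reboot. make_samples writes a constructed copy of ifcfg-eth0, plus one with a deliberate typo, into a temporary directory.

```shell
#!/bin/sh
# Example check for RedHat ifcfg-* files (added here, not from the original post).

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Prints "<file>: ok" and returns 0 when NETWORK and BROADCAST follow from
# IPADDR/NETMASK; otherwise prints one line per mismatch and returns 1.
check_ifcfg() {
    f=$1; status=ok
    ip=$(sed -n 's/^IPADDR=//p' "$f")
    mask=$(sed -n 's/^NETMASK=//p' "$f")
    net=$(sed -n 's/^NETWORK=//p' "$f")
    bcast=$(sed -n 's/^BROADCAST=//p' "$f")
    ipn=$(ip2int "$ip"); maskn=$(ip2int "$mask")
    want_net=$(int2ip $(( ipn & maskn )))
    want_bcast=$(int2ip $(( ipn | (4294967295 - maskn) )))   # host bits set
    if [ "$net" != "$want_net" ]; then
        echo "$f: NETWORK=$net but IPADDR/NETMASK give $want_net"; status=bad
    fi
    if [ "$bcast" != "$want_bcast" ]; then
        echo "$f: BROADCAST=$bcast but IPADDR/NETMASK give $want_bcast"; status=bad
    fi
    [ "$status" = ok ] && echo "$f: ok"
    [ "$status" = ok ]
}

# Constructed sample: the ifcfg-eth0 values from the page, and a copy with a typo.
make_samples() {
    d=$(mktemp -d)
    printf 'DEVICE=eth0\nIPADDR=192.168.138.200\nNETMASK=255.255.255.0\nNETWORK=192.168.138.0\nBROADCAST=192.168.138.255\nONBOOT=yes\n' > "$d/ifcfg-eth0"
    sed 's/^BROADCAST=.*/BROADCAST=192.168.128.255/' "$d/ifcfg-eth0" > "$d/ifcfg-eth0-typo"
    echo "$d"
}
```

Run it as `check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0` against the real files; the sample directory only exists for the worked case.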
After you have rebooted the machine, check that both LAN devices are properly configured with the command ifconfig.
eth0 Link encap:Ethernet HWaddr 00:01:02:0F:1A:85
inet addr:192.168.138.200 Bcast:192.168.138.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:146003 errors:0 dropped:0 overruns:1 frame:0
TX packets:100427 errors:0 dropped:0 overruns:0 carrier:0
collisions:500 txqueuelen:100
Interrupt:10 Base address:0x6e00

eth1 Link encap:Ethernet HWaddr 00:01:02:0F:1B:3C
inet addr:192.168.126.200 Bcast:192.168.126.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13249 errors:0 dropped:0 overruns:0 frame:0
TX packets:14200 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:15 Base address:0x6d00
Configure the IP masquerading software on this Linux machine
Install the script rc.firewall in /etc/rc.d/init.d, then create a symbolic link to it in /etc/rc.d/rc3.d.
lrwxrwxrwx 1 root root S91firewall -> ../init.d/rc.firewall
#!/bin/sh
#
# rc.firewall
#
# Enable IP Masquerade (NAT = Network Address Translation,
# SUA = Single User Access)on this host

# Needed to initially load modules

/sbin/depmod -a

# Supports the proper masquerading of FTP file
# transfers using the PORT method


/sbin/modprobe ip_masq_ftp

# CRITICAL:  Enable IP forwarding since it is disabled
# by default. Redhat Users: you may try changing the options
# in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false to FORWARD_IPV4=true
#

echo "1" > /proc/sys/net/ipv4/ip_forward

# MASQ timeouts
#
#  2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN"
#        packet is received.
# 160 sec timeout for UDP traffic (Important for
#         MASQ'ed ICQ users)


/sbin/ipchains -F
/sbin/ipchains -M -S 7200 10 160


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal
#  LAN address in the 192.168.138.x network with a
# 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask
# to match your internal LAN setup

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.138.0/24 -j MASQ


# Now show current settings

NAT=`cat /proc/sys/net/ipv4/ip_forward`
if [ "$NAT" = "1" ]
then
  echo "IP Masquerading is ON"
else
  echo "IP Masquerading is OFF"
fi

/sbin/ipchains -L

Monitor your changed files in real-time in Linux

Everybody knows top or htop. Ever wished there was something similar but to monitor your files instead of CPU usage and processes? Well, there is.
Run this:
watch -d -n 2 'df; ls -FlAt;'
and you'll get to spy on which files in the current directory are getting written on your system (ls -FlAt lists them newest first). Every time a file gets modified it will get highlighted for a second or so. The above command is useful when you grant someone SSH access to your box and wish to know exactly what they're modifying.

Thursday, June 9, 2011

Debugging Network Problems with TCPDUMP

The tcpdump program (dump traffic on a network) can be used to view network traffic, and, if necessary, its output can be parsed to deduce the source of excess packets. You can get the tcpdump-smb program, an extension to tcpdump, from the Samba website (www.samba.org). It is used to investigate SMB networking problems over NetBEUI and TCP/IP. Typically, it must be run as root because of the hardware access level it needs and the information it provides. The following examples show a debugging session for Samba, but tcpdump can be used for any other networking problem.
Capture all SMB packets to debug Name Resolution Problems (WINS)

# tcpdump port 137 
tcpdump: listening on eth0
15:33:15.437022 opal.netbios-ns > 193.247.121.207.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x3A4F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=AKADIA NameType=0x1D (Master Browser)
QuestionType=
In the example above, the machine opal sends a broadcast request to the broadcast address 193.247.121.207 for NetBIOS name resolution.
Capture all SMB packets to debug Network Neighborhood Browsing Problems
# tcpdump port 138
tcpdump: listening on eth0
15:46:19.420347 rabbit.netbios-dgm > 193.247.121.207.netbios-dgm:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x3B1F IP=193.247.121.196 Port=138 Length=183 Res2=0x0
SourceName=RABBIT NameType=0x00 (Workstation)
DestName=
SMB PACKET: SMBunknown (REQUEST)
Capture all SMB packets to debug NetBIOS Session Problems
# tcpdump -s 100 port 139 
tcpdump: listening on eth0
15:51:00.155440 akadia01.10032 > rabbit.netbios-ssn: P 3139570112:3139570160(48) ack 3279569702 win 8721
NBT Packet
NBT Session Packet
Flags=0x0
Length=44

SMB PACKET: SMBchkpth (REQUEST)
SMB Command = 0x10
Error class = 0x0
Error code = 0
Flags1 = 0x18
Flags2 = 0x3
Tree ID = 2
Proc ID = 51966
UID = 101
MID = 3200
Word Count = 0
smbbuf[]=
Path=\Upload
While the above command is running, issue a net view command from a Windows client and you will see output similar to the one shown above.
To print traffic between rabbit and either paragon or diamond:
# tcpdump host rabbit and \( paragon or diamond \)
Telnet from paragon to rabbit and watch the output.
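The post says tcpdump output can be parsed to find the source of excess packets; the following added example (not from the original post) does that for the port 137 capture above in POSIX sh with awk. It pairs each timestamp line with the decoded NBT line that follows it and counts name-query requests per source host, noisiest first; sample_capture is constructed input in the same format as the output shown above.

```shell
#!/bin/sh
# Example parser for "tcpdump port 137" output (added here, not from the original post).

# Reads tcpdump text on stdin; prints "<count> <host>" lines, highest count first,
# counting only NetBIOS name QUERY requests (responses and other ports are ignored).
nbt_query_sources() {
    awk '
        # header line: "HH:MM:SS.usec src.port > dst.port:"
        $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ && $3 == ">" {
            src = $2; sub(/\.[^.]*$/, "", src)   # drop the ".netbios-ns" port suffix
            next
        }
        # decoded line that follows the header; count query requests per source
        /^>>> NBT UDP PACKET\(137\): QUERY; REQUEST/ && src != "" {
            count[src]++
            src = ""
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' | sort -rn
}

# Constructed sample in the format of the port 137 capture above:
# one query from opal, three from rabbit, and one response that must not count.
sample_capture() {
    cat <<'EOF'
15:33:15.437022 opal.netbios-ns > 193.247.121.207.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x3A4F
15:33:16.104411 rabbit.netbios-ns > 193.247.121.207.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:33:16.205912 rabbit.netbios-ns > 193.247.121.207.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:33:16.307133 rabbit.netbios-ns > 193.247.121.207.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:33:17.001902 akadia01.netbios-ns > opal.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
EOF
}
```

On a live system feed it with `tcpdump port 137 | nbt_query_sources` (stop tcpdump after a while) or with a saved capture converted to text.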

How to serve several domains with one IP-address ?

The answer is ... use Apache's virtual host support. Apache was one of the first servers to support IP-based virtual hosts right out of the box. Versions 1.1 and later of Apache support both IP-based and name-based virtual hosts (vhosts). The latter variant is sometimes also called host-based or non-IP virtual hosts.
Name Based Virtual Hosts
Using Name Based Virtual Hosts is quite easy. The notable difference between IP-based and name-based virtual host configuration is the NameVirtualHost directive which specifies an IP address that should be used as a target for name-based virtual hosts.
For example, we use both www.akadia.ch and www.arkum.ch at the IP address 193.247.121.196. We simply add to one of the Apache configuration files (most likely httpd.conf) code similar to the following:
NameVirtualHost 193.247.121.196

<VirtualHost 193.247.121.196>
    ServerName www.akadia.ch
    DocumentRoot /www/akadia
</VirtualHost>

<VirtualHost 193.247.121.196>
    ServerName www.arkum.ch
    DocumentRoot /www/arkum
</VirtualHost>

Of course, any additional directives can (and should) be placed into the <VirtualHost> section. To make this work, all that is needed is to make sure that the names www.akadia.ch and www.arkum.ch point to the IP address 193.247.121.196.
When you specify an IP address in a NameVirtualHost directive, requests to that IP address will only ever be served by matching <VirtualHost>s. The "main server" will never be served from the specified IP address. If you start to use virtual hosts you should stop using the "main server" as an independent server and rather use it as a place for configuration directives that are common to all your virtual hosts. In other words, you should add a <VirtualHost> section for every server (hostname) you want to maintain on your server.

Drop all ping packets

*************************************************
To drop all ping packets altogether
*************************************************

You can set a kernel variable to drop all ping packets.

# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

This instructs the kernel to simply ignore all ping requests (ICMP type 0 messages).


To enable ping requests again, type the command:

# echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

[or]

You can also drop them by adding the following line to the /etc/sysctl.conf file:

net.ipv4.icmp_echo_ignore_all = 1

Save and close the file.

Thursday, June 2, 2011

HOWTO: Apache "httpd" authentication in Linux

Create a directory in the Apache document root, which is "/var/www/html":

mkdir /var/www/html/admin
cd /var/www/html/admin

Create simple "index.html" page.

Now open the "/etc/httpd/conf/httpd.conf" file and add/modify the following lines in the <Directory> section for the document root, so that .htaccess files are allowed to carry authentication directives:

Options Indexes Includes
AllowOverride AuthConfig

Create the ".htaccess" file as "/var/www/html/admin/.htaccess" and add the lines below. AuthUserFile must point at the password file that htpasswd writes in the next step (a file outside the document root, so it can never be downloaded):
AuthType Basic
AuthName "My Private Page"
AuthUserFile /etc/httpd/conf/htpasswd
require valid-user


Now create/add a new user allowed to access the "/var/www/html/admin" page:

htpasswd -mc /etc/httpd/conf/htpasswd nishith
New password:
Re-type new password:
Adding password for user nishith

View the content of "htpasswd" file
cat /etc/httpd/conf/htpasswd
nishith:$apr1$akwCX...$c3uo.k4oHIQNzlSEDQYMh0

Note:
To add more users, use only -m. The -c option always creates the file, so once the file exists do not use -cm again or the existing entries will be lost.

htpasswd -m /etc/httpd/conf/htpasswd alex
New password:
Re-type new password:
Adding password for user alex

cat /etc/httpd/conf/htpasswd
nishith:$apr1$akwCX...$c3uo.k4oHIQNzlSEDQYMh0
alex:$apr1$70g94/..$m8QyD4gQisd265nLW7pbR0

Finally, access your webpage in your browser by typing
http://<ip address>/admin (from a remote PC)

OR

http://localhost/admin (from the local PC only)
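As an added example (not part of the original post), a POSIX sh audit of the setup above, with the function names and the sample layout as assumptions: audit_basic_auth reads AuthUserFile from a .htaccess and reports a password file that is missing, that lies under the DocumentRoot, or that holds entries whose hash was not produced by htpasswd -m (salted MD5, $apr1$) or -B (bcrypt). make_auth_sample builds a constructed copy of the layout in a temporary directory, with the two htpasswd entries shown above.

```shell
#!/bin/sh
# Example audit for Apache Basic auth via .htaccess (added here, not from the original post).

# audit_basic_auth <DocumentRoot> <path to .htaccess>
# Prints one line per problem and returns 1; prints "ok: ..." and returns 0 otherwise.
audit_basic_auth() {
    docroot=$1; htaccess=$2; rc=0
    pwfile=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$htaccess" | tr -d '"')
    if [ -z "$pwfile" ]; then
        echo "no AuthUserFile directive in $htaccess"; return 1
    fi
    if [ ! -f "$pwfile" ]; then
        echo "AuthUserFile $pwfile does not exist: every login will fail"; rc=1
    else
        case $pwfile in
            "$docroot"/*) echo "AuthUserFile $pwfile lies under the DocumentRoot $docroot"; rc=1 ;;
        esac
        # each line is user:hash; plaintext, crypt() and {SHA} entries are reported
        while IFS=: read -r user hash; do
            case $hash in
                '$apr1$'*|'$2y$'*|'$2b$'*) ;;
                *) echo "weak or malformed entry for user '$user' in $pwfile"; rc=1 ;;
            esac
        done < "$pwfile"
    fi
    [ $rc -eq 0 ] && echo "ok: $htaccess -> $pwfile"
    return $rc
}

# Constructed sample: the page's layout under a temporary directory, plus a second
# .htaccess that points at a plaintext user list stored inside the document root.
make_auth_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/html/admin" "$d/conf"
    printf 'AuthType Basic\nAuthName "My Private Page"\nAuthUserFile %s/conf/htpasswd\nrequire valid-user\n' "$d" > "$d/html/admin/.htaccess"
    printf 'nishith:$apr1$akwCX...$c3uo.k4oHIQNzlSEDQYMh0\nalex:$apr1$70g94/..$m8QyD4gQisd265nLW7pbR0\n' > "$d/conf/htpasswd"
    printf 'AuthUserFile %s/html/admin/users\n' "$d" > "$d/html/admin/.htaccess.bad"
    printf 'guest:guest\n' > "$d/html/admin/users"
    echo "$d"
}
```

On the real server run `audit_basic_auth /var/www/html /var/www/html/admin/.htaccess`; a "does not exist" line is exactly what the earlier AuthUserFile/htpasswd path mismatch would have produced.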

"rsync" configuration in Linux/Unix

What can "rsync" do?

"rsync" can perform differential uploads and downloads (synchronization) of files across the network, transferring only data that has changed. The rsync remote-update protocol allows rsync to transfer just the differences between two sets of files across the network connection.

Hands-on practical:

Recommended: install "rsync" on both Linux/Unix machines (the command below is for RedHat/Fedora):
yum install rsync


Note: always use rsync over ssh
Since rsync itself does not provide any security while transferring data, it is recommended that you run it over ssh, which gives a secure remote connection. Now let us look at some rsync examples.
Task 1: Copy a file from the local computer to a remote server. Copy the file "/data/office.tar.gz" to the remote server "192.168.1.1":

$ rsync -v -e ssh /data/office.tar.gz rohit@192.168.1.1:/home/nishith

Task 2: Copy a file from a remote server to the local computer

Copy the file "/home/nishith/data.txt" from the remote server "192.168.1.1" to the local "/tmp" directory:
$ rsync -v -e ssh nishith@192.168.1.1:/home/nishith/data.txt /tmp

Enter the password when prompted.

Task: Synchronize a local directory with a remote directory

$ rsync -r -a -v -e "ssh -l nishith" --delete 192.168.1.1:/home/nishith/ /data

Task: Synchronize a remote directory with a local directory

$ rsync -r -a -v -e "ssh -l nishith" --delete /data 192.168.1.1:/home/nishith/

Task: Synchronize a local directory with a remote rsync server

$ rsync -r -a -v --delete rsync://192.168.1.1/data /home/nishith/

Common "rsync" options:
  • --delete : delete files on the receiving side that don't exist on the sender
  • -v : Verbose (try -vv for more detailed information)
  • -e "ssh options" : specify the ssh as remote shell
  • -a : archive mode
  • -r : recurse into directories
  • -z : compress file data