GATEWAY SETUP
*************

This Linux box is a masquerading firewall connecting my local private network to the internet through a cable modem.

                    ISP's network 24.113.94.0
          ----------------+-----------------
                          |  My account with ISP
                          |  IP Address:  24.113.94.87
                          |  Netmask:     255.255.254.0
                          |  Hostname:    cr324145-a
                          |  Domainname:  rchmd1.bc.wave.home.com
                          |  Gateway:     24.113.94.1
                          |  Nameserver1: 24.2.10.33
                          |  Nameserver2: 24.2.10.34
                          |
              +-----------+-----------+
              |          eth0         |   Private domainname:   novatek.co.nz
              |                       |   Private hostname:     gateway
              | Masquerading Firewall |   Private primary ns:   gateway
              |       Linux box       |   Private secondary ns: ns1.waikato.ac.nz 140.200.128.13
              |                       |                         ns1.granitecanyon.com
              |          eth1         |   Mailserver:           mail.novatek.co.nz
              +-----------+-----------+
                          |  Private Network
                          |  IP Address: 192.168.0.254
                          |  Netmask:    255.255.255.0
                          |
          ----------------+-----------------
                    Private Network 192.168.0.0

Gateway Addressing
------------------
gateway:        24.113.94.87, 192.168.0.254
gw-ext:         24.113.94.87
gw-int:         192.168.0.254
imail:          24.113.94.87
ns1:            24.113.94.87
ftp:            24.113.94.87
www:            24.113.94.87
novatek.co.nz.: 24.113.94.87

Aliases
-------
gw: gateway

Computer Hardware
+++++++++++++++++
Motherboard:          486DX2, UNI-486WB with 32Mb RAM
Video Controller:     Cirrus GD5424 Generic Vesa Bus with 1Mb RAM
Ethernet Controllers:
  Outside World:      eth0 - NE2K IO=0x240, IRQ=12, 00 00 e8 d3 d7 65
  Local Network:      eth1 - NE2K IO=0x300, IRQ=11, 00 00 e8 d3 d9 c0
Multi IO Card:        Generic ISA type with FDD Controller, IDE Controller,
                      2 comms ports, games port and printer port. Game port disabled.
Serial Ports:
  mouse:              ttyS0 - IO=0x3f8, IRQ=4, (gpm -t ms)
  modem:              ttyS1 - IO=0x2f8, IRQ=3, 14400 Internal Fax / Data modem
  spare:              ttyS2 - IO=0x3e8, IRQ=4
Parallel Port:
  printer:            lp0 - IO=0x378, polling, HP850C printer.
IDE Controller:       ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
  hda: WDC AC21600H, 1549MB w/128kB Cache, CHS=3148/16/63
  hdb: ATAPI 4X CD-ROM drive, 128kB Cache
FDD Controller:       fd0: 1.44Mb

IRQ map (cat /proc/interrupts)
++++++++++++++++++++++++++++++
  0:   14486776   XT-PIC  timer
  1:      23423   XT-PIC  keyboard
  2:          0   XT-PIC  cascade
  4:      75248   XT-PIC  serial
  8:          2   XT-PIC  rtc
 11:     155798   XT-PIC  NE2000
 12:    1619305   XT-PIC  NE2000
 13:          1   XT-PIC  fpu
 14:     498599   XT-PIC  ide0
NMI:          0

IO Map (cat /proc/ioports)
+++++++++++++++++++++++++
0000-001f : dma1
0020-003f : pic1
0040-005f : timer
0060-006f : keyboard
0070-007f : rtc
0080-008f : dma page reg
00a0-00bf : pic2
00c0-00df : dma2
00f0-00ff : fpu
01f0-01f7 : ide0
0240-025f : NE2000
02f8-02ff : serial(auto)
0300-031f : NE2000
0378-037a : parport0
03c0-03df : vga+
03e8-03ef : serial(auto)
03f6-03f6 : ide0
03f8-03ff : serial(auto)

HDD Partition Table (fdisk -l /dev/hda)
+++++++++++++++++++++++++++++++++++++++
Disk /dev/hda: 16 heads, 63 sectors, 3148 cylinders
Units = cylinders of 1008 * 512 bytes

   Device Boot   Start      End   Blocks   Id  System
/dev/hda1            1      131    65992+  82  Linux swap
/dev/hda2          132     3148  1520568   83  Linux

/etc/fstab
------------------------------------------------------------------------------
/dev/hda2     /             ext2     defaults,sync   1 1
/dev/hda1     swap          swap     defaults        0 0
#/dev/fd0     /mnt/floppy   ext2     noauto          0 0
#/dev/cdrom   /mnt/cdrom    iso9660  noauto,ro       0 0
none          /proc         proc     defaults        0 0
none          /dev/pts      devpts   mode=0622       0 0
--------------------------------------------------------------------------

Note that we default the main drive to synchronous I/O. With no write caching, data loss and disk corruption during crashes and reboots is avoided. Note also that we have commented out the floppy and cdrom mounts from this table, as we use automount for them; see autofs below. See the mount and fstab man pages for a more detailed explanation. The /dev/pts entry is the virtual terminal mount point (see the pts options in compiling the kernel).
BIOS Setups
+++++++++++
Nothing fancy: used HDD Autodetect to detect the hard drive, and set the boot search sequence (adv options) to C:, A:

GETTING AND INSTALLING THE KERNEL USING FTP (REDHAT 6)
******************************************************

(With a cable modem this now becomes practical.) It is even more practical to ftp the whole release to my other Linux box using the cable modem link, then connect the two Linux boxes, and do an ftp install using the 10MB/s ethernet rather than the cable modem.

Using my other Linux box (Redhat 5.2), I first reconfigured the network interface for my cable modem ISP. See HOWTO Change Internet addresses, below. I then ftp'd into a Redhat ftp mirror. See www.redhat.com/mirrors.html - I found acs-mrror.ucsd.edu to be reasonably reliable and fast. I got the whole installation package release for Redhat-6.0 from /linux/redhat/RedHat-6.0/i386. I copied this all to the anonymous ftp section on my other Linux box, /home/ftp/linux/redhat/redhat-6.0/i386. That took a few hours.

I then created a netboot diskette (using the other Linux box) using:

    cd /home/ftp/linux/redhat/redhat-6.0/i386/images
    dd if=bootnet.img of=/dev/fd0 bs=1440K

I then changed the other Linux box's IP address back to 192.168.0.3 for the private network and connected its ethernet to gateway's eth1. I then rebooted gateway with the netboot diskette. At the boot prompt, enter 'expert'. Follow the prompts, selecting FTP install. This is my IP config:

    IP Address:          192.168.0.254
    Netmask:             255.255.255.0
    Default Gateway:     192.168.0.254
    Primary Name Server: (left blank - going to ftp to an IP address on the same subnet)

On the following screen I left the Domain name and host name prompts blank. Next screen:

    FTP site:           192.168.0.3
    Red Hat Directory:  /linux/redhat/redhat-6.0/i386

and selected use Anonymous FTP. When selecting packages, I selected all the docs, and networking stuff. It is useful to read from Ch.5.11 through to the end of Ch.6 of the RedHat Installation manual, found on their web site:
http://www.redhat.com/corp/support/docs/rhl/RHL-6.0-Manual/install-guide/manual/

BUILDING A KERNEL FOR A MASQUERADING FIREWALL
*********************************************

GCC was not included as part of this RedHat package; it appears that the egcs compiler is the kernel compiler of choice. Irrespective, we need to ensure that we have the latest versions of glibc-devel (2.1.1-6) and ncurses-devel (4.2-18) to build the kernel (2.2.10-3).

To build a kernel, see the Kernel HOWTO and the RedHat Installation Manual Ch.11.8. I tend to favour a monolithic kernel built specifically for a box. This conflicts with the ip_masq module extensions, so as far as possible the kernel is monolithic, with a few modules for ip_masq, seldom used file systems, etc. I use 'make menuconfig' to create my .config file. Here it is:

---------------start of /usr/src/linux/.config-----------
#
# Automatically generated by make menuconfig: don't edit
#

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y

#
# Processor type and features
#
# CONFIG_M386 is not set
CONFIG_M486=y
# CONFIG_M586 is not set
# CONFIG_M586TSC is not set
# CONFIG_M686 is not set
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
CONFIG_1GB=y
# CONFIG_2GB is not set
# CONFIG_MATH_EMULATION is not set
# CONFIG_MTRR is not set
# CONFIG_SMP is not set

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
CONFIG_KMOD=y

#
# General setup
#
CONFIG_NET=y
# CONFIG_PCI is not set
# CONFIG_MCA is not set
# CONFIG_VISWS is not set
CONFIG_SYSVIPC=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_SYSCTL=y
CONFIG_BINFMT_AOUT=m
CONFIG_BINFMT_ELF=y
CONFIG_BINFMT_MISC=m
# CONFIG_BINFMT_JAVA is not set
CONFIG_PARPORT=y
CONFIG_PARPORT_PC=y
# CONFIG_PARPORT_OTHER is not set
# CONFIG_APM is not set

#
# Plug and Play support
#
# CONFIG_PNP is not set

#
# Block devices
#
CONFIG_BLK_DEV_FD=y
CONFIG_BLK_DEV_IDE=y
# CONFIG_BLK_DEV_HD_IDE is not set
CONFIG_BLK_DEV_IDEDISK=y
CONFIG_BLK_DEV_IDECD=y
CONFIG_BLK_DEV_IDETAPE=m
CONFIG_BLK_DEV_IDEFLOPPY=m
# CONFIG_BLK_DEV_IDESCSI is not set
CONFIG_BLK_DEV_CMD640=y
# CONFIG_BLK_DEV_CMD640_ENHANCED is not set
# CONFIG_IDE_CHIPSETS is not set
# CONFIG_BLK_DEV_LOOP is not set
# CONFIG_BLK_DEV_NBD is not set
# CONFIG_BLK_DEV_MD is not set
CONFIG_BLK_DEV_RAM=m
# CONFIG_BLK_DEV_XD is not set
CONFIG_PARIDE_PARPORT=y
# CONFIG_PARIDE is not set
# CONFIG_BLK_CPQ_DA is not set
# CONFIG_BLK_DEV_HD is not set

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_FIREWALL=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
# CONFIG_IP_MULTIPLE_TABLES is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_IPPORTFW=y
CONFIG_IP_MASQUERADE_MFW=y
CONFIG_IP_ROUTER=y
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_IP_ALIAS=y
# CONFIG_ARPD is not set
CONFIG_SYN_COOKIES=y
CONFIG_INET_RARP=y
CONFIG_SKB_LARGE=y
# CONFIG_IPV6 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_BRIDGE is not set
# CONFIG_LLC is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set
# CONFIG_CPU_IS_SLOW is not set

#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set

#
# SCSI support
#
# CONFIG_SCSI is not set

#
# Network device support
#
CONFIG_NETDEVICES=y

#
# ARCnet devices
#
# CONFIG_ARCNET is not set
CONFIG_DUMMY=y
# CONFIG_EQUALIZER is not set
# CONFIG_ETHERTAP is not set

#
# Ethernet (10 or 100Mbit)
#
CONFIG_NET_ETHERNET=y
# CONFIG_NET_VENDOR_3COM is not set
# CONFIG_LANCE is not set
# CONFIG_NET_VENDOR_SMC is not set
# CONFIG_NET_VENDOR_RACAL is not set
# CONFIG_RTL8139 is not set
# CONFIG_YELLOWFIN is not set
CONFIG_NET_ISA=y
# CONFIG_AT1700 is not set
# CONFIG_E2100 is not set
# CONFIG_DEPCA is not set
# CONFIG_EWRK3 is not set
# CONFIG_EEXPRESS is not set
# CONFIG_EEXPRESS_PRO is not set
# CONFIG_FMV18X is not set
# CONFIG_HPLAN_PLUS is not set
# CONFIG_HPLAN is not set
# CONFIG_HP100 is not set
# CONFIG_ETH16I is not set
CONFIG_NE2000=y
# CONFIG_SEEQ8005 is not set
# CONFIG_SK_G16 is not set
# CONFIG_NET_EISA is not set
# CONFIG_NET_POCKET is not set
# CONFIG_FDDI is not set
# CONFIG_HIPPI is not set
# CONFIG_PLIP is not set
CONFIG_PPP=y
# CONFIG_SLIP is not set
# CONFIG_NET_RADIO is not set

#
# Token ring devices
#
# CONFIG_TR is not set
# CONFIG_RCPCI is not set
# CONFIG_SHAPER is not set

#
# Wan interfaces
#
# CONFIG_HOSTESS_SV11 is not set
# CONFIG_COSA is not set
# CONFIG_SEALEVEL_4021 is not set
# CONFIG_DLCI is not set

#
# Amateur Radio support
#
# CONFIG_HAMRADIO is not set

#
# IrDA subsystem support
#
# CONFIG_IRDA is not set

#
# ISDN subsystem
#
# CONFIG_ISDN is not set

#
# Old CD-ROM drivers (not SCSI, not IDE)
#
# CONFIG_CD_NO_IDESCSI is not set

#
# Character devices
#
CONFIG_VT=y
CONFIG_VT_CONSOLE=y
CONFIG_SERIAL=y
CONFIG_SERIAL_CONSOLE=y
# CONFIG_SERIAL_EXTENDED is not set
# CONFIG_SERIAL_NONSTANDARD is not set
CONFIG_UNIX98_PTYS=y
CONFIG_UNIX98_PTY_COUNT=256
CONFIG_PRINTER=y
# CONFIG_PRINTER_READBACK is not set
# CONFIG_MOUSE is not set
# CONFIG_QIC02_TAPE is not set
# CONFIG_WATCHDOG is not set
# CONFIG_NVRAM is not set
CONFIG_RTC=y

#
# Video For Linux
#
# CONFIG_VIDEO_DEV is not set

#
# Joystick support
#
# CONFIG_JOYSTICK is not set
# CONFIG_DTLK is not set

#
# Ftape, the floppy tape device driver
#
# CONFIG_FTAPE is not set

#
# Filesystems
#
CONFIG_QUOTA=y
CONFIG_AUTOFS_FS=y
# CONFIG_ADFS_FS is not set
# CONFIG_AFFS_FS is not set
# CONFIG_HFS_FS is not set
# CONFIG_FAT_FS is not set
# CONFIG_MSDOS_FS is not set
# CONFIG_UMSDOS_FS is not set
# CONFIG_VFAT_FS is not set
CONFIG_ISO9660_FS=y
CONFIG_JOLIET=y
CONFIG_MINIX_FS=m
# CONFIG_NTFS_FS is not set
# CONFIG_HPFS_FS is not set
CONFIG_PROC_FS=y
CONFIG_DEVPTS_FS=y
# CONFIG_QNX4FS_FS is not set
# CONFIG_ROMFS_FS is not set
CONFIG_EXT2_FS=y
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_EFS_FS is not set

#
# Network File Systems
#
# CONFIG_CODA_FS is not set
CONFIG_NFS_FS=y
CONFIG_NFSD=y
CONFIG_NFSD_SUN=y
CONFIG_SUNRPC=y
CONFIG_LOCKD=y
CONFIG_SMB_FS=y
# CONFIG_NCP_FS is not set

#
# Partition Types
#
# CONFIG_BSD_DISKLABEL is not set
# CONFIG_MAC_PARTITION is not set
# CONFIG_SMD_DISKLABEL is not set
# CONFIG_SOLARIS_X86_PARTITION is not set
# CONFIG_UNIXWARE_DISKLABEL is not set
CONFIG_NLS=y

#
# Native Language Support
#
CONFIG_NLS_CODEPAGE_437=m
CONFIG_NLS_CODEPAGE_737=m
CONFIG_NLS_CODEPAGE_775=m
CONFIG_NLS_CODEPAGE_850=m
CONFIG_NLS_CODEPAGE_852=m
CONFIG_NLS_CODEPAGE_855=m
CONFIG_NLS_CODEPAGE_857=m
CONFIG_NLS_CODEPAGE_860=m
CONFIG_NLS_CODEPAGE_861=m
CONFIG_NLS_CODEPAGE_862=m
CONFIG_NLS_CODEPAGE_863=m
CONFIG_NLS_CODEPAGE_864=m
CONFIG_NLS_CODEPAGE_865=m
CONFIG_NLS_CODEPAGE_866=m
CONFIG_NLS_CODEPAGE_869=m
CONFIG_NLS_CODEPAGE_874=m
CONFIG_NLS_ISO8859_1=m
CONFIG_NLS_ISO8859_2=m
CONFIG_NLS_ISO8859_3=m
CONFIG_NLS_ISO8859_4=m
CONFIG_NLS_ISO8859_5=m
CONFIG_NLS_ISO8859_6=m
CONFIG_NLS_ISO8859_7=m
CONFIG_NLS_ISO8859_8=m
CONFIG_NLS_ISO8859_9=m
CONFIG_NLS_ISO8859_15=m
CONFIG_NLS_KOI8_R=m

#
# Console drivers
#
CONFIG_VGA_CONSOLE=y
CONFIG_VIDEO_SELECT=y
# CONFIG_MDA_CONSOLE is not set
# CONFIG_FB is not set

#
# Sound
#
# CONFIG_SOUND is not set

#
# Kernel hacking
#
# CONFIG_MAGIC_SYSRQ is not set
---------------end of /usr/src/linux/.config-------------

NOTES AND REASONS FOR SELECTING CERTAIN OPTIONS
+++++++++++++++++++++++++++++++++++++++++++++++

1. CONFIG_KMOD (Loadable Module Support)
   Note that we are using the new kmod feature - no kerneld required. See /usr/src/linux/Documentation/kmod.txt.

2. CONFIG_UNIX98_PTYS (Character Devices)
   CONFIG_DEVPTS_FS (Filesystems)
   I've selected both of these to enable the Unix98 PTY convention. I am assuming this is a good thing, as RedHat's default installation of its dev rpm has a mount option for /dev/pts listed. I guess I am following their lead.

Still in the /usr/src/linux directory, issue the following:

    make dep clean bzImage

This should keep the computer busy for a time. While this is churning away, have a look at /usr/src/linux/Documentation/modules.txt.

Move the old modules out of the way (so we can recover if necessary) before making the new modules, ie:

    mv /lib/modules/2.2.5-15 /lib/modules/2.2.5-15-prev

(The original modules from the first build I moved to /lib/modules/2.2.5-15-orig.)

    make modules; make modules_install

Having done this, it is a good idea to confirm that the /boot/System.map link points to the correct file. I found I needed to remove the old link and relink:

    rm /boot/System.map
    ln -s /usr/src/linux/System.map /boot/.

NOTE: Do not use 'make install' to install the kernel. 'make install' is configuration dependent and assumes defaults about lilo.conf, where System.map links to, etc. Our configuration is different from the default.

Configuring LILO
++++++++++++++++
REFS: README in /usr/doc/lilo*/, BootPrompt-HOWTO, /usr/doc/kernel-doc*/ide.txt.
This is the /etc/lilo.conf I use:

------------start of /etc/lilo.conf------------------
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
vga=ext                 # 50 line display mode
linear                  # gets over 1023 cylinder probs
single-key              # single key press - no rqd
prompt                  # display boot prompt
timeout=50              # default timeout 5 secs
image=/boot/bzImage
        append="ether=12,0x240,eth0 ether=11,0x300,eth1"
        label=l         # current linux build
        root=/dev/hda2
        read-only
image=/usr/src/linux/arch/i386/boot/bzImage
        append="ether=12,0x240,eth0 ether=11,0x300,eth1"
        label=n         # new - checking new builds
        root=/dev/hda2
        read-only
image=/boot/vmlinuz
        label=o         # orig kernel for recovery
        root=/dev/hda2
        read-only
--------------end of /etc/lilo.conf------------------

NOTES:

1. As I did not build ethernet as a module, I need the append command to tell the OS to recognise both ethernet cards. See the Ethernet HOWTO, the Proxy and Firewall HOWTO, Trinity OS (www.ecst.csuchico.edu/~dranch/Linux/TrinityOS.wri), and the Boot Prompt HOWTO. To ensure that the append instruction works, do a 'dmesg | less' and look for something like:

       ne.c:v1.10 9/23/94 Donald Becker (becker@cesdis.gsfc.nasa.gov)
       NE*000 ethercard probe at 0x240: 00 00 e8 d3 d7 65
       eth0: NE2000 found at 0x240, using IRQ 12.
       NE*000 ethercard probe at 0x300: 00 00 e8 d3 d9 c0
       eth1: NE2000 found at 0x300, using IRQ 11.

2. Besides booting to the DOS partition labeled 'w', there are 2 Linux boot options:
       'l'  The default linux boot
       'n'  The new boot option, which points to the location that 'make bzImage' writes the image to
       'o'  The original kernel - just in case!
   Therefore, to test a new image without destroying the previous working image, after running lilo we can boot to 'l-new' and if there are problems we can reboot back to 'l'. You may need to move the orig modules back. If everything works well, then

       cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage

   and rerun lilo.

3. It is always necessary to rerun lilo after any changes to any of the boot images.

4. Check out the partition table. Note that I have created a small partition for /boot, and I've made sure that its last cylinder is less than 1023. As this is an old BIOS (1993 vintage), the linear option in lilo does not work too well. Organising things this way ensures the boot image in /boot is always found in cylinders below 1023.

SELECTING APPROPRIATE DAEMONS
*****************************
A little /etc/sysconfig work to get the appropriate daemons working. This box will only ever be running in level 3, so we need not concern ourselves with levels 4 and 5.

-------------------------------------------
root@gateway:~>chkconfig --list
keytable        0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:on    2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:off   4:on    5:on    6:off
anacron         0:off   1:off   2:off   3:off   4:off   5:off   6:off
apmd            0:off   1:off   2:on    3:off   4:on    5:on    6:off
arpwatch        0:off   1:off   2:off   3:off   4:off   5:off   6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:on    4:off   5:off   6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
inet            0:off   1:off   2:off   3:on    4:on    5:on    6:off
ipchains        0:off   1:off   2:off   3:off   4:off   5:off   6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcmcia          0:off   1:off   2:on    3:off   4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:off   4:on    5:on    6:off
linuxconf       0:off   1:off   2:on    3:on    4:on    5:on    6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:on    4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:off   5:off   6:off
identd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rstatd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rusersd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
rwalld          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rwhod           0:off   1:off   2:off   3:off   4:off   5:off   6:off
smb             0:off   1:off   2:off   3:on    4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
network.orig    0:off   1:off   2:off   3:off   4:off   5:off   6:off
hylafax         0:off   1:on    2:on    3:on    4:on    5:on    6:off
xntpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
--------------------------------------------------------------------

GETTING THE TWO NETWORK CARDS WORKING
*************************************
For this setup, I prefer editing the config files directly rather than using the control panel GUI to do the job. Good refs are the NET-3 HOWTO, the LDP Network Administration Guide, the Firewalling and Proxy Server HOWTO, and the RedHat Installation Manual Ch 11.3.

/etc/HOSTNAME
-----------------------------
gateway.novatek.co.nz
----------------------------

/etc/hosts
#NOTE There are two options here. The first option is if we have not
# configured our local name server, and depend on our ISP's
# name server.
-------------------------------------------------------------------
127.0.0.1       localhost       localhost.localdomain
24.113.94.87    cr324145-a      cr324145-a.rchmd1.bc.wave.home.com
192.168.0.254   gateway         gateway.novatek.co.nz
192.168.0.1     hercules        hercules.novatek.co.nz
192.168.0.2     spare1          spare1.novatek.co.nz
192.168.0.3     henry           henry.novatek.co.nz
192.168.0.4     spare2          spare2.novatek.co.nz
192.168.0.5     beatroot        beatroot.novatek.co.nz
192.168.0.6     hershel         hershel.novatek.co.nz
---------------------------------------------------------

Alternatively, if we have configured a name server (named), then it is only necessary to include the local host in /etc/hosts. There are some exceptions; see what has been written about specifying /etc/hosts in the DNS section.
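Going back to the chkconfig listing in SELECTING APPROPRIATE DAEMONS: the script below is an added example, not part of these notes, that reads 'chkconfig --list' output and reports which services will start in a given runlevel, flagging the ones that accept connections from the network (that list is my own, drawn from the service names in the listing). SAMPLE is a constructed excerpt of the listing; on the gateway itself you would pipe the real 'chkconfig --list' into the same functions. Because the listing has ipchains off in every runlevel, the script also says whether the ipchains service starts in runlevel 3, which is worth knowing on a masquerading firewall.

```shell
#!/bin/sh
# Added example (not from the original notes): audit 'chkconfig --list'
# output and report which services start in a runlevel, flagging those that
# accept connections from the network. SAMPLE is a constructed excerpt of the
# listing in the SELECTING APPROPRIATE DAEMONS section.

SAMPLE='keytable        0:off   1:off   2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:on    4:off   5:off   6:off
inet            0:off   1:off   2:off   3:on    4:on    5:on    6:off
ipchains        0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfs             0:off   1:off   2:off   3:on    4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rstatd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
smb             0:off   1:off   2:off   3:on    4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Services from the listing that listen on the network; on a firewall every
# one of these that is enabled should be a deliberate choice.
# (This list is the reviewer's, not the page's.)
NETWORK_SERVICES="named inet identd lpd nfs nfslock portmap rstatd rusersd
rwalld rwhod smb sendmail snmpd ypbind xntpd"

# services_on LEVEL: read chkconfig output on stdin and print the services
# that are "on" at that runlevel, one per line, in listing order.
services_on() {
    awk -v lvl="$1" '
        NF >= 8 {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == lvl && kv[2] == "on") print $1
            }
        }'
}

# exposed_on LEVEL: the subset of services_on that are in NETWORK_SERVICES.
exposed_on() {
    services_on "$1" | while read -r svc; do
        case " $(echo $NETWORK_SERVICES) " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# ipchains_on LEVEL: succeed only if the ipchains service starts at LEVEL.
ipchains_on() {
    services_on "$1" | grep -qx ipchains
}

# Run the audit over the sample; replace the printf with 'chkconfig --list'
# to audit a live box.
echo "Enabled in runlevel 3:"
printf '%s\n' "$SAMPLE" | services_on 3
echo "Network-facing services enabled in runlevel 3:"
printf '%s\n' "$SAMPLE" | exposed_on 3
if printf '%s\n' "$SAMPLE" | ipchains_on 3; then
    echo "ipchains service starts in runlevel 3"
else
    echo "ipchains service does NOT start in runlevel 3: check where the rules are loaded"
fi
```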
/etc/networks
-------------------------------
loopback        127.0.0.0
localnet        192.168.0.0
externnet       24.113.94.0
-------------------------------

/etc/host.conf
------------------------
order hosts,bind
multi on
----------------------

/etc/resolv.conf
#NOTE There are two options here. The first option is if we have not
# configured our local name server, and depend on our ISP's
# name server.
-----------------------------------------
domain novatek.co.nz
search rchmd1.bc.wave.home.com home.com com
nameserver 24.2.10.33
nameserver 24.2.10.34
----------------------------------------

# Alternative /etc/resolv.conf - used when we have our own local name
# server set up on this host.
----------------------------------------
domain novatek.co.nz
search gateway.novatek.co.nz novatek.co.nz
nameserver 127.0.0.1
---------------------------------------

I recommend keeping two files, /etc/resolv.conf.dns and /etc/resolv.conf.nodns, and depending on what we are configuring, copying the appropriate file to /etc/resolv.conf.

/etc/sysconfig/network
-------------------------------
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=`cat /etc/HOSTNAME`
GATEWAY=24.113.94.1
GATEWAYDEV=eth0
#NISDOMAIN=
-------------------------------

/etc/sysconfig/network-scripts/ifcfg-eth0
-------------------------------------------
DEVICE=eth0
IPADDR=24.113.94.87
NETMASK=255.255.254.0
NETWORK=24.113.94.0
BROADCAST=24.113.95.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
------------------------------------------

/etc/sysconfig/network-scripts/ifcfg-eth1
------------------------------------------
DEVICE=eth1
IPADDR=192.168.0.254
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
------------------------------------------

We can optimize the IP window size per TrinityOS Ch16.
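The ISP side uses a 255.255.254.0 netmask, so NETWORK and BROADCAST in ifcfg-eth0 are not what a /24 habit would give you (24.113.95.255, not 24.113.94.255). As an added check, not part of these notes, here is a POSIX shell script that derives both values from IPADDR and NETMASK and compares them with what an ifcfg-* file says. IFCFG_ETH0 is a constructed copy of the ifcfg-eth0 above; on the gateway itself you would feed the real file to check_ifcfg.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that NETWORK and
# BROADCAST in an ifcfg-* file agree with its IPADDR and NETMASK.
# IFCFG_ETH0 is a constructed copy of the ifcfg-eth0 shown above.

IFCFG_ETH0='DEVICE=eth0
IPADDR=24.113.94.87
NETMASK=255.255.254.0
NETWORK=24.113.94.0
BROADCAST=24.113.95.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no'

# ip_to_int A.B.C.D -> the address as one integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_and_broadcast IPADDR NETMASK -> "NETWORK BROADCAST"
network_and_broadcast() {
    ip=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))   # network with all host bits set
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast")"
}

# check_ifcfg: read ifcfg-* contents on stdin; print "ok", or one line per
# field that disagrees with the computed value; return 1 on any mismatch.
check_ifcfg() {
    cfg=$(cat)
    ipaddr=$(printf '%s\n' "$cfg" | sed -n 's/^IPADDR=//p')
    netmask=$(printf '%s\n' "$cfg" | sed -n 's/^NETMASK=//p')
    network=$(printf '%s\n' "$cfg" | sed -n 's/^NETWORK=//p')
    bcast=$(printf '%s\n' "$cfg" | sed -n 's/^BROADCAST=//p')
    set -- $(network_and_broadcast "$ipaddr" "$netmask")
    rc=0
    if [ "$network" != "$1" ]; then
        echo "NETWORK=$network should be $1"; rc=1
    fi
    if [ "$bcast" != "$2" ]; then
        echo "BROADCAST=$bcast should be $2"; rc=1
    fi
    if [ $rc -eq 0 ]; then echo ok; fi
    return $rc
}

# Check the embedded sample. On the gateway itself, run instead:
#   check_ifcfg < /etc/sysconfig/network-scripts/ifcfg-eth0
printf '%s\n' "$IFCFG_ETH0" | check_ifcfg
```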
Original /etc/sysconfig/network-scripts/ifup from line 105
--------------------------------------------------------------------
ifconfig ${DEVICE} ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}

# don't re-add subnet route on 2.2 kernels, but add a route
# to a non-local subnet.
# stupid hack, but it should work
if [ "$ISALIAS" = no ] && [ -z "`route -n | sed "s/ .*//" | grep ${NETWORK}`" ]; then
    route add -net ${NETWORK} netmask ${NETMASK} ${DEVICE}
else
    route add -host ${IPADDR} ${DEVICE}
fi

# this is broken! it's only here for compatibility with old RH systems
if [ "${GATEWAY}" != "" -a "${GATEWAY}" != "none" ]; then
    route add default gw ${GATEWAY} metric 1 ${DEVICE}
fi

. /etc/sysconfig/network

if [ "${GATEWAY}" != "" ]; then
    if [ "${GATEWAYDEV}" = "" -o "${GATEWAYDEV}" = "${DEVICE}" ]; then
        # set up default gateway
        route add default gw ${GATEWAY} ${DEVICE}
        DEFGW=${GATEWAY}
    fi
fi

if [ "$BOOTPROTO" = bootp -a "$ISALIAS" = no ]; then
    if [ -n "$GATEWAYS" ]; then
        for gw in $GATEWAYS; do
            if [ $gw != "${DEFGW}" ]; then
                route add default gw $gw ${DEVICE}
            fi
        done
    fi
--------------------------------------------------------------------

changed to

--------------------------------------------------------------------
ifconfig ${DEVICE} ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}

# don't re-add subnet route on 2.2 kernels, but add a route
# to a non-local subnet.
# stupid hack, but it should work
if [ "$ISALIAS" = no ] && [ -z "`route -n | sed "s/ .*//" | grep ${NETWORK}`" ]; then
    route add -net ${NETWORK} netmask ${NETMASK} window 8192 ${DEVICE}
else
    route add -host ${IPADDR} window 8192 ${DEVICE}
fi

# this is broken! it's only here for compatibility with old RH systems
if [ "${GATEWAY}" != "" -a "${GATEWAY}" != "none" ]; then
    route add default gw ${GATEWAY} window 8192 metric 1 ${DEVICE}
fi

. /etc/sysconfig/network

if [ "${GATEWAY}" != "" ]; then
    if [ "${GATEWAYDEV}" = "" -o "${GATEWAYDEV}" = "${DEVICE}" ]; then
        # set up default gateway
        route add default gw ${GATEWAY} window 8192 ${DEVICE}
        DEFGW=${GATEWAY}
    fi
fi

if [ "$BOOTPROTO" = bootp -a "$ISALIAS" = no ]; then
    if [ -n "$GATEWAYS" ]; then
        for gw in $GATEWAYS; do
            if [ $gw != "${DEFGW}" ]; then
                route add default gw $gw window 8192 ${DEVICE}
            fi
        done
    fi
-------------------------------------------------------------------

Now restart networking:

    /etc/rc.d/init.d/network restart

NOTE: it might be a good idea to reboot if the HOSTNAME has changed.

Check that everything is working with ifconfig and netstat -rn.

ifconfig
-------------------------------------------------------------------
eth0      Link encap:Ethernet  HWaddr 00:00:E8:D3:D7:65
          inet addr:24.113.94.87  Bcast:24.113.95.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2025152 errors:0 dropped:0 overruns:0 frame:2
          TX packets:41482 errors:0 dropped:0 overruns:0 carrier:0
          collisions:372 txqueuelen:100
          Interrupt:12 Base address:0x240

eth1      Link encap:Ethernet  HWaddr 00:00:E8:D3:D9:C0
          inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:194157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:208219 errors:0 dropped:0 overruns:0 carrier:0
          collisions:18 txqueuelen:100
          Interrupt:11 Base address:0x300

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:79 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
-------------------------------------------------------------------

netstat -rn
-------------------------------------------------------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.254   0.0.0.0         255.255.255.255 UH        0 8192       0 eth1
24.113.94.87    0.0.0.0         255.255.255.255 UH        0 8192       0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
24.113.94.0     0.0.0.0         255.255.254.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 8192       0 lo
0.0.0.0         24.113.94.1     0.0.0.0         UG        0 8192       0 eth0
-------------------------------------------------------------------

Great, now try pinging an address on the internet (metalab.unc.edu) and a private IP address (hershel - 192.168.0.6). Now from a box on the private network, ping the private interface (192.168.0.254) and the internet interface (24.113.94.87). Now from a box on the private network, attempt to ping an address on the internet (metalab.unc.edu). DNS should work, ie. the name resolves to an IP address, but the ping attempts all time out.

SOME BASIC SECURITY
*******************
Most from TrinityOS Section 8 and the Security HOWTO.

New release updates - Policy Suggestion
+++++++++++++++++++++++++++++++++++++++
Watch www.cert.org and www.securityfocus.com. Always get the latest software for any program that interfaces to the internet. Obscure the identity and version number of the packages that interface to the internet. Packages are:
  * sendmail
  * Wu-FTP
  * Samba
  * Apache, etc.
Watch the security updates at www.redhat.com/support. I update the kernel every 2 to three months, usually skipping 5 minor points, eg 2.2.5 to 2.2.10, and so on.

Async vs Sync I/O access for HDD's
++++++++++++++++++++++++++++++++++
When working with a machine where reliability is paramount, it is probably reasonable to sacrifice speed for reliability of information. With async I/O, speed is gained by buffering data that should be written to disk and writing it later. Occasionally things can go wrong, causing a crash where the information on the disk is out of sync with the buffers. This can be avoided by making access to the HDD synchronous. This is done by adding "sync" to the mount options. See the fstab and mount man pages for more info.
More than once I have issued a 'reboot' without a 'sync' first and corrupted the disk, requiring a total rebuild. I'm choosing to play it safe on gateway even though it costs almost a 10 times reduction in performance on file transfers that write to gateway's hdd. Ensure the following line exists in fstab:

    /dev/hda2 / ext2 defaults,sync 1 1

I've suffered with sync'd (spelled s-l-o-w) disk IO long enough. I've now resorted to using cron to sync every 5 minutes with:

>>>>>>>>>>>>>>>>/etc/cron.d/sync
*/5 * * * * root /bin/sync
<<<<<<<<<<<<<<<

>>>>>>>>>>>>>>>>>>/etc/fstab
/dev/hda3   /          ext2     defaults         1 1
/dev/hda1   /boot      ext2     defaults         1 2
none        /proc      proc     defaults         0 0
none        /dev/pts   devpts   gid=5,mode=620   0 0
/dev/hda2   swap       swap     defaults         0 0
<<<<<<<<<<<<<<<<<

>>>>>>>>>>>>>>/etc/auto.master
/mnt    /etc/auto.misc  -t 60
<<<<<<<<<<<<<<

>>>>>>>>>>>>>>/etc/auto.misc
cd          -fstype=iso9660,ro,nosuid,nodev   :/dev/cdrom
fd          -fstype=auto                      :/dev/fd0
hal-9000    -ro,soft,intr                     hal-9000:/
henry       -ro,soft,intr                     henry:/
hercules    -ro,soft,intr                     hercules:/
<<<<<<<<<<<<<<

. . .

------------------------
Check hosts.allow on the hosts to ensure that they permit portmap access from hal-9000:
-------------------------
portmap: 192.168.0.254
-------------------------

Then stop and restart the following daemons on the host:

    /etc/rc.d/init.d/nfs stop
    /etc/rc.d/init.d/portmap stop
    /etc/rc.d/init.d/nfslock stop
    /etc/rc.d/init.d/portmap start
    /etc/rc.d/init.d/nfs start
    /etc/rc.d/init.d/nfslock start
    killall -HUP inetd

Now check that it works by changing to any of the automounted nfs directories. One of the reasons for making the nfs mounts automounts is that the hosts may not always be present.

SOME BASIC SETUP COSMETICS
**************************
Look at:
    Config-HOWTO
    HOWTO/mini/Colour-ls
    Keyboard-and-Console-HOWTO

Remember current version of X 3.3.3.1-52

1. Not used

2. Taming bash
---------------
Look at the color ls mini HOWTO, and the Config-HOWTO.

/etc/profile
------------------------------------------------
# /etc/profile

# System wide environment and startup programs
# Functions and aliases go in /etc/bashrc
# Users can override these settings and/or add others in their
# $HOME/.bash_profile

PATH="$PATH:/usr/X11R6/bin:/usr/local/bin"
PS1="\u@\h:\w>"
PS2=". . .>"
ulimit -c 1000000
if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
        umask 002
else
        umask 022
fi

USER=`id -un`
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
NNTPSERVER=news.rchmd1.bc.wave.home.com
VISUAL=vi
EDITOR=vi
HOSTNAME=`/bin/hostname`
HISTSIZE=1000
HISTFILESIZE=1000
INPUTRC=/etc/inputrc
PRINTER=hp850c

export PATH PS1 HOSTNAME HISTSIZE HISTFILESIZE USER LOGNAME MAIL INPUTRC
export NNTPSERVER VISUAL EDITOR PRINTER

# enable colour ls
eval `dircolors /etc/DIR_COLORS -b`
#export LS_OPTIONS='-s -F -T 0 --color=yes'
#LS_COLORS="di=33;1" ; export LS_COLORS

# customize less
LESS='-M-Q'
LESSEDIT="%E ?lt+%lt. %f"
LESSOPEN="| lesspipe.sh %s"
LESSCHARSET=latin1
LESSCHARDEF=8bcccbcc13b.4b95.33b.     # show colours in ls -l | less
export LESS LESSEDIT LESSOPEN LESSCHARSET LESSCHARDEF

for i in /etc/profile.d/*.sh ; do
        if [ -x $i ]; then
                . $i
        fi
done
unset i

# call fortune, if available
if [ -x /usr/games/fortune ] ; then
        echo ; /usr/games/fortune ; echo
fi
----------------------------------------------------

/etc/bashrc
-------------------------------------------------
# /etc/bashrc

# System wide functions and aliases
# Environment stuff goes in /etc/profile

# For some unknown reason bash refuses to inherit
# PS1 in some circumstances that I can't figure out.
# Putting PS1 here ensures that it gets loaded every time.
PS1="\u@\h:\w>"
PS2=". . .>"

alias ls="ls --color=auto -s -F -T 0"
alias dir="dir --full-time --color=auto -a -l -F -T 0"
alias lo="logout"
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias md='mkdir'

# The following line gets backspace and delete to behave like backspace
# used with "xterm*ttyModes: erase ^?" in ~/.Xdefaults. Pipe stdout
# and stderr to /dev/null to avoid showing error messages when
xmodmap -e "keysym BackSpace = Delete" > /dev/null 2> /dev/null
------------------------------------------------

/etc/inputrc
-------------------------------------------------
set meta-flag on
set input-meta on
set convert-meta off
set output-meta on
"\e0d": backward-word
"\e0c": forward-word
"\e[h": beginning-of-line
"\e[f": end-of-line
"\e[1~": beginning-of-line
"\e[4~": end-of-line
"\e[5~": beginning-of-history
"\e[6~": end-of-history
"\e[3~": delete-char
"\e[2~": quoted-insert
------------------------------------------------

/etc/skel/.bashrc
------------------------------------------------
# .bashrc

# User specific aliases and functions

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
-------------------------------------------------

/etc/skel/.bash_profile
--------------------------------------------------
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:$HOME/bin
BASH_ENV=$HOME/.bashrc
USERNAME=""

export USERNAME BASH_ENV PATH
--------------------------------------------------

Using lesspipe.sh as a frontend processor to list .tar, .gzip, rpm contents, etc. It works in conjunction with the LESSOPEN env var defined in profile above. Ensure /usr/local/bin is in the $PATH.

-------------------------------------------------------------
#!/bin/sh
# This is a preprocessor for 'less'. It is used when this environment
# variable is set: LESSOPEN="|lesspipe.sh %s"

lesspipe() {
  case "$1" in
  *.tar) tar tf "$1" 2>/dev/null ;;                 # View contents of .tar and .tgz files
  *.tgz|*.tar.gz|*.tar.Z|*.tar.z) tar ztf "$1" 2>/dev/null ;;
  *.Z|*.z|*.gz) gzip -dc "$1" 2>/dev/null ;;        # View compressed files correctly
  *.zip) unzip -l "$1" 2>/dev/null ;;               # View archives
  *.arj) unarj -l "$1" 2>/dev/null ;;
  *.rpm) rpm -qpil "$1" 2>/dev/null ;;
  *.cpio) cpio --list -F "$1" 2>/dev/null ;;
  *.1|*.2|*.3|*.4|*.5|*.6|*.7|*.8|*.9|*.n|*.man)
    # man pages: format with groff if 'file' says the input is troff
    FILE=`file -L "$1"`
    FILE=`echo $FILE | cut -d ' ' -f 2`
    if [ "$FILE" = "troff" ]; then
      groff -s -p -t -e -Tascii -mandoc "$1"
    fi ;;
  *) file "$1" | grep text > /dev/null ;
    if [ $? = 1 ] ; then                            # it's not some kind of text
      strings "$1"
    fi ;;
  esac
}

lesspipe "$1"
----------------------------------------------------------

3. Taming xterm and other X packages
-------------------------------------
I normally telnet to the host and su - to root, and configure remotely. Often I lose track of which xterm belongs to which host, especially inside vi. A simple way of keeping track is to have the root xterms in different colors, set up in /root/.Xdefaults for the respective host. Run 'showrgb | less' to select colors; I am not putting the output here, it is over 750 lines long.

Tip: have a look at /usr/X11R6/man/whatis to find out about X related commands.

/etc/skel/.Xdefaults
--------------------------------------------------
! Parts (C) 1996 By Greg J. Badros
! You may use this file as specified under the GNU General Public License

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! emacs, xemacs

emacs*Background: DarkSlateGray
emacs*Foreground: Wheat
emacs*pointerColor: Orchid
emacs*cursorColor: Orchid
emacs*bitmapIcon: on
emacs*font: fixed
emacs.geometry: 80x25

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! xterm (and friends)

XTerm*highlightSelection: true
! Uncomment this to use color for the bold attribute
XTerm*VT100*colorBDMode: on
XTerm*VT100*colorBD: blue
! Uncomment this to use color for underline attribute
XTerm.VT100*colorULMode: on
XTerm.VT100*underLine: off
XTerm*VT100*colorUL: magenta
! Uncomment this to display the scrollbar
XTerm*scrollBar: true
! This resource specifies whether or not to ignore the 'alternate screen'
! of applications such as vi. When it is on, these applications will restore
! the contents of the screen when they are exited to what they were before
! they were started. When it is off, the contents of vi will remain on the
! screen after the program is quit.
XTerm.VT100.titeInhibit: true
! Uncomment this to turn off color mode in your xterms
!XTerm.VT100*colorMode: off
XTerm.VT100*dynamicColors: on
! Number of lines of scrollback to save
XTerm*saveLines: 1500
xterm*reverseWrap: true
*visualBell: true
*scrollTtyOutput: False
*scrollKey: True
Scrollbar.JumpCursor: True
------------------------------------------------------

/root/.Xdefaults (for root)
------------------------------------------------------
#ifdef COLOR
*customization: -color
#endif

emacs*Background: DarkSlateGray
emacs*Foreground: Wheat
emacs*pointerColor: Orchid
emacs*cursorColor: Orchid
emacs*bitmapIcon: on
emacs*font: fixed
emacs.geometry: 80x25

Seyon.modems: /dev/modem

xterm*background: Black
xterm*foreground: Wheat
xterm*cursorColor: Orchid
xterm*reverseVideo: false
xterm*scrollBar: true
xterm*saveLines: 5000
xterm*reverseWrap: true
xterm*font: fixed
xterm*fullCursor: true
xterm*scrollTtyOutput: off
xterm*scrollKey: on
#xterm*VT100.Translations: #override\n\
#        Prior : scroll-back(1,page)\n\
#        Next : scroll-forw(1,page)
xterm*titleBar: true
--------------------------------------------------

STILL TO DO:
------------
In xterms, I still want to be able to map the functionality of ^D (rubout under cursor) to the Delete key. At least I now have the backspace key behaving correctly, and the Delete key behaving like the backspace key.
GETTING MASQ AND A MINIMAL FIREWALL IN PLACE
********************************************

Now that we have a kernel compiled to support ip-masq, two network cards
working, and have tied down some security, let's get ip-masq and ipchains
working.

Refs:
  ip-masq HOWTO - I used v1.71 (incomplete draft), available from dranch's
    web site 'www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html'
  TrinityOS doc 'www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri'
  the ipchains HOWTO

We need to get ipmasqadm. The rpm can be retrieved from Juanjo's website
juanjox.kernelnotes.org.

The suggested approach is to include an entry in /etc/rc.d/rc.local that
calls /etc/rc.d/rc.firewall, and to create the file rc.firewall. While we
are messing in /etc/rc.d, we should ensure that all files here have 750
permissions. Use 'chmod 750 rc rc.*' in /etc/rc.d.

From a security perspective it is better to hide the version numbers and
types of programs from remote logins. Users with less than honourable
intent usually look at the version numbers and types of programs, as they
are usually aware of which exploits apply to which program type / release.
The general principle is to use the latest release of comms / network
software and not announce the fact.

Here's my rc.local.

/etc/rc.d/rc.local
------------------------------------------------------------
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/rc.d/rc.firewall ]; then
        /etc/rc.d/rc.firewall
fi

if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)

    arch=$(uname -m)
    a="a"
    case "_$arch" in
            _a*) a="an";;
            _i*) a="an";;
    esac

    # This will overwrite /etc/issue at every boot.  So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    # NOTE: we do not want users on the net with bad intent to know the OS and
    # version at the log in prompt.
    echo "" > /etc/issue
    echo "Novatek Electronics Limited" >> /etc/issue
    echo "***************************" >> /etc/issue
    echo "" >> /etc/issue
    cp -f /etc/issue /etc/issue.net
    echo "$R" >> /etc/issue
    echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
    echo "" >> /etc/issue
    echo "\l@$(uname -n)" >> /etc/issue
    echo "telnet@$(uname -n)" >> /etc/issue.net
    echo "" >> /etc/issue
    echo "" >> /etc/issue.net
fi
---------------------------------------------------------------------

Notes on rc.local

1. Do a file check on rc.firewall before calling it.

2. Heed the security advice not to let any telnet users know the package,
   release, and version that they are logging into. This further limits
   exploitation of package/release/version specific holes. Only the
   console banner (/etc/issue) carries the release and kernel version;
   /etc/issue.net, which telnetd shows to remote users, is copied before
   those lines are appended.

/etc/rc.d/rc.firewall
------------------------------------------------------------------------
#!/bin/sh
#
#/etc/rc.d/rc.firewall
#
#Created by Jonathan Marks, 5/21/99

# Do not need to do a depmod, as this is done in rc.sysinit
#/sbin/depmod -a

# Lets install the required ip_masq modules
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_user
#/sbin/modprobe ip_masq_vdolive

# Flush old firewall rules - just in case
/sbin/ipchains -F

# Masquerading firewall timeouts: tcp conns 2hrs, tcp after fin pkt 10s, udp 120s
/sbin/ipchains -M -S 7200 10 120

# Set up ipchains for a masquerading firewall
/sbin/ipchains -P forward REJECT
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

# Input chain rules
# Ignore sunrpc broadcasts from the specific source addresses.
/sbin/ipchains -A input -p udp -s 24.113.59.175 -d 255.255.255.255 111 -j REJECT
/sbin/ipchains -A input -p udp -s 24.113.43.52 -d 255.255.255.255 111 -j REJECT

# Port forwarding - first flush out any forwards - just in case
/usr/sbin/ipmasqadm portfw -f

# Add port forwarding for http, smtp and ftp to henry
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 80 -R 192.168.0.3 80
#/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 25 -R 192.168.0.3 25
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 21 -R 192.168.0.3 21

# ICQ tcp return port setup
# First to Hershel
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2000 -R 192.168.0.6 2000
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2001 -R 192.168.0.6 2001
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2002 -R 192.168.0.6 2002
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2003 -R 192.168.0.6 2003
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2004 -R 192.168.0.6 2004
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2005 -R 192.168.0.6 2005
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2006 -R 192.168.0.6 2006
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2007 -R 192.168.0.6 2007
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2008 -R 192.168.0.6 2008
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2009 -R 192.168.0.6 2009
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2010 -R 192.168.0.6 2010
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2011 -R 192.168.0.6 2011
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2012 -R 192.168.0.6 2012
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2013 -R 192.168.0.6 2013
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2014 -R 192.168.0.6 2014
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2015 -R 192.168.0.6 2015
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2016 -R 192.168.0.6 2016
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2017 -R 192.168.0.6 2017
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2018 -R 192.168.0.6 2018
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2019 -R 192.168.0.6 2019
# Secondly to Hercules
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2020 -R 192.168.0.1 2020
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2021 -R 192.168.0.1 2021
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2022 -R 192.168.0.1 2022
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2023 -R 192.168.0.1 2023
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2024 -R 192.168.0.1 2024
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2025 -R 192.168.0.1 2025
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2026 -R 192.168.0.1 2026
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2027 -R 192.168.0.1 2027
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2028 -R 192.168.0.1 2028
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2029 -R 192.168.0.1 2029
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2030 -R 192.168.0.1 2030
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2031 -R 192.168.0.1 2031
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2032 -R 192.168.0.1 2032
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2033 -R 192.168.0.1 2033
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2034 -R 192.168.0.1 2034
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2035 -R 192.168.0.1 2035
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2036 -R 192.168.0.1 2036
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2037 -R 192.168.0.1 2037
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2038 -R 192.168.0.1 2038
/usr/sbin/ipmasqadm portfw -a -P tcp -L 24.113.94.87 2039 -R 192.168.0.1 2039
------------------------------------------------------------------------

Notes on rc.firewall

1. Flush out ipchains and portfw. This is useful if this file is run
   manually after bootup (say during debugging / testing).

2. The syntax of portfw is different to that in the ip_masq HOWTO. Check
   out the ipmasqadm man page and run 'ipmasqadm portfw -h'.

3. (6/23/99) There is an ip_masq_icq module available too, see:
   http://members.tripod.com/~djsf/masq-icq/ and search the ip-masq mail
   archives from around 6/10/99 onwards: http://home.indyramp.com/lists/masq/

4. The port forwarding for ftp and http works only from the external
   network. Trying to ftp from a private host to the external ip address
   (24.113.94.87 in this case), with the intention of reaching the port
   forwarded ftp site, will not succeed. I will need to come back and find
   the reason for this - I suspect it has to do with port forwarding
   interacting with the routing table, and packets with private IP
   addresses being directed out to the external internet and being killed.
   The short answer here is to include the following in /etc/hosts on the
   private hosts: 192.168.0.254 gateway gateway.novatek.co.nz.

Now let's confirm that the settings are all ok.

Do a 'lsmod'; this is what I see:
--------------------------------------------
Module                  Size  Used by
ip_masq_user            2440   0 (unused)
ip_masq_raudio          2884   0
ip_masq_irc             1336   0 (unused)
ip_masq_ftp             2128   0
nfsd                  150212   8 (autoclean)
lockd                  30736   1 (autoclean) [nfsd]
sunrpc                 50688   1 (autoclean) [nfsd lockd]
msdos                   8176   1 (autoclean)
fat                    26228   1 (autoclean) [msdos]
--------------------------------------------
The ip_masq_... modules are installed.

Do an 'ipchains -L':
--------------------------------------------
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24        anywhere              n/a
Chain output (policy ACCEPT):
--------------------------------------------
This will be strengthened later.
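Two quick checks against the state above, as an added example that is not part of the original notes. The first parses an 'ipchains -L' listing (a constructed copy of the one just shown) and reports when the forward policy is not DENY/REJECT, when a MASQ rule covers more than the private 192.168.0.0/24 network (which would turn the gateway into a masquerading relay for anything that can reach it), or when the input policy is still the open ACCEPT default. The second decodes the IP, UDP and ONC RPC header fields from a 'tcpdump -x' hex dump (a constructed copy of the first sunrpc broadcast captured later in these notes), so that the source, destination and destination port that the input-chain rule keys on can be confirmed from the packet itself rather than from the one-line summary. All function and variable names are my own; both checks run offline on the embedded sample text.

```shell
#!/bin/sh
# Added example: audit an ipchains listing and decode a tcpdump hex dump.
# Sample input is constructed from the listings on this page.

# --- 1. Audit an 'ipchains -L' listing --------------------------------
IPCHAINS_LISTING='Chain input (policy ACCEPT):
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ 192.168.0.0/24 anywhere n/a
Chain output (policy ACCEPT):'

PRIVATE_NET=192.168.0.0/24

# Policy word (ACCEPT, DENY or REJECT) of chain $2 in listing $1.
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\)):.*/\1/p"
}

# Source column of every MASQ rule in listing $1.
masq_sources() {
    printf '%s\n' "$1" | awk '$1=="MASQ"{print $4}'
}

# Print findings; empty output means the listing matches the intent of
# rc.firewall (default-deny forward, masquerade only the private net).
audit_ipchains() {
    f=""
    fp=$(chain_policy "$1" forward)
    case "$fp" in DENY|REJECT) ;; *) f="$f forward-policy-$fp" ;; esac
    for s in $(masq_sources "$1"); do
        if [ "$s" != "$PRIVATE_NET" ]; then f="$f masq-source-$s"; fi
    done
    if [ "$(chain_policy "$1" input)" = ACCEPT ]; then f="$f input-policy-open"; fi
    printf '%s\n' "${f# }"
}

# --- 2. Decode the IPv4/UDP/RPC header of a 'tcpdump -x' hex dump -----
# First 56 bytes of the captured broadcast (constructed copy of the page's dump).
RPC_HEX='4500 0088 9667 0000 8011 4fde 1871 3baf ffff ffff 0c26 006f 0074 3a24
01d9 7ceb 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0005 0000 0001'

# Byte $2 (0-based) of hex string $1, as a decimal number.
hexbyte() {
    b=$(printf '%s' "$1" | cut -c"$(($2 * 2 + 1))-$(($2 * 2 + 2))")
    echo $((0x$b))
}
# Big-endian 16-bit and 32-bit integers and a dotted IPv4 address at byte $2.
be16() { echo $(( $(hexbyte "$1" "$2") * 256 + $(hexbyte "$1" $(($2 + 1))) )); }
be32() { echo $(( $(be16 "$1" "$2") * 65536 + $(be16 "$1" $(($2 + 2))) )); }
ipv4_at() {
    echo "$(hexbyte "$1" "$2").$(hexbyte "$1" $(($2 + 1))).$(hexbyte "$1" $(($2 + 2))).$(hexbyte "$1" $(($2 + 3)))"
}

# Print the fields the ipchains rule keys on, plus the RPC program/version/
# procedure of the call message that follows the UDP header.
rpc_fields() {
    h=$(printf '%s' "$1" | tr -d ' \n\t')
    ihl=$(( $(hexbyte "$h" 0) % 16 ))      # IP header length in 32-bit words
    proto=$(hexbyte "$h" 9)                 # 17 = UDP
    src=$(ipv4_at "$h" 12)
    dst=$(ipv4_at "$h" 16)
    udp=$((ihl * 4))                        # UDP header follows the IP header
    rpc=$((udp + 8))                        # RPC call: xid, type, rpcvers, prog, vers, proc
    printf 'proto=%s src=%s dst=%s sport=%s dport=%s rpc_prog=%s rpc_vers=%s rpc_proc=%s\n' \
        "$proto" "$src" "$dst" "$(be16 "$h" "$udp")" "$(be16 "$h" $((udp + 2)))" \
        "$(be32 "$h" $((rpc + 12)))" "$(be32 "$h" $((rpc + 16)))" "$(be32 "$h" $((rpc + 20)))"
}

# Exit 0 when the packet is a UDP broadcast to the portmapper (port 111),
# i.e. exactly what the input-chain rule in rc.firewall is written to match.
is_portmap_broadcast() {
    case "$(rpc_fields "$1")" in
        *"proto=17 "*"dst=255.255.255.255 "*"dport=111 "*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_ipchains "$IPCHAINS_LISTING"
rpc_fields "$RPC_HEX"
```

Against the listing above the audit prints only input-policy-open, which is the point the notes make ("this will be strengthened later"). On the hex dump it reports program 100000 (the portmapper) version 2 procedure 5, so the ipchains rule's match on udp/111 to 255.255.255.255 is the right shape; the RPC program being looked up through the portmapper lies beyond the 110-byte snaplen and cannot be read from this capture.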
Lastly do an 'ipmasqadm portfw -l':
--------------------------------------------
prot localaddr            rediraddr               lport    rport  pcnt  pref
TCP  cr324145-a           hercules                 2039     2039    10    10
TCP  cr324145-a           hercules                 2038     2038    10    10
TCP  cr324145-a           hercules                 2037     2037    10    10
TCP  cr324145-a           hercules                 2036     2036    10    10
TCP  cr324145-a           hercules                 2035     2035    10    10
TCP  cr324145-a           hercules                 2034     2034    10    10
TCP  cr324145-a           hercules                 2033     2033    10    10
TCP  cr324145-a           hercules                 2032     2032    10    10
TCP  cr324145-a           hercules                 2031     2031    10    10
TCP  cr324145-a           hercules                 2030     2030    10    10
TCP  cr324145-a           hercules                 2029     2029    10    10
TCP  cr324145-a           hercules                 2028     2028    10    10
TCP  cr324145-a           hercules                 2027     2027    10    10
TCP  cr324145-a           hercules                 2026     2026    10    10
TCP  cr324145-a           hercules                 2025     2025    10    10
TCP  cr324145-a           hercules                 2024     2024    10    10
TCP  cr324145-a           hercules                 2023     2023    10    10
TCP  cr324145-a           hercules                 2022     2022    10    10
TCP  cr324145-a           hercules                 2021     2021    10    10
TCP  cr324145-a           hercules                 2020     2020    10    10
TCP  cr324145-a           hershel                  2019     2019    10    10
TCP  cr324145-a           hershel                  2018     2018    10    10
TCP  cr324145-a           hershel                  2017     2017    10    10
TCP  cr324145-a           hershel                  2016     2016    10    10
TCP  cr324145-a           hershel                  2015     2015    10    10
TCP  cr324145-a           hershel                  2014     2014    10    10
TCP  cr324145-a           hershel                  2013     2013    10    10
TCP  cr324145-a           hershel                  2012     2012    10    10
TCP  cr324145-a           hershel                  2011     2011    10    10
TCP  cr324145-a           hershel                  2010     2010    10    10
TCP  cr324145-a           hershel                  2009     2009    10    10
TCP  cr324145-a           hershel                  2008     2008    10    10
TCP  cr324145-a           hershel                  2007     2007    10    10
TCP  cr324145-a           hershel                  2006     2006    10    10
TCP  cr324145-a           hershel                  2005     2005    10    10
TCP  cr324145-a           hershel                  2004     2004    10    10
TCP  cr324145-a           hershel               cfinger  cfinger    10    10
TCP  cr324145-a           hershel                  2002     2002    10    10
TCP  cr324145-a           hershel                  2001     2001    10    10
TCP  cr324145-a           hershel                  2000     2000    10    10
TCP  cr324145-a           henry                     ftp      ftp    10    10
TCP  cr324145-a           henry                     www      www    10    10
----------------------------------------------
(Port 2003 is listed as "cfinger" because ipmasqadm prints the service name
from /etc/services where one exists.)

Now, from a host (that is configured correctly) on the private network, ping
an external site, say metalab.unc.edu (choose a not so busy site or a not so
busy time). If that works, attempt to ftp to an external site from a host on
the private network; then do the same with http. Refer to the ipmasq HOWTO
to troubleshoot if there are problems.

IP MASQ AND MASQ MODULES TRACKING PROGRESS
++++++++++++++++++++++++++++++++++++++++++

IP Masq is bleeding edge technology in Linux, and there is a lot of
movement. Therefore it is especially important to track the mailing list
at: http://home.indyramp.com/lists/masq/

Currently watching progress on:

1. ICQ module: has limitations with chat/file transfers, as noted in the
   README. The current setup using portfw is working; it could be changed
   to use autofw, but that is not necessary. I'll keep my eye on the
   indyramp mailing list and http://members.tripod.com/~djsf/masq-icq/

2. QT4 and REAL AUDIO - my participation in fixing ip_masq_raudio.c

   a. To debug ip masq in the kernel, CONFIG_IP_MASQ_DEBUG must be set. I
      achieve this by adding '#define CONFIG_IP_MASQ_DEBUG 1' to
      /usr/src/linux/include/linux/config.h. With this, the contents of
      IP_MASQ_DEBUG(1-debug, "< . . .>"); statements will appear in dmesg
      when the module is loaded with a debug=1 option.

   b. The kernel needs to be completely rebuilt with the
      CONFIG_IP_MASQ_DEBUG option.

   c. Make changes to the modules in the /usr/src/linux/net/ipv4/
      directory. To build, run "make modules" from the /usr/src/linux/
      directory. When successfully built, remove the old module and
      install the new module from /usr/src/linux/net/ipv4:

         cd /usr/src/linux/net/ipv4
         rmmod ip_masq_raudio
         insmod ip_masq_raudio.o debug=1

   The problem with QT4 was that the module assumed tcp headers to be 20
   bytes long rather than using 'th->doff * 4' to calculate the tcp header
   length. The fixed source code for /usr/src/linux/net/ipv4/ip_masq_raudio.c
   for 2.2.x kernels is below. Tested on 2.2.10.
-------------------------------------------------------------------------- /* * IP_MASQ_RAUDIO - Real Audio masquerading module * * * Version: @(#)$Id: ip_masq_raudio.c,v 1.11 1998/10/06 04:49:04 davem Exp $ * * Author: Nigel Metheringham * Real Time Streaming code by Progressive Networks * [strongly based on ftp module by Juan Jose Ciarlante & Wouter Gadeyne] * [Real Audio information taken from Progressive Networks firewall docs] * [Kudos to Progressive Networks for making the protocol specs available] * * * * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. * * * Limitations * The IP Masquerading proxies at present do not have access to a processed * data stream. Hence for a protocol like the Real Audio control protocol, * which depends on knowing where you are in the data stream, you either * to keep a *lot* of state in your proxy, or you cheat and simplify the * problem [needless to say I did the latter]. * * This proxy only handles data in the first packet. Everything else is * passed transparently. This means it should work under all normal * circumstances, but it could be fooled by new data formats or a * malicious application! * * At present the "first packet" is defined as a packet starting with * the protocol ID string - "PNA". * When the link is up there appears to be enough control data * crossing the control link to keep it open even if a long audio * piece is playing. * * The Robust UDP support added in RealAudio 3.0 is supported, but due * to servers/clients not making great use of this has not been greatly * tested. RealVideo (as used in the Real client version 4.0beta1) is * supported but again is not greatly tested (bandwidth requirements * appear to exceed that available at the sites supporting the protocol). 
* * Multiple Port Support * The helper can be made to handle up to MAX_MASQ_APP_PORTS (normally 12) * with the port numbers being defined at module load time. The module * uses the symbol "ports" to define a list of monitored ports, which can * be specified on the insmod command line as * ports=x1,x2,x3... * where x[n] are integer port numbers. This option can be put into * /etc/conf.modules (or /etc/modules.conf depending on your config) * where modload will pick it up should you use modload to load your * modules. * * Fixes: * Juan Jose Ciarlante : Use control_add() for control chan * 10/15/97 - Modifications to allow masquerading of RTSP connections as * well as PNA, which can potentially exist on the same port. * Joe Rumsey * * Yoav Yerushalmi : Allow it to masquerade apple quicktime * Support multiple streams through the same * rtsp connection. * * Jonathan Marks : Fixed tcp header offset in masq_raudio_out */ #include #include #include #include #include #include #include #include #include #include #include #include #include /* #ifndef DEBUG_CONFIG_IP_MASQ_RAUDIO #define DEBUG_CONFIG_IP_MASQ_RAUDIO 0 #endif */ #define TOLOWER(c) (((c) >= 'A' && (c) <= 'Z') ? ((c) - 'A' + 'a') : (c)) #define ISDIGIT(c) (((c) >= '0') && ((c) <= '9')) struct raudio_priv_data { /* Associated data connection - setup but not used at present */ struct ip_masq *data_conn; /* UDP Error correction connection - setup but not used at present */ struct ip_masq *error_conn; /* Have we seen and performed setup */ short seen_start; short is_rtsp; }; int masq_rtsp_out (struct ip_masq_app *mapp, struct ip_masq *ms, struct sk_buff **skb_p, __u32 maddr); /* * List of ports (up to MAX_MASQ_APP_PORTS) to be handled by helper * First port is set to the default port. 
*/ int ports[MAX_MASQ_APP_PORTS] = {554, 7070, 0}; /* I rely on the trailing items being set to zero */ struct ip_masq_app *masq_incarnations[MAX_MASQ_APP_PORTS]; /* * Debug level */ #ifdef CONFIG_IP_MASQ_DEBUG static int debug=0; MODULE_PARM(debug, "i"); #endif MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_MASQ_APP_PORTS) "i"); static int masq_raudio_init_1 (struct ip_masq_app *mapp, struct ip_masq *ms) { MOD_INC_USE_COUNT; if ((ms->app_data = kmalloc(sizeof(struct raudio_priv_data), GFP_ATOMIC)) == NULL) printk(KERN_INFO "RealAudio: No memory for application data\n"); else { struct raudio_priv_data *priv = (struct raudio_priv_data *)ms->app_data; priv->seen_start = 0; priv->data_conn = NULL; priv->error_conn = NULL; priv->is_rtsp = 0; } return 0; } static int masq_raudio_done_1 (struct ip_masq_app *mapp, struct ip_masq *ms) { MOD_DEC_USE_COUNT; if (ms->app_data) kfree_s(ms->app_data, sizeof(struct raudio_priv_data)); return 0; } int masq_raudio_out (struct ip_masq_app *mapp, struct ip_masq *ms, struct sk_buff **skb_p, __u32 maddr) { struct sk_buff *skb; struct iphdr *iph; struct tcphdr *th; char *p, *data, *data_limit; struct ip_masq *n_ms; unsigned short version, msg_id, msg_len, udp_port; struct raudio_priv_data *priv = (struct raudio_priv_data *)ms->app_data; /* Everything running correctly already */ if (priv && priv->seen_start) return 0; if(priv && priv->is_rtsp) return masq_rtsp_out(mapp, ms, skb_p, maddr); skb = *skb_p; iph = skb->nh.iph; th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]); data = (char *)th + (th->doff * 4); data_limit = skb->h.raw + skb->len; if(memcmp(data, "OPTIONS", 7) == 0 || memcmp(data, "DESCRIBE", 8) == 0) { IP_MASQ_DEBUG(1-debug, "RealAudio: Detected RTSP connection\n"); /* This is an RTSP client */ if(priv) priv->is_rtsp = 1; return masq_rtsp_out(mapp, ms, skb_p, maddr); } /* Check to see if this is the first packet with protocol ID */ if (memcmp(data, "PNA", 3)) { IP_MASQ_DEBUG(1-debug, "RealAudio: not initial protocol packet - 
ignored\n"); return(0); } data += 3; memcpy(&version, data, 2); IP_MASQ_DEBUG(1-debug, "RealAudio: initial seen - protocol version %d\n", ntohs(version)); if (priv) priv->seen_start = 1; if (ntohs(version) >= 256) { printk(KERN_INFO "RealAudio: version (%d) not supported\n", ntohs(version)); return 0; } data += 2; while (data+4 < data_limit) { memcpy(&msg_id, data, 2); data += 2; memcpy(&msg_len, data, 2); data += 2; if (ntohs(msg_id) == 0) { /* The zero tag indicates the end of options */ IP_MASQ_DEBUG(1-debug, "RealAudio: packet end tag seen\n"); return 0; } IP_MASQ_DEBUG(1-debug, "RealAudio: msg %d - %d byte\n", ntohs(msg_id), ntohs(msg_len)); if (ntohs(msg_id) == 0) { /* The zero tag indicates the end of options */ return 0; } p = data; data += ntohs(msg_len); if (data > data_limit) { printk(KERN_INFO "RealAudio: Packet too short for data\n"); return 0; } if ((ntohs(msg_id) == 1) || (ntohs(msg_id) == 7)) { /* * MsgId == 1 * Audio UDP data port on client * * MsgId == 7 * Robust UDP error correction port number on client * * Since these messages are treated just the same, they * are bundled together here.... */ memcpy(&udp_port, p, 2); /* * Sometimes a server sends a message 7 with a zero UDP port * Rather than do anything with this, just ignore it! 
*/ if (udp_port == 0) continue; n_ms = ip_masq_new(IPPROTO_UDP, maddr, 0, ms->saddr, udp_port, ms->daddr, 0, IP_MASQ_F_NO_DPORT); if (n_ms==NULL) return 0; ip_masq_listen(n_ms); ip_masq_control_add(n_ms, ms); memcpy(p, &(n_ms->mport), 2); IP_MASQ_DEBUG(1-debug, "RealAudio: rewrote UDP port %d -> %d in msg %d\n", ntohs(udp_port), ntohs(n_ms->mport), ntohs(msg_id)); /* Make ref in application data to data connection */ if (priv) { if (ntohs(msg_id) == 1) priv->data_conn = n_ms; else priv->error_conn = n_ms; } ip_masq_put(n_ms); } } return 0; } /* * masq_rtsp_out * * */ int masq_rtsp_out (struct ip_masq_app *mapp, struct ip_masq *ms, struct sk_buff **skb_p, __u32 maddr) { struct sk_buff *skb; struct iphdr *iph; struct tcphdr *th; char *data, *data_limit; struct ip_masq *n_ms, *n_ms2; unsigned short udp_port; struct raudio_priv_data *priv = (struct raudio_priv_data *)ms->app_data; const char* srch = "transport:"; const char* srchpos = srch; const char* srchend = srch + strlen(srch); int state = 0; char firstport[6]; int firstportpos = 0; char secondport[6]; int secondportpos = 0; char *portstart = NULL, *portend = NULL; int diff; /* Everything running correctly already */ if (priv && priv->seen_start) return 0; skb = *skb_p; iph = skb->nh.iph; th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]); data = (char *)&th[1]; data_limit = skb->h.raw + skb->len; firstport[0] = 0; secondport[0] = 0; while(data < data_limit && state >= 0) { switch(state) { case 0: case 1: if(TOLOWER(*data) == *srchpos) { srchpos++; if(srchpos == srchend) { IP_MASQ_DEBUG(1-debug, "Found string %s in message\n", srch); state++; if(state == 1) { srch = "client_port"; srchpos = srch; srchend = srch + strlen(srch); } } } else { srchpos = srch; } break; case 2: if(*data == '=') state = 3; break; case 3: if(ISDIGIT(*data)) { portstart = data; firstportpos = 0; firstport[firstportpos++] = *data; state = 4; } break; case 4: if(*data == '-') { state = 5; } else if((*data == ';') || (*data == '\r') || (*data 
== '\n')) { portend = data - 1; firstport[firstportpos] = 0; state = -1; } else if(ISDIGIT(*data)) { firstport[firstportpos++] = *data; } else if(*data != ' ' && *data != '\t') { /* This is a badly formed RTSP message, let's bail out */ IP_MASQ_DEBUG(1-debug, "Badly formed RTSP Message\n"); return 0; } break; case 5: if(ISDIGIT(*data)) { secondportpos = 0; secondport[secondportpos++] = *data; state = 6; } else if(*data == ';') { portend = data - 1; secondport[secondportpos] = 0; state = -1; } break; case 6: if ((*data == ';') || (*data == '\r') || (*data == '\n')) { portend = data - 1; secondport[secondportpos] = 0; state = -1; } else if(ISDIGIT(*data)) { secondport[secondportpos++] = *data; } else if(*data != ' ' && *data != '\t') { /* This is a badly formed RTSP message, let's bail out */ IP_MASQ_DEBUG(1-debug, "Badly formed RTSP Message\n"); return 0; } break; } data++; } if(state >= 0) return 0; if(firstportpos > 0) { char newbuf[12]; /* xxxxx-xxxxx\0 */ char* tmpptr; udp_port = htons(simple_strtoul(firstport, &tmpptr, 10)); /* port must be even for apple -- is this a leak? 
*/ do { n_ms = ip_masq_new(IPPROTO_UDP, maddr, 0, ms->saddr, udp_port, ms->daddr, 0, IP_MASQ_F_NO_DPORT); if (n_ms==NULL) return 0; } while (ntohs(n_ms->mport) & 1); ip_masq_listen(n_ms); ip_masq_control_add(n_ms, ms); if(secondportpos > 0) { udp_port = htons(simple_strtoul(secondport, &tmpptr, 10)); n_ms2 = ip_masq_new(IPPROTO_UDP, maddr, 0, ms->saddr, udp_port, ms->daddr, 0, IP_MASQ_F_NO_DPORT); if (n_ms2==NULL) { ip_masq_put(n_ms); return 0; } ip_masq_listen(n_ms2); ip_masq_control_add(n_ms2, ms); sprintf(newbuf, "%d-%d", ntohs(n_ms->mport), ntohs(n_ms2->mport)); } else { sprintf(newbuf, "%d", ntohs(n_ms->mport)); n_ms2 = NULL; } *skb_p = ip_masq_skb_replace(skb, GFP_ATOMIC, portstart, portend - portstart + 1, newbuf, strlen(newbuf)); IP_MASQ_DEBUG(1-debug, "RTSP: rewrote client_port to %s\n", newbuf); diff = strlen(newbuf) - (portend - portstart + 1); } else { return 0; } if(priv) { /* priv->seen_start = 1; */ /* we have multiple streams to worry about, and redirects */ /* so we will be slower, but at least we'll work */ if(n_ms) priv->data_conn = n_ms; if(n_ms2) priv->error_conn = n_ms2; } /* * Release tunnels */ if (n_ms) ip_masq_put(n_ms); if (n_ms2) ip_masq_put(n_ms2); return diff; } struct ip_masq_app ip_masq_raudio = { NULL, /* next */ "RealAudio", /* name */ 0, /* type */ 0, /* n_attach */ masq_raudio_init_1, /* ip_masq_init_1 */ masq_raudio_done_1, /* ip_masq_done_1 */ masq_raudio_out, /* pkt_out */ NULL /* pkt_in */ }; /* * ip_masq_raudio initialization */ __initfunc(int ip_masq_raudio_init(void)) { int i, j; for (i=0; (itcpdump -i eth0 -xns 110 host 24.113.59.175 tcpdump: listening on eth0 13:34:48.763723 24.113.59.175.3110 > 255.255.255.255.111: udp 108 4500 0088 9667 0000 8011 4fde 1871 3baf ffff ffff 0c26 006f 0074 3a24 01d9 7ceb 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0005 0000 0001 0000 0024 0000 003b 0000 000d 3234 2e31 3133 2e35 392e 3137 3500 0000 0000 0000 0000 0000 0000 0000 13:34:52.472293 24.113.59.175.3110 > 255.255.255.255.111: udp 
108 4500 0088 9668 0000 8011 4fdd 1871 3baf ffff ffff 0c26 006f 0074 3a24 01d9 7ceb 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0005 0000 0001 0000 0024 0000 003b 0000 000d 3234 2e31 3133 2e35 392e 3137 3500 0000 0000 0000 0000 0000 0000 0000 ------------------------------------------------------------ What do I conclude here: A yp server on host 24.113.59.175 is making sunrpc (111) broadcasts. I guess attepmting to atract yp "lost soul" clients by announcing its presence. I suspect this is due to an incorrect configuration, and we do not want to be bothered by it. We create an ipchains rule to deny these packets in the input chain, and add them to /etc/rc.d/rc.firewall as follows: --------------------------------------------- # Input chain rules # Ignore sunrpc broadcasts from the specific source addresses. /sbin/ipchains -A input -p udp -s 24.113.59.175 -d 255.255.255.255 111 -j DENY /sbin/ipchains -A input -p udp -s 24.113.43.52 -d 255.255.255.255 111 -j DENY ------------------------------------------------ DNS / BIND ********** using bind-8.2.1-2.rpm This is the first time I am doing this, and trying to get an understanding of what is happening here, Like the HOWTO, I'm going to develop this section incrementally, first caching, then primary, and lastly secondary. Refs: DNS Howto V2.2, Feb 99. DNS and Bind, Second Ed, ORA. Redhat Linux Unleashed 3rd Ed. Bind documentation in http://www.isc.org/view.cgi?/products/BIND/docs/config/index.phtml TrinityOS Ch.24 "http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri" As root install the rpm. There is a lot of variation in terms of naming zone db files. The convention that I will adopt is to 1) Use the /var/named directory as default, 2) prefix all files with a db. 3) Topmost file called db.root (aka root.hints / named.ca / etc.) 4) Primary zone db files in /var/named/primary and secondary zone db files in /var/named/secondary - per the ORA book pg 142. a. 
Get a Caching Nameserver Working ================================ All a caching name server does, is find ip addresses for name queries and caches them. This makes following lookups much faster. Ensure things are correctly configured to use bind as our resolver. a. /etc/hosts.conf -------------------------------------------- order hosts,bind multi on -------------------------------------------- What does this mean: This is a standard file that tells the DNS resolver (bind (named) in our case) that is should first look in the hosts file to lookup an ip address for a name, and only if it is not there, then to use the bind nameserver. 'multi on' means that this host can have more than one ip address - ie it can be multihomed. This statement is necessary for every configuration except a stand-alone machine as any machine connected to a network has a minimum of two addresses 127.0.0.1 and the network address. b. /etc/resolv.conf ------------------------------------------- domain novatek.co.nz search gateway.novatek.co.nz novatek.co.nz nameserver 127.0.0.1 ------------------------------------------- What does this mean: Tells the resolver that the domain is novatek.co.nz. The 'domain' statement is redundant when the domain name is also present in the 'search' statement. (I include it for completeness). The purpose of the 'search' statement is to provide the nameserver a list of postfix options to append to hostnames that do not end with a period "." in the zone database files (/var/named/db.* files for example - see below). The 'nameserver' statement in this case points to our localhost nameserver. See comment on setting up Network above. c. /etc/nsswitch.conf ---------------------- In this file ensure that their is a 'hosts:' statement that speicifies files ahead of dns. The statement in my file is: hosts: files nisplus nis dns This file is an integral part of NIS, and appears as if it is required by the glib6 library. 
I wonder if host.conf is still required if we are using nsswitch.conf. A
chocolate fish for the first person to let me know and why. Also info on
the Name Services Switch in glibc can be found in
`info libc "NSS Configuration File"'

d. /etc/hosts
------------------------------------------------
127.0.0.1       localhost localhost.localdomain
192.168.0.3     ftp www ftp.novatek.co.nz www.novatek.co.nz
------------------------------------------------

The reason for the second line in /etc/hosts is that in the DNS, ftp and
www are directed to 24.113.94.87 and gateway port forwards them to
192.168.0.3. However on gateway without this setting, if we attempt to
connect to www or ftp we will connect to the external port of gateway.
For the ftp protocol we will get gateway instead of being forwarded to
192.168.0.3, and the www protocol will fail, there being no httpd running
on gateway.

Now let's get onto the actual DNS configuration.

First edit /etc/named.conf
--------------------------------------------
# /etc/named.conf
options {
        // Root directory for master (db) files.
        directory "/var/named";

        // If a lookup is not in our cache, query these nameservers
        // (usually our ISP's) before attempting to resolve.
        forward first;
        forwarders {
                24.2.10.33;
                24.2.10.34;
        };

        // may be required if this name server is behind a firewall
        // query-source address * port 53;
};

// minimum for a caching name server
zone "." {
        type hint;
        file "db.root";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
};
------------------------------------------------

What does this all mean:
+++++++++++++++++++++++

Options { directory "/var/named"; . . . makes /var/named the top level
directory for all zone database files. These are the files referred to
with the 'file' directive in the zone statements.

The "forward first; forwarders . . ." options instruct the nameserver to
send any query it cannot answer from its own cache to the nameservers
listed in 'forwarders' first.
Only if the forwarders fail to answer will the nameserver resolve the
name itself, starting from the root. This reduces overall dns traffic.

The root zone "." is where all name lookups commence. It is the only zone
where the type is "hint". The meaning of hint is (from
http://www.isc.org/view.cgi?/products/BIND/docs/config/zone.phtml)
"The initial set of root nameservers is specified using a hint zone. When
the server starts up, it uses the root hints to find a root nameserver
and get the most recent list of root nameservers." The information on how
to find the root nameservers and get desired info from them is specified
in the file 'db.root' which is kept in /var/named/db.root .

The "0.0.127.in-addr.arpa" zone is required to achieve reverse lookups
(ie. derive "localhost" when "127.0.0.1" is specified). It is a "master"
type as this DNS server is the only one that has access to the
"localhost" and 127.0.0.0 network (anything else wouldn't make sense).
The information required to do the reverse lookups is found in
/var/named/db.127.0.0.

NOTE: Be extra cautious about editing the zone db files - the location of
periods is crucial to correct operation.

Next we create the /var/named/db.root file.
++++++++++++++++++++++++++++++++++++++++++

This is done by getting it from a credible name server on the internet,
by doing the following (as root of course):

'dig @a.root-servers.net . ns > /var/named/db.root'

This process should be repeated every month or so to ensure we are up to
date
- see maintenance below.

The file looks like:
---------------------------------------------------
; <<>> DiG 8.2 <<>> @a.root-servers.net . ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33

;; Total query time: 147 msec
;; FROM: gateway.novatek.co.nz to SERVER: a.root-servers.net  198.41.0.4
;; WHEN: Sat Jul  3 16:05:12 1999
;; MSG SIZE  sent: 17  rcvd: 436
-----------------------------------------------------

What does this mean:

Looking at the first 13 entries following ;; ANSWER SECTION. This tells
us that there are 13 nameservers that can answer for the root domain "."
(that is where the .com, .edu, .nz, .ca, and so on servers are). The ttl
of 6 days behaves slightly differently to other cached data.
Here, instead of the data being discarded after its ttl expires, the
server initiates a new request to refresh its data.

Looking at the following 13 "A" records. These assign the specific IP
addresses to the designated name servers. These records have a ttl
(refresh - not discard, only in this instance) of 41 days 16 hours -
somewhat longer than the "NS" records. I guess this means that these
nameservers have less likelihood of changing their IP addresses than the
root topology of the internet changing. Makes sense - doesn't it?

In addition to this file behaving differently to other db zones, it is
the only db file that does not have a SOA (Start of Authority) RR
(Resource Record). That is because a SOA RR is used to indicate that this
nameserver is the best (authoritative) server for the zone defined in the
zone db file. Any server, other than the root servers, cannot be
authoritative for the root zone.

Finally onto the last file /var/named/db.127.0.0
----------------------------------------------------
$TTL 1D
@       IN      SOA     gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999070313      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN      NS      gateway.novatek.co.nz.
1       IN      PTR     localhost.
-----------------------------------------------------

What this means:

The "$TTL 1D" at the start sets the default time to live for all RRs in
this file, ie. how long they may be cached in other (non-authoritative)
nameservers. We select 1 day.

The purpose of a SOA record is to indicate to the nameserver that it is
the best (authoritative) nameserver for the zone (127.0.0.x in this
case). The first name after 'SOA' is the primary master nameserver for
the zone, the second is the contact mail address with the first "."
standing in for the "@". The serial number is a unique counter yyyymmddnn
comprising a date followed by two digits. Each time this file is updated
the date should be updated and nn represents the nth update on that day;
slaves only transfer the zone when the serial has increased, so
forgetting to bump it means they keep serving the old data. Refresh is
the time between slave refreshes. If the refresh fails, retry is the
period between further attempts to update.
Expire is the time since the last successful refresh after which the
slave discards the zone and stops answering for it. The last field,
labelled "min TTL" here for historical reasons, is (per RFC 2308, which
BIND 8.2 follows) the negative caching TTL: how long other nameservers
may cache a "no such name" answer for this zone. The default TTL for
ordinary records comes from the $TTL line above.

The NS RR indicates that this host is the nameserver. The PTR record
indicates that "1" (127.0.0.1) points back to the local host.

Now we are ready to test our Caching name server configuration.

In one window do a 'tail -f /var/log/messages', and in another window,
simply as root, '/etc/rc.d/init.d/named restart'

In the logging window, you should see -
------------------------------------------------------------
Jul  3 21:06:27 gateway named[5194]: starting.  named 8.2.1 Thu Jun 24 08:34:16 EDT 1999 ^Iroot@hyland.magenet.com:/usr/src/redhat/BUILD/src/bin/named
Jul  3 21:06:27 gateway named[5194]: hint zone "" (IN) loaded (serial 0)
Jul  3 21:06:27 gateway named[5194]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 1999070313)
Jul  3 21:06:27 gateway named[5194]: listening on [127.0.0.1].53 (lo)
Jul  3 21:06:27 gateway named[5194]: listening on [24.113.94.87].53 (eth0)
Jul  3 21:06:27 gateway named[5194]: listening on [192.168.0.254].53 (eth1)
Jul  3 21:06:27 gateway named[5194]: Forwarding source address is [0.0.0.0].53
Jul  3 21:06:27 gateway named[5195]: Ready to answer queries.
--------------------------------------------------------------

Note the third "listening on" line: at this stage named also answers on
the external interface, and with no access controls in named.conf it
will do recursive lookups for anyone on the internet who asks. The
listen-on option (see the primary nameserver configuration below)
restricts the addresses, and BIND 8.2's allow-recursion option restricts
who may use the server recursively; the firewall should also block port
53 on eth0 until you actually intend to serve zones to the world.

Now continuing with the testing. The documentation suggests just running
'nslookup'. However if there was perhaps a 'named' running previously
(perhaps even configured incorrectly) it could have picked up and cached
another nameserver (likely your ISP's from resolv.conf), and it will take
time to flush that out of the cache. The following sequence of commands
demonstrates it is working.

-----------------------------------------------
root@gateway:/etc>nslookup
Default Server:  proxy1.rdc1.bc.wave.home.com
Address:  24.2.10.33

> ^d
root@gateway:/etc>nslookup - localhost.
Default Server:  localhost
Address:  127.0.0.1

> ora.com
Server:  localhost
Address:  127.0.0.1

Name:    ora.com
Address:  204.148.40.9

> ora.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    ora.com
Address:  204.148.40.9

> 127.0.0.1
Server:  localhost
Address:  127.0.0.1

Name:    localhost
Address:  127.0.0.1

> ^d
---------------------------------------------

Note that the second time ora.com is queried, we get the localhost
nameserver's cached result (hence "Non-authoritative answer"). Also the
reverse lookup for localhost works.

b. Configuring a Primary Nameserver
++++++++++++++++++++++++++++++++++++

The reason why anyone would want to implement their own primary
nameserver is because no one else is doing it for them, or they want to
do it themselves. The nameservers' (primary and secondary) IP addresses
are registered with the DNS authority that issued your domain name. Any
DNS query for a domain name that reaches the parent DNS authority will
refer the query on to the registered nameservers, either primary or
secondary. When setting up a primary name server it is necessary to set
up at least one (geographically separate) secondary server for
redundancy. www.granitecanyon.com are a great organisation offering this
service publicly for free.

/etc/named.conf is updated to the following:
----------------------------------------------------------------
# /etc/named.conf
options {
        // Root directory for master (db) files.
        directory "/var/named";

        // If a lookup is not in our cache, query our ISP's nameservers
        // before attempting to resolve.
        forward first;
        forwarders {
                24.2.10.33;
                24.2.10.34;
        };

        // only accept DNS requests on port 53 and valid IP addresses
        listen-on port 53 {
                127.0.0.1;          // localhost
                192.168.0.254;      // internal network interface
                24.113.94.87;       // external network interface
        };

        // may be required if this name server is behind a firewall
        // query-source address * port 53;
};

// The next two zones are the minimum required for a caching nameserver.
zone "." {
        type hint;
        file "db.root";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        notify no;
        file "db.127.0.0";
};

// Master (primary) serving zones
zone "novatek.co.nz" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;     // ns1.granitecanyon.com
                140.200.128.13;     // ns1.waikato.ac.nz
                127.0.0.1;
                192.168.0/24;
                24.113.94.87;
        };
        file "primary/db.novatek.co.nz";
};

zone "cmex.org" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;     // ns1.granitecanyon.com
                127.0.0.1;
                192.168.0/24;
                24.113.94.87;
        };
        file "primary/db.cmex.org";
};

zone "web-statements.com" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;     // ns1.granitecanyon.com
                127.0.0.1;
                192.168.0/24;
                24.113.94.87;
                24.113.94.163;
        };
        file "primary/db.web-statements.com";
};

zone "0.168.192.in-addr.arpa" {
        type master;
        notify no;
        allow-transfer { none; };
        file "primary/db.192.168.0";
};

zone "87.94.113.24.in-addr.arpa" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;     // ns1.granitecanyon.com
                140.200.128.13;     // ns1.waikato.ac.nz
                127.0.0.1;
                192.168.0/24;
                24.113.94.87;
        };
        file "primary/db.24.113.94.87";
};

zone "163.94.113.24.in-addr.arpa" {
        type master;
        notify yes;
        allow-transfer {
                205.166.226.38;     // ns1.granitecanyon.com
                127.0.0.1;
                192.168.0/24;
                24.113.94.87;
                24.113.94.163;
        };
        file "primary/db.24.113.94.163";
};
---------------------------------------------------

The additions to the caching nameserver configuration are the:

i. listen-on
=============

We can never take enough security precautions. named only listens on
port 53 on the designated ip addresses. Note that this restricts which
addresses named accepts queries on, not who may send them: the external
address has to be listed so that the world can query our zones, and with
nothing more the world can also use this server for recursive lookups of
any name. BIND 8.2 has allow-recursion (and allow-query) for limiting
that to localhost and the private network.
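The zone files for these zones are listed under iv. below, and the NOTE in the caching section about the location of periods applies to every one of them. The following is an added example (not part of the original worksheet) of a small lint pass to run over a db.* file before loading it into named. It parses the master file format used here (directives, '@', blank-owner continuation lines, ';' comments and parenthesised SOA records) and reports domain names in NS/MX/CNAME/PTR/RP/SOA rdata that look fully qualified but lack the trailing period, which named would silently complete with the zone origin a second time, as well as SOA serials that are not in the yyyymmddnn form adopted here. The sample zone is a constructed copy of the reverse zone for 24.113.94.87 with the RP names written without trailing periods, an easy mistake in a reverse zone because the names belong to a different domain than the origin.

```python
"""Lint BIND master files for the "where are the periods" mistakes.

Added example, not part of the original worksheet. It only reads text and
never loads anything into named.
"""
import re

# rdata fields (0-based) that are domain names, per record type
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1],
               "RP": [0, 1], "SOA": [0, 1]}
SERIAL_RE = re.compile(r"^(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}$")
TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")

# Constructed copy of db.24.113.94.87 from this section, with the RP names
# left unqualified (no trailing period).
BUGGY_ZONE = """\
$TTL 1D
@       IN      SOA     gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999072301      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN      NS      ns1.novatek.co.nz.
        IN      NS      ns1.granitecanyon.com.
        IN      RP      jon.novatek.co.nz hostmaster.novatek.co.nz
        IN      TXT     "contact: hostmaster (constructed sample)"
87.94.113.24.in-addr.arpa.  IN  PTR  gateway.novatek.co.nz.
"""
FIXED_ZONE = BUGGY_ZONE.replace("jon.novatek.co.nz hostmaster.novatek.co.nz",
                                "jon.novatek.co.nz. hostmaster.novatek.co.nz.")


def records(text):
    """Yield (owner, type, rdata) for every RR in a master file."""
    logical, depth = [], 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0].rstrip()          # drop comments
        if depth == 0:
            logical.append(code)
        else:
            logical[-1] += " " + code.strip()         # inside ( ... )
        depth += code.count("(") - code.count(")")
    owner = "@"
    for line in logical:
        if not line.strip():
            continue
        toks = line.replace("(", " ").replace(")", " ").split()
        if toks[0].startswith("$"):
            continue                                  # $TTL, $ORIGIN, $INCLUDE
        if not line[0].isspace():
            owner = toks.pop(0)                       # new owner, else inherit
        if toks and TTL_RE.match(toks[0]):
            toks.pop(0)                               # optional per-record TTL
        if toks and toks[0].upper() in ("IN", "CH", "HS"):
            toks.pop(0)                               # optional class
        if toks:
            yield owner, toks[0].upper(), toks[1:]


def lint_zone(origin, text):
    """Return a list of findings for the zone `origin` (empty means clean)."""
    findings = []
    for owner, rtype, rdata in records(text):
        if rtype == "SOA" and len(rdata) >= 3 and not SERIAL_RE.match(rdata[2]):
            findings.append("SOA serial %r is not yyyymmddnn" % rdata[2])
        for idx in NAME_FIELDS.get(rtype, []):
            if idx >= len(rdata):
                findings.append("%s %s: too few rdata fields" % (owner, rtype))
                continue
            name = rdata[idx]
            # two or more labels without a trailing period is almost always a
            # forgotten period rather than a genuinely relative name
            if not name.endswith(".") and name.count(".") >= 2:
                findings.append("%s %s: %r lacks a trailing period; named will serve %s.%s."
                                % (owner, rtype, name, name, origin))
    return findings


if __name__ == "__main__":
    for label, zone in (("buggy", BUGGY_ZONE), ("fixed", FIXED_ZONE)):
        print("%s: %s" % (label, lint_zone("87.94.113.24.in-addr.arpa", zone) or "ok"))
```

Run it with the zone's origin (the name from the zone statement in named.conf) as the first argument; the finding text shows the doubled name exactly as named would otherwise serve it, which is what you would see in the ls -d listing later in this section.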
ii. allow-transfer option
=========================

This option restricts zone transfers (AXFR, the mechanism the secondaries
use to copy the whole zone) of a 'type master' zone to the listed ip
addresses. It is independent of 'notify', which only controls whether the
secondaries are told when the zone changes. By default (without this
option) anybody from any ip address can pull the zone info, ie. a complete
list of our hosts and addresses. This option restricts access to only
those specified ip addresses. This has been implemented selectively on a
zone by zone basis in the primary zones.

iii. Adding the primary zones
=============================

We added three zones of our own, one for novatek.co.nz - the domain name,
one for 192.168.0.x, our private addresses for reverse lookup, and the
last, 24.113.94.87, for reverse lookup of our static ip address.

iv. Supporting multiple Domain Names
=====================================

Named supports multiple domain names off the same ip address. This is
achieved by adding primary zones and master db files for each domain
name. cmex.org and web-statements.com in this case.

The db (master) files for the three zones are:

/var/named/primary/db.novatek.co.nz
---------------------------------------------------------------------
$TTL 1D
@       IN      SOA     gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999072402      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN      NS      ns1
        IN      NS      ns1.granitecanyon.com.
        IN      NS      ns1.waikato.ac.nz.
        IN      RP      jon.novatek.co.nz. hostmaster.novatek.co.nz.
        IN      TXT     "Jonathan Marks - Fax (707) 221-3689"
        IN      MX      10 mail

localhost   IN  A       127.0.0.1
            IN  MX      10 mail
hercules    IN  A       192.168.0.1
            IN  MX      10 mail
spare1      IN  A       192.168.0.2
            IN  MX      10 mail
henry       IN  A       192.168.0.3
            IN  MX      10 mail
spare2      IN  A       192.168.0.4
            IN  MX      10 mail
beatroot    IN  A       192.168.0.5
            IN  MX      10 mail
hershel     IN  A       192.168.0.6
            IN  MX      10 mail
gateway     IN  A       192.168.0.254
            IN  A       24.113.94.87
            IN  MX      10 mail

; specific multihomed i/f's
gw-int      IN  A       192.168.0.254
gw-ext      IN  A       24.113.94.87
mail        IN  A       24.113.94.87
ns1         IN  A       24.113.94.87
ftp         IN  A       24.113.94.87
www         IN  A       24.113.94.87
novatek.co.nz.  IN  A   24.113.94.87

; Aliases
gw          IN  CNAME   gateway
--------------------------------------------------------------------

Okay, let's explain what is going on here:

We should know about SOA RRs now. The three NS RRs are for the primary
and secondary nameservers for this zone. The next RP and TXT RRs provide
information to Granite Canyon because they want it. Next we want our MX
record for MTAs. We also want to include a MX record for each host. See
pg 94 of ORA's "DNS and BIND".

As 'gateway' is multihomed, it has 2 ip addresses. It is also a good idea
to define separate names 'gw-int' and 'gw-ext' to access each port
separately. This is especially necessary for 'www' and 'ftp' which we
only want being accessed from the outside. See pg 64 of ORA's "DNS and
BIND".

The reason why we want ns1, www, ftp, and mail to be A RRs and not CNAME
RRs is that external connects will then not see these names as aliases
to gateway, but as the absolute address. Local accesses to these names
connect to the external interface (eth0 instead of eth1) - hence the
/etc/hosts entries above. Note also that the 192.168.0.x addresses of
the internal hosts are published in this zone to the whole internet.
They are unreachable from outside, but they do tell an outsider the names
and layout of the private network; a separate internal-only zone is the
usual way to avoid that.

The reverse lookup zone database for 192.168.0.x

/var/named/primary/db.192.168.0
-----------------------------------------------------------------------
$TTL 1D
@       IN      SOA     gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999070314      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN      NS      ns1.novatek.co.nz.
        IN      NS      ns1.granitecanyon.com.
        IN      NS      ns1.waikato.ac.nz.
1       IN      PTR     hercules.novatek.co.nz.
2       IN      PTR     spare1.novatek.co.nz.
3       IN      PTR     henry.novatek.co.nz.
4       IN      PTR     spare2.novatek.co.nz.
5       IN      PTR     beatroot.novatek.co.nz.
6       IN      PTR     hershel.novatek.co.nz.
--------------------------------------------------------------------------

And the reverse lookup zone database for my ip address:

/var/named/primary/db.24.113.94.87
--------------------------------------------------------------------------
$TTL 1D
@       IN      SOA     gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999072301      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN      NS      ns1.novatek.co.nz.
        IN      NS      ns1.granitecanyon.com.
        IN      NS      ns1.waikato.ac.nz.
        IN      RP      jon.novatek.co.nz. hostmaster.novatek.co.nz.
        IN      TXT     "Jonathan Marks - Fax (707) 221-3689"
87.94.113.24.in-addr.arpa.  IN  PTR  gateway.novatek.co.nz.
---------------------------------------------------------------------------

Note that in a reverse zone the RP names must carry trailing periods.
Without them named appends the zone origin and serves
jon.novatek.co.nz.87.94.113.24.in-addr.arpa. instead.

Note that db.24.113.94.87 will not give gateway.novatek.co.nz as it
should. This is because my upstream isp has an entry for this ip address
in its 94.113.24 zone master file, and is not happy to release
(delegate) it. This is not the end of the world, things still work as a
reverse lookup will still return a name; a pity it is not what I want,
but it is what my isp has assigned me.

Finally one of the two other domain names being hosted by named, shown
here as an example.

/var/named/primary/db.cmex.org
---------------------------------------------------------------------------
$TTL 1D
@       IN      SOA     gateway.novatek.co.nz. hostmaster.novatek.co.nz. (
                        1999081904      ; serial
                        8H              ; refresh
                        2H              ; retry
                        1W              ; expire
                        1D )            ; min TTL
        IN      NS      ns1.novatek.co.nz.
        IN      NS      ns1.granitecanyon.com.
        IN      RP      jon.novatek.co.nz. hostmaster.novatek.co.nz.
        IN      TXT     "Jonathan Marks - Fax (707) 221-3689"
        IN      MX      10 mail
mail        IN  A       24.113.94.87
ftp         IN  A       24.113.94.87
www         IN  A       24.113.94.87
cmex.org.   IN  A       24.113.94.87
---------------------------------------------------------------------------

To check what is going on restart named with
'/etc/rc.d/init.d/named restart' and we should see something like:
------------------------------------------------------------------
Feb 13 00:52:55 gateway named[26133]: starting.
named 8.2.2-P5 Mon Jan 31 16:45:28 EST 2000 ^Iroot@porky.devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.2_P5/src/bin/named
Feb 13 00:52:55 gateway named[26133]: hint zone "" (IN) loaded (serial 0)
Feb 13 00:52:55 gateway named[26133]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 1999070314)
Feb 13 00:52:55 gateway named[26133]: master zone "novatek.co.nz" (IN) loaded (serial 1999081903)
Feb 13 00:52:55 gateway named[26133]: master zone "cmex.org" (IN) loaded (serial 1999081904)
Feb 13 00:52:55 gateway named[26133]: master zone "web-statements.com" (IN) loaded (serial 1999081903)
Feb 13 00:52:55 gateway named[26133]: master zone "0.168.192.in-addr.arpa" (IN) loaded (serial 1999070315)
Feb 13 00:52:55 gateway named[26133]: master zone "87.94.113.24.in-addr.arpa" (IN) loaded (serial 1999072302)
Feb 13 00:52:55 gateway named[26133]: master zone "163.94.113.24.in-addr.arpa" (IN) loaded (serial 1999072302)
Feb 13 00:52:55 gateway named[26133]: listening on [127.0.0.1].53 (lo)
Feb 13 00:52:55 gateway named[26133]: listening on [24.113.94.87].53 (eth0)
Feb 13 00:52:55 gateway named[26133]: listening on [192.168.0.254].53 (eth1)
Feb 13 00:52:55 gateway named[26133]: Forwarding source address is [0.0.0.0].2223
Feb 13 00:52:55 gateway named: named startup succeeded
Feb 13 00:52:56 gateway named[26134]: Ready to answer queries.
Feb 13 00:53:07 gateway named[26134]: Sent NOTIFY for "87.94.113.24.in-addr.arpa IN SOA" (87.94.113.24.in-addr.arpa); 1 NS, 1 A
Feb 13 00:53:11 gateway named[26134]: Sent NOTIFY for "web-statements.com IN SOA" (web-statements.com); 1 NS, 1 A
Feb 13 00:53:15 gateway named[26134]: Sent NOTIFY for "163.94.113.24.in-addr.arpa IN SOA" (163.94.113.24.in-addr.arpa); 1 NS, 1 A
Feb 13 00:53:16 gateway named[26134]: Sent NOTIFY for "cmex.org IN SOA" (cmex.org); 1 NS, 1 A
Feb 13 00:53:22 gateway named[26134]: Sent NOTIFY for "novatek.co.nz IN SOA" (novatek.co.nz); 2 NS, 2 A
Feb 13 00:53:22 gateway named[26134]: Received NOTIFY answer from 140.200.128.13 for "novatek.co.nz IN SOA"
Feb 13 00:53:34 gateway named[26134]: Sent NOTIFY for "87.94.113.24.in-addr.arpa IN SOA" (87.94.113.24.in-addr.arpa); 2 NS, 2 A
-------------------------------------------------------------

As a further test check out some domain names using nslookup, as with
the caching nameserver.

We could list the DNS database as it resides inside named. We could get
this from any of the nameservers if they allow transfers out to us. We
can get transfers from ns1.novatek.co.nz and ns1.granitecanyon.com, not
ns1.waikato.ac.nz. Note that 'ls -d' is a zone transfer (AXFR), exactly
what allow-transfer above restricts, so repeating it from a host that is
not in the list is the way to confirm the restriction works: named
should refuse it (BIND 8 logs the refused transfer as "unapproved AXFR")
and nslookup should report that the transfer failed.

--------------------------------------------------------------
> server ns1.novatek.co.nz.
Default Server:  ns1.novatek.co.nz
Address:  24.113.94.87

> ls -d novatek.co.nz
[ns1.novatek.co.nz]
$ORIGIN novatek.co.nz.
@                       1D IN SOA       gateway hostmaster (
                                        1999081903      ; serial
                                        8H              ; refresh
                                        2H              ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        ns1
                        1D IN NS        ns1.granitecanyon.com.
                        1D IN NS        ns1.waikato.ac.nz.
                        1D IN MX        10 mail
                        1D IN TXT       "Jonathan Marks - Fax (707) 221-3689"
                        1D IN RP        jon hostmaster
                        1D IN A         24.113.94.87
gw                      1D IN CNAME     gateway
gw-ext                  1D IN A         24.113.94.87
gw-int                  1D IN A         192.168.0.254
henry                   1D IN MX        10 mail
                        1D IN A         192.168.0.3
mail                    1D IN A         24.113.94.87
spare1                  1D IN MX        10 mail
                        1D IN A         192.168.0.2
localhost               1D IN MX        10 mail
                        1D IN A         127.0.0.1
www                     1D IN A         24.113.94.87
gateway                 1D IN MX        10 mail
                        1D IN A         24.113.94.87
                        1D IN A         192.168.0.254
spare2                  1D IN MX        10 mail
                        1D IN A         192.168.0.4
beatroot                1D IN MX        10 mail
                        1D IN A         192.168.0.5
ns1                     1D IN A         24.113.94.87
ftp                     1D IN A         24.113.94.87
hercules                1D IN MX        10 mail
                        1D IN A         192.168.0.1
hershel                 1D IN MX        10 mail
                        1D IN A         192.168.0.6
@                       1D IN SOA       gateway hostmaster (
                                        1999081903      ; serial
                                        8H              ; refresh
                                        2H              ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
--------------------------------------------------------------

c. Configuring a Secondary Nameserver
++++++++++++++++++++++++++++++++++++++

To configure as a secondary nameserver for someone else's primary
nameserver we add additional zone info to our named.conf file. For
example an excerpt from named.conf could be:

------------------------------------------------------
zone "somewhere.outthere.com" {
        type slave;
        file "secondary/db.somewhere.outthere.com";
        masters { 123.123.123.123; };
};
---------------------------------------------------------

A slave answers for the zone exactly as the master does, including
answering zone transfer requests, so a slave zone wants the same
allow-transfer restriction as the master zones above; otherwise the
master's restriction is undone by its secondary.

d. DNS Periodic Maintenance
++++++++++++++++++++++++++++

Once DNS is running, we need to periodically (say, once a month) update
the hints database. The following script is plagiarised from the DNS
HOWTO and TrinityOS.

/var/named/update-db.root
------------------------------------------------------------------
#!/bin/sh
#
# Update the nameserver cache information file once per month.
# This is run automatically by a cron entry.
#
# Note the PATH has no trailing colon: a trailing (or empty) element in
# PATH means "the current directory", which a root cron job must never
# search.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

cd /var/named || exit 1
dig @a.root-servers.net . ns > root.hints 2> result

DIG_OUTCOME=FAIL
# Only install the new file if dig did not report SERVFAIL and the
# answer actually contains root server records.
if [ `grep -c SERVFAIL root.hints` = 0 ] && [ `grep -c ROOT-SERVERS root.hints` -gt 0 ]
then
        DIG_OUTCOME=SUCCESS
        mv -f db.root db.root.old
        cp -f root.hints db.root
        chown root:root db.root
        chmod 444 db.root
        echo -n "Restarting named: " >> result
        /etc/rc.d/init.d/named restart >> result
fi

(
        echo "To: hostmaster"
        echo "From: system"
        echo "Subject: DNS monthly db.root update status: $DIG_OUTCOME."
        echo
        cat root.hints result
        echo
) | /usr/sbin/sendmail -t

rm -f result root.hints
exit 0
---------------------------------------------------------------

The answer arrives over plain, unauthenticated UDP, so the two greps are
the only sanity check; it is worth reading the mailed file against
db.root.old (which the script keeps) before trusting a new set of root
servers.

Now make the file rwx only by root.
'chmod 700 /var/named/update-db.root'

And put it in the monthly cron job.
'ln -s /var/named/update-db.root /etc/cron.monthly/update-db.root'

MAILING
*******

References:
    TrinityOS - chapters 25 and 18
    ORA's Sendmail, Second Ed Jan 97, specifically
        Ch. 5  - to convince yourself to use m4 rather than edit the cf file
        Ch. 19 - Background to m4
        Ch. 21 - DNS and Sendmail
        Ch. 22 - on Security
        Ch. 24 - on Aliases
        Ch. 27 - the .cf file for the adventurous
        Ch. 34.4, 34.6, 34.8 - Configuration options
    Sendmail website www.sendmail.org/ look at pages
        m4/readme.html
        m4/masquerading.html
        virtual-hosting.html
    /usr/lib/sendmail-cf/cf/README

If you want to do virtual email hosting, have a look at the changes to
this configuration in the virtual hosting worksheet,
http://jon.novatek.co.nz/config/virtual

Currently setup for sendmail 8.9.3-11. I have installed sendmail,
sendmail-cf and sendmail-doc.

NOTE: I found my computer hung during reboot while attempting to start
Sendmail before it was configured. To disable, I booted with the rescue
disk, mounted the harddisk and changed the 'S' to 'K' in the sendmail
startup file in /etc/rc.d/rc3.d/. Remember to 'sync' a few times before
rebooting without the diskette. This is a known problem with RedHat; if
you are patient, sendmail will time out after about 5 minutes.
Step 1:
======

Add all the host aliases to /etc/sendmail.cw
------------------------------------------------------------
# sendmail.cw - include all aliases for your machine here.
novatek.co.nz
mail.novatek.co.nz
ns1.novatek.co.nz
gateway.novatek.co.nz
ftp.novatek.co.nz
www.novatek.co.nz
-------------------------------------------------------------

Step 2:
======

Edit /etc/sendmail.mc. This is what mine looks like now:
----------------------------------------------------------------------
divert(-1)
dnl This is the macro config file used to generate the /etc/sendmail.cf
dnl file. If you modify this file you will have to regenerate the
dnl /etc/sendmail.cf by running this macro config through the m4
dnl preprocessor:
dnl
dnl        m4 /etc/sendmail.mc > /etc/sendmail.cf
dnl
dnl You will need to have the sendmail-cf package installed for this to
dnl work.
include(`/usr/lib/sendmail-cf/m4/cf.m4')
define(`confDEF_USER_ID',``8:12'')
VERSIONID(`@(#)novatek.m4 8.10 (Novatek) July 25, 99')
OSTYPE(`linux')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confAUTO_REBUILD')
define(`confTO_CONNECT', `1m')
define(`confTRY_NULL_MX_LIST',true)
define(`confDONT_PROBE_INTERFACES',true)
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')
dnl
dnl Redefine options for security. Hide sendmail's identity and
dnl version, and tighten up the privacy options
dnl
define(`confSMTP_LOGIN_MSG', `$j spoken here; $b')
define(`confPRIVACY_FLAGS', `goaway')
dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')
FEATURE(redirect)
FEATURE(always_add_domain)
FEATURE(use_cw_file)
FEATURE(local_procmail)
MAILER(procmail)
MAILER(smtp)
MASQUERADE_AS(novatek.co.nz)
MASQUERADE_DOMAIN(novatek.co.nz)
FEATURE(masquerade_entire_domain)
FEATURE(rbl)
FEATURE(`access_db')
FEATURE(`blacklist_recipients')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam.
dnl However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')
dnl FEATURE(`relay_based_on_MX')
-------------------------------------------------------------------------

Comments and what I've done.
===========================

Reading the refs above will certainly help understanding! I used the
existing /etc/sendmail.mc.

1. Edit VERSIONID - give it some uniqueness to your identity - highlights
   your mods in the sendmail.cf file.

2. Enhance security by hiding the MTA's version and identity when hosts
   connect - confSMTP_LOGIN_MSG and confPRIVACY_FLAGS.

3. Ensure FEATURE(`virtusertable' . . . ) exists - necessary if you want
   to redirect emails, host other email domains and receive unknown
   names to a domain name ie *@xyz.com.

4. Per TrinityOS add MASQUERADE_AS, MASQUERADE_DOMAIN and
   FEATURE(masqu. . .) to get only the domain name in email message
   headers.

5. We have a permanent connection so comment out
   FEATURE(`accept_unresolvable_domains').

Then we need to recreate the sendmail.cf file. I do this as root.

mv /etc/sendmail.cf /etc/sendmail.cf.orig     # always a good idea
m4 /etc/sendmail.mc > /etc/sendmail.cf
/etc/rc.d/init.d/sendmail stop

I then run sendmail -bt -d to see what I have done, ^D to exit, then:

/etc/rc.d/init.d/sendmail start

To check, I do a 'telnet mail 25' and get the following:
-------------------------------------------------------
Trying 24.113.94.87...
Connected to gateway.novatek.co.nz.
Escape character is '^]'.
220 gateway.novatek.co.nz ESMTP spoken here; Sun, 1 Aug 1999 12:50:26 -0700
^]
telnet>quit
connection closed
------------------------------------------------------------------

The banner no longer names the MTA or its version; only the hostname
and the date remain. Sendmail is configured by default not to relay
mail. This is to prevent anybody spamming through your MTA, or assuming
this domain's identity to send mail, etc. This is a good thing. However,
in this configuration we cannot send mail out of our domain either.
Any mail sent out of our domain will be bounced with the following
message.
-----------------------------------------------------------
From:           Mail Delivery System <>
To:             Self
Subject:        Mail Delivery Failure.
Date sent:      Mon, 2 Aug 1999 08:08:54

Delivery has failed on the enclosed message for the following reasons
reported either by the mail delivery system on the mail relay host or by
the local TCP/IP transport module:

  550 ... Relaying denied

Your original mail message follows:
--------------------------------------------------------

The simplest way to fix this is to create a file '/etc/mail/relay-domains'
into which we list all the domains for which we will be relaying. Mine
looks like
--------------------------
novatek.co.nz
--------------------------

Remember to '/etc/rc.d/init.d/sendmail restart' for this to take effect.

Note that a domain name in relay-domains is matched against the name the
connecting host's address reverse-resolves to, so the decision rests on
DNS. Since the access_db feature is enabled above, the same permission
can instead be granted by network address (a RELAY entry for 192.168.0
in /etc/mail/access), which does not depend on reverse lookups.

To get the pop server ("mailboxes") running, simply ensure the following
lines exist and are uncommented in /etc/inetd.conf.
---
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
----

Leave pop-2 commented out, unless you specifically use it. Next
'killall -HUP inetd' to re-read the configuration. Both ipop3d and
imapd take the user's password in clear text, which is one more reason
to let only the private network reach them (tcp-wrappers below, and the
firewall).

Setting up mailboxes, aliases and virtual users
+++++++++++++++++++++++++++++++++++++++++++++++

A mailbox is a user account with access to its spool directory through
the pop or imap daemon. We want to restrict "mailbox only" users from
logging on for 'other' purposes. Things to do here:

1. tcp-wrappers in a mostly closed configuration, only allow access to
   those host IPs/domains for the pop3 and imap daemon. As I only want
   hosts on my local domain to access boxes, I add the following to my
   hosts.allow file.

----
# Give access to all on local host
ALL: 127.0.0.1, 24.113.94.87, 192.168.0.254
# Give access to all on private network
ipop3d: .novatek.co.nz
ALL: hershel.novatek.co.nz, henry.novatek.co.nz
-----

Remember to killall -HUP inetd for this to take effect. Two things to
keep in mind: hosts.allow only closes anything if /etc/hosts.deny
contains "ALL: ALL", since tcpd permits whatever neither file mentions;
and the name-based entries depend on the client's address
reverse-resolving to that name (tcpd also checks that the name resolves
back to the address), which for the private hosts is satisfied by our
own db.192.168.0 zone.
2. We do not want "mailbox only" users telnetting into the box and
   snooping around, even if they are trusted. Therefore I changed the
   login shell in the passwd file for such users to
   '/usr/local/bin/restricted_login', eg. - using adduser.

---------------------------------------------
bingo:x:503:503::/home/bingo:/bin/bash
novatek:x:504:231::/home/novatek:/usr/local/bin/restricted_login
---------------------------------------------

NOTE: group 231 is defined as popusers for RedHat Linux 6.0.

For those who want to let the system do things, there is 'userconf'. You
will end up needing to edit the file to get the
/usr/local/bin/restricted_login unless you enter the user as a regular
user.

/usr/local/bin/restricted_login looks like
-----------------------------------------------------
#!/bin/sh
# Login shell for mailbox-only accounts: say why, then refuse the session.
echo "This is a restricted access account"
exit 1
-----------------------------------------------------

and has 755 permissions. Because this "shell" is not listed in
/etc/shells, ftpd (and chsh) will refuse these accounts as well, which
is what we want. It does nothing about services that do not run a shell
at all: ipop3d and imapd authenticate against the same password file and
go on working, which is the whole point.

Now let's confirm everything is okay in the /etc/aliases file. For
security purposes, ensure this file has chmod 700 permissions.
---------------------------------------------------------------------
#
#       @(#)aliases     8.2 (Berkeley) 3/5/94
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
daemon:         root
games:          root
ingres:         root
nobody:         root
system:         root
toor:           root
uucp:           root

# Well-known aliases.
manager:        root
dumper:         root
operator:       root

# trap decode to catch security attacks
decode:         root

# Person who should get root's mail
root:           novatek

# Direct the various masters to root
FaxMaster:      root
----------------------------------------------------------------------

FaxMaster was added by Hylafax.
Redirect root to the existing novatek account. Note that the host address of
this box is gateway.novatek.co.nz for mail, not novatek.co.nz. Therefore any
aliases to other users on this host will only work for mail between users on
this host, and not for receiving mail addressed to @novatek.co.nz, which is
looked up in the virtusertable (below) before any alias is considered. Once
this file is edited, run newaliases for it to take effect. This step is not
necessary if restarting sendmail using '/etc/rc.d/init.d/sendmail restart'.

Note that novatek, jonathan, vanessa, steven, and cara are "popuser" only
accounts - see the restricted login above for how to set them up.

Virtual User Table.
==================

Note that novatek.co.nz is virtually hosted on gateway, so all external mail
to users on the host who have mail or mailboxes needs to be redirected
through '/etc/mail/virtusertable' as follows:
-----------------------------------------------------
novatek@novatek.co.nz           novatek
hostmaster@novatek.co.nz        novatek
postmaster@novatek.co.nz        novatek
webmaster@novatek.co.nz         novatek
ftpmaster@novatek.co.nz         novatek
timemaster@novatek.co.nz        novatek
jonathan@novatek.co.nz          jonathan
jon.marks@novatek.co.nz         jonathan
jonathan.marks@novatek.co.nz    jonathan
vanessa@novatek.co.nz           vanessa
vanessa.marks@novatek.co.nz     vanessa
nessa@novatek.co.nz             vanessa
steven@novatek.co.nz            steven
steven.marks@novatek.co.nz      steven
coolshades@novatek.co.nz        steven
cara@novatek.co.nz              cara
cara.marks@novatek.co.nz        cara
kiwi@novatek.co.nz              cara
@novatek.co.nz                  jonathan
-----------------------------------------------------
Note the last entry is a catchall for all other virtual users. This ensures
everything is received and goes to a "trusted user". The trusted user could
be an alias or an actual popuser. The catchall takes every address that is
not listed explicitly, so root@novatek.co.nz, for example, lands with
jonathan rather than following the root alias above; postmaster and
hostmaster are listed explicitly for exactly this reason, and any other
address you want routed differently must be listed too. To get this table to
take effect, run 'make' from the '/etc/mail' directory. Restarting sendmail
also builds this table.

PRINTING
********

Printing is not a good idea on a firewall. This is especially so when the
printer is a print server for the rest of the internal network.
Adding additional unrelated functionality to a firewall tends to defeat the
purpose of the firewall. Setting up for printing involves two stages.
1. Installing the Printer
2. Enabling the Printer server (using Samba in this case)

Printer Installation
++++++++++++++++++++

Use printtool as root to install a printer. Redhat could not have made this
job any simpler.

/etc/printcap
--------------------------------------------------------
##PRINTTOOL3## LOCAL cdj550 300x300 letter {} DeskJet550 3 1
hp850c:\
        :sd=/var/spool/lpd/hp850c:\
        :mx#0:\
        :sh:\
        :lp=/dev/lp0:\
        :if=/var/spool/lpd/hp850c/filter:
----------------------------------------------------------
Remember to:
/etc/rc.d/init.d/lpd restart
/etc/rc.d/init.d/smb restart
if you change /etc/printcap (and have smb configured). Also ensure that there
is a PRINTER=hp850c in the environment. I've added this to /etc/bashrc.

Using Samba to make Gateway a print Server
++++++++++++++++++++++++++++++++++++++++++

(We could have used nfs - I may look at that later. I like samba because it
does not require us to set up nfs client software - especially on Winxx
boxes). A print server is not a good idea on a firewall, but anyway . . . .

Using
samba-2.0.5a-1.i386.rpm
samba-client-2.0.5a-1.i386.rpm

Refs:
SMB howto - dated but still relevant
/usr/docs/samba-2.0.3/docs/textdocs. I looked at Printing.txt.
www.sfu.ca/~yzhang/linux/index.html

Note there is a bug in the install of 2.0.5a-1 where it will replace smb.conf
with the release version. Change the name of smb.conf before the upgrade, and
copy the file back before issuing '/etc/rc.d/init.d/smb restart'.

In this instance, internal network security is not an issue, only external
access security. I want everybody on the internal network to be able to
access the printer. And I want no-one externally to be able to access the
printer.
NOTE: In a 'real' commercial environment, I would strongly advise against
using a firewall box (masquerading, proxy, etc) as a print, fax, file, or any
other type of server. A firewall should be a firewall, and nothing else.
Adding other services tends to complicate security, creates more
opportunities for crackers, and can make the network behind the firewall
more vulnerable.

1. Ensure we have samba installed. It does come with Redhat 6.0 and the
default is to install it.

2. Ensure that smbd and nmbd are started as daemon services. As root, run up
ntsysv, and ensure that smb is selected. You can also do 'ps ax | grep mbd'
and see if the smbd and nmbd entries come up.

3. Next edit the smb.conf file. You could use Swat; I prefer doing these
things by hand. I generally use the example smb.conf file and clobber the
comments first before changing things. Note that I am also allowing [homes].
This is so that if I have identical login names on both my Win9x and Linux
box, I will be able to access my home directory (password protected) on the
linux box from the Win9x box - also not a good thing for a firewall (oh
well).

The following is gateway's smb.conf file.
-----------------------------------------------------------
[global]
   workgroup = Novatek
   server string = Gateway Resource Sharing
   security = share
#  guest account = smb
   guest only = yes
   hosts allow = 192.168.0. localhost
   log file = /var/log/samba/log.%m
   max log size = 50
   socket options = TCP_NODELAY
   printcap name = /etc/printcap
   printing = bsd
   load printers = yes
   case sensitive = no
   short preserve case = yes
   preserve case = yes

[homes]
   comment = Home Directories
   read only = No
   create mask = 0750
   browseable = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   public = Yes
   printable = Yes
   browseable = No
   writeable = No
   create mode = 700
----------------------------------------------------------------
'hosts allow' uses the same pattern syntax as tcp-wrappers' hosts.allow and
is what keeps the outside world off these shares, but it is only checked
after smbd has accepted the connection, and nmbd still answers on the
outside interface. On a dual-homed box also add
   interfaces = 192.168.0.254/255.255.255.0
   bind interfaces only = yes
so that smbd listens only on the inside interface and nmbd ignores the
outside one, and block ports 137-139 on eth0 in the packet filter
regardless.

4. We need to create a guest account.
Do this with 'adduser <name>', where <name> is the value given to 'guest
account' in smb.conf.
++OR++
replace 'guest account = xxxx' with 'guest only = yes' and we do not need to
create a new user: samba then uses its compiled-in default guest account,
nobody. I prefer this latter approach.

NOTE: The server string hides the fact that this is a Samba server and which
version it is. This is cosmetic only; the server still identifies itself as
Samba in the SMB session setup reply, so do not rely on it.

5. Restart samba. As root do '/etc/rc.d/init.d/smb restart'

6. Checking.

Win9x
On your Win9x box, explore Network Neighborhood. If you do not see the samba
server, check that the HOSTNAME on your Linux box and the tcp/ip network
domain (Control panel/network/tcp-ip/properties/DNS Configuration) match.
Open up your Samba server icon, and you should see 'lp' as a printer icon for
the linux printer, and maybe your home directory if set up as above.

I had problems printing until I discovered lpr's (on Linux) permissions were
incorrect. I set them on the advice of TrinityOS to 4750, but they will only
work when set to 4751. As root 'chmod 4751 /usr/bin/lpr'.

UNIX
Set up the client so that it uses a remote network printer (using printtool
is the easiest). Then on the lpd server, we need to permit access to the
clients. This is done by listing the client hosts in /etc/hosts.lpd on the
server (see the lpd man page). lpd also accepts any host listed in
/etc/hosts.equiv, so keep that file empty on the firewall and list print
clients only here. My /etc/hosts.lpd looks like:
----------------------------------
hershel
henry
hercules
beatroot
---------------------------------
Remember to restart the lpd: '/etc/rc.d/init.d/lpd restart'

PRINTING TIPS
-------------

Look at mpage and pr. They are both very useful print filtering programs.

There is a pretty printing package a2ps. I downloaded the latest version
4.10.4 from rpmfind.net. There is a comprehensive online manual for this
package at http://www.inf.enst.fr/~demaille/a2ps/doc-4.10. Out of the box it
works fine except for the page size that needs to be changed. Edit
/etc/a2ps.cfg, search for 'Options: --medium', and change the argument to
'letterdj' in my case.
FAXING
******

Using the firewall box as a fax server is not a good idea from a security
perspective; see the comments in printing above.

We have two choices of software for faxing / fax server.
1. mgetty+sendfax (www.alpha.greenie.net/mgetty)
2. HylaFax (www.hylafax.org)

We are going to use Hylafax as mgetty does not support class 1 fax modems,
and that is what I have.

This is a two stage process
1. Setting up the fax modem to send and receive faxes.
2. Enabling the fax server / Configuring the remote fax clients.

Note that we only want to use the fax software as a fax server. We do not
want any dialin/login data access to our box over the modem. With HylaFAX
this means leaving GettyArgs unset in the modem's config file (config.ttyS1),
so that faxgetty does not hand a data call over to a login getty.

Setting up the Fax Modem
++++++++++++++++++++++++

First check that we can talk to the modem. Use a serial comms program; I used
minicom and ran it as root with the -s option. Set the serial port to
/dev/ttyS1, and the baud rate to 115200. Exit the configuration menu and
watch the modem get initialised. Type 'ata'. The modem should go off hook
and sound a training tone. Hit [cr], and it should stop.
- If the modem is not working, check setserial for the correct io address
and irq.

At this stage it is a good idea to confirm the class of the fax modem with
'at+fclass=?' to see what classes the modem supports. If the modem only does
class 1, forget about mgetty, it only supports class 2 modems. After going
through the exercise of installing mgetty, I discovered this too late.
(Caution when uninstalling mgetty: it changes the owner and group of the
serial port device to uucp. This must be changed back to root:tty. I needed
to reboot the machine to get the serial port to work.)

HylaFAX Installation
++++++++++++++++++++

Refs:
www.hylafax.org - it's a good idea to go through this site first and explore
some of its links.
cirl.meei.harvard.edu/hylafax/linux/INSTALL-linux5.x-v4.0pl2.html for
installation on a redhat distribution.
Look at the man pages too at www.hylafax.org/man/

Installing hylafax-4.0pl2-3rh5.src.rpm
Also works for hylafax-4.1beta1-1rh6.i386.rpm which is currently installed.

Ensure the following are installed
ghostscript >=V5.10
gawk >=V3.0.0
libtiff >=3.4
libjpeg6a >= 6a
ghostscript-fonts-std >=V5.10-8

Confirm /