Tuesday, December 30, 2008

Eleven SSH Tricks

Run remote GUI applications and tunnel any Net connection securely using a free utility that's probably already installed on your system.

SSH is the descendant of rsh and rlogin, which are non-encrypted programs for remote shell logins. Rsh and rlogin, like telnet, have a long lineage but now are outdated and insecure. However, these programs evolved a surprising number of nifty features over two decades of UNIX development, and the best of them made their way into SSH. Following are the 11 tricks I have found useful for squeezing the most power out of SSH.

Installation and Versions

OpenSSH is the most common free version of SSH and is available for virtually all UNIX-like operating systems. It is included by default with Debian, SuSE, Red Hat, Mandrake, Slackware, Caldera and Gentoo Linux, as well as OpenBSD, Cygwin for Windows and Mac OS X. This article is based on OpenSSH, so if you are using some other version, check your documentation before trying these tricks.

X11 Forwarding

You can encrypt X sessions over SSH. Not only is the traffic encrypted, but the DISPLAY environment variable on the remote system is set properly. So, if you are running X on your local computer, your remote X applications magically appear on your local screen.

Turn on X11 forwarding with ssh -X host. You should use X11 forwarding only for remote computers where you trust the administrators. Otherwise, you open yourself up to X11-based attacks.

A nifty trick using X11 forwarding displays images within an xterm window. Run the web browser w3m with the in-line image extension on the remote machine; see the Debian package w3m-img or the RPM w3m-imgdisplay. It uses X11 forwarding to open a borderless window on top of your xterm. If you read your e-mail remotely using SSH and a text-based client, it then is possible to bring up in-line images over the same xterm window.

Config File

SSH looks for the user config file in ~/.ssh/config. A sample might look like:

ForwardX11 yes
Protocol 2,1

Using ForwardX11 yes is the same as specifying -X on the command line. The Protocol line tells SSH to try SSH2 first and then fall back to SSH1. If you want to use only SSH2, delete the ,1.

The config file can include sections that take effect only for certain remote hosts by using the Host option. Another useful config file option is User, which specifies the remote user name. If you often log in to a machine with ssh -l remoteuser remotehost or ssh remoteuser@remotehost, you can shorten this by placing the following lines in your config file:

Host remotehost
ForwardX11 yes
User remoteuser

Host *
ForwardX11 no

Now, you can type ssh remotehost to log on as user remoteuser with the ForwardX11 option turned on. Otherwise, ForwardX11 is turned off, as recommended above. The asterisk matches all hosts, including hosts already matched in a Host section, but only the first matching option is used. Put specific Host sections before generic sections in your config file.

A system-wide SSH config file, /etc/ssh/ssh_config, also is available. SSH obtains configuration data in the following order: command-line options, user's configuration file and system-wide configuration file. All of the options can be explored by browsing man ssh_config.

Speeding Things Up: Compression and Ciphers

SSH can use gzip compression on any connection. The default compression level is equivalent to approximately 4× compression for text. Compression is a great idea if you are forwarding X sessions on a dial-up or slow network. Turn on compression with ssh -C or put Compression yes in your config file.

Another speed tweak involves changing your encryption cipher. The default cipher on many older systems is triple DES (3DES), which is slower than Blowfish and AES. New versions of OpenSSH default to Blowfish. You can change the cipher to blowfish with ssh -c blowfish.

Cipher changes to your config file depend on whether you are connecting with SSH1 or SSH2. For SSH1, use Cipher blowfish; for SSH2, use:

Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

Port Forwarding

Ports are the numbers representing different services on a server; such as port 80 for HTTP and port 110 for POP3. You can find the list of standard port numbers and their services in /etc/services. SSH can translate transparently all traffic from an arbitrary port on your computer to a remote server running SSH. The traffic then can be forwarded by SSH to an arbitrary port on another server. Why would you want to do this? Two reasons: encryption and tunneled connections.


Many applications use protocols where passwords and data are sent as clear text. These protocols include POP3, IMAP, SMTP and NNTP. SSH can encrypt these connections transparently. Say your e-mail program normally connects to the POP3 port (110) on mail.example.net. Also, say you can't SSH directly to mail.example.net, but you have a shell login at shell.example.net. You can instruct SSH to encrypt traffic from port 9110 (chosen arbitrarily) on your local computer and send it to port 110 on mail.example.net, using the SSH server at shell.example.net:

ssh -L 9110:mail.example.net:110 shell.example.net

That is, send local port 9110 to mail.example.net port 110, over an SSH connection to shell.example.net.

Then, simply tell your e-mail program to connect to port 9110 on localhost. From there, data is encrypted, transmitted to shell.example.net over the SSH port, then decrypted and passed to mail.example.net over port 110. As a neat side effect, as far as the POP3 dæmon on mail.example.net knows, it is accepting traffic from shell.example.net.

Tunneled Connections

SSH can act as a bridge through a firewall whether the firewall is protecting your computer, a remote server or both. All you need is an SSH server exposed to the other side of the firewall. For example, many DSL and cable-modem companies forbid sending e-mail from your own machine over port 25 (SMTP).

Our next example is sending mail to your company's SMTP server through your cable-modem connection. In this example, we use a shell account on the SMTP server, which is named mail.example.net. The SSH command is:

ssh -L 9025:mail.example.net:25 mail.example.net

Then, tell your mail transport agent to connect to port 9025 on localhost to send mail. This exercise should look quite similar to the last example; we are tunneling from local port 9025 to mail.example.net port 25 over mail.example.net. As far as the firewall sees, it is passing normal SSH data on the normal SSH port, 22, between you and mail.example.net.

A final example is connecting through an ISP firewall to a mail or news server inside a restricted network. What would this look like? In fact, it would be the same as the first example; mail.example.net can be walled away inside the network, inaccessible to the outside world. All you need is an SSH connection to a server that can see it, such as shell.example.net. Is that neat or what?

Limitations/Refinements to Port Forwarding

If a port is reassigned on a computer (the local port in the examples above), every user of that computer sees the reassigned port. If the local system has multiple users, tunnel only from unused, high-numbered ports to avoid confusion. If you want to forward a privileged local port (lower than 1024), you need to do so as root. Forwarding a lower-numbered port might be useful if a program won't let you change its port, such as standard BSD FTP.

By default, a tunneled local port is accessible only to local users and not by remote connection. However, any user can make the tunneled port available remotely by using the -g option. Again, you can do this to privileged ports only if you are root.

Any user who can log in with SSH can expose any port inside a private network to the outside world using port forwarding. As an administrator, if you allow incoming SSH connections, you're really allowing incoming connections of any kind. You can configure the OpenSSH dæmon to refuse port forwarding with AllowTcpForwarding no, but a determined user can forward anyway.

A config file option is available to forward ports; it is called LocalForward. The first port-forwarding example given above could be written as:

Host forwardpop
Hostname shell.example.com
LocalForward 9110 mail.example.com:110

This way, if you type ssh forwardpop you receive the same result as in the first example. This example uses the Host command described above and the HostName command, which specifies a real hostname with which to connect.

Finally, a command similar to LocalForward, called RemoteForward, forwards a port from the computer to which you are connected, to your computer. Please read the ssh_config man pages to find out how.

Piping Binary Data to a Remote Shell

Piping works transparently through SSH to remote shells. Consider:

cat myfile | ssh user@desktop lpr

tar -cf - source_dir | \
ssh user@desktop 'cat > dest.tar'

The first example pipes myfile to lpr running on the machine named desktop. The second example creates a tar file and writes it to the terminal (because the tar file name is specified as dash), which is then piped to the machine named desktop and redirected to a file.

Running Remote Shell Commands

With SSH, you don't need to open an interactive shell if you simply want some output from a remote command, such as:

ssh user@host w

This command runs the command w on host as user and displays the result. It can be used to automate commands, such as:

perl -e 'foreach $i (1 .. 12) \
{print `ssh server$i "w"`}'

Notice the back-ticks around the SSH command. This uses Perl to call SSH 12 times, each time running the command w on a different remote host, server1 through server12. In addition, you need to enter your password each time SSH makes a connection. However, read on for a way to eliminate the password requirement without sacrificing security.


How does SSH authenticate that you should be allowed to connect? Here are some options:

  • By hostnames only: uses .rhosts file; insecure; disabled by default.

  • By hostnames and host-key checking.

  • The S/Key one-time password system.

  • Kerberos: private-key encryption with time-expired “tickets”.

  • Smart card.

  • Password prompt.

  • Public key.

The most common authentication method is by password prompt, which is how most SSH installations are run out of the box.

However, public key encryption is worth investigating; it is considerably more secure than passwords, and by using it you can do away with all or most of your password typing.

Briefly, public key encryption relies on two keys: a public key to encrypt, which you don't keep secret, and a private key to decrypt, which is kept private on your local computer. The general idea is to run ssh-keygen to generate your keys. Press Return when it asks you for a passphrase. Then copy your public key to the remote computer's authorized_keys file.

The details depend on whether the computer to which you are connecting uses SSH1 or SSH2. For SSH1 type ssh-keygen -t rsa1, and copy ~/.ssh/identity.pub to the end of the file ~/.ssh/authorized_keys on the remote computer. For SSH2, type ssh-keygen -t rsa, and copy ~/.ssh/id_rsa.pub to the end of the file ~/.ssh/authorized_keys on the remote computer. This file might be called ~/.ssh/authorized_keys2, depending on your OpenSSH version. If the first one doesn't work, try the second. The payoff is you can log in without typing a password.

You can use a passphrase that keeps the private key secret on your local computer. The passphrase encrypts the private key using 3DES. At no time is your passphrase or any secret information sent over the network. You still have to enter the passphrase when connecting to a remote computer.

Authentication Agent

You might wonder: if we want to use a passphrase, are we stuck back where we started, typing in a passphrase every time we log in? No. Instead, you can use a passphrase, but type it only once instead of every time you use the private key. To set up this passphrase, execute ssh-agent when you first start your session. Then execute ssh-add, which prompts for your passphrase and stores it in memory, not on disk. From then on, all connections authenticating with your private key use the version in memory, and you won't be asked for a password.

Your distribution may be set up to start ssh-agent when you start X. To see if it's already running, enter ssh-add -L. If the agent is not running already, you need to start it, which you can do by adding it to your .bash_login, logging out and logging back in again.

Authentication Agent Forwarding

If you connect from one server to another using public key authentication, you don't need to run an authentication agent on both. SSH automatically can pass any authentication requests coming from other servers, back to the agent running on your own computer. This way, it never passes your secret key to the remote computer; rather, it performs authentication on your computer and sends the results back to the remote computer.

To set up authentication agent forwarding, simply run ssh -A or add the following line to your config file:

ForwardAgent yes

You should use authentication agent forwarding only if you trust the administrators of the remote computer; you risk them using your keys as if they were you. Otherwise, it is quite secure.

Traveling with SSH Java Applet

Many people carry a floppy with PuTTY or another Windows SSH program, in case they need to use an unsecured computer while traveling. This method works if you have the ability to run programs from the floppy drive. You also can download PuTTY from the web site and run it.

Another alternative is putting an SSH Java applet on a web page that you can use from a browser. An excellent Java SSH client is Mindterm, which is free for noncommercial use. You can find it at www.appgate.com/mindterm.


An SSH configuration can go wrong in a few places if you are using these various tricks. You can catch many problems by using ssh -v and watching the output. Of course, none of these tricks is essential to using SSH. Eventually, though, you may encounter situations where you're glad you know them. So give a few of them a try.

Thursday, December 11, 2008

SQUID ( Proxy Server )

.Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS.[1] The development version of Squid (3.1) includes IPv6 and ICAP support.

Squid is the default proxy server in RHEL5. In this article I will show how to configure squid proxy server on RHEL5.


Purpose: Web caching, bandwidth management, URL surf control etc.
Service Type: Standalone
Dependency: Network Service
Ports: 8080 / 3128 TCP


RAM: Min 1.0 GB
Processor: Min Pentium 4 D at least 2.8 GHz
Hard Drives: SCSI OR SATA-I, 3 HDs, 80GB each (SATA comes min in 80GB)

Partition Scheme:

To distribute I/O load among al hard drives use folowing partition scheme. You can use remaining space as
you like. There are three main directories where I/O load is very much in a proxy server

1. Operating system (/)
2. Log Directory (/var/log)
3. Cache Directory (/cache1 and /cache2)

And we have created these directories as a separate partition on diferent directories.

/boot 500MB
/ 30GB

/var/log 80GB

/cache1 15GB
/cache2 15GB

The proxy server should be suficient for 1000 users (1000/3=330 active users)

Directory and File Location:

/etc/squid: Contains al Squid configuration files.
/etc/squid/squid.conf: Main proxy server’s configuration file.
/var/log/squid: Squid log directory
/var/log/squid/cache.log: Squid service log directory
/var/log/squid/access.log: Squid acess log directory
/var/log/message: Main system log file
/var/spool/squid: Default cache directory

Required Packages:

Squid-version.number: Main rpm package


End Result: A proxy server performing web-cache.

Proxy Server: linuxbox5 (
Proxy Server Port: 8080

Internal Network:

Like apache web server squid proxy server comes almost pre-configured. You just have to configure proxy port
and ACLs and start squid service that’s al.

Step 1:

Configure htpd service to start at boot time.
chkconfig squid on

Step 2:

Configure /etc/hosts file. In this scenario /etc/hosts file should look like linuxbox4

Step 3:

Note: squid.conf file is checked in sequence upper part is read first then lower part by squid service. Therefore
you must define parameters at their defined places. Sample configuration is present in default squid
configuration file.

Open /etc/squid/squid.conf file and change http_port parameter as.

htp_port 3128

htp_port 8080
Find “visible_hostname” section and define visible_hostname as.

visible_hostname linuxbox4

Note: /etc/hosts file must be configured.

Find ACL section and define folowing two lines at the beginning of that section.

acl internal src
http_access alow internal

Acl: is key word for ACL

Internal: ACL name.

src: ACL type is src (source address). Means we have specified source addresses in
this acl. ACLs are group of source address, URLs, time and MAC addresses etc.
After making such groups we configure their access either they are alowed or
denied access to access htp using this proxy server .
IP address and subnet mask of clients which wil use this proxy server for
Internet access.
htp_access alow internal:
Alow web access to Source IP Group internal.

Step 4:

Save and exit and reload squid service.

service squid reload

Checking: In client system open Internet explorer and define Proxy server’s address and port and browse
some site.


End Result: A proxy server performing web-cache and blocking certain sites.

Proxy Server: linuxbox5 (
Proxy Server Port: 8080
Internal Network:
Blocked Sites: hotmail.com & yahoo.com sites

Perform al steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add folowing ACL lines

acl blk url_regex hotmail.com yahoo.com
htp_access deny blk

Above these lines

acl internal src
htp_access alow internal

Save and exit and reload squid service.

service squid reload
Checking: In client system open Internet explorer and define Proxy server’s address and port and browse
hotmail.com and yahoo.com and you wil get “Acess Denied” eror from proxy.


End Result: A proxy server performing web-cache and blocking certain MAC addresses.

Proxy Server: linuxbox5 (
Proxy Server Port: 8080
Blocked MAC: 00:B0:D0:A1:68:06
Alowed MAC: 17:FF:C3:A1:68:A0

Note: MAC based setings can only be used in squid.conf file if we have compiled squid with
enable-arp-acl” configure option. Squid does not come precompiled with this option.

Perform al steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add folowing ACL lines

acl deny-macs arp 00:50:04:99:C4:1D
http_access deny deny-macs

acl alow-macs arp 17:FF:C3:A1:68:A0
http_access allow allow-macs

deny-macs & alow-macs: are ACL names.

arp: ACL type is ARP (MAC address). Means we have created group of clients/PCs
based on MAC addresses. And after that we alow or deny access based on
these ACLs.

http_access deny deny-macs:
We have denied web (htp_access) acess to MAC addres specified in “deny-macs”

htp_access alow alow-macs:
We have alowed web (htp_acces) acess to MAC addres specified in “alow-macs”

Save and exit and reload squid service.

service squid reload


End Result: A proxy server performing web-cache sending outgoing data from modem/DSL and
geting incoming data from satelite.

Proxy Server: linuxbox5
Proxy Server Port: 8080
IP address Assigned by ISP:
IP Address Given by Satelite Company:
Internal Network:
Number of NICs in Proxy Server: One


1. Proxy server is connected with ISP and is assigned as primary IP address to proxy server
and is asigned as secondary IP addres to proxy server.
2. Proxy server’s gateway is configured as provided by ISP, so outgoing trafic go out using ISP
3. Satelite interface card is instaled and configured and sync.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add folowing lines in squid.conf file.


Save and exit and reload squid service.

service squid reload

Checking: Instal ipterf package on proxy server and monitor packets on satelite interface


End Result: A proxy server performing transparent web-cache.

Proxy Server: linuxbox5 (
Proxy Server Port: 8080
Internal Network:

Note: Squid can not be configured with authentication and as a transparent proxy at the same

Perform al steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add folowing lines under “htpd_accel” section.

htpd_accel_host virtual
htpd_accel_port 80
htpd_accel_with_proxy on
htpd_accel_uses_host_header on

Save and exit and reload squid service.

service squid reload

Add the folowing line at the end of /etc/rc.local file and reboot the server.

iptables -t nat -A PREROUTING -s -p tcp -dport 80 -j REDIRECT --to-port 8080


End Result: A proxy server performing web-cache with user authentication.

Proxy Server: linuxbox5 (
Proxy Server Port: 8080
Internal Network:
Alowed Users: u1 and u2

Step 1:

Perform al steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Step 2:

Create squid password file and add users in it.

touch /etc/squid/squidpasswd
htpasswd /etc/squid/squidpasswd u1
htpasswd /etc/squid/squidpasswd u2

Step 3:

Add folowing lines under “auth_param” section in squid.conf file.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squidpasswd
auth_param basic children 15


auth_param: This parameter tels proxy to require authentication from clients.

basic: This is authentication type. Username and Passwords travel in clear text over the network.

program /usr/lib/squid/ncsa_auth:
Use this program to authenticate users. ncsa_auth only supports basic auth type.

User name and passwords wil be kept in this file. We have to create this file and add users in it
by htpasswd command

auth_param basic children 15:
Start 15 authentication processes if 16 users logs in at the same time the last user wil have to
wait until a authentication programs becomes available.

Add folowing ACL lines

acl authchk proxy_auth REQUIRED
htp_access alow authchk

Above these lines

acl internal src
htp_access alow internal

Step 4:

Save and exit and reload squid service.

service squid reload


End Result: A proxy server performing web-cache and implementing time based restrictions.
Proxy Server: linuxbox5 (
Proxy Server Port: 8080
Alowed Time: 9:00 AM to 09:00 PM

Perform al steps given above under the heading “Simple Web-cache Setup with Squid”. And do the

additional steps given below.

Add folowing ACL line

acl timechk time 09:00-21:00

Above this line

acl internal src

And change folowing line

htp_access alow internal

htp_access alow internal timechk

timechk : ACL name.

time: ACL type is time. Means we have set group of times and based on these time
groups we wil alow or deny clients.

htp_access alow internal timechk:
Tells squid to implement time restrictions on clients what belongs to internal group

(whose source IP addres is in between – 253)

Save and exit and reload squid service.

service squid reload


End Result: A proxy server with bandwidth management assigning 256Kbps to two clients and
64Kbps to al other users of network.
Proxy Server: linuxbox5 (
Proxy Server Port: 8080
Bandwidth Group1: and (256Kbps)
Bandwidth Group2: (64Kbps) Except and

Perform al steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Define folowing lines in squid.conf file.

acl bw256k src
acl bw256k src

Above these lines

acl internal src
htp_access alow internal

In delay pool section add folowing.

delay_pools 2
delay_class 1 2
delay_parameters 1 32000/32000 -1/-1
delay_access 1 alow bw256k

delay_class 2 2
delay_parameters 2 8100/8100 -1/-1
delay_access 2 alow internal

delay_pools 2 : There are two types of setings / groups of people one delay pool handle one
type of setings that’s y define two delay pool.

delay_class 1 2: Delay pool 1 belongs to delay clas 2. There are three delay classes. In class we
can limit bandwidth for only subnet. In class 2 we can configure bandwidth for a
client and subnet as wel. And in clas 3 we can configure bandwidth for a client
and subnet and complete network.

delay_parameters 1 32000/32000 -1/-1:
For delay pool 1 we are providing 32000/32000 (256Kbps OR 32000 Kilo Bytes)
for one user min and max 256Kbps. -1/-1 means no limit on network.

delay_access 1 alow bw256k:
We are alowing bw256k ( & group/ACL to use
setings of delay pool 1.

Save and exit and reload squid service.

service squid reload


End Result: A proxy server keeping web cache in customized directory.

Proxy Server: linuxbox5 (
Proxy Server Port: 8080
Cache Directory: /cache partition (10GB in size)

Note: It is recommended that you should create /cache as a separate partition.

Perform al steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Create a squid directory in /cache partition. And set it’s owner and group to squid user and group.

mkdir /cache/squid
chown squid.squid /cache/squid

Under cache_dir section add the folowing line

cache_dir ufs /cache/squid 8500 16 256

We left 1500 space for swap.state file that keep status of cache directory. Save and exit and run folowing

squid –z reconfigure
service squid restart


End Result: A perfect squid proxy server.

Proxy Server: linuxbox5 (
Proxy Server Port: 8080

Perform al steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

And configure folowing parameters under their sections

maximum_object_size 10000 KB
maximum_object_size_in_memory 16 KB
dns_timeout 3 minutes
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

Tuesday, December 9, 2008

Preboot Execution Environment(PXE) Booting

The Preboot eXecution Environment (PXE, aka Pre-Execution Environment, or 'pixie') is an environment to boot computers using a network interface independently of available data storage devices (like hard disks) or installed operating systems.

PXE was introduced as part of the Wired for Management framework by Intel and is described in the specification (v2.1) published by Intel and Systemsoft on September 20, 1999. It makes use of several network protocols like IP, UDP, DHCP and TFTP and of concepts like GUID/UUID and Universal Network Device Interface and extends the firmware of the PXE client (the computer to be bootstrapped via PXE) with a set of predefined APIs.

The term PXE client only refers to the role that the machine takes in the PXE boot process. A PXE client can be a server, desktop, laptop or any other machine that is equipped with a PXE boot code.

In this article I will show how to configure a Server for PXE booting and also a client for the same in RHEl5.

Diskless installation/PXE installation-Article :

Server hostname Name - station1
Server IP Address -
DHCP Server -

Step-1 --> Set up DHCP Server on
# vi /etc/dhcpd.conf
ddns-update-style none;
subnet netmask {
option routers;
option subnet-mask;
option domain-name "example.com";
option domain-name-servers;
default-lease-time 21600;
max-lease-time 43200;
option root-path "/tftpboot/";
filename "pxelinux.0";
:wq (Save this file)
# service dhcpd restart
# chkconfig dhcpd on

Step-2 --> Now Setup PEX boot.
# mkdir /tftpboot
# cp /root/pxelinux.0 /tftpboot/.
# cp /root/memdisk/ /tftpboot/.
Note: Pl scrap your mail Id's for -- ("pxelinux.0", "memdisk") files.

Step-3 --> Configure 'tftp' server
# chkconfig tftp on ( This will enable tftp from /etc/xinetd.d/tftp file )
# service xinetd restart
# /etc/init.d/dhcpd restart

Step-4 --> Setup PXE file's from the RedHat 1st cd. Insert RedHat 1st disk and copy the 'initrd.img' and 'vmlinuz' to /root directory.
# cd /root
# cp initrd.img /tftpboot/.
# cp vmlinuz /tftpboot/.
also copy and rename to
# cp initrd.img /tftpboot/fc2-initrd.img
# cp vmlinuz /tftpboot/fc2-vmlinuz
# cd /tftpboot
# mkdir pxelinux.cfg
# cd pxelinux.cfg
# touch default
# vi default
default install
# Always prompt
prompt 1
display pxeboot.msg
# Boot automatically after 30 seconds in tenths of a second
timeout 300
label local
localboot 0
label install
kernel vmlinuz
append initrd=initrd.img
:wq ( save this file )

Step-5 --> Now mount the ISO

Let's copt the RedHat ISO to /tmp directory ( ISO Name ->RHEL5.0_1.iso)

# mount -o loop -t iso9660 /tpm/RHEL5.0_1.iso /media/cdrom
# mount /dev/cdrom /media/cdrom

Step-6 --> Make NFS Share

# vi /etc/exportfs

/media/cdrom *(rw,sync)

:wq (Save the file)

# service nfs restart
# chkconfig nfs on
# service dhcpd restart

Step-7 --> Now just set your client to boot from network(F12)

boot: PRESS Enter.....

Saturday, December 6, 2008

Configuring Firewall using IPTABLES

In this article I will show how to configure firewall in linux using IPtables.


Purpose: A modular command based state-ful firewal.
Service Type: Standalone
Directory and File Location:

/sbin/iptables: Main iptables binary file.
/lib/iptables: iptables modules directory.

Required Packages:

iptables-version.number: Single package provides al modules and main iptables binary.

Prerequisite: IP packet forwarding should be enabled fist if your Linux box is acting as a
gateway for other PCs and you want to filter forwarded packets as wel.

Open “/etc/sysctl.conf” and set.

net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1

Save and exit and run folowing command.

sysctl –p


1. iptables can perform Static and Dynamic Filtering.
2. iptables can perform Quality of Service
3. iptables can perform Addres and Port Redirection
4. iptables can perform Nating
5. iptables can do much more by adding available modules.


Iptables is consists of three tables

1. Filter Table
Filter table is used for blocking IP address and ports.

2. Nat Table
Nat table is used for Nating and Address and Port redirection

3. Mangle Table
Mangle is special purpose table used for QOS (quality of service) etc.

(Refer the image at the top of the article)

1. As soon as packets enters the system first PREROUTING is checked of MANGLE table and
then NAT table.
2. After that system checks its routing table and find out that if this packet is for itself or for
some other system (If system is acting as a network firewal and is a part of two networks,
normaly a system connected to internet).
3. If the packet’s destination is firewal system itself then INPUT chain of MANGLE table and
then INPUT chain of FILTER table is checked. And packet is given to concerned
4. If packet’s destination is some other system and system has to forward this packet to
another system then:
a. FORWARD chain of MANGLE table and then FORWARD chain of FILTER table is
b. Then POSTROUTING chain of MANGLE table and then POSTROUTING chain of NAT table is checked.

5. If packet is generated by firewal itself then:
First routing decision is made first that packet wil go out using which interface. After routing decision OUTPUT chain of first MANGLE table then NAT table and finaly FILTER
table is checked.
b. Then POSTROUTING chain of MANGLE table then NAT table is checked.

In iptables we have to create rules in chains to do a particular task.



Folowing rule tels iptables to block FTP access from host

iptables –t filter –A INPUT –s –p tcp –dport 20:21 –j DROP

Note: Filter table is default table of iptables if we do not specify any table in our rule then filter table is

Options Used in Rule Creation:

-A Defines the chain name to which the rule belongs to
-t Defines the table name to which the rule belongs to
-D To delete a single Rule
-F To Flush iptables al rules
-Z To set rule counters to zero
-n Do not resolve IPs to name from DNS used with –L option
-L Display curent firewal rules
-P To configure Policy Rule (default rule)

-p To define protocol (tcp, udp and icmp)
-s To define source address
-d To define destination addres
-o To define exit / out interface
-i To define incoming interface
-s-port To define source port
-d-port To define destination port
-m state –state To define status of packet
! To inverse the mentioned criteria
-j To define action to be taken on matched packet (DROP, ACCEPT, REJECT, MASQUERADE, and


Scenario 1 (Filter Table, INPUT Chain Implementation):

End Result: A FTP server with firewal configured, ofering web services to only selected clients.
Server: linuxbox4 (
Alowed Clients: and

Firewal Rules:

iptables –A INPUT –s –p tcp –-d-port 20:21 –j ACCEPT
iptables –A INPUT –s –p tcp –-d-port 20:21 –j ACCEPT
iptables –A INPUT –p tcp –port 20:21 –j DROP

Save Changes and set iptables service to start at boot time:

service iptables save
chkconfig iptables on

Scenario 2 (Filter Table, OUTPUT Chain Implementation):

End Result: A Client computer that is not alowed to telnet or SSH to a telnet and SSH server.
Server IP: linuxbox4 (

Firewal Rule Configured on Client PC:

iptables –A OUTPUT –d –p tcp –-d-port 22:23 –j DROP

Save Changes and set iptables service to start at boot time:

service iptables save
chkconfig iptables on

Scenario 3 (Filter Table, FORWARD Chain Implementation):
End Result: A Gateway Server part of two networks ( and filtering incoming and
outgoing trafic only alowing IP to acess file and print service on any PC in network while not a single client PC in network is alowed to acces
any service from network.

Firewal Rule For Gateway Server:

iptables –A FORWARD –s –p tcp –-d-port 135:139 –j ACCEPT
iptables –A FORWARD –s –p tcp –-d-port 445 –j ACCEPT
iptables –A FORWARD –p tcp -d-port :1024 –j DROP


Scenario 1 (Nat Table, POSTROUTING Chain Implementation):

End Result: An Internet gateway server converting internal private IP
addreses in to public IP addres.
Server: linuxbox4 (
Internet Clients: Network
Server Interface Connected to Internet: Modem / Linux interface name ppp0

Firewal Rules:

iptables -t nat -A POSTROUTING -s -j MASQUERADE


iptables -t nat -A POSTROUTING –o ppp0 -j MASQUERADE

Note: -i option cannot be used with POSTROUTING CHAIN

For net sharing purpose you must complete the Prerequisite as mentioned at the beginning of this document.

PORT REDIRECTION (Used for T-Proxy Setup):

Scenario 1 (Nat Table, PREROUTING Chain Implementation):

End Result: A proxy server changing, destination port in incoming packets for T-Proxy.
Server: linuxbox4 (
Internet Clients: Network
Server Interface Connected to Clients: NIC / Linux interface name eth0

Firewal Rules:

iptables -t nat -A PREROUTING -p tcp --dport 80 -s -j REDIRECT --to-port 8080


iptables -t nat -A PREROUTING -p tcp --dport 80 –i eth0 -j REDIRECT --to-port 8080

Note: -o option cannot be used with PREROUTING CHAIN


End Result: An Internet gateway server performing QOS MSN.
Server: linuxbox4 (
Alowed Clients:

Firewal Rules:

iptables -t mangle -A FORWARD –s -p tcp -dport 1863 -j TOS -set-tos Minimize-Delay

This wil forward MSN trafic without delay and MSN service wil get improved.


End Result: A FTP server with dynamic firewal configured, ofering web services to only selected clients.
Server: linuxbox4 (
Alowed Clients: and

Firewal Rules:

iptables -A INPUT –s -p tcp -dport 20:21 -m state -state NEW -j ACCEPT
iptables -A INPUT –s -p tcp -dport 20:21 -m state -state NEW -j ACCEPT

iptables -A INPUT –s -p tcp --dport 20:21 -m state -state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT –s -p tcp --dport 20:21 -m state-state ESTABLISHED,RELATED -j

iptables -A INPUT -p tcp -dport 20:21 -j DROP

-m state –state:
Is an iptables parameter, which is used to define a packet’s state.

NEW: NEW state means that the packet has started a new connection Such packets
has special TCP flag set in it (SYN)

ESTABLISHED: ESTABLISHED means that the packet is asociated with a connection that has
already been made by a NEW state packet.

RELATED: Means that the packet is starting a new connection, but is asociated with an
existing connection, such as an FTP data transfer, or an ICMP erorr.

INVALID: INVALID means that the packet is associated with an unknown connection.
Connection was not already created for this packets and neither this is an
associated packet with another connection.

Friday, December 5, 2008

Configuring Network File System(NFS) :

Network File System(NFS):
A network file system is any computer file system that supports sharing of files, printers and other resources as persistent storage over a computer network. For this a NFS server is to be configured.

In this article i will show how to configure NFS in RHEL5.

Network File System

Purpose: File Sharing between same and diferent operating systems
specialyUnix based operating systems
Port: 2049 tcp/udp
Dependency: Portmap Service
Service Type: Standalone
User Account to Configure NFS: root

File Location:

Config File: /etc/exports
Status Dir: /var/lib/nfs
Status of exported/shared partitions: /var/lib/nfs/etab
Status of remotely mounted local partitions: /var/lib/nfs/rmtab
Startup scripts: /etc/rc.d/init.d/nfs
Executeable files: /usr/sbin/rpc.nfsd , /sbin/rpc.lockd
/usr/sbin/rpc.mountd, /sbin/rpc.statd

Configuration Steps:

Server Side Setings:

1. Configure portmap and nfs services to start at boot time

Command: chkconfig –level 35 portmap on
chkconfig –level 35 nfs on

2. Create /etc/exports file

File Contents (very basic): /data *

3. Start/Restart portmap and nfs services

Command: service portmap restart
service nfs restart

4. Check if directories shared properly or not

Command: showmount –e

Client Side Setings:

1. Start/Restart portmap and nfs services:

Command: service portmap restart
service nfs restart

2. Check rpc status of NFS server:

Command: rpcinfo –p IP_OF_SERVER

3. Check shared directory list of server:

Command: showmount –e IP_OF_SERVER

4. Mount shared directory:


5. Umount shared directory:

Command: umount /LOCAL_SYSTEM_DIR

6. Configuring /etc/fstab file:

Add folowing at the end of the /etc/fstab file

IP_OF_SERVER:/SHARED_DIR /mnt nfsintr,bg,defaults 0 0

Checking command: mount –a

Special Settings:

/etc/exports Configuration Options (server):

rw : Alow write permissions
sync: Tels server to sync data on HD then reply client
no_root_squash: Client root user has root permissions (ful access) on shared
directory of server
anonuid: nfs server wil treat every access request with the permission of
specified user
anongid: nfs server wil treat every access request with the permission of
specified group

/etc/fstab Configuration Options (client):

intr: If client communication with server stops or if some problem occurs
then client system creates problems and some times becomes
unavailable to avoid this situation use this option.

soft: it can be used in place of intr. Soft option drops connection from the
server and do not let client system unavailable

bg: If we have added entry in /etc/fstab of client to mount a partition on
server and server is unavailable / down when client system boots this
option tels client system to boot normaly and try to mount later and
keep trying.

Sunday, November 30, 2008

Linux Basics(3 of 6):

Linux Basics(3 of 6):

Boot Loader, MBR & First Sector of a Hard Drive:

Boot Loader: It is a very smal program, during boot process BIOS executes this program and this
program loads /boots operating system. During instalation of an operating system,
depending upon our provided setings the operating system writes boot loader
program either in the MBR (first sector of hard drive) in first sector of the partition in
which operating system is being instaled.
When we tel operating system to write Boot Loader program in first sector of the
partition then we have to set that partition active.

MBR: Master Boot Record is very first record of a hard drive. Where the operating system
normaly keeps Boot Loader program. When we create partitions on a hard drive then
tools like fdisk keep Partition Table in MBR.

First Sector of a Hard Drive:
We can force Linux to keep its Boot Loader program in first sector of the partition in
which we are instaling Linux. But if we instal Boot Loader program in first sector of a
partition then we have to make that partition ACTIVE.

Initial Boot Process:
- During boot process BIOS after Power On Self Test (POST) checks Boot Priority and
goes to the first sector (MBR) of the first boot device and tries to load Boot Loader
program. If it does not find Boot Loader there then it checks the active partition of the
hard drive and tries to find Boot Loader program on first sector of Active partition.
Therefore when we keep Boot Loader program in first sector of a partition then we
have to make that partition active.
- Boot Loader tels where the kernel is present and starts to load kernel.
- And then kernel finaly loads complete operating system.

Registry Concept in Linux:

Registry is a centralized place where windows operating system keeps current system,
services and application configuration information. BUT in Linux we do not have
centralize registry concept. For each task of the system and for each service and
application we have separate configuration information (registry). These files are
caled configuration files.
Most of the system and services’ configuration files are present in /etc directory.

Directory and File Location:

/ Parent of all directories.
|_boot Contains files that are required to boot Linux system like kernel, boot loader files etc.
| Path: /boot
|_etc Contains System, Services’ and application configuration files.
| Path: /etc
|_home Contains home directories of al users created with default setings. Home directories
| are given same name as user name. A home directory for a user is a place where user
| have ful rights. And can create files directories etc.
| Path: /home
|_lost+found Similar to Recyclebin in windows
| Path: / lost+found
|_bin Contains user level commands that are found in almost al Uinux.
| Path: /bin
|_sbin Contains admin level commands that are almost found in al Uinux.
| Path: /sbin
|_lib Contains library files that are required by many commands
| Path: /lib
|_dev Contains device files
| Path: /dev
|_usr Volume wise it is the biggest directory of Linux operating system some of its sub
| | directories are important.
| | Path: /usr
| |
| |_bin Contains Linux specific user level commands.
| | Path: /usr/bin
| |
| |_sbin Contains Linux specific admin level commands. Specialy service related files are
| | present in it.
| | Path: /usr/sbin
| |
| |_src A main directory for keeping al kind of source codes for compilation.
| Path: /usr/src
|_var var is for variable. Contents of this directories keep changing.
| | Path: /var
| |
| |_log Main log directory for system, application and service log. It contains many sub
| | directories.
| | Path: /var/log
| |
| |_spool Main spool directories that contain separate spool directories for separate applications
| | and services. Path: /var/spool
| |
| |_mail Contains Mail boxes of al users.
| | Path: /var/spool/mail
| |_mqueue Mail queue directories. Users’ incoming and out going mails are kept
| | here before sending them out or delivering them to user’s mailboxes. In
| | this directories we can process emails for iruses and Spam.
| | Path: /var/spool/mqueue
| |
| |_cups Holds print jobs before printing. It is print spool directory.
| Path: /var/spool/cups
|_mnt Default mount point. (wil be explained later in “Mounting Process” section)
| Path: /mnt
|_tmp Temp directory to hold temporary files created during instalation of software etc.
|_opt Default location for third party software instalation like Oracle etc.
| Path: /opt
|_proc Keeps system, service and application status information. It is volatile it is populated
as system boots and its contents are deleted in shutdown process.

Note: There are certain other directories but their function is not important especialy at this stage.

Mounting Process:
In Linux we cannot access a medium (a device that hold data line hard drive, floppy,
Cdrom and USB. To access these we have to mount them on an Empty directory
(mount point). Then that directory / mount point is acts as the mounted medium.
Suppose you have mounted /dev/hda1 partition on /mnt directory. Then /mnt wil
become that partition and what ever you copy in /mnt is actualy goes to /dev/hda1.
Mount command creates link between device file and mount point.
After we umount /mnt it wil become a normal directory again.
Note: Mounted partitions can be viewed in “df” & “mount” command.

Linux Basics(2 of 6)

Linux Basics(2 of 6):


General Device Names Linux Names
COM 1 /dev/tyS0
COM 2 /dev/tyS1
COM 3 /dev/tyS2
COM 4 /dev/tyS3
Paralel Port 1 / Lpt port 1 /dev/lp0
First NIC (Network Interface Card) / LAN Card /dev/eth0
Second NIC (Network Interface Card) / LAN Card /dev/eth1

Hard Drive Name Linux Names
IDE Type Primary Master hda
IDE Type Primary Slave hdb
IDE Type Secondary Master hdc
IDE Type Secondary Slave hdd

SCSI Type First SCSI Drive sda
SCSI Type Second SCSI Drive sdb
SCSI Type Third SCSI Drive sdc

SATA Type First SATA Drive sda
SATA Type Second SATA Drive sdb
SATA Type Third SATA Drive sdc

USB Flash Drive First USB sda

Note: If a hard drive has a SATA and / or a SCSI drive and you plug in a USB device in it then
system wil assign leters to them in the sequence as system find them during boot
processes. Suppose during boot process Linux system detects SCSI first then SATA and then
USB then SCSI drive wil be given “sda” name SATA wil be given “sdb” and USB Flash drive
wil be assigned “sdc” name.

There are two types of partitions

1. Main Partition

Types of Main Partition
a. Primary Partitions
b. Extended Partitions

2. Logical Partitions
Logical partitions are created inside the Extended partition.

Note: First 4 (1-4) leters are reserved for Main Partitions and from 5 to onward al leters are
reserved for Logical partitions.

Disk Partitions Linux Names
IDE Type Primary Master First Main (Pri / Ext) Partition hda1
IDE Type Primary Master Second Main (Pri / Ext) Partition hda2
IDE Type Primary Master Third Main (Pri / Ext) Partition hda3
IDE Type Primary Master Fourth Main (Pri / Ext) Partition hda4
IDE Type Primary Master First Logical Partition hda5
IDE Type Primary Master Second Logical Partition hda6

Different Combinations Partitions Linux Names
IDE Type Secondary Third logical Partition hdc7

IDE Type Primary Slave Second Main (Pri / Ext) Partition hdb2

IDE Type Secondary Slave Second logical Partition hdb6

SCSI Type Second Hard Fourth logical Partition sdb8

USB Flash Drive - sda1

Linux Basics(1 of 6)

Linux Basics(1 of 6):

UNIX Standards:

SYSTEM V (system 5)

Free BSD
Open BSD


Solaris (Developed by SUN Microsystems)
HP-UX (Developed by HP)

There are some UNIX versions that folow some good features from BSD standard and some from
System v standard they can be named as Hybrid Unix Like:



In Linux/Unix every thing is treated as a file and every thing is represented by a file. Even devices
are represented by device files. There are four types files in Linux/Unix

1. Normal File:
Every file that contains data in it is caled normal file. E.g. execute able files,
Text files, movie files, audio files and Virus files etc.etc.

2. Directory File:
These are container files that hold other file and directories.

3. Link File :
These are like short cuts in windows. These just point towards the actual file.

4. Device File:
These represent devices. When ever we need to access a device we use these
files and these files gets the job done for us. These are present in /dev


Word root is used for three entities in Linux/Unix

root user: Admin user of Unix/Linux systems is root user.
/root directory: Home directory of root user.
/: / is like my computer in Windows. It is the parent directory of al linux system.
Every thing is present under this directory

Note: Linux/Unix is case sensitive in every thing from username and password to parameters of file and command options.