M$ Penguin ™'s Installing an All-In-One Box

I really wanted to call myself “The Angry Penguin”™, still might... Anyway, I really got into linux back in 1996 doing some product work. I then needed to have a virtual file space and a web page up. Some place where I could keep my resume and some files. I was going to have a database full of local car racing pictures and a little web site for all the local dogs that vist our local "Leash Free Park". These parks are great for the dogs and their owners.

Anyway, Microsoft was charge way too much money too buy one of their servers and I couldn't find cheap good hardware to run it. I also needed to get a firewall up and protecting... MicroSoft was just too much money! So, I went back to opensource just for fun. I have tried both OpenBSD and RedHat, but not Caldera, SuSE or Debian .

What I ended up with is far different than I expected. I have a system which is more of a Small Office Home Office (SOHO) or Small and Medium size Enterprises (SME) power plant. It now handles my office functionality with out any issues.

If you find any errors, mistakes, please let me know. If you know of some neat packages that I might want to use, drop me a line.

M$ Penguin™

Getting your distro

Why did I choose RedHat?

For the simple reason, it is the most popular. I am a lemming that follows everyone else. See http://www.linuxnovice.org/main_distro.php3 , http://www.linuxplanet.com/linuxplanet/tutorials/ , DistroWatch.com, LinuxPlanet - Tutorials or for a good general info. Check with http://www.linuxbase.org/ to ensure that you are using a Linux that is "Standarized".

Make sure you get puTTY while you are at it. It will save you lots of time an headackes.The most GNU/Linux on 1 floppy disk, The Linux Documentation Project and RPM Find are also a favorites.

RedHat 7.2 Choices

• Printer Support
• Classic X
• X windows System
• GNOME
• KDE
• network
• messaging
• NFS File Server
• Windows (Samba) support
• FTP (Risky)
• WWW
• Router
• DNS Name Server

Service Configuration

• anacron
• apmd
• atd
• crond
• dhcpd
• httpd
• ipchains
• isdn
• iptables
• ldap
• named
• netfs
• network
• nfs
• nfslock
• postgresql
• rhnsd
• sendmail
• smb
• snmpd
• squid
• sshd
• tomcat4 (not yet installed, so it will not likely appear)

• ipchains
• isdn
• finger
• rlogin
• rsh
• rwhod
• telnet
• wu-ftpd

Setup the network

1. setup the devices (should be done as part of the automatic install).
2. set up the path with
   route -n
route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0
route add default gw 192.168.1.2
route -n
3. ping some computer...

Installing DHCP Server

Taken from Dynamic Host Configuration Protocol RFC
The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses andadditional configuration options. DHCP captures the behavior of BOOTP relay agents, and DHCP participants can interoperate with BOOTP participants.

1. cd /mnt/cdrom/RedHat/RPMS
2. rpm -ih ./dhcp-2.0pl5-8.i386.rpm
3. vi /etc/dhcpd.conf

   subnet 192.168.1.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time -5hr*60min*60sec # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1 range dynamic-bootp 192.168.0.128 192.168.0.255; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } }

4. Go back to the Service Configuration and make sure dhcpd is checked on
5. In a command prompt goto /etc/rc.d/init.d and type ./dhcpd start

Configuring rhn

You can use RHN website to manage multiple Red Hat Linux systems simultaneously including viewing Errata Alerts, applying Errata Updates, and installing packages.

1. gpg --import /usr/share/rhn/RPM-GPG-KEY
2. up2date --configure
3. up2date -p; up2date -u -i
4. Add it to a cron file...

Configuring Samba

Taken from the Samba Web Site

Here is a very short list of what samba includes, and what it does. For many networks this can be simply summarised by "Samba provides a complete replacement for Windows NT, Warp, NFS or Netware servers."

• a SMB server, to provide Windows NT and LAN Manager-style file and print services to SMB clients such as Windows 95, Warp Server, smbfs and others.
• a NetBIOS (rfc1001/1002) nameserver, which amongst other things gives browsing support. Samba can be the master browser on your LAN if you wish.
• a ftp-like SMB client so you can access PC resources (disks and printers) from unix, Netware and other operating systems
• a tar extension to the client for backing up PCs
• limited command-line tool that supports some of the NT administrative functionality, which can be used on Samba, NT workstation and NT server.

For a much better overview have a look at the web site at http://samba.org/samba, and browse the user survey. Related packages include:

• smbfs, a linux-only filesystem allowing you to mount remote SMBfilesystems from PCs on your linux box. This is included as standard with Linux 2.0 and later.
• tcpdump-smb, a extension to tcpdump to allow you to investigate SMB networking problems over netbeui and tcp/ip.
• smblib, a library of smb functions which are designed to make it easy to smb-ise any particular application. See ftp://samba.org/pub/samba/smblib .

Please note: Windows NT, Windows 95, OS/2 Warp Connect and OS/2 Warp 4 clients don't need any extra software in order to run talk to a Samba server. These OS's come standard with TCP/IP which is all you need. You may find the following doc s useful in configuring them: Windows NT 4.0 , Windows 95 , Warp 4 and Warp Connect.

1. cd /etc/samba

2. # This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options (perhaps too # many!) most of which are not shown in this example # # Any line which starts with a ; (semi-colon) or a # (hash) # is a comment and is ignored. In this example we will use a # # for commentry and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command "testparm" # to check that you have not made any basic syntactic errors. # #======================= Global Settings ===================================== [global] # workgroup = NT-Domain-Name or Workgroup-Name workgroup = Name # server string is the equivalent of the NT Description field server string = My Samba Server # This option is important for security.It allows you to restrict # connections to machines which are on your local network. The # following example restricts access to two C class networks and # the "loopback" interface. For more examples of the syntax see # the smb.conf man page ; hosts allow = 192.168.1. 192.168.2. 127. hosts allow = 192.168.1. 127. # if you want to automatically load your printer list rather # than setting them up individually then you'll need this printcap name = /etc/printcap load printers = yes # It should not be necessary to spell out the print system type unless # yours is non-standard. Currently supported print systems include: # bsd, sysv, plp, lprng, aix, hpux, qnx printing = lprng # Uncomment this if you want a guest account, you must add this to /etc/passwd # otherwise the user "nobody" is used ; guest account = pcguest : : : : # Browser Control Options: # set local master to no if you don't want Samba to become a master # browser on your network. Otherwise the normal election rules apply ; local master = no local master = yes # OS Level determines the precedence of this server in master browser # elections. The default value should be reasonable ; os level = 33 # Domain Master specifies Samba to be the Domain Master Browser. This # allows Samba to collate browse lists between subnets. Don't use this # if you already have a Windows NT domain controller doing this job domain master = yes : : : [public] comment = Public Stuff path = /share public = yes writable = yes printable = no write list = @staff [cds] comment = CDs For all path = /share/CDs browseable = yes printable = no public = yes writable = no

3. testparm
4. cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
5. smbpasswd username
6. /etc/init.d/smb restart
7. go to a windows machine and try \\192.168.1.4\public

Configuring Bind

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System, including:

• a Domain Name System server (named)
• a Domain Name System resolver library
• tools for verifying the proper operation of the DNS server

1. go to /etc/named.conf

2. / generated by named-bootconf.pl options { directory "/var/named"; /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8.1 uses an unprivileged * port by default. */ // query-source address * port 53; }; // // a caching only nameserver config // controls { inet 127.0.0.1 allow { localhost; } keys { rndckey; }; }; #zone "." IN { # type hint; # file "named.ca"; #}; zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; }; zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; }; zone "robertsearle.com" IN { notify no; type master; file "robertsearle.com.zone"; allow-update { none; }; }; zone "1.168.192.in-addr.arpa" IN { notify no; type master; file "1.168.192.zone"; allow-update { none; }; allow-transfer { 192.168.1/24; }; };

3. go to /var/named/ and create a file mydomain.com.zone

4. $TTL 86400 @ IN SOA robertsearle.com. root.robertsearle.com. ( 3 ; serial 28800 ; refresh 7200 ; retry 604800 ; expire 86400 ; ttl ) NS robertsearle.com. MX 10 robertsearle.com. TXT "Robert Searle domain" localhost A 127.0.0.1 robertsearle.com. A 192.168.1.4 cage A 192.168.1.4 cheese A 192.168.1.100 searlehome A 192.168.1.36 homepage CNAME www.wlfdle.phub.net.cable.rogers.com. smtp CNAME smtp.wlfdle.phub.net.cable.rogers.com. nntp CNAME nntp.wlfdle.phub.net.cable.rogers.com. pop3 CNAME pop3.wlfdle.phub.net.cable.rogers.com. pop CNAME pop3.wlfdle.phub.net.cable.rogers.com. include "/etc/rndc.key";

5. dig @localhost cage
6. dig @localhost -x 192.168.1.4

ntpd-Network Time Protocol(ntp)

• ntpq -p

• awk '/^server/ {print $2}' /etc/ntp.conf | grep -v '127.127.1.0' > /etc/ntp/step-tickers

• for h in `cat ./ntp/step-tickers`; do echo restrict `dig +short $h` >>/etc/ntp.conf; done

 
# Prohibit general access to this service.
restrict default ignore

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
 restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap


# --- OUR TIMESERVERS ----- 
# or remove the default restrict line 
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip



# --- NTP MULTICASTCLIENT ---
# multicastclient			# listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
#  restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap



# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server	127.127.1.0	# local clock
fudge	127.127.1.0 stratum 10	

server ntp.cpsc.ucalgary.ca	#University of Calgary, Calgary, Alberta, Canada
server ntp1.cmc.ec.gc.ca	# Canadian Meteorological Centre, Dorval, Qu�bec, Canada
server ntp2.cmc.ec.gc.ca	# Canadian Meteorological Centre, Dorval, Qu�bec, Canada
server tick.utoronto.ca prefer	# University of Toronto, Toronto, Ontario, CANADA
server tock.utoronto.ca prefer	# University of Toronto, Toronto, Ontario, CANADA
server time.chu.nrc.ca 		# National Research Council of Canada, Ottawa, Ontario, Canada
server time.nrc.ca 		# National Research Council of Canada, Ottawa, Ontario, Canada


#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/drift
broadcastdelay	0.008

#
# Authentication delay.  If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate yes

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys		/etc/ntp/keys

      

Configuring a Virtual CD-ROM Jukebox

1. /etc/init.d/autofs stop
2. cd /share/
3. mkdir ISOs CDs .automount
4. ls -a
5. vi /etc/auto.master

   # $Id: auto.master,v 1.2 1997/10/06 21:52:03 hpa Exp $ # Sample auto.master file # Format of this file: # mountpoint map options # For details of the format look at autofs(8). # time is 30 sec /share/.automount /etc/auto.misc --timeout=30

6. vi /etc/auto.master

   # $Id: auto.misc,v 1.2 1997/10/06 21:52:04 hpa Exp $ # This is an automounter map and it has the following format # key [ -mount-options-separated-by-comma ] location # Details may be found in the autofs(5) manpage #cd -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom docs -ro,loop,fstype=iso9660 :/share/ISOs/docs.iso Office2000.cd1 -ro,loop,fstype=iso9660 :/share/ISOs/Office2000.cd1.iso # the following entries are codeles to pique your imagination #linux -ro,soft,intr ftp.example.org:/pub/linux #boot -fstype=ext2 :/dev/hda1 #floppy -fstype=auto :/dev/fd0 #floppy -fstype=ext2 :/dev/fd0 #e2floppy -fstype=ext2 :/dev/fd0 #jaz -fstype=ext2 :/dev/sdc1 #removable -fstype=ext2 :/dev/hdd

7. cd CDs
8. ln -s ../.automount/docs
9. ln -s ../.automount/Office2000.cd1
10. get the RedHat 7.3 doc iso file from ftp.redhat.com called valhalla-docs.iso
11. umount /mnt/cdrom
12. dd if=/dev/cdrom of=/share/ISOs/Office2000.cd1.iso
13. /etc/init.d/autofs restart
14. Goto a windows machine and view your server and the share CDs

    RedHat

    setiathome_win_3_07.exe

    local

    wireless

Setup the Firewall

Installing iptables

1. iptables masq app
2. look at /etc/sysconfig/ for iptables, you will probably have to create a new file.

   # Generated by iptables-save v1.2.4 on Wed Mar 6 15:37:32 2002 *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :drop-and-log-it - [0:0] -A POSTROUTING -o lo -j ACCEPT -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j SNAT --to-source 24.156.249.26 -A POSTROUTING -s 24.156.249.26/32 -o eth1 -j ACCEPT -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 24.156.249.26 -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j ACCEPT -A POSTROUTING -j drop-and-log-it -A drop-and-log-it -j LOG --log-level error -A drop-and-log-it -j DROP COMMIT # Completed on Wed Mar 6 15:37:32 2002 # Generated by iptables-save v1.2.4 on Wed Mar 6 15:37:32 2002 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :drop-and-log-it - [0:0] -A INPUT -i eth1 -s 192.168.0.0/255.255.0.0 -j drop-and-log-it -A INPUT -i eth1 -d 192.168.0.0/255.255.0.0 -j drop-and-log-it -A INPUT -i eth1 -s 127.0.0.0/255.0.0.0 -j drop-and-log-it -A INPUT -i eth1 -d 127.0.0.0/255.0.0.0 -j drop-and-log-it -A INPUT -i eth1 -p udp -m udp --sport 2233 -j drop-and-log-it -A INPUT -i eth1 -p tcp -m tcp --sport 2233 -j drop-and-log-it -A INPUT -i lo -p all -j ACCEPT -A INPUT -i eth0 -p all -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --sport 110 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --sport 6340:6390 -j DROP -A INPUT -i eth1 -p tcp -m tcp --dport 6340:6390 -j DROP -A INPUT -i eth1 -p tcp -m tcp --sport 443 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --sport 53 -j ACCEPT -A INPUT -i eth1 -p udp -m udp --sport 53 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --dport 67:68 -j DROP -A INPUT -i eth1 -p udp -m udp --dport 67:68 -j DROP -A INPUT -j drop-and-log-it -A FORWARD -i eth1 -p icmp -j DROP -A FORWARD -o eth0 -p icmp -j DROP -A FORWARD -i eth1 -o eth0 -m state --state NEW,INVALID -j DROP -A FORWARD -i eth1 -s 192.168.0.0/255.255.0.0 -j drop-and-log-it -A FORWARD -i eth1 -s 127.0.0.0/255.0.0.0 -j drop-and-log-it -A FORWARD -i eth0 -p all -j ACCEPT -A FORWARD -o eth0 -p udp -m udp --sport 67:68 -j ACCEPT -A FORWARD -o eth0 -p udp -m udp --dport 67:68 -j ACCEPT -A FORWARD -i lo -p all -j ACCEPT -A FORWARD -i eth1 -p udp -m udp --sport 53 -j DROP -A FORWARD -i eth1 -p udp -m udp --sport 2233 -j drop-and-log-it -A FORWARD -i eth1 -p tcp -m tcp --sport 2233 -j drop-and-log-it -A FORWARD -o eth0 -p udp -m udp --sport 2233 -j drop-and-log-it -A FORWARD -o eth0 -p tcp -m tcp --sport 2233 -j drop-and-log-it -A FORWARD -i eth1 -p tcp -m tcp --sport 6340:6390 -j DROP -A FORWARD -i eth1 -p tcp -m tcp --dport 6340:6390 -j DROP -A FORWARD -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --sport 8080 -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --sport 443 -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --sport 110 -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --sport 119 -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --dport 67:68 -j DROP -A FORWARD -j drop-and-log-it -A OUTPUT -o lo -p all -j ACCEPT -A OUTPUT -o eth0 -p udp -m udp --sport 67:68 -j ACCEPT -A OUTPUT -o eth0 -d 192.168.1.0/24 -p all -j ACCEPT -A OUTPUT -d 192.168.1.4/255.255.255.0 -o eth1 -j drop-and-log-it -A OUTPUT -s 192.168.1.4/255.255.255.0 -o eth1 -j drop-and-log-it -A OUTPUT -o eth1 -p tcp -m tcp --sport 80 -j ACCEPT -A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT -A OUTPUT -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT -A OUTPUT -s 24.156.249.26/32 -o eth1 -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -o eth1 -p udp -m udp --sport 53 -j DROP -A OUTPUT -o eth0 -j LOG --log-level error -A OUTPUT -o eth0 -j REJECT -A OUTPUT -j drop-and-log-it -I FORWARD -i eth1 -p tcp -m tcp --sport 161 -j DROP -I INPUT -i eth1 -p tcp -m tcp --sport 161 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --sport 161 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --dport 161 -j DROP -I INPUT -i eth1 -p tcp -m tcp --dport 161 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --dport 161 -j DROP -I FORWARD -i eth1 -p udp -m udp --sport 161 -j DROP -I INPUT -i eth1 -p udp -m udp --sport 161 -j DROP -I OUTPUT -o eth1 -p udp -m udp --sport 161 -j DROP -I FORWARD -i eth1 -p udp -m udp --dport 161 -j DROP -I INPUT -i eth1 -p udp -m udp --dport 161 -j DROP -I OUTPUT -o eth1 -p udp -m udp --dport 161 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --sport 111 -j DROP -I INPUT -i eth1 -p tcp -m tcp --sport 111 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --sport 111 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --dport 111 -j DROP -I INPUT -i eth1 -p tcp -m tcp --dport 111 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --dport 111 -j DROP -I FORWARD -i eth1 -p udp -m udp --sport 111 -j DROP -I INPUT -i eth1 -p udp -m udp --sport 111 -j DROP -I OUTPUT -o eth1 -p udp -m udp --sport 111 -j DROP -I FORWARD -i eth1 -p udp -m udp --dport 111 -j DROP -I INPUT -i eth1 -p udp -m udp --dport 111 -j DROP -I OUTPUT -o eth1 -p udp -m udp --dport 111 -j DROP #http://support.microsoft.com/default.aspx?scid=kb;EN-US;q289241 -I FORWARD -i eth1 -p tcp -m tcp --sport 593 -j DROP -I INPUT -i eth1 -p tcp -m tcp --sport 593 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --sport 593 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --dport 593 -j DROP -I INPUT -i eth1 -p tcp -m tcp --dport 593 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --dport 593 -j DROP -I FORWARD -i eth1 -p udp -m udp --sport 593 -j DROP -I INPUT -i eth1 -p udp -m udp --sport 593 -j DROP -I OUTPUT -o eth1 -p udp -m udp --sport 593 -j DROP -I FORWARD -i eth1 -p udp -m udp --dport 593 -j DROP -I INPUT -i eth1 -p udp -m udp --dport 593 -j DROP -I OUTPUT -o eth1 -p udp -m udp --dport 593 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --sport 3268:3269 -j DROP -I INPUT -i eth1 -p tcp -m tcp --sport 3268:3269 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --sport 3268:3269 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --dport 3268:3269 -j DROP -I INPUT -i eth1 -p tcp -m tcp --dport 3268:3269 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --dport 3268:3269 -j DROP -I FORWARD -i eth1 -p udp -m udp --sport 3268:3269 -j DROP -I INPUT -i eth1 -p udp -m udp --sport 3268:3269 -j DROP -I OUTPUT -o eth1 -p udp -m udp --sport 3268:3269 -j DROP -I FORWARD -i eth1 -p udp -m udp --dport 3268:3269 -j DROP -I INPUT -i eth1 -p udp -m udp --dport 3268:3269 -j DROP -I OUTPUT -o eth1 -p udp -m udp --dport 3268:3269 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --sport 3389 -j DROP -I INPUT -i eth1 -p tcp -m tcp --sport 3389 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --sport 3389 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --dport 3389 -j DROP -I INPUT -i eth1 -p tcp -m tcp --dport 3389 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --dport 3389 -j DROP -I FORWARD -i eth1 -p udp -m udp --sport 3389 -j DROP -I INPUT -i eth1 -p udp -m udp --sport 3389 -j DROP -I OUTPUT -o eth1 -p udp -m udp --sport 3389 -j DROP -I FORWARD -i eth1 -p udp -m udp --dport 3389 -j DROP -I INPUT -i eth1 -p udp -m udp --dport 3389 -j DROP -I OUTPUT -o eth1 -p udp -m udp --dport 3389 -j DROP #http://www.snort.org/ports.html?port=31337 -I FORWARD -i eth1 -p tcp -m tcp --sport 31337 -j DROP -I INPUT -i eth1 -p tcp -m tcp --sport 31337 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --sport 31337 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --dport 31337 -j DROP -I INPUT -i eth1 -p tcp -m tcp --dport 31337 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --dport 31337 -j DROP -I FORWARD -i eth1 -p udp -m udp --sport 31337 -j DROP -I INPUT -i eth1 -p udp -m udp --sport 31337 -j DROP -I OUTPUT -o eth1 -p udp -m udp --sport 31337 -j DROP -I FORWARD -i eth1 -p udp -m udp --dport 31337 -j DROP -I INPUT -i eth1 -p udp -m udp --dport 31337 -j DROP -I OUTPUT -o eth1 -p udp -m udp --dport 31337 -j DROP -A drop-and-log-it -j LOG --log-level error -A drop-and-log-it -j DROP #http://support.microsoft.com/default.aspx?scid=kb;EN-US;q298804 -I FORWARD -i eth1 -p tcp -m tcp --sport 445 -j DROP -I INPUT -i eth1 -p tcp -m tcp --sport 445 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --sport 445 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --dport 445 -j DROP -I INPUT -i eth1 -p tcp -m tcp --dport 445 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --dport 445 -j DROP -I FORWARD -i eth1 -p udp -m udp --sport 445 -j DROP -I INPUT -i eth1 -p udp -m udp --sport 445 -j DROP -I OUTPUT -o eth1 -p udp -m udp --sport 445 -j DROP -I FORWARD -i eth1 -p udp -m udp --dport 445 -j DROP -I INPUT -i eth1 -p udp -m udp --dport 445 -j DROP -I OUTPUT -o eth1 -p udp -m udp --dport 445 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --sport 135:139 -j DROP -I INPUT -i eth1 -p tcp -m tcp --sport 135:139 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --sport 135:139 -j DROP -I FORWARD -i eth1 -p tcp -m tcp --dport 135:139 -j DROP -I INPUT -i eth1 -p tcp -m tcp --dport 135:139 -j DROP -I OUTPUT -o eth1 -p tcp -m tcp --dport 135:139 -j DROP -I FORWARD -i eth1 -p udp -m udp --sport 135:139 -j DROP -I INPUT -i eth1 -p udp -m udp --sport 135:139 -j DROP -I OUTPUT -o eth1 -p udp -m udp --sport 135:139 -j DROP -I FORWARD -i eth1 -p udp -m udp --dport 135:139 -j DROP -I INPUT -i eth1 -p udp -m udp --dport 135:139 -j DROP -I OUTPUT -o eth1 -p udp -m udp --dport 135:139 -j DROP COMMIT

3. cd /etc/rc.d/init.d/
4. ./ipchains stop
5. ./iptables restart
6. iptables -L -t nat -L
7. iptables -L
8. See Linux IP Masquerade Resource or Masq Apps
9. Setup Direct X Script

   #delete table: filter, nat #http://www.tsmservices.com/masq/cfm/detail.cfm?AppID=217 #http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q240429& #activate standard masquerade #iptables -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT #iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT #iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE #activate directplay-rules iptables -t nat -A PREROUTING -p tcp -d 24.156.248.45 --dport 6073 -j DNAT --to-destination 192.168.1.36:6073 iptables -t nat -A PREROUTING -p tcp -d 24.156.248.45 --dport 2300:2400 -j DNAT --to-destination 192.168.1.36:2300-2400 iptables -t nat -A PREROUTING -p udp -d 24.156.248.45 --dport 6073 -j DNAT --to-destination 192.168.1.36:6073 iptables -t nat -A PREROUTING -p udp -d 24.156.248.45 --dport 2300:2400 -j DNAT --to-destination 192.168.1.36:2300-2400 iptables -A FORWARD -p tcp -d 192.168.1.2/4 --dport 6073 iptables -A FORWARD -p tcp -d 192.168.1.2/4 --dport 2300:2400 iptables -A FORWARD -p udp -d 192.168.1.2/4 --dport 6073 iptables -A FORWARD -p udp -d 192.168.1.2/4 --dport 2300:2400

Configuring Snort

1. Get snort http://www.snort.org/
2. snort -D
3. Now all I have to do is make it permiment

Configuring Gaurdian

1. get gaurdian
2. configure it...
3. Add it to the boot up script

Setting up Apache

1. add the follwing to /etc/httpd.conf

   # IndexIgnore .??* *~ *# .[!.]* images* unpublish* _* HEADER* README* RCS CVS *,v *,t : : : # The following lines prevent .htaccess files from being viewed by # Web clients. Since .htaccess files often contain authorization # information, access is disallowed for security reasons. Comment # these lines out if you want Web visitors to see the contents of # .htaccess files. If you change the AccessFileName directive above, # be sure to make the corresponding changes here. # # Also, folks tend to use names such as .htpasswd for password # files, so this will protect those as well. # <Files ~ "^\.ht"> Order allow,deny Options -Indexes Deny from all </Files> <Directory ~ "(/_|image).*"> Options -Indexes </Directory> <Directory ~ "/\..*" > AllowOverride None Options-Indexes Order deny,allow Deny fromAll </Directory>

2. The change

   # # # This controls which options the .htaccess files in directories can # override. Can also be "All", or any combination of "Options", "FileInfo", # "AuthConfig", and "Limit" # AllowOverride AuthConfig : : : # HostnameLookups: Log the names of clients or just their IP addresses # e.g., www.apache.org (on) or 204.62.129.132 (off). # The default is off because it'd be overall better for the net if people # had to knowingly turn this feature on, since enabling it means that # each client request will result in AT LEAST one lookup request to the # nameserver. # #HostnameLookups Off HostnameLookups On

3. Change this line in the file

   AuthType Basic AuthName MyPrivateFile AuthUserFile /etc/httpd/conf/users Satisfy All Require valid-user

4. create users and passwords to access this protected directory
   htpasswd -c /etc/httpd/conf/users user1
htpasswd /etc/httpd/conf/users user2
   
5. Then for Virtual File names do

   # # Use name-based virtual hosting. # NameVirtualHost * # # VirtualHost example: # Almost any Apache directive may go into a VirtualHost container. # The first VirtualHost section is used for requests without a known # server name. # <VirtualHost *> ServerName platinumarchitecturegroup.com ServerAlias www.platinumarchitecturegroup.com ServerAlias platinumjava.com ServerAlias www.platinumjava.com ServerAdmin webmaster@platinumjava.com SSLDisable DocumentRoot /var/www/htdocs/platinumjava.com/ ErrorLog logs/platinumjava.com-error_log RefererLog logs/platinumjava.com-referer_log TransferLog logs/platinumjava.com-access_log </VirtualHost> <VirtualHost *> ServerName thegreedforspeed.com ServerAlias www.thegreedforspeed.com ServerAlias www.winnerscircleautoservice.com ServerAlias winnerscircleautoservice.com ServerAdmin webmaster@thegreedforspeed.com DocumentRoot /var/www/htdocs/winnerscircleautoservice.com/ RefererLog logs/winnerscircleautoservice.com-access_log ErrorLog logs/winnerscircleautoservice.com-error_log TransferLog logs/winnerscircleautoservice.com-access_log </VirtualHost> <VirtualHost 192.168.1.2> ServerName snotbox.platinumjava.com ServerAdmin webmaster@snotbox.platinumjava.com DocumentRoot /var/www/htdocs/ ErrorLog logs/snotbox.platinumjava.com-error_log CustomLog logs/snotbox.platinumjava.com-access_log common </VirtualHost>

Installing MRTG

1. Note you need snmpd working....
2. rpm -qa |grep mrtg to see if it is installed
3. cd /etc/mrtg
4. vi mrtg.cfg
5. make sure that snmpd is automatically loaded as a deamon
6. create a new MRTG file
7. cfgmaker public@machine_name > mrtg.cfg

Installing Analog

1. Goto http://www.analog.cx/
2. Get the pre built rpm file
3. rpm -ih rpm-file-name
4. Follow the directions at http://www.analog.cx/how-to/vhosts1/index.html

Installing Mailman

• bin/check_perms -f
• follow instructions at mailman.org

Java

• Goto http://java.sun.com/j2se download and follow the directions
• Goto http://java.sun.com/j2ee download and follow the directions

• JAVA_HOME=/usr/java/j2sdk1.4.0_02 export JAVA_HOME J2EE_HOME=/usr/java/j2sdkee1.3.1 JBOSS_HOME=/var/jboss-3.0.3 BASH_ENV=$HOME/.bashrc PATH=$PATH:$JAVA_HOME/bin:$HOME/bin BASH_ENV=$HOME/.bashrc USERNAME="root" export JAVA_HOME J2EE_HOME JBOSS_HOME USERNAME BASH_ENV PATH

  
  
• logout
• log back in

Installing JBoss

1. get JBoss from www.jboss.org
2. rpm -ihf
3. rpm -ihf
4. http://localhost:8080/

Installing TomCat 4

1. get tomcat from
2. rpm -i
3. rpm -i
4. /sbin/chkconfig --add tomcat4

Installing MySQL

1. http://www.jboss.org/forums/thread.jsp?forum=144&thread=21205&message=3741202&q=datasource#3741202
   • A mysql-service file exists in %JBOSS_INST%\docs\examples\jca. Copy it to your project directory and modify these following lines:
   • <config-property name="ConnectionURL" type="java.lang.String">jdbc:mysql://dell:3306/jbossdb</config-property> Set your database here.
   • <config-property name="DriverClass" type="java.lang.String">org.gjt.mm.mysql.Driver</config-property> Set your database driver. By default you must not modify it.
   • <config-property name="UserName" type="java.lang.String">UserName</config-property>
   • <config-property name="Password" type="java.lang.String">Password</config-property> Set the user and pwd for database access.
   • Then copy it into %JBOSS_INST%\server\default\deploy directory. Be sure that you copy your mysql jdbc driver to %JBOSS_INST%\server\default\lib before.
2. Remember you need the mysql driver from www.mysql.org
3. http://www.jboss.org/forums/ has good info and a search box at the bottom of the page
4. mysqlshow
5. mysqlshow -i mysql
6. mysql -e "select * from db;" mysql
7. mysql -e "select version();" mysql
8. mysql -e "select user();" mysql
9. mysql -e "select now();" mysql
10. mysql -e "describe db" mysql
11. MySQL document or Post Installation or Disaster_Prevention or Check Table

Misc Stuff

LaTeX

• Install TeTeX
• http://entropy.brni-jhu.org/linuxsetup30.html has great instructions for installing fonts.
• try
  
• the following must be run as root
  

  #!/bin/sh texhash for h in `ls *.mf`; \ do \ echo $h; mktextfm $h done texhash

  vi `kpsewhich --format=cnf fmtutil.cnf` ;uncomment the -en line fmtutil --missing

  
  

Linux Journal Dec 2001 -- Marcel Gagne's Ligher Admin Fare with Depth

XCruise

• goto http://www.unixuser.org/~euske/pub
• xmkmf -a
• make

TDFSB 3-D filesystem Browser

• goto http://www.hgb-leipzig.de/~leander
• install glut from your distro
• ./compile
• ./tdfsb
  

Setting Up Photo Servlet

Configuring PostSQL

1. Modify the postSQL startup script to use TCP/IP with vi /etc/init.d/postgresql
2. On line 135 modify the line from postmaster start > to read postmaster start -o -i >
3. /etc/init.d/postgresql status
4. /etc/init.d/postgresql start or restart
5. mount /mnt/cdrom (with the redhat disc two in it)
6. cd /mnt/cdrom/RedHat/RPMS
7. rpm -ih post*jdbc*
8. psql -h localhost

GET INFOMAGIK from sourceforge

Installing PhotoServlet from scratch

1. See tomcat
2. See postSql
3. down load the tar file from Source Forge
4. tar -xvf ./photoservlet-20020301.tgz
5. mv ./release /var/tomcat4/webapps/photoservlet
6. cd /var/tomcat4/webapps/photoservlet
7. chgrp -R tomcat4 ./photoservlet
8. chown -R tomcat4 ./photoservlet
9. ls -l /var/tomcat4/webapps/ drwxrwxrwx 1 tomcat4 tomcat4 4096 Mar 5 18:38 photoservlet
10. ln -s $PWD/etc/photo.conf /usr/local/etc/photo.conf
11. ln -s $PWD/etc/spyrunner.conf /usr/local/etc/spyrunner.conf
12. ln -s /share/apache/photoservlet/etc/ /etc/photoservl et
13. edit imageserver.conf on line 135 change db.url jdbc:postgresql://localhost/photo db.url jdbc:postgresql://localhost/photo db
14. edit photo.conf on line 3 change dbSource jdbc:postgresql://localhost/photo dbSource jdbc:postgresql://localhost/photo db on line 15,17,18 change includes /var/tomcat4/webapps/photoservlet/ etc/inc/ xslt.default /var/tomcat4/webapps/photoservlet /etc/inc/xsl/default.xsl xslt.simple /var/tomcat4/webapps/photoservlet /etc/inc/xsl/simple.xsl on line 24 comment # xslt_processor net.spy.photo.xslt.ResinXSL on line 27 uncomment xslt_processor net.spy.photo.xslt.ApacheXSLT on line 37 mail_sender photoservlet@mycompany.com MAKE SURE YOU ADD A MAIL BOX FOR PHOTOSERVLET on line 46 upload_tmp_dir /tmp
15. feel free to ignore the resin.conf file (we are using tomcat4)
16. edit spyrunner.conf line 20 rhash.args /tmp/rcache line 23 imageserver.args /var/tomcat4/webapps/photoservlet /etc/imageserver.conf
17. su tomcat4
18. createdb -h localhost photodb
19. createuer -h localhost -D -A nobody
20. createuer -h localhost -d -a dbadmin
21. psql -h localhost -d photodb -f /var/tomcat4/webapps/photoservelt/etc/photo.sql -U dbadmin
22. cd /var/tomcat4/common/lib
23. ln -s /usr/share/pgsql/jdbc7.0-1.1.jar ln -s /usr/share/pgsql/jdbc7.1-1.2.jar ln -s ../../webapps/photoservlet/photo.jar ln -s ../../webapps/photoservlet/spy.jar
24. Add this apache classes ln -s <some path>/xalan.jar ln -s <some path>/xalanservlet.jar ln -s /usr/share/java/xerces.jar ln -s /usr/share/java/servlet-2.3.jar
25. add ln -s <some path>/cos.jar
26. make sure /var/tomcat4/webapps/photoservelt/startRMI will run
27. change /var/tomcat4/conf/server.xm

    <!-- Tomcat Root Context --> <!-- <Context path="" docBase="ROOT" debug="0"/> --> <!-- Tomcat Manager Context --> <Context path="/manager" docBase="manager" debug="0" privileged="true"/> <!-- Tomcat Examples Context --> <Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true"> <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/> <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/> <!-- PersistentManager: Uncomment the section below to test Persistent

    to

    <!-- Tomcat Root Context --> <!-- <Context path="" docBase="ROOT" debug="0"/> --> <!-- Tomcat Manager Context --> <Context path="/manager" docBase="manager" debug="0" privileged="true"/> <Context path="/photo" docBase="photoservlet" debug="0" /> <!-- Tomcat Examples Context --> <Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true"> <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/> <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/> <!-- PersistentManager: Uncomment the section below to test Persistent

28. load up a web browser and goto http://localhost:8010/photo/servlet/photo or http://localhost:8080/photo/servlet/photo and make sure everthing is working.
29. Always run startRMI????