Monday, December 31, 2012

Making Scientific Linux 6.2 a Router with Squid Proxy


My internet-facing server has 2 NICs; the NIC connected to the internal network has IP address 10.10.0.1/24.

So first, type at the terminal

sysctl -w net.ipv4.ip_forward=1

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

see the current iptables configuration by

iptables -L -t nat (to see the nat table) or iptables -L (to see the general iptables settings)


we will remove the 2 REJECT rules, one in the INPUT chain and one in the FORWARD chain

iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited

iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited

yum install squid

nano /etc/squid/squid.conf

go to this line

http_port 3128

make this line

http_port 3128 intercept

to use a transparent proxy

save the file

service squid restart


to make sure all clients' traffic to port 80 (the intercepted traffic) is sent to port 3128 on the squid server

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.10.0.1:3128


Now we need to make sure clients can only use port 3128 to access the net

iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

By default there is a rule in the INPUT chain of iptables which accepts anything from anywhere

you can see this by

iptables -L

In my case it is the third line

I had to delete it to make sure the clients use port 3128

iptables -t filter -D INPUT 3

so at the end the INPUT chain of my iptables configuration looks like this

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:squid
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

at the client, in the browser, set the proxy with port 3128

Save this configuration by

iptables-save > iptables.conf

This will create iptables.conf (in whatever directory you are in), which has the current iptables configuration

make a backup of the original iptables

cp /etc/sysconfig/iptables /etc/sysconfig/iptables_back

now replace the original iptables file with our custom iptables configuration

mv /etc/iptables.conf /etc/sysconfig/iptables

now

service iptables restart

to load an iptables configuration temporarily

iptables-restore < iptables.conf
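An added example (not from the post) that audits an iptables-save dump offline for the problem described above: a catch-all "-A INPUT -j ACCEPT" ahead of the REJECT makes every later INPUT rule unreachable, which is why adding the 3128 rule alone was not enough. The sample dump is constructed; the functions mirror "iptables -L" with rule numbers and "iptables -D INPUT 3".

```shell
# Constructed dump in iptables-save format: the stock SL6 INPUT chain plus the
# squid rule, with a stray catch-all ACCEPT as rule 3 (the author's situation).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read a dump on stdin and print "<pos> <shadowed>" for the first catch-all
# ACCEPT in the given filter-table chain: its 1-based rule number and how many
# rules after it can never match. Prints nothing if the chain has no catch-all.
find_catchall() {     # usage: ... | find_catchall CHAIN
    awk -v chain="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == chain {
            pos++
            if (found) shadowed++; else if (NF == 4 && $3 == "-j" && $4 == "ACCEPT") found = pos
        }
        END { if (found) print found, shadowed + 0 }
    '
}

# Emit the dump with rule POS of CHAIN removed: the offline counterpart of
# "iptables -t filter -D CHAIN POS". Diff the result, then load it with
# iptables-restore or install it as /etc/sysconfig/iptables as the post does.
drop_rule() {         # usage: ... | drop_rule CHAIN POS
    awk -v chain="$1" -v target="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == chain { pos++; if (pos == target) next }
        { print }
    '
}

printf '%s\n' "$SAMPLE_RULES" | find_catchall INPUT                      # 3 3
printf '%s\n' "$SAMPLE_RULES" | drop_rule INPUT 3 | find_catchall INPUT  # prints nothing
```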


Wednesday, December 26, 2012

Install Oracle 10g Express on Scientific Linux 6 step by step


Ok, so I could not try Oracle 11g Express as it comes only in 64-bit (my old PC does not support 64-bit virtualization), so I had to find the Oracle 10g Express Edition.


I got the oracle-xe-10.2.0.1-1.0.i386.rpm from the book Oracle for Professionals; the book is heavy but supposed to be good, I have just started.


10g requires the following packages


glibc-2.3.2


and


libaio=0.3.96


you can see if they are installed by


rpm -qa | grep glibc


rpm -qa | grep libaio


I tried rpm -ivh oracle-xe-10.2.0.1-1.0.i386.rpm and faced the following errors


Preparing...                ########################################### [100%]

error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
error: %pre(oracle-xe-univ-10.2.0.1-1.0.i386) scriptlet failed, exit status 255
error:   install: %pre scriptlet failed (2), skipping oracle-xe-univ-10.2.0.1-1.0

but rpm -Uvh oracle-xe-10.2.0.1-1.0.i386.rpm worked flawlessly


Thanks to the link


http://pb.zambale.com/2012/02/03/road-to-oracle-dba-installing-oracle-database-express-edition-oracle-database-xe/


you can set the password of the system account during the installation process


/etc/init.d/oracle-xe start


Now I can go to the


127.0.0.1:8080/apex


and log in as system and enable the locked HR account


logout


Now


cd /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin


./oracle_env.sh


Now


nano /root/.bashrc


add the following line at the end


/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh


save the file


source /root/.bashrc


to make the current shell read .bashrc


/etc/init.d/oracle-xe restart


Now I faced an error


when trying sqlplus from the command line like


sqlplus system


sqlplus command not found


So I tried


export ORACLE_HOME=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server


export PATH=$PATH:$ORACLE_HOME/bin


export ORACLE_SID=XE



and restarted the oracle-xe


/etc/init.d/oracle-xe restart


then from bash


sqlplus system worked fine


Then I added these 3 lines to the /root/.bashrc


nano /root/.bashrc


add these 3 lines at the end


export ORACLE_HOME=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server


export PATH=$PATH:$ORACLE_HOME/bin


export ORACLE_SID=XE


save the file


source /root/.bashrc
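An added example (not from the post) showing why "./oracle_env.sh", and a bare /usr/lib/.../oracle_env.sh line in .bashrc, leave "sqlplus: command not found": a script run as a child process exports into its own environment, which is discarded when it exits, so the parent shell has to source it with "." or "source" instead. The oracle_env.sh stand-in below is constructed; it is an assumption that the real file sets the same three variables the post later exports by hand.

```shell
# Constructed stand-in for oracle_env.sh (assumption: the real file sets the
# same three variables the post later exports by hand).
ENV_DEMO=$(mktemp)
cat > "$ENV_DEMO" <<'EOF'
export ORACLE_HOME=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server
export ORACLE_SID=XE
export PATH=$PATH:$ORACLE_HOME/bin
EOF

# Run the script as a child shell (what ./oracle_env.sh does) and report what
# the caller sees afterwards. The ( ) subshell keeps the demo from touching
# the shell you are typing in.
sid_after_exec() {
    ( unset ORACLE_SID; sh "$ENV_DEMO"; printf '%s' "${ORACLE_SID:-unset}" )
}

# Source it in the current shell instead: the exports survive.
sid_after_source() {
    ( unset ORACLE_SID; . "$ENV_DEMO"; printf '%s' "${ORACLE_SID:-unset}" )
}

# After sourcing, is $ORACLE_HOME/bin (where sqlplus lives) a PATH component?
bin_on_path_after_source() {
    ( unset ORACLE_HOME; . "$ENV_DEMO"
      case ":$PATH:" in *":$ORACLE_HOME/bin:"*) echo yes ;; *) echo no ;; esac )
}

echo "after executing: ORACLE_SID=$(sid_after_exec)"     # unset
echo "after sourcing:  ORACLE_SID=$(sid_after_source)"   # XE
```

The same applies to the .bashrc line: writing ". /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh" there sources it, while the path alone only runs it and throws the result away.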





 


Sunday, December 16, 2012

Creating a PXE Server with Scientific Linux 6 step by step

yum install nano dhcp tftp-server httpd syslinux ftp

Disable SELinux

nano /etc/sysconfig/selinux

change the line to

SELINUX=disabled

save the file

nano /etc/xinetd.d/tftp

disable=no

save the file

service xinetd restart

cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot
cp /usr/share/syslinux/menu.c32 /var/lib/tftpboot
cp /usr/share/syslinux/memdisk /var/lib/tftpboot
cp /usr/share/syslinux/mboot.c32 /var/lib/tftpboot
cp /usr/share/syslinux/chain.c32 /var/lib/tftpboot


Create the directory for your PXE menus

mkdir /var/lib/tftpboot/pxelinux.cfg

mkdir /var/lib/tftpboot/images

mkdir /data

mount -ro loop /media/centos.iso /data


create /etc/dhcp/dhcpd.conf with the following content


#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#
ddns-update-style interim;
allow booting;
allow bootp;
ignore client-updates;

option option-128 code 128 = string;
option option-129 code 129 = text;


set vendorclass=option vendor-class-identifier;

subnet 192.168.163.0 netmask 255.255.255.0 {

option routers 192.168.163.2;
option domain-name-servers 192.168.163.2;
option subnet-mask 255.255.255.0;
range 192.168.163.100 192.168.163.105;
filename "/pxelinux.0";
default-lease-time 21600;
max-lease-time 43200;
next-server 192.168.163.25;
}

service dhcpd restart

copy the contents of the pxeboot folder (inside the images folder on the CentOS DVD, mounted at /data above) into the tftpboot images folder

cp -rv /data/images/pxeboot/* /var/lib/tftpboot/images/

cd /var/lib/tftpboot/pxelinux.cfg

create a file named default

nano default

this file should contain this


default menu.c32
prompt 0
timeout 300
ONTIMEOUT local

MENU TITLE PXE Menu


LABEL CentOS 5 PXEBOOT
       MENU LABEL CentOS 5 
        KERNEL images/vmlinuz
        APPEND initrd=images/initrd.img ramdisk_size=100000 ksdevice=eth1 ip=dhcp


save the file


service httpd start

mkdir /var/www/html/install

mount the CentOS DVD in the install folder

service httpd restart

Now the client should boot, get an IP from the PXE server and start booting

Wait, this process is troublesome and I faced several errors.

First I faced the PXE-E32: TFTP open timeout error.

Then I faced the PXE-T01 File not found error because my tftpboot was in / instead of in /var/lib/tftpboot.

At first the client was not even able to find the boot files.

The reason was that I first created the tftpboot directory in /, which didn't work for me,

so I moved the tftpboot folder to /var/lib/tftpboot, since this path is mentioned in the /etc/xinetd.d/tftp file.

Then I faced the infamous "permission denied" error; the error actually looks like this:

PXE-T00 permission denied

Now I don't know much about security, but I found this solution on this page

http://unix.stackexchange.com/questions/31809/permission-denied-trying-to-get-a-file-using-tftp


The solution is like this
   

"Probably a selinux problem. Do a ls -alZ in the directory. On RHEL5/Centos5 the context should be user_u:object_r:tftpdir_t.

You can run restorecon -Rv /tftproot to fix it.

Edit: Just saw the fedora tag. It seems you're using not F16 but an earlier version, so the instructions above should work for you. With F16 the tftproot is in /var/lib and the context is system_u:object_r:tftpdir_rw_t:s0."

So I used this command and finally felt sane again as the PXE server finally worked.

restorecon -Rv /var/lib/tftpboot/
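An added example (not from the post): before rebooting a client, check offline that every KERNEL and initrd= path in a pxelinux "default" menu exists under the TFTP root and is readable by the unprivileged tftp daemon (mode o+r). A missing file is what produces the PXE-T01 "File not found" above; a file the daemon cannot read gives PXE-T00 "permission denied". SELinux labels, fixed above with restorecon, are a separate check not covered here. The demo tree and menu are constructed.

```shell
check_pxe_menu() {    # usage: check_pxe_menu TFTP_ROOT MENU_FILE
    root=$1 menu=$2 status=0
    # KERNEL arguments and initrd= values from APPEND lines, one path per line.
    paths=$(awk '
        toupper($1) == "KERNEL" { print $2 }
        toupper($1) == "APPEND" { for (i = 2; i <= NF; i++) if (sub(/^initrd=/, "", $i)) print $i }
    ' "$menu")
    for p in $paths; do
        f="$root/${p#/}"                  # menu paths are relative to the TFTP root
        if [ ! -e "$f" ]; then
            echo "MISSING    $p"; status=1
        elif [ -z "$(find "$f" -perm -004)" ]; then
            echo "UNREADABLE $p (not o+r)"; status=1
        else
            echo "OK         $p"
        fi
    done
    return $status
}

# Constructed demo tree mirroring the post's layout: vmlinuz readable,
# initrd.img present but mode 600, and a second label whose files were never copied.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/tftpboot/images" "$DEMO/tftpboot/pxelinux.cfg"
: > "$DEMO/tftpboot/images/vmlinuz";    chmod 644 "$DEMO/tftpboot/images/vmlinuz"
: > "$DEMO/tftpboot/images/initrd.img"; chmod 600 "$DEMO/tftpboot/images/initrd.img"
cat > "$DEMO/tftpboot/pxelinux.cfg/default" <<'EOF'
default menu.c32
LABEL CentOS 5 PXEBOOT
        KERNEL images/vmlinuz
        APPEND initrd=images/initrd.img ramdisk_size=100000 ksdevice=eth1 ip=dhcp
LABEL rescue
        KERNEL images/rescue/vmlinuz
        APPEND initrd=images/rescue/initrd.img
EOF

check_pxe_menu "$DEMO/tftpboot" "$DEMO/tftpboot/pxelinux.cfg/default" ||
    echo "fix the entries above before rebooting the client"
```

On the real server run it as check_pxe_menu /var/lib/tftpboot /var/lib/tftpboot/pxelinux.cfg/default.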


Now I am ready to sleep, it's 4.50 in the morning.


Sourav Bhattacharya

Linux Faculty for 7 years

Saturday, December 15, 2012

Installing linux from NFS image



Okay, this process is not smooth, unlike FTP- and HTTP-based installation.


Here is how I did it.

I have used Scientific Linux (The best distro right now according to me)


I want to deploy CentOS through an NFS image on the network. I boot the client PC using boot.iso from the images folder of the CentOS 5.3 DVD; after booting I set the NFS server and the path of the CentOS image.

First I copied the CentOS 5.3 ISO (DVD image) to my desktop.

Then

I created a folder named souravdvd in my home directory

mount -o loop /home/Desktop/CentOS5.3.ISO /home/sourav/souravdata

Then I created a folder named nfs in the root partition.

mount --bind /home/sourav/souravdata /nfs


Then

nano /etc/exports

/nfs  192.168.163.25(rw,sync,root_squash,anonuid=1001,anongid=1001)


(probably the rw should be ro, because the filesystem is read-only rather than read-write, but anyway the problem went away)

now save the file

exportfs -a 

go to /etc/fstab

nano /etc/fstab

add a line

192.168.163.25:/nfs     /nfs         nfs          defaults          0           0 

 save the file

service nfs restart 




test it from another machine



create a folder there named test

mount -t nfs 192.168.163.25:/nfs /test

or 

mount  192.168.163.25:/nfs /test 

may or may not work, I don't know

now boot the client machine using boot.iso. You need to configure DHCP on the NFS server; the client will acquire an IP and then you need to choose NFS as the install media

The server will be 


192.168.163.25

The Path will be

/nfs 
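An added example (not from the post): an offline audit of /etc/exports covering the point made above (rw where ro would do) plus two related ones, exports that keep remote root as uid 0 (no_root_squash) and exports open to wildcard clients. The sample exports file is constructed.

```shell
# Constructed sample: the post's export line plus two entries showing the
# other mistakes the check flags. Options left out default to ro and root_squash.
SAMPLE_EXPORTS='/nfs  192.168.163.25(rw,sync,root_squash,anonuid=1001,anongid=1001)
/data *(rw,no_root_squash)
/iso 192.168.163.0/24(ro,sync)'

# Read an exports file on stdin; print one line per path/client pair,
# "OK path client" or "WARN path client: <issues>"; return 1 if anything warned.
audit_exports() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match(host, /\(.*\)/)) {            # split "client(opt,opt)"
                    opts = substr(host, RSTART + 1, RLENGTH - 2)
                    host = substr(host, 1, RSTART - 1)
                }
                msg = ""
                if (host == "" || host == "*" || host ~ /^\*\./) msg = msg " wildcard-client"
                if (("," opts ",") ~ /,rw,/)             msg = msg " rw"
                if (("," opts ",") ~ /,no_root_squash,/) msg = msg " no_root_squash"
                if (msg == "") print "OK", path, host
                else { print "WARN", path, host ":" msg; bad = 1 }
            }
        }
        END { exit bad }
    '
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports ||
    echo "tighten the WARN lines above, then run exportfs -ra"
```

For an install tree like the one above the clean form is 192.168.163.25(ro,sync), which the check reports as OK.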

Friday, December 14, 2012

Open FTP ports(20 and 21) through iptables

My IP Address is 192.168.163.25

go to

/etc/sysconfig/iptables

and add the following lines before the first REJECT statement


-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.163.25 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 192.168.163.25 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.163.25 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -s 192.168.163.25 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

-A OUTPUT -p tcp -s 192.168.163.25 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.163.25 --dport 20 -m state --state ESTABLISHED -j ACCEPT


Wednesday, December 5, 2012

Set a banner for ssh


nano /etc/motd

**************************************************************

Hello you,

Welcome to Sourav's area.

Have fun.

**************************************************************

save the file

service iptables restart

if you get an error saying that service is not found,

just create a symbolic link

ln -s /sbin/service /usr/bin

then service iptables restart will work fine


Change default port and disable root login in ssh and configure iptables accordingly


nano /etc/ssh/sshd_config



uncomment the line


#Port 22


and make it


Port 31111


then go to 


#PermitRootLogin   yes


and make it


PermitRootLogin   no


save the file


service sshd restart

now if I try to access my server using ssh on port 31111

ssh -p 31111 10.10.1.1


it won't be accessible; we need to configure iptables to make port 31111 accessible from outside

go to 

nano /etc/sysconfig/iptables

After the line


-A FORWARD -i eth1 -o eth0 -j ACCEPT

put this line

-A INPUT -p tcp -m state --state NEW -m tcp --dport 31111 -j ACCEPT

save the file

service iptables restart

ssh -p 31111 10.10.1.1

will prompt you to log in as root,

though you cannot log in as root, as expected

so

useradd subrata

passwd subrata

set subrata's password

add subrata to the wheel group

nano /etc/group

go to the line 


wheel:x:10:root

make it


wheel:x:10:root,subrata

save the file

now subrata is in the wheel group

go to 

nano /etc/sudoers

go to 


## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

uncomment the second line so that it looks like


## Allows people in group wheel to run all commands
 %wheel        ALL=(ALL)       ALL

save the file

now using subrata you can do everything



ssh -p 31111 subrata@10.10.1.1 will work just fine.
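An added example (not from the post) that checks an sshd_config and the matching /etc/sysconfig/iptables offline for the two changes described above, so the lock-out the author ran into (port moved, firewall not yet opened) is caught before "service sshd restart". It also shows a detail the post relies on without saying: sshd uses the first uncommented value of a keyword. Both files below are constructed.

```shell
# Constructed files: sshd_config after the edit (with a stray duplicate at the
# end), and the iptables file as it is BEFORE the 31111 rule has been added.
SSHD_DEMO=$(mktemp); RULES_DEMO=$(mktemp)
cat > "$SSHD_DEMO" <<'EOF'
#Port 22
Port 31111
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
EOF
cat > "$RULES_DEMO" <<'EOF'
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# sshd honours the FIRST uncommented occurrence of a keyword (case-insensitive,
# outside Match blocks). The trailing "PermitRootLogin yes" above is therefore
# ignored; the same line placed ABOVE the "no" would quietly re-enable root login.
sshd_effective() {    # usage: sshd_effective KEYWORD FILE -> value, empty if unset
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$2"
}

# Return 0 only when sshd is off port 22, root login is refused, and the
# firewall file ACCEPTs tcp to the chosen port in INPUT; otherwise list what is wrong.
audit_ssh() {         # usage: audit_ssh SSHD_CONFIG IPTABLES_FILE
    port=$(sshd_effective Port "$1"); port=${port:-22}
    root=$(sshd_effective PermitRootLogin "$1"); rc=0
    [ "$port" != 22 ] || { echo "sshd still listens on port 22"; rc=1; }
    [ "$root" = no ] || { echo "PermitRootLogin is '${root:-unset}', not 'no'"; rc=1; }
    grep -Eq "^-A INPUT .*--dport $port( |$).*-j ACCEPT" "$2" ||
        { echo "no INPUT ACCEPT for tcp/$port in $2: ssh -p $port will be refused"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: sshd on $port, root login refused, firewall open"
    return $rc
}

audit_ssh "$SSHD_DEMO" "$RULES_DEMO" || echo "fix the above before restarting sshd"
```

On the server itself run audit_ssh /etc/ssh/sshd_config /etc/sysconfig/iptables from a session you keep open until the new port is confirmed working.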







Tuesday, December 4, 2012

Securing Linux: allowing a user to become root only if it is in the wheel group



nano /etc/pam.d/su


go to

#Uncomment the following line to require a user to be in the "wheel" group.

#auth                   required                          pam_wheel.so use_uid

uncomment the line so that it looks like 


auth                   required                          pam_wheel.so use_uid

DHCP configuration file in CentOS 5

It is /etc/dhcpd.conf in CentOS 5

The commented-out lines are for address reservation.


#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample 




ddns-update-style interim;
allow booting;
allow bootp;
ignore client-updates;

set vendorclass=option vendor-class-identifier;

subnet 10.10.1.0 netmask 255.255.255.0 {

option routers 10.10.1.1;
option domain-name-servers 192.168.163.2;
option subnet-mask 255.255.255.0;
range 10.10.1.15 10.10.1.25;
filename "/pxelinux.0";
default-lease-time 21600;
max-lease-time 43200;
next-server 10.10.1.1;
}



#host client {

#hardware ethernet 00:0C:29:BC:55:9C;
#fixed-address 10.10.1.15;
#}









Sunday, December 2, 2012

Configure Cisco ASA 8.4 in GNS 3 step by step



Download the ASA 8.4 files for GNS3 from this link


http://www.mediafire.com/download.php?l010dd0c1nayf0d

Now configure ASA under QEMU in GNS 3 like this

Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536






activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

source: http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/