Linux

Have a lot of fun!

About this page

Dec 3, 2008 by FNC
Killer Penguin

I tend to forget a lot of the things I learn. This page will serve as a place where I can document the things I learn so that I can refer to them later, and hopefully it will help other people as well.

Anonymous takes on Microsoft

Mar 25, 2009 by FNC



OpenVPN

Dec 3, 2008 by FNC

Franna's step-by-step guide to installing OpenVPN on Linux with Windows clients.
Log on to the server as root.
Check if openvpn is installed, by typing:

"rpm -qa openvpn"
If no result is returned, OpenVPN is not installed and needs to be downloaded.

Open http://rpm.pbone.net/
Select advanced search.
Select the correct version of Linux you are using, e.g. Mandriva 2007 or Fedora 9.
Search for openvpn.
Look for a main release of openvpn, and open the link.
Look for a local server e.g. ftp.is.co.za
Right click on the link and copy the link location.
On the Linux box, type:
wget link.to.openvpn.file
P.S. you can right click in putty to paste the link from the clipboard.
Once the file is downloaded run
rpm -Uvh openvpn-XXXXX.rpm
Replace XXXXXX with correct file name.
Some dependencies may be required, e.g. lzo and pam. These can be installed using your distribution's package installer, e.g. yum or urpmi.
Once it is installed, copy the easy-rsa directory to /etc/openvpn
cp -rv /usr/share/openvpn/easy-rsa /etc/openvpn/

Change to the /etc/openvpn/easy-rsa directory
cd /etc/openvpn/easy-rsa

With a text editor like vi edit the file vars
vi vars
and change the following to your needs:
export KEY_COUNTRY=ZA
export KEY_PROVINCE=GP
export KEY_CITY=PRETORIA
export KEY_ORG="Valhalla-Pixel"
export KEY_EMAIL=francois@pixelcs.co.za

Run the following commands
. ./vars (note the space between the dots!!)
./clean-all
./build-ca

The last command requires some input. Most settings default to the values in the vars file, but you need to enter a common name.
[root@valgrind easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ZA]:
State or Province Name (full name) [GP]:
Locality Name (eg, city) [PRETORIA]:
Organization Name (eg, company) [Valhalla-Pixel]:
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:valgrind
Email Address [francois@pixelcs.co.za]:
Now run
./build-key-server server

As in the previous step, most parameters can be defaulted.
When the Common Name is queried, enter server.
You may also enter a password for the vpn if needed.
Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Choose yes for both.

Now make the client key:
./build-key leech
(I called my leech :-) )

As before enter a common name, in this case "leech".

Now run:
./build-dh

Now all we have to do is configure the config files.

Copy a sample conf file to /etc/openvpn:

cp /usr/share/openvpn/sample-config-files/server.conf /etc/openvpn

Now move the keys for the server to the same directory:
mv /etc/openvpn/easy-rsa/keys/server.* /etc/openvpn/
And also
mv /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
And
mv /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/

The only thing we need to do to the server.conf file is to add the route to the network (the route must be quoted, as OpenVPN reads it as the argument of the push directive):
push "route 192.168.0.0 255.255.255.0"

Use the correct ip range for the network that the server is on.

We can now start OpenVPN:
service openvpn start

The last step is to configure the client.

Download and install openvpn-gui for XP from the internet.

From the Start/Programs menu, open the OpenVPN config directory and copy the client cert files and the ca.crt file into it.
In my example these would be leech.key, leech.crt and ca.crt.

Copy a client.ovpn from C:\Program Files\OpenVPN\sample-config to C:\Program Files\OpenVPN\config
Edit the client.ovpn and change the following to the correct settings:
remote franna.dyndns.org 1194
(use hostname or ip of server)
ca ca.crt
cert leech.crt
key leech.key

Save the file, right-click on the OpenVPN icon on the taskbar and enjoy your VPN!!!
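Added here as an example (not code from the original guide): a small POSIX shell helper that writes a client.ovpn in the layout above and checks an OpenVPN config, server.conf or a client .ovpn, for the mistakes that are easy to make in these steps: a referenced ca/cert/key/dh file that does not exist (such as a leach/leech mix-up) and an unquoted push route line. The host name, port and file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate the client.ovpn
# described above and sanity-check OpenVPN configs (server.conf or a client
# .ovpn) before deploying them. Host, port and file names are placeholders.

# write_client_ovpn DIR HOST PORT NAME
# Writes DIR/NAME.ovpn that references ca.crt, NAME.crt and NAME.key,
# the same layout the guide uses for the Windows client.
write_client_ovpn() {
    dir=$1; host=$2; port=$3; name=$4
    cat > "$dir/$name.ovpn" <<EOF
client
dev tun
proto udp
remote $host $port
ca ca.crt
cert $name.crt
key $name.key
EOF
}

# check_ovpn DIR FILE
# Verifies that every ca/cert/key/dh file the config references exists in DIR,
# that "remote" carries a host and a port, and that "push" options are quoted
# (push route ... without quotes is a common mistake). Returns 1 on any problem.
check_ovpn() {
    dir=$1; cfg=$2; rc=0
    while read -r directive value rest; do
        case $directive in
            ca|cert|key|dh)
                [ -f "$dir/$value" ] || { echo "$cfg: missing $directive file $value"; rc=1; }
                ;;
            remote)
                [ -n "$value" ] && [ -n "$rest" ] || { echo "$cfg: remote needs host and port"; rc=1; }
                ;;
            push)
                case $value in
                    \"*|\'*) ;;
                    *) echo "$cfg: push argument must be quoted: push \"$value $rest\""; rc=1 ;;
                esac
                ;;
        esac
    done < "$dir/$cfg"
    return $rc
}
```

Run check_ovpn against /etc/openvpn/server.conf on the server and against the config directory on the client before starting the service; it only reads the files and prints what is wrong.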

NIC Bonding

Dec 4, 2008 by FNC

Step #1: Create a bond0 configuration file

Red Hat Linux stores network configuration in the /etc/sysconfig/network-scripts/ directory. First, you need to create the bond0 config file:

# vi /etc/sysconfig/network-scripts/ifcfg-bond0
Append the following lines to it:
DEVICE=bond0
IPADDR=192.168.1.20
NETWORK=192.168.1.0
NETMASK=255.255.255.0
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
Replace the above IP address with your actual IP address. Save the file and exit to the shell prompt.

Step #2: Modify eth0 and eth1 config files:

Open both configuration files using the vi text editor and make sure the file reads as follows for the eth0 interface:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
Modify/append the directives as follows:
DEVICE=eth0
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
Open the eth1 configuration file using the vi text editor:
# vi /etc/sysconfig/network-scripts/ifcfg-eth1
Make sure the file reads as follows for the eth1 interface:
DEVICE=eth1
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
Save the file and exit to the shell prompt.

Step #3: Load bond driver/module

Make sure the bonding module is loaded when the channel-bonding interface (bond0) is brought up. You need to modify the kernel modules configuration file:
# vi /etc/modprobe.conf
Append the following two lines:
alias bond0 bonding
options bond0 mode=balance-alb miimon=100
Save the file and exit to the shell prompt. You can learn more about all bonding options in the kernel source documentation file.

Step #4: Test configuration

First, load the bonding module:
# modprobe bonding
Restart the networking service in order to bring up the bond0 interface:
# service network restart
Verify everything is working:
# less /proc/net/bonding/bond0
Output:
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:c6:be:59

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:c6:be:63
List all interfaces:
# ifconfig
Output:
bond0 Link encap:Ethernet HWaddr 00:0C:29:C6:BE:59
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:2804 errors:0 dropped:0 overruns:0 frame:0
TX packets:1879 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:250825 (244.9 KiB) TX bytes:244683 (238.9 KiB)

eth0 Link encap:Ethernet HWaddr 00:0C:29:C6:BE:59
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec6:be59/64 Scope:Link
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:2809 errors:0 dropped:0 overruns:0 frame:0
TX packets:1390 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:251161 (245.2 KiB) TX bytes:180289 (176.0 KiB)
Interrupt:11 Base address:0x1400

eth1 Link encap:Ethernet HWaddr 00:0C:29:C6:BE:59
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec6:be59/64 Scope:Link
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:502 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:258 (258.0 b) TX bytes:66516 (64.9 KiB) Interrupt:10 Base address:0x1480

Now you have bonded multiple network interfaces into a single channel (NIC).
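Added example, not part of the original howto: a POSIX shell check over a /proc/net/bonding/bond0 report like the one shown above. It flags a bond whose mode or MII polling interval differ from what modprobe.conf asked for (for mode=balance-alb the kernel reports "adaptive load balancing"), and any slave that is down or has recorded link failures. The sample report is constructed from the guide's output; run over it, the check reports that the mode is round-robin and miimon is 0, so the options in modprobe.conf did not take effect.

```shell
#!/bin/sh
# Added example, not part of the original howto: check a /proc/net/bonding/bond0
# report. sample_report reproduces the guide's output (constructed sample).

# sample_report FILE: write a constructed copy of the guide's bond0 report to FILE.
sample_report() {
    cat > "$1" <<'EOF'
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
EOF
}

# check_bond FILE EXPECTED_MODE_TEXT
# Returns 0 when the bond reports the expected mode, a non-zero miimon and all
# slaves up with no recorded link failures; otherwise prints each finding and returns 1.
check_bond() {
    file=$1; want=$2; rc=0; slave=bond0
    while IFS= read -r line; do
        case $line in
            "Bonding Mode: "*)
                case $line in *"$want"*) ;; *)
                    echo "mode is '${line#Bonding Mode: }', expected '$want'"; rc=1 ;;
                esac ;;
            "MII Polling Interval (ms): "*)
                [ "${line##*: }" -gt 0 ] || { echo "miimon is 0, link loss will not be detected"; rc=1; } ;;
            "Slave Interface: "*)
                slave=${line#Slave Interface: } ;;
            "MII Status: "*)
                [ "${line#MII Status: }" = up ] || { echo "$slave: link is ${line#MII Status: }"; rc=1; } ;;
            "Link Failure Count: "*)
                [ "${line##*: }" -eq 0 ] || { echo "$slave: ${line##*: } link failures"; rc=1; } ;;
        esac
    done < "$file"
    return $rc
}
```

On a live system call check_bond /proc/net/bonding/bond0 "adaptive load balancing" from cron or a monitoring agent; a non-zero exit means the bond is degraded or not configured as intended.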

Read the original howto



Port Forward / NAT

Apr 1, 2009 by FNC

OK, this is one that I can never remember, but it's oh so powerful. By default any modern Linux distribution will have IP forwarding disabled. This is normally a good idea, as most people will not need IP forwarding, but if we are setting up a Linux router/gateway or maybe a VPN server then we will need to enable it. First we need to enable IP forwarding in the kernel.
The second part enables NAT on the external NIC. This is useful if you want to set up routing.
Then we will look at port forwarding in iptables.

read here

This command instructs iptables to perform Network Address Translation. We have to tell iptables the name of the interface that connects to the internet. Unfortunately it won't be the same for each of us, so I can't provide you with exactly what to type. In the command below you'll need to substitute "$EXT" with the name of your external interface, the one that connects to the internet.

iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

Possible "real world" examples look like:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

The syntax for port forwarding is:
iptables -t nat -A PREROUTING -p ${PROTOCOL} -i ${INTERFACE} -d ${LOCAL_IP_ADDR} --dport ${LOCAL_PORT} -j DNAT --to ${DESTINATION_IP_ADDR}:${DESTINATION_PORT}

Possible "real world" examples look like:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80

This is also useful:

[fnc@mail fnc]$ cat /etc/sysctl.conf
net.ipv4.ip_forward=1
kernel.sysrq=0
net.ipv4.conf.default.rp_filter=1
kernel.core_uses_pid=1

I will tidy this up later.