PROMO SELL

Tuesday, March 08, 2005

Apache/PHP/MySQL with SSL Installation

# Move to /usr/local
cd /usr/local
# Get the following source:

ftp://ftp.openssl.org/source/openssl-0.9.7c.tar.gz
http://www.ibiblio.org/pub/mirrors/apache/httpd/httpd-2.0.48.tar.gz
http://www.linuxguruz.org/downloads/php-4.3.4.tar.gz
http://mysql.secsup.org/Downloads/MySQL-4.0/mysql-4.0.17.tar.gz
# Decompress the sources:
tar -xvzf openssl-0.9.7c.tar.gz
tar -xvzf httpd-2.0.48.tar.gz
tar -xvzf php-4.3.4.tar.gz
tar -xvzf mysql-4.0.17.tar.gz

cd mysql-4.0.17
./configure
make
make install
scripts/mysql_install_db

adduser mysql
# In the file /etc/login.access add this line:
-:mysql:ALL
# So the user mysql never actually logs in

# For Slackware:
chown -R mysql.users /usr/local/var
# For Redhat:
chown -R mysql.mysql /usr/local/var

mysqld_safe --user=mysql &

# Set the MySQL root password:
mysqladmin -u root password 'yourpasswordhere'

cd ../openssl-0.9.7c
sh config -fPIC
make
# If you get a "Not enough room for program headers" error here,
# install the LATEST version of binutils.

cd ../httpd-2.0.48
SSL_BASE=../openssl-0.9.7c ./configure --prefix=/usr/local/apache --enable-module=all --enable-ssl --enable-so
make

# Note: There is a Redhat bug that complains about mod_auth_dbm.so
# during the Apache `make` process. Adding the configuration
# switch --disable-module=auth_dbm to the end of the ./configure line
# will fix it.

# If you presently have a libphp4.so module you should make a backup:
cp /usr/local/apache/modules/libphp4.so /usr/local/apache/modules/libphp4.so.was

# If you have a file called /usr/local/apache/conf/httpd.conf already you
# should make a backup:
mv /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.was

# This way you'll get a fresh httpd.conf with all your Apache modules listed
# and 100% loadable.

# Don't worry if your web server is presently running. The httpd.conf file
# is only read by the httpd binary when starting the web server.

make install

# Now to create a "test certificate".
cd /usr/local/apache/conf/
openssl genrsa -des3 -out ca.key 1024
# Note: In order to go live, the "Common Name" has to match the server's
# host address.
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 1024
openssl req -new -days 365 -key server.key -out server.crt

wget http://www.linuxguruz.com/downloads/sign.sh
chmod +x sign.sh
./sign.sh server.crt
chmod -x sign.sh
mkdir ssl.crt ssl.key
cp server.crt ssl.crt
cp server.key ssl.key

#
cd ../php-4.3.4
./configure --with-apxs2=/usr/local/apache/bin/apxs --with-config-file-path=/usr/local/apache/conf --enable-versioning --with-mysql=/usr/local --enable-ftp --enable-bcmath --disable-debug --enable-memory-limit=yes --enable-track-vars
make
make install

# Make sure the following lines exist in /usr/local/apache/conf/httpd.conf:
# uncomment them (remove the #'s), change them, or create them as needed.

LoadModule php4_module libexec/libphp4.so


DirectoryIndex index.html index.php index.php3 index.phtml

# And for PHP 4.x, use:
#
AddType application/x-httpd-php .php .php3 .phtml
AddType application/x-httpd-php-source .phps

cp /usr/local/php-4.3.4/php.ini-dist /usr/local/apache/conf/php.ini

# Start Apache:
/usr/local/apache/bin/apachectl startssl

# Create a file in /usr/local/apache/htdocs called index.php
<html>
<head><title>PHP Test Page</title></head>
<body>
<? phpinfo(); ?>
</body>
</html>

# Point your Web Browser at:
http://localhost/index.php

Anyone who wishes to make additions or changes to this
PHP Tutorial email them to webmaster@linuxguruz.com

Apache/PHP/MySQL Installation

Title: Apache/PHP/MySQL Installation
Contributor: yudhax (aka Ranman)
Last Update: Mar 08 22:24 EST 2005

# Move to /usr/local
cd /usr/local

# Get the following source:

http://www.ibiblio.org/pub/mirrors/apache/httpd/httpd-2.0.48.tar.gz
http://www.linuxguruz.org/downloads/php-4.3.4.tar.gz
http://mysql.secsup.org/Downloads/MySQL-3.23/mysql-3.23.55.tar.gz

# Decompress the sources:
tar -xvzf httpd-2.0.48.tar.gz
tar -xvzf php-4.3.4.tar.gz
tar -xvzf mysql-4.0.17.tar.gz

cd mysql-4.0.17
./configure
make
make install
scripts/mysql_install_db

adduser mysql
# In the file /etc/login.access add this line:
-:mysql:ALL
# So the user mysql never actually logs in

# For Slackware:
chown -R mysql.users /usr/local/var
# For Redhat:
chown -R mysql.mysql /usr/local/var

mysqld_safe --user=mysql &
# Set the MySQL root password:
mysqladmin -u root password 'yourpasswordhere'

cd ../httpd-2.0.48
./configure --prefix=/usr/local/apache --enable-module=all --enable-so
make

# Note: There is a Redhat bug that complains about mod_auth_dbm.so
# during the Apache `make` process. Adding the configuration
# switch --disable-module=auth_dbm to the end of the ./configure line
# will fix it.

# If you presently have a libphp4.so module you should make a backup:
cp /usr/local/apache/libexec/libphp4.so /usr/local/apache/libexec/libphp4.so.was

# If you have a file called /usr/local/apache/conf/httpd.conf already, you
# should make a backup:
mv /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.was

# This way you'll get a fresh httpd.conf with all your Apache modules listed
# and 100% loadable.

# Don't worry if your web server is presently running. The httpd.conf file
# is only read by the httpd binary when starting the web server.

make install

cd ../php-4.3.4
./configure --with-apxs2=/usr/local/apache/bin/apxs --with-config-file-path=/usr/local/apache/conf --enable-versioning --with-mysql=/usr/local --enable-ftp --with-gd --enable-bcmath --disable-debug --enable-memory-limit=yes --enable-track-vars
make
make install

# Make sure the following lines exist in /usr/local/apache/conf/httpd.conf:
# uncomment them (remove the #'s), change them, or create them as needed.

LoadModule php4_module libexec/libphp4.so


DirectoryIndex index.html index.php index.php3 index.phtml

# And for PHP 4.x, use:
#
AddType application/x-httpd-php .php .php3 .phtml
AddType application/x-httpd-php-source .phps

cp /usr/local/php-4.3.4/php.ini-dist /usr/local/apache/conf/php.ini

# Start Apache:
/usr/local/apache/bin/apachectl start

# Create a file in /usr/local/apache/htdocs called index.php
<html>
<head><title>PHP Test Page</title></head>
<body>
<? phpinfo(); ?>
</body>
</html>

# Point your Web Browser at:
http://localhost/index.php

Anyone who wishes to make additions or changes to this
PHP Tutorial email them to webmaster@linuxguruz.org

Copyright (c) 1999, 2000, 2001, 2002, 2003 and 2004 by LinuxGuru


Some notes on CVS

Setup and run the CVS server

Look for cvs services listed in /etc/services

# grep cvs /etc/services
cvspserver      2401/tcp                # CVS client/server operations
cvspserver      2401/udp                # CVS client/server operations
cvsup           5999/tcp        CVSup   # CVSup file transfer/John Polstra/FreeBSD
cvsup           5999/udp        CVSup   # CVSup file transfer/John Polstra/FreeBSD
#

Add cvs pserver to xinetd

# cd /etc/xinetd.d/
# cat cvspserver
# service cvspserver
{
socket_type = stream
protocol = tcp
wait = no
user = root
passenv =
server = /usr/bin/cvs
server_args = --allow-root=/cvs pserver -f
}



# /sbin/service xinetd restart

Adding CVS users and CVS passwd file

Used this perl script to generate a password ( you can also use htpasswd )

$ cat passwd.pl

#!/usr/bin/perl -w
$saltchars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./';
while (<>) {
chomp $_;
my ($salt) = substr($saltchars, rand(64), 1) . substr($saltchars, rand(64), 1);
my ($c) = crypt($_, $salt);
print "'$_' => '$c'\n";
}

Generate a password

$ ./passwd.pl
password
'password' => 'OKqq1ib8XEv2E'
$

Add the password into the password file

$ cd $CVSROOT/CVSROOT
$ cat passwd
cvs-user:OKqq1ib8XEv2E:
$

Connecting to the CVS server
Log in from another machine like this

$ cvs -d :pserver:cvs-user@serverbox.your.domain.com:/cvs login
(Logging in to cvs-user@serverbox.your.domain.com)
CVS password:
$

Or like this

$ setenv CVSROOT :pserver:cvs-user@serverbox.your.domain.com:/cvs
$ cvs login

Fixing some common CVS glitches

Got the following error:

cvs co -r open-source-product-121-trial-build open-source-product-121
cvs server: cannot open /root/.cvsignore: Permission denied
cvs [server aborted]: can't chdir(/root): Permission denied

Fixed by :

$
#unset HOME
#/etc/rc.d/init.d/inet restart
#/sbin/service xinetd restart

Or by : ( not recommended )

# chmod a+w /root
# chmod a+x /root


Sticky problems


problem:

$ cvs commit -m "adding new version" foobar.c
cvs server: sticky tag 'RELEASE-CANDIDATE-1' for file 'foobar.c' is not a branch
cvs [server aborted]: correct above errors first!
$

fix using an update:

$ cvs update -A foobar.c
M foobar.c
$
$ cvs commit -m "adding new version" foobar.c
Checking in package;
/your/open/source/program/foobar.c,v <-- foobar.c
new revision: 1.2; previous revision: 1.1
done
$


On HP-UX the remote shell is remsh, not rsh.

So you might need to add:

$ setenv CVS_RSH /bin/remsh


Some common CVS commands


$ cd /the/downloaded/open-source-product/121/source/base/
$ cvs import -m "open-source-product 1.2.1 source import" \
open-source-product-121 FOOBAR open-source-product121
$ cvs checkout open-source-product-121
U open-source-product-121/open-source-product/Makefile.in
....
$ cvs checkout open-source-product-121
$ cvs commit -m "Added FOOBAR specific changes"
Checking in open-source-product/nsprpub/configure;
/cvs/open-source-product-121/open-source-product/nsprpub/configure,v <-- configure
new revision: 1.2; previous revision: 1.1
done
$ cvs -q tag open-source-product-121-trial-build
$ cvs checkout -r open-source-product-121-trial-build open-source-product-121
$ mkdir build
$ cvs add build/
$ cvs -q tag open-source-product-121-trial-build
$ cvs tag -R open-source-product-121-trial-build
$ cvs co -r open-source-product-121-trial-build open-source-product-121

Sample Code - Using shared libs on UNIX

Sample C code for :

1. Creating a shared library
2. Runtime loading of a shared library
3. Calling a method from the loaded library


On GNU/Linux :

share.c

/*
 * sample code for creating a shared library on GNU/Linux
 *
 * cc -fPIC -c share.c -o share.o
 * ld -shared share.o -o share.sl
 *
 * kishan@hackorama.com ( www.hackorama.com ) Feb 2001
 *
 */

#include <stdio.h>

/* the one function this library exports; main.c looks it up by name */
void
share( int value )
{
    fprintf( stdout, "\nthe answer is %d\n", value );
}

------------ cut ----------

#cc -fPIC -c share.c -o share.o
#ld -shared share.o -o share.sl


main.c [ using dlopen(), dlsym() ]

coding ---

/*
 * sample code for loading, calling a method from
 * and unloading a shared library on GNU/Linux
 *
 * cc main.c -o main -ldl
 *
 * If using c++ compiler the symbol names will be mangled
 * So a method called "share" will be "share__Fi" in the
 * shared library, Please do a "nm share.sl" to find the
 * mangled symbol for the method.
 *
 * kishan@hackorama.com ( www.hackorama.com ) Feb 2001
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>

int
main( void )
{
    /* A name without a slash is searched along the dynamic loader's
     * paths (LD_LIBRARY_PATH, ld.so.conf, ...), not the current directory,
     * so give a path to load the file built above. */
    const char *sh_lib = "./share.sl" ;
    const char *method = "share";

    void (*fp) (int) = NULL ;
    void *handle = dlopen( sh_lib , RTLD_NOW );

    if( handle == NULL ){
        fprintf( stderr, "\nfailed loading %s: %s\n", sh_lib, dlerror() );
        exit(1);
    }else{
        fp = ( void (*)(int) )dlsym( handle, method );
        if( fp == NULL )
            fprintf( stderr, "\nfailed getting method %s\n", method);
        else
            fp( 42 );
        if ( dlclose(handle) != 0 )
            fprintf( stderr, "\nfailed unloading %s\n", sh_lib );
    }

    exit(0);
}

----------------------- cut ----------------------

cc main.c -o main -ldl


On HP-UX :

share.c

coding ---

/*
 * sample code for creating a shared library on HP-UX
 *
 * cc +z -c share.c -o share.o
 * ld -b share.o -o share.sl
 *
 * kishan@hackorama.com ( www.hackorama.com ) Feb 2001
 *
 */

#include <stdio.h>

/* the one function this library exports; main.c looks it up by name */
void
share( int value )
{
    fprintf( stdout, "\n\nthe answer is %d\n\n", value );
}


------------------------- cut -------------------------

cc +z -c share.c -o share.o
ld -b share.o -o share.sl
main.c [ using shl_load(), shl_findsym() ]

coding ---

/*
 * sample code for loading , calling a method from
 * and unloading a shared library on HP-UX
 *
 * cc main.c -o main
 *
 * If using a c++ compiler the symbol names will be mangled
 * So a method called "share" will be "share__Fi" in the
 * shared library, Please do a "nm share.sl" to find the
 * mangled symbol for the method.
 *
 * kishan@hackorama.com ( www.hackorama.com ) Feb 2001
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <dl.h>

int
main( void )
{
    const char* sh_lib = "share.sl";
    const char* method = "share";

    void (*fp) ( int value ) = NULL ;
    /* BIND_IMMEDIATE resolves all symbols at load time, like RTLD_NOW */
    shl_t handle = shl_load( sh_lib , BIND_IMMEDIATE , NULL );

    if( handle == NULL ){
        fprintf( stderr, "\nfailed loading %s\n", sh_lib);
        exit(1);
    }else{
        shl_findsym( &handle, method, TYPE_UNDEFINED, &fp );
        if( fp == NULL )
            fprintf( stderr, "\nfailed getting method %s\n", method);
        else
            fp( 42 );

        if ( shl_unload( handle ) != 0 )
            fprintf( stderr, "\nfailed unloading %s\n", sh_lib);
    }

    exit(0);
}

------------------------- cut ----------------------

cc main.c -o main


The Linux sample code should work for other UNIX flavours which use dlopen()/dlsym(). Only HP-UX uses shl_load()/shl_findsym(). Please look at the man pages of cc and ld for the correct flags for your particular version of UNIX.

Oracle 8i on Linux

This is a step by step guide to installing Oracle8i on Linux. The installation was successfully tested on Suse 6.4 , Redhat 6.2 and Caldera openLinux 2.4 using Oracle 8i Enterprise Edition Release 2 (8.1.6) for Linux (Intel) circa October 2000.

1.Installation
2.Notes
3.Trouble Shooting

1.Installation

Download Java 1.1.6 ( JRE ) for Linux from www.java.sun.com/linux or from blackdown.org, and Oracle 8i from oracle.com. If you have the Oracle 8i CD, download only the JRE.


[download the files to some directory like /tmp ]
$cd /tmp
$ls *.gz
jre_1.1.6-v5-glibc-x86.tar.gz
oracle8161_tar.gz

[ become root ]
$su

[ set up and install the jre ]
#cp /tmp/jre_1.1.6-v5-glibc-x86.tar.gz /usr/local/lib
#cd /usr/local/lib
#tar -xzvf jre_1.1.6-v5-glibc-x86.tar.gz
#ln -s /usr/local/lib/jre116_v5 /usr/local/lib/jre
#export PATH=$PATH:/usr/local/jre/bin

[ create user groups ]
#/usr/sbin/groupadd -g 111 oinstall
#/usr/sbin/groupadd -g 112 dba

[ create a user named oracle ]
#mkdir /home/oracle
#/usr/sbin/useradd -g dba -d /home/oracle oracle
#/usr/sbin/usermod -g dba -G oinstall oracle
#passwd oracle
#chown oracle /home/oracle
#chgrp dba /home/oracle

[ make some directories required during installation ]
#mkdir -p /usr/local/oracle/8i && cd /usr/local/oracle/8i
#mkdir {u01,u02,u03,u04}
#chown oracle:oinstall {u01,u02,u03,u04}


[ become user oracle ]
#su oracle
$cd
$pwd
/home/oracle
$

[ Create/Edit the file named /home/oracle/.bashrc
with the following contents ] [ SEE NOTE 2 ]

ORACLE_HOME=/usr/local/oracle/8i/u01/app/oracle/product/8.1.5
ORACLE_BASE=/usr/local/oracle/8i/u01/app/oracle
export ORACLE_HOME ORACLE_BASE
NLS_LANG='english_united kingdom.we8iso8859p1'
ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
ORACLE_TERM=vt100
LD_LIBRARY_PATH=$ORACLE_HOME/lib
PATH=$PATH:$ORACLE_HOME/bin:/usr/local/jre/bin
export NLS_LANG ORA_NLS33 PATH LD_LIBRARY_PATH

$vi .bashrc
$source .bashrc

[ NO CD - unzip and extract the downloaded files ]
$gunzip /tmp/oracle8161_tar.gz
$tar -xvf /tmp/oracle8161_tar
$cd /tmp/Oracle8iR2/install/linux

[ WITH CD - If not mounted mount the CD ] [ SEE NOTE 1 ]
#su
#mount -t iso9660 /dev/hdc /cdrom
#exit
#su oracle
$cd /cdrom/install/linux


[ start installation ]
$./runInstaller

During installation the installation program will prompt you a couple of times to run certain commands as root from a shell. It will also ask you to create an SID at the end of the installation.

Post Install:

$svrmgrl
>connect internal
>startup

$export ORACLE_SID=your_sid_name
$sqlplus scott/tiger
SQL>
SQL>select ename from emp;

2.Notes
1. Mounting CD

The mount command might be a little different on different machines: the third parameter, the device file for the CDROM [ /dev/hdc ], may not be the same on all machines. Please contact your friendly sysadmin for help.

Or if you have an X desktop environment like Gnome or KDE you can click on the CDROM icon it might mount the CDROM and will open the CDROM contents in a file explorer.

Some Linux distributions ( like Caldera OpenLinux ) will have the CD auto-mounted at /auto/cdrom. In that case you just go to that directory to access the installation files; you don't have to mount the CD.

2. Adding the .profile/.login/.bashrc

Usually the default shell for new user accounts on Linux is bash. So the file to add Oracle environment variables is usually .bashrc in the home directory /home/oracle. But if you are running another shell please contact your friendly sysadmin to find out which file to edit.

If you are not familiar with vi, please use any of the notepad-like editors: gedit, kedit, nedit.
3.Troubleshooting
1. Make sure you have set the Oracle environment variables correctly.

$su oracle
$cd
$pwd
/home/oracle
$source .bashrc
$env | grep -E 'ORACLE|NLS|LD'
NLS_LANG=english_united kingdom.we8iso8859p1
LD_LIBRARY_PATH=/usr/local/oracle/8i/u01/app/oracle/product/8.1.5/lib
ORACLE_BASE=/usr/local/oracle/8i/u01/app/oracle
ORA_NLS33=/usr/local/oracle/8i/u01/app/oracle/product/8.1.5/ocommon/nls/admin/data
ORACLE_HOME=/usr/local/oracle/8i/u01/app/oracle/product/8.1.5
$

Make sure the env command shows the above output; otherwise make sure you edited the /home/oracle/.bashrc file correctly.


2. Stale files from an aborted/failed installation

Sometimes the Oracle Universal Installer leaves behind stale files from an earlier failed installation as a different user.

One of the files left behind is /etc/oraInst.loc

#su
#cat /etc/oraInst.loc
inventory_loc=/home/user_name/oraInventory
inst_group=dba
#
[ where user_name is the user account from which the last failed installation was attempted ]

If you have this file hanging around you might get an error message saying no permissions to write /home/user_name/oraInventory . In that case become root and delete /etc/oraInst.loc file, and continue installation as user oracle.

SETTING UP NETWORK ON LINUX [ for DSL / LAN ]

This is a MINI HOW-TO on setting up the network configuration to connect your Linux box to a DSL network. It also applies to setting up your machine on a LAN.

The configuration instructions are specific to the Redhat Linux distro. There might be slight differences in the configuration files with other distros.


Get the IP Addresses

All you need from your DSL provider or your LAN sysadmin is the following set of IP addresses.

1. Your IP address

111.111.111.111

2. The Gateway IP address

222.222.222.222

3. The netmask

255.255.255.333

4. The DNS ( Primary and Secondary )

444.444.444.444
555.555.555.555

NOTE: The IP addresses above are just placeholders; please replace them with your actual IP addresses.


1.Set up your IP ( 111.111.111.111 )

* add the following line to /etc/hosts
111.111.111.111 hostname

* Eg: If your machine was called kahlua:

$cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
111.111.111.111 kahlua


2.Set up Gateway ( 222.222.222.222 )


* Edit the /etc/sysconfig/network file with:
GATEWAY="222.222.222.222"

* Eg: If your machine was called kahlua:

$cat /etc/sysconfig/network
NETWORKING=yes
FORWARD_IPV4="yes"
HOSTNAME="kahlua"
GATEWAY="222.222.222.222"
GATEWAYDEV="eth0"

3. Set up the netmask ( 255.255.255.333 ) and IP ( 111.111.111.111 )

* Edit /etc/sysconfig/network-scripts/ifcfg-eth0 with:
IPADDR="111.111.111.111"
NETMASK="255.255.255.333"

* Eg: If your machine has IP 111.111.111.111 :

$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
IPADDR="111.111.111.111"
NETMASK="255.255.255.333"
ONBOOT="yes"
BOOTPROTO="none"
IPXNETNUM_802_2=""
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXNETNUM_802_3=""
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXNETNUM_ETHERII=""
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXNETNUM_SNAP=""
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"

4. Set up the DNS ( 444.444.444.444 and 555.555.555.555 )

* Edit /etc/resolv.conf and add:
nameserver 444.444.444.444
nameserver 555.555.555.555

* Eg: If your machine was called kahlua
and your provider's domain is called dslinc.net :

$ cat /etc/resolv.conf
domain dslinc.net
search kahlua
nameserver 444.444.444.444
nameserver 555.555.555.555


Now you should be all set. Just ping any server on the net and verify if everything works fine.


For more information, please read the how-to docs NET-3-HOWTO / NET3-4-HOWTO in /usr/doc/HOWTO ( the normal path for Redhat distros ), or search the newsgroup postings or Linux archives.

Installing ssh and sshd

Title: Installing ssh and sshd
Contributor: yudhax (neorganicz)
Last Update: Saturday Mar 20 01:30 EDT 2005


cd /usr/local

Get ftp://ftp.cis.fed.gov/pub/ssh/ssh-2.4.0.tar.gz

wget ftp://ftp.cis.fed.gov/pub/ssh/ssh-2.4.0.tar.gz
tar -xzvf ssh-2.4.0.tar.gz
cd ssh-2.4.0
./configure
make
make install


# In /etc/rc.d/rc.local:
# SSH Startup
echo Starting SSH Daemon
/usr/local/sbin/sshd

# Start sshd for the first time:
/usr/local/sbin/sshd

# You're done! Now just:
ssh machine_name

SSH Tunnel using POP3 for IMAP Mail

Who wants to read this
If you have a POP mail account on a remote server, provided by your ISP/work/school, and want to access your mail from your home/local machine through a secure channel.

Please note I will be referring to POP3 as just POP throughout this article.

Why Secure POP
Normal POP communication sends everything in clear text, including your mail account passwords. We need to use a secure channel, where everything will be encrypted between your local machine and the remote mail server. The rationale is analogous to the use of encrypted HTTPS versus normal HTTP communication when we access secure web services.

Check for IMAP with SSL support
IMAP with SSL encrypts the mail communications the same way HTTPS encrypts website communications. Sadly not all mail servers support this. ( My ISP replied to me "at this time we do not provide SSL mail due to stability issues in current implementations" )

If you have SSL mail, all you need to do is configure your mail tool to use SSL. All the popular mail clients like Mozilla/Netscape Mail, Eudora, Outlook Express etc. support SSL. The SSL option may not be on by default, so please edit the Configuration/Settings of your mail client to use SSL.

On Mozilla 0.95/Netscape6.x Mail :

Select Menu:
Mail -> Mail & Newsgroups Account Settings
From the popup Dialog:
Select "Server Settings", Check "Use Secure connection (SSL) "
Select "Outgoing server (SMTP)" , Check "Always" for "Use secure connection ( SSL)"

If your remote server supports SSH
If you don't know much about SSH, please google the web for more information and then download and install SSH on your local machine. Most Linux machines should have it already installed.

If you already use SSH ( like as a secure replacement for telnet/ftp ) and just want to know about POP through SSH then jump ahead to the SSH tunnelling section.

The following instructions are for Linux/Unix. But the concept is the same for other platforms as well. Instead of the command line invocations, you might use a GUI application.

Run ssh with the hostname or IP address of the mail server. If you get the following response you cannot use SSH.


$ ssh mail.remoteserver
ssh: connect to address xxx.xxx.xxx.xxx port 22: Connection refused
$

If you can connect to the remote server using SSH, then we can set up a secure tunnel through SSH for your POP communications. The tunnel connects a port on your local machine ( say 1234 ) to the POP3 port ( port 110 ) of your remote server.



$ ssh -P -f -L 1234:remoteserver:110 user@remoteserver sleep 25

-L specifies the port forwarding: 1234 on the local machine to 110 of remoteserver.
-f tells SSH to fork and run in the background.
-P allows us to open a non-privileged port - like 1234 - which does not require root access ( ports higher than 1024 ).

"sleep 25" is the command to execute at the remote server, so as long as the command is executing at the server the tunnel will be kept open. In the example the connection will be open for 25 seconds; you can specify any duration to sleep.

This is called port forwarding in technical jargon, which means the local port on your machine will just forward any communication coming there to the POP server port. So in the mail tool, when we configure the mail server name, instead of remoteserver:110 we will say localhost:12345

Now you have the POP tunnel to get your mail to your local machine. If you want to send mail through the SMTP server on the remote machine, you can set up another secure tunnel to the SMTP port ( port 25 ) of the remote mail server as follows.



$ ssh -P -f -L 1235:remoteserver.net:25 user@remoteserver sleep 25

Test the tunnel
Once you have set up the tunnels as explained above, test whether they are connecting correctly by telnetting to the tunnel ports.

First test the incoming POP tunnel. After connecting, if you see the name of your remote server then your tunnel is working. Press the escape character "ctrl+]" to get to the telnet prompt and then type "close" to exit.



$ telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK QPOP (version 3.1.2) at remoteserver.net starting.
^]

telnet> close
Connection closed.
$

Now check the same for the outbound tunnel. Type "quit" to close the connection.



$ telnet localhost 1235
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 remoteserver.net ESMTP Sendmail 8.8.6/8.8.2; Thu, 6 Dec 2001 22:24:54 -0800

quit
Connection closed by foreign host.
$
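What the -L option sets up on the local side, as an added Python example (not code from the original article): a listener on localhost that relays every connection to the configured target, plus the telnet banner test above turned into a function. The SSH encryption between the two hosts is left out, and a constructed fake POP server stands in for remoteserver:110; the names start_forwarder, start_fake_pop_server, check_pop_tunnel and free_local_port are this example's own.

```python
import socket
import threading

# Constructed greeting, modelled on the "+OK QPOP ..." line seen in the telnet test.
FAKE_POP_BANNER = b"+OK QPOP (version 3.1.2) at remoteserver.net starting.\r\n"


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(local_port, remote_host, remote_port):
    """Accept on 127.0.0.1:local_port and relay each connection to remote_host:remote_port.

    This is the local, unencrypted half of `ssh -L local_port:remote_host:remote_port`;
    ssh would carry the bytes to the far end inside the SSH session instead of a plain
    TCP connection. Binding to 127.0.0.1 keeps the forwarded port off the LAN.
    Returns the port actually bound (useful when local_port is 0).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection((remote_host, remote_port))
            except OSError:
                client.close()          # far end unreachable: drop this client
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_fake_pop_server():
    """Constructed stand-in for remoteserver:110: greets, then answers QUIT. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(FAKE_POP_BANNER)
                if conn.recv(1024).upper().startswith(b"QUIT"):
                    conn.sendall(b"+OK Bye\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def check_pop_tunnel(local_port, timeout=3.0):
    """The telnet test from the article, automated: connect to the local tunnel port,
    read the greeting and return it if it is a POP3 "+OK" line, else None
    (connection refused, timeout and a non-POP banner all count as a broken tunnel)."""
    try:
        with socket.create_connection(("127.0.0.1", local_port), timeout=timeout) as s:
            greeting = s.makefile("rb").readline().decode("ascii", "replace").rstrip("\r\n")
            s.sendall(b"QUIT\r\n")
    except OSError:
        return None
    return greeting if greeting.startswith("+OK") else None


def free_local_port():
    """Pick a currently unused local port (to show what a missing tunnel looks like)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    pop = start_fake_pop_server()
    tunnel = start_forwarder(0, "127.0.0.1", pop)
    print("tunnel on localhost:%d ->" % tunnel, check_pop_tunnel(tunnel))
```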

Mail tool configuration
In the settings/configuration for the incoming POP server please specify localhost as the server and 1234 as the port. For the outgoing SMTP mail server please specify localhost and 4321 as the server and the port. And make sure you enable the tunnels before getting or sending mail.

One click tunnelling
I have put the above commands into shell scripts for convenience. And to make it even easier I have created a desktop shortcut on my Linux workstation, which will bring up the scripts inside a small xterm window. So whenever I need to get or send mail, I just click on the desktop icon and type in the password/passphrase in the xterm that pops up with the tunnel script.

These are the scripts I use; you can either use these or create your own to suit your needs.





$cat getmail.sh


#!/bin/sh
DELAY=300
ps -ef | grep -i ssh | grep 1234 | grep -v grep | grep -v sshd
echo ""
ssh -P -f -L 1234:mail.foo.net:110 user@foo.net sleep $DELAY
sleep $DELAY
$


$cat putmail.sh


#!/bin/sh
DELAY=300
ps -ef | grep -i ssh | grep 1235 | grep -v grep | grep -v sshd
echo ""


ssh -P -f -L 1235:mail.foo.net:25 user@foo.net sleep $DELAY
sleep $DELAY
$


$cat tunnel.sh


#!/bin/sh
xterm -geometry 60x5+60+10 -bg red -fg white -T \
  'local:1234]==[110:mail.foo.net]' -e /home/foo/bin/getmail.sh &
xterm -geometry 60x5+60+110 -bg green -fg black -T \
  'local:4321]==[ 25:mail.foo.net]' -e /home/foo/bin/putmail.sh &
$

SAMBA - Windows Linux file Sharing Notes

Simple SAMBA on LINUX Sharing

Some basic notes on using SAMBA on a home network with Linux and Windows machines, like my home network setup.
Running SAMBA on a Linux machine

To start, stop or restart samba,

/etc/init.d/smb start
/etc/init.d/smb stop
/etc/init.d/smb restart

All SAMBA options go in /etc/samba/smb.conf. This is my smb.conf.

Notable changes I made are:

My Linux machine is a gateway server with two ethernet interfaces, eth0 and eth1. For security reasons I set up SAMBA to run only on the internal interface:

interfaces = 192.168.0.1/24 127.0.0.1/24
bind interfaces only = Yes

Also set hosts allow to only allow internal hosts and localhost:

hosts allow = 127. 192.168.0.
hosts deny = *
SAMBA authentication

For the file access permissions for the shares to work, you have to set up the SAMBA username/password by running the smbpasswd program on the Linux box.

Then on the Windows machine log in with the username/password created above with smbpasswd. Otherwise the file sharing will not work.
SAMBA Linux to Windows Sharing

Set up the shares in /etc/samba/smb.conf as follows


[musak]
comment = music from linux boxen
path = /var/stuff/media/musak
read only = Yes

On the Windows machine access it as \\192.168.0.1\musak where 192.168.0.1 is the IP address of the Linux machine.

If you want to share a CD/DVD drive:


[dvd]
comment = dvd drive on linux boxen
writable = No
locking = No
path = /mnt/cdrom2

SAMBA Windows to Linux Sharing

First turn on file sharing. Go to Start->Setting->Control Panel and open "Network"; in the first tab, called "Configuration", click on "File and Print Sharing..." and in the dialog box that comes up check "I want to be able to give others access to my files".

Now go to the file explorer and right-click on the folder you want to share; from the menu that pops up select "Sharing...", and from the "Manual Properties" dialog box that comes up select the second tab "Sharing" and select "Shared as", which will enable all the text boxes. Fill in the "Share Name" and "Comments", select "Read Only", "Full" or "Depends on Password", and enter a password. This is the password that will give access to this share. Also note the "Share Name"; let's name it "MYSHARE".

Also find out the hostname of the Windows machine. Go to Start->Settings->Control Panel, open "Network", and in the second tab, "Identification", note the "Computer Name". This is the name to use from Linux to access shares on this machine. Let it be "MYWINBOX".

Now go to the Linux machine. Create a mount point for the share:

mkdir /mnt/winstuff
Mount the share named "MYSHARE" on the Windows host named "MYWINBOX" (the share is given in the //HOST/SHARE form because an unquoted \\HOST\SHARE would have its backslashes eaten by the shell):

smbmount //MYWINBOX/MYSHARE /mnt/winstuff

This will prompt you for the password for the share. Enter the password, and after that, if you go to /mnt/winstuff, you can access all files in the Windows folder.

PORT FORWARDING - with IPTABLES while using BASTILLE firewall

Background on network setup

I have my home network set up as described here. So my Linux gateway server is the only one visible to the Internet, while all other machines are in an internal subnet with DHCP-assigned IPs not visible to the outside Internet, but they can access the outside net using iptables-based Network Address Translation (NAT).

Why you need portforwarding

So in this setup, if I want to run a public service like httpd not on the gateway server (where it is visible to the outside) but on an internal machine (which is not visible from outside), how do I make it available to the outside Internet?

To expose an internal machine's service to the outside we need to use port forwarding on the gateway server: a port on the gateway is assigned to accept all connections and forward them to the port on the internal machine where the service is listening.

Let xxx.xxx.xxx.xxx be the IP address of the gateway server connected to the cable modem and 192.168.0.2 the IP address of the internal machine. And say we want to run a web server (httpd) on 192.168.0.2 on port 80 which should be available to the outside Internet. We can forward port 80 on xxx.xxx.xxx.xxx to port 80 of 192.168.0.2:

Source: xxx.xxx.xxx.xxx:80 -- forwarded to -> 192.168.0.2:80

You can choose any port on xxx.xxx.xxx.xxx; it need not match the port we are forwarding to:

Source: xxx.xxx.xxx.xxx:8888 -- forwarded to -> 192.168.0.2:80

Port Forwarding using Iptables

Since I have been using the 2.4 kernel, I use iptables for firewall and NAT. So these are the iptables rules required for forwarding xxx.xxx.xxx.xxx:8888 to 192.168.0.2:80:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx \
    --dport 8888 -j DNAT --to 192.168.0.2:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

How to add custom rules to Bastille firewall

Since I trust the Bastille firewall script to generate the correct iptables rules for my server, I wanted to keep those scripts but add these custom port forwarding rules to supplement/extend it.

But the version of Bastille on my machine (1.2.0) does not support port forwarding, and did not have a way of adding custom scripts to it. Posting the question to the Bastille mailing list generated these prompt responses from Peter Watkins, core developer of Bastille. (See the complete thread)

Following Peter's advice I upgraded Bastille to the latest version, without any problem. The new version regenerated all the scripts with my old rules intact.

And with the new Bastille in place and working fine, doing all the firewall filtering and NAT, I made the following changes to add a supplemental script, portforward.sh (get the script), for my custom port forwarding rules.

Created the directory for the supplemental script (as explained in the comments in portforward.sh):


/etc/Bastille/firewall.d/pre-chain-split.d/

Created portforward.sh with working port forwarding rules, following the sample script from Peter.
[ Please note: The ipchains rules in portforward.sh are untested. I have left it there from Peter's sample script for completeness. ]

In portforward.sh all you have to do is specify the port forwarding source and destination IP addresses and ports, together with the Ethernet interface name ("eth0" if you have only one interface) and the protocol type ("tcp" in this case):


IP_FORWARDS="eth0-xxx.xxx.xxx.xxx-8888-tcp-192.168.0.2-80"

You can also specify multiple port forwards, like:


IP_FORWARDS="eth0-xxx.xxx.xxx.xxx-8888-tcp-192.168.0.2-80
eth0-xxx.xxx.xxx.xxx-2222-tcp-192.168.0.2-22"

This will be parsed and stored into variables further down the script and used in the following iptables calls to generate the rules. [NOTE: each rule needs to be on a single continuous line; I have broken them across two lines for readability.]


${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface \
    -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport

${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface \
    -d $fw_outaddr --dport $fw_outport -j ACCEPT

which will translate to:


/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx \
    --dport 8888 -j DNAT --to 192.168.0.2:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 \
    --dport 80 -j ACCEPT
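The parse-and-expand step described above, as an added example that is not the post's portforward.sh: it splits each IP_FORWARDS entry on "-", checks that the protocol and ports are sane, and prints the two iptables rules the entry expands to instead of executing them, so a bad entry cannot silently open the wrong port. The IP_FORWARDS value below is a constructed sample in the post's layout, with 203.0.113.10 standing in for the gateway's public address.

```shell
#!/bin/sh
# Added example (not the post's portforward.sh): parse IP_FORWARDS entries of
# the form iface-inaddr-inport-proto-outaddr-outport, validate each field and
# print the two iptables rules an entry expands to. Rules are printed rather
# than executed so they can be reviewed before they reach the firewall.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Constructed sample in the post's layout; 203.0.113.10 stands in for the
# gateway's public (xxx.xxx.xxx.xxx) address.
IP_FORWARDS="eth0-203.0.113.10-8888-tcp-192.168.0.2-80
eth0-203.0.113.10-2222-tcp-192.168.0.2-22"

# valid_port PORT: true when PORT is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_forward_rules ENTRY: print the DNAT (nat/PREROUTING) and FORWARD/ACCEPT
# rules for one entry, or report the problem on stderr and return 1.
gen_forward_rules() {
    old_ifs=$IFS; IFS=-; set -- $1; IFS=$old_ifs
    [ $# -eq 6 ] || { echo "bad entry (need 6 fields): $*" >&2; return 1; }
    fw_iface=$1 fw_inaddr=$2 fw_inport=$3 fw_inproto=$4 fw_outaddr=$5 fw_outport=$6
    case "$fw_inproto" in
        tcp|udp) ;;
        *) echo "bad protocol: $fw_inproto" >&2; return 1 ;;
    esac
    valid_port "$fw_inport" && valid_port "$fw_outport" ||
        { echo "bad port in entry for $fw_inaddr:$fw_inport" >&2; return 1; }
    echo "$IPTABLES -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport"
    echo "$IPTABLES -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT"
}

# gen_all_rules LIST: rules for every non-empty line of LIST; stops at the
# first malformed entry and returns 1 (the while loop runs in a subshell, so
# its exit becomes the pipeline's status).
gen_all_rules() {
    printf '%s\n' "$1" | while read -r entry; do
        [ -n "$entry" ] || continue
        gen_forward_rules "$entry" || exit 1
    done
}

gen_all_rules "$IP_FORWARDS"
```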

Now we can restart the Bastille scripts to make these rules effective:


# /etc/rc.d/init.d/bastille-firewall start

Verify the rules by listing them:


# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere xxx.xxx.xxx.xxx tcp dpt:ddi-tcp-1 to:192.168.0.2:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/16 anywhere
MASQUERADE all -- 192.168.0.0/16 anywhere
MASQUERADE all -- 192.168.0.0/16 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
[ where "ddi-tcp-1", I assume corresponds to port 8888 ]

Verify that the port forwarding works by connecting to the port from a machine outside the network.

Notes on this setup

The above rules work fine when you access from outside, but if you try to access the same port xxx.xxx.xxx.xxx:8888 from an internal machine, it will not work. But from the internal network you don't need the forwarding, since you can directly access the machine at 192.168.0.2:80.

http://www.netfilter.org/
http://www.bastille-linux.org/