Live DNS Server with Open Suse
Written by Administrator
Wednesday, 12 May 2010 05:46

Live DNS with Open Suse 11

By: Salman Aftab

These are the basic steps for setting up a live (Internet-facing) DNS server.

The server at my end is Open Suse Linux 11 with the required BIND packages for DNS.

Steps:

To be performed on the registrar's site:

My domain = mydomain.com

My IP address = <live IP address provided by your ISP and assigned to the machine on which you wish to create the DNS server>

1. On the registrar (for example register.com, godaddy.com, name.com) register the IP address <live IP provided by your ISP> with the name server name of your choice (e.g. ns.mydomain.com).

It will look like ns.mydomain.com = <live IP address of your machine>

                        OR

ns1.mydomain.com, in case you have more than one IP address and wish to create primary and secondary DNS servers.

I am creating only a master (primary) DNS server, thus:

2. Delete the other name servers provided by your registrar. ns.mydomain.com should be the only name server present.

The domain records should be as follows:

NS = ns.mydomain.com -----> <IP address>

A = mydomain.com -------> <IP address>

CNAME = www.mydomain.com -----> <IP address>

On the Suse machine (at your server end):

1. Make sure that the live IP is assigned to the machine properly; ping and make sure that it can access the Internet.

2. Make sure you have the latest BIND package with the chroot environment and utilities.

3. Now, on a root shell, type yast and open DNS under Network Services.

4. In Start-Up, enter the name of your domain (in my case mydomain.com) and select it as master.

5. Once the domain is added, click on it, click Edit, and add the NS record (it should be created automatically, e.g. ns.mydomain.com), MX and other records.

6. In Forwarders, enter the live IP address.

7. The zone files will be created automatically.

Now give it at least one day for things to settle. Once DNS is working you can check it with the following command, which should return no error:

[root]# dig www.mydomain.com
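The zone that step 7 creates for mydomain.com, written out by hand so the records behind the registrar table are visible, together with the checks a practitioner runs before and after the final dig. This is an added example, not from the article or from YaST: 203.0.113.10 is a documentation placeholder for the live IP, the /tmp path, the hostmaster and mail names and the recursion check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: the zone YaST generates in step 7,
# written out by hand, plus a syntax check and an open-recursion check.
# 203.0.113.10 is a placeholder for the live IP from your ISP (assumption).
LIVE_IP="${LIVE_IP:-203.0.113.10}"
ZONE_FILE="${ZONE_FILE:-/tmp/mydomain.com.zone}"  # YaST keeps it under /var/lib/named
write_zone() {
    cat > "$ZONE_FILE" <<EOF
\$TTL 2d
@     IN SOA   ns.mydomain.com. hostmaster.mydomain.com. (
                2010051201 ; serial, YYYYMMDDnn: bump it on every edit
                3h         ; refresh
                1h         ; retry
                1w         ; expire
                1d )       ; negative-cache TTL
      IN NS    ns.mydomain.com.
      IN MX 10 mail.mydomain.com.
      IN A     $LIVE_IP
ns    IN A     $LIVE_IP
mail  IN A     $LIVE_IP
www   IN CNAME mydomain.com.
EOF
}
# Count records of one type, so a caller can confirm the zone matches the
# registrar side: exactly one NS, an A for the apex, www as a CNAME to a name.
count_records() {   # $1 = record type
    grep -c "IN $1 " "$ZONE_FILE"
}
# Syntax check with BIND's own tool when it is installed (bind-utils package).
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone mydomain.com "$ZONE_FILE"
    else
        echo "named-checkzone not installed, skipping syntax check"
    fi
}
# After 'rcnamed start': an authoritative server on a live IP should refuse
# recursion for outsiders. Returns 1 if dig reports the 'ra' flag (open resolver).
check_recursion_closed() {
    if dig @"$LIVE_IP" example.org A +time=3 +tries=1 | grep -q 'flags:.* ra'; then
        echo "WARNING: $LIVE_IP answers recursive queries for anyone" >&2
        return 1
    fi
    return 0
}
write_zone
check_zone
```

Run check_recursion_closed once named is up; a forwarder entered in step 6 only helps your own clients and must not be reachable by the whole Internet.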

 

 

 
TrueCrypt
Written by Administrator
Friday, 22 May 2009 13:55

This howto explains how you can easily encrypt and decrypt data using the free, open-source tool TrueCrypt.

This article contains screenshots, and you need to click this link (truecrypt) to view it in PDF format.

Thank you.

 
Test Article
Written by Test
Thursday, 14 May 2009 04:35
This is a test Article

MASQUERADE
Written by Administrator
Saturday, 09 May 2009 16:16

Masquerading hides the private IP addresses of a LAN behind a public IP address. Why is this needed? Private IP address ranges cannot be routed on the Internet directly, as they are reserved for local area networks; only public IP addresses can communicate over the Internet.
Even when you connect your computer with a simple dial-up modem, it connects with the ISP (Internet Service Provider) first, which provides your computer with a public IP, and only then can you browse or connect to the Internet.

Therefore, if you have a Linux-based server with a static or dynamic IP provided by the ISP, you need masquerading to let your client computers' web traffic reach the Internet.

If you don't have Squid and just want to enable Internet sharing so that the client computers can also connect to the Internet, use the following on your Linux dial-up firewall server (here I assume that my server is connected with the modem, not with the DSL router, to show that masquerading also works with dynamic IP addresses):

[root@Firewall1 /]# echo 1 > /proc/sys/net/ipv4/ip_forward
 
[root@Firewall1 /]# iptables -t nat -A POSTROUTING -o ppp0 -p tcp -j MASQUERADE

SNAT:
SNAT, or source network address translation, does the same job as masquerading but is used when we have a static IP address; in that case we implement SNAT instead of masquerading, and SNAT is also faster.

DNAT:
If we wish to install Squid on a machine other than the gateway, and this machine has only one Ethernet card (eth0), we use a DNAT rule, which redirects the traffic to a certain IP address or machine (192.168.1.2 in our case: this machine is on the LAN, we have installed Squid on it, and we want our clients to go through it before reaching the Internet). For example, we give the following command on our Linux firewall machine (which is our main gateway server):
[root@Firewall1 /]# iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.1.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128

We can also use DNAT to redirect any incoming traffic to a certain machine which has a private IP address, i.e. which is on the LAN. For example, if your web server is installed on one of the machines on the LAN with only one interface (eth0) and the IP address 192.168.2.3, our Linux server Firewall1 has the permanent IP address 212.154.145.5, the web server is registered on the Internet with this IP address, and we don't want to put extra load on our gateway machine, we use the following command:

[root@Firewall1 /]# iptables -t nat -A PREROUTING -i eth0 -d 212.154.145.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.3:80

The above command will redirect any incoming request for port 80 (the web server) from the outside world to the IP address 192.168.2.3 (the web server).
From this example we can easily understand the DNAT command, which helps in redirecting a request to an internal IP address, whereas the request was for a web server that is registered on the Internet with the IP address 212.154.145.5.

Note: Sometimes this type of error occurs (this is an example, not the word-for-word error):
IP_conntrack_max bucket exceeded limit

To remove this error, log in as root and type the following:
# echo 262144 > /proc/sys/net/ipv4/ip_conntrack_max
Last Updated on Sunday, 10 May 2009 23:13
 
IPtables Howto
Written by Administrator
Saturday, 09 May 2009 16:14
IPTABLES

IPtables has INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING chains.
In this example I assume that my firewall server's name is Firewall1.
I will type all my rules on this server (Firewall1), and you have to do the same.

First of all I would like to write about the various options by which we can get help; these are always useful:

[root@Firewall1/]# man iptables 

[root@Firewall1/]# info iptables

[root@Firewall1 /]# iptables -h   (or: iptables --help)

To list the current rules in your IPtables, use the following command.

[root@Firewall1 /]# iptables -L

By default the policy of every chain is ACCEPT.

To flush all rules from iptables, use the following command.

[root@Firewall1 /]# iptables -F

Do remember to save the iptables rules every time, else they will be lost when the system reboots or the iptables service restarts.
To save the iptables rules, use the following command.

[root@Firewall1 /]# iptables-save > /etc/sysconfig/iptables

Now let us first consider an example of blocking any incoming telnet request from the Internet to our server.
For this I assume that my firewall server has two interfaces, eth0 and eth1:
eth0 is connected with the DSL router and eth1 is connected with the internal network or LAN.
If you are connected with a modem, you have to write ppp0 instead of eth0.

[root@Firewall1/]# iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP

In the above example, -A stands for append: it appends the rule to the chain. INPUT states that the rule is applied on the INPUT chain. -i tells iptables that the rule is for incoming traffic arriving on the Ethernet interface eth0. -p selects the protocol; in the above case we used tcp, so traffic travelling over TCP is blocked (to control UDP traffic we would write -p udp). --dport stands for destination port; in the above case we used 23, which is the telnet port. -j stands for jump to, and finally DROP means drop the packet; we can also use REJECT.

The difference between DROP and REJECT is that DROP discards the packet without sending any reply to the machine that requested the telnet connection to our firewall server, whereas REJECT sends an error reply to the requesting machine saying "Destination unreachable".

In the same way we can now block traffic for ssh (secure shell):
[root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --dport 22 -j REJECT

Now let us consider an example in which we want to reject everyone on the ssh port, i.e. 22, but allow one IP address. For this purpose we have to add two rules, but remember to add the allow rule first and then the reject or drop rule, because iptables acts on the first rule that matches.
So let's do it:

[root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --source 192.168.1.25 --dport 22 -j ACCEPT

Now the second rule, to reject everyone else:

[root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --source 0/0 --dport 22 -j REJECT

In the above example 0/0 means any ip address with any Net mask.

Now let us consider another example in which we will allow any web requests to and from the web server. In the example below -o is used, which means the outgoing interface through which traffic leaves the server.

[root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

[root@Firewall1 /]# iptables -A OUTPUT -o eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT

Now let us consider an example in which we will allow anyone to access our web server on port 80, yet deny all other services or ports.

[root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --syn ! --dport 80 -j DROP

Whereas if you wish to reject any service or port other than port 80 (the web server) for anyone from the outside world, use the following example:

[root@Firewall1 /]# iptables -A FORWARD -i eth0 -o eth0 -p tcp ! --dport 80 -j REJECT

If we wish to allow our clients on the network to access the Internet or messenger, we have to apply the NAT (Network Address Translation) rule.

But first we need to enable IP forwarding, which can be done by:

[root@Firewall1 /]# vi /etc/sysctl.conf

Now in the sysctl.conf configuration file we can enable IP forwarding by replacing 0 with 1 after "net.ipv4.ip_forward =".
The above is the permanent method of enabling IP forwarding. Now we apply the rule below:

[root@Firewall1 /]# iptables -t nat -A POSTROUTING -o eth0 -p tcp -j MASQUERADE

Now if you are running a Squid proxy server and you want to force every client in your network to go through your proxy server, then in addition to setting up the transparent proxy you have to apply the following rule via iptables. In the example below I assume that Squid is set up on its default port, i.e. 3128.
For more information about the Squid server visit www.squid-cache.org

[root@Firewall1 /]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Besides the above, we must also understand what DNAT, SNAT and MASQUERADE are (see the MASQUERADE howto).
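The rules from this IPtables howto and from the MASQUERADE howto, assembled into a single iptables-restore ruleset for Firewall1 so that the ordering the text insists on (allow before reject) is fixed in a file rather than left to the order commands were typed. This is an added example, not the articles' own commands: it takes eth0 as the Internet side and eth1 as the LAN as the howto states, the default-DROP policies and the ESTABLISHED,RELATED rules are this example's additions, and the addresses (192.168.1.25, 192.168.2.3, 212.154.145.5, port 3128) are the articles' values.

```shell
#!/bin/sh
# Added example, not from the articles: the IPtables and MASQUERADE howto rules
# as one iptables-restore ruleset for Firewall1 (eth0 = Internet, eth1 = LAN).
# Addresses are the articles' own: 192.168.1.25 admin host, 192.168.2.3 LAN
# web server, 212.154.145.5 public IP, 3128 squid (placeholders, assumption).
ADMIN_HOST="${ADMIN_HOST:-192.168.1.25}"
WEB_SERVER="${WEB_SERVER:-192.168.2.3}"
PUBLIC_IP="${PUBLIC_IP:-212.154.145.5}"
SQUID_PORT="${SQUID_PORT:-3128}"
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh: the allow rule must precede the reject rule, first match wins
-A INPUT -i eth0 -p tcp -s $ADMIN_HOST --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j REJECT
# telnet from the Internet is dropped silently; the LAN may reach squid
-A INPUT -i eth0 -p tcp --dport 23 -j DROP
-A INPUT -i eth1 -p tcp --dport $SQUID_PORT -j ACCEPT
# LAN goes out; from outside only replies and the DNAT'd web traffic get in
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d $WEB_SERVER --dport 80 -j ACCEPT
COMMIT
*nat
# incoming web requests for the public IP go to the LAN web server (DNAT)
-A PREROUTING -i eth0 -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# LAN web traffic is forced through squid on this box (transparent proxy)
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# everything leaving eth0 takes the firewall's address (MASQUERADE)
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
# Line number of the first rule matching a pattern, to verify ordering.
rule_index() {   # $1 = grep pattern
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}
# Load atomically and persist as the howto does; needs root.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | iptables-restore && iptables-save > /etc/sysconfig/iptables
}
gen_rules   # dry run: print the ruleset; call apply_rules as root to load it
```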

 