Setting up a Linux Proxy server using Fedora core 5

Assumptions:

- eth0 is the external interface (connected to the internet)
- eth1 is the internal interface (local network, fixed IP)

Edit /etc/sysctl.conf to enable ip forwarding permanently.

net.ipv4.ip_forward = 1

Edit /etc/sysconfig/iptables-config and make the following changes:

IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp ip_conntrack_irc iptable_nat ip_nat_ftp ip_nat_irc"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"

# To clear out any existing rules and set the default policies,
# run the following commands at the command prompt
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# FWD: Allow all connections OUT and only existing and related ones IN

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Enabling MASQUERADE functionality on eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
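
The ruleset above can be verified after the fact from iptables-save output. The following checker is an added example, not part of the original post: it parses a dump (here a constructed sample matching the rules above) and reports deviations from the intended policy; the INPUT note is an extra observation, since the rules above leave the gateway's own INPUT chain at ACCEPT.

```python
SAMPLE_DUMP = """# constructed iptables-save dump matching the rules in the post
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":"):               # chain policy, e.g. :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A "):             # a rule appended to a chain
            tables[current]["rules"].append(line)
    return tables

def audit_router(dump, ext="eth0", int_="eth1"):
    """Findings against the intended NAT-router policy; empty list means it matches."""
    t = parse_iptables_save(dump)
    filt, nat = t.get("filter", {}), t.get("nat", {})
    findings = []
    if filt.get("policy", {}).get("FORWARD") != "DROP":
        findings.append("FORWARD default policy is not DROP")
    inbound = [r for r in filt.get("rules", [])
               if f"-i {ext} -o {int_}" in r and "-j ACCEPT" in r]
    if any("--state" not in r for r in inbound):
        findings.append(f"unconditional ACCEPT from {ext} to {int_}")
    if not any("ESTABLISHED,RELATED" in r for r in inbound):
        findings.append("no ESTABLISHED,RELATED rule for inbound forwarded traffic")
    if not any(f"-o {ext} -j MASQUERADE" in r for r in nat.get("rules", [])):
        findings.append(f"no MASQUERADE rule on {ext}")
    if filt.get("policy", {}).get("INPUT") == "ACCEPT":
        findings.append(f"INPUT policy is ACCEPT: review what the gateway itself exposes on {ext}")
    return findings
```

Run it against the real thing with `iptables-save | python3 -c 'import sys; ...'` or by reading the dump into audit_router.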


ALOHA and slotted ALOHA protocols

Pure ALOHA protocol

The pure ALOHA protocol is a random access protocol used for data transfer.

A user accesses the channel as soon as a message is ready to be transmitted. After a transmission the user waits for an acknowledgement on either the same channel or a separate feedback channel. In case of a collision (i.e. when a NACK is received), the terminal waits for a random period of time and retransmits the message. As the number of users increases, delay grows because the probability of collision increases.

Slotted ALOHA protocol

In the slotted ALOHA protocol, time is divided into equal time slots of length greater than the packet duration (the time taken to transmit a fixed-length packet).

The subscribers (users) each have synchronized clocks and transmit a message only at the beginning of a new time slot, resulting in a discrete distribution of packets (each subscriber is assigned a time slot in which he can transmit). (Note: two users may get the same time slot at peak times.)

This prevents partial collisions (i.e. a packet colliding with only a portion of another). A packet will therefore either collide completely or not at all.

As the number of users increases, a greater delay will occur due to duplicate time slot assignments and hence a greater number of complete collisions. Repeated transmission of lost packets makes things even slower.

But the vulnerable period for slotted ALOHA is only one packet duration, since partial collisions are prevented through synchronization.

Overall, slotted ALOHA provides a maximum channel utilization of 0.368 Erlangs, double that of pure ALOHA.
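
As an added example (not part of the original post), the closed-form throughputs S = G e^-2G (pure) and S = G e^-G (slotted) next to a small Monte Carlo that reproduces the two vulnerable periods. It assumes a packet duration of one time unit and G as the offered load in packets per packet-time; the arrival process and seed are constructed for the run.

```python
import math
import random

def throughput_formula(G, slotted):
    """Closed-form throughput S(G): G*e^-G for slotted, G*e^-2G for pure ALOHA."""
    return G * math.exp(-G if slotted else -2 * G)

def simulate(G, slotted, packets=20000, seed=1):
    """Successful packets per packet-time for Poisson arrivals at rate G.
    A packet survives only if no other packet starts within one packet-time
    on either side of it: a 2T window in pure ALOHA, but after snapping
    starts to slot boundaries only packets in the very same slot collide (T)."""
    rng = random.Random(seed)                   # fixed seed: constructed, reproducible run
    t, starts = 0.0, []
    for _ in range(packets):
        t += rng.expovariate(G)                 # exponential inter-arrival times, rate G
        starts.append(math.ceil(t) if slotted else t)
    n, ok = len(starts), 0
    for i, s in enumerate(starts):              # starts are already sorted
        before_clear = i == 0 or s - starts[i - 1] >= 1
        after_clear = i == n - 1 or starts[i + 1] - s >= 1
        ok += before_clear and after_clear
    return ok / (starts[-1] - starts[0])

def peak_throughput(slotted, step=0.01):
    """(G, S) at which the closed-form throughput is maximal (grid search on G)."""
    best = max((throughput_formula(g * step, slotted), g * step) for g in range(1, 301))
    return best[1], best[0]

if __name__ == "__main__":
    for name, slotted, G in (("pure", False, 0.5), ("slotted", True, 1.0)):
        print(f"{name:8s} G={G}: simulated S={simulate(G, slotted):.3f}, "
              f"formula S={throughput_formula(G, slotted):.3f}, peak={peak_throughput(slotted)}")
```

The peaks come out at G = 0.5 with S = 1/(2e) = 0.184 for pure ALOHA and G = 1 with S = 1/e = 0.368 for slotted ALOHA, which is the factor of two stated above.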

Limitation of Aloha in general

ALOHA protocols do not listen to the channel before transmission, and therefore do not exploit information about other users. By listening to the channel before starting transmission, greater efficiencies may be achieved. This is where CSMA protocols come into the picture which I will cover in a separate post.


TCP/IP and OSI

The Transmission Control Protocol (TCP) was developed before the OSI model. Therefore, the layers in the TCP/IP protocol suite do not match exactly with those in the OSI model. The TCP/IP suite is made of 5 layers: physical, data link, network, transport, and application. OSI has 7 layers.

Here is the comparison:

Application layer of TCP/IP = Session, presentation, and application layers of the OSI model.

TCP & UDP protocol of TCP/IP = Transport layer of OSI model

IP protocol (with IGMP, ICMP, ARP, RARP) of TCP/IP = Network layer of OSI model

At the data link and physical layers of OSI, TCP/IP does not define any specific protocol of its own. The IP layer of TCP/IP is capable of interfacing with many available standards, for example Ethernet, Token Ring, FDDI, HSSI, and ATM.


fastcgi lighttpd rubyonrails Error: getcwd no such file or directory

I got this error today while deploying a rails application on a running lighttpd server.
Errno::ENOENT (No such file or directory - getcwd)
I replaced the application directory without stopping lighty and got an error while trying to access the app via the browser.
I got off by merely restarting lighttpd :)

Seems like the server creates/uses some file "within" the rails app folder which got erased while replacing the folder.


DOM Select: setting onchange the cross-browser way

This is how you set an event handler that works in all browsers:

[code]
// func is your change handler, defined elsewhere; pass the function itself,
// never a string such as "func()" (assigning a string to .onchange does nothing)
var onChangeHandler = func;

if (selColumn.addEventListener) {
    // W3C DOM browsers
    selColumn.addEventListener('change', onChangeHandler, false);
} else if (selColumn.attachEvent) {
    // Internet Explorer 8 and earlier
    selColumn.attachEvent('onchange', onChangeHandler);
} else {
    // last resort: the DOM0 property
    selColumn.onchange = onChangeHandler;
}
[/code]


find: various possibilities

find . -name "*.ext"

find . -user mike #owned by mike

find . -type d   #All directories  -type f for all files

find . -size +1024M #More than 1 GB

find . -name "*.jpg" ! -name "bb*"  #All jpgs except those that start with bb (quote the patterns so the shell does not expand them)

find /etc  -mtime -1 #All files in /etc that have been modified within the last day (24 hour increment from -1 ie yesterday)

find /etc -user root -amin -2 #all files in /etc that have been accessed within the last two minutes

* -atime: when the file was last accessed
* -ctime: when the file's permissions were last changed
* -mtime: when the file's data was last modified
* -amin: when (in minutes) the file was last accessed
* -cmin: when (in minutes) the file's permissions were last changed
* -mmin: when (in minutes) the file's data was last modified

* -nouser: file is not associated with an existing user id
* -nogroup: file is not associated with an existing group id
* -links n: file has n links
* -newer other: file was modified more recently than the file other
* -perm 777: file has permission mode 777


RPM fast track

RPM packages have a file of names like foo-1.0-2.i386.rpm, which include the
package name (foo), version (1.0), release (2), and architecture (i386).

 To display package information before installing the program, use the command:
# rpm -qpi foo-2.3-8.i386.rpm

 To install an RPM package, use the command:
# rpm -ivh foo-1.0-2.i386.rpm

 To upgrade an RPM package, use the command:
# rpm -Uvh foo-1.0-2.i386.rpm

With this command, RPM automatically uninstalls the old version of the foo package and installs the
new one. Always use rpm -Uvh to install packages, since it works fine even when no
previous version of the package is installed.

 To uninstall an RPM package, use the command:
# rpm -e foo
Notice the use of the package name "foo", not the name of the original package file "foo-1.0-2.i386.rpm".

# rpm -q foo
foo-2.3-8
This command will print the package name, version, and release number of the installed package
foo. Use this command to verify whether a package is installed on your system.

 To display package information, use the command:
# rpm -qi foo

 To list the files in an installed RPM package, use the command:
# rpm -ql foo

 To find out which package a file belongs to, use the command:
# rpm -qf /etc/passwd

 To remove all the unneeded packages together, use the following commands:
# rpm -e --nodeps anacron apmd at dhcpcd dosfstools eject hotplug ipchains ksymoops kudzu lokkit mailcap pciutils pump raidtools redhat-logos redhat-release setserial kbdconfig mouseconfig timeconfig authconfig ntsysv setuptool

Once you have installed all the software that you need on your Linux server with the RPM
command, it's a good idea to move the rpm binary to a safe place like a floppy disk or another safe place of your choice. With this method, if someone accesses your server with the intention of installing nasty software with the RPM command, he won't be able to. Of course, if in the future you want to install or upgrade new software via RPM, all you have to do is put the rpm binary back in its original directory.

 To move the rpm binary to the floppy disk, use the commands:
[root@deep /]# mount /dev/fd0H1440 /mnt/floppy/
[root@deep /]# mv /bin/rpm /mnt/floppy/
[root@deep /]# umount /mnt/floppy/

One more thing you can do is change the default permission of the "rpm" command from 755 to 700. With this modification, non-root users can't use the "rpm" program to query, install etc., in case you forget to move it to a safe place after installation of new programs.


Tighten up single-user login mode

Linux has a special boot option (linux single), also known as 'single-user mode', which can be
entered at the boot prompt during startup of the system. Single-user mode is generally used
for system maintenance. You can boot Linux in single-user mode by typing the following at the LILO boot
prompt:
LILO: linux single

This will place the system in run level 1, where you'll be logged in as the super-user 'root', and
where you won't even have to type in a password! Requiring no password to boot into root under single-user mode is a bad idea. You can fix this by
 editing the inittab file (vi /etc/inittab) and changing the following line:
id:3:initdefault:
to read:
id:3:initdefault:
~~:S:wait:/sbin/sulogin
The added line makes init(8) run sulogin(8) before dropping the machine into a root shell for
maintenance, so the root password must be entered before the boot into single-user mode continues.

 Now, for the change to take effect type in the following at a prompt:
# /sbin/init q


Tighten up NFS

Configure the /etc/exports file with the most restrictive access possible. This means not using wildcards, not allowing root
write access, and mounting read-only wherever possible.
 Edit the exports file (vi /etc/exports) and add entries like these:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Where /dir/to/export is the directory you want to export, host1.mydomain.com is the machine allowed to mount this directory, the ro option means it is mounted read-only and the root_squash option means not allowing root write access in this directory.
* root_squash - Maps the root user to the nobody user. This has the effect of not allowing a root user on a client to gain root file access permissions on the server.
* all_squash - Maps all the UIDs and GIDs to the nobody user. This is useful if the share is to have anonymous access, much like an anonymous FTP server.

 For this change to take effect you will need to run this command on your terminal:
# /usr/sbin/exportfs -a
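
As an added example (not from the original post), a checker that reads an /etc/exports file in the nfs-utils syntax shown above and flags what the rules above forbid: wildcard or missing clients, read-write exports and exports where root is not squashed. EXPORTS is a constructed sample; the first two lines are the ones from the post.

```python
import re

EXPORTS = """\
# constructed sample /etc/exports for the check below
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/home *.mydomain.com(rw,no_root_squash)
/pub (ro)
"""

# one client entry: optional host pattern, then an optional (option,list)
CLIENT = re.compile(r"([^(]*)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Yield (path, client, options) for every client entry of every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for token in rest.split() or [""]:             # no client entry at all = everyone
            m = CLIENT.fullmatch(token)
            if m is None:
                yield path, token, {"<malformed>"}
            else:
                yield path, m.group(1), set(filter(None, (m.group(2) or "").split(",")))

def audit_exports(text):
    """Findings against the rules above; an empty list means the file passes."""
    findings = []
    for path, client, opts in parse_exports(text):
        who = client or "(everyone)"
        if client == "" or any(c in client for c in "*?"):
            findings.append(f"{path}: wildcard client '{who}'")
        if "rw" in opts:
            findings.append(f"{path}: exported read-write to {who}")
        if "no_root_squash" in opts:
            findings.append(f"{path}: root not squashed for {who}")
        if "<malformed>" in opts:
            findings.append(f"{path}: cannot parse client entry '{client}'")
    return findings
```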


Tighten up /etc/fstab

- Mounting the boot partition read-only increases the security of the kernel. This is how you do it in /etc/fstab:

LABEL=/boot /boot ext2 defaults,ro 1 2

And reload the change:
# mount /boot -oremount

And yes, make it writable again when you are planning a kernel upgrade, otherwise the new kernel can't be installed into /boot :)

Other security options in the fstab file are:
* defaults: allow everything (quota, read-write, and suid) on this partition.
* noquota: do not set user quotas on this partition.
* nosuid: do not allow SUID/SGID access on this partition.
* nodev: do not allow character or block special devices on this partition.
* noexec: do not allow execution of any binaries on this partition.
* quota: allow user quotas on this partition.
* ro: mount this partition read-only.
* rw: mount this partition read-write.
* suid: allow SUID/SGID access on this partition.

Some useful examples:
LABEL=/cache /cache ext2 defaults,nodev 1 2
LABEL=/tmp /tmp ext2 defaults,nosuid,noexec 1 2

# mount /cache -oremount
# mount /tmp -oremount

 To verify if the modifications have been correctly applied:
# cat /proc/mounts
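
As an added example (not from the original post), a small checker that compares the fstab lines above with a /proc/mounts snapshot (both constructed samples here) and reports every security option that is configured but not active on the live mount. In the sample, /boot has not been remounted yet, which is exactly what the cat /proc/mounts step is meant to catch.

```python
FSTAB = """\
# constructed /etc/fstab lines, the same ones used in the examples above
LABEL=/boot /boot ext2 defaults,ro 1 2
LABEL=/cache /cache ext2 defaults,nodev 1 2
LABEL=/tmp /tmp ext2 defaults,nosuid,noexec 1 2
"""

PROC_MOUNTS = """\
/dev/sda1 /boot ext2 rw 0 0
/dev/sda5 /tmp ext2 rw,nosuid,noexec 0 0
/dev/sda6 /cache ext2 rw,nodev 0 0
/dev/sda7 /home ext3 rw 0 0
"""

# the fstab options this post cares about
SECURITY_OPTS = {"ro", "nosuid", "noexec", "nodev"}

def parse_mount_table(text):
    """{mountpoint: set(options)} from fstab or /proc/mounts (same field layout)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        mountpoint = fields[1].replace("\\040", " ")    # /proc/mounts escapes spaces
        table[mountpoint] = set(fields[3].split(","))   # later entries win, as in the kernel
    return table

def audit_mounts(fstab_text, proc_mounts_text):
    """Security options configured in fstab that the live mount does not show."""
    wanted = parse_mount_table(fstab_text)
    live = parse_mount_table(proc_mounts_text)
    findings = []
    for mountpoint, opts in wanted.items():
        expected = opts & SECURITY_OPTS
        if mountpoint not in live:
            findings.append(f"{mountpoint}: in fstab but not mounted")
            continue
        missing = sorted(expected - live[mountpoint])
        if missing:
            findings.append(f"{mountpoint}: live mount lacks {','.join(missing)} (remount it)")
    return findings
```

On a real box, read /etc/fstab and /proc/mounts into the two arguments instead of the samples.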
