Wednesday, May 17, 2006

Adding an Additional Hard Drive to Your Linux Machine


A common question is: how do I add an additional hard drive to my Linux box? We could use utilities like fdisk, cfdisk or QtParted, but fdisk is the one I'm going to discuss below.

Why fdisk? The answer is simple: fdisk is the utility that I've been using ever since I first tried Linux. :)

Here are the steps:

You must first identify which device is your new hard drive, either through dmesg or using the fdisk utility:

 # fdisk -l

The output displays information about the current hard drives and the device each one is assigned to.
For a SCSI drive it's normally /dev/sda, while for an IDE drive it's /dev/hda. The new drive in this example is /dev/hdc:

# fdisk /dev/hdc

Command (m for help): _

For a short manual we need to enter the 'm' command:

        Command (m for help): m
        Command action
           a   toggle a bootable flag
           b   edit bsd disklabel
           c   toggle the dos compatibility flag
           d   delete a partition
           l   list known partition types
           m   print this menu
           n   add a new partition
           o   create a new empty DOS partition table
           p   print the partition table
           q   quit without saving changes
           s   create a new empty Sun disklabel
           t   change a partition's system id
           u   change display/entry units
           v   verify the partition table
           w   write table to disk and exit
           x   extra functionality (experts only)

        Command (m for help):

We only need to know a few commands: d, p, n, q, w. Don't be afraid to use them: all your changes are made only in memory and are written to the hard disk only after the 'w' command is entered. If we make a mistake, we can cancel all changes with the 'q' command.

First of all, let's make sure that the disk is empty:

        Command (m for help): p

        Disk /dev/hdc: 64 heads, 63 sectors, 787 cylinders
        Units = cylinders of 4032 * 512 bytes

           Device Boot    Start       End    Blocks   Id  System

        Command (m for help):

Sellers of PCs and hardware often pre-divide disks into partitions. In such cases we can use the 'd' command (described below) to delete everything we do not need.

So, let's create a new partition (with the 'n' command), answering the questions as we go:

        Command (m for help): n
        Command action
           e   extended
           p   primary partition (1-4)

For the partition type (primary or extended), we enter p for primary.

For the partition number: in this example we assign all of the free space to one partition. Because this will be the first and only partition, we assign the number 1:

        Partition number (1-4): 1

When setting the number of the first cylinder of the partition, we can just use the default value, which is recorded when we just press Enter:

        First cylinder (1-787, default 1):
        Using default value 1

Setting the number of the last cylinder of the partition is easy in this example, since we are filling the entire drive with one partition. Again, just press Enter for the default (instead of a cylinder number, we can give the size of the partition in bytes, kilobytes, or megabytes):

        Last cylinder or +size or +sizeM or +sizeK (1-787, default 787):
        Using default value 787

        Command (m for help):

The partition is now created. We can look at the new partition table with the 'p' command:

        Command (m for help): p

        Disk /dev/hdc: 64 heads, 63 sectors, 787 cylinders
        Units = cylinders of 4032 * 512 bytes

           Device Boot    Start       End    Blocks   Id  System
        /dev/hdc1             1       787   1586560+  83  Linux

        Command (m for help):

If we don't like (for some reason) the location or number of the partition, we can delete it using the 'd' command:

        Command (m for help): d
        Partition number (1-4): 1
        Command (m for help):

If you want to divide the disk into several partitions, you will need to repeat these operations for each one. One thing that is important to remember is that if you need more than four partitions, you'll need to create an extended partition, rather than a primary one, across all the available disk space. Inside this extended partition you can create as many logical partitions as needed.

Remember, please, that logical partitions always should be numbered from 5 upwards; it doesn't matter how many primary partitions were created before (one, three, or none at all).

After the partition has been created and the table written to disk with 'w', you will want to format it using the mkfs command. You could use mkfs.ext3, depending on the type of filesystem you want.

mkfs.ext3 /dev/hdc1

After formatting, you can mount it on your Linux box so that you can start using it (the mount point, /u01 here, must already exist):

mount /dev/hdc1 /u01

or simply add it to your fstab so that you don't need to remount it every time your system is restarted.

Monday, May 01, 2006

3-legged 'Transparent Proxy' firewall using IPFilter 4.1.8, Squid on Fedora Core 1

Date: Oct 8, 2005
by Jett Tayer


Download and install apt for Fedora Core 1
# cd /usr/local/src
# wget http://apt.sw.be/fedora/1/en/i386/dag/RPMS/apt-0.5.15cnc6-4.1.fc1.rf.i386.rpm
# wget http://apt.sw.be/fedora/1/en/i386/dag/RPMS/apt-devel-0.5.15cnc6-4.1.fc1.rf.i386.rpm
# rpm -ivh apt-0.5.15cnc6-4.1.fc1.rf.i386.rpm
# rpm -ivh apt-devel-0.5.15cnc6-4.1.fc1.rf.i386.rpm
Update your apt database
# apt-get update
Upgrade your packages
# apt-get upgrade
Upgrade the kernel
# apt-get install kernel#2.4.22-1.2199.nptl kernel-source#2.4.22-1.2199.nptl
Install some needed apps
# apt-get install patch rpm-build
Restart your machine and boot the newly installed kernel.
Download and extract the Squid package.
# apt-get install squid
Configure Squid to do 'transparent proxying'
# vi /etc/squid/squid.conf
You will need to make at least the following changes in /etc/squid/squid.conf
http_port 3128
http_access deny to_localhost
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
visible_hostname your.server.name.dom
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Fire up Squid!
# service squid start
Install Bind 9: Provide caching DNS service to LAN only
# apt-get install bind bind-chroot
# service named start
Install IPFilter
Download and extract ipfilter software package
# wget http://coombs.anu.edu.au/~avalon/ip_fil4.1.8.tar.gz
# gzip -cd ip_fil4.1.8.tar.gz | tar xvf -
# cd ip_fil4.1.8
Edit Makefile
# vi Makefile
look for the line,
LINUXKERNEL=/usr/src/linux
and change it to,
LINUXKERNEL=/usr/src/linux-2.4
Uncomment the following 3 lines
STATETOP_CFLAGS=-DSTATETOP
STATETOP_INC=
STATETOP_INC=-I/usr/local/include
and change the last line
STATETOP_INC=-I/usr/local/include
to
STATETOP_INC=-I/usr/include
Uncomment the following 2 lines
STATETOP_LIB=-lncurses
STATETOP_LIB=-L/usr/local/lib -lncurses
and change the last line
STATETOP_LIB=-L/usr/local/lib -lncurses
to
STATETOP_LIB=-L/usr/lib -lncurses
Next look for the line
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
and change it to
POLICY=-DIPF_DEFAULT_PASS=FR_BLOCK
Save the file
:wq!
Compile IPFilter
# make linux
# make install-linux
Note:
There will be errors about ipfilter.o not being found.
Just copy the ipfilter.o created by the 'make linux' command above into
/usr/src/redhat/BUILD/ipfilter/lib/modules/2.4.22-1.2199.nptl/kernel/net/ipv4/
then run "make install-linux" again.
There will still be errors, but don't worry, because the ipfilter RPM file will
be written to /usr/src/redhat/RPMS/i386. In that case just go directly
to the location of the IPFilter RPM file and install it manually.
# cd /usr/src/redhat/RPMS/i386/
# rpm -ivh ipfilter-4.1.8-1.i386.rpm
IPFilter is now installed.
Config file (/etc/ipf.conf)
Here is my working ipf.conf for a 3-legged firewall
############################
### ipf.conf starts here ###
#
# $Linux ipf.conf 2005/07/17 16:15:55 tayer Exp $
#
# See /usr/share/ipfilter/examples for syntax and examples.
# eth0 is connected to the Internet with ip address 10.10.10.1 which is part of
# 10.10.10.0/24 network (not my real ip block of course!)
# eth1 is connected to the private subnet 192.168.1.0/24, 192.168.1.1 is the IP of eth1
# eth2 is connected to the private subnet 192.168.2.0/24, 192.168.2.1 is the IP of eth2
# Filtering:
block in all
block out all
block in quick on eth0 from 127.0.0.0/8 to any
block in quick on eth0 from 192.168.0.0/16 to any
block in quick on eth0 from 172.16.0.0/12 to any
block in quick on eth0 from 10.0.0.0/8 to any
block in quick on eth0 from 169.254.0.0/16 to any
block in quick on eth0 from 223.0.0.0/8 to any
block in quick on eth0 from 198.18.0.0/15 to any
block in quick on eth0 from 197.0.0.0/8 to any
block in quick on eth0 from 224.0.0.0/3 to any
block out quick on eth0 from any to 127.0.0.0/8
block out quick on eth0 from any to 192.168.0.0/16
block out quick on eth0 from any to 172.16.0.0/12
block out quick on eth0 from any to 10.0.0.0/8
block out quick on eth0 from any to 169.254.0.0/16
block out quick on eth0 from any to 223.0.0.0/8
block out quick on eth0 from any to 198.18.0.0/15
block out quick on eth0 from any to 197.0.0.0/8
block out quick on eth0 from any to 224.0.0.0/3
# What's these?? :)
block in log quick on eth0 from any to 10.10.10.0
block in log quick on eth0 from any to 10.10.10.255
block in log quick on eth0 from any to 255.255.255.255
##### Block a bunch of different nasty things. ############
# That I don't want to see in the log
#
# Block frags
block in log quick on eth0 all with frags
# Block short tcp packets
block in log quick from any to any with ipopts
block in log quick all with short
# Block anything with special options
block in log quick all with ipopts
#
# Log packets with BOTH ssrr and lsrr set
log in all with opt lsrr,ssrr
# block source routed packets
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on eth0 proto tcp from any to any flags FUP
# Block public pings
#block in log quick on eth0 proto icmp all
# Allow loopback packets freely
pass in quick on lo
pass out quick on lo
# Allow LAN packets freely
# allow freely packets from 192.168.1.0/24 LAN
pass in quick on eth1
pass out quick on eth1
# allow freely packets from 192.168.2.0/24 LAN
pass in quick on eth2
pass out quick on eth2
# Allow incoming data channel for outgoing connections, reject
# and log all incoming control connections
pass out quick on eth0 proto tcp from any to any port = 21 flags S keep state
# Allow SSH
pass in on eth0 proto tcp from any to eth0/32 port = 22 flags S/SA keep state
# Allow SMTP traffic
#pass in on eth0 proto tcp from any to eth0/32 port = 25 flags S/SA keep state
# Allow DNS traffic (tcp & axfr)
#pass in on eth0 proto tcp from any to eth0/32 port = 53 flags S/SA keep state
# Allow DNS traffic (udp)
#pass in on eth0 proto udp from any to eth0/32 port = 53 keep state
# Allow outside world to ping me (bad idea)
#pass in on eth0 proto icmp from any to any icmp-type 8 code 0 keep state keep frags
# Allow me to ping the outside world
pass out quick proto icmp from any to any icmp-type 8 code 0 keep state keep frags
# Allow all outgoing tcp traffic
pass out on eth0 proto tcp all flags S/SA keep state
# Allow all outgoing udp traffic
pass out on eth0 proto udp all keep state
#
### ipf.conf ends here ###
##########################
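
As an added illustration (not part of the original post, and not IPFilter code), this simplified Python model evaluates a few of the inbound rules above the way ipf does: the last matching rule decides, unless a matching rule carries `quick`, which ends the search at once. It assumes every packet is the initial SYN of a connection and uses the placeholder eth0 address 10.10.10.1 from the config comments; `decide`, `addr_matches` and the sample addresses are constructed for this example.

```python
import ipaddress
import re

# Excerpt of inbound rules from the ipf.conf above, in their original order.
RULES = """\
block in all
block in quick on eth0 from 192.168.0.0/16 to any
block in quick on eth0 from 10.0.0.0/8 to any
pass in quick on eth1
pass in on eth0 proto tcp from any to eth0/32 port = 22 flags S/SA keep state
""".splitlines()

ETH0_IP = "10.10.10.1"  # placeholder eth0 address from the config comments

# Covers only the rule forms in the excerpt; trailing options are ignored
# (assumption: every packet tested is the initial SYN of a connection).
RULE_RE = re.compile(
    r"(?P<action>block|pass) in(?P<quick> quick)?"
    r"(?: on (?P<iface>\w+))?(?: proto (?P<proto>\w+))?"
    r"(?: from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))?)?"
)


def addr_matches(spec, ip):
    """True if ip falls inside spec ('any', a CIDR block, or eth0/32)."""
    if spec in (None, "any"):
        return True
    if spec == "eth0/32":  # treated here as the interface's own address
        spec = ETH0_IP + "/32"
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def decide(iface, proto, src, dst, dport):
    """Return (action, rule) for a packet arriving on iface."""
    # Fallback if nothing matches: the default chosen at build time.
    verdict = ("block", "default policy (IPF_DEFAULT_PASS=FR_BLOCK)")
    for rule in RULES:
        m = RULE_RE.match(rule)
        if m["iface"] and m["iface"] != iface:
            continue
        if m["proto"] and m["proto"] != proto:
            continue
        if not (addr_matches(m["src"], src) and addr_matches(m["dst"], dst)):
            continue
        if m["port"] and int(m["port"]) != dport:
            continue
        verdict = (m["action"], rule)  # last match so far
        if m["quick"]:                 # 'quick' stops evaluation here
            break
    return verdict
```

A packet with a private source address arriving on eth0 for port 22 is dropped by the earlier `quick` rule even though the later SSH `pass` rule would also match it, which is why the anti-spoofing blocks come first.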
Config file (/etc/ipnat.conf)
Here is my working ipnat.conf for my 3-legged firewall
### ipnat.conf starts here ###
#
map eth0 192.168.1.0/24 -> 10.10.10.1/32 proxy port ftp ftp/tcp
map eth0 192.168.1.0/24 -> 10.10.10.1/32 portmap tcp/udp 40000:60000
map eth0 192.168.1.0/24 -> 10.10.10.1/32
map eth0 192.168.2.0/24 -> 10.10.10.1/32 proxy port ftp ftp/tcp
map eth0 192.168.2.0/24 -> 10.10.10.1/32 portmap tcp/udp 40000:60000
map eth0 192.168.2.0/24 -> 10.10.10.1/32
#
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box, to the local ftp
# port, forcing them to connect through a proxy, you would use:
#
rdr eth0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
#
# squid transparent proxy
rdr eth1 192.168.1.1/32 port 80 -> 192.168.1.1 port 80
rdr eth1 0.0.0.0/0 port 80 -> 192.168.1.1 port 3128
rdr eth2 192.168.2.1/32 port 80 -> 192.168.2.1 port 80
rdr eth2 0.0.0.0/0 port 80 -> 192.168.2.1 port 3128
#
### ipnat.conf ends here ###
Enable IP Forwarding:
Add this line in /etc/sysctl.conf if not already there
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Re-read /etc/sysctl.conf
# sysctl -p
Fire up IPFilter
# service ipfilter start
IPFilter admin commands
Display a table of data detailing firewall performance,
including how many packets have been passed or blocked.
# ipfstat -hio
To flush and load ipfilter rules
# ipf -Fa -f /etc/ipf.conf
To flush and load ipnat rules
# ipnat -CF -f /etc/ipnat.conf