Archive for December, 2010

Linux Bonding Interfaces for High Availability.

This article covers bonding Ethernet interfaces into one logical interface for high availability and better throughput on your Linux box.
Bonding matters if you want a highly available server: if one interface goes down, the remaining backup interfaces keep the link up.
The bond can be configured in several modes: balance-rr (round-robin), active-backup, balance-tlb, balance-alb, balance-xor, etc.

Here are the steps to get it working on RedHat, Fedora and CentOS based systems.

Create the ifcfg-bond0 file in /etc/sysconfig/network-scripts/:

touch /etc/sysconfig/network-scripts/ifcfg-bond0

Edit the file and change the IP address settings to match your network:

DEVICE=bond0
IPADDR=192.168.0.100
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
BROADCAST=192.168.0.255

The next step is to modify the network cards’ configuration files. Check the current eth0 file:
cat /etc/sysconfig/network-scripts/ifcfg-eth0

eth0 should look like this:

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

Then change eth1 as well. Check the current file:
cat /etc/sysconfig/network-scripts/ifcfg-eth1

eth1 should look like this:

DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes

If you want to bond more devices, give each of them an ifcfg file like the ones above.

After you have set up the interfaces you need to set the kernel module parameters.

Add the following lines to the /etc/modprobe.conf file.

alias bond0 bonding
options bonding mode=balance-alb miimon=100

Next, load the kernel module.

modprobe bonding

Then restart the network service.

service network restart

You are set!

To test the bonding device, list its status with this command:

cat /proc/net/bonding/bond0

You can change the mode in the modprobe.conf file to fit your system.
Take a look at this link for more reference: http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding and search for the “Bonding Driver Options” section to change the bonding mode.
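Listing /proc/net/bonding/bond0 by hand tells you the state once; for a highly available server you want the same check run regularly so a dead slave is noticed before the second one fails. The script below is an added example, not part of the original post: it parses a file in the /proc/net/bonding format, prints the mode and every slave’s MII status and link failure count, and exits non-zero when the bond is degraded. The sample status file it writes is constructed here (balance-alb with miimon=100 from the post, eth1 down); the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a
# /proc/net/bonding/<device> status file and flag a degraded bond, i.e.
# one where a slave link is down.
# Exit status: 0 all slaves up, 1 at least one slave down, 2 no slaves found.
bond_check() {
    awk '
        /^Bonding Mode:/ { sub(/^Bonding Mode: /, ""); mode = $0 }
        /^Slave Interface:/ { slave = $3; order[++n] = slave }
        /^MII Status:/ && slave != "" { status[slave] = $3 }
        /^Link Failure Count:/ && slave != "" { failures[slave] = $4 }
        END {
            printf "bond mode: %s\n", mode
            if (n == 0) { print "no slave interfaces found"; exit 2 }
            down = 0
            for (i = 1; i <= n; i++) {
                s = order[i]
                printf "slave %s: %s (link failures: %s)\n", s, status[s], failures[s]
                if (status[s] != "up") down++
            }
            if (down) { printf "DEGRADED: %d of %d slaves down\n", down, n; exit 1 }
            print "OK: all slaves up"
            exit 0
        }' "$1"
}

# Constructed sample in the /proc/net/bonding/bond0 format (balance-alb and
# miimon=100 as in the post); eth1 is down, so the check reports a degraded bond.
write_sample_bond() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Ethernet Channel Bonding Driver: v3.5.0

Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:66
EOF
    echo "$f"
}

# Real use, e.g. from cron or a monitoring agent: bond_check /proc/net/bonding/bond0
if [ -n "${1:-}" ]; then
    bond_check "$1"
fi
```

Run it as `sh bondcheck.sh /proc/net/bonding/bond0` and alert on a non-zero exit; the "Link Failure Count" column is worth graphing too, because a slave that flaps without staying down still points at a bad cable or switch port.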


VNC secure connect with putty. Part 2 “The client box”

If you have already set up your Linux box you can start setting up the client side.
Let’s assume you are using Windows on the client side.

First of all download the latest putty.exe from here: PUTTY.EXE

After you start the application, put your Linux box’s IP address into the “Host Name (or IP address)” box.

Then put a name into the “Saved Sessions” box for the connection you want to keep for later, and save it.
It must be saved, otherwise the next time you start PuTTY the settings will be lost and you will need to refill every part of the configuration.


The next step is to go to the Connection/SSH/Tunnels tab and fill in the source and destination ports.
We will forward the local port 5900 to port 5901 on the Linux box.
The VNC traffic will travel encrypted inside the SSH connection.

Next, click on the X11 tab and tick “Enable X11 forwarding”.

Next, click on the “Session” tab and save the session under the name you chose before!
I already mentioned it at the top of this guide.

Now we can check the connection: click the Open button and log into the Linux box through SSH.

After you have logged in with the user that you added on your Linux box, start the VNC viewer on the client box.
If you don’t have VNC yet you can download it here: RealVNC

Then in the “Server” box type localhost:5900 and click “OK”.
The VNC client will ask for the password that you set on the Linux box, so type it and click “OK”.
You should get an X desktop:

If your connection is refused by the Linux box, check the firewall: port 22 has to be open.
Also, don’t install the VNC server on the client box, because if you do, the local VNC server will be forwarded to itself and it won’t work.
So check that service to be sure it is not running on the client box.

VNC secure connect with putty. Part 1 “The Linux box”

This guide will show you how to set up a VNC server on your Linux box and how to connect to it with the PuTTY SSH client.

The server to connect to is a Linux CentOS box, and the client is a Windows box (the version really does not matter in this case).

After you have logged in to your Linux box with the root account, edit the /etc/sysconfig/vncserver file.
Open it with your preferred editor and change these parameters:

VNCSERVERS="1:ok"
VNCSERVERARGS[1]="-geometry 1152x864 -depth 16 -nolisten tcp -nohttpd"

In the first line, the 1 is the display number; VNC listens on the default port 5900 plus the display number, so it will run on port 5901.
The “ok” is the user name that will connect to the box. Change it to the user that you have already added to your Linux box.

Edit the file /root/.vnc/xstartup and make sure that it looks like this one:

#!/bin/sh

# These two lines (uncommented here) start the normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

If you use the KDE desktop, change the last line to start “startkde” instead.

Then copy the xstartup file into the home directory of the user that you created to connect to the Linux box.

In my case this is the ok user.
So copy the xstartup file from /root/.vnc/xstartup to the /home/ok/.vnc/ directory.

cp /root/.vnc/xstartup /home/ok/.vnc/

Don’t forget to change the user’s directory name to the user that you used!
If the user you used is called myvncuser, for example, it will look like this:

cp /root/.vnc/xstartup /home/myvncuser/.vnc/

Now we can start the VNC server.
service vncserver start
chkconfig vncserver on

Now check that the service is running. In our case the VNC server runs on port 5901,
so we check just that port with the netstat command.
netstat -a | grep 5901

If it prints something like this:
tcp 0 0 *:5901 *:* LISTEN
the server is ready to serve clients.

By the way, you can use these commands to check the open ports on your Linux box:
nmap localhost
nmap 192.168.0.100
Of course 192.168.0.100 should be your Linux box’s IP address.

The next step is to set up the password for your VNC service.
Issue this command in your terminal:
vncpasswd
Then type the password for the VNC server.

The next step is to set up the firewall on your box.
Start system-config-securitylevel or system-config-securitylevel-tui (the terminal version).
Make sure the SSH service is ticked as a trusted service. Also add the VNC port 5901 if you want to use VNC inside your local network.
In this guide it is not necessary to open port 5901, because we will connect through the secure SSH service (port 22).

After you have set up the firewall, save it and restart it.
service iptables restart
Then check the ports that are accepted by the firewall with this command:
iptables -L
This will list the whole set of firewall rules.
An important thing about the firewall: don’t run iptables and ip6tables together!

This is a RedHat recommendation!

The solution is to disable the ip6tables service and keep iptables enabled:
chkconfig ip6tables off
service ip6tables stop
chkconfig iptables on

Then check them with this command:
chkconfig --list | grep tables
This will list the iptables and the ip6tables services.
Make sure iptables is on and ip6tables is off.

That completes the Linux box part.
To be continued with the next box: the Windows box with the PuTTY SSH client.

Reference: http://wiki.centos.org/HowTos/VNC-Server
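The two VNC posts rely on one property: port 5901 is reachable only through the SSH tunnel (client port 5900 to Linux box port 5901), and the firewall keeps 5901 closed. The netstat line shown in Part 1 has Xvnc bound to *:5901, so if the firewall rule is ever lost the desktop is exposed with only the VNC password in front of it. The script below is an added example, not code from either post: listen_scope classifies a port from netstat-style lines (wildcard bind, loopback only, or not listening), vnc_audit turns that into a verdict, and tunnel_command prints the OpenSSH equivalent of the PuTTY Tunnels setting for a non-Windows client. The recommendation it prints, adding Xvnc’s -localhost option to VNCSERVERARGS[1], is my suggestion and not part of the post. The sample netstat output is constructed; the user “ok” and 192.168.0.100 come from the posts.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumes the layout of the two
# VNC posts: Xvnc on the Linux box on TCP 5901, reached from the client only
# through an SSH tunnel (local 5900 -> Linux box 5901, as configured in
# PuTTY's Connection/SSH/Tunnels tab).

# Classify how a TCP port is bound, given netstat-style lines on stdin
# (proto recv-q send-q local-address foreign-address state, as "netstat -an"
# or the "netstat -a | grep 5901" line in Part 1 prints them).
# Prints: exposed (wildcard bind, reachable from the network), local (loopback
# only, reachable only via the tunnel) or absent (nothing listening).
listen_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")                 # last colon-separated field is the port
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost") local = 1
            else exposed = 1                      # "*", "0.0.0.0", "::" or a real address
        }
        END {
            if (exposed) print "exposed"
            else if (local) print "local"
            else print "absent"
        }'
}

# Audit the VNC listener (netstat output on stdin) and say what to do about it.
# Exit status: 0 tunnel-only, 1 exposed, 2 not running.
vnc_audit() {
    case "$(listen_scope 5901)" in
        local)
            echo "5901 bound to loopback only: VNC is reachable only through the SSH tunnel"
            return 0 ;;
        exposed)
            echo "5901 bound to all interfaces: keep 5901 closed in the firewall,"
            echo "or add -localhost to VNCSERVERARGS[1] so only the tunnel can reach it"
            return 1 ;;
        *)
            echo "nothing listening on 5901: vncserver is not running"
            return 2 ;;
    esac
}

# OpenSSH equivalent of the PuTTY tunnel from Part 2: local 5900 -> 127.0.0.1:5901
# on the Linux box, no remote command (-N), so only the forward is set up.
tunnel_command() {
    printf 'ssh -N -L 5900:127.0.0.1:5901 %s@%s\n' "$1" "$2"
}

# Constructed sample netstat output: sshd plus the wildcard VNC bind shown in Part 1.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 *:5901                  *:*                     LISTEN'

# Real use on the Linux box: netstat -an | sh vncaudit.sh
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | vnc_audit
    tunnel_command ok 192.168.0.100
fi
```

With the sample above the audit exits 1 and prints the -localhost advice; with Xvnc bound to 127.0.0.1:5901 it exits 0, and the SSH tunnel still works because the forward targets 127.0.0.1 on the Linux box.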

SquidGuard + Squid proxy installer script with LDAP integration

SquidGuard + Squid proxy integration with Windows Active Directory.

#!/bin/sh
# SquidGuard + Squid installer with LDAP integration; stop at the first failed step
set -e

# Preinstall the requirements to work with LDAP
yum install -y flex bison openldap* gcc make

# Oracle Berkeley DB. Version 3.2.9 is the stable, tested release for squidGuard.
# Don't use higher or lower versions because squidGuard won't be stable or won't start at all.
wget http://download.oracle.com/berkeley-db/db-3.2.9.tar.gz
tar xzvf db-3.2.9.tar.gz
cd db-3.2.9/build_unix

# Build the Oracle Berkeley DB for Linux (installs under /usr/local/BerkeleyDB.3.2)
../dist/configure && make && make install
cd ../..

# SquidGuard, built against that Berkeley DB and with LDAP support
wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
tar xzvf squidGuard-1.4.tar.gz
cd squidGuard-1.4
./configure --with-db=/usr/local/BerkeleyDB.3.2/ --with-ldap=yes && make && make install
cd ..

# Blacklists
wget http://cri.univ-tlse1.fr/blacklists/download/blacklists.tar.gz
tar xzvf blacklists.tar.gz
mv blacklists /usr/local/squidGuard/db/

chown -R squid:squid /usr/local/squidGuard/*
chmod -R 740 /usr/local/squidGuard/db/
chmod -R 755 /usr/local/squidGuard/log/

# Redirector wrapper, squidGuard configuration, LDAP settings and squid.conf from this post
wget http://opensourcetechnology.co.uk/wp-content/uploads/2010/12/squid-guard
wget http://opensourcetechnology.co.uk/wp-content/uploads/2010/12/squidGuard.conf
wget http://opensourcetechnology.co.uk/wp-content/uploads/2010/12/squidGuard.ldap
wget http://opensourcetechnology.co.uk/wp-content/uploads/2010/12/squid.conf

# Change the ldapbinddn, ldapbindpass and ldapusersearch parts to fit your configuration.
# If you make a group in the AD named InternetAccessGroup and put your users into it, those users won't be filtered at all.
# If you make a group named InternetAccessGroup2 and link the "regular" users into it, those users will be filtered as the SquidGuard rules say.

To get it working, create an organizational unit in AD called myorg.

Create a group in myorg called InternetAccessGroup. (Users of this group won’t be filtered at all.)

Create a group called InternetAccessGroup2. (Users of this group will be filtered.)

The users in the first group will reach the Internet without any restrictions.
The second group can reach the Internet but will be filtered.
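The installer script fetches Berkeley DB, squidGuard, the blacklists and the config files over plain HTTP and then runs make install as root, so a tampered or truncated download ends up inside the proxy that every user’s traffic passes through. The helper below is an added example, not part of the post’s script: it refuses to use a downloaded file unless its SHA-256 matches a pinned value. The hash values in the install branch are placeholders, because the post publishes none; take the real ones from the upstream projects. It assumes sha256sum from coreutils and wget, both present on the CentOS boxes the post targets; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original installer script.
# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's SHA-256 matches, 1 otherwise
verify_sha256() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX: download once (reuse an existing copy),
# verify it, and delete the file on mismatch so a later step cannot use it.
fetch_verified() {
    url="$1"; expected="$2"
    name=$(basename "$url")
    [ -f "$name" ] || wget -q "$url" || return 1
    if ! verify_sha256 "$name" "$expected"; then
        rm -f "$name"
        return 1
    fi
}

# Downloads only run when invoked with "install". The hashes are PLACEHOLDERS:
# replace them with the published SHA-256 of each tarball before use.
if [ "${1:-}" = "install" ]; then
    set -e
    fetch_verified http://download.oracle.com/berkeley-db/db-3.2.9.tar.gz \
        REPLACE_WITH_REAL_SHA256_OF_db-3.2.9.tar.gz
    fetch_verified http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz \
        REPLACE_WITH_REAL_SHA256_OF_squidGuard-1.4.tar.gz
    fetch_verified http://cri.univ-tlse1.fr/blacklists/download/blacklists.tar.gz \
        REPLACE_WITH_REAL_SHA256_OF_blacklists.tar.gz
    echo "all downloads verified"
fi
```

Drop the three fetch_verified calls in place of the wget lines in the installer; with set -e in effect the build never reaches configure or make install on a bad file. The blacklist tarball changes regularly, so its pinned hash has to be refreshed whenever the lists are updated, which is exactly the point: an update you did not plan is one you want to notice.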


IPTABLES

An iptables based Linux firewall.

This firewall was posted on the Sourceforge.net site.
It is based on iptables and has all the features a firewall needs.

Just a few things to mention:

– NAT, PAT, DMZ
– Packet mangling
– Access controlling
– Port forwarding

You can download it from here: https://7layer.org/wp-content/uploads/2010/12/rc.firewall

The installation manual: https://7layer.org/wp-content/uploads/2010/12/install.html

The configuration manual: https://7layer.org/wp-content/uploads/2010/12/config.html

The advanced features like access control and port forwarding: https://7layer.org/wp-content/uploads/2010/12/advanced.html

Also, one of my favourite iptables based firewalls is: CSF firewall.

Check out the status report file here: http://configserver.com/cp/csfdemo/status.html
