Thursday, May 26, 2011

Zentyal As A Gateway: The Perfect Setup

Zentyal is the Linux Small Business Server: it lets you manage all your network services through one single platform. It is a Network Gateway as well as an Infrastructure, UTM (Unified Threat Manager), Office and Communications Server. All these features are fully integrated and easy to configure, which genuinely saves system administrators time.

In this tutorial you will see how to set up a Zentyal Server to act as a gateway in a very common scenario. Zentyal will provide basic network infrastructure, load balancing between two Internet providers, a firewall, and an HTTP proxy with caching and content filtering. All these steps are well explained in the Zentyal Documentation, which is highly recommended reading. The following example network layout is used:


Zentyal runs on top of Ubuntu Server so it will work on the same hardware. You can take a look at the Ubuntu-certified hardware page for more information. There are two ways to install Zentyal:

Using the Zentyal installer that you can download from the project website. This is the recommended choice; it includes all package dependencies for an offline install and also applies some custom configuration.

Installing on top of a working Ubuntu Server; you can find detailed information and the URL of the repository in the Zentyal Installation Guide.


If you install Zentyal using the installer you will see this screen when booting from CD-ROM and a couple of wizards will guide you through the process. You can choose default settings in all of them.

Zentyal provides a web administration interface; after the installation a Firefox browser will show up giving you access to it (you can also reach Zentyal from any client browser by typing https://zentyal_server_ip). The user name and password are the ones you entered during installation.

Now you can select the desired packages to install; for this tutorial you should install the Gateway package. Later, the DHCP and DNS modules will also be installed using the Software Management module.


After this step all the necessary packages are installed, and setup will now guide you through the configuration wizards for the installed modules, in this case Network and Users. We can skip network configuration for now, so if you start this tutorial from an already installed Zentyal you can still follow it.


Zentyal Server is now installed. By following the next steps you will configure each module.

As shown in the scenario, you have to configure three network interfaces: two connected to the external routers and one for the internal network. Zentyal will balance traffic between the two Internet connections.

Go to Network -> Interfaces and configure each interface by entering its IP address and netmask. Don't forget to mark the external interfaces, because Zentyal uses this information in its firewall rules. In the next image you can see the configuration for one of the external interfaces and for the internal one.


Now you have to set up both gateways in the gateways table (Network -> Gateways):


Go to Network -> Balance Traffic to enable load balancing between the gateways.


Importing iptables Configurations Into Firewall Builder


Author: Mike Horn
http://www.fwbuilder.org


Firewall Builder is a firewall configuration and management GUI that supports configuring a wide range of firewalls from a single application. Supported firewalls include Linux iptables, BSD pf, Cisco ASA/PIX, Cisco router access lists and many more. The complete list of supported platforms, along with downloadable binary packages and source code, can be found at http://www.fwbuilder.org.


Import of existing iptables configurations was greatly improved in the recently released Firewall Builder V4.2. Features like object de-duplication and expanded rules recognition make it even easier to get started using Firewall Builder to manage your iptables configurations.


For this tutorial we are going to import a very basic iptables configuration from a firewall that matches the diagram shown below.



Firewall Builder imports iptables configs in the format produced by iptables-save. The iptables-save script is part of the standard iptables install and should be present on all Linux distributions. Usually this script is installed in /sbin/.


When you run this script, it dumps the current iptables configuration to stdout. It reads the iptables rules directly from the kernel rather than from some file, so what it dumps is what is really in effect right now. To import this into Firewall Builder, run the script to save the configuration to a file:

iptables-save > linux-1.conf


As you can see in the output below, the example linux-1.conf iptables configuration is very simple with only a few filter rules and one nat rule.

# Completed on Mon Apr 11 21:23:33 2011
# Generated by iptables-save v1.4.4 on Mon Apr 11 21:23:33 2011
*filter
:INPUT DROP [145:17050]
:FORWARD DROP [0:0]
:OUTPUT DROP [1724:72408]
:LOGDROP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -s 10.10.10.0/24 -d 10.10.10.1/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -s 10.10.10.0/24 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -s 10.10.10.0/24 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -j LOGDROP
-A LOGDROP -j LOG
-A LOGDROP -j DROP
COMMIT
# Completed on Mon Apr 11 21:23:33 2011
# Generated by iptables-save v1.4.4 on Mon Apr 11 21:23:33 2011
*nat
:PREROUTING ACCEPT [165114:22904965]
:OUTPUT ACCEPT [20:1160]
:POSTROUTING ACCEPT [20:1160]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 11 21:23:33 2011


If you are running Firewall Builder on a different system than the one that is running iptables, copy the file linux-1.conf from the firewall to the system where Firewall Builder is running.


Launch the Import wizard by selecting the File -> Import Firewall menu item.


Click Browse to find the file named linux-1.conf.



Click the Continue button to move to the next step of the import process.


The next window shows a preview of the configuration file that will be imported and the type of firewall that Firewall Builder has detected it to be.



Next you need to enter a name for the firewall. This is the name that will be used in Firewall Builder to refer to the firewall after it is imported. When you click the Commit button the configuration data will be read.


By default, Firewall Builder attempts to detect whether items used in the rules, like IP addresses, match existing items in the object tree. If there is a match the existing item is used; if there is no match a new object is created. This feature can be disabled by unchecking the box next to "Find and use existing objects", which will result in objects being created for every item used in the imported rules regardless of whether it already exists in the object tree or not.



After the import is complete, Firewall Builder displays a log showing all the actions that were taken during the import. Warning messages are displayed in blue font and error messages are displayed in red.



The program tries to interpret the configuration file rule by rule and recreates the equivalent rule in Firewall Builder. Note that rules imported into Firewall Builder may not always be optimized, since features like defining multiple sources and/or destinations in one rule are supported by Firewall Builder but not by iptables.


The progress window displays warning and error messages, if any, as well as some diagnostics that show the network and service objects created in the process.


As you can see from the import process log, Firewall Builder detected that there are rules in the iptables configuration that allow RELATED and ESTABLISHED traffic through the firewall. This behavior can be controlled by a setting in Firewall Builder, so a warning message is shown.
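As an added example that is not part of the original article or of the Firewall Builder project, the following Python code parses the iptables-save format into tables, chain policies and rules, then reports the two things the import described above acts on: the addresses that the "Find and use existing objects" option would de-duplicate, and the ACCEPT rules for RELATED,ESTABLISHED traffic that the import log warns about. The sample dump embedded in the code is a trimmed copy of linux-1.conf from the text; the function names are my own.

```python
"""Parse an iptables-save dump (the format Firewall Builder imports) and
report what a reviewer checks before handing the rules to a rule manager."""
import shlex

# Constructed sample: the linux-1.conf dump from the text, lightly trimmed.
LINUX1_CONF = """\
# Generated by iptables-save v1.4.4 on Mon Apr 11 21:23:33 2011
*filter
:INPUT DROP [145:17050]
:FORWARD DROP [0:0]
:OUTPUT DROP [1724:72408]
:LOGDROP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -s 10.10.10.0/24 -d 10.10.10.1/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -s 10.10.10.0/24 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -s 10.10.10.0/24 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -j LOGDROP
-A LOGDROP -j LOG
-A LOGDROP -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [165114:22904965]
:OUTPUT ACCEPT [20:1160]
:POSTROUTING ACCEPT [20:1160]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 11 21:23:33 2011
"""

def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}.
    A rule is {"chain", "target", "matches"}; matches keeps (flag, value)
    pairs in source order, e.g. ("--dport", "80"); "!" is kept as a marker."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or iptables-save comment
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):        # chain header; policy '-' = user chain
            chain, policy, _counters = line[1:].split(None, 2)
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):      # shlex keeps quoted --comment text intact
            tables[table]["rules"].append(_parse_rule(shlex.split(line)[1:]))
        elif line != "COMMIT":
            raise ValueError("unrecognised iptables-save line: %r" % line)
    return tables

def _parse_rule(tokens):
    chain, rest = tokens[0], tokens[1:]
    rule = {"chain": chain, "target": None, "matches": []}
    i = 0
    while i < len(rest):
        flag, value = rest[i], None
        if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
            value, i = rest[i + 1], i + 1  # this flag takes an argument
        if flag == "-j":
            rule["target"] = value
        else:
            rule["matches"].append((flag, value))
        i += 1
    return rule

def address_objects(tables):
    """Unique -s/-d addresses: what 'Find and use existing objects' de-duplicates."""
    return sorted({v for t in tables.values() for r in t["rules"]
                   for f, v in r["matches"] if f in ("-s", "-d")})

def stateful_accepts(tables):
    """(table, chain) of ACCEPT rules matching ESTABLISHED: the import log warns
    about these because Firewall Builder controls that behaviour with a setting."""
    return [(name, r["chain"]) for name, t in tables.items() for r in t["rules"]
            if r["target"] == "ACCEPT"
            and "ESTABLISHED" in (dict(r["matches"]).get("--state") or "").split(",")]
```

Running parse_iptables_save(LINUX1_CONF) and passing the result to the two report functions reproduces the import log's findings for this dump: two address objects and two stateful ACCEPT rules (INPUT and FORWARD in the filter table).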


Click the Done button to complete the firewall import. Next we will go through some common post-import actions.

VBoxHeadless - Running Virtual Machines With VirtualBox 4.0 On A Headless Ubuntu 11.04 Server

This guide explains how you can run virtual machines with VirtualBox 4.0 on a headless Ubuntu 11.04 server. Normally you use the VirtualBox GUI to manage your virtual machines, but a server does not have a desktop environment. Fortunately, VirtualBox comes with a tool called VBoxHeadless that allows you to connect to the virtual machines over a remote desktop connection, so there's no need for the VirtualBox GUI.


I do not issue any guarantee that this will work for you!


I have tested this on an Ubuntu 11.04 server (host system) with the IP address 192.168.0.100 where I'm logged in as a normal user (user name administrator in this example) instead of as root.


To install VirtualBox 4.0 on our Ubuntu 11.04 server, we open /etc/apt/sources.list...

sudo vi /etc/apt/sources.list


... and add the following line to it:

[...]
deb http://download.virtualbox.org/virtualbox/debian natty contrib

Then we download the VirtualBox public key...

wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -


... and update our package database:

sudo apt-get update


Afterwards, we install VirtualBox 4.0 as follows:

sudo apt-get install linux-headers-$(uname -r) build-essential virtualbox-4.0 dkms


(The dkms package ensures that the VirtualBox host kernel modules are properly updated if the Linux kernel version changes.)


Starting with version 4.0, VirtualBox has introduced so-called "extension packs" and has moved some functionality, like remote desktop connection support (VRDP), that was part of the VirtualBox packages before version 4.0 into these extension packs. Because we need remote desktop connections to control our virtual machines, we need to install the appropriate extension pack now. Go to http://www.virtualbox.org/wiki/Downloads, and you will find a link to the following extension pack:

VirtualBox 4.0.6 Oracle VM VirtualBox Extension Pack
Support for USB 2.0 devices, VirtualBox RDP and PXE boot for Intel cards.


Download and install the extension pack as follows:

cd /tmp
wget http://download.virtualbox.org/virtualbox/4.0.6/Oracle_VM_VirtualBox_Extension_Pack-4.0.6-71344.vbox-extpack
sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.0.6-71344.vbox-extpack


(Make sure you grab the latest version from the VirtualBox web site.)


Make sure you run the last command with sudo (sudo VBoxManage extpack install ...), because otherwise you will get an error like this:

administrator@server1:/tmp$ VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.0.6-71344.vbox-extpack
0%...
Progress state: NS_ERROR_FAILURE
VBoxManage: error: Failed to install "/tmp/Oracle_VM_VirtualBox_Extension_Pack-4.0.6-71344.vbox-extpack": The installer failed with exit code 127: Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address
administrator@server1:/tmp$


Now we must add the user that will run VirtualBox (administrator in this example) to the vboxusers group:

sudo adduser administrator vboxusers


VirtualBox is now installed and ready to be used.


To create a VM on the command line, we can use the VBoxManage command. See

VBoxManage --help


for a list of available switches and (highly recommended!) take a look at http://www.virtualbox.org/manual/ch08.html.


I will now create an Ubuntu 11.04 Server VM with 512MB memory and a 10GB hard drive from the Ubuntu 11.04 Server iso image (which I have stored in /home/ubuntu-11.04-server-amd64.iso):

VBoxManage createvm --name "Ubuntu 11.04 Server" --register
VBoxManage modifyvm "Ubuntu 11.04 Server" --memory 512 --acpi on --boot1 dvd --nic1 bridged --bridgeadapter1 eth0
VBoxManage createhd --filename Ubuntu_11_04_Server.vdi --size 10000
VBoxManage storagectl "Ubuntu 11.04 Server" --name "IDE Controller" --add ide
VBoxManage storageattach "Ubuntu 11.04 Server" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium Ubuntu_11_04_Server.vdi
VBoxManage storageattach "Ubuntu 11.04 Server" --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium /home/ubuntu-11.04-server-amd64.iso


Let's assume you have a VM called examplevm that you want to reuse on this host. On the old host, you should have a directory Machines/examplevm in the VirtualBox directory; Machines/examplevm should contain the examplevm.xml file. Copy the examplevm directory (including the examplevm.xml file) to your new Machines directory (if your user name is administrator, this is /home/administrator/.VirtualBox/Machines - the result should be /home/administrator/.VirtualBox/Machines/examplevm/examplevm.xml).


In addition to that copy the examplevm.vdi file from the old VDI directory to the new one (e.g. /home/administrator/.VirtualBox/VDI/examplevm.vdi).


Afterwards, you must register the imported VM:

VBoxManage registervm Machines/examplevm/examplevm.xml


Regardless of whether you create a new VM or import an old one, you can start it with the command:

VBoxHeadless --startvm "Ubuntu 11.04 Server"


(Replace Ubuntu 11.04 Server with the name of your VM.)


VBoxHeadless will start the VM and a VRDP (VirtualBox Remote Desktop Protocol) server which allows you to see the VM's output remotely on another machine.


To stop a VM, run

VBoxManage controlvm "Ubuntu 11.04 Server" poweroff


To pause a VM, run

VBoxManage controlvm "Ubuntu 11.04 Server" pause


To reset a VM, run

VBoxManage controlvm "Ubuntu 11.04 Server" reset

Fedora 14 Samba Standalone Server With tdbsam Backend

Version 1.0
Author: Falko Timme
Last edited 11/26/2010

This tutorial explains the installation of a Samba fileserver on Fedora 14 and how to configure it to share files over the SMB protocol as well as how to add users. Samba is configured as a standalone server, not as a domain controller. In the resulting setup, every user has his own home directory accessible via the SMB protocol and all users have a shared directory with read-/write access.

I do not issue any guarantee that this will work for you!

I'm using a Fedora 14 system here with the hostname server1.example.com and the IP address 192.168.0.100.

Please make sure that SELinux is disabled as shown in chapter 5 of this tutorial: The Perfect Server - Fedora 14 x86_64 [ISPConfig 2] - Page 3

Connect to your server on the shell and install the Samba packages:

yum install cups-libs samba samba-common

Edit the smb.conf file:

vi /etc/samba/smb.conf

Make sure you see the following lines in the [global] section:

[...]
# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
        security = user
        passdb backend = tdbsam
[...]

This enables Linux system users to log in to the Samba server.

Then create the system startup links for Samba and start it:

chkconfig --levels 235 smb on
/etc/init.d/smb start

Now I will add a share that is accessible by all users.

Create the directory for sharing the files and change the group to the users group:

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

vi /etc/samba/smb.conf

[...]
[allusers]
        comment = All Users
        path = /home/shares/allusers
        valid users = @users
        force group = users
        create mask = 0660
        directory mask = 0771
        writable = yes

If you want all users to be able to read and write to their home directories via Samba, add the following lines to /etc/samba/smb.conf (make sure you comment out or remove the other [homes] section in the smb.conf file!):

[...]
[homes]
        comment = Home Directories
        browseable = no
        valid users = %S
        writable = yes
        create mask = 0700
        directory mask = 0700

Now we restart Samba:

/etc/init.d/smb restart

In this example, I will add a user named tom. You can add as many users as you need in the same way, just replace the username tom with the desired username in the commands.

useradd tom -m -G users

Set a password for tom in the Linux system user database. If the user tom should not be able to log into the Linux system, skip this step.

passwd tom

-> Enter the password for the new user.

Now add the user to the Samba user database:

smbpasswd -a tom

-> Enter the password for the new user.

Now you should be able to log in from your Windows workstation with the file explorer (address is \\192.168.0.100 or \\192.168.0.100\tom for tom's home directory) using the username tom and the chosen password and store files on the Linux server either in tom's home directory or in the public shared directory.


The Perfect Server - Ubuntu Natty Narwhal (Ubuntu 11.04) [ISPConfig 2]

This tutorial shows how to set up an Ubuntu Natty Narwhal (Ubuntu 11.04) server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Courier POP3/IMAP, Quota, Firewall, etc. In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig 2 (i.e., ISPConfig runs on it out of the box).


I will use the following software:

Web Server: Apache 2.2.17 with PHP 5.3.5, Python, Ruby, and WebDAV
Database Server: MySQL 5.1.54
Mail Server: Postfix
DNS Server: BIND9
FTP Server: proftpd
POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
Webalizer for web site statistics

Please note that this setup does not work for ISPConfig 3! It is valid for ISPConfig 2 only!


I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!


To install such a system you will need the following:


In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.


Insert your Ubuntu install CD into your system and boot from it. Select your language:



Then select Install Ubuntu Server:



Choose your language again (?):



Then select your location:



If you've selected an uncommon combination of language and location (like English as the language and Germany as the location, as in my case), the installer might tell you that there is no locale defined for this combination; in this case you have to select the locale manually. I select en_US.UTF-8 here:



Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed):



The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:



Wednesday, May 25, 2011

The Perfect Desktop - Kubuntu 11.04

This tutorial shows how you can set up a Kubuntu 11.04 desktop that is a full-fledged replacement for a Windows desktop, i.e. that has all the software that people need to do the things they do on their Windows desktops. The advantages are clear: you get a secure system without DRM restrictions that works even on old hardware, and the best thing is: all software comes free of charge. Kubuntu 11.04 is derived from Ubuntu 11.04 (Natty Narwhal) and uses the KDE desktop instead of the GNOME desktop.


I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!


To fully replace a Windows desktop, I want the Kubuntu desktop to have the following software installed:

The GIMP - free software replacement for Adobe Photoshop
Shotwell Photo Manager - full-featured personal photo management application
Google Picasa - application for organizing and editing digital photos
Firefox
Opera
Chromium - Google's open-source browser
Flash Player 10
FileZilla - multithreaded FTP client
Thunderbird - email and news client
Evolution - combines e-mail, calendar, address book, and task list management functions
aMule - P2P file sharing application
KTorrent - Bittorrent client
Vuze - Java Bittorrent client
Kopete - multi-platform instant messaging client
Skype
Google Earth
Quassel IRC - IRC client
Gwibber Social Client - open-source microblogging client (Twitter, Facebook, etc.)
LibreOffice Writer - replacement for Microsoft Word
LibreOffice Calc - replacement for Microsoft Excel
Adobe Reader
GnuCash - double-entry book-keeping personal finance system, similar to Quicken
Scribus - open source desktop publishing (DTP) application
Amarok - audio player
Audacity - free, open source, cross platform digital audio editor
Banshee - audio player, can encode/decode various formats and synchronize music with Apple iPods
MPlayer - media player (video/audio), supports WMA
Rhythmbox Music Player - audio player, similar to Apple's iTunes, with support for iPods
gtkPod - software similar to Apple's iTunes, supports iPod, iPod nano, iPod shuffle, iPod photo, and iPod mini
XMMS - audio player similar to Winamp
dvd::rip - full featured DVD copy program
Kino - free digital video editor
Sound Juicer CD Extractor - CD ripping tool, supports various audio codecs
VLC Media Player - media player (video/audio)
RealPlayer - media player (available for i386 systems only)
Totem - media player (video/audio)
Xine - media player, supports various formats; can play DVDs
Brasero - CD/DVD burning program
K3B - CD/DVD burning program
Multimedia Codecs
KompoZer - WYSIWYG HTML editor, similar to Macromedia Dreamweaver, but not as feature-rich (yet)
Bluefish - text editor, suitable for many programming and markup languages
Quanta Plus - web development environment, including a WYSIWYG editor
VirtualBox OSE - lets you run your old Windows desktop as a virtual machine under your Linux desktop, so you don't have to entirely abandon Windows
TrueType fonts
Java
Read-/Write support for NTFS partitions

Lots of our desired applications are available in the Ubuntu repositories, and some of these applications have been contributed by the Ubuntu community.


As you might have noticed, a few applications are redundant, for example there are two CD/DVD burning applications in my list (Brasero, K3B). If you know which one you like best, you obviously don't need to install the other applications, however if you like choice, then of course you can install both. The same goes for music players like Amarok, Banshee, Rhythmbox, XMMS or browsers (Firefox, Opera, Chromium).


I will use the username falko in this tutorial. Please replace it with your own username.


The installation of the base system is easy as 1-2-3 because the Kubuntu installer doesn't offer a lot of options to choose from, so you cannot go wrong.


Download the Kubuntu 11.04 Desktop iso image from http://www.kubuntu.org/getkubuntu (this link offers torrent downloads only; if you want to download the iso image directly, you can use one of the mirrors listed on https://launchpad.net/ubuntu/+cdmirrors), burn it onto a CD, and boot your computer from it. Select Start Kubuntu:



The system boots:



Select your language and click on the Install Kubuntu button to start the installation:



On the next screen you see a few requirements for the Kubuntu 11.04 installation (the system should have at least 3.9GB available drive space, should be plugged into a power source (to make sure that the system doesn't shut down during installation because of an empty battery), and should be connected to the Internet). Please check the Download updates while installing and Install this third-party software (this will install the software necessary to process Flash, MP3, and other media files) checkboxes and click on Forward:



Now we come to the partitioning of our hard disk. Usually Guided - use entire disk is a good choice, unless you need custom partitions and know what you're doing. Guided - use entire disk will create one big / partition for us:



Then choose your time zone:



Change the keyboard layout, if necessary:



Type in your real name, your desired username along with a password, and click on Forward:



Afterwards, Kubuntu is being installed. This can take a few minutes, so be patient:



After the installation, you will be asked to reboot the system. Click on Restart Now:



At the end of the shutdown process, you are asked to remove the Kubuntu installation CD from the CD drive. Please do this now and press ENTER:



Your new Kubuntu system starts. Log in to the desktop with the username and password you provided during the installation:



This is how your new desktop looks:



Now the base system is ready to be used.
