Ubuntu Server Guide: Part 1
Introduction
The Ubuntu Server Guide contains information on how to install and configure various
server applications on your Ubuntu system to fit your needs. It is a step-by-step, task-oriented guide for configuring and customizing your system. This manual discusses many intermediate topics such as the following:
• Network Configuration
• Apache2 Configuration
• Databases
• Windows Networking
This manual is divided into the following main categories:
• Installation
• Package Management
• Networking
• Windows Networking
This guide assumes you have a basic understanding of your Ubuntu system. If you need
detailed help installing Ubuntu, refer to the Ubuntu Installation Guide.
HTML and PDF versions of the manual are available online at the Ubuntu Documentation.
You can buy this guide in book form from our Lulu store [http://www.lulu.com/ubuntu-doc]. You will only pay for the price of printing and postage.
Installation
This chapter provides a quick overview of installing Ubuntu 6.06 LTS Server Edition. For
more detailed instructions, please refer to the Ubuntu Installation Guide.
1. Preparing to Install
This section explains various aspects to consider before starting the installation.
1.1. System Requirements
Ubuntu 6.06 LTS Server Edition supports three (3) major architectures: Intel x86, AMD64,
and PowerPC. The table below lists recommended hardware specifications. Depending
on your needs, you might manage with less than this. However, most users risk being
frustrated if they ignore these suggestions.
Recommended Minimum Requirements
Install Type   RAM            Hard Drive Space
Server         64 megabytes   500 megabytes
The default profile for the Ubuntu 6.06 LTS Server Edition is shown below. Once again, the size of the installation will greatly depend on the services you install during setup. For most administrators, the default services are suitable for general server use.
Server
This is a small server profile, which provides a common base for all sorts of server
applications. It's minimal and designed to have the desired services added on top, such as file/print services, web hosting, email hosting, etc. For these services at least 500MB of disk space would suffice, but consider adding more space depending on the services you'd like to host with your server.
Remember that these sizes don't include all the other materials which are usually to be found, such as user files, mail, logs, and data. It is always best to be generous when considering the space for your own files and data.
1.2. Backing Up
• Before you start, make sure to back up every file that is now on your system. If this is the first time a non-native operating system has been installed on your computer, it's quite likely you will need to re-partition your disk to make room for Ubuntu. Any time you partition your disk, you should be prepared to lose everything on the disk should you make a mistake or something goes wrong during partitioning such as power loss to the system. The programs used in installation are quite reliable, and most have seen years of use, but they also perform destructive actions, and one mistake in use can result in loss of your valuable data.
If you are creating a multi-boot system, make sure that you have the distribution media of any other present operating systems on hand. Especially if you repartition your boot drive, you might find that you have to reinstall your operating system's boot loader, or in many cases the whole operating system itself and all files on the affected partitions.
2. Installing from CD
Insert your installation CD into your CD-ROM drive and reboot the computer. The
installation system is started immediately when booting from the CD-ROM. Once
initialized, your first screen will appear.
At this point, read the text on the screen. You may want to read the help screen provided by the installation system. To do this, press F1.
To perform a default server installation, select “Install to the hard disk” and press Enter.
The installation process will be started. Simply follow the on-screen instructions, and your Ubuntu system will be installed.
Alternatively, to install a LAMP server (Linux, Apache, MySQL, PHP/Perl/Python), select
“Install a LAMP server”, and follow the instructions.
Package Management
Ubuntu features a comprehensive package management system for the installation, upgrade, configuration, and removal of software. In addition to providing access to an organized base of over 17,000 software packages for your Ubuntu computer, the package management facilities also feature dependency resolution capabilities and software update checking.
Several tools are available for interacting with Ubuntu's package management system, from simple command-line utilities which may be easily automated by system
administrators, to a simple graphical interface which is easy to use by those new to
Ubuntu.
1. Introduction
Ubuntu's package management system is derived from the same system used by the Debian GNU/Linux distribution. The package files contain all of the necessary files, meta-data, and instructions to implement a particular functionality or software application on your Ubuntu computer.
Debian package files typically have the extension '.deb', and typically exist in repositories which are collections of packages found on various media, such as CD-ROM discs, or online. Packages are normally of the pre-compiled binary format; thus installation is quick and requires no compiling of software.
Many complex packages use the concept of dependencies. Dependencies are additional packages required by the principal package in order to function properly.
For example, the speech synthesis package Festival depends upon the package festvox-kalpc16k, which is a package supplying one of the voices used by the application. In order for Festival to function, all of the dependencies must be installed in conjunction with the principal Festival package. The software management tools in Ubuntu will do this automatically.
2. Apt-Get
The apt-get command is a powerful command-line tool used to work with Ubuntu's
Advanced Packaging Tool (APT) performing such functions as installation of new software packages, upgrade of existing software packages, updating of the package list index, and even upgrading the entire Ubuntu system.
Being a simple command-line tool, apt-get has numerous advantages over other package management tools available in Ubuntu for server administrators. Some of these advantages include ease of use over simple terminal connections (SSH) and the ability to be used in system administration scripts, which can in turn be automated by the cron scheduling utility.
Some examples of popular uses for the apt-get utility:
• Install a Package: Installation of packages using the apt-get tool is quite simple. For example, to install the network scanner nmap, type the following:
sudo apt-get install nmap
• Remove a Package: Removal of a package or packages is also a straightforward and simple process. To remove the nmap package installed in the previous example, type the following:
sudo apt-get remove nmap
Multiple Packages: You may specify multiple packages to be installed or removed, separated by spaces.
• Update the Package Index: The APT package index is essentially a database of available packages from the repositories defined in the /etc/apt/sources.list file. To update the local package index with the latest changes made in repositories, type the following:
sudo apt-get update
• Upgrade Packages: Over time, updated versions of packages currently installed on your computer may become available from the package repositories (for example, security updates). To upgrade your system, first update your package index as outlined above, and then type:
sudo apt-get upgrade
If a package needs to install or remove new dependencies when being upgraded, it will not be upgraded by the upgrade command. For such an upgrade, it is necessary to use the dist-upgrade command.
Also, you may upgrade your entire Ubuntu system from one revision to another with dist-upgrade. For example, to upgrade from Ubuntu version 5.10 to version 6.06 LTS, you would first ensure the version 6.06 LTS repositories replace the existing 5.10 repositories in your computer's /etc/apt/sources.list, then simply issue the apt-get update command as detailed above, and finally, perform the actual upgrade by typing:
sudo apt-get dist-upgrade
After a fairly considerable amount of time, your computer will be upgraded to the
new revision. Typically, some post-upgrade steps would be required as detailed in the upgrade notes for the revision you are upgrading to.
Actions of the apt-get command, such as installation and removal of packages, are
logged in the /var/log/dpkg.log log file.
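As an added example that is not part of the guide, the following POSIX shell functions audit /var/log/dpkg.log so an administrator can see what was installed, upgraded or removed, and when. The log lines are constructed here to match the file's "date time action package old-version new-version" layout; the package versions are made up.

```shell
#!/bin/sh
# Constructed sample of /var/log/dpkg.log lines (versions are made up).
# Real entries use the same layout: DATE TIME ACTION PACKAGE OLD-VERSION NEW-VERSION.
# "status" and "startup" lines record intermediate states and are not changes.
SAMPLE_DPKG_LOG='2006-06-01 10:15:02 startup packages configure
2006-06-01 10:15:03 install nmap <none> 0.1-1
2006-06-01 10:15:05 status installed nmap 0.1-1
2006-06-01 11:02:10 upgrade openssh-server 0.1-1 0.1-2
2006-06-01 11:02:12 status installed openssh-server 0.1-2
2006-06-02 09:30:00 remove nmap 0.1-1 <none>
2006-06-02 09:30:01 status not-installed nmap <none>'

# dpkg_changes LOGTEXT [SINCE]
# Print one line per install/upgrade/remove event as "DATE ACTION PACKAGE OLD->NEW".
# With SINCE (YYYY-MM-DD) only events on or after that day are shown; the ISO
# date format makes a plain string comparison correct.
dpkg_changes() {
    printf '%s\n' "$1" | awk -v since="${2:-0000-00-00}" '
        $1 >= since && ($3 == "install" || $3 == "upgrade" || $3 == "remove") {
            printf "%s %s %s %s->%s\n", $1, $3, $4, $5, $6
        }'
}

# dpkg_count LOGTEXT ACTION: number of events of the given kind
dpkg_count() {
    dpkg_changes "$1" | awk -v act="$2" '$2 == act { n++ } END { print n + 0 }'
}

# dpkg_installed_now LOGTEXT: packages whose most recent install/remove event
# was an install, i.e. additions the log says are still on the system
dpkg_installed_now() {
    dpkg_changes "$1" | awk '
        $2 == "install" { present[$3] = 1 }
        $2 == "remove"  { delete present[$3] }
        END { for (p in present) print p }' | sort
}

# On a live system: dpkg_changes "$(cat /var/log/dpkg.log)" 2006-06-01
dpkg_changes "$SAMPLE_DPKG_LOG"
```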
For further information about the use of APT, read the comprehensive Debian APT User Manual [http://www.debian.org/doc/user-manuals#apt-howto] or type:
apt-get help
3. Aptitude
Aptitude is a menu-driven, text-based front-end to the Advanced Packaging Tool (APT) system. Many of the common package management functions, such as installation, removal, and upgrade, are performed in Aptitude with single-key commands, which are typically lowercase letters.
Aptitude is best suited to use in a non-graphical terminal environment to ensure proper functioning of the command keys. You may start Aptitude as a normal user with the following command at a terminal prompt:
sudo aptitude
When Aptitude starts, you will see a menu bar at the top of the screen and two panes below the menu bar. The top pane contains package categories, such as New Packages and Not Installed Packages. The bottom pane contains information related to the packages and package categories.
Using Aptitude for package management is relatively straightforward, and the user
interface makes common tasks simple to perform.
The following are examples of popular package management functions as performed in Aptitude:
• Install Packages: To install a package, locate the package via the Not Installed
Packages package category, for example, by using the keyboard arrow keys and the
ENTER key, and highlight the package you wish to install. After highlighting the
package you wish to install, press the + key, and the package entry should turn green, indicating it has been marked for installation. Now press g to be presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the installation. Press ENTER which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more and you'll be prompted to download the package. Press ENTER on the Continue prompt, and downloading and installation of the package will commence.
• Remove Packages: To remove a package, locate the package via the Installed Packages package category, for example, by using the keyboard arrow keys and the ENTER key, and highlight the package you wish to remove. After highlighting the package you wish to remove, press the - key, and the package entry should turn pink, indicating it has been marked for removal. Now press g to be presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the removal. Press ENTER which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more, and you'll be prompted to confirm. Press ENTER on the Continue prompt, and removal of the package will commence.
• Update Package Index: To update the package index, simply press the u key and you will be prompted to become root to complete the update. Press ENTER which will result in a Password: prompt. Enter your user password to become root. Updating of the package index will commence. Press ENTER on the OK prompt when the download dialog is presented to complete the process.
• Upgrade Packages: To upgrade packages, perform the update of the package index as detailed above, and then press the U key to mark all upgradeable packages. Now press g whereby you'll be presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the upgrade. Press ENTER which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more, and you'll be prompted to download the packages. Press ENTER on the Continue prompt, and upgrade of the packages will commence.
The first column of information displayed in the package list in the top pane, when actually viewing packages, lists the current state of the package, using the following key:
• i: Installed package.
• c: Package not installed, but package configuration remains on system
• p: Purged from system
• v: Virtual package
• B: Broken package
• u: Unpacked files, but package not yet configured
• C: Half-configured: configuration failed and requires a fix
• H: Half-installed: removal failed and requires a fix
To exit Aptitude, simply press the q key and confirm you wish to exit. Many other
functions are available from the Aptitude menu by pressing the F10 key.
4. Configuration
Configuration of the Advanced Packaging Tool (APT) system repositories is stored in the /etc/apt/sources.list configuration file. An example of this file is referenced here, along with information on adding or removing repository references from the file.
Here [../sample/sources.list] is a simple example of a typical /etc/apt/sources.list file.
You may edit the file to enable repositories or disable them. For example, to disable the requirement of inserting the Ubuntu CD-ROM whenever package operations occur, simply comment out the appropriate line for the CD-ROM, which appears at the top of the file:
# no more prompting for CD-ROM please
# deb cdrom:[Ubuntu 6.06 _Dapper Drake_ - Release i386 (20060329.1)]/ dapper main restricted
5. Extra Repositories
In addition to the officially supported package repositories available for Ubuntu, there
exist additional community-maintained repositories which add thousands more potential packages for installation. Two of these additional repositories are most popular, and are the Universe and Multiverse repositories. These repositories are not officially supported by Ubuntu, which is why they are not enabled by default, but they generally provide packages which are safe for use with your Ubuntu computer.
Packages in the Multiverse repository often have licensing issues that prevent
them from being distributed with a free operating system, and they may be illegal
in your locality.
Be advised that neither the Universe or Multiverse repositories contain officially
supported packages. In particular, there may not be security updates for these
packages.
Many other package sources are available, sometimes even offering only one package,
as in the case of package sources provided by the developer of a single application. You should always be very careful and cautious when using non-standard package sources, however. Research the source and packages carefully before performing any installation, as some package sources and their packages could render your system unstable or non-functional in some respects.
To enable the Universe and Multiverse repositories, edit the /etc/apt/sources.list file and uncomment the appropriate lines:
# We want Multiverse and Universe repositories, please
deb http://archive.ubuntu.com/ubuntu dapper universe multiverse
deb-src http://archive.ubuntu.com/ubuntu dapper universe multiverse
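Because the guide advises care with non-standard package sources, here is an added example (not part of the guide) of a POSIX shell audit that lists every enabled line in /etc/apt/sources.list that is not fully supported: a host outside the official archive hosts, or a universe/multiverse component. The sources.list content below is constructed; the last line stands in for a third-party source from a single developer, and the allowlist of official hosts is an assumption you should extend with your own mirror.

```shell
#!/bin/sh
# Constructed sample /etc/apt/sources.list (not the guide's sample file).
SAMPLE_SOURCES='# no more prompting for CD-ROM please
# deb cdrom:[Ubuntu 6.06 _Dapper Drake_ - Release i386 (20060329.1)]/ dapper main restricted
deb http://archive.ubuntu.com/ubuntu dapper main restricted
deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb http://archive.ubuntu.com/ubuntu dapper universe multiverse
deb http://packages.example.com/third-party dapper main'

# Hosts whose packages are officially supported (assumed allowlist); add your
# country mirror, for example xx.archive.ubuntu.com, if you use one.
OFFICIAL_HOSTS="archive.ubuntu.com security.ubuntu.com"

# audit_sources SOURCESTEXT
# Print one line per enabled (uncommented) source that is not fully supported,
# as "TYPE URI SUITE: REASON". Commented lines and cdrom: media are skipped.
audit_sources() {
    printf '%s\n' "$1" | awk -v official="$OFFICIAL_HOSTS" '
        BEGIN { n = split(official, h, " "); for (i = 1; i <= n; i++) ok[h[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        ($1 == "deb" || $1 == "deb-src") && $2 !~ /^cdrom:/ {
            host = $2
            sub(/^[a-z]+:\/\//, "", host)              # strip the URI scheme
            sub(/\/.*/, "", host)                      # keep only the host part
            reason = ""
            if (!(host in ok))
                reason = "third-party host " host
            for (i = 4; i <= NF; i++)                  # components follow the suite
                if ($i == "universe" || $i == "multiverse")
                    reason = reason (reason == "" ? "" : "; ") "unsupported component " $i
            if (reason != "")
                print $1, $2, $3 ": " reason
        }'
}

# count_enabled_sources SOURCESTEXT: number of active deb/deb-src lines
count_enabled_sources() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && ($1 == "deb" || $1 == "deb-src") { n++ } END { print n + 0 }'
}

# On a live system: audit_sources "$(cat /etc/apt/sources.list)"
audit_sources "$SAMPLE_SOURCES"
```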
5.1. References
Adding Repositories Howto (Ubuntu Wiki)
[https://wiki.ubuntu.com/AddingRepositoriesHowto]
Networking
Networks consist of two or more devices, such as computer systems, printers, and related equipment, which are connected by either physical cabling or wireless links for the purpose of sharing and distributing information among the connected devices.
This section of the Ubuntu Server Guide provides general and specific information pertaining to networking, including an overview of network concepts and detailed discussion of popular network protocols and server applications.
1. Network Configuration
Ubuntu ships with a number of graphical utilities to configure your network devices. This document is geared toward server administrators and will focus on managing your network on the command line.
1.1. Ethernet
Most ethernet configuration is centralized in a single file, /etc/network/interfaces. If
you have no ethernet devices, only the loopback interface will appear in this file, and it will look something like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0
If you have only one ethernet device, eth0, and it gets its configuration from a DHCP
server, and it should come up automatically at boot, only two additional lines are required:
auto eth0
iface eth0 inet dhcp
The first line specifies that the eth0 device should come up automatically when you boot.
The second line means that interface (“iface”) eth0 should have an IPv4 address space (replace “inet” with “inet6” for an IPv6 device) and that it should get its configuration automatically from DHCP. Assuming your network and DHCP server are properly configured, this machine's network should need no further configuration to operate properly. The DHCP server will provide the default gateway (implemented via the route command), the device's IP address (implemented via the ifconfig command), and the DNS servers used on the network (implemented in the /etc/resolv.conf file).
To configure your ethernet device with a static IP address and custom configuration, some more information will be required. Suppose you want to assign the IP address 192.168.0.2 to the device eth1, with the typical netmask of 255.255.255.0. Your default gateway's IP address is 192.168.0.1. You would enter something like this into /etc/network/interfaces:
auto eth1
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
In this case, you will need to specify your DNS servers manually in /etc/resolv.conf,
which should look something like this:
search mydomain.com
nameserver 192.168.0.1
nameserver 4.2.2.2
The search directive will append mydomain.com to hostname queries in an attempt to resolve names to your network. For example, if your network's domain is mydomain.com and you try to ping the host “mybox”, the DNS query will be modified to “mybox.mydomain.com” for resolution. The nameserver directives specify DNS servers to be used to resolve hostnames to IP addresses. If you use your own nameserver, enter it here. Otherwise, ask your Internet Service Provider for the primary and secondary DNS servers to use, and enter them into /etc/resolv.conf as shown above.
Many more configurations are possible, including dialup PPP interfaces, IPv6 networking, VPN devices, etc. Refer to man 5 interfaces for more information and supported options.
Remember that /etc/network/interfaces is used by the ifup/ifdown scripts as a higher level configuration scheme than may be used in some other Linux distributions, and that the traditional, lower level utilities such as ifconfig, route, and dhclient are still available to you for ad hoc configurations.
1.2. Managing DNS Entries
This section explains how to configure the nameserver to use when resolving IP addresses to hostnames and vice versa. It does not explain how to configure the system as a name server.
To manage DNS entries, you can add, edit, or remove DNS names from the
/etc/resolv.conf file. A sample file [../sample/resolv.conf] is given below:
search com
nameserver 64.125.134.133
nameserver 64.125.134.132
nameserver 208.185.179.218
The search key specifies the string which will be appended to an incomplete hostname.
Here, we have mentioned it as com. So, when we run: ping ubuntu it would be interpreted as ping ubuntu.com.
The nameserver key specifies the nameserver IP address. It will be used to resolve
the given IP address or hostname. This file can have multiple nameserver entries. The
nameservers will be used by the network query in the same order.
If the DNS server names are retrieved dynamically from DHCP or PPPOE
(retrieved from your ISP), do not add nameserver entries in this file. It will be
updated automatically.
1.3. Managing Hosts
To manage hosts, you can add, edit, or remove hosts from the /etc/hosts file. The file contains IP addresses and their corresponding hostnames. When your system tries to resolve a hostname to an IP address or determine the hostname for an IP address, it refers to the /etc/hosts file; for names listed there, the name servers are not used.
If your network contains computers whose IP addresses are not listed in DNS, it is
recommended that you add them to the /etc/hosts file.
2. TCP/IP
The Transmission Control Protocol and Internet Protocol (TCP/IP) is a standard set
of protocols developed in the late 1970s by the Defense Advanced Research Projects
Agency (DARPA) as a means of communication between different types of computers
and computer networks. TCP/IP is the driving force of the Internet, and thus it is the most popular set of network protocols on Earth.
2.1. TCP/IP Introduction
The two protocol components of TCP/IP deal with different aspects of computer
networking. Internet Protocol, the "IP" of TCP/IP is a connectionless protocol which
deals only with network packet routing using the IP datagram as the basic unit of
networking information. The IP datagram consists of a header followed by a message.
The Transmission Control Protocol is the "TCP" of TCP/IP and enables network hosts to establish connections which may be used to exchange data streams. TCP also guarantees that the data between connections is delivered and that it arrives at one network host in the same order as sent from another network host.
2.2. TCP/IP Configuration
The TCP/IP protocol configuration consists of several elements which must be set by
editing the appropriate configuration files, or deploying solutions such as the Dynamic
Host Configuration Protocol (DHCP) server which in turn, can be configured to provide the proper TCP/IP configuration settings to network clients automatically. These
configuration values must be set correctly in order to facilitate the proper network
operation of your Ubuntu system.
The common configuration elements of TCP/IP and their purposes are as follows:
• IP address The IP address is a unique identifying string expressed as four decimal numbers ranging from zero (0) to two-hundred and fifty-five (255), separated by periods, with each of the four numbers representing eight (8) bits of the address for a total length of thirty-two (32) bits for the whole address. This format is called dotted quad notation.
• Netmask The Subnet Mask (or simply, netmask) is a local bit mask, or set of flags
which separate the portions of an IP address significant to the network from the bits
significant to the subnetwork. For example, in a Class C network, the standard netmask is 255.255.255.0 which masks the first three bytes of the IP address and allows the last byte of the IP address to remain available for specifying hosts on the subnetwork.
• Network Address The Network Address represents the bytes comprising the network portion of an IP address. For example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as the network address, which uses twelve (12) to represent the first byte
of the IP address, (the network part) and zeroes (0) in all of the remaining three bytes to represent the potential host values. Network hosts using the very common private and non-routable IP addresses such as 192.168.1.100 would in turn use a Network Address of 192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 network and a zero (0) for all the possible hosts on the network.
• Broadcast Address The Broadcast Address is an IP address which allows network
data to be sent simultaneously to all hosts on a given subnetwork rather than specifying a particular network host. The standard general broadcast address for IP networks is 255.255.255.255, but this broadcast address cannot be used to send a broadcast message to every host on the Internet because routers block it. A more appropriate broadcast address is set to match a specific subnetwork. For example, on the popular private Class C IP network, 192.168.1.0, the broadcast address should be configured as 192.168.1.255. Broadcast messages are typically produced by network protocols such as the Address Resolution Protocol (ARP) and the Routing Information Protocol (RIP).
• Gateway Address A Gateway Address is the IP address through which a particular
network, or host on a network, may be reached. If one network host wishes to
communicate with another network host, and that host is not located on the same
network, then a gateway must be used. In many cases, the Gateway Address will be that of a router on the same network, which will in turn pass traffic on to other networks or hosts, such as Internet hosts. The value of the Gateway Address setting must be correct, or your system will not be able to reach any hosts beyond those on the same network.
• Nameserver Address Nameserver Addresses represent the IP addresses of Domain
Name Service (DNS) systems, which resolve network hostnames into IP addresses.
There are three levels of Nameserver Addresses, which may be specified in order of
precedence: The Primary Nameserver, the Secondary Nameserver, and the Tertiary
Nameserver. In order for your system to be able to resolve network hostnames into
their corresponding IP addresses, you must specify valid Nameserver Addresses which you are authorized to use in your system's TCP/IP configuration. In many cases these addresses can and will be provided by your network service provider, but many free
and publicly accessible Nameservers are available for use, such as the Level3 (Verizon) servers with IP addresses from 4.2.2.1 to 4.2.2.6.
The IP address, Netmask, Network Address, Broadcast Address, and Gateway
Address are typically specified via the appropriate directives in the file /etc/network/interfaces. The Nameserver Addresses are typically specified via nameserver directives in the file /etc/resolv.conf. For more information, view the system manual page for interfaces or resolv.conf respectively, with the following commands typed at a terminal prompt:
Access the system manual page for interfaces with the following command:
man interfaces
Access the system manual page for resolv.conf with the following command:
man resolv.conf
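The static eth1 stanza in section 1.1 and the netmask, network and broadcast definitions above lend themselves to a consistency check before a stanza is committed to /etc/network/interfaces: a wrong gateway or a non-contiguous netmask silently leaves the server unreachable. The following POSIX shell functions are an added example, not the guide's own code; they derive the network and broadcast addresses from an address and netmask, verify that the gateway lies inside that subnet, and apply the check to a constructed interfaces file that reuses the guide's eth1 values.

```shell
#!/bin/sh
# ip_to_int A.B.C.D: dotted quad -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N: 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_address ADDRESS NETMASK: address AND mask
network_address() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_address ADDRESS NETMASK: network OR inverted mask
broadcast_address() {
    int_to_ip $(( ( $(ip_to_int "$1") & $(ip_to_int "$2") ) | ( ~$(ip_to_int "$2") & 4294967295 ) ))
}

# check_static_stanza ADDRESS NETMASK GATEWAY
# Exit 0 and print the derived network/broadcast if the three values are
# mutually consistent; exit 1 with a reason otherwise.
check_static_stanza() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || { echo "incomplete stanza: need address, netmask and gateway"; return 1; }
    addr=$(ip_to_int "$1"); mask=$(ip_to_int "$2"); gw=$(ip_to_int "$3")
    inv=$(( ~mask & 4294967295 ))
    # A valid mask is a run of 1s followed by 0s, so inv+1 must be a power of two.
    if [ $(( inv & (inv + 1) )) -ne 0 ]; then
        echo "netmask $2 is not contiguous"; return 1
    fi
    net=$(( addr & mask )); bcast=$(( net | inv ))
    if [ $(( gw & mask )) -ne "$net" ]; then
        echo "gateway $3 is not inside $(int_to_ip "$net")/$2"; return 1
    fi
    if [ "$gw" -eq "$net" ] || [ "$gw" -eq "$bcast" ]; then
        echo "gateway $3 is the network or broadcast address"; return 1
    fi
    echo "ok: network $(int_to_ip "$net") broadcast $(int_to_ip "$bcast") gateway $3"
}

# stanza_field INTERFACESTEXT IFACE KEY: value of KEY in the "iface IFACE" stanza
stanza_field() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v key="$3" '
        $1 == "iface" { cur = $2; next }
        $1 == key && cur == ifc { print $2; exit }'
}

# check_interfaces INTERFACESTEXT IFACE: validate one static stanza from the file
check_interfaces() {
    check_static_stanza "$(stanza_field "$1" "$2" address)" \
                        "$(stanza_field "$1" "$2" netmask)" \
                        "$(stanza_field "$1" "$2" gateway)"
}

# Constructed /etc/network/interfaces text using the guide's eth1 values
SAMPLE_INTERFACES='auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0

auto eth1
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1'

# On a live system: check_interfaces "$(cat /etc/network/interfaces)" eth1
check_interfaces "$SAMPLE_INTERFACES" eth1
```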
2.3. IP Routing
IP routing is a means of specifying and discovering paths in a TCP/IP network along which network data may be sent. Routing uses a set of routing tables to direct the forwarding of network data packets from their source to the destination, often via many intermediary network nodes known as routers. IP Routing is the principal mode of path discovery on the Internet. There are two primary forms of IP Routing: Static Routing and Dynamic Routing.
Static routing involves manually adding IP routes to the system's routing table, and this is usually done by manipulating the routing table with the route command. Static routing enjoys many advantages over dynamic routing, such as simplicity of implementation on smaller networks, predictability (the routing table is always computed in advance, and thus the route is precisely the same each time it used), and low overhead on other routers and network links due to the lack of a dynamic routing protocol. However, static routing does present some disadvantages as well. For example, static routing is limited to small networks and does not scale well.
Static routing also fails completely to adapt to network outages and failures along the route due to the fixed nature of the route.
Dynamic Routing depends on large networks with multiple possible IP routes from a source to a destination and makes use of special routing protocols, such as the Routing Information Protocol (RIP), which handle the automatic adjustments in routing tables that make dynamic routing possible. Dynamic routing has several advantages over static routing, such as superior scalability and the ability to adapt to failures and outages along network routes. Additionally, there is less manual configuration of the routing tables, since routers learn from one another about their existence and available routes. This trait also eliminates the possibility of introducing mistakes in the routing tables via human error.
Dynamic routing is not perfect, however, and presents disadvantages such as heightened complexity and additional network overhead from router communications, which does not immediately benefit the end users, but still consumes network bandwidth.
2.4. TCP and UDP
TCP is a connection-based protocol, offering error correction and guaranteed delivery of data via what is known as flow control. Flow control determines when the flow of a data stream needs to be stopped and previously sent data packets should be re-sent due to problems such as collisions, for example, thus ensuring complete and accurate delivery of the data. TCP is typically used in the exchange of important information such as database transactions.
The User Datagram Protocol (UDP), on the other hand, is a connectionless protocol which seldom deals with the transmission of important data because it lacks flow control or any other method to ensure reliable delivery of the data. UDP is commonly used in such applications as audio and video streaming, where it is considerably faster than TCP due to the lack of error correction and flow control, and where the loss of a few packets is not generally catastrophic.
2.5. ICMP
The Internet Control Message Protocol (ICMP) is an extension to the Internet Protocol (IP) as defined in the Request For Comments (RFC) #792 and supports network packets containing control, error, and informational messages. ICMP is used by such network applications as the ping utility, which can determine the availability of a network host or device. Examples of some error messages returned by ICMP which are useful to both network hosts and devices such as routers include Destination Unreachable and Time Exceeded.
2.6. Daemons
Daemons are special system applications which typically execute continuously in the
background and await requests for the functions they provide from other applications.
Many daemons are network-centric; that is, a large number of daemons executing in
the background on an Ubuntu system may provide network-related functionality.
Some examples of such network daemons include the Hypertext Transfer Protocol Daemon (httpd), which provides web server functionality; the Secure SHell Daemon (sshd), which provides secure remote login shell and file transfer capabilities; and the Internet Message Access Protocol Daemon (imapd), which provides E-Mail services.
3. Firewall Configuration
The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
3.1. Firewall Introduction
The kernel's packet filtering system would be of little use to administrators without a
userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you're familiar with it, but many frontends are available to simplify the task.
3.2. IP Masquerading
The purpose of IP Masquerading is to allow machines with private, non-routable
IP addresses on your network to access the Internet through the machine doing the
masquerading. Traffic from your private network destined for the Internet must be
manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly.
Traffic leaving your private network is thus "masqueraded" as having originated from
your Ubuntu gateway machine. This process is referred to in Microsoft documentation as
Internet Connection Sharing.
This can be accomplished with a single iptables rule, which may differ slightly based on your network configuration:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:
• -t nat -- the rule is to go into the nat table
• -A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain
• -s 192.168.0.0/16 -- the rule applies to traffic originating from the specified address space
• -o ppp0 -- the rule applies to traffic scheduled to be routed through the specified network device
• -j MASQUERADE -- traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above
Each chain in the filter table (the default table, and where most or all packet filtering
occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.
3.3. Tools
There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. For the GUI-inclined, Firestarter is quite popular and easy to use, and fwbuilder is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall-1. If you prefer a command-line tool with plain-text configuration files, Shorewall is a very powerful solution to help you configure an advanced firewall for any network. If your network is relatively simple, or if you don't have a network, ipkungfu should give you a working firewall "out of the box" with zero configuration, and will allow you to easily set up a more advanced firewall by editing simple, well-documented configuration files. Another interesting tool is fireflier, which is designed to be a desktop firewall application. It is made up of a server (fireflier-server) and your choice of GUI clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows.
3.4. Logs
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT).
For example:
sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "
A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
The above log will also appear in /var/log/messages, /var/log/syslog, and
/var/log/kern.log. This behavior can be modified by editing /etc/syslog.conf
appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as fwanalog, fwlogwatch, or lire.
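Once logging rules are in place, the next step is to make the entries usable. The following is an added example, not part of the guide: a small shell function that summarises iptables LOG lines (in either the dmesg or the kern.log/syslog format) by log prefix, source address and destination port, so that repeated connection attempts from one host stand out. The sample log lines, addresses and interface names are constructed for the example.

```shell
# Added example (not from the guide): summarise iptables LOG entries, such as the
# NEW_HTTP_CONN line above, by log prefix, source address and destination port.
# Reads kernel log lines on stdin (dmesg, /var/log/kern.log or /var/log/syslog
# format) and prints "COUNT PREFIX SRC DPT", highest count first.
fw_log_summary() {
    awk '
    /IN=/ && /SRC=|src=/ {
        # The --log-prefix text sits between the kernel timestamp and "IN=".
        head = substr($0, 1, index($0, "IN=") - 1)
        sub(/.*\]/, "", head)               # drop "[secs]" (and syslog preamble)
        gsub(/^ +| *:? *$/, "", head)       # trim spaces and the trailing colon
        src = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            f = toupper($i)                  # tolerate lower-case field names
            if (f ~ /^SRC=/) src = substr($i, 5)
            if (f ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (head == "") head = "-"
        count[head " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines in the two formats the guide mentions (dmesg and
# kern.log); addresses and interfaces are made up.
sample_fw_log() {
    cat <<'EOF'
[4304885.870000] NEW_HTTP_CONN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
[4304886.120000] NEW_HTTP_CONN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58290 DF PROTO=TCP SPT=53982 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
Apr 11 02:41:40 gw kernel: [4304887.300000] NEW_HTTP_CONN: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Apr 11 02:41:41 gw kernel: [4304888.000000] DROP_IN: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Apr 11 02:41:42 gw kernel: unrelated message without firewall fields
EOF
}

sample_fw_log | fw_log_summary
```

On a live system, feed it real data with `dmesg | fw_log_summary` or `fw_log_summary < /var/log/kern.log`.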
4. OpenSSH Server
4.1. Introduction
This section of the Ubuntu Server Guide introduces a powerful collection of tools for the remote control of networked computers and transfer of data between networked computers, called OpenSSH. You will also learn about some of the configuration settings possible with the OpenSSH server application and how to change them on your Ubuntu system.
OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling a computer or transferring files between computers. Traditional tools used to accomplish these functions, such as telnet or rcp, are insecure and transmit the user's password in cleartext when used. OpenSSH provides a server daemon and client tools to facilitate secure, encrypted remote control and file transfer operations, effectively replacing the legacy tools.
The OpenSSH server component, sshd, listens continuously for client connections
from any of the client tools. When a connection request occurs, sshd sets up the correct connection depending on the type of client tool connecting. For example, if the remote computer is connecting with the ssh client application, the OpenSSH server sets up a remote control session after authentication. If a remote user connects to an OpenSSH server with scp, the OpenSSH server daemon initiates a secure copy of files between the server and client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and Kerberos tickets.
4.2. Installation
Installation of the OpenSSH client and server applications is simple. To install the
OpenSSH client applications on your Ubuntu system, use this command at a terminal
prompt:
To install the OpenSSH server application, and related support files, use this command at a
terminal prompt:
4.3. Configuration
You may configure the default behavior of the OpenSSH server application, sshd, by
editing the file /etc/ssh/sshd_config. For information about the configuration directives
used in this file, you may view the appropriate manual page with the following command,
issued at a terminal prompt:
man sshd_config
There are many directives in the sshd configuration file controlling such things as
communications settings and authentication modes. The following are examples of
configuration directives that can be changed by editing the /etc/ssh/sshd_config file.
Prior to editing the configuration file, you should make a copy of the original file
and protect it from writing so you will have the original settings as a reference
and to reuse as necessary.
Copy the /etc/ssh/sshd_config file and protect it from writing with the
following commands, issued at a terminal prompt:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original
The following are examples of configuration directives you may change:
• To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port 22,
change the Port directive as such:
Port 2222
• To have sshd allow public key-based login credentials, simply add or modify the line:
PubkeyAuthentication yes
in the /etc/ssh/sshd_config file, or if already present, ensure the line is not commented out.
• To make your OpenSSH server display the contents of the /etc/issue.net file as a
pre-login banner, simply add or modify the line:
Banner /etc/issue.net
in the /etc/ssh/sshd_config file.
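The "add or modify, or uncomment if present" step above is easy to get wrong by hand, leaving two active lines for one directive. The following is an added example, not the guide's own code: shell functions that make the read-only backup described above and then set a directive in place, uncommenting a "#Key value" line, replacing an existing line, or appending a missing one, so repeated runs leave exactly one active line per key. It assumes a flat sshd_config without Match blocks; the function and file names are the example's own.

```shell
# Added example (not the guide's own code): back up sshd_config once, as the guide
# does, then set directives in place so that a commented-out "#Key value" line is
# uncommented, an existing line is replaced, and a missing one is appended.
# Assumes a flat sshd_config with no Match blocks.

backup_sshd_config() {            # backup_sshd_config /etc/ssh/sshd_config
    if [ ! -e "$1.original" ]; then
        cp "$1" "$1.original"
        chmod a-w "$1.original"   # read-only reference copy
    fi
}

set_sshd_directive() {            # set_sshd_directive FILE KEY VALUE
    cfg=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        # Matches "Key ...", "#Key ..." and "# Key ..." but not "KeyOther ...".
        $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }  # rewrite the first hit
            next                                    # drop later duplicates
        }
        { print }
        END { if (!done) print k " " v }            # absent: append it
    ' "$cfg" > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

get_sshd_directive() {            # get_sshd_directive FILE KEY -> active value
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Usage on a real system (as root), mirroring the guide's three examples:
#   backup_sshd_config /etc/ssh/sshd_config
#   set_sshd_directive /etc/ssh/sshd_config Port 2222
#   set_sshd_directive /etc/ssh/sshd_config PubkeyAuthentication yes
#   set_sshd_directive /etc/ssh/sshd_config Banner /etc/issue.net
```

Verify the result with `get_sshd_directive /etc/ssh/sshd_config Port` before restarting sshd, so a typo does not lock you out of the server.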
After making changes to the /etc/ssh/sshd_config file, save the file, and restart the sshd
server application to effect the changes using the following command at a terminal prompt:
I'm pretty sure that you're not reading these comments and that this blog is just an automated landing zone for ads, but the document you have posted here is copyrighted by Canonical Ltd and you have not attributed them. They have every right to ask you to remove this document.
not bloody likely | 2008-04-11 - 02:41:40 GMT 1 #