Archive for the ‘Linux’ Category

Quick NFS Setup Notes

October 27th, 2007

Quick NFS Setup Notes:

Server with files to be shared:
# service portmap start; service nfslock start; service nfs start
# echo "/home/sharedfiles (ro,sync)" >> /etc/exports
(With nothing in front of the parentheses the options apply to every host that can reach the server; put the client's address or hostname in front, e.g. client(ro,sync), to restrict the export. Run exportfs -ra after editing /etc/exports so the running server picks it up.)

Client (the machine that accesses these files):
Edit /etc/vfstab (on Linux the file is /etc/fstab; vfstab is the Solaris name) and add
server:/share/adir /opt/adir nfs ro,sync 0 0

Add a macro.NFS to /etc/shorewall:
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                               PORT    PORT(S) DEST            LIMIT   GROUP
PARAM   -       -       udp     111,2049
PARAM   -       -       tcp     111,2049
PARAM   -       -       udp     4000:4003
PARAM   -       -       tcp     4000:4003
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


NFS with Shorewall & SELinux – CentOS

October 22nd, 2007

These are my notes from what I got working for a CentOS NFS setup with Shorewall and SELinux. The setup is as follows:
* Server called “server” (192.168.1.10) exporting /opt/goodies for machine “client” (192.168.1.15) to use as /usr/local/goodies
* Both are running *nix with the Shorewall firewall
* This config works for CentOS – others may need tweaking. On Windows, get a VMware server running with 2 instances of CentOS if you’d like to play along.

Server
1. Add this to /etc/init.d/nfslock, after the line containing daemon rpc.statd and before the start() function:

STATD_PORT=4000

2. Run the following commands:

[root@server]# echo "MOUNTD_PORT=4002" >> /etc/sysconfig/network
[root@server]# echo "options lockd nlm_udpport=4001 nlm_tcpport=4001" >> /etc/modprobe.conf
[root@server]# echo "rquotad 4003/tcp" >> /etc/services

3. portmap, nfs and nfslock need to be running; check whether they are set to start at boot:

[root@server]# chkconfig --list | egrep 'nfs|nfslock|portmap'
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off

To make a service start at boot, run the following (and do the same for portmap and nfslock):

[root@server]# chkconfig --levels 235 nfs on

4. Create the /etc/shorewall/macro.NFS file

#
# Shorewall version 3.4 - NFS Macro
#
# /usr/share/shorewall/macro.NFS
#
#       This macro handles NFS traffic. You need to invoke
#       this macro in both directions.  Beware!  This rule opens a lot
#       of ports, and could possibly be used to compromise your firewall
#       if not used with care.  You should only allow NFS traffic
#       between hosts you fully trust.
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                               PORT    PORT(S) DEST            LIMIT   GROUP
PARAM   -       -       udp     111,2049
PARAM   -       -       tcp     111,2049
PARAM   -       -       udp     4000:4003
PARAM   -       -       tcp     4000:4003
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5. Allow NFS traffic through the Shorewall firewall: edit /etc/shorewall/rules; here we allow traffic only between the server and two other systems. Be aware that this access control is based only on the client’s IP address – ensure your network is secure.

NFS/ACCEPT      net:192.168.1.15,192.168.1.17     $FW
NFS/ACCEPT      $FW     net:192.168.1.15,192.168.1.17

Alternatively, if you are running iptables manually, you can enter these rules; here I made a script to make life easier. The last two commands are needed because the chain’s catch-all REJECT rule must stay at the end: they delete it and re-append it after the new ACCEPT rules. I prefer to use Shorewall because, as it says, it is “IPtables made easy”, and it’s -really- easy to typo these commands and lose time trying to get this working.
The name of my firewall was RH-Firewall-1 (chain RH-Firewall-1-INPUT); substitute as needed.

#!/bin/sh
# nfs & iptables setup: open the portmapper, nfs and the fixed helper ports
# (4000-4003) for one network, then move the catch-all REJECT rule back to the end.
echo "nfs & iptables setup"
printf "Network IP (eg; 192.168.1.0): "
read networkip
printf "Subnet mask without the slash (eg; /24 is entered as 24): "
read subnet
CHAIN=RH-Firewall-1-INPUT      # name of the firewall chain; substitute as needed
NET="$networkip/$subnet"
# accept non-first fragments from the network (NFS over UDP fragments large replies)
iptables -A $CHAIN -s "$NET" -f -j ACCEPT
for port in 111 2049 4000 4001 4002 4003; do
    iptables -A $CHAIN -s "$NET" -p udp -m udp --dport $port -j ACCEPT
    iptables -A $CHAIN -s "$NET" -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT
done
# the REJECT rule must remain last: delete it and re-append it after the new rules
iptables -D $CHAIN -j REJECT --reject-with icmp-host-prohibited
iptables -A $CHAIN -j REJECT --reject-with icmp-host-prohibited

If you used Shorewall, it will require a restart; check the configuration first:

[root@server]# shorewall check

If the check passed, you are safe to restart:

[root@server]# shorewall restart
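Steps 1–3 pin the helper daemons to 4000–4003 and steps 4–5 open exactly those ports, so the thing to verify before trusting the firewall is that the daemons actually registered on the pinned ports. The check below is an added example, not code from the post: it parses `rpcinfo -p` output and reports any service that landed on a port other than the one it was pinned to, or on a port the NFS macro does not open. The sample output is constructed, with mountd deliberately shown on dynamic ports so a mismatch is visible.

```python
"""Verify that the NFS helper daemons are on the fixed ports the firewall
opens (111, 2049, 4000-4003).  Added example, not from the original post.
Feed it the output of `rpcinfo -p` from the server; the sample below is
constructed."""

import re
import sys

# Ports the post pins each daemon to (portmapper and nfs are fixed by protocol).
EXPECTED = {
    "portmapper": 111,
    "nfs": 2049,
    "status": 4000,      # rpc.statd   (STATD_PORT=4000)
    "nlockmgr": 4001,    # lockd       (nlm_udpport/nlm_tcpport=4001)
    "mountd": 4002,      # rpc.mountd  (MOUNTD_PORT=4002)
    "rquotad": 4003,     # rpc.rquotad (/etc/services entry)
}

# Everything the Shorewall NFS macro opens.
ALLOWED_PORTS = {111, 2049} | set(range(4000, 4004))

# Constructed sample of `rpcinfo -p`; mountd is on dynamic ports on purpose.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100011    1   udp   4003  rquotad
    100011    1   tcp   4003  rquotad
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return a list of (service, proto, port) from `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the header line does not match and is skipped
            entries.append((m.group(5), m.group(3), int(m.group(4))))
    return entries


def check_rpc_ports(text, expected=EXPECTED, allowed=ALLOWED_PORTS):
    """Compare the registered ports with the pinned ones.

    Returns (problems, unexpected): `problems` are human-readable lines for
    services bound to a port other than the pinned one; `unexpected` are
    registrations on ports outside the set the firewall opens, which will be
    unreachable from clients until the daemon is re-pinned or the rule widened.
    """
    problems = []
    unexpected = []
    for service, proto, port in parse_rpcinfo(text):
        want = expected.get(service)
        if want is not None and port != want:
            problems.append(f"{service}/{proto} on {port}, expected {want}")
        if port not in allowed:
            unexpected.append((service, proto, port))
    return problems, unexpected


if __name__ == "__main__":
    # Usage: rpcinfo -p > rpc.txt; python check_nfs_ports.py rpc.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RPCINFO
    problems, unexpected = check_rpc_ports(text)
    for p in problems:
        print("MISMATCH:", p)
    for service, proto, port in unexpected:
        print(f"NOT COVERED BY FIREWALL: {service}/{proto} on port {port}")
    sys.exit(1 if problems or unexpected else 0)
```

Run it after `service nfs restart` on the server; a clean run means every registered daemon sits inside the 111/2049/4000–4003 set the macro opens, so a mount that still hangs is not a port problem.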

6. With services and firewall running properly, we can export a directory; edit /etc/exports
(More on this topic can be found at http://nfs.sourceforge.net)

#
# format example:
# /dir/of/sharedfiles  192.168.1.30(ro,root_squash,sync)
#
/opt/goodies      192.168.1.15(ro,sync)       # share read-only
/opt/goodies      192.168.1.17(rw,root_squash,sync)   # share read write, root squash
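Both this step and the one-line `echo ... >> /etc/exports` in the quick notes above come down to what each client clause allows. The linter below is an added example, not code from the post or from nfs-utils: it parses /etc/exports the way exports(5) describes it (a clause is `host(options)`; options with no host in front apply to every host) and flags the clauses that matter most here: exports open to all hosts, world-writable exports, `no_root_squash`, and `async`. The sample file is constructed from the two lines above plus two deliberately risky ones.

```python
"""Lint /etc/exports for the mistakes that matter in this setup.
Added example, not code from the post or from nfs-utils.  The sample
file is constructed: the post's two lines plus two risky ones."""

import re
import sys

SAMPLE_EXPORTS = """\
#
# format example:
# /dir/of/sharedfiles  192.168.1.30(ro,root_squash,sync)
#
/opt/goodies      192.168.1.15(ro,sync)       # share read-only
/opt/goodies      192.168.1.17(rw,root_squash,sync)   # share read write, root squash
/home/sharedfiles (ro,sync)                   # constructed: no host before the options
/srv/build        *(rw,no_root_squash,async)  # constructed: worst case
"""

# A client clause is `host(opt,opt)`; the parenthesised part is optional.
CLAUSE_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, host, [options]) for every client clause in the file.

    exports(5): options written with nothing before the parentheses apply
    to all hosts, so such a clause is recorded with host '*'.
    """
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:                    # path with no client clauses
            continue
        path, rest = parts
        for token in rest.split():
            m = CLAUSE_RE.match(token)
            if not m:
                continue
            host, opts = m.group(1), m.group(2) or ""
            options = [o.strip() for o in opts.split(",") if o.strip()]
            clauses.append((path, host or "*", options))
    return clauses


def lint_exports(text):
    """Return a list of (finding, 'path -> host') pairs, in file order."""
    findings = []
    for path, host, options in parse_exports(text):
        opts = set(options)
        where = f"{path} -> {host}"
        if host == "*":
            findings.append(("exported-to-all-hosts", where))
            if "rw" in opts:
                findings.append(("world-writable", where))
        if "no_root_squash" in opts:          # remote root keeps uid 0 on the export
            findings.append(("no_root_squash", where))
        if "async" in opts:                   # replies before data hits disk
            findings.append(("async-may-lose-data", where))
    return findings


if __name__ == "__main__":
    # Usage: python lint_exports.py /etc/exports   (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for finding, where in lint_exports(text):
        print(f"{finding:24} {where}")
```

Run it against the real file before `exportfs -ra`; the two lines from this step produce no findings, while the quick-notes style `/home/sharedfiles (ro,sync)` is reported as exported to all hosts.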

Client
1. Repeat steps 1-5 to set up the client

2. Create the directory on which to mount the share; for this example it’s /usr/local/goodies. The file /opt/goodies/sometool.sh will show on the client as /usr/local/goodies/sometool.sh

[root@client]# mkdir /usr/local/goodies; chmod 755 /usr/local/goodies

3. Edit /etc/fstab – here we are mounting as read-only:

192.168.1.10:/opt/goodies      /usr/local/goodies     nfs     ro,sync         0 0

4. Mount the NFS share:

[root@client]# mount /usr/local/goodies

5. Test it out – you should be able to read files from here. If not, re-check your work and check /var/log/messages for error messages.

Troubleshooting
Server: try this command -

[root@server]# service nfs reload

Client:

[root@client]# service netfs restart

SELinux
If you got this far – awesome – the next step is SELinux. There are many opinions about it; mine is that I want to use it – I like its ideology.

So, both the server and client in this case can be running SELinux in enforcing mode and work with NFS.

1. Server and client:

[root@server]# setsebool -P use_nfs_home_dirs 1
[root@client]# setsebool -P use_nfs_home_dirs 1

2. To switch SELinux between permissive and enforcing at runtime (0 = permissive, i.e. violations are only logged; 1 = enforcing; the change does not survive a reboot):

[root@server]# echo "0" >/selinux/enforce

At this point you could reboot both systems, and if SELinux has been activated you might as well, to ensure everything still works after a reboot.

This should get NFS working – next is tuning. NFS is a deep topic and some study will result in a secure and useful setup.

Gregg [aaattt] mochabomb [dot] com


Squirrelmail – Login problems because of password aging

September 10th, 2007

I was trying to log in to Squirrelmail (hey, I hear gripes that it’s old, ugly, not web 2.0 – but it packs the punch of a 1972 Dodge Roadrunner – does only one or two things well – very well).

Anyhow, the error message was: Error username or password incorrect
Error logs – Aborted login

Guess what – the issue was password aging – as I tried to login, I had to update my password. That fixed it instantly.


Do subnet math in your head

April 12th, 2007

Subnets are a necessary part of networking, and while there are a lot of websites with charts out there, you could print one of the many such charts really small and laminate it, or better, use your God-given noggin and memorize it! We learned multiplication tables as kids – learning subnetting is about as easy if you work with me on this… Take 20 minutes now and you’ll know this for life.

At first, subnets were hard for me to understand – until my brother Hans somegeek explained it in a really simple way.

Update Nov 9, 2010 : Take the quiz

Definition
A subnet is a portion of the full net – and every network we use is part of a subnet. As geeks we mostly deal with class C or smaller.

Let’s work with an example. You just started working at RARPAnet and have lots of computers to set up. You were assigned the entire 10.0.0.0 network for address space. Since the 10 network is designated for use on private networks (it’s not routed on the public internet), you have lots of addresses.

Class – amount of address space you have:
Class A: The entire 10 network – any address where the first number is the same
Class B: The 10.1, or the 10.2 network – up to the 10.255 network – any address where the first 2 numbers are the same
Class C: 10.0.1, or 10.0.2, up to the 10.0.255 network – any address where the first 3 numbers are the same

Examples of subnets from the 10 network:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 10.1.0.0 to 10.1.255.255
Class C: 10.1.0.0 to 10.1.0.255

Every Subnet has 4 parts to it:

  1. Network – this is the first address on the network – designates the starting address
  2. Hosts – addresses that can be used for hosts (routers, computers, etc)
  3. Broadcast – the last address of the network – for ‘yelling’ at everyone at the same time.
  4. Netmask – used to get the network – put as a mask over the address

Example 1: Break down the 192.168.1 network

For the 192.168.1 subnet:
192.168.1.0 network
192.168.1.1 - 254 hosts
192.168.1.255 broadcast
255.255.255.0 netmask

Every IP address is made up of 32 bits in 4 chunks of 8 bits.

To count in binary is really simple – use the table below to make the number – a sum of its parts.

Basic table for counting up to 255 in binary: first row of 1′s, second row powers of 2 starting with 1:

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1

Conversion of regular numbers to binary:

1 in binary:

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
                                        1

2 in binary: 2 + 0

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
                                   2    0 = 2
                                   1    0

5 in binary: 4 + 1

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
                              4    0    1 = 5
                              1    0    1

18 in binary: 16 + 2

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
                  16     0    0    2    0 = 18
                   1     0    0    1    0

187 in binary: 128 + 32 + 16 + 8 + 2 + 1

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
128    0    32    16     8    0    2    1 = 187 
1      0     1     1     1    0    1    1 

Convert Binary to Decimal
Convert 10110 to a decimal number:

First, 10110 is 5 bits; your biggest number in the count set will always be 2^(n-1).
Another way to remember it is that the largest number will be half of 2^n:
2^5 = 32; half is 16.

The mathematical way is:
n = 5; so 2^(5-1) = 16 That’s your biggest number, so count set is “16 8 4 2 1″

1*16 + 0*8 + 1*4 + 1*2 + 0*1 = 22 – convert 22 back to binary as above – it can be done in your head.
Takes some practice but like counting change when working a cash register, it’ll flow after a while.

With binary-to-decimal conversion understood, let’s look at IPs – v4, that is. The binary for a full IPv4 address (all 32 bits set) is: 11111111.11111111.11111111.11111111

Detailed breakdown

Now, for a host with ip of 192.168.1.12, the IP and subnet are often denoted together in one of two ways:
192.168.1.12 255.255.255.0
or more often used and shorter to write:
192.168.1.12/24

The /24 means that of the 32 bits in the address, the first 24 denote the network and the last 8 are host address space:

For a /24 there are 8 bits for address space:
Subtract the slash number from 32; in the case of /24:
32 – 24 = 8 bits;
Then the number of IP addresses is 2^8 = 256;

256 addresses: first address is network, last is broadcast; 254 in the middle are for hosts.
192.168.1.0 network
192.168.1.1 to 192.168.1.254 hosts
192.168.1.255 broadcast
255.255.255.0 subnet mask
11111111.11111111.11111111.00000000 Last 8 bits are zeros

How to easily remember this:
Mentally I think this: I see 192.168.1/24 – then
1. an IP address has 32 bits for address
2. 32 – 24 = 8; 2^8 = 256;
3. 256 addresses – first one is network; last one is broadcast, the rest in the middle are hosts.

Example: You are given an address of 192.168.1.16/29 for your network:
For a /29: There are 3 bits for address space:
1. 32 bits – 29 bits = 3 bits for address space;
2. 2^3 = 8 – the number of addresses in this network
3. Since my first address is 192.168.1.16, 192.168.1.23 is my last address

Summary:
8 addresses: First is network, 6 in the middle for hosts, last is the broadcast address:

192.168.1.16                       network
192.168.1.17 to 192.168.1.22       hosts
192.168.1.23                       broadcast
255.255.255.248                    subnet mask     

11111111.11111111.11111111.11111000  Last 3 bits are zeros

… and since this /24 is most likely subdivided into groups of 8 IPs, there is a new network every 8 IP addresses on the 192.168.1 subnet – a good way to segment a network for security, etc.

192.168.1.0-7
192.168.1.8-15
192.168.1.16-23               (your network)
192.168.1.24-31
192.168.1.32-39
...and so on up to
192.168.1.248-255
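The same steps, carried out in code so you can check your head math: this is an added example, not part of the original post (Python’s ipaddress module would give the same answers, but the point is to spell out the bit arithmetic). It converts decimal to binary with the 128-64-32-16-8-4-2-1 table, works out network, hosts, broadcast and netmask from a /prefix exactly as described above, and enumerates the blocks of a given size inside the enclosing /24, as in the list of /29s just shown. It goes slightly beyond the text in that it handles any prefix from /0 to /30 and refuses /31 and /32, where the first-is-network, last-is-broadcast rule does not hold.

```python
"""Subnet math done the way the post describes, with bit arithmetic instead
of a chart.  Added example, not from the original post."""


def to_binary(n, width=8):
    """Decimal -> binary string: walk the 128 64 32 16 8 4 2 1 table left to
    right and take each power that still fits."""
    bits = []
    for power in (2 ** i for i in range(width - 1, -1, -1)):
        if n >= power:
            bits.append("1")
            n -= power
        else:
            bits.append("0")
    return "".join(bits)


def from_binary(s):
    """Binary string -> decimal: the leftmost of n bits is worth 2^(n-1)."""
    return sum(2 ** i for i, bit in enumerate(reversed(s)) if bit == "1")


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 255) for shift in (24, 16, 8, 0))


def dotted_binary(n):
    """32-bit value as four 8-bit groups, like the post's mask diagrams."""
    return ".".join(to_binary((n >> shift) & 255) for shift in (24, 16, 8, 0))


def subnet(cidr):
    """Break 'a.b.c.d/p' into the four parts the post lists."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 30:
        # /31 and /32 have no separate network and broadcast addresses,
        # so the "first is network, last is broadcast" rule does not apply.
        raise ValueError("prefix must be between /0 and /30")
    host_bits = 32 - prefix                         # /29: 32 - 29 = 3
    size = 2 ** host_bits                           # 2^3 = 8 addresses
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # first `prefix` bits set
    network = ip_to_int(ip) & mask                  # the mask laid over the address
    broadcast = network | (size - 1)                # all host bits set
    return {
        "network": int_to_ip(network),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "broadcast": int_to_ip(broadcast),
        "netmask": int_to_ip(mask),
        "netmask_binary": dotted_binary(mask),
        "hosts": size - 2,                          # minus network and broadcast
    }


def blocks_in(cidr, enclosing=24):
    """Every block of the given size inside the enclosing /24 (or other prefix):
    the 'new network every 8 addresses' list for a /29."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if prefix < enclosing or prefix > 32:
        raise ValueError("block must be no larger than the enclosing network")
    size = 2 ** (32 - prefix)
    span = 2 ** (32 - enclosing)
    base = ip_to_int(ip) & ((0xFFFFFFFF << (32 - enclosing)) & 0xFFFFFFFF)
    return [(int_to_ip(base + i), int_to_ip(base + i + size - 1))
            for i in range(0, span, size)]


if __name__ == "__main__":
    print("187 ->", to_binary(187), "   10110 ->", from_binary("10110"))
    for cidr in ("192.168.1.12/24", "192.168.1.16/29"):
        print(cidr)
        for key, value in subnet(cidr).items():
            print(f"  {key:15} {value}")
    for first, last in blocks_in("192.168.1.16/29"):
        print(f"{first}-{last.rsplit('.', 1)[1]}")
```

Worth noticing in the code: the network address is just the IP ANDed with the mask, which is why the post says to “put the mask over the address”, and the broadcast is the network with every host bit set, which is why it is always the last address of the block.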

So there it is – binary math, subnets, and now no chart to carry in your pocket. This website has a subnet calculator – good for reference and checking your work.

Update Nov 9, 2010 : Test your knowledge – take the quiz

