20421470 linux server installation configuration manual

Upload: anbu-raj

Post on 10-Apr-2018


8/8/2019 20421470 Linux Server Installation Configuration Manual (32 pages)

Redhat 9 SERVER INSTALLATION

Partition:
/boot      100 MB
/          10 GB
/home      10 GB
/var       10 GB
swap       double the RAM
/Profiles  30 GB

Packages: Select all server packages. Select all development packages. Kernel source. Do not select the samba and samba-swat packages.

DNS Configuration:

Check the DNS rpm:
# rpm -qa | grep bind

Now open /etc/named.conf and copy the 5 lines of the localhost zone entry to the end of the file:
# vi /etc/named.conf

This is a forward lookup zone entry:

zone "hitech.com" IN {
        type master;
        file "hitech.com.zone";
        allow-update { none; };
};

This is a reverse lookup zone entry:

zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "named.local.hitech";
        allow-update { none; };
};

Copy 2 files in the directory /var/named:
(1) hitech.com.zone
(2) named.local.hitech

# cp /var/named/localhost.zone /var/named/hitech.com.zone
# cp /var/named/named.local /var/named/named.local.hitech

4. vi /var/named/hitech.com.zone

$ORIGIN hitech.com.
@               1D IN NS    hitech.com.
hitech.com.     1D IN A     192.168.100.1
mail            IN A        192.168.100.1
hitech.com.     IN MX 5     mail.hitech.com.

Note: every name on the right-hand side ends with a dot; without it BIND appends $ORIGIN and the NS target becomes hitech.com.hitech.com.

5. vi /var/named/named.local.hitech

Replace all localhost words with hitech.com.

Contents of named.local.hitech:

$TTL    86400
@       IN SOA  hitech.com. root.hitech.com. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   hitech.com.
2       IN PTR  hitech.com.

Note: In the above file, 2 stands for the last octet of the IP address.

Now edit /etc/resolv.conf:

# vi /etc/resolv.conf
nameserver 192.168.100.2      (give the server IP)
nameserver <ISP's DNS>

# service named restart
# rndc reload
# host hitech.com

qmail queries these:

# host -t MX hitech.com
# host mail.hitech.com
# host 192.168.100.1
# host -a hitech.com

Note: If there is a DNS lookup error on the client side, then iptables should be off (the firewall must at least let port 53 UDP and TCP through to the server).

If we implement qmail and other packages then we have to change the IP in the DNS file and in the other configuration files.
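As an added example (not from the manual), the shell below derives the reverse zone name and the PTR label from the server address, writes the forward and reverse zone data for hitech.com to stdout, and flags NS/MX targets that lack the trailing dot, the slip that turns hitech.com into hitech.com.hitech.com. The domain and addresses are the manual's; nothing is written under /var/named.

```shell
#!/bin/sh
# Added example, not from the manual: build the forward and reverse zone data
# for hitech.com from the server address, and check for unqualified targets.

# reverse_zone_name IP -> the /24 reverse zone, e.g. 100.168.192.in-addr.arpa
reverse_zone_name() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# ptr_label IP -> the last octet, which is the owner name of the PTR record
ptr_label() {
    echo "$1" | awk -F. '{ print $4 }'
}

# forward_zone DOMAIN IP SERIAL -> forward zone file on stdout.
# Every right-hand name ends in a dot so that $ORIGIN is not appended to it.
forward_zone() {
    domain=$1; ip=$2; serial=$3
    cat <<EOF
\$TTL 86400
\$ORIGIN ${domain}.
@       IN SOA  ${domain}. root.${domain}. (
                ${serial} ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
@       1D IN NS    ${domain}.
@       1D IN A     ${ip}
mail    1D IN A     ${ip}
@       IN MX 5     mail.${domain}.
EOF
}

# reverse_zone DOMAIN IP SERIAL -> reverse zone file on stdout
reverse_zone() {
    domain=$1; ip=$2; serial=$3
    cat <<EOF
\$TTL 86400
@       IN SOA  ${domain}. root.${domain}. (
                ${serial} ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   ${domain}.
$(ptr_label "$ip")       IN PTR  ${domain}.
EOF
}

# unqualified_targets FILE -> NS/MX/CNAME targets without a trailing dot.
# BIND would silently read such a target relative to $ORIGIN.
unqualified_targets() {
    awk '/^[$;]/ { next }
         / (NS|MX|CNAME) / { t = $NF; if (t !~ /\.$/) print t }' "$1"
}

if [ "${1:-}" = "demo" ]; then
    forward_zone hitech.com 192.168.100.1 2019080801
    reverse_zone hitech.com 192.168.100.2 2019080801
fi
```

Run it with the argument demo to see both files; run unqualified_targets over an existing zone file before rndc reload to catch the missing-dot mistake before the server serves it.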

Samba Configuration:

(1) First you have to remove all old samba rpms if installed:
# rpm -e --nodeps samba
# rpm -e --nodeps samba-common
# rpm -e --nodeps samba-client
# rpm -e --nodeps samba-swat      (if installed)

Install all new samba rpms from the Red Hat Enterprise CDs:
samba-swat-3.0.0-15
samba-common-3.0.0-14.3E    from CD-2
samba-3.0.0-14.3E           from CD-3
samba-client-3.0.0-14.3E    from CD-2

If the rpm is not found, download it from the net and then follow this procedure (if it is a source rpm):
# rpmbuild --rebuild <samba source rpm name>

Now we have to edit the /etc/samba/smb.conf file.

Contents of the file, lines which are edited in the Global section:

[global]
        workgroup = HITECHEXPORT
        server string = Hi-Tech Export PDC Server
        #interfaces = eth0, lo
        #bind interfaces only = Yes
        obey pam restrictions = Yes
        pam password change = Yes
        hosts allow = 192.168.100. 127.
        printing = cups
        log file = /var/log/samba/%m.log
        max log size = 0
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
        local master = Yes
        os level = 99
        domain master = Yes
        preferred master = Yes
        domain logons = Yes
        logon script = %U.bat
        logon path = \\%L\Profiles\%U
        dns proxy = No
        log level = 1

# mkdir -p /home/samba/netlogon      (same as in the smb.conf file)

To check users:
# vi /etc/passwd

To check whether the smbpasswd file is blank or not (at this point it is still blank):
# vi /etc/samba/smbpasswd      (no use if the smbpasswd file is directly copied from the PDC server)

To convert normal users to samba users.
Note: Fire this command only if the smbpasswd file is blank.
# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

We must give root an smbpasswd entry; this is the domain admin password:
# smbpasswd root

To append a user's password to the existing smbpasswd file:
# smbpasswd -a user

Now restart the smb service:
# service smb restart

To check whether the configuration is OK, type:
# net getlocalsid      (fire on the PDC)
# net rpc getsid       (only works on the BDC)

Note: To copy the SID from PDC to BDC give the command net rpc getsid. We should also check this line in the PDC smb.conf:

add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u

If any machine does not join the domain then you have to create the machine trust account manually:
# useradd -g samba-clients -d /dev/null -s /bin/false machinename$
# passwd -l machinename$
# smbpasswd -a -m machinename

If there is a secondary PDC, then set (else it would create a problem for the login of users):
domain logons = No

Only for the BDC, in smb.conf:
os level < PDC
preferred master = No

domain master = No

In /etc/samba/smb.conf the following should be adjusted on the BDC:
preferred master = No
domain master = No
os level < PDC
server string = instead of PDC write BDC

Note: Also copy the following files from the PDC server:
/etc/passwd
/etc/samba/smbpasswd
/etc/shadow
/etc/gshadow
/etc/group
/Profiles/
/home/

If there is any error while joining the domain, it is possible that the PDC may take 10 min. to broadcast the SID.

The /Profiles name should be the same in the smb.conf file and in the fstab file.

If any user is not able to login then on the PDC: chmod -R 777 /Profiles. You can delete the partition of /Profiles if any error is found in it.

(3) Give the .recycle folder permission 333:
# chmod -R 333 /NewEDrive/<path where .recycle is>

Note: Whenever you copy/paste into an original file of the server, kindly take a backup of that original file first and then copy/paste.

To create a new group and transfer users to it. Ex.: we want to transfer the users of the autocad group into a new group surajn.

First we have to create the new group called surajn:
# groupadd surajn

Now find the autocad group id in /etc/group and write it down. To find the autocad group id fire this command:
# grep autocad /etc/group

Now find the above id in /etc/passwd with the help of the following command (the primary group id is the fourth colon-separated field):
# grep '<id number>' /etc/passwd

Now change the user's group:
# usermod -g <new groupname> username

Second Ex.

Add a group called abc:
# groupadd abc

Add user xyz in group abc:
# adduser -g abc xyz

If user xyz is in 2 groups then fire this command:
# adduser -g abc -G pqr xyz

Note: In this case user xyz's primary group is abc and the secondary group is pqr.

To change a user's primary group:
# usermod -g xyz user

HOME Directory:

If there is no home directory for a user then you can create his home directory:
# mkdir -p /home/sanjeevm
# chown -R sanjeevm /home/sanjeevm
# usermod -d /home/sanjeevm/ sanjeevm
This is useful for Webmail etc.

Note: When you add a new share in samba, then you have to do:
# mkdir -p /NewFolder/.recycle
# chmod -R 2777 /NewFolder      (sgid set on this folder to maintain quota)
# chmod -R 333 /NewFolder/.recycle
# chgrp -R groupname /NewFolder
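The group-transfer procedure above finds the gid with a bare grep, which can also match a uid, a member list or a longer group name. The script below is an added example, not from the manual: it runs the same lookup on constructed copies of /etc/group and /etc/passwd (no real accounts are touched) with field-exact matching, and prints the usermod commands the procedure would run so they can be reviewed before they are applied. Apart from sanjeevm, the user names are made up.

```shell
#!/bin/sh
# Added example, not from the manual: list the users whose primary group is
# "autocad" and print the usermod commands that would move them to "surajn".
# Constructed copies of /etc/group and /etc/passwd are used, so this runs
# without root and changes nothing.

GROUP_FILE=$(mktemp)
PASSWD_FILE=$(mktemp)
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
samba-clients:x:600:
autocad:x:601:
autocad2:x:6011:
surajn:x:602:
EOF
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sanjeevm:x:1001:601:Sanjeev:/home/sanjeevm:/bin/bash
anilt:x:1002:601:Anil:/home/anilt:/bin/bash
hiteshp:x:1003:600:Hitesh:/home/hiteshp:/bin/bash
pc12$:x:1004:600::/dev/null:/bin/false
trainee:x:601:6011:Trainee:/home/trainee:/bin/bash
EOF

# gid_of GROUPFILE NAME -> numeric gid; the whole first field must match,
# so "autocad" does not also pick up "autocad2".
gid_of() {
    awk -F: -v g="$2" '$1 == g { print $3 }' "$1"
}

# primary_members PASSWDFILE GID -> logins whose 4th field (primary gid) is GID.
# A plain "grep 601" would also hit user trainee, whose uid is 601.
primary_members() {
    awk -F: -v gid="$2" '$4 == gid { print $1 }' "$1"
}

# plan_move GROUPFILE PASSWDFILE OLDGROUP NEWGROUP -> one usermod per user
plan_move() {
    old_gid=$(gid_of "$1" "$3")
    [ -n "$old_gid" ] || { echo "no such group: $3" >&2; return 1; }
    [ -n "$(gid_of "$1" "$4")" ] || { echo "no such group: $4" >&2; return 1; }
    for u in $(primary_members "$2" "$old_gid"); do
        echo "usermod -g $4 $u"
    done
}

if [ "${1:-}" = "demo" ]; then
    plan_move "$GROUP_FILE" "$PASSWD_FILE" autocad surajn
fi
```

Point the two variables at the real /etc/group and /etc/passwd and pipe the output through sh only after reading it; the script deliberately prints commands instead of running them.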

Swat

This is a web-based tool to configure the samba server.

# vi /etc/xinetd.d/swat
        disable = no
        only_from = 192.168.100.0/24

Quota

To set quota on a share folder follow these steps.

1. Edit the /etc/fstab file (entry in fstab):
/dev/sdb1    /Ddrive    ext3    defaults,usrquota,grpquota    0 0

2. Now create 2 files in /Ddrive. These are the quota database files; never delete them.
# touch /Ddrive/aquota.user
# touch /Ddrive/aquota.group

3. Now check quota on the disk:
# quotacheck -vgum /Ddrive

4. Now turn quota on:
# quotaon /Ddrive

5. To set quota on a folder/group:
# setquota -g grpname 1000 2000 0 0 /dev/sdc1      (filesystem)
Note: 1000 is the soft limit of file size and 2000 is the hard limit of file size (both in 1 KB blocks). 0 0 is the number-of-files limit; 0 refers to unlimited, meaning the user can create an unlimited number of files in the folder.

6. To check quota:
# repquota -avg

Sgid:

To set sgid on a folder:
# chmod -R 2777 /path/of/share/folder

Note: In every share folder we have to set sgid to maintain quota.

Rsync

This script is used for taking backup.

# vi /etc/xinetd.d/rsync
        disable = no

Note: In the rsync script for backup, when you take a backup of the whole folder then you have to exclude lost+found (not necessary).

Whenever we change anything in the /etc/xinetd.d directory we have to restart the xinetd service.

Fdisk

Using fdisk:
# fdisk /dev/hdc
p                  print the partition table
n                  new partition; asked for extended (e) or primary (p)
                   Select e or p, then give the partition number.
First cylinder     press enter
Last cylinder      +150000 (150 GB)
w                  write to disk

Now format the partition:
# mkfs -t ext3 /dev/hda1

If it does not format, fire this command and then fire the above command again:
# partprobe

NIS Configuration

If we want linux desktop users to login on the server we have to configure an NIS server. In our scenario we do not use the NIS server because there are lots of problems on the client side, like desktop hangs and PCs working slowly.

For the server side:

Rpms required for NIS:
yp-tools
ypbind
ypserv

# domainname

Give the NIS domain entry:
# vi /etc/sysconfig/network
NISDOMAIN=XYZ.com

# echo XYZ.com > /var/yp/ypdomain

Note: ypdomain does not exist; we have to create this file using the above command.

# domainname

Start the services ypserv, yppasswdd and ypxfrd:
# service ypserv start
# service yppasswdd start
# service ypxfrd start

To move the /etc/passwd file data into the NIS maps (or update the NIS password file) type:
# /usr/lib/yp/ypinit -m
next host to add: xyz.com
Ctrl+D

# rpm -qa | grep nfs-utils

To export any share of the server using NFS:
# vi /etc/exports
/home    *(rw,sync)
:wq

Note: * exports /home to every host that can reach the server; restricting the entry to the LAN, e.g. 192.168.100.0/24(rw,sync), is the usual practice.

Start the NFS service:
# service nfs start
# service nfs status

To check remote services:
# rpcinfo -p localhost

To check which folders we export:
# exportfs

NFS on Client side

To mount the home folder of the server, edit the /etc/fstab file:
# vi /etc/fstab
192.168.100.10:/home    /home    nfs    defaults,soft    0 0

Start the ypbind service:
# service ypbind start

# authconfig      (then follow the instructions)

Syslog

To view the system log this service must be started.
# vi /etc/syslog.conf
*.debug    /var/log/messages

Add the above line to check the system log in depth.

Cron tab

# vi /var/spool/cron/root
MAILTO=<mail id>

Note: To forward the mail of logs to a specific email id, go to usermin and do mail forwarding.

You can forward mails coming to root to any other user by creating a file in root's home directory: vi .forward and write the mail address in it (e.g. a placeholder such as user@example.com). This will work only for sendmail and not for qmail or others.

For qmail you will have to create the file as under (if it does not exist):
# vi /var/qmail/alias/.qmail-root
or
# echo emailid > /var/qmail/alias/.qmail-root

SSH Server

To login from one server to another server without a password we have to configure this. We are using it for taking backup of data through rsync.

Login from the BDC to the PDC server.

On the PDC server:
# ssh-keygen -t dsa

Now on the BDC server:
# ssh-keygen -t dsa
# scp -p /root/.ssh/id_dsa.pub 192.168.100.2:/root/.ssh/authorized_keys      (192.168.100.2 is the IP of the PDC server)

If you don't want the existing keys to get overwritten then:
# scp -p /root/.ssh/id_dsa.pub <IP of PC>:/root
Go to the above given IP PC and:
# cat id_dsa.pub >> .ssh/authorized_keys

Note: Only the public key (id_dsa.pub) is ever copied. The private key id_dsa stays in /root/.ssh on the BDC; it is never sent to the other machine or appended to authorized_keys.
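As an added example (not from the manual), the check below inspects an authorized_keys file for the two mistakes the scp/cat step above invites: private-key material pasted in by accident and the same key appended twice by repeated runs. The file and its key blobs are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Added example, not from the manual: audit an authorized_keys file built by
# the scp/cat steps above. The file and its key blobs are constructed.

KEYS=$(mktemp)
cat > "$KEYS" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBAK1bdc0000 root@bdc
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0backup0000 backup@proxy
ssh-dss AAAAB3NzaC1kc3MAAACBAK1bdc0000 root@bdc
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQC0constructed0000
-----END DSA PRIVATE KEY-----
EOF

# public_keys FILE -> the key blobs (2nd field) of lines that look like
# OpenSSH public keys: key type, then base64 data, then an optional comment
public_keys() {
    awk '$1 ~ /^ssh-(dss|rsa)$/ && NF >= 2 { print $2 }' "$1"
}

# key_count FILE -> number of public-key lines
key_count() {
    public_keys "$1" | wc -l | tr -d ' '
}

# duplicate_keys FILE -> blobs that appear more than once, each printed once
duplicate_keys() {
    public_keys "$1" | sort | uniq -d
}

# private_material FILE -> number of PEM private-key header lines; must be 0.
# grep -c exits 1 when the count is 0, hence the "|| true".
private_material() {
    grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true
}

# audit FILE -> prints one line per problem; exit status 0 only when clean
audit() {
    rc=0
    if [ "$(private_material "$1")" -ne 0 ]; then
        echo "private key material present in $1"; rc=1
    fi
    for k in $(duplicate_keys "$1"); do
        echo "duplicate key: $k"; rc=1
    done
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    audit "$KEYS" || echo "audit failed"
fi
```

A private key line in authorized_keys is never valid, so its presence always means the wrong file was copied; the fix is to remove the lines and generate a new key pair, since the old private key has been exposed.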

Usermin

Password change procedure: with the help of usermin we can change the samba and system passwords, and send mail.

Install webmin. Select the usermin option. Now click on the install tab.

After installation of the usermin rpm select module restriction. Then add user restriction. Then select all users. Click on the change password tab.

Apache

# vi /etc/httpd/conf/httpd.conf
Uncomment this line:
NameVirtualHost <server ip>

Copy the 7-line virtual host block and uncomment all its lines:

<VirtualHost 192.168.100.4>
    ServerAdmin .........................................
    DocumentRoot /var/www/webs      (set the path of index.html)
    ServerName hitech.com
    ..............................................................................
</VirtualHost>

Note: If we create an index.html file and put it in /var/www/webs/, then we have to:
# chown -R apache:apache /var/www/webs/

Whenever we change the httpd.conf file we have to restart the httpd service:
# service httpd restart

Grub

File: /etc/grub.conf
How to generate a boot loader password after installation.

# grub-md5-crypt

Then copy the md5 password into grub.conf under the splashimage line:
password --md5 <paste the password (md5 formatted)>

Contents of grub.conf (with password):

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd0,0)
#          kernel /boot/vmlinuz-version ro root=/dev/hdc1
#          initrd /boot/initrd-version.img
#boot=/dev/hdc
default=0
timeout=10
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
password --md5 $1$wKPul0$7bMy79pnEE6UoEZYuS4dl0
title Red Hat Linux (2.4.20-8)
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.20-8 ro root=LABEL=/
        initrd /boot/initrd-2.4.20-8.img

After changes in grub.conf we must fire the following command to implement the changes:
# grub-install /dev/hdc

Lilo

# cp /etc/lilo.conf.anaconda /etc/lilo.conf      (if not configured)

# vi /etc/lilo.conf
Contents of lilo.conf:

prompt
timeout=50
default=Jay
boot=/dev/hdc
map=/boot/map
install=/boot/boot.b
restricted
password=redhat4299
message=/boot/message
linear

image=/boot/vmlinuz-2.4.20-8
        label=Jay
        initrd=/boot/initrd-2.4.20-8.img
        read-only
        append="root=LABEL=/"

Note: if we change the label then we must change default. Both label and default are the same.

Note: lilo stores this password in clear text, so lilo.conf should be readable by root only (chmod 600), and lilo reads the file only when /sbin/lilo is run, so run it after every edit.

Send Mail

Rpms required for sendmail:
sendmail-8.12.8-4
sendmail-cf-8.12.8-4

We can't change the sendmail.cf file directly, so change the sendmail macro file, which is sendmail.mc.

# vi /etc/mail/sendmail.mc      (lines which are edited)

define(`SMART_HOST',`mail.reliadat.com')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
Note: Addr=0.0.0.0 is for external access (listen on all interfaces, not only 127.0.0.1).
FEATURE(`accept_unresolvable_domains')dnl      (if this feature is enabled we can send & receive mail from any network)
LOCAL_DOMAIN(`mail.reliadat.com')dnl

Now open the access file.

We cannot change access.db directly, so open:
# vi /etc/mail/access
192.168.100    RELAY      (in place of RELAY it can be REJECT or DISCARD; sendmail has no DROP action)
Comment all lines and add:
127.0.0.1      RELAY

Note: the access map matches on the address prefix, so the LAN is written as 192.168.100, not as 192.168.100.0/24. With the daemon on 0.0.0.0, these two RELAY entries are what keeps the server from being an open relay: only the LAN and localhost may relay, everything else only gets local delivery.

1. To build access.db from the access file:
# makemap hash /etc/mail/access.db < /etc/mail/access

2. To convert sendmail.mc to sendmail.cf:
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

3. Add the host entry:
# vi /etc/hosts
127.0.0.1    servername mail.reliadat.com localhost

4. # service sendmail restart

5. To check sendmail:
# ps aux | grep sendmail

Now edit the ipop3 file:
# vi /etc/xinetd.d/ipop3
Change: disable = no
# service xinetd restart

Note: IPTables should be off in all run-levels.

Stop the qmail service:
# qmailctl stop
qmail has its own ipop3, and sendmail has its own ipop3. So if you remove qmail then its ipop3 is also removed, so if you install sendmail after removing qmail then you have to install imap, which installs ipop3.

GNFC 3rd:

PDC = mail.reliadat.com (qmail configured)
BDC = mail.bdc.com

Squirrelmail

To check the rpm for squirrelmail:
# rpm -qa | grep squirrel

# cd /usr/share/squirrelmail/config/
# ./conf.pl      Change the options as required

# vi /etc/httpd/conf/httpd.conf
Note: give the path of the Squirrelmail index.php (/usr/share/squirrelmail/index.php)

Content of httpd.conf (virtual host block):

    ServerAdmin <admin mail id>
    DocumentRoot /usr/share/squirrelmail/
    ServerName reliadat.com
    ErrorLog /var/log/mail.reliadat.com
    # CustomLog logs/dummy-host.example.com-access_log common

Note: You have to change disable = no in /etc/xinetd.d/imap and /etc/xinetd.d/imaps and restart the xinetd service. The IPTables service should be off in all runlevels.

Squid

Introduction: Two important goals are:
- Reduce Internet bandwidth charges.
- Limit access to the Web to only authorized users.

The Squid web caching proxy server can achieve both these goals easily. Users configure their web browsers to use the Squid proxy server instead of going to the web directly. The Squid server then checks its web cache for the web information requested by the user. It will return any matching information that it finds in its cache, and if not, it will go to the web to find it on behalf of the user. Once it finds the information, it will populate its cache with it and also forward it to the user's web browser.

This reduces the amount of data accessed from the web. Another advantage is that you can configure your firewall to only accept HTTP web traffic from the Squid server and no one else. Squid can then be configured to request usernames and passwords for each user that uses its services. This provides simple access control to the Internet.

Advantages of Squid are: caching images and files on a server shared by all, so Internet bandwidth charges can be reduced.

Squid's password authentication feature is well liked because it allows only authorized users to access the Internet.

It increases HTTP security, and we can block a particular website using only a keyword, not the URL.

Configuration:

To check the squid rpm:
# rpm -qa | grep squid

Note: Get a printout of squid.conf from the proxy server.

Squid users and passwords on the terminal:
# htpasswd -c /etc/squid/squid_passwd username
-c is used if the password file does not exist. Else you can omit -c.

If we edit squid.conf we must restart the squid service:
# service squid restart

If ncsa is not found:
# locate ncsa_auth

Cache rebuild:
# /usr/sbin/squid -f /etc/squid/squid.conf -z
# service squid restart

IP Forwarding:
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p      (to apply ip forwarding)

Note:
# chmod 744 /etc/squid/squid_passwd
# chmod 744 /etc/squid/squid.conf
# chown squid /etc/squid/squid_passwd
# chown squid /etc/squid/squid.conf
(The password file name must be the same one given to htpasswd and in squid.conf. Mode 744 leaves the password hashes world-readable; 640 with the squid user as owner is enough for ncsa_auth to read it.)

To create the cache log:
# touch /var/log/squid/cache.log

Squidguard tool

Introduction: This tool is used to block websites by URL and to block websites user-wise. Ex.: if we want only directors and PMs to be able to surf gmail.com and others not to be allowed to surf gmail.com.

How do squid, squidguard and the blacklist work? The user types www.google.com in the browser; first the browser asks for proxy authentication. If the user is authorized then he can go ahead, otherwise the user is not able to access any site. If any regex is found in the URL then squid also blocks the request. If not, squid redirects the request to squidguard (squidguard.conf).

In squidguard.conf we define ACLs, i.e. rules for who is allowed or disallowed to reach which website. The database of the blacklist (blocked websites) is also defined here. When a request comes to squidguard, squidguard checks the blacklist database; if the URL is found in the blacklist file then squidguard redirects it to the particular website which we define in squidguard.conf. If the URL is not found in the blacklist it will go to the web to find it on behalf of the user. Once it finds the information, it will populate its cache with it and also forward it to the user's web browser.

# vi /etc/squid/squidguard.conf

Note: Get a printout of squidguard.conf from the proxy server.

Download SquidGuard and the Blacklist.

Install the above packages. Copy the porn folder from /Blacklist to the squidguard directory:
# cd /Blacklist
# cp -r porn/ /var/lib/squidguard/
# cp -r ads/ /var/lib/squidguard/
# cp -r aggressive /var/lib/squidguard/
# cp -r audio-video /var/lib/squidguard/
# cp -r drugs /var/lib/squidguard/
# cp -r gambling /var/lib/squidguard/
# cp -r hacking /var/lib/squidguard/
# cp -r proxy /var/lib/squidguard/
# cp -r violence /var/lib/squidguard/
# cp -r warez /var/lib/squidguard/

You can add your list of websites to /var/lib/squidguard/porn/domains or /var/lib/squidguard/porn/urls.

We have blocked the following domains/websites:
desibaba.com
espnstar.com
porngirl.com
pkronline.com
sexworld.com
musicindia.com
raaga.com
mail.com
onlinemusic.com
onlinevideo.com
videoonline.com
indiafm.com
musiconline.com
onlinemovie.com
movieonline.com
adult.com
games.com
gmail.com
yahoo.com
hotmail.com
sify.com
indiatimes.com
rediff.com
rediffmail.com
azesearch.com

Note: We have removed keywords like sex and music from the Gnfc 6th proxy server (squid.conf) at the request of Anil Thoria and Vijaybhai. Removed the below sites from squidguard for Hitesh Patel:
www.altavista.com
www.metacrawler.com
www.excite.com

Removed the below site from squidguard for Binoj:
www.hollywood.com

To access websites user-wise: create a file called legal in /var/lib/squidguard/porn/. Add the website names which we don't want to block to this file.

Now create another file called users in /var/lib/squidguard/porn/. Add the users which we want to allow to access the above websites.
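The evaluator below is an added example, not from the manual and not squidGuard code. It shows how the porn/domains blacklist, the legal exception list and the users list described above combine for one user and one host. squidGuard domain lists match the listed domain and every subdomain of it; the allow-before-block order for legal/users is an assumption about how the site's squidguard.conf (not reproduced in the manual) wires those two files. The list files are constructed from the names on this page; the user names are made up.

```shell
#!/bin/sh
# Added example, not from the manual and not squidGuard itself: decide whether
# USER may reach HOST given the domains blacklist, the "legal" exception list
# and the "users" list. The files are constructed copies.

BL=$(mktemp); LEGAL=$(mktemp); USERS=$(mktemp)
printf '%s\n' desibaba.com espnstar.com gmail.com yahoo.com hotmail.com rediff.com > "$BL"
printf '%s\n' gmail.com yahoo.com hotmail.com rediff.com rediffmail.com indiatimes.com > "$LEGAL"
printf '%s\n' director1 pm1 hiteshp > "$USERS"

# in_domain_list LISTFILE HOST -> exit 0 if HOST is a listed domain or a
# subdomain of one (mail.gmail.com matches gmail.com; notgmail.com does not)
in_domain_list() {
    awk -v h="$2" '
        NF == 0 { next }
        h == $1 || substr(h, length(h) - length($1)) == ("." $1) { found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# in_list LISTFILE WORD -> exit 0 if WORD is an exact line of LISTFILE
in_list() {
    grep -qx "$2" "$1"
}

# decide USER HOST -> prints ALLOW or BLOCK
decide() {
    user=$1; host=$2
    # assumption: the legal/users pair is checked before the blacklist
    if in_domain_list "$LEGAL" "$host" && in_list "$USERS" "$user"; then
        echo ALLOW; return
    fi
    if in_domain_list "$BL" "$host"; then
        echo BLOCK; return
    fi
    echo ALLOW
}

if [ "${1:-}" = "demo" ]; then
    for u in pm1 staff1; do
        for h in mail.gmail.com www.google.com desibaba.com; do
            echo "$u $h: $(decide "$u" "$h")"
        done
    done
fi
```

Note that a name in legal only helps a user who is also in users; desibaba.com is blocked for everyone because it is in the blacklist and not in legal, and a lookalike such as notgmail.com is not caught by the gmail.com entry at all.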

The following websites are allowed for the Directors, PM and Technical groups:
hotmail.com
yahoo.com
gmail.com
rediff.com
rediffmail.com
indiatimes.com

The modules below are configured the same way on the Proxy and the BDC server:
1. Squid
2. Squidguard
3. Iptables rules and tcp wrappers
4. Squid report

In Apache create a Virtual Host: /var/www/html/. Create an index.html file for "Access Denied" and paste it in /var/www/html/.
# chown apache /var/www/html/index.html

Start the httpd service:
# service httpd start

Samba, DNS and IP details of all branches:

Gnfc 6
PDC      = 192.168.100.2 - eth0
BDC      = 192.168.100.3 - eth0
SMB WGRP = Hitechexport
DNS      = hitech.com
Proxy    = Icenet - 203.88.147.195 - eth2
           Gilp   - 203.77.194.67  - eth1
           Local  - 192.168.100.7  - eth0

Reliadat
PDC      = 192.168.2.3 - eth0
BDC      = 192.168.2.2 - eth0
SMB WGRP = Reliadat
DNS      = reliadat.com

1. Server Configuration

Gnfc6 Server Configuration:

             PDC                          BDC                  Proxy
Motherboard  Intel                        Asus p4800delux      Asus p4800delux
CPU          Xeon dual processor 3.0GHz   P4-2.8GHz            P4-2.8GHz
RAM          2 GB                         1 GB                 1 GB
HDD          1. SCSI 76GB                 1. Seagate 40GB      1. Seagate 40GB
             2. SCSI 146GB                2. Seagate 120GB
             2. SCSI 146GB                3. Seagate 120GB
             2. WD 120GB IDE              4. Seagate 120GB

(The HDD entries are listed as they appear in the source; the numbering of the PDC disks is the source's.)

Reliadat Server Configuration:

             PDC                BDC
Motherboard  Intel865 gvsr      Intel845 gvsr
CPU          P4-3.0GHz          P4-2.6GHz
RAM          1 GB               1 GB
HDD          1. Seagate 120GB   1. Seagate 120GB
             2. Seagate 120GB   2. Seagate 120GB

To install the LAN card of the ASUS motherboard we have to compile the kernel source code.

Installation Instructions for the sk98lin Driver.

Unpack the driver installation package using the command:
# tar xvfj install-???.tar.bz2

After the driver installation package is unpacked, type the following commands to start the sk98lin driver build process:
# cd DriverInstall
# ./install.sh

Select the driver installation mode (User).

To compile the Linux kernel, proceed as follows:

Go to the directory /usr/src and remove all symbolic links to old Linux sources, then:
# cd /usr/src
# make xconfig

Select the options you want to compile into the new kernel.

- For the kernel 2.4.x family:
  a. Select the menu "Network Device Support".
  b. Select "Ethernet (1000 Mbit)".
     To integrate the driver permanently into the kernel, mark "Marvell Yukon Chipset/SysKonnect SK-98xx Support" with (*).
  Select "Exit".

After booting the Linux kernel and compiling the driver as a loadable kernel module (LKM), the driver needs to be loaded. Enter "modprobe sk98lin".

NOTE: For further information (e.g. the driver parameters) refer to the sk98lin.txt file.

IPTables

Introduction: With the help of iptables we can block ports and anonymous requests, and do port forwarding, routing and filtering.

In our scenario we use iptables for NATing and virus-port blocking.

Configuration: There is a file /etc/rc.d/rc.local; when the system starts, the line added in /etc/rc.d/rc.local gets executed. The line is: /root/icenet.sh

There are 2 files in /root:

gipl.sh
    ifdown eth0
    ifdown eth1
    ifdown eth2
    ifup eth1
    ifup eth0
    /etc/rc.d/rc.gipl

icenet.sh
    ifdown eth0
    ifdown eth1
    ifdown eth2
    ifup eth1
    ifup eth2
    /etc/rc.d/rc.icenet

Now the file /etc/rc.d/rc.gipl:

#!/bin/sh
#IPTABLES=/sbin/iptables
iptables -F -t nat

#####DMZ#################
#Addison Pc######
iptables -I PREROUTING -t nat -d 203.77.194.104 -j DNAT --to-destination 192.168.100.41
iptables -I POSTROUTING -t nat -s 192.168.100.41 -j SNAT --to-source 203.77.194.104
###Comp 5############
iptables -I PREROUTING -t nat -d 203.77.194.101 -j DNAT --to-destination 192.168.100.35
iptables -I POSTROUTING -t nat -s 192.168.100.35 -j SNAT --to-source 203.77.194.101
###Comp 7############
iptables -I PREROUTING -t nat -d 203.77.194.102 -j DNAT --to-destination 192.168.100.37
iptables -I POSTROUTING -t nat -s 192.168.100.37 -j SNAT --to-source 203.77.194.102
###Comp 8############
iptables -I PREROUTING -t nat -d 203.77.194.103 -j DNAT --to-destination 192.168.100.38
iptables -I POSTROUTING -t nat -s 192.168.100.38 -j SNAT --to-source 203.77.194.103
iptables -I PREROUTING -t nat -s 192.168.100.0/24 -j ACCEPT
###################################

iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#########Port Forwarding For VNC Connection#############################################
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 -j DNAT --to 192.168.100.14:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 --dport 80 -j DNAT --to 192.168.100.14:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.69 -j DNAT --to 192.168.100.191:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.69 --dport 80 -j DNAT --to 192.168.100.191:5900

#########Ip Routing#########################
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0 gw 192.168.100.1
############################################

iptables -F -t filter
#port 135 DCE Endpoint Resolution
iptables -I INPUT -p tcp --sport 135 -j DROP
iptables -I INPUT -p udp --sport 135 -j DROP
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I INPUT -p udp --dport 135 -j DROP
iptables -I FORWARD -p tcp --sport 135 -j DROP
iptables -I FORWARD -p udp --sport 135 -j DROP
iptables -I FORWARD -p tcp --dport 135 -j DROP
iptables -I FORWARD -p udp --dport 135 -j DROP

#port 445 Microsoft-DS
iptables -I INPUT -p tcp --sport 445 -j DROP
iptables -I FORWARD -p tcp --sport 445 -j DROP
iptables -I INPUT -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP

#port 4444 krb524
iptables -I INPUT -p tcp --sport 4444 -j DROP
iptables -I FORWARD -p tcp --sport 4444 -j DROP
iptables -I INPUT -p tcp --dport 4444 -j DROP
iptables -I FORWARD -p tcp --dport 4444 -j DROP

iptables -F -t mangle
iptables -t mangle -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
iptables -t mangle -I PREROUTING -m state --state INVALID -j DROP
iptables -t mangle -I PREROUTING -m unclean -j DROP

#iptables -I INPUT -p tcp -s 203.77.194.66 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.77.194.94 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.34 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.62 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.27 -j ACCEPT
#iptables -I INPUT -p tcp -s 192.168.100.0/24 -j ACCEPT
#iptables -A INPUT -p tcp -j REJECT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo nameserver 203.77.198.101 > /etc/resolv.conf
echo nameserver 203.77.200.20 >> /etc/resolv.conf

Note: The last two lines of the above file are there so that we do not need to change the DNS in resolv.conf manually; it takes the DNS automatically when this script is run. The IP Routing line is used to define a static route on eth0.
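Two properties of the rc.gipl script above are easy to misread from the listing alone: -I without a position inserts at the top of the chain, so the last -I line in the script is evaluated first (which is why the LAN ACCEPT ends up above all the DNAT rules), and a DNAT rule written without --dport forwards every port of the public address to the internal host. The shell below is an added example, not from the manual: it reads a script in this form and prints the effective evaluation order of one chain and the DNAT rules that have no port restriction. The sample script is a constructed subset of the rules above.

```shell
#!/bin/sh
# Added example, not from the manual: show the effective rule order of a
# nat chain built with -I and -A, and list DNAT rules without --dport.
# The rules file is a constructed subset of rc.gipl.

RULES=$(mktemp)
cat > "$RULES" <<'EOF'
#!/bin/sh
iptables -F -t nat
iptables -I PREROUTING -t nat -d 203.77.194.104 -j DNAT --to-destination 192.168.100.41
iptables -I POSTROUTING -t nat -s 192.168.100.41 -j SNAT --to-source 203.77.194.104
iptables -I PREROUTING -t nat -s 192.168.100.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 -j DNAT --to 192.168.100.14:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 --dport 80 -j DNAT --to 192.168.100.14:5900
EOF

# effective_order FILE TABLE CHAIN -> the rules of TABLE/CHAIN in the order
# the kernel walks them: every -I (no position given) goes to the top, so
# later -I lines come first; -A lines keep script order below all of them.
effective_order() {
    awk -v want_t="$2" -v want_c="$3" '
        $1 != "iptables" { next }
        {
            t = "filter"; c = ""; mode = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "-t") t = $(i + 1)
                if ($i == "-I" || $i == "-A") { mode = $i; c = $(i + 1) }
            }
            if (t != want_t || c != want_c) next
            if (mode == "-I") ins[++ni] = $0; else app[++na] = $0
        }
        END {
            for (i = ni; i >= 1; i--) print ins[i]
            for (i = 1; i <= na; i++) print app[i]
        }' "$1"
}

# open_dnat FILE -> "public -> internal" for each DNAT rule with no --dport,
# i.e. every port of the public address is forwarded to the internal host
open_dnat() {
    awk '$1 == "iptables" && / -j DNAT / && !/--dport/ {
            pub = "?"; dst = "?"
            for (i = 2; i <= NF; i++) {
                if ($i == "-d") pub = $(i + 1)
                if ($i == "--to" || $i == "--to-destination") dst = $(i + 1)
            }
            print pub " -> " dst
        }' "$1"
}

if [ "${1:-}" = "demo" ]; then
    echo "nat PREROUTING, evaluation order:"; effective_order "$RULES" nat PREROUTING
    echo "DNAT without --dport:"; open_dnat "$RULES"
fi
```

Run it over the real rc.gipl or rc.icenet to confirm that the LAN ACCEPT really sits first and to see which DMZ hosts are reachable on all ports; iptables -L -t nat -n --line-numbers shows the same order on a live system.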

FIREWALL

Rules to block/allow IPs on a particular Ethernet card:
iptables -I INPUT -p tcp -s <IP of the machine which wants to access our machine> -i <Ethernet interface of our machine> -j ACCEPT
For e.g.:
# iptables -I INPUT -p tcp -s 203.77.194.67 -i eth0 -j ACCEPT

Rules to block/allow an IP without naming the ethernet card:
# iptables -I INPUT -p tcp -s <ipaddr> -j ACCEPT

To reject all IPs:
# iptables -A INPUT -p tcp -j REJECT

To flush rules:
# iptables -F -t filter
# iptables -F -t nat
# iptables -F -t mangle

To list rules:
# iptables -L -t nat
# iptables -L -t filter
# iptables -L -t mangle

To block ports:
# iptables -I PREROUTING -t mangle -p tcp --dport 136 -j DROP
The above can be repeated for other ports also. (PREROUTING exists only in the nat and mangle tables; rc.gipl uses the mangle table for its PREROUTING DROP rules.)

In Reliadat: PDC / BDC both have the IPTABLES FILTER RULES ON.

To allot real IPs to a local machine from the Linux router (source NATing):
# iptables -I PREROUTING -t nat -d 203.77.194.66 -j DNAT --to-destination 192.168.100.10
# iptables -I POSTROUTING -t nat -s 192.168.100.10 -j SNAT --to-source 203.77.194.66
# iptables -I PREROUTING -t nat -s 192.168.100.0/24 -j ACCEPT

Note: The above rules should be applied before our NATing / squid / port filtering rules. We have to create an alias of the real-IP card when allotting a new real IP (i.e. eth0 is the Icenet IP, then eth0:1 is the new Icenet IP).

To access our local PC from an outside network with VNC viewer, add the following rules after our NATing rules:
# iptables -t nat -A PREROUTING -p tcp -d <Real IP> -j DNAT --to <local IP>:5900
# iptables -t nat -A PREROUTING -p tcp -d <Real IP> --dport 80 -j DNAT --to <local IP>:5800

To define an IP route:
# route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0 gw 192.168.100.1

Note: This is only for the Cisco 1751. If any request comes from the 192.168.0.0 network then the proxy uses the 192.168.100.1 gateway, not Xincom. This is special for the NLDC line.

    New Firewall

    TCPWrapper :

    This is another tool for increase security but it is not more power full thenIptables. Tcpwrapper is used for block particular daemon/port/services.In our scenario we block ssh service through tcp wrapper. Only selected ips are allowed toconnect our server using ssh service.All this security like Tcpwrapper and Iptables are set in proxy server.

    For Vastrapur

    #vi /etc/hosts.allow :
    sshd : 192.168.100.
    sshd : 203.77.194.67
    sshd : 203.77.194.93
    sshd : 203.88.141.19
    sshd : 203.88.141.18

    #vi /etc/hosts.deny :
    ALL:ALL EXCEPT 127.0.0.1 192.168.100.

    Add the blocking list given by GIPL to /etc/rc.d/rc.icenet and /etc/rc.d/rc.gipl.

    TCPWrapper : For GNFC 6th

    #vi /etc/hosts.allow :
    sshd: 192.168.100. 203.77.194.21 203.88.147.194

    #vi /etc/hosts.deny :
    ALL:ALL EXCEPT 127.0.0.1 192.168.100.

    Add the blocking list given by GIPL to /etc/rc.d/rc.icenet and /etc/rc.d/rc.gipl.

    TCPWrapper : For GNFC 3rd

    #vi /etc/hosts.allow :
    sshd : 192.168.2.
    sshd : 203.77.194.67
    sshd : 203.77.194.93
    sshd : 203.77.194.66
    sshd : 203.77.194.94
    sshd : 203.88.140.234

    #vi /etc/hosts.deny :
    ALL:ALL EXCEPT 127.0.0.1 192.168.100.

    Add the blocking list given by GIPL to /etc/rc.d/rc.gnfc on the PDC / BDC.
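An added, offline way to check what the hosts.allow / hosts.deny entries above actually permit (example code, not part of the manual): a small Python evaluator of the libwrap decision order, where a hosts.allow match grants, a hosts.deny match then refuses, and anything else is allowed, covering the ALL, EXCEPT and trailing-dot network patterns used at all three locations. The file contents are constructed copies of the Vastrapur and GNFC 3rd entries; function names and the client addresses checked are assumptions.

```python
"""Offline check of TCP wrapper (hosts.allow / hosts.deny) decisions, IPv4 patterns only."""

# Constructed copies of the entries from the manual (not read from /etc).
VASTRAPUR_ALLOW = """
sshd : 192.168.100.
sshd : 203.77.194.67
sshd : 203.77.194.93
sshd : 203.88.141.19
sshd : 203.88.141.18
"""
GNFC3_ALLOW = """
sshd : 192.168.2.
sshd : 203.77.194.67
sshd : 203.77.194.93
sshd : 203.77.194.66
sshd : 203.77.194.94
sshd : 203.88.140.234
"""
HOSTS_DENY = "ALL:ALL EXCEPT 127.0.0.1 192.168.100.\n"

def _token_matches(pattern, value):
    """ALL is a wildcard; a pattern ending in '.' is a network prefix; otherwise exact match."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return value == pattern

def _list_matches(spec, value):
    """'a b EXCEPT c d': match any of a/b, then drop the match if c/d also matches."""
    included, _, excluded = spec.partition(" EXCEPT ")
    if not any(_token_matches(p, value) for p in included.split()):
        return False
    return not any(_token_matches(p, value) for p in excluded.split())

def _file_matches(text, daemon, client):
    """True if any 'daemon_list : client_list' line matches; comments and blank lines skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if _list_matches(daemons.strip(), daemon) and _list_matches(clients.strip(), client):
            return True
    return False

def allowed(daemon, client, allow_text, deny_text=HOSTS_DENY):
    """libwrap order: a hosts.allow match grants, then a hosts.deny match refuses, else allow."""
    if _file_matches(allow_text, daemon, client):
        return True
    return not _file_matches(deny_text, daemon, client)
```

Note that only services compiled against libwrap (or run under xinetd) consult these files at all, so a result of True here still says nothing about ports that iptables must cover.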

    Services list for all locations:

    #chkconfig --list servicename
    #chkconfig --level 35 servicename on/off

    #service servicename status

    GNFC6:

    PDC:
      named     ON (35)
      crond     ON (35)
      squid     OFF (35)
      iptables  OFF (35)
      smb       ON (35)
      sendmail  ON (35)
      dhcp      OFF (35)

    BDC:
      named     ON (35)
      crond     ON (35)
      squid     OFF (35)
      iptables  OFF (35)
      smb       OFF (35)
      sendmail  ON (35)
      dhcp      OFF (35)

    Proxy server:
      named     ON (35)
      crond     OFF (35)
      squid     ON (35)
      iptables  ON (35)
      smb       OFF (35)
      sendmail  ON (35)
      dhcp      ON (35)

    GNFC 3rd

    PDC:
      named     ON (35)
      crond     ON (35)
      squid     OFF (35)
      iptables  ON (35)
      smb       ON (35)
      dhcp      OFF (35)

    QMAIL - ON

    BDC:
      named     ON (35)
      crond     OFF (35)
      squid     OFF (35)
      iptables  ON (35)
      smb       OFF (35)
      sendmail  ON (35)
      dhcp      OFF (35)

    Note:

    Fstab file: In /etc/fstab the last two columns (dump and fsck pass) should be 0 0 and not 1 2.

    Tmpwatch:
    Tmpwatch checks the access time of files and removes those not accessed within the given number of hours. For example:
    #/usr/sbin/tmpwatch --atime -v 48 /NewEDrive/Anil/.recycle
    Also make an entry in crontab for the same by creating a shell script (recycle.sh) for the above command. Give chmod 777 recycle.sh
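As an added illustration (not from the manual) of what the tmpwatch --atime run above does, here is the same access-time rule in Python with a dry-run option, so the selection can be checked before anything is deleted. The directory and files it operates on are a constructed fixture, not /NewEDrive/Anil/.recycle, and the function names are mine.

```python
"""Remove files not accessed for N hours, the way 'tmpwatch --atime N dir' does."""
import os
import tempfile
import time

def prune_unaccessed(root, hours, now=None, dry_run=False):
    """Walk root without following symlinks and unlink regular files whose atime is
    older than now - hours. Returns the paths removed (or, with dry_run, the paths
    that would be), which is what tmpwatch -v reports. Directories and symlinks stay."""
    cutoff = (time.time() if now is None else now) - hours * 3600
    removed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: never follow a link out of the tree
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if st.st_atime < cutoff:
                removed.append(path)
                if not dry_run:
                    os.unlink(path)
    return removed

def make_sample_tree(now):
    """Constructed fixture: a temp dir with one file last read 72h ago and one read 1h ago."""
    root = tempfile.mkdtemp(prefix="recycle-")
    old = os.path.join(root, "old.txt")
    new = os.path.join(root, "new.txt")
    for path in (old, new):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.utime(old, (now - 72 * 3600, now - 72 * 3600))   # (atime, mtime)
    os.utime(new, (now - 1 * 3600, now - 1 * 3600))
    return root, old, new

def remaining_files(root):
    """Names still present under root, for checking the outcome of a run."""
    return sorted(n for _d, _s, names in os.walk(root) for n in names)

if __name__ == "__main__":
    now = time.time()
    root, old, new = make_sample_tree(now)
    print("dry run would remove:", prune_unaccessed(root, 48, now, dry_run=True))
    print("removed:", prune_unaccessed(root, 48, now))
    print("left:", remaining_files(root))
```

Whatever script wraps the real tmpwatch call for cron runs as root, so it is worth keeping it root-owned and not writable by other users.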

    Log rotate

    #vi /etc/logrotate.conf (configuration file)
    For this to work, the syslog service should be ON.

    Rotation frequency options:
    daily
    weekly
    monthly
    yearly

    Note: In our case logs rotate = weekly.
    To check the logs: /var/log/secure

    USB Device

    When connecting a USB device for the first time you have to do:
    #fdisk /dev/sda
    and check it with:
    #fdisk -l

    #vi /etc/modules.conf
    There should be 1 line added if not present:
    alias usb-controller1 usb-uhci

    You have to format the USB device etc. the same as an IDE disk.

    #vi /etc/fstab
    Do not write it in /etc/fstab but mount it manually as:
    #mount /dev/sda1 /usb/NewEDrive

    Entry in fstab file:
    /dev/sda1 /usb/NewE_FDrive ext3 suid,rw 0 0

    Change Password Tool

    This is a third-party tool which you can download and install:
    #tar -zxvf changepasswd*.*
    #cd changepasswd*.*
    #./configure --enable-cgidir=/var/www/cgi-bin --enable-language=Portuguese \
        --enable-smbpasswd=/usr/local/samba/private/smbpasswd \
        --enable-squidpasswd=/etc/squid/passwd --enable-logo=opentech.jpg

    You can get the above options from the README file in /root/changepassword/.

    Entry in httpd.conf:

    ServerAdmin [email protected] /var/www/webs/

    Misc: Troubleshooting
    #telnet hitechexport.com 25
    Then, inside the SMTP session:
    ehlo localhost
    mail from: emailid
    rcpt to: emailid

    #lsmod
    #dmesg

    Dhcp: To view the dhcpd leases log:
    #vi /var/lib/dhcp/dhcpd.leases

    Squid: When pings get a reply but we are not able to surf, check the gateway using the command:
    #netstat -ar
    Add & remove gateway:
    #route add default gw 192.168.100.7
    #route del default gw 192.168.100.7

    To view cache.log:
    #route -C
    #tail -f /var/squid/cache.log
    #tail -f /var/squid/access.log

    Partition and Quota Details of PDC Server.

    Squid Report Generator

    SARG: Squid Analysis Report Generator is a tool that allows you to view "where" your users are going to on the Internet.

    Installation Notes:

    Download the sarg-2.0.9.tar.gz source code from http://sf.net.

    Now untar the above file.
    #tar zxvf sarg*.*

    Go to the sarg-2.0.9 directory.
    #cd sarg-2.0.9

    Now compile the source code.
    #./configure
    #make
    #make install

    Now edit the sarg.conf file in the /usr/local/sarg/ directory.
    Get a printout of sarg.conf from the proxy server.

    To generate the report from the command line:
    #sarg -l /var/log/squid/access.log

    Add the entry in cron: We generate the report every day at 12.10am.
    10 12 * * * sarg -l /var/log/squid/access.log

    Hard-Disk Details in HP Server.

    1. 76GB SCSI (Quota not set on this drive.)
       Device = /dev/sda
       /boot      100MB
       /home      10GB
       /Var       10GB
       /          10GB
       Swap       4GB
       /Profiles  30GB

    2. 146GB SCSI (Quota set on this drive.)
       Device = /dev/sdb
       /DDrive  78GB
       /EDrive  57GB

    3. 146GB SCSI (Quota set on this drive.)
       Device = /dev/sdb
       /FDrive  78GB
       /Gdrive  57GB

    4. 120GB IDE drive (Quota not set on this drive.)
       /Hdrive  52GB

    Share Details of each Drive on PDC Server.

    1. Ddrive
       Addison
       Champak
       DTP
       Heart
       Sanjeev

    2. EDrive
       BhaskarHome
       HMHome
       KetanHome
       NDHome
       Vijay
       BinojHome

       HR
       KPHome
       PBHome
       VijayHome
       HeratHome
       ItMatch
       ManishHome
       TapanHome

    3. Fdrive
       Auction
       Eoffice
       Finance
       GAD
       Shared
       Software
       Technical

    4. Gdrive
       Accounts
       CAD
       Marketing

    5. HDrive
       NewSource

    Quota on the above folders:

    1. Ddrive
       Addison   05GB
       Champak   25GB
       DTP       10GB
       Heart     25GB
       Sanjeev   10GB

    2. EDrive
       BhaskarHome  01GB
       HMHome       02GB
       KetanHome    01GB
       NDHome       01GB
       Vijay        25GB
       BinojHome    01GB
       HR           05GB
       KPHome       01GB
       PBHome       02GB
       VijayHome    01GB
       HeratHome    01GB
       ItMatch      05GB
       ManishHome   01GB

       TapanHome    01GB

    3. Fdrive
       Auction    02GB
       Eoffice    03GB
       Finance    05GB
       GAD        05GB
       Shared     20GB
       Software   10GB
       Technical  10GB

    4. Gdrive
       Accounts   10GB
       CAD        25GB
       Marketing  10GB

    5. HDrive
       NewSource  (-)

    Partition Details of BDC Server:

    No. of hard disks:
    1. 40GB IDE
       Device = /dev/hda
       /boot = 100MB
       /     = 10GB
       /Var  = 05GB
       /home = 10GB
       Swap  = 04GB

    2. 120GB IDE
       Device = /dev/hdb
       /DDrive   = 78GB
       /Profiles = 30GB

    3. 120GB IDE
       Device = /dev/hdc
       /EDrive = 60GB
       /GDrive = 51GB

    4. 120GB IDE
       Device = /dev/hdd
       /Fdrive = 78GB
       /Hdrive = 33GB

    Share Details of each Drive on BDC Server.

    1. Ddrive
       Addison
       Champak
       DTP
       Heart
       Sanjeev

    2. EDrive
       BhaskarHome
       HMHome
       KetanHome
       NDHome
       Vijay
       BinojHome
       HR
       KPHome
       PBHome
       VijayHome
       HeratHome
       ItMatch
       ManishHome
       TapanHome

    3. Fdrive
       Auction
       Eoffice
       Finance
       GAD
       Shared
       Software
       Technical

    4. Gdrive
       Accounts
       CAD
       Marketing

    5. HDrive
       NewSource