Internet Connection Sharing using Ubuntu 10.04 LTS as NAT Gateway

The following how-to describes how to configure an Ubuntu 10.04 LTS machine as a NAT (Network Address Translation) gateway that shares one Internet connection with a LAN.

Part A. Enabling IPv4 forwarding

A.1. Edit /etc/sysctl.conf (nano /etc/sysctl.conf) and uncomment (remove the hash mark from) the line #net.ipv4.ip_forward=1 so that it reads net.ipv4.ip_forward=1. Run sysctl -p to apply it without a reboot; cat /proc/sys/net/ipv4/ip_forward should then print 1.
A.2. Edit /etc/rc.local (nano /etc/rc.local) and add the following lines before the exit 0 line (eth0 is assumed to be the interface facing the Internet):

/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

The first line sets the FORWARD policy to ACCEPT, which forwards any packet that reaches the gateway, including packets arriving from the Internet side. That is fine for a lab; for anything exposed, replace it with rules that only forward traffic coming from the LAN interface plus the replies to connections the LAN opened. The second line rewrites the source address of packets leaving through eth0 to eth0's own address (MASQUERADE), which is the right choice when eth0 gets its address dynamically.

(to be continued)

Install Cacti on Ubuntu 10.04 LTS

Part A. Install and configure snmpd

1. Install command: apt-get install snmpd
2. Edit the file /etc/default/snmpd
3. Find the line SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1' and remove the trailing 127.0.0.1. Without a listening address snmpd binds to all interfaces, which is what a remote Cacti poller needs. If Cacti will run on this same host (as it does in this tutorial), leave 127.0.0.1 in place: it is sufficient and keeps SNMP off the network.
Save the changes.

4. Edit the file /etc/snmp/snmpd.conf
Find the line com2sec readonly  default  public
and replace the community string (public) with one of your own,
for example: com2sec readonly  default  unpatti
The community string is the only credential SNMP v2c has, and it crosses the network in clear text, so treat it like a password. The second field (default) accepts the community from any source address; when the poller is a known host, put that host's address or network there instead of default.
Save the changes.

5. Restart the SNMP daemon: /etc/init.d/snmpd restart
6. Test with the command: /usr/bin/snmpwalk -v 2c -c unpatti 127.0.0.1

Note: replace unpatti with the read-only community string of your server.
Note: In this tutorial MySQL and Apache2 are already installed and running.
Check whether the SNMP client tools are installed; if not, run apt-get install snmp php5-snmp
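As an added example (not part of the original tutorial), the following POSIX shell script checks an snmpd.conf and an SNMPDOPTS value for the two weak settings discussed above: a well-known community string (public or private) and a community accepted from any source address (default). It also prints a com2sec line that limits the community to the poller's address. The temporary file, the poller address 192.168.76.10 and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Audits the SNMP settings
# that the Cacti how-to touches. All inputs below are constructed.

# audit_snmpd_conf FILE
# Prints one WARN line per weak com2sec entry in FILE and returns 1 if any
# was found, 0 otherwise. Format of a com2sec line:
#   com2sec NAME SOURCE COMMUNITY
audit_snmpd_conf() {
    file=$1
    bad=0
    set -f                       # no glob expansion while splitting lines
    while IFS= read -r line; do
        # skip blank lines and comments
        case "$line" in ''|\#*) continue ;; esac
        # split the line into words on spaces/tabs
        set -- $line
        [ "$1" = "com2sec" ] || continue
        src=$3
        community=$4
        case "$community" in
            public|private)
                echo "WARN: well-known community '$community': $line"
                bad=1 ;;
        esac
        if [ "$src" = "default" ]; then
            echo "WARN: community accepted from any source address: $line"
            bad=1
        fi
    done < "$file"
    set +f
    return $bad
}

# snmpd_binds_everywhere "SNMPDOPTS value"
# Returns 0 when the option string ends without a listening address (snmpd
# then answers on every interface), 1 when an address is given.
snmpd_binds_everywhere() {
    last=${1##* }
    case "$last" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*|udp:*|tcp:*|udp6:*|tcp6:*) return 1 ;;
        *) return 0 ;;
    esac
}

# restricted_com2sec POLLER COMMUNITY
# Prints a com2sec line that accepts COMMUNITY only from POLLER, an address
# or a network such as 192.168.76.0/24.
restricted_com2sec() {
    printf 'com2sec readonly %s %s\n' "$1" "$2"
}

# Demonstration on a constructed snmpd.conf containing the stock line
tmp=$(mktemp)
printf 'com2sec readonly  default  public\n' > "$tmp"
audit_snmpd_conf "$tmp" || echo "snmpd.conf needs attention"
restricted_com2sec 192.168.76.10 unpatti > "$tmp"
audit_snmpd_conf "$tmp" && echo "restricted line passes"
rm -f "$tmp"
```

Run it against the real files with audit_snmpd_conf /etc/snmp/snmpd.conf; the SNMPDOPTS check takes the value from /etc/default/snmpd. The warnings are exactly the two things the tutorial changes, so the script is a quick way to confirm the edit did what was intended.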

Part B. Install Cacti

1. Install command: apt-get install cacti
2. press/choose ok to acknowledge message of Configuring libphp-adodb
3. configure database for cacti with dbconfig-common(y)? yes
4. supply Password of the database’s administrative user: your mysql root password
5. define MySQL application password for Cacti: yourpassword
6. Choose type of webserver to be used: Apache2 (OK)
… system will proceed with … selecting previously deselected package Gawk …
Finished.

7. Go to http://yourhost/cacti in a browser to continue the installation.
8. Cacti Installation Guide info, click Next
9. Choose: New Install and then Next
10. Cacti will show the following information
Database User: cacti
Database Hostname:
Database: cacti
Server Operating System type: Unix

11. Click Next
Make sure that RRDTool 1.3.x or higher is selected

12. Click Finish.
13. Log in for the first time at http://yourhost/cacti
user: admin
password: admin

14. Change the password when prompted.
15. Add your device:
Go to Management -> Devices -> Add

Personal Caching Domain Name Server with BIND9 on Windows Vista

BIND9 is a popular DNS server on *nix platforms and plays an important role as the open source DNS server for both the Internet and local area networks (LANs).
This article explains how to install the Win32 build of BIND9 as a personal caching DNS server on Windows Vista.

Step 1: Download the BIND9 Win32 binary from the Internet Systems Consortium (ISC) website.

Step 2: Unzip the downloaded file to a folder (e.g., c:\bind9) and run the installer named “BINDInstall.exe”. This installs BIND9 into \Windows\System32\dns\bin\.

BIND9 Installer window

Step 3: During installation the installer asks for a “Service Account Password” (the password of the account the BIND service will run under); set one, select “automatic startup”, then click Install. Exit the installer when finished.

Step 4: Open a Command Prompt as Administrator (Run as Administrator) and type the following commands:
cd c:\windows\System32\dns\bin (press enter)
rndc-confgen -a (press enter)

The second command reports: wrote key file “C:\Windows\system32\dns\etc\rndc.key”

Step 5: Close the Command Prompt

There should now be six files in the folder c:\windows\system32\dns\etc as shown in the picture below (session.key, also visible there, does not exist yet).

BIND9 Files

Note that the rndc.key file was created by rndc-confgen in step 4.

Step 6: Open Notepad (Run as Administrator) and copy and paste the following:

options {
    directory "c:\windows\system32\dns\etc";
    pid-file none;
    version "not currently available";
    listen-on { 127.0.0.1; 192.168.0.0/24; 180.216.59.213; };
    // Answer recursive queries only for this machine and its local networks.
    // Without this restriction a public listen-on address turns the server
    // into an open resolver that anyone on the Internet can use.
    recursion yes;
    allow-recursion { localhost; localnets; };
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
    algorithm hmac-md5;
    secret "o690RparSJLi5da4mjPB/Q==";
};

zone "." IN {
    type hint;
    file "root.hints";
};

zone "localhost" IN {
    type master;
    file "zone.localhost";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "revp.127.0.0";
    allow-update { none; };
};

include "filter.conf";

Before saving this file, change the secret “o690RparSJLi5da4mjPB/Q==” to the secret found in your own rndc.key file; the one shown here is only an example and will not match yours. Open rndc.key with Notepad and copy the secret string from it. Keep named.conf readable by administrators only: whoever holds this secret can control the server through rndc.

Also change the line listen-on { 127.0.0.1; 192.168.0.0/24; 180.216.59.213; }; to the address(es) on which the caching server should listen. For a personal caching server 127.0.0.1 alone is usually enough; every address added here, and especially a public one such as 180.216.59.213, makes the server reachable from that network, so restrict who may use recursion (allow-recursion) to localhost and the local network rather than leaving the server as an open resolver.

Save the file as named.conf in C:\Windows\System32\dns\etc\ (run Notepad as Administrator to have the rights to write there).

Step 7: Create a new file using Notepad and copy & paste the following root hints into it. The addresses below were current when this was written; root server addresses change occasionally, so for a new installation fetch the current list from https://www.internic.net/domain/named.root instead.

; <<>> DiG 9.3.2 <<>> NS . @m.root-servers.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1378
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15

;; QUESTION SECTION:
;.                IN    NS

;; ANSWER SECTION:
.            518400    IN    NS    A.ROOT-SERVERS.NET.
.            518400    IN    NS    I.ROOT-SERVERS.NET.
.            518400    IN    NS    C.ROOT-SERVERS.NET.
.            518400    IN    NS    H.ROOT-SERVERS.NET.
.            518400    IN    NS    M.ROOT-SERVERS.NET.
.            518400    IN    NS    E.ROOT-SERVERS.NET.
.            518400    IN    NS    K.ROOT-SERVERS.NET.
.            518400    IN    NS    L.ROOT-SERVERS.NET.
.            518400    IN    NS    B.ROOT-SERVERS.NET.
.            518400    IN    NS    J.ROOT-SERVERS.NET.
.            518400    IN    NS    D.ROOT-SERVERS.NET.
.            518400    IN    NS    G.ROOT-SERVERS.NET.
.            518400    IN    NS    F.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.    3600000    IN    A    198.41.0.4
B.ROOT-SERVERS.NET.    3600000    IN    A    192.228.79.201
C.ROOT-SERVERS.NET.    3600000    IN    A    192.33.4.12
D.ROOT-SERVERS.NET.    3600000    IN    A    128.8.10.90
E.ROOT-SERVERS.NET.    3600000    IN    A    192.203.230.10
F.ROOT-SERVERS.NET.    3600000    IN    A    192.5.5.241
G.ROOT-SERVERS.NET.    3600000    IN    A    192.112.36.4
H.ROOT-SERVERS.NET.    3600000    IN    A    128.63.2.53
I.ROOT-SERVERS.NET.    3600000    IN    A    192.36.148.17
J.ROOT-SERVERS.NET.    3600000    IN    A    192.58.128.30
K.ROOT-SERVERS.NET.    3600000    IN    A    193.0.14.129
L.ROOT-SERVERS.NET.    3600000    IN    A    199.7.83.42
M.ROOT-SERVERS.NET.    3600000    IN    A    202.12.27.33

When done, save the file as root.hints at C:\Windows\System32\dns\etc\.

Step 8: Create a new file using Notepad and copy & paste the following zone localhost information into the file.

;
; loopback/localhost zone file
;
$TTL 1D
$ORIGIN localhost.
@   IN  SOA   @  root (
        1   ; Serial
        8H  ; Refresh
        15M ; Retry
        1W  ; Expire
        1D) ; Minimum TTL
@   IN  NS   @
@   IN  A    127.0.0.1

When done, save the file as zone.localhost at C:\Windows\System32\dns\etc\.

Step 9: Create a new file using Notepad and copy & paste the following information into the file.

;
; reverse pointers for localhost
;
$TTL 1D
$ORIGIN 0.0.127.in-addr.arpa.
@    IN   SOA  localhost. root.localhost. (
        1    ; serial
        8H   ; refresh
        15M  ; retry
        1W   ; expire
        1D ) ; minimum
@    IN   NS   localhost.
1    IN   PTR  localhost.

When done, save the file as revp.127.0.0 at C:\Windows\System32\dns\etc\.

Step 10: Create a new, empty file with Notepad and save it as filter.conf in C:\Windows\System32\dns\etc\. It stays empty for now; it is where the filter entries go if BIND9 is later used to block adverts.

Step 11: Starting BIND9. To start BIND9 for the first time, open a Command Prompt (Run as Administrator) and type:

services.msc (press enter)

This opens the Windows Services list as shown below.

Windows Services List

Scroll to the ISC BIND service line (as shown in the picture above) and right-click it to open the Properties dialog for ISC BIND.

BIND9 Properties

Set Startup type to Automatic and click Start to start ISC BIND for the first time. If there are no errors, BIND9 starts and the Service status changes from Stopped to Started.

If Windows reports: Windows could not start the ISC BIND on Local Computer. Error 1067: The process terminated unexpectedly, check the Log On properties for ISC BIND: click the Log On tab in the Properties window and check that the log-on setting matches the one shown below (the service account created by the installer, with the password entered in step 3). Error 1067 is also what a mistake in named.conf or in a zone file produces; in that case the reason is written to the Application log in Event Viewer.

BIND9 Properties

Click OK to close the Properties window and start ISC BIND from the Services window again. Once it starts, BIND9 is running on the local computer (127.0.0.1) and ready to be used.

To test or use BIND9 as a personal caching DNS server on the computer where it is installed, set 127.0.0.1 as the Preferred DNS server in the computer's network settings. A quick check from a Command Prompt is nslookup www.isc.org 127.0.0.1: an answer that lists 127.0.0.1 as the server shows the new server is resolving, while a timeout usually means named is not running or listen-on does not include 127.0.0.1.

Reference page: http://npr.me.uk/installdns.html

Fedena Project version 2.0 for Win32 Platform

Installation steps for Fedena version 2.0 on the Win32 platform:

Part A: Install Ruby
Download and install One-Click Ruby Installer for Windows.
http://rubyforge.org/frs/download.php/72085/rubyinstaller-1.8.7-p302.exe

Part B: Install Rails
Use the RubyGems package manager to download and install Rails 2.3.5 (Note: the version must be 2.3.5):
1. Open a command window and run the command "gem install rails -v 2.3.5 --remote" (without quotes).
2. Check the rake version with "gem list rake"; if version 0.9.2 is installed it must be downgraded.
3. Run the command "gem uninstall rake" (this removes version 0.9.2).
4. Run the command "gem install rake -v 0.8.7" (this downgrades to version 0.8.7).
5. Then run the command "gem install prawn -v 0.6.3 --remote".

Part C: Install MySQL
1. Download and install the “essential” version of the MySQL installer v5.0 from http://downloads.mysql.com/archives/mysql-5.0/mysql-essential-5.0.90-win32.msi
2. Copy libmysql.dll from MySQL bin directory (usually C:\Program Files\MySQL\MySQL Server 5.0\bin) to Ruby bin directory (usually C:\Ruby\bin)
3. Or download it from http://instantrails.rubyforge.org/svn/trunk/InstantRails-win/InstantRails/mysql/bin/libmySQL.dll

Part D: Setup Fedena
1. Download the Fedena source code from GitHub or from http://www.projectfedena.org/download. Extract the ZIP/TAR archive into a folder (e.g., C:\Fedena).
2. Now go to the Fedena source directory in the command window.
3. Run the command "gem install mysql".
4. Run the command "rake gems:install". This installs the missing gems.
5. Update the MySQL database details in Fedena/config/database.yml (under "development:").
6. Run the command "rake db:create". This creates the required databases.
7. Run the command "rake db:migrate". This populates the database with the required tables.
8. Run the command "rake gems:install" again. This installs the two remaining gems, declarative_authorization and searchlogic.
9. Run the command "ruby script/server". This starts the server, which is then accessible at http://localhost:3000
10. To run Fedena in production mode, run the command "ruby script/server -e production". The production database details must then be given in config/database.yml.
11. To get rid of the warning "C:/Ruby187/lib/ruby/gems/1.8/gems/rails-2.3.5/lib/rails/gem_dependency.rb:119:Warning: Gem::Dependency#version_requirements is deprecated and will be removed on or after August 2010. Use #requirement",
edit C:\Ruby187\lib\ruby\gems\1.8\gems\rails-2.3.5\lib\rails\gem_dependency.rb according to the changes shown at https://github.com/rails/rails/commit/268c9040d5c3c7ed30f3923eee71a78eeece8a8a#diff-0

Part E: Install the Mongrel web server to speed up access via the LAN
1. Navigate to the Ruby187\bin folder.
2. Install the Mongrel web server with the command "gem install mongrel".
3. Then navigate to the Fedena directory and run the command "mongrel_rails start" or "mongrel_rails start -e production".
4. The port can also be specified, e.g. "mongrel_rails start -p 80 -e production". This runs Fedena on port 80, so it can be reached by typing just the server IP (e.g., 127.0.0.1) in the browser.

References:
http://www.projectfedena.org/install
http://www.mattvsworld.com/blog/2010/03/version_requirements-deprecated-warning-in-rails/
http://railsforum.com/viewtopic.php?id=34012

Enabling HTTPS web service in Ubuntu 10.04 LTS

The first step to enable the HTTPS web service (port 443) on Ubuntu 10.04 LTS is enabling the SSL module for apache2 with the following command:

marinyo@paparisa:~$ sudo a2enmod ssl
Enabling module ssl. (SSL Engine)
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run ‘/etc/init.d/apache2 restart’ to activate new configuration!

The next step is generating keys. This section covers generating a key with a passphrase, and one without. The key without a passphrase is then used to create a certificate for service daemons such as apache2.
Note: A key without a passphrase is convenient because nobody has to type the passphrase every time the service starts, but anyone who can read the key file then holds the server's identity: keep it owned by root with mode 0600, and treat a disclosure of the file as a compromise of the server that calls for a new key and certificate.

To generate the key for the Certificate Signing Request (CSR) run the command (the guide used 1024-bit RSA, which was still common in 2010; use 2048 bits or more today, since current browsers reject 1024-bit certificates):

marinyo@paparisa:~$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
...........................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: your passphrase
Verifying - Enter pass phrase for server.key: your passphrase

Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in the server.key file.

Next create the insecure key, the one without a passphrase:

marinyo@paparisa:~$ openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key: your passphrase
writing RSA key

Then swap the key names with the following commands:

marinyo@paparisa:~$ mv server.key server.key.secure
marinyo@paparisa:~$ mv server.key.insecure server.key

The key without a passphrase is now named server.key and is the one used to generate the CSR.

Next, create the CSR by running the following command at a terminal prompt:

marinyo@paparisa:~$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [AU]:your country code
State or Province Name (full name) [Some-State]:your state
Locality Name (eg, city) []:your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:your company
Organizational Unit Name (eg, section) []:your dept
Common Name (eg, YOUR name) []:your common name
Email Address []:youremail@yourdomain.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:your challenge password
An optional company name []:your company

Once all these details are entered, the CSR is created and stored in the server.csr file. The Common Name must be the host name that browsers will use to reach the site (normally its fully qualified domain name); a certificate whose name does not match the URL is rejected by the browser even when it is otherwise valid.

Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt (sudo is not needed here; the command only reads server.csr and server.key in the current directory):

marinyo@paparisa:~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=your state/L=your city/O=your company/OU=your dept/CN=your common name/emailAddress=email@yourdomain.com
Getting Private key

Next, copy the certificate and the key into place. On Ubuntu /etc/ssl/private is readable only by root and the ssl-cert group, and the copied key must stay that way (owner root, mode 0600): anyone who can read server.key can impersonate the server.

marinyo@paparisa:~$ sudo cp server.crt /etc/ssl/certs
marinyo@paparisa:~$ sudo cp server.key /etc/ssl/private

The next step is to create and edit the site config file(s) in /etc/apache2/sites-available

marinyo@paparisa:~$ cd /etc/apache2/sites-available/

Create a new config file named ssl for the HTTPS site, using the default configuration file as a template:

marinyo@paparisa:/etc/apache2/sites-available$ sudo cp default ssl

Edit default configuration file:

marinyo@paparisa:/etc/apache2/sites-available$ sudo nano default

Do the following:

change: NameVirtualHost * to NameVirtualHost *:80
change: <VirtualHost *> to <VirtualHost *:80>
Save the changes

Edit ssl configuration file:

marinyo@paparisa:/etc/apache2/sites-available$ sudo nano ssl

Do the following:

change: NameVirtualHost * to NameVirtualHost *:443
change: <VirtualHost *> to <VirtualHost *:443>

Find the line: DocumentRoot /var/www/
and add the following lines below it:
SSLEngine on
SSLOptions +StrictRequire

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
Save the changes

Next move to /etc/apache2/sites-enabled:

marinyo@paparisa:/etc/apache2/sites-available$ cd ../sites-enabled

Enable the ssl site config with the following command:

marinyo@paparisa:/etc/apache2/sites-enabled$ sudo a2ensite ssl
Site ssl installed; run /etc/init.d/apache2 reload to enable.

Restart Apache2 service:

marinyo@paparisa:/etc/apache2/sites-enabled$ sudo /etc/init.d/apache2 restart
* Restarting web server apache2
…done.

Check that the HTTPS service is available by browsing to https://yourdomain.com. A self-signed certificate makes the browser warn about an untrusted issuer; that is expected, and the warning only goes away with a certificate issued by a CA the browser trusts.
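As an added example, not from the original page or the Ubuntu server guide, the following POSIX shell script performs the key, CSR and certificate steps above non-interactively with current parameters (2048-bit RSA, SHA-256, a subjectAltName matching the host name, and a key file created readable only by its owner), and checks that the key matches the certificate before anything is copied into /etc/ssl. The output directory, the host name paparisa.example, the organisation in the subject and the install function are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Non-interactive version of the
# openssl steps for the Apache HTTPS site, with current key sizes and a
# consistency check. Paths and the host name are assumptions for the example.

# make_selfsigned OUTDIR HOSTNAME [DAYS]
# Writes OUTDIR/server.key, server.csr and server.crt. The key has no
# passphrase (Apache must start unattended), so it is created under umask 077
# and must stay readable only by root once installed.
make_selfsigned() {
    outdir=$1
    host=$2
    days=${3:-365}
    mkdir -p "$outdir"
    umask 077   # note: stays in effect for the calling shell as well
    # 2048-bit RSA: 1024-bit keys (as in the 2010 guide) are no longer accepted
    openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null
    # -subj replaces the interactive DN prompts; CN must be the server name
    openssl req -new -key "$outdir/server.key" -out "$outdir/server.csr" \
        -subj "/C=AU/O=Example Org/CN=$host" 2>/dev/null
    # Browsers match the host against subjectAltName, not only the CN
    printf 'subjectAltName=DNS:%s\n' "$host" > "$outdir/san.ext"
    openssl x509 -req -days "$days" -sha256 \
        -in "$outdir/server.csr" -signkey "$outdir/server.key" \
        -extfile "$outdir/san.ext" -out "$outdir/server.crt" 2>/dev/null
}

# cert_matches_key DIR
# Returns 0 when server.crt is a valid self-signed certificate whose public
# key is the one in server.key. A mismatch here is the usual cause of
# "Unable to configure RSA server private key" when Apache starts.
cert_matches_key() {
    dir=$1
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# key_mode DIR: prints the permission bits of the private key (expect 600)
key_mode() {
    stat -c '%a' "$1/server.key" 2>/dev/null || stat -f '%Lp' "$1/server.key"
}

# install_cert DIR
# Copies the files to the locations used in the Apache config above and
# pins the key permissions. Needs root; not run by the demonstration.
install_cert() {
    dir=$1
    cp "$dir/server.crt" /etc/ssl/certs/server.crt
    cp "$dir/server.key" /etc/ssl/private/server.key
    chown root:root /etc/ssl/private/server.key
    chmod 600 /etc/ssl/private/server.key
}

# Demonstration in a scratch directory (no root needed)
work=$(mktemp -d)
make_selfsigned "$work" paparisa.example 365
if cert_matches_key "$work"; then
    echo "certificate and key are consistent (key mode $(key_mode "$work"))"
fi
rm -rf "$work"
```

Running cert_matches_key before install_cert catches the two mistakes that otherwise only show up as an Apache start failure: a key and certificate from different runs, and a certificate that does not verify. The SAN extension is what makes a browser accept the host name; the CN alone is ignored by current browsers.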

References:
https://help.ubuntu.com/10.04/serverguide/C/httpd.html
https://help.ubuntu.com/10.04/serverguide/C/certificates-and-security.html

Simple NAT using IPtables

NAT (Network Address Translation) was needed in the network of INHERENT Universitas Pattimura (UNPATTI). In this case it was decided to NAT through one of INHERENT's addresses, 167.205.164.5, so that several client computers assigned private class C addresses in 192.168.76.xxx can reach the Internet through 167.205.164.5.

The machine used for this task is an IBM x3650 that also serves as a multipurpose web and database server. The operating system is CentOS 5; of the open source distributions tried, CentOS was the only one that could be installed on this machine.

The NAT setup is very straightforward; the network layout is shown in the picture below.

inherent unpatti nat

Traffic has to be passed in both directions between eth0 (167.205.164.5) and eth1 (192.168.76.1), and iptables is used for this.

Here are the iptables commands used to configure NAT for 192.168.76.0/24 behind 167.205.164.5 (both need root):

[inherent@hotumese ~]$ /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.76.0/24 -j SNAT --to-source 167.205.164.5

[inherent@hotumese ~]$ /sbin/iptables-save > /etc/sysconfig/iptables

The SNAT rule only rewrites the source address of packets from 192.168.76.0/24 leaving through eth0; forwarding must also be enabled (net.ipv4.ip_forward = 1 in /etc/sysctl.conf) and the FORWARD chain must accept the traffic. iptables-save writes the running rules to /etc/sysconfig/iptables so that the iptables service restores them at boot.
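As an added example, not the page's own commands, the following POSIX shell script produces a complete ruleset in iptables-restore format for both NAT setups on this page: the Ubuntu 10.04 gateway of Part A (MASQUERADE on a dynamically addressed eth0) and the UNPATTI gateway above (SNAT to the fixed address 167.205.164.5). Unlike the rc.local lines in Part A, it sets the FORWARD policy to DROP and only forwards traffic from the LAN subnet on the LAN interface plus the replies to it, so the gateway cannot be used to reach the LAN from outside. The interface names, the MASQUERADE subnet 192.168.0.0/24 and the apply step are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a stateful NAT ruleset
# (iptables-restore format) for a two-interface gateway. Interface names
# and addresses are assumptions taken from the two NAT sections.

# nat_rules WAN_IF LAN_IF LAN_NET [SNAT_IP]
# Prints the ruleset. With SNAT_IP the LAN sources are rewritten to that
# fixed address (static WAN address); without it MASQUERADE is used, which
# follows whatever address WAN_IF currently has (dynamic WAN address).
nat_rules() {
    wan=$1
    lan=$2
    net=$3
    snat=${4:-}
    if [ -n "$snat" ]; then
        target="SNAT --to-source $snat"
    else
        target="MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite the source of LAN packets leaving through the WAN interface only
-A POSTROUTING -s $net -o $wan -j $target
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> WAN: only from the LAN subnet and only via the LAN interface,
# so a packet with a spoofed LAN source arriving on $wan is never forwarded
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
# WAN -> LAN: only replies to connections the LAN opened
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# forward_count RULESET
# Number of explicit FORWARD rules in RULESET: a quick check that the
# generated policy is an allow-list rather than an ACCEPT default.
forward_count() {
    printf '%s\n' "$1" | grep -c '^-A FORWARD '
}

# apply_nat_rules WAN_IF LAN_IF LAN_NET [SNAT_IP]
# Enables forwarding and loads the ruleset atomically; needs root. On Ubuntu
# call it from /etc/rc.local; on CentOS 5 save the result with iptables-save
# as shown above so the iptables service restores it at boot.
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_rules "$@" | iptables-restore
}

# Demonstration: the UNPATTI case (static address), printed to stdout
nat_rules eth0 eth1 192.168.76.0/24 167.205.164.5
```

Review the printed ruleset before loading it; iptables-restore replaces the whole table in one step, which is also why it is preferable to a sequence of iptables -A commands in rc.local, where a failure half-way leaves a partial ruleset in place.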