Monday, 31 October 2005

mount your files the Linux way

In Linux, if you want to access a filesystem be it a CDROM, a partition or a different drive including zip, floppy, usb keys and so on, you have to mount the filesystem first prior to start using it. In most cases, the system will do it for you. But sometimes you have to do it yourselves. This you do by using the 'mount' command. Here I will explain different things you can achieve by using this very important and useful command.

Check which filesystems are mounted
Just enter the command:
$ mount
...to see all the filesystems that are mounted on your machine.

Re-mount a drive as read-only
This is useful if you want to take a backup of a filesystem in a production server. Once you have taken the backup, you can remount the filesystem as read-write. For example, if I want to remount the already mounted partition /dev/hda2 as read-only, I enter the following mount command:
# mount -o remount,ro /dev/hda2 /mnt/C/
... so that no one can write to the partition while the backup is going on. Once the backup is finished, I can remount it again as read-write:
# mount -o remount,rw /dev/hda2 /mnt/C/
ro - ReadOnly
rw - ReadWrite

You will find the above command useful in a situation in which your system gets corrupt. And when you boot into single user mode, the filesystem is mounted read-only. In which case, you have to remount it as read-write (see the above command) inorder to make changes to the configuration files.

Mounting a ISO image file to view its contents
If you have downloaded an ISO image (perhaps a Linux distribution) from the net and you want to see the contents of the file, there is an easy way of achieving it in Linux. You just mount it using the loopback device as follows:

# mount -t iso9660 -o loop,ro  knoppix-4.0.iso /mnt/iso
This is desirable in a situation where, you have downloaded a Linux ISO on to your harddisk. But your computer's BIOS does not support booting from the CD Drive. In which case, you have to create a boot disk (floppy) so that you can start the installation by booting from the floppy. Most Linux ISO's contain a floppy bootdisk image which you can copy to your floppy.

Move a already mounted filesystem to another location
I have already mounted a FAT32 partition in the '/mnt/D/' location. Now if I want to delink it from the current location and make it available at another location, I use the --move flag with the mount command as follows:

# mount --move /mnt/D/ /mnt/newLocation/
Now all the files on my FAT32 partition have been moved from /mnt/D/ to the /mnt/newlocation/. The files have not been actually moved but has been decoupled from /mnt/D/ mount point and linked at /mnt/newLocation/ .

Mount a filesystem simultaneously at two different places
I can use the --bind or --rbind option to mount an already mounted, part of file hierarchy or an entire filesystem to another location with different rights.
For example, I have a subdirectory called 'softwares' in the read-only mount point /mnt/D/ , which I want to make accessible to other users for writing data. I can achieve this by using the --bind command as follows:

# mount -o rw --bind /mnt/D/softwares /mnt/backup
Now only the subdirectory 'softwares/' is accessible as read-write in the location /mnt/backup .

If you ask me, mount is a very important command in the Linux toolbox. Because, if there was no mount, Linux would not have been the same OS that it is now. The mount command has lots of other options. You may read the man page of mount to know more about it.

Sunday, 30 October 2005

ClamAV - The free Anti Virus solution for Windows on Linux

There is a common perception that there are no viruses on the Linux platform - which to a large extent is true. But what happens when you get a mail attachment which you would like to forward to your windows machine so you can open it with your favorite proprietary software? And what if this attachment is infected by a virus? This is where the anti virus solutions for linux comes into the picture.
ClamAV is a free GPLed anti-virus solution which provides a lot of advantages when installed in Linux. Sticking to the philosophy of linux, it contains a set of command line tools which can be used to check if a file on your system is infected by a virus.
The installation is quite simple as executing a single command as follows:

# yum install clamav
(for RedHat based systems)
OR
# apt-get install clamav
(for Debian based systems)

ClamAV basically installs three binary tools on your system (in the /usr/bin directory), them being :
freshclam - As you know an anti-virus solution is only as good as the latest virus updates it has. This tool is used to update the virus databases on your system. It downloads the latest virus updates from the internet and keeps your anti-virus solution upto date.
clamscan - This is the tool that actually checks your files to see if they are infected.
sigtool - When you download the latest virus updates from the net, there should be a way of verifying the validity of the update. This is achieved by the sigtool. It is used to verify the digital signatures of databases and list virus signature names among other things.

This is how I use this wonderful package to my advantage. I have installed Linux alongside windows and boot via Grub bootloader (most people do). I have a FAT and NTFS partition on my harddrive which I have mounted in /mnt/C:/ and /mnt/D:/ . To check all the files in my windows partition, I just enter the command as follows (you don't have to be root to run this command):
$ clamscan --bell -r --log=/home/ravi/virus_log -i /mnt/D:/

The above command will scan my /mnt/D:/ directory (FAT32 partition) recursively (-r) and log (--log) the result in the virus_log file, will beep (--bell) each time a virus has been detected and only print (-i) infected files to the output.

clamscan can scan a wide variety of files including archive files (rar, zip, tar, deb, jar, arj ), your mails, html files ... In fact just about any file on your system.

For instance, if I want to scan a tar file, I will enter the following command:

$ clamscan --tar=/bin/tar  myfile.tgz
Same is the case for other archives. You pass the path of the archive tool in the command line.

Usually clamscan will recurse through a maximum depth of 15 levels if the -r option is used. But you can set the depth of recursion using the --max-dir-recursion option.
$ clamscan -r --max-dir-recursion=4 ~ravi/.

Here is another example of how you check only the text files on your harddisk for virus infection.
$ find . -iname \*.txt -exec clamscan -r -i {} \;

Updating the virus database
You will agree with me that the usefulness of an anti-virus solution is only as good as its virus definition files. With ClamAV, it is very easy to update the database. All it takes is executing the command :
# freshclam

And ClamAV will download the latest virus definition files from the internet and update your database. You can also run the above command as a daemon as follows:
# freshclam -d
Usually you don't have to run this command yourselves. When you install ClamAV on your machine, it creates a user and group named 'clamav' and also creates a cron job to update on a regular basis, the virus database on your machine.

ClamAV has been developed targeting firms running mail servers in mind and so is designed to check for virus on the fly. If you manage a mail server, you can integrate it with sendmail or any other mail server to check your incoming and outgoing emails for viruses.

Advantages of Clamav over other Anti-Virus suites
  1. The one and only GPLed Anti-Virus solution available with an unbeatable price tag (Free).
  2. Multi architecture and multi OS support. Clamav is available for MacOS, Windows, Linux and other Unix variants.
  3. Simple command line usage - which does away with memory bloat that other anti-virus solutions carry around. I still remember the times when my windows 98 machine would slow to a crawl when an antivirus package was installed on it.
  4. Can be linked with other linux commands to create powerful filters to check just a subset of files on your machine.
  5. You can automate the whole process of virus detection and prevention.
  6. Easy installation and uninstallation - I remember the trouble I had in uninstalling Norton Antivirus from my windows 98 machine a few years back. When I tried to uninstall Norton Antivirus, it said I should uninstall "Live Update" first and when I tried uninstalling the latter, it complained that "Norton Antivirus" was running and should be uninstalled first - in short a catch 22 situation - the only way out being a clean re-installation of windows OS. Clamav doesn't have any such problems.
  7. Lots of third party softwares with in-built support for ClamAV. For example, DansGuardian virus patch is a GPL addon that takes the virus scanning capabilities of ClamAV and integrates them into the content filtering web proxy DansGuardian.
What? You don't want to install the Clam Antivirus package just yet ? No problem, there is a Online scanning tool available from ClamAV which will help you scan a file on your harddisk without installing it.

Fig: The output of running clamscan on my machine.

Friday, 28 October 2005

The Knoppix Advantage

There is a great deal of discussion going on about which distribution is most ideal for the desktop, with people taking different sides. If you ask me, Knoppix scores over other distros when it comes to installing Linux on old machines. Let me elaborate on how I reached this conclusion.
Recently, I received a Knoppix Ver 4.0 live CD from a friend. And I decided to try it out on one of my older computers. The computer has a Celeron 333 MHz processor, with 96 MB SDRAM, Microsoft Serial IntelliMouse, Aztec 2320 chipset based ISA sound card and 440LX Intel Original motherboard - In short, a really old machine in today's standards. In the past, I have had lots of trouble in installing Linux (which includes Fedora and Ubuntu) on this machine especially problems with sound and mouse, each time having to tweak the configuration files to get both working . But when I popped in the Knoppix live CD, I was amazed to see it detecting both my sound card and mouse correctly. In fact, I saw it booting into KDE (the default window manager) without prompting for any user input.

Knoppix comes with chockfull of softwares all crammed into a 700 MB CD ROM. The CD has around 2.1 GB of softwares all compressed into a 700 MB space using a special algorithm. You get many applications preinstalled, which you have to usually download and install in other distributions.

The installation of knoppix on the hard-disk is quite simple and is aided by a script called knoppix-install. Just fire-up a terminal in knoppix and become root user. The root has no password so just typing 'su' is sufficient.
$ su
#_
# knoppix-install
Once you enter the above commands, a nice easy to understand GUI (See Picture below) pops up and you are walked through the installation. Since it is just copying the live distribution on to your hard-disk as most choices have already been decided for you by knoppix and you just have to go through 4 simple steps.That is ...
  1. Editing your configuration
  2. Partitioning your hard disk (using QTParted)
  3. Choosing your installation method and
  4. Actual installation.
Fig: Knoppix installation GUI

Before starting the installation, you are asked for your choice from three methods of installation. They are
  1. Debian installation (recommended)
  2. Multiuser installation
  3. Knoppix installation
Then it will start copying the files on to your hard-disk and at the end will install Grub boot-loader in your MBR.

Advantages of Knoppix
  • Multimedia programs compiled with MP3 support.
  • Auto detects a wide variety of hardware including certain off-beat ISA cards.
  • Contains a lot of softwares, which usually have to be downloaded separately and installed in other distributions.
  • Knoppix is based on Debian so can easily update, install or upgrade using Apt package management.
  • Coexists with other OSes with out any problem via the GRUB boot-loader.
  • Sound configuration is automatic and is not a hassle.
  • If the hardware is atleast 4 years old, then knoppix is a viable choice of installing and using Linux.
  • Appeals to people without broadband internet who want to install a more complete Linux with support for many proprietary file formats like MP3.
  • Contains multiple window managers like KDE, Fluxbox, IceWm, twm etc.
Disadvantages of Knoppix
  • Knoppix is optimized for use as a live distro. So when installed on the hard-disk will boot up a bit slower than other distributions.
  • If you want to learn the inner working of Linux, this is not the best way. You will be better off installing a distribution like Slackware, Fedora or Ubuntu.

Fig: A cute GUI front-end for configuring a firewall in knoppix.

Fig: Screen shot of Knoppix KDE desktop running a game.

Thursday, 27 October 2005

Find the speed of your Ethernet card in Linux

For logging on to the net or for attaching as a node on a LAN, your computer needs a network card. The network card forms the interface between your computer and the network. There are different kinds of network cards available in the market depending on its speed and other features. Here is a tip to find out the characteristics of your network card.

If you want to find what type of network card is used, its speed, on which IRQ it is listed, and the chip type used, you use the following command :

# dmesg |grep eth0
Here eth0 is the first network card. If you have additional cards, it will be named eth1, eth2 and so on. And here is the output of the above command :
divert: allocating divert_blk for eth0
eth0: RealTek RTL8139 at 0xd800, 00:80:48:34:c2:84, IRQ 9
eth0: Identified 8139 chip type 'RTL-8100B/8139D'
divert: freeing divert_blk for eth0
divert: allocating divert_blk for eth0
eth0: RealTek RTL8139 at 0xd800, 00:90:44:34:a5:33, IRQ 9
eth0: Identified 8139 chip type 'RTL-8100B/8139D'
eth0: link up, 100Mbps, full-duplex, lpa 0x41E1
eth0: no IPv6 routers present
...
The important things to note here are those highlighted in colour. As you can see from the above listing, my ethernet card is a RealTek RTL8139 chipset based card on IRQ 9 (Interrupt Request). Its speed is 100 Mbps and is a full-duplex card. And the link is up.

As is the philosophy of Linux, there is more than one way of finding the same information. Linux also comes with a cute sounding tool called mii-tool which can also be used to get the same information about your network card.
# mii-tool -v eth0
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD
...
Here -v is verbose mode. From the above listed output, one can see that the ethernet card is working as a 100baseTX, FD (Full Duplex) card which can work in the following modes :
  • 100 Mbps Speed (Full duplex or half duplex ) or
  • 10 Mbps speed (Full duplex or half duplex).
And it uses autonegotiation to bring up the link. You can call the above device as a 10/100 NIC.
Another tool which also does the same thing is ethtool. Try the following command on your machine to see the output.
# ethtool eth0

Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 32
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: p
Current message level: 0x00000007 (7)
Link detected: yes
Here full duplex, half duplex and auto-negotiation have the following meanings.
Full Duplex - Logic that enables concurrent sending and receiving. This is usually desirable and enabled when your computer is connected to a switch.

Half Duplex - This logic requires a card to only send or receive at a single point of time. When your machine is connected to a Hub, it auto-negotiates itself and uses half duplex to avoid collisions.

Auto-negotiation - This is the process of deciding whether to work in full duplex mode or half duplex mode. An ethernet card supporting autonegotiation will decide for itself which mode is the optimal one depending on the network it is attached to.

Tuesday, 25 October 2005

OpenOffice.org Version 2.0 - A definite would-be MS Office Killer

Yesterday, I downloaded the latest stable release of OpenOffice.org (version 2.0) for the Linux platform. It was 106 MB gzipped tar file. I downloaded it and unpacked it into my home directory using the command :
$ tar -xvzf OOo_2.0.0_LinuxIntel_install.tar.gz
One thing that struck me as unique was instead of finding a setup file for installing the software, there were a series of RPM packages (around 20 or so). I checked the readme files which came along with the package but there was no instruction on how to go about installing the software which was really strange. Obviously the OpenOffice team do not expect Linux users to install the software on their own because OpenOffice is bundled with all Linux distributions worth their name.

Any way, I figured out after some time that you just have to install the RPMs. Here you have a flexibility of installing only those parts of the office suite that you need. Like if you don't have a need for Impress (a presentation software), you can leave it out. I chose to install everything. So I moved into the directory containing the RPMs and executed the command:
$ su root
password : ******
# rpm -Uvh *
Note: The new version (2.0) can coexist with your older version of OpenOffice. If you chose to keep the older version then it is better to make a slight change to the above command :
# rpm -ivh *
The installation went without any glitch. And the software was installed in the directory /opt/openoffice.org2.0 . No I was not given the choice of where to install the software.

Changes with respect to previous version
  • Writer executable - swriter
  • Impress (presentation software) - simpress
  • Spreadsheet - scalc
  • Drawing Application - sdraw
  • Formula editor - smath
  • Database (a.k.a Access) - sbase ...which is a new inclusion
As you can see above, the executable files are named differently. When previously it was names like oowriter, ooimpress and so on , now the names start with 's'.

Since the software was installed in the /opt directory, I had to update my PATH to include this change. So I edited my .bashrc file to mirror that change as follows:
#File: ~ravi/.bashrc

export PATH=$PATH:/opt/openoffice.org2.0/program
... and then re-read the file as follows:

$ source .bashrc
Now I could just fire up the terminal and type 'swriter' to open the word processor.

Fig: The first time you run OpenOffice, the wizard guides you.

Fig: Toolbar of OpenOffice.org ver 2.0

New Features in OpenOffice.org Ver 2.0
  1. Appreciable decrease in startup time. In fact, ver 2.0 took less than half the time it took ver 1.11 to load on my machine.
  2. Better support for saving and opening MSWord documents.
  3. Now has MSWord ClipArts equivalent known by name FontWork Gallery.
  4. Support for accomplishing Mail Merges to email.
  5. Now you can embed movie and sound clips into your documents.
  6. Bundles with 'base' - a good database equivalent to MS Access on windows platform.
  7. Better tables, lists and bullets support than the previous version.
  8. Has a closer semblance to MS Office, which is good thing for people who are thinking of migrating from the MS Office world.
  9. Creates smaller sized PDF documents.
  10. Full support for Open Document framework.
Drawbacks of OpenOffice.org ver 2.0
  1. Lacks the setup installer (for linux platform) found in the previous versions. So not user friendly as far as installation is concerned.
  2. The binary setup comes in only two formats - the RPM and Deb. So you have to choose between the two. If you use a distribution like slackware, then this inserts an additional hurdle in installing OpenOffice.
  3. Greater dependence on JRE (Java Runtime Environment). For certain features to work properly, you need JRE installed on your machine. The problem is java is not bundled by default on Linux distributions. So you have to download it seperately and install it yourself.
Below are a few screen shots of the features I found interesting in the new OpenOffice.org ver 2.0 .


Fig: Clip art support


Fig: Document containing charts, lists and images

Fig: Support for including formulas in your document

Fig: Import data from other databases like MySql using JDBC/ODBC


Epilogue
With many governments pushing for an open document framework, and the availability of this office suite for multiple architectures and OSes, it is only a matter of time before this powerful software overturns the monopoly enjoyed by Microsoft Office Suite.

Sunday, 23 October 2005

Bash Shell Scripting - 10 Seconds Guide

This Bash shell scripting guide is not a detailed study but a quick reference to the BASH syntax. So lets begin...

Common environment variables


PATH - Sets the search path for any executable command. Similar to the PATH variable in MSDOS.

HOME - Home directory of the user.

MAIL - Contains the path to the location where mail addressed to the user is stored. Read more »

Friday, 21 October 2005

Make your bash scripts user friendly using - dialog

If you have installed Linux using the text installer, then you will find a neat professional looking install process. You can rest assured that no extreme programming has gone into creating the text installer. In fact, it has been created using a utility called dialog. Dialog is a utility installed by default on all major Linux distributions. It is used to create professional looking dialog boxes from within shell scripts.

Some of the dialogs supported are Input boxes, Menu, checklist boxes, yes/no boxes, message boxes, radiolist boxes and text boxes.

Creating a dialog is very easy. Here I will explain how to create dialog boxes of different types.
Input boxes : These allows the user to enter a string. After the user enters the data, it is written to standard error . You may also redirect the output to a file.
$ dialog --title "Ravi's Input Box" 
--inputbox
"Enter the parameters..."
8
40
As you can see, the options are self explanatory. The last two options 8 and 40 are the height and width of the box respectively.

Fig: Inputbox

Textbox : This is a box which takes a file as the parameter and shows the file in a scrollable box.
$ dialog --title "textbox" --textbox ./myfile.txt 22 70 
... it shows the file myfile.txt in a textbox.

Fig: Textbox showing the file.

Checklist : The user is presented with a list of choices and can toggle each one on or off individually using the space bar.
$ dialog --checklist "Choose your favorite distribution:" 
10 40 3
1 RedHat on
2 "Ubuntu Linux" off
3 Slackware off
... here, 10 is the height of the box, 40 - width, 3 is the number of choices, and the rest are the choices numbered 1,2 and 3.

Radiolist: It displays a list containing radio buttons. And the user can only choose one option from the set of options.
$ dialog --backtitle "Processor Selection" 
--radiolist "Select Processor type:"
10 40 4
1 Pentium off
2 Athlon on
3 Celeron off
4 Cyrix off
10 and 40 are the height and width respectively. 4 denotes the number of items in the list.

Infobox: This is useful for displaying a message while an operation is going on. For example, see the code below:
$ dialog --title "Memory Results" 
--infobox "`echo ;vmstat;echo ;echo ;free`"
15 85

Fig: Information box - listing the vmstat and free listing.

Fig: Message box

Dialog is usually used inside a script which gives the script a degree of user friendliness. There is another package called Xdialog which gives the same features for scripts executed in X Windows. Xdialog utility also has additional functionality not found in the dialog utility.
To know more about the dialog utility check the man page of dialog.

Flock - The new experimental web browser for Linux

Yesterday, I got a invitation via email for downloading and trying out Flock - the new experimental web browser. Flock is much more than just a web browser. It can easily import all your bookmarks from del.icio.us and more importantly sync your local bookmarks with your del.icio.us account. I was really surprised to find a slick editor for blogging. That is right - flock comes with an inbuilt editor which can be used to easily add content to your favourite blogs - be it a blogger account, livejournal, textpad or wordpress including wordpress.com. Here are a few screen shots to whet your appetite.


Fig: Flock Toolbar


Fig: Importing del.icio.us bookmarks (xterm output) - took a loooong time.


Fig: The blog editor (Quite slick)

Fig: Flickr photo bar

Fig: My del.icio.us bookmarks neatly categorized.

At this time though, there is no function to upload images from the editor to your blog. Importing my del.icio.us account took a very long time. Infact at one point of time, I was suspecting that something was wrong with the function of importing the bookmarks.
Installation of the browser is quite simple, the downloaded file is a compressed tar file. So all it takes is the command:
$ tar -xvzf flock-0.4.8.en-US.linux-i686.tar.gz
... and it will create a new directory by its own name and uncompress all the files there. Now you can start using the browser by moving into the just created directory and entering the command :
$ ./flock &
Advantages of Flock over Firefox
  • Has new features lacking in Firefox
  • Can synchronize your local bookmarks with your online del.icio.us account - really cool.
  • Simple inbuilt blogging editor - has support for Livejournal, Blogger, Wordpress and Textpad for starters.
  • Can just select some text on any webpage you are browsing , and publish it to your blog - which is just a right click away.
  • Can view images by just entering the flickr username in the flickr bar (See figure above).
  • Uses the Firefox codebase so inherits all the positive aspects of firefox.
  • Can easily subscribe to newsfeeds.
Disadvantages of Flock over Firefox
  • Still only a Developer 0.5 Pre version release.
  • Took an awfully long time in importing my del.icio.us account bookmarks.
  • Has to log on to the internet to view the documentation.
  • Obviously has a bigger memory footprint.
If you are interested in trying out this web browser just visit this page and download it for your platform. The Linux version is around 8.0 MB in size.

Tuesday, 18 October 2005

Designing a firewall using Iptables for the Home User

In the previous post on iptables , I had given an introduction about iptables - the firewall installed by default in all Linux distributions. Here I will explain how to go about designing a firewall keeping in mind the needs of a home user. I am assuming that the typical home user will be having a single computer connected to the internet via a cable, DSL, Dialup or ISDN connection. There is no hard and fast rule in designing a firewall. What is good for one situation may not be good for another. But you can arrive at a common ground on certain things.
Here I will explain how you can make your home machine which is connected to the internet , which I am giving the name 'my_machine', more secure. First let us see what are the services that are running on the home machine (my_machine). Usually when you install Linux on your machine, you will be having some default services.
They are as follows:
  • sshd - Secure Shell server
  • portmap - Which is used by file services like NFS
  • httpd - Apache web server
  • ftp server - File Transfer Protocol server. This is not usually running on a home machine but just make sure about it by checking. In RedHat, you can check by running the command:
    # chkconfig --list |grep ftp
    If you have nmap installed on your machine, you can run the command :
    # nmap -sS your_ip_address
    ...to find all the open ports on your machine. The output for my_machine are as follows:

    Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
    at 2005-10-19 09:41 IST
    Interesting ports on my_ip_address:
    (The 1653 ports scanned but not shown below
    are in state: closed)
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    3306/tcp open mysql
    6000/tcp open X11
    32774/tcp open sometimes-rpc11

    Nmap run completed -- 1 IP address (1 host up)
    scanned in 1.205 seconds
    As seen above, I have apache webserver (http) , ssh, mysql server, X Server and rpcbind open to the outside world. rpcbind is used by NFS for mounting a remote drive. Usually a stand alone machine in our case my_machine need not open these services to the internet - except maybe ssh server which you might need to say - connect to your machine from a remote location - that too only if you have a static IP address, which is quite rare.
So lets get a pen and paper and decide how much or how little we want to open up our machine to the outside world. This is what I have decided:

  1. I want full access to my_machine locally. That is all the services should be available for the localhost or IP address 127.0.0.1 .
  2. New connections originating from a remote machine to Portmap, ssh, webserver and X server has to be blocked.
  3. Established and related connections to my_machine has to be allowed. Here I would like to deviate from the topic to explain the terms 'new','established' and 'related'.For that you have to look at how TCP works. TCP is a connection-oriented protocol. Connection-oriented means that it makes sure all the packets reach the destination without any packet loss in transit. If a packet is lost, it re-sends the lost packet. This it achieves by using a set of flags. The flags are called SYN (Synchronize) and ACK (Acknowledge).
    When you click on a link in your web browser, your machine sends a SYN packet to the remote server which hosts the link. This process is called initiating a connection and is represented as NEW connection. When the remote server receives your request which has the flag SYN set, it sends a acknowledgment back to your machine by setting the SYN-ACK flag. And this is called a related connection.
    Once your machine receives the SYN-ACK packet, it responds with a final ACK packet which tells the remote machine that we have indeed received the packet. Then the connection is said to be established. This is called the three way handshake.
  4. Restrict anyone initiating a new connection to my_machine from a remote location.
  5. Allow all outgoing connections originating from my_machine.
  6. Restrict all other incoming connections.
Now that we have jotted down what we want to achieve, let us write rules for achieving it.

I usually write the rules in a script file and then execute the file. This allows me to keep everything organized. Also if I make a mistake, I just have to go back and edit the script and re-execute it. One other thing though - all allow rules must precede the deny rules.

Iptables Rules:

Allow localhost access to everything
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT

Allow all related and established tcp connections to my_machine.
iptables -A INPUT -p tcp -m state
--state ESTABLISHED,RELATED

-j ACCEPT

Allow all outgoing connections from my_machine.
iptables -A OUTPUT -j ACCEPT
... now start writing the deny rules.
Deny all new tcp connections from remote machines. And log the same.
iptables -A INPUT -p tcp -m state --state NEW -j LOG
iptables -A INPUT -p tcp -m state --state NEW -j DROP

Block the apache port on my_machine. See the nmap command listing above. Also log the traffic.
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j LOG
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j DROP
Note: LOG rule must precede the corresponding filter rule.

Block ssh to my_machine. Also log the traffic.
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j LOG
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j DROP

Finally Deny everything else.
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
Now execute the script to load the rules into kernel space. That is it. Now we have got a robust firewall in place. You can check the results by re-running the nmap command listed above.

Monday, 17 October 2005

Installing Ubuntu Linux alongside Windows OS

There are different flavors of Linux distributions ... Fedora, SUSE, Mandriva, Slackware ... the list goes on and on. Around a year back, a South African upstart company called Canonical, founded by the multimillionaire and space tourist Mark Shuttleworth created a new Linux distribution. They named it Ubuntu Linux. In African language, Ubuntu means 'Humanity to others'. They not only succeeded in creating a robust distribution based on Debian but also decided that they will distribute the CDs free of cost.

If you want a few CDs, just visit shipit.ubuntu.org, create an account and place an order for the free CDs. You can order any number of them for your use as well as passing over to friends and acquaintances. Ubuntu Linux has quickly grown to have a wide user base and excellent support. It is a distribution basically targeted at the desktop user. But recently a separate server version has also been released.

Ubuntu Linux comes with a enhanced text based installer which is claimed to be very easy to use. I came across this excellent step-by-step tutorial called - Ubuntu Dual Boot - which gives a very clear description about how to install Ubuntu Linux on your machine along side with Windows OS, which I would recommend to everyone who are interested in Ubuntu. It also has all the screen shots of the installer which makes installing this distribution a cake walk. Even though, I have installed Linux (though not Ubuntu) numerous times in the past, I was able to clarify a few of my doubts about partitioning by reading this tutorial.

Sunday, 16 October 2005

Make a donation and support this project

I have been maintaining this site for the past one year. And this site has reached over a 100 posts all related to Linux - which includes configuring, troubleshooting and usage tips. This project was started with a personal goal of putting all my notes related to linux online so that it would become a place of reference not only for me but also for other like minded netizens. Now it has expanded and includes reviews of Linux distributions and related softwares I have tested.

Ways you can support this project
  • Make a donation - You can send some money via PayPal in appreciation of this site. That will make me very very happy :) as it will help me in paying my Internet bills.
  • Spread the word around - Talk about this site to all your friends, relatives, acquaintances and just about anybody you come across, who is even remotely interested in Linux.
  • Participate by posting a comment - Even though I do not have plans to accept articles from others at this point of time (as some people had suggested); mainly because this site lists my personal experiences in using Linux. Also accepting articles from others will throw up a whole set of other problems which I am not ready to face at present. But you can post a comment telling your views about the topic I write. You can tell me what you like / dislike about my post, any mistakes I have made (all humans are prone to mistakes) and any new things you know about the article.
You can make a donation via "PayPal" button on the right hand side. I am looking forward to your valuable contributions.

iptables - The poor man's robust firewall for Linux

A firewall is a software which is used to control the movement of network traffic according to a set of rules. Linux ships with an excellent GPLed firewall called iptables. Here I will explain the rudimentary concepts in using iptables.

Iptables is a packet filter which supersedes the erstwhile ipchains. It forms the first point of contact for packets that flow into or out of your network. In fact the packets are checked in the following order when it reaches your computer.

+-----------+
| Incoming |
| packet |
+-----------+
|
|
v
+-----------+
| Iptables | --> Block
+-----------+
| Pass
|-------> Forward to another system
|
| Kernel Space
----------------------------------------
| User Space
|
v
+--------------+
| TCP Wrappers | --> Block
+--------------+
| Pass
|
v
+--------------------+
| xinetd based rules | --> Block
+--------------------+
| Pass
|
v
Onward journey
of the packet

As you can see in the above diagram, iptables works in the kernel space.

Here I will give a simple introduction to this very useful and powerful but cryptic form of securing ones network.
If you are using kernel 2.4 and above, you will be using iptables. Iptables functionality is directly compiled into the Linux kernel as a module (netfilter). The policies are checked at the layers 2, 3 and 4 of the OSI Reference Model. That is 'Datalink', 'Network' and 'Transport' layer. It is very fast because only the packet headers are inspected. There is a wonderful tutorial on configuring firewalls using iptables at Netfilter.org. But if you are lazy (like me :) ) to plod through over 130 pages of the tutorial, then read on ...

Netfilter is divided into tables which in turn are divided into chains. And each chain can have different targets.

Netfilter tables :
There are three inbuilt tables. They are as follows:
  1. filter - This is the default table if no table name is specified in the rule. The main packet filtering is performed in this table.
  2. nat - This is where Network Address Translation is performed. For example, if you are using your machine as a router or sharing your internet connection with other machines on your network, you might use the NAT table in your rule.
  3. mangle - This is where a limited number of 'special effects' can happen. This table is rarely used.
Netfilter chains :
I said above that each table has a number of inbuilt chains. These are as follows:
For filter table
  1. INPUT - Handles packets destined for the local system, after the routing decision.
  2. OUTPUT - This chain handles packets after they have left their sending process and before being processed by POSTROUTING (applicable to nat and mangle) chain.
  3. FORWARD - This chain handles packets routed through the system but which are actually destined for another system on your LAN.
For the nat table
  1. OUTPUT - see explanation above.
  2. PREROUTING - This is the entry point of packets on their arrival. All packets first pass through this chain before even passing through the routing decision.
  3. POSTROUTING - If PREROUTING is the first chain that a packet encounters, POSTROUTING is the final point of contact for any packet before it leaves the system.
For mangle table
  • The mangle table contains a union of all the chains in the filter and nat tables.

Note: Over and above the builtin chains, you can also have custom user defined chains too. Usually you use a custom chain to group a series of actions together before passing it to one of the inbuilt chains.

Rule targets :
As I said above, each chain can have different targets. They are broadly classified into builtin and extension targets. The target names must be preceded by the option -j . -j as in jump. These are the targets:

Builtin targets
  • DROP - As the name indicates, discards the packet. No message is relayed back to the sender of the packet.
  • ACCEPT - Allows the packet to pass through the firewall.
  • RETURN - This is a built in target which is created for convenience. Because most targets do not return. That is if a packet matches a rule, the checking of that packet ceases and the chain is exited.
Extension targets
  • LOG - This is used to log messages to your system of offending or blocked packets. Usually, control is passed to the syslog facility which logs the message to the file /var/log/messages and then returns the control back to the iptables.
  • REJECT - If this target is used, a notice is sent back to the sender. Like for example "you are denied access to this service" message.
  • DNAT - Used for destination NAT ie rewriting the destination IP address of the packet.
  • SNAT - Used for rewriting the source IP address of the packet.
  • MASQUERADE - This is used to do either SNAT or DNAT. Basically this target is used to set up internet connection sharing in your network.
Note: All extension targets are usually implemented in special-purpose kernel modules. To know which all modules are loaded on your system, execute the command:


# lsmod |grep ipt

ipt_limit 1792 8
iptable_mangle 2048 0
ipt_LOG 4992 8
ipt_MASQUERADE 2560 0
iptable_nat 17452 1 ipt_MASQUERADE
ipt_TOS 1920 0
ipt_REJECT 4736 1
ipt_state 1536 6
ip_conntrack 24968 5 ipt_MASQUERADE,
iptable_nat,ip_conntrack_irc,ip_conntrack_ftp,ipt_state
iptable_filter 2048 1
ip_tables 13440 9 ipt_limit,iptable_mangle,ipt_LOG,
ipt_MASQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state,
iptable_filter

These are the modules that are loaded on my system. As you can see, all modules that start with the name 'ipt_' are extension modules. So in the above listing, iptable_nat module uses a extension module called ipt_MASQUERADE . And to use the LOG extension target, you should have loaded the ipt_LOG extension module. So on and so forth :) .

A few examples to whet your appetite

# iptables -t filter -A INPUT -p tcp -s 192.168.0.5 -j DROP
The above rule can be read as follows. In the filter table (-t), append (-A) to the INPUT chain the rule that, all packets using the protocol (-p) tcp and originating (-s) from the remote machine with IP address 192.168.0.5 should be dropped (-j DROP).

# iptables -A FORWARD -s 0/0 -p TCP -i eth0 -d 192.168.5.5
-o
eth1
--sport
1024:65535 --dport 80 -j ACCEPT
This rule reads as follows: Append (-A) to the FORWARD chain, the rule that all packets coming from anywhere (-s 0/0) using the protocol (-p) TCP and using unreserved ports (--sport 1024:65535), incoming (-i) through the interface eth0 , and destined (--dport) for port 80 on address (-d) 192.168.5.5 and outgoing (-o) through the interface eth1 should be accepted.

# iptables -L
List (-L) all the rules in the iptables.

# iptables -F
Flush (-F) all the rules from iptables. Now you can start afresh.

# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
Log all incoming and outgoing rules in the filter table to the file /var/log/messages.

I hope you have got the drift ;) . Iptables is a very powerful and flexible tool and can be used to block anything or everything that comes into or goes out of your computer.

Wait there is one more thing ...

Usually the commands that you executed above will reside in memory but will not persist across rebooting. Which means, once you reboot, all your rules are lost and you have to start all over. So to avoid this, you save your rules into a file which is read by the OS when you reboot your machine.
In RedHat/Fedora, the iptables rules are saved in the file /etc/sysconfig/iptables . You save it using the programs iptables-save as follows:
# iptables-save > /etc/sysconfig/iptables 

or do the following :
# service iptables save 

There is another script called iptables-restore which can be used to load the rules from a file into memory.

Thursday, 13 October 2005

Different ways of locking a user's account in Linux

You can disable a user's account in the following different ways:

First Method
Open /etc/passwd file and find the line containing the user's name.
# vi /etc/passwd 

Or if you are on a system used by lots of people, there is a very secure form of opening the /etc/passwd file for editing :
# vipw 
... which also opens the /etc/passwd file for editing in the vi editor - but in a more secure manner.
#FILE: /etc/passwd
...
ravi:x:500:500:Ravi Kumar:/home/ravi:/bin/bash
...
Now change the shell /bin/bash to /sbin/nologin .

#FILE: /etc/passwd
...
ravi:x:500:500:Ravi Kumar:/home/ravi:/sbin/nologin
...
Save and exit the file.

Second Method
Enter /etc/passwd file and move to the line containing the user's name. Now enter a '!' (bang) or '*' (asterisk) just before the 'x' in the second field. Save and exit the file.
Note: The fields in the file /etc/passwd are separated by ':' (colons) .

#FILE: /etc/passwd
...
ravi:*x:500:500:Ravi Kumar:/home/ravi:/bin/bash
...
Note: If you are not using shadow passwords (highly unlikely), you will have the password in encrypted format in the second field instead of an x. Unlocking the account is the reverse of what you did above.
Important: One guy told me that if you use the above method, a disabled user can login through the network using SSH. I have not checked it out though.

Third Method
You can use the command chage to lock a user's account. You do this by changing the expiry date to any date before the current date.

# chage -E 2005-10-01 ravi

The above command will set the expiry date of ravi's account to 'Oct 1st 2005' which is a previous date. So when the next time ravi tries to login to his account, he will get the message that his account is disabled.
Note: For chage to work, you should be using shadow passwords (most distros use this by default). You can re-enable the user's account by running the same command but changing the date to a value greater than the current date.

Fourth Method
Execute the following command:
# passwd -l ravi
This will lock ravi's account. Now to unlock the account, do:
# passwd -u ravi

Check the logs
All failed logins will be audited and logged to the file /var/log/messages. To see who all have unsuccessfully tried to login to their account, try the following:

# grep "FAILED LOGIN" /var/log/messages

Also if you have a file called /var/log/faillog check that out too. It contains a history of all failed login details. This file is used when you use PAM (Pluggable Authentication Modules) for enforcing password policies.

You can change the default password policies by editing the file /etc/login.defs . But any changes will be applicable to only to those user accounts created after the modification of the file.

Monday, 10 October 2005

3dDesktop - The Desktop switcher on steroids

I am amazed when people pass comments like - Linux is drab, graphic applications in Linux are primitive and so on. These comments may have had some validity a few years back; But not any longer. For one, OpenGL which is a well developed graphics engine has strong support on the Linux platform. One just have to look at any application which uses OpenGL libraries to understand the true power behind this graphics engine. I tell each and everyone even remotely interested in computers that Linux has come of age and it is definitely going to be a real threat to its commercial counterparts.
Here I will describe a nifty utility which can be used to switch your desktop - that is right, Linux has multiple desktops (4 by default). This utility is called 3dDesktop. 3D-Desktop is a program for switching virtual desktops in a seamless 3-dimensional manner on Linux. The current desktop is mapped into a fullscreen 3D environment where you may choose other screens.It uses OpenGL for rendering the special effects. If you are running 3dDesktop, you can have quite a number of special effects in the same leagues as those in Mac OSX.

But first the prerequisites:

For successfully running any application using OpenGL, you need a good graphics card having atleast 64 MB memory. If your PC does not have a graphics card, your experience of running 3dDesktop will be atmost crappy. For example, I have a NVIDIA Graphics card installed in my machine.

3dDesktop is usually shipped with all major Linux distributions. But if it is not installed on your machine, you can download it from its website and install it.
The 3dDesktop package installs amoung others, three important files. They are :
  1. 3ddeskd - Which is the server (daemon) which should work in the background
  2. 3ddesk - The client which is used to show the special effects to the user. And
  3. 3ddesktop.conf - which is the system wide configuration file which contains details like what kind of special effects need to be shown and so on. The contents of this file could be overridden.
How to make it work
First fire up xterm and start the 3ddesktop server (3ddeskd).
$ 3ddeskd --wm=fluxbox --acquire --texturesize=1024 &
In the above command, I have passed the type of window manager I am using with the --wm option, acquire screenshots of all my desktops with the --acquire option and used a texture size of 1024 (must be multiples of 2 with a minimum value of 128) with the --texturesize option. I have used Fluxbox as my window manager. But you can pass the name of the window manager in which you are working, in the --wm option.

From now on, when ever you want to switch the desktop, you run the client part of the package which is 3ddesk. It can be passed a few options; the important ones being :
--view - This option decides the kind of graphics effects to show. The different values being goright, goleft, slide, zoom, nozoom, linear, linearzip and bigmoney.
--mode - This option sets the arrangement of the special effects. The effects being carousel (which is the default), cylinder, linear, viewmaster, priceisright, flip or random.

Of course, you can also run 3ddesk without passing any options in which case, it reads the default options from the /etc/3ddesktop.conf configuration file.

Here are a few examples of how to start the show.
$ 3ddesk
... accepts the default options.
$ 3ddesk --mode=cylinder --view=zoom
... the desktop takes the shape of a cube.
$ 3ddesk --view=bigmoney
... Vertical rotation

Once you execute any of the above commands, try switching the desktop by rotating the mouse wheel or clicking the left or right mouse buttons. And select the desktop by clicking the middle button (wheel).You can also rotate the desktop by using the arrow keys on your keyboard and then select your desktop by pressing enter.

Mapping a Key Sequence to start 3ddesk
This utility becomes really useful when you map a key sequence to execute the 3ddesk (client) program in your window manager. In KDE and GNOME, it is a snap. Here I will explain how to map a key sequence in Fluxbox (my window manager of choice) to start 3ddesk.

If you are running fluxbox as your window manager, you will have a hidden directory by name .fluxbox in your home directory.
$ ls -al | grep fluxbox
This hidden directory contains the configuration files for this window manager. Now open the file ~/.fluxbox/keys in your favorite editor and insert the following lines.
#FILE: ~ravi/.fluxbox/keys
# Use 3ddesk to change desktop
Mod4 KP_6 :ExecCommand 3ddesk --gotoright
Mod4 Right :ExecCommand 3ddesk --gotoright --nozoom
Mod4 KP_4 :ExecCommand 3ddesk --gotoleft
Mod4 Left :ExecCommand 3ddesk --gotoleft --nozoom
Mod4 Down :ExecCommand 3ddesk --mode=viewmaster
The above lines map a key sequence to execute 3ddesk program. For example, if I press the [Windows key] and the 6 in the keypad simultaneously, it will automatically execute the 3ddesk command on the first line in the above listing. Here,
Mod4 - Window Key on your keyboard
KP_6 - The 6 on your number pad.
Mod1 - Alt key

Now you reload the configuration file in fluxbox. That is it. Now to switch your desktop, you just have to press [WindowKey + left arrow]. Or try [Win Key + Down arrow].


Figure 1 : Vertical Flip

Figure 2 : Vertical flip continued

Figure 3: Viewmaster mode

Figure 4: Bigmoney mode


Figure 5: Cylindrical mode

Note: For the 3ddeskd daemon to start each time you boot into Linux, you have to set it up in the configuration file. I have inserted the following line in the ~ravi/.fluxbox/startup file.

# FILE: /home/ravi/.fluxbox/startup
if [ -x /usr/bin/3ddeskd ]; then
3ddeskd
fi
All code in the file /home/ravi/.fluxbox/startup will be executed when you log into fluxbox. So that does the trick of starting the 3ddeskd daemon automatically.

Next time if anybody starts giving you a sermon about the beauty of Mac OSX, direct them to this article. :)