Coded zone

Free webhosting

2007-07-23T12:51:00.001-07:00

Free and paid webhosting started, as an e-commerce website.

http://sales.rajesh.com.np, Its getting positive feedbacks.

VI find and replace

2007-07-16T06:14:00.001-07:00

Introduction: This tutorial is meant for VI text editor, mainly for linux, generally used in Console [my black Screen]

Tutorial Reference:
Linux.ie

Search (Wraped around at end of file):
Search STRING forward :   / STRING.
Search STRING backward:   ? STRING.
Repeat search:   n
Repeat search in opposite direction: N (SHIFT-n)

Find and Replace
First occurrence on current line: :s/OLD/NEW
Globally (all) on current line: :s/OLD/NEW/g

How did this happen?

Actually IPs changed from 203.91.136.234 to 116.90.239.10.
I had access to only vi editor and then, I need to replace the former with the latter. Later I found this :

:s/203.91.136.234/116.90.239.10/g

This just replaced 203.91.136.234 to 116.90.239.10 and the operator g was meant for global, same as in Perl.

Doing this, that is invoking the command in vi command prompt solved all my problem. But every time I had to press " n " for finding 203.91.136.234. Then invoking :s/203.91.136.234/116.90.239.10/g this solved them.

Mysql creating new users and assigning permissions

2007-07-16T06:13:00.001-07:00

Recently I tried to create a database to install mambo.

mysql> use forum_mambo
Database changed
mysql> GRANT ALL PRIVILEGES ON forum_mambo to forum_mambo@localhost identified by 'forum_mambo';
Query OK, 0 rows affected (0.11 sec)

Google Google Google..

2007-07-12T13:42:00.001-07:00

Here is something.. Googling in Google for how much I Googled in Google.com returned this . lol. This shows that I google much time during the nights from 9-4 @morning. Normally I sleep at 5,6,7,8 and I am @college at 9,10,11,12.

Surfing starts either at 3 or at 5 (College closes at 4)

7 and 8 is the Dinner time and so.. relatively less stats indicates that too.

I am more active at weekends Fri, Sat and Sundays hmm..
and umm I don't use much at the start of the semesters like @Feb, March, Aug, Sep and Oct . Okay cool

Google Trends created this Graph for me.

The world of Black Screen

2007-07-11T11:43:00.001-07:00

This is a sample remote system we are going to investigate..

Then I started playing inside..

Later I made sure if the DNS server is working or not.. by using Dig command

Now I stopped the Name server: "service named stop"

Dig localhost, to ensure which name server is working . Since our name server is stopped just a second ago, It might be another parent server that would reply by the dig. Here was the case that 202.52.242.65 replied at port 53. [This follows the precedence from /etc/resolv.conf]

Below is the famous "Cannot Find server" lol .. because the name server is down

The files resolv.conf contains the information about which servers to contact. It is usually found at /etc/resolv.conf .

I have here two of the name servers listed. If one fails it contacts the another. However most of the queries will be fetched from the first server.

Now since our local DNS (Domain Name Server) is down. Lets try to find the ip of hotmail.com by invoking : dig hotmail.com

This will return obviously the ip of hotmail.com as well as the ip of the Server which did the job for us. Most probably here will be 202.52.242.65 to do this for us , because we have kept its name at the second place. The one in the first place is 202.52.242.110, which is our local ip, and its DNS (Domain Name Server) is down now.

Now lets start our name server. Service named start.

The Error logs, or any logs are printed inside the /var/log/messages at the last portion. You may use tail function, or cat to print the latest log messages about the starting of the name server. Usually during starting name servers.. when there are errors .. I have found no error log is printed at the console, rather errors are printed at the log files. So Its better to find these stuffs there.. Remember /var/log/messages

Here it goes .. Now our DNS is running and, there is at least one server who will reply to our query for the domain. Remember last cannot find server. This time.. it won't say so.. Rather it worked.. See my domain is working now..

Okay what is there in the files of name servers? These files are situated inside the folder /var/named/ . Actually name server is configured by a configuration file /etc/named.conf, in which the directory /var/named is defined. I too have used the same configuration. Hence my files reside at /var/named. Inside that file are other files, within which, we can define different zones, and different subdomains.. like I have used a domain here kucc.ku.edu.np and defined different subdomains within this domain. So simple create any file and define subdomains. like A records, the www subdomain of kucc.ku.edu.np is defined inside kucc.ku.edu.np as :
www IN A 202.52.242.110.
Which means that, the ip of the subdomain "www.kucc.ku.edu.np" is 202.52.242.110.

Okay well we talked about named.conf Here is the screenshot of /var/named/named.conf

Now lets check it out what the DNS analyzers say, like DNSSTUFF.com has something to say about us.. whether working or not..

Okay just click the lookup button and there you go: the details of dns related stuff.

/var/named/named.ca

/var/named/kucc.ku.edu.np

Below is the history of whatever we did until now..

Now lets start towards mail servers. Lets perform nmap scan to see which ports are open for us to watch. If mail servers are on, smtp port 25,and pop3 port 111 must be open.

Now lets check by telnetting the ports. telnet at port 25 and telnet at port 110.

Okay our mail server is running.. Lets login

and after logging we get mails inside it:

One benefit of having a mail server is that, the system mails all the attacks and logs to the mail server, so that we can check them periodically. Not that you have to go to /var/log/message to check them all the time .. The logs are sent to the mail box as shown above. In traditional way, we had to check the attacks manually like below:

Windows Live writer for blogger

2007-07-09T09:44:00.001-07:00

Windows Live writer is Cute and nice for blogger.com and you can use it with other accounts. windows live spaces, WordPress, or other blogging sites. This one is from windows live writer. Wow excellent !! This works and is great. I love this stuff. Yeah.

Photograph for Pulitzer 1995

2007-07-06T19:47:00.000-07:00

I hope this picture will always serve as a reminder to us that how
fortunate we are and that we must never ever take things for granted.

We must all realise our social responsibilities.

Difference between Focusing on Problems and Focusing on Solutions

2007-07-06T19:40:00.000-07:00

Case 1 When NASA began the launch of astronauts into space, they found out that
the pens wouldn't work at zero gravity (ink won't flow down to the writing
surface). To solve this problem, it took them one decade and $12 million.
They developed a pen that worked at zero gravity, upside down, underwater,
in practically any surface including crystal and in a temperature range
from below freezing to over 300 degrees C.

And what did the Russians do...?? They used a pencil.

Case 2 One of the most memorable case studies on Japanese management was the case
of the empty soapbox, which happened in one of Japan's biggest cosmetics
companies. The company received a complaint that a consumer had bought a
soapbox that was empty. Immediately the authorities isolated the problem
to the assembly! line, which transported all the packaged boxes of soap
to the delivery department. For some reason, one soapbox went through the
assembly line empty. Management asked its engineers to solve the problem.
Post-haste, the engineers worked hard to devise an X-ray machine with
high-resolution monitors manned by two people to watch all the soapboxes
that passed through the line to make sure they were not empty. No doubt,
they worked hard and they worked fast but they spent a whoopee amount to
do so.

But when a rank-and-file employee in a small company was posed with the
same problem, he did not get into complications of X-rays, etc., but
instead came out with another solution. He bought a strong industrial
electric fan and pointed it at the assembly line. He switched the fan on,
and as each soapbox passed the fan, it simply blew the empty boxes out of
the line.

Moral : Always look for simple solutions.
Devise the simplest possible solution that solves the problems

Always Focus on solutions & not on problems
So at the end of the day the thing that really matters is HOW ONE LOOKS INTO
THE PROBLEM, mere perceptions can solve the tough probs...

Eleven Commandments of hi5

2007-01-04T09:56:00.000-08:00

ONE
If you’re ugly, stop acting like you don’t know it & stop using cute
nicknames. The captions under your picture that says “top model pose”,
“sexy”, “arnt i hot” doesn’t convince anyone.

TWO
To the people who have like over 1000 friends, are you serious? Nobody
in this universe can keep up with that many friends. You’re just
stupid. Go play in traffic.

THREE
If you’re real pretty, dont approve all friends request and bitching
later on how u hate getting stupid comments & messages. You’re the one
who approved them in the 1st place!! Be realistic on what u’re getting into!!

FOUR
Don’t ever post pictures and say “OMG, I’m so ugly” “OMG,I’m so fat” because if you were, you wouldn’t post them.

FIVE
Stop peeping others scrap book to see wot that guy or gal have conversed. Also stop being a Tomboy looking for hot chicks in others profiles.
(vice versa too)

SIX
Writing tons of scraps a day, begging people to send a testimonial, etc.. ” IS PATHETIC & IMATURE. ” .PEOPLE WHO ACTUALLY CARE ABOUT YOU WILL SEND YOU TESTIMONIALS.. Pls dont junk others scrap book so to get your
scrap figures multiply!

SEVEN
If all your pictures look the same, don’t post them all. Please put some variety in your pics. Nobody wants to see your face 10 different ways.

EIGHT
Who really cares if I/U don’t accept you/me as a friend? MOVE ON!!!
Don’t send me another request or message asking “what’s up with you not adding me?” I don’t want you as a friend; that’s what’s up!

NINE
Little 6th graders, go somewhere else because nobody wants you here and than hi5, you have better things in dis world to get addicted!

TEN
Nobody cares about threats over the internet. Don’t try to act hardcore with the keyboard. Fighting online is like racing in the special olympics; even if you win, you’re still retarded.

ELEVEN
If you get a scrap message and it says something like “repost this
within 100 seconds or a ghost will rape your dog tonight!!,” IT’S NOT
REAL!!QUIT BEING AN IDIOT!!!!!!!!

Oops 16bit assembly

2007-01-03T04:57:00.000-08:00

I tried to mess with some executables. I have
been using a Desktop manager and it is a trial version. So I tried to mess with their codes. And before
I could do anything I needed Assembly language to be run in my computer. I wanted to run some hello world
stuffs, those codes I had done previously, and which were familiar to me before
I used windows XP service pack2 .
I used to run those codes in win98 and winxp(sp1).

Now after 1-2 years , I can't run TASM .
While I tried to compile and link using TLINK to a "hello world" assembly
program in Windows, it gives an error like :
"16 bit MS-DOS Subsystem
c:\windows\system\cmd.exe -tlink ara.obj
X#=0D,CS=01B7 IP=00000231. The NTVDM CPU has encountered an unhandled exception.
Choose 'close' to terminate the application."

Then it gives a "Close" and "Ignore" options over a dialog button.
At both cases I can't link the obj file with the linker. This is a bullshit.
Windows takes all the control over the Operating System and what am I . Nothing.
A user who can't level up . Damn!!.

I searched over the internet all around but everyone says: use 32 bit programming codes. and use TASM32 and TLINK32.

Nah I don't wanna do that. I need TASM and TLINK cuzz I like playing with 16 bits. They are easier and give more control to me. 32 bits !! why 32 bits. If I am the programmer I need all the controls. Computers are for me , I am not for computers. Humans modify computers .. If computers start modifying humans thats unfair.
If I don't find a solution I have the solution, I will go back to windows98 and the service pack1 windows. Have the job done and return back. Thanks God I kept backup of all these.

Sources that I was using :

Assembly Language for NewBies

modifications made

2006-12-24T16:24:00.000-08:00

modifications made, added some links, removed blogger button and changed templates.

How to login to a remote server via ssh

2006-11-15T02:35:00.000-08:00

Download SSH (A telnet client) SSH stands for Secure Shell Login.

Select from a list of available download options

Save it to the Desktop as ssh.exe

Now Cut the ssh client

Now Go to windows -> Run -> Type a full stop (That is a "." ) and -> press enter and then press "control V"

The client will be saved in your default directory.

Now Just type
ssh username@domain-name.com
A black screen appears and it will prompt to provide a password

Milliseconds in C

2006-06-20T13:54:00.000-07:00

http://www.thescripts.com/forum/thread212375.html

int main()

{

clock_t t1 = clock(), t2;

while ((t2 = clock()) == t1) ;

printf("CLOCKS_PER_SEC: %.0f resolution: %f sec\n",

(double)CLOCKS_PER_SEC, (t2 - t1) / (double)CLOCKS_PER_SEC);

return 0;

}

fangorn:~/tmp 2299> gcc clockres.c

fangorn:~/tmp 2300> ./a.out

CLOCKS_PER_SEC: 1000000 resolution: 0.010000 sec

As you can see, CLOCKS_PER_SEC is merely a conversion factor, it provides

no indication WRT the resolution of the clock() function. The resolution

can only be determined at run time, as shown above.

milliseconds of a program in c, time.h

2006-06-20T12:55:00.000-07:00

http://www.math.uic.edu/~jan/MCS275/lec41.html

Below is the listing of the main program (stored in mytimer.c ),
that contains all routines in one file :


/* L-41 MCS 275 Fri 20 Apr 2001 : timing C programs */

/* The program below compares the time for multiplying two floats
   (single precision) with multiplying two doubles (double precision).
   Because one multplication happens extremely fast (unnoticable),
   we execute many multiplications.  We can test the correctness
   of the timing by executing the program on the prompt like
   prompt> time ./a.out
   The UNIX command time displays after a.out terminates the
   user time (among other things). */

#include <stdio.h>
#include <time.h>
#define N 100000000

typedef struct timedata timer;
struct timedata
{
   clock_t  user_time;
   time_t   real_time;
};

void tstart ( timer *tmr );
/* initializes the timer */

void tstop ( timer *tmr );
/* stops the timer */

long usersec ( timer tmr );
/* returns elapsed seconds user cpu time */

long realsec ( timer tmr );
/* returns elapsed seconds real time */

long usermsc ( timer tmr );
/* returns elapsed milliseconds user cpu time */

long realmsc ( timer tmr );
/* returns elapsed milliseconds real time */

void tprint ( timer tmr );
/* formatted print of user cpu time, seconds and milliseconds */

int main(void)
{
   long i;
   timer tmr,total;
   float a, b = 3.3333, c = 5.5555;
   double x, y = 3.3333, z = 5.5555;

   tstart(&total);
   printf("\nTiming single precision float multiplication : \n");
   tstart(&tmr);
   for (i = 0; i < a =" b*c;" i =" 0;" x =" y*z;">user_time = clock();
   tmr->real_time = time(NULL);
}

void tstop ( timer *tmr )
{
   tmr->user_time = clock() - tmr->user_time;
   tmr->real_time = time(NULL) - tmr->real_time;
}

long usersec ( timer tmr )
{
   return tmr.user_time/CLOCKS_PER_SEC;
}

long realsec ( timer tmr )
{
   return tmr.real_time;
}

long usermsc ( timer tmr )
{
   return (tmr.user_time*1000)/CLOCKS_PER_SEC;
}

long realmsc ( timer tmr )
{
   return (tmr.real_time*1000);
}

void tprint ( timer tmr )
{
   long usec = usersec(tmr);
   long umsc = usermsc(tmr);
   long rsec = realsec(tmr);
   long rmsc = realmsc(tmr);

   printf("%s%2d%s%3d%s\n",
          "Elapsed CPU user time : ", usec, " second(s) and ",
           umsc - 1000*usec , " millisecond(s).");

   printf("%s%2d%s%3d%s\n",
          "Elapsed real time     : ", rsec, " second(s) and ",
           rmsc - 1000*rsec , " millisecond(s).");
}

If we put all the timing utilities in the library libtimer ,
then our main program usetimer.c looks like


/* L-41 MCS 275 Fri 20 Apr 2001 : timing C programs with library */

#include <stdio.h>
#include "libtimer.h"
#define N 100000000

int main(void)
{
   long i;
   timer tmr,total;
   float a, b = 3.3333, c = 5.5555;
   double x, y = 3.3333, z = 5.5555;

   tstart(&total);
   printf("\nTiming single precision float multiplication : \n");
   tstart(&tmr);
   for (i = 0; i < a =" b*c;" i =" 0;" x =" y*z;">

Then libtimer.h has to contain

/* L-41 MCS 275 Fri 20 Apr 2001 : creating a library for timing */

#include <time.h>

typedef struct timedata timer;
struct timedata
{
   clock_t  user_time;
   time_t   real_time;
};

void tstart ( timer *tmr );
/* initializes the timer */

void tstop ( timer *tmr );
/* stops the timer */

long usersec ( timer tmr );
/* returns elapsed seconds user cpu time */

long realsec ( timer tmr );
/* returns elapsed seconds real time */

long usermsc ( timer tmr );
/* returns elapsed milliseconds user cpu time */

long realmsc ( timer tmr );
/* returns elapsed milliseconds real time */

void tprint ( timer tmr );
/* formatted print of user cpu time, seconds and milliseconds */


and the file libtimer.c has as content


/* L-41 MCS 275 Fri 20 Apr 2001 : timing library */

/* If this file has the name libtimer.c, we can create the library
   by typing after the prompt :
     prompt> gcc -c libtimer.c
     prompt> ar ruv libtimer.a libtimer
   or with we place in makefile the following :

libtimer: libtimer.c
 gcc -c libtimer.c
 ar ruv libtimer.a libtimer.o
*/

#include <stdio.h>
#include <time.h>
#include "libtimer.h"

void tstart ( timer *tmr )
{
   tmr->user_time = clock();
   tmr->real_time = time(NULL);
}

void tstop ( timer *tmr )
{
   tmr->user_time = clock() - tmr->user_time;
   tmr->real_time = time(NULL) - tmr->real_time;
}

long usersec ( timer tmr )
{
   return tmr.user_time/CLOCKS_PER_SEC;
}

long realsec ( timer tmr )
{
   return tmr.real_time;
}

long usermsc ( timer tmr )
{
   return (tmr.user_time*1000)/CLOCKS_PER_SEC;
}

long realmsc ( timer tmr )
{
   return (tmr.real_time*1000);
}

void tprint ( timer tmr )
{
   long usec = usersec(tmr);
   long umsc = usermsc(tmr);
   long rsec = realsec(tmr);
   long rmsc = realmsc(tmr);

   printf("%s%2d%s%3d%s\n",
          "Elapsed CPU user time : ", usec, " second(s) and ",
           umsc - 1000*usec , " millisecond(s).");

   printf("%s%2d%s%3d%s\n",
          "Elapsed real time     : ", rsec, " second(s) and ",
           rmsc - 1000*rsec , " millisecond(s).");
}


To create the library and the executables, use the makefile below :


libtimer.a: libtimer.h libtimer.c
 gcc -c libtimer.c
 ar ruv libtimer.a libtimer.o

mytimer: mytimer.c
 gcc -o mytimer mytimer.c

usetimer: usetimer.c libtimer.a
 gcc -o usetimer usetimer.c libtimer.a

clean:
 /bin/rm -f -r *o libtimer.a mytimer usetimer

program for insertion sort

2006-06-09T08:54:00.000-07:00

from http://www.cs.ucsc.edu/~pohl/CBDCourse/hw/kklenk_5.c

/**********************************************************/
/*                                                        */
/*  Author:       Kevin Klenk                             */
/*  Date:         May 25, 1998                            */
/*  Class:        CMPS012A - Spring 1998                  */
/*  Professor:    Ira Pohl                                */
/*  Description:  This program sorts randomly-filled      */
/*                arrays of four sizes (10, 100, 1000 and */
/*                10000) using insertion sort and then    */
/*                does several binary lookups on those    */
/*                arrays.  Originally, the program was    */
/*                also supposed to print timing           */
/*                information, but the clock() function   */
/*                in time.h proved to be too unreliable.  */
/*                                                        */
/**********************************************************/

/* Required libraries */
#include <stdio.h>
#include <time.h>
#include <assert.h>

/* Constants */
#define CLOCKS_PER_SEC 1000000
#define MAXSIZE 10000
#define RANGE 100
#define NUMLOOKUPSTOPRINT 20
#define NUMLOOKUPS 100

/* Function Prototypes */
void swap(int *a, int *b);
int GetRandNum();
void FillArray(int array[], int size);
void PrintArray(int array[], int size);
void Swap(int *a, int *b);
void InsertionSort(int data[], int size);
int BinaryLookup(int data[], int size, int key, int* position);

/* Returns a random integer from 0 to RANGE - 1. */
int GetRandNum()
{
   return (rand() % RANGE);
}

/* Fills an array of size integers with random values. */
void FillArray(int array[], int size)
{
  int i;

  srand(time(NULL));
  for(i = 0; i < size; i++)
    array[i] = GetRandNum();
}

/* Prints an array of size integers to stdout. */
void PrintArray(int array[], int size)
{
   int i;

   printf("\t");
   for (i = 0; i < size; i++)
      printf("%5d", array[i]);
   printf("\n");
}

/* Swaps two integers. */
void Swap(int *a, int *b)
{
   int tmp = *a;

   *a = *b;
   *b = tmp;
}

/* Sorts an array of size integers in increasing order using */
/*  the insertion sort algorithm.                            */
void InsertionSort(int data[], int size)
{
   int i, k;

   for(i = 0; i < size - 1; ++i)
   {
      for(k = i + 1; k > 0; --k)
      {
         if(data[k] < data[k-1])
            Swap(&data[k], &data[k-1]);
      }
   }
}

/* Looks for an integer, "key", in an array of size integers */
/*  and sets the integer pointed to by position to the index */
/*  which was last checked by the function.  Returns 0 if    */
/*  "key" is not found; returns 1, otherwise.  "position"    */
/*  points to an integer storing the index at which "key" is */
/*  found if it IS in fact found.  Otherwise, the integer    */
/*  pointed to by "position" will contain an index close     */
/*  to the index where "key" would have been found if it     */
/*  were in the array.                                       */
int BinaryLookup(int data[], int size, int key, int* position)
{
   int leftIndex = 0;
   int rightIndex = size - 1;

   *position = (leftIndex + rightIndex)/2;

   while ((leftIndex <= rightIndex) && (key != data[*position]))
   {
      if (key < data[*position])
      {
         leftIndex = leftIndex;
         rightIndex = *position - 1;
         *position = (leftIndex + rightIndex)/2;
      }
      else if (key > data[*position])
      {
         leftIndex = *position + 1;
         rightIndex = rightIndex;
         *position = (leftIndex + rightIndex)/2;
      }
      else
      {
         /* This will never occur because it is prevented by the loop */
         /*  condition.                                               */
      }
   }

   if (leftIndex > rightIndex)
      return 0;
   else
      return 1;
}

/* Main */
int main(void)
{
   int currSize, i, r, found, position, numLookups;
   int data[MAXSIZE];
   long before, after;

   for (currSize = 10; currSize <= MAXSIZE; currSize *= 10)
   {
      printf("\nRUNNING WITH %d ELEMENTS \n\n", currSize);

      FillArray(data, currSize);

      if (currSize == 10)
      {
         printf("  Before sorting array is:\n");
         PrintArray(data, currSize);
      }

/*      before = clock(); */
      printf("  Sorting the array:\n");
      InsertionSort(data, currSize);
/*
      after = clock();
      printf("\n     Sorting takes %lf seconds. \n\n",
       ((double)(after - before))/CLOCKS_PER_SEC);
*/
      if (currSize == 10)
      {
         printf("  After sorting array is:\n");
         PrintArray(data, currSize);
      }

/*      before = clock(); */

      if (currSize == 10)
         numLookups = NUMLOOKUPSTOPRINT;
      else
         numLookups = NUMLOOKUPS;
      printf("  Doing %d binary lookups:\n", numLookups);

      for (i = 0; i < numLookups; i++)
      {
         r = GetRandNum();
         found = BinaryLookup(data, currSize, r, &position);
         if (currSize == 10) {
            if (found)
               printf("    element = %2d found at index = %d\n", r, position);
            else
               printf("    element = %2d not found; would be near index = %d\n",
                r, position);
         }
      }
/*
      after = clock();
      printf("\n     Doing %d lookups takes %lf seconds. \n\n", NUMLOOKUPS,
       ((double)(after - before))/CLOCKS_PER_SEC);
*/
   }

   return 0;
}

Cron - Program Scheduler

2006-06-03T15:46:00.000-07:00

Cron - Program Scheduler: "Some examples of complete cron table entries are show below, implementing the vnukelog command as an example.
# Any output generated by the cron entries below is sent to the e-mail
# address assigned to the MAILTO environment variable.
MAILTO='webmaster@mycompany.com'

# Execute the 'vnukelog' command at 1:15 (15 1) AM every day.
15 1 * * * /usr/local/bin/vnukelog

# Execute the 'vnukelog' command at 11:40 PM (40 23) on the first day (1)
# of each month.
40 23 1 * */usr/local/bin/vnukelog

# Execute the 'vnukelog' command every 10 minutes for for the first
# half-hour (0-30/10) of the 9:00 AM and 5:00 PM hours (9,17) on
# Monday-Friday (1-5).
0-30/10 9,17 * * 1-5/usr/local/bin/vnukelog

# Execute the 'vnukelog' command at 4:00 AM, 8:00 AM, 12:00 noon, 4:00 PM,
# and 8:00 PM (0 */4) on each Sunday (sun) every January (jan).
0 */4 * jan sun/usr/local/bin/vnukelog

# Execute the 'vnukelog' command at 4:30 AM (30 4) on the first, fifteenth
# (1,15), and each Friday (fri) of every month.
30 4 1,15 * fri/usr/local/bin/vnukelog

# Execute the 'vnukelog' command at 12:00 midnight (0 0) on August 19 (8)
# (aug).
0 0 19 8 */usr/local/bin/vnukelog
0 0 19 aug */usr/local/bin/vnukelog"

How i can refine my search? search history !! and success historyGoogle Search

2006-06-02T01:12:00.000-07:00

"one user"+masquerade iptables - Google Search:

Guarddogiptables 1.2.6a - Is anyone using Guarddog with this version of
iptables? ... This means no Guarddog and NAT/IP masquerade on older kernel
2.2 systems. ...

Linux 2.4 Packet Filtering HOWTO: Using iptables

2006-06-02T01:04:00.000-07:00

Linux 2.4 Packet Filtering HOWTO: Using iptables: "Creating a New Chain
Let's create a new chain. Because I am such an imaginative fellow, I'll call it test. We use the `-N' or `--new-chain' options:
# iptables -N test
#

It's that simple. Now you can put rules in it as detailed above.
Deleting a Chain
Deleting a chain is simple as well, using the `-X' or `--delete-chain' options. Why `-X'? Well, all the good letters were taken.
# iptables -X test
#

There are a couple of restrictions to deleting chains: they must be empty (see Flushing a Chain below) and they must not be the target of any rule. You can't delete any of the three built-in chains.
If you don't specify a chain, then all user-defined chains will be deleted, if possible.
Flushing a Chain
There is a simple way of emptying all rules out of a chain, using the `-F' (or `--flush') commands.
# iptables -F FORWARD
#"

Resetting (Zeroing) Counters
It is useful to be able to reset the counters. This can be done with the `-Z' (or `--zero') option.
Consider the following:
# iptables -L FORWARD
# iptables -Z FORWARD
#
Setting Policy
The policy can be either ACCEPT or DROP, for example:
# iptables -P FORWARD DROP
#

Linux 2.4 Packet Filtering HOWTO

So What's A Packet Filter?
3.1 Why Would I Want to Packet Filter?
3.2 How Do I Packet Filter Under Linux?

4. Who the hell are you, and why are you playing with my kernel?

5. Rusty's Really Quick Guide To Packet Filtering

6. How Packets Traverse The Filters

Netfilter FAQ (Frequently Asked Questions)

Linux 2.4 Packet Filtering HOWTO: Mixing NAT and Packet Filtering

2006-06-02T01:03:00.000-07:00

Linux 2.4 Packet Filtering HOWTO: Mixing NAT and Packet Filtering: "9. Mixing NAT and Packet Filtering
It's common to want to do Network Address Translation (see the NAT HOWTO) and packet filtering. The good news is that they mix extremely well.
You design your packet filtering completely ignoring any NAT you are doing. The sources and destinations seen by the packet filter will be the `real' sources and destinations. For example, if you are doing DNAT to send any connections to 1.2.3.4 port 80 through to 10.1.1.1 port 8080, the packet filter would see packets going to 10.1.1.1 port 8080 (the real destination), not 1.2.3.4 port 80. Similarly, you can ignore masquerading: packets will seem to come from their real internal IP addresses (say 10.1.1.1), and replies will seem to go back there.
You can use the `state' match extension without making the packet filter do any extra work, since NAT requires connection tracking anyway. To enhance the simple masquerading example in the NAT HOWTO to disallow any new connections from coming in the ppp0 interface, you would do this:
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward"

Masquerade with a bit more security

2006-05-31T16:19:00.000-07:00

Stronger firewall rulesets to run after initial testing of Masquerade

#!/bin/sh
#
# rc.firewall-iptables-stronger
#
FWVER=0.88s

#          An example of a stronger IPTABLES firewall with IP Masquerade
#          support for 2.4.x kernels.
#
# Log:
#
#   0.88s - Updated the commands for dynamically addresses machines and
#           to point to an expanded FAQ section for more information
#
#   0.87s - Removed the unused drop-and-logit chain as it was only later
#           being deleted anyway
#   0.86s - Fixed a typo that had a preceeding ; instead of a #
#   0.85s - renamed from rc.firewall-2.4-stronger to rc.firewall-iptables-
#           stronger to reflect this script works for all IPTABLES enabled
#           platforms including 2.6.x kernels
#         - fixed an incorrect /24 netmask for the INTIP variable
#         - removed the unneeded SED variable
#   0.84s - Changed the defaults from 192.168.1.0 to 192.168.0.x to align
#           with the rest of the IPMASQ howto
#   0.83s - Added additional comments to make PORTFW configs more obvious
#   0.82s - Added a special ICMP filter to work around a Netfilter security
#           issue
#         - renamed the drop-and-log-it rule to reject-and-log-it
#   0.81s - Added an additional comment in the INPUT section for NOT
#           allowing all traffic in, but only select traffic
#   0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the
#           default of the ip_conntrack_irc to NOT load by default, and
#           added additional kernel module comments
#   0.79s - ruleset now uses modprobe instead of insmod
#   0.78s - REJECT is not a legal policy yet; back to DROP
#   0.77s - Changed the default block behavior to REJECT not DROP
#   0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
#           where to put optional PORTFW commands
#   0.75s - Added clarification that PPPoE users need to use
#           "ppp0" instead of "eth0" for their external interface
#   0.74s - Changed the EXTIP command to work on NON-English distros
#   0.73s - Added comments in the output section that DHCPd is optional
#           and changed the default settings to disabled
#   0.72s - Changed the filter from the INTNET to the INTIP to be
#           stateful; moved the command VARs to the top and made the
#           rest of the script to use them
#   0.70s - Added a disabled examples for allowing internal DHCP
#           and external WWW access to the server
#   0.63s - Added support for the IRC module
#   0.62s - Initial version based upon the basic 2.4.x rc.firewall


echo -e "\nLoading rc.firewall-iptables-STRONGER - version $FWVER..\n"


# The location of various iptables and other shell programs
#
#   If your Linux distribution came with a copy of iptables, most
#   likely it is located in /sbin.  If you manually compiled
#   iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/local/sbin/iptables
#
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
IFCONFIG=/sbin/ifconfig


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
EXTIF="eth0"
INTIF="eth1"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"

# Specify your Static IP address here or let the script take care of it
# for you.
#
#   If you prefer to use STATIC addresses in your firewalls, un-# out the
#   static example below and # out the dynamic line.  If you don't care,
#   just leave this section alone.
#
#   If you have a DYNAMIC IP address, the ruleset already takes care of
#   this for you.  Please note that the different single and double quote
#   characters and the script MATTER.
#
#
#   PPP and DHCP (Cablemodem and DSL ) users:
#   -----------------------------------------
#   PPP: If you get your TCP/IP address via DHCP, **you will need ** to
#   enable the #   #ed out command below underneath the PPP section AND
#   replace the word "eth0" with the name of your EXTERNAL Internet
#   connection (ppp0, ippp0, etc) on the lines for "ppp-ip" and "extip".
#
#   DHCP and PPP users:  The remote DHCP or PPP server can and will change
#   IP addresses on you over time.  To deal with this, users should configure
#   their DHCP or PPP client to re-run the rc.firewall-* ruleset everytime
#   the IP address is changed.  Please see the "masq-and-dyn-addr" FAQ entry
#   in the IPMASQ howto for full details on how to do this.
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
#  The following line will determine your external IP address.  This
#  line is somewhat complex and confusing but it will also work for
#  all NON-English Linux distributions:
#
EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"


# For users who wish to use STATIC IP addresses:
#
#  # out the EXTIP line above and un-# out the EXTIP line below
#
#EXTIP="your.static.PPP.address"
echo "  External IP: $EXTIP"
echo "  ---"


# Assign the internal TCP/IP network and IP address
INTNET="192.168.0.0/24"
INTIP="192.168.0.1/32"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"




# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en "    Loading kernel modules: "

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#        modules are shown below but are commented out from loading.
# ===============================================================

#Load the main body of the IPTABLES module - "ip_tables"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$MODPROBE ip_tables
fi


#Load the IPTABLES filtering module - "iptable_filter"
#
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack
fi


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack_ftp
fi


#Load the IRC tracking mechanism for full IRC tracking
#
# Disabled by default -- insert a "#" on the next few lines to activate
#
# echo -en "                             ip_conntrack_irc, "
#
#Verify the module isn't loaded.  If it is, skip it
#
# if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
#    $MODPROBE ip_conntrack_irc
# fi


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$MODPROBE iptable_nat
fi


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_nat_ftp
fi


#Loads the IRC NAT functionality (for DCC) into the core IPTABLES code
#
# DISABLED by default -- delete the "#" on the next few lines to activate
#
# echo -e "ip_nat_irc"
#
#Verify the module isn't loaded.  If it is, skip it
#
# if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
#    $MODPROBE ip_nat_irc
# fi


echo "  ---"

# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function.  Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
#    ip_nat_snmp_basic - this module allows for proper NATing of some
#                        SNMP traffic
#
#    iptable_mangle    - this target allows for packets to be
#                        manipulated for things like the TCPMSS
#                        option, etc.
#
# --
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.


#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable the following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  ---"

#############################################################################
#
# Enable Stronger IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet
#            mask connecting to the Internet on external interface "eth0".
#            This example will MASQ internal traffic out to the Internet
#            but not allow non-initiated traffic into your internal network.
#
#        
#         ** Please change the above network numbers, subnet mask, and your
#     

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
#
#    You CANNOT change this to REJECT as it isn't a vaild policy setting.
#    If you want REJECT, you must explictly REJECT at the end of a giving
#    INPUT, OUTPUT, or FORWARD chain
#
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

#Not needed and it will only load the unneeded kernel module
#
#$IPTABLES -F -t mangle


# Delete all User-specified chains
$IPTABLES -X


# Reset all IPTABLES counters
$IPTABLES -Z


#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
echo "  Creating a DROP chain.."
$IPTABLES -N reject-and-log-it
$IPTABLES -A reject-and-log-it -j LOG --log-level info
$IPTABLES -A reject-and-log-it -j REJECT

echo -e "\n   - Loading INPUT rulesets"


#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT


# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j reject-and-log-it


# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,
#  enable this next line
#
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT


# remote interface, any source, going to the MASQ servers IP address is valid
#
#  ENABLE this line if you want ALL Internet traffic to connect to your
#  the various servers running on the MASQ server.  This includes
#  web servers, ssh servers, dns servers, etc.
#
#  I DON'T recommend you enable this rule.  Instead, only enable specific
#  access to select server ports under the "OPTIONAL INPUT Section".
#  An example of enabling HTTP (WWW) has been given below:
#
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


# Allow any related traffic coming back to the MASQ server in.
#
#  STATEFULLY TRACKED
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT


# ----- Begin OPTIONAL INPUT Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#    NOTE:  This is NOT needed for simply enabling PORTFW.  This is ONLY
#           for users that plan on running Apache on the MASQ server itself
#
#echo -e "      - Allowing EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED # -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

#
# ----- End OPTIONAL INPUT Section -----


# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it


# ---------------------------------------------------------------------

echo -e "   - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

# Workaround bug in netfilter
# See http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
#
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT


# local interface, MASQ server source going to the local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT


# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j reject-and-log-it


# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


# ----- Begin OPTIONAL OUTPUT Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove BOTH #s all the #s if you need this functionality.
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 # -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 # -d 255.255.255.255 --dport 68 -j ACCEPT

#
# ----- End OPTIONAL OUTPUT Section -----


# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it


echo -e "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

# ----- Begin OPTIONAL FORWARD Section -----
#
#  Put PORTFW commands here
#
# ----- End OPTIONAL FORWARD Section -----


echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j reject-and-log-it


echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


#######################################################################
echo -e "\nrc.firewall-iptables-stronger $FWVER done.\n"



##3 Done
######----------------------------------------------------------------------------
[root@kucc mast]# vi strong_mast.sh
[root@kucc mast]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@kucc mast]# sh strong_mast.sh

Loading rc.firewall-iptables-STRONGER - version 0.88s..

 External Interface:  eth0
 Internal Interface:  eth1
 ---
 External IP: 202.52.242.55
 ---
 Internal Network: 192.168.0.0/24
 Internal IP:      192.168.0.1/32
 ---
 - Verifying that all kernel modules are ok
   Loading kernel modules: ip_tables, ip_conntrack, ip_conntrack_ftp,
iptable_nat, ip_nat_ftp
 ---
 Enabling forwarding..
 Enabling DynamicAddr..
 ---
 Clearing any existing rules and setting default policy to DROP..
 Creating a DROP chain..

  - Loading INPUT rulesets
  - Loading OUTPUT rulesets
  - Loading FORWARD rulesets
    - FWD: Allow all connections OUT and only existing/related IN
    - NAT: Enabling SNAT (MASQUERADE) functionality on eth0

rc.firewall-iptables-stronger 0.88s done.

Ip masquerading script for iptables

2006-05-31T11:15:00.000-07:00


#!/bin/sh
#
# rc.firewall-iptables
FWVER=0.76
#
# Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.76 - Added comments on why the default policy is ACCEPT
# 0.75 - Added more kernel modules to the comments section
# 0.74 - the ruleset now uses modprobe vs. insmod
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not DROP
# 0.71 - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"

# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
#
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc
echo "----------------------------------------------------------------------"
# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
#
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
echo -e " Done loading modules.\n"


#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#

#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
# Isn't ACCEPT insecure? To some degree, YES, but this is our testing
# phase. Once we know that IPMASQ is working well, I recommend you run
# the rc.firewall-*-stronger rulesets which set the defaults to DROP but
# also include the critical additional rulesets to still let you connect to
# the IPMASQ server, etc.
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-iptables v$FWVER done.\n"

Linux Tutorial - Linux Network Administration

2006-05-31T09:20:00.000-07:00

Linux Tutorial - Linux Network Administration: "ICMP: ICMP is the network protocol used by the ping and traceroute commands. ICMP redirect packets are sent from the router to the host to inform the host of a better route. To enable ICMP redirect, add the following line to /etc/sysctl.conf : net.ipv4.conf.all.accept_redirects = 1 Add the following to the file: /etc/rc.d/rc.local for f in /proc/sys/net/ipv4/conf/*/accept_redirects do echo 1 > $f done"

SQUID Frequently Asked Questions: Interception Caching/Proxying

2006-05-30T11:09:00.000-07:00

SQUID Frequently Asked Questions: Interception Caching/Proxying: "http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on"

#!/bin/sh
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port
8080
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 563 -j REDIRECT --to-port
8080
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on