Category Archives: Linux Networking

Ubuntu Linux Networking


Openvpn revisited: Howto install and configure openvpn


Virtual Private Networks. They are useful, but they can also seem daunting. As I have learned more about VPNs since my first post, some 2 years ago, I thought we should revisit and update.

1. What’s the first thing we do? Why install openvpn of course!

REMOTE (HOST) Configuration


sudo apt-get install openvpn

2. Now we need to generate our secret key. In static-key mode this one file is the whole credential: it holds the cipher and HMAC keys both ends will use, anyone who obtains it can join the tunnel and decrypt its traffic, and there is no forward secrecy. It therefore has to reach the client over a channel you already trust (scp, a USB stick), never by e-mail. We will use openvpn itself to generate it. NOTE: on Debian a normal user's PATH does not include /usr/sbin, where the openvpn binary lives.

You can fully qualify it: /usr/sbin/openvpn

temporarily add it to the PATH variable: export PATH=$PATH:/sbin:/usr/sbin

Or just add:

export PATH=$PATH:/sbin:/usr/sbin

to .bashrc

If you add it to .bashrc, you will need to log out and back in again, so it will re-read the file.

Let's generate that key! (The key below is named homer for the host; it can be anything. On OpenVPN 2.5 and later the syntax is openvpn --genkey secret homer.key; the --secret form below is what the 2.2 and 2.3 builds in the logs on this page accept.)


openvpn --genkey --secret homer.key

Simple, huh?

3. Let’s move some files, and create the configuration file for openvpn.

first, let's copy our secret key file into place:


sudo cp homer.key /etc/openvpn/.

The period at the end is significant. It says copy the file, right here, keeping its name. The copy ends up owned by root but readable by everyone (mode 0644), so tighten it to owner-only (chmod 600) before starting the daemon: it is a secret, not a config file, and OpenVPN logs a "group or others accessible" warning for a key that is left like that.

4. Next is the configuration file. Using your favourite editor (nano in my case) create the
/etc/openvpn/openvpn.conf file as follows: Most of the explanations of the parameters come from here.


# Sample openvpn configuration file
# jjs June 6, 2012 V1.0
#
# annotated by Wayno April 26, 2014
#
# local binds the server to its LAN address. The port is set with 'port' below;
# a port given here is an extra parameter that OpenVPN 2.4 and later reject.

local 192.168.1.101

# dev tun specifies that we are using a tunnel device

dev tun

# ifconfig tells ip address for the interface

ifconfig 192.168.224.253 192.168.224.254

# and the secret key name (in /etc/openvpn)

secret homer.key

# listen on UDP 5001 (OpenVPN's default is 1194). If the client connects from
# outside, forward this port on your router to this machine.

port 5001
#port 1194

# data compression; the client must have the same setting. Compressing traffic
# before encrypting it is now discouraged (compression-oracle attacks), so
# leave it out unless you need it.

comp-lzo

# ping every 10 seconds, if no ping in 120 seconds, other side dead

keepalive 10 120

# ping timer starts after it receives a connection

ping-timer-rem

# don't recreate a virtual net interface TUN after automatic restart

persist-tun

# Don't read pre-shared static key file again after auto restart

persist-key

# user and group

user nobody
group nogroup

# after initialization, run in the background as a daemon

daemon

# append to /etc/openvpn/openvpn.log (the relative path resolves there because
# the init script starts openvpn with --cd /etc/openvpn)

log-append openvpn.log

5. Restart openvpn


sudo service openvpn restart

If you check /etc/openvpn/openvpn.log you will get something like this:

sudo cat openvpn.log
Tue Jun 24 20:00:39 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Tue Jun 24 20:00:39 2014 TUN/TAP device tun0 opened
Tue Jun 24 20:00:39 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 24 20:00:39 2014 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 24 20:00:39 2014 /sbin/ip addr add dev tun0 local 192.168.224.253 peer 192.168.224.253
Tue Jun 24 20:00:39 2014 GID set to nogroup
Tue Jun 24 20:00:39 2014 UID set to nobody
Tue Jun 24 20:00:39 2014 UDPv4 link local (bound): [AF_INET]192.168.1.101:5001
Tue Jun 24 20:00:39 2014 UDPv4 link remote: [undef]
Tue Jun 24 20:00:44 2014 Peer Connection Initiated with [AF_INET]192.168.1.103:5001
Tue Jun 24 20:00:45 2014 Initialization Sequence Completed

6. Let's see if it works. From the host, ping the client's end of the tunnel, 192.168.224.254 (from the client, ping the host's end, 192.168.224.253). Pinging your own end only proves that tun0 is up, and a round trip of a few hundredths of a millisecond, like the ones below, is a reply from the local interface rather than from the other side of the tunnel.


ping -c 5 192.168.224.253

PING 192.168.224.253 (192.168.224.253) 56(84) bytes of data.
64 bytes from 192.168.224.253: icmp_req=1 ttl=64 time=0.033 ms
64 bytes from 192.168.224.253: icmp_req=2 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=3 ttl=64 time=0.030 ms
64 bytes from 192.168.224.253: icmp_req=4 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=5 ttl=64 time=0.040 ms

— 192.168.224.253 ping statistics —
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.030/0.037/0.041/0.004 ms

==================

1. Now the CLIENT configuration /etc/openvpn/client.conf:


#
# openvpn CLIENT configuration
#
# V1.0 by Wayno April 26, 2014

# remote specifies the ip address of the remote (host) openvpn

remote 192.168.1.101

# dev tun specifies that we are using a tunnel device

dev tun

# ifconfig tells ip address for the interface
# NOTE that the ifconfig ip's are BACKWARD from the host

ifconfig 192.168.224.254 192.168.224.253

# The name of the secret key we generated (it could be anyname)

secret homer.key

# use port 5001 (note you may need to open this up in your router
# and make sure it points to the remote (host))

port 5001

# data compression; must match the host (see the note in the host config)

comp-lzo

# ping every 10 seconds, if no ping in 60 seconds, other side dead

keepalive 10 60

# ping timer starts after it receives a connection

ping-timer-rem

# don't recreate a virtual net interface TUN after automatic restart

persist-tun

# Don't read pre-shared static key file again after auto restart

persist-key

#user and group

user nobody
group nogroup

# after initialization, run in the background as a daemon

daemon

log-append openvpn.log

2. Copy the secret key into /etc/openvpn on the client side as well. Get it there over a channel you already trust (scp from the host, or a USB stick); this step assumes it has already landed in your home folder. Tighten it to owner-only (chmod 600) afterwards, as on the host.


sudo cp ~/homer.key /etc/openvpn/.

Note that the period (.) at the end IS significant.

3. And your output should look something like this:

sudo cat openvpn.log
Tue Jun 24 20:20:27 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Tue Jun 24 20:20:27 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jun 24 20:20:27 2014 LZO compression initialized
Tue Jun 24 20:20:27 2014 TUN/TAP device tun0 opened
Tue Jun 24 20:20:27 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 24 20:20:27 2014 /sbin/ifconfig tun0 192.168.224.254 pointopoint 192.168.224.253 mtu 1500
Tue Jun 24 20:20:27 2014 GID set to nogroup
Tue Jun 24 20:20:27 2014 UID set to nobody
Tue Jun 24 20:20:27 2014 UDPv4 link local (bound): [undef]
Tue Jun 24 20:20:27 2014 UDPv4 link remote: [AF_INET]192.168.1.101:5001
Tue Jun 24 20:20:27 2014 Peer Connection Initiated with [AF_INET]192.168.1.101:5001
Tue Jun 24 20:20:28 2014 Initialization Sequence Completed

4. ssh into the host across the tunnel, using the host's tunnel address:

nwayno@Willy:~$ ssh 192.168.224.253
nwayno@192.168.224.253’s password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-29-generic x86_64)

* Documentation: https://help.ubuntu.com/

Last login: Tue Jun 24 20:40:04 2014 from 192.168.224.253
nwayno@Homer:~$


Stabilizing an atheros ar9485 (ath9k) connection in Linux (Wheezy)


If you search the internet, one issue that comes up a lot is connectivity problems with the Atheros AR9485 card.

I am configuring a new laptop, an HP Pavilion G6-2323DX for my Mom. I ran into many issues that caused me to have to do hokey pokey.

This is pure hokey pokey. But it does work.

The operating system I am using is Debian/Wheezy V 7 RC 1 (64 Bit)

Running uname -a gives:

Linux AnnLin 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

Let’s just step by step check things.

1. let's see if Linux sees the card:


lspci | grep Wireless

You will get back a line like:

02:00.0 Network controller: Atheros Communications Inc. AR9485 Wireless Network Adapter (rev 01)

That means Linux sees it, but of course it is NOT configured.

2. Let's see if the driver (ath9k) is loaded. We will use modprobe, as root, since loading a module needs it.


sudo modprobe ath9k

If the driver is already loaded, or loads cleanly, it just returns to the prompt. That's a "good thing" as Martha would say.

3. Let's make sure the wpa_supplicant package is installed. wpa_supplicant handles the WPA/WPA2 authentication and key negotiation for our connection.


dpkg -l | grep supplicant

and you should get back:

ii wpasupplicant 1.0-3+b2
amd64 client support for WPA and WPA2 (IEEE 802.11i)

We’re good!

4. Now let’s modify /etc/network/interfaces


cd /etc/network # go to network interfaces
sudo cp interfaces interfaces.org # make a backup copy
sudo nano interfaces

You will get back something like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# define the wireless interface; bring it up when the kernel detects the card
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid MyHome
wpa-psk MyPass

wpa-ssid is the name of the wireless network you are trying to connect to. wpa-psk is the password for that network. Yup, plain text! Two things worth doing: wpa-psk also accepts the 64-hex-digit pre-shared key that wpa_passphrase derives from the SSID and passphrase, so the actual password need not sit in the file; and either way make the file root-only (mode 0600), since /etc/network/interfaces is world-readable by default.

The iface line defines wlan0 and has it get its IP address dynamically (dhcp). Without an auto or allow-hotplug line, ifupdown never brings the interface up at boot; the allow-hotplug line added above takes care of that from the next reboot on.

The card interface is STILL not up!

5. Bring up the interface!


sudo ifdown wlan0; sudo ifup wlan0;

you will get output that looks like:

ifdown: interface wlan0 not configured
Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/wlan0/20:16:d8:e5:32:b4
Sending on LPF/wlan0/20:16:d8:e5:32:b4
Sending on Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 8
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPOFFER from 192.168.1.1
DHCPACK from 192.168.1.1
bound to 192.168.1.4 — renewal in 37985 seconds.

6. AND NOW THE HOKEY POKEY PART 1!

Install wicd (Wireless Interface Connection Daemon)


sudo apt-get install wicd

once that is installed, REMOVE the gnome network mangler!


sudo apt-get purge network-manager-gnome

7. HOKEY POKEY PART 2!

Reboot the machine. After re-booting bring up the interface.


sudo ifdown wlan0; sudo ifup wlan0;

It should look like this:

Wicd

8. HOKEY POKEY PART 3!

now go back to /etc/network/interfaces and remove (or comment out with a # in front) the wpa-ssid and wpa-psk lines for the wlan card, so just: iface wlan0 inet dhcp and whatever else was there, just not the wpa information (wicd now handles the association and stores the credentials itself).


cd /etc/network # go to network interfaces
sudo nano interfaces

9. Restart the network:


sudo /etc/init.d/networking restart

you will get back something like this:

[....] Running /etc/init.d/networking restart is deprecated because it may not enable some interfaces ... (warning).
[....] Reconfiguring network interfaces...Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlan0/20:16:d8:e5:32:b4
Sending on LPF/wlan0/20:16:d8:e5:32:b4
Sending on Socket/fallback
DHCPRELEASE on wlan0 to 192.168.1.1 port 67

this basically makes sure we don’t have any errors in /etc/network/interfaces

10. HOKEY POKEY PART 4

Reboot once again, and this time the interface should come up automatically. Screensaver engagement should not knock the connection offline.

And that’s what it’s all about!

I have to thank 3 people for all their help. Joe, Loni and Frances.

Wayno


Upgrading from Ubuntu 8.04 (lts) to Ubuntu 12.04 (lts)


On 03/26/2013 10:48 AM, wrote:

Sunday night I upgraded my server again – I had previously upgraded it from ubuntu 8.04 to 10.04, so I figured I’d go ahead and take it to 12.04 so it will be supported until 2017.

It all went smoothly. All I had to do to get the ball rolling was to type: ‘do-release-upgrade’ and the process began. Again, the box stayed up all through the upgrade, continued to serve dns and dhcp, routed nat traffic to the internet, and kept the vpns running.

When the upgrade was complete, I had to go to run level 6 to boot into the new kernel, so the system was down for about a minute while the reboot process ran its course.

When it came up, there was a problem with forwarding traffic to the internet. That was caused by a new /etc/sysctl.conf which didn’t have the ipv4 forwarding enabled. I fixed the file, typed “sysctl -p” to make the new setting take effect, and lan access to the internet was restored.

A bit later I noticed a second problem: wireless devices were not able to access the internet. I found that the dhcp server was not running. I tried starting it manually and it failed. Looking in the log, I could see that apparmor didn’t like the fancy things dhcpd was trying to do. Admittedly it’s a custom configuration, and the new version of dhcpd might require a few changes. At any rate, I just unloaded apparmor to get things up and running. Then dhcpd was able to start, and there were no other problems.

All in all, a smooth upgrade with a rather short outage.

Joe


How to: Easily block access to a website in Windows


There is an old Linux trick, that works superbly in Windows as well.

1. It is necessary to run notepad or your Windows editor of choice as the Administrator. Right click on notepad in the start menu, and choose: Run as Administrator.

Once you do that, navigate to the Windows host file. Don’t know where that is? I will tell you!


c:\windows\system32\drivers\etc\hosts

2. Once you have that open, click on File and then Save As, and save a copy as hosts.org with the file type set to All Files (otherwise Notepad quietly appends .txt). That keeps the intact original.

Your file needs to look like:


# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.

# define local host GU 09/26/2012

127.0.0.1 localhost
::1 localhost

# add sites to be blocked GU 09/26/2012

127.0.0.1 facebook.com
127.0.0.1 twitter.com
127.0.0.1 youtube.com
127.0.0.1 pandora.com

Notice that the definition for 127.0.0.1 (localhost) was UNCOMMENTED, and ::1 likewise. Recent Windows versions ship those lines commented out because the stack resolves localhost itself; uncommenting them is harmless.

Now add the sites you want blocked (facebook, twitter, youtube and pandora here). Two caveats: a hosts entry matches a name exactly, so blocking youtube.com does nothing for www.youtube.com or m.youtube.com, and each variant needs its own line; and 0.0.0.0 is a better sink address than 127.0.0.1, because the connection fails immediately instead of being handed to whatever happens to be listening on your own machine.

3. Now hit File, Save As, and save it as hosts, overwriting the original (again with the file type set to All Files so Notepad does not append .txt). A reboot is not needed; flushing the resolver cache with ipconfig /flushdns is enough. Guess what? No more access to those sites!

4. To check (the output below is from the Linux ping; Windows prints "Pinging youtube.com [127.0.0.1]" instead, and the point is the same: the name now resolves to the sink address):


ping youtube.com

PING youtube.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_req=1 ttl=64 time=0.027 ms

You can do the same thing in Linux, by editing /etc/hosts.
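The same blocklist idea for /etc/hosts, as an added example (my script, not from the original post). It works on the file format shared by the Linux and Windows hosts files, takes the file path as a parameter so it can be tried on a scratch copy first, and addresses the two caveats above: it adds the www. form alongside each name and uses 0.0.0.0 as the sink. Everything it reads and writes is the hosts file itself; the blocked-line tag is my own convention.

```shell
#!/bin/sh
# Maintain a hosts-file blocklist (added example; not from the original post).
# Same format on Linux /etc/hosts and the Windows hosts file shown above.
# A hosts entry matches a name exactly, so each name is added together with
# its www. form; 0.0.0.0 is used as the sink so connections fail at once
# instead of reaching a service on the local machine.

BLOCK_SINK=0.0.0.0
BLOCK_TAG='# blocked'   # marks the lines this script owns (my convention)

# hosts_is_blocked <file> <name>: exit 0 if the name maps to a sink address.
hosts_is_blocked() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }          # comments and blank lines
        { sub(/#.*/, "") }                           # strip a trailing comment
        ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) if ($i == name) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# hosts_lookup <file> <name>: print the first address the file maps name to.
hosts_lookup() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

# hosts_block <file> <name>...: add sink entries for each name and www.name,
# skipping any that are already present (safe to re-run).
hosts_block() {
    f=$1; shift
    for name; do
        for n in "$name" "www.$name"; do
            hosts_is_blocked "$f" "$n" && continue
            printf '%s %s %s\n' "$BLOCK_SINK" "$n" "$BLOCK_TAG" >> "$f"
        done
    done
}

# hosts_unblock <file> <name>: remove the entries this script added for name.
hosts_unblock() {
    f=$1; name=$2; tmp="$f.tmp.$$"
    awk -v a="$name" -v b="www.$name" -v tag="$BLOCK_TAG" '
        !($0 ~ tag && ($2 == a || $2 == b))' "$f" > "$tmp" && mv "$tmp" "$f"
}

# usage (as root, after trying it on a copy):
#   hosts_block /etc/hosts youtube.com pandora.com
#   hosts_is_blocked /etc/hosts www.youtube.com && echo blocked
```

After editing the real file, getent hosts www.youtube.com should print the sink address; if a browser still reaches the site it is using DNS over HTTPS or a cached answer, neither of which consults the hosts file.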

Wayno


How to install and configure openvpn (virtual private network) for Linux


Virtual Private Networks are a useful tool, to allow us to securely reach an isolated computer or network.

Yet it requires more tweaking than one would imagine. So here's a step-by-step guide on how I did it, with a LOT of help in understanding some of the key concepts from my friend Joe, and protocol explanations from Darren of hak5.

1. What’s the first thing we do? Why install openvpn of course!


sudo apt-get install openvpn

2. Now we need to generate our secret key. This single file authenticates the other end and also carries the cipher and HMAC keys, so whoever holds it can join the tunnel and decrypt its traffic: copy it to the other machine over a channel you already trust (scp, a USB stick), never by e-mail. We will use openvpn itself to generate it. NOTE: on Debian a normal user's PATH does not include /usr/sbin, where the openvpn binary lives.

You can fully qualify it: /usr/sbin/openvpn

temporarily add it to the PATH variable: export PATH=$PATH:/sbin:/usr/sbin

Or just add:

export PATH=$PATH:/sbin:/usr/sbin

to .bashrc

If you add it to .bashrc, you will need to log out and back in again, so it will re-read the file.

Let’s generate that key!


openvpn --genkey --secret vpn.key

Simple, huh?

3. Let’s move some files, and create the configuration file for openvpn.

first, let's copy our secret key file into place:


sudo cp vpn.key /etc/openvpn/.

The period at the end is significant. It says copy the file, right here, keeping its name. The copy is world-readable (mode 0644), so tighten it to owner-only (chmod 600) before starting the daemon; the log in step 5 shows the warning OpenVPN prints when this is skipped.

4. Next is the configuration file. Using your favourite editor (nano in my case) create the
/etc/openvpn/openvpn.conf file as follows: Most of the explanations of the parameters come from here.


# Sample openvpn configuration file
# jjs June 6, 2012 V1.0
#
# annotated by Wayno
#
# remote specifies the address of the server

remote 172.229.15.5

# dev tun specifies that we are using a tunnel device

dev tun

# ifconfig tells ip address for the interface

ifconfig 192.168.224.253 192.168.224.254

# and the secret key name (in /etc/openvpn)

secret vpn.key

# use UDP port 5001 (OpenVPN's default is 1194). This may require
# you to forward the port in your router.

port 5001

# data compression; must match the other end. Compressing traffic before
# encrypting it is now discouraged, so leave it out unless you need it.

comp-lzo

# ping every 10 seconds, if no ping in 120 seconds, other side dead

keepalive 10 120

# ping timer starts after it receives a connection

ping-timer-rem

# don't recreate a virtual net interface TUN after automatic restart

persist-tun

# Don't read pre-shared static key file again after auto restart

persist-key

# user and group

user nobody
group nogroup

# after initialization, run in the background as a daemon

daemon

# setup the route after ifconfig

route 192.168.111.0 255.255.255.0

# append to /etc/openvpn/openvpn.log (relative to /etc/openvpn, where the
# init script starts openvpn with --cd)

log-append openvpn.log

5. Restart openvpn


sudo service openvpn restart

If you check /etc/openvpn/openvpn.log you will get something like this:

sudo cat openvpn.log
Tue Oct 2 01:22:07 2012 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Tue Oct 2 01:22:07 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Oct 2 01:22:07 2012 /usr/sbin/openvpn-vulnkey -q vpn.key
Tue Oct 2 01:22:07 2012 WARNING: file 'vpn.key' is group or others accessible
Tue Oct 2 01:22:07 2012 LZO compression initialized
Tue Oct 2 01:22:07 2012 TUN/TAP device tun0 opened
Tue Oct 2 01:22:07 2012 /sbin/ifconfig tun0 192.168.224.253 pointopoint 192.168.224.254 mtu 1500
Tue Oct 2 01:22:07 2012 GID set to nogroup
Tue Oct 2 01:22:07 2012 UID set to nobody
Tue Oct 2 01:22:07 2012 UDPv4 link local (bound): [undef]
Tue Oct 2 01:22:07 2012 UDPv4 link remote: [AF_INET]72.200.67.229:5001
Tue Oct 2 01:22:07 2012 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Tue Oct 2 01:22:07 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Oct 2 01:22:07 2012 /usr/sbin/openvpn-vulnkey -q vpn.key
Tue Oct 2 01:22:07 2012 WARNING: file 'vpn.key' is group or others accessible
Tue Oct 2 01:22:07 2012 LZO compression initialized
Tue Oct 2 01:22:07 2012 TCP/UDP: Socket bind failed on local address [undef]: Address already in use
Tue Oct 2 01:22:07 2012 Exiting
Tue Oct 2 01:22:10 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Tue Oct 2 01:22:20 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Tue Oct 2 01:22:20 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)

The log above is worth reading before trusting the ping below. openvpn-vulnkey is Debian's check that the key was not produced by the broken OpenSSL random number generator of 2008 (CVE-2008-0166). The WARNING that vpn.key is group or others accessible means the chmod 600 from step 3 was skipped. Then the whole startup sequence appears twice: a second instance was launched while the first still held the UDP socket, so it died with "Address already in use", and the surviving one kept reporting "No route to host" for the peer. There is no "Initialization Sequence Completed" line, so at this point the tunnel was not actually up.

6. Let's see if it works? Ping the far end of the tunnel (192.168.224.254 from this side). Pinging 192.168.224.253, this machine's own tun0 address, only proves the interface exists, which is why the round trips below are a few hundredths of a millisecond: the replies never left the box.


ping -c 5 192.168.224.253

PING 192.168.224.253 (192.168.224.253) 56(84) bytes of data.
64 bytes from 192.168.224.253: icmp_req=1 ttl=64 time=0.033 ms
64 bytes from 192.168.224.253: icmp_req=2 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=3 ttl=64 time=0.030 ms
64 bytes from 192.168.224.253: icmp_req=4 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=5 ttl=64 time=0.040 ms

— 192.168.224.253 ping statistics —
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.030/0.037/0.041/0.004 ms
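A pre-flight check for the static-key setup in this post and in the "Openvpn revisited" post above, as an added example (my script, not from the original posts and not an OpenVPN tool). It assumes the layout both posts use (the .conf file and the key it names living in /etc/openvpn), GNU stat as shipped on Debian/Ubuntu, and the directives shown in the configs above; the paths in the usage comment are illustrative. It catches, before the daemon is started, the things the logs on this page complain about or silently accept: a key left world-readable, a local line with a stray port, compression, the weak cipher/HMAC defaults of these versions, and a privilege drop without persist-key/persist-tun. It also checks that the host and client ifconfig lines mirror each other.

```shell
#!/bin/sh
# Pre-flight audit for a static-key OpenVPN config (added example; not from the
# original posts). Reads one .conf and the key it names from the same directory
# and needs only sh, awk, grep and GNU stat, so it runs before the daemon does.
#
# usage: ovpn_precheck /etc/openvpn openvpn.conf
#        ovpn_ifconfig_mirrored /etc/openvpn/openvpn.conf /path/to/client.conf
# Exit 0 means clean; 1 means at least one finding, each printed on its own line.

# Arguments of the first uncommented directive $2 in file $1 (empty if absent).
ovpn_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

ovpn_precheck() {
    dir=$1; conf="$dir/$2"; n=0

    # 1. The pre-shared key must exist and be readable by its owner only.
    #    'sudo cp' leaves it 0644, which is what the "group or others
    #    accessible" WARNING in the log above is complaining about.
    key=$(ovpn_get "$conf" secret)
    case $key in /*) keypath=$key ;; *) keypath="$dir/$key" ;; esac
    if [ -z "$key" ]; then
        echo "FAIL: no 'secret' directive (static-key mode needs one)"; n=$((n + 1))
    elif [ ! -f "$keypath" ]; then
        echo "FAIL: key '$key' not found at $keypath"; n=$((n + 1))
    else
        mode=$(stat -c %a "$keypath")                 # GNU stat, as on Debian/Ubuntu
        case $mode in
            *00) ;;                                     # 600 or 400: owner only
            *) echo "FAIL: key '$key' is mode $mode; run: chmod 600 $keypath"; n=$((n + 1)) ;;
        esac
    fi

    # 2. 'local' takes one address; the port belongs on 'port' (or 'lport').
    #    OpenVPN 2.4+ rejects the extra parameter, 2.3 silently ignores it.
    set -- $(ovpn_get "$conf" local)
    if [ $# -gt 1 ]; then
        echo "FAIL: 'local $*' has extra parameters; use 'local $1' plus 'port <n>'"; n=$((n + 1))
    fi

    # 3. Compressing traffic before encrypting it is discouraged
    #    (compression-oracle attacks); flag it so it is a deliberate choice.
    if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$conf"; then
        echo "WARN: compression enabled; drop comp-lzo unless you need it"; n=$((n + 1))
    fi

    # 4. These versions default to BF-CBC / SHA1 in static-key mode; both ends
    #    should pin the same modern cipher and HMAC explicitly.
    for opt in cipher auth; do
        [ -n "$(ovpn_get "$conf" $opt)" ] ||
            { echo "WARN: no '$opt' line; set e.g. 'cipher AES-256-CBC' / 'auth SHA256' on both ends"; n=$((n + 1)); }
    done

    # 5. Privilege drop: once user/group are set, persist-key and persist-tun are
    #    required, or the unprivileged daemon cannot re-read the key or re-open
    #    the tun device after a SIGUSR1 restart.
    if [ -z "$(ovpn_get "$conf" user)" ] || [ -z "$(ovpn_get "$conf" group)" ]; then
        echo "WARN: no 'user nobody' / 'group nogroup'; daemon stays root"; n=$((n + 1))
    else
        for opt in persist-key persist-tun; do
            grep -Eq "^[[:space:]]*$opt([[:space:]]|$)" "$conf" ||
                { echo "FAIL: '$opt' missing; required when dropping privileges"; n=$((n + 1)); }
        done
    fi

    [ "$n" -eq 0 ]
}

# A static-key tunnel needs the same two addresses on both ends, in opposite
# order ("BACKWARD from the host", as the client config above says).
ovpn_ifconfig_mirrored() {
    set -- $(ovpn_get "$1" ifconfig) $(ovpn_get "$2" ifconfig)
    [ $# -eq 4 ] && [ "$1" = "$4" ] && [ "$2" = "$3" ]
}
```

Run against the host config from the "revisited" post as written, it reports the world-readable key, the port on the local line, comp-lzo and the missing cipher/auth lines; with those fixed it is silent and exits 0, and the mirrored-ifconfig check confirms the two ends agree before anyone has to stare at "No route to host" in a log.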


how to fix: too many parameters for iface line in Linux


Well —

RTFM never fails!

I had brought over my /etc/network/interfaces file from Ubuntu to Debian. When I tried to restart the network:


sudo /etc/init.d/networking restart

I got:

Reconfiguring network interfaces…/etc/network/interfaces:1: too many parameters for iface line
ifdown: couldn’t read interfaces file “/etc/network/interfaces”
/etc/network/interfaces:1: too many parameters for iface line
ifup: couldn’t read interfaces file “/etc/network/interfaces”
failed.

Huh? This worked fine in Ubuntu, but NOT Debian! Debian != Ubuntu.

The second paragraph under description for


man interfaces

says:

Lines starting with `#’ are ignored. Note that end-of-line comments
are NOT supported, comments must be on a line of their own.

Okay, so Ubuntu's ifupdown tolerated the inline comments and Debian's does not. Once I got rid of the inline comments, and made sure there was a tab at the end of each line, it worked! (Only the first change matters; interfaces(5) does not require trailing tabs.)


cat /etc/network/interfaces


# define static ip for network interfaces
# note that debian does NOT allow inline comments
#
# man interfaces (2nd paragraph under description)
# Lines starting with `#' are ignored. Note that end-of-line comments are
#NOT supported, comments must be on a line of their own.
#
# make sure there is a tab each line
#
# gu 06/02/2012

# bring eth0 up at boot, and define it as static
auto eth0
iface eth0 inet static

# and the static ip address
address 192.168.1.104

# the netmask
netmask 255.255.255.0

# the network
network 192.168.1.0

# broadcast group
broadcast 192.168.1.255

# and the gateway to the internet, is router ip
gateway 192.168.1.1

Who knew? Thanks for the reality check, nsadmin and epsilon on #debian.

This was driving me insane. Now I hope I can continue on to try openvpn.

Wayno


How to add a network printer in Debian/Ubuntu Linux


This is actually fairly easy, but there are a couple of tricks!

1. What is the IP address of that printer?

The easy way is to scan for it!

If you have not done so, install the arp-scan programme. ARP (Address Resolution Protocol) is how hosts on an Ethernet segment find each other's MAC addresses; arp-scan sends an ARP request for every address in the local subnet, so it finds devices that a ping sweep would miss because they ignore ICMP.


sudo apt-get install arp-scan

2. Run arp-scan to see what’s on your network:


sudo arp-scan --interface=eth0 --localnet

arp-scan MUST be run as root, so that’s why we do the sudo.
We are limiting the search for anything we can reach, via our local ethernet connection.

You will get output that looks like:

$ sudo arp-scan --interface=eth0 --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 00:12:34:56:78:81 (Unknown)
192.168.1.100 00:34:56:78:9a:5d Hewlett Packard
192.168.1.104 00:46:cd:ef:49:b1 (Unknown)
192.168.1.105 00:aa:bd:cb:d7:aa Roku, LLC

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.421 seconds (180.15 hosts/sec). 4 responded
$

Hmm. There’s something that says Hewlett Packard. Yup that’s my printer at address: 192.168.1.100

3. Go into: System/Administration/Printing and add your printer, if it is NOT already present. And follow the prompts for adding a printer. Almost done, couple of other chores.

4. Now click on Server and then Settings, and your screen should look like:

5. One last step. Enable the printer, and enable it for sharing. Also you may/may not want to set it as the default printer. Single right click on the printer icon, and select/check Enabled/Sharing:

6. Repeat these steps on each computer that you want to add this network printer to.

Wayno


Making Ubuntu/Debian Linux do it’s own DNS (Domain Name Service)



Okay, so what is DNS? DNS is the service that translates www.usatoday.com into 209.97.50.34 auto-magically, behind the scenes.

Yeah, those IP addresses might be a little hard to remember. Making your Linux box run its own caching DNS means repeat lookups are answered from memory on the LAN instead of going out to your ISP each time, and that is what makes browsing feel quicker. (The first lookup of a name still goes upstream; the 1 msec below is a cached answer.)

Quick comparison. Using my isp’s supplied nameserver, I did a dig on hak5.org.

;; Query time: 99 msec
;; SERVER: 68.10.16.20#53(68.10.16.20)
;; WHEN: Wed May 25 00:11:57 2011
;; MSG SIZE rcvd: 177

vs my local DNS machine:

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 25 00:15:19 2011
;; MSG SIZE rcvd: 46

WHOA! 99 msec vs 1 msec. Oh yeah!

While the steps outlined here are easy to follow:

* * * W A R N I N G DANGER WILL ROBINSON! W A R N I N G * * *

THESE STEPS SHOULD ONLY BE UNDERTAKEN IF YOU HAVE AN
ADVANCED KNOWLEDGE (OVER A YEAR) WITH LINUX. THIS IS not
FOR N00BS!

As always, anything with an octothorpe (#) is a comment. That and the comments that follow need NOT be coded.

NOTE that a LAN DNS server is meant to run on a machine that is always on, 24/7/365. You only need ONE DNS server per LAN. If the other computers on your LAN use it for resolution, it has to be running; if it is powered off, their resolvers time out on the first nameserver and fall back to the next one listed (your router or ISP), so lookups still work, only more slowly.

1. do an ifconfig, so we have a path back to the way it was before we messed it up.


ifconfig

You will get output that looks like:

eth0 Link encap:Ethernet HWaddr 00:23:54:12:ec:6c
inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::223:54ff:fe12:ec6c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2905 errors:0 dropped:0 overruns:0 frame:0
TX packets:3651 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1808387 (1.8 MB) TX bytes:543852 (543.8 KB)
Interrupt:42 Base address:0x6000

2. The second step is to remove the network manager. YUP! I said this
ain’t for n00bs! Go to: System/Adminstration/Synaptic Package Manager

3. Type in network-manager, find network-manager and check MARK FOR COMPLETE REMOVAL. Hit apply. Network mangler is history.

4. Now change from using any dynamic dhcp assignments to a static ip LAN address.

let’s first backup the file:


cd /etc/network
sudo cp interfaces interfaces.bkp # make a backup copy of the file

using your favourite editor, change /etc/network/interfaces to read (comments on their own lines: Debian's ifupdown rejects end-of-line comments, as the "too many parameters for iface line" post on this page found out):


# the loopback interface
auto lo
iface lo inet loopback

# bring eth0 up at boot, with a static address
auto eth0
iface eth0 inet static
# the static ip address we want
address 192.168.1.101
# the netmask
netmask 255.255.255.0
# the network
network 192.168.1.0
# broadcast group
broadcast 192.168.1.255
# gateway to the internet, is router ip
gateway 192.168.1.1

save and exit.

5. Now we install the dnsmasq software.


sudo apt-get install dnsmasq

6. backup /etc/resolv.conf


cd /etc/
sudo cp resolv.conf resolv.conf.bkp # make a backup copy of file

edit /etc/resolv.conf using your favourite editor; it should look SOMETHING like this (comments on their own lines; resolv.conf only treats a line that starts with # or ; as a comment):


# search domain (your isp's). 'domain' and 'search' are alternatives; keep one
search ph.cox.net
# first name server is the local machine
nameserver 127.0.0.1
# primary dns server (from isp)
nameserver 68.10.16.20
# secondary dns server (from isp)
nameserver 68.10.16.29

dnsmasq reads this same file to find its upstream servers and skips the 127.0.0.1 entry (it logs "ignoring nameserver 127.0.0.1 - local interface"), so the ISP lines are what it forwards to. Also, anything that manages resolv.conf for you (NetworkManager, resolvconf) will overwrite this file, which is part of why the network manager was removed in step 2.

7. Now let’s test our new configuration. Dig is a dns lookup utility


dig www.hak5.org

and you will get something that looks like:


; <<>> DiG 9.7.1-P2 <<>> www.hak5.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17839
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.hak5.org. IN A

;; ANSWER SECTION:
www.hak5.org. 63 IN A 50.19.115.126

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 24 19:59:55 2011
;; MSG SIZE rcvd: 46

The item to notice is: ;; SERVER: 127.0.0.1#53(127.0.0.1)

that tells us the address of the DNS server it used. Yup, that's our guy!

8. But what happens if I need to change the settings for my card or....some other thing?

no fear!

wicd is a very nice replacement for network mangler.


sudo apt-get install wicd

to run:


sudo wicd-client

Enjoy your own DNS goodness.

You may need to adjust some router settings. I am running dd-wrt and so I had to check "use dnsmasq for DNS" so that the 127.0.0.1 would show up in /etc/resolv.conf properly.

router changes for dd-wrt

You may need to go into wicd properties for the ethernet card, and add 127.0.0.1 as the first static DNS server, then add your ISP's as DNS 2 and 3 (or you can use Google's DNS servers: 8.8.8.8 and 8.8.4.4):

Wicd Changes

Anything else on your LAN can also use this as its DNS server: just point it at the LAN address of the machine where you installed the software, 192.168.1.101 in my case. No port forwarding is needed for that, since LAN clients reach it directly. Do NOT forward port 53 from the router's Internet side to it: that would turn the box into an open resolver that anyone on the Internet can query and abuse for DNS amplification attacks. dnsmasq should answer only on the loopback and LAN addresses.

==========

Here is a test using my Netbook:

I changed /etc/resolv.conf on my Netbook (this is temporary, since network mangler is installed on my Netbook)

nwayno@Nelson:/etc$ cat /etc/resolv.conf
# Generated by NetworkManager
domain ph.cox.net
search ph.cox.net
nameserver 192.168.1.101
nameserver 68.10.16.20
nameserver 68.10.16.29
nameserver 8.8.8.8
nwayno@Nelson:/etc$

I changed the nameserver to point to the dns server we just created.

Now dig:
nwayno@Nelson:/etc$ dig www.hak5.org

; <<>> DiG 9.7.1-P2 <<>> www.hak5.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16789
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.hak5.org. IN A

;; ANSWER SECTION:
www.hak5.org. 129 IN A 50.19.115.126

;; Query time: 2 msec
;; SERVER: 192.168.1.101#53(192.168.1.101)
;; WHEN: Tue May 24 23:30:00 2011
;; MSG SIZE rcvd: 46
nwayno@Nelson:/etc$

Notice that the server address is indeed 192.168.1.101, our new DNS server.

9. Be brave and get rid of the network-mangler once you know all is well:


sudo apt-get purge network-manager

CAUTION: DO THIS ONLY IF WICD IS WORKING CORRECTLY. IF YOU DO THIS AND WICD FAILS, YOU WILL INDEED HAVE NO INTERNET CONNECTION. YOU WOULD HAVE TO GO TO ANOTHER MACHINE AND GET THE .deb FILES.
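A LAN-only dnsmasq drop-in and a small audit of the resulting listener, as an added example (my script, not from the original post). It assumes the Debian/Ubuntu dnsmasq package, which reads /etc/dnsmasq.d/*.conf, the LAN address 192.168.1.101 from the post, and upstream servers given as arguments (the post uses the ISP's and Google's); local-service needs dnsmasq 2.69 or newer. The generator writes the restrictive configuration; the audit reads any dnsmasq config and says whether it could answer the whole Internet.

```shell
#!/bin/sh
# LAN-only caching resolver with dnsmasq (added example; not from the original
# post). Assumes the Debian/Ubuntu dnsmasq package, which reads drop-ins from
# /etc/dnsmasq.d/, the LAN address from the post (192.168.1.101), and upstream
# servers passed as arguments. local-service needs dnsmasq 2.69 or newer.
#
# usage: dnsmasq_lan_conf 192.168.1.101 68.10.16.20 8.8.8.8 > /etc/dnsmasq.d/lan.conf
#        dnsmasq_check_exposure /etc/dnsmasq.d/lan.conf && service dnsmasq restart

# Print a drop-in that answers only on loopback and the LAN address.
dnsmasq_lan_conf() {
    lan_ip=$1; shift
    cat <<EOF
# Listen on loopback and the LAN address only. LAN clients reach $lan_ip
# directly; do NOT forward port 53 from the router's WAN side, or this box
# becomes an open resolver that anyone on the Internet can use for amplification.
listen-address=127.0.0.1
listen-address=$lan_ip
bind-interfaces
# Even if a forward slips in, answer only sources on a directly attached subnet.
local-service
# Never forward single-label names or private-range reverse lookups upstream.
domain-needed
bogus-priv
# Upstreams are listed here rather than read from /etc/resolv.conf, which
# points at 127.0.0.1 once this resolver is in place.
no-resolv
EOF
    for upstream; do echo "server=$upstream"; done
    echo "cache-size=1000"
}

# Audit a dnsmasq config file: exit 0 when the listener is restricted to
# loopback/LAN addresses, 1 (with a reason) when it could answer anyone who can
# reach port 53. Only reads the file; dnsmasq need not be installed.
dnsmasq_check_exposure() {
    f=$1
    if grep -Eq '^listen-address=(.*,)?0\.0\.0\.0' "$f"; then
        echo "open: listen-address includes 0.0.0.0 (every address)"; return 1
    fi
    if ! grep -Eq '^(interface|listen-address)=' "$f" && ! grep -q '^local-service' "$f"; then
        echo "open: no interface/listen-address and no local-service; dnsmasq then listens on every interface"; return 1
    fi
    if grep -q '^no-resolv' "$f" && ! grep -q '^server=' "$f"; then
        echo "broken: no-resolv set but no server= lines, nothing to forward to"; return 1
    fi
    echo "ok: listener restricted to loopback/LAN"
}
```

After restarting dnsmasq, dig @192.168.1.101 www.hak5.org from another LAN machine should answer as in the netbook test above, while the same query against the router's public address from outside should time out.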

Thanks Joe and Loni, for your help.


Subnet masks explained


Subnet masks are absolutely one of the most confusing things I have ever encountered. It is likely, you have also experienced a considerable amount of confusion as well.

Subnet Mask Explained

So let’s define: What is a subnet mask?

I liked this definition which I will use from wikipedia.org on subnet masks.

A subnetwork, or subnet, is a logically visible subdivision of an IP network.[1] The practice of dividing a network into subnetworks is called subnetting.

It breaks a larger network into smaller subnets. A logical, visible subdivision... Well, let's see how they work.

Key Concepts

1. In order to understand subnet masks, we have to think binary (base 2) and NOT decimal (base 10).

2. IPv4 addresses are written as four octets. An octet is one byte, 8 binary digits (bits), so each of the four numbers runs from 0 (all bits off) to 255 (all bits on). Numbering starts at zero (0), not one (1), so we have 256 choices per octet, and 32 bits in all.

Light Switch on -- can NOT change

Light Switch Off -- CAN change

3. The subnet mask is written as a slash and a number after the IP address (CIDR notation): the number of leading bits that are fixed, i.e. set to 1 in the mask.

4. 192.168.0.0/30

30 bits CAN'T change; that only leaves 2 bits that can, so the block holds 4 addresses. Remember, a 1 bit (on) means it can NOT change; a zero bit (off) means it CAN change. BUT two of those addresses are reserved: the lowest one (host bits all 0) names the network itself and the highest one (host bits all 1) is the broadcast address, so we have to subtract them.

bit 32   28   24   20   16   12   8    4
    1111 1111 1111 1111 1111 1111 1111 1100 (binary) = 255.255.255.252

(32 - 30) = 2 bits allowed to change. (2^2) - 2 = 2 usable addresses.

NOTE: ^ means raised to the power of. So 2 raised to the power of 2 (2 squared) = 4.

So a /30 gives us two (2) usable host addresses, which is exactly what a point-to-point link such as the OpenVPN tunnel above needs.

5. A subnet mask of 20, i.e. 192.168.0.0/20

bit 32   28   24   20   16   12   8    4
    1111 1111 1111 1111 1111 0000 0000 0000 (binary) = 255.255.240.0

(32 - 20) = 12 bits allowed to change. (2^12) - 2 = 4094 usable addresses.

Again, 2 raised to the 12th power (2x2x2x2x2x2x2x2x2x2x2x2) = 4096, minus the network and broadcast addresses.

6. A /24 sub network 192.168.0.0/24 (the common home LAN, mask 255.255.255.0)

bit 32   28   24   20   16   12   8    4
    1111 1111 1111 1111 1111 1111 0000 0000 (binary) = 255.255.255.0

Means 24 bits CAN'T change. (32 - 24) = 8. (2^8) - 2 = 254.

Allows 254 hosts: since we have masked OFF 24 bits, only 8 can change, minus one address for broadcast and one for the network.
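The arithmetic behind the three cases above, as an added example in plain POSIX shell (my script, not from the original post). It goes a little beyond the page: besides the mask, network, broadcast and usable-host count for any prefix length, it answers whether a given address lies inside a prefix, which is the question a firewall rule or a VPN route really asks, and it handles /31 and /32, which have no network or broadcast address to subtract (RFC 3021). The addresses in the usage comment are the page's own.

```shell
#!/bin/sh
# Subnet arithmetic in POSIX shell (added example; not from the original post).
# Uses shell integer arithmetic, so it wants a 64-bit shell such as dash or bash
# on any current Debian or Ubuntu.

# Dotted quad -> 32-bit integer, and back.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Integer mask for a prefix length: <bits> ones followed by (32 - bits) zeros.
mask_int() { echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); }

# The "1111 1111 ... 1100" strings from the diagrams above, for a prefix length.
mask_binary() {
    i=0; out=""
    while [ $i -lt 32 ]; do
        if [ $i -lt "$1" ]; then out="${out}1"; else out="${out}0"; fi
        i=$((i + 1))
        if [ $((i % 8)) -eq 0 ] && [ $i -lt 32 ]; then out="$out "; fi
    done
    echo "$out"
}

# The pieces of an address/prefix pair such as 192.168.0.0/30.
cidr_mask()    { int2ip "$(mask_int "${1#*/}")"; }
cidr_network() { int2ip $(( $(ip2int "${1%/*}") & $(mask_int "${1#*/}") )); }
cidr_broadcast() {
    m=$(mask_int "${1#*/}")
    int2ip $(( $(ip2int "${1%/*}") | (~m & 0xFFFFFFFF) ))
}

# Usable hosts: 2^(32 - bits) minus the network and broadcast addresses, except
# that a /31 (RFC 3021 point-to-point) and a /32 have none to subtract.
cidr_hosts() {
    bits=${1#*/}; n=$(( 1 << (32 - bits) ))
    if [ "$bits" -ge 31 ]; then echo "$n"; else echo $(( n - 2 )); fi
}

# Exit 0 if <ip> falls inside <cidr>: same network bits after masking.
cidr_contains() {
    m=$(mask_int "${2#*/}")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# Summary, e.g. cidr_info 192.168.0.0/30
cidr_info() {
    printf '%s  mask %s (%s)\n  network %s  broadcast %s  usable hosts %s\n' \
        "$1" "$(cidr_mask "$1")" "$(mask_binary "${1#*/}")" \
        "$(cidr_network "$1")" "$(cidr_broadcast "$1")" "$(cidr_hosts "$1")"
}

# usage:
#   cidr_info 192.168.0.0/30
#   cidr_contains 192.168.1.104 192.168.1.0/24 && echo "on the LAN"
```

For the /30 above it reports mask 255.255.255.252, network 192.168.0.0, broadcast 192.168.0.3 and two usable hosts, 192.168.0.1 and 192.168.0.2; the same functions say that 192.168.5.7 is inside 192.168.0.0/20 while 192.168.16.1 is not, because the fifth nibble differs.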

—–

Thanks Loni, for looking over my shoulder.

Remember. Bits, nibbles, and bytes can hurt you! Be careful out there!

Wayno


Updating .profile when changing Linux Distributions


Ever had one of those Twilight Zone experiences? You know, where something works one minute but doesn't the next? It's like the universe just got sucked into a black hole.

Okay well my experience wasn’t quite that dramatic, but this took over a year to figure out.

Symptoms

If I was locally connected to a machine, .bash_aliases worked fine. (.bash_aliases are user added aliases to the bash shell). But, if I ssh’d (secure shell) into the machine, it was like, huh? What are you talking about?

I fought this for a year.

Solution
So someone on ubuntu (yofel) said: “Hey, look at your .profile!”

So I did. Here’s what I got:

nwayno@Phoenix:~$ ls -l -t -r .profile*

-rwxr-xr-x 1 nwayno nwayno 925 2007-05-20 00:45 .profile.old
-rw-r--r-- 1 nwayno nwayno 675 2011-01-26 23:48 .profile

nwayno@Phoenix:~$ cat .profile.old
# Sample .profile for SuSE Linux
# rewritten by Christian Steinruecken
#
# This file is read each time a login shell is started.
# All other interactive shells will only read .bashrc; this is particularly
# important for language settings, see below.

Uh oh! SuSE .profile, on a Ubuntu machine? Who would have thought? So I renamed the .profile

copied it over from another machine (using scp)

logged out/back in again (a login shell reads .profile, so that is when the new file takes effect)

and TADA! .bash_aliases worked when I ssh’d into the box.

So, the lesson here is that if you change Linux distros, you will probably need to change the .profile file as well. The reason the symptom only showed up over ssh: an ssh session starts a login shell, which reads .profile, and on Ubuntu it is .profile that sources .bashrc (which in turn loads .bash_aliases). A local terminal window is an interactive non-login shell and reads .bashrc directly, so it never noticed that the SuSE .profile skipped that step.

The weird flakiness is gone!

And so it goes….

Wayno