Category Archives: Network - Page 2

How to clone a running Linux system over network using netcat

This is a short but potentially extremely handy guide to ghosting one Linux box to another (or simply making a full backup of a desktop/server).

On the target machine:
[codesyntax lang="bash"]

nc -p 2222 -l | bzip2 -d | dd of=/dev/hdb

[/codesyntax]

On the source machine:
[codesyntax lang="bash"]

bzip2 -c /dev/hda | nc 10.111.1.206 2222

[/codesyntax]

Note:

  • be VERY careful about the IPs, devices and ports you type: nc and dd will write to whatever you name.
  • once the dd command has finished, run fsck on the target partitions (the source filesystem was mounted and in use while it was being read, so the copy may be inconsistent)

How to setup a NIS Slave server on Debian Squeeze

Assumptions

I am assuming that we have two networks linked by a VPN connection (net1: 10.99.0.0/24 and net2: 10.34.132.0/24), and that a working NIS master server already exists on net1.

NIS MASTER: nis1.test.org 10.99.0.10
NIS SLAVE: nis2.test.org 10.34.132.195

How to setup a NIS client

If you put a server name in /etc/yp.conf, make sure that server is also listed in /etc/hosts. Otherwise, if the system boots while the network is not yet up or DNS is unreachable, the server names in /etc/yp.conf cannot be resolved and the NIS binding will hang!

[codesyntax lang="bash"]

vim /etc/hosts

[/codesyntax]

10.99.0.10    nis1.test.org    nis1

Install the netbase, portmap and nis packages

[codesyntax lang="bash"]

apt-get install nis

[/codesyntax]

Configure NIS servers

[codesyntax lang="bash"]

vim /etc/yp.conf

[/codesyntax]

domain test-auth server nis1.test.org

Make domain binding persistent

[codesyntax lang="bash"]

vim /etc/defaultdomain

[/codesyntax]

test-auth

Setup 'running' domain

[codesyntax lang="bash"]

nisdomainname test-auth

[/codesyntax]

Update local maps search rules

[codesyntax lang="bash"]

vim /etc/nsswitch.conf

[/codesyntax]

passwd:         db files compat nis
group:          db files compat nis
shadow:         db files compat nis
netgroup:       nis

Restart NIS services

[codesyntax lang="bash"]

/etc/init.d/nis stop
/etc/init.d/nis start

[/codesyntax]

Make the auth process query NIS

[codesyntax lang="bash"]

vim /etc/passwd

[/codesyntax]

+@gods::0:0:::
+::0:0:::/bin/false

[codesyntax lang="bash"]

vim /etc/group

[/codesyntax]

+:::

Test NIS client setup

[codesyntax lang="bash"]

id user
ypwhich

[/codesyntax]

Setup a NIS server slave

[codesyntax lang="bash"]

vim /etc/default/nis

:%s/NISSERVER=false/NISSERVER=slave
:%s/YPPWDDIR=\/etc/YPPWDDIR=\/etc\/yp
:%s/NISMASTER=/NISMASTER=nis1.test.org
:wq

[/codesyntax]

Restart NIS server

[codesyntax lang="bash"]

/etc/init.d/nis stop
/etc/init.d/nis start

[/codesyntax]
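The boot-time hang described above (a yp.conf server name with no /etc/hosts entry) is easy to catch before rebooting. The script below is an added example, not part of the original post: it reads the server names out of a yp.conf file and reports any that are neither IP literals nor present in the hosts file. The function names, the constructed sample files and the --live flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code): check that every NIS server
# named in yp.conf also has a hosts-file entry, so the NIS binding does not
# hang at boot when DNS is not reachable yet. File paths are parameters so
# the check can run against constructed sample files.

# Print the server names referenced by a yp.conf file. Handles the
# "domain D server S" and "ypserver S" forms; "domain D broadcast" names
# no server and is skipped.
yp_servers() {   # yp_servers YP_CONF
    awk '
        $1 == "domain" && $3 == "server" { print $4 }
        $1 == "ypserver"                 { print $2 }
    ' "$1"
}

# Succeed if NAME appears as a hostname or alias in HOSTS_FILE.
hosts_has() {   # hosts_has HOSTS_FILE NAME
    awk -v n="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
        END { exit !found }
    ' "$1"
}

# Report every yp.conf server that is a name (not a dotted IP) and is
# missing from the hosts file. Returns 1 if any such server exists.
check_yp_conf() {   # check_yp_conf YP_CONF HOSTS_FILE
    rc=0
    for s in $(yp_servers "$1"); do
        case "$s" in
            *[!0-9.]*)   # contains something other than digits and dots: a name
                hosts_has "$2" "$s" || { echo "not in hosts file: $s"; rc=1; }
                ;;
        esac
    done
    return $rc
}

# Constructed sample files mirroring the post's nis1.test.org setup, plus a
# second server that was forgotten in the hosts file. Prints the directory.
make_sample_nis_files() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '# constructed yp.conf' \
        'domain test-auth server nis1.test.org' \
        'ypserver nis2.test.org' \
        'domain lab broadcast' \
        'domain legacy server 10.99.0.11' > "$d/yp.conf"
    printf '%s\n' \
        '127.0.0.1     localhost' \
        '10.99.0.10    nis1.test.org    nis1' > "$d/hosts"
    echo "$d"
}

# Run against the real files only when asked to: sh this_script --live
if [ "$1" = "--live" ]; then
    check_yp_conf /etc/yp.conf /etc/hosts
fi
```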

Links:
http://lyre.mit.edu/~powell/debian-howto/nis.html
http://www.server-world.info/en/note?os=Debian_6.0&p=nis
http://www.linuxhelp.in/2010/05/how-to-install-and-configure-nis-server.html

Automatically set the hostname during Kickstart Installation

When you want to install Linux on a large number of servers, the kickstart approach is a very good one. But what about the hostname?! You have several choices:

  • A kickstart file for each server, but come on... what kind of choice is that?!
  • A single kickstart file for all servers, setting the hostname after installation (manually on every single server, or with a script)

Fortunately for you there is a third option: set the hostname automatically during the kickstart installation. I would love to take credit for this, but that would be unfair to the person who wrote the original article about it.

I won't make the story too long, so... let's get started.

The trick is to pass the kernel an extra parameter and use it in our kickstart file. What if you pass a parameter the kernel doesn't recognize? In most cases it will simply be ignored, but it still appears on the kernel command line. We can check the kernel parameters with the following command:

[codesyntax lang="bash"]

cat /proc/cmdline

[/codesyntax]

So what if we pass a parameter carrying the desired hostname to the kernel? With a very simple script we can parse the output of the command above and look for our parameter.

[codesyntax lang="bash"]

#!/bin/sh

# Default: no SERVERNAME was passed, so fall back to localhost.localdomain
echo "network --device eth0 --bootproto dhcp --hostname localhost.localdomain" > /tmp/network.ks

# Look for a SERVERNAME=<hostname> parameter on the kernel command line
for x in `cat /proc/cmdline`; do
    case $x in
        SERVERNAME*)
            eval $x    # sets the SERVERNAME shell variable from the parameter
            echo "network --device eth0 --bootproto dhcp --hostname ${SERVERNAME}" > /tmp/network.ks
            ;;
    esac
done

[/codesyntax]

Here we look for SERVERNAME and evaluate its value into a shell variable. We then echo the network setup line containing that variable (which becomes the hostname) and redirect it into a file under /tmp. Later we include that file in the installation section of the kickstart file.

You may ask yourself what is all about this line:

[codesyntax lang="bash"]

echo "network --device eth0 --bootproto dhcp --hostname localhost.localdomain" > /tmp/network.ks

[/codesyntax]

in the script above?! Well, if you don't pass SERVERNAME to the kernel, then without that line /tmp/network.ks would never be created, the %include of it would fail, and your installation would fail with it.
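A hardened variant of the %pre script, added here as an example and not the original article's code: it extracts SERVERNAME from the kernel command line without eval, so a value containing anything other than hostname characters is rejected and the localhost.localdomain fallback is used instead. The function names, the --write flag and the fact that the command line is passed in as a string (so the functions can be exercised offline) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the original article's %pre script): derive the kickstart
# "network" line from a SERVERNAME=<hostname> kernel parameter without eval,
# so an unexpected value on the command line can only be rejected, never
# executed. The command line is passed in as "$1" so the functions can be
# tested offline; /tmp/network.ks is written only when run with --write.

# Print the value of the first SERVERNAME= parameter in "$1" if it is a
# syntactically valid hostname; otherwise print nothing and return 1.
servername_from_cmdline() {   # servername_from_cmdline "CMDLINE"
    for x in $1; do
        case "$x" in
            SERVERNAME=*)
                name=${x#SERVERNAME=}
                # Accept only letters, digits, dots and hyphens, not starting
                # or ending with a dot and not starting with a hyphen.
                case "$name" in
                    ''|*[!A-Za-z0-9.-]*|-*|.*|*.) return 1 ;;
                esac
                printf '%s\n' "$name"
                return 0
                ;;
        esac
    done
    return 1
}

# Build the kickstart network line, keeping the article's
# localhost.localdomain fallback when the parameter is absent or rejected.
network_line() {   # network_line "CMDLINE"
    name=$(servername_from_cmdline "$1") || name=localhost.localdomain
    printf 'network --device eth0 --bootproto dhcp --hostname %s\n' "$name"
}

# In %pre this would be: sh this_script --write
if [ "$1" = "--write" ]; then
    network_line "$(cat /proc/cmdline)" > /tmp/network.ks
fi
```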

So this is my kickstart file for a minimal CentOS 6.3 installation:

install
firewall --disabled
url --url="ftp://ftp.ines.lug.ro/centos/6.3/os/i386"
network --bootproto=dhcp --device=eth0
rootpw --iscrypted YOUR_ENCRYPTED_PASSWORD
text

%include /tmp/network.ks

keyboard us
lang en_US
selinux --disabled
skipx
logging --level=info
reboot
timezone --utc Europe/Bucharest
bootloader --location=mbr --driveorder=sda,sdb --append="console=tty0 console=ttyS0,115200N1"
zerombr
clearpart --all --initlabel
part / --fstype="ext4" --size=10000
part swap --fstype="swap" --size=8000
part pv.01 --fstype="ext4" --grow --size=1
volgroup vg0 pv.01
logvol /data --vgname=vg0 --percent=90 --name=lv0 --fsoptions=noatime --fstype=ext4 --size=1 --grow

%packages
@core
sed
perl
less
dmidecode
bzip2
iproute
iputils
sysfsutils
rsync
nano
mdadm
setserial
man-pages.noarch
findutils
tar
net-tools
tmpwatch
lsof
python
screen
lvm2
curl
ypbind
yp-tools
smartmontools
openssh-clients
acpid
irqbalance
which
bind-utils
ntsysv
ntp
man
mysql
postfix
chkconfig
gzip
%end

%pre
#!/bin/sh

echo "network --device eth0 --bootproto dhcp --hostname localhost.localdomain" > /tmp/network.ks

for x in `cat /proc/cmdline`; do
        case $x in SERVERNAME*)
               eval $x
        echo "network --device eth0 --bootproto dhcp --hostname ${SERVERNAME}" > /tmp/network.ks
                ;;
            esac;
    done
%end

%post

cat > /etc/cron.d/ntpdate <<EOF
0 */2 * * * /usr/sbin/ntpdate pool.ntp.org 1> /dev/null 2>&1
EOF

chkconfig ntpd on
chkconfig sshd on
chkconfig ypbind on
chkconfig iptables off
chkconfig ip6tables off
chkconfig yum-updatesd off
chkconfig haldaemon off
chkconfig mcstrans off
chkconfig sysstat off

cat > /etc/motd <<EOF

This server was deployed with kickstart with the centos6.3-ks.cfg configuration file.

Install finished at:
EOF

date >> /etc/motd

echo >> /etc/motd
%end

How to install dhcp, dns, pxe on debian squeeze

Introduction

This document describes how to install the DHCP, DNS and PXE network services on Debian Squeeze.

For this tutorial I use a machine that has two network interfaces:
eth0: 10.34.132.149/255.255.254.0 (WAN interface)
eth1: 172.20.30.1/255.255.255.0 (LAN interface)

To install a PXE server, you will need the following components:
DHCP Server
TFTP Server
NFS/FTP/HTTPD server (to store the installation files)

Note:

* DHCP Server will listen only on eth1.
* In this tutorial I will use the apache2 server.

Install required packages

[codesyntax lang="bash"]

apt-get install tftpd-hpa syslinux dhcp3-server bind9 dnsutils

[/codesyntax]

Configure DHCP Server

[codesyntax lang="bash"]

vim /etc/dhcp/dhcpd.conf

[/codesyntax]

ddns-update-style ad-hoc;
log-facility syslog;

option domain-name "test.org";
option domain-name-servers 172.20.30.1;
option subnet-mask 255.255.255.0;
subnet 172.20.30.0 netmask 255.255.255.0 {
    authoritative;
    range 172.20.30.10 172.20.30.90; # ip range
    option routers 172.20.30.1; # gateway for clients
    ######
    # in case want to deny clients that are not configured in dhcpd uncomment the following line
    ######
    #deny unknown-clients;
    allow booting;
    allow bootp;
    next-server 172.20.30.1; # tftpd server's IP
    filename "pxelinux.0";

    ######
    # sample of a client that has mac address reserved on dhcp
    ######
    #host guest1 {
    #    hardware ethernet 00:0C:29:14:DA:AD;
    #    fixed-address 172.20.30.15;
    #}
    ######
}

Force DHCP Server to listen only on eth1

[codesyntax lang="bash"]

vim /etc/default/isc-dhcp-server
:%s/INTERFACES=""/INTERFACES="eth1"/g
:wq

[/codesyntax]

Configure TFTP Server. Change the root directory on startup from /srv/tftp to /tftpboot

[codesyntax lang="bash"]

vim /etc/default/tftpd-hpa
:%s/\/srv\/tftp/\/tftpboot/g
:wq

[/codesyntax]

Setup TFTP Server network boot files

[codesyntax lang="bash"]

mkdir -p /tftpboot
chmod 777 /tftpboot

cp -v /usr/lib/syslinux/pxelinux.0 /tftpboot
cp -v /usr/lib/syslinux/menu.c32 /tftpboot
cp -v /usr/lib/syslinux/memdisk /tftpboot
cp -v /usr/lib/syslinux/mboot.c32 /tftpboot
cp -v /usr/lib/syslinux/chain.c32 /tftpboot

mkdir /tftpboot/pxelinux.cfg

[/codesyntax]

Create PXE menu file

[codesyntax lang="bash"]

vim /tftpboot/pxelinux.cfg/default

[/codesyntax]

default menu.c32
prompt 0
timeout 300
MENU TITLE test.org PXE Menu

LABEL centos6.3_i386
    MENU LABEL CentOS 6.3 i386
    KERNEL /netboot/centos/6.3/i386/vmlinuz
    APPEND console=tty0 console=ttyS0,9600N1 initrd=/netboot/centos/6.3/i386/initrd.img ks=http://172.20.30.1/netboot/centos/6.3/i386/centos6.3-ks.cfg  ksdevice=link

Share the internet connection with clients

[codesyntax lang="bash"]

vim /etc/sysctl.conf
:%s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1
:wq

[/codesyntax]

Apply the settings:
[codesyntax lang="bash"]

sysctl -p

[/codesyntax]

Share internet connection using iptables:
[codesyntax lang="bash"]

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[/codesyntax]

Configure bind9

[codesyntax lang="bash"]

echo "include \"/etc/bind/bind.keys\"; ">> /etc/bind/named.conf

vim /etc/bind/named.conf.options

[/codesyntax]

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        listen-on port 53 { any; };
        allow-query { any; };
        allow-query-cache { any; };
};

Add the following lines at the end of the named.conf.default-zones
[codesyntax lang="bash"]

vim /etc/bind/named.conf.default-zones

[/codesyntax]

zone "test.org" {
        type master;
        file "/etc/bind/test.org";
};

zone "30.20.172.in-addr.arpa" {
        type master;
        file "/etc/bind/30.20.172.in-addr.arpa";
};

[codesyntax lang="bash"]

vim /etc/bind/test.org

[/codesyntax]

$ORIGIN test.org.

$TTL 1H

test.org.          IN SOA ns.test.org. root.test.org. (
                                2012062600      ; serial
                                12H             ; refresh
                                2H              ; retry
                                1W              ; expiry
                                2D )            ; minimum

test.org.      IN    NS   ns.test.org.

ns.test.org.   IN    A    172.20.30.1

www10          IN    A    172.20.30.10
www11          IN    A    172.20.30.11
www12          IN    A    172.20.30.12
www13          IN    A    172.20.30.13
www14          IN    A    172.20.30.14
www15          IN    A    172.20.30.15

[codesyntax lang="bash"]

vim /etc/bind/30.20.172.in-addr.arpa

[/codesyntax]

$ORIGIN 30.20.172.in-addr.arpa.

$TTL 2D

@          IN SOA ns.test.org. root.test.org. (
                                2012062600      ; serial
                                12H             ; refresh
                                2H              ; retry
                                1W              ; expiry
                                2D )            ; minimum

@     IN    NS     ns.test.org.

1     IN    PTR    ns.test.org.

10    IN    PTR    www10.test.org.
11    IN    PTR    www11.test.org.
12    IN    PTR    www12.test.org.
13    IN    PTR    www13.test.org.
14    IN    PTR    www14.test.org.
15    IN    PTR    www15.test.org.

Let's use our DNS server

[codesyntax lang="bash"]

echo "search test.org" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

[/codesyntax]

How to configure bind on CentOS 6.3

DNS stands for Domain Name System and is a hierarchical, distributed naming system for computers, services, or any resource connected to the Internet or a private network. In other words, DNS translates human-readable hostnames such as test.org into machine-readable IP addresses such as 89.36.25.239.

Preliminary notes
- Server Name: ns.test.org
- Server IP: 172.20.30.1/24

Install required software packages
[codesyntax lang="bash"]

yum install bind bind-libs bind-utils

[/codesyntax]

Set BIND service to start on system boot
[codesyntax lang="bash"]

chkconfig named on

[/codesyntax]

Start the named service once so that it generates its default configuration files:
[codesyntax lang="bash"]

/etc/init.d/named start

[/codesyntax]

Note: if the command above hangs, the system is short of entropy. You should install the haveged daemon.

If you don't want to install haveged daemon there is a workaround:
[codesyntax lang="bash"]

rndc-confgen -a -r /dev/urandom

[/codesyntax]

Edit the main configuration file and add the zone entries for test.org
[codesyntax lang="bash"]

vim /etc/named.conf

[/codesyntax]

options {
        forwarders { 8.8.8.8; 8.8.4.4; };
        listen-on port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        allow-query-cache { any; };
};

logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};
zone "test.org" {
        type master;
        file "test.org";
};
zone "30.20.172.in-addr.arpa" {
        type master;
        file "30.20.172.in-addr.arpa";
};

Create the zone files referenced in named.conf
[codesyntax lang="bash"]

cd /var/named
vim /var/named/test.org

[/codesyntax]

$ORIGIN test.org.

$TTL 1H

test.org.          IN SOA ns.test.org. root.test.org. (
                                2012062600      ; serial
                                12H             ; refresh
                                2H              ; retry
                                1W              ; expiry
                                2D )            ; minimum

test.org.       IN    NS   ns.test.org.

ns.test.org.    IN    A    172.20.30.1

www10          IN    A    172.20.30.10
www11          IN    A    172.20.30.11
www12          IN    A    172.20.30.12
www13          IN    A    172.20.30.13
www14          IN    A    172.20.30.14
www15          IN    A    172.20.30.15

[codesyntax lang="bash"]

vim /var/named/30.20.172.in-addr.arpa

[/codesyntax]

$ORIGIN 30.20.172.in-addr.arpa.

$TTL 2D

@          IN SOA ns.test.org. root.test.org. (
                                2012062600      ; serial
                                12H             ; refresh
                                2H              ; retry
                                1W              ; expiry
                                2D )            ; minimum

@     IN    NS     ns.test.org.

1     IN    PTR    ns.test.org.

10    IN    PTR    www10.test.org.
11    IN    PTR    www11.test.org.
12    IN    PTR    www12.test.org.
13    IN    PTR    www13.test.org.
14    IN    PTR    www14.test.org.
15    IN    PTR    www15.test.org.

Restart named service
[codesyntax lang="bash"]

/etc/init.d/named restart

[/codesyntax]

Update /etc/resolv.conf file
[codesyntax lang="bash"]

echo "search test.org" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

[/codesyntax]
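Both bind posts above keep the forward zone and the reverse zone in step by hand, which is where stale PTR records creep in. The script below is an added example, not from either post: it extracts the A and PTR records from the two zone files and reports records that exist on only one side. Its function names and sample zone files are constructed, and it assumes the layout used on this page (one $ORIGIN line per file and a /24 reverse zone).

```shell
#!/bin/sh
# Added example (not from the original posts): cross-check a BIND forward zone
# against its reverse zone so every A record has a matching PTR and vice versa.
# Assumes the layout used in the posts: one $ORIGIN line per file, a /24
# reverse zone, and records written as "name IN A ip" / "n IN PTR fqdn".

# Print "fqdn ip" for every A record, qualifying relative names with $ORIGIN.
forward_a_records() {   # forward_a_records ZONE_FILE
    awk '
        /^\$ORIGIN/ { origin = $2; next }
        /[ \t]IN[ \t]+A[ \t]/ {
            name = $1
            if (name !~ /\.$/) name = name "." origin
            print name, $NF
        }
    ' "$1"
}

# Print "fqdn ip" for every PTR record, rebuilding the IP from the /24
# reverse $ORIGIN (30.20.172.in-addr.arpa. -> 172.20.30.<last octet>).
reverse_ptr_records() {   # reverse_ptr_records REVERSE_ZONE_FILE
    awk '
        /^\$ORIGIN/ { split($2, o, "."); net = o[3] "." o[2] "." o[1]; next }
        /[ \t]IN[ \t]+PTR[ \t]/ { print $NF, net "." $1 }
    ' "$1"
}

# List A records with no PTR and PTRs with no A record. Returns 1 if any.
zone_mismatches() {   # zone_mismatches FORWARD_FILE REVERSE_FILE
    f=$(mktemp) && r=$(mktemp) || return 2
    forward_a_records "$1" | sort > "$f"
    reverse_ptr_records "$2" | sort > "$r"
    comm -23 "$f" "$r" | sed 's/^/A without PTR: /'
    comm -13 "$f" "$r" | sed 's/^/PTR without A: /'
    n=$(comm -3 "$f" "$r" | wc -l | tr -d ' ')
    rm -f "$f" "$r"
    [ "$n" -eq 0 ]
}

# Constructed sample zones: a subset of the posts' records plus one deliberate
# error on each side (www16 has no PTR, 17 has no A record). Prints the dir.
make_sample_zones() {
    d=$(mktemp -d) || return 1
    cat > "$d/test.org" <<'EOF'
$ORIGIN test.org.
$TTL 1H
test.org.      IN SOA ns.test.org. root.test.org. (
                    2012062600 ; serial
                    12H 2H 1W 2D )
test.org.      IN    NS   ns.test.org.
ns.test.org.   IN    A    172.20.30.1
www10          IN    A    172.20.30.10
www11          IN    A    172.20.30.11
www16          IN    A    172.20.30.16
EOF
    cat > "$d/30.20.172.in-addr.arpa" <<'EOF'
$ORIGIN 30.20.172.in-addr.arpa.
$TTL 2D
@     IN SOA ns.test.org. root.test.org. (
          2012062600 12H 2H 1W 2D )
@     IN    NS     ns.test.org.
1     IN    PTR    ns.test.org.
10    IN    PTR    www10.test.org.
11    IN    PTR    www11.test.org.
17    IN    PTR    www17.test.org.
EOF
    echo "$d"
}

# Check the real files only when asked to: sh this_script --live
if [ "$1" = "--live" ]; then
    zone_mismatches /var/named/test.org /var/named/30.20.172.in-addr.arpa
fi
```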

Source: http://www.broexperts.com/2012/03/linux-dns-bind-configuration-on-centos-6-2/

PXE boot/Kickstart CentOS 6.3 Install

A PXE install server allows your client computers to boot and install a Linux distribution over the network, without the need of burning Linux iso images, or human interaction.

For this tutorial I use a machine that has two network interfaces:
eth0: 10.34.132.149/255.255.254.0 (WAN interface)
eth1: 172.20.30.1/255.255.255.0 (LAN interface)

To install a PXE server, you will need the following components:
DHCP Server
TFTP Server
NFS/FTP/HTTPD server (to store the installation files)

Note:

* DHCP Server will listen only on eth1.
* In this tutorial I will use HTTPD server.

1. Install required packages

[codesyntax lang="bash"]

yum install dhcp tftp tftp-server syslinux wget vim httpd

[/codesyntax]

2. Configure DHCP Server

[codesyntax lang="bash"]

vim /etc/dhcp/dhcpd.conf

[/codesyntax]

#--SystemImager vars - if you don't have SystemImager you can delete the following lines
######
option option-100 code 100 = string;
option option-128 code 128 = string;
option option-129 code 129 = text;
option option-140 code 140 = string;
option option-141 code 141 = unsigned integer 32;
option option-142 code 142 = string;
option option-143 code 143 = string;
option option-144 code 144 = string;
option option-144 "n";
option option-140 "172.20.30.1"; # this must be the IP address of the SI server where images reside
######

ddns-update-style ad-hoc;
log-facility syslog;

option domain-name "test.org";
option domain-name-servers 172.20.30.1;
option subnet-mask 255.255.255.0;
subnet 172.20.30.0 netmask 255.255.255.0 {
    authoritative;
    range 172.20.30.10 172.20.30.90; # ip range
    option routers 172.20.30.1; # gateway for clients
    ######
    # in case want to deny clients that are not configured in dhcpd uncomment the following line
    ######
    #deny unknown-clients;
    allow booting;
    allow bootp;
    next-server 172.20.30.1; # tftpd server's IP
    filename "pxelinux.0";

    ######
    # sample of a client that has mac address reserved on dhcp
    ######
    #host guest1 {
    #    hardware ethernet 00:0C:29:14:DA:AD;
    #    fixed-address 172.20.30.15;
    #}
    ######
}

3. Force DHCP Server to listen only on eth1

[codesyntax lang="bash"]

vim /etc/sysconfig/dhcpd
:%s/DHCPDARGS=/DHCPDARGS=" eth1 "/
:wq

[/codesyntax]

4. Configure TFTP Server. Set disable from yes to no, and change the root directory on startup from /var/lib/tftpboot to /tftpboot

[codesyntax lang="bash"]

vim /etc/xinetd.d/tftp

[/codesyntax]

service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

5. Setup TFTP Server network boot files

[codesyntax lang="bash"]

mkdir -p /tftpboot
chmod 777 /tftpboot

cp -v /usr/share/syslinux/pxelinux.0 /tftpboot
cp -v /usr/share/syslinux/menu.c32 /tftpboot
cp -v /usr/share/syslinux/memdisk /tftpboot
cp -v /usr/share/syslinux/mboot.c32 /tftpboot
cp -v /usr/share/syslinux/chain.c32 /tftpboot

mkdir /tftpboot/pxelinux.cfg
mkdir -p /tftpboot/netboot/centos/6.3/i386

cd /tftpboot/netboot/centos/6.3/i386
wget -c ftp://ftp.ines.lug.ro/centos/6.3/os/i386/images/pxeboot/initrd.img
wget -c ftp://ftp.ines.lug.ro/centos/6.3/os/i386/images/pxeboot/vmlinuz

[/codesyntax]

6. Generate the encrypted root password hash used for the clients
[codesyntax lang="bash"]

openssl passwd -1 "your_password"

[/codesyntax]

$1$LY1EPt3P$BvVLJ.7yyzaDy/7zxmakr.

7. Create a new kickstart file
[codesyntax lang="bash"]

vim /var/www/html/netboot/centos/6.3/i386/centos6.3-ks.cfg

[/codesyntax]

install
firewall --disabled
url --url="ftp://ftp.ines.lug.ro/centos/6.3/os/i386"
network  --bootproto=dhcp --device=eth0
rootpw --iscrypted $1$LY1EPt3P$BvVLJ.7yyzaDy/7zxmakr.
text

%include /tmp/network.ks

keyboard us
lang en_US
selinux --disabled
skipx
logging --level=info
reboot
timezone --utc Europe/Bucharest
bootloader --location=mbr  --driveorder=sda,sdb --append="console=tty0 console=ttyS0,115200N1"
zerombr
clearpart --all --initlabel 
part / --fstype="ext4" --size=10000
part swap --fstype="swap" --size=8000
part pv.01 --fstype="ext4" --grow --size=1
volgroup vg0 pv.01
logvol /data --vgname=vg0 --percent=90 --name=lv0 --fsoptions=noatime --fstype=ext4 --size=1 --grow 

%packages 
@core
sed.i686           
perl.i686
less.i686          
dmidecode.i686     
bzip2.i686         
iproute.i686       
iputils.i686       
sysfsutils.i686    
rsync.i686         
nano.i686          
mdadm.i686         
setserial.i686     
man-pages.noarch     
findutils.i686     
tar.i686           
net-tools.i686     
tmpwatch.i686      
lsof.i686           
python.i686         
screen.i686
lvm2.i686             
curl.i686             
ypbind.i686           
yp-tools.i686          
smartmontools.i686     
openssh-clients.i686   
acpid.i686             
irqbalance.i686        
which.i686             
bind-utils.i686        
ntsysv.i686            
ntp.i686               
man.i686                   
mysql.i686                 
postfix.i686               
chkconfig.i686             
gzip.i686                  
net-snmp.i686
%end

%pre
#!/bin/sh

echo "network --device eth0 --bootproto dhcp --hostname localhost.localdomain" > /tmp/network.ks

for x in `cat /proc/cmdline`; do
        case $x in SERVERNAME*)
            eval $x
        echo "network --device eth0 --bootproto dhcp --hostname ${SERVERNAME}" > /tmp/network.ks
                ;;
            esac;
    done
%end

%post

cat > /etc/cron.d/ntpdate <<EOF
0 */2 * * * /usr/sbin/ntpdate pool.ntp.org 1> /dev/null 2>&1
EOF

cat > /etc/snmp/snmpd.conf <<EOF
com2sec readonly     default       AW_PUB
com2sec readwrite    default      AW_RW_PRIV
group MyRWGroup  v1        readwrite
group MyROGroup  v1        readonly
view all    included  .1                               80
access MyROGroup ""      any       noauth    exact     all    none   none
access MyRWGroup ""      any       noauth    exact      all    all    all
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
disk / 10000
pass .1.3.6.1.4.1.2021.255 /usr/sbin/ucd-snmp-vmstat
extend .1.3.6.1.4.1.2021.8.101 vs /usr/sbin/vendiostats.pl
EOF

chkconfig ntpd on
chkconfig snmpd on
chkconfig sshd on
chkconfig ypbind on
chkconfig iptables off
chkconfig ip6tables off
chkconfig yum-updatesd off
chkconfig haldaemon off
chkconfig mcstrans off
chkconfig sysstat off

cat > /etc/motd <<EOF

This server was deployed with kickstart with the centos6.3-ks.cfg configuration file. 

Install finished at:
EOF

date >> /etc/motd

echo >> /etc/motd
%end

8. Create PXE menu file
[codesyntax lang="bash"]

vim /tftpboot/pxelinux.cfg/default

[/codesyntax]

default menu.c32
prompt 0
timeout 300
MENU TITLE test.org PXE Menu

LABEL centos6.3_i386
    MENU LABEL CentOS 6.3 i386 
    KERNEL /netboot/centos/6.3/i386/vmlinuz
    APPEND console=tty0 console=ttyS0,9600N1 initrd=/netboot/centos/6.3/i386/initrd.img ks=http://172.20.30.1/netboot/centos/6.3/i386/centos6.3-ks.cfg ksdevice=link

9. Disable SELINUX

[codesyntax lang="bash"]

vim /etc/sysconfig/selinux
:%s/SELINUX=enforcing/SELINUX=disabled
:wq

[/codesyntax]

10. Share the internet connection with clients

[codesyntax lang="bash"]

vim /etc/sysctl.conf
:%s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1
:wq

[/codesyntax]

Apply the settings:

[codesyntax lang="bash"]

sysctl -p

[/codesyntax]

Share internet connection using iptables:
[codesyntax lang="bash"]

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save

[/codesyntax]

11. Final service setup
[codesyntax lang="bash"]

chkconfig dhcpd on
chkconfig xinetd on
chkconfig iptables on
chkconfig httpd on
# the IPv6 firewall service is named ip6tables (there is no "iptables6" service)
chkconfig ip6tables off

[/codesyntax]

12. Reboot the server
[codesyntax lang="bash"]

reboot

[/codesyntax]

Links:
http://monzell.com/post/15547967527/automatically-set-the-hostname-during-kickstart
http://kaivanov.blogspot.ro/2010/09/how-to-install-centos-pxe-server.html

How to install a PPTP server on debian squeeze

This document describes the steps required to build a fully functional PPTP server on Debian Squeeze and how to configure the Arno iptables firewall to accept incoming connections to the PPTP server (in case you use this great firewall script).

If you don't use the Arno iptables firewall but still want to share the internet connection through the PPTP server, please read the last note.

PPTP (PopTop) is a VPN implementation that is rather similar to OpenVPN. The difference is that PPTP is quite a bit less secure than OpenVPN, as it is not encrypted. That said, if you need a quick VPN solution that is easy and hassle-free to set up, PPTP is the obvious choice.

1. Install the PPTP server package.

[codesyntax lang="bash"]

apt-get install pptpd

[/codesyntax]

2. Edit the /etc/pptpd.conf configuration file.

[codesyntax lang="bash"]

echo "localip 192.168.1.1" >> /etc/pptpd.conf
echo "remoteip 192.168.1.236-239" >> /etc/pptpd.conf

[/codesyntax]

localip is the IP address of the server on the VPN; remoteip specifies the IPs the VPN will assign to its clients.

3. Edit the /etc/ppp/pptpd-options configuration file:

name Private.VPN
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490

4. Edit the chap secrets file /etc/ppp/chap-secrets and add to it the authentication credentials for a user’s connection, in the following syntax:

username <TAB> * <TAB> users-password <TAB> *

5. Restart the connection daemon for the settings to take effect:

[codesyntax lang="bash"]

/etc/init.d/pptpd restart

[/codesyntax]

6. Enable Forwarding (this is an optional step).

Note: By enabling forwarding we make the entire network available to us when we connect and not just the VPN server itself. Doing so allows the connecting client to "jump" through the VPN server, to all other devices on the network.

Edit the sysctl file:

[codesyntax lang="bash"]

vim /etc/sysctl.conf

[/codesyntax]

Find the net.ipv4.ip_forward line and change the parameter from 0 (disabled) to 1 (enabled):

net.ipv4.ip_forward=1

Then either restart the system or issue this command for the setting to take effect:

[codesyntax lang="bash"]

sysctl -p

[/codesyntax]

7. Configure Arno iptables firewall script

[codesyntax lang="bash"]

vim /etc/arno-iptables-firewall/debconf.cfg

[/codesyntax]

DC_EXT_IF="eth0"

DC_EXT_IF_DHCP_IP=1
DC_OPEN_TCP="1723"
DC_OPEN_UDP=""
DC_INT_IF="ppp+"
DC_NAT=0
DC_INTERNAL_NET="192.168.1.236/30"
DC_NAT_INTERNAL_NET=""
DC_OPEN_ICMP=0

[codesyntax lang="bash"]

vim /etc/arno-iptables-firewall/custom-rules

[/codesyntax]

/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

8. Restart Arno iptables firewall script:

[codesyntax lang="bash"]

/etc/init.d/arno-iptables-firewall restart

[/codesyntax]

Note:

If you don't use the Arno iptables firewall but still want to share the internet connection through the PPTP server, you have to configure NAT for the PPTP connections; otherwise the connected clients cannot reach anything beyond this server. Add the following lines at the end of /etc/rc.local, right before exit 0:

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Execute the /etc/rc.local file:

[codesyntax lang="bash"]

/etc/rc.local

[/codesyntax]

Common commands for Foundry switches and load balancers

General Commands

  • show run - shows the current (running) configuration
  • show config - shows the saved (startup) configuration
  • show int bri - quick status of all interfaces
  • show int eth 18 - detailed information on interface ethernet 18
  • show vlan - shows VLAN information and port association
  • show log - shows the log
  • show mac-address - shows the mac addresses
  • exit - leave the current mode

Configuration commands

  • enable - needed to make changes
  • conf t - go from exec to configuration mode
    • int eth 18 - go into interface editing mode for ethernet 18
    • port-name - set port name for a port
    • no port-name - erase the port's name
    • enable - enable the interface
    • disable - disable the interface
  • vlan 902 - go into vlan editing mode for vlan 902
    • untag eth 18 - add interface 18 to this vlan as an untagged port
    • tag eth 18 - add interface 18 to this vlan as a tagged port
    • no untag eth 18 - remove interface 18 from this vlan when it was an untagged port
  • write mem - write the current configuration to flash

Creating a VLAN
vlan <vlan #> name <name of vlan> by port

  • vlan 666 name cursed-vlan by port

Adding ports to a VLAN
First edit the vlan, with vlan 666

  • enable
  • conf t
    • vlan 666
    • untagged ethe 25 to 28 - this would add ports 25 through 28 inclusive to vlan numbered 666

Misc things

  • how to grep for something: pipe the output through | include

For example, to output the lines of the config containing "mail" (note this doesn't seem to be available in older code versions):

sh run | include mail

  • find which VLANs a port is a member of:

show vlan eth 0/1/16

Load balancer commands

  • show server real - shows state and stats of real servers
  • show server virtual - shows state and stats of virtual servers
  • show server - shows quick status of all virtual and real servers

Load balancer configuration

  • server real host1 - go into real server editing mode for real server host1
    • port smtp - add smtp port on this host
    • port smtp disable - remove smtp port from this host
  • server virtual virtualhost - go into virtual server editing mode for virtual server virtualhost
    • bind smtp host1 smtp - bind the smtp port on real host host1 to this virtual server
    • no bind smtp host1 smtp - unbind the smtp port on real host host1 from this virtual server

Deleting servers and virtual servers

  • no server real foo - deletes server foo
  • no server virtual foo - deletes VIP foo

Example load balancer configuration
First add the real hosts. We'll use real hosts mailhost1 and mailhost2 and a proto of smtp in this example:

[codesyntax lang="bash"]

server real mailhost1 1.2.3.3
 port default disable
 port smtp
 port smtp keepalive

server real mailhost2 1.2.3.4
 port default disable
 port smtp
 port smtp keepalive

[/codesyntax]

Then add the virtual host(s):
[codesyntax lang="bash"]

server virtual mailhost 1.2.3.5
 predictor least-conn
 port default disable
 port smtp
 bind smtp mailhost1 smtp mailhost2 smtp

[/codesyntax]

This creates a virtual server called mailhost listening on IP address 1.2.3.5. The VIP listens on the SMTP port and passes SMTP traffic to the real servers, mailhost1 and mailhost2.

How to authenticate on a machine with ssh (protocol 1) without password

This document describes the steps required to authenticate with SSH protocol 1 without a password.

1. Generate private/public pair of keys on client computer (let's say desktop)
[codesyntax lang="bash"]

ssh-keygen -t rsa1

[/codesyntax]

2. Copy the public key to the server
[codesyntax lang="bash"]

ssh-copy-id -i identity.pub user@server

[/codesyntax]

3. Try to authenticate on server
[codesyntax lang="bash"]

ssh -1 -vvv server

[/codesyntax]

Note: if authentication in step 3 fails with the following error message:

user@user:~/.ssh$ ssh -1 -vvv user@server
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to staging13.vendio.com [10.111.0.236] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type 0
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: Remote protocol version 1.5, remote software version 1.2.27
debug1: no match: 1.2.27
debug1: Local version string SSH-1.5-OpenSSH_5.3p1 Debian-3ubuntu7
debug2: fd 3 setting O_NONBLOCK
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1014
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1015
debug1: Host 'staging13.vendio.com' is known and matches the RSA1 host key.
debug1: Found key in /home/user/.ssh/known_hosts:1014
debug1: Encryption type: 3des
debug3: Wrote 156 bytes for a total of 194
debug1: Sent encrypted session key.
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug3: Wrote 20 bytes for a total of 214
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key '/home/user/.ssh/identity'
debug3: Wrote 268 bytes for a total of 482
Connection closed by X.X.X.X

and the sshd log on the server looks like this:
Aug 29 00:26:21 staging13 sshd[16286]: connect from Y.Y.Y.Y
Aug 29 00:26:21 staging13 sshd[16286]: log: Connection from Y.Y.Y.Y port 43749
Aug 29 00:26:21 staging13 sshd[16286]: log: Could not reverse map address Y.Y.Y.Y.
Aug 29 00:26:22 staging13 sshd[16286]: fatal: RSA key has too many bits for RSAREF to handle (max 1024).

This is a limitation of the RSAREF library on the server side, so the key generated in step one must have at most 896 bits. Add the -b 896 parameter to the ssh-keygen command in step one, then copy the newly generated key to the server as in step two.

How to use auto config Proxy PAC file for specific domain/url

Why would you need such a thing? I would like to use the squid proxy server for only one domain and connect to everything else directly. A PAC file is nothing but a proxy auto-configuration file: a specialized JavaScript function definition that the browser calls to determine how each request is handled. So what does a PAC file look like?

[codesyntax lang="javascript"]

function FindProxyForURL(url, host)
{
	return "PROXY proxy-host:3128; DIRECT";
}

[/codesyntax]

If you want to connect to one specific domain via the proxy and directly to all other sites:

[codesyntax lang="javascript"]

function FindProxyForURL (url, host)
{
	if (localHostOrDomainIs (host, "www.whatismyip.com"))
	{
		return "PROXY proxy-host:3128";
	}
	else
	{
		return "DIRECT";
	}
}

[/codesyntax]

What if you want to match one or more URLs against a shell-style wildcard expression?

[codesyntax lang="javascript"]

function FindProxyForURL(url, host)
{
	var proxyserver = 'proxy-host:3128';

	var proxylist = new Array(
		'*.whatismyip.com/*',
		'whatismyipaddress.com/*'
	);

	for (var i = 0; i < proxylist.length; i++)
	{
		var value = proxylist[i];
		if (shExpMatch(url, value))
		{
			return "PROXY "+proxyserver;
		}
	}

	return "DIRECT";
}

[/codesyntax]