Me in IT UNIX/Linux Consultancy is based in Utrecht, The Netherlands and specialized in UNIX and Linux consultancy. Experience with Red Hat Enterprise Linux (Red Hat Certified Architect), Fedora Project, CentOS, OpenBSD and related released Open Source products makes Me in IT UNIX/Linux Consultancy a great partner in implementing, maintaining and upgrading your environment.
Open Source software is an important aspect of any Linux distribution. Me in IT UNIX/Linux Consultancy tries to use Open Source software where possible and tries to share experiences actively. In the articles section you will find many UNIX/Linux adventures shared for others to benefit.
Network Address Translation (NAT) is a technique to masquerade the IP addresses of your internal LAN towards the outside world. In other words, the outside world will not be able to look into your network.
This technique is easy to set up and maintain, saves IP addresses and is likely more secure than pure routing. To set it up, you require:
To be able to use IP forwarding, you must tell the kernel that it's okay to forward traffic from one network card to another. This setting is found in /etc/sysctl.conf. Set net.ipv4.ip_forward to 1.
To do this, execute:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Make sure the iptables service is running now and is started at boot:
# service iptables status
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Now that the kernel knows it's allowed to forward traffic from one NIC to another, configure the firewall. The firewall is the intelligent part of NAT: iptables actually does the work. In the commands below eth0 is the NIC facing the outside world (the one the addresses are masqueraded behind) and eth1 is the LAN NIC:
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
So far the rules exist only in the running kernel; a reboot would undo them. Run this command once you are happy with the setup to make them permanent:
# /sbin/service iptables save
Reboot to test the setup. Your LAN clients must use the IP address of the NAT machine's LAN NIC as their default route (gateway).
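The same setup written as a saved ruleset plus two checks, as an added example (not from the original article): it assumes eth0 is the outside NIC and eth1 the LAN NIC, and unlike the bare commands above it sets the FORWARD policy to DROP so that nothing but the two explicit rules is forwarded between the NICs.

```shell
#!/bin/sh
# Added example (not from the original article). Emits the article's NAT
# rules in the format "service iptables save" writes to /etc/sysconfig/iptables
# and checks the kernel forwarding knob. Interface names are parameters.

# nat_ruleset WAN LAN: print an iptables-restore style ruleset.
# FORWARD policy is DROP, so only the two explicit rules pass traffic.
nat_ruleset() {
    wan=$1; lan=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# ip_forward_enabled [FILE]: succeed only if the knob reads 1.
# The optional file argument lets the check run against a copy of the
# knob; by default it reads the live kernel setting.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# forward_policy FILE: print the FORWARD chain policy of a saved ruleset,
# so a saved file that still forwards everything by default stands out.
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p' "$1"
}
```

Load the generated file with iptables-restore (or save it as /etc/sysconfig/iptables and restart the iptables service), then confirm with ip_forward_enabled that forwarding is actually on.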
There are a few ways to start (and stop) daemons at specific runlevels. On Fedora you could use any of the following to modify how Apache (httpd) is started:
This is a simple command line tool that tells the startup facility to enable (on) the Apache (httpd) daemon at runlevel 4 (--level 4):
chkconfig --level 4 httpd on
It works great and fast, but the httpd script must contain a few header lines that let chkconfig know what to do with it:
# chkconfig: 4 85 15
# description: Apache is a World Wide Web server. It is used to serve HTML files and CGI.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid
Have a look at the result with ls /etc/rc4.d. The numbers in the names of the startup links represent the order in which the scripts are started.
A much simpler, more simplistic method to start Apache is to create the link yourself:
ln -s /etc/init.d/httpd /etc/rc4.d/S85httpd
This command symbolically links /etc/rc4.d/S85httpd to the startup script of Apache. Don't forget to also stop the daemon in the other runlevels with this set of links:
ln -s /etc/init.d/httpd /etc/rc0.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc1.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc2.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc3.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc5.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc6.d/K15httpd
A text-based graphical menu to enable or disable services.
A graphical interface to enable or disable services.
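To see what the chkconfig header actually results in, here is an added example (not from the original article) that parses the "# chkconfig:" line of an init script and prints the S/K links chkconfig would create under /etc/rcN.d; for the httpd header above it reproduces S85httpd in rc4.d and K15httpd everywhere else. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): turn a SysV init script's
# "# chkconfig: LEVELS START STOP" header into the rcN.d link names.

# chkconfig_header FILE: print "LEVELS START STOP" from the header line.
# LEVELS is a string of runlevel digits, or "-" meaning "on in no level".
chkconfig_header() {
    sed -n 's/^# chkconfig:[[:space:]]*\([0-9-]*\)[[:space:]]*\([0-9]*\)[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1" | head -n 1
}

# rc_links NAME LEVELS START STOP: one line per runlevel 0-6, an S link
# with the start priority where the level is listed, a K link with the
# stop priority everywhere else (what "chkconfig NAME on" would link).
rc_links() {
    name=$1; levels=$2; start=$3; stop=$4
    for lvl in 0 1 2 3 4 5 6; do
        case $levels in
            *"$lvl"*) echo "rc$lvl.d/S$start$name" ;;
            *)        echo "rc$lvl.d/K$stop$name" ;;
        esac
    done
}

# links_for_script FILE: combine both; the daemon name is the script's
# basename, as chkconfig uses it. Fails when the header is missing.
links_for_script() {
    set -- "$(basename "$1")" $(chkconfig_header "$1")
    [ $# -eq 4 ] || { echo "no valid chkconfig header in $1" >&2; return 1; }
    rc_links "$@"
}
```

Running links_for_script /etc/init.d/httpd on a script carrying the header shown above lists exactly the seven links the two ln -s approaches create by hand.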
Booting a computer to run Linux is quite a complex procedure. Happily it's understandable, and therefore correctable when things break.
The bootloader could point to a kernel that isn't there, or pass a boot parameter that is incorrect (a typo, in other words). Review your Grub or Lilo configuration and try again. Grub is a lot easier to debug, as it has a minimalistic shell included.
You could have built a kernel that's not suitable for your computer. I hope you have left an old kernel on your system; use Grub to select that kernel and boot it.
Init is quite simple: it reads /etc/inittab and starts RC. When you have "played around with" /etc/inittab and made a typo somewhere, you might need to boot off a CD to fix the typo.
This is the part where many "errors" can occur, like "Apache is not starting". Review the startup script in /etc/init.d: check that the script exists and that it has no errors in it. Also read the article about controlling daemons.
These modern-day computers are so fast that "cat"-ting a file scrolls by at an unreadable speed!
Here is a small shell script to slowly cat files or standard input:
#!/bin/sh
# A program to slowly cat a file or standard input.
if [ "$1" ] ; then file="$1" ; else file="-" ; fi   # no argument: read standard input
cat "$file" | while IFS= read -r line ; do
printf '%s\n' "$line" ; sleep 1   # one line per second (the delay is an assumed value)
done
And here is how to use it:
$ scat mylongfile
$ cat mylongfile | scat
Amazing what computers can do!
I tried to explain what "chrooting" is to a group of budding Linux gurus. It turned out to be rather difficult to explain, so maybe an illustrated article will make clear what chroot is.
From chroot's manpage:
chroot - run command or interactive shell with special root directory
And in my own words:
chroot starts a process in a directory which looks like the root directory to that process.
Here is an example of how chroot can be used to reset the root password on an existing system. (It even works when the bootloader (grub) has a password set.)
mkdir /mnt/a && mount /dev/sda5 /mnt/a && mount /dev/sda3 /mnt/a/usr
chroot /mnt/a /bin/sh
If you are a normal (non-root) user on Fedora Core 9, you are able to reboot the machine without giving a password. Rebooting initiates all kinds of scripts that normally have to run as root, yet "reboot" does not have a set-user-id bit set:
$ which reboot
$ ls -l /usr/bin/reboot
lrwxrwxrwx 1 root root 13 2008-11-11 22:18 /usr/bin/reboot -> consolehelper
$ ls -l /usr/bin/consolehelper
-rwxr-xr-x 1 root root 3904 2008-08-03 09:10 /usr/bin/consolehelper
$ file /usr/bin/consolehelper
/usr/bin/consolehelper: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
From the man page of consolehelper I find:
consolehelper is a tool that makes it easy for console users to run system programs, doing authentication via PAM (which can be set up to trust all console users or to ask for a password at the system administrator’s discretion).
And in /etc/pam.d/reboot there is:
auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.so
And from the manpage of pam_console.so:
pam_console.so is designed to give users at the physical console (virtual terminals and local xdm-managed X sessions by default, but that is configurable) capabilities that they would not otherwise have, and to take those capabilities away when they are no longer logged in at the console.
So reboot is permitted to non-root users when they are logged in at the console. To test this, log in to a machine and try "reboot"; when you are not at the console you get:
reboot: Need to be root
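To see which other commands are handed to console users the same way, here is an added audit script (not from the original article, function names are my own): it lists the symlinks that point at consolehelper, as /usr/bin/reboot does above, and checks each command's /etc/pam.d file for an auth stack that pam_console.so alone satisfies, as in the /etc/pam.d/reboot shown above. Directories are parameters so it can run against copies.

```shell
#!/bin/sh
# Added example (not from the original article): find consolehelper-wrapped
# commands and report whether a console login is enough to run them.

# consolehelper_wrappers BINDIR: names of symlinks that point at consolehelper
# (relative "consolehelper" or an absolute path to it).
consolehelper_wrappers() {
    for f in "$1"/*; do
        [ -L "$f" ] || continue
        case $(readlink "$f") in
            consolehelper|*/consolehelper) basename "$f" ;;
        esac
    done
}

# pam_console_only PAMFILE: succeed if an active (uncommented) auth line uses
# pam_console.so and no other auth module except pam_rootok.so is active.
# A commented "#auth include system-auth" line, as in the article, does not
# count, so such a file lets console users through without a password.
pam_console_only() {
    f=$1
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_console\.so' "$f" &&
    ! grep -E '^[[:space:]]*auth[[:space:]]' "$f" | grep -Evq 'pam_console\.so|pam_rootok\.so'
}

# audit_consolehelper [BINDIR] [PAMDIR]: one line per wrapped command,
# "NAME console-users-allowed" or "NAME not-console-only".
audit_consolehelper() {
    bindir=${1:-/usr/bin}; pamdir=${2:-/etc/pam.d}
    consolehelper_wrappers "$bindir" | while read -r name; do
        if [ -f "$pamdir/$name" ] && pam_console_only "$pamdir/$name"; then
            echo "$name console-users-allowed"
        else
            echo "$name not-console-only"
        fi
    done
}
```

Run audit_consolehelper with no arguments on the Fedora box to get the real list; every "console-users-allowed" line is a command that any console login can run as root.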
The "set user id" bit (or setuid bit) is a potentially dangerous permission type. Wrong usage of setuid can result in unauthorized access to your system.
When the setuid bit is set on an executable, that executable runs with the permissions of the file's owner, no matter who starts it. So for example this script has the setuid bit set:
$ ls -l myscript.sh
-rwsr-xr-x 1 root wheel 200 Nov 5 10:47 myscript.sh
Imagine that this script contains the command "reboot"; in that case anybody would be able to reboot the machine. The bit is set with either of these commands:
# chmod 4755 myscript.sh
# chmod u+s myscript.sh
Here is a small demonstration, first showing that a user can't write to /etc/passwd.
$ echo "foo bar" >> /etc/passwd
-bash: /etc/passwd: Permission denied
# chmod u+s /bin/echo
$ echo "foo bar" >> /etc/passwd
See the dangerous situation we have just created? Undo it by executing:
# chmod u-s /bin/echo
To find all files on your system that have the setuid bit set, run:
# find / -perm -4000
Most people on the Windows platform know Cygwin ("Cygwin is a Linux-like environment for Windows"). As I never use Windows, I feared programs like these, but it turns out Cygwin is quite usable. It's even possible to run shell scripts that normally run on my Mac OS X machine.
Download the installer, select all packages you want. (Don't worry, all "generic" tools (ls, cd, grep, awk, ps, bash) are installed by default.) I added "openssh", "netcat", "xterm" and some others. Dependencies will be resolved automatically. The installer downloads everything. You can run the installer again to add extra packages.
You end up with a "Cygwin" icon. Double click it to start your terminal. It's not really a terminal, but looks quite like it.
Some things are strange or missing: "top" is missing, permissions (ls -al) look strange, and so does the directory structure. But take some distance from these details and conclude that you have "bash" running on your Windows machine!
Have you ever used the command comm? It's a Linux command used to compare two (sorted) files. Comm produces three columns of output:
1: Lines only in file 1.
2: Lines only in file 2.
3: Lines in both files.
You can suppress columns by using options like "-1", "-2", "-12" and so on.
Imagine file 1 contains:
$ cat file1
A
B
C
And file 2 contains:
$ cat file2
A
C
D
Then these options (left) would produce this output (right):
| Option | Output | Meaning |
|---|---|---|
| -1 | ACD | Show lines only in file 2 and in both files |
| -2 | ABC | Show lines only in file 1 and in both files |
| -3 | BD | Show lines in file 1 and in file 2, but not in both files |
| -12 | AC | Show lines in both files |
| -13 | D | Show lines only in file 2 |
| -23 | B | Show lines only in file 1 |
| -123 | (no output) | Suppress all columns |
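Comm is most useful for spotting drift between two snapshots of a list, for instance yesterday's and today's output of the setuid check "find / -perm -4000" described elsewhere on this page. Here is an added example (not from the original article, function name is my own) that takes care of comm's sorted-input requirement by sorting both files in the same collation first, and maps the three common questions onto the -13, -23 and -12 options from the table above.

```shell
#!/bin/sh
# Added example (not from the original article): compare two unsorted
# lists with comm. Both inputs are sorted with LC_ALL=C so that sort and
# comm agree on the ordering; comm refuses or mis-pairs lines otherwise.

# compare_lists MODE OLD NEW
#   added   -> lines only in NEW  (comm -13, column 2)
#   removed -> lines only in OLD  (comm -23, column 1)
#   common  -> lines in both      (comm -12, column 3)
compare_lists() {
    case $1 in
        added)   flags=-13 ;;
        removed) flags=-23 ;;
        common)  flags=-12 ;;
        *) echo "usage: compare_lists added|removed|common OLD NEW" >&2; return 2 ;;
    esac
    old=$(mktemp); new=$(mktemp)
    LC_ALL=C sort -u "$2" > "$old"
    LC_ALL=C sort -u "$3" > "$new"
    # With two columns suppressed the remaining column is printed unindented.
    LC_ALL=C comm "$flags" "$old" "$new"
    rm -f "$old" "$new"
}

# Constructed sample (not real system data): two setuid snapshots.
demo() {
    snap1=$(mktemp); snap2=$(mktemp)
    printf '/usr/bin/passwd\n/bin/su\n/usr/bin/sudo\n' > "$snap1"
    printf '/bin/su\n/usr/bin/sudo\n/usr/bin/passwd\n/tmp/myscript.sh\n' > "$snap2"
    echo "new setuid files since last snapshot:"
    compare_lists added "$snap1" "$snap2"
    rm -f "$snap1" "$snap2"
}
```

In the constructed demo the only line reported is /tmp/myscript.sh, which is exactly the kind of newcomer the setuid article says to watch for.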
When you are new to Linux or don't use Linux on a daily basis, finding out how file permissions work can be challenging. Here is a guide that is as short as possible and applies to UNIX, Linux, Mac OS X, FreeBSD, OpenBSD, and other UNIX-like operating systems. We'll call those systems *nix in this guide.
*nix splits permissions into three groups for files and directories:
Besides ownership of files and directories, certain permissions can be given as well:
These permissions are set using chmod (change mode). Ownership of a file is altered with chown (change owner).
chmod wants to know what permissions you give to a file or directory. This value is built up from four fields.
The zeroth field represents the special bits (set user id, set group id and sticky bit, see below). Most users will not set these bits, which leaves the field at "0" by default, meaning: "No special permissions set."
The first field represents the permissions you give to the Owner.
The second field represents the permissions you give to the Group.
The third field represents the permissions you give to the World.
chmod uses numerical arguments to set permissions. To illustrate:
chmod 750 myscript.sh would change permissions for the file myscript.sh.
Read permissions equals a value of 4.
Write permissions equals a value of 2.
Execute permissions equals a value of 1.
Add the numbers representing the permissions you'd like to give to the Owner, Group or World.
So here is a list of common permissions:
Some "weird" permissions, mostly because they are broken or very rare:
There are some special permissions you can give, these permissions go into the zeroth field. You'd use chmod like this to set no special permissions:
chmod 0750 myscript.sh
4750 would mean the file may be executed by the owner and the group, and will be executed as the owner.
Imagine a script would have 4775 permissions and would be owned by root:users; any user in the group could edit the script, and the world could execute it with root's permissions!
Just to remind you once more; Set Group or User id bits are dangerous, know what you are doing when using them!
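To catch exactly that 4775 situation, and as a follow-up to the "find / -perm -4000" check in the setuid article above, here is an added audit script (not from the original article, function names are my own): it lists files with the setuid or setgid bit set under a directory and flags those that the group or the world can also write. It parses the ls -l mode string rather than using stat, so it runs on any *nix named in this guide.

```shell
#!/bin/sh
# Added example (not from the original article): find setuid/setgid files
# and flag the ones that are group- or world-writable.

# privileged_files DIR: regular files under DIR with setuid (4000) or
# setgid (2000) set, staying on one filesystem like a careful find / would.
privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# writable_by_others FILE: succeed if the group or world write bit is set.
# The ls -l mode string looks like -rwsrwxr-x: character 6 is the group
# write bit and character 9 the world write bit.
writable_by_others() {
    case $(ls -ld "$1" | cut -c6,9) in
        *w*) return 0 ;;
    esac
    return 1
}

# risk_of FILE: "FILE setuid|setgid|setuid,setgid ok" or the same with
# "DANGER: group/world writable" when someone other than the owner can
# change what runs with the owner's privileges.
risk_of() {
    f=$1; bits=""
    [ -u "$f" ] && bits="setuid"
    [ -g "$f" ] && bits="${bits:+$bits,}setgid"
    if writable_by_others "$f"; then
        printf '%s %s DANGER: group/world writable\n' "$f" "$bits"
    else
        printf '%s %s ok\n' "$f" "$bits"
    fi
}

# audit_privileged DIR: one risk_of line per privileged file under DIR.
audit_privileged() {
    privileged_files "$1" | while read -r f; do
        risk_of "$f"
    done
}
```

audit_privileged / lists every setuid and setgid file on the machine; a line ending in "ok" is the normal case (such as 4755), a DANGER line is the 4775 case from the paragraph above and should be fixed with chmod g-w or by removing the special bit.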