-:HISTORY OF LINUX:-
FATHER OF LINUX
Linus Torvalds, who was then a student at the University of Helsinki in Finland, developed Linux in 1991. He released it for free on the Internet. Due to the far reach of the Free Software Foundation (FSF) and the GNU Project, Linux popularity increased rapidly, with utilities developed and released for free online. A commercial version of Unix was released by RedHat in the early 1990’s (combining the OS with technical support and documentation) and the popularity of Linux continued to skyrocket.
A system is termed UNIX only if it complies fully with (and is certified by) the Single Unix Specification (SUS) standards. Similar systems that do not comply fully or are not certified, such as Linux, are termed “Unix-like” operating systems.
Learning About Linux
Linux Certification Training
Free Linux Training
Free Online Linux Training
System Administrators
are the technology workers that will typically need to have the most in depth Linux experience.
From a user management perspective there are also two types of FTP: regular FTP in which files are transferred using the username and password of a regular user FTP server, and anonymous FTP in which general access is provided to the FTP server using a well known universal login method.
Take a closer look at each type.
Active FTP
The sequence of events for active FTP is:
1.) Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.
2.) Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
3.) Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.
FTP active mode therefore transfers data in a counter intuitive way to the TCP standard, as it selects port 20 as it's source port (not a random high port that's greater than 1024) and connects back to the client on a random high port that has been pre-negotiated on the port 21 control connection.
Active FTP may fail in cases where the client is protected from the Internet via many to one NAT (masquerading). This is because the firewall will not know which of the many servers behind it should receive the return connection.
Passive FTP
Passive FTP works differently:
Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client with a destination port of a high port on the server.
Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because client always initiates the required connections, passive FTP works better for clients protected by a firewall.
As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.
Regular FTP
By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials.
VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.
The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.
Anonymous FTP
Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineers' attention. Unlike regular FTP where you login with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.
As seen in Chapter 6, "Installing Linux Software", using anonymous FTP as a remote user is fairly straight forward. VSFTPD can be configured to support user-based and or anonymous FTP in its configuration file which you'll see later.
How To Download And Install VSFTPD
Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail. It is best to use the latest version of VSFTPD.
When searching for the file, remember that the VSFTPD packages' filename usually starts with the word vsftpd followed by a version number, as in vsftpd-1.2.1-5.i386.rpm for Redhat/Fedora or vsftpd_2.0.4-0ubuntu4_i386.deb for Ubuntu.
Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail. It is best to use the latest version of VSFTPD.
When searching for the file, remember that the VSFTPD packages' filename usually starts with the word vsftpd followed by a version number, as in vsftpd-1.2.1-5.i386.rpm for Redhat/Fedora or vsftpd_2.0.4-0ubuntu4_i386.deb for Ubuntu.
How To Get VSFTPD Started
With Fedora, Redhat, Ubunbtu and Debian You can start, stop, or restart VSFTPD after booting by using these commands
[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart
With Redhat / Fedora you can configure VSFTPD to start at boot you can use the chkconfig command.
[root@bigboy tmp]# chkconfig vsftpd on
With Ubuntu / Debian the sysv-rc-conf command can be used like this:
root@u-bigboy:/tmp# sysv-rc-conf on
Note: In RedHat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process, which is covered in Chapter 16, "Telnet, TFTP, and xinetd". You can find a full description of how to configure these versions of Linux for VSFTPD in Appendix III, "Fedora Version Differences."
Testing the Status of VSFTPD
You can always test whether the VSFTPD process is running by using the netstat -a command which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.
[root@bigboy root]# netstat -a grep ftp
tcp 0 0 *:ftp *:* LISTEN
[root@bigboy root]#
If VSFTPD wasn't running, there would be no output at all.
The vsftpd.conf File
VSFTPD only reads the contents of its vsftpd.conf configuration file only when it starts, so you'll have to restart VSFTPD each time you edit the file in order for the changes to take effect. The file may be located in either the /etc or the /etc/vsftpd directories depending on your Linux distribution.
This file uses a number of default settings you need to know about.
VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log into to your default FTP directory using a username of anonymous and a password that's the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable directive can be set to no to disable this feature. You'll also need to simultaneously enable local users to be able to log in by removing the comment symbol (#) before the local_enable instruction.
If you enable anonymous FTP with VSFTPD, remember to define the root directory that visitors will visit. This is done with the anon_root directive.
anon_root=/data/directory
VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be changed by modifying the anon_upload_enable directive shown later.
VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.
VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive. There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your /var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated partition.
The configuration file is fairly straight forward as you can see in the snippet below where we enable anonymous FTP and individual accounts simultaneously.
# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)anon_root=/data/directory
...
# Uncomment this to allow local users to log in.local_enable=YES...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/
downloads.xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.
Other vsftpd.conf Options
There are many other options you can add to this file:
Limiting the maximum number of client connections (max_clients)
Limiting the number of connections by source IP address (max_per_ip)
The maximum rate of data transfer per anonymous login. (anon_max_rate)
The maximum rate of data transfer per non-anonymous login. (local_max_rate)
Descriptions on this and more can be found in the vsftpd.conf man pages.
FTP Security Issues
FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.
The /etc/vsftpd.ftpusers File
For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.
Anonymous Upload
If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:
[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload
FTP Greeting Banner
Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is.
ftpd_banner= New Banner Here
Using SCP As Secure Alternative To FTP
One of the disadvantages of FTP is that it does not encrypt your username and password. This could make your user account vulnerable to an unauthorized attack from a person eavesdropping on the network connection. Secure Copy (SCP) and Secure FTP (SFTP) provide encryption and could be considered as an alternative to FTP for trusted users. SCP does not support anonymous services, however, a feature that FTP does support.
Troubleshooting FTP
You should always test your FTP installation by attempting to use an FTP client to log in to your FTP server to transfer sample files.
The most common sources of day-to-day failures are incorrect usernames and passwords.
Initial setup failures could be caused by firewalls along the path between the client and server blocking some or all types of FTP traffic. Typical symptoms of this are either connection timeouts or the ability to use the ls command to view the contents of a directory without the ability to either upload or download files. Follow the firewall rule guidelines to help overcome this problem. Connection problems could also be the result of typical network issues outlined in Chapter 4, "Simple Network Troubleshooting".
Tutorial
FTP has many uses, one of which is allowing numerous unknown users to download files. You have to be careful, because you run the risk of accidentally allowing unknown persons to upload files to your server. This sort of unintended activity can quickly fill up your hard drive with illegal software, images, and music for the world to download, which in turn can clog your server's Internet access and drive up your bandwidth charges.
FTP Users with Only Read Access to a Shared Directory
In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:
1) Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this:
1) Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this: #
Allow anonymous FTP?
anonymous_enable=NO
2) Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this: # Uncomment this to allow local users to log in.
local_enable=YES
3) Start VSFTP.
[root@bigboy tmp]# service vsftpd start
4) Create a user group and shared directory. In this case, use /home/ftp-users and a user group name of ftp-users for the remote users
[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs
5) Make the directory accessible to the ftp-users group.
[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs
6) Add users, and make their default directory /home/ftp-docs
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4
7) Copy files to be downloaded by your users into the /home/ftp-docs directory
8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to no:
write_enable = NO
Remember, you must restart VSFTPD for the configuration file changes to take effect.
Sample Login Session To Test Functionality
Here is a simple test procedure you can use to make sure everything is working correctly:
1) Check for the presence of a test file on the ftp client server.
[root@smallfry tmp]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@smallfry tmp]#
2) Connect to bigboy via FTP [root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As expected, we can't do an upload transfer of testfile to bigboy.
ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.
ftp>
But we can view and download a copy of the VSFTPD RPM located on the FTP server bigboy.
ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
226 Directory send OK
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit221 Goodbye.
[root@smallfry tmp]#
As expected, anonymous FTP fails.
[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
[root@smallfry tmp]#
Now that testing is complete, you can make this a regular part of your FTP server's operation.
Conclusion
FTP is a very useful software application that can have enormous benefit to a Web site or to collaborative computing in which files need to be shared between business partners. Although insecure, it is universally accessible, because FTP clients are a part of all operating systems and Web browsers. If data encryption security is of great importance to you, then you should probably consider SCP as a possible alternative. You can find more information on it in Chapter 17,
Introduction
Normally if you have a cable modem or DSL, you get your home PC's IP address dynamically assigned from your service provider. If you install a home cable/DSL router between your modem and home network, your PC will most likely get its IP address at boot time from the home router instead. You can choose to disable the DHCP server feature on your home router and set up a Linux box as the DHCP server.
This chapter covers only the configuration of a DHCP server that provides IP addresses. The configuration of a Linux DHCP client that gets its IP address from a DHCP server is covered in Chapter 3, "Linux Networking", on Linux Networking.
The /etc/dhcpd.conf Fil
root@u-bigboy:/tmp# dpkg --list grep dhcp
ii dhcp3-client 3.0.3-6ubuntu7 DHCP Client
ii dhcp3-common 3.0.3-6ubuntu7 Files used by all the dhcp3* packages
/usr/share/doc/dhcp-
You have to copy the sample dhcpd.conf file to the /etc directory and then you'll have to edit it. Here is the command to do the copying for the version 3.0p11 RPM file:
[root@bigboy tmp]# cp /usr/share/doc/dhcp-3.0pl1/dhcpd.conf.sample /etc/dhcpd.conf
Debian Note: With Debian / Ubuntu the configuration file name is /etc/dhcp*/dhcpd.conf and has the same syntax as that used by Redhat / Fedora.
Here is a quick explanation of the dhcpd.conf file: Most importantly, there must be a subnet section for each interface on your Linux box.
ddns-update-style interim
ignore client-updates
subnet 192.168.1.0 netmask 255.255.255.0 {
# The range of IP addresses the server
# will issue to DHCP enabled PC clients
# booting up on the network
range 192.168.1.201 192.168.1.220;
# Set the amount of time in seconds that
# a client may keep the IP address
default-lease-time 86400;
max-lease-time 86400;
# Set the default gateway to be used by
# the PC clients
option routers 192.168.1.1;
# Don't forward DHCP requests from this
# NIC interface to any other NIC
# interfaces
option ip-forwarding off;
# Set the broadcast address and subnet mask
# to be used by the DHCP clients
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
# Set the NTP server to be used by the
# DHCP clients
option ntp-servers 192.168.1.100;
# Set the DNS server to be used by the
# DHCP clients
option domain-name-servers 192.168.1.100;
# If you specify a WINS server for your Windows clients,
# you need to include the following option in the dhcpd.conf file:
option netbios-name-servers 192.168.1.100;
# You can also assign specific IP addresses based on the clients'
# ethernet MAC address as follows (Host's name is "laser-printer":
host laser-printer {
hardware ethernet 08:00:2b:4c:59:23;
fixed-address 192.168.1.222;
}
}
#
# List an unused interface here
#
subnet 192.168.2.0 netmask 255.255.255.0 {
}
There are many more options statements you can use to configure DHCP. These include telling the DHCP clients where to go for services such as finger and IRC. Check the dhcp-options man page after you do your install:
[root@bigboy tmp]# man dhcp-options
Note: The host statement seen in the sample dhcpd.conf file can be very useful. Some devices such as network printers default to getting their IP addresses using DHCP, but users need to access them by a fixed IP address to print their documents. This statement can be used to always provide specific IP address to DHCP queries from a predefined a NIC MAC address. This can help to reduce systems administration overhead.
How to Get DHCP Started
To get DHCP started:
1) Some older Fedora/RedHat versions of the DHCP server will fail unless there is an existing dhcpd.leases file. Use the command touch /var/lib/dhcp/dhcpd.leases to create the file if it does not exist.
[root@bigboy tmp]# touch /var/lib/dhcp/dhcpd.leases
2) Use the chkconfig command to get DHCP configured to start at boot:
[root@bigboy tmp]# chkconfig dhcpd on
With Debian / Ubuntu the equivalent command for the dhcp3-server package would be
root@u-bigboy:/tmp#sysv-rc-conf dhcp3-server on
3) Use the service command to instruct the /etc/init.d/dhcpd script to start/stop/restart DHCP after booting
[root@bigboy tmp]# service dhcpd start
[root@bigboy tmp]# service dhcpd stop
[root@bigboy tmp]# service dhcpd restart
With Debian / Ubuntu the equivalent commands would be:
root@u-bigboy:/tmp# /etc/init.d/dhcp*-server start
root@u-bigboy:/tmp# /etc/init.d/dhcp*-server stop
root@u-bigboy:/tmp# /etc/init.d/dhcp*-server restart
4) Remember to restart the DHCP process every time you make a change to the conf file for the changes to take effect on the running process. You also can test whether the DHCP process is running with the following command; you should get a response of plain old process ID numbers: [root@bigboy tmp]# pgrep dhcpd
5) Finally, always remember to set your PC to get its IP address via DHCP.
DHCP Servers with Multiple NICs
When a DHCP configured PC boots, it requests its IP address from the DHCP server. It does this by sending a standardized DHCP broadcast request packet to the DHCP server with a source IP address of 255.255.255.255.
If your DHCP server has more than one interface, you have to add a route for this 255.255.255.255 address so that it knows the interface on which to send the reply; if not, it sends it to the default gateway. (In both of the next two examples, we assume that DHCP requests will be coming in on interface eth0).
Note: More information on adding Linux routes and routing may be found in Chapter 3, "Linux Networking".
Note: You can't run your DHCP sever on multiple interfaces because you can only have one route to network 255.255.255.255. If you try to do it, you'll discover that DHCP serving working on only one interface.
Temporary Solution
You can temporarily add a route to 255.255.255.255 using the route add command as seen below.
[root@bigboy tmp]# route add -host 255.255.255.255 dev eth0
If you want this routing state to be maintained after a reboot, then use the permanent solution that's discussed next.
Permanent Solution
The new Fedora Linux method of adding static routes doesn't seem to support sending traffic out an interface that's not destined for a specific gateway IP address. The DHCP packet destined for address 255.255.255.255 isn't intended to be relayed to a gateway, but it should be sent using the MAC address of the DHCP client in the Ethernet frame. To avoid this problem add the route add command to your /etc/rc.local script.
A better alternative is to create a route file. In Fedora Linux, permanent static routes are added on a per interface basis in files located in the /etc/sysconfig/network-scripts directory. The filename format is route-interface-name so the filename for interface wlan0 would be route-wlan0. In this example the single 255.255.255.255 host address is routed through interface wlan0 via the gateway 192.168.1.254.
#
# File /etc/sysconfig/network-scripts/route-wlan0#
255.255.255.255/32 via 192.168.1.254
Simple Linux routing is covered in Chapter 3, "Linux Networking" and will add more clarity to adding permanent static routes
Configuring Linux Clients to Use DHCP
A Linux NIC interface can be configured to obtain its IP address using DHCP with the examples outlined in , "Chapter 3, Linux Networking".
Please refer to this chapter if you need a quick refresher on how to configure a Linux DHCP client.
Configuring Windows Clients to Use DHCP
Fortunately Windows defaults to using DHCP for all its NIC cards so you don't have to worry about doing any reconfiguration.
Using a Single DHCP Server to Serve Multiple Networks
As stated before, DHCP clients send their requests for IP addresses to a broadcast address which is limited to the local LAN. This would imply that a DHCP server is required on each subnet. Not so. It is possible to configure routers to forward DHCP requests to a DHCP server many hops away. This is done by inserting the IP address of the router's interface on the DHCP client's network into the forwarded packet. To the DHCP server, the non-blank router IP address field takes precedence over the broadcast address and it uses this value to provide a DHCP address that is meaningful to the client. The DHCP server replies with a broadcast packet, and the router, which has kept track of the initial forwarded request, forwards it back towards the client. You can configure this feature on Cisco devices by using the ip helper-address command on all the interfaces on which DHCP clients reside. Here is a configuration sample that points to a DHCP server with the IP address 192.168.36.25:
interface FastEthernet 2/1
ip address 192.168.1.30 255.255.255.0
ip helper-address 192.168.36.25
Simple DHCP Troubleshooting
The most common problems with DHCP usually aren't related to the server; after the server is configured correctly there is no need to change any settings and it therefore runs reliably. The problems usually occur at the DHCP client's end for a variety of reasons. The following sections present simple troubleshooting steps that you can go through to ensure that DHCP is working correctly on your network
DHCP Clients Obtaining 169.254.0.0 Addresses
Whenever Microsoft DHCP clients are unable to contact their DHCP server they default to selecting their own IP address from the 169.254.0.0 network until the DHCP server becomes available again. This is frequently referred to as Automatic Private IP Addressing (APIPA). Here are some steps you can go through to resolve the problem:
Ensure that your DHCP server is configured correctly and use the pgrep command discussed earlier to make sure the DHCP process is running. Pay special attention to your 255.255.255.255 route, especially if your DHCP server has multiple interfaces.
Give your DHCP client a static IP address from the same range that the DHCP server is supposed to provide. See whether you can ping the DHCP server. If you cannot, double-check your cabling and your NIC cards.
DHCP uses the BOOTP protocol for its communication between the client and server. Make sure there are no firewalls blocking this traffic. DHCP servers expect requests on UDP port 67 and the DHCP clients expect responses on UDP port 68. Use tcpdump on the server's NIC to verify the correct traffic flows.
Other DHCP Failures
If the DHCP server fails to start then use your regular troubleshooting techniques outlined in Chapter 4, "Simple Network Troubleshooting", to help rectify your problems. Most problems with an initial setup are often due to:
Incorrect settings in the /etc/dhcpd.conf file such as not defining the networks for which the DHCP server is responsible;
Firewall rules that block the DHCP bootp protocol on UDP ports 67 and 68;
Routers failing to forward the bootp packets to the DHCP server when the clients reside on a separate network.
Always check your /var/logs/messages file for dhcpd errors and remember that mandatory keywords in your configuration file may change when you upgrade your operating system. Always read the release notes to be sure.
Conclusion
In most home-based networks, a DHCP server isn't necessary because the DSL router / firewall usually has DHCP capabilities, but it is an interesting project to try. Just remember to make sure that the range of IP addresses issued by all DHCP servers on a network doesn't overlap because it could possibly cause unexpected errors. You might want to disable the router/firewall's DHCP server capabilities to experiment with your new Linux server.
A DHCP server may be invaluable in an office environment where the time and cost of getting a network engineer to get the work done may make it simpler for Linux systems administrators to do it by themselves.
Creating a Linux DHCP server is straightforward and touches all the major themes in the previous chapters. Now it's time to try something harder, but before we do, we'll do a quick refresher on how to create the Linux users who'll be using many of the applications outlined in the rest of the book.
Setting up a Linux NFS server
NFS through IPTABLES Firewall Setup
Introduction
This note gives some hints and links to install an NFS server with a client on a LAN. It is a report of a specific experience, not a comprehensive how-to: you can find it at Linux NFS How-to. Note that we will use ip.pc.server and ip.pc.client as placeholders for the real IP address of NFS server and client, and daemon_name and packet_name as placeholders for the real names. Suggestions and corrections are welcome.
The software versions used for this report:
Server: RedHat 7.3 (nfs-utils 0.3.3-5 , portmap 4.0.41 , quota 3.03-1)
Clients: RedHat 7.2 (nfs-utils 0.3.1-13.7.2.1 , portmap 4.0-38, quota 3.01pre9-3) and RedHat 7.3
1.) If you want to export a brand new disk through nfs, you must find the corresponding device in the /dev directory. You can use the boot log messages in /var/log. We will assume that the new device is /dev/hdg.
2.)Now you must create the new partition on your disk with the command:
fdisk /dev/hdg
Follow the instructions and create one big partition /dev/hdg1.
3.) Format the new partition with the ext3 file system with the following command: mkfs -t ext3 -c /dev/hdg1
The "-c" options searchs for invalid disk sectors.
4.) Create the new directory that you will export, say /nfsdir, change the permission to 777 and mount the partition on it:
mkdir /nfsdir
chmod 777 /nfsdir
mount -t ext3 /dev/hdg1 /nfsdir
5.) Add the following line in the file /etc/fstab:
/dev/hdg1 /nfsdir ext3 defaults 1 2
Now the new device will be mounted on boot on the selected directory.
6.) Verify that the following packets are installed:
nfs-utils
portmap
quota
with the command:
rpm -qa grep packet_name
7.) Edit the file /etc/exports adding the line:
/nfsdir ip.pc.client1(rw) ip.pc.client2(rw)
Note that the list of authorized client provides a first security step: only the IP addresses listed here are allowed to access a share point. However this is not terribly secure: if someone is capable of spoofing or taking over a trusted address then they can access your mount point. With the default options we don't trust any request made as root on the client: if a user with UID 0 on the client attempts to access the file system, the server substitutes the UID of the server's "nobody" account. The important implication is that all important binaries and files on the server should be owned by root.
8.) Secure the daemons with TCP wrappers: in the file /etc/hosts.deny add a line like this: daemon_name: ALL
for each of the five daemons portmap, lockd, statd, mountd, rquotad. In the file /etc/hosts.allow the line should look like this:
daemon_name: ip.pc.client1 , ip.pc.client2
Start the services:
/etc/init.d/portmap start
/etc/init.d/nfs start
/etc/init.d/nfslock start
and add them to the start configuration with:
chkconfig --level 35 portmap on
chkconfig --level 35 nfs on
chkconfig --level 35 nfslock on
If the services are not present in the level management add them with "--add" chkconfig option.
10.) Verify that the daemons are running with
rpcinfo -p
You should see something like this:
programma vers proto porta
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 32768 status
391002 2 tcp 32769 sgi_fam
100011 1 udp 690 rquotad
100011 2 udp 690 rquotad
100011 1 tcp 693 rquotad
100011 2 tcp 693 rquotad
100005 1 udp 32769 mountd
100005 1 tcp 32770 mountd
100005 2 udp 32769 mountd
100005 2 tcp 32770 mountd
100005 3 udp 32769 mountd
100005 3 tcp 32770 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs 1
00021 1 udp 32770 nlockmgr
100021 3 udp 32770 nlockmgr
100021 4 udp 32770 nlockmgr
Client Setup
1.) Secure the daemons with TCP wrappers: in the file /etc/hosts.deny add a line like this: daemon_name: ALL
for each of the five daemons portmap, lockd, statd, mountd, rquotad. In the file /etc/hosts.allow the line should look like this:
daemon_name: ip.pc.server
2.) Verify that the services portmap and nfslock are running. The commands needed to verify, start and add this services to the running configuration are shown at the last two points of server setup. With the command
rpcinfo -p
you should get something like this:
programma vers proto porta
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 32768 status
391002 2 tcp 32769 sgi_fam
100021 1 udp 32811 nlockmgr
100021 3 udp 32811 nlockmgr
100021 4 udp 32811 nlockmgr
3.) With the daemons portmap, lockd, statd running you should be able to mount the remote directory. Try it typing:
mkdir /mntdir
mount -t nfs ip.pc.server:/nfsdir /mntdir
If the mount command works add the mounting at the start-up editing the file /etc/fstab and adding the following line
ip.pc.server:/nfsdir /mntdir nfs bg,hard,intr,nosuid,rw 0 0
The meanings of the options are:
bg: If the first NFS mount attempt times out, retry the mount in the background.
hard: The program accessing a file on a NFS mounted file system will hang when the server crashes.
intr: If an NFS file operation has a major time-out and it is hard mounted, then allow signals to interrupt the file operation and cause it to return.
nosuid: Do not allow set-user-identifier or set-group-identifier bits to take effect.
NFS through IPTABLES Firewall Setup
The step-by-step guide that follow is a summary of a very well done guide, that I suggest to read carefully, and it is referred to the server with RedHat 7.3. The same considerations apply to RedHat 8.0 and 9.0. To make it possible to configure a firewall that controls NFS, it is necessary to be able to "tie" down the ports used by these services to fixed values. In the following we suggest some fixed values, but of course you can use different numbers.
1.) Portmapper (portmap): uses port 111 on both TCP and UDP protocols.
2.) NFS daemon (rpc.nfsd): uses port 2049 on both TCP and UDP protocols.
3.) Status (rpc.statd): normally uses a random port allocated by portmapper. It is possible to configure a fixed port number by supplying the "-p" command option when the program is launched. Edit the file /etc/init.d/nfslock, find the line "daemon rpc.statd" and add the option: daemon rpc.statd -p 4000
4.) NFS lock manager (rpc.lockd): normally uses a random port allocated by portmapper. On systems where the lock manager is implemented as a loadable module (RedHat 7.3 and greater, Mandrake 8.2 and greater) the port number used is set at module load time, and so is configured by adding (or editing) a line in the /etc/modules.conf file, as follows:
options lockd nlm_udpport=4001 nlm_tcpport=4001
5.) mountd (rpc.mountd): normally uses a random port allocated by portmapper. It is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done by editing the file /etc/sysconfig/network and adding the following line:
MOUNTD_PORT=4002
6.) rquotad (rpc.quotad): if your system is not already running "quota" version 3.08 or later, download it from the linuxquota website. Remove the old version and install the new quota package:
tar zxvf quota-3.08.tar.gz
cd quota-tools
./configure
make
make install
cp rpc.rquotad /usr/sbin/
Now edit the file /etc/rpc and check that the following line is present:
rquotad 100011 rquotaprog quota rquota
It should be there, but if isnt, then add it yourself. Finally edit the file /etc/services and add the following lines:
rquotad 4003/tcp
rquotad 4003/tcp
Note that you can happily use NFS without quotas, and in such case you can skip this point.
7.) Now you have blocked the NFS services' port, and then a simple IPTABLES firewall might look like this:
iptables -A INPUT -f -j ACCEPT -s ip.pc.client
iptables -A INPUT -s ip.pc.client -d 0/0 4000:4003 -p 6 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 4000:4003 -p 17 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 2049 -p 17 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 2049 -p 6 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 111 -p 6 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 111 -p 17 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p 6 -j DENY --syn --log-level 5
iptables -A INPUT -s 0/0 -d 0/0 -p 17 -j DENY --log-level 5
With IPCHAINS the equivalent commands are: ipchains -A input -f -j ACCEPT -s ip.pc.client
ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 17 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 2049 -p 17 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 2049 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 111 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 111 -p 17 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -p 6 -j DENY -y -l
ipchains -A input -s 0/0 -d 0/0 -p 17 -j DENY -l
It is worth mentioning that NFS is not an encrypted protocol, and anyone on the same physical network could sniff the traffic and reassemble the information being passed back and forth.
