HP-UX: How Do I configure routing or add route?

Posted on in Categories Howto, HP-UX, Sys admin, Tips, UNIX last updated October 29, 2005

You can use the route command to configure routing. The syntax is as follows:
route add net {network-address} netmask {subnet} {router-address}

Let us assume your router address is 192.168.1.254 and your network ID is 192.168.1.0/24; then you can type the route command as follows:
# route add net 192.168.1.0 netmask 255.255.255.0 192.168.1.254

OR

To add a default route:
# route add default 192.168.1.254

Verify that the routing table is updated (display the routing table):
# netstat -nr

Test it, i.e. try to ping a host or send an nslookup request:
# ping mycorp.com

To flush all routing entries use the following command [quite handy to clean up your gordian knot ;)]:
# route -f

However, if you reboot the HP-UX box, the above routing entries get removed. To pick up your settings upon each reboot you need to configure routes in the HP-UX networking configuration file, /etc/rc.config.d/netconf. To add the default router/gateway 192.168.1.254:
# vi /etc/rc.config.d/netconf

Add or modify the following entries:

ROUTE_DESTINATION[0]="default"
ROUTE_MASK[0]=""
ROUTE_GATEWAY[0]="192.168.1.254"
ROUTE_COUNT[0]="1"
ROUTE_ARGS[0]=""

Reboot the HP-UX system/server for the change to take effect:
# shutdown -ry 0

How do I build a Simple Linux Firewall for DSL/Dial-up connection?

Posted on in Categories Debian Linux, Gentoo Linux, Iptables, Linux, Networking, RedHat/Fedora Linux, Security, Suse Linux, Sys admin, Tips, Ubuntu Linux last updated October 28, 2005

If you’re new to Linux, here’s a simple firewall that can be set up in minutes. Those coming from a Windows background, in particular, often get lost while creating a Linux firewall.
This is the most common question asked by Linux newbies (noobs): how do I install a personal firewall on a standalone desktop Linux computer? In other words, “I wanna a simple firewall that allows or permits me to visit anything from my computer but it should block everything from outside world”.
Well, that is pretty easy. First remember that INPUT means incoming and OUTPUT means outgoing connections/access. With the following little script and discussion you should be able to set up your own firewall.

Step # 1: Default Firewall policy

Set up the default access policy to drop all incoming traffic but allow all outgoing traffic. This lets you make unlimited outgoing connections from any port, while no incoming traffic/ports are allowed. (The policy flag is an uppercase -P; lowercase -p is the protocol match.)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

Step # 2: Allow unlimited traffic from loopback (lo) device

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Step # 3: Setup connection oriented access

Some protocols, such as FTP, DNS queries and other UDP traffic, need the replies to an established connection to be let back in. In other words you need to allow all established and related connections using the iptables state module.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Step # 4: Drop everything else and log it

iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Rather than typing all of the above commands at a shell prompt every time, it is a good idea to create a script called fw.start as follows (copy and paste the following script into the fw.start file):

#!/bin/sh
# A simple desktop firewall (fw.start)

# Flush all rules and delete user-defined chains in every table
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load connection tracking, plus the FTP helper for passive ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

You can enhance your tiny firewall by:

  • Creating a script to stop the firewall
  • Optionally, starting the firewall automatically as soon as Debian Linux boots up, using the instructions outlined here
  • Finally, if you want to open incoming ssh (port 22) or http (port 80), inserting the following two rules before the "# DROP everything and Log it" line in the above script:

iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT

Easy to use Linux firewall programs/tools

How do I use Iptables connection tracking feature?

Posted on in Categories News last updated October 27, 2005

Connection tracking is an essential security feature of Iptables. But, what is connection tracking?

It is the ability to maintain connection information in memory. This is a new feature added in the 2.4.xx Linux kernel. Earlier only commercial firewalls had this feature, but now it is part of Linux. It can remember connection states such as established and new connections, along with protocol types and source and destination IP addresses. You can allow or deny access based upon state. Following are the states:

  • NEW – A client requesting a new connection via the firewall host
  • ESTABLISHED – A packet that is part of an already established connection
  • RELATED – A new connection that is started as part of an existing connection (an ftp data channel, for example)
  • INVALID – If none of the above three states applies, the packet is in the INVALID state.

Let us try to understand the four states with an ftp example (our setup):

client                     FTP Server
202.54.1.10                64.67.33.76
client.me.com              ftp.me.com

A) Connect to the ftp server:
You have to use the ftp command as follows:
$ ftp ftp.me.com
This opens a NEW (state) connection to the ftp server.

client          NEW        FTP Server
202.54.1.10     --->       64.67.33.76
client.me.com              ftp.me.com

B) Download files
> get bigfile.tar.gz
When the client downloads files from the ftp server, we call it an ESTABLISHED connection.

client          ESTABLISHED   FTP Server
202.54.1.10     <--->         64.67.33.76
client.me.com                 ftp.me.com

Please note that when you see the username/password prompt your connection is established, and access to the ftp server is granted upon successful authentication.

C) Passive ftp connections
In a passive ftp connection, the client connection port is 20, but the transfer port can be any unused port 1024 or higher. To enable passive mode the ftp client can send the pass command:
ftp> pass
Passive mode on.

You need to use the RELATED state at the firewall level if you wish to allow passive ftp access. Here is an example for an SSH server: allow only new and established connections for the SSH server IP 64.67.33.76.

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 64.67.33.76 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 64.67.33.76 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

It also works with stateless protocols such as UDP. The following example allows connection tracking to forward only the packets that are associated with an established connection:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
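The four states above, and the desktop INPUT chain from the firewall post (accept ESTABLISHED/RELATED, accept NEW only to chosen ports, LOG, then DROP), as an added worked example that is not part of either post: a small Python model that classifies packets the way the text describes, including the passive-ftp data channel that RELATED covers, and evaluates the chain in first-match order. The ALLOWED_NEW_TCP set, the test address 198.51.100.9 and the port numbers are assumptions; the server and client addresses are the post's own.

```python
# Added example, not the post's own code: a toy model of iptables conntrack.
SERVER, CLIENT = "64.67.33.76", "202.54.1.10"  # ftp.me.com / client.me.com
ALLOWED_NEW_TCP = {21, 22}                      # assumed: ftp control and ssh

class ConnTracker:
    def __init__(self):
        self.conns = set()     # confirmed (src, sport, dst, dport) tuples
        self.expected = set()  # (addr, port) announced in an FTP PASV reply

    def state(self, pkt):
        """Classify one packet as NEW, ESTABLISHED, RELATED or INVALID."""
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.conns or rev in self.conns:
            if "pasv_port" in pkt:               # what ip_conntrack_ftp learns
                self.expected.add((pkt["src"], pkt["pasv_port"]))
            return "ESTABLISHED"
        if (pkt["dst"], pkt["dport"]) in self.expected:
            self.expected.discard((pkt["dst"], pkt["dport"]))
            return "RELATED"                     # passive-mode data channel
        return "NEW" if pkt.get("syn") else "INVALID"  # no SYN, nothing tracked

    def confirm(self, pkt):  # entry is kept only once the packet was accepted
        self.conns.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))

INPUT_CHAIN = [  # (match, target) pairs; chain policy DROP applies if none match
    (lambda p, s: s in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    (lambda p, s: s == "NEW" and p["dport"] in ALLOWED_NEW_TCP, "ACCEPT"),
    (lambda p, s: True, "LOG"),                  # non-terminating target
    (lambda p, s: True, "DROP"),
]

def filter_input(tracker, pkt):
    """Return (state, verdict) for one packet arriving at the server."""
    st = tracker.state(pkt)
    for match, target in INPUT_CHAIN:
        if match(pkt, st) and target != "LOG":   # LOG logs, then continues
            if target == "ACCEPT":
                tracker.confirm(pkt)
            return st, target
    return st, "DROP"

def packet(src, sport, dst, dport, **flags):
    return dict(src=src, sport=sport, dst=dst, dport=dport, **flags)

def ftp_session():  # constructed packets for the passive-ftp walk-through above
    t = ConnTracker()
    verdicts = [filter_input(t, packet(CLIENT, 1050, SERVER, 21, syn=True)),
                filter_input(t, packet(CLIENT, 1050, SERVER, 21))]
    t.state(packet(SERVER, 21, CLIENT, 1050, pasv_port=3000))  # outbound PASV reply
    verdicts.append(filter_input(t, packet(CLIENT, 1051, SERVER, 3000, syn=True)))
    return verdicts  # NEW/ACCEPT, ESTABLISHED/ACCEPT, RELATED/ACCEPT
```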

In the past we have covered lots of examples related to iptables connection tracking.

Update: You may need to put the following two lines in your script to use the connection tracking feature:

modprobe ip_conntrack
modprobe ip_conntrack_ftp

Please see complete example script here.

Sun to update Solaris 10 by year end

Posted on in Categories News last updated October 25, 2005

Sun Microsystems plans to release the first update to Solaris 10 by the end of the year, adding an overhauled start-up process, software update feature and performance improvements.

It includes following features:

  • Newboot – GRUB-like software that can boot different operating systems such as Linux/Windows/BSD (dual boot)
  • Sun Update Connection – A completely refreshing way to keep your systems up to date and secure, like up2date from Red Hat and Windows Update from Microsoft

Read full article

HP-UX Booting from a system recovery Tape

Posted on in Categories Backup, HP-UX, UNIX last updated October 25, 2005

Recently one of our HP-UX servers went down and it needed recovery. Since I’m new to HP-UX, one of our senior UNIX admins pointed out to me that they have a system recovery tape. After going through our internal docs and other resources, I was able to recover the system 🙂

Here is what I did…

First I put the recovery tape into the tape drive.

As soon as the system started (auto boot) I had to interrupt the autoboot sequence (press the ESC key) and load the tape into the drive.
Next I typed the ‘search ipl‘ command so that it would search for my recovery tape drive:
> search ipl

It will give output of different devices such as Random access media; look for Sequential Access Media (and its path number or hw path).
Here is what I typed to boot from tape (on my system):

> boot 8/16/5.0
OR
> boot p2

Replace 8/16/5.0 or p2 with your actual tape drive h/w path. Once booting started, it automatically restored the system.

It took almost an hour to recover but it did the job. This tape made my system bootable. The next task was to restore all data from the full and incremental backups and install the needed additional software. I typed the following command on the HP-UX box to restore all files and directories:

# frecover -f /dev/rmt/0m -rv

This emergency came around 5pm last Friday evening. I was just closing for the day and was about to go home. I spent 4 hours restoring the box and other stuff.

Well, the good news is that my Diwali holidays start from the coming Friday and will last until November 7, 2005 :). I really need a break guys :D.

How do I synchronise my single Debian Linux desktop clock to network?

Posted on in Categories Debian Linux, Howto, Linux, Ubuntu Linux last updated October 22, 2005

You will find lots of tutorials about how to set up an NTP server. However, if you just wanna synchronize a single Linux desktop connected via an A/DSL Internet connection, use the ntpdate command. It is very easy to install and configure the ntp client. The following instructions are only compatible with Debian / Ubuntu Linux.

ntpdate client

ntpdate sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the server arguments to determine the correct time. It must be run as root on the local host. A number of samples are obtained from each of the servers specified and a subset of the NTP clock filter and selection algorithms are applied to select the best of these. Note that the accuracy and reliability of ntpdate depends on the number of servers, the number of polls each time it is run and the interval between runs.

Install ntpdate utility

The ntpdate command sets the local date and time by polling the Network Time Protocol (NTP) server(s).

# apt-get install ntpdate

You are done; by default the /etc/default/ntpdate file is used to point at the pool.ntp.org servers.

Allow access to NTP client via Iptables firewall

The NTP client uses UDP port 123 to communicate with the NTP server. The following rules open/allow the NTP client's outgoing request and the server's reply (chain names are case-sensitive, so INPUT and OUTPUT must be uppercase):

# NTP outgoing client request
iptables -A OUTPUT -p udp -s 192.168.1.1 --sport 1024:65535 -d 0/0 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
# NTP reply from the server to the client
iptables -A INPUT -p udp -s 0/0 --sport 123 -d 192.168.1.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Add the above rules to your existing iptables script. Please note that if you have more than 2-3 computers, it is a better idea to set up your own NTP server. I will write on NTP server configuration later on.

For more information visit the NTP pool website (public NTP time servers for everyone) and read the ntpdate man page.

How Do I Burn MP3 onto an audio CD from Linux shell command prompt?

Posted on in Categories Howto, Linux, Linux desktop, Linux distribution, RedHat/Fedora Linux, Shell scripting, Tip of the day, Ubuntu Linux last updated October 21, 2005

Recently I decided to burn selected MP3 files on an audio CD from command prompt.

First, you need to convert your mp3 (myfile.mp3) into a .wav (myfile.wav) file:
$ mpg123 -w myfile.wav myfile.mp3
Use the above command to convert each of your mp3 files to .wav.

Then burn all the .wav files onto the CD (cdrecord takes dev= without a leading dash):
# cdrecord dev=ATA:1,0,0 -eject speed=4 -pad -audio *.wav


Linux powered gaming gadget Gamepark Holdings GP2X-F100 by end of Oct-05

Posted on in Categories News last updated October 21, 2005

Finally, Linux is making its own place in the entertainment world. You can play games, watch movies, read ebooks and much more. The Gamepark Holdings GP2X-F100 (console) features dual ARM9 processors, USB 2.0, a 3.5-inch color LCD, support for both native and emulated games, and a Linux SDK (software development kit). Looks like a good holiday purchase 😀

More information available here or here

Red Hat RPM Dependency problem

Posted on in Categories News last updated October 21, 2005

Well, when RPM works you think life is better, and when it does not work you think life sucks 😉 However, RPM has an --aid option that solves the dependency problem. It is designed to install dependent packages automatically. To use the --aid switch with rpm you need to install a special RPM package first, called rpmdb-redhat. Locate this package on the CD and install it via the rpm command:

# rpm -ivh rpmdb-redhat*

Once installed, use the rpm command as follows:

# rpm -ivh --aid mysql*

OR

# rpm -ivh --aid rpm-file-name-version.rpm

It will install the mysql client with all dependencies. If you are an RHN subscriber then you don’t have to use the rpmdb-redhat package; use the up2date command instead (see how to configure RHN):

# up2date -i -v mysql*

Please note that the --aid switch does not work with third party RPMs. Fedora users must use YUM. --aid works best if you have all rpm packages copied to a single directory on the hard disk or on an ftp/http server. For example:

# rpm --aid -ivh http://installserver.mycorp.com/rpms/mysql*
