Friday, December 21, 2012

Linux Firewall Important Rule Commands


Firewall Builder is a GUI front end that shows all firewall policy rules in a structured view. You can install this tool by following this link:
https://help.ubuntu.com/community/DynamicFirewall

You can also install the Firestarter firewall just by executing:
apt-get install firestarter

#Export the firewall rules to a text file
iptables-save > rules.txt

#Restore the firewall rules from a text file (note that your existing rules are replaced when you restore)
iptables-restore < rules.txt

#Check the firewall rules
iptables -L -n -v

#Check a chain's rules with line numbers
INPUT ==> iptables -L INPUT --line-numbers
OUTPUT ==> iptables -L OUTPUT --line-numbers
FORWARD ==> iptables -L FORWARD --line-numbers

#Delete a particular firewall rule from a particular chain
Step1: First check the line numbers with the command above
Step2: Execute this command on your terminal ==> iptables -D CHAIN-NAME LINE-NUMBER
LIKE: for the INPUT chain ==> iptables -D INPUT 13


#FTP ports (control port 21 inbound, data port 20 outbound)
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT

#To open ports 80 and 443
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

#UDP Port for SIP SERVER
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

#VPN SERVER firewall rules (PPTP, TCP port 1723)
iptables -A INPUT -i eth1 -p tcp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1723 -j ACCEPT

#CoovaChilli hotspot ports
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 4990 --syn -j ACCEPT

#Other ports for the CoovaChilli hotspot (if facing any issue, check these ports also)
iptables -I INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 67:68 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 3306 --syn -j ACCEPT

#SSH: accept from tun0
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 22 --dst 192.168.3.1 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
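The rules above as one script, added here as an example and not taken from the original post: it applies the post's allow rules on top of a default-deny baseline (INPUT and FORWARD policy DROP, replies allowed through the state module) and uses `iptables -C` so re-running the script does not append duplicate rules. It assumes iptables 1.4.11 or newer (for -C), keeps the post's eth1/tun0 interface names and the 192.168.3.1 SSH destination, and, unlike the post, accepts SSH only via tun0; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root: sh firewall.sh apply
# DRY_RUN=1 sh firewall.sh apply   only prints the iptables commands.
set -eu

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}

# Execute an iptables command, or print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Append a rule to a chain only if an identical rule is not already there.
# -C (check) needs iptables >= 1.4.11; it is what makes the script rerunnable.
add_rule() {
    chain=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT -C $chain $* || $IPT -A $chain $*"
    else
        "$IPT" -C "$chain" "$@" 2>/dev/null || "$IPT" -A "$chain" "$@"
    fi
}

apply_rules() {
    # Baseline: drop unsolicited inbound and forwarded packets, allow replies
    # to connections this host opened, and always allow loopback.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    add_rule INPUT -i lo -j ACCEPT
    add_rule INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services from the post: FTP control, HTTP/HTTPS, SIP signalling + RTP,
    # PPTP on the Internet-facing eth1, and the CoovaChilli UAM ports.
    add_rule INPUT -p tcp --dport 21 -j ACCEPT
    add_rule INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    add_rule INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    add_rule INPUT -p udp --dport 5060 -j ACCEPT
    add_rule INPUT -p udp --dport 10000:20000 -j ACCEPT
    add_rule INPUT -i eth1 -p tcp --dport 1723 -j ACCEPT
    add_rule INPUT -p tcp --dport 3990 --syn -j ACCEPT
    add_rule INPUT -p tcp --dport 4990 --syn -j ACCEPT

    # SSH is reachable only through the VPN tunnel, not on every interface.
    add_rule INPUT -i tun0 -p tcp --dport 22 -d 192.168.3.1 -j ACCEPT

    # Log (rate-limited) what the DROP policy is about to discard, so drops
    # can be reviewed in the kernel log; the packet then falls through to the policy.
    add_rule INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

# Show a chain with line numbers, the form needed by `iptables -D CHAIN N`.
show_chain() {
    "$IPT" -L "$1" -n -v --line-numbers
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_chain "${2:-INPUT}" ;;
esac
```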


Tuesday, August 7, 2012

Installation and Configuration daloRADIUS

Step1: Download daloRADIUS from this link: http://sourceforge.net/projects/daloradius/files/
Step2: Extract daloradius-0.9-9.tar.gz and copy it into your web root directory (default /var/www/).
            tar -xzvf daloradius-0.9-9.tar.gz
            cp -R daloradius-0.9-9 /var/www
Step3: Change the owner to www-data and set the permission of the config file:
            chown -R www-data:www-data /var/www/daloradius-0.9-9
            chmod 644 /var/www/daloradius-0.9-9/library/daloradius.conf.php
Step4: Import the daloRADIUS SQL script into the radius database in MySQL:
            mysql -u root -p radius < /var/www/daloradius-0.9-9/contrib/db/mysql-daloradius.sql
Step5: Change the database configuration as follows:
            gedit /var/www/daloradius-0.9-9/library/daloradius.conf.php
Set the MySQL user name and password. Make sure this MySQL user name and password are correct:
$configValues['CONFIG_DB_HOST'] = '127.0.0.1';
$configValues['CONFIG_DB_USER'] = 'root';
$configValues['CONFIG_DB_PASS'] = 'password';   // your MySQL password
$configValues['CONFIG_DB_NAME'] = 'radius';

Step6: Install the PHP packages:
            apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5
Step7: Create the log files and set their permissions. Check that your log file directory is the same; if it differs, change the directory path and set the permissions accordingly:
  • touch /var/log/freeradius/radacct/sql-relay
  • touch /var/log/freeradius/radutmp
  • touch /var/log/daloradius.log
  • chmod 755 /var/log/freeradius
  • chown freerad:freerad /var/log/freeradius/radutmp
Step8: Configuration is complete; test it by opening this link: http://your-ipaddress/daloradius-0.9-9/login.php
You should get login page like below:

If you configured another IP, change it and open the daloRADIUS login page. If there is any issue, check the log file or the comments on this link: http://manajung.blogspot.com/2010/01/daloradius-on-ubunto-910.html

Wednesday, July 25, 2012

Install and Configure CoovaChilli Hotspot


Download the updated CoovaChilli package from this link.

Download CoovaChilli 1.2.6 and install it by double-clicking the package coova-chilli_1.2.6_i386.deb in the Ubuntu Software Center.

Step1: It is good practice to keep a backup of the original CoovaChilli config file. Execute this command on your terminal:
cp /etc/chilli/defaults /etc/chilli/config

Step2: Create a hotspot folder inside the www root directory to keep the hotspot script, by executing the following commands on your terminal:
mkdir /var/www/hotspot
cd /var/www/hotspot
cp /etc/chilli/www/* /var/www/hotspot

Replace the string in the following JavaScript files by executing the commands below. Make sure 192.168.0.1 is the IP of your local Ethernet interface.
sed -i 's/1.0.0.1/192.168.0.1/g' /etc/chilli/www/ChilliLibrary.js
sed -i 's/1.0.0.1/192.168.0.1/g' /var/www/hotspot/ChilliLibrary.js

Step3: Now make a change in the file /etc/default/chilli. Run this command:
nano /etc/default/chilli and change
START_CHILLI=0 to
START_CHILLI=1

Step4: Configure the CoovaChilli config file /etc/chilli/config. Run this command on your terminal:
nano /etc/chilli/config

Make following change:
HS_LANIF=eth1 # Subscriber-side interface that chilli listens on (hotspot LAN)
HS_NETWORK=192.168.0.0 # HotSpot Network Series
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=192.168.0.1 # Local Ethernet IP
HS_UAMPORT=3990 # HotSpot Port

HS_NASID=nas01
HS_UAMSECRET=your-uam-password
HS_RADIUS=127.0.0.1
HS_RADIUS2=127.0.0.1
HS_RADSECRET=your-rad-password
HS_UAMALLOW=www.google.com,192.168.0.0/24 # allow this

HS_UAMSERVER=192.168.0.1 #local ethernet IP
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html
HS_UAMSERVICE=https://192.168.0.1/cgi-bin/hotspotlogin.cgi

HS_ANYIP=on # Allow any IP address on subscriber LAN
#
HS_MACAUTH=on  #To turn on MAC Authentication
HS_MACPASSWD=XXXXXX #
The password must be the same as the string in /etc/chilli/functions

Step5: Now configure apache2. Install the Apache MySQL authentication module by running this command on your terminal:
            apt-get install libapache2-mod-auth-mysql

Step6: Install the ssl-cert package (self-signed certificate tooling) by running this command on your terminal:
            apt-get install ssl-cert

Step7: Create an ssl directory inside /etc/apache2. Run this command on your terminal:
            mkdir /etc/apache2/ssl

Step8: Check your hostname and modify it if you want to change it:
            hostname -f

Step9: Generate a self-signed certificate for your host name. Run this command on the terminal:
            make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Step10: Enable the ssl module and reload Apache. Run these commands on your terminal:
            a2enmod ssl
            /etc/init.d/apache2 force-reload

Step11: Edit your hosts file by running this command on your terminal:
            nano /etc/hosts

Make these Changes:
            127.0.0.1           localhost
            127.0.1.1           hotspotwifi # this is my hostname
            192.168.0.1       hotspotwifi

Step12: Create the configuration file for the hotspot site. Run this command on your terminal:
            nano /etc/apache2/sites-available/hotspot

Copy and paste the following into this hotspot file, then save and close:
NameVirtualHost 192.168.0.1:443
<VirtualHost 192.168.0.1:443>
ServerAdmin webmaster@domain.org
DocumentRoot "/var/www/hotspot"
ServerName "192.168.0.1"
<Directory "/var/www/hotspot/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
<Directory "/usr/share/freeradius-dialupadmin/htdocs/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

<Directory "/var/www/hotspot/cgi-bin/">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/hotspot-error.log
LogLevel warn
CustomLog /var/log/apache2/hotspot-access.log combined

ServerSignature On
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Step13: Enable the hotspot site so that Apache loads the new configuration. Run this command on your terminal:
a2ensite hotspot

Step14: Make the following changes in the ports.conf file. Run this command and make the changes below:
nano /etc/apache2/ports.conf

Add the following lines:
Listen 443
Listen 80

Also edit the Apache config file with nano /etc/apache2/apache2.conf and add the following line to it:
ServerName 192.168.0.1

Step15: Edit the Apache default site configuration file. Run this command:
nano /etc/apache2/sites-available/default

Add this line at the top of the file:
NameVirtualHost *:80

Step16: Create the login page for the hotspot. Download this package and extract it in the /var/www/hotspot directory. Run these commands:
cd /var/www/hotspot/
wget http://www.truesoft.co.th/wifi/uam.tgz
tar xvf uam.tgz

Step17: Run this command so that CoovaChilli starts at boot time:
update-rc.d chilli defaults

Step18: Download (http://haserl.sourceforge.net/) and install Haserl, which is used to redirect the page. Run these commands to install it:

sudo apt-get install gcc  # install gcc, needed to build haserl
tar xvf haserl-0.8.0.tar.gz

cd haserl-0.8.0/

Now you should be in this directory: /var/www/hotspot/haserl-0.8.0

Configure and Install it:
./configure
make
make install

Also edit this file to change the haserl path variable:

Run this command:
nano /etc/chilli/wwwsh
and replace the line
haserl=$(which haserl 2>/dev/null)
with this:
haserl=/usr/local/bin/haserl
 
Step19: Install syslog-ng by executing this command from your terminal:

apt-get install syslog-ng

Edit the syslog-ng config file. It is good practice to back up the original config file first:
cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak
nano /etc/syslog-ng/syslog-ng.conf

Add the following destination to it (192.168.20.104 is the remote log host):
destination remote {
udp("192.168.20.104" port(514));
};


Now restart syslog-ng:
/etc/init.d/syslog-ng restart

Step20: Edit the rc.capture service. Run this command: nano /etc/init.d/rc.capture

Add the following lines to this file (tail pipes every new log line into logger, which hands it to syslog-ng under facility local3):
#!/bin/bash
tail -F /var/log/squid/access.log | logger -t squid -p local3.info &
tail -F /var/log/radius/radacct/127.0.0.1/details | logger -t radiusd -p local3.info &

chmod a+x /etc/init.d/rc.capture
ln -s /etc/init.d/rc.capture /etc/rcS.d/S88rccapture

Step21: Edit this file by executing this command on your terminal: nano /etc/freeradius/modules/detail

Replace this line :
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
with this
detailfile = ${radacctdir}/%{Client-IP-Address}/details

Install NTP Server as a Log Server     

Step1: Execute this command on your terminal to install ntp:
            apt-get install ntp

Step2: Take a backup of the original ntp.conf file, then edit the file /etc/ntp.conf:
cp /etc/ntp.conf /etc/ntp.conf.bak

Make following changes:
restrict default kod nomodify notrap noquery nopeer
restrict 127.0.0.1
# Allow Internal network Access
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap

# You can give your own server or localhost or gps device

server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/ntp.drift
broadcastdelay 0.008


Step3: Enable the ntp service with chkconfig and restart it.
Run these commands on your terminal:
chkconfig ntp on
/etc/init.d/ntp restart

Now you have a CoovaChilli hotspot WiFi. Switch on your access point.
Make sure the access point's IP address configuration is like this:

IP Address: in the same range as your local Ethernet. In my case:
local ethernet IP: 192.168.0.1
Access Point IP: 192.168.0.245
Net Mask: 255.255.255.0
#Gateway should be same as local ethernet IP
Gateway: 192.168.0.1

Now connect any client PC to your WiFi and open any site. It should be redirected to the login page. Log in with username: guest, password: guest and test the internet.
If there is any issue, check the log file or drop a comment.
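An added example, not from the original post, for the /etc/chilli/config written in Step4 above: a POSIX shell checker that rejects a config still carrying the placeholder secrets (your-uam-password, your-rad-password, XXXXXX), a missing HS_MACPASSWD while HS_MACAUTH=on, or an HS_UAMLISTEN address that is not inside HS_NETWORK/HS_NETMASK. The function names (cfg_get, ip2int, in_subnet, check_chilli_config) are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post).  Usage: sh chilli-check.sh /etc/chilli/config
# Exit status 0 means every check passed; each failure is printed as a FAIL line.

# Print the value of KEY from a shell-style config file ($1 = file, $2 = key),
# with surrounding whitespace, quotes and a trailing "# comment" removed.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/^["'"'"']//; s/["'"'"']$//'
}

# Dotted-quad IPv4 address -> 32-bit integer, using only shell arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_subnet ADDR NETWORK NETMASK: succeeds when ADDR lies inside NETWORK/NETMASK.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

check_chilli_config() {
    cfg=$1; rc=0

    # 1. Secrets: chilli and FreeRADIUS must share real secrets, not the sample
    #    strings from the post; HS_MACPASSWD is only required when HS_MACAUTH=on.
    for key in HS_UAMSECRET HS_RADSECRET HS_MACPASSWD; do
        val=$(cfg_get "$cfg" "$key")
        if [ "$key" = HS_MACPASSWD ] && [ "$(cfg_get "$cfg" HS_MACAUTH)" != on ]; then
            continue
        fi
        case "$val" in
            ""|your-*|XXX*|changeme)
                echo "FAIL: $key is unset or still a placeholder ('$val')"; rc=1 ;;
        esac
    done

    # 2. Addressing: the UAM listener must be an address on the hotspot network,
    #    otherwise clients are redirected to a login page they cannot reach.
    net=$(cfg_get "$cfg" HS_NETWORK); mask=$(cfg_get "$cfg" HS_NETMASK)
    listen=$(cfg_get "$cfg" HS_UAMLISTEN)
    if [ -z "$net" ] || [ -z "$mask" ] || [ -z "$listen" ]; then
        echo "FAIL: HS_NETWORK, HS_NETMASK and HS_UAMLISTEN must all be set"; rc=1
    elif ! in_subnet "$listen" "$net" "$mask"; then
        echo "FAIL: HS_UAMLISTEN $listen is not inside $net/$mask"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $cfg passed all checks"; fi
    return "$rc"
}

if [ -n "${1:-}" ]; then check_chilli_config "$1"; fi
```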

Monday, July 23, 2012

Install and Configure Zentyal Web Interface

Zentyal (ebox is renamed to Zentyal) is an open source unified network server software package for small and medium enterprises (SMEs). Zentyal can act as a Gateway, Network Infrastructure Manager, Unified Threat Manager, Office Server, Unified communications Server or a combination of them. Besides, Zentyal includes a development framework to ease the development of new Unix based services.
Zentyal (eBox Platform) development was first published in 2005 as an open-source, collaborative project of two companies. On 16 November 2006 Zentyal (eBox Platform) was officially approved as a NEOTEC project, receiving public funds from the CDTI (a Spanish public organization, under the Ministry of Industry, Commerce and Tourism) to complete the development of version 1.0. Zentyal (eBox Platform) was first included in Ubuntu in 2007, in the Gutsy Gibbon Tribe 3, the third alpha release of Ubuntu 7.10. The first stable release candidate of Zentyal (eBox Platform 1.0) was published in 2008.

Update your system by running this command on your Ubuntu system:
sudo apt-get update

After the update completes, check that you have another user account on your Ubuntu PC besides the root account. This other account will be the login user for your Zentyal web interface.

To install the Zentyal web interface, run this command from your terminal:
sudo apt-get install ebox

During the installation you may be asked to supply a password for the ebox user; if not, there is no need to worry, just log in with your other Ubuntu PC login (not root).

After successful installation of Zentyal (ebox), you can access your Zentyal web interface through this link: https://youripaddress/ebox

An important thing to remember when using eBox is that when configuring most modules there is a Change button that implements the new configuration. After clicking the Change button most, but not all, modules will then need to be saved. To save the new configuration, click on the "Save changes" link in the top right hand corner. Once you make a change that requires a save, the link will change from green to red.

eBox Modules
By default all eBox Modules are not enabled, and when a new module is installed it will not be automatically enabled.

To enable modules, right-click Module Status in the left panel and select the modules. After making any changes, don't forget to save them.


Default Modules
This section provides a quick summary of the default eBox modules.
  • System: contains options allowing configuration of general eBox items.
    • General: allows you to set the language, port number, and contains a change password form.
    • Disk Usage: displays a graph detailing information about disk usage.
    • Backup: is used to backup eBox configuration information, and the Full Backup option allows you to save all eBox information not included in the Configuration option such as log files.
    • Halt/Reboot: will shutdown the system or reboot it.
    • Bug Report: creates a file containing details helpful when reporting bugs to the eBox developers.
  • Logs: allows eBox logs to be queried depending on the purge time configured.
  • Events: this module has the ability to send alerts through rss, jabber, and log file.
    • Available Events:
      • Free Storage Space: will send alert if free disk space drops below a configured percentage, 10% by default.
      • Log Observer: unfortunately this event does not work with the eBox version shipped with Ubuntu 7.10.
      • RAID: will monitor the RAID system and send alerts if any issues arise.
      • Service: sends alerts if a service restarts multiple times in a short time period.
      • State: alerts on the state of eBox, either up or down.
    • Dispatchers:
      • Log: this dispatcher will send event messages to the eBox log file /var/log/ebox/ebox.log.
      • Jabber: before enabling this dispatcher you must first configure it by clicking on the “Configure” icon.
      • RSS: once this dispatcher is configured you can subscribe to the link in order to view event alerts.
Install Additional Modules
Here is a quick description of the other available eBox modules. To add the following modules to your Zentyal web interface, run this command from your terminal for each one. Syntax: sudo apt-get install pkg-name

Module name: Description
Zentyal - Certification Authority: Configure a Certificate Authority for the server
Zentyal - DHCP Service: Configure a DHCP server on an interface
Zentyal - DNS Service: Configure your DNS server
Zentyal - Firewall: Configure firewall rules for all chains
Zentyal - Network Configuration: Allows configuration of the server's network
Zentyal - NTP Service: Set Network Time Protocol options
Zentyal - Network Objects: Configuration of Network Objects, which allow you to assign a name to an IP address or group of IPs
Zentyal - VPN Service: Set up your VPN server through OpenVPN
Zentyal - Printer Sharing: Configure your printers
Zentyal - File Sharing: Configure the Samba service for file sharing
Zentyal - Network Services: Check the configuration of the services your server offers to the network
Zentyal - HTTP Proxy (Cache and Content Filter): Configure your Squid proxy server
Zentyal - Users and Groups: Through this module you can manage users and groups contained in an OpenLDAP directory

Now you should have a completely working Zentyal web interface with modules, and you can manage your server networks. If there is any issue during installation, check the log; the internet connection should be working for the duration of the installation.

Saturday, July 21, 2012

Install and Configure Freeradius and Coovachilli Hotspot wifi on your Ubuntu Server

Ubuntu + Freeradius2 + CoovaChilli1.2.6 + Daloradius.
 
eth1 = 192.168.1.225 to the Internet.
eth0 = 192.168.0.1 LAN.

Note: It is good practice to take a backup of any file before modifying it, so the original stays safe and you can restore it at any time.

Step1. Set up your network in the /etc/network/interfaces file according to your Ethernet interfaces.

Edit the file by entering this command on the terminal: nano /etc/network/interfaces
iface eth1 inet static
address 192.168.1.225
netmask 255.255.255.0
gateway 192.168.1.1
auto eth0

Step2. To allow packet forwarding, edit the file by entering this command on the terminal: nano /etc/sysctl.conf

            Remove the # from the beginning of this line to enable it ==>  #net.ipv4.ip_forward=1
            Then apply it immediately by running this command on your terminal: echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Step3. Install the tasksel package by entering this command on your terminal: sudo apt-get install tasksel

Step4. After installing tasksel, run tasksel and install LAMP Server, DNS Server and OpenSSH Server (select these three packages by pressing the space key, then press Enter).

Step5. Now we have Apache, the DNS server and OpenSSH running. Next we set up FreeRADIUS.

Type this command on your terminal (make sure your PC is connected to the internet):
apt-get install freeradius freeradius-mysql

If there is any issue installing FreeRADIUS, do this:
  • check the log file
  • remove FreeRADIUS with this command: apt-get purge freeradius
  • restart your PC and run this command: apt-get update
  • now follow Step5 again.

Step6. After successful installation of FreeRADIUS, create a database and execute the SQL scripts that create the tables in the radius database.

Run these commands on your terminal:
 mysqladmin -pmysqlpasswd create radius   # mysqlpasswd means your MySQL root password (no space after -p)
 mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
 mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
 mysql -u root -p
 mysql> GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'your-password-for-mysql-user-radius';
 mysql> FLUSH PRIVILEGES;
 mysql> quit

Step7. Now enable the MySQL database for FreeRADIUS by making the following changes in sql.conf:
nano /etc/freeradius/sql.conf

            server = "localhost"
            login = "radius"
            password = "your mysql password for radius user"
            readclients = yes   # enable this by removing the # from the beginning of the line

Now save and close this file and open radiusd.conf by running this command:
nano /etc/freeradius/radiusd.conf

Make the following changes in this file:
modules {
......................
$INCLUDE sql.conf                 # remove the # from the beginning of this line
$INCLUDE sql/mysql/counter.conf   # remove the # from the beginning of this line
.....................
}
Step8. Modify clients.conf so that daloRADIUS, CoovaChilli and FreeRADIUS can work together.
nano /etc/freeradius/clients.conf
client 127.0.0.1 {
secret = your-radius-secret   # the shared secret; this post uses the MySQL password of user radius
}
Step9. Modify this file as well to enable the database:
nano /etc/freeradius/sites-available/default

Find the authorize section and make these changes:
authorize {
            files     # comment this line out by putting # at the beginning of it
            # sql     # remove the # to enable the database
            # add the three lines below at the end of this section
            noresetcounter
            dailycounter
            monthlycounter
}


Find the accounting section and make these changes:
accounting {
            detail
            radutmp
            #sql      # remove the # from the beginning of this line
}

Find the session section and make these changes:
session {
            #sql      # remove the # from the beginning of this line
}

Step10. Now test FreeRADIUS.
Add a test user to the database and restart FreeRADIUS:
            mysql -u root -p
            enter the password for your MySQL user root
            switch to the database by executing this command: use radius;
Now execute this query:
            INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('guest', 'Password', 'guest');

Exit from MySQL and restart FreeRADIUS: /etc/init.d/freeradius restart

Run this command from your terminal:
 radtest guest guest 127.0.0.1 0 your-radius-secret   # the secret set in clients.conf
 You should get a reply something like this:
 Access-Accept packet from host 127.0.0.1:1812, id = 144, length = 20.
If there is any issue, check log file.
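An added example (not from the original post) for the final test in Step10: a POSIX shell self-test that reads the shared secret for client 127.0.0.1 out of the Step8 clients.conf, runs radtest with it exactly as in Step10, and classifies the reply so the failure mode points back at the step to recheck. secret_for_client, radius_reply_ok and radius_selftest are names chosen here; it assumes radtest (from the freeradius package) is installed on the same host.

```shell
#!/bin/sh
# Added example (not from the original post).  Usage: sh radius-selftest.sh run [user] [password]

# secret_for_client FILE CLIENT: print the shared secret of the matching
# "client CLIENT { ... }" block in clients.conf (quotes and comments stripped).
secret_for_client() {
    awk -v want="$2" '
        /^[ \t]*client[ \t]+/ { inblk = ($2 == want) }
        inblk && /^[ \t]*secret[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, "")
            gsub(/^"|"$/, ""); print; exit
        }
        /^[ \t]*}/ { inblk = 0 }
    ' "$1"
}

# radius_reply_ok TEXT: succeed only when radtest's output contains an
# Access-Accept; otherwise explain the likely cause on stderr.
radius_reply_ok() {
    case "$1" in
        *Access-Accept*)
            return 0 ;;
        *Access-Reject*)
            echo "rejected: wrong user/password, wrong shared secret (it garbles User-Password)," \
                 "or sql still commented out in the authorize section (Step9)" >&2
            return 1 ;;
        *)
            echo "no reply: 127.0.0.1 is not a known client (Step8), freeradius is down," \
                 "or 1812/udp is filtered" >&2
            return 1 ;;
    esac
}

# radius_selftest [USER] [PASSWORD] [CLIENTS_CONF]: the Step10 radtest call,
# with the secret taken from clients.conf instead of typed by hand.
radius_selftest() {
    user=${1:-guest}; pass=${2:-guest}; conf=${3:-/etc/freeradius/clients.conf}
    secret=$(secret_for_client "$conf" 127.0.0.1)
    if [ -z "$secret" ]; then
        echo "no secret for client 127.0.0.1 in $conf" >&2; return 2
    fi
    reply=$(radtest "$user" "$pass" 127.0.0.1 0 "$secret" 2>&1) || true
    radius_reply_ok "$reply"
}

if [ "${1:-}" = run ]; then radius_selftest "${2:-guest}" "${3:-guest}"; fi
```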