You're now viewing all of my posts relating to Linux. Enjoy!
Oh Hai, I Rebuilt Your Server
October 02, 2008
Over the weekend I rebuilt my home server system with a fair bit of excitement. I'm incredibly thankful that I've finally got Linux running at home again and have nice quality hardware to route my delicious packets with. I'm aware that I've been lacking in postings lately, so I thought I would post my firewall script for sharing. Enjoy. :)
```bash
#!/bin/bash
INTERNAL=eth0
EXTERNAL=eth1
PORTS="22 80 443"
# Hosts to block entirely (space separated). Empty by default; the loop
# below does nothing until addresses are added here.
RESTRICTED_HOSTS=""
# Clear out existing stuff...
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Restricting all incoming traffic...
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Restricting hosts... These come first: iptables matches top to bottom, so a
# DROP appended after the ACCEPT rules below would never be reached.
# "-s"/"-d" alone already covers every interface and protocol.
for i in $RESTRICTED_HOSTS; do
  iptables -A INPUT -s $i -j DROP
  iptables -A OUTPUT -d $i -j DROP
  iptables -A FORWARD -s $i -j DROP
  iptables -A FORWARD -d $i -j DROP
done
# Allowing specified ports...
for i in $PORTS; do
  iptables -A INPUT -j ACCEPT -i $EXTERNAL -p tcp --destination-port $i
  iptables -A INPUT -j ACCEPT -i $INTERNAL -p tcp --destination-port $i
  echo "Allowed incoming connections on port $i."
done
# Allow all local connections...
iptables -A INPUT -j ACCEPT -i $INTERNAL
# Allowing all local interfaces...
iptables -A INPUT -j ACCEPT -i lo
# Allowing ping...
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Related traffic should be OK...
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forwarding to squid...
iptables -t nat -A PREROUTING -i $INTERNAL -p tcp --dport 80 -j REDIRECT --to-port 3128
# NAT forwarding... FORWARD keeps the DROP policy set above (no second
# "iptables -P FORWARD ACCEPT" here, which would silently undo it): only
# traffic coming from the LAN, and the replies to it, are passed through.
iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
iptables -A FORWARD -i $INTERNAL -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "SUCCESS"
```
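A script like the one above applies its rules one iptables call at a time, so there is a moment right after the flush where the box is wide open, and a later `-P` call can quietly override a policy set earlier. The usual fix is to write the whole policy as an iptables-restore ruleset and load it in one atomic step. The function below is an added example, not the post's script: it prints the same policy (SSH/HTTP/HTTPS in from outside, everything from the LAN, squid redirect, masquerading) in iptables-restore format, with the blocked-host rules placed before any ACCEPT and FORWARD left at DROP except for LAN-originated traffic and its replies. Interface names, ports and the blocked address are parameters; nothing here touches the kernel.

```bash
#!/bin/bash
# Added example (not the post's code): emit an iptables-restore ruleset.
# gen_rules INTERNAL EXTERNAL "PORTS" ["RESTRICTED_HOSTS"]
set -eu

gen_rules() {
  internal=$1; external=$2; ports=$3; restricted=${4:-}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
EOF
  # Blocked hosts first: iptables matches top to bottom, so a DROP placed
  # after an ACCEPT that also matches would never fire.
  for h in $restricted; do
    echo "-A INPUT -s $h -j DROP"
    echo "-A FORWARD -s $h -j DROP"
    echo "-A FORWARD -d $h -j DROP"
    echo "-A OUTPUT -d $h -j DROP"
  done
  cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $internal -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
  # Only NEW connections need explicit port rules; replies were accepted above.
  for p in $ports; do
    echo "-A INPUT -i $external -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $internal -o $external -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $internal -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o $external -j MASQUERADE
COMMIT
EOF
}

# Stand-alone use: ./gen-rules.sh eth0 eth1 "22 80 443" "" > /etc/iptables.rules
# then, as root:  iptables-restore < /etc/iptables.rules
#                 sysctl -w net.ipv4.ip_forward=1
gen_rules "${1:-eth0}" "${2:-eth1}" "${3:-22 80 443}" "${4:-}"
```

Because iptables-restore swaps the complete table in at once, a typo in the file is rejected before anything changes, and there is no window between the flush and the new rules during which an SSH session can be cut off.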
Tagged: Linux, Computing
Linux Printserver With HP C3180
January 12, 2008
I fumbled through a good bit of this and would rather have found a simple how-to on getting this set up. Alas, one was not readily accessible, and I hope to remedy this! Please note that this is a print server, not necessarily a Samba file server, so I will only highlight the portions relevant to printing.
First, you must install cupsys using "aptitude install cupsys" and the HP drivers with "aptitude install hpijs". This will get all the software installed that you need to get going. If you're doing this from scratch, you'll also want to install Samba at this point.
Now that you've got CUPS installed, you'll need to configure it by editing "/etc/cups/cupsd.conf". In here you'll need to change the "Listen" option to listen on your local ethernet interface and enable /admin and /admin/conf access to all by doing the following:

```apache
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  #Allow localhost
  Allow all
</Location>
```

for both "/admin/conf" and "/admin". This will allow you to connect to the admin panel from any machine on your network. You'll need to go into the web site through the interface specified earlier and select "Add Printer". I found that the "HP PhotoSmart P100 Foomatic/cdj1600" driver works quite well for the HP C3180 that I have.
Once you've gotten the printer added into cups, go ahead and print a test page through the web interface. Did that work? Good. You're almost there!
Now the Samba configuration is pretty simple. Just add printing = cups to the top of your /etc/samba/smb.conf and the following to the bottom:

```ini
[printers]
  comment = SMB Print Spool
  path = /var/spool/samba
  guest ok = Yes
  printable = Yes
  #use client driver = Yes
  default devmode = Yes
  browseable = Yes
```

This is from the Secure Office Networking guide on the Samba site. You'll notice that I commented out "use client driver", however. I did this so that I could use the printer as a delicious raw PostScript printer and not have to bother with much client-side configuration.
That's it. Now you've got (or at least I've got) a shiny new print server. You should probably restrict your admin rights by re-editing "/etc/cups/cupsd.conf" and then you're golden. If you've got any questions, feel free to leave them in the comments section and I'll try to lend a hand. Good luck!
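What the tightening recommended in the last paragraph can look like, as an added example rather than configuration from the post: CUPS listens only on the LAN address and localhost, every LAN host can still see printers and send jobs, but the admin pages and the configuration editor answer only to LAN addresses (and still require a @SYSTEM account). The addresses 192.168.1.10 and 192.168.1.0/24 are assumed placeholders for your own interface and subnet.

```apache
# Bind to the LAN-facing address (assumed value) and localhost only,
# not to every interface on the box.
Listen 192.168.1.10:631
Listen localhost:631

# Browsing printers and submitting jobs: anyone on the LAN.
<Location />
  Order allow,deny
  Allow localhost
  Allow from 192.168.1.0/24
</Location>

# Admin pages: a @SYSTEM account, and only from the LAN or the box itself.
<Location /admin>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow from 192.168.1.0/24
</Location>

# The configuration editor gets the same restriction; leaving it at
# "Allow all" means any host that can reach port 631 may try the login.
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow from 192.168.1.0/24
</Location>
```

After editing, restart cupsys and confirm from a machine outside the subnet that port 631 no longer answers, and from one inside it that printing still works.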
Tagged: HP, Printing, SystemsAdministration, Linux, Computing
Ubuntu Procmail / Fetchmail Issues
December 17, 2007
For some reason Ubuntu ships with the SUID bit set on procmail. This causes all mail to be delivered by procmail as though it were root, which is not that helpful to users trying to check their mail. I have no idea why I have to do this, but on every Ubuntu system I set up I have to run...
... in order to actually get incoming mail. Symptoms are that users will continually get new mail notifications without any actual mail being visible to them. Administrators can see that some new mail files are in users' directories, but they are owned by root instead of the user in question. Any thoughts on why, oh Intertron?
Tagged: Fetchmail, Procmail, Ubuntu, Linux
Regenerating Courier SSL Certificates on Ubuntu Linux
December 14, 2007
Waking up groggily as usual, I booted up Thunderbird to go through all the mail that had accumulated over the night and found a new dialog gracing me. Apparently, as it was telling me, the auto-generated SSL cert had expired. Oh well, all I needed to do was track down how to regenerate it and go about my business. Well, this actually ended up being a little more troublesome than usual, so I decided to record it here, as I usually do when I run into issues (because I know that five years from now I'll have the same issue and will have forgotten this).
Anyway, it's as simple as backing up the existing certificate:
Then generating a new one to move into place:
This will generate the necessary certificate in whatever directory you're in. You could run it as root directly in the courier configuration directory, but we don't do that since we value our configuration files too much. Go ahead and move it into place:
Now that that's in place just restart the courier-imap-ssl service and you should be good to go!
Tada! Now you've got a brand new SSL certificate. I suppose that you could play with expiring the cert sooner or later by modifying the -days parameter. 365 is probably too high for any amount of auto-expiring security to take effect, but I'm not amazingly concerned since I use it more for encryption than server identity verification. Enjoy your fresh new certificate now!
Thanks to Ivar Abrahamsen, whose Mail Server Setup Howto led me to the generation command.
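The expired-certificate surprise that opens this post is easy to catch ahead of time: openssl can tell you whether a certificate will still be valid N days from now. The script below is an added example, not the post's commands: it generates a throwaway self-signed certificate with `openssl req` and a chosen `-days` (assumed to be the kind of command the post refers to), writes key and certificate into one file the way courier-imap reads them (the file name imapd.pem is an assumption), and then checks the remaining lifetime with `openssl x509 -checkend`.

```bash
#!/bin/bash
# Added example (not from the post): self-signed cert generation plus an
# expiry check that can run from cron before any mail client complains.
set -eu

# make_cert DIR DAYS CN
# Writes key + certificate concatenated into DIR/imapd.pem (the combined
# layout courier-imap expects; the file name is an assumption here).
make_cert() {
  dir=$1; days=$2; cn=$3
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$cn" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  cat "$dir/key.pem" "$dir/cert.pem" > "$dir/imapd.pem"
  chmod 600 "$dir/imapd.pem"   # the private key lives in there: owner-only
  rm -f "$dir/key.pem"
}

# cert_status PEMFILE DAYS
# Prints "ok" if the certificate is still valid DAYS days from now and
# "expiring" otherwise. openssl's -checkend does the date arithmetic, so
# this behaves the same on any system with openssl installed.
cert_status() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    echo ok
  else
    echo expiring
  fi
}

# Demo run: ./certcheck.sh --demo
# For a real server, point cert_status at the live file, e.g. weekly from
# cron, and regenerate when it reports "expiring".
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_cert "$d" 365 mail.example.test
  echo "freshly generated certificate, 30-day check: $(cert_status "$d/imapd.pem" 30)"
  rm -rf "$d"
fi
```

A self-signed certificate like this one only gives you encryption on the wire; a client that accepts it has no way to tell your server from anyone else's presenting a different self-signed certificate, which is the trade-off the post acknowledges. Shorter `-days` values limit how long a leaked key stays useful, but only if the check above (or something like it) actually triggers a regeneration.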
Tagged: Ubuntu, SystemsAdministration, Linux
Ubuntu 7.04 Released!
April 19, 2007
The latest version of Ubuntu has been released into the wild! I'm currently grabbing the torrents off of our lovely fast unfiltered internet connection from Citescape. The joys of testing a new server O/S! I've put both of the torrent files up for download off of my site since Ubuntu's site is slow, but it's just a test - if it hammers my site too much I'll be taking them down.
What's new in this release? The biggest thing for me is built-in virtualization allowing easy testing of O/Ss and major patches before deployment. It will be interesting to see how well this works out. Off to testing I go!
- Ubuntu 7.04 Desktop (i386)
Tagged: Ubuntu, SystemsAdministration, Linux
