Linux Redhat Quick Notes
 

Index:

Apache
Backup (tar/local)
Backup (tar/remote/ssh)
BIND

Commands (Linux)
Cron

DHCP Server

DRBD

EXIM
IPChains
IPSec
IPTables
LDAP
L2TP
MailScanner
NFS
Netware
NIS

Novell Printing
OpenVPN
PPTP
POSTFIX
Linux Printing
rc.local
Rsync
Samba
SCP

Scripts
Sendmail
SNMPD/SNMP.CONF
Spam Assassin
SSL
Squid
VNCServer

SCP: Using SCP to remotely and securely copy files

scp -r user1@remoteip:/etc .      # copies the remote /etc directory into the current directory (-r is needed to copy a directory tree).
scp -r /etc user1@remoteip:/tmp   # copies the local /etc directory to the remote /tmp directory.

howto link: http://www.desy.de/uco/sshhowto.html


Linux Backup: Using tar to compress and extract archives

tar -ztvf file.tar.gz                 # list the contents of a gzip-compressed tarball (.tar.gz) without extracting it.
tar -ztvf file.tar.gz | grep file     # search the tarball's listing for a file name.
tar -czvf file.tar.gz /               # create a gzip-compressed archive (c = create, z = gzip, v = verbose, f = archive file name); with "/" this archives the whole filesystem.

howto link: http://www.fluidthoughts.com/howto/tar-gzip


Linux Commands: Examples of how to use some common linux commands

wall "message" -- send a message to everybody's terminal (broadcasting a message to all)

dd if=ntbootdisk.img of=/dev/fd0 bs=512 (this command will take the file "ntbootdisk.img" and write its entire contents to a /dev/fd0)

dd if=/dev/hda1 of=/mnt/harddrive (this will take the drive /dev/hda1 and copy it to the image /mnt/harddrive)

kill or killall -9 process (will kill the process)

find / -name 'tacos' (will start from root / and search for file named tacos)

df -h (check disk space on all mounted harddrives)

fdisk / cfdisk (create and view partition tables)

date --set='Sat Feb 10 02:59 PST 2001' (setting time on linux machine)

mount -t smbfs -o username=user,password=password //server/share /mnt (this command will mount a Windows share; a password given on the command line is visible in ps output and shell history, so the credentials=FILE option with a mode-600 file is preferable)

rm -rf (remove directory and files stored in directory)

elm -f mailbox

mutt -f mailbox

uname -ra (show current kernel version)

sendmail -bt -d0 (info on sendmail version and more)

sendmail -bi (run this commands to refresh the /etc/mail/aliases and
/etc/mail/majordomo.aliases files)

sendmail -q (this command will process all files in the sendmail queue, which is usually located under /var/spool/mqueue)

whereis, locate, and find are all search commands

fg (foreground) - when you suspend a running task with ctrl-z, run fg to bring it back to the foreground; this is how you move between applications.

jobs - list the jobs (stopped or backgrounded) belonging to the current shell

ps aux (show all processes running on this system)
ps aux | grep %file% (search for a running process)

## restarting sendmail hashes files as needed. (even aliases)

makemap hash mailertable < mailertable (run in the /etc/mail directory
this will refresh the .db table)

who or w - show all users logged in

last -n N - show the last users that logged onto your system; -n N limits the output to N lines.

talk - used to talk with other users on the system

chown - change the ownership of a file or folder (the "-R" parameter changes ownership of a directory recursively)

chmod - change the file attributes on a system

chgrp - change group ownership of a file or folder

mkdir - make a directory

rm - remove a file (use the "-rf" parameters to force a recursive removal of files and directories. Be very careful when using these parameters, or you'll nuke your system entirely.)

rmdir - remove a directory

ln -sf creates a symbolic link to a folder or file (example: "ln -sf /www/html www" creates a link named "www" pointing to /www/html; also worth reading up on hard links vs. soft links)

e2fsck /dev/hdaN - use to fix problems with ext2 volumes (remember to umount the device you're attempting to check. If the device holds the root filesystem, reboot in "single" mode and run e2fsck on that partition, e.g. e2fsck /dev/hdaN or e2fsck /dev/sdaN)

fdisk - use to partition a harddrive

cfdisk - curses-based partition viewer/editor run from the shell.

mkfs.ext2 - use after creating a partition with fdisk

# ifconfig: add an interface alias and set up gateway/netmask routes
/sbin/ifconfig eth0:1 10.0.0.35
route add -net 190.6.9.0 netmask 255.255.255.0 gw 1.2.3.33 eth0:1
route add default gw 1.2.3.33 metric 1 eth1

# view all packets from host 10.0.0.35 and not port 22 (SSH)
tcpdump -i eth0 host 10.0.0.35 and not port 22

Applying a patch (most of the time you will be supplied with instructions)

1) Copy the patch to the source tree it applies to: mv patch.x.gz /web/src/main
2) Change to that directory and run "gunzip -c patch.x.gz | patch -p0" (for an uncompressed patch: "cat patch.x | patch -p0")
gunzip -c = decompress to standard output; match this to the compression that was applied to the patch (plain cat for an uncompressed patch)
| = pipe the output of the left command into the right one
patch = the Linux program that is used to apply patches
-p0 = strip 0 leading directory components from the file names in the patch, i.e. apply it relative to the current directory (-d dir or --directory=dir changes to the directory dir first, before doing anything else)
3) Finally you will need to recompile the program.

Another example of a patch being applied to an application:

bzip2 -dc patchname.bz2 | patch

howto link: http://www.linuxhq.com/patch-howto.html

---------------------------------------------------------------------------


Samba: Sample configurations and syntaxes

Samba is used to allow Windows Clients to access directories stored on an ext2 filesystem

# Here are some common solutions to some common problems.

- IPC$ password is being requested on Windows clients -
check > smbpasswd -a %username% (adds a Samba user; the account must also exist in /etc/passwd)
check > smbpasswd %username% (changes the password of a Samba user)
check > security = share or user (set this to share)

- Cannot print even though the client can connect and view the printer's properties -
check > permissions on the spool directory (see /etc/printcap)
check > spool path
check > restart lpd
- Password is being requested for printing -
check > the [printers] section allows guest access:

[printers]
guest ok = yes

Samba's smb.conf contains 3 primary sections by default:

(1) [global]
workgroup = (windows workgroup)
server string = (name)
printing = lprng
(2) [homes]
comment = (windows comment)
path = /home
writable = yes
guest ok = yes (this lets anyone read the home directories without a password; set it to no unless that is intended)
(3) [printers]
comment =
path = (spool path)
printable = yes
browseable = yes
guest ok = yes

Here is a working smb.conf file:

smb.conf

samba commands (default redhat 7.2 install) :

smbadduser - add users to /etc/samba/smbpasswd
smbcacls - modify/add/delete or change acl of a file on a samba share.
smbclient - used to connect to another samba server.
smbcontrol - send messages to smbd or nmbd processes
smbprint - print to a samba printer share
smbstatus - display status of samba server
smbmount - mount a share on a samba server
smbumount - un-mount a share on a samba server
smbtar - back up/restore a Windows PC's directories to a local tape or file
smbpasswd - change a user's SMB password

howto link: http://www.tldp.org/HOWTO/SMB-HOWTO.htm


VNC: Information on Configuring VNC Server and VNC Client on Linux

Log on as the user you wish to start vncserver for:
[jplane@proxy jplane]$ vncserver (this starts a vncserver for "jplane" and assigns a display number on your host; the number is printed when the server starts.)

1> Before connecting, set a password for your VNC display: simply type vncpasswd and it will ask you for a password.

2> On the Windows client you enter the host and the display number as host:number.
Example: I started vncserver and was assigned number 10, so I would connect to 64.64.222.4:10.

# You may only be able to connect as root. This can be fixed by granting full permissions on the /tmp/.X11-unix directory.
# Also, it is recommended to have a connection of at least 10 Mbps to the VNC server.

# you will also need to have the following path statement in .bash_profile
> PATH=/usr/local/bin:/usr/local/sbin:$PATH:$HOME/bin

# Changing your session manager can be done by editing the xstartup file in /home/user/.vnc/xstartup, e.g. one of:
gnome-session
twm &
kde &
startkde &

howto link: http://www.psych.upenn.edu/cattell/vnc.htm


IPChains: Sample configurations and syntaxes

# a firewall utility that works: PMFirewall, http://www.pointman.org/PMFirewall

# simple ip chains setup (remember to MASQ first then set "filters")
# MASQ aka NAT

Key (ipchains options):
-A = append a rule to a chain
-D = delete a rule from a chain
-j = jump to a target (ACCEPT, DENY, REJECT, MASQ, REDIRECT or a user-defined chain)
-s = source address
-d = destination address
-i = interface name
-L = list rules
-F = flush a chain
-R = replace a rule
-Z = zero the counters on all chains
-C = test this packet against a chain
-N = create a new user-defined chain
-X = delete a user-defined chain
-M = list current masquerading connections (with -L)
-p = protocol by number or name
-m = number to mark on matching packet
-l = turn on logging
-v = verbose mode
-V = version

eth0 (internal network) 192.168.1.0/24
# add rule
ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
# delete rule
ipchains -D forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0

# replace rule number N in a chain (input, output or forward) with a new rule specification
ipchains -R <chain> <N> <rule specification>

ipchains -F input (flush all rules in the input chain)
ipchains -F output (flush all rules in the output chain)
ipchains -F forward (flush all rules in the forward chain)

# MASQ
echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
ipchains -A forward -j MASQ -s x.x.x.x/24 -d 0.0.0.0/0

# ipchains filters

# deny all packets arriving on eth0 or eth1 with a source address in 127.0.0.0/8 (loopback addresses never legitimately come from the network); -l logs the matches
ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth1 -d 0.0.0.0/0

# filter by ip address: x.x.x.x/x is the address or network you want to block

ipchains -A input -j DENY -p all -l -s x.x.x.x/x -d 0.0.0.0/0

# filter by port number: deny TCP access to a port (or a port range such as 10:100) on the machine y.y.y.y

ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -d y.y.y.y/32 <port>
ipchains -A input -j DENY -p tcp -l -s x.x.x.x/x -d y.y.y.y/32 10:100

# port forwarding (use ipmasqadm to forward a port on the external address to an internal host)
ipmasqadm portfw -a -P tcp -L xx.xx.xx.xx 5800 -R 192.168.1.1 5800

# transparent redirect: send incoming TCP port 80 traffic to local port 8080 (e.g. a proxy)
ipchains -A input -j REDIRECT 8080 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80

# ip accounting: create dedicated chains and read their counters with ipchains -L chain -v
ipchains -N acctin
ipchains -N acctout
ipchains -N acctio

# adding routing on startup:
# create a script that starts the above rules, then add the following lines to /etc/rc.d/rc.sysinit
if [ -f /sbin/ipchains ] ; then
    /route/start_route
    echo "Router is now starting."
fi

howto link: http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html


IPTables: Sample configurations and syntaxes

# iptables - IP packet filter administration
# Excellent Tutorial : http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html#AEN971

# First remember to load all the modules for IPTABLES

Modules: # insert the modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

# Set NAT up for MASQUERADING
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Simple redirect rule (this forwards connections to a public IP address and port to an inside machine and port)

/sbin/iptables -A PREROUTING -t nat -p tcp -d 63.102.133.191 --dport 80 -j DNAT --to 10.0.0.21:80

# IP Address Block Incoming

iptables -A FORWARD -p TCP --dport 80 -j REJECT -s 205.190.152.44/255.255.255.255

# IP Address Block Outgoing (filtering belongs in the filter table: only the first packet of a connection traverses the nat table, so a DROP there does not reliably block the host)

iptables -A FORWARD -s 10.0.0.2 -j DROP

# Port Blocking Outgoing (This will block a port from going out e.g. Music City?)

iptables -A FORWARD -j DROP -p tcp --dport 6300:6400

# Block all outgoing packets that match icmp-type "echo-reply" (i.e. replies to pings) on every interface except lo.
# Newer iptables versions want the negation before the option: "! -o lo" and "! -d 127.0.0.1".

iptables -A OUTPUT -p icmp -o ! lo --icmp-type echo-reply -d ! 127.0.0.1 -j DROP

howto link: http://iptables-tutorial.frozentux.net/iptables-tutorial.html


Cron Daemon: Basic cron daemon syntaxes

* Cron is a task scheduler; on Red Hat the system crontab runs the scripts placed in /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly.
* crond is the daemon that runs in the background.
* /etc/crontab is the configuration file that lists which jobs to run and when.

> crontab
-u username   act on the named user's crontab instead of your own (e.g. crontab -u username -l lists that user's jobs)
-l            list the current crontab
-r            remove the current crontab
! format of a cron job

/etc/crontab
05 15 01 01 01 /sbin/shutdown -r now

05 = minute (0-59)
15 = hour (0-23)
01 = day of the month (1-31)
01 = month (1-12)
01 = day of the week (0-7, where both 0 and 7 are Sunday and 1 is Monday)

/sbin/shutdown -r now = command

* = every value (a * in the hour field means every hour, and so on)

Note that the system-wide /etc/crontab carries an extra user-name field between the time fields and the command; a crontab installed with the crontab command does not.

If this file were saved as jplane.ct for the user jplane:

crontab -u jplane jplane.ct

this installs jplane.ct as jplane's crontab.
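Added example, not part of the original notes: a POSIX shell validator for the five time fields described above. It goes beyond the single line shown in that it also accepts ranges (a-b), comma lists and /step forms, checking each value against the field's range; month and weekday names (jan, mon) are not handled.

```shell
#!/bin/sh
# Validate the five time fields of a crontab line. Each field may be "*", a
# single value, a range a-b, a comma-separated list, or any of those with a
# /step suffix. Values must fall in the field's range: minute 0-59, hour 0-23,
# day of month 1-31, month 1-12, day of week 0-7 (0 and 7 are both Sunday).
# Added example, not from the original notes; names like jan or mon are not handled.
set -f   # keep "*" fields from being expanded into file names

# is_uint VALUE -> 0 if VALUE consists of one or more digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# in_range VALUE MIN MAX -> 0 if MIN <= VALUE <= MAX
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# cron_field_ok FIELD MIN MAX -> 0 if FIELD is valid for a field spanning MIN..MAX
cron_field_ok() {
    field=$1 min=$2 max=$3
    [ -n "$field" ] || return 1
    IFS=','
    set -- $field               # one positional parameter per list element
    unset IFS                   # back to default whitespace splitting
    for item; do
        case "$item" in
            */*)                # optional step: must be a positive integer
                step=${item#*/}
                item=${item%%/*}
                is_uint "$step" && [ "$step" -ge 1 ] || return 1 ;;
        esac
        case "$item" in
            '*') ;;             # wildcard: every value in the range
            *-*)                # range a-b: both ends in range and a <= b
                lo=${item%%-*}
                hi=${item#*-}
                is_uint "$lo" && is_uint "$hi" || return 1
                in_range "$lo" "$min" "$max" && in_range "$hi" "$min" "$max" || return 1
                [ "$lo" -le "$hi" ] || return 1 ;;
            *)                  # single value
                is_uint "$item" && in_range "$item" "$min" "$max" || return 1 ;;
        esac
    done
    return 0
}

# cron_line_ok "MIN HOUR DOM MON DOW COMMAND..." -> 0 if the five time fields
# are valid and a command follows them (the user column of /etc/crontab would
# simply count as the start of the command here)
cron_line_ok() {
    set -- $1
    [ $# -ge 6 ] || return 1
    cron_field_ok "$1" 0 59 || return 1     # minute
    cron_field_ok "$2" 0 23 || return 1     # hour
    cron_field_ok "$3" 1 31 || return 1     # day of month
    cron_field_ok "$4" 1 12 || return 1     # month
    cron_field_ok "$5" 0 7  || return 1     # day of week
    return 0
}

# the line from the notes: 15:05 on 1 January, but only when that day is a Monday
cron_line_ok "05 15 01 01 01 /sbin/shutdown -r now" && echo "valid"
```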

howto link: http://www.lysator.liu.se/~forsberg/linux/cron.html


Sendmail: Sample config files and basic config information

Available online and working configuration files for sendmail mail transport agent:

sendmail.cf

sendmail.mc
submit.cf
submit.mc
access
aliases
local-host-names
relay-domains

The following files require their hash (.db) maps to be rebuilt after they've been changed: access, virtusertable, aliases.

Useful commands:
makemap hash aliases < aliases
makemap hash access < access
makemap hash virtusertable < virtusertable

howto link: http://www.redhat.com/support/resources/howto/RH-sendmail-HOWTO/book1.html
sendmail.org faqs: http://www.sendmail.org/faq


POSTFIX: Configuration files and commands

Available online and working configuration files for postfix mail transport agent:

main.cf
master.cf
access
aliases
virtual
postfix-script

Inside each of the above files there are detailed descriptions and examples.

postfix website: http://www.postfix.org


EXIM: Configuration files and commands

Available online and working configuration files for exim mail transport agent:

configure

The preceding file is part of an exim/amavis MTA configuration.

exim website: http://www.exim.org
amavis website: http://www.amavis.org


Apache: Configuration and howto files.

The following was taken from the sample httpd.conf file included with apache:

httpd.conf

Creating Virtual Hosts:

virtual-host.html


Sample .htaccess with IP address restrictions (with Apache's default Satisfy all, a client must both present a valid user and come from 10.0.0.0/24)

AuthUserFile /usr/local/phpadmin/.htpasswd
AuthName "User Authentication"
AuthType Basic
require valid-user
order deny,allow
deny from all
allow from 10.0.0.0/24


* Security Alert! June 2002: http://www.cert.org/advisories/CA-2002-17.html

# Error (after compiling and loading the PHP module)
[Fri Aug 2 10:28:06 2002] [warn] Loaded DSO libexec/libphp4.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
# This configure line should fix the problem:
./configure --with-apache=/usr/local/src/apache_z.z.z --with-ssl=/usr/local/src/openssl-x.x.x --prefix=/usr/local/apache --enable-module=ssl --enable-module=most --enable-shared=max --enable-rule=EAPI
howto link: http://www.tldp.org/HOWTO/WWW-HOWTO-7.html


NFS: Configuration files required to access a NFS mount.

Add host names (or addresses) to /etc/exports, then restart the NFS server, or run exportfs -ra to re-read /etc/exports without a restart.

/etc/exports:

/ 10.0.0.17/255.255.255.0(rw)   # exports the whole root filesystem read/write to every host in the 10.0.0.17/24 network (very broad: export only the directory that is needed, to the narrowest client range that works)

mount server:/exported/path mountpoint (example: mount 10.0.0.17:/mnt /mnt)

Required services for NFS to work: rpc, nfs, portmap; check with netstat -na (rpcinfo -p lists the registered RPC services)
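Added example, not from the original notes: a small POSIX shell audit of an /etc/exports file that flags the broad settings a reviewer would question (the "/ ...(rw)" line above, exports with no client list or a "*" client, a bare "(opts)" entry separated from its host by a space, and no_root_squash). The sample file it is tested on is constructed.

```shell
#!/bin/sh
# Audit an /etc/exports file for the broad settings a reviewer would question.
# Findings reported: an export with no client list (open to every host), a
# client of "*", a bare "(opts)" entry separated from its host by a space
# (which also applies to every host), no_root_squash, and the root
# filesystem exported read-write. Added example, not part of the original notes.
set -f   # disable pathname expansion so a "*" client entry stays a literal "*"

# audit_exports FILE -> prints one line per finding; exit status = number of findings
audit_exports() {
    file=$1
    findings=0
    while read -r line; do
        line=${line%%#*}          # drop comment lines and trailing comments
        set -- $line              # $1 = exported path, the rest = client entries
        [ $# -ge 1 ] || continue
        path=$1
        shift
        if [ $# -eq 0 ]; then
            echo "$path: no client list, exported to every host"
            findings=$((findings + 1))
            continue
        fi
        for entry; do
            host=${entry%%\(*}    # text before "(" ; empty for a bare "(rw)"
            opts=''
            case "$entry" in
                *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;;
            esac
            if [ -z "$host" ] || [ "$host" = '*' ]; then
                echo "$path: exported to all hosts ($entry)"
                findings=$((findings + 1))
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path: no_root_squash lets remote root act as root ($entry)"
                    findings=$((findings + 1)) ;;
            esac
            case "$path:,$opts," in
                "/:"*",rw,"*)
                    echo "$path: root filesystem exported read-write ($entry)"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    return $findings
}

# usage: audit_exports /etc/exports; echo "findings: $?"
```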

Sample nfs mount from linux bootdisk
linux ks=nfs:10.0.0.30:/images/rh7-3/ksfull.cfg

howto link: http://www.ibiblio.org/pub/Linux/docs/HOWTO/mini/other-formats/html_single/NFS-Root-Client-mini-HOWTO.html


SpamAssassin: How to download and install it via CPAN, and how to use SpamAssassin globally rather than on a per-user basis.

Installing SpamAssassin
-----------------------
The easiest way to do this is using CPAN.pm, like so (as root):
perl -MCPAN -e shell
o conf prerequisites_policy ask
install Mail::SpamAssassin
quit

Make sure you've installed DCC, Pyzor and Razor, which are integrated into SpamAssassin's scans of e-mail.
(The only file you should have to edit is /etc/mail/spamassassin/local.cf.)

edit /etc/procmailrc (this passes all mail through spamc and delivers every message tagged with the header "X-Spam-Status: Yes" to the caughtspam-2 mailbox under /var/spool/mqueue):

:0fw
| spamc
:0:
* ^X-Spam-Status: Yes
caughtspam-2

howto link: http://www.spamassassin.org/dist/INSTALL


BIND Configuration Files and Commands:

The following configuration files were taken from a working "split" name server:

named.conf
external-domain.com
internal-domain.com
root.hints

In the preceding example our name server chooses between the "external-domain.com" zone and the "internal-domain.com" zone depending on where the client's query comes from.

Named chrooting:

mkdir /named_chroot
cd /named_chroot
mkdir -p dev etc/namedb/slave var/run

cp /etc/named.conf /named_chroot/etc
cp -a /var/namedb/* /named_chroot/etc/namedb

chown -R named:named /named_chroot/etc/namedb/slave

cd /named_chroot/dev
ls -ls /dev/null /dev/random      # check the major/minor numbers (normally 1,3 and 1,8) before recreating the nodes
mknod null c 1 3
mknod random c 1 8
chmod 666 null random

starting named (as the unprivileged named user, inside the chroot):
named -u named -t /named_chroot

setting up view with BIND 9: http://sysadmin.oreilly.com/news/views_0501.html
howto link: http://langfeldt.net/DNS-HOWTO/
Securing your NAME SERVER: http://www.lazarev.com/security/SecuringINS.htm
howto chroot named: http://oldwww.losurs.org/docs/howto/Chroot-BIND-2.html#ss2.1
Redhat 7.3 BIND DOCS: http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-bind-configuration.html


SSL: Command syntax used to create a CA (Certificate Authority)

Creating the Certificate for Apache

Create a Private Key
To create a private key protected with Triple DES (recommended, so the key file is encrypted under a passphrase), use the following command (the example uses 1024 bits; 2048 bits or more is the current minimum):
openssl genrsa -des3 -out filename.key 1024

Create a Certificate Signing Request
Locate the private key that you would like to create a CSR from. Enter the following command:
openssl req -new -key filename.key -out filename.csr

Creating a Self-Signed Certificate
To create a self-signed certificate (add -days N, otherwise it is valid for only 30 days):
openssl req -new -key filename.key -x509 -out filename.crt

Configure httpd.conf to be SSL ready
http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-4.html#configure

Creating your own CA is very simple with the CA helper script shipped with OpenSSL (CA.sh or CA.pl, depending on the version):
/usr/share/ssl/misc/CA

howto link: http://tud.at/programm/apache-ssl-win32-howto.php3
howto link: http://www.flatmtn.com/computer/Linux-SSLCertificates.html
howto link: http://mia.ece.uic.edu/~papers/volans/settingupCA.html


Scripts: Useful scripts to allow or deny access to system ports

desc: block a port number
--------------------------------------------------------------------------
#!/bin/bash
echo Please, enter port number
read PORT
/sbin/iptables -A FORWARD -j DROP -p tcp --dport $PORT
echo "Blocking, $PORT!"
--------------------------------------------------------------------------

desc: unblocks a port
--------------------------------------------------------------------------
#!/bin/bash
echo Please, enter port number
read PORT
/sbin/iptables -D FORWARD -j DROP -p tcp --dport $PORT
echo "Removing Block From, $PORT!"
--------------------------------------------------------------------------
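Added example (not one of the notes' own scripts): the same block/unblock as the two scripts above, with the port validated before it reaches iptables, the rule added only if it is not already present (iptables -C, available since iptables 1.4.11), and a DRY_RUN=1 mode that prints the commands instead of running them.

```shell
#!/bin/sh
# Block or unblock a TCP port in the FORWARD chain, as the two scripts above do,
# but with the checks a script run by an administrator should have. Added
# example, not one of the original scripts.
#   - the port is validated (integer 1-65535) before it reaches iptables
#   - block_port adds the rule only if it is not already present (iptables -C,
#     available since iptables 1.4.11), so repeated runs do not stack duplicates
#   - DRY_RUN=1 prints the iptables command lines instead of executing them

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rule_args PORT -> the chain and match/target part shared by -A, -D and -C
rule_args() {
    echo "FORWARD -p tcp --dport $1 -j DROP"
}

# run_iptables ARGS... -> execute one iptables call, or print it under DRY_RUN
run_iptables() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# block_port PORT -> add the DROP rule once; returns 2 on an invalid port
block_port() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 2; }
    # -C exits 0 when an identical rule already exists; then there is nothing to add
    if [ "$DRY_RUN" != 1 ] && "$IPTABLES" -C $(rule_args "$1") 2>/dev/null; then
        echo "port $1 is already blocked"
        return 0
    fi
    run_iptables -A $(rule_args "$1")
}

# unblock_port PORT -> remove the DROP rule; returns 2 on an invalid port
unblock_port() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 2; }
    run_iptables -D $(rule_args "$1")
}

# interactive use, as in the original scripts: ./script block  or  ./script unblock
case "$1" in
    block|unblock)
        printf 'Please, enter port number: '
        read -r PORT
        "${1}_port" "$PORT" ;;
esac
```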

desc: redirect ip addresses
--------------------------------------------------------------------------
#!/bin/bash
T1=10.0.0.154
T2=216.239.33.101
case $1 in
1) /sbin/iptables -A PREROUTING -t nat -p tcp -s $T1 --dport 80 -j DNAT --to $T2:80
exit 0 ;;
2) /sbin/iptables -D PREROUTING -t nat -p tcp -s $T1 --dport 80 -j DNAT --to $T2:80
exit 0 ;;
help) echo "Option 1 will start rule to redirect $T1 to $T2"
echo "Option 2 will stop rule to redirect $T1 to $T2"
esac
--------------------------------------------------------------------------

desc: back up remote systems over an encrypted connection (scp encrypts the transfer; the optional tar.gz is compressed, not encrypted)
--------------------------------------------------------------------------
#!/bin/bash
echo Enter Username
read username
echo Enter Hostname
read hostname
echo Enter Remote Directory/Filename
read remote
echo Enter Local Temp Directory/Filename
read local
scp -r -p $username@$hostname:$remote $local
echo "Would you like this zipped? [Y/n]"
read zipped
if [[ $zipped = "Y" ]];
then
echo name of zip file?
read zipname
tar -czvf $zipname $local
rm -rf $local
else
echo quitting
fi
--------------------------------------------------------------------------

desc: another redirect by ip & port number

--------------------------------------------------------------------------
#!/bin/bash
DST=65.102.146.106
echo Please, enter destination computer!
read TO
echo Please, enter destination port number!
read PORT
/sbin/iptables -A PREROUTING -t nat -p tcp -d $DST --dport $PORT -j DNAT --to $TO:$PORT
echo "Redirecting $DST:$PORT to $TO:$PORT"
--------------------------------------------------------------------------

desc: stop the above redirect
--------------------------------------------------------------------------
#!/bin/bash
DST=65.102.146.106
echo Please, enter destination computer!
read TO
echo Please, enter destination port number!
read PORT
/sbin/iptables -D PREROUTING -t nat -p tcp -d $DST --dport $PORT -j DNAT --to $TO:$PORT
echo "Removing redirect of $DST:$PORT to $TO:$PORT"
--------------------------------------------------------------------------

desc: howto-linux-apache+mod_ssl/link
--------------------------------------------------------------------------
http://www.kordy.dircon.co.uk/misc/mod_ssl.html


Netware: Connecting to Volumes on a Netware Server

first run the following commands to connect or print to Netware:

insmod ipx
ipx_configure --auto_primary=on --auto_interface=on

here are a list of possible netware commands:
ipx_cmd - bridge between Novell's SCMD driver and local IPX network
ipx_configure - query/configure IPX behavior
ipx_interface - add, delete, or display an IPX interface
ipx_route - add or delete IPX route
ipxdump - similar to tcpdump, but uses the IPX protocol
ipx_internal_net - add or delete the IPX internal network
ipxparse

ncpmount - mount a Netware File System (ncpmount -S Server -V Volume /mnt -U Username -P Password)
ncpumount - unmount a Netware File System (ncpumount /mntpoint)


LDAP: Information and Configuration Files

What it is: LDAP is a client-server protocol for accessing a directory service. It was initially used as a front-end to X.500, but can also be used with stand-alone and other kinds of directory servers.
Download: http://www.openldap.org/

Client-side Configuration file:
/usr/local/ldapserver/etc/openldap/ldap.conf
/usr/local/ldapserver/etc/openldap/ldap.conf.default

Server-side Configuration file:
/usr/local/ldapserver/etc/openldap/slapd.conf
/usr/local/ldapserver/etc/openldap/slapd.conf.default

Sample ldif file
/usr/local/ldapserver/etc/openldap/sample.ldif

Utilities:
ldapadd - LDAP add entry tool
ldapadd -D "cn=root,o=redhat-30,c=com" -x -f newentry -W
ldapdelete - LDAP delete entry tool
ldapmodify - LDAP modify entry and LDAP add entry tool
ldapmodrdn - LDAP rename entry tool
ldappasswd - change the password of an LDAP entry
ldapsearch -b o=redhat-30,c=com 'objectclass=*' -x
slapd # slapd is the server binary that is executed to start the service.

howto: http://www.tldp.org/HOWTO/LDAP-HOWTO-1.html
http://yolinux.com/TUTORIALS/LinuxTutorialLDAP.html#EXAMPLE

excellent windows ldap browser: http://www.ldapadministrator.com


Rsync: Configuring

What it is and why would you use it? Rsync provides a way to mirror data between two different systems, which gives a very fault tolerant environment.

On both computer #A and #B make sure that the rsync binary exists.

Computer A# /etc/rsyncd.conf

uid = root
gid = root
use chroot = no   # chrooting the daemon into the module path (use chroot = yes) is the safer default
max connections = 0
syslog facility = local5
pid file = /var/run/rsyncd.pid
read only = true
hosts allow = 10.0.0.32
hosts deny = 0.0.0.0/0.0.0.0

[home]
# path points to the user data directory
path = /home
comment = user data
auth users = root
secrets file = /etc/rsyncd.secrets

A# Add user and password to the secrets file (user:password, one per line).
A# echo user:password > /etc/rsyncd.secrets; chmod 600 /etc/rsyncd.secrets

B# Set up access rights on computer B.
B# echo password > ~/.rsyncd-pwd; chmod 600 ~/.rsyncd-pwd

B# vi /usr/local/sbin/realtimesync

# BEGIN FILE
# Computer B
rsync -a --password-file ~/.rsyncd-pwd rsync://user@10.0.0.31/home/ $1
# END FILE

B# /usr/local/sbin/realtimesync

B# ps ax | grep /usr/local/sbin/realtimesync | grep -qv grep || /usr/local/sbin/realtimesync /home/

Article can be found in:
Sys Admin
July 2002 - Volume 11 - Number 7 "An Economical Scheme for Quasi Real-Time Backup" pg. 20


L2TP: Configuration file

# l2tp.conf
[global]                                   ; Global parameters:
port = 1701                                ; * Bind to port 1701 (the L2TP port; 1723 is PPTP)
auth file = /etc/l2tp/l2tp-secrets         ; * Where our challenge secrets are
access control = yes
require authentication = yes               ; make sure /etc/ppp/pap-secrets and /etc/l2tp/l2tp-secrets both contain the correct entries

[lns default]
ip range = 10.0.0.40-10.0.0.45             ; * Allocate from this IP range
local ip = 10.0.0.33                       ; * Our local IP to use
lac = 10.0.0.193                           ; * These can connect as LACs (only if access control is on)

l2tpd/ipsec: http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#L2TPconfigLinux

l2tpd mail thread index: http://l2tpd.graffl.net/threads.htm


PPTP: Configuration file

# /etc/ppp/options
lock
proxyarp
name pptplocal
auth require-chap
ms-dns 10.0.0.21
domain domain.com
modem
crtscts
10.0.0.30:
netmask 255.255.255.0

# /etc/pptpd.conf

localip 10.0.0.30
remoteip 10.0.0.40-45

# Make sure these two settings are in place or you might have trouble communicating on the local LAN
IPFORWARDING ( echo 1 > /proc/sys/net/ipv4/ip_forward )
PROXYARP is setup in /etc/ppp/options

pptpd/server: http://www.poptop.org


Squid: Sample configuration file used for transparent proxy servers
The squid.conf for Squid 2.3 needs to be something like the following:

## begin
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

acl all src 0.0.0.0/0.0.0.0   # allowing every source is not recommended, but this will accomplish a web proxy
http_access allow all
## end
Squid 2.4 needs an additional line added:
httpd_accel_single_host off

Also add the following IPtables rule:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.22.33:3128

Squid 3.0 (Development) has removed "httpd_accel" options. Please read "RELEASENOTES.html" for more information.

## Another squid.conf file. This one is a little more complex than the previous one.

acl blocked_sites url_regex www.ebay.com
acl blocked_sites url_regex www.qvc.com
acl blocked_sites url_regex www.creativememories.com

acl business_hours time M T W H F 8:00-17:00

http_access deny blocked_sites business_hours
http_access allow blocked_sites

acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0

http_access allow all

http_access deny all

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

* Known issue with Windows clients and the dynamic ARP cache. To avoid poisoning the Windows clients' ARP cache, you may need to add the following lines on your firewall system:

echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce


DHCP: Sample DHCP server configuration file
subnet 10.0.1.0 netmask 255.255.255.0 {
    range 10.0.1.100 10.0.1.200;
    option subnet-mask 255.255.255.0;
    option routers 10.0.1.1;
    option domain-name-servers 10.0.0.21;
    option domain-name "protected-usme.com";
    option ip-forwarding on;
    option netbios-node-type 8;
}

Network Printing: short list of network printing command

Enabling ipx connectivity:
ipx_configure --auto_primary=on --auto_interface=on

Here are some useful tools to view Netware Printer Queues:
pqlist - list all of the printer queues on a Netware Server.
pqstat - list all the print jobs in the print queue.
nprint - command used to initiate printing to Netware.

Printer configuration files:
/etc/printcap - configure this file to setup the printer.
/var/spool/lpd/%printername% - location of printer driver and setup files.


Links:
Linux Novell Access and Printing --
http://www.comptechdoc.org/os/linux/usersguide/linux_ugnetprint.html

Startup Script: sample rc.local startup script

This script provides a simple way to create a segmented network with limited privileges.

rc.local

IPSec: Sample configuration files
These configuration files are intended to allow you to connect to a LINUX box from a Windows XP box.

Linux:
ipsec.conf:

config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.1.0/25

conn %default
keyingtries=0
disablearrivalcheck=no

conn roadwarrior
left=10.0.0.39
leftsubnet=10.0.0.0/255.255.255.0
right=10.0.0.165
dpddelay=30
auto=add
authby=secret

ipsec.secrets:

10.0.0.39 10.0.0.165 : PSK "secret"
10.0.0.39 10.0.1.192 : PSK "secret"
10.0.1.2 10.0.1.92 : PSK "secret"

Windows XP: (using ipsec.exe to convert ipsec.conf into secpol.msc rules; use secpol.msc to configure the IPsec rules)

ipsec.conf:

conn roadwarrior
left=%any
right=10.0.0.39
rightsubnet=10.0.0.0/24
network=auto
auto=add
authby=secret
pfs=yes
presharedkey=secret
compress=yes

ipsec.secrets:
10.0.0.39 10.0.0.165 : PSK "secret"


SNMPD/SNMPD.CONF

Here is my quick and dirty (dirty = security risk) snmpd/snmpd.conf. This configuration will quickly set up the host machine to accept snmpwalk queries from inside your network.

snmpd.conf


## BEGIN

##       sec.name   source           community
##       ========   ======           =========
com2sec  local      localhost        craz33guy
com2sec  network_1  172.16.1.0/24    craz33guy
com2sec  network_2  192.16.1.0/24    craz33guy
##       Access.group.name  sec.model  sec.name
##       =================  =========  ========
group    MyROGroup          v1         local
group    MyROGroup          v1         network_1
group    MyROGroup          v1         network_2
##       MIB.view.name  incl/excl  MIB.subtree  mask
##       =============  =========  ===========  ====
view     all-mibs       included   .1           80
## MIB
##       group.name  context  sec.model  sec.level  prefix  read      write  notif
##       ==========  =======  =========  =========  ======  ====      =====  =====
access   MyROGroup   ""       v1         noauth     0       all-mibs  none   none

## END

snmpd -x localip

snmpwalk -v 1 -c craz33guy remoteip

OpenVPN

The following configuration will create a tunnel to allow access to a PRIVATE network, probably behind a firewall. Optionally, you can create server keys to enable SSL, which is highly recommended.

With the following configuration you can ping remote addresses behind 10.0.0.38. The host 10.0.0.38 contains another network 10.0.1.1. Once you connect to 10.0.0.38, you can ping 10.0.1.1, which is hosted on 10.0.0.38, but you cannot ping 10.0.2.2, which is another host on this network. The reason you cannot ping 10.0.2.2 is because PROXY ARP needs to be turned on. The following instructions will show you how to turn on PROXY ARP on 10.0.0.38.

server.conf

dev tap
ifconfig 10.0.2.1 10.0.2.2   # the local address is always on the left-hand side
verb 5
ping 15

Some routing problems that can be solved by enabling proxy_arp and ip_forwarding:
[1] echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
[2] echo 1 > /proc/sys/net/ipv4/ip_forward
[3] start the "server" with the command openvpn --config server.conf

client.conf

dev tap
remote 10.0.0.38   # eth0 of the vpn server
ifconfig 10.0.2.2 10.0.2.1
verb 3

Additional Notes for Windows Clients:
[1] configure the TAP/TUN device on the XP machine with an IPADDR of 10.0.2.2.
[2] start this "remote" client with the command "openvpn --config client.conf"
[3] If you're running a Windows OS, remember to add this following route for the configuration above:
c:\> route add 10.0.1.0 mask 255.255.255.0 10.0.2.1 (< server machine's ipaddr)

OpenVPN Secure Configuration

The following configuration provides some security, instead of transferring in "clear text" as above (DES-CBC and MD5 are weak by today's standards; OpenVPN also accepts stronger choices such as AES-256-CBC for cipher and SHA256 for auth).

start:
[1] create the secret key to share for the client and server:
openvpn --genkey --secret secret.key

server.conf

dev tun
ifconfig 10.0.2.1 10.0.2.2
secret secret.key
auth MD5
cipher DES-CBC
user nobody
group nobody
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3

client.conf

dev tun
remote 10.0.0.38
ifconfig 10.0.2.2 10.0.2.1
secret secret.key
auth MD5
cipher DES-CBC
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3

OpenVPN Links:
http://openvpn.sourceforge.net/howto.html

http://mia.ece.uic.edu/~papers/volans/openvpn.html


DRBD

drbd.config

Howto: http://linuxha.trick.ca/DRBD_2fHowTo

MailScanner

Sample MailScanner.Conf


MailScanner Howto: http://www.sng.ecs.soton.ac.uk/mailscanner/install/ (Installation Guide)

NIS

NIS Howto: http://www.tldp.org/HOWTO/NIS-HOWTO/

Linux Printing

Popular Linux Printing Packages:

CUPS
LPRng (lp, lpr, lpd: the core Linux printing tools).

printcap.sample (sample file that is included with LPRng).


Cisco Routers/Switches

1900A# Sample Config
1900B# Sample Config/Commands
RouterA# Cisco 2513 Sample Config/Commands
RouterB# Cisco 2500 Sample Config/Commands
RouterC# Cisco 2500 Sample Config/Commands
Router2621# Cisco 2621 Sample Config/Commands
Router804A# Cisco 804 Sample Config/Commands
Router804B# Cisco 804 Sample Config/Commands

