The Answer Gang

By Jim Dennis, Karl-Heinz Herrmann, Breen, Chris, and... (meet the Gang) ... the Editors of Linux Gazette... and You!

We have guidelines for asking and answering questions. Linux questions only, please.
We make no guarantees about answers, but you can be anonymous on request.
See also: The Answer Gang's Knowledge Base and the LG Search Engine

Contents:

¶: Greetings From Heather Stern

Network Connection Problem

Linux and SCSI tape drives

Opening bz2/Z file in ViM

Greetings from Heather Stern

Welcome to a summer day among The Answer Gang. We're having a quiet little picnic here... hmm, perhaps a little too quiet. Nonetheless we've got some juicy Answers for you to enjoy reading.

If you've got a good juicy question I encourage you to please email it to The Answer Gang (tag@linuxgazette.net). I mean, sure, we have these nice guidelines we'd like you to try out first - but we welcome the stumpers. There's a lot more distros than there used to be and even we learn something from our fellow Gang members occasionally.

As the question of how big business takes Linux to heart is now taken a bit more seriously than in past years, we'd like to encourage corporate types to ask us their tricky questions too. We can't promise the speediest response time (although many have been pleasantly surprised) or that we really will answer (although we have quite a few people now - your chances are good). If you want to be anonymous we can take it a step further and try to sanitize things like IP addresses when you describe your network... feel free to go into detail, or to sanitize your notes yourself (encouraged). If you've got one of those "this may be confidential" notes, make sure you've explicitly granted us permission to publish the thread worldwide.

"The enterprise" is such an incredibly vague buzzword these days I'm surprised Viacom/Paramount doesn't get mad about the press abusing it. Of course they're the ones who named their now famous line of starships after a verb that we've turned into this planet's most abused group noun. But let's take a serious look at the question, shall we?

What draws the line between simply a decent sized company and an "enterprise"? Multiple sites, sure. Is a family chain of restaurants an "enterprise" then? Maybe. Divisions and departments and layers of management who have never met each other, because the heirarchy has grown over time to handle so many groups of people? Yeah, definitely getting there. So we need project planning software. OpenOffice serves charting needs and presentation, plus the usual word processing. How about planning large networks? Some of the logic I've seen for keeping departments out of each others business via internal firewalling ... defies all logic but slicing through the Gordian knot and redesigning the layout. There's social questions too (what, you think internal policies grow on trees? Cut down quite a few, maybe) and development plans that may span 5 or 6 years.

Oops, 6 years ago we weren't nearly so impressive. I think that some companies will only see Linux creep into units as their plans turn out to be met by it. So for a long while to come, it's going to be very important how we handle working with multiple platforms - whether they're the Borg of Redmond, or Sun, or Macintoshes. That means coughing up schematics and documents that their software will handle too - or making sure that our open source stuff runs on a world of other systems. The latter is a better answer for the long term - applying new logic of ergonomics and workplace expectations into the results - but sucks for the short term, because units don't necessarily want to fire all their software - or risk being unable to work on the same documents as other divisions do. Or their partner companies in a consortium. Which came first, the chicken or the egg? Something that's not quite a chicken, generally waits for the chicken to "lay an egg" in the idiomatic sense: Linux or another free solution will be tried when an expensive one is either too painfully expensive to contemplate first, or flops so horribly that departments stray from the golden path of Fully Paid Support Contracts to get something that Just Works.

And, as my husband has discovered in small business of years gone by, there will be times that when such solutions work they will be left to stay and serve. In fact it will be insisted upon, as department heads change and the server continues to operate a given system will retain its traditional bearing... and it will be just as hard for a $DISTRO driven company to switch to $DISTRO2 if the first does not serve them optimally - because there will be years of unit dependence on features that work "just so" on $DISTRO. This is the real thing any new distro - or in fact any distro which seeks to move people around the new "enterprise" linux users over to their userbase - has to make easy, or it will be an uphill battle every step of the way.

We already know that at least some of "the enterprise" is ready for Linux... here and there. Is "the enterprise" ready for the change in paradigm to go with it, of how our software changes and open source projects flow into and out of the equation? We don't know. Are the brand name distros up to the combined challenge of having their toes nibbled by specialty distributions (see LWN's Distributions page) at the same time as trying to play both the "Try us, we're different" and "no problem, we're the same" cards in the battlefield... err, marketplace, yeah, that's what they call it.

Speaking of the battlefield, in my country, the last Monday in May was Memorial Day, when we honor our war veterans of all varieties. So I'd like you to stop, and consider those you know, or who your families know, who have fought great battles and won... especially those who won at the cost of their lives or livelihood, and also of those who fought for the lives and livelihood of people they never knew or understood.

Thanks for reading. Have a great summer. See you next month.

Network Connection Problem

From Chris Gibbs

Hi ya,

I think this is more a Microslop question, but maybe you can help.

I have 2 PC's on 10baseT network, normally both run linux and everything is fine. I have a fairly paranoid setup where hawklord.universe.com is 192.168.0.1 and cannot ftp gigahawk.universe.com. But hawklord can http gigahawk ok. (confession... my modem is ISA, hawklord has ISA slots, gigahawk does not... so hawklord is just a box I can ssh to and run Netscape from, its also where I keep documentation on an Apache server, so the ability to http hawklord would be good)

[Faber] I didn't quite follow this. I think you're saying that everything works the way you want it to, right?

And are these names related to that Saturday morning cartoon where all the heroes had wings? I think one of them was called Hawkman.

gigahawk (192.168.0.2) can ftp hawklord, http hawklord whatever. Security don't matter at all for hawklord, I just assume its insecure.

If I boot Windoze ME on gigahawk I just can't find hawklord. ping just times out.

[Faber] Oh, that's easy enough to fix. Don't boot into Windows ME! <bah-da dump> <rimshot>

So like er, how do I get MS ping to find the linux box? Everything on hawklord works fine.

[Faber] You can ping hawklord by IP address, right? Go no further until you do can that. Run winipcfg to make sure it has the IP Address/subnet mask you think it does. If you can ping hawklord by the IP Address (NOT the name!), then you may read on.

[Ben] If you can't find "winipcfg", try "ipconfig" from the CLI. There are several versions of Wind0ws that don't have the GUI version.

People complain Linux is hard to configure but is (at least for me) simplistic compared to Wintendo. I've found places in Windoze to put DNS numbers, what I can't find is hosts.allow;

[Faber]

And you won't. What you're looking for it the /etc/hosts file. hosts.allow is used only for, IIRC, tcp-wrappers.

[Ben] BZZT. It's just a host access control mechanism, not dependent on TCP wrappers AFAIK (although you can do some interesting additional stuff if you have it; see "man hosts.allow".)

[JimD]

Well, actually, hosts.allow and hosts.deny are used by tcpd and other programs compiled against libwrap (the TCP Wrappers libraries) which include things like the Linux portmapper (used by NFS, and other ONC RPC services).

So you're sort of both right, depending on what you mean by "TCP Wrappers" (the binary /usr/sbin/tcpd, or the library, libwrap.so against which it's linked).

[Faber] The file you want is in $(WINDIR)/System32/etc/hosts.sam (I'm pretty sure that's where it is. At worst, search for "etc"). You need to populate it and rename it to simply "hosts".

[Ben] "hosts" does not have the functionality of "hosts.allow" or "hosts.deny"; it just does IP to-hostname-mapping. Chris is right: there's no equivalent file in Wind0ws - although you can get the functionality in other ways (not that I'm an expert on obsolete OSes, but I've had to set up a few mixed networks.)

[Faber] You will also see a "lmhosts.sam"; don't bother with that unless you have Samba running on hawklord. And if you're going to play with Samba and lmhosts, be sure to read up on MS netbios technology; that oughtta make you not want to do it.

[JimD] If you can't ping it by IP address, and it's on your LAN; that

suggests an ARP problem on one side or the other. Try arp -d $IPADDR on the Linux side of things. Then try running tcpdump -e -v to watch the ARPs and other traffic between the two. The -e will force tcpdump to print MAC addressing info on each dataframe it captures --- so you can spot if some other ethernet card is responding to the ARP requests. Of course you can use ethereal or "tethereal" (the text mode of ethereal) in lieu of tcpdump if you prefer.

[Ben]

BTW, there's a really good intro to reading what I think of as "libpcap syntax" - the stuff that's put out by tcpdump, ethereal, etc., by Karen Kent Frederick at SecurityFocus. In fact, it's a four-part series:

"Studying Normal Traffic":

<http://www.securityfocus.com/infocus/1221/>; <http://www.securityfocus.com/infocus/1222/>; <http://www.securityfocus.com/infocus/1223/>;

"Abnormal Traffic":

<http://www.securityfocus.com/infocus/1200/>;

Ok I tried winipcfg and I think it gives the clue cause there is a tick in the NetBIOS Resolution Uses DNS checkbox. Apart from that its what I expect. ping 192.168.0.1 continues to time out.

[Faber] Since you're pinging the IP address, name resolution (DNS, /etc/hosts, etc.) doesn't work into it. (But does Windows try to do a NetBIOS name resolution with the IP Address? Hmm...)

If you can't ping using the IP address, something is screwed up on your network, either the IP address (the other box isn't on the 192.168.[something other than 0] network, is it?), the subnet mask is wrong, or the Windows box isn't configured for networks.

Did you try Jim's suggestion about ARP? That information would be useful.

Does that mean I must set up a name server on hawklord? Also I'm confused about bindings seems I must check client for MS networks or printer sharing else I don't get anything. I don't really seem able to alter anything (situation normal for me in Microkak)

[Faber] Get it to ping ith the IP Address, then we'll worry about name servers (but in general, no you don't have to set up a name server).

You do have TCP/IP installed on the Windows box, yes? "Client for MS networks" enables SMB/NEtBIOS stuff. PRinter sharing uses the same stuff; I don't know why they're separate.

[David] Silly idea, try having the MS boxen ping itself. Have seen times that the MS boxen was so confused that it could not ping itself let alone someone else. It took a reboot, removal of all networking, reboot, reinstall networking, reboot and finally it would ping itself and low and behold it could ping the rest of the network too.

[Ben] I'm with David on this one, and will confirm the above as standard behavior (I've seen it a number of times), although I think of it in different terms:

ping 127.1		# Test the local TCP/IP stack
ping localhost		# Test the local hosts file
ping xxx.xxx.xxx.xxx	# Test "outside" - ping the immediate upstream IP
ping foo.bar		# Test all by pinging an "outside" host by name

Finding out where this breaks is the first key to troubleshooting this kind of problems, whatever the OS.

Linux and SCSI tape drives

From Becca Putman

In your webpage, you said, "If you can't access your tape drive, try loading the st.o module."

I'm very new at this, so please bear with me... how do I load that module? I did a simple installation of RedHat 9(Shrike). When I installed my Adaptec aha-2940 card, RH saw it immediately. It also sees my tape drive (a DEC TZ87 - supposed to be the same as a Quantum DLT2000), but it doesn't load a driver for it. Suggestions?

[Faber] Are you sure RH hasn't loaded a driver for you? Sounds like it did. Why do you say it didn't load the module?

Anywho, you can look at the list of loaded modules with 'lsmod' to see if it is loaded. To load a module, you can type "modprobe st" and the system will load the st.o modules and any dependencies.

I created the tape with high density and 6250 blocksize. However, restore is complaining about a tape read error on first record. If I take out the blocksize argument, it says:

[root@tara tape]# restore -x -v -f /dev/st0 *
Verify tape and initialize maps
Input is from tape
restore: Tape block size (80) is not a multiple of dump block size
(1024)

[K.-H] /dev/st0 rewinds automatically on closing of the filehandle. /dev/nst0 is the no-rewind version which will not rewind the tape automatically

This is valid for all commands using the /dev/[n]st0 icluding mt

[Faber] Isn't this saying that you should be using 80 instead of 6250?

[Ben] Probably not. I suspect that what it's seeing is a header that it doesn't understand, which happens to have "80" in the position where the block size would normally go.

The tape was created with OpenVMS v6-something back in 1997. Please tell me there is some way to read it...? Pretty please? Pretty please with sugar on top?

[Faber] Can anyone help the lass? I can't remember the last time I did a tape retore let alone doing one from an different OS (waitaminnit! can you restore a VMS tape to a un*x/Linux box?).

[Ben] Erm, well... only if you wanted to make it into a VMS box. In short, no - at least as far as I know. You should be able to extract the tape contents, though - and I seem to remember that there's a VAX/VMS emulator available for Linux, so you might even be able to run what you extract.

I found a free product called vmsbackup, which will take a tape made with VMS and extract it to a unix (read, Linux) box. It can be found at http://vms.process.com/ftp/vms-freeware/FREE-VMS, if anyone is interested.

Anyway, I've come to the realization that my tape has a bad block - right at the very front. sigh I tried to use mt to move the tape past it, but it appears that just before mt exits, it rewinds the tape. Real helpful.

Opening bz2/Z file in ViM

From Ashwin N

Hi,

I am facing a strange problem. ViM has a plugin that enables users to edit a compressed file just like a normal file. Say you open a file.txt.gz in ViM, it directly shows and allows you to edit the uncompressed test. But, strangely on my system this is working for .gz files but not working for .bz2 files!

The plugin file in question is gzip.vim (on my system it is in /usr/share/vim/vim61/plugin/gzip.vim). The file insides look OK to me, the right commands are being called for .Z, .gz and .bz2 files. But, when I open a text file compressed using bzip2 I get junk in ViM, whereas .gz files open correctly.

Hoping a solution/lead from you guys

[Kapil] It works here! What I have is:

Package: vim
Version: 6.1
Debian version: 320+1

You didn't say what version etc. you have!

One possible problem that you may have is that your gzip.vim calls "bunzip2" rather than "bzip2 -d". The former may not exist in some broken installations of "bzip2".

Mine is ViM Version 6.1, from RedHat 8.0.

No, it uses "bzip2 -d". And both "bzip2 -d" and "bunzip2" work at the shell. I even changed "bzip2 -d" to "bunzip2" in the gzip.vim file, but it is still not working

This strange problem is really bugging me. I am lost wrt to the solution for this. Any other things I need to check?

[Jason] The 'gzip.vim' in /usr/share/vim/plugin has last change date as 2003 Apr 06

My version uses the '-d' flag and doesn't rely upon gunzip and bunzip2.

This is just a shot in the dark, but you might want to try list the autocommands in the 'gzip' group in vim, like this:

:au gzip

....which should dump a list that looks something like this:

--- Auto-Commands ---
gzip  BufRead
    *.gz      call s:read("gzip -d")
    *.bz2     call s:read("bzip2 -d")
    *.Z       call s:read("uncompress")
gzip  BufReadPre
    *.gz      setlocal bin
    *.bz2     setlocal bin
    *.Z       setlocal bin
gzip  BufWritePost
    *.gz      call s:write("gzip")
    *.bz2     call s:write("bzip2")
    *.Z       call s:write("compress -f")

This was where I got the clue to the problem.

When I did a ":au gzip" I got -

--- Auto-Commands ---
gzip  BufRead
    *.gz      let ch_save = &ch|set ch=2
              '[,']!gunzip
              set nobin
              let &ch = ch_save|unlet ch_save
              execute ":doautocmd BufReadPost " . expand("%:r")
gzip  BufReadPre
    *.gz      set bin
gzip  BufWritePost
    *.gz      !mv <afile> <afile>:r
              !gzip <afile>:r
gzip  FileAppendPost
    *.gz      !mv <afile> <afile>:r
              !gzip <afile>:r
gzip  FileAppendPre
    *.gz      !gunzip <afile>
              !mv <afile>:r <afile>
gzip  FileReadPost
    *.gz      let ch_save = &ch|set ch=2
              '[,']!gunzip
              set nobin
              let &ch = ch_save|unlet ch_save
              execute ":doautocmd BufReadPost " . expand("%:r")
gzip  FileReadPre
    *.gz      set bin
gzip  FileWritePost
    *.gz      !mv <afile> <afile>:r
              !gzip <afile>:r

All .gz related stuff, nothing to do at all with .bz2 and .Z. At this point, I realized that after the commands in gzip.vim were being loaded, they were being overridden by the above somewhere.

I checked the global vimrc file, which is in /usr/share/vim/vim61/macros and I hit bull's eye. In that file, the gzip command was getting overridden with the stuff shown above. So, I just deleted the gzip autocommands in the global vimrc file and everything is working fine now. All the three supported files (.gz, .Z, ,bz2) are opening properly.

News Bytes

By Michael Conry

Contents: Legislation and More Legislation Linux Links News in General Distro News Software and Product News

Selected and formatted by Michael Conry

Submitters, send your News Bytes items in PLAIN TEXT format. Other formats may be rejected without reading. You have been warned! A one- or two-paragraph summary plus URL gets you a better announcement than an entire press release. Submit items to bytes@linuxgazette.net

European Software Patents

The subject of European software patents has returned to the news in the past few weeks. As was reported some months ago, when the European Parliament last looked at the question of software patents it included several amendments to the original proposals. These amendments were seen by many in the small-medium-enterprise and open-source communities as representing a welcome move away from unfettered and universal patenting of software. Now, however, the European Council of Ministers has reversed many of the Parliament-introduced changes, to the anger of many MEPs.

For a while, it looked like hard lobbying by members of the public and representatives of the Free and Open Source communities might succeed in luring the Council away from its new plan. However the final Council vote stuck with the proposals with just some minor alterations.

This latest twist in the European patent saga is far from being the end of the story. The common position agreed by the Council of Ministers must now pass the law before parliament again for a second reading, and only when both bodies agree on it can it be passed and become law. If any European readers have specific views on this issue, it is a very opportune time to raise it with your MEP, and with the other candidates running for MEP in your constituency (European Parliament elections are on June 11th 2004).

Independent?

The Age has published an interesting article by Leon Brooks discussing the "independence" of various policy think-tanks. For most GNU/Linux users and enthusiasts, these bodies only become visible when they issue pronouncements on the undesirability of Free and Open Source Software. Brooks makes insightful, and useful, comparisons between these organisations' opinions on Free Software, and on other issues of economic and social freedom. The facts behind the rhetoric indicate that though the terms free trade and free market are often invoked, the underlying ideology is one of protectionism and the support of vested interests.

I Am A Lawyer

Slashdot published a very interesting interview with attorney, Mike Goodwin. It covers a lot of themes related to what one might call "Cyberlaw".

Chain of trust to help avoid intellectual property claims against Linux kernel.

Chrooting Apache.

Introduction to Cfengine.

www.linuxstolescocode.com

Novell will start shipping Novell Open Enterprise Server, which combines both NetWare and Linux kernels by the end of this year.

Ulterior motives behind industry computer recycling (rather than re-use) initiatives.

What does "Linux forking" mean?

Behind the scenes at an embedded systems conference.

Disaster and disaster recovery

Are IT Textbooks for MBA students a bit light on Linux?

Mail Server Filtering:

• "putting a mail server on the Internet without filtering is like covering yourself with barbecue sauce and breaking into the Charity Home for Badgers with Rabies."

On the subject of which, you could always try installing Linux on a dead badger (from /.)

Linux gaining traction in industrial automation and control.

Getting a job in open source software, and how to reflect your experience in your resumé. Or you could be a muffler man (or woman).

A look at Linux on the Nintendo GameCube.

An overview of email filtering strategies at O'Reilly.

Connexions

Connexions is a Content Commons of free, open-licensed educational materials in fields such as music, electrical engineering and psychology. Mostly college level, but some content for younger students too. a place for communities of authors and instructors to create, find, and share content.

X.org

The X.org foundation has issued their first release of the X Window System since the formation of the Foundation in January of this year. The new X.Org release, called X Window System Version 11 Release 6.7 (X11R6.7), builds on the work of the X.Org X11R6.6 and XFree86TM Project Inc. V4.4RC2 releases to combine many of the latest developments from a large number of the participants and companies working with the X Window community.

To assure consistency with industry and community requirements and practices, it was developed from the X.Org X11R6.6 code base and the XFree86 V4.4RC2 code base, with the addition of bug fixes and enhancements. These enhancements include: new IPv6 functionality, Freetype V2.1.7, fontconfig V2.2.2, Xft V2.1.6, Xcursor V1.1.2, and Xrender V0.8.4, with corresponding changes in documentation and notices. Additional source and binary releases are anticipated during 2004.

Debian

Nice overview of Debian, from Serverwatch.

Debian From Scratch is a rescue/installer CD that can be used to do a Gentoo-like installation of i386-wood/sarge/sid and amd64-sid. (From Debian Weekly News)

As an alternative to the normal Debian CD downloading procedure, you can now use the wonder of Bittorrent to get Debian goodness onto your system.

Gentoo

The Gentoo Linux Release Engineering team has proudly announced the release of Gentoo Linux 2004.1. You can download the new release from mirrors or purchase it in the online store.

OSNews has published a rapid Gentoo installation guide.

Slashdot compiled a selection of links on recent Gentoo goings on, including the departure of Daniel Robbins, and the possibility of a major push into the enterprise sector.

Linux From Scratch

The Linux From Scratch community has proudly announced the release of LFS-5.1. This patch release contains many bug fixes and package upgrades since LFS-5.0. In particular, this release features the Linux kernel 2.4.26, GNU C Library (glibc) 2.3.3 and the GNU Compiler Collection (gcc) 3.3.3. The book's layout has also been improved, leading to enhanced readability and improved clarity.

Red Hat

Red Hat appears to have reversed its decision to abandon the Linux desktop market. Customer demand has led to a company U-turn which will result in a Red Hat desktop offering being made available in the coming summer.

SuSE

SuSE has announced the release of SuSE Linux version 9.1.

vnc2swf

vnc2swf is a screen recording tool for X-Window (X11), Windows and Mac OS Desktop. Vnc2swf captures the live motion of a screen through VNC protocol and converts it a Macromedia Flash(TM) movie (.swf).

Mozilla

Mozilla 1.7 is to become the new stable branch, replacing 1.4 in this role.

Mick is LG's News Bytes Editor.

Born some time ago in Ireland, Michael is currently working on a PhD thesis in the Department of Mechanical Engineering, University College Dublin. The topic of this work is the use of Lamb waves in nondestructive testing. GNU/Linux has been very useful in this work, and Michael has a strong interest in applying free software solutions to other problems in engineering. When his thesis is completed, Michael plans to take a long walk.

How Linux is Changing the Face of Education in Africa

By A.J. Venter

Okay, let's get the formalities out of the way first, so we can get on with what this article is actually about: the FOSS revolution happening in African Educational institutions today.

My name is A.J. (It stands for an unpronounceably long Afrikaans name so just don't ask), and what I do is to develop FOSS solutions for Education. I work as lead developer for a company called DireqLearn. We are South-African in origin, but have offices in several other African countries now. The past two years have been very exciting for us. But this is not about my company, it's an attempt to share what I have learned and seen over this period about what is happening in Africa today: the successes, the failures, and the alteration in mindset we are witnessing.

Two years ago, we started deploying LTSP-based thin-client solutions in schools. As we progressed, we found that there were so many specific setups and enhancements that we were doing over and over again, that we started doing single pre-installed disk images, which we then just dd'd onto the drives for the schools.

This worked for a little while, but it didn't scale up far enough. Our answer was to develop our own distribution that meets the needs of schools specifically. We called it OpenLab. There are a number of other similar projects out there, although as best I am able to ascertain, OpenLab is currently the most advanced project to create a distribution specifically tailored to the needs of the African education market.

But why is education in Africa different from anywhere else? Why not just use K12LTSP and be done with it? Because the first thing you realize if you do this for a while, is that when you put a computer lab into a school in rural Namibia where there is only dirt roads and solar power, the teachers - petrified of damaging this valuable gift, and generally petrified - will lock up the lab, and never open it up again. In direct contrast, put children in front of these computers and they will start exploring, digging, learning - not just about computers; it becomes a means of accessing the wealth of knowledge that is just a google away. A way for a little 8 year old boy who lives essentially in the middle of knowhere [ I don't know if A.J. intended to use this word or if it's a misspelling, but I'm leaving it in just as it is - I like it. - Ben ] to become a citizen of the world.

But you need to overcome the teacher barrier first. That means training teachers until they are comfortable with the technology. Only then will they let the children use them. Only then can you see growth, and learning. I am an African, born and raised, and all too aware that the continent is in shambles (and we do not gain anything by denying that fact.) I know that at least part of the answer is education. It takes a lot more than computers in schools to fix education, but it is a step in the right direction.

FOSS in this world is not just an idea, but a crucial requirement to success, I believe. It's not just about cost, in fact with some of the "education initiatives" a certain huge software developer has launched in Africa, you could well find the costs basically equalling out. It's about at least two other things.

There is a philosophical side to it. Africa cannot proceed into the twenty-first century as just a software consumer, we have a lot of programming talent and potential on this continent, and we want to participate in the global software industry as equals. That means skills development. FOSS is just that, a form of skills development everyone can afford. Universities and colleges are out of the price-league of most Africans by far, but anyone can download and study source-code. By giving more people access to FOSS systems, we improve the market for skills attained on them, we increase the abilities of these people to gain and expand those skills and perhaps most importantly, we keep our markets alive and vibrant with the reality that alternatives exist.

There is also a practical, technical side to it. Thin-client computing doesn't just save money, it actually works much better in educational environments. Suddenly, you are talking about a user-based system, rather than a machine-based system. This means that you can let the children explore and learn without worrying that they'll break the system for everybody else. If a user in a Wind0ws(tm) lab hides the 'My Computer' icon, the teacher has to waste time helping the next user get his system standardized again in order to do the days lesson. This leads to draconian measures - suddenly everyone just follows the rules, there is no personal data, no exploration, no development. LTSP solves this nicely: if a user hides an icon from the desktop, it's hidden on his desktop, no problem. Also for the first time, users can learn to customize desktops to really suit their working style, despite sharing resources. Some people prefer a taskbar at the bottom, some prefer it on the left hand side. Neither is better, each just a matter of preference. The more the computer works like you think, the easier it is to work on. LTSP makes this possible.

Finally FOSS offers one thing that is absolutely crucial to education, and which no other model can compete with. Language support. First language education is proven to be by far the most effective kind. FOSS systems simply have better language support. Anyone can translate open code. The number of African languages for which desktops, spellcheckers, and useful applications are available is increasing almost daily, with the translate.org.za project taking a leading position here, including teaching translation skills to people doing similar work in other countries.

So all this sounds nice, but I said there is a revolution happening, so I need to back that up. Here are just some of the projects which are currently running OpenLab or similar systems, such as K12LTSP and SkoleLinux.

In Nigeria, the Education Tax Fund along with SchoolNet Nigeria has already deployed 35 school sites with LTSP based systems.

In Uganda, a project launched by SchoolNet Uganda has convinced the ministry of education to mandate thin-clients for all future funded school lab roll-outs.

In Namibia a project currently running led by Schoolnet Namibia, will be placing thin-client labs with wireless Internet access into over 200 schools. The largest non-Microsoft based lab roll-out in Africa to date. Schoolnet Namibia aims to eventually put such labs into every school in Namibia.

Apart from the thin-client labs which is the area I am most heavily involved in, there are numerous other projects currently running. The OSSMS project as well as the schooltool project at schooltool.org are working on creating viable school administration software. Currently both are in advanced, stable and usable states. In South-Africa the CSIR also has a number of FOSS education projects under way.

Simply put there is a revolution under way in Africa, education is being revamped and taken to new levels. FOSS, and especially Linux is a key part of this. Will it be successful? Will Africa move out of it's legacy of poverty, disease, corruption and war? Perhaps not, it probably takes a lot more than any given type of software to achieve a social revolution on that scale, but it is not unattainable, and education is a key factor in uplifting any society, and FOSS is changing the face of education in Africa for the better.

A Bare-Bones Guide to Firewalls

By John Murray

An Overview for Home Computer Users

Security is an issue that every Internet-connected user needs to consider. Attackers are using increasingly sophisticated tools to attempt to access our computers, and unfortunately they sometimes succeed. Denial of service attacks, worms, viruses, data theft and plain old vandalism are common, and chances are that if you haven't yet been affected, you know someone who has. Even home dial-up users should be aware of the risks. Firewalling is one of the primary tools for controlling computer security, and in this article I'll try to explain what a firewall is and what it does, without getting bogged down in too much technical jargon. So do you need a firewall? If you connect to the 'net, even via dial-up, the answer is probably yes.

Who This Article Is For

It's for ordinary users who run Linux on their home computers, and who'd like to improve their security without having to wade through reams of documentation. I've tried to write in plain English, keeping it as simple as possible. As a result, this article only just scratches the surface of Linux firewalling, and the areas I've covered are somewhat oversimplified. Hopefully though, there'll be enough detail to get you started.

Whatever you do, don't think that just because you are using Linux that you'll be safe - sure, you'll be immune to most of the worms and viruses out there, but that doesn't mean your machine won't get "owned". And let's face it; some Linux distros as-installed are as insecure as MS Windows...

Firewalls - What They Are and What They Do

Originally, the term Firewall was used to describe a wall isolating one section of a building from another in case of fire. In a computing environment, a firewall performs a similar protective and isolating function, and forms a sort of security gate between your computer and the Internet.

Firewalls can take a variety of physical forms, using both hardware and/or software. They can be dedicated hardware devices, or combined with other devices such as modems or routers. Sometimes a computer will be set up to do nothing but act as a firewall to protect a local network. For the home computer user however, firewalling is usually implemented as a software package installed and configured to protect not just the home computer, but any other computers on the local network that share the Internet connection.

How do They Work?

In simple terms, we could say that firewalls are used to control traffic between your computer (or LAN) and the Internet. More accurately, a firewall is a way of enforcing a policy or a set of rules governing the flow of data packets to and from the outside world. Firewalls that are used to protect home computers are usually based on packet filtering, i.e. data packets are admitted or rejected according to the way the rules are configured. Most firewalling tools for end users will come with a sensible set of rules by default, so that they can benefit from at least some protection even without any configuration.

Some Jargon

Here are a few of the basic terms you are likely to encounter when setting up a firewall. You might already be familiar with them; if so read on anyway to see how they relate to firewalling...

Hosts - A host is simply a computer that is connected to (or a part of) a network. This includes the Internet, which is basically just a network of networks. Firewalls can be configured to prohibit access by specific hosts.

Ports- These are the virtual connection points used by networking services; not to be confused with physical ports like the serial or USB ports. They are allocated an identifying number, and common services are associated with specific ports by convention. For example web servers generally use port 80, outgoing email uses port 25 and so on. Many operating systems will have lots of ports open unnecessarily - these are potential access points for attackers. You could think of ports as being analogous to the doors of a building. For a building to be of any use it must allow some access; on the other hand trying to maintain security in a building with dozens of open or unlocked doors will be impossible. A firewall can not only control access through these doors, it can make the unused doors invisible to hosts on the outside.

Packets - Data doesn't flow between hosts on a network in a continuous stream, but rather it is broken down into manageable chunks called packets. Each packet contains information related to the type of packet it is, where it is going to and where it has come from, as well as the data itself. Firewalls will handle individual packets in one of these ways, depending on how the packet matches the firewall rules:

• Accept (a.k.a. allow) - This lets the packet through the firewall. Same as no firewall.
• Reject - Prohibits the package from passing through. A "destination-unreachable" message is normally sent back to the sending host.
• Drop (a.k.a. deny, blackhole)- Prohibits the packet from passing, with no response sent back to host.

Protocols are the methods or systems that define how networking clients and servers will communicate. You are probably familiar with at least some of these listed here; they are common protocols that can be controlled with firewall filtering rules.

• TCP/IP (Transmission Control Protocol/Internet Protocol) - The main protocol for data delivery over the Internet
• HTTP (HyperText Transfer Protocol) - used for the Web
• FTP (File Transfer Protocol) - used for downloading and uploading files
• UDP (User Datagram Protocol) - used for one-way data flow, e.g. streaming media
• ICMP (Internet Control Message Protocol) - this one allows routers to pass messages to each other, amongst other things. It also allows hosts to "ping" others, which can sometimes reveal useful info to a potential intruder.
• SMTP (Simple Mail Transport Protocol) - for sending email
• Telnet - used to log in to a remote computer, telnet is notoriously insecure. If you really need to do this, use something like SSH instead

Rules - Firewalling is simply the enforcement of a set of configurable rules. Each packet of data is assessed and then accepted or rejected depending on how it compares to criteria set in the rules. Firewall applications allow the user to configure the rules, and then implement them.

Monitoring and Logging

As well as controlling network traffic, firewalling tools also allow you to monitor or log network activity. The type of activity that's reported on is configurable, so that you only need be shown the interesting stuff, and not be overwhelmed with tons of entries describing legitimate traffic. Log files can be somewhat cryptic unless you know what to look for, and can quickly become huge. GUI apps like Firestarter have a big advantage in this area; they can monitor and display the information in a way that is easy to understand.

How Linux Implements Firewalling

Firewalls under Linux (using software) utilize a tool called iptables with the 2.4 series kernels, and ipchains with the earlier 2.2 series kernels. In fact, it's quite possible to run an effective firewall simply by entering ipchains/iptables commands from a shell prompt. These commands configure the rules, and start the packet filtering process. Entering these commands manually would be difficult though, and here's why: first, you'd have to be familiar with the iptables/ipchains syntax to know what to type in. Secondly, because firewall rules tend to be rather complex, it'd be time consuming. Thirdly, you'd have to go through the exercise every time you booted, and fine-tuning would involve typing in more obscure (to the average user) commands. For these reasons, iptables/ipchains is generally run from a script rather than directly from the command line. This way the script can be automatically run at boot-up, and tuning carried out simply by editing the script with a text editor or alternatively from a GUI front end. There are plenty of pre-configured scripts available, and if you prefer your firewalls point'n'clicky, you can do it all with a mouse. So in fact, when we talk about firewall programs, we're really talking about front-ends for iptables/chains. Firewalls for home computers are generally based around iptables' packet filtering capabilities - however, iptables is capable of doing much more.

Setting up your Firewall

Which firewall tool should you choose? This is a bit like asking which editor is best, or which distro to choose - ask twenty different users and you'll get nearly as many different answers. In other words, it doesn't really matter, they all do the job so just use something that suits your own preferences. Running a firewall on a home machine needn't be difficult, and often requires no more than a couple of mouse clicks. Here are your options:

• Use your existing distro-supplied tools - This should probably be your first choice. Most, if not all distros, will set up basic firewalling by default. Mandrake, for example, does this using rules whose "strictness" is determined by the security level you select. The lowest security level under Mandrake doesn't provide any firewalling, while the highest enables a firewall using relatively restrictive rules. You can change the security level at any time, not just at installation. Other home-desktop style distros will have similar tools, but they aren't always listed in the menus or some other conspicuous place. This means you might have to dig through your distros documentation to find out what tools are available (there may be several, including GUI tools), and how to run them. Most distros (e.g. Mandrake again) include a great tool named Bastille that allows easy firewall configuration, as well as many other security related tasks. Some Internet related programs (e.g. Roaring Penguin's ppp-oe package) can also set up a firewall, though the configuration options may be somewhat limited.
• Use a Pre-Configured Script - There are plenty of these available for download on the 'net. These scripts usually have a well-commented configuration section that you can edit to suit your own requirements. This makes it easy to tailor your firewall without having to understand lots of obscure iptables options. They are usually sensibly configured by default, so will provide reasonable protection for most users as-is. Most people will probably want to add their firewall script to their start-up scripts to enable the firewall on boot-up.
• Use a GUI Firewall - For those who prefer graphical, mouse-click type tools, there are some of these available as well. These are basically graphical front ends for iptables scripts, and are an exceptionally easy way to configure and run a firewall. They have the advantage of being a simple way to monitor network activity like uninvited connections and port scans etc.
• The Hardware Firewall - It's unlikely that you'd run a dedicated hardware firewall on your home computer or network, but that doesn't mean some sort of hardware option is out of the question. There are quite a few ADSL modems/routers on the market that include firewalling capabilities, and they're often no more expensive than a plain modem. The firewalling functions on these devices require little or no setup, so for some they can be an attractive option.
• The Dedicated Firewall PC - Yet another option for those running a home network is an old PC (e.g. 486) set up as a dedicated firewall/router. There are distros designed for this type of application (e.g. Smoothwall) that are easily set up via a web browser. If you have a few machines on your network, this might be a good way to set up a cheap and secure gateway.

Configuration

Before you even start, make sure you have no unnecessary services running. Some of the older distros in particular would run all sorts of servers by default, so turn 'em off and strip them from your startup scripts. Whichever way you choose to run your firewall, you'll probably need to configure a few things. In general, I'd recommend starting off by blocking just about everything, and only opening things up if they prove to be too restrictive. The general idea is to shut off anything that you don't need. Some questions you may be asked include:

• Your Internet and LAN interface, e.g. ppp0 and eth0
• Ports you will allow access to. For the average home user who just wants to browse the web and do email etc. you can just close them all. You might find that some apps (p2p filesharing apps, or online gaming for example) will complain, but you can always open ports later if you need to. Of course, those running servers will need to keep the appropriate ports available - but then if you are running servers, you should be taking security very seriously, and I strongly recommend that you get more detailed advice than what's available here...
• Permitted protocols - Again, only allow what you need.
• The address of the internal LAN
• The addresses of any hosts that you want to explicitly exclude from accessing your computer.
• What to do with unwanted packets - i.e. set to "REJECT" or "DENY"

Testing your firewall

It's important to check that your firewall is actually running, and doing what it's supposed to be doing. The easy way to do this is to connect to one of the online services like ShieldsUp or Sygate Online Services. These can tell you quite a bit (using wanky buzzwords like "stealthed"), such as which ports are open, closed or blocked, how your computer responds (or doesn't) to different types of requests and so on.

Links

There is an abundance of firewall related stuff on the web. Here are a few that may interest you:

Some Ready-Made Firewall Scripts:
MonMotha's Firewall Scripts are popular, and a good choice for non-techie users. The configuration section is brief and simple, and the script is well commented.
Arno's Firewall Script is another popular choice, but more complex and detailed than MonMotha's.

Graphical (GUI) Firewalling Tools:
Firestarter is very widely used, and has a graphical interface and firewall setup and monitoring capabilities.
TurtleFirewall is an easy to use tool with a graphical configuration via Webmin.
Guarddog A firewall setup tool for KDE users..

Other Tools
Smoothwall is a software package designed to turn a PC into a dedicated firewall/router. Configured through a web browser, and a cost effective way of protecting a local network.

Documentation
The comp.os.linux.security FAQ is an excellent source of further security related information.
The Internet Firewalls FAQ - the name says it all..
The Linux iptables HOWTO For the more adventurous, this HOWTO shows how to work with iptables directly.
Netfilter/iptables Firewall Page - A comprehensive list of links to firewall related sites.

Disclaimer - I don't claim to be an expert on firewalls or security (or anything else for that matter). In other words, use the information in this article at your own risk.

John is a part-time geek from Orange, Australia. He has been using Linux for four years and has written several Linux related articles.

Firewalling with netfilter/iptables

By Barry O'Donovan

Introduction

iptables is Linux's firewall which has been a part of the kernel since version 2.4. It is often referred to as a packet filter as it examines each packet transferred in every network connection to, from, and within your computer. iptables replaced ipchains in the 2.4 kernel and added many new features including connection tracking (also known as stateful packet filtering). In this article we will use iptables to build simple but effective firewalls for the following scenarios using allow/disallow rules based on IP addresses, ports, and states:

1. a standard home computer;
2. a home/small office network with a single Internet connection;
3. port forwarding for a home/small office network.

Rules, Targets, Chains, Tables, States, and all that jazz

iptables makes decisions on what to do with a packet based on rules that the system administrator creates. Data is passed through the Internet in the form of packets of information; connecting from your computer to a website will cause many packets to be exchanged in both directions. A rule specifies the criteria necessary for a packet to match it. A decision is known as a target and it can be a user-defined chain (not covered in this article) or one of the following:

ACCEPT
	Allow the packet through the firewall.
DROP
	Drops the packet; the packet is not allowed through the firewall
	and the sender of the packet is not notified.  

Rules are grouped into chains which in turn are contained in tables. There are three default tables which the packets may traverse; we are only concerned with one of these right now: the filter table. This is the default table and contains three chains:

OUTPUT
	For packets generated by and leaving your computer; for example
	when you connected to the Linux Gazette's web site your browser
	created a packet and sent it out of your computer to the Gazette's
	server.
INPUT
	Any packets coming into your computer; for example the packets
	containing the Gazette's web page sent back by its server to your
	browser.
FORWARD
	For packets being routed through your computer; for example
	entering one network card and leaving through the other. We will
	cover this in more detail later.

The two other tables available by default are the nat table and the mangle table; we will use nat later for setting up a home network when only one network connection is available.

As I mentioned in the introduction, iptables is capable of stateful packet filtering. This means that we can create rules not only based on IPs and ports but also on whether a packet exists in any of the following states:

NEW
	The packet is trying to start a new connection; for example when
	you first connected to the Linux Gazette website your browser
	attempted to create a new connection with the Gazette's web server.
ESTABLISHED
	A connection that has seen packets travel in both directions; once
	the Gazette's web server replied to your browser the connection is
	established.
RELATED
	A packet that is starting a new connection but is related to an
	existing connection. An example of this is downloading a file over
	FTP. When you first connect to an FTP server you are creating a new
	connection to its FTP port. However, when you download a file from
	the FTP server using this connection a second new connection is
	made between your computer and the FTP server for the file
	download. Although it is a new connection it is related to the
	first. This stateful packet filtering is useful as this new
	connection does not use the FTP port and simple port based rules
	are not appropriate for this.
INVALID
	This packet is associated with no known connection. These packets
	should be dropped.

Creating and Storing Rules

Rules can be appended to the chains directly by using the iptables command. For example, to add a new rule to allow new connections to a web server running on your computer from anywhere we would execute the following:

$ iptables -A INPUT -s 0/0 -d 1.2.3.4 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT

-s (or --src or --source) and -d (or --dst or --destination)
	is the source and destination specification of the packet. It is
	usually an IP address with an optional mask. 

0/0 is shorthand for 0.0.0.0/0.0.0.0 meaning that the source can be any IP address. 

1.2.3.4 is the IP our your machine and is equivalent to writing 1.2.3.4/32
or 1.2.3.4/255.255.255.255 meaning the destination must be this and only
this IP. Other examples include:

1.2.3.0/24
    Any IP in the range 1.2.3.0 to 1.2.3.255 (256 possible IPs). Could also
    have been written as 1.2.3.0/255.255.255.0

1.2.0.0/16
    Any IP in the range 1.2.0.0 to 1.2.255.255 (65536 possible IPs). Could
    also have been written as 1.2.0.0/255.255.0.0

! 1.2.3.0/24
	The exclamation mark inverts the match so this will result is a
	match if the IP is anything except one in the given range 1.2.3.0
	to 1.2.3.255.

-m state --state NEW
	matches only packets that have a status of NEW. This can be anyone
	of or a comma separated list of the four possible states.

-p tcp
	apply this rule to packets using the TCP protocol only. This can be
	anyone of tcp, udp, icmp or all (default). The exclamation mark can
	be used to invert the match.

--dport 80 (or --destination-port)
	matches a packet trying to connect to port 80. The exclamation mark
	can be used to invert this match also. A range of ports can be
	given in the format begin:end.

-i eth0 (or --in-interface eth0)
	name of an interface via which a packet is going to be received.
	Possible interfaces on your computer can be found using the command
	'ifconfig'. In this example your computer is connected to
	the Internet through the first (or only) ethernet card.

-j ACCEPT
	the target. In this case, if the incoming packet is creating a new
	TCP connection from anywhere to port 80 on your computer through
	the first ethernet card, we will allow it through.

Note that in all of the following examples I am assuming that your computer is connected to the Internet through an ethernet card. Change eth0 for wifi0, ppp0, etc., as appropriate for your computer. Furthermore I'm assuming that your computer's IP address is 1.2.3.4.

Obviously we do not want to set up the firewall manually everytime we boot the computer. Most Linux distributions will give you the option of having these rules loaded automatically at boot from a file; in fact most distributions will come with a preconfigured firewall as standard. The location of this file will vary from distribution to distribution but it should be easily found by executing locate iptables'. For RedHat or Fedora Core users it can be found at /etc/sysconfig/iptables.

The essential elements of this file are:
(I have added the line numbers for explanation - they should not appear in a file intended for use with iptables):

1 # Firewall configuration
2 *filter
3 :INPUT <target> [0:0]
4 :FORWARD <target> [0:0]
5 :OUTPUT <target> [0:0]
6
7 # your rules here
8 
9 COMMIT

Line 2 of this file tells iptables that the following rules apply to the filter table. The next three lines (3-5) define the default targets for the three chains. We place our rules after these and before COMMIT, which does just that; commits our rules to the firewall.

Each packet traverses the rules of the appropriate chain from the first to the last. If a packet matches a rule then it stops traversing the chain at that rule and its fate is decided by that rule's target. If the packet does not match any rule then its fate is the default target of its chain.

I would recommend using the following skeleton configuration for all your firewalls:

 1 *filter
 2 :INPUT DROP [0:0]
 3 :FORWARD DROP [0:0]
 4 :OUTPUT ACCEPT [0:0]
 5
 6 # allow local loopback connections
 7 -A INPUT -i lo -j ACCEPT
 8
 9 # drop INVALID connections
10 -A INPUT   -m state --state INVALID -j DROP
11 -A OUTPUT  -m state --state INVALID -j DROP
12 -A FORWARD -m state --state INVALID -j DROP
13
14 # allow all established and related
15 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
16 
17 # add anymore rules here
18
19 COMMIT

I've set the default target for the INPUT and FORWARD chains to DROP, while allowing all outgoing connections (lines 2-4). On a standard server or home computer we should not be routing any packets as standard (we will later and we will look at this in more detail then). Any outgoing connections will come from our computer and we can generally assume that they are not a security problem. In contrast, all incoming packets should be treated as a security risk unless we have explicitly allowed them.

Line 7 tells iptables to allow all connections originating from the local loopback network interface. This is used by many applications to connect to local services and you must permit these connections. Lines 10-12 drop all connections with a state of INVALID.

Line 15 should be self explanatory - it allows all incoming established or related connections through the firewall. For a connection to become established or related it must first have had a state of NEW and have been allowed though the firewall via a matching rule (had it not been allowed through it would have been dropped by default and could not result in an established or related connection).

Scenario 1: Standard Home Computer

For the standard user using his/her home computer for Internet browsing, e-mail, etc. then the above firewall is all that is needed as it allows all connections out while preventing any connections that are not related.

For a more paranoid user that wants to control and log all outgoing connections we might use a firewall configuration such as the following:

 1 *filter
 2 :INPUT DROP [0:0]
 3 :FORWARD DROP [0:0]
 4 :OUTPUT DROP [0:0]
 5
 6 # allow local loopback connections
 7 -A INPUT -i lo -j ACCEPT
 8
 9 # drop INVALID connections
10 -A INPUT   -m state --state INVALID -j DROP
11 -A OUTPUT  -m state --state INVALID -j DROP
12 -A FORWARD -m state --state INVALID -j DROP
13 
14 # allow all established and related
15 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
16 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
17
18 # allow connections to my ISP's DNS servers
19 -A OUTPUT -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
20 -A OUTPUT -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
21
22 # allow outgoing connections to web servers
23 -A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT
24 -A OUTPUT        -m state --state NEW -p tcp --dport https -o eth0 -j ACCEPT
25
26 # allow outgoing mail connections to my ISP's SMTP and POP3 server only
27 -A OUTPUT -d 2.3.4.5 -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT
28 -A OUTPUT -d 2.3.4.5 -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT
29
30 # log all other attempted out going connections
31 -A OUTPUT -o eth0 -j LOG
32 # default is to DROP out-going connections
33 
34 COMMIT

This configuration denies all connections by default and only allows those we explicitly define rules for. Line 16 adds a second rule based on the established or related rules for outgoing connections. Just as with line 15, this is necessary as the default rule of the OUTPUT chain is DROP. Also note that when we specifying the interface for the OUTPUT chain rules we use -o (or --out-interface) as opposed to -i.

The first rules we have added (lines 19 and 20) are to allow outgoing connections to your ISP's DNS server; I am assuming your ISP has a primary and a secondary DNS server with IPs 2.3.4.10 and 2.3.4.11 respectively. These connections are essential so your computer can convert a domain name (such as www.linuxgazette.net) into its IP address; without that conversion we would not be able to connect to the website. DNS lookups are usually done via the UDP protocol. Unless you are doing anything out of the ordinary this should be sufficient.

The next two rules (lines 23 and 24) allow your Internet browser to connect to any website using both the normal and the encrypted protocols. You'll notice that I have used http and https to specify the ports here instead of 80 and 443. This makes the rules more readable and you can substitute the service name for any port so long as it appears in the file /etc/services. You should also notice that in the second rule I omitted the destination IP mask; this is equivalent to writing 'match any destination IP' (-d 0/0). Lastly, I could have turned these two rules into one using:
-A OUTPUT -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT

Another standard operation that a home computer would be used for is e-mailing. E-mailing requires two services: SMTP to send mail and POP3 (or IMAP in some cases) to receive mail. I have added a rule for each of these (lines 27 and 28) where I am assuming that your ISP uses the same server for both (2.3.4.5). In most cases your ISP will not give you the IPs of its mail servers, but instead their domain names; e.g. mail.my-isp.com. We can rewrite these rules using this as follows:
-A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT
-A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT
It is generally a better idea to use IPs wherever possible.

The final rule has a target we have not come across yet: the LOG target. This logs the details of a matching packet. You can review the log with the dmesg command or via syslogd. Some distributions have a utility called logwatch which will format these reports into an e-mail sent to the root account. The LOG target is a non-terminating target; the packet will continue traversing the chain. So in the above example we log all outgoing packets that have not matched one of the rules, that packet continues traversing the chain and as there are no other rules, the default target for the OUTPUT chain is used (DROP).

If you use any other services, such as Jabber, IRC, file sharing clients, etc., you will have to add rules for these also. Just follow the above example. If you don't know what ports to open and you can't find it in /etc/services, then add a logging rule at the beginning of the rules, e.g.
-A OUTPUT -i eth0 -j LOG
and examine the output of the command dmesg (look for the destination port, DPT=???). I also feel I should mention that filtering the OUTPUT chain in this manner can be quite problematic; you might find some programs hanging or freezing while they try and establish connections you never thought of allowing, or using the UDP protocol instead of the TCP, etc. Unless you really want or need to lock the OUTPUT chain down, it might be just as easy to set the default rule to ACCEPT and then block the outgoing connections on a case by case basis.

Scenario 2: Home Network with a Single Connection

Most home users and small offices connect to the Internet via a single dial-up, ISDN or broadband (DSL) connection. This scenario covers the problem: 'I only have a single network connection, but I would like all my computers to have Internet access. How is this possible?' The examples in this scenario will enable you to set up a home or office network using your networked computer as a gateway for your other computers.

Figure 1 - Author's Home Network

My own situation is depicted in Figure 1; I have a single broadband connection with a static IP address (1.2.3.4) connected to eth0. My second ethernet card (eth1) is a wireless PCI card. In my home there are two laptops, each also with wireless cards built in.

The first issue is that every computer on the Internet needs to be uniquely identifiable by an IP address. Irrespective of whether you have a dial-up or a broadband connection, you will only have been assigned one IP address. This can either be static (some broadband ISPs will allocate you a single IP that will not change) or dynamic (you will be assigned different IPs every time you reconnect to the network). When you send out a packet it includes the destination address and the source address. Although we can send a packet with any source address, only replies to ones with your source address will return to you.

Now we must assign an IP to every network interface on the network. In the case of eth0, it was assigned by my ISP. But what IPs will we give the wireless interface and the laptops? ICANN (Internet Corporation For Assigned Names and Numbers) has assigned certain blocks of IPs for use in private networks. One of these blocks is given by the IP mask 192.168.0.0/255.255.0.0. Which IPs of this set you choose to use is entirely up to you. As you can see from Figure 1, I have assigned 192.168.0.1 to my wireless PCI card, and 192.168.0.2 and 192.168.0.3 to the laptops.

The nat (network address translation) table of iptables allows us to use one IP address for many different computers and works as follows: if the first laptop tries to connect to a website it sends a packet with the source address of 192.168.0.2 to eth1 of the networked computer. The networked computer will then forward this packet from eth1 to eth0. Just before the packet is transmitted, the nat table will change the source address from 192.168.0.2 to 1.2.3.4. iptables will automatically remember that it did this and when the reply packets arrive with a destination of 1.2.3.4 and change it to 192.168.0.2, routing it through eth1 to the laptop.

Let's begin with the firewall configuration:

 1 *filter
 2 :INPUT DROP [0:0]
 3 :FORWARD DROP [0:0]
 4 :OUTPUT DROP [0:0]
 5
 6 # allow local loopback connections
 7 -A INPUT -i lo -j ACCEPT
 8 
 9 # drop INVALID connections
10 -A INPUT   -m state --state INVALID -j DROP
11 -A OUTPUT  -m state --state INVALID -j DROP
12 -A FORWARD -m state --state INVALID -j DROP
13
14 # allow all established and related
15 -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
16 -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
17 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
18 
19 # allow connections to my ISP's DNS servers
20 -A OUTPUT  -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
21 -A OUTPUT  -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
22 -A FORWARD -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT
23 -A FORWARD -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT
24 
25 # allow outgoing connections to web servers
26 -A OUTPUT  -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT
27 -A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 \
	-i eth1 -j ACCEPT
28 
29 # allow outgoing mail connections to my ISP's SMTP and POP3 server only
30 -A OUTPUT  -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 \
	-o eth0 -j ACCEPT
31 -A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 \
	-o eth0 -j ACCEPT
32
33 # log all other attempted out going connections
34 -A OUTPUT -o eth0 -j LOG
35 -A FORWARD -j LOG
36 # default is to DROP out-going connections
37 
38 COMMIT
39 
40 *nat
41 
42 # set up IP forwarding and nat
43 -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
44 
45 COMMIT

As well as demonstrating NAT, this example also introduces the use of the FORWARD chain. The networked computer is now also working as a router; as well an nat-ing the packets from the laptops, it is also routing them from eth1 to eth0 and vice-versa. As such we have adding another ESTABLISHED,RELATED rule on line 17, this time for the FORWARD chain.

Similarly, on lines 22,23,27,31, and 35, I have added in lines to allow the same connections we were allowing previously to come from the FORWARD chain. However, there is one big security risk here: I have not specified any source address. Anyone within range of the wireless network can assume an unused IP and use your broadband connection. We would prevent this by changing line 27, for example, to:

-A FORWARD -s 192.168.0.2 -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https \
	-o eth0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.3 -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https \
	-o eth0 -i eth1 -j ACCEPT

The iptables NAT-ing magic happens in the nat table with one rule:
-A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 It's as simple as that! Almost. IP forwarding is disabled in the kernel by default and you must execute the following to turn it on:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
You can place this line in the iptables startup scripts (usually /etc/rc.d/init.d/iptables) or, preferably, in the /etc/rc.d/rc.local script which is the last script executed during startup.

What if you are using a dynamic IP? Simply change line 43 to:
-A POSTROUTING -o eth0 -j MASQUERADE
This is a special case where the source IP of the outgoing packets are changed to the IP of the outgoing interface; i.e. the IP of eth0. This can be used for a static IP as well but you are advised to use the appropriate version for your set-up.

Using the wireless network as depicted will also require setting the essid and mode parameters of the wireless card. The essid is simply a one-word name for the wireless network. The mode in this example will be Ad-Hoc as opposed to Managed (usually the default) as the network cards are communicating directly as opposed to using a base station. These settings can usually be configured with the following commands:
$ iwconfig eth1 essid barry_home
$ iwconfig eth1 mode Ad-Hoc
(replacing eth1 with eth0, wifi0, etc. as appropriate.

This scenario will work just as well if your set-up is a more typical small office set-up as depicted in Figure 2.

Figure 2 - Typical small office network

In this case the networked computer is connected to a port on the switch or hub through eth1, and all other office computers are each connected to one of the other ports. The exact same firewall configuration as that in Listing 4 can be used.

Required network settings for this configuration

To be able to access the Internet using NAT a number of network configuration settings are required by each computer; the DNS server(s) IP address(es), the gateway IP, subnet mask and an IP address. For the networked computer these will all be supplied by the ISP; let's assume that the ISP provided the following:

  
IP address: 1.2.3.4

Subnet mask: 255.255.255.192

Primary DNS: 2.3.4.10

Secondary DNS: 2.3.4.11

Gateway: 2.3.4.1

The settings for each of the computers using NAT will then be:

  
IP address: 192.168.0.???

Subnet mask: 255.255.255.0

Primary DNS: 2.3.4.10

Secondary DNS: 2.3.4.11

Gateway: 192.168.0.1

Note that the gateway for the NAT-ed computers is the second network interface of the networked computer.

Scenario 3: Port forwarding

For the last scenario, let us imagine that instead of hosting your web server on the firewall machine you want to host it on one of the others, say 192.168.0.3. Let us also assume that you're using the Jakarta Tomcat web server which listens on port 8080 by default. Can we use iptables to forward all requests from the firewall to the web server, and to forward all the responses back through the firewall to the originating request? Absolutely and, again, we can do it through the magic that is NAT.

Figure 3 - Port forwarding

There are two types of NAT; source NAT (SNAT) and destination NAT (DNAT). Scenario 2 used SNAT where we altered the source address of the packets coming from our internal network. This scenario will use DNAT to change the destination address of packets coming into our networked machine from the Internet.

This can be accomplished by adding one simple line (44) to our firewall:

40 *nat
41 
42 # set up IP forwarding and nat
43 -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
44 -A PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.0.3:8080
45
46 COMMIT

Ensure you have enabled the kernel's IP forwarding when using the nat table. Now all connections originally bound for port 80 on our networked machine will be forwarded to port 8080 of 192.168.0.3.

Last Remarks

One type of connection we did not cover was 'pings'. If you are running a server it is generally a good idea to allow echo-requests pings through the firewall using the following rule:
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
You can use the -s option to limit the source IPs that are allowed to ping your machine.

Lastly, a common misconception among many people is that a firewall is "the last line of defence". It is not. It is only the first line of defense in what should be a properly secured, configured and up-to-date machine.

Community Disclaimer

This article is intended as introduction to iptables with practical and useful examples. It is nothing more and nothing less.

More Information

The best place for reading more on iptables and firewalling is the iptables homepage. It contains many how-to documents and tutorials:
http://www.netfilter.org/
And, as always, the man page for iptables gives a quick overview of the default options and tables.

If you found this article interesting then you might be interested in looking up some of the other features of iptables:

• the mangle table; used for specialised packet alteration
• the string module; allows rule matching based on strings occurring anywhere within the data payload of a packet
• time-based rules; allows rules based on time of day and day of week
• tarpits; allows you to "catch and hold" connections from potential hackers, using up their resources but not your own
• control over limits on quota and bandwidth usage
• randomising; match packets randomly. Can be used for load balancing with DNAT, to simulate a faulty connection, etc.

Barry O'Donovan graduated from the National University of Ireland, Galway with a B.Sc. (Hons) in computer science and mathematics. He is currently completing a Ph.D. in computer science with the Information Hiding Laboratory, University College Dublin, Ireland in the area of audio watermarking.

Barry has been using Linux since 1997 and his current flavor of choice is Fedora Core. He is a member of the Irish Linux Users Group. Whenever he's not doing his Ph.D. he can usually be found in the local pub or running in the local park.