Category Archives: Server Administration

How long have I been asleep?

…It has been quite a while since I last updated my blog. There are so many things going on in my life lately (in a good way) and I can say that I’m on the verge of a major shift of paradigm and perspective, especially with regard to my career & future. And yes, Open Source is still the key element of it. 🙂

Recently I’ve been leading a project to implement a solution consisting of Nagios and OCS Inventory (with GLPI) for a local company which has a large number of IT assets spread all over Malaysia. It was quite an experience and I can say the scale of the project is the largest I’ve been involved in so far in my career. There were a lot of challenges, hiccups, headaches and even frustrations during the project, but in the end everything completed successfully.

I will provide the details if I have spare time, so stay tuned for more updates.

Vuurmuur firewall management interface for Linux Iptables

In my previous post regarding iptables, I mentioned an iptables management tool called Vuurmuur (http://www.vuurmuur.org/). Most people have probably heard about FireStarter, KMyFirewall and ShoreWall. Basically Vuurmuur serves the same purpose: providing an easy way to manipulate iptables rules so that users can manage their firewall without having to worry about all those complex iptables commands. Those tools give us the ability to work with iptables either through a graphical interface or by adjusting configuration files.

Vuurmuur Rules List

The thing I like about Vuurmuur is that it uses an Ncurses interface, meaning that you can manage it via a terminal console or SSH. The drawback of tools such as FireStarter and KMyFirewall is that you need a graphical desktop, which makes them hard to manage remotely, especially over a slow internet connection or if you are using a Windows machine for the administration. Some other tools provide a web-based management interface, such as Smoothwall (via Webmin) or dedicated firewall boxes like IpCop and Astaro Internet Security, but exposing those web interfaces to the internet wouldn’t be a recommended practice. Furthermore, the web interface provided by Astaro Internet Security is too slow for a remote user.

So if you need a very light (and yet POWERFUL) solution suitable for frequent remote administration, either you use the pure command line iptables command, or a config-file-based tool such as ShoreWall, or lastly, if you really need a non-web-based GUI, then Vuurmuur would be the ideal answer. You can simply SSH in from anywhere (provided that you allow remote SSH) or use the Windows SSH client called PuTTY.

Apart from that, I am also pleased with its ability to do other things such as providing a realtime log viewer, traffic shaping, traffic volume monitoring and lots more. Combine those things with IPTraf and you will get hooked in front of your ‘blue screen’ for the whole day, even worse than watching a blue film. 😉

Vuurmuur realtime log viewer

Simple port forwarding with Iptables in linux

One of the most common questions I receive from my customers is how to set up simple port forwarding on top of their existing iptables firewall rules. Most of my customers are using CentOS 5 and only use the standard iptables provided by default upon operating system installation. For a more complicated setup I usually recommend an existing iptables management interface/package (my favorite is Vuurmuur), but for those who just need one simple rule, the guide below should be enough.

Assumptions:

  • Only IPv4 is used
  • Two machines are involved: the Linux machine that will act as the gateway/forwarder (IP: 192.168.0.1) and the destination machine (IP: 192.168.0.100)
  • The port to be forwarded is 5901 (change it to whatever port you want)
  • This guide is based on CentOS 5; some other distros can use the same setup, but others might need additional modification
  • The iptables service is turned on, and SELinux is turned off

Firstly, we have to make sure that the kernel allows IP forwarding. Edit /etc/sysctl.conf and make the amendment below:

net.ipv4.ip_forward = 1

To activate the setting above immediately without a reboot, run

sysctl -p /etc/sysctl.conf

Then run each of the commands below.

To allow forwarding specifically to machine 192.168.0.100 in the FORWARD chain:

iptables -I FORWARD -p tcp -d 192.168.0.100 --dport 5901 -j ACCEPT

The actual port forwarding rule (it must match on the interface the connections arrive on, eth0 here, not on the loopback interface, which only sees the gateway’s own traffic):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5901 -j DNAT --to-destination 192.168.0.100:5901

To masquerade the routed connection so that the destination machine treats it as a local connection from the gateway (and sends its replies back through the gateway):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The port forwarding rules should be ready by now; you can test them with a common tool like telnet.

To view the current rules, run

/etc/init.d/iptables status

Bear in mind that the iptables modifications above are only effective for the current boot session; they will be reverted to the original setup after a reboot. To make the rules permanent, first back up your existing iptables template: simply copy /etc/sysconfig/iptables to another place or name.

After that, just run the command

service iptables save

This will store your modified iptables rules in /etc/sysconfig/iptables, making them persist even after a reboot.
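The guide above is typed as three separate commands with hard-coded values. As an added example (not part of the original post), here is the same procedure as a small script: it validates the target address and port, checks that the kernel setting from /etc/sysctl.conf is actually active, generates the three rules from variables, and prints them in dry-run mode (the default) so they can be reviewed before being applied as root. The interface name, target address and port are the post's assumed values and can be overridden through the environment; the MASQUERADE rule is deliberately narrowed to the forwarded flow rather than all traffic leaving eth0, which is a tighter setting than the one-line rule in the post.

```shell
#!/bin/sh
# Added example (not the post's own commands): the three iptables rules from the
# guide above, generated from variables, with validation and a dry-run mode.
# Defaults mirror the post's assumptions; WAN_IF/TARGET_IP/PORT are overridable.
WAN_IF="${WAN_IF:-eth0}"                # interface the forwarded connections arrive on
TARGET_IP="${TARGET_IP:-192.168.0.100}" # machine that really serves the port
PORT="${PORT:-5901}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only print the commands (applying needs root)

# valid_ipv4 ADDR: four dot-separated decimal octets, each 0-255
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_port NUM: a TCP port in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ip_forward_enabled: the kernel setting the post turns on via sysctl.conf
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# forward_rules: print one iptables argument list per line, in the order they
# should be applied. The DNAT rule matches on $WAN_IF; the MASQUERADE rule is
# narrowed to the forwarded flow instead of everything leaving $WAN_IF.
forward_rules() {
  echo "-I FORWARD -p tcp -d $TARGET_IP --dport $PORT -j ACCEPT"
  echo "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $TARGET_IP:$PORT"
  echo "-t nat -A POSTROUTING -o $WAN_IF -p tcp -d $TARGET_IP --dport $PORT -j MASQUERADE"
}

# apply_rules: print (DRY_RUN=1) or execute each rule; stops at the first failure
apply_rules() {
  forward_rules | while IFS= read -r rule; do
    if [ "$DRY_RUN" = 1 ]; then
      echo "iptables $rule"
    else
      # unquoted on purpose: the rule string is a list of iptables arguments
      iptables $rule || exit 1
    fi
  done
}

# Usage: sh forward.sh apply            (dry run, prints the commands)
#        DRY_RUN=0 sh forward.sh apply  (as root: applies them)
if [ "${1:-}" = "apply" ]; then
  valid_ipv4 "$TARGET_IP" && valid_port "$PORT" || {
    echo "invalid TARGET_IP/PORT: $TARGET_IP/$PORT" >&2; exit 2; }
  ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; set it in /etc/sysctl.conf and run sysctl -p" >&2
  apply_rules
fi
```

After applying for real, `service iptables save` is still needed to keep the rules across a reboot, exactly as the post describes.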

Creating internal/local Centos 5 repository with rsync

Below is the bash script I use to mirror the CentOS repository to our local server. Due to storage limitations, we have to be selective and only copy the packages/branches that we need. Currently we only mirror the CentOS 5 “os” and “updates” base packages, limited to the i386 and x86_64 architectures.

During the initial intensive downloading, when the server is replicating for the first time, I run the script below from cron every 30 minutes. The script checks whether the previous instance is still running or dead (sometimes we get disconnected). If it is dead, the script restarts and continues the rsync process. Once everything is in place and all needed packages have been downloaded, I change the cron job to run once every 6 hours to make sure my server is up to date.

The script below is inspired by the script posted here by jlar310.

#!/bin/sh
# created by Jalte @ http://www.ridinglinux.org
# Mirrors selected CentOS branches/architectures with rsync. A pid file keeps two
# instances from running at once; a pid file whose process is gone is treated as
# a stale lock and removed so the next cron run can continue the download.

DATE=`/bin/date +%Y-%m-%d`
OUTFILE=/var/www/html/mirror/centos-mirror.log
LOG=/var/log/rsynccentos.log
PIDFILE=/var/run/rsynccentos.pid
RSYNC="/bin/nice /usr/bin/rsync --verbose --progress --delete-excluded --stats --archive --partial --timeout=600"
MIRROR=mirrors.kernel.org::centos
VER=5
ARCHLIST="i386 x86_64"
BASELIST="os updates"
LOCAL=/var/www/html/mirror/centos

date >> "$LOG"

if [ -f "$PIDFILE" ]; then
   RUNPID=`cat "$PIDFILE"`
   if ps -p "$RUNPID" > /dev/null 2>&1; then
      echo "Mirror is already running..."
      echo "Mirror is already running..." >> "$LOG"
      exit 1
   else
      echo "Mirror pid found but process dead, cleaning up"
      echo "Mirror pid found but process dead, cleaning up" >> "$LOG"
      rm -f "$PIDFILE"
   fi
else
   echo "No process detected"
   echo "No process detected" >> "$LOG"
fi

echo $$ > "$PIDFILE"

echo -n "Rsync started at "
echo "Rsync started " >> "$LOG"
date

# Start each run with an empty rsync log; every branch/arch below appends to it
: > "$OUTFILE"

for ARCH in $ARCHLIST
do
  for BASE in $BASELIST
  do
    DIR=$LOCAL/$VER/$BASE/$ARCH/
    if [ -d "$DIR" ]
    then
      echo "Directory exists."
    else
      echo "Directory does not exist, and will be created."
      mkdir -p "$DIR"
    fi
    REMOTE=$MIRROR/$VER/$BASE/$ARCH/
    # append (>>) so the log keeps all four rsync runs, not just the last one
    $RSYNC "$REMOTE" "$DIR" >> "$OUTFILE" 2>&1
  done
done

date > /var/www/html/mirror/centos-last-updated.log
chown -R apache:apache "$LOCAL"
# release the lock so the next run does not have to detect a stale pid
rm -f "$PIDFILE"

Any comments are greatly appreciated.

Installing Kolab Groupware Solution + Horde

My team has been assigned the task of identifying a suitable email/collaboration suite to propose to our customers. We need some basic features such as email (with IMAP & POP support), calendaring, to-do lists and groupware client connectivity for clients such as Kontact, Evolution and optionally MS Outlook.

For a start we decided to try out Kolab Groupware Solution, as some of its features suit our clients’ environment: it uses OpenPkg as the installation medium (our clients could use any type of distro), it uses Postfix, OpenLDAP and Cyrus IMAP as the back end, and last but not least it uses Horde as the front-end interface.

Below is a simplified installation guide for the solution. We are using a freshly installed CentOS 5 machine with the minimum package installation.

– Make sure SELinux is disabled (use setup)

– Install GCC for the compilation process
yum install gcc

– Install GCC 3.4 (compatibility package) to resolve the gcc conflict
yum install compat-gcc-34

– Make GCC 3.4 the default gcc tool
mv /usr/bin/gcc /usr/bin/gcc41
ln -sf /usr/bin/gcc34 /usr/bin/gcc

– Create the kolab template directory
mkdir /kolab-template
cd /kolab-template

– Download the kolab sources
wget -r -l1 -nd --no-parent http://ftp.belnet.be/packages/kolab/server/release/kolab-server-2.1.0/sources/

– Verify file integrity (optional, but it catches a truncated or tampered download before hours of compilation)
gpg --verify MD5SUMS
md5sum -c MD5SUMS

[Checkpoint #1]

– Create the kolab production directory
cp -afv /kolab-template /kolab
cd /kolab

– Make sure that the following names are not in /etc/passwd or /etc/group:
“kolab”, “kolab-r”, “kolab-n”. If they exist, delete them and run “pwconv”.

– Start compilation.
sh obmtool kolab 2>&1 | tee kolab-build.log

*This process takes some time, so it is advisable to use ‘screen’ if you are connected remotely.

– If compilation fails, simply delete/rename the /kolab folder
and restart the process at [Checkpoint #1]

– Start the installation
/kolab/etc/kolab/kolab_bootstrap -b

– Start the services
/kolab/bin/openpkg rc all start

– Try to access it (using your web browser)
https://kolab_address/admin

– Stop the kolab services
/kolab/bin/openpkg rc all stop

– Download the modified kolab sources (for Horde support)
mv obmtool.conf obmtool.conf.bak
wget -r -l1 -nd --no-parent http://build.pardus.de/downloads/kolab-horde-tmp

– Some hacking of obmtool.conf is needed because the links it provides are already dead
– Change
URL="ftp://ftp.klaralvdalens-datakonsult.se/pub/kolab/server/current/2.1"
– to
URL="http://build.pardus.de/downloads/kolab-horde-tmp"

– Start the re-compilation
sh obmtool kolab 2>&1 | tee kolab-build.log

– Start the re-installation
/kolab/etc/kolab/kolab_bootstrap -b

– Restart the kolab services
/kolab/bin/openpkg rc all start

– Try to access it (using your web browser)
http://kolab_address/horde
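Several steps above are checks rather than commands: the MD5SUMS verification, the reserved account names that must not exist before obmtool runs, SELinux being disabled, and gcc 3.4 being the default compiler. As an added example (not part of the original guide), the script below bundles those checks into one pre-flight run that can be repeated at [Checkpoint #1] before starting the long compilation. The PASSWD_FILE and GROUP_FILE variables default to the real system files but can be pointed at other files, which is how the checks can be exercised without touching /etc; the names in KOLAB_NAMES are the three the guide lists.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks for the
# steps above (source integrity, reserved account names, SELinux, gcc 3.4).
# PASSWD_FILE/GROUP_FILE default to the system files but can be overridden.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
KOLAB_NAMES="kolab kolab-r kolab-n"   # names the guide says must not pre-exist

# name_defined NAME FILE: true if FILE has an entry whose first field is NAME
name_defined() {
  grep -q "^$1:" "$2" 2>/dev/null
}

# conflicting_names: lists each reserved name still present; returns 1 if any
conflicting_names() {
  found=0
  for name in $KOLAB_NAMES; do
    if name_defined "$name" "$PASSWD_FILE"; then
      echo "user $name exists in $PASSWD_FILE"; found=1
    fi
    if name_defined "$name" "$GROUP_FILE"; then
      echo "group $name exists in $GROUP_FILE"; found=1
    fi
  done
  return $found
}

# sources_verified DIR: checks every file listed in DIR/MD5SUMS (md5sum -c)
sources_verified() {
  ( cd "$1" && md5sum -c MD5SUMS > /dev/null 2>&1 )
}

# selinux_disabled: true when getenforce is absent or reports Disabled
selinux_disabled() {
  if command -v getenforce > /dev/null 2>&1; then
    [ "$(getenforce)" = "Disabled" ]
  else
    return 0
  fi
}

# gcc_is_34: true when the default gcc is the 3.4 series the guide links in
gcc_is_34() {
  gcc -dumpversion 2>/dev/null | grep -q '^3\.4'
}

# preflight DIR: run all checks against the source directory, return 1 on any failure
preflight() {
  rc=0
  sources_verified "$1" && echo "ok: MD5SUMS match" || { echo "FAIL: MD5SUMS mismatch or missing"; rc=1; }
  conflicting_names && echo "ok: no reserved names in use" || rc=1
  selinux_disabled && echo "ok: SELinux disabled" || { echo "FAIL: SELinux is not disabled"; rc=1; }
  gcc_is_34 && echo "ok: default gcc is 3.4" || { echo "FAIL: default gcc is not 3.4"; rc=1; }
  return $rc
}

# Usage: sh preflight.sh check /kolab
if [ "${1:-}" = "check" ]; then
  preflight "${2:-/kolab}"
fi
```

Running it once from /kolab-template and again from the /kolab copy costs nothing compared with a failed obmtool build, and a failing MD5SUMS check is the point at which to re-download rather than to start compiling.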

REFERENCES
http://wiki.kolab.org/index.php/Kolab2_Installation_-_Source
http://wiki.kolab.org/index.php/Fedora_6
http://wiki.kolab.org/index.php/Kolab2_Installation_-_Horde
