2001 01 18

                    LINUX NEWS
            Thursday, January 18, 2001


1) Sean’s Notes

2) Linux News

Stand up and Be Counted!
Linux as Least Secure?
Run Ebay on Linux!
Cobalts to use Athlon

3) Linux Resources

What's Kerberos Doing Here?
Bugs, Bugs, Bugs
Load Balancing Clusters
Booting off of a RAID-1 Device
The Personal Side of Being a Sysadmin

4) App o’ the week

1) Sean's Notes
One of the new features of the 2.4 kernel is an updated
version of the IP packet filtering code. Users of 2.2 are
familiar with IP chains, and should become familiar with IP
tables. Luckily, it's not too much different for basic
packet filtering.

With ipchains and iptables alike, there are three default
chains for filtering:

input - rules on this chain are applied to packets as they
        enter an interface

output - rules on this chain are applied to packets as they
         leave an interface

forward - rules on this chain are applied to packets that
          cross from one interface to another

There are some major differences, however.

iptables capitalizes the name of the default chains, so it's

With ipchains, a packet that was to be routed crossed the
input, forward, and output chains in that order. With
iptables, routed packets hit only FORWARD. INPUT and OUTPUT
are for packets that originate or terminate on that interface.

Instead of DENYing a packet in ipchains, you DROP it in
iptables (more on this later).

If you just want to do basic filtering and masquerading,
those are the differences. Under the hood, however, you have
been given direct access to packets at various stages of
processing known as "tables" (hence iptables). For example,
we'll hook into the NAT table to get address translation.
Modules can also be written to interface with packets.

We'll become acquainted with NAT in a second, but first load
in the module:

modprobe iptable_nat

Those familiar with ipchains will remember that we could
masquerade out our PPP interface via:

ipchains -A forward -i ppp0 -j MASQ

...In iptables, we now run:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Say what? -t nat? -A POSTROUTING?  What's going on here?
Time to discuss the "filter" table.

INPUT, OUTPUT, and FORWARD chains are part of the "filter"
table, which is the default. This is where packets go before
they're accepted or transmitted. When a new connection is
started, the "nat" table is consulted. It has its own chains,
namely PREROUTING, POSTROUTING, and OUTPUT. The one we're
interested in, POSTROUTING, is checked before a packet is
sent on the wire (but not before it hits the filter table!).
At this point, we're just sending any packets going out the
ppp0 interface to the MASQUERADE target. Subtle differences
from ipchains here -- the target is no longer MASQ, and on
the forwarding chain you can specify the incoming (-i) or
outgoing (-o) interface. Previously, you could only specify
the outgoing interface via -i.

That aside, your basic packet filtering is the same:

iptables -A INPUT -s 10.0.0.0/8 -j DROP

This will drop all packets coming from the 10.x.x.x network.
The -j parameter sends the packet matching this rule to
either another chain (you can make up extras to optimize
stuff), or to a built in target, in this case "DROP". Others
are "ACCEPT" and "REJECT". A REJECTed packet causes an ICMP
message to be sent back, while a DROPped packet is ignored.

Those of you who want a bit more time with ipchains (or even
the 2.0 ipfwadm) can opt to have support for that. Load in
the "ipchains" or "ipfwadm" modules instead of the above and
go to town. I encourage you to learn this exciting new way of
handling packets (OK, maybe it's not exciting... My day job
is as a network guy so these kinds of things turn me on).

You can get a lot of useful information from the iptables man
page or at http://netfilter.samba.org/
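As an added example (not from the newsletter), here is a small shell function that rewrites one ipchains rule into the iptables form described in the notes above: upper-cased chains, DENY to DROP, MASQ to the nat table's POSTROUTING chain, and -i on output/forward becoming -o. It only prints the resulting command, so the ruleset can be reviewed before anything is applied; the rules fed to it are constructed for illustration.

```shell
# Rewrite one ipchains rule (given as arguments) as the equivalent
# iptables command, applying the differences described in the notes:
#   chain names are upper-cased (input -> INPUT, ...);
#   -j DENY becomes -j DROP (ACCEPT and REJECT are unchanged);
#   "-A forward -i IF -j MASQ" becomes "-t nat -A POSTROUTING -o IF -j MASQUERADE";
#   -i on output/forward named the OUTGOING interface in ipchains, so it becomes -o.
ipchains2iptables() {
    op="" chain="" iface="" target="" rest=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I|-D)
                op=$1
                chain=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
                shift 2 ;;
            -i) iface=$2; shift 2 ;;
            -j) target=$2; shift 2 ;;
            *)  rest="$rest $1"; shift ;;   # -s, -d, -p ... pass through unchanged
        esac
    done
    if [ -z "$chain" ] || [ -z "$target" ]; then
        echo "ipchains2iptables: need a chain and a target" >&2
        return 1
    fi
    # Masquerading moves from the forward chain to the nat table's POSTROUTING chain.
    if [ "$target" = MASQ ]; then
        if [ "$chain" != FORWARD ] || [ -z "$iface" ]; then
            echo "ipchains2iptables: MASQ needs the forward chain and an -i interface" >&2
            return 1
        fi
        printf 'iptables -t nat %s POSTROUTING%s -o %s -j MASQUERADE\n' \
            "$op" "$rest" "$iface"
        return 0
    fi
    if [ "$target" = DENY ]; then target=DROP; fi
    ifopt=""
    if [ -n "$iface" ]; then
        case "$chain" in
            INPUT) ifopt=" -i $iface" ;;   # incoming interface stays -i
            *)     ifopt=" -o $iface" ;;   # output/forward: it was the outgoing one
        esac
    fi
    printf 'iptables %s %s%s%s -j %s\n' "$op" "$chain" "$rest" "$ifopt" "$target"
}

# The two rules from the notes above (constructed inputs; nothing is applied).
ipchains2iptables -A forward -i ppp0 -j MASQ
ipchains2iptables -A input -s 10.0.0.0/8 -j DENY
```

Because routed packets only traverse FORWARD in iptables, any ipchains input or output rule that was relied on to filter forwarded traffic needs a matching FORWARD rule as well; a mechanical rewrite cannot tell which rules those were.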

The kind folks at Brainbuzz.com have given us our own board
to sound off on:


Long live the Penguin,


2) Linux News

Stand up and be counted!
I remember that Slackware used to (and probably still does)
put a link to the Linux counter in root's mail box by
default. Sign up for the Linux counter; you can even see
who else is signed up in your area!


Linux as least secure?
This is a fun read... Some mainframers decided that the
good ol' mainframe is the most secure place to store data,
and that Linux is the worst. Their reasoning isn't much
better than "It's too hard to use". Sigh.


Run Ebay on Linux!
Ebay runs on some high-end Sun hardware. As good as the
stuff is, they've had some serious outages in the past.
Would Linux be a good alternative? Lots of cheap hardware
rather than a little expensive gear? One only has to look
at Google to see what four thousand Linux boxes can do...


Cobalts to use Athlon
I love AMD. For desktops and low end servers, you can't
beat the price/performance. SUN, after their recent
acquisition of Cobalt, is going to use Athlon chips in the
new appliances. This article points out some interesting
things with regard to scalability of the chips.


3) Linux Resources

What's Kerberos doing here?
I was rebuilding Apache and PHP on a new Red Hat 6.2 box
yesterday. I found out the hard way that the imap packages
in 6.2 are linked against Kerberos, a distributed
authentication architecture. Even though I wasn't going to
use them, I still had to link PHP against the libraries. I
needed kerberos-devel and this handy tip:


Bugs, bugs, bugs
I encourage everyone to follow linuxsecurity.com's advisory
watch to keep on top of the latest problems. This week's
advisories include some serious issues, including a bug in
glibc 2.2, the system libraries that ship with Red Hat 7.


Load balancing clusters
Most people are familiar with Beowulf, a clustering project
for Linux. Here is Mosix, a general purpose cluster that's
a lot more transparent to applications. It's good for
building web clusters and the like.


Booting off of a RAID-1 device
RAID-1 is otherwise known as mirroring, a process whereby
copies of data are stored (mirrored) on two drives. Lose
one, the other takes over. It's a bit tricky to make your
root partition a mirror, however. This article shows you
the ropes. It also focuses on another aspect of mirroring,
namely backing out of changes. Break the mirror before you
do your work. If something hits the fan, you've got a
pre-change copy of the system.


The personal side of being a Sysadmin
System administration isn't easy work... Besides the
technical stuff, you have to deal with people. Here's
some helpful advice for anyone in the system or network
administration role!


4) App o' the week
Looking for some CD writing software for Linux? Look no
further than gcombust. I was up and running within minutes.
Lots of options, helpful troubleshooting, and a clean
interface make it the App o' the week.


(C) 2001 BrainBuzz.com. All Rights Reserved.

