LINUX NEWS
RESOURCES & LINKS FROM BRAINBUZZ.COM
Thursday, January 18, 2001
TABLE OF CONTENTS
1) Sean’s Notes
2) Linux News
Stand up and Be Counted!
Linux as Least Secure?
Run Ebay on Linux!
Cobalts to use Athlon
3) Linux Resources
What's Kerberos Doing Here?
Bugs, Bugs, Bugs
Load Balancing Clusters
Booting off of a RAID-1 Device
The Personal Side of Being a Sysadmin
4) App o’ the week
1) Sean’s Notes
One of the new features of the 2.4 kernel is an updated version of the IP packet filtering code. Users of 2.2 are familiar with IP chains, and should become familiar with IP tables. Luckily, it’s not too much different for basic packet filtering.
With ipchains and iptables alike, there are three default chains for filtering:
input - rules on this chain are applied to packets as they enter an interface
output - rules on this chain are applied to packets as they leave an interface
forward - rules on this chain are applied to packets that cross from one interface to another
There are some major differences, however.
iptables capitalizes the name of the default chains, so it’s really INPUT, OUTPUT, and FORWARD.
With ipchains, a packet that was to be routed crossed the input, forward, and output chains in that order. With iptables, routed packets hit only FORWARD. INPUT and OUTPUT are for packets that originate or terminate on that interface.
Instead of DENYing a packet in ipchains, you DROP it in iptables (more on this later).
If you just want to do basic filtering and masquerading, those are the differences. Under the hood, however, you have been given direct access to packets at various stages of processing known as “tables” (hence iptables). For example, we’ll hook into the NAT table to get address translation. Modules can also be written to interface with packets.
We’ll become acquainted with NAT in a second, but first load in the module:
modprobe iptable_nat
Those familiar with ipchains will remember that we could masquerade out our PPP interface via:
ipchains -A forward -i ppp0 -j MASQ
In iptables, we now run:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Say what? -t nat? -A POSTROUTING? What’s going on here? Time to discuss the “filter” table.
INPUT, OUTPUT, and FORWARD chains are part of the “filter” table, which is the default. This is where packets go before they’re accepted or transmitted. When a new connection is started, the “nat” table is consulted. It has its own chains, namely PREROUTING, POSTROUTING, and OUTPUT. The one we’re interested in, POSTROUTING, is checked before a packet is sent on the wire (but not before it hits the filter table!). At this point, we’re just sending any packets going out the ppp0 interface to the MASQUERADE target. Subtle differences from ipchains here: the target is no longer MASQ, and on the forwarding chain you can specify the incoming (-i) or outgoing (-o) interface. Previously, you could only specify the outgoing interface via -i.
That aside, your basic packet filtering is the same:
iptables -A INPUT -s 10.0.0.0/8 -j DROP
This will drop all packets coming from the 10.x.x.x network. The -j parameter sends a packet matching this rule either to another chain (you can make up extra chains to keep your rules organized) or to a built-in target, in this case “DROP”. Others are “ACCEPT” and “REJECT”. A REJECTed packet causes an ICMP message to be sent back, while a DROPped packet is silently ignored.
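To tie the differences above together, here is an added example (my own, not a tool from the newsletter or the netfilter project) of a small POSIX shell function that rewrites a single ipchains rule into its iptables equivalent, useful for reviewing an old 2.2-era firewall script before migrating it. It only understands the options discussed above; the rule and interface names are the ones from the notes.

```shell
#!/bin/sh
# ipchains2iptables: rewrite one ipchains rule as the equivalent iptables rule.
# Added example, not a tool from the newsletter. It covers only the differences
# described in the notes above: chain names are capitalized, DENY becomes DROP,
# and a MASQ rule on the forward chain becomes a nat-table POSTROUTING rule
# whose interface is now given with -o. Other options (-s, -d, -p, ...) pass
# through unchanged.

ipchains2iptables() {
    action=""; chain=""; iface=""; target=""; rest=""
    while [ $# -gt 0 ]; do
        case "$1" in
            ipchains) ;;                      # drop the command name if present
            -A|-I|-D) action="$1"
                      chain=$(printf '%s' "$2" | tr 'a-z' 'A-Z'); shift ;;
            -i)       iface="$2"; shift ;;
            -j)       target="$2"; shift ;;
            *)        rest="$rest $1" ;;      # match options pass through as-is
        esac
        shift
    done
    if [ -z "$action" ] || [ -z "$chain" ]; then
        echo "ipchains2iptables: only -A/-I/-D <chain> rules are understood" >&2
        return 1
    fi

    # On the old forward and output chains, -i named the *outgoing* interface;
    # iptables uses -o for that and reserves -i for the incoming one (INPUT).
    ifopt=""
    if [ -n "$iface" ]; then
        case "$chain" in
            INPUT) ifopt=" -i $iface" ;;
            *)     ifopt=" -o $iface" ;;
        esac
    fi

    if [ "$target" = MASQ ]; then
        # Masquerading moved out of the filter table into nat/POSTROUTING.
        printf 'iptables -t nat %s POSTROUTING%s%s -j MASQUERADE\n' \
            "$action" "$ifopt" "$rest"
        return 0
    fi
    [ "$target" = DENY ] && target=DROP
    tgt=""
    [ -n "$target" ] && tgt=" -j $target"
    printf 'iptables %s %s%s%s%s\n' "$action" "$chain" "$ifopt" "$rest" "$tgt"
}

# Demo on the two rules quoted in the notes above.
ipchains2iptables ipchains -A forward -i ppp0 -j MASQ
ipchains2iptables ipchains -A input -s 10.0.0.0/8 -j DENY
```

Remember that the translated MASQUERADE rule only rewrites addresses; the packets still have to pass the filter table’s FORWARD chain, so check that chain’s rules and policy as well.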
Those of you who want a bit more time with ipchains (or even the 2.0 ipfwadm) can opt to have support for that. Load in the “ipchains” or “ipfwadm” modules instead of the above and go to town. I encourage you to learn this exciting new way of handling packets (OK, maybe it’s not exciting… My day job is as a network guy so these kinds of things turn me on).
You can get a lot of useful information from the iptables man page or at http://netfilter.samba.org/
The kind folks at Brainbuzz.com have given us our own board to sound off on:
http://boards.brainbuzz.com/boards/vbt.asp?b2
Long live the Penguin,
Sean swalberg@brainbuzz.com
2) Linux News
Stand up and be counted!
I remember that Slackware used to (and probably still does) put a link to the Linux counter in root’s mailbox by default. Sign up for the Linux counter; you can even see who else is signed up in your area!
http://counter.li.org
Linux as least secure?
This is a fun read… Some mainframers decided that the good ol’ mainframe is the most secure place to store data, and that Linux is the worst. Their reasoning isn’t much better than “It’s too hard to use”. Sigh.
http://www.vnunet.com/News/1116290
Run Ebay on Linux!
Ebay runs on some high-end Sun hardware. As good as the stuff is, they’ve had some serious outages in the past. Would Linux be a good alternative? Lots of cheap hardware rather than a little expensive gear? One only has to look at Google to see what four thousand Linux boxes can do…
http://www.internetweek.com/newslead01/lead011101.htm
Cobalts to use Athlon
I love AMD. For desktops and low-end servers, you can’t beat the price/performance. Sun, after their recent acquisition of Cobalt, is going to use Athlon chips in the new appliances. This article points out some interesting things with regard to scalability of the chips.
http://www.techweb.com/wire/story/OEG20010112S0082
3) Linux Resources
What’s Kerberos doing here?
I was rebuilding Apache and PHP on a new Red Hat 6.2 box yesterday. I found out the hard way that the imap packages in 6.2 are linked against Kerberos, a distributed authentication architecture. Even though I wasn’t going to use them, I still had to link PHP against the libraries. I needed kerberos-devel and this handy tip:
http://www.geocrawler.com/archives/3/5/2000/5/50/3818227/
Bugs, bugs, bugs
I encourage everyone to follow linuxsecurity.com’s advisory watch to keep on top of the latest problems. This week’s advisories include some serious issues, including a bug in glibc 2.2, the system libraries that ship with Red Hat 7.
http://linuxsecurity.com/articles/forums_article-2287.html
Load balancing clusters
Most people are familiar with Beowulf, a clustering project for Linux. Here is Mosix, a general purpose cluster that’s a lot more transparent to applications. It’s good for building web clusters and the like.
http://www.mosix.org/
Booting off of a RAID-1 device
RAID-1 is otherwise known as mirroring, a process whereby copies of data are stored (mirrored) on two drives. Lose one, and the other takes over. It’s a bit tricky to make your root partition a mirror, however. This article shows you the ropes. It also focuses on another aspect of mirroring, namely backing out of changes. Break the mirror before you do your work. If something hits the fan, you’ve got a pre-change copy of the system.
http://www.samag.com/linux/articles/v10/i01/a7.shtml
The personal side of being a Sysadmin
System administration isn’t easy work… Besides the technical stuff, you have to deal with people. Here’s some helpful advice for anyone in the system or network administration role!
http://www.linux.com/sysadmin/newsitem.phtml?sid=1&aid529
4) App o’ the week
Looking for some CD writing software for Linux? Look no further than gcombust. I was up and running within minutes. Lots of options, helpful troubleshooting, and a clean interface make it the App o’the week.
http://www.abo.fi/~jmunsin/gcombust/
(C) 2001 BrainBuzz.com. All Rights Reserved.