Thursday 27 November 2014

Zentyal as a firewall (gateway).

Zentyal is a Linux small business server that lets you manage all your network services through a single platform. It can act as a network gateway as well as an infrastructure, UTM (Unified Threat Manager), office and communications server. All these features are integrated and easy to configure, which saves system administrators time.

In this tutorial, you will see how to set up a Zentyal server to act as a gateway in a very common scenario. Zentyal will provide basic network infrastructure, load balancing between two Internet providers, a firewall, and an HTTP proxy with caching and content filtering. All these steps are explained in the Zentyal documentation, which is highly recommended reading.

Monday 24 November 2014

How to install an IRC server on Fedora 20 (ngircd)

The instructions below install the ngIRCd IRC server on Fedora 20.

ngIRCd is a free, portable and lightweight Internet Relay Chat server for small or private networks, developed under the GNU General Public License (GPL). It is easy to configure, can cope with dynamic IP addresses, and supports IPv6, SSL-protected connections as well as PAM for authentication. It is written from scratch and not based on the original IRCd. The steps:

Install server:
[root@localhost ~]# yum install ngircd
Edit config file:
[root@localhost ~]# vi /etc/ngircd.conf
# $Id$

#
# This is a sample configuration file for the ngIRCd, which must be adapted
# to the local preferences and needs.
#
# Comments are started with "#" or ";".
#
# A lot of configuration options in this file start with a ";". You have
# to remove the ";" in front of each variable to actually set a value!
# The disabled variables are shown with example values for completeness.
#
# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
# server interprets the configuration file as expected!
#

[Global]
        # The [Global] section of this file is used to define the main
        # configuration of the server, like the server name and the ports
        # on which the server should be listening.

        # Server name in the IRC network, must contain at least one dot
        # (".") and be unique in the IRC network. Required!
        Name = irc.the.net

        # Info text of the server. This will be shown by WHOIS and
        # LINKS requests for example.
        Info = Server Info Text

        # Global password for all users needed to connect to the server
        ;Password = abc

        # Information about the server and the administrator, used by the
        # ADMIN command. Not required by server but by RFC!
        ;AdminInfo1 = Description
        ;AdminInfo2 = Location
        ;AdminEMail = admin@irc.server

        # Ports on which the server should listen. There may be more than
        # one port, separated with ",". (Default: 6667)
        ;Ports = 6667, 6668, 6669

        # comma separated list of IP addresses on which the server should
        # listen. Default values are:
        # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
        # so the server listens on all IP addresses of the system by default.
        Listen = 127.0.0.1,192.168.5.51

        # Text file with the "message of the day" (MOTD). This message will
        # be shown to all users connecting to the server:
        ;MotdFile = /etc/ngircd.motd

        # A simple Phrase (<256 chars) if you don't want to use a motd file.
        # If it is set no MotdFile will be read at all.
        MotdPhrase = "Hello world!"

        # User ID under which the server should run; you can use the name
        # of the user or the numerical ID. ATTENTION: For this to work the
        # server must have been started with root privileges! In addition,
        # the configuration and MOTD files must be readable by this user,
        # otherwise RESTART and REHASH won't work!
        ServerUID = ngircd

        # Group ID under which the ngircd should run; you can use the name
        # of the group or the numerical ID. ATTENTION: For this to work the
        # server must have been started with root privileges!
        ServerGID = ngircd

        # A directory to chroot in when everything is initialized. It
        # doesn't need to be populated if ngIRCd is compiled as a static
        # binary. By default ngIRCd won't use the chroot() feature.
        # ATTENTION: For this to work the server must have been started
        # with root privileges!
        ;ChrootDir = /var/empty

        # This tells ngircd to write its current process id to a file.
        # Note that the pidfile is written AFTER chroot and switching uid,
        # i. e. the Directory the pidfile resides in must be writeable by
        # the ngircd user and exist in the chroot directory.
        PidFile = /var/run/ngircd/ngircd.pid

        # After <PingTimeout> seconds of inactivity the server will send a
        # PING to the peer to test whether it is alive or not.
        ;PingTimeout = 120

        # If a client fails to answer a PING with a PONG within <PongTimeout>
        # seconds, it will be disconnected by the server.
        ;PongTimeout = 20

        # The server tries every <ConnectRetry> seconds to establish a link
        # to not yet (or no longer) connected servers.
        ;ConnectRetry = 60

        # Should IRC Operators be allowed to use the MODE command even if
        # they are not(!) channel-operators?
        ;OperCanUseMode = no

        # Mask IRC Operator mode requests as if they were coming from the
        # server? (This is a compatibility hack for ircd-irc2 servers)
        ;OperServerMode = no

        # Allow Pre-Defined Channels only (see Section [Channels])
        PredefChannelsOnly = yes

        # Don't do any DNS lookups when a client connects to the server.
        ;NoDNS = no

        # try to connect to other irc servers using ipv4 and ipv6, if possible
        ;ConnectIPv6 = yes
        ConnectIPv4 = yes

        # Maximum number of simultaneous connections the server is allowed
        # to accept (0: unlimited):
        MaxConnections = 0

        # Maximum number of simultaneous connections from a single IP address
        # the server will accept (0: unlimited):
        ;MaxConnectionsIP = 5

        # Maximum number of channels a user can be member of (0: no limit):
        MaxJoins = 10

        # Maximum length of a user nick name (Default: 9, as in RFC 2812).
        # Please note that all servers in an IRC network MUST use the same
        # maximum nick name length!
        ;MaxNickLength = 9

[Operator]
        # [Operator] sections are used to define IRC Operators. There may be
        # more than one [Operator] block, one for each local operator.

        # ID of the operator (may be different of the nick name)
        ;Name = TheOper

        # Password of the IRC operator
        ;Password = ThePwd

        # Optional Mask from which /OPER will be accepted
        ;Mask = *!ident@somewhere.example.com

[Operator]
        # More [Operator] sections, if you like ...

[Server]
        # Other servers are configured in [Server] sections. If you
        # configure a port for the connection, then this ngircd tries to
        # connect to to the other server on the given port; if not it waits
        # for the other server to connect.
        # There may be more than one server block, one for each server.
        #
        # Server Groups:
        # The ngIRCd allows "server groups": You can assign an "ID" to every
        # server with which you want this ngIRCd to link. If a server of a
        # group won't answer, the ngIRCd tries to connect to the next server
        # in the given group. But the ngircd never tries to connect to two
        # servers with the same group ID.

        # IRC name of the remote server, must match the "Name" variable in
        # the [Global] section of the other server (when using ngIRCd).
        Name = irc2.the.net

        # Internet host name or IP address of the peer (only required when
        # this server should establish the connection).
        ;Host = connect-to-host.the.net

        # IP address to use as _source_ address for the connection. if unspecified,
        # ngircd will let the operating system pick an address.
        Bind = 192.168.5.51

        # Port of the server to which the ngIRCd should connect. If you
        # assign no port the ngIRCd waits for incoming connections.
        Port = 6667

        # Own password for the connection. This password has to be configured
        # as "PeerPassword" on the other server.
        ;MyPassword = def

        # Foreign password for this connection. This password has to be
        # configured as "MyPassword" on the other server.
        ;PeerPassword = ghi

        # Group of this server (optional)
        ;Group = 123

        # Set the "Passive" option to "yes" if you don't want this ngIRCd to
        # connect to the configured peer (same as leaving the "Port" variable
        # empty). The advantage of this option is that you can actually configure
        # a port and use the IRC command CONNECT more easily to manually connect
        # this specific server later.
        ;Passive = no

[Server]
        # More [Server] sections, if you like ...

[Channel]
        # Pre-defined channels can be configured in [Channel] sections.
        # Such channels are created by the server when starting up and even
        # persist when there are no more members left.
        # Persistent channels are marked with the mode 'P', which can be set
        # and unset by IRC operators like other modes on the fly.
        # There may be more than one [Channel] block, one for each channel.

        # Name of the channel
        Name = #TheName

        # Topic for this channel
        Topic = a great topic

        # Initial channel modes
        Modes = tn

        # initial channel password (mode k)
        Key =

        # maximum users per channel (mode l)
        MaxUsers = 23

[Channel]
        # More [Channel] sections, if you like ...
Enable the server on boot (validate the file first with the --configtest option mentioned in its comments; if firewalld is running, the listening port, 6667 by default, must also be opened before remote clients can connect):
[root@localhost ~]# systemctl enable ngircd
Start the IRC service:
[root@localhost ~]# systemctl start ngircd
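Because a running server is only as safe as its ngircd.conf, here is an added example (not from the original post or the ngIRCd project) that parses the file format shown above and flags the settings that widen exposure: listening on every interface, no global Password, unlimited MaxConnectionsIP, and [Operator] blocks with a short Password or no Mask. The two embedded configurations are constructed; the thresholds and the wording of the findings are this example's choices, not ngIRCd's.

```python
# Added example (not from the original post or the ngIRCd project): a small
# audit of ngircd.conf.  It parses the format used by ngIRCd (sections in
# [brackets], "Key = Value" lines, '#' or ';' comment lines) and applies a
# few checks; thresholds and finding texts are this example's own choices.
import re
from typing import Dict, List, Optional, Tuple

Section = Tuple[str, Dict[str, str]]


def parse_ngircd_conf(text: str) -> List[Section]:
    """Return an ordered list of (section name, {key: value}).

    Repeated sections ([Operator], [Server], [Channel]) stay separate entries.
    A line whose first non-blank character is '#' or ';' is a comment, so the
    sample's ';Password = abc' is a disabled example, not a setting.  Section
    and key names are case-insensitive in ngIRCd and are lower-cased here.
    """
    sections: List[Section] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {}
            sections.append((header.group(1).lower(), current))
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip().strip('"')
    return sections


def audit_ngircd_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    sections = parse_ngircd_conf(text)
    glob = next((kv for name, kv in sections if name == "global"), {})

    addrs = [a.strip() for a in glob.get("listen", "").split(",") if a.strip()]
    if not addrs or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("Listen: server binds every interface; list only the addresses that need it")
    if not glob.get("password"):
        findings.append("Password: no global password, so any host that reaches the port can register")
    if glob.get("maxconnectionsip", "0") == "0":
        findings.append("MaxConnectionsIP: unlimited connections per source IP")

    for name, kv in sections:
        if name != "operator" or not kv.get("name"):
            continue  # an empty [Operator] block is just a template
        oper = kv["name"]
        if not kv.get("password"):
            findings.append(f"Operator {oper}: no Password set")
        elif len(kv["password"]) < 12:
            findings.append(f"Operator {oper}: Password shorter than 12 characters")
        if not kv.get("mask"):
            findings.append(f"Operator {oper}: no Mask, so OPER is accepted from any host")
    return findings


# Constructed inputs: the first leaves the sample's defaults in place, the
# second tightens them.
WEAK_CONF = """
[Global]
        Name = irc.the.net
        Info = Server Info Text
        ;Password = abc
        ;Listen = 127.0.0.1
        ;MaxConnectionsIP = 5
[Operator]
        Name = TheOper
        Password = ThePwd
        ;Mask = *!ident@somewhere.example.com
[Operator]
        # More [Operator] sections, if you like ...
"""

HARDENED_CONF = """
[Global]
        Name = irc.the.net
        Password = correct-horse-battery-staple
        Listen = 127.0.0.1,192.168.5.51
        MaxConnectionsIP = 5
[Operator]
        Name = TheOper
        Password = 0f3b9c1e2d4a6b8c
        Mask = *!ident@somewhere.example.com
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit_ngircd_conf(conf))} finding(s)")
        for finding in audit_ngircd_conf(conf):
            print("  -", finding)
```

Run it against your own /etc/ngircd.conf by passing the file contents to audit_ngircd_conf; the parser deliberately treats a leading ";" as a comment, so an operator whose Mask is still commented out is reported as unrestricted, which is what ngIRCd will do with it.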

As for the IRC client, I am using Nettalk. It is a free (open source) IRC client. Cheers...

Friday 24 October 2014

How To Install MySQL On CENTOS 7

The instructions below install the MySQL server on CentOS 7.

On CentOS 7 the default database server is MariaDB, a community-developed fork of the MySQL relational database management system. If for whatever reason you want the original MySQL server instead, this guide walks you through the installation. The steps:

Set up the MySQL repository (the release package installs mysql.com's yum repository definition and its GPG key):
[root@localhost ~]# rpm -Uvh http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm
Install server:
[root@localhost ~]# yum install mysql-server
Start server:
[root@localhost ~]# systemctl start mysqld
Enable server on boot:
[root@localhost ~]# systemctl enable mysqld
Set the root password (with no password given on the command line, mysqladmin prompts for it, which keeps it out of the shell history and the process list):
[root@localhost ~]# mysqladmin -u root password
Then run mysql_secure_installation to remove the anonymous accounts and the test database and to restrict root logins to localhost.

Friday 26 September 2014

Install Keepalived on CentOS 7

Keepalived provides a health-check framework and implements the VRRP hot-standby protocol. It gives load-balancing services high availability by removing the load balancer as a single point of failure.

The following instructions set up the Keepalived service on CentOS 7.

Assume network as below:
LB1:Loadbalancer 1:192.168.1.80
LB2:Loadbalancer 2:192.168.1.81
Vip1:Virtual IP:192.168.1.82

We want LB1 as the master and LB2 as the standby. If LB1 fails, LB2 takes over as master. Whichever node is master holds the VIP 192.168.1.82.

To configure LB1:192.168.1.80, ssh into LB1:
[root@LB1 ~]# yum install keepalived
To let a process bind to an address the host does not currently hold (so a load-balancer service can listen on the VIP while this node is standby) and apply the change:
[root@LB1 ~]# echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
[root@LB1 ~]# sysctl -p
[root@LB1 ~]# vi /etc/keepalived/keepalived.conf 

! Configuration File for keepalived

global_defs {
   notification_email {
        admin1@domain.com
   }
   notification_email_from admin@local
   smtp_server 192.168.1.99
   smtp_connect_timeout 30
}

! Health check: exit 0 only if httpd answers without an HTTP error within 3 s.
! -f makes curl fail on 4xx/5xx (plain curl exits 0 for a 500 page);
! --max-time keeps the check shorter than the vrrp_script timeout.
vrrp_script chk_curl {
    script "/usr/bin/curl -sf --max-time 3 http://192.168.1.80/"
    interval 2
    weight -4
    timeout 5
    fall 2
    rise 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    ! PASS authentication travels in clear text in every advertisement:
    ! it keeps unrelated instances apart, it does not keep a LAN attacker out.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.82/32 dev eth0
    }
    track_script {
        chk_curl
    }
}

Start the service (and enable it on boot with systemctl enable keepalived, as for the other services on this page):
[root@LB1 ~]# systemctl start keepalived


Next configure LB2:192.168.1.81, ssh into LB2:
[root@LB2 ~]# yum install keepalived
To let a process bind to an address the host does not currently hold (so a load-balancer service can listen on the VIP while this node is standby) and apply the change:
[root@LB2 ~]# echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
[root@LB2 ~]# sysctl -p
[root@LB2 ~]# vi /etc/keepalived/keepalived.conf 

! Configuration File for keepalived

global_defs {
   notification_email {
        admin1@domain.com
   }
   notification_email_from admin@local
   smtp_server 192.168.1.99
   smtp_connect_timeout 30
}

! Same check as on LB1, against this node's own httpd.
vrrp_script chk_curl {
    script "/usr/bin/curl -sf --max-time 3 http://192.168.1.81/"
    interval 2
    weight -4
    timeout 5
    fall 2
    rise 2
}

vrrp_instance VI_1 {
    ! This node is the standby: start as BACKUP and let the lower
    ! priority (100 < 101) keep it there while LB1 is healthy.
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.82/32 dev eth0
    }
    track_script {
        chk_curl
    }
}

Start the service (and enable it on boot with systemctl enable keepalived):
[root@LB2 ~]# systemctl start keepalived
chk_curl is the check script; here it tests whether httpd is answering. 192.168.1.80 has the higher priority (101), so 1.80 is master while 1.81 (priority 100) is backup. When the check fails twice in a row (fall 2), keepalived applies the weight of -4: 101 - 4 = 97, which is below LB2's 100, so the VIP 192.168.1.82 moves to 192.168.1.81. After two consecutive successes (rise 2) LB1 is back at 101 and, since neither instance sets nopreempt, takes the VIP back.

This custom check script is the place to add any other criteria you need; vrrp_script only looks at the script's exit status (0 is healthy, anything else is a failure, i.e. $? in bash). That is why the check should run curl with -f: without it curl exits 0 for an HTTP 500 response, so httpd could be up with the application behind it broken and no failover would happen. Two more caveats: auth_type PASS sends the password in clear text inside every VRRP advertisement, so it only stops two instances from pairing by mistake and does not protect against forged advertisements from a host on the same segment; and keepalived 1.3 and later check the permissions of scripts they run as root and log a security violation if the script or its directory is writable by other users (and disable it when enable_script_security is set), so keep custom check scripts root-owned and not group- or world-writable, or run them unprivileged with script_user.
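As an added example that is not part of the original post or of keepalived, the following Python models the two decisions described above: the health check a track_script should perform (a 2xx answer within a timeout, which is what curl -sf --max-time gives you) and keepalived's weight rule that turns LB1's 101 into 97 while the check fails. The loopback HTTP backend is constructed for the demo; the 1..254 clamp and the name-order tie-break are this model's simplifications, not keepalived code.

```python
# Added example (not from the original post or from keepalived): a model of
# the health check and of the VRRP priority rule behind the failover above.
# The HTTP backend below is constructed for the demo.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple


def http_healthy(url: str, timeout: float = 3.0) -> bool:
    """True only for a 2xx answer within `timeout` seconds.

    Equivalent to `curl -sf --max-time 3 URL` exiting 0.  Without -f, curl
    exits 0 for an HTTP 500 page, so a vrrp_script that runs plain curl keeps
    reporting success while the application behind httpd is broken.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError, ValueError):
        return False


def effective_priority(base: int, weight: int, script_ok: bool) -> int:
    """Priority after keepalived's track_script weight rule.

    weight < 0: subtract |weight| while the script fails (the page's -4);
    weight > 0: add weight while the script succeeds.  Clamped to 1..254, the
    VRRP range for routers that do not own the address (model simplification).
    """
    prio = base
    if weight < 0 and not script_ok:
        prio += weight
    elif weight > 0 and script_ok:
        prio += weight
    return max(1, min(254, prio))


def elect_master(nodes: Dict[str, Tuple[int, int, bool]]) -> str:
    """Return the node that holds the VIP: highest effective priority wins.

    nodes maps a name to (priority, weight, script_ok).  Real VRRP breaks a
    tie by the higher primary IP address; name order stands in for that here.
    """
    return max(nodes, key=lambda n: (effective_priority(*nodes[n]), n))


class _Backend(BaseHTTPRequestHandler):
    """Constructed stand-in for httpd: '/' answers 200, '/broken' answers 500."""

    def do_GET(self) -> None:
        code = 500 if self.path == "/broken" else 200
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n" if code == 200 else b"error\n")

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def failover_demo() -> Dict[str, str]:
    """Replay the page's scenario: LB1 (101) healthy, then LB1 serving 500s."""
    server = HTTPServer(("127.0.0.1", 0), _Backend)  # ephemeral loopback port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        nodes = {"LB1": (101, -4, http_healthy(base + "/")), "LB2": (100, -4, True)}
        healthy = elect_master(nodes)
        nodes["LB1"] = (101, -4, http_healthy(base + "/broken"))  # httpd up, app broken
        broken = elect_master(nodes)
    finally:
        server.shutdown()
        server.server_close()
    return {"healthy": healthy, "broken": broken}


if __name__ == "__main__":
    print(failover_demo())  # {'healthy': 'LB1', 'broken': 'LB2'}
```

The "/broken" case is the one that matters: a check built on plain curl would still report LB1 healthy there, and the VIP would stay on a node that answers every request with an error.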

Centos 7 firewall (firewalld)

CentOS 7 uses firewalld as its firewall management service instead of the iptables service (firewalld still programs iptables underneath, so do not enable both at once). Below are the steps to enable/disable firewalld.

To check the status of the firewall:
#  systemctl status firewalld


To stop the firewall (until the next boot):
#  systemctl stop firewalld


To start the firewall:
#  systemctl start firewalld


To enable firewall on boot:
#  systemctl enable firewalld

To disable firewall on boot:
#  systemctl disable firewalld

To check on how to configure firewall:
#  man firewall-cmd

To get the default zone:
#  firewall-cmd --get-default-zone

To list all services in public zone:
#  firewall-cmd --zone=public --list-all

To allow the http service in the public zone permanently (--permanent only edits /etc/firewalld/zones/public.xml, which the two cat commands show before and after; the running firewall picks the change up on --reload):
#  cat /etc/firewalld/zones/public.xml
#  firewall-cmd --permanent --zone=public --add-service=http
#  firewall-cmd --reload
#  cat /etc/firewalld/zones/public.xml
To remove the http service from the public zone permanently:
#  cat /etc/firewalld/zones/public.xml
#  firewall-cmd --permanent --zone=public --remove-service=http
#  firewall-cmd --reload
#  cat /etc/firewalld/zones/public.xml
The GUI screen to control the firewall is available from the menu.

To install using yum:
# yum install firewall-config
To get to Firewall GUI:

Fedora : System > Administration > Firewall
RHEL7/OL7 : Applications > Sundry > Firewall

Friday 18 July 2014

CentOS 7: "-bash: ifconfig: command not found"

After a fresh CentOS 7 install, running "ifconfig" fails with "-bash: ifconfig: command not found" because the "net-tools" package is no longer installed by default (the iproute2 "ip" command is the supported replacement and is already present). Installing "net-tools" brings ifconfig back:
# yum install net-tools
# ifconfig

Friday 16 May 2014

Apache http server ldap authentication (by group)

To have the Apache httpd server authenticate and authorise users against 389 Directory Server, first make sure the LDAP modules are installed and loaded:
yum install mod_ldap
vi /etc/httpd/conf.modules.d/01-ldap.conf
# This file configures the LDAP modules:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
And that the protected location (a <Directory> or <Location> block in httpd.conf or in a file under /etc/httpd/conf.d/) contains these directives:
AuthType Basic
AuthName "Protected Area"
AuthBasicProvider ldap
AuthLDAPURL "ldap://r65-1.local/dc=local"
Require ldap-group cn=Managers,ou=Groups,dc=local

AuthLDAPURL searches the subtree under dc=local for the login name (attribute uid unless the URL names another one) and binds as the matching entry with the supplied password; Require ldap-group then compares that entry's DN with the group's member and uniqueMember values (the mod_authnz_ldap defaults), which fits a 389 DS groupOfUniqueNames group. Two caveats: ldap:// carries the search and the user's password in clear text between httpd and the directory, so use ldaps:// or the STARTTLS argument of AuthLDAPURL with the CA certificate given by LDAPTrustedGlobalCert unless both run on the same host; and Basic auth sends the password in clear text to httpd, so serve the protected area over HTTPS only.
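To make the decision behind Require ldap-group concrete, here is an added example, not from the original post, Apache httpd or 389 DS, that models in Python what mod_authnz_ldap does with the directives above: find the user under the base DN, then compare that DN with the group's member/uniqueMember values. The LDIF is constructed, and the password bind that real httpd performs before the group check is assumed to have succeeded and is not modelled.

```python
# Added example (not from the original post, Apache httpd or 389 DS): a model
# of mod_authnz_ldap's 'Require ldap-group' decision over constructed LDIF.
# The user's password bind is assumed to have succeeded and is not modelled.
from collections import defaultdict
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed directory content: two people, one group that contains alice.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=local
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: uid=bob,ou=People,dc=local
objectClass: inetOrgPerson
uid: bob
cn: Bob Example

dn: cn=Managers,ou=Groups,dc=local
objectClass: groupOfUniqueNames
cn: Managers
uniqueMember: uid=alice, ou=People, dc=local
"""

# mod_authnz_ldap's AuthLDAPGroupAttribute default is "member uniquemember".
GROUP_ATTRS = ("member", "uniquemember")


def normalize_dn(dn: str) -> str:
    """Comparison form for DNs: lower-case, no blanks around the commas.

    Enough for this example; a real server applies the full RFC 4517 rules.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF entries (blank-line separated, attributes may repeat).

    Continuation lines start with one space and are joined onto the previous
    line, as LDIF requires.  Keys are normalized DNs; attribute names are
    lower-cased.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: Dict[str, Entry] = {}
    current: Entry = defaultdict(list)
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[normalize_dn(current["dn"][0])] = dict(current)
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    return entries


def find_user_dn(entries: Dict[str, Entry], base_dn: str,
                 attr: str, username: str) -> Optional[str]:
    """Subtree search under base_dn for attr=username.

    This is the lookup AuthLDAPURL "ldap://host/dc=local" implies; the search
    attribute defaults to uid when the URL does not name one.
    """
    base = normalize_dn(base_dn)
    for dn, entry in entries.items():
        in_scope = dn == base or dn.endswith("," + base)
        if in_scope and username.lower() in (v.lower() for v in entry.get(attr, [])):
            return dn
    return None


def require_ldap_group(entries: Dict[str, Entry], base_dn: str,
                       username: str, group_dn: str) -> bool:
    """Decide 'Require ldap-group <group_dn>' for an authenticated username.

    The user's DN is compared with the group's member/uniqueMember values,
    which is what AuthLDAPGroupAttributeIsDN on (the default) means; a
    groupOfUniqueNames in 389 DS stores member DNs in uniqueMember.
    """
    user_dn = find_user_dn(entries, base_dn, "uid", username)
    group = entries.get(normalize_dn(group_dn))
    if user_dn is None or group is None:
        return False
    members = {normalize_dn(v) for a in GROUP_ATTRS for v in group.get(a, [])}
    return user_dn in members


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("alice", "bob", "mallory"):
        allowed = require_ldap_group(directory, "dc=local", user,
                                     "cn=Managers,ou=Groups,dc=local")
        print(f"{user}: {'allowed' if allowed else 'denied'}")
```

Note that bob is a valid, authenticated user and is still denied: with Require ldap-group, authentication against the directory is necessary but not sufficient, and the comparison is by DN, so a group that lists uid values instead of DNs would match nobody.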
