
Using Linux on Notebooks

PCQ Bureau

When it comes to installing and using Linux on notebooks, many people panic. But, really, it is not tough at all. I have installed Linux on several popular brands of notebooks, including IBM, Dell, Acer, Toshiba, and even on a large number of unbranded bargain notebooks. I’ll not go as far as saying that installing Linux was no trouble at all, but, with minor tweaking, all notebooks are now happily running Linux. Several of them are dual boot as well.


Many manufacturers give you the choice of getting Linux factory installed on your notebook, much in the same way as they would preinstall Windows. The problem comes when you have rogue or proprietary hardware like sound cards and Windows modems. But the good news is that more and more hardware is becoming compatible with Linux.

If you have the space on your notebook, I’d say, take a deep breath and go ahead and install Linux. But remember the golden rule of computing: have a full backup before you start. Also try to gather as much information about your hardware as possible before you start: what sound card you have, what IRQ it uses, etc.

Once you’ve installed Linux, you’ll see how well it works. Let me tell you my personal experience with it. I converted my old P/100 notebook with a 1.3 GB hard disk into a Linux notebook. I didn’t even have the choice of making it dual boot because of lack of space. I must say here that I have no regrets at all. In fact, my notebook has got more or less a new life. I can do all my normal work under Linux without any problems. Let’s see here what I use my Linux notebook for.


E-mail

Using e-mail on Linux is no problem at all. However, I do have one complaint. Though several GUI mail clients are available, none are really good. Fortunately, there are many good and powerful text-based mail clients. So, after trying many GUI mail clients I settled for PINE, a character-based e-mail client. Remember when VSNL started its services and shell accounts had e-mail access only via PINE? Well, that’s what I use. It’s a very powerful and customizable e-mail client and can beat most GUI clients hands down on features and ease of use. I use it along with procmail for filtering and am very happy with it.

Surfing the Net

Another task I use my Linux notebook for is to surf the Net. Here the choices are Netscape, which is quite bulky but still very usable, or lynx, a complete text-based browser. When I need to do some really quick surfing I use lynx; the rest of the time I use Netscape. Some time back Opera released its browser for Linux, and though it’s still in beta stage it’s great. Once it’s available I shall definitely settle for that.

Configuring Ipchains

To block all packets from a particular source, issue the following command at the Linux shell prompt:


ipchains -A input -i eth0 -s hackers.com -j DENY

Here -A is to add a rule (to deny any packets from hackers.com) to the input chain. It’s assumed that this Linux box is connected to the Internet over the Ethernet network, so the packets will arrive on the Ethernet card interface named eth0, specified by -i eth0. If you have more than one Ethernet card, omitting the -i option will mean all interfaces, including non-Ethernet interfaces like the PPP interface for a dial-up Internet connection. All Ethernet interfaces can be included with -i eth+. Next, -s stands for the source of packets, which in this case is hackers.com. You can also use the IP address instead of a domain name. Finally, the -j DENY option instructs Ipchains to deny such packets. When you use DENY, the packets are simply trashed without giving any error message to the source; the source doesn’t know anything about what happened to the incoming request. We can use REJECT in place of DENY to tell the source that a packet has been discarded. The opposite of DENY and REJECT is ACCEPT. Note that we are not using any port number, which means that access will be denied to all packets from any port.

This was for someone from hackers.com trying to access your network. Now, if you don’t want users in your network to access hackers.com, then add a rule to the output chain:


ipchains -A output -i eth0 -d hackers.com -j REJECT

Here -d specifies the destination address.

Now, suppose one of the machines in your network, with IP address 192.168.1.10, has very sensitive data, which is used by people in your private network, but that machine must not be accessed by anyone from the Internet, that is, from outside the range of IP addresses assigned to the local network. A rule added to the input chain as below protects 192.168.1.10.


ipchains -A input -s ! 192.168.1.0/255.255.255.0 -d 192.168.1.10 -j DENY

The ! (NOT) specifies that if the source of the packets is not in the range 192.168.1.1 to 192.168.1.254 (that is, not in the 192.168.1.0/255.255.255.0 network), then access is to be denied.
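To see concretely what the masked source match decides, here is an added example (not from the article) in plain POSIX shell. It reproduces the arithmetic the kernel does for "-s ! 192.168.1.0/255.255.255.0": the source address and the network address are both ANDed with the netmask and compared; the ! inverts the result. The addresses used are the article's own; the function names ip_to_int, in_subnet and rule_action are the example's.

```shell
#!/bin/sh
# Added example: evaluate an ipchains-style negated source match
# ("-s ! NETWORK/NETMASK -j DENY") for a given address using shell arithmetic.

# Convert a dotted quad (e.g. 192.168.1.10) to a 32-bit integer.
ip_to_int() {
    # Split the four octets into $1..$4 (word splitting on the spaces tr produces).
    # shellcheck disable=SC2046
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDRESS NETWORK NETMASK: exit status 0 if ADDRESS is inside
# NETWORK/NETMASK, 1 otherwise. This is the un-negated "-s NETWORK/NETMASK" test.
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(ip_to_int "$3")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# rule_action ADDRESS NETWORK NETMASK: what the rule
# "ipchains -A input -s ! NETWORK/NETMASK -d <host> -j DENY" does to a packet
# from ADDRESS: "pass" (rule does not match) or "DENY" (the ! match fired).
rule_action() {
    if in_subnet "$1" "$2" "$3"; then
        echo "pass"   # source is inside the private network; rule does not match
    else
        echo "DENY"   # source is outside, so the negated match applies
    fi
}

# Usage, with the article's addresses: a LAN host and an outside host.
for src in 192.168.1.10 202.54.90.63; do
    printf '%-14s -> %s\n' "$src" "$(rule_action "$src" 192.168.1.0 255.255.255.0)"
done
```

Note that the mask comparison covers the whole block 192.168.1.0 through 192.168.1.255, including the network and broadcast addresses, which is why the rule is written with a network and mask rather than a start and end address.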

Telnet and FTP are important, but insecure services. You can block access to these services for users outside your private network. Suppose the machine 192.168.1.15 on your network provides Telnet and FTP access to others.


ipchains -A input -p tcp -s ! 192.168.1.0/255.255.255.0 -d 192.168.1.15 telnet -j REJECT

ipchains -A input -p tcp -s ! 192.168.1.0/255.255.255.0 -d 192.168.1.15 ftp -j REJECT

These rules specify that, if the machine sending the request is not in the range 192.168.1.1 to 192.168.1.254 and the destination is the Telnet port (first command) or the FTP port (second command) of the destination machine (192.168.1.15), then reject the packets. Since Telnet and FTP use the TCP protocol, you must specify the protocol with the -p option.


In place of the words telnet and ftp you can specify the port numbers (23 for Telnet and 21 for FTP). You can look into the /etc/services file for the well-known ports and their names.

Ports below 1024 are used by standard or defined services like HTTP, FTP, Telnet, SMTP etc., and ports above 1024 are used by non-standard services, for example by instant messengers like ICQ and streaming audio/video like RealAudio and RealVideo. Now, if you don’t want your network users to use non-standard services, then you can block access (incoming as well as outgoing) to these ports with:

ipchains -A input -p tcp -s 0/0 ! 0:1024 -j REJECT

ipchains -A output -p tcp -d 0/0 ! 0:1024 -j REJECT

ipchains -A input -p udp -s 0/0 ! 0:1024 -j REJECT

ipchains -A output -p udp -d 0/0 ! 0:1024 -j REJECT

Since we are concerned with blocking the incoming as well as outgoing packets using the non-standard ports, we add rules in both the input and output chains. The services, whether standard or non-standard, use either the TCP or the UDP protocol; the protocol is specified by the -p option. Next, a source 0/0 (input chain) or a destination 0/0 (output chain) is specified, where 0/0 means any machine. Finally, the port range is given as two port numbers separated by a colon (0:1024 here), and the ! makes our command apply to packets NOT falling within the specified range.

When browsing the Internet, you will want to connect to machines on the Internet but would not want to allow them to connect to (as distinct from accessing) your machines. TCP packets which initiate a connection have the SYN flag set (to 1) in their header. So we have to block all the incoming TCP packets which have this flag set. This is done as follows:

ipchains -A input -i eth1 -p tcp -s ! 192.168.1.0/255.255.255.0 -y -j REJECT

This will deny connections from outside to all the TCP-based services like Telnet, FTP and HTTP, while replies to connections opened from inside (which do not carry a bare SYN) still get through. Substitute eth1 with the name of the external interface (the interface to the Internet). The -y option matches only TCP packets with the SYN flag set, that is, connection requests. For dial-up connections, the external interface would be ppp0.

The following rule can be used by a desktop user using a dial-up connection to deny connections to his machine.

ipchains -A input -i ppp0 -p tcp -s 0/0 -y -j REJECT

The machine acting as your Internet gateway has a (static or dynamic) IP address provided by your ISP. The other machines in your network, which do not have an ISP-assigned IP, use this machine to connect to the Internet. The gateway transfers the IP packets from the private network to the Internet, replacing the source address of each packet with its own IP address. In the case of incoming packets from the Internet, it replaces their destination IP address with the IP address of the destination machine on the private network. This substitution of IP addresses is called IP masquerading. You can set up IP masquerading using Ipchains by inserting the following rule in the forward chain.

ipchains -A forward -i eth1 -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j MASQ

Note that here masquerading is done only if the destination is outside the private network.

If you are using the machine as an HTTP proxy server, then you need to go through the hassle of configuring all the machines with the IP address and port of the proxy server. An easy way out is transparent proxying. Using Ipchains, you can redirect all the TCP requests to port 80 (named www) to the port (say port 8000) on which the proxy server is listening. This is done using the REDIRECT target as follows:

ipchains -A input -p tcp -d 0/0 www -j REDIRECT 8000

Closed and Open chains

What we have been working on so far is open chains, in which we were DENYing access to specific services. An open output chain is specified as:

ipchains -P output ACCEPT

A closed chain is one in which you deny access to everything. Subsequently you can allow access (using the ACCEPT target) to the required services. A closed input chain is specified with the -P (policy) option as:

ipchains -P input DENY

You can also use REJECT in place of DENY.

Testing and debugging

We can list all the rules in all the chains using the -L option. To see the rules defined in a particular chain:

ipchains -n -L output

This displays all the rules for the output chain. If you want to see machine names instead of their IP addresses, remove the -n option.

We can use the -C option to simulate an actual transaction to test the integrity of the rules defined in Ipchains. To test the example where we were denying access to the machine 192.168.1.10, we send a UDP packet from a source 202.54.90.63 (an address outside the range of your private network) to the machine 192.168.1.10. We must supply a source and a destination port (for example 8888). This is done as below:

ipchains -C input -i eth0 -p udp -s 202.54.90.63 8888 -d 192.168.1.10 8888

You will get a "denied" message, which proves that the rule works.

If you use the -l option while adding a rule, before the -A option, then all the packets which match the rule are logged. For example, to log the matching packets for the rule specified in the IP masquerading example:

ipchains -l -A forward -i eth1 -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j MASQ

You can view the log using:

dmesg | grep "Packet log"

You can delete a rule in a chain using the -D option. One way is to specify the number of the rule in the chain. For example, we can delete the fifth rule in the output chain as:

ipchains -D output 5

This can easily lead to errors, since rule numbers shift as rules are added and removed. So, a more specific method is to type the entire rule, as when adding a rule, but replacing -A with -D.

To delete all the rules in a chain use the -F option.

ipchains -F chain

Here chain can be input, output or forward.

Note that after a reboot, all the rules that are entered at the command prompt are lost. Hence you need to put the rules in a start-up script.
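Putting the closed-chain idea and the start-up script together, here is an added example (not from the article) of such a script. It flushes the input chain, sets the DENY policy, and then ACCEPTs only what is needed: loopback traffic, the private network, replies to connections opened from inside (TCP packets without a bare SYN, using ! -y), DNS answers and ICMP, with a final logged DENY so that anything blocked shows up in dmesg. By default the script only prints the rules it would apply; setting IPCHAINS=/sbin/ipchains makes it run them. The interface name eth1 and the network 192.168.1.0/255.255.255.0 are taken from the article; the rule and build_input_chain function names are the example's own.

```shell
#!/bin/sh
# Added example: a start-up script that builds a closed ipchains input chain.
# IPCHAINS is empty by default, so rules are only printed (dry run). On a real
# ipchains host run it as: IPCHAINS=/sbin/ipchains ./closed-input.sh
IPCHAINS="${IPCHAINS:-}"

# Assumed values, adjust to your network: the Internet-facing interface and
# the private network (the same ones the article uses).
EXT_IF="${EXT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/255.255.255.0}"

# Apply one ipchains command, or print it when IPCHAINS is unset.
rule() {
    if [ -n "$IPCHAINS" ]; then
        "$IPCHAINS" "$@"
    else
        printf '%s\n' "$*"
    fi
}

build_input_chain() {
    rule -F input                                   # flush any old rules
    rule -P input DENY                              # closed chain: deny by default
    rule -A input -i lo -j ACCEPT                   # loopback traffic
    rule -A input -i "$EXT_IF" -s "$LAN" -j DENY    # anti-spoofing: our own addresses never arrive from outside
    rule -A input -s "$LAN" -j ACCEPT               # hosts on the private network
    rule -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT               # replies to connections we opened
    rule -A input -i "$EXT_IF" -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT   # DNS answers
    rule -A input -i "$EXT_IF" -p icmp -j ACCEPT    # ICMP errors and ping replies
    rule -l -A input -j DENY                        # log whatever falls through (dmesg | grep "Packet log")
}

build_input_chain
```

Order matters: the anti-spoofing DENY must come before the ACCEPT for the private network, and the logging rule goes last so that only packets no earlier rule accepted are logged.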

Shekhar Govindarajan
