my final year project
DESCRIPTION
This is my final year project based on a linux platform. This is a server which handles all the IP in the same or different network, like in case of an organization(school), which have different networks- hostel, office, library etc. It provides IP to all the systems; serves as a proxy server; provide subscription to internet access; provide security based on Mac address of the system etc.TRANSCRIPT
A Project Report
On
Titled
“AUTO-IP MANAGER”
Submitted in partial fulfillment for the
Award of degree of
BACHELOR OF ENGINEERING
IN
COMPUTER SCIENCE & ENGINEERING
Submitted By: - Submitted To:- VARUN KUMAR HEMANT SHARMAOMVEER SINGH Lect. CS/IT
July, 2009
PREFACE
“AUTO-IP MANAGER”
First of all using dialog utility it collects all information for configuration
according to the administrator by the user manually. Security is provided by using
“IP-table advanced rules”. It makes user-friendly environment by “dialog” utility.
Dynamic Host Configuration Protocol (DHCP) is a protocol used by
networked devices (clients) to obtain various parameters necessary for the
clients to operate in an Internet Protocol (IP) network. By using this protocol,
system administration workload greatly decreases, and devices can be added to
the network with minimal or no manual configurations. When a DHCP-configured
client (be it a computer or any other network aware device) connects to a
network, the DHCP client sends a broadcast query requesting necessary
information from a DHCP server .
The SQUID server is used for filtering. Its main job is to allow or deny any
host or destination. It automatically works on port no. 3128. We can also filter the
contents of the packets. Squid has one primary configuration file, squid.conf.
Iptables is used to set up, maintain, and inspect the tables of IP packet
filter rules in the Linux kernel. Several different tables may be defined. Each table
contains a number of built-in chains and may also contain user-defined chains.
Acknowledgement
I express my sincere thanks to my project guide, Mr. HEMANT SHARMA,
Lecturer, Deptt CS/IT, for guiding me right form the inception till the successful
completion of the project. I sincerely acknowledge him/her/them for extending
their valuable guidance, support for literature, critical reviews of project and the
report and above all the moral support he/she/they had provided to me with all
stages of this project.
I would also like to thank the supporting staff of CS/IT Department, for
their help and cooperation throughout our project.
VARUN KUMAR
OMVEER SINGH
CERTIFICATE
This is to certify that Mr. OMVEER SINGH and MR. VARUN
KUMAR from COMPUTER SCIENCE AND ENGINEERING has successfully
delivered a project named ”AUTO-IP MANAGER” and has submitted a
satisfactory report about it as per partial fulfillment of the requirement for the
degree of B.E. (Comp.Sc.) According to the syllabus of UNIVERSITY OF
RAJASTHAN , JAIPUR during the academic year 2008-09.
Date:22 July 09
Mr. Kailash Maheshwari Mr. HEMANT SHARMA
( H.O.D ,C.S.E & I.T ) (Project Guide )
4
IINDEXNDEX
Sl. No. TOPIC PAGE No.
01 Introduction
02 Requirements
03 Working of Project
04 Dialog Box
05 Linux as Router
06 Shell Scripting
07 Working of DHCP
08 Working of Squid
09 Working of Gateway
10 Working of IP Tables
11 Coding (Shell Scripting)
12 Conclusion
13 References
5
1. INTRODUCTION
This project “AUTO-IP CONFIGURATION” is practically implementable for
MNC’s and colleges in both live and laboratory conditions. In the project, we are using
the concepts of assigning IP addresses to the required user (via DHCP), gateway
assignments and implementations of proxy server, all using IP-tables.
This project is useful on the administrator end. The project automatic configures
the whole procedure of assigning and implementation according to the requirement of
users.
First using dialog utility it collects all information for configuration according to
the administrator by the user manually. Security provided by using “IP-table advanced
rules”. It makes user-friendly environment by “dialog” utility.
If gateway receives any of the client’s requests of port no. 80, it redirects the
requests to the proxy server on port no. 3128. Proxy filters the requests according to the
rules and again sends these packets to the gateway .Now gateway send it to connect
the internet.
The OS – “REDHAT- LINUX” is use because of its high secure functionality and
it provides many of the options for configuring the servers. Packages for the project
required; are inbuilt in REDHAT-LINUX, or we can download it through the internet.
6
2. REQUIREMENTS OF THE PROJECT
2.1 HARDWARE REQUIREMENTS:
The project can be implemented on both live and laboratory conditions. That
mean the minimum requirement is –
Processor: Pentium 3-4.
RAM min. of 256 MB.
Ethernet card that supports OS-LINUX.
Fast Ethernet cables.
These requirements may change according to the load and according to the
working environment.
2.2 SOFTWARE REQUIREMENTS:
OS- REDHAT LINUX.
RPM for DHCP server with all known dependencies.
RPM of Squid with all known dependencies.
RPM of Dialog.
7
3. WORKING OF PROJECT:
STEP 1: Client requests for IP address.
STEP 2: DHCP server checks the Mac address of the client; if rule matches in IP
tables, then server responses to the client with its assigned IP address as well as the
gateway entry.
STEP 3: Now client wants to go for internet; so it requests to the gateway.
STEP 4: The gateway now redirects the incoming packets to the PROXY server via IP
tables D-netting.
STEP 5: The proxy server filters the requests and again sends it to the gateway.
STEP 6: The gateway connects to the internet, gets the response of internet for the
client requests, and sends it to the proxy server.
STEP 7: Proxy server sends the response direct to the desired client.
8
4. Dialog Box:
4.1 Definition
A dialog box is a small window or message box that appears temporarily in
a GUI (graphical user interface) to alert the user to a condition and/or to request
information.
Dialog boxes appear on top of other open windows and whatever else is
currently on the display screen, and they are sometimes accompanied by a beeping or
other sound effect. They always contain at least one button, the purpose of which is to
allow the user to close the box (i.e., remove it from the display screen). Often they also
contain additional buttons and one or more means for users to provide information, such
as check boxes and spaces to enter text.
Dialog boxes can be classified in several ways, including according to the
function they perform and their complexity. The simplest type of dialog box is theAlert,
which displays a message and requires the user to acknowledge it by clicking on a
button in order to close it. Alerts are commonly used to provide simple confirmation of
an action (such as to confirm that the user really wants to terminate a program), to
9
indicate a user error, and to provide notification that a program that has stopped
functioning (i.e., frozen or crashed).
Dialog boxes can also be classified by whether they are modal or non-modal.
Modal dialog boxes are those which temporarily halt part or all of the GUI until the user
closes the box and, depending on what caused the box to appear, provides some
information. System modal dialog boxes freeze the entire GUI,application modal dialog
boxes freeze just the application that caused the box to appear, and document
modal dialog boxes, the newest and least intrusive modal type, merely freeze a single
window in an application (such as a document in a word processing program).
Non-modal dialog boxes, also called modeless dialog boxes, are used when the
requested information is not essential to continue, and thus no windows or other parts of
the GUI are frozen.
A commonly encountered type of dialog box on Linux is that which appears when
an ordinary user tries to open a program that requires root (i.e., administrative)
permission. For example, when a user attempts to open kppp, the KDE Internet dial-
up utility, a small, non-modal dialog box appears that asks the user to enter the root
password in a text space labeled Password for root. Entry of the correct password and
clicking on the OK button causes this box to close and a secondary (again, modeless)
box to appear. The second box allows the user to modify the connection setup if desired
and to push a button labeledConnect that initiates the connection to the Internet.
The Microsoft Windows and Macintosh operating systems use an ellipsis (i.e.,
three consecutive dots) after GUI menu items to indicate that clicking on such items will
not result in a direct action but rather will open up a dialog box that provides additional
information and options for the user.
One problem with the design of some operating systems and application
programs is that dialog boxes are inappropriately used and/or poorly designed. For
example, they may appear when not really necessary and/or contain cryptic messages
10
that most users cannot understand. This can be frustrating for users and waste their
time and energy.
An excellent example of inappropriate use is provided by some web browsers
that open a dialog box that informs the user that a page will not display, even though it
is obvious that the page will not display, and requires the user to click on a button to
close the box. Moreover, if the user is working on another application with the browser
in the background, the dialog box will interrupt that application and move the browser
window to the foreground, thus requiring the user to also restore the application window
to the foreground after closing the dialog box. A well-known example of clumsy and
misleading wording on a dialog box is the message that resembles you has performed
an illegal action and this program will shut down.
Good software design calls for dialog boxes to (1) be used only where necessary
and/or helpful, (2) be as unobtrusive as possible, (3) use wording that has meaning to
users and (4) maximize user flexibility. This implies that dialog boxes should be non-
modal whenever possible, and, if they are modal, they should be document modal or
application modal to the extent possible.
The term popup window is also sometimes used to refer to a dialog box, although
this term often implies an unrelated (and usually unwanted) advertisement, whereas a
dialog box is related to the program, operating system or hardware currently being
used,
4.2 CLI Magic: Creating basic front ends with dialog and Xdialog
New Linux users are often afraid of the command line. They prefer graphical
alternatives to commands and scripts. For help, they can turn to dialog and Xdialog, two
simple tools that can be used to create front ends to command-line tools.
The fundamental difference between the tools is that while dialog can create
console or text-based front ends, Xdialogcan generate an X interface for any terminal-
11
based program.
Dialog creates the simple front ends that until recently were used in almost all
Linux distributions' installations. Remember old Red Hat and Slackware installations
that were characterized by a grey screen with a blue background? Since these front
ends are text-based, you can't use a mouse to click on buttons.
Xdialog, on the other hand, creates X interfaces, meaning that you have full use
of your mouse. It uses GTK+ for creating the front ends, and offers functions such as
directory selectors and range boxes.
Once you have installed dialog, open a shell and write dialog --title "Testing Dialog" --
yesno "This is the message" 8 25, then press Enter. This creates a very basic yesno
box. You specify box options using the general syntax dialog [common option] [box-
option] text width height . So, the 8 and 25 above are the width and height. --title is a
common option. Common options are applied to all the box options. The common
options can be omitted, you you cannot make a box without specifying the box options.
To test Xdialog, just change dialog in the above command to Xdialog. Both dialog
and Xdialog can implement several types of dialog boxes, such as checklist, form,
radiolist, menu, and textbox. Each dialog box has its own set of box options. Let's create
a simple menu to better understand the [common] and [box] options.
4.2.1 Creating a menu
When making a menu, you may be overwhelmed by all the available choices. I
am going to start with a simple menu that lets you select one value out of several.
#!/bin/sh
tempfile=`tempfile`
dialog --title "Most used linux command" \12
--menu "Please choose the most usefull command line tool:" 15 55 5 \
"man" "To read man pages" \
"ls" "To display the contents of a directory" \
"vi" "Text editor" \
"mount" "To mount partitions" \
"su" "Super user permissions" 2> $tempfile
return_value=$?
you_chose=`cat $tempfile`
case $return_value in
0)
echo "'$you_chose' is the command you find most usefull.";;
1)
echo "You pressed cancel.";;
255)
echo "You hit Esc.";;
esac
Save this code in a file called basic_menu.sh. To make this script executable,
run chmod u+x basic_menu.sh. Now you can run the script: ./basic_menu.sh.
13
This creates a very basic menu, where you can choose any command using the
up and down keys. The most noteworthy lines of this script are tempfile
='tempfile' and2> $tempfile. The first line creates a temporary file using the tempfile
utility. Dialog, by default, writes its output to standard error, so we need the second line
to redirect the output from standard error to the tempfile. We can also use the --
stdout option to send the output to standard output. We'll look at --stdout in a moment.
$? is a variable that stores the program's return value, which is either 0, when
you press OK; 1, if you press cancel; or 255, if you press Esc. return_value is another
variable where we store the value of the $? variable.
To see how this dialog would appear in X, change dialog to Xdialog. Everything else
remains the same.
You never see this type of menu in the real world. You see either a radiolist,
where you can select just one value, or a checklist, which allows you to select multiple
values. To create a radiolist, replace --menu with --radiolist, keeping rest of that line
intact. You also need to change some options as below:
"man" "To read man pages" off\
"ls" "To display the contents of a directory" off\
"vi" "Text editor" off\
"mount" "To mount partitions" off\
"su" "Super user permissions" ON 2> $tempfile
See how each of the options has either "off" or "on" at the end? "On" signifies a
selected option. To select any option, move to your choice using the up and down keys
and press the spacebar.
Unlike a radiolist, a checklist allows you to select multiple values. If you change --
radiolist to --checklist, you get a checklist.
There's more
14
Most of us are so accustomed to working in graphical environments that we
cannot imagine some of the dialogs that you can create on the command line. For
example, you can easily make a progress bar or percentage gauge bar, which is part of
every software installation, with dialog and Xdialog. The syntax is --
gauge text height width [percent]. The percent value shows the initial value of the
progress bar. By default it is zero.
Let's create a shell script to see how the gauge works.
#!/bin/sh
percent=0
(
while test $percent != 110
do
echo $percent
echo "XXX"
echo "This is how the gauge appears"
echo "XXX"
echo "See how the message changes"
15
echo "XXX"
percent=`expr $percent + 10`
sleep 1
done
) |
dialog --title "Gauge works!" --gauge "This is how a gauge appears on the command
line" 10 60 0
As explained in the man page, if the standard input reads the string "XXX," then
subsequent lines up to another "XXX" are used for a new prompt. If you use the "XXX"
method of displaying messages, then the text supplied to --gauge is ignored. In our
case, the message This is how a gauge appears on the command line is ignored
because of the messages in "XXX."
Another common dialog is file selection. When attaching a file to an email
message or opening a file in OpenOffice.org Writer, we frequently encounter the select
file dialog. You can create that on a command line too. We are going to use --stdout for
this.
#!/bin/sh
selection=`dialog --stdout --title "Use this dialog to select a file by pressing spacebar" --
fselect $HOME/ 10 68`
case $? in
0)
echo "You chose \"$selection\"";;
1)
echo "You pressed cancel.";;
255)
echo "You hit Esc.";;
esac
16
The file selection dialog is made up of two panes; you can use the tab key to
switch between them. Select a file by pressing the spacebar once you have scrolled to
the file name using the up and down keys. You can also write the path of the file in the
input box at the bottom of the file selection dialog. The --fselect option creates the file
selection dialog. It accepts [filepath] height width as options. The $HOME/ argument
means that we want to choose a file within the home directory.
4.3 Conclusion
Both dialog and Xdialog are complex tools that can create many types of dialog
boxes. They allow a high degree of control on all aspects of the dialogs. The detailed
man pages discuss all the features of these tools, and are a must read. With a little shell
scripting knowledge you can start making front ends to all your favorite command line
tools.
5. LINUX AS ROUTER:
5.1 Linux Router
Routers are amongst the most crucial components of the Internet, as each bit of
information on the Internet passes through many routers. Most of the routers used on
the Internet are made by Cisco. Although these have good performance, they come at a
high price.
In situations where we need to economize, the Linux router is an attractive
alternative. When used as a simple gateway for a LAN, it can be almost free. All that is
needed is a machine with more than one network interface.
If one has a small lab with several LANs and wishes to set up a reliable, as well
as secure, connection to the Internet, the cost of a commercial router may not be
17
justifiable. The most economical solution in this case is to use a low-cost processor
running the LRP.
It makes the building and maintenance of firewall, routers, switches, hubs, and so
on, cheap and straightforward.
In this article we show how to set up a Linux router for two to four LANs and test
its performance under different conditions. For comparison we also used Pentium Is and
IIs. Here we present the results of our investigation into the performance of the Linux
router and compare it with a commercial router.
5.2 Setting Up a Linux Router
The most common function of the Linux router is a connection between two
networks. Typically, this would be a LAN and the Internet. For our experiments, given
the unavailability of a connection to the Internet fast enough to stress the router
sufficiently, we used a server to simulate the Internet.
5.3 Performance of Linux Router
The test setup in our computer lab uses a 100Base-T Ethernet. The NICs and
switching hubs are 100Base-T. All platforms are running Linux 2.2 kernels, and the
Linux router is the default gateway for all of them.
5.4 Bandwidth Measurement
The first configuration uses one client and one server. We connected the server
at the first NIC on the LRP box (eth0) and the client at the second NIC (eth1) through
cross-UTP 100Mb cables. Then we set the ipchains rules on the Linux router for
forwarding the traffic between client and server by issuing the following command:
18
ipchains -I forward -j ACCEPT -s 192.168.1.0/24
-d 192.168.0.0/24 -b
Figure 1. Setup Number One for Measurement of Bandwidth of LRP Box
The ipchains rules for this setup would look like:
ipchains -I forward -j ACCEPT -s 192.168.0.0/24
-d 192.168.1.0/24 –b
ipchains -I forward -j ACCEPT -s 192.168.0.0/24
-d 192.168.2.0/24 –b
ipchains -I forward -j ACCEPT -s 192.168.0.0/24
-d 192.168.3.0/24 –b
ipchains -I forward -j ACCEPT -s 192.168.1.0/24
-d 192.168.2.0/24 –b
ipchains -I forward -j ACCEPT -s 192.168.1.0/24
-d 192.168.3.0/24 –b
19
ipchains -I forward -j ACCEPT -s 192.168.2.0/24
-d 192.168.3.0/24 –b
You can write a script to run these rules eliminating the need to enter them at the
command prompt every time you boot your LRP box. It should be placed in the root
directory so that the user is able to run all the rules by just entering ./filename. We
measured the bandwidth of the router when there was traffic between the server and
more than one client (clients may be from the same or different LANs).
Figure 2. Setup Number Two for Measurement of Bandwidth of LRP Box
For the third configuration we set up multiple servers and multiple clients (cross-
pinging). In this test setup we used two servers connected on eth0 and eth2 of the LRP
box.
20
Figure 4. Setup for Cross-Pinging
5.5 Easy to Handle
The Linux router is easy to handle and configure. It does not require any special
care for its use other than that required for a normal PC. If there is a problem,
configuring it only takes a few minutes. Moreover, it is basically software on a floppy
disk; if your LRP box gets damaged because of power fluctuations (a common problem
in the third world), you can instantly convert another available PC into your router by
adding NICs from the corrupted LRP (if they are not corrupted) and boot it off the floppy
disk. No configuration will be required for this router at all, except the runtime
configuration. You can imagine what a great advantage this is—think of what would
happen if your Cisco router were to be corrupted.
21
5.6 Comparison with a Commercial Router
The following is a comparison of the Linux router with the Cisco 2620 router
available in our laboratory.
The cost of building a good Linux router (based on a Pentium I, 200MHz MMX)
with 1FDD, 32MB of RAM is less than $100 US. (It may be nearly free if you use the
minimum required hardware, i.e., a 486DX with 16MB RAM.) A monitor is not
necessarily required. You can use a borrowed monitor temporarily at configuration time
or configure via a remote serial connection (if you include support for that through the
serial.lrp package). On the other hand, the cost of the Cisco 2620 with a 50MHz
Motorola Processor, 16MB Flash RAM and 40MB DRAM is more than $3,500 US.
Although power consumption here is not of great concern, in most applications it
is notable that the Linux router (running on PI 200MHz, MMX) consumes less than 30W
of power, while Cisco 2600 series routers consume 75W.
You can add as many NICs in the Linux router as you wish (limited by the
number of slots on the main board). In Cisco 2600 there is only one Fast Ethernet card
available.
The modularity of the Linux router is matchless. Its packaging system allows
easy removal and addition of features. You can add/remove packages, even at runtime,
using the lrpkg command. You need to shut down the Linux router to add a module
only if it requires some additional hardware. However, the kernel module for the
hardware can be installed at runtime using insmod. The design of the Cisco router is
not as modular.
For the Linux router there are a large variety of hardware and software products
available in the open market as it has the complete structure of the ordinary Linux
operating system. You can use the product of any manufacturer that has support for the
22
Linux router. Cisco routers, on the other hand, are limited in this respect. Usually only
Cisco products are used with Cisco routers.
Having Linux as the operating system on your router gives you the extra
advantage that you can build your own packages according to your needs using shell
scripting. You also can get a lot of help from the available literature for Linux. Cisco
routers have their own specific operating system called Internet Operating System. The
Cisco 2620 uses IOS release 12.1. Although it is developed on a regular basis, you can
use only those features that are available in the specific IOS release used on your
specific router.
Like Cisco routers, the Linux router also supports the multiprotocol feature. It has
support for RIP, BGP, OSPF and many more that are added through packages.
Services such as Ethernet router, firewall, DNS and ISDN may be initialized on a
Linux router. However, initializing services like DNS (which is highly CPU-bound) will
degrade its performance. It is better to use a separate machine as a DNS server. The
Cisco router has multiservice integration of voice, data and video. As with Cisco routers,
IP masquerading, port translation, load balancing, transparent proxy and interface alias
may all be implemented on a Linux router.
Cisco routers support IPX, Token Ring, VLAN, VPN, Apple Talk and DDR for
advance routing. The Linux router also can support these features through proper
packages. Although to do so, some expertise in Linux and some additional hardware
are required, which will increase the cost of Linux router, but it still will be much less
than that of a Cisco router.
Depending upon the model and series of the Cisco router, it has a limited number
of WAN slots. In the 2620 there are two WIC (WAN Interface Cards) slots, one network
module and one advance integrated mode slot. The two-port serial WAN card has a
asynchronous speed of 115.2Kbps, and synchronous speed equals 2.048Mbps. Port 1
supports only synchronous mode. The Linux router also has support for WAN interface
23
cards. Sangoma WICs , which have a synchronous data rate of 8Mbps, are quite
popular among LRP users. With these cards you can combine many LRP boxes.
However, the disadvantage is that the cost of the LRP box increases—this card costs
about $400 US.
Figure 7. Typical Configuration for a Small Business
5.7 Routing
Routing is the process of selecting paths in a network along which to send
network traffic. Routing is performed for many kinds of networks, including the network,
electronic (such as the Internet), and transportation networks. This article is concerned
primarily with routing in electronic data networks using packet switching technology.
24
In packet switching networks, routing directs packet forwarding, the transit of
logically addressed packets from their source toward their ultimate destination through
intermediate nodes; typically hardware devices
called routers, bridges, gateways, firewalls, or switches. General-purpose computers
with multiple network cards can also forward packets and perform routing, though they
are not specialized hardware and may suffer from limited performance. The routing
process usually directs forwarding on the basis of routing tables which maintain a record
of the routes to various network destinations. Thus, constructing routing tables, which
are held in the routers' memory, is very important for efficient routing. Most routing
algorithms use only one network path at a time, but multipath routing techniques enable
the use of multiple alternative paths.
Routing, in a more narrow sense of the term, is often contrasted with bridging in
its assumption that network addresses are structured and that similar addresses imply
proximity within the network. Because structured addresses allow a single routing table
entry to represent the route to a group of devices, structured addressing (routing, in the
narrow sense) outperforms unstructured addressing (bridging) in large networks, and
has become the dominant form of addressing on the Internet, though bridging is still
widely used within localized environments.
Routing schemes differ in their delivery semantics:
1. unicast delivers a message to a single specified node;
2. broadcast delivers a message to all nodes in the network;
3. multicast delivers a message to a group of nodes that have expressed interest in
receiving the message;
4. anycast delivers a message to any one out of a group of nodes, typically the one
nearest to the source.
Unicast is the dominant form of message delivery on the Internet, and this article
focuses on unicast routing algorithms.
25
Topology distribution
Small networks may involve manually configured routing tables (static routing),
while larger networks involve complex topologies and may change rapidly, making the
manual construction of routing tables unfeasible. Nevertheless, most of the public
switched telephone network (PSTN) uses pre-computed routing tables, with fallback
routes if the most direct route becomes blocked (see routing in the PSTN). Adaptive
routing attempts to solve this problem by constructing routing tables automatically,
based on information carried by routing protocols, and allowing the network to act nearly
autonomously in avoiding network failures and blockages.
Dynamic routing dominates the Internet. However, the configuration of the
routing protocols often requires a skilled touch; one should not suppose that networking
technology has developed to the point of the complete automation of routing.
5.7.1 Unicast
In computer networking, unicast transmission is the sending of information
packets to a single network destination.
The term "unicast" is formed in analogy to the word "broadcast" which means
transmitting the same data to all destinations. Another multi-mode distribution
method, multicasting, is similar to IP broadcasting, but implemented in more efficient
manner.
Unicast messaging is used for all network processes where a private or unique
resource is requested making most networking traffic Unicast in form. Unicast is used
where two way connections are needed to complete the network transaction.
Certain network applications which are mass-distributed are too costly to
implement on Unicast. These include streaming media of many forms. And when
26
multicasting is unavailable, unicasting the exact same content to many users can be
costly. Internet radio stations may have high bandwidth costs because of this.
These terms are also used by streaming content providers' services. Unicast based
media servers open and provide a stream for each unique user. Multicast servers can
support a larger audience by serving content simultaneously to multiple users.
In computer networking, broadcasting refers to transmitting a packet that will be
received (conceptually) by every device on the network. In practice, the scope of the
broadcast is limited to a broadcast domain. Contrast unicasting and multicasting.
Not all computer networks support broadcasting; for example,
neither X.25 nor frame relay supply a broadcast capability, nor is there any form of
Internet-wide broadcast. Broadcasting is largely confined to local area network (LAN)
technologies, most notably Ethernet and Token Ring, where the performance impact of
broadcasting is not as large as it would be in a wide area network.
Both Ethernet and IPv4 use an all-ones broadcast address to indicate a
broadcast packet. Token Ring uses a special value in the IEEE 802.2 control field.
Due to its "shotgun" approach to data distribution, broadcasting is being
increasingly supplanted by multicasting. For example, IPv6 supports neither directed
broadcasts nor local broadcasts.
5.7.2 Multicast
Multicast addressing is a network technology for the delivery of information to a
group of destinations simultaneously using the most efficient strategy to deliver the
messages over each link of the network only once, creating copies only when the links
to the multiple destinations split.
The word "multicast" is typically used to refer to IP multicast which is often employed
for streaming media and Internet television applications. In IP multicast the
implementation of the multicast concept occurs at the IP routing level,
where routers create optimal distribution paths for datagrams sent to a multicast
27
destination address spanning tree in real-time. At the Data Link
Layer, multicastdescribes one-to-many distribution such as Ethernet multicast
addressing, Asynchronous Transfer Mode (ATM) point-to-multipoint virtual circuits
or Infiniband multicast.
5.7.3 Anycast
Anycast is a network addressing and routing scheme whereby data is routed to
the "nearest" or "best" destination as viewed by the routing topology.
The term is intended to echo the terms unicast, broadcast and multicast.
In unicast, there is a one-to-one association between network address and network
endpoint: each destination address uniquely identifies a single receiver endpoint.
In broadcast and multicast, there is a one-to-many association between network
addresses and network endpoints: each destination address identifies a set of receiver
endpoints, to which all information is replicated.
In anycast, there is also a one-to-many association between network addresses
and network endpoints: each destination address identifies a set of receiver endpoints,
but only one of them is chosen at any given time to receive information from any given
sender.
On the Internet, anycast is usually implemented by using BGP to simultaneously
announce the same destination IP address range from many different places on the
Internet. This results in packets addressed to destination addresses in this range being
routed to the "nearest" point on the net announcing the given destination IP address.
In the past, Anycast was suited to connectionless protocols (generally built
on UDP), rather than connection-oriented protocols such as TCP that keep their own
28
state. However, there are many cases where TCP Anycast is now used, including on
carrier networks such as Prolexic.
With TCP Anycast, there are cases where the receiver selected for any given
source may change from time to time as optimal routes change, silently breaking any
conversations that may be in progress at the time. These conditions are typically
referred to as a "pop switch". To correct for this issue, there have been proprietary
advancements within custom IP stacks which allow for healing of stateful protocols
where it is required. However, without any technology to heal pop switches, systems
like GeoDNS are more appropriate.
For this reason, anycast is generally used as a way to provide high availability
and load balancing for stateless services such as access to replicated data; for
example, DNS service is a distributed service over multiple geographically dispersed
servers.
5.6 Forwarding
Forwarding is the relaying of packets from one network segment to another
by nodes in a computer network.
29
A unicast forwarding pattern, typical of many networking technologies including the
overwhelming majority of Internet traffic
A multicast forwarding pattern, typical of PIM
A broadcast forwarding pattern, typical of bridged Ethernet. The simplest
forwarding model - unicasting - involves a packet being relayed from link to link along a
30
chain leading from the packet's source to its destination. However, other forwarding
strategies are commonly used. Broadcasting requires a packet to be duplicated and
copies sent on multiple links with the goal of delivering a copy to every device on the
network. In practice, broadcast packets are not forwarded everywhere on a network, but
only to devices within a broadcast domain, making broadcasta relative term. Less
common than broadcasting, but perhaps of greater utility and theoretical significance
is multicasting, where a packet is selectively duplicated and copies delivered to each of
a set of recipients.
Networking technologies tend to naturally support certain forwarding models. For
example, fiber optics and copper cables run directly from one machine to another form
natural unicast media - data transmitted at one end is received by only one machine at
the other end. However, as illustrated in the diagrams, nodes can forward packets to
create multicast or broadcast distributions from naturally unicast media. Likewise,
traditional Ethernet (10BASE5 and 10BASE2, but not the more modern 10BASE-T) are
natural broadcast media - all the nodes are attached to a single, long cable and a
packet transmitted by one device is seen by every other device attached to the cable.
Ethernet nodes implement unicast by ignoring packets not directly addressed to them.
A wireless network is naturally multicast - all devices within a reception radius of a
transmitter can receive its packets. Wireless nodes ignore packets addressed to other
devices, but require forwarding to reach nodes outside their reception radius.
At nodes where multiple outgoing links are available, the choice of which, all, or
any to use for forwarding a given packet requires a decision making process that, while
simple in concept, is of sometimes bewildering complexity. Since a forwarding decision
must be made for every packet handled by a node, the total time required for this can
become a major limiting factor in overall network performance. Much of the design effort
of high-speed routers and switches has been focused on making rapid forwarding
decisions for large numbers of packets.
The forwarding decision is generally made using one of two processes: routing,
which uses information encoded in a device's address to infer its location on the
31
network, or bridging, which makes no assumptions about where addresses are located
and depends heavily on broadcasting to locate unknown addresses. The heavy
overhead of broadcasting has led to the dominance of routing in large networks,
particularly the Internet; bridging is largely relegated to small networks where the
overhead of broadcasting is tolerable. However, since large networks are usually
composed of many smaller networks linked together, it would be inaccurate to state that
bridging has no use on the Internet; rather, its use is localized.
6. What is Linux Shell ?
Computer understand the language of 0's and 1's called binary language. In early
days of computing, instruction are provided using binary language, which is difficult for
all of us, to read and write. So in Os there is special program called Shell. Shell accepts
your instruction or commands in English (mostly) and if its a valid command, it is pass to
kernel.
Shell is a user program or it's environment provided for user interaction. Shell is
an command language interpreter that executes commands read from the standard
input device (keyboard) or from a file.
Shell is not part of system kernel, but uses the system kernel to execute
programs, create files etc.
Several shell available with Linux including:
Shell Name Developed by Where Remark
BASH ( Bourne-Again
Shell )
Brian Fox and Chet
Ramey
Free Software FoundationMost common shell in
Linux. It's Freeware shell.
CSH (C SHell) Bill Joy University of California
(For BSD)
The C shell's syntax and
usage are very similar to
the C programming
language.
KSH (Korn SHell) David Korn AT & T Bell Labs --
32
TCSH See the man page.
Type $ man tcsh
-- TCSH is an enhanced but
completely compatible
version of the Berkeley
UNIX C shell (CSH).
Tip: To find all available shells in your system type following command:
$ cat /etc/shells
Note that each shell does the same job, but each understand a different command syntax and
provides different built-in functions.
In MS-DOS, Shell name is COMMAND.COM which is also used for same purpose, but
it's not as powerful as our Linux Shells are!
Any of the above shell reads command from user (via Keyboard or Mouse) and tells
Linux Os what users want. If we are giving commands from keyboard it is called command line
interface ( Usually in-front of $ prompt, This prompt is depend upon your shell and Environment
that you set or by your System Administrator, therefore you may get different prompt ).
Tip: To find your current shell type following command
$ echo $SHELL
What is Shell Script ?
Normally shells are interactive. It means shell accept command from you (via
keyboard) and execute them. But if you use command one by one (sequence of 'n'
number of commands) , the you can store this sequence of command to text file and tell
the shell to execute this text file instead of entering the commands. This is know as shell
script.
Shell script defined as:
"Shell Script is series of command written in plain text file. Shell script is just like batch
file is MS-DOS but have more power than the MS-DOS batch file."
33
Why to Write Shell Script ?
Shell script can take input from user, file and output them on screen.
Useful to create our own commands.
Save lots of time.
To automate some task of day today life.
System Administration part can be also automated.
Here is where the fun begins
With the thousands of commands available for the command line user, how can
you remember them all? The answer is, you don't. The real power of the computer is its
ability to do the work for you. To get it to do that, we use the power of the shell to
automate things. We write scripts.
Scripts are collections of commands that are stored in a file. The shell can read
this file and act on the commands as if they were typed at the keyboard. In addition to
the things you have learned so far, the shell also provides a variety of useful
programming features to make your scripts truly powerful.
What are scripts good for? A wide range of tasks can be automated. Here are
some of the things I automate with scripts:
A script gathers up all the files (over 2200) in this site on my computer and
transmits them to my web server. Every Friday night, all my computers copy their files to
a "backup server" on my network. This is performed by a script.
A script automatically gets the current updates from my Linux vendor and maintains a
repository of vital updates. It sends me an email message with a report of tasks that
need to be done. As you can see, scripts unlock the power of your Linux machine. So
let's have some fun!
34
Writing your first script and getting it to work
To successfully write a shell script, you have to do three things:
1. Write a script
2. Give the shell permission to execute it
3. Put it somewhere the shell can find it
Writing a script
A shell script is a file that contains ASCII text. To create a shell script, you use
a text editor. A text editor is a program, like a word processor, that reads and writes
ASCII text files. There are many, many text editors available for your Linux system, both
for the command line environment and the GUI environment. Here is a list of some
common ones:
Now, fire up your text editor and type in your first script as follows:
#!/bin/bash
# My first script
echo "Hello World!"
The clever among you will have figured out how to copy and paste the text into your text
editor ;-)
If you have ever opened a book on programming, you would immediately
recognize this as the traditional "Hello World" program. Save your file with some
descriptive name. How about my_script?
The first line of the script is important. This is a special clue given to the shell
indicating what program is used to interpret the script. In this case, it is /bin/bash. Other
scripting languages such as perl, awk, tcl, Tk, and python can also use this mechanism.
35
The second line is a comment. Everything that appears after a "#" symbol is ignored
by bash. As your scripts become bigger and more complicated, comments become
vital. They are used by programmers to explain what is going on so that others can
figure it out. The last line is the echo command. This command simply prints what it is
given on the display.
Setting permissions
The next thing we have to do is give the shell permission to execute your script.
This is done with the chmod command as follows:
[me@linuxbox me]$ chmod 755 my_script
The "755" will give you read, write, and execute permission. Everybody else will
get only read and execute permission. If you want your script to be private (i.e., only you
can read and execute), use "700" instead.
Putting it in your path
At this point, your script will run. Try this:
[me@linuxbox me]$ ./my_script
You should see "Hello World!" displayed. If you do not, see what directory you
really saved your script in, go there and try again.
Before we go any further, I have to stop and talk a while about paths. When you type in
the name of a command, the system does not search the entire computer to find where
the program is located. That would take a long time. You have noticed that you don't
usually have to specify a complete path name to the program you want to run, the shell
just seems to know.
36
Well, you are right. The shell does know. Here's how: the shell maintains a list of
directories where executable files (programs) are kept, and just searches the directories
in that list. If it does not find the program after searching each directory in the list, it will
issue the famous command not found error message.
This list of directories is called your path. You can view the list of directories with
the following command:
[me@linuxbox me]$ echo $PATH
This will return a colon separated list of directories that will be searched if a
specific path name is not given when a command is attempted. In our first attempt to
execute your new script, we specified a pathname ("./") to the file.
You can add directories to your path with the following command, where directory is the
name of the directory you want to add:
[me@linuxbox me]$ export PATH=$PATH:directory
A better way would be to edit your .bash_profile file to include the above
command. That way, it would be done automatically every time you log in.
Most modern Linux distributions encourage a practice in which each user has a specific
directory for the programs he/she personally uses. This directory is called bin and is a
subdirectory of your home directory. If you do not already have one, create it with the
following command:
[me@linuxbox me]$ mkdir bin
Move your script into your new bin directory and you're all set. Now you just have
to type:
[me@linuxbox me]$ my_script
and your script will run.
37
Variables in Shell
To process our data/information, data must be kept in computers RAM memory.
RAM memory is divided into small locations, and each location had unique number
called memory location/address, which is used to hold our data. Programmer can give a
unique name to this memory location/address called memory variable or variable (Its a
named storage location that may take different values, but only one at a time).
In Linux (Shell), there are two types of variable:
(1) System variables - Created and maintained by Linux itself. This type of variable
defined in CAPITAL LETTERS.
(2) User defined variables (UDV) - Created and maintained by user. This type of
variable defined in lower letters.
You can see system variables by giving command like $ set, some of the
important System variables are:
System Variable Meaning
BASH=/bin/bash Our shell name
BASH_VERSION=1.14.7(1) Our shell version name
COLUMNS=80 No. of columns for our screen
HOME=/home/vivek Our home directory
LINES=25 No. of columns for our screen
LOGNAME=students students Our logging name
OSTYPE=Linux Our Os type
PATH=/usr/bin:/sbin:/bin:/usr/sbin Our path settings
PS1=[\u@\h \W]\$ Our prompt settings
PWD=/home/students/Common Our current working directory
SHELL=/bin/bash Our shell name
38
USERNAME=vivek User name who is currently login to this PC
NOTE that Some of the above settings can be different in your PC/Linux environment.
You can print any of the above variables contains as follows:
$ echo $USERNAME
$ echo $HOME
How to define User defined variables (UDV)
To define UDV use following syntax
Syntax:
variable name=value
'value' is assigned to given 'variable name' and Value must be on right side = sign.
Example:
$ no=10# this is ok
$ 10=no# Error, NOT Ok, Value must be on right side of = sign.
To define variable called 'vech' having value Bus
$ vech=Bus
To define variable called n having value 10
$ n=10
Rules for Naming variable name (Both UDV and System Variable)
(1) Variable name must begin with Alphanumeric character or underscore
character (_), followed by one or more Alphanumeric character. For e.g. Valid shell
variable are as follows
HOME
SYSTEM_VERSION
vech
no
39
(2) Don't put spaces on either side of the equal sign when assigning value to variable.
For e.g. In following variable declaration there will be no error
$ no=10
But there will be problem for any of the following variable declaration:
$ no =10
$ no= 10
$ no = 10
(3) Variables are case-sensitive, just like filename in Linux. For e.g.
$ no=10
$ No=11
$ NO=20
$ nO=2
Above all are different variable name, so to print value 20 we have to use $ echo $NO
and not any of the following
$ echo $no # will print 10 but not 20
$ echo $No# will print 11 but not 20
$ echo $nO# will print 2 but not 20
(4) You can define NULL variable as follows (NULL variable is variable which has no
value at the time of definition) For e.g.
$ vech=
$ vech=""
Try to print it's value by issuing following command
$ echo $vech
Nothing will be shown because variable has no value i.e. NULL variable.
(5) Do not use ?,* etc, to name your variable names.
How to print or access value of UDV (User defined variables)
To print or access UDV use following syntax
Syntax:
$variablename
40
Define variable vech and n as follows:
$ vech=Bus
$ n=10
To print contains of variable 'vech' type
$ echo $vech
It will print 'Bus',To print contains of variable 'n' type command as follows
$ echo $n
Caution: Do not try $ echo vech, as it will print vech instead its value 'Bus' and $ echo n,
as it will print n instead its value '10', You must use $ followed by variable name.
echo Command
Use echo command to display text or value of variable.
echo [options] [string, variables...]
Displays text or variables value on screen.
Options
-n Do not output the trailing new line.
-e Enable interpretation of the following backslash escaped characters in the strings:
\a alert (bell)
\b backspace
\c suppress trailing new line
\n new line
\r carriage return
\t horizontal tab
\\ backslash
For e.g. $ echo -e "An apple a day keeps away \a\t\tdoctor\n"
41
Shell Arithmetic
Use to perform arithmetic operations.
Syntax:
expr op1 math-operator op2
Examples:
$ expr 1 + 3
$ expr 2 - 1
$ expr 10 / 2
$ expr 20 % 3
$ expr 10 \* 3
$ echo `expr 6 + 3`
Note:
expr 20 %3 - Remainder read as 20 mod 3 and remainder is 2.
expr 10 \* 3 - Multiplication use \* and not * since its wild card.
For the last statement not the following points
(1) First, before expr keyword we used ` (back quote) sign not the (single quote i.e. ')
sign. Back quote is generally found on the key under tilde (~) on PC keyboard OR to the
above of TAB key.
(2) Second, expr is also end with ` i.e. back quote.
(3) Here expr 6 + 3 is evaluated to 9, then echo command prints 9 as sum
(4) Here if you use double quote or single quote, it will NOT work
For e.g.
$ echo "expr 6 + 3" # It will print expr 6 + 3
$ echo 'expr 6 + 3' # It will print expr 6 + 3
42
The read Statement
Use to get input (data from user) from keyboard and store (data) to variable.
Syntax:
read variable1, variable2,...variableN
Following script first ask user, name and then waits to enter name from the user
via keyboard. Then user enters name from keyboard (after giving name you have to
press ENTER key) and entered name through keyboard is stored (assigned) to variable
fname.
$ vi sayH
#
#Script to read your name from key-board
#
echo "Your first name please:"
read fname
echo "Hello $fname, Lets be friend!"
Run it as follows:
$ chmod 755 sayH
$ ./sayH
Your first name please: vivek
Hello vivek, Lets be friend!
7. WORKING OF DHCP:
7.1 WHAT IS DHCP?
Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked
devices (clients) to obtain various parameters necessary for the clients to operate in an
Internet Protocol (IP) network. By using this protocol, system administration workload
greatly decreases, and devices can be added to the network with minimal or no manual
43
configurations. DHCP is also useful for directly assigning addresses to servers and
desktop machines, and, through a Point-to-Point Protocol (PPP) proxy, for dialup and
broadband on-demand hosts, as well as for residential Network address translation
(NAT) gateways and routers. DHCP is usually not appropriate for infrastructure such as
non-edge routers and DNS servers. The dynamic host configuration protocol (DHCP)
provides automatic configuration like IP address DNS server, NIS server, gateway etc.
on client machine.
7.2 ROLE IN THIS PROJECT:
When a DHCP-configured client (be it a computer or any other network aware
device) connects to a network, the DHCP client sends a broadcast query requesting
necessary information from a DHCP server. The DHCP server manages a pool of IP
addresses and information about client configuration parameters such as the default
gateway, the domain name, the DNS servers, other servers such as timeservers, and
so forth. Upon receipt of a valid request the server will assign the computer an IP
address, a lease (the length of time for which the allocation is valid), and other IP
configuration parameters, such as the subnet mask and the default gateway. The query
is typically initiated immediately after booting and must be completed before the client
can initiate IP-based communication with other hosts. It is providing automatic gateway
and IP addresses to the client machines here according to their requests.
44
7.4 Screenshots and working of DHCP:
As the above dialog box is showing the 3 menu boxes for configure, add and delete the
dhcp server.
If the user presses “configure” then the dhcp wizard will be opened that will ask
for the configuration information for dhcp as below:
45
If the user presses “add” or “delete”, then a dialog box will open that will ask for the mac
address of the client machine as below:
46
8. WORKING OF SQUID:
The SQUID server is use for filtering. Its main job is to allow or deny any host or
destination. It automatically works on port no. 3128. We can also filter the contents of
the packets. Squid has one primary configuration file, squid.conf. This file is generally
located in /etc/squid/, or if you compiled Squid from source, the default location is
/usr/local/squid/etc/.
47
8.1 Access control lists
The primary use of ACLs is to control access, but they can also be used to route
requests through a hierarchy, control request rewriting, and manage quality of service.
Access controls divides into two parts: elements and rules. ACL elements are
things such as IP addresses, port numbers, hostnames, and URL patterns. Each ACL
element has a name, which you refer to when writing the access list rules. The basic
syntax of an ACL element is:
ACLname type value1 value2
Squid has more than 20 ACL types, including types for source and destination IP
addresses, time, URLs, port numbers, and transfer protocols. After defining the ACL
elements, the next step is to combine them with Access list rules. Rules combine
elements to allow or deny certain actions. The syntax for an access control rule is:
access_list allow/deny [!]ACLname
For example, the rule:
http_access allow MyClients
8.2 ROLE IN THIS PROJECT:
The squid here is working as the transparent proxy server.
In transparent proxy, no work, procedure, or configuration works on the client end;
rather everything is perform on the server side.
In the project, by using IP table’s dnating rules, transparent proxy is use.
We use rule of dnating in the IP tables on every packet for port no. 80 that it
automatically transfer to the proxy server on port no. 3128.
48
Rule is-
iptables –t nat –A PREROUTING -p tcp -- dport 80 -j DNAT --to-dest proxy-
IP:3128
Now we add the rules in /etc/squid/squid.conf that is the configuration file of
proxy server; for different host name and IP.
8.3 Screen shots and working:
The following screen shot represents the dialog box where it asks to the user
whether to configure the server or to add a new rule.
If it is pressed “configure” then a new squid server be configured; else if it is chosen to
add a new rule it will be done asked for the host name and IP as shown below:
49
When all the entries are being done, then automatically rules are added in
/etc/squid/squid.conf on the top and services are restarted automatically.
When it is preesed OK ,then it is beng asked for adding another rule as below:
50
When the user presses OK, then again it asks for entry otherwise it closes the dialog
box.
9. WORKING OF GATEWAY:
If a client receives another network’s requests then it passes it to the gateway.
And the gateway works as a router here and forwards the packets in another network.
51
9.1 Configure Linux for packet forwarding
First, we need to enable packet forwarding on the kernel level (more on what the
hell this means later). Edit your /etc/sysctl.conf so it contains the following:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Since most people have dynamic IP's, you will probably also want:
# Enable dynamic-ip address hacking
net.ipv4.ip_dynaddr = 1
For other potentially worthwhile settings, you can check out my whole sysctl.conf file.
Now set the eth01 interface up, which we will manually assign as 192.168.3.1 on
our internal network. This is done by editing /etc/sysconfig/network-scripts/ifcfg-eth1 like
so:
DEVICE= eth1
ONBOOT= yes
BOOTPROTO= none
# (put your correct value below)
HWADDR= XX:XX:XX:XX:XX:XX
IPADDR=192.168.3.1
9.2 ROLE IN THIS PROJECT:
Packets that are routed through the router are governed by rules in the
FORWARD chain. Connections from and to the router itself are managed by the INPUT
and OUTPUT chains. Rules should be written as if no NAT occurs, using the 'real'
addresses.
Here if a client wants to connect to the internet, then it requests to the gateway.
The gateway transfers the requests on the proxy server. It filters the packets and again
52
transfers it to the gateway; because proxy also has the entry of gateway. The gateway
gives the response to the proxy and proxy sends it to the destination client.
9.3 CONFIGURATION OF THE GATEWAY:
53
10. WORKING OF IP TABLES:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules
in the Linux kernel. Several different tables may be defined. Each table contains a
number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what
to do with a packet that matches. This is called a 'target', which may be a jump to a
user-defined chain in the same table.
10.1 Targets
A firewall rule specifies criteria for a packet, and a target. If the packet does not
match, the next rule in the chain is the examined; if it does match, then the next rule is
specified by the value of the target, which can be the name of a user-defined chain or
one of the special values ACCEPT, DROP, QUEUE, or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet on
the floor. QUEUE means to pass the packet to userspace. (How the packet can be
received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x
kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later
additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE
will be sent to queue number '0' in this case. Please also see the NFQUEUE target as
described later in this man page.) RETURN means stop traversing this chain and
resume at the next rule in the previous (calling) chain. If the end of a built-in chain is
reached or a rule in a built-in chain with target RETURN is matched, the target specified
by the chain policy determines the fate of the packet.
10.2 Tables
There are currently three independent tables (which tables are present at any
time depends on the kernel configuration options and which modules are present).
54
-t, --table table
This option specifies the packet matching table which the command should
operate on. If the kernel is configured with automatic module loading, an attempt will be
made to load the appropriate module for that table if it is not already there.
The tables are as follows:
10.2.1 Filter:
This is the default table (if no -t option is passed). It contains the built-in chains
INPUT (for packets destined to local sockets), FORWARD (for packets being routed
through the box), and OUTPUT (for locally-generated packets).
10.2.2 nat:
This table is consulted when a packet that creates a new connection is
encountered. It consists of three built-ins: PREROUTING (for altering packets as soon
as they come in), OUTPUT (for altering locally-generated packets before routing), and
POSTROUTING (for altering packets as they are about to go out).
10.2.3 Mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two
built-in chains: PREROUTING (for altering incoming packets before routing) and
OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18,
three other built-in chains are also supported: INPUT (for packets coming into the box
itself), FORWARD (for altering packets being routed through the box), and
POSTROUTING (for altering packets as they are about to go out).
55
10.2.4 Raw:
This table is used mainly for configuring exemptions from connection tracking in
combination with the NOTRACK target. It registers at the netfilter hooks with higher
priority and is thus called before ip_conntrack, or any other IP tables. It provides the
following built-in chains: PREROUTING (for packets arriving via any network interface)
OUTPUT (for packets generated by local processes)
10.3 ROLE IN THIS PROJECT:
10.3.1 Packet Filtering
Traffic moves through a network in packets. A network packet is collection of
data in a specific size and format. In order to transmit a file over a network, the sending
computer must first break the file into packets using the rules of the network protocol.
Each of these packets holds a small part of the file data. Upon receiving the
transmission, the target computer reassembles the packets into the file.
Every packet contains information which helps it navigate the network and move
toward its destination. The packet can tell computers along the way, as well as the
destination machine, where it came from, where it is going, and what type of packet it is,
among other things. Most packets are designed to carry data, although some protocols
use packets in special ways. For example, the Transmission Control Protocol (TCP)
uses a SYN packet, which contains no data, to initiate communication between two
systems.
The Linux kernel contains the built-in ability to filter packets, allowing some of
them into the system while stopping others. The 2.4 kernel's netfilter has three built-in
tables or rules lists. They are as follows:
Filter — this is the default table for handling network packets.
56
Nat — this table used to alter packets that create a new connection.
Mangle — this table is used for specific types of packet alteration.
Each of these tables in turn have a group of built-in chains which correspond to
the actions performed on the packet by the netfilter.
The built-in chains for the filter table are as follows:
INPUT — This chain applies to packets received via a network interface.
OUTPUT — This chain applies to packets sent out via the same network interface which
received the packets.
FORWARD — This chain applies to packets received on one network interface and sent
out on another.
The built-in chains for the nat table are as follows:
PREROUTING — This chain alters packets received via a network interface when they
arrive.
OUTPUT — This chain alters locally-generated packets before they are routed via a
network interface.
POSTROUTING — This chain alters packets before they are sent out via a network
interface.
The built-in chains for the mangle table are as follows:
57
PREROUTING — This chain alters packets received via a network interface before they
are routed.
OUTPUT — this chain alters locally-generated packets before they are routed via a
network interface.
11. CODING:
AUTO IP:
dialog --title "" --backtitle "by varun and omveer" --pause "Loading AUTO-IP
CONFIGURATOR TUI..." 10 60 2
sh /grras/wel
DHCP CONF:
dialog --colors --title "DHCP CONFIGURATION" --backtitle "varun n omveer" --form "\Z7
enter valid IP values" 18 40 10 "Subnet" 1 4 "192.168.1.0" 1 12 20 16 "Netmask" 3 4
"255.255.255.0" 3 12 20 16 "Range_start" 5 4 "198.168.1.2" 5 16 16 16 "Range_end" 7
4 "192.168.1.254" 7 16 16 16 "Gateway" 9 4 "192.168.1.1" 9 16 16 16 2> /tmp/dhcp$
tmp=$?
subnet=`head -1 /tmp/dhcp$$`
netmask=`head -2 /tmp/dhcp$$ | tail -1`
s_range=`head -3 /tmp/dhcp$$ | tail -1`
e_range=`head -4 /tmp/dhcp$$ | tail -1`
g_way=`head -5 /tmp/dhcp$$ | tail -1`
case $tmp in
0)
echo "ddns-update-style interim;
ignore client-updates;
subnet $subnet netmask $netmask {
58
# --- default gateway
option routers $g_way;
option subnet-mask $netmask;
# option nis-domain "domain.org";
# option domain-name "domain.org";
# option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range dynamic-bootp $s_range $e_range;
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
}" > /etc/dhcpd.conf
ser=$?
if [ $ser = "0" ]
then
service dhcpd restart
chkconfig dhcpd on
sh /grras/menu;
else
dialog --pause "Error Occured TRY AGAIN" 20 20 3
sh /grras/menu;
fi
59
;;
1)
sh /grras/dhcpmenu
;;
*)
clear
esac
DHCP EDIT:
dialog --colors --title "DHCP EDIT" --backtitle "varun n omveer" --form "\Z7 enter valid IP
values" 18 40 10 "Subnet" 1 4 "192.168.1.0" 1 12 20 16 "Netmask" 3 4 "255.255.255.0"
3 12 20 16 "Range_start" 5 4 "198.168.1.2" 5 16 16 16 "Range_end" 7 4
"192.168.1.254" 7 16 16 16 "Gateway" 9 4 "192.168.1.1" 9 16 16 16 2> /tmp/dhcp$$
tmp=$?
subnet=`head -1 /tmp/dhcp$$`
netmask=`head -2 /tmp/dhcp$$ | tail -1`
s_range=`head -3 /tmp/dhcp$$ | tail -1`
e_range=`head -4 /tmp/dhcp$$ | tail -1`
g_way=`head -5 /tmp/dhcp$$ | tail -1`
case $tmp in
0)
echo "ddns-update-style interim;
ignore client-updates;
subnet $subnet netmask $netmask {
# --- default gateway
option routers $g_way;
option subnet-mask $netmask;
# option nis-domain "domain.org";
60
# option domain-name "domain.org";
# option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range dynamic-bootp $s_range $e_range;
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
}" > /etc/dhcpd.conf
ser=$?
if [ $ser = "0" ]
then
service dhcpd restart
chkconfig dhcpd on
sh /grras/menu
else
dialog --pause "Error Occured TRY AGAIN" 20 20 3
fi
;;
1)
sh /grras/dhcpmenu
;;
*)
clear
echo "error $?"
;;
61
esac
DHCP MENU:
dialog --colors --title "DHCP" --backtitle "\Z7Do you want to make new configuration or
edit old configuration" --menu "select" 10 50 5 CONFIGURE "make new dhcp setting"
EDIT "edit old dhcp setting" 2> /tmp/dhcpmenu$$.tmp
tmp=$?
opt=`cat /tmp/dhcpmenu$$.tmp`
case $tmp in
0)
if [ "$opt" = "CONFIGURE" ]
then
sh /grras/dhcpconf;
elif [ "$opt" = "EDIT" ]
then
sh /grras/dhcpedit;
fi
;;
*)
sh /grras/menu;
;;
esac
rm /tmp/dhcpmenu$$.tmp
INSTALL.sh:
rpm -ivh ./dhcp-3.0.5-7.el5.i386.rpm
rpm -ivh ./squid-2.6.STABLE6-4.el5.i386.rpm
rpm -ivh ./dialog-1.0.20051107-1.2.2.i386.rpm62
rm -rf /grras
mkdir /grras
cp -rf ./* /grras
echo "PATH=$PATH:/grras" >> /root/.bashrc
echo "please re login"
LOGS :
cat /var/log/squid/access.log
MENU:
dialog --colors --title "SERVICES" --backtitle "\Z7 select a service you want to configure"
--menu "Service List" 20 50 10 DHCP "configure and edit dhcp" PROXY "allow and
deny websites" MANAGE_USER "add or remove users" ROUTER "configure router"
LOGS "view logs" 2> /tmp/menu$$.tmp
run=$?
opt=`cat /tmp/menu$$.tmp`
case $run in
0)
if [ "$opt" = "DHCP" ]
then
sh /grras/dhcpmenu;
elif [ "$opt" = "PROXY" ]
then
sh /grras/proxymenu;
elif [ "$opt" = "ROUTER" ]
then
sh /grras/routermenu;
elif [ "$opt" = "MANAGE_USER" ]
then63
sh /grras/usermenu;
elif [ "$opt" = "LOGS" ]
then
sh logs;
fi
;;
*)
clear
echo "
thankyou
";
;;
esac
rm -rf /tmp/menu$$.tmp
PASSWORD:
dialog --passwordbox "enter password" 10 30 2> /tmp/pas$$.tmp
tmp=$?
var=`cat /tmp/pas$$.tmp`
case $tmp in
0)
if [ "$var" = "redhat" ]
then
sh /grras/menu
else
dialog --pause "ACCESS DENIED" 10 50 1
64
sh /grras/passwrd
fi
;;
*)
clear
;;
esac
PLAN:
iptables -D INPUT -m mac --mac 88:88 -j ACCEPT; service iptable save; chconfig
iptables on
PROXY ADD:
dialog --colors --title "\Z1ADD PROXY" --backtitle "\Z7enter a valid site name or ip" --
inputbox "Enter the sites name or IP address" 10 110 2> /tmp/file$$.tmp
tmp=$?
head=`cat /grras/count`
head -2520 /etc/squid/squid.conf > /tmp/head$$.tmp
tail -$head /etc/squid/squid.conf> /tmp/tail$$.tmp
let hi=$head+2
var=`cat /tmp/file$$.tmp`
echo $hi > /grras/count
case $tmp in
0)
cat /tmp/head$$.tmp > /etc/squid/squid.conf
echo "acl grras$$ dst $var
http_access allow grras$$" >> /etc/squid/squid.conf
cat /tmp/tail$$.tmp >> /etc/squid/squid.conf
service squid restart &> /dev/null
65
sh /grras/proxymenu
;;
1)
sh proxymenu
;;
*)
clear
;;
esac
PROXY CONF:
cp -rf /grras/squid /etc/squid/squid.conf
chkconfig squid on
service squid restart &> /dev/null
ser=$?
if [ "$ser" = "0" ]
then
dialog --pause "PROXY CONFIGURED,THANKYOU" 10 30 2
echo "1805" > /grras/count;
sh /grras/proxymenu
else
dialog --pause "Sorry, Again configure" 10 30 2
sh /grras/proxymenu
fi
PROXY MENU:
dialog --colors --title "\Z1PROXY" --backtitle "varun n omveer" --menu "To add/remove
sites" 20 40 5 CONF "to configure proxy" ADD "add site to proxy" REMOVE "remove
site from proxy" 2> /tmp/pxm$$.tmp
66
tmp=$?
opt=`cat /tmp/pxm$$.tmp`
case $tmp in
0)
if [ "$opt" = "ADD" ]
then
sh /grras/proxyadd;
elif [ "$opt" = "REMOVE" ]
then
sh /grras/proxyremove;
elif [ "$opt" = "CONF" ]
then
sh /grras/proxyconf;
fi
;;
*)
sh /grras/menu;
;;
esac
PROXY REMOVE:
dialog --colors --title "\Z1ADD PROXY" --backtitle "\Z7enter a valid site name or ip" --
inputbox "Enter the sites name or IP address" 10 110 2> /tmp/file$$.tmp
tmp=$?
head=`cat /grras/count`
head -2520 /etc/squid/squid.conf > /tmp/head$$.tmp
tail -$head /etc/squid/squid.conf> /tmp/tail$$.tmp
let hi=$head+2
var=`cat /tmp/file$$.tmp`
echo $hi > /grras/count
case $tmp in
67
0)
cat /tmp/head$$.tmp > /etc/squid/squid.conf
echo "acl grras$$ dst $var
http_access deny grras$$" >> /etc/squid/squid.conf
cat /tmp/tail$$.tmp >> /etc/squid/squid.conf
service squid restart &> /dev/null
sh /grras/proxymenu
;;
1)
sh proxymenu
;;
*)
clear
;;
esac
ROUTER MENU:
dialog --colors --title "ROUTER SETTING" --backtitle "VARUN" --menu "" 30 50 10
ROUTE "route IP packets to proxy" TRANSPARENT "enable transparent proxy" 2>
/tmp/r$$.tmp
opt=`cat /tmp/r$$.tmp`
tmp=$?
cp -f sysctl.conf /etc/sysctl.conf
sysctl -p
case $tmp in
0)
if [ "$opt" = "ROUTE" ]
then
dialog --title "ENTER YOUR IP" --backtitle "varun n omveer" --inputbox "" 30 50 2>
/tmp/ip$$.tmp
tmp=$?
68
ip=`cat /tmp/ip$$.tmp`
ifconfig eth0 $ip
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest $ip:3128
service iptable save
chkconfig iptables on
sh /grras/routermenu;
else
sh /grras/transmenu;
fi
;;
1)
sh /grras/menu
;;
esac
rm /tmp/r$$.tmp
rm /tmp/ip$$.tmp
TRANSPARENCY OFF:
head -72 /etc/squid/squid.conf > /tmp/sq$$
let rajat=`wc -l /etc/squid/squid.conf | cut --delimiter=" " -f1`-73
tail -$rajat /etc/squid/squid.conf > /tmp/sqd$$
cat /tmp/sq$$ > /etc/squid/squid.conf
echo "http_port 3128" >> /etc/squid/squid.conf
cat /tmp/sqd$$ >> /etc/squid/squid.conf
TRANSPARENCY ON:
head -72 /etc/squid/squid.conf > /tmp/sq$$
let rajat=`wc -l /etc/squid/squid.conf | cut --delimiter=" " -f1`-73
tail -$rajat /etc/squid/squid.conf > /tmp/sqd$$69
cat /tmp/sq$$ > /etc/squid/squid.conf
echo "http_port 3128 transparent" >> /etc/squid/squid.conf
cat /tmp/sqd$$ >> /etc/squid/squid.conf
service squid restart
TRANSPARENCY MENU:
dialog --title "TRANSPARENT" --backtitle "varun n omi" --menu "Select" 20 70 10 ON
"to on proxy for clients (remotely)" OFF "to off proxy for client" 2> /tmp/trans$$
tmp=$?
opt=`cat /tmp/trans$$`
case $tmp in
0)
if [ "$opt" = "ON" ]
then
sh /grras/tranon
dialog --pause "TRANSPARENCY IS ON" 20 20 1
sh /grras/transmenu;
else
sh /grras/tranoff
dialog --pause "TRANSPARENCY IS OFF" 20 20 1
sh /grras/transmenu;
fi
;;
1)
sh /grras/menu;
;;
esac
70
USER ADD:
dialog --title "ADD USER" --backtitle "varun omveer" --form "user information" 20 50 5
"mac_add" 1 4 "" 1 12 30 30 2> /tmp/add$$
tmp=$?
opt=`cat /tmp/add$$`
mac=$opt
case $tmp in
0)
iptables -I INPUT -m mac --mac $mac -j ACCEPT
error=$?
if [ "$error" != "0" ]
then
dialog --pause " SORRY PLEASE ENTER RIGHT MAC ADDRESS" 10 60 3
sh /grras/useradd
fi
service iptable save
chconfig iptables on
dialog --colors --no-shadow --title "\Z1PLANS" --backtitle "\Z2SECURE INTERNET" --
radiolist "PERIODS" 10 110 5 1month "for one month" "" 2month "for two months" ""
3month "for three months" "" 4month "for four months" "" 6month " for six months" ""
1year "for one year" "" 2> /tmp/file$$.tmp
var=`cat /tmp/file$$.tmp`
echo "iptables -D INPUT -m mac --mac $mac -j ACCEPT; service iptable save; chconfig
iptables on" > plan
at now+$var < plan
sh /grras/useradd
;;
1)
sh /grras/menu
;;
71
*)
clear
;;
esac
USER MENU:
dialog --title "MANAGE USERS" --backtitle "varun" --menu "Add or Remove a USER" 20
30 10 ADD "add a user" REMOVE "remove a user" 2> /tmp/user$$.tmp
tmp=$?
opt=`cat /tmp/user$$.tmp`
case $tmp in
0)
if [ "$opt" = "ADD" ]
then
sh /grras/useradd;
elif [ "$opt" = "REMOVE" ]
then
sh /grras/userrem;
fi
;;
*)
sh /grras/menu;
;;
esac
rm /tmp/user$$.tmp
USER REMOVE:
72
dialog --title " REMOVE USER" --backtitle "varun omveer" --form "user information" 20
50 5 "mac_add" 1 4 "" 1 12 30 30 2> /tmp/add$$
tmp=$?
opt=`cat /tmp/add$$`
mac=$opt
case $tmp in
0)
iptables -D INPUT -m mac --mac $mac -j ACCEPT
error=$?
if [ "$error" != "0" ]
then
dialog --pause " SORRY PLEASE ENTER RIGHT MAC ADDRESS" 10 60 3
sh /grras/useradd
fi
service iptable save
chconfig iptables on
;;
1)
sh /grras/menu
;;
*)
clear
;;
esac
WELCOME:
dialog --colors --title "\Z2 AUTO IP CONFIGURATOR" --backtitle "\Z7
WELCOME" --yesno "\Z5 Configure network" 10 100
tmp=$?
case $tmp in
0)
sh /grras/passwrd
73
;;
1)
dialog --pause " THANK YOU
....logging out TUI" 10 60 3
clear
;;
Esac
74
12. CONCLUSION
The conclusion can be made like this, the project “AUTO-IP MANAGER”
is useful on the administrator end .The project automatic configures the whole
procedure of assigning and implementation according to the requirement of users.
The project is using the dialog box utilities that makes it quite user friendly and
easy to configure. Moreover the project plays a role of a highly secure mechanism in the
IP configuration and accessing the web, manually.
All the processes will be made on the server side thus the administrator has to do
fewer efforts and the clients are having a much easier approach to gain the IP address
automatically and connect to the internet.
Thus this project, due to its easy and secure approach, can be used in any of the
lab. And live condition according to the load of work and requirements.
75
13. REFERENCES
WEBSITES:
www.linux.org
www.squid –cache.org
www.google.com/linux/dhcp
www.linux-live.org/
www.amazon.com/Linux-Shell-Script-Programming-Meadors
BOOKS:
Fedora-Bible 2006(TMH).
Red hat Linux essentials.
Red hat Linux security specialists333.
76
77