JTK – Notes and Ramblings Things we have found …

It was a real PITA to get sendmail to cooperate with sending via a secure SMPT relay. I found instructions on several websites that resulted in a 95% solution.

First you will need to install sendmail-cf. It is a separate package the is require to modify recompile the sendmail config.

dnl# This is the default sendmail .mc file for Slackware. To generate
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`Linux Home Automation FC6 Gmail')dnl
OSTYPE(`linux')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
dnl FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
EXPOSED_USER(`root')dnl
FEATURE(`authinfo',`hash /etc/mail/authinfo')dnl
LOCAL_DOMAIN(`yourlocaldomainhere.com')dnl
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')
dnl#
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl#
define(`confCACERT_PATH', `/etc/pki/tls/certs')
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')
define(`confCLIENT_CERT', `/etc/pki/tls/certs/sendmail.pem')
define(`confCLIENT_KEY', `/etc/pki/tls/certs/sendmail.pem')
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
MASQUERADE_AS(`yourdomain.com') dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable') dnl
dnl GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')dnl
dnl #
dnl # Leave these at the end, sendmail prefers these last (for the most part)
dnl #
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

Rebuild the csendmail.cf with m4 sendmail.mc > sendmail.cf

You will need to create /etc/mail/authinfo.

AuthInfo:smtp.gmail.com "U:smmsp" "I:username" "P:mysecret" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:smmsp" "I:username" "P:mysecret" "M:PLAIN"

This is built into authinfo.db with makemap hash /etc/mail/authinfo < /etc/mail/authinfo

Be sure to chmod o-rx /etc/mail/authinfo.

You will also want to edit /etc/mail/local-host-names to include your hostname.

At this point you should be able to mail outside the system using sendmail and the gmail SMTP servers.

Using the AsteriskNOW 1.7 distribution as the starting point for the gateway we needed to get the right stuff into iptables.

# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*mangle
:PREROUTING ACCEPT [527652:250920735]
:INPUT ACCEPT [83766:27202814]
:FORWARD ACCEPT [443523:223508833]
:OUTPUT ACCEPT [81940:39515916]
:POSTROUTING ACCEPT [525477:263026885]
COMMIT
# Completed on Sun Aug 7 00:35:02 2011
# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i ppp1 -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp+ --dport 0:1023 -j DROP
-A INPUT -p udp -m udp -i ppp+ --dport 0:1023 -j DROP
-A INPUT -p tcp -m tcp -i ppp+ --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp -i ppp+ --icmp-type 8 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i ppp1 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.5.0/255.255.255.0 -i ppp0 --dport 1723 -j ACCEPT
-A FORWARD -p gre -s 192.168.5.0/255.255.255.0 -i ppp0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Sun Aug 7 00:35:02 2011
# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*nat
:PREROUTING ACCEPT [14513:1101990]
:POSTROUTING ACCEPT [18:2069]
:OUTPUT ACCEPT [2186:142852]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
# Completed on Sun Aug 7 00:35:02 2011

Most of the actual creation was done via the webmin interface. The basics are:

1. For FORWARD we DENY by default and only allow specific traffic.
2. For INPUT we DENY by default and only allow certain traffic.
3. For OUTPUT we ACCEPT by default and do nothing to change that.
4. For the nat table we MASQUERADE ppp0.
5. miniupnpd will be used.

Starting from the AsteriskNow 1.7 CD image we built a router/gateway. One of the more complicated parts was the install of miniupnpd to handle UPnP and NAT-PMP. The project homepge is miniupnp.free.fr. As of this writing the current stable version is 1.6.

The INSTALL instruction file included in the tgz distribution is a very good start. You will need to install iptables-devel. According to the miniupnp.tuxfamily.org forums you may need to:

what you need to do is determine the exact version of iptables you have installed:

rpm -q iptables
rpm -q iptables-devel

Then download the source from netfilter.org, and copy the include/libiptc directory to your /usr/include/libiptc directory (create it if it’s not there)

The INSTALL notes will guide you through the little bit that needs to be configured fro interfaces and ports.

The forum discussion mentioned above also includes a replacement /etc/init.d/miniupnpd script for Red Hat/CentOS. This allows for start, stop and status in the same manner as other services. You may need to copy the netfilter/iptables_display.sh script to the /etc/miniupnpd folder.

use chkconfig --add miniupnpd to add to startup.

#!/bin/sh
#
# "$Id: miniupnpd.init.d.rhel,v 1.00 2008/10/25 03:16:12 pmcgee Exp $"
#
#   Startup/Shutdown/Restart script for miniupnpd daemon (init.d)
#   on Red Hat Enterprise Linux
#
#   Linux chkconfig stuff:
#
#   chkconfig: 2345 90 30
#   description: startup/shutdown/reset script for miniupnpd \
#                on Red Hat Enterprise Linux
#
#   processname: miniupnpd
#   pidfile:  /var/run/miniupnpd.pid
#   configpath: /etc/miniupnpd/
#   configfile: miniupnpd.conf

# Source function library.
. /etc/init.d/functions

# Include user config file if available
if [ -f /etc/sysconfig/miniupnpd ]; then
        . /etc/sysconfig/miniupnpd
fi

# assign default values if nothing specific in /etc/sysconfig/miniupnpd
prog=${BINARY-"miniupnpd"}
binpath=${BINPATH-"/usr/sbin/"}
pidfile=$"${PIDPATH-"/var/run/"}$prog.pid"
configpath=${CONFIGPATH-"/etc/miniupnpd/"}
configfile=${CONFIGFILE-"miniupnpd.conf"}
iptinit=${IPTABLES_INIT-"iptables_init.sh"}
iptrm=${IPTABLES_REMOVE-"iptables_removeall.sh"}
iptshow=${IPTABLES_SHOW-"iptables_display.sh"}

ARGS=$"-f $configpath$configfile"
PROG=$"$binpath$prog"
IPT_INIT=$"$configpath$iptinit"
IPT_DELE=$"$configpath$iptrm"
IPT_SHOW=$"$configpath$iptshow"
RETVAL=0

start() {
        echo -n $"Starting miniupnpd ($PROG): "
        $IPT_INIT > /dev/null 2>&1
        $PROG $ARGS && success || failure
        RETVAL=$?
        echo
}

stop() {
        echo -n $"Stopping miniupnpd ($PROG): "
        if [ -n "`pidfileofproc $PROG`" ] ; then
                killproc $PROG
        else
                failure $"Stopping miniupnpd ($PROG)"
        fi
        RETVAL=$?
        $IPT_DELE > /dev/null 2>&1
        echo
}

mystatus() {
        status $PROG
        RETVAL=$?
        echo
        echo -n "Dumping IPTABLES Information: "
        if [ -f $IPT_SHOW ]; then
                echo
                $IPT_SHOW
        else
                failure $"IP Tables display script not found"
        fi
        echo
}

# Parse CLI arguments
case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart|reload|force-reload)
                stop
                sleep 2
                start
                ;;
        status)
                mystatus
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|status}"
                RETVAL=1
esac

exit $RETVAL

After install we tested using a Transmission as the client. We also tested the resulting firewall against several online scanner with good results.

tftpd32 from http://tftpd32.jounin.net/ is a good option for setting up a tftp and dhcp server on windows for PXE boot.

You will need the pxelinux.0 and vesamenu.c32 files from the syslinux distribution. Editing the default file in the pxelinux.cfg folder will also be required.

A ssh server can be easily accomplished with cygwin using openssh server. Once you install the openssh(from Net group) and cygrunsrv(from Admin group) packages in cygwin you will need to run ssh-host-config. You can then use ‘net start sshd’ and ‘net stop sshd’.

In many cases a privilege separation user is useful but that is not always possible.

A nfs server can also be handled with cygwin. You will need the nfs-server(from Net group), sunrpc(from Libs group) and cygrunsrv(from Admin group). After installing you will need to run nfs-server-config.

/etc/hosts.allow and /etc/hosts.deny control access on a host level.

/etc/hosts.allow :
nfsd: 192.168.0.0/255.255.255.0

/etc/exports controls which folders to share.

/etc/exports :
/pub 192.168.0.0/255.255.255.0(ro, no_root_squash)

We created a link from our main tftpdboot folder to cygwin root for simplicity.

You can now ‘net start mountd’ and ‘net start nfsd’. This will automatically start the portmap service, also. ‘net stop portmap’ will stop all three services.

We suggest you set all of the cygwin services to Manual start to prevent starting unneeded services at Windows boot.

VBoxManage internalcommands createrawvmdk -filename -rawdisk /dev/sda -register

Can use the option below to restrict the access to specific partitions
-partitions #

Use the option below to install an alternate boot record for the vmdk
-mbr ./myBootRecord.mbr

There are several methods of creating the mbr file. One is
apt-get install
install-mbr --force myBootRecord.mbr

Do NOT boot the same partion in the VirtualBox as you are currently running.

You must be a member of the “disk” group for creation and access to the vmdk file.

http://www.virtualbox.org/wiki/Migrate_Windows – VirtualBox’s intsructions on converting a WinXP install to a virtual machine.

http://mesbalivernes.blogspot.com/2008/01/virtual-box-booting-from-existing.html – Blog entry describing Boot a physical WinXP install inside a VBox.

http://go2.wordpress.com/?id=725X1342&site=blarts.wordpress.com&url=http%3A%2F%2Fwww.virtualbox.org%2Fattachment%2Fwiki%2FMigrate_Windows%2FMergeIDE.zip – MergeIDE is require to prevent WinXP from halting on boot from hardware differences.