Installing Knoppix As A LAN Server
1. Introduction
Why this document?
Once upon a time I cofounded a company which had as its
mission to make a linux distribution targeted specifically
for small and medium businesses. These days I am not actively
involved in the company anymore, but I still like to configure
linux boxes, and I still do it as a side job to more
profitable consulting jobs in the macintosh world.
Scope
The scope of this document is to describe the process of installing a
knoppix distribution on a dedicated computer and configuring
various services on it. Along the way, choices will be made as to
what software to install and how to configure it. The goal is not
to describe all possible configurations, but just the configuration
which I think is best suited to do the job. You may dislike the
software I am choosing or the way it is set up, and you may even
try to convince me that doing something another way would be more
beneficial, but I will not change this document to try and describe
all possible configurations of all possible software. You will have
to write your own document on that.
Roadmap
There are still many things to do and the list will never
end. I am thinking of things I need, and things a Small
or Medium Enterprise may need. Currently, I think the
document describes most of the functionality commonly needed,
and I think if you go through it all you may have a clue
on expanding the functionality.
It is not currently a business plan, but I might consider
offering paid support for systems installed like this in
the future. I do this already for a small set of chosen
customers.
2. Why Knoppix?
Because I like it, mainly! Apparently I am not even alone. There
are a lot of people out there these days who have turned it into
their favourite distribution, and this for various reasons. The
main reasons, as I see them, are twofold.
Excellent Hardware Detection
Firstly, it has the most excellent hardware detection there is.
Usually, you can just download the cd and put it in your computer
and chances are high it will just work. That is an amazing feat.
Generally, people use it to just try out a linux distribution
without actually installing it, or to try out
new linux software that one is not just willing to install yet, like
a new linux kernel or a new kde or gnome distribution.
Debian Based
The second reason is that it is a debian distribution. Now, debian has
the name of being the geekiest of distributions, but this is mainly
because of the reputation of its installer. Debian, however, has one
of the nicest and historically oldest package management systems in
the linux world. It also has a very nice model of distributing the
software, in that it comes in three flavours: stable, unstable and
testing. The experience is, however, that even the testing
distribution does not give much trouble compared to what I used to
get when installing RedHat before up2date came around, and using the
stable and unstable distributions hardly ever gives any trouble at
all. Installing new software is almost always a one-command step.
New alternatives
Recently it has come to my attention that knoppix-like and sometimes
knoppix-based distributions are gaining momentum. Some of them might
be worth checking out, like Gnoppix and Ubuntu, but for now we'll
stick with what we know. Since October 15th, however, it seems these
two projects might merge into one. That's something to look forward to.
Links
3. Trying Out Knoppix
So, there we go. As mentioned before, the fun thing about Knoppix
is you can try it without installing it. So before you have
actually touched any sector on your hard disk you can get a full
usage demo of the server as it is going to be installed.
Downloading Knoppix
Downloading is not all that difficult: you just need a URL for an
iso image, and you download the iso image on your favourite machine.
As long as it has a cd burner in it, you are fine. You can find the
URL for the iso image on the knoppix website mentioned earlier. You
can download the most recent iso image, since knoppix does not
release that frequently, but if you plan on following the tutorial
it is good to know that it is mainly based on Knoppix 3.3, but has
also been known to work on Knoppix 3.2. Take an http link to a
mirror close to you, that generally works best. Don't take an rsync
link, unless you know what you are doing. Also check the md5 sum of
the downloaded iso; that can save you the trouble of burning invalid
disks.
I have yet to find a tutorial on burning iso images for various
platforms, but it should be easy. On windows, if you have Nero, you
can find a "Burn Image..." button in the File menu. On a Mac, you can
use the "Disk Copy" utility in the Utilities folder of your
Applications folder, drag and drop the iso onto the main window, then
select "Burn Image..." from the File menu. On MacOS X you can check
the md5sum by opening a terminal window, typing md5sum and a space,
then dragging and dropping the iso image onto the terminal window and
pressing enter. After a while you should see the calculated sum, and
it should correspond to the one you can find on the mirror you have
downloaded from. Keep in mind that a sum fetched from the same mirror
only catches a corrupt download; it is no protection against a
tampered mirror.
Booting Knoppix
Insert the cd you just burnt into your pc. After starting up, if
your bios is configured to boot first from cd and then from hard
disk, as most bioses are, you should be booting knoppix in no time.
If not, go into your bios and change the configuration. The initial
boot screen already features a graphical screen, and you are
prompted to type the boot image and parameters. Just press enter to
boot the default and you are fine. Knoppix starts booting and after
a short period of time, in which the hardware is detected, the X
server is started and KDE is initialized, you are presented with the
info pages in the default browser, Konqueror.
Figure 3.1: Initial Screen After Bootup
All hard disk partitions known to Knoppix are shown on the
desktop, even NTFS partitions. When clicking on them, they are
automatically mounted. You should be able to browse the
internet if you are on a network that has a dhcp server on it.
You should be able to use your mousewheel etc... all these
things that are sometimes so hard to configure in linux, right
there!
Using Knoppix
As promised, you can enjoy the full Knoppix distribution without
it even touching your hard disk. Granted, it is a bit slow, but
keep in mind you are running it from a CD.
Some of the nicer tools to play with:
| Tool | Description |
| OpenOffice | This office suite has charmed a lot of users, even so much that some governments are switching to it. I think the GUI is still a bit clumsy, though, especially compared to ubertools like vi. |
| The Gimp | A graphics editor like Photoshop, but cheaper. I use it, next to the infamous GraphicConverter which came registered with my Mac, to manipulate images, since I can and will not afford Photoshop. |
But that is just a small sample of the great long list of
software that comes on that cd you have in your computer. Go
ahead and try out anything you like, see if it is useable for
you.
Editing Text Files
One thing you will have to learn is to use a text editor
on linux, since editing text files, more specifically
configuration files, is one thing that we are going to do
frequently while installing our Knoppix box.
As always with linux, you have a variety of possibilities.
However, if you have used a text editor in linux before, chances
are that you already have a favourite text editor. If you
don't, I could recommend the nedit program, which is
like notepad on windows. You can find it in the KDE menu in the
toolbar, in the section "Editors".
Another thing which is still a bit unavoidable, even though we
will try to avoid it as much as possible, is going into the
command shell. You can do this by clicking on the shell icon in
the toolbar, that's the computer screen with a shell on top of
it. You get a command-line prompt. What you do next is type
"ne" and press the tab-key twice shortly after each other.
You get a list with all programs that are executable and that the
shell is currently able to find for you. Amongst them you see
nedit listed, and typing nedit and then enter will bring up the editor
in a new window. From there on, you can use it as if it was
like notepad.
Figure 3.2: Starting nedit
When Things Go Wrong
Well, I hate to admit it, but sometimes things do go wrong,
mainly in detecting your hardware, and that is when the linux
trouble could start for you. However, there is never a reason
to panic immediately, because there are still a lot of options
open even if everything does not work as it was described here.
Those options mainly exist in giving extra hints to knoppix when
it boots as to what kind of hardware it will encounter and what it
should or should not do with it. They are called Knoppix cheat
codes.
There is a
long list of knoppix cheat codes, and generally what you
can do is think about what is special about your hardware and
search the wide internet or just the knoppix forums,
using google for instance, to see if anyone has ever
encountered a similar problem, and what may be the cheat code
to use to tackle it.
Last time, and the only time, I had trouble running the Knoppix
cd, I figured it had to do with the hyper threading on the
new P4 box I had just bought from the hardware shop, maybe also
because I was using a SATA hard drive, both of which are rather
new technologies. Anyway, it was a neat new box,
and after a bit of searching I found
this link on the knoppix forum, which explained a lot to me. Not
that it solved all of my problems immediately, but it helped me
a lot. This just to say that since Knoppix became popular,
there is a lot of activity on the forum there and a lot of
information can be found.
But, as said, chances are high you won't be needing any of that.
4. Installing Knoppix
Since you got Knoppix to at least boot on your system, it should
not be too hard to get it onto your hard disk. After all, all
hardware was detected and that's usually the trickiest part
in installing any linux distribution. And then, most guys I
know seem to always go for the latest and greatest hardware,
which is really like begging for trouble.
For installing Knoppix onto your hard disk there is a tool available,
but unfortunately, at the time of writing it is still in heavy
development. It looks like it will one day be a promising tool,
but for now we will have to live with a couple of its
shortcomings and nuisances, from which I will try
to spare you.
Partitioning The Hard Disk
I am not going to give an extended list with things that go
wrong if you try to partition your hard disk from within the
installation program we will use later on, but believe
me: it is better to partition your hard disk(s) beforehand,
and save yourself a lot of trouble.
To do this, we will use fdisk. Granted, it is not the most
intuitive tool to do the job, and if you get by using qtparted
or cfdisk or anything else, fine for you, but I've found fdisk to
always work, while the others work most of the time.
What you need to figure out first is under which names your hard disks
have been detected. When the system boots up it holds a lot
of information in its
"kernel ring buffer", and from there you can find out
how your hard disks are named. You could just show the whole of
the kernel ring buffer using the dmesg command, but
since this usually also contains a lot of things we don't
want to read at the moment, we are going to filter a bit using
grep, so that we get only the information we are
interested in.
Code listing 4.1: Finding Out Where The Hard Disks Are |
knoppix@ttyp1[knoppix]$ dmesg | grep drive$
hda: Maxtor 51536H2, ATA DISK drive
hdb: WDC WD1200JB-00DUA3, ATA DISK drive
hdc: HITACHI GD-2000, ATAPI CD/DVD-ROM drive
knoppix@ttyp1[knoppix]$
|
There you are. In the example the Maxtor disk drive has been named
hda, the Western Digital one hdb and my cdrom drive has been
named hdc. This is directly related to whether the disks are
primary or secondary master or slave on your ide bus. Serial ATA disks
will usually get letters later in the alphabet.
Starting the fdisk program will now give us an interface to
remove and add partitions. I am not going to cover all of the usage
of the fdisk program. It is a menu based program with a very old style
user interface, but it will do the job. You don't have
to be afraid of doing any harm, since you should have no data to harm
on your hard disk, plus you have to tell the program explicitly
to write the partition table to disk before you exit fdisk or it
will not have written anything. That way you can always verify
your configuration before you do the final write.
Code listing 4.2: Starting fdisk |
knoppix@ttyp1[knoppix]$ sudo fdisk /dev/hda
|
There is an excellent tutorial on partitioning hard disks, including
discussions about how big your swap space should be and so on, on this
place: http://www.lissot.net/partition/. Especially chapter
five is a must-read if you feel unsure about this part.
As a small reminder you can use the following table to see what the
commands do. You will only need the commands listed here, though
the help command (m) will provide you with a longer list of commands.
| Command | What it does |
| n | Add a new partition. It will ask for a start cylinder and an end cylinder, but you can just accept the default start cylinder if you are creating the partitions in the correct order, and type +20000M for a partition of 20 gigabytes (20000 megabytes). |
| t | Change a partition's system id. You need a linux partition (83) and a linux swap partition (82), and maybe some more regular linux partitions for backup and data. |
| p | Print the partition table to verify the current table. What you see has not been written to disk yet, until the w command is executed. |
| w | Write out the partition table. |
| q | Quit. |
| m | Get help. |
For our home router, we will create three or four partitions:
- The boot partition, which will be our system partition. It should
be big enough to hold all software you will install on your system. Expect
to use about 3 Gigabyte of data if you want to install most of the commonly
used software from linux, but you could optimize that down of course.
For the installation of Knoppix 3.3, you need a primary partition of at least
about 3 Gigabytes before the configuration tool will allow you to start. Beware of
that!
- The data partition, which will be the partition that will hold most
of the data used by the applications. I.e. all of your web pages, all of the
files served on the filesystem, all of your mail, etc. should fit onto
this partition.
- The backup partition, which will be big enough to hold a full backup and
a slew of incremental backups. The size of incremental backups is hard to
predict, and depends on the amount of data changed, but guess on the safe side.
If you don't plan on installing a backup service, you don't need this of course.
- The swap partition. As a rule of thumb, make it as big as the memory you
have in your system.
After we have written out the partition table, we still have to activate the swap
partition, because of a bug in the installer. If we were to start the installer
now, we would be stuck in an infinite loop in the main menu, since it tries to
check for a swap partition and does not find it, and therefore decides that you
have not partitioned your hard drive yet. You can try it if you want, but we
will continue activating the swap partition.
Code listing 4.3: Activating The Swap Partition |
knoppix@ttyp1[knoppix]$ # /dev/hda3 being the swap partition you just created
knoppix@ttyp1[knoppix]$ sudo mkswap /dev/hda3
knoppix@ttyp1[knoppix]$ sudo swapon /dev/hda3
knoppix@ttyp1[knoppix]$
|
Now we should be able to start the knoppix installer. From the console you can
just type
Code listing 4.4: Starting The Knoppix Installer |
knoppix@ttyp1[knoppix]$ sudo knoppix-installer
knoppix@ttyp1[knoppix]$
|
And you should get a menu screen with five options that will guide you through
the installer.
Figure 4.1: Installer Startup Screen
Note:
If you only get two options in the menu, it means something went wrong with trying
to find the boot partition or the swap partition. This would be a bit of a pain,
since the installer program does not give you any feedback on what is wrong.
|
Choosing the "Configure Installation" item from the menu will go through a wizard
that will ask all of the necessary information required to perform the installation,
such as:
- The partition to install Knoppix to. This is the boot partition we just
created.
- Your full name.
- Your user name.
- Your user password.
- Your administration password. This is the root password for the installed
system.
- Your preferred hostname.
- Whether the boot loader needs to be installed on the Master Boot Record or
on the partition itself. We want to use the Master Boot Record, since no other
operating systems are installed on the hard disk.
- Choose your system type. There are two ways to install a knoppix system.
We want to install a debian style system. The alternative would be a knoppix
style system, in which the hardware is automatically detected on every startup.
Now we just start the installation and, after confirming some warnings, the installer
does its part, showing a long progress bar. We are ready to go and have a meal and
a beer.
When the installer is done, ideally, we would just have to reboot the system.
Warning:
Unfortunately, there is a bug in the installer when using a partition other
than /dev/hda1 for the root filesystem: the lilo configuration
has not been written out like it should have been. This is because
genliloconf crashes, so not everything works as it is supposed to. You
can verify that it crashed like this: normally you will see something like Segmentation
fault /usr/sbin/genliloconf and some extra parameters. No worries however, all
we have to do to correct this is the following.
|
Code listing 4.5: Fixing The Boot Loader |
knoppix@ttyp1[knoppix]$ sudo mount -t ext3 /dev/hdc1 /mnt/hdc1
knoppix@ttyp1[knoppix]$ sudo chroot /mnt/hdc1
root@ttyp1[/]# # inside the chroot we already are root, so no sudo is needed
root@ttyp1[/]# # write to a new file first: redirecting straight back onto
root@ttyp1[/]# # /etc/lilo.conf would truncate it before sed gets to read it
root@ttyp1[/]# sed 's/\/dev\/hda$/\/dev\/hdc/g' /etc/lilo.conf > /etc/lilo.conf.new
root@ttyp1[/]# mv /etc/lilo.conf.new /etc/lilo.conf
root@ttyp1[/]# /sbin/lilo
root@ttyp1[/]# exit
knoppix@ttyp1[knoppix]$
|
At the end of the installation the system prompts to write a floppy with the existing
configuration, which we just say no to, and a message saying that the installation
was successful. Don't worry if you see some errors on the console, the knoppix-installer
script is still not bugfree, and I don't think many of these matter (screendump from my
system).
Booting The System
Now that the system has been installed we can safely reboot it. Just pressing
control-alt-delete will log off the knoppix user and restart after ejecting the cd tray.
Or try typing sudo shutdown -r 0 in a console
window. Don't forget to take out the Knoppix CD; you won't need it anymore, so you
can safely add it to the big black box of old CDs in the attic.
5. Logging on
User or root?
I will assume that you are logged on as a normal user and need specific root
access for doing special commands that change the way your system behaves.
This is generally good practice. It will also show clearly which commands
need root privilege, since they will be prepended with the sudo command.
The sudo command allows normal users to execute a command as the privileged
root user.
First time log on
When the system is rebooted you will see that you can log in with the username and
password you gave in the installation configuration. The first time around the system
will ask you for some defaults, which you can set to your liking. In screenshots
and descriptions I will assume you have chosen the defaults.
It is recommended to check if
everything has been installed as we wanted it to. One of the things we can check
immediately is to see if everything has been mounted correctly. Again from the
console
Code listing 5.1: Checking The Mounted Filesystems |
kristof@knoppixbox:~/$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda1 9.2G 2.5G 6.3G 29% /
/dev/root.old 2.2M 341K 1.8M 16% /initrd
kristof@knoppixbox:~/$
|
The fact that the root.old partition is mounted is nothing to be worried about
and is a consequence of the boot sequence as done by Knoppix.
6. Configuring The Network
The configuration file
After you have installed knoppix to your hard disk, the network autodetection
has been disabled. This is because we chose to install a debian style
system. So now we will need to do the configuration manually.
The configuration file that controls how the network is handled is
/etc/network/interfaces, so we are going to edit this file.
This is how the file should look in our setup of the box with two
network cards.
Code listing 6.1: /etc/network/interfaces file |
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
# automatically added when upgrading
auto lo eth0 eth1
iface lo inet loopback
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
iface eth0 inet dhcp
|
This file says we have automatically configured interfaces for the
loopback (lo), eth0 and eth1 interfaces. loopback is a virtual network
interface, used by some programs to connect to the local computer.
Hence its name. eth0 and eth1 are the real network interfaces
in your computer. eth1 is the one we will assume is connected to your local
network and eth0 is the one that will be connected to the internet. This
choice is rather arbitrary and could be vice versa, but for the
rest of this document we will assume you have configured everything like this.
The interface eth1 is configured as a static network interface, which means
it will never change its ip address. You are allowed to choose an ip
address here, since it will not be used anywhere else but on your local
network, but for safety reasons it is best if you use an address in one
of the reserved ranges, which are listed below.
| First address | Last address | Description |
| 10.0.0.0 | 10.255.255.255 | Any address 10.x.x.x |
| 172.16.0.0 | 172.31.255.255 | Any address 172.16.x.x to 172.31.x.x |
| 192.168.0.0 | 192.168.255.255 | Any address like 192.168.x.x |
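As an added example that is not part of the original tutorial, the following POSIX shell script checks an /etc/network/interfaces file for exactly this rule: every interface configured with "inet static" must carry an address from one of the three reserved ranges in the table. The interfaces text embedded in it is a constructed copy of the two-card setup above; the INTERFACES_FILE variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Checks that every
# "iface ... inet static" stanza in an /etc/network/interfaces file uses
# an address from the reserved private ranges 10/8, 172.16/12 or 192.168/16.
# Run with INTERFACES_FILE=/etc/network/interfaces to check a real box;
# without it, the constructed sample below (listing 6.1) is checked.

# Return 0 (true) if the dotted quad $1 lies in a reserved private range.
is_private_ip() {
    # Split the address on dots into the positional parameters $1..$4.
    IFS=.
    set -- $1
    unset IFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    # 10.0.0.0 - 10.255.255.255
    [ "$1" -eq 10 ] && return 0
    # 172.16.0.0 - 172.31.255.255
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    # 192.168.0.0 - 192.168.255.255
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Read an interfaces file on stdin and print "<iface> <address>" for every
# interface configured with "inet static" (dhcp and loopback stanzas are skipped).
static_addresses() {
    awk '
        $1 == "iface" { iface = ($4 == "static") ? $2 : "" }
        $1 == "address" && iface != "" { print iface, $2 }
    '
}

# Read an interfaces file on stdin, report each static address and return 1
# if any of them is outside the reserved ranges.
check_interfaces() {
    bad=0
    # Each pair is joined with "=" so the for loop sees one word per interface.
    for pair in $(static_addresses | tr ' ' '='); do
        iface=${pair%%=*}
        addr=${pair#*=}
        if is_private_ip "$addr"; then
            echo "$iface: $addr is in a reserved private range (ok)"
        else
            echo "$iface: $addr is NOT in a reserved private range"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample mirroring the two-card setup of listing 6.1.
SAMPLE_INTERFACES='auto lo eth0 eth1
iface lo inet loopback
iface eth1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
iface eth0 inet dhcp'

if [ -n "${INTERFACES_FILE:-}" ]; then
    check_interfaces < "$INTERFACES_FILE"
else
    printf '%s\n' "$SAMPLE_INTERFACES" | check_interfaces
fi
```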
The interface eth0 is configured as a dhcp client interface, which may
not be appropriate for your configuration, since it depends on the
upstream Internet Service Provider, and mine delivers dhcp addresses.
Other options usually are dialup kinds and network configuration there
is different. However, sometimes you can buy routers that dial up for
you and provide you a dhcp address anyway, so in case you have one like
this, this configuration may be still valid in your situation. If not,
you are at the moment, on your own. Sorry, but I have to limit the
scope for now ;-)
Verifying the network interface configuration
Afterwards, we can test the configuration by typing the following set
of commands:
Code listing 6.2: Bringing up the interfaces |
kristof@knoppixbox:~/$ sudo ifup eth0
kristof@knoppixbox:~/$ sudo ifup eth1
kristof@knoppixbox:~/$ ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:05:C3:FF:0E
inet addr:10.0.1.3 Bcast:255.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:40495 errors:0 dropped:107 overruns:0 frame:12
TX packets:30324 errors:0 dropped:0 overruns:0 carrier:0
collisions:1338 txqueuelen:100
RX bytes:21385539 (20.3 MiB) TX bytes:4947621 (4.7 MiB)
Interrupt:12 Base address:0xc000
eth1 Link encap:Ethernet HWaddr 00:D0:09:5F:7E:83
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13509602 errors:301 dropped:16108 overruns:261 frame:0
TX packets:12756299 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:783185984 (746.9 MiB) TX bytes:3534492144 (3.2 GiB)
Interrupt:11 Base address:0x5000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2171 errors:0 dropped:0 overruns:0 frame:0
TX packets:2171 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12300096 (11.7 MiB) TX bytes:12300096 (11.7 MiB)
|
This could be enough to get you going if your ISP gives you a name
server via dhcp, but some don't. Then you need to additionally add
your nameserver into the nameserver configuration file,
/etc/resolv.conf, so that it
contains the single line nameserver 195.130.132.17 or whatever
ip address your ISP provides you with. The command to do this is
sudo nedit /etc/resolv.conf. There will be more details about
this in the dns section, but you need
to get your network going at this stage in order to install some
of the tools we'll need in the following sections.
Proxy Servers
Some providers want all traffic to go through their proxy servers,
in order to provide some "content caching". Of course, in the
mean time it is easier for them to watch what you are doing, but
anyway.
When you need to set a proxy server, you have to influence the
environment variable that most tools look at. What you need
to do is execute the following command.
Code listing 6.3: Setting a proxy server |
kristof@knoppixbox:~/$ export http_proxy="http://proxy.servers.com:8080/"
kristof@knoppixbox:~/$ echo $http_proxy
http://proxy.servers.com:8080/
|
Of course, setting this all the time becomes a nuisance in no time,
so we should be able to set it in one place. What you can do is
add this command to the end of the file /etc/profile,
and you should get the same effect without issuing
the command every time.
Troubleshooting
Again, I hate to admit it, but sometimes things
go wrong. Generally, it is not a problem
to fix them. What you need to figure out is the source of the problem,
and this requires a little networking knowledge. However, some things
are easily verifiable, and a small checklist is provided here:
- Check if all network interfaces are up, using ifconfig.
If they are up, you can start pinging. In case you got an
ip address via a DHCP server, you can be happy with that
part already, you got an IP address and the connection to your
upstream provider is probably ok.
- Can you connect to your upstream provider? You can first start
pinging the IP addresses of servers like your name server. If this
ping is ok, you can assume the network is ok. Is your nameserver
filled in in /etc/resolv.conf, like it should be?
Then you can try and ping your nameserver, or any other address
that responds to ping (most website addresses do), to check
if name resolution works.
Code listing 6.4: Successful ping to name server |
kristof@knoppixbox:~# cat /etc/resolv.conf
nameserver 195.130.130.130
nameserver 195.130.131.2
search pandora.be
kristof@knoppixbox:~# ping -c 5 195.130.131.2
PING 195.130.131.2 (195.130.131.2): 56 data bytes
64 bytes from 195.130.131.2: icmp_seq=0 ttl=60 time=13.3 ms
64 bytes from 195.130.131.2: icmp_seq=1 ttl=60 time=18.4 ms
64 bytes from 195.130.131.2: icmp_seq=2 ttl=60 time=18.3 ms
64 bytes from 195.130.131.2: icmp_seq=3 ttl=60 time=17.3 ms
64 bytes from 195.130.131.2: icmp_seq=4 ttl=60 time=15.4 ms
--- 195.130.131.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 13.3/16.5/18.4 ms
kristof@knoppixbox:~#
|
- If you got this far, you should be able to surf the internet. Take Konqueror for
a spin and check it out. While you're at it, maybe something new is on Slashdot?
If you can't get there, don't forget some providers have a proxy server to be
configured in the browser, and not all browsers pick up the environment variable.
7. Configuring the Package Manager
The configuration of the sources
Note:
I still need to devote a section to configuring sudo. It seems knoppix
comes with a version of the /etc/sudoers file that does
not allow any user to issue a sudo. If you have trouble using sudo,
just log in as root for the commands you wish to do as super user.
|
Debian comes with a very nice package update tool. What this means is that
for each package in debian someone is responsible for making sure it is
packaged in such a way that it is readily installable in three different
flavors: stable, testing and unstable.
To get to those packages, you can use a bunch of mirrors. Knoppix comes
with a list of mirrors, but Knoppix decided
to include a bunch of mirrors that don't seem so stable. So, what we
should be doing is try to stick with the official debian mirrors. They
are hardly ever down and will cover most of the software available in
the Free Software World.
This list can be found on your system in /etc/apt/sources.list
and needs to be updated from the command line. You need to edit this file
and comment out any line not pointing to a debian.org mirror, or at least
that is the safest. You do this by making sure the lines that we don't
need are commented out, i.e. start with a
hash-sign (#). Just keep the lines for debian stable and debian testing,
that are the only ones you will need.
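As an added example (not the tutorial's own code), here is a POSIX shell script that does the sources.list cleanup described above mechanically: every deb or deb-src line whose host is not under debian.org, or whose distribution is neither stable nor testing, gets a hash-sign in front of it, and everything else passes through unchanged. The sample file it reads is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Rewrites an
# /etc/apt/sources.list so that only deb/deb-src lines pointing at an
# official debian.org mirror for stable or testing stay active; every
# other package line is commented out with a leading hash-sign.
# Typical use (after making a backup of the real file):
#   sanitize_sources < /etc/apt/sources.list > sources.list.new

# Read a sources.list on stdin and write the sanitised version to stdout.
sanitize_sources() {
    awk '
        # Blank lines and lines that are already comments pass through.
        NF == 0 || $1 ~ /^#/ { print; next }
        # Package lines look like: deb|deb-src <uri> <distribution> <components...>
        $1 == "deb" || $1 == "deb-src" {
            host = $2
            sub(/^[a-z]+:\/\//, "", host)     # drop the scheme (http://, ftp://)
            sub(/\/.*$/, "", host)            # drop the path
            sub(/:.*$/, "", host)             # drop a port number
            # Anchored suffix match: "ftp.debian.org" qualifies,
            # "debian.org.example.com" does not.
            official = (host == "debian.org" || host ~ /\.debian\.org$/)
            # stable and testing, plus "stable/updates", which is the
            # security feed for stable on security.debian.org.
            wanted = ($3 ~ /^(stable|testing)(\/updates)?$/)
            if (official && wanted) { print; next }
            print "# " $0
            next
        }
        # Anything else (e.g. unknown directives) is left untouched.
        { print }
    '
}

# Number of package lines that stay active after sanitising (stdin).
count_active() {
    sanitize_sources | grep -c '^deb'
}

# Constructed sample: two official stable/testing mirrors, one unstable
# line, two third-party mirrors and the security feed.
SAMPLE_SOURCES='# /etc/apt/sources.list (constructed sample)
deb http://ftp.de.debian.org/debian stable main contrib non-free
deb http://ftp.de.debian.org/debian testing main contrib non-free
deb http://ftp.debian.org/debian unstable main

deb http://mirror.example.net/debian testing main
deb ftp://knoppix.example.org/debian stable main
deb-src http://security.debian.org/ stable/updates main'

printf '%s\n' "$SAMPLE_SOURCES" | sanitize_sources
```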
Then, typing sudo apt-get update will connect to the mirrors and download
the information about the packages available there to your system. This is
an operation that is best done before any installation of software. Now
for the tricky bit: sudo apt-get upgrade will make sure your debian
installation is up to date with all of the existing packages.
This will all take some time and some packages will interactively prompt
you for some settings, but this should all be rather straightforward.
Installing a package
Well, why not try to install a package? Especially since lately
we don't seem to have the SSL libraries we need to install webmin properly,
this section is a good place to learn how to install these via the package
management system. Should you skip this stage, you would find that the
next section gives you a warning about ssleay libraries gone missing,
and webmin would be started on a normal http port instead of the https
port we want it on.
So, what we will do is search the
Debian packages website for the ssleay library, and we end up at
http://packages.debian.org/cgi-bin/search_packages.pl?keywords=ssleay&searchon=names&subword=1&version=stable&release=all.
There are three choices, so it would seem we have to make a choice.
You can browse the website further to find out what is in the packages,
which packages are available for your architecture, and short descriptions
about what they do, the known bugs, etc... It turns out we need to install
libnet-ssleay-perl, to get webmin to work properly, so that's what we'll
do.
To install a package, you need superuser privileges, so you should prepend
the apt-get command with sudo.
Code listing 7.1: Installing libnet-ssleay-perl |
kristof@knoppixbox:~/$ sudo apt-get install libnet-ssleay-perl
|
The package manager warns how many packages will be removed, how many
will be upgraded and how many will be installed. If the package you
are installing needs other non installed packages, you will see them
appear in this list.
That's all there is to it, really. You can install the latest version
of kde if you want, but I would not just do that. You see, sometimes
things do go wrong.
Troubleshooting
Well, you know by now how I hate to admit it, but sometimes... yep, things
do go wrong. For instance, in the DNS section later on, you will find things
went wrong at the time I wrote the section, and I had to do a manual installation
of a package. Not so good.
Not as bad as
this guy though, who seemed to have nearly everything going against him.
You have to be good though to fuck things up, but I've done it at least once.
His advice is to never ever have testing in your sources list, but I've
tried that and you soon miss a couple of packages you really really want to
install. So, my advice is to be conservative as to what packages you install,
and use this Knoppix as a base for all the packages you don't have to get
from the internet.
One thing I encountered once though, is this:
Code listing 7.2: When apt-get just does not cut it |
kristof@knoppixbox:/etc# sudo apt-get install resolvconf
Reading Package Lists... Done
Building Dependency Tree... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
Since you only requested a single operation it is extremely likely that
the package is simply not installable and a bug report against
that package should be filed.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
resolvconf: Depends: initscripts (>= 2.85-15) but it is not going to be installed
E: Broken packages
|
You have to admit it, it's not such a bad error message. It is extremely
likely that the package is simply not installable and a bug report against
that package should be filed. How's that for a mea culpa?
Ok, things went wrong, but we need to continue, so what did I do?
I downloaded the deb
package from the debian website manually. Like this:
Code listing 7.3: Installing a dpkg manually |
kristof@knoppixbox:/home/kristof/download# sudo dpkg --unpack resolvconf_1.21_all.deb
(Reading database ... 110800 files and directories currently installed.)
Unpacking resolvconf (from resolvconf_1.21_all.deb) ...
kristof@knoppixbox:/home/kristof/download# sudo dpkg --force-depends --configure resolvconf
dpkg: resolvconf: dependency problems, but configuring anyway as you request:
resolvconf depends on initscripts (>= 2.85-15); however:
Package initscripts is not installed.
Setting up resolvconf (1.21) ...
mkdir: created directory `/etc/resolvconf/run'
mkdir: created directory `/etc/resolvconf/run/interface'
|
This then asks about whether or not to add the old resolv.conf file to the
new dynamic configuration, to which we can reply "No".
Figure 7.1: Configuration question of the resolvconf package
And guess what? That does it too... it's not orthodox, as can be seen from
the --force-depends parameter, which basically just tells dpkg
to go on, no matter what dependency criteria are not resolved. Not to
be repeated often!
8. Installing Webmin and Usermin
Installing webmin is a separate chapter because it really is a bit
of a pain in the butt. I don't know why, but for some reason webmin
has been split up into several debian packages, and I have never once
been able to use it the way I think it is supposed to be used.
Upgrade functionality seems to be broken, the user interface does not
look as nice as after a default install from the website, etc etc...
In short, I've given up on the debian packages of the webmin interface.
So, for now, let's just download and install webmin from the website,
it's pretty easy anyway. Your ISP might expect you to set a proxy,
like mine, but in case it doesn't you can skip the first line. The
wget command uses a URL that may be wrong by the time you read this,
but you can easily find another location for the tar.gz file on
the webmin site, www.webmin.com, in the download
section. You need the URL of the archive closest to you. For
me that was a URL pointing to the belnet mirror in Belgium, for
you that may differ.
Code listing 8.1: Installing webmin |
kristof@knoppixbox:~/$ wget http://belnet.dl.sourceforge.net/sourceforge/webadmin/webmin-1.130.tar.gz
kristof@knoppixbox:~/$ tar xvfz webmin-1.130.tar.gz
kristof@knoppixbox:~/$ cd webmin-1.130
kristof@knoppixbox:~/webmin-1.130$ sudo ./setup.sh /usr/local/webmin
kristof@knoppixbox:~/webmin-1.130$ cd ..
kristof@knoppixbox:~/$ rm -rf webmin-1.130
kristof@knoppixbox:~/$ rm webmin-1.130.tar.gz
|
The setup command will take you through a good number of
configuration options, but all the options have a very good guess
at the default you would want, and thus can be readily accepted
by just pressing return. As for the operating system type, you
have a Debian Linux system (option 6) and the version is Debian
Linux 3.0 (option 5). As a password you can use the same password
as the root user, since using the webmin interface will give you
the same privileges anyway.
Afterwards, we remove the downloaded archive and the installation directory.
Got there? From now on, we will be using mostly webmin to configure
the server, since it is way easier to do than using the command line
interface. Or, that's what I want you to think, because maybe it's
just easier for me to explain to you what to do, of course.
Warning:
Update: Since Knoppix 3.3 the error appeared that the Perl ssleay
library is not installed. As a consequence, webmin runs over
plain http instead of https. If you took a look at the previous
section you saw a workaround for this: installing the needed
libraries on the command line.
|
Let's test this. You provided an admin password when the setup
was run, right? So, we should be able to connect to it using our
web browser and play around with it already. Let's see. Take your
Konqueror browser on the knoppixbox and point it to https://127.0.0.1:10000/.
Make sure that you have set up the proxy configuration of your
browser so that it does not go over a proxy for this local address.
This will pop up the certificate warning that the authenticity
of the server's certificate cannot be verified. This is because
webmin uses a self-signed certificate, which is generated on your
server and belongs to your server. Signing it by a trusted authority
will cost you money and is not necessary under this configuration. So,
we accept this certificate.
After logging in with admin as the username and the correct password,
we are in. First off, it may be
interesting to change the IP Access Control setting to
Only allow from listed addresses, and make sure the list
is our local network, 192.168.1.0. You can find the IP Access
Control setting in the Webmin main menu, subsection
Webmin Configuration.
We can check the configuration of the network, as we configured
it in one of the previous chapters. Going to the Networking section,
Network Configuration -> Network Interfaces, we can
verify the Interfaces Active Now and the Interfaces
Activated at Boot Time. You should see that when browsing around
on the interfaces activated at boot time, it is essentially laying
out the configuration file we entered in the last chapter for you.
At the same time it also provides a nice interface for changing this
configuration file, without any further need to use any text
editor, and without even being at the computer itself.
Figure 8.1: Viewing the Network Configuration using Webmin
Installing Usermin
Absolutely the same process will get us to install usermin. The
link we need now is http://www.usermin.com/ and from
there we can go through the similar setup, just substituting
/usr/local/webmin/ with /usr/local/usermin/,
and webmin with usermin where necessary.
All we need to do now is to make sure usermin starts at boot time. All
this can be done from the webmin interface. See the next section for
that.
Configuring Webmin and Usermin
To start up Usermin, you can go to the Webmin interface, and
check the Usermin configuration in the section Webmin -> Usermin
Configuration, and at the bottom you should see buttons to
change the settings to start Usermin at boot time, and also
a button to immediately start it.
Figure 8.2: Starting Usermin at Bootup and Immediately
Now, we should be able to connect to the same URL, except on
a different port, to connect to usermin. Take Konqueror to
https://127.0.0.1:20000/ and log on as your normal unprivileged
user. You can look around the interface and see what can be
done. That's quite a lot, but we won't need it all.
From now on, I will not talk about URLs anymore to refer to
the Webmin or the Usermin interface, since you should know them.
Once you have your local network running you will be able to
connect to it from anywhere on your local network, or, if
you configure webmin like that, from anywhere on the internet.
Configuring Webmin and Usermin
You will have to admit to it that there are way too many
modules available. You have three mailservers, you have
two types of databases, you have things that are out of
our scope, like clusters of Webmin boxes etc...
Luckily, you can show or hide the modules to your Webmin
administrators. That's right, you can have various administrators
too. Let's just keep to one for now though. In the Webmin section,
in the Webmin Users section you can edit what modules the admin
user is allowed to see. Mine are set like this.
Another thing you may like to change is the network on which
webmin is reachable. To me, it sounds like a good idea to
just enable Webmin and Usermin on the local network, even without
taking into consideration the firewall we will install later on.
You do this by going to the Webmin -> Webmin Configuration -> IP Access Control
panel. My configuration is to allow
only from the local network.
Installing a Package using Webmin or Usermin
In the System section you will find a Software Packages entry which also allows
for installation of debian packages. This will work, provided there is no
input required from the user. However, it is never certain whether input will be
needed or not, so I would advise to always use the way described in the package
manager section to install a package.
For the remainder of this document we will just refer to installing a package
as using sudo apt-get install ... from the command line.
9. Installing ShoreWall Firewall
Why Shorewall
If you are a hardcore linux geek you don't need a user
interface for your firewall. After all, all can be done
with some iptables hacking, and it's a lot more
flexible.
But we want a knoppix installation for non linux geeks, don't
we? Shorewall is the nicest firewall product I could find and
it has a brilliant Webmin module, which is all we need and more.
The documentation on the website is brilliant and the product
is regularly maintained. Maybe too regularly: I had to do
several updates on this chapter already because of updates
on the software. Don't worry though: minor updates.
Installation and Configuration
Since we know how to install a package, installing the shorewall
package should be a straightforward process.
From the webmin interface we can now configure shorewall. In the
networking group, we find an entry for shorewall. If we go through
the panels from left to right, top to bottom, we go through them in the most
natural way possible, defining the basic things first and refining
the settings as we go.
First item on the list is Network Zones. Here we can safely delete
the dmz entry, we are not going to install a dmz anyway. A
demilitarized zone, stupid. Don't know about them? You
don't need them in a simple setup, sweetie.
Then, we can define the Network Interfaces. We have two interfaces,
one of which will be connected to the internet and one of which will
serve the local network. We accept all defaults, except for dhcp,
which we select for each interface, as one will serve as a dhcp server
and the other will act as a dhcp client. Both cases need the option
selected.
Figure 9.1: The first network interface configuration in shorewall
Checking the Default Policies, one can see that the default
policy is what you would like and expect: allow everything from your
local network to the internet, disallow (DROP) anything in the other
direction. Sounds safe enough hey?
We need to at least add one firewall rule, i.e., one that will
allow us to use the webmin interface. Otherwise, we will
simply lock ourselves out after enabling the firewall. So we
add a rule, to ACCEPT any traffic from Any zone (Source zone)
to the firewall (Destination zone or port) with Protocol being
TCP and Destination port being 10000 (select both the
radiobutton and enter the destination port), and there we are.
Figure 9.2: The rule to allow webmin traffic to the box
We are going to leave the Types Of Service for what they are,
there are some default values there, but they won't bother us.
Straight on to Masquerading. There is a default rule there,
you can just change it and leave most of the defaults, except
that the Outgoing interface is eth0 and the Network to
masquerade is the subnet on interface eth1.
Figure 9.3: Rules to enable masquerading
When the firewall is stopped, the default behaviour is to
disallow everything. That would mean we need to hook up a
screen to our knoppix box whenever we want to stop the
firewall, a situation we will try to avoid as much as
possible. Especially since once in a while it might come in
handy to stop the firewall, just to see if something is being
blocked by it or not. Therefore, we define that the interface
eth1 is still allowed to be connected to by adding this to the
configuration for Edit Stopped Addresses in the When
Stopped (routestopped) section.
Figure 9.4: The configuration for when the firewall is stopped
The other categories, Proxy Arp, Static NAT, VPN Tunnels, Zone Hosts
and Blacklist Hosts, we are going to leave set to their
defaults. They are advanced settings which are not needed in
the scope of this document.
Change /etc/default/shorewall to have start=1
instead of start=0, since we want to start the firewall when
the machine is booted.
One more thing is still necessary
since the debian package sets default masquerading behaviour
to keep whatever masquerading state is already present, but we
always want to enable masquerading. Therefore, change the
value for IP_FORWARDING to "On" instead of "Keep" in
/etc/shorewall/shorewall.conf.
That is basically it. We should be ready to start the firewall.
Press the button in the shorewall configuration window, and see... we
have got our firewall running. Don't believe me? You're right, test
it first, I like that mentality.
Testing the Firewall
Well, go and try to surf the web the
way you used to. It should be unable to connect. The firewall is REJECTing
all packets, because we are on the firewall, connecting to the
internet, and the default policy is to REJECT all packets there, as
can be deduced from the Default Policies list. As we're not in the Source
Zone "loc" or "net", we fall back to the "any" source zone, which has
as a rule to REJECT all traffic to any destination zone.
Let's enable it.
Let's add a Firewall Rule to ACCEPT all the traffic from the
<Firewall> with destination port 80 (or destination port 8080 if you
use a proxy), add a firewall rule to enable DNS traffic to your
nameserver from the firewall (port 53), and then...
We "Apply the configuration", and after the shorewall firewall is
restarted we are ready. We should be able to surf the internet
again from the firewall.
There is more...
It's beyond the scope to describe all
possible configuration decisions that can be made for your
firewall. For now,
we will just leave this default setup
and refine every setting as we go through this document.
One nice side effect of the configuration of this firewall is
that now, you can configure a client on the intranet side of
your firewall and start surfing on the clients. Further details
on configuring the client will be given in the DNS and DHCP sections
that are described next, so maybe it's better to wait with that
test.
10. DNS
Introduction
There are two possibilities to get the name resolution going on the
clients. We could set up every client to use the name server of our
service provider. This would mean that the firewall is configured
in such a way that it allows dns traffic to pass. This is a valid
approach, but has some disadvantages. When there are multiple clients
some programs will sometimes query the dns server for a reverse
lookup. It could then happen that they ask your ISP's name server
something like "what is the name of the server with IP address
192.168.1.5", which is a computer on your local network. The DNS
server does not know about this address, and will usually not
respond.
DNSMasq
A better approach is to install a little program that forwards DNS
queries to your ISP but is intelligent enough to know which
IP addresses not to forward to your ISP. One such program
is dnsmasq. On top of its forwarding it also caches the
responses for the clients, thus lowering the traffic to your
outside network.
Installing it is a straightforward package install of the
dnsmasq package. This will also remove bind, which is a full fledged
dns server, but way over the top for our project.
Configuring DNSMasq
There is not much to configure about dnsmasq, but some things need
to be done nonetheless.
First, we don't want dnsmasq to be listening on both network
interfaces; it should only serve our intranet, not the internet.
So, we uncomment the line in the /etc/dnsmasq.conf
file, so that it says interface=eth1.
So, how will this thing work? You get your nameservers from your
ISP, in our setup via a DHCP client interface to the internet.
This is handled by a DHCP client program called pump. This
will update the nameserver list in /etc/resolv.conf
and your computer can do name resolving of every address on the
internet.
But, what we want is for this computer to also do name resolving
for the intranet via the dnsmasq cache. So, what we need is a static
entry in the /etc/resolv.conf file pointing to this
computer, and this computer only. As a consequence, this setup
conflicts with pump trying to change the /etc/resolv.conf
file. What to do?
Actually, this situation is common and there is a solution for it
in a little program called resolvconf. Installing
it will make both pump and dnsmasq behave a little
differently and update the /etc/resolv.conf file in a
way that they cooperate instead of conflict.
So, installing this resolvconf package will do.
Unfortunately, at the time of writing, installing this package was
not easy because of a bug in the package, and the troubleshooting
section of the Configuring the Package Manager section was written
for this specific case. It's not that hard, but it's a bit of
a stain on the carpet, I must admit. Go for it, though!
Afterwards, we can just start dnsmasq by typing the command
/etc/init.d/dnsmasq start.
Firewall Configuration
All DNS traffic runs on port 53. You need to make sure that
the firewall can connect to the nameservers of your ISP, so that dnsmasq
can do its lookups when a new request is served from the intranet or from
the knoppixbox itself. For the intranet to be able to connect to DNSMasq, you
need to make sure there is a rule that allows connection from the intranet
to the firewall on port 53 too. Mind you, DNS uses both TCP and UDP to
connect to a nameserver, so you should enable both. That should be all.
For clarity, here's the table for your firewall:

Action  Source      Destination  Protocol  Source ports  Destination ports
Accept  Firewall    Zone Net     TCP       Any           53
Accept  Firewall    Zone Net     UDP       Any           53
Accept  Zone Local  Firewall     TCP       Any           53
Accept  Zone Local  Firewall     UDP       Any           53
11. DHCP server
Configuring the DHCP server
Having a dhcp server is once again not The Only Way. We could
easily set up the local network with only devices with static
IP addresses. This, however, would have the disadvantage that
you will need to add some information to the configuration
files of the Knoppix server, like the name of the client and
the IP address for instance, for every computer on your local
subnet. Using a DHCP server is an easy way for the server to
know about all the clients it is providing services for
without too much effort: they have all requested an IP address
and have to do so, so the server knows about them.
The dhcp server comes preinstalled with your Knoppix distribution,
it just needs configuration. Unfortunately, webmin is not totally
compatible with the dhcp server, as it still expects an older
version of the dhcp server. Therefore we would do better
tweaking the configuration file by hand. It is located at
/etc/dhcp3/dhcpd.conf and it should look like this:
Code listing 11.1: dhcpd.conf file |
ddns-update-style none;
option domain-name "pandora.be";
option domain-name-servers 192.168.1.1;
default-lease-time 3600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.5 192.168.1.20;
option routers 192.168.1.1;
}
log-facility local7;
|
This is the configuration file assuming your host is
at IP address 192.168.1.1, and with a range for 5 client IP
addresses. Most options should be equal to the default and
pretty self explanatory. Every client will get the lease
saying that the name server is the Knoppix box.
The ddns-update-style should be set to none because
we do not use a dns server that supports this anyway. Dnsmasq
has its own way of finding out what IP addresses are on your
local network by interpreting the leases file. We do, however,
still need to update the /etc/dnsmasq.conf file,
because it expects a different place for the leases file than
the one dhcpd3 uses. So,
you need to change the line in /etc/dnsmasq.conf from
dhcp-leasefile=/var/lib/dhcp/dhcpd.leases to
dhcp-leasefile=/var/lib/dhcp3/dhcpd.leases.
The domain-name is not really that important, but I think it makes
sense to just use the ISP's domain name, in my case pandora.be.
I have made the lease times a bit higher than they are by default,
because I thought that requesting a new DHCP lease every other minute
or so was useless and only polluted the log files with loads
of useless information.
The domain-name-servers directive tells the clients that they should
use this server as a Nameserver. This is because we set up the
DNSMasq program in the previous section.
The subnet section basically tells about the network our box is
routing for, and the range of dhcp addresses to hand out. The
option routers makes sure that every dhcp client uses the
router as a gateway. In normal language: whenever a client does
not know where to send its IP traffic, it sends it to the
gateway, the knoppixbox, which does know where to send
the traffic.
Make sure to change /etc/default/dhcp3-server so that
it says INTERFACES="eth1", which makes sure the dhcpd server
only listens on the intranet interface. Also issue the following
command: update-rc.d dhcp3-server defaults, which adds the
dhcp server to the bootup sequence and makes sure we get the dhcp
server running again after a reboot.
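A consistency check for the dhcpd.conf of code listing 11.1, added here as an example and not taken from the original document. It parses the subnet, range, routers and domain-name-servers statements and verifies that they agree with each other; it assumes a single subnet block and one address per routers and domain-name-servers statement, and the sample file it checks is a constructed copy of the listing.

```shell
#!/bin/sh
# Added example, not from the original document: a consistency check for the
# dhcpd.conf of code listing 11.1. It reads the subnet, range, routers and
# domain-name-servers statements and verifies that every address dhcpd hands out,
# and the gateway and nameserver it tells the clients about, lie inside the
# declared subnet, and that ddns-update-style is "none" as the text requires.
# Assumes one subnet block and a single address in routers/domain-name-servers.

# complain MESSAGE: print it and count it
complain() { echo "$1"; PROBLEMS=$((PROBLEMS + 1)); }

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK -> true when ADDR & MASK equals NET
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

# range_size FIRST LAST -> number of addresses in the range, inclusive
range_size() {
    echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# check_dhcpd_conf FILE -> prints "ok", or one problem per line and returns 1
check_dhcpd_conf() {
    PROBLEMS=0
    # one awk pass extracts the fields; "-" marks a statement that is missing
    set -- $(awk '
        BEGIN { net = mask = r1 = r2 = gw = dns = ddns = "-" }
        { gsub(/[;,]/, "") }                        # drop statement terminators
        $1 == "subnet"            { net = $2; mask = $4 }
        $1 == "range"             { r1 = $2; r2 = $3 }
        $1 == "option" && $2 == "routers"             { gw = $3 }
        $1 == "option" && $2 == "domain-name-servers" { dns = $3 }
        $1 == "ddns-update-style" { ddns = $2 }
        END { print net, mask, r1, r2, gw, dns, ddns }' "$1")
    net=$1 mask=$2 r1=$3 r2=$4 gw=$5 dns=$6 ddns=$7
    for v in "$net" "$mask" "$r1" "$r2" "$gw" "$dns"; do
        if [ "$v" = - ]; then
            complain "subnet, range, routers or domain-name-servers statement missing"
            return 1
        fi
    done
    [ "$ddns" = none ] || complain "ddns-update-style should be none, got $ddns"
    in_subnet "$r1" "$net" "$mask" || complain "range start $r1 outside $net/$mask"
    in_subnet "$r2" "$net" "$mask" || complain "range end $r2 outside $net/$mask"
    [ "$(ip2int "$r1")" -le "$(ip2int "$r2")" ] || complain "range start $r1 is after range end $r2"
    in_subnet "$gw" "$net" "$mask" || complain "routers $gw outside $net/$mask"
    in_subnet "$dns" "$net" "$mask" || complain "domain-name-servers $dns outside $net/$mask"
    if [ "$PROBLEMS" -eq 0 ]; then echo ok; return 0; fi
    return 1
}

# write_sample_conf FILE: constructed copy of code listing 11.1
write_sample_conf() {
    cat > "$1" <<'EOF'
ddns-update-style none;
option domain-name "pandora.be";
option domain-name-servers 192.168.1.1;
default-lease-time 3600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.5 192.168.1.20;
  option routers 192.168.1.1;
}
log-facility local7;
EOF
}

# Demonstration on the constructed copy; in real use pass /etc/dhcp3/dhcpd.conf.
demo=$(mktemp)
write_sample_conf "$demo"
check_dhcpd_conf "$demo"
echo "leases available: $(range_size 192.168.1.5 192.168.1.20)"
rm -f "$demo"
```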
Surfing from the clients
Here we are! Your firewall is set (remember we checked the DHCP
setting for both interfaces?), and your dhcp server is running. You
can try surfing from a client computer by requesting a new IP address
from the server. The configuration of the clients is different for
different Operating Systems, but it should not be too hard to do.
12. Activating a new partition
Introduction
After installation it is necessary to activate all partitions that are not
activated by default. Knoppix uses automount to mount the filesystems it
finds automatically when you click on the icons on the desktop, but since
we want to make a server system we need the partitions to be mounted at
boot time.
Whether it will be to create backups on or to make a data directory, or
anything else for that matter, the process of activating a partition is
always similar. We will assume that the partition is already created using
fdisk, but has not been made into a filesystem yet.
Formatting the partition
When you have just laid out the partition table there have been no filesystems
initialized on the partitions knoppix did not need itself. The installer formatted the
primary partition that it would install itself upon, but that's it. Other partitions
need to be initialized before they can be used. You need to make them into a certain
filesystem for these partitions to be usable. Here we describe how to do this.
The choice of a filesystem is something one can debate about forever and ever.
Benchmarks favour one over another, comparing efficiency and reliability. In
general, I think going for ext3 or xfs is a valid choice and both are supported
by the knoppix kernel. Be aware that if you choose other filesystems some of
them require kernel recompilation.
The recommended choice made here is an xfs filesystem. It has built in support
in the kernel distributed by Knoppix, and support for ACLs on the filesystem.
Initializing a partition is rather easy as Webmin gives you an
excellent interface to do this. All you need to do is go to the Hardware section,
in which you should find the Partitions on Local Disks panel.
Choose a partition to initialize, and you will be provided with an interface
to change the partition type, which at this moment should be "Linux", and also
to Create a filesystem on this partition. After choosing "SGI (xfs)" from the
popup, you can click on the "Create Filesystem" button, accept all the defaults
and you are done. Here's a
link to the interface page for initializing a partition.
For the interested, from the command line
sudo mkfs.xfs /dev/hdb7 should do the same thing. You need only to find out
the device number of the partition you wish to initialize.
Activating the partition
To activate the partition it suffices to mount it at boot time. At boot time,
the file /etc/fstab decides on what partitions get to be mounted. You
will need to add a line there corresponding with the partition you want to
automount.
But, of course, also here you can call on Webmin to help you out. In the
System section, there is a "Disk and Network Filesystems" control panel,
which manages exactly this configuration file. There, you can "Add Mount"
a new mount point and choose a partition on one of the disks from your
knoppixbox. You can also browse the dev-tree, if you know what to
look for. It's easier to choose your partition from the popup, I think.
This is what it looks like.
From the command line, for instance, to mount /dev/hdb1 as the partition on which the
/home/ directories will reside, add the following line to
your fstab in the case of an xfs partition:
Code listing 12.1: Adding this line to /etc/fstab will have the same effect |
/dev/hdb1 /home xfs defaults 0 2
|
The first parameter describes the location of the partition, /dev/hdb1. The
second one the mount point, /home. The third one is for the filesystem
type, xfs, and the fourth one is dependent on the type of the file system,
and is the place where you could add extra options to mount the filesystem.
Usually, "defaults" is what you will want. The 0 describes whether
or not the filesystem needs to be dumped sometime. No, not dumping as in
throwing away, but dump, which is a backup mechanism. Finally, the 2 is a
number describing the pass the filesystem is checked in. First pass is
for the root filesystem, second pass is for "after the root filesystem",
so you can specify a 2 for all your self added filesystems. You need to
specify 1 or 2 for every filesystem you want to be mounted at boot time.
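A checker for fstab lines of the kind shown in code listing 12.1, added here as an example and not taken from the original document. It splits the six fields just described and flags the mistakes that only show up at the next boot; the set of filesystem types it accepts is an assumption of the example, not a list from the page.

```shell
#!/bin/sh
# Added example, not from the original document: a checker for an /etc/fstab line
# such as the one in code listing 12.1. It splits the six fields the text walks
# through and reports the mistakes that surface at boot: a wrong field count, a
# relative mount point, a filesystem type outside the set this example accepts,
# and a dump or pass number that does not follow the rules given above.

# complain MESSAGE: print it and count it
complain() { echo "$1"; PROBLEMS=$((PROBLEMS + 1)); }

# fstab_field LINE N -> the Nth whitespace-separated field (1 = device ... 6 = pass)
fstab_field() {
    echo "$1" | awk -v n="$2" '{ print $n }'
}

# check_fstab_line LINE -> prints "ok", or one problem per line and returns 1
check_fstab_line() {
    PROBLEMS=0
    set -- $1
    if [ $# -ne 6 ]; then
        echo "expected 6 fields (device mountpoint type options dump pass), got $#"
        return 1
    fi
    dev=$1 mnt=$2 type=$3 dump=$5 pass=$6
    case $mnt in
        /*) ;;
        *)  complain "mount point $mnt is not an absolute path" ;;
    esac
    case $type in
        ext2|ext3|xfs|reiserfs|vfat|iso9660|proc|swap) ;;   # assumed accepted set
        *)  complain "filesystem type $type is not one this example accepts" ;;
    esac
    case $dump in
        0|1) ;;
        *)   complain "dump field must be 0 or 1, got $dump" ;;
    esac
    case $pass in
        0)  case $type in
                swap|proc) ;;   # nothing to fsck for these
                *) complain "pass 0 skips fsck for $dev on $mnt; the text uses 2 for added filesystems" ;;
            esac ;;
        1)  [ "$mnt" = / ] || complain "pass 1 is for the root filesystem; use 2 for $mnt" ;;
        2)  [ "$mnt" != / ] || complain "the root filesystem should use pass 1, not 2" ;;
        *)  complain "pass must be 0, 1 or 2, got $pass" ;;
    esac
    if [ "$PROBLEMS" -eq 0 ]; then echo ok; return 0; fi
    return 1
}

# Demonstration on the line from code listing 12.1
check_fstab_line '/dev/hdb1 /home xfs defaults 0 2'
```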
Moving the /home/ partition
We will do this for the /home/ partition. You have seen how to do this,
so you may just go ahead and do this as described, but one caveat is in
order. There is already valid information in the /home/
directory, but mounting a new partition on that path will not throw away
any files on the path in the root partition, so that's no worry.
13. Mail server
Warning:
This chapter needs some verification. The main guidelines are valid,
but the details may need refinement.
|
Introduction
Back in the day I used to be a big fan of qmail. However, lately that has
changed. Qmail sure has its merits. It is simple, it is secure and it
delivers to maildirs, just to name a few. DJ Bernstein, the author of
qmail, is a legendary and controversial figure in the world of open source,
and he surely has bright ideas about everything.
But, even though it has merits, it has drawbacks too. It has not been
updated for years. If you ever need to do anything special that qmail
does not do, you need to apply patches, and recompile qmail. DJ Bernstein
will then however refuse to give support whatsoever, because it is not
an official distribution. Of course this is not always handy. If you
want to do SMTP authentication, if you want to enable TLS or lots of
other things you need patches and you are thus left on your own with
it. But that is just geek chat. Back to what you do need to know.
There is another package which has gained a lot of popularity and which
drew my attention because it has been adopted by Apple to be included
in their Mac OS X since 10.3. It's called postfix and fulfils
all our needs, and more.
First of all, we want maildir storage for our mails. Plainly said, this
means one mail is stored as one file. This sounds like it should be
evident, but it isn't. Traditionally, mail servers on unix systems
used to store one big file with all your mail, separated merely by a
special character. This is called mbox format, and is still used
by a variety of applications. Apple Mail, to name just one.
Try writing a script that injects each of your
mail messages into gmail, for example. Or try to do some advanced
searching on your mail that is not supported by your mail client.
All of these requirements are met in the mailserver PostFix. It can
store in maildir format and is not too difficult to configure. It
has a webmin interface, of which we will only use the basic features.
Installation
Installation is the usual sudo apt-get install postfix.
For convenience, I've put a couple of screenshots with some
explanations on what to answer.
Figure 13.1: Warning explaining the various setups (press OK)
Figure 13.2: Which kind of setup would you like... (answer Internet With Smarthost)
Figure 13.3: Mail for the root user should go to... (answer is the main user)
Figure 13.4: The hostname portion of the address... (accept default answer)
Figure 13.5: Append domain for outgoing mail... (answer NO)
Figure 13.6: Smarthost outgoing mail... (answer your ISP's SMTP server's name)
Figure 13.7: Final destination for this machine is... (accept default)
Figure 13.8: Synchronous updates ... (answer YES)
And we're done. Personally, I think that's a couple of questions
too much, but maybe that's to do with taking all these screenshots.
There are more programs that need installation, so here we go for another
series: sudo apt-get install courier-imap-ssl will install an IMAP
mailserver, and will only ask one question:
Figure 13.9: Create directories for web-based administration... (answer NO)
One more package is needed, fetchmail-ssl. The -ssl suffix is because
it is necessary to be able to connect to POP-servers that require a
secure connection for the password. On top of that, the normal fetchmail
has an annoying bug that sometimes gives an error message when connecting
to the server. So, fetchmail-ssl is better. This one does not ask any
questions, so just sudo apt-get install fetchmail-ssl.
There are some post-installation instructions to this section. When adding
a new user, the Maildir directory will need to be created. Therefore, it is handy
to create it in the skeleton that is copied as a home directory when
adding a new user. This can be done with the command sudo maildirmake /etc/skel/Maildir.
You will also need to do this for every user already known to the system. This
actually means you will need to do this for the main user you configured
at Knoppix installation time, since we haven't added any other users yet.
Another thing we need to do is make sure that all daemons are started at
boot time. For fetchmail this means some extra setup because it is not
really happy to be run in daemon mode. We will need to force it a bit.
You can change the fetchmail settings in /etc/default/fetchmail
to have SERVICE set to true and to have RUNASROOT set to true. This should
suffice to have it automatically started up at boot time.
The same goes for the courier authdaemon, which is necessary for the courier
IMAP server to be able to authenticate any user. So, we issue the command
sudo update-rc.d courier-authdaemon defaults to get the authentication
daemon started up at boot time.
Verifying and Adapting the Settings
Now we will manually verify and adapt all these settings. To do this, we
have a Webmin control panel at hand, in the Servers section, the Postfix
Configuration panel. As can be seen from this panel, the user interface
is elaborate. Too elaborate for us; we will only need a couple of
categories.
Figure 13.10: The Postfix elaborate Configuration Panel
We need to do a couple of things. First of all, the default settings
don't allow any computer on the local network to use this server
as an SMTP server. This would be fine if every local user set the
SMTP server of their mail client to the ISP's SMTP server, and the
firewall were adapted accordingly. But it is far handier to let them
use this knoppixbox as an SMTP server. This will
later allow for archiving of mail, virus checking of mail, etc...
So, we add the local network, 192.168.1.0/24, to the "Local Networks"
setting in the "General Options" section. While we're at it, take
a look at the exquisite help provided here. Each setting has a link
which will open a popup window with some explanation on the setting.
Sometimes this can be very helpful! Don't forget to "Save and Apply"
this setting.
Another thing we need to change is the "Home-relative pathname of
user mailbox file" in the "Local Delivery" section. We will change
this to be "Maildir/", with the very important slash on the end.
The slash will make sure we have maildir delivery. This setting
will immediately change the "home_mailbox" setting in the
/etc/postfix/main.cf file. So, every homedir will
have it's Maildir directory that will be used to
deliver and store the mails in.
My ISP at least, and with spam growing explosively more and more
ISPs, will not accept mail from kristof@knoppixbox. Since we are
using a simple LAN, there is no Fully Qualified Domain Name with
which our knoppixbox can be reached. So, mail with the From-address
set to kristof@knoppixbox will not be delivered. Not always
interesting, but sometimes the knoppixbox will generate
mail messages of its own. If we don't make sure these e-mail messages get
through our ISP's mail server, they will be lost. So, we need Canonical
Maps, in Postfix terminology, to rewrite this e-mail address to
something that can be replied to.
And, you wouldn't have expected it, there is a Configuration Panel
called "Canonical Mapping", to do just this. We will change the
setting of "Address mapping lookup tables" to point to the
file /etc/postfix/canonical. With the Edit Canonical
Maps button we can change the canonical maps known to the postfix
system. There, we set a valid e-mail address for every user that
can generate e-mail on the knoppixbox. That is, if you
plan running scheduled commands or something like that, you
need to provide a mapping that will translate root@knoppixbox
to something that will get the e-mail through your ISP, and, should
the e-mail be undeliverable, is also a valid return address.
This is what my canonical
mapping configuration panel looks like and
this is what my canonical maps look like. If you would like
to receive the messages generated by your knoppixbox, make sure
to set it to something similar, in which every e-mail address @coin-c
is valid and any e-mail address @ghandi is not.
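The three settings above (mynetworks, home_mailbox and the canonical map) can be checked straight from the files Webmin writes, before "Save and Apply". This is an added example, not part of the guide or of Postfix; it assumes the 192.168.1.0/24 LAN from the text and works on constructed sample files, with example.com standing in as a placeholder domain:

```shell
#!/bin/sh
# Added example, not part of the original guide: reads the three Postfix
# settings this chapter changes through Webmin straight from main.cf and
# checks them, plus the canonical map. Assumptions: the LAN is 192.168.1.0/24
# as in the text; the sample files are constructed here (example.com is a placeholder).
LAN_NET="192.168.1.0/24"

# Value of a main.cf parameter; if it is set twice Postfix uses the last one.
postfix_setting() {  # $1 = main.cf path, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# home_mailbox must end in "/" for maildir delivery; without the slash Postfix
# writes one mbox file called "Maildir" and courier-imap will find nothing.
check_home_mailbox() {
    case "$(postfix_setting "$1" home_mailbox)" in
        */) return 0 ;;
        *)  return 1 ;;
    esac
}

# mynetworks must list the LAN so clients can relay through the box, and must
# never contain a catch-all such as 0.0.0.0/0, which would make it an open relay.
check_mynetworks() {
    nets=" $(postfix_setting "$1" mynetworks | tr ',' ' ') "
    case "$nets" in *" 0.0.0.0/0 "*|*" 0/0 "*) return 1 ;; esac
    case "$nets" in *" $LAN_NET "*) return 0 ;; *) return 1 ;; esac
}

# Every rewritten address in the canonical map needs a real (dotted) domain the
# ISP will accept, and root@<host> must be mapped or scheduled-job mail is lost.
check_canonical() {  # $1 = canonical map file, $2 = short hostname of the box
    root_ok=1
    while read -r lhs rhs rest; do
        case "$lhs" in ''|'#'*) continue ;; esac
        case "$rhs" in *@*) ;; *) return 1 ;; esac
        case "${rhs#*@}" in *.*) ;; *) return 1 ;; esac
        [ "$lhs" = "root@$2" ] && root_ok=0
    done < "$1"
    return $root_ok
}

# Constructed sample files: one good configuration and one with the usual mistakes.
write_samples() {  # $1 = scratch directory
    cat > "$1/main.cf" <<'EOF'
mynetworks = 127.0.0.0/8, 192.168.1.0/24
home_mailbox = Maildir/
canonical_maps = hash:/etc/postfix/canonical
EOF
    cat > "$1/main-bad.cf" <<'EOF'
mynetworks = 0.0.0.0/0
home_mailbox = Maildir
EOF
    cat > "$1/canonical" <<'EOF'
# local sender          address the ISP accepts (placeholder domain)
root@knoppixbox         admin@example.com
kristof@knoppixbox      kristof@example.com
EOF
    printf 'kristof@knoppixbox kristof@ghandi\n' > "$1/canonical-bad"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in main.cf main-bad.cf; do
    check_home_mailbox "$dir/$f" && check_mynetworks "$dir/$f" \
        && echo "$f: ok" || echo "$f: needs fixing"
done
check_canonical "$dir/canonical" knoppixbox && echo "canonical: ok"
```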
Letting users POP their e-mail
Of course, this does not help us much as we are on a cheap subscription
and our ISP will only let us POP e-mail. Well, that's what you think.
Since we've installed this fetchmail-ssl tool, we can let the users configure
their e-mail pop addresses as much as they like. All they need to do is
start the Usermin interface and add an e-mail address to pop and fetchmail
will pop it for them and deliver it in their Maildir. So, the users
can read it.
Now, reading your mail from an internal network can be done using various
methods. There could have been an installation of webmail, but in general that
is clumsy to use and not always what you want. It could be added later
on in this document, though, because having webmail around is a handy
feature anyway. But for now, we will go with another viable solution:
reading your mail via the IMAP protocol.
IMAP is a protocol like POP3 for reading mail, but one that leaves the opportunity
to read mail on the client without moving it off the server. This way,
both client and server retain copies of the e-mail and only a synchronization
is necessary every time we connect to our mailbox.
This is extremely handy when reading on different clients, and is also
very handy when trying to backup the mails. You can backup on your
client, or you can backup on your server, depending on your preference.
Note:
todo.... figure out how to set canonical maps per user?
todo.... explain thoroughly how to configure the e-mail client
Firewall Configuration
Also in this section, we have made some assumptions which you need to
change your firewall for. This table sums up a valid configuration
for your mail server firewall.
Action | Source     | Destination | Protocol | Source ports | Destination ports | Comment
Accept | Firewall   | Zone Net    | TCP      | Any          | 25                | Allow the knoppixbox to send mail to the upstream SMTP server.
Accept | Zone Local | Firewall    | TCP      | Any          | 25                | Allow local clients to use the knoppix box as an SMTP server.
Accept | Zone Local | Firewall    | TCP      | Any          | 993               | Allow the local clients to read e-mail via IMAP.
Accept | Firewall   | Zone Net    | TCP      | Any          | 110               | Allow the knoppixbox to pop mail for the users that want to use fetchmail to pop their mail.
14. Installing subversion
Introduction
You may not be a programmer. You may not be a website designer.
You may think you don't need subversion at all. Yet, you may not
know Subversion at all and therefore you may think that it is
another version of Much Ado About Nothing, originally by Shakespeare,
wasn't it? Well, you're wrong.
I'm pretty sure you have some documents that you modify once in
a while, but not always on the same location. An address book
anywhere? Hm... Or a list of CDs? Or a Calendar? Etc... there
are plenty of applications to be found for a version control system
and it all boils down to one thing: if you need to modify a document
with various persons or from various locations, a Versioning System
is bloody easy to have around.
So, I admit that the main reason this chapter is included is because
it is my main concern to have it working on my personal server.
I manage my websites with this tool, I manage my source code with this
tool, I manage the list of birthdays of my friends with this and the
list of CDs. Yep, let's just say Subversion will make you a better
person. Or a better computer user at least!
And it's bloody easy to configure & install...
Installing and Configuring Subversion
Subversion needs Apache2. The nice thing about the package system is that
when you install subversion it will automatically detect that it
depends on Apache2 and will install it for you as well. In theory,
that is. In practice the package maintainers have chosen not to
depend upon Apache2, and you need to install it separately.
All right, all right... something can be said for this approach. You
don't need to run it over Apache, and a hard dependency would
make the installation process ridiculously clumsy for those that don't
need an Apache2 server. So, let's just go for it.
What we need to do is install this list of packages:
- sudo apt-get install subversion
- sudo apt-get install apache2
- sudo apt-get install libapache2-svn
Ok, that's it for installing what we need. We need some configuration
settings however. This can't be done with webmin, so you will need to
do some manual hacking with nedit on your knoppixbox. Somehow, Webmin
has not updated to Apache2 yet. It's not the only one, PHP4 on Debian
Apache2 is also still a bit of a pain. Somehow, people don't seem to
see any advantage of Apache2 over Apache, so they stick with what works.
Perfectly viable of course.
Luckily we can run both Apache2 and normal Apache servers side by side
and we can later change the port of this Subversion server to something
different if we want to install a regular Apache with PHP enabled on our
knoppixbox.
Now that subversion is installed we need to create a repository. It's
pretty easy. It involves choosing a path to store the repository in. I
would suggest something like /home/subversion/. Issuing the
command svnadmin create /home/subversion/ will do the trick, if we
also make sure the apache2 daemon has access:
Code listing 14.1
kristof@knoppixbox:~/ sudo svnadmin create /home/subversion/
kristof@knoppixbox:~/ sudo chown -R www-data:www-data /home/subversion/
To make the repository accessible via the Apache2 web server, we need to
enable the module by creating a link in the mods-enabled section of the
configuration, change the configuration settings a bit and restart the
web server.
So, let's start with this:
Code listing 14.2
kristof@knoppixbox:~/ sudo cp /etc/apache2/mods-available/dav_svn.conf /etc/apache2/mods-enabled/dav_svn.conf
kristof@knoppixbox:~/ sudo nedit /etc/apache2/mods-enabled/dav_svn.conf
Now, we need to uncomment two lines: change the line saying "# DAV svn" to "DAV svn",
and the line saying "# SVNPath /var/lib/svn" to "SVNPath /home/subversion".
Then restarting apache2, with the command /etc/init.d/apache2 restart, is all
we need to get going!
Note:
todo:
... explain the client side
Firewall Configuration
As always, the firewall needs to be set so that it will allow
Action | Source     | Destination | Protocol | Source ports | Destination ports | Comment
Accept | Zone Local | Firewall    | TCP      | Any          | 80                | Allow the local network to connect to the Apache2 server, and thus to Subversion.
15. Fileserver
Warning:
This chapter is crude. It will work, but could do with some better
explanation of what is going on.
Introduction
One of the nicer things about having a knoppixbox is you can use it
as a Samba fileserver. Samba is the open source implementation of the
SMB protocol, used by Microsoft to do file sharing. By using Samba,
you can have all your files accessible from Windows, Macintosh or
Linux machines, and more! You can use Samba as an authentication
server or you can use it as a Print Server. You can do loads of
things with it, but for now, we'll stick to the basics: file serving.
Installation
Now, I don't think this can be any easier. It's there already!
The latest and greatest Samba3! At your hands! Waaw!
Configuration
For now, we'll keep the configuration pretty simple. It can be
updated later on, and annotated too, but just for now, make sure
your configuration file looks like this.
Code listing 15.1: The /etc/samba/smb.conf file
[global]
netbios name = HOSTNAME
workgroup = WORKGROUP
# we use the smbpasswd backend; the ldap settings below are commented
# out and would only be needed if we used an ldap backend:
passdb backend = smbpasswd, guest
# ldap admin dn = "cn=admin,ou=People,dc=bliir,dc=word,dc=mine,dc=nu"
# ldap ssl = off
# passdb backend = ldapsam:ldap://127.0.0.1
# ldap user suffix = ou=People
# ldap group suffix = ou=Groups
# ldap machine suffix = ou=Computers
# ldap suffix = dc=bliir,dc=word,dc=mine,dc=nu
# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
# idmap gid = 1000-2000
# idmap uid = 1000-2000
os level = 33
preferred master = yes
domain master = yes
local master = yes
security = user
encrypt passwords = true
domain logons = yes
logon path = \\%N\%U\profile
logon drive = Z:
logon home = \\%L\%u\.profiles
logon script = logon.cmd
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
wins support = yes
interfaces=eth1
printing = bsd
printcap name = /etc/printcap
load printers = yes
guest account = pcguest
# log level = 3
[netlogon]
path = /var/lib/samba/netlogon
read only = yes
write list = ntadmin
browseable = no
[homes]
path = /home/%U/
read only = no
create mask = 0600
directory mask = 0700
# keep the mail store out of the file share
veto files = /Maildir/
[common]
path = /home/common/share
read only = no
force directory mode = 0770
force group = common
[printers]
comment = All Printers
browseable = no
printable = yes
public = no
writable = no
create mode = 0700
All you need to change is HOSTNAME into something appropriate
for your knoppixbox, like the hostname, and WORKGROUP to something
that describes your local network. Use WORKGROUP if you don't have
any inspiration if you want. It doesn't matter all that much.
We need to make sure it's started at boot time, because
that is not enabled by default. This simple
command will help us out.
Code listing 15.2: Making sure Samba starts at boot time
kristof@knoppixbox:~# sudo update-rc.d samba defaults
Adding system startup for /etc/init.d/samba ...
/etc/rc0.d/K20samba -> ../init.d/samba
/etc/rc1.d/K20samba -> ../init.d/samba
/etc/rc6.d/K20samba -> ../init.d/samba
/etc/rc2.d/S20samba -> ../init.d/samba
/etc/rc3.d/S20samba -> ../init.d/samba
/etc/rc4.d/S20samba -> ../init.d/samba
/etc/rc5.d/S20samba -> ../init.d/samba
kristof@knoppixbox:~# sudo /etc/init.d/samba start
Starting Samba daemons: nmbd smbd.
Since we've chosen smbpasswd as the password backend, we will
need to add every user that is allowed to connect to the server manually
with the smbpasswd -a command. This is not difficult, but
it is not elegant either. A more elaborate configuration of user
management is high on the list of todo items for this
document.
That should be it. If you've configured your firewall, you should
be able to connect to the fileserver.
Configuration of the Firewall
As usual, the Firewall will need some adaptation for every client to
be able to connect to the file server. This table sums it up. It
is based on the table
provided by the Shorewall team.
Action | Source     | Destination | Protocol | Source ports | Destination ports | Comment
Accept | Zone Local | Firewall    | UDP      | Any          | 137:139           | These two ports require UDP traffic enabled.
Accept | Firewall   | Zone Local  | UDP      | Any          | 137:139           | These two ports require UDP traffic enabled in both directions.
Accept | Zone Local | Firewall    | TCP      | Any          | 137,139,445       | These three ports require TCP traffic enabled.
Accept | Firewall   | Zone Local  | TCP      | Any          | 137,139,445       | These three ports require TCP traffic enabled in both directions.
Accept | Zone Local | Firewall    | UDP      | 137          | 1024:             | Source port 137 can call back to any port higher than 1024.
Accept | Firewall   | Zone Local  | UDP      | 137          | 1024:             | Source port 137 can call back to any port higher than 1024 in both directions.
Todo
Actually, there is a lot more to be described than the timeframe allowed. You not
only have a samba server, you have a full-fledged samba server. You can use it for
user management, for ACLs, as a print server, etc... this is all still to be done.
16. Printserver
Introduction
It's easy to share the printer connected to the parallel
port of the knoppixbox. Really easy. So, why not?
What you need to realize, is that the print server that
we are installing on our knoppixbox is dumb. So dumb,
it would not know a PDF file from a porn piccy. Actually
all it does is get the data via a TCP/IP connection and
dump it to the printer. You will need to make sure the
data is formatted for your printer client side.
This means you will have to install the Printer Drivers
on each and every client on the LAN. There are ways around
this using the Fileserver from the last section, but for now
we'll have to do with just this: install every printdriver
on every client using the printer.
Installing and Configuring the Printserver
Actually, it's easy as installing one package, and starting
it. All we need is to install the lpr
package, and it's installed like any other package, with
the apt-get command.
For some reason, the default comes with only local printing,
so we need to change the /etc/default/lpd file to not
have the OPTIONS="-s" line. Replace that line with a
regular OPTIONS= empty line.
Once again, for the configuration file, I will just dump you my
configuration file. It could do with some annotation, I know, but
if you have a printer connected to the parallel port of your
computer, this should do.
Code listing 16.1: The /etc/printcap file
# /etc/printcap: printer capability database. See printcap(5).
# You can use the filter entries df, tf, cf, gf etc. for
# your own filters. See /etc/filter.ps, /etc/filter.pcl and
# the printcap(5) manual page for further details.
#
# lp = printer device, sd = spool directory, af/lf = accounting and error
# logs, mx#0 = no maximum job size, sf = suppress form feeds,
# sh = suppress the header page. Every line but the last must end in "\".
Laserjet1100|Generic dot-matrix printer entry:\
:lp=/dev/lp0:\
:sd=/var/spool/lpd/lp:\
:af=/var/log/lp-acct:\
:lf=/var/log/lp-errs:\
:pl#66:\
:pw#80:\
:pc#150:\
:mx#0:\
:sf:\
:sh:
Once you've done this, you can just start the printer by issuing
/etc/init.d/lpd start and you should see the printer popping up
in the explorer of a windows client if you connect to the computer
via the Fileserver (i.e. samba). If you connect with an Apple client
you will not be able to use this approach and you need to manually
add the printer with the proper IP-address.
Configuring the Firewall
Should you connect to the printer only using the Samba fileserver,
you will not need to have any adaptations on your firewall, as all
network traffic will go over the SMB channels. However, if you are
like me, and you print from a Mac once in a while, you want to talk
with the lpd daemon directly, and you need to open the port on the
firewall. This table shows the one line you need to add to the
configuration of the firewall.
Action | Source     | Destination | Protocol | Source ports | Destination ports | Comment
Accept | Zone Local | Firewall    | TCP      | Any          | 515               | Allow traffic from the local network to the lpd daemon.
17. SSH
Introduction
This is another section that is mainly included because I use it a
lot. It's very handy to do remote support when Webmin just won't cut
it. Actually, that's a silly excuse, because even from Webmin you can
run ssh commands via a Java-applet, found in the Other section. But
also for this, you need to enable ssh.
Installation and Configuration
It's already installed! Another one of those easy installations
delivered to you by KNOPPIX. All you need to do is go to the Webmin
interface and start it. And to make sure it starts every time your
knoppixbox is started, you can issue sudo update-rc.d ssh defaults
to add the necessary init links to your startup sequence.
You can find the SSH section in Servers section of your Webmin interface.
The configuration panel is called "SSH Server" and you can leave all the
settings set to their defaults.
Configuration of the Firewall
The SSH protocol is on Port 22, so you need to enable all TCP traffic to the
firewall on this port. In a table:
Action | Source | Destination | Protocol | Source ports | Destination ports | Comment
Accept | Any    | Firewall    | TCP      | Any          | 22                | Allow traffic from anywhere to the ssh daemon.
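The firewall tables of chapters 13 to 17 all share the same columns, so one added example (not from the guide or from Shorewall) can turn them into lines for /etc/shorewall/rules. It assumes the Shorewall zone names loc, net and fw for "Zone Local", "Zone Net" and "Firewall", and the rows below are constructed from those tables; note that Shorewall wants the destination port before the source port, the opposite of the tables' order.

```shell
#!/bin/sh
# Added example, not part of the original guide: turns the firewall tables of
# chapters 13 to 17 into /etc/shorewall/rules lines. Assumptions: the zone names
# are "loc" (Zone Local), "net" (Zone Net) and "fw" (Firewall), as in Shorewall's
# two-interface sample configuration; the rows below are constructed from the
# guide's tables, in the guide's column order.

# Map the tables' zone wording to Shorewall zone names; "all" matches every zone.
zone() {
    case "$1" in
        "Zone Local") echo loc ;;
        "Zone Net")   echo net ;;
        Firewall)     echo fw ;;
        Any)          echo all ;;
        *)            echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# One table row -> one rules line. The tables list Source ports before
# Destination ports, but Shorewall's columns are ACTION SOURCE DEST PROTO
# DEST-PORT SOURCE-PORT, so the two port columns are swapped on output and
# "Any" becomes "-". Ranges (137:139, 1024:) and lists (137,139,445) are
# already in Shorewall syntax and pass through unchanged.
rule_from_row() {  # $1 = "Action|Source|Destination|Protocol|Src ports|Dst ports"
    printf '%s\n' "$1" | (
        IFS='|' read -r action src dst proto sport dport
        src=$(zone "$src") || exit 1
        dst=$(zone "$dst") || exit 1
        [ "$sport" = Any ] && sport=-
        [ "$dport" = Any ] && dport=-
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(echo "$action" | tr a-z A-Z)" \
            "$src" "$dst" "$(echo "$proto" | tr A-Z a-z)" "$dport" "$sport"
    )
}

# The rows of the five tables (mail, subversion, samba, lpd, ssh), constructed here.
ROWS='Accept|Firewall|Zone Net|TCP|Any|25
Accept|Zone Local|Firewall|TCP|Any|25
Accept|Zone Local|Firewall|TCP|Any|993
Accept|Firewall|Zone Net|TCP|Any|110
Accept|Zone Local|Firewall|TCP|Any|80
Accept|Zone Local|Firewall|UDP|Any|137:139
Accept|Firewall|Zone Local|UDP|Any|137:139
Accept|Zone Local|Firewall|TCP|Any|137,139,445
Accept|Firewall|Zone Local|TCP|Any|137,139,445
Accept|Zone Local|Firewall|UDP|137|1024:
Accept|Firewall|Zone Local|UDP|137|1024:
Accept|Zone Local|Firewall|TCP|Any|515
Accept|Any|Firewall|TCP|Any|22'

# The complete fragment for /etc/shorewall/rules, header line included.
rules_file() {
    printf '#ACTION\tSOURCE\tDEST\tPROTO\tDPORT\tSPORT\n'
    printf '%s\n' "$ROWS" | while IFS= read -r row; do
        rule_from_row "$row" || exit 1
    done
}

rules_file
```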
18. Shutting down the server
You would not expect it, but shutting down the server is one of the things
most frequently asked. While it should be easy, the button in Webmin is not
always easy to find. So, I've summed up your possibilities here.
- From the command line you can do sudo shutdown -h 0.
- From Webmin: System -> Bootup and Shutdown -> Reboot System or Shutdown System (scroll all the way down).
- Via a special key combination: change /etc/inittab so that it has
ca::ctrlaltdel:/sbin/shutdown -h now instead of
ca::ctrlaltdel:/sbin/shutdown -r now. This makes sure that
pressing CTRL-ALT-DEL on the server shuts it down instead of
restarting it. Also very handy if you don't have a screen attached
to the server.
- On the graphical logon screen, there is a "Shutdown" button.
Sleep well...
19. Roadmap And Todo
This is my list of todo items in no particular order.
- Time management.
- Provide a url to get random passwords and warn about security on passwords.
- Translation into Dutch.
- More chapters for more software of course.
- Get sudo figured out.
- Checklist per chapter on the settings.
- Configuration files per chapter.
- Feedback.
- Show which versions of software the document is based on.
- User management
- ddclient.
20. Credits
This document was made with the excellent guide style sheet also
used to make the gentoo
documentation, with some minor adaptations done by myself.
A big hug also to all those resources on the internet that made
this document possible. There are too many to name and I don't have
a list anyway, but I hope they know who they are. Also, I hope that
by sharing this document publicly I have given something back.
This work is licensed under a Creative Commons License.