Saturday, July 7, 2012

Multi Boot Pendrive (Grub on USB)


Boot ISO Files directly from USB using Grub2 from Linux. Here is one way to create a Multiboot USB Flash Drive from a running Ubuntu (I used the Live CD). You may eventually need a large Flash Drive or USB Hard Drive in order to include every bootable ISO entry. I will add more Bootable ISO files to the grub.cfg file as I find time to test them. Contact me to submit working Bootable Linux ISO grub.cfg entries for inclusion.
I. Format your USB Flash Drive to use a Single Partition:
Open a terminal and type sudo su
Type fdisk -l (and note which device is your USB Drive)
Type fdisk /dev/sdx (replacing x with your actual usb device)
Type d (to delete the existing partition)
Type n (to create a new partition)
Type p (for primary partition)
Type 1 (to create the first partition)
Press Enter (to use the first cylinder)
Press Enter again (to use the default value as the last cylinder)
Type a (for active)
Type 1 (to mark the first partition active “bootable”)
Type w (to write the changes and close fdisk)
II. Create a Fat32 Filesystem on the USB Flash Drive:
Type umount /dev/sdx1 (to unmount the mounted partition)
Type mkfs.vfat -F 32 -n MULTIBOOT /dev/sdx1 (to format the partition as fat32)
III. Install Grub2 on the USB Flash Drive:
Type mkdir /media/MULTIBOOT (to create a directory for the mountpoint)
Type mount /dev/sdx1 /media/MULTIBOOT (to mount the USB)
Type grub-install --force --no-floppy --root-directory=/media/MULTIBOOT /dev/sdx (to install Grub2; note the double dashes)
Type cd /media/MULTIBOOT/boot/grub (to change directory)
Type wget pendrivelinux.com/downloads/multibootlinux/grub.cfg (to get the grub.cfg file)
IV. Test to make sure your USB Device Boots into Grub2:
Reboot your Computer, and enter your BIOS or Boot Menu. Set the Boot Order to boot from the USB Device. Save your changes and Reboot. If all goes well, you should be presented with a Grub2 Boot Menu.
V. Adding the Bootable ISO files:
Type cd /media/MULTIBOOT (assuming USB is still mounted here)
Follow the instructions below for the ISO distro you would like to add.
Ubuntu 10.10 ISO
Type wget "releases.ubuntu.com/10.10/ubuntu-10.10-desktop-i386.iso" -O ubuntu.iso
Or rename your existing ISO ubuntu.iso and copy it to the USB device
Linux Mint 10 Gnome ISO
Type wget ftp.heanet.ie/pub/linuxmint.com/stable/10/linuxmint-10-gnome-cd-i386.iso -O linuxmint10.iso
Or rename your existing ISO linuxmint10.iso and copy it to the USB device
DBAN ISO
Type wget "downloads.sourceforge.net/project/dban/dban/dban-2.2.6/dban-2.2.6_i586.iso?r=&ts=1292340298&use_mirror=surfnet" -O dban.iso
Or rename your existing ISO dban.iso and copy it to the USB device
TinyCore ISO
Type wget "distro.ibiblio.org/pub/linux/distributions/tinycorelinux/2.x/release/tinycore-current.iso" -O tinycore.iso
Or rename your existing ISO tinycore.iso and copy it to your USB device
Memtest86+
Type wget memtest.org/download/4.10/memtest86+-4.10.zip
Type unzip memtest86+-4.10.zip
Type cp memtest86+-4.10.bin memtest86+.bin
Or extract the contents of your memtest86+ zip. Rename the bin to memtest86+.bin and copy it to your USB device
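As an added example (this is not the grub.cfg served by pendrivelinux.com), here is a minimal /boot/grub/grub.cfg for the layout the steps above create: the ISO files and memtest86+.bin sit in the root of the MULTIBOOT partition and each ISO is attached as a GRUB2 loopback device. The kernel and initrd paths inside each ISO are assumptions about those particular releases; verify them from the GRUB shell with ls (loop)/ before relying on an entry.

```grub
# Added example grub.cfg for the MULTIBOOT drive built above.
set timeout=30
set default=0

# Ubuntu 10.10 desktop: casper live system; iso-scan tells casper which file to mount.
menuentry "Ubuntu 10.10 (live, from /ubuntu.iso)" {
    loopback loop /ubuntu.iso
    linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=/ubuntu.iso noprompt noeject
    initrd (loop)/casper/initrd.lz
}

# Linux Mint 10 is Ubuntu 10.10 based, so the same casper layout is assumed.
menuentry "Linux Mint 10 Gnome (live, from /linuxmint10.iso)" {
    loopback loop /linuxmint10.iso
    linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=/linuxmint10.iso noprompt noeject
    initrd (loop)/casper/initrd.lz
}

# DBAN ships a single kernel image with the initramfs built in; interactive mode.
menuentry "DBAN 2.2.6 (disk wiper, interactive, from /dban.iso)" {
    loopback loop /dban.iso
    linux (loop)/DBAN.BZI nuke="dwipe" silent
}

# TinyCore 2.x/3.x: kernel and core initrd under /boot inside the ISO (assumed paths).
menuentry "TinyCore (from /tinycore.iso)" {
    loopback loop /tinycore.iso
    linux (loop)/boot/bzImage
    initrd (loop)/boot/tinycore.gz
}

# Memtest86+ is a 16-bit bootable binary, not a Linux kernel, so linux16 is used.
menuentry "Memtest86+ 4.10" {
    linux16 /memtest86+.bin
}
```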
Link: http://www.pendrivelinux.com/boot-multiple-iso-from-usb-via-grub2-using-linux/

Zero Configuration Proxy Setup (WPAD)


Zero configuration proxy is an advanced version of Auto PAC and uses some additional techniques. As you know, with the proxy auto-config system you have to enter the PAC URL (the URL of the proxy auto-config file) in each browser's settings, so it is a bit lengthy to configure all the client PCs (although you can instruct the users with a splash/proxy welcome page).


So the next technology is WPAD (Web Proxy Auto-Discovery Protocol). It frees you from the task above: WPAD publishes the location of the PAC file, and the browser configures itself automatically.


How To Configure

WPAD can be configured in two ways: it can be published via the DHCP server or via the DNS server. Although DHCP has priority, it is normally not used, because Firefox and Chrome on non-Windows platforms do not support WPAD over DHCP.

If you want to use DHCP, just install a web server on the same machine where the DHCP server is running. If you are using Windows ICS (Internet Connection Sharing), that machine is also a DHCP server, so you can host the PAC file there. But you should use DNS for better client support.

If you chose DNS, you have to place the PAC file on a server named wpad at any of the parent levels of the client's DNS name.

For example, if the client's DNS name is
pc.dept.physics.com
then you can use the location wpad.dept.physics.com
or wpad.physics.com
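The PAC file that the wpad host serves is ordinary JavaScript exposing FindProxyForURL. As an added example (not from the original post), here is a wpad.dat for the dept.physics.com network described above; the proxy name proxy.dept.physics.com and the 192.168.0.0/16 LAN range are assumptions. The shim block at the top only exists so the logic can be run and checked outside a browser; browsers provide those helpers themselves.

```javascript
// Added example wpad.dat for the dept.physics.com network in the post.
// proxy.dept.physics.com and the 192.168.0.0/16 range are assumed values.

// Shims so the PAC logic can be exercised outside a browser (e.g. Node).
// In a browser these helpers are built in, so this block is skipped.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
  globalThis.dnsDomainIs = (host, domain) =>
    host.length >= domain.length && host.slice(-domain.length) === domain;
  globalThis.shExpMatch = (str, pattern) =>
    new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
  // Shim handles IP-literal hosts only; the browser builtin also resolves names.
  globalThis.isInNet = (host, net, mask) => {
    const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
    return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain names and the department's own domain are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".dept.physics.com")) return "DIRECT";
  // Loopback and the private LAN range never go through the proxy.
  if (host === "localhost" || isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Only web traffic is proxied; other schemes (ftp etc.) go direct.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*")) return "DIRECT";
  // Everything else via the Squid proxy, falling back to DIRECT if it is down.
  return "PROXY proxy.dept.physics.com:3128; DIRECT";
}
```

Save it as wpad.dat in the document root of the wpad host, since WPAD clients request http://wpad.<domain>/wpad.dat.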


MIME Type Settings on the webserver
Even though most clients will process the script regardless of the MIME type returned in the HTTP response, for the sake of completeness and to maximize compatibility, the web server should be configured to declare the MIME type of this file to be either application/x-ns-proxy-autoconfig or application/x-javascript-config. The MIME type configuration is therefore necessary.

Open the Apache configuration file and search for any of these lines:

 AddType application/x-compress .Z
 AddType application/x-gzip .gz .tgz
 AddType application/x-tar .tgz
 AddType image/x-icon .ico
 AddType application/vnd.wap.wmlc .wmlc
 AddType application/x-httpd-php .phtml .pwml .php5 .php4 .php3 .php2 .php .inc
 AddType text/vnd.wap.wml .wml
 AddType text/vnd.wap.wmlscript .wmls
 AddType text/vnd.wap.wmlscriptc .wmlsc
 AddType image/vnd.wap.wbmp .wbmp

Then add this line:

 AddType application/x-ns-proxy-autoconfig .pac

or

 AddType application/x-javascript-config .pac


There is little evidence to favor the use of one MIME type over the other. It would be, however, reasonable to assume that application/x-ns-proxy-autoconfig will be supported in more clients than application/x-javascript-config as it was defined in the original Netscape specification, the latter type coming into use more recently.

Captive Portal with Transparent Proxy

Captive portals and transparent proxies are both good; the only difference at the client end is that with a captive portal the first page is an advertisement, an agreement, a login, or all of these. A proxy server generally comes with a system login window instead, through which you cannot communicate with the user (show an agreement, an advertisement, or a notice about the data limit).

So if we add this to our proxy server, the proxy server will be enough to act as a captive portal. This is done by adding a splash page. Detailed documentation is also available on the Squid site.

But here is the idea in a few lines, skipping the long manuals.

A splash page is a page to which a user is redirected on the first HTTP request (the first page request). This starts a session for the user on the server. If the user stays idle for a long (configurable) duration, the user is redirected to the splash page again.


NOTE: in the examples below:



  • The session overall timeout is 7200 seconds. Once this length of time has passed, the splash screen will be shown again to the user. If you want a fixed timeout, use the "-T" option instead (available in version 1.1 of the session helper).
  • The session is checked once every 60 seconds at most. This means that the splash screen will be shown to the user for 60 seconds, during which time they will not be able to browse any other websites.
  • The ACL is called "splash_page". This can be changed as required.
  • It is assumed that the Squid helpers are installed in /usr/local/sbin/squid. Change this as required for your installation.
  • A session database file is required. Create an empty file "/var/lib/squid/session.db" and ensure it is writable by the Squid user.




For Squid versions less than 3.2


# mind the wrap. this is one line:
external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/local/sbin/squid/squid_session -t 7200 -b /var/lib/squid/session.db

acl existing_users external splash_page

deny_info http://example.com/splash.html existing_users

http_access deny !existing_users


Squid 3.2 and after




# mind the wrap. this is one line:
external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/local/sbin/squid/ext_session_acl -t 7200 -b /var/lib/squid/session.db

acl existing_users external splash_page

http_access deny !existing_users

# Deny page to display
deny_info 511:/etc/squid/splash.html existing_users



You may find, when using the example above, that the splash page is not always displayed to users. That is because other processes on the user's computer (such as automatic security updates) can reset the session counter, so it is that process rather than the user's browsing that receives the splash screen.
The following configuration example adds a url_regex rule to force the user to browse to a particular website before the session is reset. This example is for Squid 3.2 and later, but can be adapted for earlier versions.
# Set up the session helper in active mode. Mind the wrap - this is one line:
external_acl_type session concurrency=100 ttl=3 %SRC /usr/lib/squid3/ext_session_acl -a -T 10800 -b /var/lib/squid/session/

# Pass the LOGIN command to the session helper with this ACL
acl session_login external session LOGIN

# Set up the normal session helper. Mind the wrap - this is one line:
external_acl_type session_active_def concurrency=100 ttl=3 %SRC /usr/lib/squid3/ext_session_acl -a -T 10800 -b /var/lib/squid/session/

# Normal session ACL as per simple example
acl session_is_active external session_active_def

# ACL to match URL
acl clicked_login_url url_regex -i a-url-that-must-match$

# First check for the login URL. If present, login session
http_access allow clicked_login_url session_login

# If we get here, URL not present, so renew session or deny request.
http_access deny !session_is_active

# Deny page to display
deny_info 511:/etc/squid/splash.html session_is_active



Transparent proxy Setup


I don't know whether it is an official term or not, but the system known as a transparent proxy is very interesting. Use it if you don't want to annoy your clients with proxy updates such as a port change or a server address change. In this configuration the user goes through the proxy without any client configuration (this is not about an auto-proxy file or the auto-proxy protocol). Auto-proxy gives the same result, but in that case you also have to configure the DNS.

The main trick used here is packet redirection: all HTTP packets arriving at the router are redirected to the proxy port on the server.

Redirect all HTTP traffic (editing the router's iptables)
If you would like to redirect all HTTP traffic through the proxy without having to set up the proxy manually in all your applications, you will need to add these rules:

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Where eth1 and eth0 are the LAN and WAN devices, and 192.168.0.1 is the IP address of your LAN device.

I guess this is enough for geeks; the rest is easy, but this will block all other ports such as FTP, SMTP and POP, so you have to configure those ports as well.




Tuesday, July 3, 2012

Sharing and Controlling without Squid

There is a lot more to learn about the HTTP proxy Squid: how to add user authentication against a Windows server using NCSA, how to control bandwidth, and other ACL properties.

You can also use a proxy PAC (proxy.pac) file, or fully automatic client configuration with the auto-proxy protocol, which is linked to the DNS server.

Anyway, now I want to do it without a proxy server; I will use just a firewall with authentication.


There is authentication based on MAC address, but I want it to be browser based, what they call a "Captive Portal"; the service is called "Network Access Control (NAC)".


These are generally used in hotspots where you can connect without any security key, and as soon as you type and enter a web address it redirects you to a welcome page with a login GUI.


OK, this is what I want, and it should be installed on a Windows system.

I have listed here some open source captive portal software and network access control (NAC) systems.
1. ChilliSpot – http://www.chillispot.info
2. Wifidog – http://dev.wifidog.org
3. PacketFence – http://www.packetfence.org
4. HotSpotPA – http://www.hotspotpa.com
5. NoCat – http://nocat.net
6. CoovaChilli – http://coova.org
7. Untangle – http://www.untangle.com
8. pfSense – http://www.pfsense.org
9. PepperSpot – http://pepperspot.sourceforge.net
10. Zeroshell – http://www.zeroshell.net/eng/
11. m0n0wall – http://m0n0.ch
12. Kattive – http://www.kattive.it
13. EasyHotSpot – http://easyhotspot.inov.asia/
14. WilmaGate – http://intelligent-optimization.org/wilmagate.html
15. Air Marshal, software based, for the Linux platform (commercial)
16. Amazingports, Linux based software with integrated billing and payment implementing service-oriented provisioning, free and commercial
17. ChilliSpot, open source Linux daemon [abandoned]
18. CoovaChilli, open source Linux daemon based on ChilliSpot
19. LogiSense, Billing & OSS / Network Access Control (commercial)
20. m0n0wall, FreeBSD based firewall distribution
21. PacketFence, Linux based Network Access Control software featuring a captive portal (open source)
22. pfSense, FreeBSD based firewall software derived from m0n0wall
23. Untangle Captive Portal, firewall featuring a captive portal (Linux based, free basic functionality, commercial directory integration)
24. WiFiDog Captive Portal Suite, small C based kernel solution (embeddable)
25. WilmaGate, C++ based and executable both in Linux and Windows/Cygwin environments
26. Zeroshell, Linux based network services distribution
27. Zentyal

Of all of the above, Zeroshell is preferable; otherwise use Zentyal.