Linux in a Windows Workstation Environment, Part I

Even if the users still want to use Windows on the desktop, you can put Linux behind the scenes.

Current Configuration

In the summer of 2004, the resort owners expanded and refurbished the computer room, replacing all the old computer equipment with 39 new Windows XP workstations connected to the Internet by way of a T-1 line. This was a perfect opportunity to upgrade the server using the fastest of our old computers, an AMD Athlon 1800+. It had 256MB of RAM, two disk drives with a storage total of 10GB and two network interfaces. The SuSE 9.1 distribution, which has a 2.6.x kernel, was the basis for the new system. The two hard drives were partitioned using the following scheme:

  • Swap partitions, the equivalent of the swap file on Windows systems, were placed on each drive, with 2.0 GB on /dev/hda--the master drive on the primary IDE system, C: in Windows terminology--and 0.5 GB on /dev/hdb, the slave drive. Splitting the swap space between drives improves the system response; however, this system swaps infrequently and it probably doesn't matter.

  • The remainder of /dev/hda, 7.8 GB, was formatted as a Reiser filesystem mounted as /, the root of the filesystem.

  • The remainder of /dev/hdb, 4.0 GB, was formatted as a Reiser filesystem mounted on /home, which is the location characteristically dedicated to user file storage.

One of the advantages of Linux is that it supports several distinct filesystems, and the user can choose among them. I selected the Reiser filesystem for its journaling capability, which avoids long recovery times in case of system crashes or power failures. It also is more efficient than the Linux-default ext2 filesystem when there are large numbers of small files. Linux also presents multiple disk drives as what appears to be a single monolithic filesystem. Even remote filesystems, mounted across a network, are referenced using a path with exactly the same form as local files.

Our current Windows environment consists of 38 user stations, each with a 2.4GHz Celeron processor, 256MB of RAM and a 40GB hard drive. The single instructor's machine has a 3.0GHz P4 processor, 512MB of RAM and an 80GB hard drive. All of the machines have Windows XP Pro, DVD ROM - CD/RW optical drives and 17" flat-screen LCD monitors. Other equipment includes an XGA projector, an HP2300N b/w laser printer, an HP4650N color laser printer and two scanners. We also have several free RJ-45 ports so users can connect to the Internet using personal notebook computers. In addition, free Wi-Fi access is being provided throughout the park. Figure 1 shows a view of part of our computer facility.

Every resident of the RV park is eligible to use the computers; however, during the winter season (Nov. 1 - March 31), only members of the club can use either printer or take classes. During the remainder of the year, access to the color printer is blocked, but the b/w printer is available. In season, the computers are available from 7AM to 9PM, seven days a week, with roughly 25,000 individual user sessions per season. This season, all 38 machines frequently are busy and more users are waiting. Club rules prevent an individual user from installing new programs, storing files on any of the computers or changing any settings. A software program that restores each machine in the middle of each night enforces these rules.

Now that I have become more familiar with Linux, I would like to offer one or more systems with a Linux desktop; however, I don't think our user base would support this. In fact, many of our users operate the computer by rote and are lost if even a desktop icon is missing.

Firewall

The most important functions of the Linux box in the current setup are to act as the gateway for the Windows workstations, perform network address translation for them and protect the network from outside intrusion. These tasks are accomplished by using a boot-time script that utilizes the iptables facility of Linux. The first step is to make certain the necessary kernel modules are loaded. These probably would be autoloaded; however, these instructions generate an error if any of these modules are missing.


modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

The next step is to turn off packet forwarding and turn on route verification on all interfaces to prevent IP spoofing. This syntax is appropriate for the bash shell. N.B. /proc is a pseudo filesystem containing information that describes and controls drivers and processes.


echo 0 > /proc/sys/net/ipv4/ip_forward
for i in /proc/sys/net/ipv4/conf/*/rp_filter 
do
  echo 1 > $i
done

The next set of commands defines the symbol IPTABLES as the absolute path of the iptables binary, deletes all existing rules and removes all user-defined chains.


IPTABLES="/usr/local/sbin/iptables"
$IPTABLES -F                            # delete all the rules
$IPTABLES -X                            # delete all user-defined chains

We now set the policies for the standard chains. Incoming packets are dropped unless we have a rule that accepts them; whereas outgoing and forwarded packets are accepted unless a rule drops them.


$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

We now establish network address translation (NAT). This rule source-NATs everything leaving the eth1 (external) interface to that interface's current IP address. MASQUERADE is the correct form when the external address is dynamic.


$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

We now create three logging chains and a silent chain to drop packets that will be identified by rules entered later. Packets are dropped rather than rejected to hide our existence from a potential intruder. To help prevent any denial-of-service attack from succeeding, the maximum rate at which log entries are generated is limited. The backslash (\) character is used to continue a command onto a new line.


$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG \
      --log-prefix "*** Firewall:"
$IPTABLES -A firewall -j DROP
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG \
      --log-prefix "*** Dropwall:"
$IPTABLES -A dropwall -j DROP
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG \
      --log-prefix "*** Badflags:"
$IPTABLES -A badflags -j DROP
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
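
The three logging chains above only pay off if someone reads what they write. As an added example that is not part of the article, the following shell/awk functions summarise those log entries by chain, by source address, and by the destination ports one source has hit. The LOG target writes the --log-prefix immediately followed by IN=..., so with the article's prefixes a line looks like "*** Dropwall:IN=eth1 ...". SAMPLE_LOG is constructed for this example; its addresses are RFC 5737 documentation ranges and the host name and user are made up.

```shell
#!/bin/sh
# Added example, not from the article: report on entries written by the
# firewall, dropwall and badflags chains. Constructed sample log lines follow
# the kernel LOG format; in practice pipe the file your syslog writes kernel
# messages to (commonly /var/log/messages) into these functions instead.

SAMPLE_LOG='Jan 12 03:14:07 mrcc kernel: *** Dropwall:IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=2049 DPT=445 SYN
Jan 12 03:14:08 mrcc kernel: *** Dropwall:IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=2050 DPT=139 SYN
Jan 12 03:14:09 mrcc kernel: *** Badflags:IN=eth1 OUT= SRC=192.0.2.33 DST=198.51.100.9 LEN=40 PROTO=TCP SPT=31337 DPT=80 SYN FIN
Jan 12 03:14:10 mrcc kernel: *** Firewall:IN=eth1 OUT= SRC=192.0.2.33 DST=198.51.100.9 LEN=84 PROTO=ICMP TYPE=13 CODE=0
Jan 12 03:14:11 mrcc kernel: *** Dropwall:IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=2051 DPT=135 SYN
Jan 12 03:14:12 mrcc sshd[412]: Accepted publickey for admin from 10.10.4.2 port 50122 ssh2'

# chain_counts: "CHAIN COUNT" per logging chain, sorted by chain name.
# Non-firewall lines (the sshd line above) are ignored.
chain_counts() {
    awk '
        match($0, /\*\*\* [A-Za-z]+:IN=/) {
            chain = substr($0, RSTART + 4, RLENGTH - 8)   # strip "*** " and ":IN="
            n[chain]++
        }
        END { for (c in n) printf "%s %d\n", c, n[c] }
    ' | sort
}

# top_sources: "SRC COUNT" for every logged source, busiest first.
top_sources() {
    awk '
        /\*\*\* [A-Za-z]+:IN=/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) printf "%s %d\n", s, n[s] }
    ' | sort -k2,2nr -k1,1
}

# ports_for_src IP: distinct destination ports one source was logged against,
# ascending, on a single line. Several ports from one source in a short time
# is the pattern worth a second look.
ports_for_src() {
    awk -v src="$1" '
        /\*\*\* [A-Za-z]+:IN=/ && index($0, "SRC=" src " ") {
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) print substr($i, 5)
        }
    ' | sort -n -u | paste -sd " " -
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | chain_counts
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

Because the article's chains are limited to 15 log entries per minute, the counts are a lower bound during a burst; the ordering of sources and the port list per source are still reliable enough to decide what to look at first.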

The local loopback device (127.0.0.1 or lo) and the internal Ethernet interface (eth0) are deemed to be trusted, and any packets destined for the outside are routed without further inspection. This assumption may not be appropriate for your network, depending on your users.


$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT  -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

All packets originating from our nameservers, which are external, are accepted.


$IPTABLES -A INPUT -i eth1 -s 198.6.1.4 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -s 198.6.1.5 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -s 198.6.1.195 -j ACCEPT

The next set of rules catches all malformed packets that have illegal combinations of flags and places them on the badflags chain, which logs and drops them.


$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
       -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

The next section silently drops packets that generate a lot of log entries but are not deemed harmful, including the netbios stuff that Windows machines generate.


$IPTABLES -A INPUT -i eth1 -s 167.216.187.186 -j silent
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent

Most icmp packets are dropped. Only type 8 (ping) and type 0 (ping reply) are accepted. Pings are limited to one per second.


$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit \
       --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall

Secure-shell packets coming in on eth1 are accepted only from the 10.10.0.0/16 network (10.10.x.y addresses).


$IPTABLES -A INPUT -i eth1 -s 10.10.0.0/16 -p tcp --dport 22 -j ACCEPT

Any remaining packets coming from the external interface (eth1) are dropped unless their state is ESTABLISHED or RELATED. No external computer can create a connection to any computer on the inside.


$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

The final rule is to send anything still on INPUT to the dropwall chain. That way we don't get silent drops.


$IPTABLES -A INPUT -j dropwall

The final step is to turn on packet forwarding and echo an appropriate line to the console.


echo 1 > /proc/sys/net/ipv4/ip_forward
echo "The MRCC Firewall is up and running."

The above rules have protected our network from external attacks for nearly four years now.
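
As an added example, not the article's own script, here is the rule set above assembled into shell functions so that it can be reviewed and checked before it touches a live firewall. It applies the correction that OUTPUT rules match on -o (the outgoing interface); -i is only valid on chains that see arriving packets. IPTABLES defaults to "echo", so the script prints the commands it would run and can be exercised without root or netfilter; point IPTABLES at the real binary (the article uses /usr/local/sbin/iptables) to apply the rules. The interface names, nameserver addresses and the admin network are the article's values and are assumptions for any other site; the modprobe and /proc steps are exactly as in the article and are not repeated.

```shell
#!/bin/sh
# Added example, not the article's script. Builds the article's rule set with
# the OUTPUT -o correction. IPTABLES=echo (the default) gives a dry run.

IPTABLES="${IPTABLES:-echo}"
EXT_IF="${EXT_IF:-eth1}"                   # Internet-facing interface (dynamic IP)
INT_IF="${INT_IF:-eth0}"                   # workstation LAN
NAMESERVERS="198.6.1.4 198.6.1.5 198.6.1.195"   # article's external resolvers
ADMIN_NET="${ADMIN_NET:-10.10.0.0/16}"     # only outside source allowed to reach sshd

# log_and_drop CHAIN PREFIX: a chain that logs (at most 15/minute), then drops.
log_and_drop() {
    $IPTABLES -N "$1"
    $IPTABLES -A "$1" -m limit --limit 15/minute -j LOG --log-prefix "$2"
    $IPTABLES -A "$1" -j DROP
}

build_rules() {
    $IPTABLES -F                                   # delete all filter rules
    $IPTABLES -X                                   # delete user-defined chains
    $IPTABLES -t nat -F                            # flush NAT too, so reruns do not stack MASQUERADE

    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    log_and_drop firewall "*** Firewall:"
    log_and_drop dropwall "*** Dropwall:"
    log_and_drop badflags "*** Badflags:"
    $IPTABLES -N silent
    $IPTABLES -A silent -j DROP

    # Trusted interfaces: loopback and the LAN side. OUTPUT matches on -o.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT  -i "$INT_IF" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INT_IF" -j ACCEPT

    for ns in $NAMESERVERS; do
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$ns" -j ACCEPT
    done

    # Illegal TCP flag combinations: log and drop.
    for flags in "ALL FIN,URG,PSH" "ALL ALL" "ALL SYN,RST,ACK,FIN,URG" \
                 "ALL NONE" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
        $IPTABLES -A INPUT -p tcp --tcp-flags $flags -j badflags   # unquoted on purpose: two words
    done

    # Noisy but harmless NetBIOS name-service chatter: drop without logging.
    $IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent

    # ICMP: rate-limited echo request and echo reply only; the rest is logged.
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j firewall

    $IPTABLES -A INPUT -i "$EXT_IF" -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -j dropwall                 # everything else: log, then drop
}

# dry_run: the commands build_rules would execute, one per line.
dry_run() {
    ( IPTABLES=echo; build_rules )
}

rule_count() {
    dry_run | wc -l | tr -d ' '
}

# check_rules: fail if any OUTPUT rule still uses -i, or if INPUT does not end
# with the dropwall catch-all (which would leave silent drops from the policy).
check_rules() {
    if dry_run | grep -q -- '-A OUTPUT -i'; then
        echo "error: OUTPUT rules must use -o, not -i" >&2
        return 1
    fi
    if ! dry_run | tail -n 1 | grep -q -- '-A INPUT -j dropwall'; then
        echo "error: INPUT chain has no final dropwall rule" >&2
        return 1
    fi
    return 0
}

case "${1:-}" in
    --check) check_rules && echo "rule set passed checks ($(rule_count) commands)" ;;
    *)       build_rules ;;
esac
```

Running the script with no arguments and the default IPTABLES prints the 38 commands for review; "--check" runs the two sanity tests. Flushing the nat table alongside the filter table matters because the article's -F only touches the filter table, so rerunning the original script after a change adds a second MASQUERADE rule each time.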

Comments

Correction for OUTPUT chain of lo and eth0

Reinhard's picture

This is a very nice article and it helped me to setup a personal firewall.
I have 1 correction: the rules for OUTPUT chain for lo and eth0 seem to have a typo. You wrote:

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -i eth0 -j ACCEPT

But iptables (v1.3.3 on Debian sarge i386) complains that -i can't be used with OUTPUT. The correct rules should read as:

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

Reinhard

the firewall rule listed in

marc's picture

the firewall rule listed in the article:

$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

can be deceptive.

imagine if you are trying to debug your network and you use PING to do it.... and there is one other person trying to do the same:

one person = 0% packet loss (everything looks fine here)
two persons = 50% packet loss (1 packet per second max, remember?)
three persons = 66% packet loss, etc..

just a FYI in case you're debugging a network using ping from multiple locations.

Linux Routers and WinXP Sp2

Anonymous's picture

I Enjoyed your article very much. I really don't have a comment but a question.

We have a LAN with 5 XP SP2 systems running as workstations. All of them access the Internet through a Linux router without any problems. But, on 1 workstation, every request to a link that redirects from the http to https protocol fails with the browser displaying "page cannot be displayed". Using one of our test applications that also implements the redirect from http to https, we have discovered that the error is 10061 (http error 12029), connection refused. In our CSP trace, we can see that the handshake actually occurs, but it appears that the session key is never transmitted to the web server. We have used tracert and telnet in a dos-box and with them, we can access the secure site. At that level the connections appear to work. What do you think could be our problem?

I would greatly appreciate any advice you could give.

Thanks in advance

I have question about what looks like initials in your article

ChiJoan's picture

Hi,

I enjoyed your article and wonder when part 2 will arrive. But I am confused by the: N.B. /proc... What do the initials "N.B." stand for? I likewise am trying to enter the I.T. field, but I'm already in my 50's and took my Unix and Linux classes where we had no Linux server to really work on. To do a server for myself I have to learn how to do it from behind my DSL router. I likewise did volunteer work rebuilding and recycling computers for the disabled for over 160 hours here in Reno. I also help my local community college with donated PCs in their Re-Entry program, of which I am a client as well.

Your article gives me hope for my future, thanks.

Joan Leach

Meaning of N.B.

Larry's picture

Sorry for any confusion. N.B. or NB is an abbreviation for the Latin 'nota bene', and is used to direct attention to the referenced item.

Parts 2 and 3 of my series have been published. The URLs are as follows:
http://www.linuxjournal.com/article/8121
http://www.linuxjournal.com/article/8126

Thanks for your interest.

Larry

let's put the "X" in windows

bobby's picture

Larry, Tom, Thanks. You guys spur me on. As for the "I don't know how to use Linux" line, I hear it all the time. Then they look over my shoulder & respond to my "recognize this?" query with "Yup, that's windozes!". I go "well, yea, but X-windows! and it does everything you're used to". I know that Ice will let me put any icon I want on the quick launch bar (my brother uses Nautilus as his desktop manager with Ice and has the best of all worlds!) so I imagine one could create an 'e' icon for mozilla!

Happy 'Putin
bobby

Mandrake 10.1 - MC is your friend!

Don't worry about existing users - migrate new ones

Dave's picture

Great article!

When it comes to migrating some users to Linux, I would not worry about it. Yes, there are some people that even changing the background color will disturb. They are not your target audience for Linux.

You want to get a handful of Linux desktops going, and train your new users on them. They should not have any problem with it if it's what they're taught from the start.

FWIW - I've got my old Italian in-laws using Debian Linux as their primary desktop. When they received their PC from my brother-in-law it had Windows ME on it. I said "No way are you getting on broadband with that" and rebuilt it using Debian.

They love the fact that they can exchange documents with anyone, not have to worry about spyware & viruses, have a ton of games for the grand kids, and all the other benefits of Linux at a cost to them of $0.00.

It's really hard to beat free, and with most retired folks on a limited budget I can see that it could really help provide them the tools they need at a price (nothing!) that they can afford.

Regards,
- Dave

Good work. Have you tried K12LTSP.org stuff?

Anonymous's picture

The work you are doing is very interesting. You might want to take a close look at what is happening at K12LTSP.org. One of the problems with shared computers is that the use of previous users means that problems can exist. I don't ever feel good using a computer online that someone else uses as well.

For limited use purposes you can also look into the use of LTSP for creating an internet machine kiosk. Some students at a university created a way where they could put the Linux internet kiosk out on campus (all over the place)... and users could use the internet (limited apps were available) and after their use the machine(s) X-Terminal session would reset and the next user would have a clean session to use. There were never any ghosts left from any previous session to worry about. It's been working for a few years. You can find it on the LTSP.org site, or you can look on the internet for some information about how to do this!

You can also use all those windows machines in a cluster (even while running the windows applications)! IBM had a document about this recently.

Links:
http://www.ltsp.org
http://www.k12ltsp.org
http://www.law.uvic.ca/rmccue/cali2003/ltsp_presentation/
http://www-106.ibm.com/developerworks/linux/library/l-colinux/
http://www.disklessworkstations.com

Hi Larry, I'm really encoura

WL's picture

Hi Larry,
It's really encouraging to read of someone still passionate about computers and the Linux system at your age. I kinda sometimes worry about age discrimination when it comes to IT... I'm 30 and changing industry, trying to break into IT, because I love databases and application logic. I think that the discrimination is hard for people who are in their 40s, especially in IT. I'd love to hear your views on this. Thanks!

WL

LOL -- 46 and going strong

Larry T's picture

Back in the day, George Orwell's 1984 had people thinking about going into computers just to stay king of their castle once computers started moving into the homes. At least that's how I thought when I switched from Elec Engineering to Accounting and finally stuck with Business Data Processing for my associates. As a bass player, it allowed me to pick a career where I could still be creative and make people happy. (Still playing bass, too). A B.S. and an M.S.CS came later. With over 26 years of UNIX, VM/CMS, VMS, SQL, DOS, UNIX, X10, X11, UIL, MOTIF, WFW and everything that's right about the Internet on Linux, UNIX, Windows, whatever since then -- it's been a blast. "Discover missions" in the virtual universe that started as the arpanet was standard assignment -- that was 15 years before the big 'www' and altavista. I researched what people in the think tanks were saying and later at a government contractor was able to let them know how to aim proposals because how obvious it was (okay, maybe just to me) who was reviewing the responses and knowing from reading their work what they would respond to. Of course, the solution had to make sense to us system integrators or no dice.

If you want to ask if anyone discriminates -- ask Maddog AKA Jon Hall. We met in 1987 and made UNIX happen at Digital (DEC) and LINUX later with Linus (sent him an Alpha system and that's why the Alpha kernel was born in Linux).

Stay at the emerging edge of technology and there is never a need to worry. While there are many that say you can only be an expert at one thing, replay that by thinking that only for 'starters'.

The top people are always in demand. The more you publish, etc. helps get some recognition. Staying involved in the speaker circuit and conferences keeps your name available.

Wow, discrimination. The only problem people have is 'intimidation'. At least if someone talks with someone with a Ph.D. in Physics, they know it might be over their head but they feel the difference in knowledge doesn't really affect them -- it's not personal. When someone is exasperated because their home PC is slow or their business is still using DOS and Novell, some folks are intimidated by those that easily cross between Internet, security, home use best practices, business policies for compliance, data warehousing, latest free-format web-based forums, etc.

Get real experience and you'll never know discrimination.

Best advice -- network yourself in organizations, volunteer frequently to help non-profits, charities, alumni groups, etc. Always give back and you won't worry about discrimination.

All the best,
Larry T

WL, The subject of your comm

Larry's picture

WL,
The subject of your comment was not one I was expecting. I worked in academia and effectively had tenure. Such jobs are very difficult to get, but you have them for life. This background hasn't given me much insight into age discrimination issues. Regarding your career change, I hope you have the formal background to support this move. In my former life in science, it was understood that your interests would, and should, deviate from the fields of training; however, a solid background in physics or chemistry and mathematics was essential. Similar rules apply here.

Larry

Age Discrimination...

Lou's picture

Hi:

Wait until you're 37 and Puerto Rican then we'll talk :) (Yes, I'm 37 and Puerto Rican, born on the island. 1.8% of the technical staff in my company is Hispanic.).

Regretfully our industry is fed by the fact that younger, cheaper coders are out there willing to work long hours and drink jolt cola in the process, and the fact that many older programmers do not want to move from one technology to another (i.e. the forced adjusted COBOL programmer). What you'll see in the field is that the older you get, the less technical work you do. You are usually moved to training, project management, program management or regular management. Therefore, I think it is important to start getting those skills early in your career in addition to keeping yourself fresh in technologies of your interest that are in demand. I also believe that if for some reason you've gotten stale, a good idea is to join an open source project with the technologies you want to polish.

My 2 cents...

Lou

Our users love it

Anonymous's picture

We've been selling Linux Server Business Apps for a while now and our customers are happy to reap the rewards of Linux and mix their client / desktops with windows. This makes sense for a lot of people because they don't instantly have to worry about rolling out a new way of doing across the whole company just because the business engines change.. what d'all think? Have a look here www.cgram.com. Best, Paul.

Linux Desktop

tcurl's picture

I've run into the objection you mention, "Our users could never figure out . . . if a single icon is missing, etc." I've heard that from managers responsible for implementing desktops.

Basically those sentiments are nonsense.

I am 67 years old. I've spent the last year implementing an LTSP based system in Public Libraries for the, mostly, non-computer literate patrons to use. The apps of choice are Mozilla and Open Office. In one library recently, we moved out the Win'98 computers one day and had LTSP Thin Clients in place the next.

The following day the manager called me and said "I can't believe it! The patrons don't seem to know there's a difference. They sit down, use the system, and go about their business as if there were no changes at all."

Don't underrate your user community Larry, they may be more adept than you think.

Of course working with 55+ folks in AZ may be entirely different. Grin - Grin.

Tom
tcurl@enertex.com

RE: Linux Desktop

Larry's picture

Tom,
I congratulate you on your volunteer efforts for the libraries. I hope your management appreciates you.

I know that 95% of my users would take to a Linux desktop with little or no difficulty; however, I do have 1-2% that find double clicking to be an impossible task. If the "little blue e" is not located in the quick-launch area of the task bar, they are unable to reach the Internet. Fortunately, the death grip doesn't kill mice. For some, it is due to the ravages of arthritis - for others it is fear of computers, despite all our reassurances.

As to the quality of AZ seniors, ours are as good as any others ;-). Two years ago, I taught a class on Linux. A major portion involved installing SuSE 8.1 on a spare hard drive on the instructor's computer. Each student also received a copy of the distribution. One of the students, who was continually messing up his Windows system, called and said that he was having a problem with Linux. I expected a trivial question. What was truly amazing was that his problem involved the last step in burning a CD, and that it took a lot of research on my part to answer the question. He took to Linux with no problems.

Larry
