Linux in a Windows Workstation Environment, Part I

Even if the users still want to use Windows on the desktop, you can put Linux behind the scenes.

This series of articles covers the development of a Linux-based server that supports a number of workstations running MS Windows in the computer laboratory of a 55+ RV Resort in Mesa, Arizona. The age-old stereotype of senior citizens playing shuffleboard by day and bingo by night is outdated, if it ever was true. Such activities have their role; however, our residents are equally as likely to be in the computer room, sending and receiving e-mail or browsing the Web to research their latest financial, medical or recreational question. Our facility protects the local machines from inexperienced and/or inept users, but it also offers sophisticated services for the users who need them.

Background

Prior to beginning this project, I had experience using a wide variety of computer systems; however, my UNIX and Linux experience was minimal. My computer background began in 1963 as a Fortran programmer on mainframes in support of my own scientific research. In the early 1970s, I was part of a small team that developed real-time software and hardware for interfacing PDP-11s to scientific instruments. In 1981, I became system manager for a VAX-11/780 and ran various systems. In this position, I gained some experience with UNIX and Linux systems until my retirement in mid-1999. At that time, I became a full-time RV resident, dedicated to the avoidance of cold weather.

In November 1999, we arrived in Mesa, Arizona, and occupied a site in the Mesa Regal RV Resort, which is a 55+ community. Given my long-time involvement with computers, I naturally joined the computer club. It had been established six or seven years earlier, when one of the residents transported his personal computer to a classroom once a week to teach the residents how to use such a machine. The next step was for him and his students to conduct fund-raising and purchase a single PC for teaching purposes.

By the time of my arrival in Mesa, the computer club had expanded from that humble beginning to a dedicated computer room, populated with 8 Windows-based PCs. These machines shared a DSL broadband Internet connection with routing and network address translation services provided by WinGate software running on one of the PCs. This configuration was proposed and implemented by a consultant, as the computer club had no internal expertise in networking.

During my first season in Mesa, the club facilities expanded to 12 computers. The following summer (2000), the RV resort was sold to Cal-Am Properties, Inc., which has a commitment to providing computer access to the residents of its properties. The company's initial contribution was to add ten new workstations and replace the two oldest computers. At this point, however, we ran into a problem: our WinGate license would support only 5 concurrent Internet sessions, which was not nearly enough for 22 workstations. Because I had more networking experience than did the others, I was asked to propose solutions to this problem. I rejected the first option of purchasing additional licenses for the WinGate software, as this would have been relatively expensive. In addition, my real-time background and experiences with Windows made me highly distrustful of using Windows 98 in a mission-critical role.

The second option was to convert one of the recently retired machines, which did not have sufficient resources to run Windows 98, into a router. I learned that Linux could operate nicely on minimal hardware, so I began developing a router on a 133MHz Pentium with 16MB of RAM, a 1.4GB hard drive and two Ethernet interfaces. The resulting system was built from a SuSE 6.4 distribution, employing a 2.2.x kernel. The firewall and network address translation (IP masquerading) functions were provided by the ipchains facility, which judges each packet on its own without remembering which connection it belongs to. Not only was this system built from surplus equipment at no cost for hardware, it clearly could handle all the workstations. It also added firewall functionality. The only "cost" was development time. This system went into service in November 2000 and served us well for more than one year.

In January 2002, the router memory was upgraded from 16MB to 32MB, the kernel was upgraded to the 2.4.x series, and the firewall was rewritten using iptables, whose connection-tracking module records the state of every connection passing through the router. Not only could we block external connection attempts by TCP or UDP port, as before, we also could restrict inbound traffic to packets belonging to connections that a workstation had itself initiated (the ESTABLISHED and RELATED states in iptables terms). A packet arriving from the Internet that matches no tracked connection is simply dropped, something the stateless ipchains rules could not express.
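The script below is an added example of the kind of stateful NAT ruleset the previous two paragraphs describe; it is not the club's own firewall script, which the article does not reproduce. Its assumptions are labelled in the comments: eth0 faces the DSL modem, eth1 faces the workstation LAN, the LAN uses 192.168.1.0/24, and the only services the router itself offers (to the LAN side) are ssh and DNS. Setting IPTABLES=echo, or running the script with no argument, prints the rules instead of loading them, so the ruleset can be reviewed before it goes live; the check function catches the -i/-o mix-up in OUTPUT rules that comes up in the comment thread below.

```shell
#!/bin/sh
# Stateful NAT/firewall ruleset for a two-interface Linux router.
# Added example; not the club's own script (the article does not reproduce it).
# Assumptions: eth0 faces the DSL modem, eth1 faces the workstation LAN, the
# LAN uses 192.168.1.0/24, and the router offers only ssh and DNS to the LAN.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo to print instead of apply
EXT_IF="${EXT_IF:-eth0}"                 # Internet side (assumed)
LAN_IF="${LAN_IF:-eth1}"                 # workstation side (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # private LAN range (assumed)

firewall_rules() {
    # Start clean, deny by default on every chain
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Loopback: -i selects the inbound interface (INPUT), -o the outbound one (OUTPUT)
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: nothing arriving from the Internet may claim a LAN source address
    $IPTABLES -A INPUT   -i "$EXT_IF" -s "$LAN_NET" -j DROP
    $IPTABLES -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # Stateful core: inbound packets are accepted only if connection tracking
    # already knows the connection (a reply) or relates them to one (e.g. FTP data)
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections may originate from the router itself or from the LAN
    $IPTABLES -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Services the router exposes, LAN side only (assumed set: ssh, DNS)
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Echo requests, rate limited. The limit match is ONE token bucket shared by
    # every sender; for a per-source budget use hashlimit instead, e.g.
    #   -m hashlimit --hashlimit-name ping --hashlimit-mode srcip --hashlimit-upto 1/second
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

    # Log (rate limited) whatever falls through to the INPUT policy
    $IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "

    # Masquerade LAN sources behind the (dynamic) DSL address
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# Routing between the two interfaces is off until this sysctl is set
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Print the ruleset instead of loading it, for review before it goes live
dry_run() {
    ( IPTABLES=echo; firewall_rules )
}

# Guard against the -i/-o mix-up: returns non-zero if any OUTPUT rule
# names an input interface, which iptables would reject at load time
check_rules() {
    if dry_run | grep -q -- '-A OUTPUT .*-i '; then
        return 1
    fi
    return 0
}

case "${1:-}" in
    apply) check_rules && enable_forwarding && firewall_rules ;;
    check) check_rules ;;
    *)     dry_run ;;
esac
```

Run it as `sh firewall.sh` to print the ruleset, `sh firewall.sh check` to validate it, and `sh firewall.sh apply` (as root) to load it. Because the default policies are DROP and the ESTABLISHED,RELATED rules sit near the top, a mistake further down can only deny traffic, never admit it; that ordering is the property worth preserving when the ruleset grows.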

In late 2002, a computer with a 400MHz processor, 64MB of RAM and a 6GB hard drive became available. The router system was transferred to this machine, and the previous unit became a cold spare. It never was called on, though, as the newer unit also was stable. It ran until June 2004, with reboots needed only for kernel upgrades and long power failures that exhausted the battery backup unit. At one time, the router had run in excess of one year between reboots.

Comments

Correction for OUTPUT chain of lo and eth0

Posted by Reinhard

This is a very nice article and it helped me to setup a personal firewall.
I have 1 correction: the rules for OUTPUT chain for lo and eth0 seem to have a typo. You wrote:

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -i eth0 -j ACCEPT

But iptables (v1.3.3 on Debian sarge i386) complains that -i can't be used with OUTPUT. The correct rules should read as:

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

Reinhard

the firewall rule listed in

Posted by marc

the firewall rule listed in the article:

$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

can be deceptive.

imagine if you are trying to debug your network and you use PING to do it.... and there is one other person trying to do the same:

one person = 0% packet loss (everything looks fine here)
two persons = 50% packet loss (1 packet per second max, remember?)
three persons = 66% packet loss, etc..

just an FYI in case you're debugging a network using ping from multiple locations.

Linux Routers and WinXP Sp2

Posted by Anonymous

I Enjoyed your article very much. I really don't have a comment but a question.

We have a LAN with 5 XP SP2 systems running as workstations. All of them access the Internet through a Linux router without any problems. But, on 1 workstation, every request to a link that redirects from the http to https protocol fails with the browser displaying "page cannot be displayed". Using one of our test applications that also implements the redirect from http to https, we have discovered that the error is 10061 (http error 12029), connection refused. In our CSP trace, we can see that the handshake actually occurs, but it appears that the session key is never transmitted to the web server. We have used tracert and telnet in a DOS box and with them, we can access the secure site. At that level the connections appear to work. What do you think could be our problem?

I would greatly appreciate any advice you could give.

Thanks in advance

I have question about what looks like initials in your article

Posted by ChiJoan

Hi,

I enjoyed your article and wonder when part 2 will arrive. But I am confused by the: N.B. /proc... What do the initials "N.B." stand for? I likewise am trying to enter the I.T. field, but I'm already in my 50's and took my Unix and Linux classes where we had no Linux server to really work on. To do a server for myself I have to learn how to do it from behind my DSL router. I likewise did volunteer work rebuilding and recycling computers for the disabled for over 160 hours here in Reno. I also help my local community college with donated PCs in their Re-Entry program, of which I am a client as well.

Your article gives me hope for my future, thanks.

Joan Leach

Meaning of N.B.

Posted by Larry

Sorry for any confusion. N.B. or NB is an abbreviation for the Latin 'nota bene', and is used to direct attention to the referenced item.

Parts 2 and 3 of my series have been published. The URLs are as follows:
http://www.linuxjournal.com/article/8121
http://www.linuxjournal.com/article/8126

Thanks for your interest.

Larry

let's put the "X" in windows

Posted by bobby

Larry, Tom, Thanks. You guys spur me on. As for the "I don't know how to use Linux" line, I hear it all the time. Then they look over my shoulder & respond to my "recognize this?" query with "Yup, that's windozes!". I go "well, yea, but X-windows! and it does everything you're used to". I know that Ice will let me put any icon I want on the quick launch bar (my brother uses Nautilus as his desktop manager with Ice and has the best of all worlds!) so I imagine one could create an 'e' icon for mozilla!

Happy 'Putin
bobby

Mandrake 10.1 - MC is your friend!

Don't worry about existing users - migrate new ones

Posted by Dave

Great article!

When it comes to migrating some users to Linux, I would not worry about it. Yes, there are some people that even changing the background color will disturb. They are not your target audience for Linux.

You want to get a handful of Linux desktops going, and train your new users on them. They should not have any problem with it if it's what they're taught from the start.

FWIW - I've got my old Italian in-laws using Debian Linux as their primary desktop. When they received their PC from my brother-in-law it had Windows ME on it. I said "No way are you getting on broadband with that" and rebuilt it using Debian.

They love the fact that they can exchange documents with anyone, not have to worry about spyware & viruses, have a ton of games for the grand kids, and all the other benefits of Linux at a cost to them of $0.00.

It's really hard to beat free, and with most retired folks on a limited budget I can see that it could really help provide them the tools they need at a price (nothing!) that they can afford.

Regards,
- Dave

Good work. Have you tried K12LTSP.org stuff?

Posted by Anonymous

The work you are doing is very interesting. You might want to take a close look at what is happening at K12LTSP.org. One of the problems with shared computers is that the use by previous users means that problems can exist. I don't ever feel good using a computer online that someone else uses as well.

For limited use purposes you can also look into the use of LTSP for creating an Internet machine kiosk. Some students at a university created a way where they could put the Linux Internet kiosk out on campus (all over the place)... and users could use the Internet (limited apps were available) and after their use the machine(s) X-Terminal session would reset and the next user would have a clean session to use. There were never any ghosts left from any previous session to worry about. It's been working for a few years. You can find it on the LTSP.org site, or you can look on the Internet for some information about how to do this!

You can also use all those Windows machines in a cluster (even while running the Windows applications)! IBM had a document about this recently.

Links:
http://www.ltsp.org
http://www.k12ltsp.org
http://www.law.uvic.ca/rmccue/cali2003/ltsp_presentation/
http://www-106.ibm.com/developerworks/linux/library/l-colinux/
http://www.disklessworkstations.com

Hi Larry, I'm really encoura

Posted by WL

Hi Larry,
It's really encouraging to read of someone still passionate about computers and the Linux system at your age. I kinda sometimes worry about age discrimination when it comes to IT... I'm 30 and changing industry, trying to break into IT, because I love databases and application logic. I think that the discrimination is hard for people who are in their 40s, especially in IT. I'd love to hear your views on this. Thanks!

WL

LOL -- 46 and going strong

Posted by Larry T

Back in the day, George Orwell's 1984 had people thinking about going into computers just to stay king of their castle once computers started moving into the homes. At least that's how I thought when I switched from Elec Engineering to Accounting and finally stuck with Business Data Processing for my associates. As a bass player, it allowed me to pick a career where I could still be creative and make people happy. (Still playing bass, too). A B.S. and an M.S.CS came later. With over 26 years of UNIX, VM/CMS, VMS, SQL, DOS, UNIX, X10, X11, UIL, MOTIF, WFW and everything that's right about the Internet on Linux, UNIX, Windows, whatever since then -- it's been a blast. "Discover missions" in the virtual universe that started as the arpanet was a standard assignment -- that was 15 years before the big 'www' and altavista. I researched what people in the think tanks were saying and later at a government contractor was able to let them know how to aim proposals because of how obvious it was (okay, maybe just to me) who was reviewing the responses and knowing from reading their work what they would respond to. Of course, the solution had to make sense to us system integrators or no dice.

If you want to ask if anyone discriminates -- ask Maddog AKA Jon Hall. We met in 1987 and made UNIX happen at Digital (DEC) and LINUX later with Linus (sent him an Alpha system and that's why the Alpha kernel was born in Linux).

Stay at the emerging edge of technology and there is never a need to worry. While there are many that say you can only be an expert at one thing, reply to that by thinking that's only for 'starters'.

The top people are always in demand. The more you publish, etc. helps get some recognition. Staying involved in the speaker circuit and conferences keeps your name available.

Wow, discrimination. The only problem people have is 'intimidation'. At least if someone talks with someone with a Ph.D. in Physics, they know it might be over their head but they feel the difference in knowledge doesn't really affect them -- it's not personal. When someone is exasperated because their home PC is slow or their business is still using DOS and Novell, some folks are intimidated by those that easily cross between Internet, security, home use best practices, business policies for compliance, data warehousing, latest free-format web-based forums, etc.

Get real experience and you'll never know discrimination.

Best advice -- network yourself in organizations, volunteer frequently to help non-profits, charities, alumni groups, etc. Always give back and you won't worry about discrimination.

All the best,
Larry T

WL, The subject of your comm

Posted by Larry

WL,
The subject of your comment was not one I was expecting. I worked in academia and effectively had tenure. Such jobs are very difficult to get, but you have them for life. This background hasn't given me much insight into age discrimination issues. Regarding your career change, I hope you have the formal background to support this move. In my former life in science, it was understood that your interests would, and should, deviate from the fields of training; however, a solid background in physics or chemistry and mathematics was essential. Similar rules apply here.

Larry

Age Discrimination...

Posted by Lou

Hi:

Wait until you're 37 and Puerto Rican, then we'll talk :) (Yes, I'm 37 and Puerto Rican, born on the island. 1.8% of the technical staff in my company is Hispanic.)

Regretfully our industry is fed by the fact that younger, cheaper coders are out there willing to work long hours and drink Jolt cola in the process, and the fact that many older programmers do not want to move from one technology to another (i.e. the forcibly adjusted COBOL programmer). What you'll see in the field is that the older you get, the less technical work you do. You are usually moved to training, project management, program management or regular management. Therefore, I think it is important to start getting those skills early in your career in addition to keeping yourself fresh in technologies of your interest that are in demand. I also believe that if for some reason you've gotten stale, a good idea is to join an open source project with the technologies you want to polish.

My 2 cents...

Lou

Our users love it

Posted by Anonymous

We've been selling Linux Server Business Apps for a while now and our customers are happy to reap the rewards of Linux and mix their client / desktops with Windows. This makes sense for a lot of people because they don't instantly have to worry about rolling out a new way of doing things across the whole company just because the business engines change.. what d'all think? Have a look here www.cgram.com. Best, Paul.

Linux Desktop

Posted by tcurl

I've run into the objection you mention, "Our users could never figure out . . . if a single icon is missing, etc." I've heard that from managers responsible for implementing desktops.

Basically those sentiments are nonsense.

I am 67 years old. I've spent the last year implementing an LTSP based system in Public Libraries for the, mostly, non-computer literate patrons to use. The apps of choice are Mozilla and Open Office. In one library recently, we moved out the Win'98 computers one day and had LTSP Thin Clients in place the next.

The following day the manager called me and said "I can't believe it! The patrons don't seem to know there's a difference. They sit down, use the system, and go about their business as if there were no changes at all."

Don't underrate your user community Larry, they may be more adept than you think.

Of course working with 55+ folks in AZ may be entirely different. Grin - Grin.

Tom
tcurl@enertex.com

RE: Linux Desktop

Posted by Larry

Tom,
I congratulate you on your volunteer efforts for the libraries. I hope your management appreciates you.

I know that 95% of my users would take to a Linux desktop with little or no difficulty; however, I do have 1-2% that find double clicking to be an impossible task. If the "little blue e" is not located in the quick-launch area of the task bar, they are unable to reach the Internet. Fortunately, the death grip doesn't kill mice. For some, it is due to the ravages of arthritis - for others it is fear of computers, despite all our reassurances.

As to the quality of AZ seniors, ours are as good as any others ;-). Two years ago, I taught a class on Linux. A major portion involved installing SuSE 8.1 on a spare hard drive on the instructor's computer. Each student also received a copy of the distribution. One of the students, who was continually messing up his Windows system, called and said that he was having a problem with Linux. I expected a trivial question. What was truly amazing was that his problem involved the last step in burning a CD, and that it took a lot of research on my part to answer the question. He took to Linux with no problems.

Larry
