Firewall

  • Use iptables. Configure it using the sample below.

    # Generated by iptables-save v1.2.8 on Fri Feb 3 06:20:08 2006
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed on Fri Feb 3 06:20:08 2006
    # Generated by iptables-save v1.2.8 on Fri Feb 3 06:20:08 2006
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :FWALL-INPUT - [0:0]
    -A INPUT -j FWALL-INPUT

    # HTTP access
    -A FWALL-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # Tomcat access
    -A FWALL-INPUT -p tcp -m tcp --dport 8081 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # incoming SSH
    -A FWALL-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    # incoming FTP
    -A FWALL-INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    # incoming SMTP
    -A FWALL-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    # DNS
    -A FWALL-INPUT -p tcp -m tcp --dport 53 -j ACCEPT --syn
    -A FWALL-INPUT -p udp -m udp --dport 53 -j ACCEPT
    # Note: the next rule accepts any UDP packet whose source port is 53, not only
    # replies to our own queries; a stateful match (-m state --state ESTABLISHED)
    # is the usual replacement.
    -A FWALL-INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
    # incoming cvs
    #-A FWALL-INPUT -p tcp -m tcp --dport 2401 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # MySQL
    #-A FWALL-INPUT -p udp -m udp --dport 3306 -j ACCEPT
    #-A FWALL-INPUT -p tcp -m tcp --dport 3306 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # VZPP
    #-A FWALL-INPUT -p tcp -m tcp --dport 4643 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # CPanel
    #-A FWALL-INPUT -p tcp -m tcp --dport 2086 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # WHM
    #-A FWALL-INPUT -p tcp -m tcp --dport 2082 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # Webmin
    #-A FWALL-INPUT -p tcp -m tcp --dport 10101 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # localhost
    -A FWALL-INPUT -i lo -j ACCEPT
    # i don't know
    # Note: these two rules match every new TCP connection and every UDP packet
    # that reached this point, so the syn-flooding and catch-all rules below
    # them are never evaluated.
    -A FWALL-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
    -A FWALL-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
    # syn flooding protection
    -A FWALL-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
    # Drop all other new requests not meeting any existing rule requirements applied to traffic
    -A FWALL-INPUT -p tcp -m tcp -j REJECT --syn
    -A FWALL-INPUT -p udp -m udp -j REJECT
    COMMIT
    # Completed on Fri Feb 3 06:20:09 2006
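Rule order decides what a chain actually does: a terminating rule that matches a superset of a later rule's packets makes that later rule dead. The following is an added example (not part of these notes) that parses iptables-save lines and reports such shadowed rules; it is run over a constructed excerpt of the FWALL-INPUT chain above and assumes no `!` negation in the rules.

```python
import shlex
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# Constructed excerpt of the FWALL-INPUT chain from the ruleset above.
RULESET = """\
-A FWALL-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FWALL-INPUT -i lo -j ACCEPT
-A FWALL-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FWALL-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A FWALL-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
-A FWALL-INPUT -p tcp -m tcp -j REJECT --syn
-A FWALL-INPUT -p udp -m udp -j REJECT
"""

def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, proto, target, selectors), where
    selectors are the match criteria beyond -p. Assumes no '!' negation."""
    tok = shlex.split(line)
    chain, proto, target, sel, i = tok[1], None, None, set(), 2
    while i < len(tok):
        opt = tok[i]
        if opt == "-p":
            proto, i = tok[i + 1], i + 2
        elif opt == "-j":
            target, i = tok[i + 1], i + 2
        elif opt in ("-m", "--reject-with"):  # module name / target option: no restriction
            i += 2
        elif opt == "--syn":  # same packets as --tcp-flags SYN,RST,ACK SYN
            sel.add("syn"); i += 1
        elif opt == "--tcp-flags":
            sel.add("syn" if tok[i + 1:i + 3] == ["SYN,RST,ACK", "SYN"] else tuple(tok[i:i + 3]))
            i += 3
        elif opt in ("-s", "-d") and tok[i + 1] in ("0/0", "0.0.0.0/0"):
            i += 2  # any-address is not a restriction either
        else:  # --dport, --sport, -s, -d, -i, -o, --limit: one option, one value
            sel.add((opt, tok[i + 1])); i += 2
    return chain, proto, target, sel

def shadowed_rules(ruleset):
    """Return (dead_rule, earlier_rule) pairs: a rule is dead when an earlier
    terminating rule in its chain matches a superset of its packets."""
    seen, found = {}, []
    for line in ruleset.splitlines():
        if line.startswith("-A "):
            chain, proto, target, sel = parse_rule(line)
            for prev, p_proto, p_target, p_sel in seen.get(chain, []):
                if p_target in TERMINATING and p_proto in (None, proto) and p_sel <= sel:
                    found.append((line, prev))
                    break
            seen.setdefault(chain, []).append((line, proto, target, sel))
    return found
```

Run against the excerpt, it reports the syn-flooding rule and both final REJECT rules as dead, shadowed by the two "i don't know" rules.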

Miscellaneous

  • VIM
    • Install vim via yum.
    • Enable syntax highlighting with :syntax on

CVS

  • Install CVS via yum.
  • Set up the listening port.
  • Make sure the following lines exist in /etc/services

    cvspserver 2401/tcp

  • Create file named cvspserver under /etc/xinetd.d with the following contents:

      service cvspserver
      {
      socket_type = stream
      protocol = tcp
      wait = no
      user = root
      server = /usr/bin/cvs
      server_args = --allow-root=/home/cvs pserver
      }

    • Make sure allow-root points at the correct CVS root directory.
    • Initialize the repository.
    • cvs -d :local:/home/cvs init

    • Check if directory has appropriate permissions.

      chmod -R 775 /home/cvs
      chmod -R g+ws /home/cvs

    • Restart the xinetd service.

      /etc/init.d/xinetd restart

  • Test the CVS connection.

Java (Reference: http://www.mksearch.mkdoc.org/howto/jpackage-sun-fc3/)

  • To add the JPackage repository (prebuilt for RHEL4) to CentOS:

    cd /etc/yum.repos.d/
    wget http://www.jpackage.org/jpackage.repo
    vi jpackage.repo

  • Enable the RHEL-specific repository. Keep the others enabled as well.

    [jpackage-rhel]
    name=JPackage (free) for Red Hat Enterprise Linux $releasever
    mirrorlist=http://www.jpackage.org/jpackage_rhel-$releasever.txt
    failovermethod=priority
    gpgcheck=1
    gpgkey=http://www.jpackage.org/jpackage.asc
    enabled=1

  • These packages are signed with a GPG key, so you will need to import the key
    (as root).

    rpm --import http://www.jpackage.org/jpackage.asc

  • Build non-free java packages. (http://www.jpackage.org/rebuilding.php)
    • First, you need a build tree in your home directory. This build tree should have the following structure:

      rpm
      |-- BUILD
      |-- RPMS
      |   |-- i386
      |   |-- i586
      |   `-- noarch
      |-- SOURCES
      |-- SPECS
      |-- SRPMS
      `-- tmp

    • Now you need to do some rpm configuration. A simple ~/.rpmmacros with the following contents should be enough:

      %_topdir %(echo ${HOME}/rpm)
      %_tmppath %{_topdir}/tmp

      %packager Allan Tan

      # Uncomment to have built RPMs land in RPMS/ instead of RPMS/<arch>/
      #%_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm

    • Upload the following files and copy to ~/rpm/SOURCES:

      jta-1_0_1B-classes.zip
      jta-1_0_1B-doc.zip
      jdk-1_5_0_06-linux-i586.bin

    • Download, verify and install the java-1.5.0-sun package from JPackage; again, ignore the warnings about users not existing.

      $ wget http://mirrors.sunsite.dk/jpackage/1.6/generic/non-free/SRPMS/java-1.5.0-sun-1.5.0.06-1jpp.nosrc.rpm
      $ rpm -K java-1.5.0-sun-1.5.0.06-1jpp.nosrc.rpm
      $ rpm -Uvh java-1.5.0-sun-1.5.0.06-1jpp.nosrc.rpm

    • Next try building the package to see what is needed from the Sun site.

      $ cd ~/rpm/SPECS/
      $ rpmbuild -ba java-1.5.0-sun.spec

    • Now you should be ready to install the java-1.5.0-sun-devel-1.5.0.06-1jpp.i586.rpm package that JTA depends on, and any dependencies.

      $ rpm -Uvh ~/rpm/RPMS/i586/java-1.5.0-sun-1.5.0.06-1jpp.i586.rpm
      $ rpm -Uvh ~/rpm/RPMS/i586/java-1.5.0-sun-devel-1.5.0.06-1jpp.i586.rpm

    • If the build fails with an error about libXp.so.6, install xorg-x11-deprecated-libs.i386 via yum.
    • Now go back to the jta build instructions above and try again; this time there should not be any errors.

      $ cd ~/rpm/SPECS/
      $ rpmbuild -ba jta.spec

    • Now install jta.

      $ rpm -Uvh ~/rpm/RPMS/noarch/jta-1.0.1-0.b.4jpp.noarch.rpm