Category Archives: Ubuntu

Try again: Unable to connect to the MTA

Yesterday, while setting up Zimbra email, after finishing the install and testing the server I got the error Try again: Unable to connect to the MTA.

After investigating late into the night I decided to sleep first because my body was worn out. After waking up in the morning I continued, and it turned out the problem was that the domain could not query the DNS server, because on the DNS server I had installed the ConfigServer firewall as an add-on application for cPanel.

The solution was to whitelist my mail server's IP in ConfigServer; after that I tried sending email and it went through fine.

How to protect Apache against DoS, DDoS or brute force attacks using mod_evasive, mod_security and mod_qos on Linux Ubuntu 11.04

In this article we will show how to install mod_evasive and mod_security or mod_qos.

These modules protect Apache against DoS, DDoS or brute force attacks on Linux Ubuntu 10.04 or other Debian-based distributions.

First, here is a description of mod_evasive and mod_security.

What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

Install Firefox 4.0 on Ubuntu Maverick

Firefox 4.0 can be installed by running the following command:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa && sudo apt-get update

Once the update has finished, continue with the command:

sudo apt-get install firefox-4.0

After that, it can be opened from Applications > Internet in GNOME, or with the command:


Setting up a Squid proxy on Linux Ubuntu 10.04.1 LTS

Prigad had the opportunity to set up internet access for a client, using Speedy as the internet connection and passing it through a gateway via a Squid proxy. Assuming eth0 carries the internet from the modem to the server and eth1 goes from the server to the clients through a switch, the setup steps are as follows.

1. Set the IP:

Set the IP in interfaces: sudo vim /etc/network/interfaces

auto eth0
iface eth0 inet static
#       post-up iptables-restore < /etc/iptables.up.rules
        # dns-* options are implemented by the resolvconf package, if installed
#       dns-nameservers

#post-up iptables-restore < /etc/iptables.up.rules

auto eth1
iface eth1 inet static

2. Install squid and configure squid: sudo apt-get install squid

# Squid normally listens to port 3128
http_port 3128 transparent

acl our_networks src
acl localnet src
http_access allow our_networks
http_access allow localnet

#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl our_networks src
acl localnet src

# http_access deny all
http_access allow our_networks
http_access allow localnet

#  TAG: access_log
#       These files log client request activities. Has a line every HTTP or
#       ICP request. The format is:
#       access_log <filepath> [<logformat name> [acl acl ...]]
#       access_log none [acl acl ...]]
#       Will log to the specified file using the specified format (which
#       must be defined in a logformat directive) those entries which match
#       ALL the acl's specified (which must be defined in acl clauses).
#       If no acl is specified, all requests will be logged to this file.
#       To disable logging of a request use the filepath "none", in which case
#       a logformat name should not be specified.
#       To log the request via syslog specify a filepath of "syslog":
#       access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
#       where facility could be any of:
#       authpriv, daemon, local0 .. local7 or user.
#       And priority could be any of:
#       err, warning, notice, info, debug.
access_log /var/log/squid/access.log 

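3. Next, copy the following script: sudo vim /etc/fw.proxy

#!/bin/sh
# squid server IP
SQUID_SERVER="SQUID_SERVER_IP"   # placeholder: replace with the squid server's LAN address
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"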
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
# ssh, so the server can be managed remotely from this IP segment
iptables -A INPUT -p TCP -s --dport 22 -j ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

4. Change the permissions of the file: chmod +x /etc/fw.proxy

5. Add the path to rc.local: sudo vim /etc/rc.local

#!/bin/sh -e
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
# By default this script does nothing.

# Load the firewall and transparent proxy rules at boot
/etc/fw.proxy

exit 0

6. Continue by checking the result of the setup in the log: tail -f /var/log/squid/access.log

1294469829.027    220 TCP_MISS/200 1032 GET - DIRECT/ text/html
1294469829.115   3620 TCP_MISS/200 532 GET - DIRECT/ text/javascript
1294469829.360    562 TCP_MISS/200 910 GET - DIRECT/ application/x-javascript
1294469829.536    154 TCP_MISS/200 1030 GET - DIRECT/ text/html
1294469829.642     83 TCP_MISS/200 1132 GET - DIRECT/ text/html
1294469829.657    103 TCP_MISS/200 719 GET - DIRECT/ text/html
1294469829.715    172 TCP_MISS/200 5246 GET - DIRECT/ text/html
1294469829.758    142 TCP_MISS/200 1402 GET - DIRECT/ text/html
1294469829.804    221 TCP_MISS/200 3220 GET - DIRECT/ text/html
1294469829.810    191 TCP_MISS/200 472 GET - DIRECT/ image/gif
1294469830.056    356 TCP_MISS/200 281 GET - DIRECT/ text/html
1294469830.533    700 TCP_MISS/200 4101 GET - DIRECT/ text/html
1294469830.666    804 TCP_MISS/200 4281 GET - DIRECT/ text/html
1294469830.706    948 TCP_MISS/200 6882 GET - DIRECT/ text/html
1294469831.171    312 TCP_MISS/200 800 GET - DIRECT/ image/gif
1294469831.502    315 TCP_MISS/200 800 GET - DIRECT/ image/gif
1294469831.886    701 TCP_MISS/200 1421 GET - DIRECT/ text/javascript
1294469832.234    324 TCP_MISS/200 706 GET - DIRECT/ text/javascript
1294469832.427    172 TCP_MISS/200 3784 GET - DIRECT/ image/jpeg
1294469833.433   1533 TCP_MISS/200 707 GET - DIRECT/69.63.


7. Done.

Reference reading

Internet Connection Sharing

Internet Connection Sharing (ICS) provides the ability for one computer to share its Internet connection with another computer. To do this, a computer with an Internet connection must be configured to function as an Internet gateway. A second computer (or network of computers) connects to the Internet indirectly via the gateway computer.

Situations in which ICS may be necessary include:

  • dial up connection
  • authenticated (PPPoA/E) connection
  • wireless connection
  • When it is impractical (such as with distance) to run multiple network cables to each computer.


GUI Method via Network Manager (Ubuntu 9.10 and up)

In order to share an Internet connection, the computer that will do the sharing must have two network cards or ports. This assumes that you are using at least one Ethernet port and that it is identified as "eth0". eth0 will be the port that other computers will connect to you on.

When you are logged in:

  • Go to "System" on your top bar
  • Navigate to "Preferences" and select "Network Connections"
  • When that window opens, select "Auto eth0" and press "Edit" (This assumes that you are connected to the internet on some other port, for ex. wlan0 using wireless)

A new window will open. Navigate to the tab titled "IPv4 Settings" and change the Method to "Shared to other computers". After restarting the computer you should now be able to plug in any computer into your other Ethernet port or share through your wireless card.

Note: To clarify the above example, here is an example configuration that will work:

  1. You are already connected to the internet using your wireless on port wlan0
  2. The ethernet port eth0 is connected to the PC that needs to share your internet connection (or you could wire eth0 to a router for multiple machines)


Ubuntu Internet Gateway Method (iptables)

You will need two network cards in the gateway computer, or a PPP interface and a network card. One network card (or PPP interface) connects to the internet, we will call this card eth0. The other card connects to your internal network, we will call this eth1. It is also possible to do ICS with a single network card. In this case, use eth0 for the internet and eth0:0 for the internal network.

  1. Internet <<==>> eth0 <> Ubuntu gateway <> eth1 <<==>> Client PC

  2. Internet <<==>> ppp0 <> Ubuntu gateway <> eth1 <<==>> Client PC

  3. Internet <<==>> eth0 <> Ubuntu gateway <> eth0:0 <<==>> Client PC


Gateway set up

The following example will focus on the most common gateway setup; an Ubuntu computer with two wired network adapters (eth0 and eth1) hosting ICS to a static internal network configured for the 192.168.0.x subnet.

For this example, eth0 is used to represent the network card connected to the internet and eth1 represents the network card connected to a client PC. You can replace eth0 and eth1 as needed for your situation. Also, any private IP subnet can be used for the internal network IP addresses.

In summary:

  • eth0 = the network adapter with internet (external or WAN).
  • eth1 = the network adapter to which a second computer is attached (internal or LAN).
  • 192.168.0.x = IP subnet for eth1

Your setup may be different. If so, make sure to change them accordingly in the following commands.


Configure internal network card

Configure your internal network card (eth1) for static IP like so:

sudo ifconfig eth1

(The external and internal network cards cannot be on the same subnet)

Configure NAT

Configure iptables for NAT translation so packets can be correctly routed through the Ubuntu gateway.

sudo iptables -A FORWARD -i eth1 -o eth0 -s -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE

(Rule 1 allows the initial packets of new connections forwarded from the internal network, rule 2 allows forwarding of packets that belong to established connections (and connections related to them), and rule 3 does the NAT.)

iptables settings need to be set up at each boot (they are not saved automatically), with the following commands:

  • Save the iptables rules:

sudo iptables-save | sudo tee /etc/iptables.sav

  • Edit /etc/rc.local and add the following line before the "exit 0" line:

iptables-restore < /etc/iptables.sav


Enable routing

  • Configure the gateway for routing between two interfaces by enabling IP forwarding:


sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"


  • Edit /etc/sysctl.conf and add these lines:



The /etc/sysctl.conf edit is required because of the following bug (Hardy and later releases): Launchpad Bug Report
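A check for the gateway rules configured in this section, as an added example that is not part of the original article: it reads `iptables-save` output and reports whether rule 1, rule 2 and rule 3 are present and what the FORWARD policy is. The function names, the report format and the sample ruleset (LAN 192.168.0.0/24 on eth1, internet on eth0) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the three ICS gateway rules.
# Usage: iptables-save | audit_ics_rules LAN_IF WAN_IF   (names are illustrative)
audit_ics_rules() {
    awk -v lan="$1" -v wan="$2" '
    # Return the argument that follows option "name" in the current rule, or "".
    function opt(name,    i) {
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    /^\*/ { table = substr($1, 2); next }              # table header: *nat, *filter
    table == "filter" && $1 == ":FORWARD" { policy = $2; next }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && opt("-j") == "ACCEPT" {
        state = opt("--ctstate")
        if (state == "") state = opt("--state")        # older "-m state" syntax
        # rule1: NEW connections that enter on the LAN side and leave on the WAN side
        if (state == "NEW" && opt("-i") == lan && opt("-o") == wan) new_ok = 1
        # rule2: packets of established connections and connections related to them
        if (state ~ /ESTABLISHED/ && state ~ /RELATED/) est_ok = 1
    }
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" {
        # rule3: record whether NAT is tied to the WAN interface or applies everywhere
        if (opt("-o") == wan) masq = "wan-only"
        else if (opt("-o") == "" && masq == "") masq = "any-interface"
    }
    END {
        if (policy == "") policy = "unknown"
        if (masq == "") masq = "missing"
        printf "forward_policy=%s rule1_new=%s rule2_established=%s rule3_masquerade=%s\n",
               policy, (new_ok ? "ok" : "missing"), (est_ok ? "ok" : "missing"), masq
        exit !(new_ok && est_ok && masq != "missing")   # status 0 only if all three exist
    }'
}

# Constructed sample of iptables-save output for a gateway with the LAN on eth1
# and the internet on eth0. Not captured from a real host.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_ics_rules eth1 eth0
```

On a gateway, run it as `sudo iptables-save | audit_ics_rules eth1 eth0`. A `forward_policy=ACCEPT` result means rule 1 and rule 2 do not restrict anything yet; they only act as a filter once the FORWARD policy is DROP.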


Client set up

Any OS can connect to the internet as an ICS client as long as networking has been configured correctly. The following example will focus on how to set up an Ubuntu ICS client. For this example, it is assumed that the client is connected to an Ubuntu gateway which has been configured to share ICS on the 192.168.0.x subnet according to the gateway set up outlined above.

For this example, eth0 is the network card on the client which is connected (by crossover cable) to eth1 on the Ubuntu gateway. You can replace eth0 as needed for your situation. Also, any private IP subnet can be used for the internal network IP address, as long as it matches the subnet on the gateway.

Disable networking


sudo /etc/init.d/networking stop


Give the client a static IP address


sudo ifconfig eth0

This IP address can be anything within the gateway's private IP range.

Configure routing


sudo route add default gw

This address should match the IP address on the gateway's internal network card (eth1 in the above example).

Configure DNS servers

Unless your ICS gateway can also perform DNS, you must manually configure the client with your ISP DNS servers. If you do not know your ISP's DNS servers, you can use OpenDNS servers instead.

  • Back up your current /etc/resolv.conf file:

sudo cp /etc/resolv.conf /etc/resolv.conf.backup

  • Open /etc/dhcp3/dhclient.conf with your favorite text editor:

sudo nano /etc/dhcp3/dhclient.conf

  • Search for the line that starts "prepend domain-name-servers", and change it to look like this:

prepend domain-name-servers,;

and are OpenDNS DNS servers. If you wish to use your ISP's DNS servers, use them here instead of the OpenDNS servers.


Restart networking


sudo /etc/init.d/networking restart

Once this is finished, your client will now have access to the internet via ICS. Please direct any questions/comments to the Internet Connection Sharing Documentation thread.

A beginner's working example of a Ubuntu Desktop with 2 nic cards, sharing internet connection


Advanced Gateway Configuration

The above example outlines how to do basic ICS on a static IP network. Once you have configured your Ubuntu computers for ICS and confirmed that everything works across your static network, there are a few advanced routing configurations which can make it much easier to set up the ICS client.

Advanced configurations include DHCP server, and DNS server. A DHCP server allows the client to get an ip address automatically without having to manually configure a static IP. A DNS server allows the client to resolve internet host names without manually configuring DNS addresses.


DHCP/DNS server

This is deceptively easy, and will be acceptable for most situations. However, it will not allow the ICS client to see computers on different subnets.

  • Install software

sudo aptitude install dnsmasq

  • Stop the server

After dnsmasq has been installed, it is automatically started, so it will need to be stopped before changes can be made.

sudo /etc/init.d/dnsmasq stop

  • Make a backup of the well commented configuration file (we won't use any of this, but it's handy to have a copy of for reference later)

sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf-backup

  • Edit /etc/dnsmasq.conf with your favorite text editor and add the following two lines:



Note: The "interface" should match the interface that your clients are connected to, and the "dhcp-range" should be within the gateway's private IP subnet you configured according to the "Gateway set up" directions above.

  • Start the DHCP/DNS server


sudo /etc/init.d/dnsmasq start

Now your clients should be able to pull an automatic ip address and resolve host names.


Other approaches

The following section includes a rough outline of some alternative methods for configuring an ICS gateway. They are incomplete and untested. They are included simply for the sake of information.


Alternate server software (CLI)

There are other ways to host ICS, but they are outside the scope of this article.


Alternate NAT

The ipmasq daemon does NAT routing so you don't have to configure iptables. The following directions are incomplete and should not be considered a full description of what needs to be done to configure ipmasq.


sudo aptitude install ipmasq

Configure ipmasq to allow DHCP requests, otherwise you need to stop ipmasq to make a connection. You need to copy a .rul from the documentation directory into the /etc config and edit the interface name. Then reconfigure ipmasq to start after networking has been started:


sudo dpkg-reconfigure ipmasq


Dedicated DHCP server

dhcp3 is an easy to configure and scalable true DHCP server that can be configured for many different applications. dhcp3 configuration is more complex, but it can be useful in many situations:


Dedicated DNS server

BIND9 is a popular and well supported local DNS server. It is very versatile, and very powerful, but difficult to configure correctly:


Alternate gateway software (GUI)

Another approach — set up Firestarter, to run connection sharing, set up dhcp3-server, and set its configuration to listen to the correct eth*. To change this later, run sudo dpkg-reconfigure dhcp3-server.

Basically, you need to have Firestarter active/turned on/protecting, to have the connection shared.

When you install dhcp3-server, it will place a sample config file in your /etc/dhcp3 folder, called dhcpd.conf. I suggest you install dhcp3-server first, and then firestarter, cause if you are lucky, firestarter will set up a new config file for dhcp3 for you.

At any time that changes are made to your dhcpd.conf file, restart the server – sudo /etc/init.d/dhcp3-server restart will do it. Alternatively, every time you run the sudo dpkg-reconfigure dhcp3-server, at the end, your server will restart.

There are several issues that I had…first of all, the Firestarter firewall won't even start if you don't have it configured to listen to the right interface…You can change which one it listens to in Preferences –> Network Settings. The Local network connected device must be the same as you have dhcp3-server listening to, of course, both checkboxes under that need to be checked. The Internet connected network device will be the one that is configured for Internet. Now, I have two NICs, but I have pppoe configured on eth0, and I have Internet connection sharing configured on the same one, cause eth0 is also configured for a static 192.168 internal IP for my internal network.


simple iptables example

A simple example: wlan0 has the internet connection and eth0 is used to share it. eth0 could be connected directly to a single PC via a crossover cable, to a switch, or to the WAN port of a router with a whole LAN set up behind it. The internet connection could equally be ppp0, a 3G or mobile internet modem.

    #!/bin/sh
    # internet connection sharing: wlan0 is the gateway
    # eth0 is the LAN port; this might use a straight ethernet cable to a router WAN port, a switch or a single PC
    # is the port that is being used by the lan for access I changed it to and set fixed addresses for the wan and router
    # change wlan0 to ppp0 and you can use this for mobile broadband connection sharing
    ifconfig eth0 up
    ifconfig eth0
    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o wlan0 -s -j MASQUERADE
    iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 3074 -j DNAT --to-destination
    iptables -t nat -A PREROUTING -i wlan0 -p udp -m multiport --dports 88,3074 -j DNAT --to-destination
    iptables -A FORWARD -i wlan0 -d -p tcp --dport 3074 -j ACCEPT
    iptables -A FORWARD -i wlan0 -d -p udp -m multiport --dports 88,3074 -j ACCEPT

You could use the above as a bash script, changing things to suit.

  • If things go wrong, the following script should save you if things get badly messed up.


    #!/bin/sh
    # rc.flush-iptables – Resets iptables to default values.
    # Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; version 2 of the License.
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    # You should have received a copy of the GNU General Public License
    # along with this program or from the site that you downloaded it
    # from; if not, write to the Free Software Foundation, Inc., 59 Temple
    # Place, Suite 330, Boston, MA 02111-1307 USA
    # Configurations
    IPTABLES="iptables"
    # reset the default policies in the filter table.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    # reset the default policies in the nat table.
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    # reset the default policies in the mangle table.
    $IPTABLES -t mangle -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P INPUT ACCEPT
    $IPTABLES -t mangle -P FORWARD ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT
    $IPTABLES -t mangle -P POSTROUTING ACCEPT
    # flush all the rules in the filter, nat and mangle tables.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    # erase all chains that are not default in the filter, nat and mangle tables.
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
