Suppose your switch is ready (the port facing this host is an 802.1Q trunk that carries the VLAN IDs used below).
Install the vlan package > load the 802.1q kernel module > configure the interfaces
1. apt-get install vlan
2. modprobe 8021q
(modprobe only lasts until reboot; add a line "8021q" to /etc/modules so the module is loaded at boot)
3. vi /etc/network/interfaces
# add the following content; this example creates 3 VLANs (IDs 10, 20 and 30) on top of eth0.
# The vlan package derives the VLAN ID from the interface name (vlanN) and needs
# vlan_raw_device to know which physical interface carries the trunk.
auto vlan10 vlan20 vlan30
iface vlan10 inet static
address 192.168.10.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0
iface vlan20 inet static
address 192.168.20.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0
iface vlan30 inet static
address 192.168.30.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0
Bring them up with ifup vlan10 vlan20 vlan30 and confirm the kernel created the three tagged devices on eth0 with cat /proc/net/vlan/config.
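The check at the end of the procedure, done properly: compare what /etc/network/interfaces declares with what /proc/net/vlan/config reports. This is an added example, not code from the original post; INTERFACES and PROC_VLAN_CONFIG are constructed strings mirroring the three-VLAN setup above (with two deliberate discrepancies), and on a real host you would read the two files instead.

```python
"""Cross-check the 802.1Q stanzas in /etc/network/interfaces against the VLAN
devices the kernel actually has (/proc/net/vlan/config).

Added example, not part of the original post. INTERFACES and
PROC_VLAN_CONFIG are constructed inputs mirroring the post's three-VLAN
setup; on a real host read the two files instead of using these strings.
"""
import re
from typing import Dict, List, Tuple

VlanMap = Dict[str, Tuple[str, int]]  # interface name -> (trunk device, VLAN ID)

# Constructed: the stanzas from the post.
INTERFACES = """\
auto vlan10 vlan20 vlan30
iface vlan10 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    mtu 1500
    vlan_raw_device eth0
iface vlan20 inet static
    address 192.168.20.1
    netmask 255.255.255.0
    mtu 1500
    vlan_raw_device eth0
iface vlan30 inet static
    address 192.168.30.1
    netmask 255.255.255.0
    mtu 1500
    vlan_raw_device eth0
"""

# Constructed: what the kernel reports when vlan20 was created on the wrong
# trunk port and vlan30 was never brought up.
PROC_VLAN_CONFIG = """\
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
vlan10         | 10  | eth0
vlan20         | 20  | eth1
"""


def parse_interfaces(text: str) -> VlanMap:
    """Return the VLAN interfaces declared in an ifupdown file.

    The vlan package's if-pre-up hook takes the VLAN ID from the interface
    name: 'vlanN' needs a vlan_raw_device (or vlan-raw-device) line naming
    the trunk, 'eth0.N' carries the trunk in the name. Other naming schemes
    the hook accepts are not handled here.
    """
    result: VlanMap = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface":
            current = words[1]
            dotted = re.fullmatch(r"(\w+)\.(\d+)", current)
            if dotted:
                result[current] = (dotted.group(1), int(dotted.group(2)))
            elif re.fullmatch(r"vlan\d+", current):
                result[current] = ("", int(current[4:]))  # trunk filled in below
            else:
                current = None  # not a VLAN stanza
        elif current and words[0] in ("vlan_raw_device", "vlan-raw-device"):
            result[current] = (words[1], result[current][1])
    return result


def parse_proc_vlan_config(text: str) -> VlanMap:
    """Parse /proc/net/vlan/config: two header lines, then 'name | id | dev'."""
    result: VlanMap = {}
    for line in text.splitlines()[2:]:
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[1].isdigit():
            result[parts[0]] = (parts[2], int(parts[1]))
    return result


def compare(declared: VlanMap, kernel: VlanMap) -> List[str]:
    """One message per difference between configured and live VLANs."""
    problems = []
    for name, (dev, vid) in sorted(declared.items()):
        if not dev:
            problems.append(f"{name}: no vlan_raw_device, ifup cannot create it")
        elif name not in kernel:
            problems.append(f"{name}: declared but not present in kernel")
        elif kernel[name] != (dev, vid):
            kdev, kvid = kernel[name]
            problems.append(f"{name}: want VLAN {vid} on {dev}, kernel has VLAN {kvid} on {kdev}")
    # A VLAN device nobody declared is worth a look: either leftover state or
    # something added by hand on a trunk port.
    for name in sorted(set(kernel) - set(declared)):
        problems.append(f"{name}: exists in kernel but not declared")
    return problems


if __name__ == "__main__":
    for msg in compare(parse_interfaces(INTERFACES), parse_proc_vlan_config(PROC_VLAN_CONFIG)):
        print(msg)
```

The comparison is keyed on the interface name because that is what both files share; the trunk device and VLAN ID are then checked as a pair, so an interface that exists but sits on the wrong NIC (and therefore on the wrong trunk) is reported rather than silently passing.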
22 April 2010
14 April 2010
iptables in NAT (MASQUERADE, SNAT, DNAT)
Assumptions in this case:
eth0 connection to external network
eth1 connection to internal network
Enable IP forwarding (routing between the two interfaces)
echo 1 > /proc/sys/net/ipv4/ip_forward
(This is lost at reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent.)
Set up IP FORWARDing and Masquerading
(this is the simplest method to configure NAT for internal users)
[root@linux ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@linux ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@linux ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
If the external link is a PPP link (e.g. ADSL), the outgoing interface is ppp0 rather than eth0, and the MASQUERADE rule becomes:
[root@linux ~]# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Note that the two FORWARD rules only restrict anything if the chain's default policy is DROP (iptables -P FORWARD DROP); with the default ACCEPT policy every packet is forwarded in both directions regardless of these rules.
More information (just samples for your reference):
SNAT
Example: Internal users access the external network; their private source addresses are rewritten to a fixed public address (use this instead of MASQUERADE when the public address is static)
[root@linux ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 202.175.12.34
(Map source addresses to 202.175.12.34)
[root@linux ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 202.175.12.34-202.175.12.39
(Map source addresses to the range 202.175.12.34~202.175.12.39)
DNAT
Example: External users access an internal server
[root@linux ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.10
(All traffic arriving on eth0 is sent to 192.168.1.10)
[root@linux ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.5-192.168.1.10
(Spread across the range 192.168.1.5~192.168.1.10)
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.1.10:80
(Only TCP port 80 is forwarded, to the same port)
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.1.10:8080
(Port 80 outside, port 8080 inside)
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
(REDIRECT sends the packet to port 8080 on the gateway itself, not to another host)
The nat table only rewrites addresses; the translated packet still has to pass the FORWARD chain. Once the FORWARD policy is DROP, a DNAT to 192.168.1.10 also needs a FORWARD rule that accepts new TCP connections from eth0 to eth1 for 192.168.1.10 on the translated port (8080 in the last DNAT example), because FORWARD runs after PREROUTING and sees the post-translation destination.
iptables general configuration
List iptables contents
[root@linux ~]# iptables -L -n
[root@linux ~]# iptables -L -nv
[root@linux ~]# iptables -t nat -L -n
(add --line-numbers to see the rule numbers used by -I, -R and -D below)
Flush iptables contents
[root@linux ~]# iptables -F
[root@linux ~]# iptables -t nat -F
[root@linux ~]# iptables -F FORWARD
[root@linux ~]# iptables -X MYCHAIN
(deletes a user-defined chain; it must be empty and not referenced by any rule)
Set policy for chain
Example:
[root@linux ~]# iptables -P INPUT DROP
Result:
Chain INPUT (policy DROP)
target prot opt source destination
(Set a DROP policy only after the rules that accept your own SSH session, or from the console, otherwise you lock yourself out.)
Add rules to the chain
Template:
iptables [-AI chain] [-io interface] [-p protocol] [-s source ip] [-d destination ip] -j [ACCEPT|DROP]
Example:
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.0.1 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
[root@linux ~]# iptables -A INPUT -s 192.168.2.200 -j LOG
(log all traffic from 192.168.2.200 to the kernel log, which syslog normally writes to /var/log/messages; LOG does not terminate processing, so the packet continues to the next rule)
[root@linux ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@linux ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
> --sport 1024:65534 --dport ssh -j DROP
[root@linux ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(Accept packets that belong to, or are related to, an existing connection; state can be NEW, RELATED, ESTABLISHED or INVALID)
[root@linux ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@linux ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
(MAC addresses are trivially spoofed on the local segment, so this is not authentication)
Insert a rule into the chain
[root@linux ~]# iptables -I INPUT 2 -i eth0 -p tcp --dport 21 -j DROP
(Insert as the 2nd rule)
Replace a rule
[root@linux ~]# iptables -R INPUT 2 -i eth0 -p tcp --dport 21 -j DROP
(Replace the 2nd rule)
Delete rules
[root@linux ~]# iptables -D INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@linux ~]# iptables -D INPUT 2
(Delete the 2nd rule)
Save and Restore
Whatever you do on the command line is lost after a system reboot, so save the rules to a file that is loaded at boot.
For Red Hat distributions that file is /etc/sysconfig/iptables, loaded by the iptables init script. Two commands are used to back up and restore:
Example:
[root@linux ~]# iptables-save > filename
(Save iptables from running config to a file)
[root@linux ~]# iptables-save > /etc/sysconfig/iptables
(Save iptables from running config to startup config)
[root@linux ~]# iptables-restore < filename
(Replace the running config with the contents of the file, atomically)
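The NAT gateway from the previous post and the save/restore format from this one, combined: the code below emits a complete iptables-restore file for the two-NIC gateway (MASQUERADE or SNAT, optional DNAT port forwards, FORWARD policy DROP with exactly the rules that need to exist) and then audits such a file for the two things the bare commands above leave implicit, an ACCEPT policy on FORWARD and a DNAT with no matching FORWARD rule. This is an added example, not code from the original post; eth0/eth1, the 192.168.1.0/24 LAN, the 202.175.12.34 address and the port 80 to 8080 forward are assumptions carried over from the post's samples. The generated rules use the newer conntrack match rather than the deprecated state match the post uses; both are accepted by current iptables.

```python
"""Generate and audit an iptables-restore ruleset for a two-NIC NAT gateway
(external interface, internal interface), as described in the post.

Added example, not from the post. Interface names, the LAN prefix and the
sample port forward are assumptions. Load the output with
`iptables-restore < file` (and save it to /etc/sysconfig/iptables on
Red Hat) exactly as the post describes.
"""
import re
from typing import Iterable, List, Optional, Tuple

# (protocol, external port, internal host, internal port)
Forward = Tuple[str, int, str, int]


def build_ruleset(ext_if: str, int_if: str, lan_cidr: str,
                  snat_ip: Optional[str] = None,
                  forwards: Iterable[Forward] = ()) -> str:
    """Return an iptables-restore file for the gateway.

    Unlike the bare commands in the post, FORWARD defaults to DROP, so only
    traffic that is explicitly allowed (LAN to Internet, replies, and each
    port forward) crosses the box.
    """
    forwards = list(forwards)
    nat = ["*nat",
           ":PREROUTING ACCEPT [0:0]",
           ":INPUT ACCEPT [0:0]",
           ":OUTPUT ACCEPT [0:0]",
           ":POSTROUTING ACCEPT [0:0]"]
    for proto, ext_port, host, int_port in forwards:
        nat.append(f"-A PREROUTING -i {ext_if} -p {proto} --dport {ext_port} "
                   f"-j DNAT --to-destination {host}:{int_port}")
    if snat_ip:
        # Static public address: SNAT avoids MASQUERADE's re-lookup of the
        # interface address on every packet.
        nat.append(f"-A POSTROUTING -s {lan_cidr} -o {ext_if} -j SNAT --to-source {snat_ip}")
    else:
        nat.append(f"-A POSTROUTING -s {lan_cidr} -o {ext_if} -j MASQUERADE")
    nat.append("COMMIT")

    filt = ["*filter",
            ":INPUT ACCEPT [0:0]",
            ":FORWARD DROP [0:0]",
            ":OUTPUT ACCEPT [0:0]",
            "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
            "-A FORWARD -m conntrack --ctstate INVALID -j DROP",
            f"-A FORWARD -i {int_if} -o {ext_if} -s {lan_cidr} -j ACCEPT"]
    for proto, _ext_port, host, int_port in forwards:
        # FORWARD sees the packet after PREROUTING has rewritten it, so match
        # the internal host and port, not the public port.
        filt.append(f"-A FORWARD -i {ext_if} -o {int_if} -p {proto} -d {host} "
                    f"--dport {int_port} -m conntrack --ctstate NEW -j ACCEPT")
    filt.append("COMMIT")
    return "\n".join(nat + filt) + "\n"


DNAT_RE = re.compile(r"^-A PREROUTING .*-p (\S+) .*-j DNAT --to-destination (\S+?):(\d+)$")
FWD_RE = re.compile(r"^-A FORWARD .*-p (\S+) .*-d (\S+) --dport (\d+) .*-j ACCEPT$")


def audit(ruleset: str) -> List[str]:
    """Return one message per problem found in an iptables-restore dump."""
    problems: List[str] = []
    table = None
    dnats, accepts = [], set()
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:]
            continue
        if table == "filter" and line.startswith(":FORWARD ") and " DROP " not in line:
            problems.append("FORWARD policy is not DROP")
        if table == "nat":
            m = DNAT_RE.match(line)
            if m:
                dnats.append((m.group(1), m.group(2), int(m.group(3))))
        elif table == "filter":
            m = FWD_RE.match(line)
            if m:
                accepts.add((m.group(1), m.group(2), int(m.group(3))))
    for proto, host, port in dnats:
        if (proto, host, port) not in accepts:
            problems.append(f"DNAT to {host}:{port}/{proto} has no FORWARD ACCEPT")
    return problems


# Constructed: the post's own commands in iptables-restore form, for comparison.
POST_RULESET = """\
*nat
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print(build_ruleset("eth0", "eth1", "192.168.1.0/24",
                        forwards=[("tcp", 80, "192.168.1.10", 8080)]))
    print(audit(POST_RULESET))
```

Running the audit over the post's rules reports both findings; running it over the generated file reports none. The audit only recognises the rule shapes this generator emits (one -p, one -d, one --dport), so on a hand-written ruleset treat a clean result as "nothing obvious" rather than proof.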
8 April 2010
vsftpd simple config
ref.: http://ubuntuforums.org
Basic Setup
To disable anonymous login, allow local users to log in and give them write permissions, edit /etc/vsftpd.conf:
Code:
# No anonymous login
anonymous_enable=NO
# Let local users login
# If you connect from the internet with local users, you must enable TLS/SSL/FTPS (see below)
local_enable=YES
# Write permissions
write_enable=YES
NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords (or data). If you do need to transfer files over FTP, consider the use of virtual users (accounts with non-system passwords, so a sniffed FTP password is not also a shell password) or TLS/SSL/FTPS (see below).
To chroot users
To jail/chroot users (not the vsftpd service itself), there are three choices. Search for "chroot_local_user" in the file and use one of the following:
Code:
# 1. All users are jailed by default:
chroot_local_user=YES
chroot_list_enable=NO
# 2. Just some users are jailed:
chroot_local_user=NO
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.
# 3. Just some users are "free":
chroot_local_user=YES
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.
Note: vsftpd 2.3.5 and later refuse to log a user into a chroot whose root directory is writable by that user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Either make the home directory non-writable and give write access in a subdirectory, or set allow_writeable_chroot=YES (vsftpd 3.0 and later) and accept the weaker jail.
To deny (or allow) just some users to login
To deny some users, add the following options at the end of the file. userlist_enable must be YES, otherwise userlist_file is never consulted:
Code:
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users
In the file /etc/vsftpd.denied_users add the usernames of the users that cannot log in, one username per line.
To allow just some users to login:
Code:
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.allowed_users
In the file /etc/vsftpd.allowed_users add the usernames of the users that can log in, one per line.
Users that are not allowed get an error before they type their password (the list is checked on the USER command, so the password is never sent).
TLS/SSL/FTPS
NOTE: you definitely have to use this if you connect from the Internet.
To use vsftpd with encryption, change or add the following options (some are not in the original config file, so add them):
Code:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
# SSLv2 and SSLv3 are broken; the forum snippet enabled them, keep them off
ssl_sslv2=NO
ssl_sslv3=NO
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for implicit FTPS.
# Uncomment it if you want/have to use port 990.
#listen_port=990
No need to create a certificate to get started: the Ubuntu package's rsa_cert_file points at the "snake-oil" certificate that the ssl-cert package generates at install time. That certificate is self-signed and issued for a name that will not match your server, so clients cannot verify who they are talking to and a man-in-the-middle can present his own. For anything reachable from the Internet, replace it with a certificate issued for the server's hostname.
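A small linter for the points above, as an added example (not from the post or the vsftpd project): it parses vsftpd.conf syntax and flags the weak settings discussed in this post, anonymous access, plaintext logins, SSLv2/SSLv3, disabled SSL enforcement, and a user list that is configured but not enabled. WEAK_CONF is a constructed copy of the forum snippet as originally posted; HARDENED_CONF is the same configuration with those issues fixed. Defaults assumed where an option is absent are vsftpd's documented ones (anonymous_enable=YES, ssl_enable=NO, force_local_*_ssl=YES, userlist_enable=NO).

```python
"""Lint a vsftpd.conf for the hardening points made in the post.

Added example, not from the post or the vsftpd project. Both sample
configurations are constructed: WEAK_CONF is the forum snippet as posted,
HARDENED_CONF the corrected version.
"""
from typing import Dict, List

WEAK_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
# deny list, but userlist_enable was never set
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""

HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
"""


def parse_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf is one 'option=value' per line; '#' starts a comment."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def lint(opts: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting, in a stable order."""
    def on(key: str, default: str = "NO") -> bool:
        return opts.get(key, default).upper() == "YES"

    findings: List[str] = []
    # vsftpd's compiled-in default for anonymous_enable is YES.
    if on("anonymous_enable", default="YES"):
        findings.append("anonymous_enable: anonymous FTP is on")
    if on("local_enable") and not on("ssl_enable"):
        findings.append("ssl_enable=NO: local passwords cross the wire in clear text")
    if on("ssl_enable"):
        for old in ("ssl_sslv2", "ssl_sslv3"):
            if on(old):
                findings.append(f"{old}=YES: broken protocol version enabled")
        # Both default to YES; setting either to NO re-opens plaintext fallback.
        for force in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not on(force, default="YES"):
                findings.append(f"{force}=NO: plaintext fallback allowed")
    if "userlist_file" in opts and not on("userlist_enable"):
        findings.append("userlist_file set but userlist_enable=NO: list is ignored")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(parse_conf(conf)) or ["ok"])
```

The ordering of findings is deliberate (protocol exposure first, access control last) so that the output reads like a remediation list.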
Install a VNC Server in Ubuntu
Step 1: Install vnc4server and xinetd
sudo apt-get install vnc4server xinetd
Step 2: Edit ~/.vnc/xstartup
(the file is created, and the VNC password is asked for, the first time vnc4server is run; run it once if the file does not exist yet, which is why step 3 stops that first instance)
Uncomment the lines that start with unset and exec. Comment out the lines that start with xsetroot, vncconfig, xterm, and twm.
The final file should look like:
#!/bin/sh
# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
#xsetroot -solid grey
#vncconfig -iconic &
#xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#twm &
Step 3: Stop vncserver
vnc4server -kill :1
Step 4: Start vncserver
vnc4server
Note: VNC does not encrypt the session and the VNC password is truncated to 8 characters. On a machine reachable by other hosts, start it as vnc4server -localhost so it listens on 127.0.0.1 only, forward the display port over SSH (display :1 is TCP port 5901, e.g. ssh -L 5901:localhost:5901 user@host) and point the viewer at localhost:1.