I now have the Acer C7 Chromebook, which is a great second device: a nice screen in a highly portable 11 inch, 3 pound package. If you would like a little more functionality, you can install Crouton on your Acer C7, a change root (chroot) Ubuntu environment that provides easy switching between Chrome OS and Ubuntu. I like to try things in a virtual machine before going for the real deal. Crouton requires developer mode, and entering developer mode erases the user accounts on the device. I have many things set up, such as OpenVPN, and many images stored locally. The VirtualBox configuration lets me play around enough to really decide whether I will try Crouton on my Chromebook.
You can play around with Crouton in a virtual machine before trying it on your Chromebook. I have found it works fine, as expected, but during the install the screen changed modes to the hideous garbage shown on the left. The good news is there is no need to worry: I pressed CTRL-ALT-F2 followed by CTRL-ALT-F1 to get the screen back to normal. So, install Chromium OS using Hexxeh's instructions on his site, then follow the Crouton install guide, and if you get the garbage screen, you'll know what to do.
Here is the CTRL-ALT-F1, or normal Chrome OS, view showing crosh in the developer mode shell right after entering the Crouton change root (chroot) environment.
Here is the screen of CTRL-ALT-F2
Crouton Xfce4 in Virtualbox
Here is the Xfce4 session running in Crouton. Note that switching between windows doesn't always work. Sometimes getting here requires CTRL-ALT-F2 and then CTRL-ALT-F3.
The default KDE theme is nice as it is, but it can also be customized in just a few easy steps. First, I like to copy my applications into the panel: drag them from the launcher to the panel and select Link Here.
Next, add some widgets using the Plasma control in the top right of the screen.
Right click desktop area and select Default Desktop Settings. Install a background and select it after installation completes.
Applying the desktop picture.
We'll go to System Settings from the launcher and use Application Appearance and Workspace Appearance.
I chose Krita Dark, which comes with Kubuntu 12.10.
Add a theme in Workspace Appearance, such as Slim Glow, and activate it.
So, now you have a modified Kubuntu 12.10 KDE desktop in a few easy steps minus the time to download the custom backgrounds and themes. Hope this helps.
I wrote a Home Network with IPv4 DMZ article which showed how to get a website up and running at home on the Internet with the servers in a separate NAT area. The design works, but NAT can make other services, like FTP, difficult to manage. IPv6 is ready to save us from network address translation, making all nodes equal citizens on the Internet and ending our dependence on IP masquerading. What do you have to do to build your IPv6 home network DMZ? The simple answer may surprise you: you don't have to do anything beyond installing the software and setting up domain name service (DNS), since your IPv6 enabled node is already Internet facing. If you have enabled IPv6, you are ready to go.
You can activate IPv6 at home and utilize any machine, virtual or physical, to be your Internet server. Keep in mind that virtual servers and wireless IPv6 bridging may bring you more problems than they are worth, so make sure you have wired networking available if you want to run in a virtualized machine. All you need after you install your Internet server software is a DNS provider and you are ready to go. But, many of you like something a little more complex like keeping your Internet facing systems in a nice little DMZ, away from your main network while minimizing exposure of other services that don't need to be on the Internet.
To do this, I decided to create an IPv6 subnet for the DMZ within my assigned /48 block. This DMZ consists of three tiers with tier one using a globally scoped network to face the Internet clients, while tiers two and three use unique local networks. This subnet sits behind a router that has firewall rules installed on it similar to my pfSense network in the previous article. Tiers two and three cannot be reached from the Internet since their network prefixes are not routable. All servers have fully qualified domain names but the website is configured to run off the vanity URL http://azcrumpty.dyndns.org, which you can only view if you are using IPv6.
The basic building block of my IPv6 home network DMZ is the Ubuntu Linux based IPv6 router. The router has four network interfaces: external (eth0), Internet facing tier one (eth1), application logic tier two (eth2), and database tier three (eth3). All of these functions could have been placed on one host, of course, but doing so would have made for one boring article.
This IPv6 multi-subnet Linux based router runs Ubuntu Server 12.04 in a VirtualBox virtual machine. Setup is simply a matter of enabling IPv6 forwarding (net.ipv6.conf.all.forwarding=1 in the sysctl.conf file) and setting static addresses on the interfaces.
The bind9 and squid3 packages are installed to provide DNS forwarding and HTTP proxying for the DMZ nodes, which have no direct Internet access.
Lastly, the main router needs some static routes, since the unique local network addresses need to be specified and I didn't subnet the router interfaces for the tier 1 LAN.
Squid needs a few tweaks to its ACLs for the new subnets. The private block is already included, so I added the tier 1 block to the localnet ACL: acl localnet src fd00::/7 2001:470:f379:31::/64.
NTP is not used here but other virtual machines may need time synchronization so plan for it if your clock drifts while running in the virtual machine. You would set your NTP host to the corresponding router's tier network address.
I wanted to build an IPv6 only environment, but Ubuntu's repositories don't always answer with AAAA (quad-A) records, so I have to enable IPv4 on eth0 (dhclient eth0) so the proxy on the router can reach IPv4 sites for updates. This series of articles is configured for IPv6 only, and the firewall script removes the IPv4 address from the interface when run.
The router software was installed with the Basic Server option in the Ubuntu Server installer menu. The unique local addresses are not pseudorandom, as RFC 4193 calls for.
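For contrast with the hand-picked fd01::/16, here is what RFC 4193 section 3.2.2 actually asks for, as an added example that is not part of the original article: the Global ID is the low 40 bits of a SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64, giving an fdXX:XXXX:XXXX::/48 from which each tier's /64 is carved. The timestamp and EUI-64 values used in the usage comment are constructed, not taken from the page.

```sh
#!/bin/sh
# Added example, not from the page: the RFC 4193 section 3.2.2 procedure for a unique
# local prefix, so the Global ID is pseudorandom rather than hand-picked like fd01::/16.
# Inputs are hex strings: a 64-bit NTP-format timestamp and the EUI-64 of one interface.

sha1_hex() { if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi; }

hex_to_bytes() {   # emit the raw bytes of an even-length hex string, via octal escapes
  rest=$1; fmt=""
  while [ -n "$rest" ]; do
    hh=${rest%"${rest#??}"}; rest=${rest#??}
    fmt="$fmt\\$(printf '%03o' "0x$hh")"
  done
  printf "$fmt"
}

# $1 = 16 hex digits of NTP time, $2 = 16 hex digits of EUI-64; prints fdXX:XXXX:XXXX::/48
ula_prefix() {
  [ ${#1} -eq 16 ] && [ ${#2} -eq 16 ] || return 1
  # steps 1-4: key = time || EUI-64 (128 bits), then SHA-1 over the key bytes
  digest=$(hex_to_bytes "$1$2" | sha1_hex | cut -c1-40)
  # step 5: the least significant 40 bits (last 10 hex digits) are the Global ID
  gid=$(printf '%s' "$digest" | cut -c31-40)
  # step 6: fc00::/7 with the L bit set gives fd00::/8, followed by the Global ID
  printf 'fd%s:%s:%s::/48\n' "$(printf '%s' "$gid" | cut -c1-2)" \
    "$(printf '%s' "$gid" | cut -c3-6)" "$(printf '%s' "$gid" | cut -c7-10)"
}

# Carve one tier's /64 out of the /48: the subnet ID is a 16-bit hex value such as 0002
ula_subnet() {   # $1 = prefix from ula_prefix, $2 = subnet id
  printf '%s:%s::/64\n' "${1%%::/48}" "$2"
}

# Usage (constructed inputs: a made-up NTP timestamp, EUI-64 of MAC 08:00:27:12:34:56):
#   p=$(ula_prefix d4a1b2c300000000 0a0027fffe123456); ula_subnet "$p" 0002
```

The point of the pseudorandom Global ID is the failure mode the RFC is built around: two sites that both picked fd01::/16 collide the moment they are joined over a VPN, while two independently generated /48s almost never will.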
Add Static IPv6 Routes to DD-WRT
Adding a static IPv6 route to your main router may look different from what is shown below.
The forwarders are needed because the IPv6-only network stack prevents some lookups.
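The router configuration described above (forwarding, static interface addresses, the squid localnet ACL, bind forwarders and the main router's static routes) rendered as files by a script; this is an added example, not the article's own files. The tier 1 block and the fd01::/16 ULA block are the page's; the eth0 address, the home LAN gateway, the tier 2 and 3 gateway addresses and the upstream resolver are assumptions marked ASSUMED in the code. ROOT renders into a scratch directory so the result can be reviewed before touching /.

```sh
#!/bin/sh
# Added example: the DMZ router's static configuration rendered as files, plus the static
# routes the main router needs. Not the page's own files. ROOT renders into a scratch
# directory for review; values marked ASSUMED stand in for ones the page does not print.
ROOT="${ROOT:-}"                        # empty renders into the live filesystem
IP="${IP:-ip}"                          # IP=echo prints the route commands instead
EXT_ADDR=2001:470:f379:1::2/64          # ASSUMED: eth0, the router's foot on the home LAN
EXT_GW=2001:470:f379:1::1               # ASSUMED: the main (DD-WRT) router
T1_ADDR=2001:470:f379:31::1/64          # eth1: gateway inside the tier 1 block the page gives
T2_ADDR=fd01:0:0:2::1/64                # ASSUMED: eth2, inside the page's fd01::/16
T3_ADDR=fd01:0:0:3::1/64                # ASSUMED: eth3
UPSTREAM_DNS=2001:db8::53               # ASSUMED: your tunnel provider's resolver

write() { mkdir -p "$(dirname "$ROOT$1")"; cat > "$ROOT$1"; }   # $1 = absolute path

iface_stanza() {   # $1 name, $2 address/prefixlen, $3 optional default gateway
  printf 'auto %s\niface %s inet6 static\n    address %s\n    netmask %s\n' "$1" "$1" "${2%/*}" "${2#*/}"
  if [ -n "${3:-}" ]; then printf '    gateway %s\n' "$3"; fi
  printf '\n'
}

write_router_config() {
  # Forwarding between the four interfaces; a reboot or sysctl --system loads it.
  # The page puts the same line in /etc/sysctl.conf, which is read as well.
  write /etc/sysctl.d/60-ipv6-router.conf <<EOF
net.ipv6.conf.all.forwarding=1
EOF
  { printf 'auto lo\niface lo inet loopback\n\n'
    iface_stanza eth0 "$EXT_ADDR" "$EXT_GW"
    iface_stanza eth1 "$T1_ADDR"
    iface_stanza eth2 "$T2_ADDR"
    iface_stanza eth3 "$T3_ADDR"
  } | write /etc/network/interfaces
  # squid3: the tier 1 block sits next to the private block in the localnet ACL, as on the page
  write /etc/squid3/squid.conf <<EOF
http_port 3128
acl localnet src fd00::/7 2001:470:f379:31::/64
acl Safe_ports port 80 443 21
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF
  # bind9: forward everything upstream; only directly attached networks may query
  write /etc/bind/named.conf.options <<EOF
options {
    directory "/var/cache/bind";
    forwarders { $UPSTREAM_DNS; };
    listen-on-v6 { any; };
    allow-query { localnets; };
    allow-recursion { localnets; };
};
EOF
}

# On the main router: the tier 1 /64 and the DMZ ULA block live behind the DMZ router's eth0
main_router_routes() {
  $IP -6 route add 2001:470:f379:31::/64 via "${EXT_ADDR%/*}"
  $IP -6 route add fd01::/16 via "${EXT_ADDR%/*}"
}

if [ "${RENDER:-no}" = yes ]; then write_router_config; fi
```

Run it as ROOT=/tmp/router RENDER=yes sh router.sh and diff the result against the live files; IP=echo prints the two route commands, which on DD-WRT go into a saved startup script so they survive a reboot.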
Generating firewall rules tends to be the most discussed subject, but you must tell Firewall Builder that you wish to work with IPv6 in the property file to have it generate the rules you want. I had assumed that if I defined IPv6 addresses it would automatically make the configuration IPv6 ready, which wasn't the case. So I had to activate some settings in the GUI, and the policy setting is the most important. Neighbor discovery and rule generation order aren't used here, as IPs are static and there are no IPv4 rules.
This firewall design exists to prevent the hosts in the DMZ from reaching the home IPv6 network while ensuring the Internet clients can reach the tier 1 reverse proxy, but still enabling flow from tier 1 to tier 2 and tier 2 to tier 3.
The firewall design allows all hosts on the main network to reach all tiers in the DMZ.
The first rule in the diagram is the anti-spoof rule (Rule 0), which prevents the internal network prefixes from appearing as source addresses outside the firewall, where they could not legitimately originate. Next, Rule 1 allows loopback traffic and Rule 2 allows the firewall to accept IPv6 multicast on its external interface.
Next, Rule 3 lets the router's external interface connect to the outside world so the router's services can reach the Internet as needed. This helps the squid proxy and DNS queries reach the Internet. Without it, there would be no access to the Internet for the router itself.
Rule 4 is redundant but it is a holdover from the template allowing SSH from the main network to the router. The router doesn't run SSH so this is not needed as I make changes on the router via the console. Some people like to SSH into the router, but I find I rarely do once I have a router setup just right.
Rules 5, 6, and 7 allow each tier to reach the services it needs on that tier's gateway interface, in this case network time protocol (NTP), the HTTP proxy, and domain name service (DNS).
The block-all rule (Rule 8) comes next, denying all other access to the firewall itself for whatever wasn't explicitly allowed.
Rule 9 rejects ident quickly so there are no delays when an application tries an ident lookup against one of the servers.
Rule 11 allows mail to anywhere but Main Network and Tiers 2 and 3. Tiers 2 and 3 have no reverse DNS and many mailer daemons complain anyway. Tiers 2 and 3 can send mail to tier 1 so tier 1 could be configured as a smart relay host, which isn't shown in this series of articles.
Rule 12 allows tier 1 to reach tier 2 via HTTP. You can add Apache Tomcat HTTP/AJP (8080/8009) or similar ports you need for tier 2 access here.
Rule 13 allows the tier two server to reach tier three's MySQL port for database access.
Note that with this configuration, multiple servers within one tier have full access to all ports on each other, because traffic between servers on the same tier never crosses a firewall interface and is therefore never inspected.
Rule 14 denies any other access to the home IPv6 network but is already covered by Rule 17. I like to see this one explicitly defined but it isn't really necessary.
Rule 15 allows the main network to do whatever it wants to any host in the DMZ. You might want to restrict this to trusted hosts or a jump server in your network.
Rule 16 allows any host to reach the HTTP and HTTPS ports and savvy readers will note that also enables tiers 2 and 3 to reach tier 1 HTTP services.
Rule 17 denies all other connections that aren't allowed.
Firewall rules don't have to stop here. I could have told the DD-WRT router to deny all incoming connections from the networks 2001:470:f379:31::/64 and fd01::/16, and I could tell the host-based firewalls on hosts in the main network to drop those networks as well.
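Rules 0 through 17 above, written out as ip6tables commands so that the intent of each rule can be read next to its number; this is an added example and not the article's Firewall Builder output. The interface names and the tier 1 and fd01::/16 prefixes are the page's; the home LAN prefix, the tier 2 and tier 3 /64s and the three gateway addresses are assumptions marked ASSUMED in the code. Two things at the top are not in the rule list but are required for any IPv6 firewall to work at all: ICMPv6 must pass (neighbor discovery and Packet Too Big ride on it) and reply traffic for established connections must be accepted.

```sh
#!/bin/sh
# Added example: the page's Rule 0-17 policy written out as ip6tables commands so the
# intent of each rule is visible. Not the page's Firewall Builder output. Interfaces are
# the page's; prefixes marked ASSUMED stand in for values the page does not print.
IP6T="${IP6T:-ip6tables}"            # IP6T=echo prints the rules instead of loading them
EXT=eth0 T1_IF=eth1 T2_IF=eth2 T3_IF=eth3
MAIN=2001:470:f379:1::/64            # ASSUMED: the home IPv6 LAN
T1=2001:470:f379:31::/64             # tier 1 block, from the page
ULA=fd01::/16                        # DMZ unique-local block, from the page
T2=fd01:0:0:2::/64 T3=fd01:0:0:3::/64                              # ASSUMED tier subnets
T1_GW=2001:470:f379:31::1 T2_GW=fd01:0:0:2::1 T3_GW=fd01:0:0:3::1  # ASSUMED router addresses

# Rules 5-7 for one tier: NTP, squid and DNS only, and only at that tier's gateway address
tier_services() {   # $1 interface, $2 tier prefix, $3 gateway address
  $IP6T -A INPUT -i "$1" -s "$2" -d "$3" -p udp --dport 123 -j ACCEPT
  $IP6T -A INPUT -i "$1" -s "$2" -d "$3" -p tcp --dport 3128 -j ACCEPT
  $IP6T -A INPUT -i "$1" -s "$2" -d "$3" -p udp --dport 53 -j ACCEPT
  $IP6T -A INPUT -i "$1" -s "$2" -d "$3" -p tcp --dport 53 -j ACCEPT
}

apply_policy() {
  $IP6T -F; $IP6T -X
  $IP6T -P INPUT DROP; $IP6T -P FORWARD DROP; $IP6T -P OUTPUT DROP
  # Not in the page's list but required: neighbor discovery and Packet Too Big travel over
  # ICMPv6, and replies to connections already allowed must be let through.
  for chain in INPUT FORWARD OUTPUT; do
    $IP6T -A "$chain" -p ipv6-icmp -j ACCEPT
    $IP6T -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  # Rule 0: anti-spoof - DMZ prefixes can never be sources on the external side
  for net in "$T1" "$ULA"; do
    $IP6T -A INPUT   -i "$EXT" -s "$net" -j DROP
    $IP6T -A FORWARD -i "$EXT" -s "$net" -j DROP
  done
  # Rule 1: loopback
  $IP6T -A INPUT -i lo -j ACCEPT; $IP6T -A OUTPUT -o lo -j ACCEPT
  # Rule 2: multicast on the external interface
  $IP6T -A INPUT -i "$EXT" -d ff00::/8 -j ACCEPT
  # Rule 3: the router itself may reach the Internet (squid's upstream fetches, bind forwarders)
  $IP6T -A OUTPUT -o "$EXT" -j ACCEPT
  # Rule 4: SSH from the main network; redundant on a router without sshd, kept as the page has it
  $IP6T -A INPUT -i "$EXT" -s "$MAIN" -p tcp --dport 22 -j ACCEPT
  # Rules 5-7
  tier_services "$T1_IF" "$T1" "$T1_GW"
  tier_services "$T2_IF" "$T2" "$T2_GW"
  tier_services "$T3_IF" "$T3" "$T3_GW"
  # Rule 8: anything else addressed to the router itself
  $IP6T -A INPUT -j DROP
  # Rule 9: ident (tcp/113) gets an immediate reset rather than a silent drop and a timeout
  $IP6T -A FORWARD -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  # Rule 11: DMZ hosts may send mail anywhere except the main network and tiers 2 and 3
  for dst in "$MAIN" "$T2" "$T3"; do
    $IP6T -A FORWARD -s "$ULA" -d "$dst" -p tcp --dport 25 -j DROP
    $IP6T -A FORWARD -s "$T1"  -d "$dst" -p tcp --dport 25 -j DROP
  done
  $IP6T -A FORWARD -s "$ULA" -p tcp --dport 25 -j ACCEPT
  $IP6T -A FORWARD -s "$T1"  -p tcp --dport 25 -j ACCEPT
  # Rule 12: tier 1 reverse proxy to tier 2 web (add 8080/8009 here for Tomcat HTTP/AJP)
  $IP6T -A FORWARD -s "$T1" -d "$T2" -p tcp --dport 80 -j ACCEPT
  # Rule 13: tier 2 application to tier 3 MySQL
  $IP6T -A FORWARD -s "$T2" -d "$T3" -p tcp --dport 3306 -j ACCEPT
  # Rule 14: nothing from the DMZ reaches the home network (Rule 17 would catch it anyway)
  $IP6T -A FORWARD -d "$MAIN" -j DROP
  # Rule 15: the main network may reach every tier; narrow -s to a jump host if you can
  for dst in "$T1" "$T2" "$T3"; do $IP6T -A FORWARD -s "$MAIN" -d "$dst" -j ACCEPT; done
  # Rule 16: anyone, tiers 2 and 3 included, may reach tier 1 web
  $IP6T -A FORWARD -d "$T1" -p tcp -m multiport --dports 80,443 -j ACCEPT
  # Rule 17: everything else
  $IP6T -A FORWARD -j DROP
}

if [ "${APPLY_RULES:-no}" = yes ]; then apply_policy; fi
```

IP6T=echo sh firewall.sh prints the rule set for review; APPLY_RULES=yes loads it. Order matters in two places: the ESTABLISHED,RELATED rule must precede Rule 14, or replies from the DMZ to main network clients would be dropped, and Rule 16 must come after Rule 14 so that it cannot be read as opening the home LAN.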
The following section shows the external test network is denied when trying to reach hosts.
The tier one Internet facing server is an Ubuntu 12.04 server that runs the Squid caching proxy in reverse proxy mode, which is overkill for this site, but this series of articles is just a demo, so anything else can be dropped into place.
The server's real host name, tier1, differs from its vanity name.
The configuration consists of static resolv.conf files and static interface definitions. The proxy IP and port are added to /etc/environment so services that do HTTP/FTP can reach the web. The resolvconf base file points name service at the same router interface as the proxy, since the router provides both services to the host. The /etc/network/interfaces file has the static assignments that activate networking.
Application configuration comes next. Postfix is told to receive mail as the vanity domain azcrumpty.dyndns.org, while the apt package manager is told to use the proxy. Squid is configured to listen on port 80 (plaintext HTTP), connect to its peer on tier 2, and ensure the ACLs permit the traffic.
Apt Proxy Configuration
The tier two server runs application logic for WordPress 3.4.2. The LAMP install option was chosen in the Ubuntu Server install page, and this server uses static configuration files for name service and network configuration like the other nodes.
Note that the environment file uses tier 2 addresses, unlike the tier 1 server. I could have opened the firewall ports for these services on a single interface so the environment files would use the same values.
WordPress was installed into /var/www and configured to talk to the MySQL database in tier three. You can see the WordPress config has the tier3 name in the database field and that all WordPress files are installed into /var/www.
This tier three server is configured with MySQL, Apache, and phpMyAdmin. The MySQL option was chosen in the Ubuntu Server installer page. phpMyAdmin can only be reached internally, because the firewall rules grant access only from inside and the tier 2 and tier 3 IP addresses are unique local.
Like tier 2, the environment must be set up to tell software to use the proxy on the nearest interface, and apt-get is configured this way as well. This is seen in the configuration files below.
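The per-host configuration just described for tiers 1 through 3 (proxy in /etc/environment and in an apt snippet, resolvconf base file, static interface, and the tier 1 squid reverse proxy in front of the tier 2 WordPress server), as an added example that is not the article's own files. The host names and the azcrumpty.dyndns.org vanity domain are the page's; the addresses passed in the usage comment and test are assumptions, and ROOT renders into a scratch directory for review.

```sh
#!/bin/sh
# Added example, not the page's own files: the static configuration each DMZ host gets.
# Every host points name service and the HTTP proxy at the router's address on its own tier,
# in /etc/environment for services and in an apt snippet for the package manager; tier 1
# also gets a squid3 reverse-proxy config that fronts the WordPress server on tier 2.
# ROOT renders into a scratch directory for review; addresses in the usage line are ASSUMED.
ROOT="${ROOT:-}"
write() { mkdir -p "$(dirname "$ROOT$1")"; cat > "$ROOT$1"; }   # $1 = absolute path

# $1 = this host's address/prefixlen, $2 = the router's address on this tier's interface
write_tier_config() {
  proxy="http://[$2]:3128/"                  # IPv6 literals are bracketed inside URLs
  write /etc/environment <<EOF
http_proxy="$proxy"
https_proxy="$proxy"
ftp_proxy="$proxy"
no_proxy="localhost,tier1,tier2,tier3"
EOF
  write /etc/apt/apt.conf.d/01proxy <<EOF
Acquire::http::Proxy "$proxy";
EOF
  # resolvconf rebuilds /etc/resolv.conf from this base file at boot
  write /etc/resolvconf/resolv.conf.d/base <<EOF
nameserver $2
search chickenkiller.com
EOF
  write /etc/network/interfaces <<EOF
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet6 static
    address ${1%/*}
    netmask ${1#*/}
    gateway $2
EOF
}

# Tier 1 only: squid3 answers on :80 for the vanity name and hands requests to tier 2
write_tier1_squid() {
  write /etc/squid3/squid.conf <<EOF
http_port 80 accel defaultsite=azcrumpty.dyndns.org
cache_peer tier2.chickenkiller.com parent 80 0 no-query originserver name=wordpress
acl site dstdomain azcrumpty.dyndns.org
http_access allow site
http_access deny all
cache_peer_access wordpress allow site
cache_peer_access wordpress deny all
EOF
}

# Usage (ASSUMED addresses): HOST_ADDR=fd01:0:0:2::10/64 TIER_GW=fd01:0:0:2::1 RENDER=yes sh tier.sh
if [ "${RENDER:-no}" = yes ]; then write_tier_config "${HOST_ADDR:?}" "${TIER_GW:?}"; fi
```

The squid config is deliberately closed: only requests whose Host header is the vanity name are accepted and forwarded, so the tier 1 proxy cannot be used to reach arbitrary origins behind it.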
The Onion Router can be used to simulate an external network for IPv4, but Teredo Tunneling works well for the same purpose and doesn't have exit node restrictions. You will need this test network available so you can simulate external clients since your main network is fully trusted.
An Ubuntu Live CD behind NAT in a VirtualBox virtual machine, with miredo tunneling installed so IPv6 is activated, is all you need to get up and running with an external IPv6 client at your premises. Placing it behind NAT keeps it from receiving router advertisements from the main network, so your IPv6 client won't be on your main IPv6 network.
Boot the virtual machine and ensure a Teredo type tunnel is installed. For Ubuntu, sudo apt-get install miredo does the trick. There are clients for other operating systems, and GoGo6 is one of the more popular choices.
You now have an external network that you can use while at home without needing to leave your premises.
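Before trusting the test client as "external", it is worth checking that it really is: it should hold a Teredo address and no address from the home prefix, which would mean a router advertisement leaked through the NAT. Here is that check as an added example, not part of the original article; the home prefix it looks for is an assumption, and the ip -6 addr output it parses offline is constructed.

```sh
#!/bin/sh
# Added example, not from the page: before trusting the VirtualBox client as "external",
# confirm from its `ip -6 addr` output that it holds a Teredo address (2001:0::/32) and
# no address from the home site prefix, which would mean a router advertisement leaked
# through. SITE_PREFIX is ASSUMED to be the /48 the page's tier 1 /64 is carved from.
SITE_PREFIX="${SITE_PREFIX:-2001:470:f379:}"

# $1 = text of `ip -6 addr show`; prints a verdict, returns 0 only when the client is external
check_external_client() {
  teredo=0; leaked=""
  while read -r kind addr _; do
    [ "$kind" = inet6 ] || continue
    case "$addr" in
      2001:0:*|2001::*) teredo=1 ;;                 # Teredo 2001:0000::/32, either spelling
      "$SITE_PREFIX"*)  leaked="$leaked $addr" ;;   # home network address on an "outside" box
    esac
  done <<EOF
$1
EOF
  if [ "$teredo" -eq 0 ]; then echo "no Teredo address: is miredo running?"; return 1; fi
  if [ -n "$leaked" ]; then echo "home prefix present:$leaked (RA leaked past NAT)"; return 2; fi
  echo external
}

# Constructed samples of `ip -6 addr` output for offline runs
SAMPLE_OK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 fe80::a00:27ff:fe12:3456/64 scope link
3: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280
    inet6 2001:0:53aa:64c:1c2f:3a3b:c0a8:101/32 scope global
    inet6 fe80::ffff:ffff:ffff/64 scope link'
SAMPLE_LEAK="$SAMPLE_OK
    inet6 2001:470:f379:1::1234/64 scope global dynamic"

# On the test VM: CHECK_LIVE=yes sh check.sh
if [ "${CHECK_LIVE:-no}" = yes ]; then check_external_client "$(ip -6 addr show)"; fi
```

A client that fails the second check is not a useful test of the firewall, since its traffic would arrive from the fully trusted main network and match Rule 15 instead of the Internet-facing rules.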
Configuration steps from NAT to test are shown below along with logs showing access and denial of the external client.
You can see the external client accessing the reverse proxy in tier 1 below.
Below is the firewall preventing the external client from accessing other resources.
I took advantage of a FreeDNS provider for these systems. Reverse DNS only works on tier one since that uses a prefix that can be defined in the DNS provider. Hurricane Electric's tunnel broker makes delegation for reverse number to name mapping easy so use it to your advantage.
All hosts are in the chickenkiller.com domain and use the simple names tier1, tier2, and tier3. However, the site uses a vanity domain of azcrumpty.dyndns.org for presentation.