Iptables Basic Introduction

Iptables is the Firewall of many Unix based Systems. It's quite easy to install and easier to manage than most people would think. Lately I became the SysAdmin of a Linux based Root Server and wanted to secure it as much as possible. So I went for my first exercise with Iptables and found that it is quite easy to manage as long as you know some important things.

1.) The Chains
The Iptables are in fact tables. There are three possible "Chains": Input, Forward and Output.

2.) Position Counts
The Position of a Rule in these tables is VITAL!
Normally you start with the Input Table and write in which Services are allowed to access your server, e.g. Apache (Webserver), SSH, etc. Then you set a big DROP. Everything after this Drop, even if it says Accept, does not count: the Packet gets dropped. Watch out for your chain and the position of the rules!

3.) Established Sessions
If your server asks for a service or website, it might call out over Port 80. But the answer from the other server could come in on a different port. Iptables would then drop this answer, as it does not know what to do with it. If you set a Global Allow on Input for all Established or Related Connections (i.e. already running connections, things we sent out ourselves and such) this will not happen and your stuff will run without problems. You NEED to do that.

Show current Iptables and rules:
iptables -L

Show current Iptables and rules with more details:
iptables -L -v

Allow incoming traffic on Webport for Webserver:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This tells iptables to Append (-A) this rule to the Input Table.
The Protocol (-p) is tcp. The Destination port (--dport) is 80.
Jump (-j) to Accept and let the Packet pass.

Allow incoming traffic for SSH:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow everything on the Loopback Interface:
iptables -A INPUT  -i lo -j ACCEPT
-i means the interface

Allow Established Sessions (see 3.!)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
If that gives an error:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Drop everything else:
iptables -A INPUT -j DROP

After the last line, nothing except the Apache and SSH Server will be accessible anymore.
To insert a new Accept Rule before the drop, use
iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
This Inserts the new Rule at place 1, with TCP on the Telnet Port, and Accepts every connection.
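
The two pitfalls from 2.) and 3.) can be checked mechanically. The following shell script is an added example, not part of the original howto: the function names and both sample rulesets are constructed for illustration, and it only looks at INPUT rules in the `iptables -S` format, not at chain policies.

```shell
#!/bin/sh
# Added example: lint the INPUT chain for shadowed rules and a missing
# ESTABLISHED,RELATED rule. Reads rules in `iptables -S` format on stdin.
# Exit status: 0 = no findings, 1 = at least one finding.

lint_input_chain() {
    awk '
    /^-A INPUT / {
        n++
        # Rules are evaluated top to bottom and the first match wins, so
        # anything after an unconditional DROP/REJECT can never be reached.
        if (catchall) {
            printf "UNREACHABLE rule %d (catch-all is rule %d): %s\n", n, catchall, $0
            bad = 1
            next
        }
        # Stateful accept for replies to our own outgoing connections; matches
        # "-m conntrack --ctstate" as well as the older "-m state --state".
        if ($0 ~ /--(ctstate|state) [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) { stateful = n }
        # A rule without any match options, e.g. "-A INPUT -j DROP".
        if ($0 ~ /^-A INPUT -j (DROP|REJECT)/) { catchall = n }
    }
    END {
        if (catchall && !stateful) {
            print "MISSING ESTABLISHED,RELATED accept before the catch-all: replies to outgoing connections get dropped"
            bad = 1
        }
        if (!catchall) { print "NOTE no catch-all DROP rule in INPUT (the chain policy decides)" }
        if (!bad) { print "OK " n " INPUT rules, none shadowed" }
        exit bad + 0
    }'
}

# Constructed sample: the port 21 rule was appended (-A) after the DROP,
# and there is no ESTABLISHED,RELATED rule at all.
sample_broken() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
EOF
}

# Constructed sample: the same services, with the port 21 rule inserted at
# position 1 (-I INPUT 1) and the DROP as the last rule.
sample_fixed() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
EOF
}

echo "== broken =="; sample_broken | lint_input_chain || echo "-> findings above"
echo "== fixed ==";  sample_fixed | lint_input_chain
```

On a running system the same function can read the live chain with: iptables -S INPUT | lint_input_chain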

To save iptables enter:
iptables-save > /etc/iptables.rules
This writes the current iptables rules to the named file.

To load the iptables enter:
iptables-restore < /etc/iptables.rules

Delete all rules and therefore disable the firewall temporarily:
iptables -F

Everything taken from: https://help.ubuntu.com/community/IptablesHowTo

Appendix for Ubuntu:
Autoloading and Saving Iptables?

Autoloading: In /etc/network/if-pre-up.d, create an executable (chmod +x) file, e.g. iptablesload:
#!/bin/sh
iptables-restore < /etc/iptables.rules
ip6tables-restore < /etc/ip6tables.rules
exit 0

Autosaving: In /etc/network/if-post-down.d, create an executable (chmod +x) file, e.g. iptablessave:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
    iptables-restore < /etc/iptables.downrules
fi
ip6tables-save -c > /etc/ip6tables.rules
if [ -f /etc/ip6tables.downrules ]; then
    ip6tables-restore < /etc/ip6tables.downrules
fi
exit 0

[Jasager] Fon/Fon+ Newbie Guide to Installation of Jasager 1.0 Firmware

Pre Info:
This guide has been made with a Fon+ (2201), but should work with any other
Fonera Classic as well. Only limitation is that I have Problems with my
Jasager in Terms of SSIDs, there seems to be a Problem which hasn't been
addressed by Digininja, but the Rest should work.
(Problem described here: http://hak5.org/forums/index.php?showtopic=13883 )

This guide should be quite useful and has been written by using guides and
stuff from this Forum, I just wrote it together and added my own experiences.
Maybe that will turn out as a good starting point and help some newbies.

This Guide ain't perfect and if you think I could add some info - just write me,
I would be happy to provide more accurate Information to make life for new Jasager Friends easier!

Good Luck,
Yours, Nico

0.) Get it started!
- Get the Jasager 1.0 Firmware from Digininja
http://www.digininja.org/jasager/download.php
- Build a Serial Adapter
It's not that hard and you should build one, so you can recover a dead Fonera.
I.e. http://www.dd-wrt.com/wiki/index.php/LaFonera_Hardware_Serial-Cable-Port
I built that myself ("the ugly one") and it works.
Just to add two things:
i) You need to wire RS232 TX to the RX of the Serial (S2) and RS232 RX to the TX
(S3) of the Serial Connector (and 5 is the Ground)
ii) If you use a Fon+ (2201), the Serial Connector on the Phone is like that:

ethernet port

c x VCC 3,3 V MEMORY
a x TX
s x RX CPU
e x GND

1.) Flashing the Fon+ to Jasager
a) With Serial Port only:
- Extract the two Firmware Files onto your PC
- Connect to Serial (9600 baud, 8 Bit Data, 1 Stop Bit, No Software/Hardware Flow Control)
- Power Up the Fonera and Press CTRL+C (within 2 Seconds)
You end up in RedBoot>

Enter fconfig and press Enter until you come to the point Console Baud Rate.
Change the 9600 to 115200. Press enter again till the end and accept the flash with y.
Enter Reset and change the Serial Port settings to 115200 baud.
Repower the Fonera and Press CTRL+C (within 2 Seconds)
You end up in RedBoot>

Enter these Commands:
// Complete Kill of the Fonera Software:
fis init -f
// Download the Firmware Header and Root (fis can take about 20 Minutes!)
load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma -m xmodem
fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.17
load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs -m xmodem
fis create -l 0x6F0000 rootfs
// Configure Bootup, enter:
fconfig
// Enter Bootup Script, enter these two lines and press Enter a third time
fis load -l vmlinux.bin.17
exec

// The complete Config should look like this (nothing changed other than the Bootup Script!)
RedBoot> fconfig
Run script at boot: true
Boot script:
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.17
>> exec
>>
Boot script timeout (1000ms resolution): 2
Use BOOTP for network configuration: false
Gateway IP address:
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot>
// Reboot, you're done with flashing!
reset

b) With Serial Port and Tftp Server:
- Extract the two Firmware Files onto a reachable tftp Server
- Connect the Wan Port to your Network
- Connect to Serial (9600 baud, 8 Bit Data, 1 Stop Bit, No Software/Hardware Flow Control)
- Power Up the Fonera and Press CTRL+C (within 2 Seconds)
You end up in RedBoot>

Enter these Commands:
// First IP is the Fonera IP/Subnet, Second is the TFTPServer
ip_address -l 192.168.2.99/24 -h 192.168.2.8
// Complete Kill of the Fonera Software:
fis init -f
// Download the Firmware Header and Root (fis can take about 20 Minutes!)
load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.17
load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
fis create -l 0x6F0000 rootfs
// Configure Bootup, enter:
fconfig
// Enter Bootup Script, enter these two lines and press Enter a third time
fis load -l vmlinux.bin.17
exec

// The complete Config should look like this (nothing changed other than the Bootup Script!)
RedBoot> fconfig
Run script at boot: true
Boot script:
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.17
>> exec
>>
Boot script timeout (1000ms resolution): 2
Use BOOTP for network configuration: false
Gateway IP address:
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot>
// Reboot, you're done with flashing!
reset

c) Via Fon Flash:
- Get FonFlash (and install the wpcap Drivers as well; they are included in Wireshark)
- Start FonFlash
- Select your Network Interface Card
- Select Rootfs (openwrt-atheros-root.squashfs)
- Select Kernel (openwrt-atheros-vmlinux.lzma)
- Press Flash Router now and Power Up the Fonera.
- Takes approx. 20 Minutes

2.) Connect and Basic Settings
// telnet to 192.168.1.1 and change the root passwd to enable SSH.
telnet 192.168.1.1
passwd
ilovepineapples
ilovepineapples

3.) Fixing Webif
You have two Webinterfaces on the Jasager.
First the Karma/Jasager one at 192.168.1.1:1471,
and Second the Webif/X-Wrt on 192.168.1.1.
In Webif, you can change things like IP Addresses and watch a bunch of data.
It gives you easy configuration for your Fon+ if you're not so used to the CLI in Linux.
Now that you have changed the root password and therefore have access to ssh,
you can use putty to connect to 192.168.1.1

a) Opkg
echo "src X-Wrt http://downloads.x-wrt.org/xwrt/kamikaze/8.09/atheros/packages" >> /etc/opkg.conf
opkg update
opkg remove -recursive luci-*
opkg update
opkg install webif
reboot

Manual
// Remove Previous Install
opkg -recursive remove haserl
// Download and move these files to the tmp directory on the fon using winSCP
haserl_0.9.24-1_mips.ipk
webif_0.3-4709_mips.ipk
webif-theme-xwrt_0.3-4709_all.ipk
// Install the files using putty.
opkg install haserl_0.9.24-1_mips.ipk
opkg install webif_0.3-4709_mips.ipk
opkg install webif-theme-xwrt_0.3-4709_all.ipk

4.) Enable Wireless
uci set wireless.wifi0.disabled=0
uci commit wireless && wifi
reboot

5.) Duplicate Ports (only on Fon+ 2201)
http://www.frontiernet.net/~beakmyn/JasagerIntercept_Install.html

6.) There is no Step 6. Have fun!

(( http://hak5.org/forums/index.php?showtopic=14973 More Info on Jasager on http://www.digininja.org/jasager/ ))

XModem Flash Recovery of new c3560, c3560e, c3750, c3750e, etc...

Right at the moment I'm sitting in one of our wire closets, watching a c3750 (hopefully) recovering its mind to its old function and behavior - through an XModem transfer of its current IOS. Because of a power failure on our campus the unit actually "bricked" - the flash system became corrupted and the unit ended up in the ROMMON Mode "switch:".

That's pretty bad - but not so bad that we couldn't fix it.

1. Connect to the console port with the usual settings of 9600 Baud, 8 Bit, No Control, 1 Parity.

2. Power up the switch and hold the mode button until it comes to the ROMMON - and yeah, if you did delete the IOS or your switch is bricked like mine, it does come to this point on its own - no need to do that.

3. Before doing anything, check the file system with fsck flash: - if that gives errors you should really format the flash, as it is corrupted and there's no point in flashing it a second time, because the new IOS will become bricked as well (I figured that out myself some minutes ago...). So if you don't have any important data like a non-saved config on that flash, erase it with format flash: and reboot the switch with reset. Test again with fsck; if there are still errors: Forget the switch, send it to Cisco. If not, we're going on with our mission:

4. set BAUD 115200
After that you will see nice looking stuff. Set your console to 115200 BAUD as well. It's important to do that, as the download of the IOS will take 2-4 hours otherwise. But don't forget to set it back after everything is done with set BAUD 9600

5. flash_init
Initializes the flash.

6. load_helper
Loads the helper. Sometimes useful.

7. copy xmodem: flash:IOSFILENAME
That will start the xmodem download. In Tera Term, click File, Transfer, Xmodem, Send and choose the IOS binary. Yes, important: Not a tar File, only the IOS bin.

8. The Download begins, that will take 20 Minutes or so... Some sweet time, but as we know it could be really worse. So kick back, do something useful - like writing this tutorial ;-)...

9. It's done. Enter boot and it will boot. If not, it's bricked. Don't forget to set back with set BAUD 9600

Cisco AP1231 Autonomous LWAPP to Auto Downgrade

Downgrading an LWAPP Cisco Access Point which was used with the Wireless Control System can be very time consuming. Can. Doesn't need to. Cisco did some nice stuff to make life easier: An auto "downgrade" function. To use this you need the following:

- Tftpd32 Server or similar tftp Server
- An autonomous IOS File for your Access Point (i.e. for the 1231 the file c1200-k9w7-tar.123-8.JEC.tar)

1. Setup your tftpserver and give it an ip out of the range 10.0.0.2 - 10.0.0.30 with the Subnetmask 255.0.0.0
2. Copy the IOS File to the tftpserver root, mostly called tftpboot in Linux
3. Rename the file from - for example c1200-k9w7-tar.123-8.JEC.tar to c1200-k9w7-tar.default
4. Plug in the Ethernet Port on your Access Point (a direct Connection from PC to AP needs a Crossover Cable!), connect the AP also to the serial console if you want.
5. Press and hold the "Mode" Button on the AP and plug in power.
6. Wait until the orange blinking middle led turns solid red (ca. 30 sec) and then release the "Mode" Button
7. The AP will start downloading the firmware and reflash itself. DO NOT TURN IT OFF OR KILL THE CONNECTION!

[Asterisk] Part 2: Installation, Configuration of an Askozia PBX and getting it working with Snom 360

- Download and burn the latest 1.0 Release as PC Live ISO (www.askozia.com,i.e. pbx-cdrom-1.0.3.iso, 30 MB)
- Insert it into your target PC and boot from it
( You could now already use this as live running Askozia Version - but we're going to install it onto the HDD )
- Just choose option "Install to Harddrive", choose the HDD you want to install onto and accept the questions, warning that your Data will be erased.
- Reboot and remove the CD from the drive.
- Choose Option 2 and set IP, Subnet (default 24), Gateway, DNS, choose whether you want to go back to http or use ssl encrypted https
- Go to your PC and enter http://ipoftheaskoziapbx or https://ipoftheaskoziapbx depending on your choice in the last installation step.
- The default login data is admin, askozia
- Go to the General Setup, change Username, Password and other Settings you would like and save.
- Go to Voicemail, enter an E-Mail Account (username, pw, email, smtp server) you would like to use for the Voice Mail feature. Save the configuration and enter your own E-Mail Address in "Test E-Mail" and press E-Mail Me - if that works, you have Voicemail working.
- Go to Interfaces, change the Interface settings to your liking and add an ISDN or Analog Interface if you have one.
- Now your basic installation is done, go to reboot and restart your system.

Create a Sip Account and connect Snom 360
- Login to your Askozia again
- Choose Phones and click on "Add Sip"
- Enter the needed Information:
- Extension is your phone number
- Caller ID is the Name of the person behind that number
- Password is needed to secure the SIP Account
- Voicemail is the E-Mail Address of the Person, so Askozia can send you a) missed call notifications, b) your Mailbox Entries as wav
- You need to activate for a) "send missed call notifications" as well
- Choose your Language
- And you may enter a Description and Advanced Settings if you want
- Press Save

- Login to your Snom 360
- Choose Identity 1 (i.e.)
- Enter the needed Information:
- Identity active: on
- Displayname you can choose to your liking - maybe Sip Askozia
- Account is the Extension / Phone Number
- Password is the Sip Password
- Registrar is the IP of your Askozia PBX
- Press Save and Re-Register
- Enter your Password again on the Snom 360 and press the "Check Mark" button

Now you're done and can phone. Just enter the number of the other SIP Phone and press "Check Mark" to start calling.

Conferencing:
Under Services, Conferencing you have a Conference Room in the Askozia. By default, calling number 2663 will get you there and you can conference with other Sip Users

Applications:
Under Dialplan, Applications you can call 3 Applications. 00003246 - Echo Test, 00009253 - WakeMe (a Wake Up Call Manager), 000064554 (1000Hz Test Tone)

Call Groups:
Under Dialplan, Call Groups you can set Call Groups (one Extension rings multiple Phones)

Interfaces:
Under Interfaces you can change Interface settings - e.g. configure an ISDN Interface like an AVM Fritz Card ISDN, which is recognized in Askozia Stable 1.0.3

Providers:
Under Accounts, Providers you may add e.g. a Sipgate Account to the PBX

Phones:
Under Accounts, Phones you can change Phone settings and add Provider Accounts to the Phone

[Asterisk] Part 1: Basics and Choosing the right OS

Finally the time has come for our first VoIP or Voice over IP Project. The final goal of this project is to integrate a Software Asterisk VoIP System into an already existing PBX / ISDN Environment, allowing Users on Analog and ISDN Phones to receive and send VoIP Calls by using the Asterisk Gateway - and vice versa. A good starting point is the most famous open source Voice PBX, called Asterisk. Asterisk is available in many flavors and colors: from a commandline install on little OpenWRT enabled Routers to a Highpowered Cluster Solution running tens of thousands of phones at the same time, manageable via a nice looking Webinterface and Batch Files.

As a starting point, myself and Co Worker Sebastian picked out the three most popular releases and integrations of the Asterisk server:

- AsteriskNoW! ( http://www.asterisk.org/asterisknow/ )
AsteriskNow is a development of Digium, which also develops Asterisk.
Uses CentOS.

- trixbox ( http://www.trixbox.org/ )
Trixbox is a PBX which has been built for business use and therefore has many options and special settings.
Uses CentOS.

- Askozia ( http://www.askozia.com/ )
Askozia uses the same system the m0n0wall and FreeNAS Appliances are built upon and is therefore very small and very lightweight.
Uses FreeBSD / m0n0wall / FreeNAS System.

As for the test systems, we decided to put all three Systems on real world servers, the first two, because of their quite heavy resource needs, onto 2 identical Tyan Tomcat Servers, powered by Pentium 4, 3 GHz, 1 GB of RAM and a SATA RAID Controller, mirroring the 160 GB Drive (RAID 1) to a second HDD. We got two 1 Gbit NICs and other stuff.

The test node for the Askozia is a Pentium 2 MMX, 500 MHz, 64 MB RAM, 8 GB HDD, 1 100 Mbit NIC and an AVM Fritz Card.

After extensive tests of the systems we came to choose two favorites:
- Askozia
Because it is very lightweight, has a very simple configuration and a low impact even on the tiny system
Downside: Not many options, shell access only with additional packages, limited expert options

- trixbox
For being very powerful and possessing many options.
Downside: Hardware hungry, VERY many options

Having said that, we shut down the two big servers and concentrated on the low end HP Desktop running Askozia. To be able to connect to an ISDN PBX we needed support for the AVM Fritz Card. Luckily we found this support included in the stable 1.0.3 release. The current 2.0.0 beta does NOT run with AVM and does not even recognize the Card. I wrote a report on the Forum and the admin quickly replied to it; I'm waiting for a fix of the problem and therefore continued the work with the 1.0.3. Actually, including Voicemail, two Sipphones, a Conference Room and such is so easy that anyone can do it in less than 5 Minutes. But first things first - in the Installation How To.

Snom 360 Update and Password Reset

WARNING, this is ONLY for Users of a Snom 360 with Firmware Revision 6.X.
If you have a different Revision the steps could be different.
Check out the Snom Wiki in that case ( http://wiki.snom.com/Firmware ).
Basically we just reflash the Firmware with the same Revision again to erase data and passwords and unlock the Phone.
Then we do an automatic update to the latest release.

- Download the latest Snom 360 Firmware from the Snom Website for your Revision ( http://wiki.snom.com/Firmware/V6/Latest_Release )
- Download tftpd32 or a similar tftp Server
- Rename the Firmware to snom360.bin and upload it to the root Directory of the tftp Server
- Plug in the Network Port and Power to the Snom
- As the message "To Update by TFTP: Press Any Key" appears, press any key on the phone
- Enter valid IP Data for the Phone. Always press Next. I.e. the IP, the Subnet, the Gateway, DNS and the IP of your tftp Server.
- When you're finished, it will ask for this again and again; press Check Mark right beside the big X Button. The tftp Download will start. Don't unplug the phone during the Firmware Update. The Phone will automatically reboot after the flash is done.
- After this flash we have reset all data - including the passwords, so we now can press the Help Button on the phone and get the IP address of the phone, and connect to it by using an HTML Browser. But before you access the website, you need to enter the Administrative mode of the phone, otherwise you won't be able to change any setting or update the phone. So press the Settings Button and press "Administrative Mode" - password is 0000 by default. Press Check Mark to accept. Now access the Website.
- To update to version 7 Firmware (the latest Firmware, experimental) you need to go to the Advanced Tab, scroll down to Update. Set the Update Policy to "Update automatically" and the Setting URL to "http://provisioning.snom.com/update6to7/update_once.php". Press Save and Reboot, Accept with Yes. The Phone will Reboot.
- After the reboot, the phone will access the internet and check automatically for an update, download it and start flashing. It will reboot several times, don't power it off until it's done. It should take something like 10 Minutes or more, depending on your Internet connection. If it doesn't reboot anymore and shows the normal menu for longer than half a minute you can consider it ok.
- You can now create Identities (Profiles) for your Sip / VoIP Accounts and reregister them via the Webinterface.

[EEE901/1000] Use Windows XP Bluetooth-Stack on Asus 901/1000

- Deactivate Bluetooth in the Asus-Tray-Utility
- Open C:\WINDOWS\INF\BTH.INF with the Editor.
- Look for:
[Manufacturer]
%Microsoft%=Microsoft
ALPS=ALPS, NT.5.1
Belkin=Belkin, NT.5.1
...

- Now add "Asus=ASUS, NT.5.1". It should look like this:
[Manufacturer]
%Microsoft%=Microsoft
ALPS=ALPS, NT.5.1
Asus=ASUS, NT.5.1
Belkin=Belkin, NT.5.1
...

- Now look for "[Zeevo.NT.5.1]". It should look like this:
[Zeevo.NT.5.1]
Zeevo Bluetooth Solution=                        BthUsb, USB\Vid_0b7a&Pid_07d0&Rev_0126
Zeevo Bluetooth Solution=                        BthUsb, USB\Vid_0b7a&Pid_07d0&Rev_0133

- Beneath it, add the following:
[Asus.NT.5.1]
Asus BT-253=                        BthUsb, USB\VID_0B05&PID_B700

- Result:
[Zeevo.NT.5.1]
Zeevo Bluetooth Solution=                        BthUsb, USB\Vid_0b7a&Pid_07d0&Rev_0126
Zeevo Bluetooth Solution=                        BthUsb, USB\Vid_0b7a&Pid_07d0&Rev_0133
[Asus.NT.5.1]
Asus BT-253=                        BthUsb, USB\VID_0B05&PID_B700

- Save and leave the editor
- Now it depends on whether you installed the Widcomm Software or whether you start with a fresh Win XP Installation

With Widcomm-Software:
- Activate Bluetooth in the Asus-Tray-Utility, Bluetooth Symbol should be white
- Go to System, Software and remove Widcomm-Bluetooth-Software
- At the end, the system wants you to deactivate Bluetooth - do that via the Tray Utility
- Then it wants to reboot - DON'T do that.
- Activate Bluetooth again in the Asus-Tray-Utility
- Windows should start installing its own Bluetooth Stack
- Reboot after that, you're done

Without Widcomm-Software:
- Just activate Bluetooth in the Asus-Tray-Utility and it should start installing
- If not, go to the Hardware Manager and "search for changed Hardware"

Internal Notes:
C:\WINDOWS\INF\BTH.INF
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
bthprops.cpl

I found it btw in a German forum and did roughly translate it, because I found it very useful as I only use Bluetooth for s25@once with my mobile phone.

Windows 2000 / XP Password Special

So, you logged out of Windows and need to get your password back? That's what this little collection is for.

Let's say you need to "crack" a Windows 2000 / XP Password, e.g. for login data. Then you should go for Ophcrack: http://ophcrack.sourceforge.net/

If you just want to log in to Windows 2000 / XP / Linux etc. with admin rights, without using or cracking the password, go for konboot: http://www.piotrbania.com/all/kon-boot/

And should you stumble across the problem of having forgotten your network drive passwords and login, but still have access to Windows and have these passwords saved, use Nir Soft Network Password Recovery: http://www.nirsoft.net/utils/network_password_recovery.html

Be advised ONLY to use these programs if they come from the original website, as other websites do add keyloggers and other nice stuff to them. And only use these tools if you own the pc or have the rights to - check your local law!

Quick'n Dirty Moodle Learning Platform Setup

Download and Install TurnKey LAMP (Vmware Appliance)
http://www.turnkeylinux.org/redir.php?url=http%3A%2F%2Fswitch.dl.sourceforge.net%2Fproject%2Fturnkeylinux%2Fturnkey-lamp%2F2009.10-hardy-x86%2Fturnkey-lamp-2009.10-hardy-x86.zip

go to http://IP

go to Webmin (https://IP:12321)
change root pw
change root pw in mysql
create mysql table utf8-unicode "moodle"
mkdir /var/moodledata
chown nobody /var/moodledata
chmod 777 /var/moodledata

root@lamp:/var# apt-get update
root@lamp:/var# apt-get install wget
root@lamp:/var# apt-get install php5-gd
root@lamp:/var# apt-get install php5-curl
root@lamp:/var# apt-get install php5-xmlrpc

cd /var/www
wget http://download.moodle.org/download.php/direct/stable19/moodle-weekly-19.zip
unzip moodle-weekly-19.zip

Access http://ip/moodle

(create config.php in /var/www/moodle)

change pwd,
user admin, pw admin

upload user.csv as iso8859-1 (if you're using öüä!) batch import

setting up firewall
setting up nat
setting up dyndns server for dyndns address

with phpmyadmin `moodle`.`mdl_mnet_host` change to:
Bearbeiten       Löschen       1      0      http://DYNDNSADRESS/moodle      CORRECTDNSADRESS.COM                    0      0      0      0      0      0      NULL      1

$ apt-cache search php | grep gd
php5-gd - GD module for php5