the details in this post apply to version 11.10 (Oneiric Ocelot), and may or may not work with other versions. as always i offer no guarantees of the following working for you. you should be comfortable working with linux already if you want to recreate any of what i do, and i can't be held responsible for anything that might go wrong...
if you want to play around with VMs, go and download the free VMware player. it's pretty good for most people's needs. i prefer VMware workstation as it has some useful features like snapshots, and the ability to create virtual networks between VMs. (snapshots are great, once you've installed the OS and got it configured to a basic state you can take a snapshot and easily get back to that point whenever you like)
Turn off the screen lock
i will often get sidetracked when working with the VM, so turning off the screen lock etc is a must as it's annoying to have to keep entering my password to unlock when i finally come back to it.
System Settings > Personal > Screen
Turn off after: Never
Make sudo usable
in Ubuntu the root account exists but logins are disabled by default. sudo (superuser do) is available to allow normal users to execute commands with root privileges.
i like to set up sudo so that i can use it without having to enter a password. this does present a security risk but it saves a bit of time if you're working with multiple terminals, or rebooting frequently when making significant system changes.
to do this open a terminal (Ctrl+Alt+T) and type
sudo visudoit will prompt for the password. at the bottom of the file (and i do mean the very last line; read the man pages if you want the full details of how it's parsed) add a line
username ALL=(ALL) NOPASSWD: ALLthen press Ctrl+O, Return, Ctrl+X. you will be back at the terminal. now you can use sudo without a password. once you've finished making changes to the system you can always open visudo again and comment the line out until you need it again. if you have only a handful of commands that you regularly need sudo for you can also configure sudo to skip the password for specific things, check the man pages.
Install VMware tools
this enables nice features like dynamic display resolution changes, copy and paste between host and guest etc.
open-vm-tools is a project that's undergoing development so don't expect all the vmware tools features you get in, for example, a windows guest to be working out-of-the-box.
open a terminal
sudo apt-get install open-vm-toolsit will take a moment to download the required bits and pieces. once done restart Ubuntu.
Set up a basic firewall
Ubuntu has iptables installed, but not configured to actually do anything by default.
if you've been playing with iptables, it's a good idea to start by flushing any existing rules
sudo iptables -Fit is always better to start with everything closed and open what you need, rather than having an 'open' policy and then blocking things. change the default policies of the INPUT, FORWARD and OUTPUT chains to DROP.
sudo iptables -P INPUT DROPthe loopback interface needs two rules to function correctly
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A INPUT -i lo -j ACCEPTnow create a rule to handle connections already established by the host
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPTand some rules to allow basic web browsing (UDP port 53 for DNS lookups, TCP port 80 for http, TCP port 443 for https)
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPTand that's a very simple firewall set up. if you are using a POP3/SMTP client for handling your emails then you might like to add some specific rules to limit traffic only to specific email servers (depends how paranoid you're feeling!)
sudo iptables -A OUTPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
e.g. if you were using yahoo's pop and smtp servers you could use nslookup to find the ip addresses and add rules for them
sudo iptables -A OUTPUT -p tcp --dport 110 -d 18.104.22.168/32 -j ACCEPTrefer to the man pages if you want to do anything particularly fancy like NAT, packet marking/mangling etc.
sudo iptables -A OUTPUT -p tcp --dport 25 -d 22.214.171.124/32 -j ACCEPT
Make your firewall persistent
sudo nano /etc/network/if-post-down.d/iptables.moo
iptables-save > /somewhere/accessible/current.iptables
sudo nano /etc/network/if-pre-up.d/iptables.moo
iptables-restore < /somewhere/accessible/current.iptables
sudo chmod +x /etc/network/if-pre-up.d/iptables.moo
sudo chmod +x /etc/network/if-post-down.d/iptables.moo
as of Ubuntu 12.04 (and possibly earlier) this method no longer works due to the way in which Network Manager handles if-pre-up.d (it doesn't, basically).
just use iptables-persistent instead, it's less ballache.
Install Wireshark and configure it to play nicely
if you're doing stuff with iptables, chances are you've heard of Wireshark. if not, it's a great little tool to monitor network traffic. it can be installed with the following
sudo apt-get install wiresharkyou will notice though that if you run it from the dash home you can't capture on any interfaces. this is because by default dumpcap needs root privileges. in a terminal issue the following command
sudo dpkg-reconfigure wireshark-commonand answer yes to the question "should non-superusers be able to capture packets?" this will create a user group called wireshark that will allow packet capturing. all that remains is to add yourself (or the user account that will be running wireshark) to the group.
sudo usermod -a -G wireshark usernamenow you can run wireshark and capture packets on all available interfaces. N.B. you will need to log off and back on before it will work.
running wireshark inside a VM is particularly useful because in the VM settings you can select the network to operate in bridge mode and then assign the VM its own IP address on the host NIC. this is useful for things like short-term DMZ monitoring etc.
think that'll do for now...i might write another post if i think of anything that might be useful