Linux as Wireless Windows Terminal with Printer

Tietopaimen Oy
Kalle Hallivuori

Debian GNU/Linux Wireless Terminal
Microsoft Remote Desktop Client Only
Printing to local HP LaserJet 1015 with Samba

Version 0.3, 2004-04-27

Index

1.  Debian Installation

1.1  first phase

1.1.1  Configuring a PCI Network Card

Skip to "Configuring a PCMCIA Network Card" if that applies more closely to your configuration.

  •  use virtual terminal #2 (1) to determine your network card

    ifconfig -a

    •  when you see an entry labeled 'eth0', your card has been detected and associated with a kernel driver module
    •  otherwise, try to find the card in the PCI bus:

        grep 'Ethernet' /proc/pci

  •  in kernel/drivers/net, select the driver matching your network card
  •  check that you now have an 'eth0' entry reported by 'ifconfig -a'

1.1.2  Configuring a PCMCIA Network Card

The PCMCIA subsystem will take care of finding the network card and installing associated kernel modules. Just take care not to remove PCMCIA support when asked about it.

1.2  after reboot

1.2.1  mail configuration

  •  choose "3) Satellite system"
  •  system name: use default
  •  domain name: enter your domain name
  •  mail server name: usually 'smtp'
  •  redirect mail to the created user account ("winuser")

1.3  Update from Woody (Stable) to Sarge (Testing)

1.3.1  if you use a wireless network connection

  •  allow unencrypted connections (at least from the current machine's MAC address) through your Access Point until you get the 'wireless-tools' package installed from the network
    •  this will open your network for wireless intrusion; take appropriate care.
  •  if you haven't yet configured your network connection, you have to do it now:

    cat >> /etc/network/interfaces

    auto eth0
    iface eth0 inet dhcp

    [Control-D]

    (insert an empty line before the input)

    ifup eth0

1.3.2  Change Package Repository Address

  •  if you installed from CDROM, change the package repository now:

    cat > /etc/apt/sources.list

    deb http://ftp.fi.debian.org/debian/ sarge main
    deb http://security.debian.org/ sarge/updates main

    [Control-D]

  •  otherwise just change from stable to sarge in the apt configuration:

    perl -wi- -pe 's/stable/sarge/g' /etc/apt/sources.list

1.3.3  Upgrade

  •  upgrade the system with the following commands:

    apt-get update
    apt-get dist-upgrade

  •  use 'Dialog' or 'Readline' for package configuration to avoid problems with graphical frontends
  •  'medium' is a reasonable configuration detail level
  •  select keymap from arch list: qwerty, Finnish, Standard
  •  safest policy for PCMCIA cards during installation is 'ask'
  •  do not allow system wide readable home directories; define a security policy with appropriate user groups for this instead.
  •  'autosave once' is probably a good setting for setserial (YMMV)
  •  let the installation turn your system upside-down now to keep you from any problems in production:
    •  install new glibc
    •  restart daemons
    •  change passwd
    •  install new PAM configuration files
  •  avoid security problems by not installing man as setuid
  •  you may have to restart PCMCIA if you used a network connection through it:

    /etc/init.d/pcmcia restart

1.3.4  Activate Intelligent Command Line Completion

echo '. /etc/bash_completion' >> /etc/profile

  •  now you can use the Tab key to fill in, or list, the options and parameters of commands like 'apt-get' and 'iptables'

1.4  install miscellaneous support packages

1.4.1  Wireless Network Encryption (WEP) Support

If you use WLAN, install the 'wireless-tools' package:

apt-get install wireless-tools

Then you can deny unencrypted traffic at the Access Point, and configure the WEP identification:

  •  for PCMCIA network cards:

    nano /etc/pcmcia/wireless.opts

    •  remove the entry '*,*,*,*)' as per comments
    •  set the identification ('ESSID','KEY' for Orinoco cards) in the entry related to your network card
    •  save and exit with Control-O, Enter, Control-X
    •  restart the PCMCIA services:

      /etc/init.d/pcmcia restart

  •  FIXME: PCI WLAN card WEP configuration

1.4.2  Remote Administration

For remote administration, install 'ssh' along with your favourite helpers:

apt-get install ssh less

  •  let ssh install keysign as SUID and run the sshd server.

1.4.3  Kernel

  •  install a fresh and safe kernel

    apt-get install kernel-image-[VERSION]-[ARCHITECTURE]

    •  if you enabled command line completion (and logged in again), you can pound on tabulator key to find out and fill in the current versions and architectures
    •  without completion, look at the output of

      apt-cache search kernel-image-2.6

    •  if in doubt, you can check your machine's architecture with

      cat /proc/cpuinfo

  •  if you are asked to stop because of a missing initrd image, change to another virtual terminal (2) and do

    nano /etc/lilo.conf

    •  anywhere before "image=" lines, add a line

      initrd=/initrd.img

    •  Control-O, Enter, Control-X finishes the editing.
  •  Refuse to stop the installation.

Reboot to the new kernel to ensure it works correctly. Should it fail, you can choose to boot to the old kernel instead at the LILO prompt (2).

What you have at this point is a plain, current Debian system that can be further (remotely) configured either as a server, a terminal, a workstation or a mix of any of those. Now you can just pick up any of the following parts that fit your purpose.

2.  FIXME: RAID1

This is yet to be written exactly. Rough outline:

3.  Secure the Machine

This is a very subjective area. Feel free to implement security otherwise.

3.1  set up packet filter to protect from hostile network traffic

The 'iptables' package should be installed by default.

You can see standard network services and their port numbers in the /etc/services file.

You can inspect your current packet filter rules with command

iptables -L

3.1.1  create your packet filter rules

Start each of the given rules with the command

iptables -A INPUT

to append it after any existing rules, or

iptables -I INPUT 1

to insert it before them.

  •  allow established TCP connections to continue

    -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

  •  allow all local traffic

    -i lo -j ACCEPT

  •  allow ICMP (ping) messages up to some limit:

    -p icmp -m limit -j ACCEPT

  •  allow SSH access only from a specific administration address

    -p tcp --dport ssh -s [ADMIN IP] -j ACCEPT

  •  allow all traffic between this machine and your firewall

    -d [FIREWALL IP] -j ACCEPT

    -s [FIREWALL IP] -j ACCEPT

  •  allow UDP packets between name server and this machine

    -p udp -d [DNS IP] --dport 53 -j ACCEPT

    -p udp -s [DNS IP] --sport 53 -j ACCEPT

  •  if you run any services on this machine, enable access to them

    -p [tcp|udp] --dport [SERVICE] -j ACCEPT

    •  for instance, to accept all Samba traffic in local address space

      -p udp --dport netbios-ns -d [LOCALNET] -j ACCEPT

      -p udp --dport netbios-dgm -d [LOCALNET] -j ACCEPT

      -p tcp --dport microsoft-ds -d [LOCALNET] -j ACCEPT

      -p tcp --dport netbios-ssn -d [LOCALNET] -j ACCEPT

  •  logging may generate huge log files (/var/log/syslog by default), but is a great help in testing phase

    -m limit -j LOG

  •  finally, deny everything else

    iptables -P INPUT DROP
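The rule list above assembled into one script, as an added example that is not part of the HOWTO. The four addresses are placeholders from the 192.0.2.0/24 documentation range and the IPT variable is an assumption of this script: run it with IPT=echo to see the exact iptables commands before they touch the running kernel.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: the INPUT chain of section 3.1.1
# assembled into one script. The four addresses are assumed placeholders
# (documentation range 192.0.2.0/24); replace them with your own. Set
# IPT=echo to preview the commands without touching the running kernel.
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"
FIREWALL_IP="${FIREWALL_IP:-192.0.2.1}"
DNS_IP="${DNS_IP:-192.0.2.53}"
LOCALNET="${LOCALNET:-192.0.2.0/24}"
IPT="${IPT:-iptables}"

# Emit the rule arguments for the INPUT chain, one rule per line, in the order
# they are appended with -A. Order matters: the state and loopback rules are
# hit most often and go first; the LOG rule must be last so that it only sees
# packets no earlier rule accepted.
input_rules() {
    cat <<EOF
-p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-i lo -j ACCEPT
-p icmp -m limit -j ACCEPT
-p tcp --dport ssh -s $ADMIN_IP -j ACCEPT
-d $FIREWALL_IP -j ACCEPT
-s $FIREWALL_IP -j ACCEPT
-p udp -d $DNS_IP --dport 53 -j ACCEPT
-p udp -s $DNS_IP --sport 53 -j ACCEPT
-p udp --dport netbios-ns -d $LOCALNET -j ACCEPT
-p udp --dport netbios-dgm -d $LOCALNET -j ACCEPT
-p tcp --dport microsoft-ds -d $LOCALNET -j ACCEPT
-p tcp --dport netbios-ssn -d $LOCALNET -j ACCEPT
-m limit -j LOG
EOF
}

# Number of rules input_rules emits; compare with 'iptables -L INPUT -n' afterwards.
rule_count() {
    input_rules | wc -l | tr -d ' '
}

# Load the chain from a known state. The policy is opened first and flipped to
# DROP only after every ACCEPT rule is in place, so an administration session
# from ADMIN_IP is never cut off half-way through the script.
apply_rules() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -F INPUT
    input_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        "$IPT" -A INPUT $rule
    done
    "$IPT" -P INPUT DROP
}

case "${1:-}" in
    --apply) apply_rules ;;   # sh this-script --apply  (IPT=echo sh this-script --apply to preview)
    *)       input_rules ;;   # default: just show the rule list
esac
```

The script appends the rules in the order listed and sets the DROP policy only afterwards, so an SSH session from the administration address survives a re-run. Note that the state rule is restricted to TCP, so UDP replies (ntpdate from section 4.2, for instance) only get through from the addresses explicitly listed; widen the state rule to all protocols if that bites. Compare rule_count with the output of 'iptables -L INPUT -n' to check that the whole chain was loaded.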

3.1.2  When you have what you need

  •  save your settings

    mkdir /var/lib/iptables

    /etc/init.d/iptables save active

  •  load your settings at boot

    ln -s ../init.d/iptables /etc/rcS.d/S41iptables

    If your IP address changes with DHCP, ask me for a modified iptables init script to run from /etc/dhcp-exit-hooks.

3.2  refine file system security

3.2.1  move /tmp from root partition to virtual memory

echo 'tmpfs /tmp tmpfs defaults 0 0' >>/etc/fstab

mount /tmp

3.2.2  disable writing to partitions holding most binaries

perl -wi- -pe '/boot|usr/ and s/defaults/defaults,ro/' /etc/fstab

mount -o remount /boot

mount -o remount /usr

You can always remount the partitions for writing:

mount -o remount,rw /usr

3.2.3  disable devices on any other than root partition

perl -wi- -ape 'defined $F[1] && $F[1] eq "/" or s/defaults/defaults,nodev/' /etc/fstab

(the root file system, whose mount point is the second field, is skipped because /dev lives on it)
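A check for the three changes of this section, as an added example that is not part of the HOWTO: it reads an fstab and reports every mount point that is not set up as described, and it also flags nodev on the root file system, which on a system whose /dev lives on the root partition would leave the device nodes unusable. The sample fstab is constructed for the demonstration; on a real machine run audit_fstab /etc/fstab.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: audit an fstab for the changes of
# section 3.2 (/tmp on tmpfs, /boot and /usr read-only, nodev everywhere but
# on the root file system). The sample below is constructed and deliberately
# leaves two things unfixed.
sample_fstab() {
    cat <<'EOF'
# constructed sample: /usr is not yet read-only, /home has no nodev
/dev/hda1  /      ext3   defaults,errors=remount-ro  0  1
/dev/hda2  none   swap   sw                          0  0
/dev/hda5  /boot  ext3   defaults,ro,nodev           0  2
/dev/hda6  /usr   ext3   defaults,nodev              0  2
/dev/hda7  /home  ext3   defaults                    0  2
proc       /proc  proc   defaults                    0  0
tmpfs      /tmp   tmpfs  defaults,nodev              0  0
EOF
}

# Print one finding per line; the exit status is the number of findings
# (0 means the fstab matches section 3.2). Reads the file given as argument,
# or stdin when there is none.
audit_fstab() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        $3 == "swap" || $3 == "proc" { next }    # no file system options to check
        {
            mnt = $2; opts = "," $4 ","          # wrap so that /,ro,/ matches whole options
            if (mnt == "/tmp" && $3 != "tmpfs")
                { print mnt ": not on tmpfs"; n++ }
            if ((mnt == "/boot" || mnt == "/usr") && opts !~ /,ro,/)
                { print mnt ": missing ro"; n++ }
            if (mnt != "/" && opts !~ /,nodev,/)
                { print mnt ": missing nodev"; n++ }
            if (mnt == "/" && opts ~ /,nodev,/)
                { print mnt ": nodev on the root file system breaks /dev"; n++ }
        }
        END { exit n + 0 }
    ' "$@"
}

# Demonstration on the constructed sample; reports two findings.
sample_fstab | audit_fstab || echo "$? finding(s) above" >&2
```

Run it before the reboot that follows editing fstab: the perl one-liners above do a blind text substitution, so a line that spells its options differently (without 'defaults', for instance) is silently left out, and that is exactly what the audit catches.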

3.3  harden user accounts

Lock user accounts that are not used for logins

passwd -l winuser

Set root password to a string of line noise

3.4  harden boot loader

nano /etc/lilo.conf

lilo

4.  Miscellaneous Finishing Touches

4.1  correct your locale information

apt-get install localeconf

4.2  install ntpdate to keep the time right

apt-get install ntpdate

4.3  make DHCP set host and domain name

cat >>/etc/dhclient-exit-hooks

perl -we 'use Socket; `ifconfig eth0` =~ /addr:([0-9.]+)/ && system("hostname", scalar(gethostbyaddr(inet_aton($1),AF_INET)))'

[Control-D]

4.4  clean up installed packages

apt-get clean

4.5  speed up boot sequence

nano /etc/lilo.conf

lilo

5.  Windows Remote Desktop Terminal Only

5.1  install a minimal X11 graphical user interface server

apt-get install x-window-system-core

This installs quite some cruft with it, but avoids a lot of hassle with configurations. You are free to try more optimal combinations of the packages it chooses to install.

5.2  rdesktop

apt-get install rdesktop

That's all there is to install rdesktop.

5.3  automatic startup

What you have now is a system that will start X11 at startup, and run rdesktop indefinitely. When X11 is terminated (presumably by pressing Ctrl-Alt-Backspace) the physical terminal will shut down.
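One way to get the behaviour described above, as an added example that is not the HOWTO's own script (the HOWTO does not show one): a session script that restarts rdesktop after each logoff and stops retrying after a run of failed starts, so that a wrong server name does not leave the terminal spinning forever. The server name, the rdesktop options (-f full screen, -k fi Finnish keymap) and the retry limits are assumptions.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: a session script that keeps rdesktop
# running for the terminal of section 5.3. TS_SERVER, the rdesktop options
# and the retry limits are assumptions.
TS_SERVER="${TS_SERVER:-ts.example.invalid}"
RDESKTOP="${RDESKTOP:-rdesktop -f -k fi $TS_SERVER}"   # full screen, Finnish keymap
RETRY_DELAY="${RETRY_DELAY:-5}"      # seconds to wait after a failed start
MAX_FAILURES="${MAX_FAILURES:-20}"   # consecutive failures before giving up

# Restart rdesktop after every normal logoff. A failed start (server down,
# wrong name, lost X connection) is retried after RETRY_DELAY seconds; after
# MAX_FAILURES failures in a row the function returns 1, the session script
# ends and X11 exits, which the setup described above turns into a shutdown.
run_terminal() {
    failures=0
    while [ "$failures" -lt "$MAX_FAILURES" ]; do
        if $RDESKTOP; then
            failures=0                      # clean logoff: reconnect right away
        else
            failures=$((failures + 1))
            sleep "$RETRY_DELAY"
        fi
    done
    echo "rdesktop failed $failures times in a row, ending the X session" >&2
    return 1
}

case "${1:-}" in
    --run) run_terminal ;;   # invoked from the terminal user's .xsession
esac
```

Save it as, say, /usr/local/bin/terminal-session and make ~winuser/.xsession consist of the single line 'exec sh /usr/local/bin/terminal-session --run'; when run_terminal returns, the X session ends and the shutdown described above follows.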

6.  Install Printer

Here we assume a traditional parallel connection to the printer.

6.1  test printer

Connect the printer and power it up.

cat >/dev/lp0

Type a few words, press Enter and then Control-D. You should get that plain text printed; otherwise you have hardware or kernel level problems beyond the scope of this document.

6.2  install CUPS printing system with HP printer driver

6.2.1  Technical breakdown

  •  Ghostscript (gs) is a Postscript interpreter
  •  HP printer driver (hpijs) is a plugin for gs
  •  Foomatic is a printing system that can offer the gs+hpijs combination as a printer
  •  Common Unix Printing System (CUPS) is a full-fledged print job management system that can use Foomatic.

All these together are combined into a neatly installing set of Debian packages that only require one command to put the printer to use.

6.2.2  installation

apt-get install cupsys cupsys-client foomatic-db-hpijs

  •  this will install quite a few packages, so it takes a while
  •  A4 is a good choice for paper size.

6.3  Obtain the printer description file

http://www.linuxprinting.org/show_driver.cgi?driver=hpijs

Below "Printing system interfaces", select your printer from the pull-down menu, check "download" and "GUI texts limited to 39 characters", and click on "Generate PPD file". Save the resulting file as

/usr/share/cups/model/HP-LaserJet_1015-hpijs.ppd

6.4  configure CUPS to use your printer

lpadmin -p LaserJet -E -v parallel:/dev/lp0 -m HP-LaserJet_1015-hpijs.ppd

6.5  test the printing system

lp /etc/motd

7.  Share Printer with Samba

7.1  install Samba

apt-get install samba smbclient

After the installation finishes, you should be able to access the machine's service list from a Windows machine.

7.2  configure Samba to print to LaserJet through a call to gs

nano /etc/samba/smb.conf

8.  Share Windows Printer Drivers through Samba

Thorough documentation is available at

http://fi.samba.org/samba/docs/man/CUPS-printing.html

8.1  Configure Samba for Remote Printer Administration

nano /etc/samba/smb.conf

8.2  Install the CUPS PostScript Printer Windows Driver

8.3  Delegate Sharing of the Drivers to Samba

cupsaddsmb -v -U root laserjet

8.4  Test Printing from Windows Client

Install the printer as a network printer to a Windows machine. It should download and install the CUPS printer driver. You can do this from a remote session as a normal user.

8.5  Close root account on Samba

nano /etc/samba/smb.conf

You may of course consciously choose to take the risk of someone accessing the host over Samba with root privileges.
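A constructed smb.conf for the printer share and a check for this step, as an added example that is not the HOWTO's configuration (the HOWTO does not show its smb.conf). The share paths and workgroup are assumptions; what the check looks for is 'invalid users = root' in the [global] section, the smb.conf setting that refuses SMB logins for the listed accounts. Because cupsaddsmb in section 8.3 connects as root, the drivers must be uploaded before this line is added, and it has to be removed temporarily to upload new ones.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: a constructed smb.conf for the
# CUPS-backed LaserJet share (sections 7 and 8) and a check that root is
# closed over SMB (section 8.5). Paths and workgroup are assumptions.
sample_smb_conf() {
    cat <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   printing = cups
   printcap name = cups
   load printers = yes
   ; section 8.5: root may not log in over SMB once the drivers are uploaded
   invalid users = root

[printers]
   comment = LaserJet via CUPS
   path = /var/spool/samba
   printable = yes

[print$]
   comment = Windows printer drivers (uploaded with cupsaddsmb, section 8.3)
   path = /var/lib/samba/printers
   read only = yes
EOF
}

# Return 0 when 'invalid users' in the [global] section lists root, 1 otherwise.
# Reads the file given as argument, or stdin when there is none.
samba_root_closed() {
    awk '
        /^[ \t]*[#;]/ { next }                              # comment lines
        /^[ \t]*\[/   { s = tolower($0); gsub(/[^a-z0-9_$]/, "", s); next }  # section name
        s == "global" && tolower($0) ~ /^[ \t]*invalid[ \t]*users[ \t]*=/ {
            sub(/^[^=]*=/, "")                              # keep the value only
            n = split($0, u, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (u[i] == "root") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$@"
}

# Demonstration on the constructed sample; on a real machine run
# samba_root_closed /etc/samba/smb.conf after editing it.
sample_smb_conf | samba_root_closed && echo "root is closed over SMB" \
    || echo "WARNING: root can still log in over SMB" >&2
```

The check is deliberately narrow: it answers only the question this step asks. Samba's own 'testparm' is still the right tool for validating the rest of the file.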

9.  Open Problems

9.1  The '@' character is blocked by rdesktop

A.  Footnotes

1)  Virtual Terminals

Virtual terminals provide multiple access points to Linux through its single physical console. A terminal is chosen and its screen shown by a key combination

#x marks both the number of the Function key and the number of the virtual terminal. How convenient! Default virtual terminal is #1 in text mode; graphical terminals start from #7 up.

To get started with virtual terminals in text mode, hit Alt-F2 to see another screen appear. Type a few random letters just to convince yourself that it's an actual, working interface. Hit Alt-F1 to get back to the default terminal.

To get started with virtual terminals in graphical mode, hit Control-Alt-F1 to see the text mode screen as it was before the X11 graphics system changed to virtual terminal #7. Hit Alt-F7 (no Control needed since we now are in text mode) when you want to return to the graphical screen.

2)  Boot Tricks

After first phase of installation you can always get into your system, even if LILO doesn't start up correctly or you forget the root password.

If LILO starts up (you can see the text 'LILO' on your screen), you can force it to show a prompt by holding down the Control key. At the 'boot:' prompt you can see your available boot commands by hitting the tabulator key. The default boot command is usually 'Linux'. If you need to change the root password, type the following:

Linux init=/bin/bash

to get straight into a shell without being prompted for a password. Then change the root password with the following commands:

mount -o remount,rw / (mount root file system as writable)
passwd (change root password)
mount -o remount,ro / (finish writing to disk)

Then just do a cold, hard reboot.

If you want to manage the system without starting all the services, type the following at the LILO prompt:

Linux 1

If LILO doesn't start up, you can use the Debian install media for booting. At the Syslinux prompt, type

rescue root=/dev/hda5

This will load the kernel from the install media but boot from your own root partition. Then you can edit the lilo configuration

nano /etc/lilo.conf
lilo

then try to boot normally.

3)  Package Management Basics

You can search for packages with the command

apt-cache search [what]

where [what] is a name for the thing you are looking for. If you get too many answers, you can

Files contained in an installed package can be listed with the command

dpkg -L [package]

The package that contained a given file can be found out with

dpkg -S [fullfilename]

Whenever you want to reconfigure a package, just run

dpkg-reconfigure [package-name]

from the command line as root.

If you accidentally install packages you'd do better without, do

dpkg --purge [package-names]

to remove their configuration files with them.