Archive for May, 2009

Saturday, May 30, 2009 Categorized under Linux

Ubuntu Installation

Installation of Ubuntu is generally performed with the Live CD. By booting it, a user can first choose to “test-drive” the Ubuntu OS (albeit with a performance loss due to loading applications from a CD), providing the opportunity to test hardware compatibility and driver support. The CD also contains the Ubiquity installer,[30] which guides the user through the permanent installation process. CD images of all current and past versions are available for download at the Ubuntu web site. Installing from the CD requires a minimum of 256 MB RAM. Users can download a disk image of the CD which can then be written to a physical medium, or run from a hard drive via UNetbootin.

Canonical offers Ubuntu and Kubuntu installation CDs at no cost, including paid postage for destinations in most countries around the world, via a service called ShipIt. After a request for CDs is made and approved, disks are sent via post. Delivery is estimated at six to ten weeks.

A Microsoft Windows migration tool, called Migration Assistant, was introduced in April 2007 (with Ubuntu 7.04).[33] It imports Windows users’ bookmarks, desktop background (wallpaper), and various settings for immediate use in the Ubuntu installation.[34]

Ubuntu and Kubuntu can be booted and run from a USB flash drive (as long as the BIOS supports booting from USB), with the option of saving settings to the flash drive. This allows a portable installation that can be run on any PC capable of booting from a USB drive.[35] In newer versions of Ubuntu, the USB creator program is available to install Ubuntu on a USB drive (with or without a LiveCD disc).

Wubi, which is included on the Live CD, allows the distribution to be installed on a virtual Windows loop device. This requires no partitioning of a user’s hard drive, allowing the installation of Ubuntu to a file on a Windows drive. This also allows the user to manage Ubuntu as a Windows program, configuring and uninstalling Wubi like any other program via the Control Panel (Windows). Wubi also makes use of the Migration Assistant to import users’ settings. Initially developed as an independent project for versions 7.04 and 7.10, Wubi was later merged with Ubuntu and is included on the Ubuntu Live CD as of the 8.04 release.

Saturday, May 30, 2009 Categorized under Linux

IPtables

The Xtables framework, used by ip_tables, ip6_tables and arp_tables, allows the system administrator to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by traversing the chains. A rule in a chain can send a packet to another chain, and this can be repeated to whatever level of nesting is desired. Every network packet arriving at or leaving from the computer traverses at least one chain.

The source of the packet determines which chain it traverses initially. There are three predefined chains (INPUT, OUTPUT, and FORWARD) in the “filter” table. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.

Each rule in a chain contains the specification of which packets it matches. It may also contain a target. As a packet traverses a chain, each rule in turn examines it. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target, which may result in the packet being allowed to continue along the chain or it may not.

The packet continues to traverse the chain until either (1) a rule matches the packet and decides the ultimate fate of the packet (for example by calling one of the ACCEPT or DROP targets); or (2) a rule calls the RETURN target, in which case processing returns to the calling chain; or (3) the end of the chain is reached.

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost.localdomain localhost.localdomain
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This example shows an already-configured workstation firewall. The command “iptables -L” is executed by user root to display an abridged view of the firewall configuration. (The complete state can be obtained with iptables-save -c, and should be used when reporting problems.)

The RELATED,ESTABLISHED rule relies on stateful connection tracking, so replies to connections the workstation itself opened are accepted and most client programs (web browser, ssh, ...) work.

$ w3m http://en.wikipedia.org/wiki/Main_Page

(The main Wikipedia web page opens)

The computer does not respond to ping and offers no services. When its ports are scanned, connections are rejected (with REJECT) or time out (with DROP).

$ ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 62.78.243.6 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Trying to connect to HTTP port (TCP 80)

$ telnet 10.0.0.1 80
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused
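
The traversal rules described above, modelled as an added Python example (not code from the original page or from iptables itself). It runs the page's INPUT chain against constructed packets; the `mgmt` chain, the match helpers and all packet addresses are hypothetical, added to show a jump, RETURN and falling off the end of a user-defined chain.

```python
# Added example: toy model of Xtables chain traversal, not iptables code.
VERDICTS = {"ACCEPT", "DROP", "REJECT"}

def traverse(chains, name, pkt):
    """Walk chain `name`; return a verdict, or None when control goes back to the caller."""
    for match, target in chains[name]["rules"]:
        if not match(pkt) or target is None:
            continue                       # no match (or no target): next rule
        if target in VERDICTS:
            return target                  # (1) a rule decides the packet's fate
        if target == "RETURN":
            break                          # (2) stop walking this chain
        verdict = traverse(chains, target, pkt)   # jump into a user-defined chain
        if verdict is not None:
            return verdict                 # callee decided; otherwise resume here
    # (3) end of chain: built-in chains apply their policy, user chains have none
    return chains[name].get("policy")

def is_loopback(p): return p["src"] == p["dst"] == "127.0.0.1"
def is_reply(p):    return p.get("state") in ("RELATED", "ESTABLISHED")
def always(p):      return True

# The workstation INPUT chain from the `iptables -L` listing on this page.
BASE = [(is_loopback, "ACCEPT"), (is_reply, "ACCEPT")]
PAGE = {"INPUT": {"policy": "DROP", "rules": BASE + [(always, "REJECT")]}}

# Hypothetical extension: a user-defined chain "mgmt" (not on the page) for SSH.
EXTENDED = {
    "INPUT": {"policy": "DROP", "rules": BASE + [
        (lambda p: p.get("dport") == 22, "mgmt"), (always, "REJECT")]},
    "mgmt": {"rules": [                    # user chains carry no policy
        (lambda p: p["src"] == "10.0.0.66", "RETURN"),
        (lambda p: p["src"].startswith("10.0.0."), "ACCEPT"),
    ]},
}

# Constructed sample packets (addresses are illustrative).
PING  = {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": "icmp", "state": "NEW"}
HTTP  = {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": "tcp", "dport": 80, "state": "NEW"}
REPLY = {"src": "198.51.100.7", "dst": "10.0.0.1", "proto": "tcp", "state": "ESTABLISHED"}
SSH   = {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": "tcp", "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    for label, pkt in [("ping", PING), ("http", HTTP), ("reply", REPLY)]:
        print(label, traverse(PAGE, "INPUT", pkt))
    print("ssh", traverse(EXTENDED, "INPUT", SSH))
```

With the page's ruleset the DROP policy is never reached, because the final REJECT rule matches every packet; the policy only decides a packet's fate if that catch-all rule is removed.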

Redirection example

This simple example of its use illustrates how to redirect all traffic on the default HTTP port, port 80, to port 8080, allowing the HTTP daemon to run as a non-privileged user, unable to listen on port numbers below 1024.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Note: if you run this command on your computer, it will only work for external IP addresses connecting to your machine. Connections from localhost do not traverse the PREROUTING chain in the “nat” table. If you also want the redirection to apply to local connections, use the following rule:

iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080

which reroutes packets on the loopback (lo) interface from port 80 to port 8080.

Front-ends and scripts

There are numerous third-party software applications for iptables that try to facilitate setting up rules. Front-ends in textual or graphical fashion allow users to click-generate simple rulesets; scripts usually refer to shell scripts (but other scripting languages are possible too) that call iptables or (the faster) iptables-restore with a set of predefined rules, or rules expanded from a template with the help of a simple configuration file. Linux distributions commonly employ the latter scheme of using templates. Such a template-based approach is practically a limited form of a rule generator, and such generators also exist in standalone fashion, for example, as PHP web pages.

Such front-ends, generators and scripts are often limited by their built-in template systems and where the templates offer substitution spots for user-defined rules. Also, the generated rules are generally not optimized for the particular firewalling effect the user wishes, as doing so will likely increase the maintenance cost for the developer. Users who reasonably understand iptables and want their ruleset optimized are advised to construct their own ruleset.

Sunday, May 10, 2009 Categorized under Stories

250,000 OLPC laptops in India

Two Indian government organizations have placed orders for 250,000 XO-1 laptop computers. The laptops, designed by the One Laptop Per Child Association, will be distributed to students in nearly 1,500 schools.


The order stands in contrast to criticism the Indian government had previously voiced over the OLPC organization. The Indian government had even started its own $100 laptop program, although it was soon abandoned.

OLPC India CEO Satish Jha has repeatedly stated he would like to sell three million OLPC laptops to India this year.