A quick and useful command for checking whether a server is under DDoS:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That lists the IPs holding the largest number of connections to the server, busiest last. Keep in mind that DDoS attacks are becoming more sophisticated, using fewer connections per source spread across more attacking IPs, so you can still be under a DDoS while each individual IP shows only a low connection count.
Another very important thing to look at is how many active connections your server is currently processing.
netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN | wc -l
The first command shows the number of connections currently open to your web server (port 80). Many of the attacks typically seen work by starting a connection to the server and then never completing it, leaving the server to wait for it to time out. The number from the first command will vary widely, but if you are much above 500 you are probably having problems. If the second command returns more than 100, you are dealing with a SYN attack.
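The three pipelines above, as an added example that is not part of the original post: the same counting logic run over a constructed sample of `netstat -an` output (the sample addresses are made up), so the thresholds can be exercised without a live server. It also strips the port by cutting at the last colon, which keeps IPv6 peers intact where `cut -d: -f1` would not.

```shell
#!/bin/sh
# Added example (not from the original post): the netstat pipelines above run
# over a constructed sample of "netstat -an" output. Field layout follows
# netstat: $4 local address, $5 foreign address, $6 state (absent for UDP).
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55000        ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       SYN_RECV
udp        0      0 10.0.0.5:53             192.0.2.44:4000'

# Connections per remote address, busiest last. The port is removed by deleting
# the text after the LAST colon, so an IPv6 peer address survives intact
# (the page's "cut -d: -f1" would cut it at its first colon).
top_talkers() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
      | awk '$1 ~ /^(tcp|udp)/ { ip = $5; sub(/:[^:]*$/, "", ip); print ip }' \
      | sort | uniq -c | sort -n
}

# Connections whose local end is port 80. Anchoring ":80" at the end of the
# field avoids counting :8080 or a remote port that happens to contain 80.
port80_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '$4 ~ /:80$/ { n++ } END { print n + 0 }'
}

# Half-open connections on port 80: the server answered SYN-ACK and is waiting.
port80_syn_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
      | awk '$4 ~ /:80$/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Apply the rule-of-thumb thresholds the post gives: more than 100 half-open
# connections points at a SYN flood, more than 500 active ones at overload.
assess() {
    active=$1
    syn=$2
    if [ "$syn" -gt 100 ]; then
        echo "syn-flood"
    elif [ "$active" -gt 500 ]; then
        echo "overloaded"
    else
        echo "ok"
    fi
}

# On a real host, replace SAMPLE_NETSTAT with the output of "netstat -an".
echo "busiest peers (count, address):"
top_talkers
echo "port 80 active: $(port80_count), half-open: $(port80_syn_count)"
assess "$(port80_count)" "$(port80_syn_count)"
```

The sample deliberately includes a SYN_RECV pair from one source and a non-web connection on port 22, so `port80_count` and `port80_syn_count` show the difference between "many connections" and "many half-open connections" that the thresholds depend on.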
To block a specific IP address on the server, use the following commands.
—————–command——————————
route add IPADDRESS reject
For example: route add 192.168.0.168 reject
You can check whether a given IP is blocked on the server with the following command:
route -n | grep IPADDRESS
—————–command——————————
OR
Use the following commands to block an IP with iptables on the server:
—————–command——————————
iptables -I INPUT 1 -s IPADDRESS -j DROP
(use -j REJECT instead of -j DROP if you want the sender to receive an explicit rejection; -I INPUT 1 inserts the rule at the top of the chain so it is evaluated before any ACCEPT rule)
service iptables save
service iptables restart
(save before restarting: restart reloads the rules from the saved file, so an unsaved rule would be lost)
—————–command——————————
Then kill all httpd processes and restart the httpd service with the following commands:
killall -KILL httpd
service httpd startssl
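A wrapper for the iptables block above, as an added example that is not part of the original post: it validates the address before handing it to iptables and will not add the same rule twice. The `DRY_RUN` variable and the function names are this example's own; with `DRY_RUN=1` (the default here) it only prints the command it would run, so it can be tried without root.

```shell
#!/bin/sh
# Added example (not from the original post): validate an address and block it
# once. DRY_RUN=1 prints the command instead of running iptables.

# Accept only four dotted-decimal octets, each in the range 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

block_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing to block: '$ip' is not an IPv4 address" >&2
        return 2
    fi
    # -I INPUT 1 puts the DROP at the top of the chain so it is evaluated
    # before any ACCEPT rule; -C asks whether an identical rule already exists.
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables -I INPUT 1 -s $ip -j DROP"
    elif iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        echo "already blocked: $ip"
    else
        iptables -I INPUT 1 -s "$ip" -j DROP && echo "blocked: $ip"
    fi
}

# Show what would be done for the address the page uses as its example.
block_ip 192.168.0.168
```

On the server itself run `DRY_RUN=0 sh block.sh` (or source the file and call `block_ip`) as root, then `service iptables save` as the post describes so the rule survives a restart.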
Additionally, you can inspect the established and listening sockets, and the files a particular process has open, with lsof:
lsof | grep ESTABLISHED
lsof | grep LISTEN
lsof -p PID
Tuesday, November 23, 2010
Friday, November 19, 2010
POSTGRESQL ERROR
If you get the error shown below:
FATAL 1: IDENT authentication failed for user "postgres"
Do the following to fix it.
# vi /var/lib/pgsql/data/pg_hba.conf
Add the line
host all all 127.0.0.1/32 trust
:wq // save the file
The /var/lib/pgsql/data/pg_hba.conf will then look like this:
# TYPE DATABASE USER CIDR-ADDRESS METHOD
#local all all ident sameuser
host all all 127.0.0.1/32 trust
# service postgresql restart
INSTALLING MAVEN
# cd /opt
# wget -c http://www.eng.lsu.edu/mirrors/apache//maven/binaries/apache-maven-3.0-bin.tar.gz
# tar xvzf apache-maven-3.0-bin.tar.gz
# vi /etc/profile
Add the following lines to the end of the file
M2_HOME=/opt/apache-maven-3.0
export M2_HOME
PATH=$PATH:$M2_HOME/bin
:wq // save the file
# source /etc/profile
Apache Maven is installed and ready to use.
Monday, November 1, 2010
INSTALLING OPENNMS
OpenNMS is the world's first enterprise-grade network management system developed under the open source model. As with any complex and powerful system, getting it installed and configured can take a little effort.
Minimum Requirements
--------------------
* A 1 GHz Pentium III (or equivalent processor) or better. OpenNMS can also take advantage of multiple processors.
* A minimum of 256 MB of RAM, although 512 MB is strongly recommended. The OpenNMS Java Virtual Machine benefits from large amounts of memory, up to 2 GB, and more if using a 64-bit processor.
* OpenNMS requires about 200 MB of disk space for the program files. In addition, each data variable collected requires, by default, a little under 300 KB of disk space.
Configure RPM-based Distributions with Yum
-------------------------------------------
[root@localhost ~]# yum install yum-fastestmirror
Install the OpenNMS Repository RPM
-----------------------------------
rpm -Uvh http://yum.opennms.org/repofiles/opennms-repo-snapshot-fc7.noarch.rpm
Or, to install the latest unstable release on CentOS or RHEL 5, you would run:
rpm -Uvh http://yum.opennms.org/repofiles/opennms-repo-unstable-rhel5.noarch.rpm
Installing Java on RPM-based Distributions Using Yum
----------------------------------------------------
[root@localhost ~]# yum install jdk
Installing PostgreSQL on RPM-Based Distributions Using Yum
----------------------------------------------------------
[root@localhost ~]# yum -y install postgresql-server
Configure PostgreSQL
--------------------
Locate the Postgres "data" directory. Often this is /var/lib/pgsql/data. You should then find the two files we need to modify in that directory.
First we need to make sure PostgreSQL is listening on an IP socket, and not just a local unix socket.
Edit the postgresql.conf file and add the following.
listen_addresses = 'localhost'
max_connections = 256
Customizing the pg_hba.conf File
--------------------------------
Add the below lines.
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust
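Both the PostgreSQL-error post and the OpenNMS steps above switch the loopback entries in pg_hba.conf to the `trust` method, which makes PostgreSQL accept any connection from that address as any listed user with no password at all. The following is an added example, not from either post: a small check that reports `trust` rules in a pg_hba.conf, with a constructed weak config and a constructed hardened one beside it. The hardened version keeps password authentication on the TCP path with `md5` (newer releases also offer `scram-sha-256`) and `ident` on the Unix socket (`peer` on 9.1 and later).

```shell
#!/bin/sh
# Added example (not from the original posts): find "trust" rules in pg_hba.conf.
# Both configs below are constructed for the example.
WEAK_HBA='# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust'

HARDENED_HBA='# TYPE DATABASE USER CIDR-ADDRESS METHOD
local all all ident
host all all 127.0.0.1/32 md5
host all all ::1/128 md5'

# Print each active rule whose METHOD (the last column) is "trust"; exit status
# is 1 if any were found, 0 otherwise. Works for both the IP-MASK and the CIDR
# layouts because in both the method is the final column.
find_trust_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $NF == "trust" { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Same check for a file on disk, e.g. /var/lib/pgsql/data/pg_hba.conf.
audit_hba_file() {
    find_trust_rules "$(cat "$1")"
}

if find_trust_rules "$WEAK_HBA"; then
    echo "weak config: no trust rules"
else
    echo "weak config: the rules above let clients connect without a password"
fi
find_trust_rules "$HARDENED_HBA" > /dev/null && echo "hardened config: no trust rules"
```

With the hardened entries the `IDENT authentication failed` error from the earlier post does not come back, because the TCP entries no longer use `ident` at all; the database users simply need passwords set (`ALTER USER ... PASSWORD ...`) before the switch.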
Creating the PostgreSQL Database
---------------------------------
# /etc/init.d/postgresql start
Installing JICMP on RPM-Based Distributions Using YUM
-----------------------------------------------------
[root@localhost ~]# yum install jicmp
Installing OpenNMS
------------------
[root@localhost ~]# yum install opennms-*
Configure Java for OpenNMS
--------------------------
[root@localhost ~]# /opt/opennms/bin/runjava -s
The desired output is given below:
runjava: Looking for an appropriate JRE...
runjava: Checking for an appropriate JRE in JAVA_HOME...
runjava: skipping... JAVA_HOME not set
which: no java in (/usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/opennms/bin:/root/bin)
runjava: did not find a JRE in user's path
runjava: searching for a good JRE...
runjava: found a good JRE in "/usr/java/jdk1.5.0_18/bin/java"
runjava: value of "/usr/java/jdk1.5.0_18/bin/java" stored in configuration file
Configure a specific JRE
-------------------------
If you need to configure a specific JRE, do the following:
[root@localhost]# /opt/opennms/bin/runjava -S
Run the OpenNMS Installer Application
-------------------------------------
[root@localhost ~]# /opt/opennms/bin/install -l /usr/local/lib -dis
Login to the Web Application
-----------------------------
By default, OpenNMS's built-in web server listens on port 8980, so point your browser at http://<server>:8980/opennms/ (replace <server> with the host name or IP address of the OpenNMS server).
The initial user name is "admin" and the password is "admin".
Enjoyyyy...............
If you need any further assistance. Ping me
Email: vasanth462@gmail.com
Thursday, October 28, 2010
To Speed up the installation using YUM
You may want to install the yum-fastestmirror RPM if your distro supports it. This can often speed up downloads of large packages. See the CentOS Wiki.
# yum install yum-fastestmirror
Wednesday, October 13, 2010
Wednesday, September 29, 2010
DANSGUARDIAN,SQUID,IPTABLES
If you want to filter web browsing on a Linux gateway server using iptables, Squid and DansGuardian, follow these steps.
eth0 = Internet IP address
eth1 = 192.168.0.229
Do the necessary steps to make the Linux machine a router and gateway.
# yum install squid
Open the Squid configuration file.
# vi /etc/squid/squid.conf
Enter the following line
http_port 3128 transparent
Add the ACLs
acl home_network src 192.168.0.0/24
http_access allow home_network
# service squid start
# iptables -A INPUT ! -i lo -p tcp -m tcp --dport 3128 -j DROP
# service iptables save
# service iptables restart
This will block your employees from connecting to Squid directly: only connections arriving over the loopback interface are allowed, which is how DansGuardian on this same host reaches Squid at 192.168.0.229:3128 (a rule keyed on the source address 127.0.0.1 alone would also drop that local connection, since it carries 192.168.0.229 as its source).
1. Install DansGuardian from source or RPM
I am using the RPM here.
The files are installed in /etc/dansguardian. Open the main configuration file of DansGuardian and enter the following details.
# vi /etc/dansguardian/dansguardian.conf
proxyip = 192.168.0.229
proxyport = 3128
filterport = 8080
Save the file.
Add the following redirect rule (the REDIRECT target belongs to the PREROUTING chain of the nat table, so -t nat is required):
# iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
On the clients, set the gateway to 192.168.0.229 (in my case).
Wednesday, September 22, 2010
Shell script to start Authdaemon
#! /bin/sh
case "$1" in
start)
echo "Initializing authdaemon. (Courier)"
/usr/local/sbin/authdaemond start
;;
stop)
echo "Shutting down authdaemon:"
/usr/local/sbin/authdaemond stop
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac
exit 0
Tuesday, September 21, 2010
Sunday, September 19, 2010
YUM THROUGH PROXY
If your internal network is behind a proxy server and firewall, use the following settings so that yum can reach the repositories through the proxy.
1. Open a shell
2. export http_proxy=http://proxyhost:port
Eg: export http_proxy=http://192.168.0.229:3128
3. yum list
Enjoyyyy
Saturday, September 18, 2010
OPENVZ COMMANDS
OpenVZ is an Operating System-level server virtualization solution, built on Linux. OpenVZ creates isolated, secure virtual environments.
FILES
/etc/vz/vz.conf
/etc/vz/conf/veid.conf
/proc/vz/veinfo
/proc/vz/vzquota
/proc/user_beancounters
/proc/fairsched
Log file /var/log/vzctl.log
vzctl Commands
Usage: vzctl [options] [parameters]
Help : vzctl --help
1. stop a VE (start/stop/restart) -
#vzctl stop VEID
2. to stop a VE in fast mode -
#vzctl stop VEID --fast
3. to see all the VE's -
#vzlist -a
4. to enter a VE -
#vzctl enter VEID
5. to see the uptime of a VE - run this from the node -
#vzctl exec VEID uptime
6. to see all the running process in a VE from the node -
#vzctl exec VEID ps aux
7. list the load of each VE -
#for vps in `vzlist -1`; do echo "$vps: `vzctl exec2 $vps uptime`"; done
8. when you think it is a RAM issue (Out Of Memory)-
#grep OOM /var/log/messages | grep VEID | wc -l
9. Reinstall a VE - all data will be lost and a fresh install will be there -
#vzctl reinstall VEID
10. number of running VE's in the node -
#vzlist|grep running|wc -l
11. To find the status of a VE:
#vzctl status VEID
12. You can execute commands inside a VE from the node itself
#vzctl exec VEID COMMAND
13. Check inodevalue
#df -i
14. Set inodevalue
#vzctl set VEID --diskinodes 2000000:2000000 --save
15. Check numiptent value
#egrep numiptent /proc/user_beancounters
numiptent 336 336 2147483647 2147483647 0
16. Set numiptent value
#vzctl set VEID --numiptent 2000000:2000000 --save
17. To permanently remove this VE:
#vzctl destroy VEID
Configuration Commands
1) vzctl set VEID --hostname vps.domain.com --save : To set the hostname of a VPS.
2) vzctl set VEID --ipadd 1.2.3.4 --save : To add a new IP to the VPS.
3) vzctl set VEID --ipdel 1.2.3.4 --save : To delete the IP from the VPS.
4) vzctl set VEID --userpasswd root:new_password --save : To reset the root password of a VPS.
5) vzctl set VEID --nameserver 1.2.3.4 --save : To add the nameserver IPs to the VPS.
6) vzctl exec VEID command : To run any command on a VPS from Node.
7) vzyum VEID install package_name : To install any package/Software on a VPS from Node.
PERMANENTLY MOUNTING THE REMOTE WINDOWS SHARE USING /etc/fstab
To permanently mount the Windows share on Linux, add the following entry to /etc/fstab, save, and run mount -a:
//192.168.1.21/D /mnt cifs defaults,credentials=/root/samba_credentials 0 0
:wq
# mount -a
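The fstab entry above keeps the share password in /root/samba_credentials, so that file has to stay readable by root only. The following is an added example, not from the original post: it creates such a credentials file with owner-only permissions and checks every cifs entry in an fstab for a credentials file that exists and is mode 0600. The file format (`username=`, `password=`, optional `domain=`) is the one mount.cifs reads; the function names are this example's own, and the demonstration writes only under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): create a mount.cifs credentials
# file safely and audit fstab entries that reference one.

write_cifs_credentials() {
    # $1 file, $2 username, $3 password, $4 optional domain
    rm -f "$1"               # a pre-existing file would keep its old mode
    (
        umask 077            # the new file is created 0600, unreadable by others
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
        if [ -n "${4:-}" ]; then
            printf 'domain=%s\n' "$4" >> "$1"
        fi
    )
}

# Permission string of a file as ls prints it, e.g. "-rw-------".
file_mode() {
    ls -l "$1" | cut -c1-10
}

# For each cifs line in the fstab text given as $1, report on its credentials=
# file: missing, too open (anything other than 0600), or ok.
check_fstab_credentials() {
    printf '%s\n' "$1" \
      | awk '$3 == "cifs" { print $4 }' \
      | tr ',' '\n' \
      | sed -n 's/^credentials=//p' \
      | while IFS= read -r f; do
            if [ ! -f "$f" ]; then
                echo "missing: $f"
            elif [ "$(file_mode "$f")" != "-rw-------" ]; then
                echo "too open: $f ($(file_mode "$f"))"
            else
                echo "ok: $f"
            fi
        done
}

# Demonstration on a temporary file (the share path is the one from the post).
demo_dir=$(mktemp -d)
write_cifs_credentials "$demo_dir/samba_credentials" vasanth 'example-password' WORKGROUP
check_fstab_credentials "//192.168.1.21/D /mnt cifs defaults,credentials=$demo_dir/samba_credentials 0 0"
rm -rf "$demo_dir"
```

To audit the real system, call `check_fstab_credentials "$(cat /etc/fstab)"` as root.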
PRIVATE READ WRITE SHARE
Private write share.
Create a share like the one below in /etc/samba/smb.conf. (security = user makes Samba authenticate each connecting user against its own password database, which is what valid users relies on; the older share-level mode is deprecated and was removed in Samba 4.)
[global]
security = user
[privatewrite]
path = /private
writable = yes
create mask = 0765
valid users = vasanth
# smbpasswd -a vasanth
# smbpasswd -e vasanth
MAPPING LINUX FOLDER TO WINDOWS
On the Windows box, open cmd.
Type the following command
> net use * \\192.168.1.12\privatewrite /user:vasanth
It will prompt for the password. Enter it, and the remote Linux folder is mapped in My Computer as drive Z: on Windows.
> net use // this command displays the current connections from this Windows machine
To disconnect the drive
right click >> disconnect
or
> net use z: /delete
TO MAKE A HIDDEN SHARE IN WINDOWS
Enter the share in smb.conf
[privatewrite]
path = /private
writable = yes
create mask = 0765
valid users = vasanth
browseable = no
// this line makes the share invisible in browse lists.
The above entry in smb.conf hides the share, but it is still accessible using the UNC path.
In the address bar of Windows Network Places, type
\\192.168.1.12\privatewrite
# smbclient -L server1
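The two share posts above rely on `valid users` to restrict who can write, and on `browseable = no` only to hide a share from browse lists. The following is an added example, not from either post: it parses an smb.conf and reports writable shares that have no `valid users` list (any account Samba accepts can write there) and shares that are hidden but, as the post says, still reachable by UNC path. The config text is constructed for the example and the function names are its own.

```shell
#!/bin/sh
# Added example (not from the original posts): audit share definitions in an
# smb.conf. SMB_CONF is a constructed config in the layout the posts use.
SMB_CONF='[global]
security = user

[privatewrite]
path = /private
writable = yes
create mask = 0765
valid users = vasanth
browseable = no

[dropbox]
path = /srv/dropbox
writable = yes
browseable = no

[docs]
path = /srv/docs
read only = yes'

# One line per share: NAME WRITABLE VALID_USERS BROWSEABLE
# (VALID_USERS is "set" when the share lists any, "-" otherwise).
share_table() {
    printf '%s\n' "$1" | awk '
        function emit() { if (name != "" && name != "global") print name, w, v, b }
        /^\[/ { emit(); name = substr($0, 2, length($0) - 2)
                w = "no"; v = "-"; b = "yes"; next }
        /^[[:space:]]*(writable|writeable)[[:space:]]*=/ { w = tolower($NF) }
        /^[[:space:]]*read only[[:space:]]*=/ { w = (tolower($NF) == "yes") ? "no" : "yes" }
        /^[[:space:]]*valid users[[:space:]]*=/ { v = "set" }
        /^[[:space:]]*browseable[[:space:]]*=/ { b = tolower($NF) }
        END { emit() }'
}

# Writable shares with no valid users list.
unrestricted_writable_shares() {
    share_table "$1" | awk '$2 == "yes" && $3 == "-" { print $1 }'
}

# Shares hidden from browse lists (still reachable by \\server\share).
hidden_shares() {
    share_table "$1" | awk '$4 == "no" { print $1 }'
}

# For the live config: unrestricted_writable_shares "$(cat /etc/samba/smb.conf)"
echo "writable shares with no valid users restriction:"
unrestricted_writable_shares "$SMB_CONF"
echo "shares hidden from browse lists:"
hidden_shares "$SMB_CONF"
```

The parser only tracks the four parameters the posts use; `testparm -s` remains the authoritative way to see the full effective configuration, including defaults inherited from [global].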
TO FIND OUT THE STATUS OF A FILE IN LINUX
# stat smb.conf
OUTPUT:
File: `smb.conf'
Size: 10041 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 1901530 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-17 07:12:01.000000000 +0530
Modify: 2010-06-17 07:09:52.000000000 +0530
Change: 2010-06-17 07:09:52.000000000 +0530
STEPS TO SHARE PRINTER FROM LINUX TO WINDOWS.
1. Connect the printer and share it properly for all hosts.
2. Restart the smb daemon.
3. Samba reads the /etc/printcap file.
4. Search for the printer from Windows. You will find it there.
The section of smb.conf responsible for sharing printers is as follows.
load printers = yes
// Load the printers from CUPS.
cups options = raw
// This option assumes the Windows client has its own driver for the printer, so Samba passes the jobs through to CUPS unmodified.
; printcap name = /etc/printcap
printing = cups
NOTE: The driver for the shared printer should be installed on the Windows host.
INSTALLING NEW KERNEL FROM THE SOURCE
Download the latest kernel from http://www.kernel.org
# wget -c http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.tar.gz
# tar xvzf linux-2.6.33.tar.gz
# cd linux-2.6.33
# cp /boot/config-`uname -r` .config
# make menuconfig
# make bzImage
# make modules
# make modules_install
# make install
Friday, September 17, 2010
IPTABLES SCRIPT THAT CAN BE USED IN GATEWAYS
#!/bin/sh
LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"
/sbin/modprobe ip_conntrack_ftp
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# $IPTABLES -A FORWARD -i $LAN -s 192.168.0.0/24 -p tcp --destination-port 80 -j DROP
$IPTABLES -A FORWARD -i $LAN -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -o $LAN -d 192.168.0.0/24 -j ACCEPT
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block new HTTP connections arriving on the Internet interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state --state NEW -j DROP
# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# Allow ssh arriving on the INTERNET interface, both to the gateway itself and forwarded into the LAN
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# Allow FTP connections FROM LAN to INTERNET
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT
# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state --state NEW -j ACCEPT
# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP
# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP
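A review helper for rule sets like the one above, as an added example that is not part of the original post. It reads the text of an iptables script and reports two things a reviewer looks for first: rules that accept NEW connections arriving on the Internet interface (the script above has two, for port 22 on INPUT and on FORWARD), and built-in chains whose last rule is not a DROP or LOGDROP, so that unmatched traffic falls through to the chain's default policy (above, only INPUT ends in LOGDROP). `RULESET` is a constructed excerpt of the page's script, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint an iptables script's text.
# RULESET is a constructed excerpt so the functions run without iptables.
RULESET='$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -j LOGDROP'

# Drop comment lines so commented-out rules are not reported.
active_rules() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#'
}

# Rules that let a NEW connection in from the $INTERNET interface.
inbound_new_from_internet() {
    active_rules "$1" | grep -- '-i \$INTERNET' | grep -- '--state NEW' | grep -- '-j ACCEPT'
}

# Built-in chains whose final appended rule is not DROP or LOGDROP.
chains_without_final_drop() {
    for chain in INPUT FORWARD OUTPUT; do
        last=$(active_rules "$1" | grep -- "-A $chain " | tail -n 1)
        case "$last" in
            *"-j DROP"*|*"-j LOGDROP"*) ;;
            *) echo "$chain" ;;
        esac
    done
}

review_text() {
    echo "NEW connections accepted from the Internet interface:"
    inbound_new_from_internet "$1"
    echo "chains that fall through to their default policy:"
    chains_without_final_drop "$1"
}

# Review a script on disk, e.g. the gateway script saved as /etc/firewall.sh.
review_file() {
    review_text "$(cat "$1")"
}

review_text "$RULESET"
```

The chain check is deliberately textual: it tells you what the script appends, not what the kernel currently holds, so after loading the script confirm the live state with `iptables -L -n -v` and `iptables -t nat -L -n -v`.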