Expat-IT Tech Bits

Home

Contact

Links

Search this site:

Categories:

/ (287)
  Admin/ (122)
    Apache/ (10)
      HTTPS-SSL/ (4)
      PHP/ (3)
      performance/ (2)
    Cherokee/ (1)
    LAN/ (4)
    LVM/ (6)
    Monitoring/ (2)
      munin/ (2)
    SSH/ (6)
    SSL/ (1)
    Samba/ (1)
    VPN-options/ (6)
      OpenVPN/ (1)
      SSH-Proxy/ (3)
      Tinc/ (1)
      sshuttle/ (1)
    backups/ (17)
      SpiderOak/ (1)
      backuppc/ (5)
      dirvish/ (1)
      misc/ (6)
      rdiff-backup/ (1)
      rsync/ (1)
      unison/ (2)
    commandLine/ (24)
      files/ (8)
      misc/ (10)
      network/ (6)
    crontab/ (1)
    databases/ (15)
      MSSQL/ (2)
      MySQL/ (8)
      Oracle/ (3)
      PostgreSQL/ (1)
    dynamicDNS/ (2)
    email/ (11)
      Dovecot/ (1)
      deliverability/ (1)
      misc/ (1)
      postfix/ (7)
      puppet/ (1)
    iptables/ (3)
    tripwire/ (1)
    virtualization/ (9)
      VMware/ (1)
      virtualBox/ (8)
  Coding/ (14)
    bash/ (1)
    gdb/ (1)
    git/ (3)
    php/ (5)
    python/ (4)
      Django/ (2)
  Education/ (1)
  Hosting/ (27)
    Amazon/ (18)
      EBS/ (3)
      EC2/ (10)
      S3/ (1)
      commandline/ (4)
    Godaddy/ (2)
    NearlyFreeSpeech/ (3)
    Rackspace/ (1)
    vpslink/ (3)
  Linux/ (30)
    Android/ (1)
    Awesome/ (3)
    CPUfreq/ (1)
    China/ (2)
    Debian/ (8)
      APT/ (3)
      WPA/ (1)
    audio/ (1)
    encryption/ (3)
    fonts/ (1)
    misc/ (6)
    remoteDesktop/ (1)
    router-bridge/ (3)
  SW/ (45)
    Micro$soft/ (1)
    browser/ (2)
      Chrome/ (1)
      Firefox/ (1)
    business/ (28)
      Drupal/ (9)
      KnowledgeTree/ (6)
      Redmine/ (2)
      SugarCRM/ (7)
      WebERP/ (2)
      WordPress/ (1)
      eGroupware/ (1)
    chat/ (1)
    email/ (1)
    fileSharing/ (2)
      btsync/ (1)
      mldonkey/ (1)
    graphics/ (2)
    research/ (2)
    website/ (6)
      blog/ (6)
        blosxom/ (3)
        rss2email/ (1)
        webgen/ (1)
  Security/ (15)
    IMchat/ (2)
    circumvention/ (2)
    cryptoCurrency/ (1)
    e-mail/ (4)
    greatFirewall/ (1)
    hacking/ (1)
    password/ (1)
    privacy/ (2)
    skype/ (1)
  Services/ (1)
    fileSharing/ (1)
  TechWriting/ (1)
  xHW/ (14)
    Lenovo/ (1)
    Motorola_A1200/ (2)
    Thinkpad_600e/ (1)
    Thinkpad_a21m/ (3)
    Thinkpad_i1300/ (1)
    Thinkpad_x24/ (1)
    USB_audio/ (1)
    scanner/ (1)
    wirelessCards/ (2)
  xLife/ (17)
    China/ (9)
      Beijing/ (5)
        OpenSource/ (3)
    Expatriation/ (1)
    Vietnam/ (7)

Archives:

  • 2016/07
  • 2016/05
  • 2016/02
  • 2016/01
  • 2015/12
  • 2015/11
  • 2015/06
  • 2015/01
  • 2014/12
  • 2014/11
  • 2014/10
  • 2014/09
  • 2014/07
  • 2014/04
  • 2014/02
  • 2014/01
  • 2013/12
  • 2013/10
  • 2013/08
  • 2013/07
  • 2013/06
  • 2013/05
  • 2013/04
  • 2013/02
  • 2013/01
  • 2012/12
  • 2012/10
  • 2012/09
  • 2012/08
  • 2012/07
  • 2012/06
  • 2012/05
  • 2012/04
  • 2012/03
  • 2012/01
  • 2011/12
  • 2011/11
  • 2011/10
  • 2011/09
  • 2011/08
  • 2011/07
  • 2011/06
  • 2011/05
  • 2011/04
  • 2011/02
  • 2010/12
  • 2010/11
  • 2010/10
  • 2010/09
  • 2010/08
  • 2010/07
  • 2010/06
  • 2010/05
  • 2010/04
  • 2010/03
  • 2010/02
  • 2010/01
  • 2009/12
  • 2009/11
  • 2009/10
  • 2009/09
  • 2009/08
  • 2009/07
  • 2009/06
  • 2009/05
  • 2009/04
  • 2009/03
  • 2009/02
  • 2009/01
  • 2008/12
  • 2008/11
  • 2008/10
  • 2008/09
  • Subscribe XML RSS Feed

    Creative Commons License
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
    PyBlosxom

    This site has no ads. To help with hosting, crypto donations are accepted:
    Bitcoin: 1JErV8ga9UY7wE8Bbf1KYsA5bkdh8n1Bxc
    Zcash: zcLYqtXYFEWHFtEfM6wg5eCV8frxWtZYkT8WyxvevzNC6SBgmqPS3tkg6nBarmzRzWYAurgs4ThkpkD5QgiSwxqoB7xrCxs

    Thu, 31 May 2012


    /Admin/iptables: How to Delete an iptables Rule

    For instance, suppose we are blacklisting this IP:

    DROP all -- 224.33.200.440 anywhere

    First get the iptables listing with line numbers:

    $ iptables -L --line-numbers
    
    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  203-173-249-170.dsl.dyn.ihug.co.nz  anywhere            
    2    DROP       all  --  224.33.200.440       anywhere
    3    DROP       all  --  60.247.102.150       anywhere
    4    DROP       all  --  60.213.51.50         anywhere
    etc....
    

    And then just drop (in this case) line #2:

    iptables -D INPUT 2

    posted at: 03:19 | path: /Admin/iptables | permanent link to this entry

    Wed, 20 Jul 2011


    /Admin/iptables: Build A Router With iptables

    This[1] is a deeper reference, but it did not quite get the job done for me. (Nor did a lot of other recipes I looked at either, for that matter....) The "Example Scenario: SOHO" here[2] got me a working router.

    First make sure forwarding is enabled in your router OS. The standard way to do this on Debian is to edit /etc/sysctl.conf to turn on net.ipv4.ip_forward. My machine is not a full-time router, so I added a

    up echo 1 > /proc/sys/net/ipv4/ip_forward
    line to the /etc/network/interfaces clause that brings up my internal LAN interface, ie.
    iface static inet static
      address 10.1.1.1
      netmask 255.255.255.0
      network 10.1.1.0
      broadcast 10.1.1.255
      up echo 1 > /proc/sys/net/ipv4/ip_forward
    

    Then I added these lines to my "basic firewall":

    -A POSTROUTING -o eth0 -j MASQUERADE
    
    -A INPUT -s 10.1.1.0/24 -i eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.1.1.0/24 -i eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -d 10.1.1.0/24 -i eth0 -m state --state ESTABLISHED -j ACCEPT
    -A OUTPUT -d 10.1.1.0/24 -o eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    

    where eth0 is the outward/WAN interface, eth4 is the inward/LAN interface, and 10.1.1.0/24 is the IP address block used on the LAN. Note that only ESTABLISHED, not NEW, connections are allowed to come in on eth0/WAN.

    To configure DHCP[3] add this line to rules.v4:

    -A INPUT -i eth4 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
    and
    apt-get install dnsmasq

    Just configure the dhcp-range in /etc/dnsmasq.conf, ie.

    dhcp-range=10.1.1.50,10.1.1.150,12h

    and it should be all ready to go.

    [1] http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Masquerading_.28Many_to_One_NAT.29
    [2] http://fedorasolved.org/Members/kanarip/iptables-howto
    [3] http://www.faqs.org/docs/iptables/lettingdhcprequests.html

    posted at: 23:52 | path: /Admin/iptables | permanent link to this entry

    Tue, 21 Jun 2011


    /Admin/iptables: Build A Basic Firewall with iptables

    This seems like a good starting point[1], blocking everything except SSH, established, loopback, and outgoing connections:

    iptables -P INPUT ACCEPT
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -L -v
    /etc/init.d/iptables-persistent save
    

    On my Debian system, the last "save" line puts a reloadable copy of the current running iptables rules in /etc/iptables/rules.v4 & /etc/iptables/rules.v6. Thereafter, it is also possible (advisable?) to edit these files directly to add/modify rules. For instance to open up the http port, add the following line to /etc/iptables/rules.v4:

    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    Then load the new ruleset using:
    iptables-restore < rules.v4

    [1] http://wiki.centos.org/HowTos/Network/IPTables

    posted at: 05:56 | path: /Admin/iptables | permanent link to this entry