Etikettarkiv: linux

IP-Tables control of traffic by Country

Recently I have had quite a few bouts with people trying all sorts of nefarious things with my VPS from various places in the world. I realized the best way is to take whole countries out of the equation and I wanted to make this a nice easy way of doing this.

First of all, I soon realized that I needed to be a little bit restrictive but since some of the domains that runs on the server is probably legitimately accessed I wanted to divide all countries up in three categories:

0 – No restrictions
1 – Restricted access, basically just allowing ICMP and http on port 80
2 – Complete blocking, drop all packets

So countries in the 0 class would be Sweden and all countries where there is a reasonable legal system and where I have not yet seen too many attempts on the security from. Class 1 would be places like Russia, where there are legit traffic but also a lot of crap coming from and Class 2 would be china where there is likely no legit traffic and still a lot of attempts on the security.

First of all, you need to get hold of a zone file divided on country by country. This is also called a CIDR file (Classless Internet Domain Routing) where all the IP blocks assigned on an international level are put in the right file. You can find this here. Just download the file with all the blocks in and keep it somewhere. You may want to refresh this now and then, say on a montly basis or so.

I am assuming you already have an iptables script file and that you are just looking at adding this functionality. Open the script file and add the following to it

# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!
echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
  echo "Processing k-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

This script should be placed before any rules that will allow any traffic what so ever!

After this part you place the rules that allows any traffic you wish to allow from the restricted countries and then you place this after those rules:

# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries
echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
  echo "Processing r-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

Now you should create the following directories:

sudo mkdir /etc/iptables
sudo mkdir /etc/iptables/banned-hosts/
sudo mkdir /etc/iptables/restricted-hosts/

Explode the file you downloaded with all the IP Blocks in country by country into the /etc/iptables/banned-hosts/ directory and you should get a bunch of files called af.zone, al.zone and so on. Each of these referrs to a ISO 2 letter country code.

Do not run the iptables script at this point. Start by removing the file for your own country. In my case that would be se.zone for Sweden. Your mileage may vary here. Refer to this page if you do not know the country codes (which are the same as these countries internet domains).

Delete the files that you do not wish to impose any restrictions on.

Move the files for the countries you want to restrict to the /etc/iptables/restricted-hosts/ dir.

Anything remaining when you are done in the /etc/iptables/banned-hosts/ will be denied access when you run your iptables script.

So run the script now, it may take some time.

When you are done run the command iptables-save > /etc/iptables/tables to save your iptables then add the line in /etc/rc.local or some other similar place iptables-restore < /etc/iptables/tables in order to automatically load your tables on boot time.

Full example

echo "### IP-tables ###"

IPTABLES=/sbin/iptables

echo "Default policies."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

echo "Flushing old rules"
$IPTABLES -F
$IPTABLES -X

echo "Create LOGDROP chain"
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG --log-prefix "IPT: DROP " --log-level 7
$IPTABLES -A LOGDROP -j DROP

echo "Create LOGACCEPT chain"
$IPTABLES -N LOGACCEPT
$IPTABLES -A LOGACCEPT -j LOG --log-prefix "IPT: ACCEPT " --log-level 7
$IPTABLES -A LOGACCEPT -j ACCEPT

echo "Create INVALIDDROP chain"
$IPTABLES -N INVALIDDROP
$IPTABLES -A INVALIDDROP -j LOG --log-prefix "IPT: INVALID " --log-level 7
$IPTABLES -A INVALIDDROP -j DROP

echo "Killfile certain IP chain"
$IPTABLES -N BANNED
$IPTABLES -A BANNED -j LOG --log-prefix "IPT: BANNED " --log-level 7
$IPTABLES -A BANNED -j DROP

echo "Create a country block chain"
$IPTABLES -N CBLK
$IPTABLES -A CBLK -j LOG --log-prefix "IPT: CBLK " --log-level 7
$IPTABLES -A CBLK -j DROP

# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!

echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
 echo "Processing k-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

echo "Enabling ICMP"
$IPTABLES -A INPUT  -p icmp -j LOGACCEPT
$IPTABLES -A OUTPUT -p icmp -j LOGACCEPT

echo "Enabling http on standard port"
$IPTABLES -A INPUT  -p tcp --dport http -m state --state NEW         -j LOGACCEPT
$IPTABLES -A INPUT  -p tcp --dport http -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport http -m state --state ESTABLISHED -j ACCEPT

# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries

echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
 echo "Processing r-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

echo "Dropping invalid packets"
$IPTABLES -A INPUT -m state --state INVALID -j INVALIDDROP

echo "Enabling DNS server connections."
$IPTABLES -A INPUT  -p tcp --sport domain -j ACCEPT
$IPTABLES -A INPUT  -p udp --sport domain -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT

echo "Enabling NTP server connections."
$IPTABLES -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW         -j LOGACCEPT

echo "Applying rules for inbound and outbound ssh"
$IPTABLES -A INPUT  -p tcp --dport gopher -m state --state NEW         -j LOGACCEPT
$IPTABLES -A INPUT  -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT  -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT

echo "Applying rules for outbound ssh standard port"
$IPTABLES -A INPUT  -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT

echo "Enabling https traffic out from this machine"
$IPTABLES -A INPUT  -p tcp --sport 443  -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT  -p tcp --sport 443  -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443  -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443  -m state --state NEW         -j LOGACCEPT

echo "Dropping all other input packets."
$IPTABLES -A INPUT -j LOGDROP

echo "Done."

echo "IPV6 setting policy"

/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT DROP
/sbin/ip6tables -P FORWARD DROP

echo "IPV6 flushing tables"

/sbin/ip6tables -F

echo "IPV6 Done."

Netflix under Ubuntu 14.04

Det går utmärkt att köra Netflix under Ubuntu Linux 14.04 exempelvis. Har ingen anledning att tvivla på att det inte skulle fungera på andra varianter av Linux heller.

Netflix har ingen officiell applikation för Linux och det går inte köra i den vanliga webläsaren oavsett vad du kör eftersom det kräver en plattform som inte finns för Linux nämligen Microsoft Silverlight. Men Linux är ju förstås vänligt att hacka och det finns folk som har tagit fram en Silverlightemulator mm och projektet heter  Pipelight vilket löser det mesta åt en. Det är troligen det enklaste sättet att få in något som kan spela Silverlight och projektet Pipelight verkar fungera bra även om det är i betastadiet fortfarande.

Installera pipelight genom följande kommandon:

sudo apt-add repository ppa:pipelight/stable
sudo apt-get update
sudo apt-get install pipelight-multi

Därefter så skall vi slå på och konfigurera Silverlight:

sudo pipelight-plugin --enable silverlight

Därefter installerar vi själva netflixapplikationen som egentligen körs i Wine (en windowsemulator under Linux):

sudo apt-get install netflix-desktop

Nu när det är installerat kan du öppna unity och skriva Netflix eller så och köra.  Första gången kommer Wine säga att det saknas ett antal komponenter men den kommer också installera dem åt dig om du svarar att du vill det och om allt går väl skall du snart ha en Netflix på din Ubuntu och kunna njuta av alla filmer och tv-serier.

netflix-ubuntu-screenshot-launcher

Du behöver förstås fortfarande ett abonnemang hos Netflix, det löser vi inte med några kommandon inte :) Jag har precis provkört det på min Ubuntu 14.04 och det fungerar helt klockrent. Se till också att du har uppdaterade drivrutiner för ditt grafikkort så det kan nyttja 2D-acceleration så kommer det gå bra. Min maskin jag provkört på är inget fartvidunder, Nvidia 9700 och Dual Core-2 Duo men det rullar på helt ok.

Samba does not start on boot in my Linux

Remember you can always check the status of samba using the commands

# service smbd status
# service nmbd status

I found that they where running and started as they should but still did not accept connections. The bind interfaces in my samba.conf file is the interfaces rather than the ip address but it does not seem to solve the problem. However restarting samba did solve the problem and I nailed it down to the ”Samba IP sensitivity problem”.

Samba really does not like when you use DHCP for the server and even if you set it up so that it always gets the same IP from the DHCP server it does not matter, Samba does not like it.

The simple solution to this is to add the two following lines to the last part of /etc/rc.local which is the script that runs last upon boot.

service smbd restart
service nmbd restart

However, also changing your networking setup to fixed IP generally works well, this is in case you do not want to do that or can’t do that.

Another way would be to change it to the dhcp lease script so when the samba server gets a new lease, an automatic restart of the related daemons happen. However, that would also interrupt any service being served at the moment and break long file transfers or streams. I would therefore advice against it.

The best solution so far is to use a fixed IP. The above workaround is a kludge. You have been warned.

Running Samba in Linux in less than 5 minutes

So you want to share files over the network with perhaps windows machines or you want to be able to have networked file systems that are not requiring Kerberos to become secure but there are something fishy going on with your Samba installation?

Read on, here is the recipe to get it going. First of all make sure you have samba installed. An easy way to check this is to type the following two comnmands:

# service smbd status
 smbd start/running, process 27562
# service nmbd status
 nmbd start/running, process 27540

If either of those are not running, please install the samba package on your machine according to your OS recommendations, it may differ slightly depending on Linux distribution.

When you are done with this it’s time to modify the configuration file for Samba. Use your favorite editor (as root) and start by backing up your original configuration file.

# cp -a /etc/samba/smb.cfg /etc/samba/smb.bak

Then start your favorite editor and start off with this configuration:

[global]
 workgroup = WORKGROUP # change this to be unique on your network
 domain master = yes # there can only be one master
 local master = yes
 preferred master = yes
 os level = 65

 server string = %h server (Samba, Ubuntu)
 name resolve order = bcast host

 interfaces = 127.0.0.1 lo eth0
 bind interfaces only = yes

 log file = /var/log/samba/log.%m
 max log size = 10000
 syslog only = no
 syslog = 0

 map to guest = bad user

[guest]
 comment = networked file system
 path = /mnt/guest # set this to your preferred place
 read only = yes
 guest ok = yes

[anders]
 comment = private file system for anders
 path = /home/anders # be careful with your home folders
 read only = no
 guest ok = no
 valid users = anders

[google-drive]
 comment = private file system anders
 path = /mnt/raid/google-drive # another folder requiring password
 read only = no
 guest ok = no
 valid users = anders

[upload]
 comment = put your upload here
 path = /mnt/raid/upload # something where anyone can upload
 read only = no
 valid users = %S

Make sure the folders you have pointed out are actually valid folders. Then create the users needed to access the system:

# smbpasswd -a username

Type the password and create the users needed as per the shares that you have defined above. The valid users = %S means any user in the system can use that if they give the right password. To delete users from your samba system when no longer needed

# smbpasswd -x username

Next thing is to restard the name server for Samba and the actual server daemon:

# service nmbd restart
nmbd stop/waiting
nmbd start/running, process 28297
# service smbd restart
smbd stop/waiting
smbd start/running, process 28309

When this is done you should be able to connect giving the right username/password or as a guest if you have created the shares for the guest accounts.

Mounting the smb file system on a command line is done like this:

# mount -t cifs //server.name.or.ip/share /mnt/share -o username=yourname

If needed it will ask for your password also.

To list shares on an SMB server, use the following:

# smbclient -L //server.name.or.ip/ -U user%pass

You can skip -U user%pass if you prefer working as guest.

This should get you up and running easily. It’s not sophisticated and you have to manually work the passwords and they are not synced with with the rest of the users on the local machine, that is more complex to set up, this was meant to be a quick starter to get you going.

If you need to list the users in the database (to remove any you do not want any more) you can use the command:

# pdbedit -L

Read the man page for more information.

Linux snapshots med rsync

En klurig sak man kan göra för att ordna med snapshots om filsystemet man använder inte stöder det är att göra ett lokalt backupskript som genererar sådana med jämna mellanrum. Men för att spara diskplats skulle man ju vilja ha möjligheten att bara spara förändringarna mellan varje snapshot samtidigt som det vore lätt att gå tillbaka t.ex. tre dagar i tiden utan problem.

Detta kan lösas med hårda länkar i Linux och det finns en hel del skrivet om det på nätet. Det intressanta med hårda länkar är att en fil som är länkad på det sättet fortsätter existera tills den sista länken är borttagen. Det är alltså ingen som helst skillnad mellan en hård länk och den egentliga filen.

Om du skapar fil A och sedan hårdlänkar den till fil B så är A och B på riktigt alltså samma fil. Om du ändrar A så ändras också B. Däremot om du raderar A så raderas inte B, länken är då bruten och man kan säga att B är lika mycket originalfilen som A en gång var. Nu kommer det riktigt intressanta: Om du skriver en ny fil A så existerar den separat från B. Länkningen mellan dem är bruten från när du raderade den.

En fil raderas egentligen aldrig men när den har 0 hårda länkar är den inte längre åtkomlig och platsen den tog upp på disken är nu fritt villebråd för andra filer att använda.

Ett intressant fenomen med rsync är att när den skriver filer gör den alltid delete på dem först! Eller egentligen gör den ”unlink”, det är ju ett bättre namn. Därför kan vi börja med att göra en rsync på filerna vi vill bevara. Exempelvis är det vanligt att man vill backa upp /etc /home /root i ett Linux-system.

Först skapar vi någonstans att hållas:

# mkdir /bup
# chown root:root /bup
# chmod 700 /bup

Därefter kan vi synka katalogerna till /bup/snapshot med kommandot:

# cd /bup
# rsync -a --delete /etc /home /root /bup/snapshot/

Om vi kör ovanstående (som root) kommer vi få en backup på de tre utpekade katalogerna i /bup/snapshot och de kommer vara kopior av de riktiga filerna. Nu kommer finessen. När vi vill spara vår snapshot kopierar vi dem men gör bara hårdlänknin från kopian. Genom att göra detta tar vi inte upp nämnvärt med displats och vi länkar till samma data på disken!

# cp -al snapshot snapshot.1

Du kan verifiera detta genom att slå

# du -sh *

Du kommer då se att det är betydligt mindre data i snapshot.1 än i snapshot och det beror på att det är bara länkarna i sig som vi har sparat på.

Nästa steg är att ta en ny snapshot med rsynk. När vi gör det kommer länkarna mallan snapshot och snapshot.1 att brytas i de filer som rsync uppdaterar eftersom den gör först unlink, sedan skriver en ny fil till den!

Om vi vill ha dagliga snapshots som roterar t.ex. tre dagar bakåt i tiden kan vi köra detta skript:

#!/bin/bash

cd /bup

if [ -x snapshot.2 ]; then
    mv snapshot.2 snapshot.3
fi

if [ -x snapshot.1 ]; then
    mv snapshot.1 snapshot.2
fi

if [ -x snapshot ]; then
    cp -al snapshot snapshot.1
fi

rsync -a --delete /etc /home /root /bup/snapshot/

Lägg sedan upp detta som ett cronjobb genom att redigera crontab (som root) med

# crontab -e

Lägg sedan till en rad exempelvis:

00 04 * * *     /root/backup-daily

Spar sedan skriptet ovan som /root/backup-daily så körs det kl 4 varje morgon så du alltid har en snapshot att gå tillbaka till om du gjort något klantigt i din hemkatalog…

 

Your favourite prompt

Today’s Bash tip. Create a prompt that changes face depending on the return code of your last command. As long as the return code is OK you get a happy face. When it is false you get a sad one.

Open and edit the .bashrc file in your home directory and enter the following:

PS1="\u@\h:\[\e[33m\]\w\[\e[0m\] \[\`if [[ \$? = "0" ]]; \
then echo '\e[32m=)\e[0m'; else echo '\e[31m=(\e[0m' ; fi\`\] \$ "

Have fun.

Operating Systems I can not forget

Computer Sweden is running an article about nine operating systems that everyone who was a part of the personal computer revolution can not forget about.

TeleNova Compis
TeleNova Compis

First out is CP/M. I loved this OS, I was the first OS and micro computer I ever got in touch with in 7th grade in school. The actual machine was a Compis Telenova computer that was equipped with an Intel 80186 CPU running at 8 MHz. Later versions such as Compis II could also run MS-DOS early versions. The computer was ordered and sponsored by the state own telephone company, ”Televerket”, and was aimed to be an educational computer that could be used in schools. It was cheaper than IBM PC machines at the time and it had graphics that was way beyond what most other computers had. The original COMPIS was monochrome (green or amber) but there later came colour versions with upgrader 16 colour graphic cards. The entire machine was developed by a Swedish company Teli and the school where I was attending my 7th to 9th grade used these machines.

I learned my firs programming skills on these machines, they were equipped with a language called COMAL which was a cross between a traditional BASIC interpreter but with several add-ons borrowed from Pascal, making it a language with modern loop constructs and everything needed to teach basic programming to students. Actually a quite good language in itself – it even had built-in commands to do ”turtle graphics” a special way of programming graphics where you move a a virtual pen around a drawing board with command such att GOTO 320,480; PENDOWN; DRAWLINE -100,0; PENUP; GOTO 0,480; and so on. How many computers in 1985 could do graphics with 1280×800 pixels (monochrome) or 640×400 in colour? I later got a Commodore VIC-20 computer at home and I found it rather marvellous how different they were. I tried my best writing essays and stuff on the Commodore but it just screamed ”play games” and later ”learn how to make games”…

Then came the IBM PC machines with DOS. It was felt that DOS was a superior operating system, I don’t think it was technically better than CP/M and actually suffered from some of the same limitations and had even some drawbacks CP/M lacked. But it was picked up by IBM from a small upstart company called Microsoft and the rest is history. When I attended college the IBM machines started become increasingly popular and the PS/2 was the choice of most schools. During this time I used a Commodore 128D at home at this time, I had learned 6502 assembler and could do quite a bit of ”demos” programming. Techniques such as using interrupts for timing, programming the VIC and SID chips and so on was mastered during these days :)

Other people used Mac OS at this time, but I never had a Mac, liked them or came anywhere around where they where being used. In fact I think the only one in the school was in the music lab for the musicians to use as a MIDI controller.

Amiga OS 1.3 Workbench
Amiga OS 1.3 Workbench

Then came the Amiga. The revolution was complete. A proper, unix influenced OS, that was really powerful, came with enough tools to make a difference out of the box and friendly to be programmed and used, borrowing menu systems and ideas from both X-Windows System and Mac OS ”System” together with a powerful handling of various devices and a great shell command line interface. I loved my Amiga, I used it way into 1996 even though I had a 386SX 25 with 20 MB of memory (quite a lot in those days) but the Amiga was always the number one computer. I did BASIC and 68000 assembly language programming on it and this was the place where I learned C. The great language that is still my favourite among programming languages, one of the most versatile and useful languages. Hated and loved equally but never disputed as a very useful language I hacked away on a Lattice 3.1 compiler on the Amiga.

Then there was OS/2, a joint venture between IBM and Microsoft that went belly-up and the last thing I ever saw from it was in Arlanda airport around 1996 when they used it on the gate computers. MS Windows had already taken over completely, even at version 3.11 it was becoming the standard for the IBM PC computers. I never used any of those myself, I was already into Linux which was running on my 386 alongside with Amiga OS on the Amiga 500 I loved so dearly.

Linux of course! What a revolution! My first distribution was a bunch of diskettes called ”Slackware” which I installed. Finally you could hack your own kernel, I managed to run this on various architectures including the strange Micro-Channel Architecture that IBM put into some computers just to make a mess of the IDE interface, and I have been using Linux for most serious tasks ever since together with Windows 95 and now Windows XP. Not doing Vista just yet…