Wednesday, October 28, 2009

Simple firewall for Ubuntu using iptables

Linux's built-in firewall iptables is very useful, but pretty hard to configure. I used to use lokkit, but this caused problems when moving between different networks. I was also having problems with the network configuration tools in Ubuntu, which work but aren't automatic enough for me. And I wanted to be able to switch the firewall and the network configuration simultaneously.

In the end, I bit the bullet and worked out how to write a simple iptables script. Here it is:
#!/bin/bash
# flush all chains
iptables -F
# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop all other unsolicited UDP and all new TCP connections (SYN) arriving on the Ethernet interfaces
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP
# accept anything on localhost (lo is not matched by the eth+ rules above)
iptables -A INPUT -i lo -j ACCEPT


I have network interfaces on eth0 and eth1, so this script has rules which cover both (the eth+ wildcard matches every interface whose name starts with eth); if your interfaces have different names, you will need to edit the rules accordingly. This drops all incoming UDP and all new incoming TCP connections on those interfaces, except for traffic belonging to connections which were initially established by my outgoing packets (thanks Luke! - see comments); which means it's no good for servers.

I put this script in /opt/scripts/iptables.script and made it executable. Once you run it, you can find out whether it has worked by displaying your current iptables rules with:
sudo iptables -L -v


I then created a simple init script to start/stop the firewall (in /etc/init.d/firewall):
#!/bin/bash
if [[ $1 == start ]] ; then
sudo /opt/scripts/iptables.script
else
sudo iptables -F
fi

Then I symlinked this into my /etc/rc.* directories using the update-rc.d tool, so the firewall starts before the network comes up:
update-rc.d firewall start 20 2 3 4 5 . stop 99 0 1 6 .


I find having this script helps me a lot. I have it integrated with a start/stop script with my network, so I can easily switch network and firewall configuration from the command line.
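As an added example (not the post's own script), here is the same desktop policy written out for iptables-restore, which loads the whole table in one atomic step instead of leaving the default ACCEPT policy in force between the flush and the last append. It takes the interface names as arguments rather than relying on the eth+ wildcard, and goes one step beyond the original by also dropping packets that belong to no tracked connection.

```shell
#!/bin/sh
# Added example: emit the post's desktop firewall policy in iptables-restore
# format for the interfaces given as arguments.
# Usage: gen_rules eth0 eth1 > /tmp/fw.rules && sudo iptables-restore < /tmp/fw.rules
gen_rules() {
    iface=""
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    # loopback first, so local services are never caught by the drops below
    echo '-A INPUT -i lo -j ACCEPT'
    # replies and related traffic for connections we opened ourselves
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # packets that belong to no tracked connection (stray ACKs, bad flag sets);
    # the original script lets these fall through to the ACCEPT policy
    echo '-A INPUT -m state --state INVALID -j DROP'
    # per interface: no unsolicited UDP, no new inbound TCP connections
    for iface in "$@"; do
        echo "-A INPUT -i $iface -p udp -j DROP"
        echo "-A INPUT -i $iface -p tcp --syn -j DROP"
    done
    echo 'COMMIT'
}

# Number of DROP rules in the generated ruleset: one INVALID rule plus two per interface.
count_drops() {
    gen_rules "$@" | grep -c -- '-j DROP'
}

# Print the ruleset when interface names are given on the command line.
if [ $# -gt 0 ]; then
    gen_rules "$@"
fi
```

After loading, `sudo iptables -L -v` shows the same chains as the post's script, plus the INVALID rule.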

Friday, October 23, 2009

How to Setup Transparent Squid Proxy Server in Ubuntu

Install Squid

Install squid and squid-common

sudo aptitude install squid squid-common

Edit the squid config file.

sudo vi /etc/squid/squid.conf

Set the allowed hosts (where 192.168.0.0/24 is your IP range):

acl internal_network src 192.168.0.0/24
http_access allow internal_network

Set the correct permissions.

sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf

You will need to restart squid for the changes to take effect.

sudo /etc/init.d/squid restart

Now open up your browser and set your proxy to point to your new squid server on port 3128.

Authentication

If you wish to use authentication with your proxy, you will need to install the apache2-utils package (it provides htpasswd):

sudo aptitude install squid squid-common apache2-utils

To add your first user you will need to specify -c, which creates the password file:

sudo htpasswd -c /etc/squid.passwd first_user

Thereafter you add new users with:

sudo htpasswd /etc/squid.passwd another_user

Edit the squid config file

sudo vi /etc/squid/squid.conf

Set the authentication parameters and the ACL:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic children 5
auth_param basic realm NFYE Squid proxy-caching web server
auth_param basic credentialsttl 3 hours
auth_param basic casesensitive off

acl users proxy_auth REQUIRED

acl sectionx proxy_auth REQUIRED

http_access allow users

So this is what your squid.conf should look like:

acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl sectionx proxy_auth REQUIRED
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
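Squid evaluates http_access lines top-down and stops at the first line whose ACL terms all match, so the order above decides who gets through. As an added example (not from the post), here is a small Python model of that evaluation over the post's ACL order, so you can check a configuration before deploying it; it shows, for instance, that a LAN client is admitted by `allow internal_network` without credentials and before the Safe_ports and CONNECT checks are reached. The 407 challenge behaviour is not modelled.

```python
import ipaddress

# Constructed squid.conf fragment: the post's ACLs and http_access lines, in the post's order.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow users
http_access allow internal_network
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

def parse(conf):
    """Collect ACL definitions (one name may span several lines) and the http_access list."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    # req: src (client IP), authed (credentials accepted?), port (int), method; only these types are modelled
    for kind, args in acls.get(name, []):
        if kind == "src" and any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(a, strict=False) for a in args):
            return True
        if kind == "proxy_auth" and req["authed"]:
            return True
        if kind == "port" and any(int(lo) <= req["port"] <= int(hi or lo)
                                  for lo, _, hi in (a.partition("-") for a in args)):
            return True
        if kind == "method" and req["method"] in args:
            return True
    return False

def http_access(acls, rules, req):
    """First line whose terms all match decides ('!' negates); no match -> opposite of the last line."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def decide(src, authed, port, method="GET"):
    return http_access(*parse(SQUID_CONF), {"src": src, "authed": authed, "port": port, "method": method})
```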

Redirect all HTTP traffic

If you would like to redirect all HTTP traffic through the proxy without having to set up a proxy manually in all your applications, you will need to add some iptables rules:

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

where eth1 and eth0 are the LAN and WAN devices respectively, and 192.168.0.1 is the IP address of your LAN device.

Solved: 407 Proxy Authentication Required (Feisty)

In both of the following, set "Direct Internet Connection":
1. System->Preferences->Network Proxy
2. System->Administration->Synaptic Package Manager->Settings->Preferences->Network

Then create the file:
/etc/apt/apt.conf

add the following lines:
Acquire::http::Proxy "http://username:password@proxy:port";
Acquire::ftp::Proxy "ftp://username:password@proxy:port";


and save the file. Note that this stores the proxy password in clear text in a file that is normally readable by every local user.

In the terminal run:
sudo apt-get update

Both apt and Synaptic should work now. (You might need to restart your networking or your PC.)

Friday, September 11, 2009

Updating the ports system

We install:
/usr/ports/ports-mgmt/portaudit

This tool places practically no load on memory and starts as a single binary.

portaudit -a - prints a vulnerability report for the installed ports
portaudit -C - prints a vulnerability report for the port in the current directory
portaudit -F - downloads the latest ports vulnerability database
portaudit -q - "quiet" mode
portaudit -d - shows when the ports database was last downloaded
portaudit -V - shows its own version
portaudit -v - verbose mode
portaudit -X days - downloads the database if it is older than "days"
portaudit -f - checks the packages described (listed) in a file
portaudit <package> - information on the holes in a specific package
portaudit -r - I didn't quite understand this one myself.. It is used for testing new inclusions.

In /etc/make.conf we add:
DISABLE_VULNERABILITIES=yes


We also install:
/usr/ports/ports-mgmt/portupgrade

now we can update the ports like this:
portupgrade


portinstall

For individual packages:
portversion -v


To create the database needed by the utilities used below, we have two options:
portsdb -Fu
- fetches it from the official sites, where it is refreshed every 2 hours
or
portsdb -Uu
- builds it locally; the process takes some time

Friday, July 3, 2009

Installing cPanel

Installing cPanel / WHM

First of all, connect to the server via SSH (PuTTY is very useful).

Then, from the command line, run:

  • cd /home
  • wget http://layer1.cpanel.net/latest (downloads the latest cPanel version)
  • sh latest (runs the installer from the archive)
  • /usr/local/cpanel/cpkeyclt (activates the licence after installation)

Wednesday, March 11, 2009

Linux - 9 years ago


What did Linux look like 9 years ago? Do you still remember? GNOME was boxy, KDE looked half-baked, and the applications considered top-of-the-line at the time now make us smile. I still remember how lost I was back in 2000, working in a Mandrake, trying to get XMMS to recognise MP3s. It took me two days to realise I had to enable a plugin. Well - no net.
Click here for a session of wading through the river of memories.

Ubuntu 9.10 will be called Karmic Koala

Mark Shuttleworth yesterday made public the name and the goals of version 9.10 of the Ubuntu distribution, which will be called Karmic Koala. Like the previous versions, it will be available in two editions, one for servers and the other for desktops. A version intended for notebooks, Ubuntu Netbook Edition, will also be derived from the desktop version.

Among the novelties awaiting us in the new version are a replacement for Usplash (most likely Red Hat's Plymouth), a new GTK theme without brown shades and (as usual) better boot times.

Ubuntu version 9.10 will (of course) be released in October 2009.