Iptables-apply or how to avoid unnecessary site visits when changing firewall configuration

Today’s post is definitely of the short and sweet variety. I happened across the file list for iptables the other day and noticed a binary I had not come across before: “iptables-apply”. Iptables-apply is a script that applies firewall rules and then waits a configurable amount of time for user input confirming that the changes were successful. In other words, if you aren’t a perfect admin (who is, right?) and manage to accidentally lock yourself out by putting an iptables rule in wrong, iptables-apply will automatically revert to the previous set of rules and you’ll get access again.

Could’ve saved me literally some diesel over the past few years that one!

From the iptables-apply man page:

iptables-apply will try to apply a new ruleset (as output by iptables-save/read by iptables-restore) to iptables, then prompt the user whether the changes are okay. If the new ruleset cut the existing connection, the user will not be able to answer affirmatively. In this case, the script rolls back to the previous ruleset after the timeout expired. The timeout can be set with -t.

This has the advantage over Shorewall in that Shorewall will only keep existing connections open when new rules are applied. If you happen to lose connectivity, tough luck, Shorewall will obediently block further connections on your borked firewall.
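To make the save/apply/confirm/rollback sequence the man page describes concrete, here is an added example, written for this page and not taken from the post or from the iptables package: a small bash function that does the same job as iptables-apply. The SAVE_CMD and RESTORE_CMD variables are an assumed hook so the function can be exercised against stand-in commands; on a real host they default to iptables-save and iptables-restore. The sample ruleset written by write_sample_ruleset is constructed for the example (and uses a single multiport rule where three separate rules would otherwise be needed).

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or the iptables package.
# Re-implements the iptables-apply idea: snapshot the working rules, load the
# new ones, wait a bounded time for the operator to confirm the session still
# works, and restore the snapshot if no confirmation arrives.
# SAVE_CMD/RESTORE_CMD are assumed hooks for testing; leave them unset on a
# real host so the iptables tools are used.

: "${SAVE_CMD:=iptables-save}"
: "${RESTORE_CMD:=iptables-restore}"

# Writes a constructed ruleset in iptables-save format to the file named in $1.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
COMMIT
EOF
}

# apply_with_rollback NEW_RULESET_FILE [TIMEOUT_SECONDS]
# Returns 0 if the operator confirmed the new rules, 1 if they were rolled
# back, 2 if the running ruleset could not be saved, 3 if the new ruleset
# failed to load (in which case the kernel still has the old rules).
apply_with_rollback() {
    local new_rules=$1 timeout=${2:-10} backup answer=""
    backup=$(mktemp) || return 2

    # 1. Snapshot the rules that are known to work.
    if ! "$SAVE_CMD" > "$backup"; then
        rm -f "$backup"; return 2
    fi

    # 2. Load the candidate ruleset.
    if ! "$RESTORE_CMD" < "$new_rules"; then
        rm -f "$backup"; return 3
    fi

    # 3. Ask for confirmation, but only wait $timeout seconds.
    #    bash has read -t; under a plain POSIX sh fall back to coreutils timeout.
    printf 'New rules loaded. Can you still reach this host? [y/N] (%ss): ' "$timeout"
    if [ -n "$BASH_VERSION" ]; then
        read -r -t "$timeout" answer || answer=""
    else
        answer=$(timeout "$timeout" head -n 1 2>/dev/null || true)
    fi
    if [ "$answer" = "y" ]; then
        echo "Keeping new ruleset."
        rm -f "$backup"
        return 0
    fi

    # 4. No answer (connection cut) or a negative answer: roll back.
    echo "No confirmation; restoring previous ruleset."
    "$RESTORE_CMD" < "$backup"
    rm -f "$backup"
    return 1
}

# Usage on a real host, as root, after sourcing this file:
#   write_sample_ruleset /tmp/new.rules && apply_with_rollback /tmp/new.rules 10
```

The important property is step 4: a lost SSH session means the prompt is never answered, so the timeout, not the operator, triggers the restore. Step 2 returning 3 is the other useful case; a syntactically broken ruleset never replaces the working one.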

Transparent bridging firewalls

The commands in this article can be used on any Ubuntu/Debian machine.

A transparent bridging firewall is a firewall which can be inserted anywhere on a network, but usually between the network segment containing internet access and the rest of a LAN. Generally they are used to silently police and log traffic from the network to the internet and vice versa, the main advantage being that they can easily be inserted and removed without any network reconfiguration.

Further to this, the segment between and including the bridged firewall and the internet router can be considered a DMZ where internet-facing servers can be placed. Personally I think it is a good idea to place all servers in this no man’s land, as they are as likely to come under attack from Windows clients on their own LAN as from any hacker on the internet. The bridged firewall provides protection for both sides.

Continue reading “Transparent bridging firewalls”

Ubuntu as a wireless 80211g/n access point/router

Following relatively recent improvements in the Linux wireless stack and driver support it is now possible to set up a Linux machine as an access point, even if you don’t have an Atheros chipset (which was historically required). Support is patchy, but I would say there is a good chance you can do this if you have purchased a laptop with built-in wireless in the last 2 years. It is even possible to set one up with a USB wireless adapter (which even Madwifi couldn’t do) if you have a Ralink chipset.

Why would you want to do this? Well, there aren’t that many reasons considering ISPs routinely hand out wireless routers these days, but I will give you a couple:-

Continue reading “Ubuntu as a wireless 80211g/n access point/router”

Remove residual config files in Ubuntu – A one liner

I have spent literally hours over the last year or two searching for an elegant way to remove configuration files left over from package installs, in a command line environment, with Ubuntu.

Googling would produce a frustrating list of solutions that either involved installing extra packages or using a complicated command line or script; solutions I would never be happy with, so I would redo the search each time I wanted to perform the same task, in the hope of finding something better.

In the end Aptitude and Xargs were my friends. Without further ado ….

Continue reading “Remove residual config files in Ubuntu – A one liner”

Remotely upgrading a server from 32 to 64 bit linux

This post isn’t designed to be a “how to”, merely an overview of how I achieved the subject. It is possible to do this without any physical intervention, but in practice I have had to visit site at least once to fix a boot error on every one I have done.

Disclaimer:- When attempting this, having some sort of remote access solution that will give access to the server even when it won’t boot is desirable, i.e. BMC, DRAC or KVM over IP. Obviously resizing and deleting partitions and file systems is very dangerous, so you need to be ultra careful and ultra sure you understand the process and exactly what you are doing at each step. It may also be helpful to draw the partition layout at each stage so you have a clear view of what is happening. Don’t come crying to me when it all blows up in your face. You have been warned!

Continue reading “Remotely upgrading a server from 32 to 64 bit linux”

Setup DNS, DHCP and Content Filtering using DNSMASQ and HAVP in Ubuntu.

The idea here is to set up DNSMASQ and HAVP to provide DNS, DHCP and content filtering for a Windows 7/Vista/XP client environment on Ubuntu Server Edition. DNSMASQ is a lightweight package which provides DNS caching and DHCP to a network (amongst other things). HAVP is a proxy server which uses a third-party virus scanner (usually ClamAV) to scan internet content for viruses. This assumes that you already have Ubuntu Server Edition installed on a suitable machine and have a working internet connection. In the settings, “192.168.1.254” refers to this machine, which is acting as a router/firewall; you could equally set it to the IP of another router on the network. “192.168.1.253” refers to the IP of a Windows server. First off, install DNSMASQ:-

apt-get install dnsmasq

Edit “/etc/dnsmasq.conf”:-

nano -w /etc/dnsmasq.conf

We now need to set the relevant options:-

Continue reading “Setup DNS, DHCP and Content Filtering using DNSMASQ and HAVP in Ubuntu.”

A cost effective alternative to KVM over IP switches

Whether in a co-location centre or at a remote site, looking after a server when you aren’t there in person can be a challenge, particularly if you are conscientious and update your servers regularly: updating a Windows server almost always requires a reboot, and updating a Linux server will require a reboot if the kernel has been updated. What happens if the server doesn’t come up after said reboot? This happens more often than might be expected, so I find it desirable to have a way of accessing the server even if the operating system isn’t available. Traditionally this would be provided by a KVM over IP switch, which redirects keyboard, video and mouse input/output via a web server integrated into a box. KVM over IP switches are expensive (the cheapest one I could find at time of print was €250 and doesn’t work well with mice IMO). However, there is an alternative which is elegant and affordable …

Continue reading “A cost effective alternative to KVM over IP switches”

Recover a failing Windows hard disk using only free software and your Windows CD.

Scenario.

You have a Windows machine which will not boot up but you can still access the disk, even though it makes various clunking and thunking noises.

Solution.

Install a new hard disk and Partedmagic OS on a USB stick or CD and run either “ntfsclone” (the easiest and quickest option) or “dd_rescue”. If the NTFS structure is damaged and you cannot repair it fully using the Windows recovery console, the latter option is the one you want. Of course you may have Windows installed on a FAT32 partition, in which case use dd_rescue.

Continue reading “Recover a failing Windows hard disk using only free software and your Windows CD.”

Wake On LAN over wireless

What is it?

Wake On LAN is a mature technology for switching on computers over a network or remotely.

Why would I want it?

Perhaps you are a techy such as myself and you want to be able to switch customers’ computers on and work on them remotely (saves having to tell people to leave machines on if you are working after hours).

I also use it to switch on my Ubuntu machine upstairs when I am downstairs (saves me or my better half having to wait for boot or to get a file to or from the machine without physically going up there).

Is it easy to do?

Yes when you know how ;)

Before I go any further I will mention a caveat. Almost all of the WOL howtos out there mention using a “magic packet” to wake the machine. Unfortunately I found out, after much head banging and googling, that “magic packet” doesn’t work over wireless networks, apparently because wireless frames screw the magic packet up so that the wakee doesn’t recognise it any more.

So if you want to use WOL by sending the wake-up through a wireless network, your options are limited and depend on the network card you have. At least two of the cards I have support a variety of WOL options (“pumbg”), and the other one only supports “pg”.

  • p stands for PHY activity
  • u stands for Unicast activity
  • m stands for Multicast activity
  • b stands for Broadcast activity
  • g stands for Magic Packet activity

Firstly I tried PHY activity, which had the unfortunate effect of starting the machine every few seconds. Then I graduated to broadcast, which started the machine periodically (my thick wireless router is sending out broadcasts every hour or so). Eventually I settled on unicast; here is how to get it working.

Continue reading “Wake On LAN over wireless”

The importance of a minimal firewall.

I have long been an avid user of the well known interface to iptables, Shorewall. Of late though I have suspected it is slowing my network down. I once decided to see what actual iptables rules it was creating and ran “iptables -L”. There was a lot of output and I wasn’t sure all of it was necessary. It niggled away at the back of my brain for the last few months, and I decided yesterday it was time to do something about it.

I first looked at another “user-friendly” interface that would perhaps give me more control and proper IPv6 support, so I installed Firewall Builder. However it seemed quite complex, and after spending some time trying to get to grips with the interface I decided it would be easier to type the rules in manually; anyway, that would be the only way I was 100% sure everything in there was needed.

I familiarised myself with the Packet Filtering HOWTO and thought the easiest thing to do would be to use “iptables-save” to copy the existing Shorewall rules into an iptables-friendly format. The resultant file was 9k long and appeared to have a lot of user-defined chains for no good reason. It also didn’t make good use of the multiport option for TCP connections, and therefore there were dozens of rules where there only needed to be one.

Continue reading “The importance of a minimal firewall.”