Firewalld and iptables commands

i) firewall-cmd (iptables):

  • yum install firewalld firewall-config
  • systemctl status|start|stop|enable|disable firewalld
  • firewall-cmd --state
  • firewall-cmd --reload
  • all:
    • firewall-cmd --list-all | --list-ports
  • zones:
    • firewall-cmd --get-zones|--get-default-zone|--get-active-zones
    • firewall-cmd --set-default-zone=trusted  [--permanent]
  • services:
    • firewall-cmd --list-services
    • firewall-cmd --add-service=ftp      [--permanent]  [--zone=public]
    • firewall-cmd --remove-service=ftp   [--permanent]  [--zone=public]
  • ports:
    • firewall-cmd --list-ports
    • firewall-cmd --add-port=80/tcp      [--permanent]  [--zone=trusted]
    • firewall-cmd --remove-port=80/tcp   [--permanent]  [--zone=trusted]
  • IP address:
    • firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.4" accept'  [--zone=public]
    • firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.4" reject'  [--zone=public]
  • panic:  (Block all incoming and outgoing traffic)
    • firewall-cmd --panic-on | --panic-off
  • Config:
    • /etc/firewalld/firewalld.conf
  • Error seen on the client when the firewall rejects the connection:
    Unable to connect to remote host: No route to host
  • Enable IP forwarding if the host routes between multiple network interfaces:
    • echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    • sysctl -p

ii) iptables (netfilter):

  • yum install iptables-services
  • Save and restore rules:
    • iptables-save  >  /etc/sysconfig/iptables
    • iptables-restore  <  /etc/sysconfig/iptables
  • Reload policies:
    • firewall-cmd --reload
  • Flush rules:
    • iptables -F [INPUT|OUTPUT|FORWARD]
  • List all rules:
    • iptables --list (-L) [--line-numbers]  [INPUT|OUTPUT|FORWARD]
    • iptables --list-rules (-S)  [INPUT|OUTPUT|FORWARD]
  • Block all traffic by changing the default chain policy:
    • iptables -P INPUT|OUTPUT|FORWARD   DROP|ACCEPT
  • Append (-A) or Insert (-I):
    • Block inbound and outbound traffic for an interface:
      iptables -I INPUT   -i lo|eth0  -j DROP
      iptables -I OUTPUT  -o lo|eth0  -j REJECT
    • Block traffic on a specific port:
      iptables -I INPUT  -p tcp  --dport 22  -j DROP      (Range: --dport 1024:65535)
    • Block incoming and outgoing ICMP traffic (ping):
      iptables -I INPUT   -p icmp  [-i ens33]  -j DROP     (Block incoming ping)
      iptables -I OUTPUT  -p icmp  -j DROP                 (Block outgoing ping)
    • Block traffic from a specific IP address:
      iptables -I INPUT -s 192.168.254.137/24 -j REJECT    (All IPs: -s 0/0)
    • Forward traffic from the eth1 to the eth0 interface:
      iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT
    • Allow all returning traffic:
      iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Delete (-D):
    • iptables -D  INPUT|OUTPUT|FORWARD  1
    • iptables -D INPUT -p icmp -j REJECT
  • Replace (-R):
    • iptables -R INPUT 1 -p icmp -j ACCEPT
  • Options:
    • man pages:
      • man iptables; man iptables-extensions
    • -A (--append): append a rule at the bottom of the chain
    • -I (--insert): insert a rule at the top of the chain
    • -R (--replace): replace an existing rule in the chain
    • -D (--delete): delete a rule from the chain
    • -p (--protocol) protocol (tcp|udp|icmp): the protocol the rule matches
    • --sport (--source-port) port: the port the packet originated from
    • --dport (--destination-port) port: the port the packet is destined for
    • -s (--source) address[/mask]: the source IP or network/mask
    • -d (--destination) address[/mask]: the destination IP or network/mask
    • -m state --state state (NEW, ESTABLISHED, RELATED or INVALID): match packets by the connection-tracking state they belong to
    • -i (--in-interface) interface (lo|eth0): the interface the packet arrived on
    • -o (--out-interface) interface (lo|eth0): the interface the packet leaves on
    • -j (--jump) target (ACCEPT|REJECT|DROP): what to do when the packet matches the rule
    • Chains:
      • INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
    • Targets:
      • ACCEPT: allow the packet
      • REJECT: refuse the packet and send an error reply to the sender (connection refused)
      • DROP: silently discard the packet, sending nothing back
    • Tables:
      • filter (default): packets bound for, routed through, or generated by processes on the local machine
        • INPUT, OUTPUT, FORWARD
      • nat: network address translation
        • PREROUTING, OUTPUT, POSTROUTING
      • mangle: specialized manipulation of packet headers
  • Configs:
    • /etc/sysconfig/iptables-config
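The commands above insert rules one at a time with -I, so the effective order depends on the order you typed them. The following is an added example, not from the original cheat sheet: it generates a whole default-deny filter table in the iptables-save format that iptables-restore consumes, and checks it for the classic lock-out mistake (a DROP policy on INPUT without an ESTABLISHED,RELATED accept ahead of the blocking rules). ADMIN_NET, SSH_PORT and the LOG prefix are assumed values for illustration.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): generate a complete
# default-deny filter table in iptables-save format and sanity-check it before
# feeding it to iptables-restore. ADMIN_NET and SSH_PORT are assumed values.
ADMIN_NET="${ADMIN_NET:-192.168.254.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset. Rule order is the whole point: loopback and
# ESTABLISHED,RELATED are accepted before anything else, explicit allows
# follow, and the chain policy (DROP) handles everything that did not match.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Lock-out guard for a ruleset read on stdin: when the INPUT policy is DROP,
# an ACCEPT of ESTABLISHED,RELATED must exist and must come before the first
# explicit DROP/REJECT rule, or the SSH session applying the ruleset is cut
# off. Exit status 0 = safe, 1 = unsafe.
check_ruleset() {
    awk '
        /^:INPUT DROP/                                        { policy_drop = 1 }
        /^-A INPUT/ && /ESTABLISHED,RELATED/ && /-j ACCEPT/ && !est { est = NR }
        /^-A INPUT/ && /-j (DROP|REJECT)/ && !first_block         { first_block = NR }
        END {
            if (policy_drop && !est) exit 1
            if (first_block && est > first_block) exit 1
            exit 0
        }'
}

# Apply: parse-only test first (iptables-restore --test changes nothing),
# then persist to the file iptables-services loads and load it. Needs root;
# it is not exercised here.
apply_ruleset() {
    gen_ruleset | iptables-restore --test || return 1
    gen_ruleset > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
}

gen_ruleset | check_ruleset && echo "ruleset passes the lock-out check"
```

Because the whole table is replaced atomically by iptables-restore, the generated file is also what `iptables-save > /etc/sysconfig/iptables` would produce, so the two workflows stay interchangeable.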

iii) TCP Wrappers (tcp_wrappers):

  1. /etc/hosts.allow   (<daemon> : <client>)
    • sshd,vsftpd : ALL
    • ALL : LOCAL
    • ALL : .example.com  EXCEPT untrusted.example.com
    • ALL : 192.168.254.  EXCEPT 192.168.254.137
  2. /etc/hosts.deny
    • ALL : ALL
  3. man hosts_access
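The allow/deny files above are evaluated in a fixed order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted), and the EXCEPT operator and the trailing-dot and leading-dot patterns are easy to get wrong. The following is an added example, not from the original cheat sheet: a small shell emulator of that hosts_access(5) decision, run against the exact policy listed above (written to temporary files as a constructed sample). It supports only the pattern forms the list uses (ALL, LOCAL, ".domain" suffix, "net." prefix, exact match, one EXCEPT per list); real tcpd additionally performs reverse-DNS and address-spoofing checks. The daemon name in.telnetd is an assumed example of a wrapped service not named in the policy.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the hosts_access(5)
# decision for one daemon/client pair so a policy can be reviewed before a
# wrapped service is exposed. HOSTS_ALLOW/HOSTS_DENY default to the system
# files; make_sample_policy points them at temporary copies of the policy above.

# match_pattern PATTERN VALUE: 0 when VALUE matches one hosts_access pattern
match_pattern() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # name without a dot
        .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;; # domain suffix
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;; # network prefix
        *)     [ "$1" = "$2" ] ;;
    esac
}

# match_list "a, b EXCEPT c" VALUE: 0 when a or b matches and c does not
match_list() {
    local list value item old_ifs
    list=$1; value=$2
    case "$list" in
        *" EXCEPT "*)
            if match_list "${list%% EXCEPT *}" "$value" && ! match_list "${list#* EXCEPT }" "$value"; then
                return 0
            fi
            return 1 ;;
    esac
    old_ifs=$IFS; IFS=','
    set -f                                   # no globbing while splitting on commas
    for item in $list; do
        IFS=$old_ifs
        item=$(printf '%s' "$item" | tr -d ' \t')
        if match_pattern "$item" "$value"; then set +f; return 0; fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# file_matches FILE DAEMON CLIENT: 0 when some "daemon_list : client_list"
# line of FILE matches both (comments and blank lines are skipped)
file_matches() {
    local line dlist clist
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        dlist=${line%%:*}; clist=${line#*:}
        if match_list "$dlist" "$2" && match_list "$clist" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# hosts_access DAEMON CLIENT: prints and returns the verdict in tcpd order:
# first match in hosts.allow grants, then first match in hosts.deny refuses,
# otherwise access is granted.
hosts_access() {
    if file_matches "${HOSTS_ALLOW:-/etc/hosts.allow}" "$1" "$2"; then echo allow; return 0; fi
    if file_matches "${HOSTS_DENY:-/etc/hosts.deny}" "$1" "$2"; then echo deny; return 1; fi
    echo allow; return 0
}

# Write the policy from the cheat sheet above to temporary files (constructed
# sample) and point the emulator at them.
make_sample_policy() {
    local dir
    dir=$(mktemp -d)
    HOSTS_ALLOW=$dir/hosts.allow
    HOSTS_DENY=$dir/hosts.deny
    cat > "$HOSTS_ALLOW" <<'EOF'
sshd,vsftpd : ALL
ALL : LOCAL
ALL : .example.com EXCEPT untrusted.example.com
ALL : 192.168.254. EXCEPT 192.168.254.137
EOF
    echo 'ALL : ALL' > "$HOSTS_DENY"
}

make_sample_policy
for who in "sshd 10.0.0.5" "in.telnetd localhost" "in.telnetd untrusted.example.com" "in.telnetd 192.168.254.137"; do
    set -- $who
    printf '%-12s %-24s %s\n' "$1" "$2" "$(hosts_access "$1" "$2")"
done
```

Note what the first line of the sample hosts.allow does: `sshd,vsftpd : ALL` grants those two daemons to every client, so the EXCEPT clauses further down never apply to them; the emulator makes that visible (sshd from 10.0.0.5 is allowed even though hosts.deny says ALL : ALL).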

 

Posted in LFCE, LFCS, Linux

Setup NFS and Samba servers in Linux

i) NFS server setup:

  1. yum install nfs-utils
  2. Create a shared directory and assign appropriate permissions:
    • mkdir /share
    • chown nfsnobody:nfsnobody /share    (Optional: as set in LFS211)
    • chmod a+rwx /share                  (All users must have access to the directory)
  3. Enter the following into /etc/exports (the directory created above):
    • /share   192.168.254.132/24(rw)   192.168.254.0/24(ro)
  4. Restart and enable the nfs and rpcbind services:
    • exportfs -rv
    • systemctl enable nfs rpcbind
    • systemctl restart nfs rpcbind
  5. Allow the nfs, rpc-bind and mountd services in the firewall:
    • firewall-cmd --add-service=nfs --add-service=rpc-bind --add-service=mountd --permanent
    • firewall-cmd --reload
  6. Mount it on the client:
    • Temporary mount via the mount command:
      • showmount -e server
      • mount server:/share /mnt
    • Persistent mount via /etc/fstab:
      • server:/share    /mnt    nfs   _netdev   0  0
      • systemctl daemon-reload
      • mount -a
    • Automatic mount using systemd.automount (man systemd.mount):
      • server:/share  /mnt  nfs  x-systemd.automount,noauto,_netdev   0  0
      • systemctl daemon-reload
    • Verify the mount with:
      • df -hT
  7. (Optional) Verify the exports and get the NFS server port:
    • exportfs -av              (Export everything defined in /etc/exports)
    • exportfs -rv              (Re-export)
    • exportfs -s               (Show the export list)
    • rpcinfo -p | grep nfs     (Get the NFS server port)

ii) Samba: setup writable directory for guest (public) users:

  1. yum install samba samba-client cifs-utils
  2. Create a directory and set permissions:
    mkdir /public
    chcon -t samba_share_t /public
    chown nobody:nobody /public
  3. Add the following into /etc/samba/smb.conf
    [public]
    path = /public
    writeable = yes
    public = yes           (Synonym: guest ok = yes)
  4. systemctl restart smb; systemctl enable smb
  5. firewall-cmd --add-service samba --permanent; firewall-cmd --reload
  6. mount -o guest //server/public /mnt
  7. echo "//server/public  /mnt  cifs  guest  0 0" >> /etc/fstab
  8. smbclient:
    • smbclient -L server             (List all Samba shares)
    • smbclient //server/public       (Connect via the Samba client)
  9. testparm                         (Checks smb.conf for syntax errors)

iii) Samba: setup private share for a single user:

  1. Create a directory and set permissions:
    mkdir /private
    chcon -t samba_share_t /private
    chown student:student /private
  2. Add the following into /etc/samba/smb.conf:
    [private]
        path = /private
        writeable = yes
        write list = student       (or: valid users = student)
  3. Add a user:
    1. useradd -s /sbin/nologin student
    2. smbpasswd -a student
    3. pdbedit -Lv                 (List all Samba users)
  4. systemctl restart smb
  5. mount -o username=student,password=student //server/private /mnt
  6. df -hT
  7. smbclient:
    • smbclient -L server          (List all Samba shares)
    • smbclient -U student //server/private
  8. Persistent mount via /etc/fstab:
    1. echo "username=student" > /etc/samba/cred
    2. echo "password=student" >> /etc/samba/cred
    3. chmod 600 /etc/samba/cred
    4. //server/private  /mnt  cifs   credentials=/etc/samba/cred,_netdev   0   0
    5. systemctl daemon-reload
    6. mount -a
    7. df -hT
  9. Persistent auto-mount via systemd.automount (man systemd.mount):
    • //server/private  /mnt  cifs  credentials=/etc/samba/cred,x-systemd.automount,noauto,_netdev   0  0
    • systemctl daemon-reload
    • mount -a
    • df -hT
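Step 5 above puts the password on the mount command line and step 8 moves it into a credentials file that only root can read. The following is an added example, not from the original post: a shell audit that walks the cifs entries of an fstab and flags the two things the credentials file is meant to prevent, an inline password= option (fstab is world-readable) and a credentials file that is not mode 0600. The sample fstab and credential files are constructed in a temporary directory; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: audit the cifs lines of an fstab
# for inline passwords and loosely-permissioned credentials= files.
# The sample data below is constructed; FILE defaults to /etc/fstab.

# check_cifs_entry OPTIONS: prints a finding for one cifs option string;
# returns 0 when the entry is acceptable.
check_cifs_entry() {
    local opts cred mode
    opts=$1
    case ",$opts," in
        *,password=*) echo "inline password in fstab options"; return 1 ;;
    esac
    case ",$opts," in
        *,credentials=*)
            cred=${opts#*credentials=}; cred=${cred%%,*}
            [ -f "$cred" ] || { echo "credentials file $cred missing"; return 1; }
            mode=$(stat -c '%a' "$cred")          # GNU stat: octal permission bits
            [ "$mode" = 600 ] || { echo "credentials file $cred is mode $mode, want 600"; return 1; }
            ;;
    esac
    return 0
}

# audit_fstab [FILE]: runs check_cifs_entry over every cifs line and prints
# one line per finding; returns 0 only when every cifs entry passes.
audit_fstab() {
    local file rc src mnt fstype opts rest finding
    file=${1:-/etc/fstab}; rc=0
    while read -r src mnt fstype opts rest; do
        case "$src" in ''|'#'*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        if ! finding=$(check_cifs_entry "$opts"); then
            echo "$src on $mnt: $finding"; rc=1
        fi
    done < "$file"
    return $rc
}

# make_sample_fstab: constructed fstab with one good and two bad cifs entries;
# prints the path of the generated file.
make_sample_fstab() {
    local dir
    dir=$(mktemp -d)
    printf 'username=student\npassword=student\n' > "$dir/cred.ok";  chmod 600 "$dir/cred.ok"
    printf 'username=student\npassword=student\n' > "$dir/cred.bad"; chmod 644 "$dir/cred.bad"
    cat > "$dir/fstab" <<EOF
server:/share     /mnt/nfs  nfs   _netdev                                0 0
//server/private  /mnt/p1   cifs  credentials=$dir/cred.ok,_netdev       0 0
//server/private  /mnt/p2   cifs  credentials=$dir/cred.bad,_netdev      0 0
//server/private  /mnt/p3   cifs  username=student,password=student      0 0
EOF
    echo "$dir/fstab"
}

sample=$(make_sample_fstab)
audit_fstab "$sample" || echo "fstab has findings (see above)"
```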
Posted in LFCE, LFCS

Setup Squid proxy server in Linux

Squid:

  • Allow access for a local network:
    1. yum install squid
    2. Add the following in /etc/squid/squid.conf after the line:
      # INSERT YOUR OWN RULE(S) HERE
      acl mynetwork src 192.168.254.0/24
      http_access allow mynetwork
      #http_access allow localnet       (Comment it out: the default localnet ACL already covers 192.168.0.0/16)
    3. squid -k parse
    4. systemctl restart squid
    5. firewall-cmd --add-service squid --permanent
      1. firewall-cmd --reload
      2. firewall-cmd --list-all
    6. curl -x http://squidhost:3128 http://google.com
  • Restrict access by website (http_access lines are evaluated in order, so put the deny before the allow for mynetwork):
    • acl googlemaps url_regex "^http://.*.google.com/maps/.*$"
    • http_access deny googlemaps
  • Restrict access by client:
    • acl mynetwork src 192.168.254.0/24
    • acl host src 192.168.254.104
    • http_access allow mynetwork !host
  • Restrict access by domains:
    • acl mynetwork src 192.168.254.0/24
    • acl forbidden dstdomain "/etc/squid/forbidden"
    • http_access allow mynetwork !forbidden
  • Restrict access by user authentication:
    • htpasswd -c /etc/squid/passwd student
    • Add the following into /etc/squid/squid.conf:
      auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
      auth_param basic credentialsttl 30 minutes
      auth_param basic casesensitive on
      auth_param basic realm Squid proxy-caching web server for Tecmint's LFCE series
      acl ncsa proxy_auth REQUIRED
      http_access allow ncsa
  • Set up the cache:
    • Make a cache directory, set the SELinux context and grant access to the squid user:
      • mkdir -m 775 /var/cache/squid
      • chcon -t cache_squid_t /var/cache/squid
      • chgrp squid /var/cache/squid
    • Add the following into /etc/squid/squid.conf:
      maximum_object_size 100 MB
      cache_dir ufs /var/cache/squid 1000 16 256
      refresh_pattern -i .*\.(mp4|iso) 2880 10080
    • squid -k parse
    • systemctl restart squid
Posted in LFCE, LFCS, Linux

Setup NTP and Chrony

ntp:

  1. yum install ntp
  2. Un-comment or add the following lines in /etc/ntp.conf
    server 0.centos.pool.ntp.org iburst
    server 1.centos.pool.ntp.org iburst
    server 2.centos.pool.ntp.org iburst
    server 3.centos.pool.ntp.org iburst
    restrict 192.168.254.0 netmask 255.255.255.0 nomodify notrap
  3. systemctl start ntpd; systemctl enable ntpd
  4. firewall-cmd --add-service=ntp --permanent; firewall-cmd --reload  (ntp -> 123/udp)
  5. ntpq -p; date -R

chrony:

  1. yum install chrony
  2. Un-comment or add the following in /etc/chrony.conf
    server 0.centos.pool.ntp.org iburst
    server 1.centos.pool.ntp.org iburst
    server 2.centos.pool.ntp.org iburst
    server 3.centos.pool.ntp.org iburst
    allow 192.168.254.0/24
  3. systemctl start chronyd
  4. chronyc tracking|sources -v|sourcestats
Posted in LFCE, LFCS

Setup route between two hosts

i) centos host:  (IP: 10.20.45.1; Netmask: 255.255.255.0; Gateway: 10.20.45.1)

  1. Add the following into /etc/sysconfig/network-scripts/ifcfg-ens33
    NAME=ens33
    DEVICE=ens33
    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=10.20.45.1
    NETMASK=255.255.255.0   (No GATEWAY here because it is defined in route-ens33)
  2. Add the following into /etc/sysconfig/network-scripts/route-ens33
    172.16.45.0/24 via 10.20.45.1 dev ens33
  3. Add the following into /etc/resolv.conf
    nameserver 10.20.45.1
  4. systemctl restart network

ii) ubuntu host:  (IP: 172.16.45.1; Netmask: 255.255.255.0; Gateway: 172.16.45.1)

  1. Add the following into /etc/network/interfaces
    auto ens33
    iface ens33 inet static
    address 172.16.45.1
    netmask 255.255.255.0   (No gateway here because it is defined in the "up route" line)
    up route add -net 10.20.45.0 netmask 255.255.255.0 gw 172.16.45.1
  2. Reboot VM

iii) Test by pinging each other:

  • ubuntu: ping 10.20.45.1
  • centos: ping 172.16.45.1
Posted in Linux, Other

Setup FTP server in Linux

Install vsftpd server:

  • yum install vsftpd ftp                 (vsftpd -> server; ftp -> client)
  • systemctl start|enable vsftpd

Allow FTP upload for anonymous users:

  1. Update the following parameters in /etc/vsftpd/vsftpd.conf:
    • anon_upload_enable=YES
    • no_anon_password=YES
    • anonymous_enable=YES                (Enabled by default)
    • anon_root=/srv/ftp/                 (Default directory: /var/ftp)
    • write_enable=YES                    (Enabled by default)
    • ftpd_banner=Greeting message
  2. Create the uploads directory and grant appropriate permissions:
    • mkdir -m 755 /var/ftp/uploads       (-m 730 to forbid reading/downloading the uploaded files)
    • chgrp ftp /var/ftp/uploads
  3. Update the SELinux context:
    • chcon -t public_content_rw_t /var/ftp/uploads
    • setsebool -P allow_ftpd_anon_write on
    • systemctl restart vsftpd
  4. Test by uploading a sample file:
    • ftp hostname
    • Name: anonymous
    • put ~/file uploads/file
  5. P.S. Verify that the ftp user already exists; if not, create one:
    • getent passwd | grep ftp
    • useradd -d /var/ftp -s /sbin/nologin -c "ftp user" ftp
Posted in LFCE, Linux

Setup Postfix and Dovecot in CentOS7

i) Install Postfix:

  1. yum install postfix
  2. postconf inet_interfaces=all                    (Listen on all configured interfaces/IPs)
  3. postconf mynetworks_style=subnet                (Trust the local subnet)
  4. systemctl restart postfix; systemctl enable postfix
  5. Allow the smtp (25) service in the firewall:
    1. firewall-cmd --permanent --add-service smtp
    2. firewall-cmd --reload
    3. firewall-cmd --list-all
  6. Configs:
    1. /etc/postfix/main.cf
    2. /etc/postfix/master.cf
    3. /var/log/maillog                               (log file)
    4. /var/mail/*; /home/user/mail                   (user inbox file)
    5. postqueue -p|-f                                (-p: list the queue; -f: flush it)
    6. man 5 postconf                                 (Explains the main.cf parameters)

ii) Install Dovecot:

  1. yum install dovecot
  2. Un-comment the following in /etc/dovecot/dovecot.conf
    protocols = imap pop3 lmtp
    listen = *
  3. Add the following into /etc/dovecot/conf.d/10-mail.conf
    mail_location = mbox:~/mail:INBOX=/var/mail/%u
    mail_privileged_group = mail
  4. chmod 0600 /var/mail/*     (Ref: http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
  5. systemctl restart dovecot; systemctl enable dovecot
  6. Allow the imap (143) and pop3 (110) services in the firewall:
    • firewall-cmd --add-service imap --add-service pop3 --permanent
    • firewall-cmd --reload; firewall-cmd --list-all
  7. Test the dovecot server using mutt:
    #? usermod -G user mail   (Try this if /var/log/maillog shows "Operation not permitted")
    mutt -f imap://user@hostname/
  8. Configs:
    • /etc/dovecot/dovecot.conf
    • /etc/dovecot/conf.d/*.conf
    • /var/log/maillog

iii) Enable SASL authentication in Postfix and Dovecot:

  • Dovecot:
    1. Un-comment the following lines in /etc/dovecot/conf.d/10-master.conf:
      unix_listener /var/spool/postfix/private/auth {
          mode = 0666
      }
    2. systemctl restart dovecot
  • Postfix:
    1. postconf smtpd_sasl_type=dovecot
    2. postconf smtpd_sasl_auth_enable=yes
    3. postconf smtpd_sasl_path=private/auth
    4. postconf "smtpd_recipient_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
    5. systemctl restart postfix

iv) Enable StartTLS for Postfix:

  1. Create a new PEM certificate:
    • cd /etc/pki/tls/certs/
    • make /etc/postfix/postfix.pem
  2. Change the Postfix configuration to enable TLS (opportunistic, "may") and to refuse AUTH on unencrypted sessions:
    • postconf smtpd_tls_auth_only=yes
    • postconf smtpd_tls_security_level=may
    • postconf smtpd_tls_cert_file=/etc/postfix/postfix.pem
    • postconf smtpd_tls_key_file=/etc/postfix/postfix.pem
    • systemctl restart postfix
  3. Test SMTP STARTTLS:
    • echo -en "\0student\0password" | base64
    • gnutls-cli --crlf --starttls --insecure --port 25 192.168.254.133
    • ehlo centos
    • starttls
    • ctrl+d          (tells gnutls-cli to begin the TLS handshake)
    • auth plain AHN0dWRlbnQAcGFzc3dvcmQ=  (Output of the echo | base64 command)
    • mail from:student
    • rcpt to:root@192.168.254.133
    • data
    • Subject: I sent this using SASL SMTP auth protected by TLS
    • Cool no?
    • And secure!
    • .
    • quit

v) Send test mail:

  1. mutt:
    1. echo "Test message" | mutt -s "Test mail" user@hostname
  2. mail:
    • Script to send three test mails:
      for i in one two three; do
        echo $i | mail -s "test $i" student@hostname;
      done
  3. telnet:
    1. echo -en "\0student\0password" | base64
    2. $ telnet hostname 25
    3. auth plain AHN0dWRlbnQAc3R1ZGVudA==   (Output of the echo command; note this value encodes \0student\0student)
    4. helo localhost
    5. mail from:student@hostname
    6. rcpt to:user@hostname2
    7. data
    8. Subject: testing telnet email
    9. This is root
    10.  .
    11. quit
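Both the STARTTLS test in iv) and the telnet test above send the credentials as an AUTH PLAIN token built with `echo -en "\0user\0password" | base64`. The following is an added example, not from the original post: it builds that token with portable printf, decodes a captured one to show that base64 is an encoding and not protection (which is why iv) sets smtpd_tls_auth_only=yes), and checks a `postconf -n` style dump for the two settings that keep AUTH off unencrypted sessions. The credentials are the cheat sheet's sample values; the decoder assumes GNU base64/tr.

```shell
#!/bin/sh
# Added example, not from the original post: SASL PLAIN tokens as used by the
# "auth plain" step, plus a check that Postfix only offers AUTH over TLS.

# sasl_plain_token USER PASSWORD -> base64 of "\0USER\0PASSWORD"
# (RFC 4616 PLAIN with an empty authorization identity)
sasl_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# sasl_plain_decode TOKEN -> "user password" recovered from a captured token;
# the NUL separators become spaces so the result is printable.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' ' ' | sed 's/^ //'
}

# auth_requires_tls: reads "name = value" lines (e.g. from postconf -n) on
# stdin and returns 0 only when AUTH is restricted to TLS sessions and TLS is
# actually enabled (security level "may" or "encrypt").
auth_requires_tls() {
    awk -F'[ =]+' '
        $1 == "smtpd_tls_auth_only" && $2 == "yes"                        { only = 1 }
        $1 == "smtpd_tls_security_level" && ($2 == "may" || $2 == "encrypt") { tls = 1 }
        END { exit (only && tls) ? 0 : 1 }'
}

sasl_plain_token student password; echo        # AHN0dWRlbnQAcGFzc3dvcmQ=
sasl_plain_decode AHN0dWRlbnQAc3R1ZGVudA==       # student student
printf 'smtpd_tls_auth_only = yes\nsmtpd_tls_security_level = may\n' | auth_requires_tls \
    && echo "AUTH is only offered after STARTTLS"
```

The decoded output of the second command explains the discrepancy in the telnet steps above: the token shown there carries the password "student", not "password". On a production MTA, `postconf -n | auth_requires_tls` is a quick way to confirm the setting survived an edit of main.cf.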

vi) Add email aliases:

  • Add the following into /etc/postfix/aliases
    user: user1, user2
    admin: admin1, admin2
  • postalias /etc/postfix/aliases
  • P.S. Aliases work like groups: mail sent to "user" is actually delivered to user1 and user2.

vii) Restricting access to the SMTP server:

  • postconf "smtpd_helo_required = yes"
  • postconf "smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname"
  • postconf "smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain"
  • postconf "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination"
  • systemctl restart postfix

viii) postconf:

  • postconf -df                             (List all parameters with their default values, folded; postconf -n lists only what main.cf overrides)
  • postconf mynetworks_style=all            (Edit a parameter value in main.cf)
  • postconf -X mynetworks_style             (Delete a parameter from main.cf)
Posted in LFCE, LFCS, Linux