Wed 30 Aug, 2006
Fri 25 Aug, 2006
I am not going to explain iptables basics here because others have already done that; see http://www.netfilter.org. What follows is a set of iptables tips that should be useful for system administrators who do not have much experience with the iptables firewall.
Note: iptables rules live only in kernel memory and are lost on reboot, so after adding rules you must save them. On Red Hat style systems run
# service iptables save
which writes the ruleset to /etc/sysconfig/iptables and reloads it at boot. Elsewhere, redirect the output of iptables-save to a file (iptables-save on its own only prints the ruleset to standard output) and load it at boot with iptables-restore:
# iptables-save > /etc/iptables.rules
# iptables-restore < /etc/iptables.rules
You must know some basics of networking and Linux, so use the commands below at your own risk; I am not responsible for any damage caused by using them.
1. To block ping requests
# iptables -A OUTPUT -p icmp -j REJECT
# iptables -A INPUT -p icmp -j REJECT
Note: These rules reject all of ICMP, which also discards error messages such as "fragmentation needed" that path MTU discovery depends on. To block only ping, match the echo request type instead:
# iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
To remove a rule and allow ping again, repeat it with -D in place of -A, e.g.
# iptables -D OUTPUT -p icmp -j REJECT
2. Enabling IP forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward
Note: This takes effect immediately but does not survive a reboot. To make it permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and apply it with # sysctl -p.
3. To drop traffic by IP and port
Filtering belongs in the filter table (the INPUT chain for traffic addressed to this host, FORWARD for traffic routed through it), not in the nat table: the nat table is consulted only for the first packet of each connection and exists for address rewriting, so a DROP placed there is unreliable and easy to overlook when auditing the rules. Rules a) to c) drop traffic the gateway would forward out through eth1 (the card connected to the internet), i.e. connections from the local network to the outside.
a) To drop port 23 for all IPs
# iptables -A FORWARD -o eth1 -p tcp --dport 23 -j DROP
b) To drop ports 22 and 23 for all IPs
# iptables -A FORWARD -o eth1 -p tcp --dport 22:23 -j DROP
c) To drop ports 22 and 23 for one source IP
# iptables -A FORWARD -s 192.168.0.88 -o eth1 -p tcp --dport 22:23 -j DROP
d) To drop all packets from an IP
# iptables -A INPUT -s 209.61.158.248 -j DROP
e) To drop only SSH packets from an IP
# iptables -A INPUT -s 209.61.158.248 -p tcp --dport 22 -j DROP
Note: Rules are evaluated in order and -A appends at the end of the chain, so a DROP appended after an earlier ACCEPT for the same traffic never matches. Use -I to insert at the top of the chain when the order matters.
4. How to log firewall activity
a) To log ping (ICMP) activity
# iptables -A OUTPUT -p icmp -j LOG --log-prefix "PING:> "
# iptables -A INPUT -p icmp -j LOG --log-prefix "PING:> "
Note: LOG is a non-terminating target: it writes a kernel log message and the packet then continues down the chain, so a LOG rule must come before the ACCEPT or DROP rule that decides the packet's fate. To see the log, open /var/log/messages and look for the lines carrying the prefix PING:> ; grep for the prefix to see only the firewall entries. On a chain that sees a lot of traffic add -m limit --limit 5/min to the LOG rule, otherwise anyone who can send you packets can fill the disk with log lines.
b) To log FTP port activity
# iptables -A OUTPUT -p tcp --dport 21 -j LOG --log-prefix "FTP:> "
# iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FTP:> "
c) To log the forwarded activity of one source IP
# iptables -A FORWARD -s 192.168.0.88 -o eth1 -j LOG --log-prefix "<prefix> "
(Pick a short tag in the same style as PING:> and FTP:> so the entries can be grepped apart; the prefix in the original command was cut off.)
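Once the LOG rules are in place the interesting question is who is hitting you and how often. The following is an added example and not part of the original post: a small POSIX shell helper that reads netfilter LOG lines from syslog and prints a per-source count for one prefix. It assumes the field layout the LOG target writes (the prefix followed by IN=, OUT=, SRC=, DST=, PROTO= and, for TCP and UDP, SPT=/DPT=); the sample lines, the hostname gw and the address 198.51.100.7 are constructed for the demonstration, the other addresses are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): summarise netfilter LOG
# entries in /var/log/messages by prefix, source and destination.

# Constructed sample log in the format the LOG target writes to syslog.
# Hostname gw and 198.51.100.7 are made up; other addresses are from the post.
# The last line is an unrelated sshd entry and must be ignored.
SAMPLE_LOG='Aug 25 10:00:01 gw kernel: PING:> IN=eth1 OUT= SRC=209.61.158.248 DST=203.145.184.246 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Aug 25 10:00:02 gw kernel: PING:> IN=eth1 OUT= SRC=209.61.158.248 DST=203.145.184.246 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Aug 25 10:00:05 gw kernel: FTP:> IN=eth1 OUT= SRC=198.51.100.7 DST=203.145.184.246 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 10:00:06 gw kernel: PING:> IN=eth0 OUT= SRC=192.168.0.88 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=99 SEQ=1
Aug 25 10:00:07 gw sshd[1234]: Accepted password for root from 192.168.0.88 port 40001 ssh2'

# fw_summary PREFIX   (log lines on stdin)
# Prints "count SRC DST PROTO[/DPT]" for every distinct flow logged with
# PREFIX, most frequent first. Lines without "kernel:" or without the
# prefix are skipped, so other syslog traffic is never counted.
fw_summary() {
  prefix=$1
  awk -v p="$prefix" '
    index($0, "kernel:") == 0 || index($0, p) == 0 { next }
    {
      src = ""; dst = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DST=/)   dst   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)   # TCP/UDP only
      }
      if (src == "") next                          # not a packet log line
      if (dpt != "") proto = proto "/" dpt
      count[src " " dst " " proto]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Real use:  fw_summary "PING:> " < /var/log/messages
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | fw_summary "PING:> "
printf '%s\n' "$SAMPLE_LOG" | fw_summary "FTP:> "
```

Because the count is keyed on the full flow rather than on the source alone, a single host probing several services shows up as several lines, which is usually what you want to see first when reading a dropped-packet log.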
5. To redirect port requests
a) Using Squid as a transparent proxy
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Note: Here eth0 is assumed to be the interface facing the local network; restricting the rule to it keeps web traffic arriving from the internet side out of the proxy. Squid must also be configured to accept intercepted connections on port 3128 (the transparent option on the http_port line in Squid 2.6 and later), otherwise it rejects the redirected requests.
b) To redirect port 80 requests to port 80 on another computer
# iptables -t nat -A PREROUTING -p tcp -d 203.145.184.246 --dport 80 -j DNAT --to-destination 192.168.0.88:80
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 80 -j ACCEPT
Note: The FORWARD rule matters when the FORWARD chain's policy is DROP. The replies from 192.168.0.88 only get back out if the FORWARD chain also accepts packets of established connections:
# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
c) To redirect a group of ports
# iptables -t nat -A PREROUTING -p tcp -d 203.145.184.246 --dport 20:23 -j DNAT --to-destination 192.168.0.88:20-23
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 20:23 -j ACCEPT
# iptables -t nat -A PREROUTING -p udp -d 203.145.184.246 --dport 20:23 -j DNAT --to-destination 192.168.0.88:20-23
# iptables -A FORWARD -p udp -d 192.168.0.88 --dport 20:23 -j ACCEPT
Note: FTP (ports 20 and 21) through NAT needs the FTP connection tracking and NAT helpers (nf_conntrack_ftp and nf_nat_ftp; ip_conntrack_ftp and ip_nat_ftp on 2.4 and early 2.6 kernels), which rewrite the addresses carried inside the FTP control channel; without them data connections fail.
d) To redirect all incoming SMTP requests arriving on interface eth0 to another computer inside the local network
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.0.88:25
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 25 -j ACCEPT
6. To MASQUERADE (share the internet connection, with this machine's address as the gateway)
a) When two NICs are used, one connected to the internet and the other to the local network
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Note: Here eth1 is the card connected to the internet. Add -s 192.168.0.0/24 (your local network) to the rule so that only your own hosts are translated.
b) When dial-up is used
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Note: IP forwarding must be enabled for masquerading to work; see tip 2. MASQUERADE is meant for interfaces whose address changes (dial-up, DHCP): it looks up the outgoing interface's current address for each connection and drops its translations when the interface goes down. With a fixed public address, SNAT --to-source <address> does the same job with less overhead.
7. Do masquerading only for one IP address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -j MASQUERADE
8. Do masquerading for all IPs except one address
# iptables -t nat -A POSTROUTING ! -s 192.168.0.88 -o eth1 -j MASQUERADE
Note: The negation goes before the option (! -s); the older form -s ! address is deprecated and rejected by current iptables releases.
9. Do masquerading only for one destination and one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -d 209.61.158.248 -o eth1 -j MASQUERADE
Note: 192.168.0.88 is a local address and 209.61.158.248 a public address on the internet.
10. Do masquerading for all destinations except one, for only one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 ! -d 209.61.158.248 -o eth1 -j MASQUERADE
11. Do masquerading only for one destination port and one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp --dport 10000 -j MASQUERADE
12. Do masquerading only for TCP and one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -j MASQUERADE
13. Do masquerading only for specified TCP ports and one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m multiport --dports 21,22,23,25,80,110,143,443 -j MASQUERADE
Note: The port numbers can be replaced by the service names from /etc/services, so the command above can also be written as
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m multiport --dports ftp,ssh,telnet,smtp,http,imap,pop3,https -j MASQUERADE
14. To clear all iptables rules
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X
# iptables -Z
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
Note: -F (flush rules), -X (delete user-defined chains) and -Z (zero counters) act on the filter table only, so the nat and mangle tables are cleared separately. Reset the chain policies to ACCEPT first: if the INPUT policy is DROP, flushing the rules over an SSH session locks you out of the machine.
15. To view the list of rules applied
# iptables -L
# iptables -nL
# iptables -t nat -nL
Note: -n skips reverse DNS and port-name lookups, which are slow and can stall the listing when DNS is unreachable; -v adds interfaces and packet counters, and --line-numbers shows each rule's position for use with -D and -I.
16. To see the iptables version
# iptables -V
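Appending the tips above one command at a time onto chains whose policy is ACCEPT leaves the gateway open to everything that is not explicitly dropped, and rebuilding that way means a flush-and-reload window (tip 14) during which nothing is filtered. The script below is an added example, not code from the original post: it combines tips 1 to 6 into one ruleset with DROP policies on INPUT and FORWARD and loads it atomically with iptables-restore. It assumes, as the post does where it says so, that eth1 faces the internet, that 192.168.0.0/24 behind eth0 is the local network, and that 192.168.0.88 is an internal web server published on the public address 203.145.184.246; all of these can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): the post's tips as one
# gateway ruleset, printed in iptables-save format and loaded atomically.
# Assumed topology (override via environment): eth1 = internet, eth0 = LAN
# 192.168.0.0/24, 192.168.0.88 = internal web server reachable on the
# public address 203.145.184.246.
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.0.88}
PUBLIC_IP=${PUBLIC_IP:-203.145.184.246}

# Print the complete ruleset (one *table ... COMMIT block per table).
# INPUT and FORWARD default to DROP, so only what is listed gets through;
# whatever reaches the end of those chains is logged (rate-limited) and dropped.
build_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# tip 5b: publish the internal web server on the public address
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# tip 6a: masquerade only our own network, not anything else that turns up on $LAN_IF
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# administration over SSH from the LAN only
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# tip 1, narrowed to echo requests and rate-limited instead of rejected outright
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# tip 4: LOG is non-terminating, so it goes last and the DROP policy follows
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP:> "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# tip 3a: no telnet out of the LAN (tcp-reset fails the client fast)
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 23 -j REJECT --reject-with tcp-reset
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# tip 5b, filter half: only the DNATed web traffic may enter the LAN from outside
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:> "
COMMIT
EOF
}

# iptables-restore swaps each table in one step, so the box never runs with
# half a ruleset and there is no flush window as with tip 14. Forwarding
# (tip 2) is switched on only after the filter rules are in place.
apply_ruleset() {
  build_ruleset | iptables-restore || return 1
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

case ${1:-} in
  apply) apply_ruleset ;;
  *)     build_ruleset ;;   # default: print the ruleset for review
esac
```

Run it without arguments to review the generated rules, and as root with the argument apply to load them. Keep a console or an out-of-band session open the first time: with INPUT defaulting to DROP, a typo in LAN_IF or LAN_NET means the SSH rule never matches.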
Fri 25 Aug, 2006
alias Shows the current aliases (or defines a new one)
awk Pattern scanning and text-processing language; prints or reworks the fields of lines that match a pattern
banner Displays the specified string in large letters
bc Basic Calculator
bdiff Compares two large files
bfs Scans a large file
cal Shows calendar
cat Concatenates and prints a file
cc C compiler
cd Change to specified directory
chgrp Changes a file's group ownership
chmod Changes the permission for the files specified
chown Changes the individual ownership of a file
cmp Compares two files
comm Compares two files so as to determine which lines are common to both
compress Compress the files specified
cp Copies file to another location
csh Change to C Shell
cu Calls another unix system
cut Cuts selected characters or fields out of each line
date Shows date and time
df Shows free and used space on the mounted file systems
diff Displays the difference between two files
du Shows the disk usage in blocks for a directory
echo Echoes the data to the screen or file
ed Text editor
env Lists the current environment variables
ex Another text editor
expr Evaluates a mathematical formula
f77 Fortran compiler
file Displays file type
find Finds a file
format Initializes a floppy disk
grep Searches for a pattern within a file
hello Online messaging
help Gives help
join Used to join files
kill Sends a signal to a process (by default TERM, which stops it)
line Reads one line from standard input and prints it
ln Creates a link between two files
lock Lock the terminal
logname Display login name
lpr Copies the file to line printer
ls Lists the files in a directory
mail Allows the user to send or receive mail
mesg Enable/disable messaging
mkdir Make directory
more Displays the contents of file to the screen
mv Used to move or rename files
news Offline messaging
nohup Allows a command to continue running even when you logout
nroff Used to format text
pack To pack all the specified files into a file
passwd Changes your password
pcat To read a file packed by the pack command, without unpacking it
pkgadd Installs a new program into your machine
ps Gives you list of current process status
pwd Displays the name of the working directory
rm Remove files
rmdir Removes directory
set Lists all the variables in the current shell
setcolor Used to set color
setenv Sets the environment variables
sleep Causes a process to become inactive for the specified number of seconds
sort Sort files
source Allows the user to execute a file and update any changed values in that file
spell Checks for spelling errors in a file
split Splits a file
stty Sets the terminal options
tail Displays the end of a file
talk Online chat
tar Archives all the specified files into one file (it does not compress by itself)
touch Creates an empty file or updates the time/date structure on a file
tr Translates one character format to another format
troff Outputs formatted output
tset Sets the terminal type
umask Specify a new creation mask
uncompress Uncompress the files compressed by compress command
uniq Reports or removes repeated adjacent lines in a (sorted) file
unpack To restore the files packed by the pack command
uucp Unix-to-Unix copy: transfers files between UNIX systems (uux runs commands remotely)
vi Full screen editor
vidi Change video modes
vipw Opens the vi editor and passwd file for editing
volcheck Checks to see if there is a floppy disk mounted to your machine
wall Online messaging
wc Displays the number of lines, words and characters in the specified file
who Displays the list of users connected to the server
who am i Displays your login name and login time
write Online messaging
zcat To read files compressed by the compress command, without uncompressing them
! Repeats a command from the shell history (!! repeats the last command)
Fri 25 Aug, 2006
Problem:
Network interface (or anything else on the PCI bus) says "SIOCSIFFLAGS: Resource temporarily unavailable"
Cause:
No IRQ assigned to the device, check /proc/pci (irq says 0)
Solution:
Enter the bios setup (F1 or Del on boot), disable the option ‘Plug n Play OS’.
Reason:
This will make your bios set up IRQs for you.
Problem:
USB mouse shows up on /dev/psaux, the PS/2 mouse device.
Cause:
Bios usb legacy support in action, probably because Linux didn’t probe for USB devices (which causes the bios to release control of them).
Solution:
Compile the kernel with USB support, Input Core and USB HID.
Reason:
Once the kernel's USB stack claims the controller, the BIOS legacy emulation that was presenting the mouse as a PS/2 device stops, and the mouse appears as a real USB HID device.
Problem:
USB mouse still appears on /dev/psaux instead of /dev/input/mice, even with USB support compiled in.
Cause:
Legacy USB support again. You might not have compiled in support for your USB chipset (the UHCI parts in USB support).
Solution:
Compile UHCI. If not working, try the alternate drivers.
Reason:
Without the host controller driver for your chipset the kernel never takes over the USB bus, so the BIOS legacy emulation stays in control.
Problem:
CD-R[W] doesn’t work, as cdrecord uses SCSI, but I have an IDE.
Cause:
cdrecord only supports SCSI.
Solution:
Compile the kernel with ide-scsi emulation enabled (under IDE support), and make sure you have SCSI support for cdrom enabled.
Reason:
It’ll let you use scsi drivers to access IDE devices.
Problem:
Accidentally cat’ing a binary file causes the all the characters you type next to show up as odd symbols.
Cause:
The binary file contained an octal 016 (Ctrl-N, Shift Out) character, which switched the terminal to its alternate character set.
Solution:
Print an octal 017 (Ctrl-O, Shift In) character, e.g. with echo -ne "\017" or printf '\017'. Running reset also restores the terminal to a sane state. Even better, make it a shell script called 'fix' for easy access.
Reason:
Shift Out is canceled by a Shift In.
Problem:
You scanned an ext3 file system with fsck.ext2/e2fsck, and now you can’t boot.
Cause:
fsck.ext2 deleted the journaling inode, essentially making it an ext2 fs.
Solution:
Either use tune2fs -j device to add the journal inode again, (more…)
