Setup OpenVPN

Filed under: shell scripts

Setup OpenVPN 2.0 with LZO compression library

cd /usr/local/src
wget http://oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz
tar xzf lzo-1.08.tar.gz
cd lzo-1.08
./configure
make
make check
make test
make install
# export LD_LIBRARY_PATH=/usr/local/lib
cd /usr/local/src
wget http://openvpn.net/release/openvpn-2.0.tar.gz
tar xzf openvpn-2.0.tar.gz
cd openvpn-2.0
./configure
make
make install

# Perform loopback tests
./openvpn --genkey --secret key
./openvpn --test-crypto --secret key

# Load the TUN/TAP kernel module
modprobe tun
lsmod | grep tun
./openvpn --cd /etc/openvpn --config local.conf
 
cat >>/etc/rc.d/rc.local <<'EOF'
if [ -x /etc/rc.d/rc.openvpn ]; then
 . /etc/rc.d/rc.openvpn
fi
EOF

Masquerade LAN

Filed under: Firewall scripts

#
# Turning IP forwarding on
#

# Note the space before ">": "echo 1>/proc/..." would redirect fd 1 and write an empty line.
$ echo 1 > /proc/sys/net/ipv4/ip_forward   # if it currently reads 0
$ vi /etc/sysctl.conf   # make it persistent: net.ipv4.ip_forward = 1

#
# Allow masquerading from LAN PC
# Save settings for next boot
#

$ iptables -t nat -A POSTROUTING -o eth1 -s 192.168.30.20 -j MASQUERADE
$ iptables-save > /etc/sysconfig/iptables

RedHat 9 network settings

Filed under: shell scripts


#
# RedHat Linux 9 Server
# Network Setup
#

cat >/etc/sysconfig/network <<'EOF'
NETWORKING=yes
HOSTNAME=homebox
GATEWAY=192.168.30.254
EOF

cat >/etc/sysconfig/network-scripts/ifcfg-eth0 <<'EOF'
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.30.1
NETMASK=255.255.255.0
GATEWAY=80.98.111.254
EOF

cat >/etc/sysconfig/network-scripts/ifcfg-eth1 <<'EOF'
DEVICE=eth1
BOOTPROTO=dhcp
ONBOOT=yes
EOF

iptables firewall script

Filed under: Firewall scripts, shell scripts


#!/bin/bash

# firewall script using iptables
# Platform: Red Hat Linux 9 (Shrike)
# Author: webHauser
# Created: 2005.08.10.

IPTABLES="/sbin/iptables"
LAN="eth1"
WAN="eth0"

# Flush rules and delete all user chains
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Forward all packets from internal network to eth0 (the internet).
$IPTABLES -A FORWARD -i $LAN -o $WAN -j ACCEPT
# Forward packets that are part of existing and related connections from eth0 to eth1.
$IPTABLES -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP echo requests on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow DNS resolution on all interfaces
$IPTABLES -A INPUT -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --destination-port 53 -m state --state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A INPUT -i $WAN -p udp --destination-port 123 -m state --state NEW -j ACCEPT

# Allow the OpenVPN port and traffic arriving through the VPN tunnel interfaces (tun+)
$IPTABLES -A INPUT -p udp --destination-port 1194 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 1194 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i tun+ -p udp -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i tun+ -p tcp -m state --state NEW -j ACCEPT
/sbin/iptables-save > /root/iptables-new

iptables guide

Filed under: In Hungarian, Firewall scripts

iptables chains:
 INPUT
 OUTPUT
 FORWARD

iptables handles packets in the filter table in the following chains:
- If the packet originates from this computer (it was generated by a program installed on this machine), the packet goes ONLY through the OUTPUT chain.
- If the packet arrives at this machine, it passes ONLY through the INPUT chain.
- If the packet is going somewhere else, it passes ONLY through the FORWARD chain.

So a packet going elsewhere NEVER touches the INPUT chain; likewise a forwarded packet is NEVER seen by the OUTPUT chain.
iptables keeps track of every connection; the table can be listed with `cat /proc/net/ip_conntrack`.

When and how should custom chains be created and used?
In the following example we create our own "mychain" so that both the INPUT and the FORWARD chain use its rules.


# iptables -N mychain
# iptables -A mychain -m state --state ESTABLISHED,RELATED -j ACCEPT
# ...further firewall rules...
# iptables -A mychain -j DROP
# iptables -A INPUT -j mychain
# iptables -A FORWARD -j mychain

With this method we do not have to program the INPUT and FORWARD chains separately; both reuse the rules of the new "mychain".

Firewalls usually have at least two network interfaces. One faces the internet, the others provide access for the local network. When a packet arrives on the external interface it may have to be forwarded towards the local network (FORWARD chain), which from the network's point of view is an INPUT chain. So controlling a single packet may require several rules.

iptables contains the following tables (`cat /proc/net/ip_tables_names`):

  • "filter" is the first and default table; it contains the INPUT (packets addressed to this machine), OUTPUT (locally generated packets) and FORWARD (packets routed through this machine) chains.
  • The "nat" table is consulted for packets that create new connections. It has three built-in chains: PREROUTING (for altering packets as they arrive), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to leave the machine).
  • The "mangle" table is reserved for specialised packet alteration. Its chains are PREROUTING (altering incoming packets before routing) and OUTPUT (altering locally generated packets).

Further useful iptables commands:

# iptables -t nat -L -n (don't waste time on DNS lookups to resolve local addresses: -n)
# iptables -p tcp --help
# iptables -m state --help
# iptables -j LOG --help

NOTE: This article was written by Hauser István, first published on 23 May 2005.
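As an added example, not code from the original posts, the following Python models the chain traversal the guide above describes and the shape of the firewall scripts on this page: exactly one built-in chain per packet, a shared user chain that INPUT and FORWARD jump into, and the DROP policy as the final fallback. The addresses, interface names and rules are constructed values.

```python
# Added example (not from the original posts): a model of how the filter table hands a
# packet to one of INPUT/OUTPUT/FORWARD, walks that chain, and jumps into user chains.
from dataclasses import dataclass, field
LOCAL_IPS = {"192.168.30.1", "80.98.111.10"}  # constructed: the firewall's own IPs

@dataclass
class Packet:
    src: str; dst: str; proto: str
    dport: int = 0; in_if: str = ""; out_if: str = ""
    state: str = "NEW"  # NEW or ESTABLISHED, as conntrack would classify it

@dataclass
class Rule:
    target: str  # ACCEPT, DROP, RETURN, or the name of a user-defined chain
    match: dict = field(default_factory=dict)  # Packet fields that must be equal
    def matches(self, pkt):
        return all(getattr(pkt, k) == v for k, v in self.match.items())

def builtin_chain(pkt):
    """A packet traverses exactly one built-in chain of the filter table."""
    if pkt.src in LOCAL_IPS:
        return "OUTPUT"  # locally generated
    if pkt.dst in LOCAL_IPS:
        return "INPUT"   # addressed to this machine
    return "FORWARD"     # routed through this machine

def walk(chains, policies, name, pkt):
    """First matching terminal rule wins; a user chain that ends or RETURNs
    without a verdict hands control back to the chain that jumped into it."""
    for rule in chains.get(name, []):
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            break
        result = walk(chains, policies, rule.target, pkt)  # jump into user chain
        if result is not None:
            return result
    return policies.get(name)  # built-in chain: its policy; user chain: None

def verdict(chains, policies, pkt):
    return walk(chains, policies, builtin_chain(pkt), pkt)

# Constructed ruleset in the spirit of the posts above: shared rules live in
# "mychain", INPUT and FORWARD both jump to it, and the DROP policy catches the rest.
POLICIES = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}
CHAINS = {
    "mychain": [Rule("ACCEPT", {"state": "ESTABLISHED"}),
                Rule("ACCEPT", {"in_if": "eth1", "proto": "tcp", "dport": 22})],
    "INPUT": [Rule("ACCEPT", {"in_if": "lo"}), Rule("mychain")],
    "FORWARD": [Rule("mychain"), Rule("ACCEPT", {"in_if": "eth1", "out_if": "eth0"})],
    "OUTPUT": [Rule("ACCEPT", {"out_if": "lo"}), Rule("ACCEPT", {"state": "ESTABLISHED"})],
}
```

In this model, as in the first firewall script above, OUTPUT accepts only loopback and ESTABLISHED traffic, so a NEW connection the firewall itself initiates is dropped by policy; the second script's NEW,ESTABLISHED,RELATED rule on OUTPUT is what lets the box reach the internet on its own.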

Make a hole into firewall to make your web server visible to others

Filed under: Firewall scripts

# Make a hole into firewall to make your web server visible to others.

iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
 

Startup script for Tomcat Servlet Engine

Filed under: shell scripts, Java

Example shell script usage:

  • /etc/rc.d/tomcat start
  • /etc/rc.d/tomcat stop
  • /etc/rc.d/tomcat restart


#!/bin/sh
#
# Startup script for Tomcat, the Apache Servlet Engine
#
# chkconfig: 345 80 20
# description: Tomcat is the Apache Servlet Engine
# processname: tomcat
# pidfile: /var/run/tomcat.pid
#
# Mike Millson <mmillson@meritonlinesystems.com>
#
# version 1.02 - Clear work directory on shutdown per John Turner suggestion.
# version 1.01 - Cross between RedHat Tomcat RPM and Chris Bush scripts
# Tomcat name :)
TOMCAT_PROG=tomcat
# if TOMCAT_USER is not set, use "tomcat" like the Apache HTTP server
if [ -z "$TOMCAT_USER" ]; then
 TOMCAT_USER="tomcat"
fi
RETVAL=0
# start and stop functions
start() {
    echo -n "Starting tomcat: "
    chown -R $TOMCAT_USER:$TOMCAT_USER /usr/java/jakarta-tomcat/*
    chown -R $TOMCAT_USER:$TOMCAT_USER /home/tomcat/*
    su -l $TOMCAT_USER -c '/usr/java/jakarta-tomcat/bin/startup.sh'
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch /var/lock/subsys/tomcat
    return $RETVAL
}
stop() {
    echo -n "Stopping tomcat: "
    su -l $TOMCAT_USER -c '/usr/java/jakarta-tomcat/bin/shutdown.sh'
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/tomcat /var/run/tomcat.pid
    # Optionally clear the work directory on shutdown (version 1.02 note above)
#    rm -rf /usr/java/jakarta-tomcat/work/*
    return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        stop
        # Ugly hack
        # We should really make sure tomcat
        # is stopped before leaving stop
        sleep 2
        start
        ;;
  *)
        echo "Usage: $0 start|stop|restart"
        exit 1
esac
exit $RETVAL

iptables firewall script

Filed under: Firewall scripts


#!/bin/bash
###############################################
#
# Copyright (c) webHauser
# iptables packet filtering firewall script
# RedHat Linux 9
# Kernel 2.4.20-8

NET=eth0
LAN=eth1
IPTABLES=/sbin/iptables

#
# IP kernel security settings
# (can also be made persistent in /etc/sysctl.conf)
#
# This setting is already the default here:
# echo 1 > /proc/sys/net/ipv4/ip_forward

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses (1 = log them, 0 = drop silently)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all tables and chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy FORWARD DROP
$IPTABLES --policy OUTPUT DROP
# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow unlimited outbound traffic
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow incoming 80 (http) connections from LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
# Allow incoming 8080 (tomcat) connections from LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 8080 -m state --state NEW -j ACCEPT
# Create a LOGDROP chain to log and drop packets to /var/log/messages
####$IPTABLES -N LOGDROP
####$IPTABLES -A LOGDROP -j LOG
####$IPTABLES -A LOGDROP -j DROP
####$IPTABLES -A INPUT -j LOGDROP

# Drop all other traffic
$IPTABLES -A INPUT -j DROP

/sbin/iptables-save > /root/setup/firewall/iptables-new

Port forwarding

Filed under: Network

Port forwarding forwards all traffic on a specific port (or range of ports) from the firewall to a computer on the internal LAN. This can be required to support special situations. For instance, this is the only way to support file transfers with an ICQ client on an internal computer. It’s also required if an internal system hosts a service such as a web server. However, it’s also a dangerous option. It allows Internet computers access to your internal network. Use it carefully and only if you’re certain you know what you’re doing.

Enable TCP/IP Forwarding

Filed under: Network

This applies only to Win32 systems.

1. Use Registry Editor (Regedt32.exe) to view the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

2. Set the following registry value:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1

NOTE: A value of 1 enables TCP/IP forwarding for all network connections installed and used by this computer.