Sunday, November 01, 2020

Mastering Iptables Firewall Course

Security of the network is the most important thing. We want security mechanisms that are easy to implement, open source, robust, flexible and affordable. A Linux-based iptables firewall satisfies all these requirements.

We are going to cover the following topics in this course.

- Firewall Introduction
- Types of Firewall
- Direction of Firewall
- What can be blocked/permitted
- Lab Setup Details
- Working with INPUT Chain
- Working with OUTPUT Chain
- Working with FORWARD Chain
- How to Block Layer 3 Traffic
- How to Block Layer 4 Traffic
- How to Block Layer 2 Traffic
- Handling ICMP Traffic
- Using SNAT
- Using DNAT
- Setting Default Policy
- Directional Filtering
- Connection Tracking
- Allowing Different Services in Default DROP Policy
- Using REJECT Target
- Create Custom Chains

The Course is available at Udemy. Click on Join Course.

https://www.udemy.com/course/mastering-iptables-firewall/?referralCode=4C477A430BFE7B4B51BE


Thursday, September 04, 2008

BOSS(Bharat Operating System Solutions)

BOSS (Bharat Operating System Solutions) is a GNU/Linux distribution developed by C-DAC (Centre for Development of Advanced Computing) for enhancing the use of Free/Open Source Software throughout India. BOSS Linux, a key deliverable of NRCFOSS, is an Indian GNU/Linux distribution currently localized to Tamil and Hindi. Targeting Indian users, it is designed as a user-friendly desktop environment coupled with Indian language support and other packages that are highly relevant for use in the government domain. Subsequent versions will support the educational domain as well. The ultimate goal is to localize it into all 22 official Indian regional languages, so that non-English speakers can reach technology and bridge the digital divide in India.
The aim of BOSS is to provide trouble-free computing and protection against viruses, piracy and spyware. It is available in many installation formats and in both server and desktop editions:
- BOSS is available in Pen drive ( Live & installable Format)
- CD Pack
For more details you can visit the sites:
www.bosslinux.in
www.nrcfoss.org.in
www.cdac.in
NRCFOSS
NRCFOSS has been promoted by the Department of Information Technology, MCIT, Government of India to address the issues related to FOSS in the Indian context and to explore how FOSS can play the twin roles of helping to bridge the digital divide and strengthening the Indian software industry.

Sunday, January 13, 2008

ACTIVE/PASSIVE FTP & IPTABLES FIREWALL

FTP Server: controlling FTP through a firewall is very tricky. To be able to control FTP you must first know how the FTP server behaves. The FTP server works in two modes: active mode (the default on Windows) and passive mode (the default on Linux). First we will try to understand these terms, and then how to control FTP through the firewall.

Active FTP: one connection is made by the client (FIREWALL) and the other connection, in the opposite direction, by the FTP server. In the case of stateless firewalls, active FTP poses great threats. In active FTP the server makes connections to random ports of the client (in this case the FIREWALL), so from the FIREWALL's point of view it becomes difficult to know which ports to open.

How Active FTP works:
(1) The client (FIREWALL) connects from port 1024 (>1023, assume 1024) to the control port (command port) 21 on the FTP server side and also sends PORT 192,168,0,211,154,208.
(2) The server acknowledges to the client's control port 1024.
(3) The FTP server connects from its data port 20 to the client's (FIREWALL) data port (154x256+208=39632).
(4) The client (FIREWALL) sends an acknowledgement from data port 39632 to the FTP server's data port 20.
We have written the following rules keeping in mind the above scenario:
# iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
Passive FTP: both connections are made by the client (FIREWALL) in the same direction, one of them to a port higher than 1023 on the server side.

How Passive FTP works:
(1) The client (FIREWALL) connects from port 1024 (>1023, assume 1024) to the control port (command port) 21 on the FTP server side and also sends PASV.
(2) The server acknowledges to the client's control port 1024 and sends 192,168,0,201,122,8.
(3) The client connects from data port 1025 to the FTP server's data port (122x256+8=31240).
(4) The server sends an acknowledgement from data port 31240 to the client's (FIREWALL) data port 1025.
We have written the following rules keeping in mind the above scenario:
# iptables -t filter -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
The connection tracking states used above:
NEW: a client requesting a new connection
ESTABLISHED: a packet that is part of an already established connection
RELATED: a connection that is requesting a new connection but is part of (related to) an existing connection
INVALID: if none of the above states match, the packet is invalid
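To make the port arithmetic in steps (3) above concrete, here is an added Python example (not part of the original post) that parses the PORT command and the 227 PASV reply the way the FTP connection-tracking helper must, computing the data port from the six comma-separated numbers; the sample lines are constructed from the addresses used in the post.

```python
import re
from typing import Dict, Tuple

# Constructed sample lines using the addresses from the post: the client's PORT
# command (active mode) and the server's 227 reply to PASV (passive mode).
ACTIVE_PORT_CMD = "PORT 192,168,0,211,154,208"
PASSIVE_REPLY = "227 Entering Passive Mode (192,168,0,201,122,8)"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line: str) -> Tuple[str, int]:
    """Return (ip, port) from a PORT command or a 227 PASV reply.
    The six numbers are h1,h2,h3,h4,p1,p2 and the port is p1*256 + p2,
    which is the 154x256+208 / 122x256+8 arithmetic in the post."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {line!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {line!r}")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def data_connection(mode: str, line: str) -> Dict[str, object]:
    """Describe the data connection the control channel just negotiated, i.e.
    the flow a stateless firewall would have to open by hand. iptables can
    classify it as RELATED only when the FTP conntrack helper is loaded
    (ip_conntrack_ftp on RHEL5, nf_conntrack_ftp on newer kernels), because
    that helper is what reads these lines on port 21."""
    ip, port = parse_hostport(line)
    if mode == "active":
        # server port 20 -> the client's announced port: inbound to the firewall
        return {"direction": "inbound", "src_port": 20, "peer_ip": ip, "peer_port": port}
    if mode == "passive":
        # client high port -> the server's announced port: outbound from the firewall
        return {"direction": "outbound", "peer_ip": ip, "peer_port": port}
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print(data_connection("active", ACTIVE_PORT_CMD))
    print(data_connection("passive", PASSIVE_REPLY))
```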
Full Course on Mastering Iptables Firewall available at Udemy. Join Course 

Wednesday, January 09, 2008

Setting DMZ with iptables


DMZ (Demilitarised Zone)
What is a DMZ: we segment our network in such a way that all users coming from the public network (internet) can access our Web, Mail and DNS servers without any danger of compromising our internal network, i.e. we divide our resources into two zones, one highly secured (internal) and one semi-secured (DMZ). We also want that if our DMZ somehow gets compromised, nobody can reach our internal network from the DMZ zone, while at the same time the internal network can still access the DMZ servers.

Lab set up :
Take a system with 3 LAN cards and configure it as a router:
eth0 (192.168.10.1/24) connected to internal network
eth1 (200.0.0.1/24 (assume)) connected to internet (public network)
eth2 (192.168.20.1/24) connected to DMZ network (web server 192.168.20.2/24, mail server 192.168.20.3/24, dns server at 192.168.20.4)

# set the default policy to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# to configure the system as a router, enable ip forwarding by
sysctl -w net.ipv4.ip_forward=1

# allow traffic from internal (eth0) to DMZ (eth2)
iptables -t filter -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow traffic from internet (eth1) to DMZ (eth2)
iptables -t filter -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# redirect incoming web requests at eth1 (200.0.0.1) of FIREWALL to web server at 192.168.20.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 200.0.0.1 --dport 80 -j DNAT --to-dest 192.168.20.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 200.0.0.1 --dport 443 -j DNAT --to-dest 192.168.20.2

# redirect incoming mail (SMTP) requests at eth1 (200.0.0.1) of FIREWALL to mail server at 192.168.20.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 200.0.0.1 --dport 25 -j DNAT --to-dest 192.168.20.3

# redirect incoming DNS requests at eth1 (200.0.0.1) of FIREWALL to DNS server at 192.168.20.4
iptables -t nat -A PREROUTING -p udp -i eth1 -d 200.0.0.1 --dport 53 -j DNAT --to-dest 192.168.20.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 200.0.0.1 --dport 53 -j DNAT --to-dest 192.168.20.4
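As an added illustration (not code from the post), the following Python walks constructed sample packets through the four FORWARD rules above with first-match semantics and the DROP policy, so you can verify the isolation property the post asks for: a host in the DMZ can answer the internal network but cannot open a new connection into it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    in_if: str
    out_if: str
    states: FrozenSet[str]  # conntrack states the -m state match accepts
    target: str = "ACCEPT"


# The post's FORWARD chain, in order; the chain policy is DROP.
FORWARD: List[Rule] = [
    Rule("eth0", "eth2", frozenset({"NEW", "ESTABLISHED", "RELATED"})),
    Rule("eth2", "eth0", frozenset({"ESTABLISHED", "RELATED"})),
    Rule("eth1", "eth2", frozenset({"NEW", "ESTABLISHED", "RELATED"})),
    Rule("eth2", "eth1", frozenset({"ESTABLISHED", "RELATED"})),
]
POLICY = "DROP"


def forward_verdict(in_if: str, out_if: str, state: str, chain: List[Rule] = FORWARD) -> str:
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for rule in chain:
        if rule.in_if == in_if and rule.out_if == out_if and state in rule.states:
            return rule.target
    return POLICY


# Constructed sample packets: (description, ingress interface, egress interface, conntrack state).
# DNAT happens in PREROUTING, so a web request from the internet reaches FORWARD as eth1 -> eth2.
SAMPLES = [
    ("internal -> DMZ web, new", "eth0", "eth2", "NEW"),
    ("DMZ web reply -> internal", "eth2", "eth0", "ESTABLISHED"),
    ("internet -> DMZ web after DNAT, new", "eth1", "eth2", "NEW"),
    ("compromised DMZ host -> internal, new", "eth2", "eth0", "NEW"),
    ("compromised DMZ host -> internet, new", "eth2", "eth1", "NEW"),
    ("internet -> internal, new", "eth1", "eth0", "NEW"),
]


def audit() -> Dict[str, str]:
    """Verdict for every sample packet, keyed by its description."""
    return {desc: forward_verdict(i, o, s) for desc, i, o, s in SAMPLES}


if __name__ == "__main__":
    for desc, verdict in audit().items():
        print(f"{verdict:6} {desc}")
```

Note that the same table shows the DMZ hosts can never originate a connection to the internet, so the mail server cannot deliver outbound mail and the DNS server cannot recurse; if those are needed, add explicit eth2 to eth1 NEW rules limited to just those destination ports.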

Friday, January 04, 2008

RHEL5 : YUM SERVER

Installing, uninstalling and updating software on Linux distributions (in our case RHEL5/Fedora Core 8) has not always been easy: there was always a chance of dependency problems. There are two methods of installing packages on Red Hat systems, using the binary .rpm format or the source format (tar.gz, tar.bz2).
For effortless installation YUM (Yellowdog Updater, Modified) was developed. Yum is extremely powerful. Here we will learn how to make your Linux system a YUM server and also how to use yum on the client side.
Making RHEL5 a Yum Server
RHEL5 comes on 5 CDs. Here we give a step by step procedure for configuring the Yum server.
First put the 1st CD into the CD-ROM/DVD drive of your system.
[root@server1 ~]# mkdir /dvd
[root@server1 ~]# mount /dev/cdrom /dvd
[root@server1 ~]# cp -a /dvd/. /var/ftp/pub/
[root@server1 ~]# umount /dvd
Repeat the above process for all five CDs. If it gives any overwriting messages, press 'y' there to confirm overwriting.
To create an FTP server based yum server, do the following 2 steps:
[root@server1 ~]# service vsftpd start
[root@server1 ~]# chkconfig vsftpd on

[root@server1 ~]# cd /var/ftp/pub/
[root@server1 pub]# rpm --import RPM-GPG-KEY-*
or
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-*
[root@server1 pub]# cd Server
[root@server1 Server]# rpm -ivh createrepo-0.4.4-2.fc6.rpm
Your version of createrepo can be slightly different, so always make a habit of using Tab completion after typing a few characters.
[root@server1 Server]# cd ..
[root@server1 pub]# createrepo .
createrepo turns your collection of files into repository data.
The above steps have created the yum server. You can now configure the client system to use the yum server. You can use the server itself as a client to test all the yum commands; in the present case we are doing just that.

[root@server1 pub]# mkdir /yum
[root@server1 pub]# mv /etc/yum.repos.d/* /yum/
This moves all the files in /etc/yum.repos.d/ to the /yum directory. We do not need these files; if any need arises in future they can be moved back to their original position. Open the file yum.conf on the yum server or client system and add these lines at the bottom:
[root@server1 pub]# vi /etc/yum.conf
[abcd]
name=yum-server
baseurl=ftp://192.168.0.201/pub
enabled=1
gpgcheck=1
Save the file and your yum server is ready.
[root@server1 pub]# cd
[root@server1 ~]# yum install zip
will install the zip package and its dependencies. It will ask for confirmation; press 'y' there.
[root@server1 ~]# yum remove zip
will remove the zip package
[root@server1 ~]# yum update zip
will update the package if a new version is available
[root@server1 ~]# yum list telnet
will list the specific telnet package
[root@server1 ~]# yum search telnet
will find all the packages that have anything related to telnet
[root@server1 ~]# yum provides /etc/inittab
will list the package(s) that contain the /etc/inittab file
[root@server1 ~]# yum list tel\*
will list all the packages whose name begins with tel
[root@server1 ~]# yum list available
this will list all the packages available in repositories that can be installed
[root@server1 ~]# yum list installed
this will list all installed packages
[root@server1 ~]# yum check-update
this will let you know if there are any updates available
[root@server1 ~]# yum update
this will update all the currently installed packages
[root@server1 ~]# yum info telnet
gives detailed information about the telnet package
There are also graphical tools available for package management and updates: pirut and pup. Go to graphic mode, open a terminal window and type pirut or pup. These graphical tools are very easy to use and learn.

[root@server1 ~]# cat /etc/yum.conf
[main]
cachedir=/var/cache/yum
keepcache=1
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
metadata_expire=1800
[local]
name=local
#baseurl=file:///var/ftp/pub
baseurl=ftp://192.168.0.201/pub
enabled=1
gpgcheck=1

The meanings of the different [main] options are:
cachedir : the directory where yum stores cache data. Default is /var/cache/yum
keepcache : 1 means keep the cache
0 means do not keep the cache
debuglevel : increases/decreases the number of things printed in the log file (/var/log/yum.log)
range 0-10 (0 = min, 10 = max)
logfile : absolute path of the yum log file (tail -f /var/log/yum.log)
distroverpkg : the package used by yum to determine the distribution version. Default is redhat-release
tolerant : 1 means tolerant of command line errors. Suppose you give the command yum install telnet zip; if one of these is already installed then it will not give an error.
0 does not tolerate errors
exactarch : 1 means use the exact architecture, i.e. do not update an i386 package with an i686 package
0 do not bother
obsoletes : enables obsolete processing logic. Useful when the distribution version changes.
gpgcheck : 1 means perform the GPG signature check
0 means do not perform the GPG signature check
plugins : yum's power can be extended through the use of plugins
1 means enable plugins
0 means disable plugins
metadata_expire : time in seconds after which the metadata expires
assumeyes : 0 means yum will prompt you for confirmation
1 means it will not prompt for confirmation (e.g. yum -y install telnet)
assumeyes=1 behaves like the -y option at the command line
Repository details:
[local] : the repository ID, unique and a single word
name=local : the name of the repository
baseurl :
baseurl=ftp://192.168.0.201/pub
or
baseurl=file:///var/ftp/pub
or
baseurl=http://192.168.0.201/pub
If the repository is local then use 'file', and if the repository is on a remote system then use the http/ftp method
enabled : 1 means use the repository
0 means do not use the repository
How to use an additional repository (in this case web server based):
[root@server1 ~]# cat >/etc/yum.repos.d/web.repo
[web]
name=web based yum repository
baseurl=http://192.168.0.201/pub
enabled=1
gpgcheck=1
Finish the input with Ctrl-D so the file is written, and after that open the file /etc/yum.conf
[root@server1 ~]# vi /etc/yum.conf
and in the [local] repository section change 'enabled=1' to 'enabled=0'
[root@server1 ~]# yum install telnet
Now yum on the client side will use the 'web' repository instead of the 'local' repository.
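Since every repository section above carries gpgcheck=1 and the keys were imported with rpm --import, a practitioner will want to confirm that no enabled repository silently turns the check off. Here is an added Python example (not from the post) that parses yum.conf-style sections with configparser and reports enabled repositories that would accept unsigned packages; the configuration text is constructed for the example.

```python
import configparser
from typing import List, Tuple

# Constructed sample in the same format as the post's /etc/yum.conf and web.repo;
# the [web] section deliberately has gpgcheck=0 so the check has something to find.
SAMPLE_CONF = """
[main]
cachedir=/var/cache/yum
gpgcheck=1
plugins=1

[local]
name=local
baseurl=ftp://192.168.0.201/pub
enabled=0
gpgcheck=1

[web]
name=web based yum repository
baseurl=http://192.168.0.201/pub
enabled=1
gpgcheck=0
"""


def audit_repos(conf_text: str) -> List[Tuple[str, str]]:
    """Return (repo_id, reason) for each enabled repository that would let yum
    install packages without verifying their RPM signature."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # A repository section without its own gpgcheck line inherits the [main] value.
    main_gpg = cp.getboolean("main", "gpgcheck", fallback=False)
    findings: List[Tuple[str, str]] = []
    for repo in cp.sections():
        if repo == "main":
            continue
        if not cp.getboolean(repo, "enabled", fallback=True):
            continue  # disabled repositories are never consulted by yum
        if not cp.getboolean(repo, "gpgcheck", fallback=main_gpg):
            url = cp.get(repo, "baseurl", fallback="?")
            findings.append((repo, f"gpgcheck is off for {url}: unsigned packages accepted"))
    return findings


if __name__ == "__main__":
    for repo, reason in audit_repos(SAMPLE_CONF):
        print(f"{repo}: {reason}")
```

To run it against a real system, feed it the contents of /etc/yum.conf and each file in /etc/yum.repos.d/.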

What is a package: a package is basically a collection of compressed files and dependency information. RPM (Red Hat Package Manager) greatly simplifies the installation, removal and updating of packages. Let us consider one package, "telnet-0.17-38.el5.i386.rpm".
The package name uses the following format:
packagename-version-release.architecture.rpm
where 'version' is the upstream (open source) version, 'release' is the Red Hat specific patch level, and 'architecture' is the hardware architecture of the system. It could be i386, ppc or noarch.

What is a repository: a repository is a directory containing packages and support files. Yum uses this directory, locally or remotely, for package management (i.e. for installing/removing/upgrading and automatically resolving dependencies).
When we run the createrepo command it creates many support files:
primary.xml.gz : contains the list of all RPMs and their dependencies
filelists.xml.gz : contains the list of all the files in all the packages
other.xml.gz : contains additional information such as changelogs
repomd.xml : contains the checksums and timestamps of the above three files. After a client has used the yum server, the client caches all files for future reference. If the repository is changed, the timestamps and checksums change, so repomd.xml indicates changes in the repository and the client refreshes its cache.
comps.xml : this optional file contains information about package groups.
All these files are located in the subdirectory 'repodata'.
