Monday, January 24, 2011

IPTABLES on CentOS / Fedora / RedHat

Since kernel version 2.4, Linux has had a built-in packet filtering framework known as Netfilter. To use Netfilter, CONFIG_NETFILTER must be enabled when the kernel is compiled. IP forwarding must also be enabled (this is what makes the host route packets between its interfaces, which is the traffic the FORWARD chain filters):
echo 1 > /proc/sys/net/ipv4/ip_forward
Packet filtering works at the Internet layer of the TCP/IP stack. Filtering rules can be defined on transport-layer header fields (port numbers) and on network-layer fields (source IP address). Packet payloads are not inspected during filtering.
Netfilter's filtering chains run in kernel space. In user space, a dedicated tool called iptables, which requires root privileges, is used to configure:
- filter chains,
- NAT tables,
- mangle tables.
Netfilter uses three filters, INPUT, OUTPUT and FORWARD, realised as chains. Each chain contains a set of rules that filter packets. If a packet matches a rule, the rule's action is applied, such as accepting or dropping the packet.
Iptables commands:
-A (Append a rule to the end of a chain).
-D (Delete a rule from a chain).
-R (Replace a rule in a chain).
-I (Insert a rule at a given position in a chain).
-L (List rules).
-F (Flush, i.e. delete all rules from a chain).
Flushing the chains:
# iptables -F INPUT
# iptables -F OUTPUT
# iptables -F FORWARD
Here are some basic examples of iptables usage.
1. Blocking IP with iptables:
# iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
# iptables -A OUTPUT -d xxx.xxx.xxx.xxx -j DROP
* A hostname such as www.abc.com can be used instead of xxx.xxx.xxx.xxx.
2. Opening ports:
First, check which ports are already open. This can be done with nmap, a free program shipped by most distributions.
# nmap -sT xxx.xxx.xxx.xxx
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap run completed -- 1 IP address scanned in 0.941 seconds.
As we see, port 25 is not in this list. Let's open port 25 for SMTP traffic.
# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
3. Allowing other hosts to ping this machine:
# iptables -A INPUT -p icmp -s xxx.xxx.xxx.xxx/xx --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp -d xxx.xxx.xxx.xxx/xx --icmp-type echo-reply -j ACCEPT
4. Restricting access by time of the day:
# iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d xxx.xxx.xxx.xxx --dport 22 \
    -m state --state NEW,ESTABLISHED \
    -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT

5. Logging rejected packets (the LOG target does not stop rule processing, so it goes immediately before the DROP rule at the end of each chain):

# iptables -A OUTPUT -j LOG
# iptables -A OUTPUT -j DROP
# iptables -A INPUT -j LOG
# iptables -A INPUT -j DROP
# iptables -A FORWARD -j LOG
# iptables -A FORWARD -j DROP
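The five examples above issue one iptables command at a time, which leaves a window where some rules are loaded and others are not. As an added example (not from the original post), the script below expresses the same rules as a single iptables-restore ruleset that is parsed and loaded atomically, with default-DROP policies, an ESTABLISHED/RELATED rule so replies to the host's own connections are accepted, and a rate limit on the LOG rules so a flood cannot fill the log. The addresses 203.0.113.45 and 198.51.100.0/24 are constructed documentation addresses standing in for the post's xxx.xxx.xxx.xxx; the `--weekdays` option is the name used by the current time match (the post's `--days` belongs to the older ipt_time module).

```shell
#!/bin/sh
# Added example, not part of the original post: generate the post's firewall
# rules as one iptables-restore ruleset and load it atomically.
# Assumptions: iptables with the state, time and limit matches; run as root.

BLOCKED_HOST=${BLOCKED_HOST:-203.0.113.45}    # constructed: host to block (example 1)
PING_FROM=${PING_FROM:-198.51.100.0/24}       # constructed: network allowed to ping (example 3)

# Print the ruleset in iptables-restore format. Lines starting with '#' are
# comments to iptables-restore and are ignored when loading.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus packets belonging to connections this host already has.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Example 1: drop traffic from and to the blocked host.
-A INPUT -s $BLOCKED_HOST -j DROP
-A OUTPUT -d $BLOCKED_HOST -j DROP
# Example 2: services open to everyone. Only NEW connections need a rule;
# established ones were accepted above.
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Example 4: SSH only on weekdays between 09:00 and 18:00.
-A INPUT -p tcp --dport 22 -m state --state NEW -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
# Example 3: echo-request from a trusted network, rate limited. Echo replies
# to this host's own pings are matched by the ESTABLISHED rule.
-A INPUT -p icmp --icmp-type echo-request -s $PING_FROM -m limit --limit 5/second -j ACCEPT
# Example 5: log, then drop, everything that fell through. LOG is
# non-terminating, so it must precede DROP; the limit caps log volume.
-A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT INPUT DROP: " --log-level 4
-A INPUT -j DROP
-A FORWARD -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT FORWARD DROP: " --log-level 4
-A FORWARD -j DROP
COMMIT
EOF
}

# Number of rules appended to a given chain in the generated set.
rule_count() {
    gen_ruleset | grep -c "^-A $1 "
}

# Parse the ruleset first (--test loads nothing), then load it for real.
apply_ruleset() {
    gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

case "${1:-}" in
    show)  gen_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Run it as `sh firewall.sh show` to review the ruleset and `sh firewall.sh apply` to load it. If a hostname is used in `-s`/`-d`, as the post notes it can be, it is resolved once when the rules are loaded, so a later DNS change is not picked up until the ruleset is reloaded.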

Tuesday, January 11, 2011

Crontab for Fedora / RedHat / CentOS / Ubuntu

Crontab runs scripts and commands at regular intervals to perform various tasks. An interval can be anything from once a minute to once a year, repeating indefinitely.

To list current crontabs:

# crontab -l


You can create a crontab file by entering the following terminal command:

# crontab -e


A crontab file has six fields for specifying minute, hour, day of month, month, day of week and the command to be run at that interval:

#################################################################
#minute (0-59),                                                 #
#|      hour (0-23),                                            #
#|      |       day of the month (1-31),                        #
#|      |       |       month of the year (1-12),               #
#|      |       |       |       day of the week (0-6 with 0=Sun)#
#|      |       |       |       |       commands                #
#################################################################


Some examples:

* * * * * #Runs every minute
*/5 * * * * #Runs every 5 minutes
30 * * * * #Runs at 30 minutes past the hour
45 6 * * * #Runs at 6:45 am every day
45 18 * * * #Runs at 6:45 pm every day
00 1 * * 0 #Runs at 1:00 am every Sunday
00 1 * * 7 #Runs at 1:00 am every Sunday
00 1 * * Sun #Runs at 1:00 am every Sunday
30 8 1 * * #Runs at 8:30 am on the first day of every month
00 0-23/2 02 07 * #Runs every other hour on the 2nd of July

You can also use some special strings:

@reboot #Runs at boot
@yearly #Runs once a year [0 0 1 1 *]
@annually #Runs once a year [0 0 1 1 *]
@monthly #Runs once a month [0 0 1 * *]
@weekly #Runs once a week [0 0 * * 0]
@daily #Runs once a day [0 0 * * *]
@midnight #Runs once a day [0 0 * * *]
@hourly #Runs once an hour [0 * * * *]

You can also chain several commands in one crontab entry with && (first_command and second_command below stand for the actual commands):

@daily first_command && second_command


Specifying a crontab file to install for a user:

# crontab -u USER FILE

Example:
# crontab -u tux ~/crontab

-would set Tux's crontab file to that of the file named "crontab" residing in Tux's home directory (note that ~ is expanded by the shell of whoever runs the command, so run it as Tux or give the full path).

To remove a crontab file for current user:
# crontab -r

Monday, January 10, 2011

Command Line Wi-Fi for Fedora

[rajat@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686 i386 GNU/Linux


[root@localhost rajat]# iwlist eth1 scan
eth1      Scan completed :
          Cell 01 - Address: 00:90:4C:91:00:01
                    ESSID:"DevEnablers"
                    Mode:Managed
                    Frequency:2.437 GHz (Channel 6)
                    Quality:1/5  Signal level:-82 dBm  Noise level:-93 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                              24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
                              12 Mb/s; 48 Mb/s
The scan above lists what is available in your area.

#iwconfig eth1 essid network-essid

ESSID: your router's network name.
network-essid: an SSID is a key of up to 32 alphanumeric characters that uniquely identifies a wireless LAN.

#iwconfig eth1 freq 2.422G
#iwconfig eth1 channel 6

Either the frequency or the channel number can be given. The scan above reported the network on:

Frequency:2.437 GHz (Channel 6)

To list the channels the card supports:

#iwlist eth1 frequency
eth1      13 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Current Channel:6

[root@localhost rajat]# iwlist eth1 bitrate
eth1      12 available bit-rates :
      1 Mb/s
      2 Mb/s
      5.5 Mb/s
      6 Mb/s
      9 Mb/s
      11 Mb/s
      12 Mb/s
      18 Mb/s
      24 Mb/s
      36 Mb/s
      48 Mb/s
      54 Mb/s
          Current Bit Rate=8 Mb/s

Set the maximum number of retries:

#iwconfig eth1 retry 8

Set the maximum retry lifetime to 300 milliseconds:

#iwconfig eth1 retry lifetime 300m

Set the maximum fragment size:

#iwconfig eth1 frag 512

Some cards do not apply these changes immediately; commit them explicitly:

#iwconfig eth1 commit
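The `iwlist eth1 scan` listing above is the raw driver output; before joining a network it is worth seeing at a glance which cells are WPA2 and which are open or WEP-only. As an added example (not from the original post), the script below parses that output format and prints one line per cell with ESSID, BSSID, channel, signal level and security type, and a second function keeps only the open and WEP cells. SAMPLE_SCAN is constructed: its first cell repeats the post's DevEnablers entry and the other two cells are made up with locally-administered MAC addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise `iwlist <iface> scan`
# output and flag networks without WPA/WPA2. Assumes POSIX sh and awk.

# Constructed sample in the same format as the post's scan output.
SAMPLE_SCAN=$(cat <<'EOF'
eth1      Scan completed :
          Cell 01 - Address: 00:90:4C:91:00:01
                    ESSID:"DevEnablers"
                    Mode:Managed
                    Frequency:2.437 GHz (Channel 6)
                    Quality:1/5  Signal level:-82 dBm  Noise level:-93 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    Encryption key:on
          Cell 02 - Address: 02:00:00:00:00:02
                    ESSID:"CoffeeShop"
                    Mode:Managed
                    Frequency:2.412 GHz (Channel 1)
                    Quality:4/5  Signal level:-55 dBm  Noise level:-93 dBm
                    Encryption key:off
          Cell 03 - Address: 02:00:00:00:00:03
                    ESSID:"OldPrinter"
                    Mode:Managed
                    Frequency:2.462 GHz (Channel 11)
                    Quality:2/5  Signal level:-70 dBm  Noise level:-93 dBm
                    Encryption key:on
EOF
)

# parse_scan: read iwlist scan output on stdin, print one summary line per cell:
#   ESSID  BSSID  channel  signal  security (WPA2 / WPA / WEP / OPEN)
# "WEP" means the cell is encrypted but advertises no WPA or RSN (WPA2) IE.
parse_scan() {
    awk '
    function flush() {
        if (bssid == "") return
        sec = "OPEN"
        if (enc == "on") sec = "WEP"
        if (wpa)  sec = "WPA"
        if (wpa2) sec = "WPA2"
        printf "%-20s %-18s ch%-3s %5s dBm  %s\n", essid, bssid, chan, sig, sec
        bssid = essid = chan = sig = enc = ""; wpa = wpa2 = 0
    }
    /Cell [0-9]+ - Address:/ { flush(); bssid = $5 }
    /ESSID:/ { s = $0; sub(/.*ESSID:"/, "", s); sub(/".*$/, "", s); essid = s }
    /Frequency:/ { if (match($0, /Channel [0-9]+/)) chan = substr($0, RSTART + 8, RLENGTH - 8) }
    /Signal level/ {
        if (match($0, /Signal level[:=]-?[0-9]+/)) {
            s = substr($0, RSTART, RLENGTH); sub(/.*[:=]/, "", s); sig = s
        }
    }
    /Encryption key:/ { enc = ($0 ~ /key:on/) ? "on" : "off" }
    /IE: IEEE 802.11i\/WPA2/ { wpa2 = 1 }
    /IE: WPA Version/ { wpa = 1 }
    END { flush() }
    '
}

# flag_weak: keep only cells that are open or WEP-only.
flag_weak() {
    parse_scan | awk '$NF == "OPEN" || $NF == "WEP"'
}

# scan_and_audit [iface]: run a live scan (root required) and list weak cells.
scan_and_audit() {
    iwlist "${1:-eth1}" scan | flag_weak
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SCAN" | parse_scan
fi
```

`sh wifiscan.sh demo` runs the parser over the constructed sample; `iwlist eth1 scan | sh -c '. ./wifiscan.sh; flag_weak'` or a call to `scan_and_audit eth1` from a shell that has sourced the file audits the live neighbourhood. Some drivers print `Signal level=-82 dBm` rather than `Signal level:-82 dBm`; the parser accepts both.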

Monday, January 3, 2011

Command line BitTorrent client for Fedora / RedHat / CentOS

BitTorrent is the name of a peer-to-peer (P2P) file distribution protocol, and of a free software implementation of that protocol.



[root@example ~]# python -V
Python 2.7

[root@example ~]# yum install bittorrent -y


[root@example ~]# rpm -qa |grep bittorrent
bittorrent-4.4.0-15.fc14.noarch


[root@example rajat]# bittorrent-curses CD704DCEEA6555A6DA95E8EB233E1956C825B8AE.torrent