Category Archives: Networking

Linux_Logo_Photos

Test firewall with netcat

Overview

“The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets.
It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet does with some.” (NetCat Manual)

You can use netcat to listen on any available port and connect to it from a remote client, this way you can test that the firewall actually allows you to pass.

netcat installation

On CentOS you just need to use:

yum install nc -y

Test firewall with netcat

netcat server

Run netcat server on port 12345:

nc -v -l 12345

You should receive a blank line.
During connection you will see “Connection from 10.0.0.2 port 6666 [tcp/ircu-2] accepted” and whatever you write on the server will appear on the client.

netcat client

Connect to port 12345 on a remote server 10.0.0.1:

nc 10.0.0.1 12345

You should receive a blank line and whatever you write on the client will appear on the server.

netcat man page

Enjoy!

ddwrt_979

DD-WRT set date manually

dd-wrt set date manually

dd-wrt set date manually – In this tutorial I’ll explain how to set the date and time in dd-wrt based routers.

 

dd-wrt set date manually

My dd-wrt system is dd-wrt v24-sp2 (11/02/09) std
(SVN revision 13064M VINT Eko).

It may not work on your system but I’ll explain the basics so you should be able to find your own way.

 

dd-wrt set date manually

in dd-wrt set date manually using command-line. you can do this by:

  • SSH to your dd-wrt machine, or
  • use the web interface to run command line

Becuase ssh is not opened by default on all dd-wrt machines I’ll explain how to set the date and time using the second method – using the web interface. but the same command and rules apply also to SSH connection.

 

Admin Panel

go to your dd-wrt admin managment panel on your browser and view the Administration / Commands page. it may be different in your system version but you should able to find quickly where the Commands page is.

dd-wrt set date

dd-wrt set date

Date

You can use the Date command inside your dd-wrt box to read and set your system time and date.

View current date (NOW)

to view your current date as configured in your dd-wrt machine use the ‘date‘ command.
Just fill the commands input box with ‘date’ and click on the ‘Run Commands‘ button.

date

dd-wrt-date

 

dd-wrt set date manually

Here it may be tricky. I’ve found several online blogs and manuals but nothing worked. to set the dd-wrt date manually I’ve succeded with the following command:

date 022720012014

Month Day Hours Minutes Year
02 27 20 01 2014

 

 

dd-wrt-set-date

 

that’s it. I hope It helped you to configure your dd-wrt set date manually.

Development Specialist, Artist and Activist
Personal Website
Linux_Logo_Photos

iptables examples on CentOS

Overview

“iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.”

In this tutorial I will give a few essential examples of how to use iptables on CentOS

iptables

There are several ways to configure iptables on CentOS.
The simplest way is to use the command system-config-firewall/system-config-firewall-tui, it will help you set up standard rules like Web Server, FTP Server and a few more.
The second way is to use iptables command to edit the configuration – this method is best for testing since it will NOT save the settings until you run the command:

/etc/init.d/iptables save

The third way is to edit the file /etc/sysconfig/iptables and that is what I will show you today.

iptables chains

First we clear the content of /etc/sysconfig/iptables using:

echo > /etc/sysconfig/iptables

Set all the default chains to DROP and save the file:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

Now we are ready to insert the necessary rules to our chains.

Stateful configuration

Using a stateful rule to allow all established connections:

#Allow all Established connections
-A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT

Some services requires you to allow related connections (ftp,tftp…):

#Allow all Related connections
-A INPUT -p all -m state --state RELATED -j ACCEPT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

iptables examples

Allow LocalHost

First we need to insert a rule to allow localhost to communicate:

#All localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

Allow Web Browsing

#Out Internet Access
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#Out Internet Access SSL
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow Outgoing SSH

#Out SSH
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH

Allow Incoming SSH from a specified subnet/ip address

#In SSH
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH from all

#In SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming Web Server

#In Internet Access Port 80
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#In Internet Access SSL Port 443
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow DHCP Client

#In/Out DHCP Client
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

Allow DHCP Server

#In/Out DHCP Server
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

Allow DNS requests

#Out DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Allow Incoming ping

#In ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing ping

#Out ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Zabbix Agent

#In Zabbix Agent
-A INPUT -p tcp --dport 10050 -m state --state NEW -j ACCEPT

Allow Outgoing RDP

#Out RDP
-A OUTPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow Incoming RDP Server

#In RDP
-A INPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow SMTP Server

#In SMTP
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTP Client

#Out SMTP
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTPs Server

#In SMTPs
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTPs Client

#Out SMTPs
-A OUTPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTP TLS Server

#In SMTP TLS
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow SMTP TLS Client

#Out SMTP TLS
-A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow POP Server

#In POP
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POP Client

#Out POP
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POPs Server

#In POPs
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow POPs Client

#Out POPs
-A OUTPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow IMAP Server

#In IMAP
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAP Client

#Out IMAP
-A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAPs Server

#In IMAPs
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow IMAPs Client

#Out IMAPs
-A OUTPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow mySQL Server

#In mySQL
-A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow mySQL Client

#Out mySQL
-A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow NTP Server

#In NTP
-A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow NTP Client

#Out NTP
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow rsync

#In rsync
-A INPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

#Out rsync
-A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

Allow rsyslogd

#In rsyslogd
-A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

#Out rsyslogd
-A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Allow SAMBA Server

#In Samba
-A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dport 139,445 -m state --state NEW -j ACCEPT

Allow NFS Server

NFS uses random ports on startup so we need to fix the port numbers, add the following lines to ‘/etc/sysconfig/nfs’:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049

#In NFS
-A INPUT -p tcp -m multiport --dport 111,662,875,892,2020,2049,20049,32803 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dport 111,662,875,892,2020,2049,20049,32769 -m state --state NEW -j ACCEPT

Allow TFTP Server

TFTP needs an iptables module called “nf_conntrack_tftp”, edit ‘/etc/sysconfig/iptables-config’ and make sure you have:

IPTABLES_MODULES="nf_conntrack_tftp"

#In TFTP
-A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT

#You also need to allow related OUTPUT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

Allow Routing

Allow routing between Network-1 to Network-2 using 2 different NICs:

#Allow routing from eth0 to eth1
-A FORWARD -i eth0 -o eth1 -j ACCEPT

Specify port range

For example allow all communication from ports 100-200 to ports 200-300:

-A OUTPUT --sport 100:200 --dport 200:300 -j ACCEPT

Speciy IP Address range

IP Address range requires the ‘iprange’ module,
For example allow all communication to and from 10.0.0.1-10.0.0.100:

-A OUTPUT -m iprange --dst-range 10.0.0.1-10.0.0.100 -j ACCEPT
-A INPUT -m iprange --src-range 10.0.0.1-10.0.0.100 -j ACCEPT

Enjoy!

adito

OpenVPN ALS Adito SSL VPN Gateway on CentOS

Overview

OpenVPN ALS Adito SSL VPN Gateway is a web-based SSL-VPN server written in Java and it is completely free and open-source.
The installation on CentOS 6 Linux Operating System is fairly simple using the next few steps (we will use CentOS Minimal x86_64).
Continue reading

ddwrt_979

Configure DD-WRT Router as an Access Point or Wireless Repeater

Overview

This tutorial will explain how to use your DD-WRT router as a Repeater or Access Point.

“DD-WRT is a Linux based alternative Open-Source firmware suitable for a great variety of WLAN routers and embedded systems.
The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionality within the framework of the respective hardware platform used.”

Continue reading