Add Iptables Chain

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

Add Chain Example (from command line):

Create a new chain in iptables:

# iptables -N chainname

Insert the chain into the input chain at the head of the list:

# iptables -I INPUT 1 -j chainname

Flush all the rules in the chain:

# iptables -F chainname

Some Iptables Commands in Detail:

-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed.

-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.

Dynamic Firewall Rules

Would you like to block everyone from remotely accessing your server but still be able to access it from your dynamic IP address at home? To do this, you will need an account with a dynamic DNS service provider (e.g. http://www.dyndns.com). A client on your home computer reports your home computer's current external IP address to the dynamic DNS service, so that a fixed hostname always resolves to your current address.

Now you will need to add rules on your firewall for that hostname. However, since iptables resolves a hostname only once, at the moment the rule is added, you will need a script that repeatedly looks up the IP address of your home computer. The script below looks up a hostname's IP address, caches it in a directory, and adds a rule to allow it. When the script observes that the host's IP address has changed, the old IP is removed from iptables and the new IP is added.

You may want to put all your dynamic hosts into a separate chain. That way you can easily see what dynamic hosts are trusted.

Type the following to create and edit a new file named firewall-dynhosts.sh.

# vim firewall-dynhosts.sh

Insert the following text into firewall-dynhosts.sh:

#!/bin/sh
HOST=$1
HOSTFILE="/root/dynhosts/host-$HOST"
CHAIN="dynamichosts" # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough arguments passed.
if [ "$#" -ne 1 ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit 1
fi

# look up the host name in DNS; keep only the last line of the answer
IP=$(/usr/bin/dig +short "$HOST" | /usr/bin/tail -n 1)

if [ -z "$IP" ]; then
    echo "Couldn't look up hostname for $HOST, failed."
    exit 1
fi

# read the previously cached IP, if there is one
OLDIP=""
if [ -f "$HOSTFILE" ]; then
    OLDIP=$(cat "$HOSTFILE")
fi

# save off the new IP (create the cache directory if it does not exist yet).
mkdir -p "$(dirname "$HOSTFILE")"
echo "$IP" > "$HOSTFILE"

echo "Updating $HOST in iptables."
if [ -n "$OLDIP" ]; then
    echo "Removing old rule ($OLDIP)"
    "$IPTABLES" -D "$CHAIN" -s "$OLDIP/32" -j ACCEPT
fi
echo "Inserting new rule ($IP)"
"$IPTABLES" -A "$CHAIN" -s "$IP/32" -j ACCEPT

Now all you have to do to use this script is run:

# firewall-dynhosts.sh examplesite.dyndns.org

This would insert a rule for examplesite.dyndns.org into your firewall.
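Two things the procedure above relies on but does not check are that the dynamichosts chain exists and is hooked into INPUT, and that whatever dig returns is really an IPv4 address before it is placed on the iptables command line. The following added example (not from the original post; the chain name, the state directory under /root/dynhosts, the RESOLVE hook and the function names are assumptions) covers both and only touches the ruleset when the cached address has actually changed:

```sh
#!/bin/sh
# Added example (not from the original post): helpers for the dynamic-host
# script above. Chain name, state directory and function names are assumptions.
CHAIN="${CHAIN:-dynamichosts}"
IPTABLES="${IPTABLES:-/sbin/iptables}"  # set IPTABLES=echo for a dry run
RESOLVE="${RESOLVE:-resolve_dns}"       # name of the resolver function to call

resolve_dns() { dig +short "$1" | tail -n 1; }

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
# dig +short can return a CNAME, nothing at all, or several lines; only a
# validated address should ever reach the iptables command line.
is_ipv4() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs=$IFS; IFS=.; set -- $1; IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
}

# ensure_chain: create CHAIN if missing and hook it into INPUT exactly once,
# so repeated cron runs never stack duplicate jump rules.
ensure_chain() {
    $IPTABLES -n -L "$CHAIN" >/dev/null 2>&1 || $IPTABLES -N "$CHAIN"
    $IPTABLES -C INPUT -j "$CHAIN" >/dev/null 2>&1 || $IPTABLES -I INPUT 1 -j "$CHAIN"
}

# update_host HOST [STATEDIR]: resolve HOST, validate the answer, and swap the
# ACCEPT rule in CHAIN only when the cached address actually changed.
update_host() {
    _host=$1; _dir=${2:-/root/dynhosts}; _file="$_dir/host-$_host"
    mkdir -p "$_dir" || return 1
    _new=$("$RESOLVE" "$_host")
    if ! is_ipv4 "$_new"; then
        echo "refusing to use '$_new' as the address for $_host" >&2
        return 1
    fi
    _old=""
    [ -f "$_file" ] && _old=$(cat "$_file")
    [ "$_old" = "$_new" ] && return 0   # unchanged: leave the ruleset alone
    if [ -n "$_old" ]; then
        $IPTABLES -D "$CHAIN" -s "$_old/32" -j ACCEPT
    fi
    $IPTABLES -A "$CHAIN" -s "$_new/32" -j ACCEPT && printf '%s\n' "$_new" >"$_file"
}
# Usage from cron, as in the post: firewall-dynhosts.sh examplesite.dyndns.org
if [ $# -eq 1 ]; then ensure_chain && update_host "$1"; fi
```

Running it with IPTABLES=echo prints the iptables commands it would issue instead of executing them, which is a convenient way to check the behaviour before giving it root.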

You can then keep the rules for your trusted dynamic hosts current by running the script from cron.d. I have created the following cron job in the /etc/cron.d/ directory.

# Run the dynamic firewall script every (1) hour
0 * * * * root /script/location/firewall-dynhosts.sh examplesite.dyndns.org >/dev/null 2>&1

Done!

Thanks to Dave Horner’s Website for this information.

Option to Create Virtual Private Network Connection is Grayed Out

Do you see the following when trying to create a Virtual Private Network Connection in Windows XP Pro?

If so, you will need to make sure that the following services are started and enabled.
– Telephony
– Remote Access Auto Connection Manager
– Remote Access Connection Manager

To check if the above services are started and enabled you will need to access Windows Services.

Listed below are a few different ways to access Windows Services in Windows XP Pro.
Classic View
Start -> Control Panel -> Administrative Tools -> Services

Category View
Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Services

Run Line
Start -> Run, then type services.msc and press Enter

If the “Startup Type” column for Telephony is set to Disabled, right-click Telephony -> Properties and choose “Manual” from the “Startup type” drop-down menu. Finally, check that “Remote Access Auto Connection Manager” and “Remote Access Connection Manager” have started.

You should now be able to create your Virtual Private Network Connection!