Archive for January, 2010

iptables – port forwarding

January 30, 2010

My Linux gateway server is the only machine visible to the internet; all other machines sit in an internal subnet that is not visible from outside but can reach the outside net through iptables-based Network Address Translation (NAT).

In this setup, if I want to run a public service like httpd not on the gateway server (where it is visible to the outside) but on an internal machine (which is not visible outside), how do I make it available to the outside internet? To expose an internal machine's service to the outside we use port forwarding on the gateway server: a port on the gateway is assigned to accept all connections and forward them to the port on the internal machine where the service is listening.

Let xxx.xxx.xxx.xxx be the IP address of the gateway server connected to the cable modem and 192.168.0.2 the IP address of the internal machine. Say we want to run a web server (httpd) on 192.168.0.2, port 80, which should be available to the outside internet. We can forward port 80 on xxx.xxx.xxx.xxx to port 80 of 192.168.0.2:

Source: xxx.xxx.xxx.xxx:80 — forwarded to -> 192.168.0.2:80

Port Forwarding using iptables
First, set the DNAT rule:

iptables -t nat -A PREROUTING -p tcp -i eth1 --dst [public IP] --dport 80 -j DNAT --to-destination 192.168.0.2:80

Here
-t, the table to operate on (here nat)
-A, append the rule to the end of a chain
PREROUTING, a built-in chain of the nat table that packets traverse as soon as they arrive, before any routing decision
-p, protocol
-i, match the input interface on which the packet enters
-o, match the output interface on which the packet exits
--dst, an alias for the option -d (destination address)
--dport, TCP destination port
-j, jump to the specified target when the packet matches the current rule
DNAT, the target that rewrites the destination address; valid in the PREROUTING and OUTPUT chains of the nat table
--to-destination, the new destination address (and optionally port) of the packet

To view the rules in the nat table, with rule numbers:

iptables -t nat -vnL --line-numbers

Now let the traffic for the internal machine through the FORWARD chain:

iptables -I FORWARD 3 -o eth1 -s 192.168.0.2 -j ACCEPT

Here 3 is the position at which the rule is inserted in the FORWARD chain (filter table, since no -t nat is given); -I inserts at that rule number instead of appending.

To delete an existing rule by its number:

iptables -t nat -D PREROUTING 4

Here, 4 means rule number 4 in the PREROUTING chain of the nat table, as listed above.
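As an added example (my own code, not part of the original post), this Python helper parses the `iptables -t nat -vnL --line-numbers` listing to recover the rule numbers that -D needs and to list which public ports the gateway forwards inside. The listing below is constructed sample text, and 203.0.113.5 stands in for the gateway's public address xxx.xxx.xxx.xxx.

```python
import re

# Constructed sample of `iptables -t nat -vnL --line-numbers` output (not taken from a real
# host); 203.0.113.5 stands in for the gateway's public address xxx.xxx.xxx.xxx.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        3   180 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.5          tcp dpt:80 to:192.168.0.2:80
2        0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.5          tcp dpt:22 to:192.168.0.3:22

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 MASQUERADE  all  --  *      eth1    192.168.0.0/24       0.0.0.0/0
"""

# Columns of a DNAT rule line: num pkts bytes target prot opt in out source destination ...
DNAT_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+DNAT\s+(?P<proto>\S+)\s+\S+\s+(?P<iface>\S+)\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+.*?dpt:(?P<dport>\d+)\s+to:(?P<to>\S+)"
)

def dnat_rules(listing):
    """Return every DNAT rule as a dict tagged with its chain and rule number."""
    chain, rules = None, []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # remember which chain the numbers belong to
            continue
        m = DNAT_RE.match(line)
        if m and chain:
            rules.append({"chain": chain, "num": int(m["num"]), "proto": m["proto"],
                          "iface": m["iface"], "dst": m["dst"],
                          "dport": int(m["dport"]), "to": m["to"]})
    return rules

def delete_command(rule):
    """The `-D <chain> <num>` command that removes this rule, as in the post."""
    return f"iptables -t nat -D {rule['chain']} {rule['num']}"

def exposed_ports(listing):
    """Map each forwarded public port to its internal destination: what the gateway exposes."""
    return {r["dport"]: r["to"] for r in dnat_rules(listing)}
```

Rule numbers shift when a rule is deleted, so re-run the listing before deleting a second rule by number.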

Broadcast a message to a logged-in user through the terminal

January 27, 2010

Say you are unable to call your friend (maybe he forgot to bring his cellphone), but you know he is logged in to a Linux server doing something, and you have permission to ssh to that server. Then you can write him a message.

First, type:

who

who lists all users who are logged in and the terminal each is logged in on; you will see something like pts/0, pts/1.

Example output:

bob pts/0 2007-03-10 02:21 (:0.0)

With the information, now you can write messages to the user bob.

write bob pts/0

After typing the command above, you can start typing your message. Each time you hit Enter, that line is sent to the terminal. Terminate write with Ctrl+D.

You can also cat a file and pipe it to the write command:

cat memo.txt | write bob pts/0

You can broadcast a message to all logged-in users with the wall command (wall: write to all).

cat announcement.txt | wall

Or simply type wall, then start writing your message. With wall, the message is sent only after you hit Ctrl+D, and it goes to all logged-in users, including you.

User alias and command alias with sudo

January 27, 2010

sudo is a package that allows privileged users to run commands as other users. This is somewhat like assigning users to groups to give them special permissions on files; however, sudo can grant users access to specific commands on specific machines, making it a more precise and better organised way of giving special privileges to users.

The /etc/sudoers File

General sudoers file record format:

usernames/group servername = (usernames command can be run as) command

1. Granting All Access to Specific Users

You can grant users tarique and bonny full access to all privileged commands with this sudoers entry:

bonny, tarique ALL=(ALL) ALL

The keyword ALL can mean all usernames, groups, commands and servers, depending on where it appears in the rule.

2. Granting Access To Specific Users To Specific Files

This entry allows user tarique and all members of the group operator to run all the programs in the /sbin and /usr/sbin directories, plus the command /usr/local/apps/check.pl. Notice that the trailing slash (/) is required to specify a directory:

tarique, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl

3. Granting Access to Specific Files as Another User

sudo -u allows you to execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file:

tarique ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill

tarique is on the team developing a financial package that runs a program called fsystem as user accounts. From time to time the application fails, requiring tarique to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill commands, but only as user accounts.

User tarique is allowed to stop the fsystem process with this command:

sudo -u accounts pkill fsystem

4. Using Aliases in the sudoers File

User aliases are groups of users, labelled with the string User_Alias; each contains the list of users in that alias.

User_Alias DNSADMINS = tarique,bonny

The user alias DNSADMINS contains two users, tarique and bonny.

A Runas alias is a special type of user alias: it lists the users that other users may run commands as.

Runas_Alias APPADMIN = named,dbuser,operator

A command alias is a list of commands, labelled with the string Cmnd_Alias. Here we have an alias that includes all the commands necessary to back up to tape or restore the system from a backup.

Cmnd_Alias BACKUPS = /bin/mt,/sbin/restore,/sbin/dump

To use an alias, just put the alias name in the rule where you would normally list the user, command, or hostname. We’ve previously defined a user alias DNSADMINS. The users listed in the DNSADMINS alias get to run any commands at all on all of our servers.

DNSADMINS ALL = (ALL) ALL

Or, to allow only particular commands as particular users on all servers:

DNSADMINS ALL = (APPADMIN) BACKUPS

Let's suppose that user tarique has to manage an application that runs as a particular user. He can run any command on the system as this application user. We defined the Runas alias APPADMIN above, and assume a command alias DBCOMMANDS for the commands needed to run the application.

tarique ALL = (APPADMIN) DBCOMMANDS

As the application administrator, tarique might also have to run backups. The APPOWNER Runas alias already includes the operator user, and we have a separate command alias for the backup commands. We can combine them all like this:

tarique ALL = (APPOWNER) DBCOMMANDS, (APPOWNER)BACKUPS

This is much simpler to read than what the rule expands to:

tarique ALL = (dbuser,operator)/usr/home/dbuser/bin/*,\
(dbuser,operator)/bin/mt, (dbuser,operator)/sbin/restore,\
(dbuser,operator)/sbin/dump
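To see what the shorthand rule resolves to, here is an added example (my own code, not from the post or from sudo itself) that parses the aliases above and expands a rule into the individual (user, host, runas, command) grants the way sudo resolves it. APPOWNER = dbuser,operator and DBCOMMANDS = /usr/home/dbuser/bin/* are assumptions taken from the expanded rule, since the post does not define them.

```python
import re

# Constructed sudoers fragment built from the post's aliases (not a real /etc/sudoers);
# APPOWNER and DBCOMMANDS are assumed with the values the post's expanded rule shows.
SUDOERS = """\
User_Alias  DNSADMINS  = tarique,bonny
Runas_Alias APPOWNER   = dbuser,operator
Cmnd_Alias  BACKUPS    = /bin/mt,/sbin/restore,/sbin/dump
Cmnd_Alias  DBCOMMANDS = /usr/home/dbuser/bin/*
DNSADMINS ALL = (ALL) ALL
tarique ALL = (APPOWNER) DBCOMMANDS, (APPOWNER)BACKUPS
"""

ALIAS_RE = re.compile(r"^(User_Alias|Runas_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")
# One "(runas) command" item of a rule; the (runas) part is optional and sticks until changed.
SPEC_RE = re.compile(r"\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmd>[^,\s][^,]*)")

def _split(csv):
    return [x.strip() for x in csv.split(",") if x.strip()]

def parse_sudoers(text):
    """Return (aliases by kind, rules as (user, host, spec) tuples); no line continuations."""
    aliases, rules = {"User_Alias": {}, "Runas_Alias": {}, "Cmnd_Alias": {}}, []
    for line in text.splitlines():
        line = line.strip()
        m = ALIAS_RE.match(line)
        if m:
            aliases[m[1]][m[2]] = _split(m[3])
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    return aliases, rules

def expand_rule(user, host, spec, aliases):
    """Expand one rule into (user, host, runas, command) tuples, the way sudo resolves it."""
    users = aliases["User_Alias"].get(user, [user])
    runas, out = ("root",), []           # sudo's default target user when no (runas) is given
    for m in SPEC_RE.finditer(spec):
        if m["runas"] is not None:
            runas = tuple(u for name in _split(m["runas"])
                          for u in aliases["Runas_Alias"].get(name, [name]))
        for c in aliases["Cmnd_Alias"].get(m["cmd"].strip(), [m["cmd"].strip()]):
            out.extend((u, host, runas, c) for u in users)
    return out

def expand_all(text):
    aliases, rules = parse_sudoers(text)
    return [t for user, host, spec in rules for t in expand_rule(user, host, spec, aliases)]
```

Expanding both the alias form and the long form of the tarique rule yields the same four grants, which is exactly the equivalence the post describes.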