Month: February 2011

IT

iptables and dynamic DNS

Please read other posts in this section as well.
They may provide better options.

I just found back an old note about using iptables in combination with dyndns to open up access from a remote location. For instance, if you have a laptop that you take everywhere and you want to connect to your home or office. The script the other site suggested was broken, so let's write a new one.

Step 1: Create a new chain in the firewall

Create a new chain in the firewall where we can plug in the dynamic rules. On my Fedora machine, the firewall is located in /etc/sysconfig/iptables. I added the bold lines to this example.



*nat

:PREROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

COMMIT

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

<b>:DYNAMIC - [0:0]

-A INPUT -j DYNAMIC</b>

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

Step 2: Write a script

#!/bin/bash
 
HOSTNAME=myname.dyndns.org
CHECK_INTERVAL=60 #once a minute
 
/sbin/iptables -F DYNAMIC #flush all existing rules
IP="" #initialize $IP
while [ true ]; do
    OIP=$IP
    IP=$(host $HOSTNAME | grep -iE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" |cut -f4 -d' '|head -n 1)
    if [ "$OIP" != "$IP" -a "$IP" != "" ]; then
         echo "Changing ip to $IP"
         /sbin/iptables -F DYNAMIC #flush all old rules
         /sbin/iptables -I DYNAMIC -s $IP -j ACCEPT #the new rule
    fi
    sleep $CHECK_INTERVAL
done

In this case, the firewall accepts all traffic from $IP, but of course you could restrict it to 1 port. Also, I focussed on IPv4, but you could easily rewrite this script to IPv6 using ip6tables. I saved the file to /usr/local/bin/dynfirewall.sh

Step 3: Run the script

I'd prefer running the script from inittab, but since Fedora doesn't work like this anymore, I put the following line in /etc/rc.d/rc.local:

/usr/local/bin/dynfirewall.sh >>/var/log/dynfirewall 2>>/var/log/dynfirewall &

Please don't forget the ampersand at the end to fork the script!!

© GeekLabInfo iptables and dynamic DNS is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
Loading...
IT

Recover the password of a 3COM 4250T switch

Last weekend, one of my 3com 4250T switches stopped functioning. I used a multimeter and the fuse seems okay, but it's dead as a doorknob. Since my switches are stacked to one virtual unit, I bought a second hand 4250T to replace the broken one.

As often with second hand crap, this switch contained settings from the last location. Including an unknown password.

Fortunately, the switches have a recovery mode (which can also be disabled, so below instructions may not work on another switch).

Recovery mode

I connected the switch to a RS232 port using a null-modem cable. If you know the switches IP, you can also use telnet.

Login: recover
Password: recover

*** Password Recovery Mode ***
The administrative password will be cleared if a hard reset operation is
carried out on the device within 30 seconds.

If a hard reset operation is not carried out during this period, the device
will return to the CLI login prompt

countdown = 30...29...28...

Pull the plug of the switch before the countdown reaches 0. When you boot it again, you can login using the default user "admin" and simply press enter for 'password'.

This manual may work on:
3COM SuperStack 3 4400
3COM SuperStack 3 4900
3COM SuperStack 3 4924
3COM SuperStack 3 4950
3COM SuperStack 3 4300
3COM SuperStack 3 Webcache
3COM SuperStack 3 Webcache 1000
3COM SuperStack 3 Webcache 3000
3COM SuperStack 4200 series
3COM SuperStack 3 Switch 4250T
3COM SuperStack 3 Switch 4226T
3COM Switch 4050
3COM Switch 4060
3COM 3C16115
3COM 3C16116

© GeekLabInfo Recover the password of a 3COM 4250T switch is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (6 votes, average: 4.50 out of 5)
Loading...
IT

Transparent proxy with iptables and squid

Today, my dear wife asked me to help her with her facebook addiction. She wondered if I could block facebook, gmail, some news sites and more during her work hours. Sure, I can. And since she's running Linux as well, I could even do it on her own computer.

Step 1: Install squid

Squid is a FLOSS proxy server that runs on Linux and several other sytems. It's capable of filtering and behaving transparently. Just what we need.

yum -y install squid

Step 2: Configure squid

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Here I define the times and what file contains the rules
acl playtime1 time SMTWHFA 8:30-9:30
acl playtime22 time SMTWHFA 16:00-17:00
acl addiction url_regex -i "/etc/squid/addiction"

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# The next few lines actually do the work
http_access allow playtime1 addiction
http_access allow playtime2 addiction
http_access deny addiction
# If this ACL is triggered, show the user the WORKONLY error message.
deny_info WORKONLY addiction

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
# I added the word "transparent", so squid behaves a little different:
# it makes itself transparent. NOTE TO SELF: This is the line you're
looking for. Used to be httpd_accel_uses_host_header in squid 2

http_port 3128 transparent

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Don't show squid to the outside world
forwarded_for delete

# I don't need to log what she's doing
access_log none
# Nor do i need icap logs
icap_log none
# And i don't want to know what is stored in cache
cache_store_log none
# To not break web apps, I don't want caching either
cache deny all

Step 3: Define blocked sites

Type a list of blocked websites in /etc/squid/addiction. You can use complete urls, domains or even just words. Ie. "facebook" blocks http://www.facebook.com, but also http://wikipedia.org/wiki/facebook

Step 4: Leave a message

In the configuration, I put: deny_info WORKONLY addiction. This means that I can leave the user a message in /usr/share/squid/errors/templates/WORKONLY and /usr/share/squid/errors/en/WORKONLY. Since it's my wife's PC, I decided to leave her a sweet message :-D

Step 5: Route network traffic

I could configure her Firefox to use the proxy. But then she'd use Google Chrome or Konqueror to surf the web. And she could turn the proxy off. So I need to catch all http-traffic that did not pass squid. I used iptables:

#Allow user 'root' to surf the web, for yum update etc.
iptables -t nat -A OUTPUT -m tcp -p tcp --dport 80 -m owner --uid-owner root -j RETURN
# Allow user 'squid' to pass on http requests
iptables -t nat -A OUTPUT -m tcp -p tcp --dport 80 -m owner --uid-owner squid -j RETURN
# Redirect all other traffic to the proxy.
iptables -t nat -A OUTPUT -m tcp -p tcp --dport 80 -j REDIRECT --to-ports 3128
© GeekLabInfo Transparent proxy with iptables and squid is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 4.25 out of 5)
Loading...