Synology NAS: fixing the rsync "permission denied" error when connecting to the NAS after a DSM update

30/10/2017 Categories: Logiciel, Système

My Synology NAS has just updated its DSM firmware, and when I launch my rsync backup I notice that the rsync connection to the NAS no longer works: after entering the password, I get a "permission denied" error.

Here is how to fix this little annoyance in two minutes flat.

Problem: SSH connection refused

During the initial connection, started with:

rsync --ignore-existing --progress -vr --rsh='ssh -p22222' /home/backup/* root@example.com:/volume1/video

the following error message appears after entering the password:

Permission denied, please try again.
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(226) [sender=3.1.1]

After verifying that the credentials (user/password) are correct, it turns out that the solution lies in the --rsync-path argument, which specifies explicitly the path of the rsync executable on the NAS: the SSH login itself succeeds, but the non-interactive shell that rsync spawns on the NAS no longer finds rsync on its PATH after the DSM update.
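The following is an added example, not code from the original post. It wraps the backup so that, before any data moves, the NAS is asked over the same SSH connection where its rsync binary actually lives, and that path is passed with --rsync-path. When the non-interactive PATH no longer contains rsync, the wrapper prints that PATH instead of leaving you with a bare "permission denied". Host, port and directories are the placeholders from the post; SSH_CMD and RSYNC_CMD exist only so the logic can be exercised without a real NAS. Note that the post logs in as root with a password; the wrapper does not change that, though a dedicated backup user with key-based authentication is the safer setup.

```shell
#!/bin/sh
# Added example (not from the original post): probe the NAS for the real rsync
# path over SSH, then run the transfer with an explicit --rsync-path.
# SSH_CMD / RSYNC_CMD are overridable so the logic can be tested offline.
SSH_CMD="${SSH_CMD:-ssh}"
RSYNC_CMD="${RSYNC_CMD:-rsync}"

# probe_remote_rsync USER@HOST PORT: print the remote rsync path, or fail and
# show the non-interactive PATH the NAS gives to commands started over SSH.
probe_remote_rsync() {
    target="$1"; port="$2"
    path=$("$SSH_CMD" -p "$port" "$target" 'command -v rsync 2>/dev/null' 2>/dev/null) || path=""
    if [ -z "$path" ]; then
        echo "rsync not found in the non-interactive PATH on $target:" >&2
        "$SSH_CMD" -p "$port" "$target" 'echo "PATH=$PATH"' >&2
        return 1
    fi
    printf '%s\n' "$path"
}

# run_backup USER@HOST PORT SRC_DIR DST_DIR: probe first, then transfer with
# --rsync-path set. The trailing slash on SRC copies its contents, like the
# /* glob in the post, but also includes dotfiles.
run_backup() {
    target="$1"; port="$2"; src="$3"; dst="$4"
    remote_rsync=$(probe_remote_rsync "$target" "$port") || return 1
    "$RSYNC_CMD" --ignore-existing --progress -vr \
        --rsh="ssh -p $port" \
        --rsync-path="$remote_rsync" \
        "$src/" "$target:$dst"
}

# Example invocation with the post's placeholders (assumed, adjust to taste):
#   run_backup root@example.com 22222 /home/backup /volume1/video
```

If the probe fails, the printed PATH tells you where DSM now looks for binaries; locate rsync on the NAS once (for instance with `find / -name rsync -type f` in an interactive SSH session) and the wrapper will pass that path on every run.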

Read more…


The list of keys you can use on a Mac at startup

16/10/2017 Categories: Système

If you are the happy owner of a Mac, I imagine you know that in case of a technical problem it is possible, at startup, to reset certain memories (PRAM, NVRAM) or to boot into a recovery mode.

But every time, these keyboard shortcuts to press at startup are a pain to find again. That is why I will go through all of them here; you will only need to bookmark this page for next time.

To use these shortcuts, you must first shut the computer down completely, then turn it back on and, immediately after pressing the power button, hold down the following keys:

Shift: Starts the Mac in "safe" mode, that is, a basic mode without all the applications you may have set to launch at startup. This lets you find out whether your problem is caused by one of your applications or by a process belonging to macOS itself.

Option (Alt): Launches the boot manager, which lets you choose the disk you want to boot from.

Command + R: Starts in recovery mode (Recovery Mode). This lets you reset your Mac, reinstall macOS, restore a Time Machine backup, or use the command line or Disk Utility to repair or format a hard drive.

Shift + Command + Option + R: Starts Internet Recovery mode. This is like the recovery mode described above, except that everything is loaded from the Internet. This allows reinstalling macOS (or other operations) even when the recovery partition is completely dead.

Read more…


macOS Boot Option Cheatsheet

16/10/2017 Categories: Constructeur, Système

To access some specialized Mac features you’ll need to hold down one or more keys during startup. If you’re having trouble with your Mac, this can be a great way to troubleshoot and analyze your options.

To use any of these boot keys, hold down the listed key combo as soon as you press your Mac's power button. If you're restarting your Mac, press and hold the keys immediately after it begins to restart. Don't release the keys until you see the described behavior. Note that if a firmware password is set, the Mac asks for it before honoring any of these combinations; that is exactly why setting one is worthwhile on a machine others can physically reach, since Recovery Mode and single-user mode otherwise give anyone at the keyboard root-level access to the disk unless it is FileVault-encrypted.

Shift: Start your Mac in Safe Mode. Since safe mode only loads essential software, you can determine whether a system process or a user-installed application is causing your problem.

Option: Boot into Startup Manager. From here you can select different startup disks if any bootable partitions are available.

Command + R: Boot into Recovery Mode. Recovery Mode is macOS’s powerful recovery suite with a bunch of options for saving or wiping your Mac. You can use it to reinstall macOS, restore from a Time Machine backup or use Disk Utility to repair or format your hard drive.

Shift + Command + Option + R: Start in Internet Recovery Mode, skipping your system’s hard drive. This allows you to reinstall the build of macOS that came with your computer from the factory. macOS might do this one on its own if your installation is so messed up that you can’t boot into Recovery Mode.

Command + S: Start in single user, command-line-only mode. This is useful for running diagnostic Terminal commands or fsck, but it can’t do much beyond that.

Command + V: Boot in verbose mode. This mode displays logging and diagnostic messages as your Mac boots. If your Mac is showing the Apple logo but failing to start completely, try this to see where in the boot process the error occurs.

Read more…

2 awesome open source apps to share your terminal over the web

06/10/2017 Categories: Logiciel, Système

Want to share your terminal over the web for demo, learning or collaboration purposes? Try these two applications, which expose your terminal as a web application.

Please note that accepting input from remote clients is dangerous for most commands: anyone who can reach the page can type into the shared program. When you need interaction with the TTY, start the tools below with tmux or GNU Screen and run your command inside that session. Use them only with trusted parties or inside a VM, and notice in the sample output further down that gotty listens on every interface of the host by default (it prints a URL for each one), while granting read-only access unless started with -w. Let us see how to install and use gotty and ttyd on a Unix-like system.

1. gotty

GoTTY is a simple command-line tool that turns your CLI tools into web applications. It is written in the Go programming language.

Installation

You can install gotty on macOS using the brew command:
$ brew install yudai/gotty/gotty

Sample outputs:

Updating Homebrew...
==> Tapping yudai/gotty
Cloning into '/usr/local/Homebrew/Library/Taps/yudai/homebrew-gotty'...
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 5 (delta 1), reused 2 (delta 0), pack-reused 0
Unpacking objects: 100% (5/5), done.
Tapped 1 formula (30 files, 22.7KB)
==> Installing gotty from yudai/gotty
==> Downloading https://github.com/yudai/gotty/releases/download/v1.0.1/gotty_darwin_amd64.tar.gz
==> Downloading from https://github-production-release-asset-2e65be.s3.amazonaws.com/40808571/c401bd34-7bd9-11e7-8
######################################################################## 100.0%
==> Caveats
GoTTY!
==> Summary
🍺 /usr/local/Cellar/gotty/v1.0.1: 3 files, 8.2MB, built in 1 minute

On Linux or another Unix-like system, if you have a Go development environment installed, you can instead run:

$ go get github.com/yudai/gotty

Usage

The syntax is:

gotty [options] command

For example, to share htop:

$ gotty htop

Sample outputs:

2017/09/23 22:31:19 Server is starting with command: htop
2017/09/23 22:31:19 URL: http://127.0.0.1:8080/
2017/09/23 22:31:19 URL: http://[::1]:8080/
2017/09/23 22:31:19 URL: http://[fe80::1]:8080/
2017/09/23 22:31:19 URL: http://[fe80::1c3a:3312:311b:cca4]:8080/
2017/09/23 22:31:19 URL: http://192.168.225.106:8080/
2017/09/23 22:31:19 URL: http://[fe80::6c1b:58ff:fe8a:4e6e]:8080/
2017/09/23 22:31:19 URL: http://[fe80::526a:bad6:960f:369f]:8080/
2017/09/23 22:31:19 URL: http://10.8.0.2:8080/

Open a browser and go to:
http://127.0.0.1:8080/
or, from another computer on your LAN/VLAN:
http://192.168.225.106:8080/

Sample outputs:

Gif 01: gotty in action


For more info and documentation see gotty home page.

2. ttyd

ttyd is a simple command-line tool for sharing a terminal over the web, inspired by GoTTY. It is written in C on top of libwebsockets for speed, and works on macOS, Linux, FreeBSD, OpenWrt/LEDE and Windows.

Installation

If you are using macOS, run the following brew command:
$ brew install ttyd
Sample outputs:

Viveks-MacBook-Pro:~ veryv$ brew install ttyd
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
No changes to formulae.
 
==> Installing dependencies for ttyd: json-c, libwebsockets
==> Installing ttyd dependency: json-c
==> Downloading https://homebrew.bintray.com/bottles/json-c-0.12.1.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring json-c-0.12.1.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/json-c/0.12.1: 27 files, 156.2KB
==> Installing ttyd dependency: libwebsockets
==> Downloading https://homebrew.bintray.com/bottles/libwebsockets-2.2.1.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring libwebsockets-2.2.1.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/libwebsockets/2.2.1: 29 files, 4.2MB
==> Installing ttyd
==> Downloading https://homebrew.bintray.com/bottles/ttyd-1.3.3.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring ttyd-1.3.3.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/ttyd/1.3.3: 6 files, 282.6KB

If you are using Debian/Ubuntu Linux, run:
$ sudo apt-get install -y software-properties-common
$ sudo add-apt-repository ppa:tsl0922/ttyd-dev
$ sudo apt-get update
$ sudo apt-get install ttyd

Usage

The syntax is:

$ ttyd [options] command

For example, to share a bash shell:

$ ttyd bash

Sample outputs:

[2017/09/23 22:57:32:9322] NOTICE: ttyd 1.3.3 (libwebsockets 2.2.0)
[2017/09/23 22:57:32:9323] NOTICE: tty configuration:
[2017/09/23 22:57:32:9323] NOTICE:   start command: bash
[2017/09/23 22:57:32:9323] NOTICE:   reconnect timeout: 10s
[2017/09/23 22:57:32:9323] NOTICE:   close signal: SIGHUP (1)
[2017/09/23 22:57:32:9323] NOTICE: Initial logging level 7
[2017/09/23 22:57:32:9323] NOTICE: Libwebsockets version: 2.2.0 brew@Sierra.local-
[2017/09/23 22:57:32:9323] NOTICE: IPV6 not compiled in
[2017/09/23 22:57:32:9323] NOTICE: libev support not compiled in
[2017/09/23 22:57:32:9323] NOTICE: libuv support not compiled in
[2017/09/23 22:57:32:9324] NOTICE:  Threads: 1 each 256 fds
[2017/09/23 22:57:32:9325] NOTICE:  mem: platform fd map:  2048 bytes
[2017/09/23 22:57:32:9325] NOTICE:  Compiled with OpenSSL support
[2017/09/23 22:57:32:9325] NOTICE:  SSL disabled: no LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT
[2017/09/23 22:57:32:9326] NOTICE: Creating Vhost 'default' port 7681, 2 protocols, IPv6 off
[2017/09/23 22:57:32:9337] NOTICE:  Listening on port 7681
[2017/09/23 22:57:32:9338] NOTICE:  mem: per-conn:          568 bytes + protocol rx buf
[2017/09/23 22:57:32:9339] NOTICE:  canonical_hostname = Viveks-MacBook-Pro.local

Open a web browser and go to:
http://127.0.0.1:7681/
Sample session:

Gif. 02: bash-ttyd demo


For more info and docs, see the project home page.
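As an added example (not part of the original post, nor code from the gotty or ttyd projects), here is the pre-flight check I would put in front of either tool to enforce the warning at the top of this post: a writable session must carry credentials, credentials that leave loopback must travel over TLS, anything bound to a non-loopback address gets a warning, and the shared program runs inside tmux rather than in your login shell. Flag names are the ones I know from gotty 1.x and ttyd 1.x (confirm with --help on your build); certificate paths, user:pass values and the session name are placeholders.

```shell
#!/bin/sh
# Added example: policy check and launch helpers for gotty / ttyd.
# Not from the original post or from either project.

# is_loopback ADDR_OR_IFACE: 0 for loopback forms, 1 for anything else.
is_loopback() {
    case "$1" in 127.0.0.1|localhost|lo|::1) return 0 ;; *) return 1 ;; esac
}

# check_share_policy MODE BIND CRED TLS
#   MODE ro|rw, BIND address or interface, CRED user:pass or "", TLS yes|no
check_share_policy() {
    mode="$1"; bind="$2"; cred="$3"; tls="$4"
    if [ "$mode" = rw ] && [ -z "$cred" ]; then
        echo "refusing: writable terminal without credentials" >&2; return 1
    fi
    if [ -n "$cred" ] && [ "$tls" != yes ] && ! is_loopback "$bind"; then
        echo "refusing: basic-auth credentials would cross the network in clear" >&2; return 1
    fi
    if ! is_loopback "$bind"; then
        echo "warning: $bind is reachable from the network; prefer an SSH tunnel to 127.0.0.1" >&2
    fi
    return 0
}

# gotty_cmd MODE BIND CRED TLS CERT KEY PROGRAM...: print the gotty command line.
#   -a bind address, -p port, -w permit write (gotty is read-only without it),
#   -c basic auth, -t with --tls-crt/--tls-key serves HTTPS.
gotty_cmd() {
    mode="$1"; bind="$2"; cred="$3"; tls="$4"; cert="$5"; key="$6"; shift 6
    check_share_policy "$mode" "$bind" "$cred" "$tls" || return 1
    cmd="gotty -a $bind -p 8080"
    [ "$mode" = rw ] && cmd="$cmd -w"
    [ -n "$cred" ] && cmd="$cmd -c $cred"
    [ "$tls" = yes ] && cmd="$cmd -t --tls-crt $cert --tls-key $key"
    printf '%s tmux new-session -A -s shared %s\n' "$cmd" "$*"
}

# ttyd_cmd MODE IFACE CRED TLS CERT KEY PROGRAM...: the same for ttyd.
#   -i interface to bind, -p port, -c basic auth, -S/-C/-K serve HTTPS,
#   -R read-only (ttyd is writable by default, the opposite of gotty).
ttyd_cmd() {
    mode="$1"; iface="$2"; cred="$3"; tls="$4"; cert="$5"; key="$6"; shift 6
    check_share_policy "$mode" "$iface" "$cred" "$tls" || return 1
    cmd="ttyd -i $iface -p 7681"
    [ "$mode" = ro ] && cmd="$cmd -R"
    [ -n "$cred" ] && cmd="$cmd -c $cred"
    [ "$tls" = yes ] && cmd="$cmd -S -C $cert -K $key"
    printf '%s tmux new-session -A -s shared %s\n' "$cmd" "$*"
}

# Example: a read-only htop demo on loopback; other people reach it only
# through an SSH tunnel (ssh -L 8080:127.0.0.1:8080 yourhost):
#   sh -c "$(gotty_cmd ro 127.0.0.1 '' no '' '' htop)"
```

The helpers print the command line rather than executing it, so you can review the flags before running it with `sh -c`. Binding to loopback and tunnelling over SSH is the one configuration that avoids both the clear-text credential problem and the "every interface" default.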

 

macOS High Sierra Supplemental Update Released for Mac Users

06/10/2017 Categories: Constructeur, Logiciel

Apple has released the first supplemental update to macOS High Sierra 10.13, complete with bug fixes, improvements, and security fixes.

The general release notes accompanying the supplemental update say that the release includes improvements to stability, reliability, and security. Specifically, the update is said to "improve installer robustness" (it is unclear whether this addresses the issue where some users are unable to download a complete macOS High Sierra installer without third-party utility assistance), includes a fix for cursor graphics bugs when using Adobe InDesign, and resolves an issue where the Mail app was unable to delete email from Yahoo accounts. Additionally, the update includes a security fix for a problem where Disk Utility could be used to reveal the password of an encrypted APFS volume, and resolves a security bug relating to Keychain passwords. The complete security release notes are below for those interested. The supplemental update is recommended for all macOS High Sierra users.

Mac users running macOS 10.13 High Sierra can find the update available to download and install now in the Mac App Store Updates section. The update is labeled as “macOS High Sierra 10.13 Supplemental Update”.

Note the supplemental update is separate from the beta versions of 10.13.1 currently under the beta testing programs.

Always back up a Mac before installing any system software update, including smaller bug fix updates like this macOS High Sierra Supplemental Update.

The complete security related supplemental update release notes are as follows:

macOS High Sierra 10.13 Supplemental Update
Released October 5, 2017

StorageKit
Available for: macOS High Sierra 10.13
Impact: A local attacker may gain access to an encrypted APFS volume
Description: If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.
CVE-2017-7149: Matheus Mariano of Leet Tech

Security
Available for: macOS High Sierra 10.13
Impact: A malicious application can extract keychain passwords
Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.
CVE-2017-7150: Patrick Wardle of Synack

New downloads of macOS High Sierra 10.13 include the security content of the macOS High Sierra 10.13 Supplemental Update.

A practical follow-up to the StorageKit fix: the update clears the stored hint, but anyone who could ask for the hint on the unlock dialog before you patched could already have read the passphrase, so treat an encrypted APFS volume created with a hint on 10.13 as exposed and change its passphrase.

Separately, iPhone and iPad users can find iOS 11.0.2 available as an update, which also includes various bug fixes for that system software release, and watchOS 4.0.1 for Apple Watch is out as well.


How to Downgrade iOS 11 to iOS 10.3.3 on iPhone and iPad

06/10/2017 Categories: Constructeur, Logiciel

Don’t like iOS 11 on your iPhone or iPad? You can downgrade to iOS 10.3.3 if you act quickly. Maybe you don’t like the update, maybe you find iOS 11 battery life to be poor, or app compatibility to be a problem, or perhaps you think the performance is subpar. Whatever the reason, you can easily downgrade iOS 11 if you need to, but the ability to downgrade is only available for a limited time while Apple continues to sign the prior operating system release of iOS 10.3.3.

We’ll walk through how you can downgrade iOS 11 back to iOS 10 on an iPhone or iPad.

This guide requires iTunes and a computer, internet access, an iOS 10.3.3 IPSW file, and a USB cable. There is no way to downgrade iOS 11 without iTunes and a computer.

Important note: downgrading iOS 11 to iOS 10.3.3 can cause data loss, including the removal of important data or of everything on your iPhone or iPad. It is therefore critical to have a backup that is compatible with iOS 10 available before downgrading (one should have been made prior to updating to iOS 11 in the first place), because iOS 11 backups are not compatible with iOS 10 or other prior releases. If you only have a backup from iOS 11, then after downgrading to iOS 10 you may have to update to iOS 11 again in order to restore from that backup. If you don't know what you are doing and do not have adequate backups, do not attempt to downgrade, or you may experience permanent data loss on the iPhone or iPad.

We’ll cover two ways to downgrade, a simple way that should work for most users, and an approach that requires Recovery Mode if the first downgrade method fails.

Read more…

How to Download a Full macOS High Sierra Installer App

04/10/2017 Categories: Constructeur, Logiciel

Many Mac users who are attempting to download macOS High Sierra from the Mac App Store will find that a small 19 MB version of “Install macOS High Sierra.app” downloads to the /Applications folder of the target Mac, rather than the complete 5.2 GB Installer application for macOS High Sierra. This is annoying because it prevents a single download from being used on multiple computers, plus the small installer requires an internet connection during usage to download the rest of the High Sierra update files. Additionally, the tiny 19 MB incomplete installer prevents users from being able to create a macOS High Sierra USB installer drive or other custom update options available through the command line, like skipping the APFS update.

This tutorial will show you a workaround trick that allows Mac users to download the full macOS High Sierra “Install macOS High Sierra.app” file at 5.2 GB with the complete installer tool set and all dmg files and associated Install macOS High Sierra.app/Contents/Resources/ tools, rather than the tiny incomplete truncated installer at 19 MB.

How to Download the Full “Install macOS High Sierra.app” Application

Warning: this method relies on a tool from an unverified third-party source. If you are not comfortable using unvetted and unverified software, or do not understand the risks of running potentially dubious software, do not follow this process. This is for advanced users only. Whatever you download this way, check the resulting installer's code signature before running anything from it as root; the signature is Apple's, regardless of which tool fetched the bundle.

    1. Go to dosdude1.com and download the High Sierra patcher application*
    2. Launch "MacOS High Sierra Patcher" and ignore everything about patching; instead pull down the "Tools" menu and choose "Download MacOS High Sierra"
    3. Confirm that you want to download the complete macOS High Sierra install application, then choose a location on the local hard drive to save it
    4. The patcher app will notify you when the download is complete; once it is done, quit the patcher app
    5. Locate the "Install macOS High Sierra.app" file you downloaded; it is the complete installer application with the full Contents/Resources/ toolkit available

* The "macOS High Sierra Patcher" application is intended for those with unsupported Macs and for Hackintosh users, but any Mac user can use the app to download the complete installer file from Apple's servers. The patcher application comes from the MacRumors Forums.

You can confirm that you have the complete Install macOS High Sierra.app application by getting info on the file, the complete installer should be around 5.2 GB rather than the tiny 19 MB incomplete installer that requires additional downloads.

The complete macOS High Sierra installer downloaded

Why do some users get a small incomplete version of macOS High Sierra installer from the App Store?

This is not yet known, but it happens with the final version of macOS High Sierra installer as well as with some of the beta versions.

It is unclear why some users will get a 19MB version of “Install macOS High Sierra.app” when downloaded from the App Store, while others users will get the complete 5.2GB version of “Install macOS High Sierra.app” when downloading from the App Store. Interestingly, once a user ends up with the 19 MB version of the incomplete installer, that seems to be the only thing that will download for that user regardless of how many times the incomplete installer app is deleted and re downloaded.

Incomplete macOS High Sierra installer

The installer size and completeness inconsistency appears random: it has no relation to disk space, beta enrollment or software catalog, and other theories appear to be incorrect as well.

How to Create a Bootable Install Drive for macOS High Sierra

04/10/2017 Categories: Système

Some Mac users like to create a bootable USB installer drive for macOS High Sierra. A bootable install volume of macOS 10.13 lets users perform a variety of tasks, including formatting and clean installs, updating multiple Macs from the same USB flash drive installer (without re-downloading), and using it as a troubleshooting boot drive should the need arise, amongst other benefits for advanced and more technical users.

This walkthrough will detail how to make a bootable USB install drive for macOS High Sierra.

Requirements to Create a macOS High Sierra Bootable USB Installer

To create a functioning macOS High Sierra installer boot drive, you will need the following:

Beyond that you’ll just need a bit of patience and a bit of technical know-how or comfort following technical instructions. Making a USB install drive requires the usage of precise syntax at the command line with superuser privileges, using the wrong syntax could lead to unintended data loss.

How to Make a Bootable USB Installer for macOS High Sierra

    1. Connect the USB flash drive to the Mac; if you need to format it, do so now
    2. Download the macOS High Sierra installer application from the App Store* and make sure the complete installer is located in the /Applications/ directory
    3. When the installer has finished downloading it will launch automatically; quit the installer when this happens
    4. Open the "Terminal" application found in the /Applications/Utilities/ directory
    5. Enter the following command at the command line, replacing "UNTITLED" with your USB drive's volume name if necessary (createinstallmedia erases that volume, so double-check the name):

sudo /Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/createinstallmedia --volume /Volumes/UNTITLED && say Boot Installer Complete

    6. Confirm the syntax is exactly as written, then hit RETURN and enter the administrator password to start creating the High Sierra installer drive*
    7. Let the process complete; you will be informed when it has finished

Once you have created the USB boot installer drive for macOS High Sierra, you can either launch it immediately to install macOS High Sierra on the current Mac, reboot and startup from the USB installer drive, or eject it and use it on another Mac.

* Note: if you are getting a “command not found” error and you are certain your syntax is correct, be sure to check the file size of the “Install macOS High Sierra.app” as found in the /Applications folder. If the file size of the High Sierra installer is not over 5GB then you have the incomplete installer and will need to download the complete macOS High Sierra installer application as described here in order to create a bootable installer drive.
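Both the "is this the complete installer?" question above and the earlier note about confirming a third-party-fetched bundle are the kind of thing worth scripting rather than eyeballing in Get Info. The following is an added example, not code from the original article: it checks that the bundle carries createinstallmedia and is far larger than the 19 MB stub, and, when run on macOS, that Apple's code signature still verifies before you hand the bundle to sudo. The size threshold and the "Authority=Apple Root CA" line are assumptions drawn from the sizes quoted in the article and from how codesign prints Apple's certificate chain.

```shell
#!/bin/sh
# Added example (not from the original article): sanity checks for an
# "Install macOS High Sierra.app" bundle before running createinstallmedia.

MIN_KB=4500000   # assumed threshold: below ~4.5 GB it cannot be the 5.2 GB full installer

# installer_status APP_PATH: print complete | incomplete | missing
# (exit status 0 only for "complete").
installer_status() {
    app="$1"
    [ -d "$app" ] || { echo missing; return 1; }
    tool="$app/Contents/Resources/createinstallmedia"
    kb=$(du -sk "$app" | cut -f1)
    if [ ! -x "$tool" ] || [ "$kb" -lt "$MIN_KB" ]; then
        echo incomplete; return 1
    fi
    echo complete
}

# verify_signature APP_PATH: succeed only if the bundle's signature is intact
# (--deep --strict) and chains to Apple's root. Fails closed where codesign
# does not exist, i.e. anywhere other than macOS.
verify_signature() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available here; cannot verify $app" >&2
        return 1
    fi
    codesign --verify --deep --strict "$app" || return 1
    codesign -dvv "$app" 2>&1 | grep -q '^Authority=Apple Root CA$' || return 1
}

# Usage before step 5 of the walkthrough (paths from the article):
#   app="/Applications/Install macOS High Sierra.app"
#   installer_status "$app" && verify_signature "$app" && \
#     sudo "$app/Contents/Resources/createinstallmedia" --volume /Volumes/UNTITLED
```

The "command not found" symptom the note above describes is exactly the case installer_status reports as incomplete: the stub bundle has no Contents/Resources/createinstallmedia at all.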

Booting from the macOS High Sierra USB Installer Drive

With the newly created macOS High Sierra USB installer drive connected to the Mac, reboot the computer. Immediately on reboot, start holding down the “OPTION” (ALT) key to load the boot menu. Select the High Sierra installer at this screen.

Once booted from the USB drive you can proceed with installing macOS High Sierra, using the Disk Utility tools to format or erase a volume, work with Time Machine, and other similar tasks.

If you previously created a boot installer for the High Sierra beta, you may notice that the createinstallmedia syntax differs with the final version: part of the change accommodates the new file name of the installer application, and the rest is that the --applicationpath flag is no longer required.

Keep in mind that macOS High Sierra can only be installed onto supported hardware, if you’re uncertain whether or not a particular computer supports the release you can check this list of macOS High Sierra compatible Macs.


How to Disable or Enable Auto-Brightness in iOS 11 for iPhone and iPad

04/10/2017 Categories: Constructeur, Logiciel

Auto-Brightness is a screen setting on the iPhone and iPad which causes the device to automatically adjust the display brightness depending on ambient lighting conditions. For example, if you’re outdoors or in bright lighting, the screen would adjust to be brighter so that it is more visible, and if you’re in a dim room or outdoors at night, the screen would adjust to lower the brightness so that the screen isn’t as glaringly bright. Auto-brightness in iOS also can improve battery life by adjusting the brightness of the iPhone or iPad display down as the ambient lighting permits.

Read more…


Linux: 20 Iptables Examples For New SysAdmins

28/09/2017 Categories: Réseau, Sécurité, Système

According to the official project site:

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

This Linux firewall is controlled by the iptables program, which handles filtering for IPv4; ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial explaining how to configure a host-based firewall with Netfilter (iptables) under CentOS / RHEL / Fedora / Red Hat Enterprise Linux. This post lists the simplest iptables recipes a new Linux user needs to protect his or her system from intruders.

IPTABLES Rules Example

  • Most of the commands in this post are written on the assumption that they are executed by the root user in bash or any other modern shell. Be careful when typing them over a remote session: a rule (or default policy) that drops your own traffic will disconnect you from the machine.
  • For demonstration purposes I have used RHEL 6.x, but the following commands should work on any modern Linux distro that uses Netfilter.
  • This is NOT a tutorial on how to set up iptables (see the tutorial linked above). It is a quick cheat sheet of common iptables commands.

#1: Displaying the Status of Your Firewall

Type the following command as root:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

The output above shows no rules and an ACCEPT default policy on every chain, which means the firewall is not filtering anything. The following sample shows an active firewall:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Where,

  • -L : List rules.
  • -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix ‘K’, ‘M’ or ‘G’ for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
  • -n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

#1.1: To inspect firewall with line numbers, enter:

# iptables -n -L -v --line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain wanin (1 references)
num  target     prot opt source               destination

Chain wanout (1 references)
num  target     prot opt source               destination

You can use line numbers to delete or insert new rules into the firewall.

#1.2: To display INPUT or OUTPUT chain rules, enter:

# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

#2: Stop / Start / Restart the Firewall

If you are using CentOS / RHEL / Fedora Linux, enter:
# service iptables stop
# service iptables start
# service iptables restart

You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

Where,

  • -F : Deleting (flushing) all the rules.
  • -X : Delete chain.
  • -t table_name : Select a table (nat or mangle here) whose rules are then flushed or whose chains are deleted.
  • -P : Set the default policy of a built-in chain. Only ACCEPT or DROP are valid chain policies; REJECT is a target for individual rules, not a policy.

#3: Delete Firewall Rules

To display line number along with other information for existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

You will get the rule list with a number on the left of each line; use that number to delete the rule. For example, to delete rule number 4 from INPUT, enter:
# iptables -D INPUT 4
OR find source IP 202.54.1.1 and delete from rule:
# iptables -D INPUT -s 202.54.1.1 -j DROP
Where,

  • -D : Delete one or more rules from the selected chain

#4: Insert Firewall Rules

To insert one or more rules into the selected chain at the given rule number, use the following syntax. First find the line numbers:
# iptables -L INPUT -n --line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 

To insert rule between 1 and 2, enter:
# iptables -I INPUT 2 -s 202.54.1.2 -j DROP
To view updated rules, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    DROP       all  --  202.54.1.2           0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED

#5: Save Firewall Rules

To save firewall rules under CentOS / RHEL / Fedora Linux (on RHEL / CentOS 7 and later this needs the iptables-services package), enter:
# service iptables save
In this example, drop an IP and save the firewall rules:
# iptables -A INPUT -s 202.5.4.1 -j DROP
# service iptables save

For all other distros use the iptables-save command, which writes the running ruleset in the format iptables-restore reads back:
# iptables-save > /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules
On Debian / Ubuntu the iptables-persistent package loads /etc/iptables/rules.v4 at boot, so save the output there to make the rules survive a reboot.

#6: Restore Firewall Rules

To restore firewall rules from a file called /root/my.active.firewall.rules, enter:
# iptables-restore < /root/my.active.firewall.rules
iptables-restore replaces the whole ruleset in one atomic operation, so there is never a moment with a half-loaded firewall. To check a file for syntax errors without loading it, run iptables-restore --test < file first.
To restore the saved rules under CentOS / RHEL / Fedora Linux (they are read from /etc/sysconfig/iptables), enter:
# service iptables restart

#7: Set the Default Firewall Policies

To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n
#### you will not be able to connect anywhere, as all traffic is dropped ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2
Do not run these commands over SSH before an ACCEPT rule for established connections is in place (see #7.1): the policy takes effect immediately and your own session is dropped with everything else. Work from a console, or first start a fallback such as "sleep 300; iptables -P INPUT ACCEPT" in a separate session.

#7.1: Only Block Incoming Traffic

To drop all incoming / forwarded packets, but allow outgoing traffic and the replies it generates, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -L -v -n
### *** now ping and wget should work *** ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2
Do not add NEW to this state list: accepting NEW in INPUT lets every unsolicited connection in and defeats the DROP policy. RELATED covers packets that belong to a connection you opened, such as ICMP errors and (with the conntrack helper loaded) FTP data connections. On current kernels -m state is an alias for -m conntrack --ctstate, which accepts the same state names.

#8: Drop Private Network Address On Public Interface

Packets arriving on a public interface with a private (RFC 1918), loopback, multicast or reserved source address cannot be legitimate, since nothing on the Internet is routed from those ranges; such packets are spoofed and should be dropped on the public interface (eth1 in this example) with the following syntax:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
# iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
# iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
Keep the -i restriction: applied to every interface, these rules would also drop your own LAN traffic. The kernel's reverse-path filter (net.ipv4.conf.all.rp_filter=1) rejects many of these packets as well, but explicit rules give you logging (see #12).

#8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface)

  • 10.0.0.0/8 (A)
  • 172.16.0.0/12 (B)
  • 192.168.0.0/16 (C)
  • 224.0.0.0/4 (MULTICAST D)
  • 240.0.0.0/4 (E, reserved)
  • 127.0.0.0/8 (LOOPBACK)
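
The pieces in #7, #7.1 and #8 belong together as one baseline ruleset, and the safest way to load them is as a single file rather than as a sequence of iptables commands. The script below is an added example, not part of the original article: it prints a complete ruleset in iptables-restore format (the same format iptables-save writes) for a host with one public interface, with DROP policies on INPUT and FORWARD, loopback and established traffic accepted, the ranges from #8.1 logged (rate-limited) and dropped on the public interface, SSH accepted, and anything else logged before the policy drops it. The interface name eth1 and the SSH port are assumptions passed as parameters; -m conntrack --ctstate is the current spelling of -m state --state.

```shell
#!/bin/sh
# Added example (not from the original article): emit a baseline ruleset in
# iptables-restore format for a host with one public interface.
# Usage: sh baseline.sh [public_iface] [ssh_port] > /etc/iptables.rules
# Nothing here touches the live firewall; loading is a separate, explicit step.

# Source ranges that can never legitimately arrive on a public interface
# (the list from #8.1; 240.0.0.0/4 is the reserved class E block).
BOGON_NETS='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4 127.0.0.0/8'

gen_ruleset() {
    pub_if=$1
    ssh_port=${2:-22}

    # Table header and default policies: deny inbound and forwarded traffic,
    # allow outbound. The [0:0] fields are the packet/byte counters.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # Loopback first, then replies to connections this host opened (#7.1).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no known connection and are not valid openers.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # Anti-spoofing (#8): log a bounded number of hits, then drop.
    # LOG does not terminate rule traversal, so the DROP must follow it.
    for net in $BOGON_NETS; do
        printf '%s\n' "-A INPUT -i $pub_if -s $net -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix \"IP_SPOOF: \""
        printf '%s\n' "-A INPUT -i $pub_if -s $net -j DROP"
    done

    # The one service exposed in this example: SSH. Only the first packet
    # needs a rule; the ESTABLISHED rule above carries the rest.
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"

    # Anything that reaches the end is logged (rate-limited) and then
    # dropped by the chain policy.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: "'
    printf '%s\n' 'COMMIT'
}

# Assumed defaults: eth1 as the public interface, SSH on port 22.
gen_ruleset "${1:-eth1}" "${2:-22}"
```

Validate the file without touching the running firewall with iptables-restore --test < /etc/iptables.rules, then load it with iptables-restore < /etc/iptables.rules. Because iptables-restore swaps the whole table atomically, loading the same file twice is harmless and never produces duplicate rules, unlike re-running a list of iptables -A commands. When loading over SSH, keep the fallback from #7 running in a second session until you have confirmed the new ruleset still lets you in.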

#9: Blocking an IP Address (BLOCK IP)

To block an attacker's IP address, say 1.2.3.4, or a whole network, enter:
# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP
Because -A appends, a DROP added this way sits after any earlier ACCEPT rule that already matches the address; use -I INPUT instead of -A INPUT to put it at the top when it must take precedence.

#10: Block Incoming Port Requests (BLOCK PORT)

To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for an ip address 1.2.3.4, enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

#11: Block Outgoing IP Address

To block outgoing traffic to a particular host or domain such as cyberciti.biz, enter:
# host -t a cyberciti.biz
Sample outputs:

cyberciti.biz has address 75.126.153.206

Note down its IP address and type the following to block all outgoing traffic to 75.126.153.206:
# iptables -A OUTPUT -d 75.126.153.206 -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

#11.1: Example – Block Facebook.com Domain

First, find out the IP addresses of facebook.com, enter:
# host -t a www.facebook.com
Sample outputs:

www.facebook.com has address 69.171.228.40

Find the CIDR block that 69.171.228.40 belongs to, enter:
# whois 69.171.228.40 | grep CIDR
Sample outputs:

CIDR:           69.171.224.0/19

To prevent outgoing access to www.facebook.com, enter:
# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also pass a domain name, but avoid it: iptables resolves the name once, when the rule is added, and inserts one rule per address returned at that moment, so the rule silently misses any address the name resolves to later.
# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP

From the iptables man page:

… specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address …

#12: Log and Drop Packets

Type the following to log and then block IP spoofing on the public interface eth1. The LOG target does not stop rule traversal, so the DROP rule must come after it:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

LOG writes to the kernel log; where syslog puts it depends on the distribution (/var/log/messages on RHEL / CentOS, /var/log/kern.log on Debian / Ubuntu, or journalctl -k on systemd hosts). Search for the prefix you set:
# tail -f /var/log/messages
# grep --color 'IP_SPOOF' /var/log/messages

#13: Log and Drop Packets with Limited Number of Log Entries

The -m limit match caps the number of log entries created per unit of time, which keeps a flood of spoofed packets from filling the log (and the disk). The following logs at most 5 spoofed packets per minute, allowing an initial burst of 7 entries, and drops them all:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
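
Once the rules in #12 and #13 are logging, the useful question is which spoofed sources keep showing up and whether one of them is walking through ports. The script below is an added example, not code from the original article: it parses the key=value tokens of netfilter LOG lines, counts hits per source address, counts the distinct destination ports seen from each, and prints one line per source. The log lines embedded in it are constructed in the LOG format for illustration, not captured from a real host; the prefix IP_SPOOF matches the rules above.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the kernel LOG
# entries written by the IP_SPOOF rules above, so that a day's worth of
# /var/log/messages becomes one line per spoofed source address.
# Usage: grep IP_SPOOF /var/log/messages | sh spoof_summary.sh
#        journalctl -k | sh spoof_summary.sh          (systemd hosts)

summarize_spoof_log() {
    # Netfilter LOG lines are "key=value" tokens; we need SRC= and, for
    # TCP/UDP, DPT=. ICMP entries carry no DPT and count as port-less.
    awk '
        /IP_SPOOF/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            # count distinct destination ports per source: a spread of
            # ports from one spoofed address looks like a scan
            if (dpt != "" && !((src, dpt) in seen)) {
                seen[src, dpt] = 1
                nports[src]++
            }
        }
        END {
            for (s in hits) printf "%d %s %d\n", hits[s], s, nports[s] + 0
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines in the netfilter LOG format (not captured
# from a real host). The last line is unrelated noise that must be ignored.
SAMPLE_LOG='Dec 13 13:19:01 fw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 13 13:19:02 fw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 13 13:19:03 fw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 13 13:19:04 fw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=192.168.7.9 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec 13 13:19:05 fw sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 55555 ssh2'

printf '%s\n' "$SAMPLE_LOG" | summarize_spoof_log
```

Each output line reads "hits source distinct-ports"; on the sample the script prints "3 10.1.2.3 2" and "1 192.168.7.9 0". Remember that with -m limit in place the counts are a lower bound: packets beyond the limit are dropped without a log entry.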

#14: Drop or Accept Traffic From a MAC Address

Use the following syntax:
# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## *only accept traffic for TCP port # 22 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
The mac match sees the source MAC of the frame as it arrived, so it is only meaningful for hosts on the same Ethernet segment; for routed traffic the address is the router's. A sender can also change its MAC address at will, so treat this as a convenience, not as authentication.

#15: Block or Allow ICMP Ping Request

Type the following command to block ICMP ping requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Ping responses can also be limited to certain networks or hosts:
# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following accepts only a limited set of ICMP types. Do not block ICMP wholesale: destination-unreachable (fragmentation needed) is required for path MTU discovery and time-exceeded for traceroute.
### ** assumed that default INPUT policy set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** allow our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#16: Open Range of Ports

Use the following syntax to open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT 

#17: Open Range of IP Addresses

Use the following syntax to open a range of IP addresses:
## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

## nat example ##
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

#18: Established Connections and Restarting The Firewall

When you restart the iptables service under RHEL / Fedora / CentOS Linux, it unloads the netfilter kernel modules, which discards the connection tracking table and so drops established connections. Edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows (the file is sourced by the shell, so there must be no spaces around the equals sign):

IPTABLES_MODULES_UNLOAD="no"

#19: Help Iptables Flooding My Server Screen

LOG entries are printed on the console whenever their priority is more urgent than the kernel's console log level (the first field of kernel.printk). crit is more urgent than the default warning level, so it makes the problem worse rather than better; give the rule a less urgent level instead and, if needed, raise the console threshold so that only emergency messages reach the screen:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level info
# dmesg -n 1
The entries still go to syslog / the journal, which is where they should be read.

#20: Block or Open Common Ports

The following shows syntax for opening and closing common TCP and UDP ports. Rules with --state NEW match only the first packet of a connection, so they assume an earlier rule accepting ESTABLISHED,RELATED traffic, as in #7.1.

Replace ACCEPT with DROP to block a port:
## open port ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

## open http/https (Apache) server port to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

## open access to Samba file server for lan users only ##
## (NetBIOS name and datagram services 137/138 are UDP; session 139 and SMB 445 are TCP) ##
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

## open access to mysql server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

#21: Restrict the Number of Parallel Connections To a Server Per Client IP

You can use the connlimit match to put such restrictions in place. To allow at most 3 concurrent ssh connections per client host, enter:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Limit HTTP to 20 concurrent connections per /24 network:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,

  1. --connlimit-above 3 : Match if the number of existing connections is above 3.
  2. --connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32; the default of 32 counts each address on its own.
Clients behind a shared NAT address all count as one host, so choose the threshold with that in mind.

#22: HowTO: Use iptables Like a Pro

For more information about iptables, please see the manual page by typing man iptables from the command line:
$ man iptables
You can see the help using the following syntax too:
# iptables -h
To see help with specific commands and targets, enter:
# iptables -j DROP -h

#22.1: Testing Your Firewall

Find out which ports have a service listening on them (an open port is only useful if something is listening behind it), enter:
# netstat -tulpn
On current distributions netstat has been replaced by ss, which takes the same flags:
# ss -tulpn
Find out if tcp port 80 is open or not, enter:
# netstat -tulpn | grep :80
If nothing is listening on port 80, start Apache, enter:
# service httpd start
Make sure iptables allows access to port 80:
# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using iptables for all users:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save

Use the telnet command (or nc -zv host 80) from another machine to see whether the firewall allows connections to port 80. Testing from the server itself goes over the loopback interface and does not exercise the rules bound to the public interface:
$ telnet www.cyberciti.biz 80
Sample outputs:

Trying 75.126.153.206...
Connected to www.cyberciti.biz.
Escape character is '^]'.
^]

telnet> quit
Connection closed.

You can use nmap from an external host to probe your own server (a SYN scan needs root) using the following syntax:
$ nmap -sS -p 80 www.cyberciti.biz
Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
Interesting ports on www.cyberciti.biz (75.126.153.206):
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds

I also recommend you install and use a sniffer such as tcpdump or ngrep to test your firewall settings.

CONCLUSION:

This post only lists basic rules for new Linux users. You can create and build more complex rules. This requires a good understanding of TCP/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for the next topics:

  • Stateful packet inspection.
  • Using connection tracking helpers.
  • Network address translation.
  • Layer 2 filtering.
  • Firewall testing tools.
  • Dealing with VPNs, DNS, Web, Proxy, and other protocols.