Archive

Articles taggués ‘Ubuntu’

Rsync : Sync Files/Directories

21/07/2017 Aucun commentaire

Copy files or directories from one location to an another host by rsync.

If you’d like to set rsync automatically by cron or others, it need to configure like follows because authentication is required without settings. For example, Copy files or directories under the [/root/work] on dlp.srv.world to [/home/backup] on www.srv.world.

[1] Configure on source host.

root@dlp:~# apt-get -y install rsync
root@dlp:~# vi /etc/rsync_exclude.lst
# specify files or directories you'd like to exclude to copy
test
test.txt
[2] Configure on destination host.

root@www:~# apt-get -y install rsync
root@www:~# vi /etc/default/rsync
# line 8: change
RSYNC_ENABLE=true
root@www:~# vi /etc/rsyncd.conf
# create new
# any name you like
[backup]
# destination directory to copy
path = /home/backup
# hosts you allow to access
hosts allow = 10.0.0.30
hosts deny = *
list = true
uid = root
gid = root
read only = false
root@www:~# mkdir /home/backup
root@www:~# systemctl start rsync
[3] It’s OK. Execute rsync on Source Host like follows.

root@dlp:~# rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /root/work/ www.srv.world::backup
# Add in cron if you'd like to run reguraly
root@dlp:~# crontab -e
# for example, run at 2:00 AM in a day
00 02 * * * rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /root/work/ www.srv.world::backup
Categories: Système Tags: , , ,

How to save rules of the iptables?

18/03/2017 Comments off
iptables-save

Saving iptables rules for reboot

On a server, iptables rules don’t reload automatically at reboot. You need to reload the rules using ax executable shell scripture a dedicated utility that will load them at the same time as the program itself, i.e. with the kernel.

Depending of the version of Linux you use, you can select different methods:

sudo su
iptables-save > /etc/iptables.rules

In /etc/network/if-pre-up.d/iptables, put:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

After, in /etc/network/if-post-down.d/iptables, put:

#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.rules ];
       then iptables-restore < /etc/iptables.rules
fi
exit 0

After, give permission to the scripts:

sudo chmod +x /etc/network/if-post-down.d/iptables sudo chmod +x /etc/network/if-pre-up.d/iptables

Another scenario is to is to install iptables-persistent:

sudo apt-get install iptables-persistent

After it’s installed, you can save/reload iptables rules anytime:

    sudo /etc/init.d/iptables-persistent save 
    sudo /etc/init.d/iptables-persistent reload

Or if you use Ubuntu server 16.04, things are simpler:

The installation as described above works without a problem, but the two commands for saving and reloading above do not seem to work with a 16.04 server. The following commands work with that version:

    sudo netfilter-persistent save
    sudo netfilter-persistent reload

Easy Ubuntu 16.04 Server Firewall

23/02/2017 Comments off

If you read our previous article Easy Ubuntu Server Firewall, then you may have noted that on Ubuntu 16.04 the described method no longer works. This is due to systemd. In the article below we will walk through creating a persistent IPTables based firewall on Ubuntu 16.04 LTS. First we need to install some required software packages. As seen in the command below, install iptables-persistent. Next we will make netfilter-persistent run at boot. This is the most important step as it will ensure your rules are reloaded at boot time.

# Install IPTables Persistent Package
apt-get install -y iptables-persistent
# Add netfilter-persistent Startup
invoke-rc.d netfilter-persistent save
# Stop netfilter-persistent Service
service netfilter-persistent stop

Once the packages above are installed and the service is stopped, you will have a new directory at /etc/iptables/. This directory holds the IPTables filter rules that will be reloaded at boot time. These files are named rules.v4 and rules.v6 respectively. IPV4 rules are loaded into rules.v4 and IPV6 rules are loaded into rules.v6. For the purpose of this article we will focus on IPV4 rules. Next we will want to copy the rules below into our rules.v4 file. Of course the rules will need to be modified to fit your environment.

# Generated by iptables-save v1.3.3 on Wed Apr 9 10:51:08 2008
# Flush out any rules that are already in there
*filter
:INPUT ACCEPT [146:11332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:9831]
 
# Allow internal loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
 
# Allow pinging
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
# Allow any outbound data, and any inbound data related to a connection that is already in use
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 
# =========BEGIN SERVER SPECIFIC PORT OPEN RULES=========
# Allow SCP/SSH Access from Green & Blue Subnet
-A INPUT -s 172.16.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
 
# Allow HTTP Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
 
# Allow HTTPS Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
 
# Allow MySQL Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 3306 -j ACCEPT
 
# Allow FTP Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 58000:58010 -j ACCEPT
# =========END SERVER SPECIFIC PORT OPEN RULES=========
 
# Drop everything that hasn't been picked up by one of the rules above
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP
 
COMMIT
# Completed on Wed Apr 9 10:51:08 2008

Lastly, in order for our new rules to take affect, we simply need to start the netfilter-persistent service as seen below. That’s it, you now have a fully functional IPTables based firewall.

# Start netfilter-persistent Service
service netfilter-persistent start

# Check if IPTables were applied
iptables -L

How can I find out if a specific program is installed?

07/11/2016 Comments off

there’s always apt-cache policy <package-name> (no sudo needed).

Not installed:

olivier@neews:/$ apt-cache policy gnuift
 gnuift:
   Installed: (none)
   Candidate: 0.1.14-11
   Version table:
      0.1.14-11 0
         500 http://archive.ubuntu.com/ubuntu/ oneiric/universe amd64 Packages

Installed:

olivier@neews:/$ apt-cache policy firefox
 firefox:
   Installed: 8.0+build1-0ubuntu0.11.10.3
   Candidate: 8.0+build1-0ubuntu0.11.10.3
   Version table:
  *** 8.0+build1-0ubuntu0.11.10.3 0
         500 http://archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
         500 http://archive.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
         100 /var/lib/dpkg/status
      7.0.1+build1+nobinonly-0ubuntu2 0
         500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages

Or dpkg: dpkg -l | grep -E '^ii' | grep <package name>. When it’s not installed it won’t show output. When it is, it’ll show something like:

olivier@neews:~$ dpkg -l | grep -E '^ii' | grep firefox
 ii  firefox                                                     8.0+build1-0ubuntu0.11.10.3                            Safe and easy web browser from Mozilla
 ii  firefox-branding                                            8.0+build1-0ubuntu0.11.10.3                            Safe and easy web browser from Mozilla - transitional package
 ii  firefox-globalmenu                                          8.0+build1-0ubuntu0.11.10.3                            Unity appmenu integration for Firefox
 ii  firefox-gnome-support                                       8.0+build1-0ubuntu0.11.10.3                            Safe and easy web browser from Mozilla - GNOME support
 ii  firefox-locale-en                                           8.0+build1-0ubuntu0.11.10.3                            English language pack for Firefox
It's obviously a fuzzier search but handy if you're not sure which package you're looking for.
 
 For manually installed things...
 
 A bit harder but if they're on the current path, you could just run them. That's a bit of mission so I'd rather just run:
 
 oli@bert:/$ which chromium-browser
 /usr/bin/chromium-browser

And:

oli@bert:/$ which gnuift
# returns nothing

Which is better?

That depends on the sanity of user. There’s nothing to stop somebody installing something called chromium-browser that isn’t Chromium. They could even package it up incorrectly and install that. Neither method can be 100% certain.

But assuming the owner is sane – packages should be good enough for most people.

Categories: Système Tags: , , ,

How do I replicate installed package selections from one Debian system to another? (Debian Wheezy)

07/11/2016 Comments off

To clone a Debian installation, use the apt-clone utility. It’s available (as a separate package, not part of the default installation) in Debian since wheezy and in Ubuntu since 12.04. On the existing machine, run

apt-clone clone foo

This creates a file foo.apt-clone.tar.gz. Copy it to the destination machine, and run

apt-get install apt-clone
apt-clone restore foo.apt-clone.tar.gz

If you’re working with an old system where apt-clone isn’t available, or if you just want to replicate the list of installed packages but not any configuration file, here are the manual steps.

  • On the source machine:
cat /etc/apt/sources.list /etc/apt/sources.list.d >sources.list
pkg --get-selections >selections.list
apt-mark auto >auto.list
  • On the target machine:
cp sources.list /etc/apt/
apt-get update
/usr/lib/dpkg/methods/apt/update /var/lib/dpkg/
dpkg --set-selections <selections.list
apt-get dselect-upgrade
xargs apt-mark auto <auto.list

I believe that you’re affected by an incompatible change in dpkg that first made it into wheezy. See bug #703092 for background.

The short story is that dpkg --set-selections now only accepts package names that are present in the file /var/lib/dpkg/status or /var/lib/dpkg/available. If you only use APT to manage packages, like most people, then /var/lib/dpkg/available is not kept up-to-date.

After running apt-get update and before running dpkg --set-selections and apt-get -u dselect-upgrade, run the following command:

apt-cache dumpavail >/tmp/apt.avail
dpkg --merge-avail /tmp/apt.avail

From jessie onwards, you can simplify this to

apt-cache dumpavail | dpkg --merge-avail

Alternatively, run

/usr/lib/dpkg/methods/apt/update /var/lib/dpkg/

or even simpler

apt-get install dctrl-tools
sync-available

Another simple method that doesn’t require installing an additional package but will download the package lists again is

dselect update

See the dpkg FAQ for more information. (This is mentioned in the dpkg man page, but more in a way that would remind you of the issue if you were already aware, not in a way that explains how to solve the problem!)

Note that cloning a package installation with dpkg --set-selections doesn’t restore the automatic/manual mark in APT. See Restoring all data and dependencies from dpkg –set-selections ‘*’ for more details. You can save the marks on the source system with

apt-mark showauto >auto.list

and restore them on the target system with

xargs apt-mark auto <auto.list

Ubuntu Check RAM Memory Chip Speed and Specification From Within a Linux System

22/06/2016 Comments off

I want to add more RAM to my server running Ubuntu Linux. How do I find out my current RAM chip information such as its speed, type and manufacturer name within a Linux system without opening the case?

You need to use the dmidecode command which is a tool for dumping a computer’s DMI (some say SMBIOS) table contents in a human-readable format. This table contains a description of the system’s hardware components (such as RAM), as well as other useful pieces of information such as serial numbers and BIOS revision. Thanks to this table, you can retrieve hardware information without having to probe for the actual hardware. Open a command-line terminal (select Applications > Accessories > Terminal), and then type:

$ sudo dmidecode --type memory

OR

# dmidecode --type memory | less

OR

$ sudo dmidecode --type 17

Sample outputs:

# dmidecode 2.10
SMBIOS version fixup (2.51 -> 2.6).
SMBIOS 2.6 present.
Handle 0x0011, DMI type 16, 15 bytes
Physical Memory Array
	Location: System Board Or Motherboard
	Use: System Memory
	Error Correction Type: None
	Maximum Capacity: 4 GB
	Error Information Handle: Not Provided
	Number Of Devices: 4
Handle 0x0012, DMI type 17, 27 bytes
Memory Device
	Array Handle: 0x0011
	Error Information Handle: No Error
	Total Width: 72 bits
	Data Width: 64 bits
	Size: 2048 MB
	Form Factor: DIMM
	Set: 1
	Locator: DIMM#1A
	Bank Locator: Bank 1
	Type: DDR2
	Type Detail: Synchronous
	Speed: 667 MHz
	Manufacturer: Not Specified
	Serial Number: Not Specified
	Asset Tag: Not Specified
	Part Number: Not Specified
Handle 0x0013, DMI type 17, 27 bytes
Memory Device
	Array Handle: 0x0011
	Error Information Handle: No Error
	Total Width: 72 bits
	Data Width: 64 bits
	Size: 2048 MB
	Form Factor: DIMM
	Set: 1
	Locator: DIMM#2A
	Bank Locator: Bank 2
	Type: DDR2
	Type Detail: Synchronous
	Speed: 667 MHz
	Manufacturer: Not Specified
	Serial Number: Not Specified
	Asset Tag: Not Specified
	Part Number: Not Specified
Handle 0x0014, DMI type 17, 27 bytes
Memory Device
	Array Handle: 0x0011
	Error Information Handle: No Error
	Total Width: 72 bits
	Data Width: 64 bits
	Size: 2048 MB
	Form Factor: DIMM
	Set: 1
	Locator: DIMM#1B
	Bank Locator: Bank 1
	Type: DDR2
	Type Detail: Synchronous
	Speed: 667 MHz
	Manufacturer: Not Specified
	Serial Number: Not Specified
	Asset Tag: Not Specified
	Part Number: Not Specified
Handle 0x0015, DMI type 17, 27 bytes
Memory Device
	Array Handle: 0x0011
	Error Information Handle: No Error
	Total Width: 72 bits
	Data Width: 64 bits
	Size: 2048 MB
	Form Factor: DIMM
	Set: 1
	Locator: DIMM#2B
	Bank Locator: Bank 2
	Type: DDR2
	Type Detail: Synchronous
	Speed: 667 MHz
	Manufacturer: Not Specified
	Serial Number: Not Specified
	Asset Tag: Not Specified
	Part Number: Not Specified

How To Secure Nginx with Let’s Encrypt on Ubuntu 14.04

09/06/2016 Comments off

Introduction

nginx lets encrypt ubuntuLet’s Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, letsencrypt, that attempts to automate most (if not all) of the required steps. Currently, as Let’s Encrypt is still in open beta, the entire process of obtaining and installing a certificate is fully automated only on Apache web servers. However, Let’s Encrypt can be used to easily obtain a free SSL certificate, which can be installed manually, regardless of your choice of web server software.

In this tutorial, we will show you how to use Let’s Encrypt to obtain a free SSL certificate and use it with Nginx on Ubuntu 14.04. We will also show you how to automatically renew your SSL certificate. If you’re running a different web server, simply follow your web server’s documentation to learn how to use the certificate with your setup.

Nginx with Let's Encrypt TLS/SSL Certificate and Auto-renewal

 

Prerequisites

Before following this tutorial, you’ll need a few things.

You should have an Ubuntu 14.04 server with a non-root user who has sudo privileges. You can learn how to set up such a user account by following steps 1-3 in our initial server setup for Ubuntu 14.04 tutorial.

You must own or control the registered domain name that you wish to use the certificate with. If you do not already have a registered domain name, you may register one with one of the many domain name registrars out there (e.g. Namecheap, GoDaddy, etc.).

If you haven’t already, be sure to create an A Record that points your domain to the public IP address of your server. This is required because of how Let’s Encrypt validates that you own the domain it is issuing a certificate for. For example, if you want to obtain a certificate for example.com, that domain must resolve to your server for the validation process to work. Our setup will use example.com and www.example.com as the domain names, so both DNS records are required.

Once you have all of the prerequisites out of the way, let’s move on to installing the Let’s Encrypt client software.

 

Step 1 — Install Let’s Encrypt Client

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the letsencrypt software on your server. Currently, the best way to install Let’s Encrypt is to simply clone it from the official GitHub repository. In the future, it will likely be available via a package manager.

Install Git and bc

Let’s install Git and bc now, so we can clone the Let’s Encrypt repository.

Update your server’s package manager with this command:

sudo apt-get update

Then install the git and bc packages with apt-get:

sudo apt-get -y install git bc

With git and bc installed, we can easily download letsencrypt by cloning the repository from GitHub.

Clone Let’s Encrypt

We can now clone the Let’s Encrypt repository in /opt with this command:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

You should now have a copy of the letsencrypt repository in the /opt/letsencrypt directory.
Lire la suite…

How to Install and Configure UFW – An Un-complicated FireWall in Debian/Ubuntu

01/03/2016 Comments off

ufw debian ubuntuSince computers are connected to each other, services are growing fast. Email, Social Media, Online Shop, Chat until Web Conferencing are services that used by user. But on the other side this connectivity just likes a double-side knife. It’s also possible to send bad messages to those computers like Virus, malware, trojan-apps are one of them.

Install UFW Firewall

The Internet, as the biggest computer network is not always fill with good people. In order to make sure our computers / servers are safe, we need to protect it.

One of the must have component on your computer / servers is Firewall. From Wikipedia, a definition is:

In computing, a firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analysing the data packets and determining whether they should be allowed through or not, based on applied rule set.

Iptables is one of the firewall that widely used by servers. It is a program used to manage incoming and outgoing traffic in the server based on a set of rules. Generally, only trusted connection is allowed to enter the server. But IPTables is running at console mode and it’s complicated. Those who’re familiar with iptables rules and commands, they can read the following article that describes how to use iptables firewall.

Installation of UFW Firewall in Debian/Ubuntu

To reduce the complexity of how-to setting IPTables, there is a lot of fronted. If you’re running Ubuntu Linux, you will find ufw as a default firewall tool. Lets start to explore about ufw firewall.

What is ufw

The ufw (Uncomplicated Firewall) is an frontend for most widely used iptables firewall and it is well comfortable for host-based firewalls. ufw gives a framework for managing netfilter, as well as provides a command-line interface for controlling the firewall. It provides user friendly and easy to use interface for Linux newbies who are not much familiar with firewall concepts.

While, on the other side same complicated commands helps administrators it set complicated rules using command line interface. The ufw is an upstream for other distributions such as Debian, Ubuntu and Linux Mint.

Basic Usage ufw

First, check if ufw is installed using following command.

$ sudo dpkg --get-selections | grep ufw
ufw 		install

If it’s not installed, you can install it using apt command as shown below.

$ sudo apt-get install ufw

Before you use, you should check whether ufw is running or not. Use the following command to check it.

$ sudo ufw status

If you found Status: inactive, it mean it’s not active or disable.

NEW! An indispensable ebook for every Linux administrator!

Enabling / Disabling ufw

To enable it, you just need to type the following command at the terminal.

$ sudo ufw enable

Firewall is active and enabled on system startup

To disable it, just type.

$ sudo ufw disable

List the current ufw rules

After the firewall is activated you can add your rules into it. If you want to see what are the default rules, you can type.

$ sudo ufw status verbose
Sample Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
$

Lire la suite…

UFW: an Uncomplicated Firewall

01/03/2016 Comments off

Introduction

For an introduction to firewalls, please see Firewall.

UFW – Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to easeiptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.

Gufw is a GUI that is available as a frontend.

Basic Syntax and Examples

Default rules are fine for the average home user

When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That’s at least the goal of the Ubuntu developers. In short, all ‘incoming’ is being denied, with some exceptions to make things easier for home users.

Enable and Disable

Enable UFW

To turn UFW on with the default set of rules:

sudo ufw enable

To check the status of UFW:

sudo ufw status verbose

The output should be like this:

youruser@yourcomputer:~$ sudo ufw status verbose
[sudo] password for youruser:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
youruser@yourcomputer:~$

Note that by default, deny is being applied to incoming. There are exceptions, which can be found in the output of this command:

sudo ufw show raw

You can also read the rules files in /etc/ufw (the files whose names end with .rules).

Disable UFW

To disable ufw use:

sudo ufw disable

Lire la suite…

Iptables HowTo

01/03/2016 Comments off

Basic iptables howto

Iptables is a firewall, installed by default on all official Ubuntu distributions (Ubuntu, Kubuntu, Xubuntu). When you install Ubuntu, iptables is there, but it allows all traffic by default. Ubuntu 8.04 Comes with ufw – a program for managing the iptables firewall easily.

There is a wealth of information available about iptables, but much of it is fairly complex, and if you want to do a few basic things, this How To is for you.

Basic Commands

Typing

sudo iptables -L

lists your current rules in iptables. If you have just set up your server, you will have no rules, and you should see

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Basic Iptables Options

Here are explanations for some of the iptables options you will see in this tutorial. Don’t worry about understanding everything here now, but remember to come back and look at this list as you encounter new options later on.

  1. -A – Append this rule to a rule chain. Valid chains for what we’re doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.
  2. -L – List the current filter rules.
  3. -m conntrack – Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
  4. --ctstate – Define the list of states for the rule to match on. Valid states are:
    • NEW – The connection has not yet been seen.
    • RELATED – The connection is new, but is related to another connection already permitted.
    • ESTABLISHED – The connection is already established.
    • INVALID – The traffic couldn’t be identified for some reason.
  5. -m limit – Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
    1. --limit – The maximum matching rate, given as a number followed by « /second« , « /minute« , « /hour« , or « /day » depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is « 3/hour« .
  6. -p – The connection protocol used.
  7. --dport – The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.
  8. -j – Jump to the specified target. By default, iptables allows four targets:
    1. ACCEPT – Accept the packet and stop processing rules in this chain.
    2. REJECT – Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
    3. DROP – Silently ignore the packet, and stop processing rules in this chain.
    4. LOG – Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
  9. --log-prefix – When logging, put this text before the log message. Use double quotes around the text to use.
  10. --log-level – Log using the specified syslog level. 7 is a good choice unless you specifically need something else.
  11. -i – Only match if the packet is coming in on the specified interface.
  12. -I – Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be.
    1. -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.
  13. -v – Display more information in the output. Useful for if you have rules that look similar without using -v.
  14. -s --source – address[/mask] source specification
  15. -d --destinationaddress[/mask] destination specification
  16. -o --out-interface – output name[ ] network interface name ([ ] for wildcard)

Allowing Established Sessions

We can allow established sessions to receive traffic:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  1. The above rule has no spaces either side of the comma in ESTABLISHED,RELATED

If the line above doesn’t work, you may be on a castrated VPS whose provider has not made available the extension, in which case an inferior version can be used as last resort:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing Incoming Traffic on Specific Ports

You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.

To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Referring back to the list above, you can see that this tells iptables:

  1. append this rule to the input chain (-A INPUT) so we look at incoming traffic
  2. check to see if it is TCP (-p tcp).
  3. if so, check to see if the input goes to the SSH port (–dport ssh).
  4. if so, accept the input (-j ACCEPT).

Lets check the rules: (only the first few lines shown, you will see more)

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Now, let’s allow all incoming web traffic

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Checking our rules, we have

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www

We have specifically allowed tcp traffic to the ssh and web ports, but as we have not blocked anything, all traffic can still come in.

Lire la suite…