Thursday, November 28, 2013

Manually manipulating iptables in CentOS and Redhat

On Red Hat based distributions the iptables rules are kept by default in /etc/sysconfig/iptables (and /etc/sysconfig/ip6tables for IPv6). To change the firewall, add or remove rules in this file and restart the iptables service. For example, to allow tftp, which uses port 69 udp:

  1. Edit /etc/sysconfig/iptables
    • # vi /etc/sysconfig/iptables
  2. Add the following line before the final LOG and DROP lines of the INPUT chain:
    • -A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
  3. Save and close the file
  4. Restart iptables service:
    • # /etc/init.d/iptables restart
  5. Check your new iptables rules, where -L lists the rules of the selected chain (all chains when none is given) and -n prints addresses and ports in numeric form:
    • # sudo iptables -L -n
  6. You will see the line
    "ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:69"
    in the output, which shows that the rule is loaded.
  7. To save the running rules permanently, just run:
    • # /etc/init.d/iptables save

To block a port again, edit /etc/sysconfig/iptables, remove the ACCEPT line that contains that port, restart iptables, and you are done :)
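The steps above done as a script, as an added example that is not part of the original post: the file content, the function names allow_port and line_of, and the "insert before the first LOG/REJECT/DROP rule" placement are my own, and the work is done on a temporary copy rather than the live /etc/sysconfig/iptables.

```shell
# Constructed stand-in for /etc/sysconfig/iptables (CentOS 6 default layout).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# allow_port FILE PROTO PORT
# Inserts "-A INPUT -m state --state NEW -m PROTO -p PROTO --dport PORT -j ACCEPT"
# immediately before the first INPUT rule that logs or rejects everything
# (-j LOG, -j REJECT or -j DROP), so it lands ahead of the catch-all as the
# post's step 2 requires. Returns 0 when inserted, 2 when already present.
allow_port() {
    file=$1; proto=$2; port=$3
    rule="-A INPUT -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
    if grep -qxF -- "$rule" "$file"; then
        return 2                      # idempotent: never duplicate a rule
    fi
    awk -v rule="$rule" '
        !done && /^-A INPUT / && / -j (LOG|REJECT|DROP)( |$)/ { print rule; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# line_of FILE PATTERN: prints the line number of the first match (for checks).
line_of() {
    grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Demo on a temporary copy; on a real host you would edit a copy the same way,
# install it as /etc/sysconfig/iptables and run "/etc/init.d/iptables restart".
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
allow_port "$tmp" udp 69
echo "tftp rule on line $(line_of "$tmp" '--dport 69 -j ACCEPT'), catch-all on line $(line_of "$tmp" '^-A INPUT -j REJECT')"
rm -f "$tmp"
```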

Easily open port and service on iptables using lokkit

Lokkit is an iptables manipulation tool that belongs to the system-config-firewall-base rpm package. The tool has many uses, but in this article I only want to share how to open a port in iptables using lokkit. Let's say we want to open tcp port 1234; below is the command to do it (you must be root, or use sudo to execute it):

# lokkit -q -p 1234:tcp

where -q is quiet mode (no message is printed once the operation is done) and -p gives the port and protocol, in this case port 1234 over tcp.

If you want to open a common service like ssh, it can be done easily using the -s flag:
# lokkit -s ssh

To list all available services that lokkit can manage, use:
# lokkit --list-services

Predefined Services with Default Environment:
ipp-client: Network Printing Client (IPP)
    default: desktop
ipp: Network Printing Server (IPP)
mdns: Multicast DNS (mDNS)
    default: desktop
ipsec: IPsec
    default: desktop
ssh: SSH
    default: server
...

For more verbose output, use the -v flag, as below. Note from the output that lokkit flushes and reapplies the complete rule set rather than appending a single line:
# lokkit -s tftp -v
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
ip6tables: Applying firewall rules:                        [  OK  ]



Tuesday, November 12, 2013

How to capture top output to a readable format

For this case we use top's batch mode. From top's manpage:
Starts  top in 'Batch mode', which could be useful for sending output from top to other programs or to a file.  In this mode, top will not accept input and runs until the iterations limit you've set with the '-n' command-line option or until killed.

Using it is easy: pass -b for batch mode and -n for the number of iterations you want. You can pipe the output to less, tail or head, or redirect it to a file, as needed.

foo@thorium:~$ top -b -n 1 | head
top - 10:47:15 up 3 days, 23:52,  1 user,  load average: 2.01, 0.99, 0.57
Tasks: 140 total,   2 running, 136 sleeping,   0 stopped,   2 zombie
Cpu(s): 13.2%us,  4.9%sy,  0.0%ni, 81.6%id,  0.3%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1025608k total,   865376k used,   160232k free,    80332k buffers
Swap:   522236k total,    66468k used,   455768k free,   273996k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1192 root      20   0  122m  65m  10m R 13.8  6.6 559:31.01 Xorg
19333 foo       20   0  234m  61m  13m S  9.8  6.2 626:59.69 nxplayer.bin
19440 foo       20   0  175m  14m 9612 S  7.9  1.5   0:44.78 lxterminal

The command above lists the first 10 lines of top output in batch mode, with top set to run only one iteration.
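Once the batch output is in a file, the useful next step is to read it back programmatically. This is an added example, not code from the post: the functions top_hogs and idle_pct are my own, and the capture from the post is embedded so the block runs offline.

```shell
# The capture shown in the post, embedded here so the block runs offline.
TOP_SAMPLE='top - 10:47:15 up 3 days, 23:52,  1 user,  load average: 2.01, 0.99, 0.57
Tasks: 140 total,   2 running, 136 sleeping,   0 stopped,   2 zombie
Cpu(s): 13.2%us,  4.9%sy,  0.0%ni, 81.6%id,  0.3%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1025608k total,   865376k used,   160232k free,    80332k buffers
Swap:   522236k total,    66468k used,   455768k free,   273996k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1192 root      20   0  122m  65m  10m R 13.8  6.6 559:31.01 Xorg
19333 foo       20   0  234m  61m  13m S  9.8  6.2 626:59.69 nxplayer.bin
19440 foo       20   0  175m  14m 9612 S  7.9  1.5   0:44.78 lxterminal'

# top_hogs FILE THRESHOLD
# Prints "PID %CPU COMMAND" for every process at or above THRESHOLD %CPU.
# Column positions are read from the "PID USER ..." header line instead of
# being hard-coded, because top's column set and order differ between
# versions and between users' toprc files.
top_hogs() {
    awk -v limit="$2" '
        $1 == "PID" {                          # header line: locate the columns
            for (i = 1; i <= NF; i++) {
                if ($i == "%CPU") cpu = i
                if ($i == "COMMAND") cmd = i
            }
            inproc = 1; next
        }
        inproc && NF && cpu && $cpu + 0 >= limit { print $1, $cpu, $cmd }
    ' "$1"
}

# idle_pct FILE: the %id figure from the Cpu(s) summary line.
idle_pct() {
    awk '/^Cpu\(s\):/ { for (i = 2; i <= NF; i++) if ($i ~ /%id,?$/) { sub(/%id,?/, "", $i); print $i } }' "$1"
}

# Demo: a real capture would be taken with "top -b -n 1 > /tmp/top.txt";
# here the embedded sample stands in for that file.
f=$(mktemp)
printf '%s\n' "$TOP_SAMPLE" > "$f"
top_hogs "$f" 9
idle_pct "$f"
rm -f "$f"
```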



Monday, November 11, 2013

Autospawn screen session on ssh connection

This is particularly useful when your ssh connection keeps getting disconnected and you have no privilege to tweak the ssh server settings to avoid that.


  1. First method, simple and easy, but it will create multiple screens if you open more ssh sessions:
    echo "screen -R" >> ~/.bash_profile; source ~/.bash_profile
  2. Second method, smarter than the above: it attaches to the existing screen session if there is one and creates a new one if none is available (the command is written in single quotes so that the pipeline is stored in the file rather than executed by echo):
    echo 'if screen -ls | grep -q pts; then screen -x; else screen -R; fi' >> ~/.bash_profile; source ~/.bash_profile
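A guarded version of the second method, as an added example that is not part of the original post: the function screen_action and the two sample listings are my own. It takes the inputs as arguments so the decision can be checked without a live screen binary, and it refuses to start screen when the shell already runs inside one ($STY is set) or when the login is not over ssh.

```shell
# screen_action STY SSH_CONNECTION LISTING
#   $1 = value of $STY (non-empty inside an existing screen window)
#   $2 = value of $SSH_CONNECTION (non-empty for ssh logins)
#   $3 = output of "screen -ls"
# Prints one of: none, attach, new.
screen_action() {
    sty=$1; ssh_conn=$2; listing=$3
    if [ -n "$sty" ]; then echo none; return 0; fi        # already in screen: avoid nesting
    if [ -z "$ssh_conn" ]; then echo none; return 0; fi   # local console login: leave the shell alone
    # screen -ls prints one "<pid>.pts-N.<host>" line per session.
    if printf '%s\n' "$listing" | grep -q '[0-9][0-9]*\.pts-'; then
        echo attach
    else
        echo new
    fi
}

# Constructed samples of "screen -ls" output for the demo.
LISTING_ONE='There is a screen on:
    4242.pts-0.thorium    (Detached)
1 Socket in /var/run/screen/S-foo.'
LISTING_NONE='No Sockets found in /var/run/screen/S-foo.'

# What goes into ~/.bash_profile (the "case $-" guard limits it to interactive shells):
#   case $- in *i*)
#     case "$(screen_action "$STY" "$SSH_CONNECTION" "$(screen -ls 2>/dev/null)")" in
#       attach) screen -x ;;    # join the existing session
#       new)    screen -R ;;    # create one
#     esac ;;
#   esac

# Demo of the three decisions on the constructed inputs.
echo "inside screen:      $(screen_action 4242.pts-0.thorium '10.0.0.2 50000 10.0.0.1 22' "$LISTING_ONE")"
echo "ssh, session found: $(screen_action '' '10.0.0.2 50000 10.0.0.1 22' "$LISTING_ONE")"
echo "ssh, no session:    $(screen_action '' '10.0.0.2 50000 10.0.0.1 22' "$LISTING_NONE")"
```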