NFS Server Configuration
What is NFS?
The Network File System (NFS) was developed to allow machines to mount a disk partition on a remote machine as if it were on a local hard drive. This allows for fast, seamless sharing of files across a network.
Setting up the server will be done in two steps: Setting up the configuration files for NFS, and then starting the NFS services.
Required Services
Red Hat Enterprise Linux uses a combination of kernel-level support and daemon processes to provide NFS file sharing. NFS relies on Remote Procedure Calls (RPC) to route requests between clients and servers. RPC services under Linux are controlled by the portmap service. To share or mount NFS file systems, the following services work together:
· nfs — Starts the appropriate RPC processes to service requests for shared NFS file systems.
· nfslock — An optional service that starts the appropriate RPC processes to allow NFS clients to lock files on the server.
· portmap — The RPC service for Linux; it responds to requests for RPC services and sets up connections to the requested RPC service.
The following RPC processes work together behind the scenes to facilitate NFS services:
· rpc.mountd — This process receives mount requests from NFS clients and verifies the requested file system is currently exported. This process is started automatically by the nfs service and does not require user configuration.
· rpc.nfsd — This process is the NFS server. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service.
· rpc.lockd — An optional process that allows NFS clients to lock files on the server. This process corresponds to the nfslock service.
· rpc.statd — This process implements the Network Status Monitor (NSM) RPC protocol which notifies NFS clients when an NFS server is restarted without being gracefully brought down. This process is started automatically by the nfslock service and does not require user configuration.
· rpc.rquotad — This process provides user quota information for remote users. This process is started automatically by the nfs service and does not require user configuration.
NFS and portmap
The portmap service under Linux maps RPC requests to the correct services. RPC processes notify portmap when they start, revealing the port number they are monitoring and the RPC program numbers they expect to serve. The client system then contacts portmap on the server with a particular RPC program number. The portmap service redirects the client to the proper port number so it can communicate with the requested service.
Because RPC-based services rely on portmap to make all connections with incoming client requests, portmap must be available before any of these services start.
The portmap service uses TCP wrappers for access control, and access control rules for portmap affect all RPC-based services. Alternatively, it is possible to specify access control rules for each of the NFS RPC daemons. The man pages for rpc.mountd and rpc.statd contain information regarding the precise syntax for these rules.
Troubleshooting NFS and portmap
The rpcinfo command shows each RPC-based service with port numbers, an RPC program number, a version and an IP protocol type (TCP or UDP).
To make sure the proper NFS RPC-based services are enabled for portmap, issue the following command as root:
rpcinfo -p
Setting up the Configuration Files
There are three main configuration files you will need to edit to set up an NFS server: /etc/exports, /etc/hosts.allow, and /etc/hosts.deny. Strictly speaking, you only need to edit /etc/exports to get NFS to work, but you would be left with an extremely insecure setup.
/etc/exports
This file contains a list of entries; each entry indicates a volume that is shared and how it is shared. Check the man pages (man exports) for a complete description of all the setup options for the file, although the description here will probably satistfy most people’s needs.
An entry in /etc/exports will typically look like this:
directory machine1(option11,option12) machine2(option21,option22)
where
directory
the directory that you want to share. It may be an entire volume though it need not be. If you share a directory, then all directories under it within the same file system will be shared as well.
machine1 and machine2
client machines that will have access to the directory. The machines may be listed by their DNS address or their IP address (e.g., machine.company.com or 192.168.0.8). Using IP addresses is more reliable and more secure.
optionxx
the option listing for each machine will describe what kind of access that machine will have. Important options are:
· ro: The directory is shared read only; the client machine will not be able to write to it. This is the default.
· rw: The client machine will have read and write access to the directory.
· no_root_squash: By default, any file request made by user root on the client machine is treated as if it is made by user nobody on the server. (Excatly which UID the request is mapped to depends on the UID of user “nobody” on the server, not the client.) If no_root_squash is selected, then root on the client machine will have the same level of access to the files on the system as root on the server. This can have serious security implications, although it may be necessary if you want to perform any administrative work on the client machine that involves the exported directories. You should not specify this option without a good reason.
· no_subtree_check: If only part of a volume is exported, a routine called subtree checking verifies that a file that is requested from the client is in the appropriate part of the volume. If the entire volume is exported, disabling this check will speed up transfers.
· sync: By default, all but the most recent version (version 1.11) of the exportfs command will use async behavior, telling a client machine that a file write is complete – that is, has been written to stable storage – when NFS has finished handing the write over to the filesysytem. This behavior may cause data corruption if the server reboots, and the sync option prevents this.
Suppose we have two client machines, slave1 and slave2, that have IP addresses 192.168.0.1 and 192.168.0.2, respectively. We wish to share our software binaries and home directories with these machines. A typical setup for /etc/exports might look like this:
/usr/local 192.168.0.1(ro) 192.168.0.2(ro)
/home 192.168.0.1(rw) 192.168.0.2(rw)
Here we are sharing /usr/local read-only to slave1 and slave2, because it probably contains our software and there may not be benefits to allowing slave1 and slave2 to write to it that outweigh security concerns. On the other hand, home directories need to be exported read-write if users are to save work on them.
If you have a large installation, you may find that you have a bunch of computers all on the same local network that require access to your server. There are a few ways of simplifying references to large numbers of machines. First, you can give access to a range of machines at once by specifying a network and a netmask. For example, if you wanted to allow access to all the machines with IP addresses between 192.168.0.0 and 192.168.0.255 then you could have the entries:
/usr/local 192.168.0.0/255.255.255.0(ro)
/home 192.168.0.0/255.255.255.0(rw)
/etc/hosts.allow and /etc/hosts.deny
These two files specify which computers on the network can use services on your machine. Each line of the file contains a single entry listing a service and a set of machines. When the server gets a request from a machine, it does the following:
· It first checks hosts.allow to see if the machine matches a description listed in there. If it does, then the machine is allowed access.
· If the machine does not match an entry in hosts.allow, the server then checks hosts.deny to see if the client matches a listing in there. If it does then the machine is denied access.
· If the client matches no listings in either file, then it is allowed access.
The first step in doing this is to add the followng entry to /etc/hosts.deny:
portmap:ALL
Starting with nfs-utils 0.2.0, you can be a bit more careful by controlling access to individual daemons. It’s a good precaution since an intruder will often be able to weasel around the portmapper. If you have a newer version of nfs-utils, add entries for each of the NFS daemons (see the next section to find out what these daemons are; for now just put entries for them in hosts.deny):
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
Even if you have an older version of nfs-utils, adding these entries is at worst harmless (since they will just be ignored) and at best will save you some trouble when you upgrade. Some sys admins choose to put the entry ALL:ALL in the file /etc/hosts.deny, which causes any service that looks at these files to deny access to all hosts unless it is explicitly allowed. While this is more secure behavior, it may also get you in trouble when you are installing new services, you forget you put it there, and you can’t figure out for the life of you why they won’t work.
Next, we need to add an entry to hosts.allow to give any hosts access that we want to have access. (If we just leave the above lines in hosts.deny then nobody will have access to NFS.) Entries in hosts.allow follow the format
service: host [or network/netmask] , host [or network/netmask]
Here, host is IP address of a potential client; it may be possible in some versions to use the DNS name of the host, but it is strongly discouraged.
Suppose we have the setup above and we just want to allow access to slave1.foo.com and slave2.foo.com, and suppose that the IP addresses of these machines are 192.168.0.1 and 192.168.0.2, respectively. We could add the following entry to /etc/hosts.allow:
portmap: 192.168.0.1 , 192.168.0.2
For recent nfs-utils versions, we would also add the following (again, these entries are harmless even if they are not supported):
lockd: 192.168.0.1 , 192.168.0.2
rquotad: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
statd: 192.168.0.1 , 192.168.0.2
If you intend to run NFS on a large number of machines in a local network, /etc/hosts.allow also allows for network/netmask style entries in the same manner as /etc/exports above.
Starting and Stopping NFS
To run an NFS server, the portmap service must be running. To verify that portmap is active, type the following command as root:
/sbin/service portmap status
If the portmap service is running, then the nfs service can be started. To start an NFS server, as root type:
To stop the server, as root type:
The restart option is a shorthand way of stopping and then starting NFS. This is the most efficient way to make configuration changes take effect after editing the configuration file for NFS.
To restart the server, as root type:
/sbin/service nfs restart
The condrestart (conditional restart) option only starts nfs if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
To conditionally restart the server, as root type:
/sbin/service nfs condrestart
To reload the NFS server configuration file without restarting the service, as root type:
By default, the nfs service does not start automatically at boot time. To configure the NFS to start up at boot time, use an initscript utility, such as /sbin/chkconfig, /sbin/ntsysv, or the Services Configuration Tool program
NFS Client Configuration Files
To begin using machine as an NFS client, you will need the portmapper running on that machine, and to use NFS file locking, you will also need rpc.statd and rpc.lockd running on both the client and the server. Most recent distributions start those services by default at boot time;
With portmap, lockd, and statd running, you should now be able to mount the remote directory from your server just the way you mount a local hard drive, with the mount command. Continuing our example from the previous section, suppose our server above is called master.foo.com,and we want to mount the /home directory on slave1.foo.com. Then, all we have to do, from the root prompt on slave1.foo.com, is type:
# mount master.foo.com:/home /mnt/home
and the directory /home on master will appear as the directory /mnt/home on slave1. (Note that this assumes we have created the directory /mnt/home as an empty mount point beforehand.)
You can get rid of the file system by typing
just like you would for a local file system.
Getting NFS File Systems to Be Mounted at Boot Time
NFS file systems can be added to your /etc/fstab file the same way local file systems can, so that they mount when your system starts up. The only difference is that the file system type will be set to nfs and the dump and fsck order (the last two entries) will have to be set to zero. So for our example above, the entry in /etc/fstab would look like:
# device mountpoint fs-type options dump fsckorder
master.foo.com:/home /mnt nfs rw 0 0
See the man pages for fstab if you are unfamiliar with the syntax of this file. If you are using an automounter such as amd or autofs, the options in the corresponding fields of your mount listings should look very similar if not identical.
At this point you should have NFS working, though a few tweaks may still be necessary to get it to work well.
Common NFS Mount Options
Beyond mounting a file system via NFS on a remote host, a number of different options can be specified at the time of the mount that can make it easier to use. These options can be used with manual mount commands, /etc/fstab settings, and autofs.
The following are options commonly used for NFS mounts:
· hard or soft — Specifies whether the program using a file via an NFS connection should stop and wait (hard) for the server to come back online if the host serving the exported file system is unavailable, or if it should report an error (soft).
If hard is specified, the user cannot terminate the process waiting for the NFS communication to resume unless the intr option is also specified.
If soft, is specified, the user can set an additional timeo=<value> option, where <value> specifies the number of seconds to pass before the error is reported.
· intr — Allows NFS requests to be interrupted if the server goes down or cannot be reached.
· nfsvers=2 or nfsvers=3 — Specifies which version of the NFS protocol to use.
· nolock — Disables file locking. This setting is occasionally required when connecting to older NFS servers.
· noexec — Prevents execution of binaries on mounted file systems. This is useful if the system is mounting a non-Linux file system via NFS containing incompatible binaries.
· nosuid — Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.
· rsize=8192 and wsize=8192 — These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size, in bytes, to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes.
· tcp — Specifies for the NFS mount to use the TCP protocol instead of UDP.
Many more options are listed on the mount man page, including options for mounting non-NFS file systems.
The exportfs Command
Every file system being exported to remote users via NFS, as well as the access level for those file systems, are listed in the /etc/exports file. When the nfs service starts, the /usr/sbin/exportfs command launches and reads this file, and passes to rpc.mountd and rpc.nfsd the file systems available to remote users.
When issued manually, the /usr/sbin/exportfs command allows the root user to selectively export or unexport directories without restarting the NFS service. When passed the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.
The following is a list of commonly used options available for /usr/sbin/exportfs:
· -r — Causes all directories listed in /etc/exports to be exported by constructing a new export list in /etc/lib/nfs/xtab. This option effectively refreshes the export list with any changes that have been made to /etc/exports.
· -a — Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.
· -o file-systems — Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted the same way they are specified in /etc/exports. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported.
· -i — Ignores /etc/exports; only options given from the command line are used to define exported file systems.
· -u — Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To reenable NFS sharing, type exportfs -r.
· -v — Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.
If no options are passed to the /usr/sbin/exportfs command, it displays a list of currently exported file systems.
For more information about the /usr/sbin/exportfs command, refer to the exportfs man page.
DNS Server configuration
Domain Name System (DNS) converts the name of a Web site (www.linuxhomenetworking.com) to an IP address (65.115.71.34). This step is important, because the IP address of a Web site’s server, not the Web site’s name, is used in routing traffic over the Internet.
Introduction to DNS
DNS Domains
Everyone in the world has a first name and a last, or family, name. The same thing is true in the DNS world: A family of Web sites can be loosely described a domain. For example, the domain linuxhomenetworking.com has a number of children, such as www.linuxhomenetworking.com and mail.linuxhomenetworking.com for the Web and mail servers, respectively.
BIND
BIND is an acronym for the Berkeley Internet Name Domain project, which is a group that maintains the DNS-related software suite that runs under Linux. The most well known program in BIND is named, the daemon that responds to DNS queries from remote machines.
s
A DNS client doesn’t store DNS information; it must always refer to a DNS server to get it. The only DNS configuration file for a DNS client is the /etc/resolv.conf file, which defines the IP address of the DNS server it should use. You shouldn’t need to configure any other files. You’ll become well acquainted with the /etc/resolv.conf file soon.
s
Authoritative servers provide the definitive information for your DNS domain, such as the names of servers and Web sites in it. They are the last word in information related to your domain.
There are 13 root authoritative DNS servers (super duper authorities) that all DNS servers query first. These root servers know all the authoritative DNS servers for all the main domains – .com, .net, and the rest. This layer of servers keeps track of all the DNS servers that Web site systems administrators have assigned for their sub domains.
For example, when you register your domain my-site.com, you are actually inserting a record on the .com DNS servers that point to the authoritative DNS servers you assigned for your domain.
When to Use A DNS Caching Name Server
Most servers don’t ask authoritative servers for DNS directly, they usually ask a caching DNS server to do it on their behalf. The caching DNS servers then store (or cache), the most frequently requested information to reduce the lookup overhead of subsequent queries.
If you want to advertise your Web site www.my-site.com to the rest of the world, then a regular DNS server is what you require. Setting up a caching DNS server is fairly straightforward and works whether or not your ISP provides you with a static or dynamic Internet IP address.
After you set up your caching DNS server, you must configure each of your home network PCs to use it as their DNS server. If your home PCs gets their IP addresses using DHCP, then you have to configure your DHCP server to make it aware of the IP address of your new DNS server, so that the DHCP server can advertise the DNS server to its PC clients. Off-the-shelf router/firewall appliances used in most home networks usually can act as both the caching DNS and DHCP server, rendering a separate DNS server is unnecessary.
You can find the configuration steps for a Linux DHCP server in Chapter 8, “Configuring the DHCP Server.”
If your ISP provides you with a fixed or static IP address, and you want to host your own Web site, then a regular authoritative DNS server would be the way to go. A caching DNS name server is used as a reference only; regular name servers are used as the authoritative source of information for your Web site’s domain.
Note: Regular name servers are also caching name servers by default.
When to Use A Dynamic DNS Server
If your ISP provides your router/firewall with its Internet IP address using DHCP then you must consider dynamic DNS covered in Chapter 19, “Dynamic DNS.” For now, I’m assuming that you are using static Internet IP addresses.
Whether or not you use static or dynamic DNS, you need to register a domain.
Dynamic DNS providers frequently offer you a subdomain of their own site, such as my-site.dnsprovider.com, in which you register your domain on their site.
If you choose to create your very own domain, such as my-site.com, you have to register with a company specializing in static DNS registration and then point your registration record to the intended authoritative DNS for your domain. Popular domain registrars include VeriSign, Register Free, and Yahoo.
If you want to use a dynamic DNS provider for your own domain, then you have to point your registration record to the DNS servers of your dynamic DNS provider. (More details on domain registration are coming later in the chapter.).
Basic DNS Testing of DNS Resolution
As you know, DNS resolution maps a fully qualified domain name (FQDN), such as www.linuxhomenetworking.com, to an IP address. This is also known as a forward lookup. The reverse is also true: By performing a reverse lookup, DNS can determining the fully qualified domain name associated with an IP address.
Many different Web sites can map to a single IP address, but the reverse isn’t true; an IP address can map to only one FQDN. This means that forward and reverse entries frequently don’t match. The reverse DNS entries are usually the responsibility of the ISP hosting your site, so it is quite common for the reverse lookup to resolve to the ISP’s domain. This isn’t an important factor for most small sites, but some e-commerce applications require matching entries to operate correctly. You may have to ask your ISP to make a custom DNS change to correct this.
There are a number of commands you can use do these lookups. Linux uses the host command, for example, but Windows uses nslookup.
The Host Command
The host command accepts arguments that are either the fully qualified domain name or the IP address of the server when providing results. To perform a forward lookup, use the syntax:
[root@bigboy tmp]# host www.linuxhomenetworking.com
www.linuxhomenetworking.com has address 65.115.71.34
[root@bigboy tmp]#
To perform a reverse lookup
[root@bigboy tmp]# host 65.115.71.34
34.71.115.65.in-addr.arpa domain name pointer 65-115-71-34.myisp.net.
[root@bigboy tmp]#
As you can see, the forward and reverse entries don’t match. The reverse entry matches the entry of the ISP.
The nslookup Command
The nslookup command provides the same results on Windows PCs. To perform forward lookup, use.
C:> nslookup www.linuxhomenetworking.com
Server: 192-168-1-200.my-site.com
Address: 192.168.1.200
Non-authoritative answer:
Name: www.linuxhomenetworking.com
Address: 65.115.71.34
To perform a reverse lookup
C:> nslookup 65.115.71.34
Server: 192-168-1-200.my-site.com
Address: 192.168.1.200
Name: 65-115-71-34.my-isp.com
Address: 65.115.71.34
How To Get BIND Started
You can use the chkconfig command to get BIND configured to start at boot
[root@bigboy tmp]# chkconfig named on
To start, stop, and restart BIND after booting, use:
[root@bigboy tmp]# service named start
[root@bigboy tmp]# service named stop
[root@bigboy tmp]# service named restart
Remember to restart the BIND process every time you make a change to the configuration file for the changes to take effect on the running process.
The /etc/resolv.conf File
DNS clients (servers not running BIND) use the /etc/resolv.conf file to determine both the location of their DNS server and the domains to which they belong. The file generally has two columns; the first contains a keyword, and the second contains the desired values separated by commas. See Table 18.1 for a list of keywords.
Table 18.1 Keywords In /etc/resolv.conf
| Keyword |
Value |
| Nameserver |
IP address of your DNS nameserver. There should be only one entry per “nameserver” keyword. If there is more than one nameserver, you’ll need to have multiple “nameserver” lines. |
| Domain |
The local domain name to be used by default. If the server is bigboy.my-site.com, then the entry would just be my-site.com |
| Search |
If you refer to another server just by its name without the domain added on, DNS on your client will append the server name to each domain in this list and do an DNS lookup on each to get the remote servers’ IP address. This is a handy time saving feature to have so that you can refer to servers in the same domain by only their servername without having to specify the domain. The domains in this list must separate by spaces. |
Take a look at a sample configuration in which the client server’s main domain is my-site.com, but it also is a member of domains my-site.net and my-site.org, which should be searched for shorthand references to other servers. Two name servers, 192.168.1.100 and 192.168.1.102, provide DNS name resolution:
search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102
The first domain listed after the search directive must be the home domain of your network, in this case my-site.com. Placing a domain and search entry in the /etc/resolv.conf is redundant, therefore.
Configuring A Caching Nameserver
The RedHat/Fedora default installation of BIND is configured to convert your Linux box into a caching name server. The only file you have to edit is /etc/resolv.conf; you’ll have to comment out the reference to your previous DNS server (most likely your router) with a # or make it point to the server itself using the universal localhost IP address of 127.0.0.1
So, your old entry of
nameserver 192.168.1.1
would be replaced by a new entry of
# nameserver 192.168.1.1
or
nameserver 127.0.0.1
The next step is to make all the other machines on your network point to the caching DNS server as their primary DNS server.
Important File Locations
RedHat/Fedora BIND normally runs as the named process owned by the unprivileged named user.
Sometimes BIND is also installed using Linux’s chroot feature to not only run named as user named, but also to limit the files named can see. When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root or / directory. Therefore, named files normally found in the /etc directory are found in /var/named/chroot/etc directory instead, and those you’d expect to find in /var/named are actually located in /var/named/chroot/var/named.
The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker’s access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail.
You can determine whether you have the chroot add-on RPM by using this command, which returns the name of the RPM.
[root@bigboy tmp]# rpm -q bind-chroot
bind-chroot-9.2.3-13
[root@bigboy tmp]#
There can be confusion with the locations: Regular BIND installs its files in the normal locations, and the chroot BIND add-on RPM installs its own versions in their chroot locations. Unfortunately, the chroot versions of some of the files are empty. Before starting Fedora BIND, copy the configuration files to their chroot locations:
[root@bigboy tmp]# cp -f /etc/named.conf /var/named/chroot/etc/
[root@bigboy tmp]# cp -f /etc/rndc.* /var/named/chroot/etc/
Before you go to the next step of configuring a regular name server, it is important to understand exactly where the files are located. Table 18.2 provides a map.
Table 18.2 Differences In Fedora And Redhat DNS File Locations
| File |
Purpose |
BIND chroot Location |
Regular BIND Location |
| named.conf |
Tells the names of the zone files to be used for each of your website domains. |
/var/named/chroot/etc |
/etc |
| rndc.key
rndc.conf |
Files used in named authentication |
/var/named/chroot/etc |
/etc |
| zone files |
Links all the IP addresses in your domain to their corresponding server |
/var/named/chroot/var/named |
/var/named |
Note: Fedora Core installs BIND chroot by default. RedHat 9 and earlier don’t.
Configuring A Regular Nameserver
For the purposes of this tutorial, assume your ISP assigned you the subnet 97.158.253.24 with a subnet mask of 255.255.255.248 (/29).
Configuring resolv.conf
You’ll have to make your DNS server refer to itself for all DNS queries by configuring the /etc/resolv.conf file to reference localhost only.
nameserver 127.0.0.1
Configuring named.conf
The named.conf file contains the main DNS configuration and tells BIND where to find the configuration files for each domain you own. This file usually has two zone areas:
o Forward zone file definitions list files to map domains to IP addresses.
o Reverse zone file definitions list files to map IP addresses to domains.
In this example, you’ll set up the forward zone for www.my-site.com by placing entries at the bottom of the named.conf file. The zone file is named my-site.zone, and, although not explicitly stated, the file my-site.zone should be located in the default directory of /var/named/chroot/var/named in a chroot or in /var/named in a regular one. Use the code:
zone “my-site.com” {
type master;
notify no;
allow-query { any; };
file “my-site.zone”;
};
In addition, you can insert additional entries in the named.conf file to reference other Web domains you host. Here is an example for another-site.com using a zone file named another-site.zone.
zone “another-site.com” {
type master;
notify no;
allow-query { any; };
file “another-site.zone”;
};
Note: The allow-query directive defines the networks that are allowed to query your DNS server for information on any zone. For example, to limit queries to only your 192.168.1.0 network, you could modify the directive to:
allow-query { 192.168.1.0/24; };
Next, you have to format entries to handle the reverse lookups for your IP addresses. In most cases, your ISP handles the reverse zone entries for your public IP addresses, but you will have to create reverse zone entries for your SOHO/home environment using the 192.168.1.0/24 address space. This isn’t important for the Windows clients on your network, but some Linux applications require valid forward and reverse entries to operate correctly.
The forward domain lookup process for mysite.com scans the FQDN from right to left to get to get increasingly more specific information about the authoritative servers to use. Reverse lookups operate similarly by scanning an IP address from left to right to get increasingly specific information about an address.
The similarity in both methods is that increasingly specific information is sought, but the noticeable difference is that for forward lookups the scan is from right to left, and for reverse lookups the scan is from left to right. This difference can be seen in the formatting of the zone statement for a reverse zone in /etc/named.conf file where the main in-addr.arpa domain, to which all IP addresses belong, is followed by the first 3 octets of the IP address in reverse order. This order is important to remember or else the configuration will fail. This reverse zone definition for named.conf uses a reverse zone file named 192-168-1.zone for the 192.168.1.0/24 network.
zone “1.168.196.in-addr.arpa” {
type master;
notify no;
file “192-168-1.zone”;
};
Configuring the Zone Files
You need to keep a number of things in mind when configuring DNS zone files:
o In all zone files, you can place a comment at the end of any line by inserting a semi-colon character then typing in the text of your comment.
o By default, your zone files are located in the directory /var/named or /var/named/chroot/var/named.
o Each zone file contains a variety of records (SOA, NS, MX, A, and CNAME) that govern different areas of BIND.
Take a closer look at these entries in the zone file.
The very first entry in the zone file is usually the zone’s time to live (TTL) value. Caching DNS servers cache the responses to their queries from authoritative DNS servers. The authoritative servers not only provide the DNS answer but also provide the information’s time to live, which is the period for which it’s valid.
The purpose of a TTL is to reduce the number of DNS queries the authoritative DNS server has to answer. If the TTL is set to three days, then caching servers use the original stored response for three days before making the query again.
$TTL 3D
BIND recognizes several suffixes for time-related values. A D signifies days, a W signifies weeks, and an H signifies hours. In the absence of a suffix, BIND assumes the value is in seconds.
DNS Resource Records
The rest of the records in a zone file are usually BIND resource records. They define the nature of the DNS information in your zone files that’s presented to querying DNS clients. They all have the general format:
Name Class Type Data
There are different types of records for mail (MX), forward lookups (A), reverse lookups (PTR), aliases (CNAME) and overall zone definitions, Start of Authority (SOA). The data portion is formatted according to the record type and may consist of several values separated by spaces. Similarly, the name is also subject to interpretation based on this factor.
The SOA Record
The first resource record is the Start of Authority (SOA) record, which contains general administrative and control information about the domain. It has the format:
Name Class Type Name-Server Email-Address Serial-No Refresh Retry Expiry Minimum-TTL
The record can be long, and will sometimes wrap around on your screen. For the sake of formatting, you can insert new line characters between the fields as long as you insert parenthesis at the beginning and end of the insertion to alert BIND that part of the record will straddle multiple lines. You can also add comments to the end of each new line separated by a semicolon when you do this. Here is an example:
@ IN SOA ns1.my-site.com. hostmaster.my-site.com. (
2004100801 ; serial #
4H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
Table 18.3 explains what each field in the record means.
| Field |
Description |
| Name |
The root name of the zone. The “@” sign is a shorthand reference to the current origin (zone) in the /etc/named.conf file for that particular database file. |
| Class |
There are a number of different DNS classes. Home/SOHO will be limited to the IN or Internet class used when defining IP address mapping information for BIND. Other classes exist for non Internet protocols and functions but are very rarely used.. |
| Type |
The type of DNS resource record. In the example, this is an SOA resource record. Other types of records exist, which I’ll cover later. |
| Name-server |
Fully qualified name of your primary name server. Must be followed by a period. |
| Email-address |
The e-mail address of the name server administrator. The regular @ in the e-mail address must be replaced with a period instead. The e-mail address must also be followed by a period. |
| Serial-no |
A serial number for the current configuration. You can use the format YYYYMMDD with single digit incremented number tagged to the end to provide an incremental value that provides some editing information. |
| Refresh |
Tells the slave DNS server how often it should check the master DNS server. Slaves aren’t usually used in home / SOHO environments. |
| Retry |
The slave’s retry interval to connect the master in the event of a connection failure. Slaves aren’t usually used in home / SOHO environments. |
| Expiry |
Total amount of time a slave should retry to contact the master before expiring the data it contains. Future references will be directed towards the root servers. Slaves aren’t usually used in home/SOHO environments. |
| Minimum-TTL |
There are times when remote clients will make queries for subdomains that don’t exist. Your DNS server will respond with a no domain or NXDOMAIN response that the remote client caches. This value defines the caching duration your DNS includes in this response. |
So in the example, the primary name server is defined as ns1.my-site.com with a contact e-mail address of hostmaster@my-site.com. The serial number is 2004100801 with refresh, retry, expiry, and minimum values of 4 hours, 1 hour, 1 week, and 1 day, respectively.
NS, MX, A And CNAME Records
Like the SOA record, the NS, MX, A, PTR and CNAME records each occupy a single line with a very similar general format. Table 18.4 outlines the way they are laid out.
Table 18.4 NS, MX, A, PTR and CNAME Record Formats
| Record
Type |
Field Descriptions
Name Field |
Class
Field2 |
Type
Field |
Data
Field |
| NS |
Usually blank1 |
IN |
NS |
IP address or CNAME of the name server |
| MX |
Domain to be used for mail. Usually the same as the domain of the zone file itself. |
IN |
MX |
Mail server DNS name |
| A |
Name of a server in the domain |
IN |
A |
IP address of server |
| CNAME |
Server name alias |
IN |
CNAME |
“A” record name for the server |
| PTR |
Last octet of server’s IP address |
IN |
PTR |
Fully qualified server name |
1 If the search key to a DNS resource record is blank it reuses the search key from the previous record which in this case of is the SOA @ sign.
2 For most home / SOHO scenarios, the Class field will always be IN or Internet. You should also be aware that IN is the default Class, and BIND will assume a record is of this type unless otherwise stated.
If you don’t put a period at the end of a host name in a SOA, NS, A, or CNAME record, BIND will automatically tack on the zone file’s domain name to the name of the host. So, BIND assumes an A record with www refers to www.my-site.com. This may be acceptable in most cases, but if you forget to put the period after the domain in the MX record for my-site.com, BIND attaches the my-site.com at the end, and you will find your mail server accepting mail only for the domain my-site.com.mysite.com.
Sample Forward Zone File
Now that you know the key elements of a zone file, it’s time to examine a working example for the domain my-site.com.
; Zone file for my-site.com
; The full zone file
;
$TTL 3D
@ IN SOA ns1.my-site.com. hostmaster.my-site.com. (
200211152 ; serial#
3600 ; refresh, seconds
3600 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum, seconds
;
NS www ; Inet Address of nameserver
my-site.com. MX 10 mail ; Primary Mail Exchanger
localhost A 127.0.0.1
bigboy A 97.158.253.26
mail CNAME bigboy
ns1 CNAME bigboy
www CNAME bigboy
Notice that in this example:
o Server ns1.my-site.com is the name server for my-site.com. In corporate environments there may be a separate name server for this purpose. Primary name servers are more commonly called ns1 and secondary name servers ns2.
o The minimum TTL value ($TTL) is three days, therefore remote DNS caching servers will store learned DNS information from your zone for three days before flushing it out of their caches.
o The MX record for my-site.com points to the server named mail.my-site.com.
o ns1 and mail are actually CNAMEs or aliases for the Web server www. So here you have an example of the name server, mail server, and Web server being the same machine. If they were all different machines, then you’d have an A record entry for each.
www A 97.158.253.26
mail A 97.158.253.134
ns A 97.158.253.125
It is a required practice to increment your serial number whenever you edit your zone file. When DNS is setup in a redundant configuration, the slave DNS servers periodically poll the master server for updated zone file information, and use the serial number to determine whether the data on the master has been updated. Failing to increment the serial number, even though the contents of the zone file have been modified, could cause your slaves to have outdated information.
Sample Reverse Zone File
Now you need to make sure that you can do a host query on all your home network’s PCs and get their correct IP addresses. This is very important if you are running a mail server on your network, because sendmail typically relays mail only from hosts whose IP addresses resolve correctly in DNS. NFS, which is used in network-based file access, also requires valid reverse lookup capabilities.
This is an example of a zone file for the 192.168.1.x network. All the entries in the first column refer to the last octet of the IP address for the network, so the IP address 192.168.1.100 points to the name bigboy.my-site.com.
Notice how the main difference between forward and reverse zone files is that the reverse zone file only has PTR and NS records. Also the PTR records cannot have CNAME aliases.
; Filename: 192-168-1.zone
; Zone file for 192.168.1.x
;
$TTL 3D
@ IN SOA www.my-site.com. hostmaster.my-site.com. (
200303301 ; serial number
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
;
NS www ; Nameserver Address
;
100 PTR bigboy.my-site.com.
103 PTR smallfry.my-site.com.
102 PTR ochorios.my-site.com.
105 PTR reggae.my-site.com.
32 PTR dhcp-192-168-1-32.my-site.com.
33 PTR dhcp-192-168-1-33.my-site.com.
34 PTR dhcp-192-168-1-34.my-site.com.
35 PTR dhcp-192-168-1-35.my-site.com.
36 PTR dhcp-192-168-1-36.my-site.com.
I included entries for addresses 192.168.1.32 to 192.168.1.36, which are the addresses the DHCP server issues. SMTP mail relay wouldn’t work for PCs that get their IP addresses via DHCP if these lines weren’t included.
You may also want to create a reverse zone file for the public NAT IP addresses for your home network. Unfortunately, ISPs won’t usually delegate this ability for anyone with less than a Class C block of 256 IP addresses. Most home DSL sites wouldn’t qualify.
What You Need To Know About NAT And DNS
The previous examples assume that the queries will be coming from the Internet with the zone files returning information related to the external 97.158.253.26 address of the Web server.
What do the PCs on your home network need to see? They need to see DNS references to the real IP address of the Web server, 192.168.1.100, because NAT won’t work properly if a PC on your home network attempts to connect to the external 97.158.253.26 NAT IP address of your Web server.
Don’t worry. BIND has a way around these called views. The views feature allows you to force BIND to use predefined zone files for queries from certain subnets. This means it’s possible to use one set of zone files for queries from the Internet and another set for queries from your home network.
Here’s a summary of how it’s done:
1. Place your zone statements in the /etc/named.conf file in one of two views sections. The first section is called internal and lists the zone files to be used by your internal network. The second view called external lists the zone files to used for Internet users.
For example; you could have a reference to a zone file called my-site.zone for lookups related to the 97.158.253.X network which Internet users would see. This /etc/named.conf entry would be inserted in the external section. You could also have a file called my-site-home.zone for lookups by home users on the 192.168.1.0 network. This entry would be inserted in the internal section. Creating the my-site-home.zone file is fairly easy: Copy it from the my-site.zone file and replace all references to 97.158.253.X with references to 192.168.1.X.
2. You must also tell the DNS server which addresses you feel are internal and external. To do this, you must first define the internal and external networks with access control lists (ACLs) and then refer to these lists within their respective view section with the match-clients statement. Some built-in ACLs can save you time:
> localhost: Refers to the DNS server itself
> localnets: Refers to all the networks to which the DNS server is directly connected
> any: which is self explanatory.
Note: You must place your localhost, 0.0.127.in-addr.arpa and “.” zone statements in the internal views section. Remember to increment your serial numbers!
Here is a sample configuration snippet for the /etc/named.conf file I use for my home network. All the statements below were inserted after the options and controls sections in the file.
// ACL statement
acl “trusted-subnet” { 192.168.17.0/24; };
view “internal” { // What the home network will see
match-clients { localnets; localhost; “trusted-subnet”; };
zone “.” IN {
type hint;
file “named.ca”;
};
zone “localhost” IN {
type master;
file “localhost.zone”;
allow-update { none; };
};
zone “0.0.127.in-addr.arpa” IN {
type master;
file “named.local”;
allow-update { none; };
};
// IPv6 Support
zone “0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa” IN {
type master;
file “named.ip6.local”;
allow-update { none; };
};
// Prevents lookups for broadcast addresses ending in “.255″
zone “255.in-addr.arpa” IN {
type master;
file “named.broadcast”;
allow-update { none; };
};
// Prevents lookups for network addresses ending in “.0″
zone “0.in-addr.arpa” IN {
type master;
file “named.zero”;
allow-update { none; };
};
zone “1.168.192.in-addr.arpa” IN {
type master;
file “192-168-1.zone”;
allow-update { none; };
};
zone “my-site.com” {
type master;
notify no;
file “my-site-home.zone”;
allow-query { any; };
};
zone “another-site.com” {
type master;
notify no;
file “another-site-home.zone”;
allow-query { any; };
};
};
view “external” { // What the Internet will see
match-clients { any; };
recursion no;
zone “my-site.com” {
type master;
notify no;
file “my-site.zone”;
allow-query { any; };
};
zone “another-site.com” {
type master;
notify no;
file “another-site.zone”;
allow-query { any; };
};
};
In this example I included an ACL for network 192.168.17.0 /24 called trusted-subnet to help clarify the use of ACLs in more complex environments. Once the ACL was defined, I then inserted a reference to the trusted-subnet in the match-clients statement in the internal view. So in this case the local network (192.168.1.0 /24), the other trusted network (192.168.17.0), and localhost get DNS data from the zone files in the internal view. Remember, this is purely an example. The example home network doesn’t need to have the ACL statement at all as the built in ACLs localnets and localhost are sufficient. The network won’t need the trusted-subnet section in the match-clients line either.
Loading Your New Configuration Files
To load your new configuration files, first make sure your file permissions and ownership are okay in the /var/named directory.
[root@bigboy tmp]# cd /var/named
[root@bigboy named]# ll
total 6
-rw-r–r– 1 named named 195 Jul 3 2001 localhost.zone
-rw-r–r– 1 named named 2769 Jul 3 2001 named.ca
-rw-r–r– 1 named named 433 Jul 3 2001 named.local
-rw-r–r– 1 root root 763 Oct 2 16:23 my-site.zone
[root@bigboy named]# chown named *
[root@bigboy named]# chgrp named *
[root@bigboy named]# ll
total 6
-rw-r–r– 1 named named 195 Jul 3 2001 localhost.zone
-rw-r–r– 1 named named 2769 Jul 3 2001 named.ca
-rw-r–r– 1 named named 433 Jul 3 2001 named.local
-rw-r–r– 1 named named 763 Oct 2 16:23 my-site.zone
[root@bigboy named]#
The configuration files above will not be loaded until you issue the proper command to restart the named process that controls DNS, but be sure to increment your configuration file serial number before doing this.
[root@bigboy tmp]# service named restart
Take a look at the end of your /var/log/messages file to make sure there are no errors.
Make Sure Your /etc/hosts File Is Correctly Updated
Linux Networking, explains how to correctly configure your /etc/hosts file. Some programs, such as sendmail, require a correctly configured /etc/hosts file even though DNS is correctly configured.
Configuration of ftp server
How To Download And Install VSFTPD:
Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn’t hard. If you need a refresher, Chapter 6, on RPMs, covers how to do this in detail. It is best to use the latest version of VSFTPD.
When searching for the file, remember that the VSFTPD RPM’s filename usually starts with the word vsftpd followed by a version number, as in: vsftpd-1.2.1-5.i386.rpm.
How To Get VSFTPD Started:
You can start, stop, or restart VSFTPD after booting by using these commands:
[root@bigboy tmp]# service vsftpd start
[root@bigboy tmp]# service vsftpd stop
[root@bigboy tmp]# service vsftpd restart
To configure VSFTPD to start at boot you can use the chkconfig command.
[root@bigboy tmp]# chkconfig vsftpd on
Note: In RedHat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process, which is covered in Chapter 16, “TELNET, TFTP, and XINETD.” You can find a full description of how to configure these versions of Linux for VSFTPD in Appendix III, “Fedora Version Differences.”
Testing the Status of VSFTPD:
You can always test whether the VSFTPD process is running by using the netstat -a command which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.
[root@bigboy root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
[root@bigboy root]#
If VSFTPD wasn’t running, there would be no output at all.
The vsftpd.conf File:
VSFTPD only reads the contents of its vsftpd.conf configuration file only when it starts, so you’ll have to restart VSFTPD each time you edit the file in order for the changes to take effect.
This file uses a number of default settings you need to know about.
> VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log into to your default FTP directory using a username of anonymous and a password that’s the same as their email address, I would suggest turning this off. The configuration file’s anonymous_enable directive can be set to no to disable this feature. You’ll also need to simultaneously enable local users to be able to log in by removing the comment symbol (#) before the local_enable instruction.
> VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be changed by modifying the anon_upload_enable directive shown later.
> VSFTPD doesn’t allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.
> VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
> By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive. There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your /var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated partition.
The configuration file is fairly straight forward as you can see in the snippet below.
# Allow anonymous FTP?
anonymous_enable=YES
…
# Uncomment this to allow local users to log in.
local_enable=YES
…
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
…
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
…
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
…
# Activate logging of uploads/downloads.
xferlog_enable=YES
…
# You may override where the log file goes if you like.
# The default is shown# below.
#xferlog_file=/var/log/vsftpd.log
…
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
#anon_root=/data/directory
To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.
Other vsftpd.conf Options
There are many other options you can add to this file:
o Limiting the maximum number of client connections (max_clients)
o Limiting the number of connections by source IP address (max_per_ip)
o The maximum rate of data transfer per anonymous login. (anon_max_rate)
o The maximum rate of data transfer per non-anonymous login. (local_max_rate)
Descriptions on this and more can be found in the vsftpd.conf man pages.
FTP Security Issues:
FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user’s access to non-anonymous FTP, and you can change the configuration to not display the FTP server’s software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.
The /etc/vsftpd.ftpusers File
For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn’t have FTP access. As FTP doesn’t encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.
Anonymous Upload
If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:
[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload
FTP Greeting Banner
Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is.
ftpd_banner= New Banner Here
Using SCP As Secure Alternative To FTP
One of the disadvantages of FTP is that it does not encrypt your username and password. This could make your user account vulnerable to an unauthorized attack from a person eavesdropping on the network connection. Secure Copy (SCP) and Secure FTP (SFTP) provide encryption and could be considered as an alternative to FTP for trusted users. SCP does not support anonymous services, however, a feature that FTP does support.
Tutorial:
FTP has many uses, one of which is allowing numerous unknown users to download files. You have to be careful, because you run the risk of accidentally allowing unknown persons to upload files to your server. This sort of unintended activity can quickly fill up your hard drive with illegal software, images, and music for the world to download, which in turn can clog your server’s Internet access and drive up your bandwidth charges.
FTP Users with Only Read Access to a Shared Directory
In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:
1. Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this:
# Allow anonymous FTP?
# anonymous_enable=YES
2. Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:
# Uncomment this to allow local users to log in.
local_enable=YES
3. Start VSFTP.
[root@bigboy tmp]# service vsftpd start
4. Create a user group and shared directory. In this case, use /home/ftp-users and a user group name of ftp-users for the remote users
[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs
5. Make the directory accessible to the ftp-users group.
[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs
6. Add users, and make their default directory /home/ftp-docs
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4
7. Copy files to be downloaded by your users into the /home/ftp-docs directory
8. Change the permissions of the files in the /home/ftp-docs directory for read only access by the group
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don’t want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to no:
write_enable = NO
Remember, you must restart VSFTPD for the configuration file changes to take effect.
10. Connect to bigboy via FTP
[root@smallfry tmp]# ftp 192.168.1.100 (ip address of bigboy)
you will get a prompt like
ftp>
FTP commands and files:
/etc/ftpaccess : General configuration file: classes of users, access definitions, logging, etc.
class all real,guest,anonymous *
limit all 10 Any /etc/msgs/msg.dead
message /welcome.msg login
log transfers anonymous,real inbound,outbound
/etc/ftphosts : Individual user host access to allow / deny a given username from an address.
# Example host access file
# Everything after a '#' is treated as comment,
# empty lines are ignored
allow bartm somehost.domain
deny fred otherhost.domain 131.211.32.*
/etc/ftpgroups : It allow us to set up groups of users.
/etc/ftpusers : Users who are not allowed to log in.
/etc/ftpconversions : Allows users to request specific on-the-fly conversions.
-
chroot – Run with a special root directory
-
ftpcount – Show number of concurrent users.
-
ftpshut – close down the ftp servers at a given time
-
ftprestart – Restart previously shutdown ftp servers
-
ftpwho – show current process information for each ftp user
Telnet Server Configuration
To run or enable the telnet service following file need to be edited.
/etc/xinetd.d/telnet
and restart xinetd service.
Create a /etc/nologin file will prevent any remote login via telnet.
If you are in an environment where you work with multiple UNIX computers networked together, you will need to work on different machines from time to time. The telnet command provides you with a facility to login to other computers from your current system without logging out of your current environment. The telnet command is similar to the rlogin command described earlier in this section.
The hostname argument of telnet is optional. If you do not use the host computer name as part of the command, you will be placed at the telnet prompt, usually, telnet>. There are a number of sub-commands available to you when you are at the telnet> prompt. Some of these sub-commands are as follows:
-
exit to close the current connection and return to the telnet> prompt if sub-command open was used to connect to the remote host. If, however, telnet was issued with the host-name argument, the connection is closed and you are returned to where you invoked the telnet command.
-
display to display operating arguments.
-
open to open a connection to a host. The argument can be a host computer name or address. telnet will respond with an error message if you provide an incorrect name or address.
-
quit to exit telnet.
-
set to set operating arguments.
-
status to print status information.
-
toggle to toggle operating arguments (toggle ? for more).
-
? to print help information.
Examples Assume that you work with two networked computers, box1 and box2. If you are currently logged in on box1, you can execute the following command to login into box2:
As a response to this command, box2 will respond with the login screen where you can enter your userid and password for box2 to login. After completing your work on box2, you can come back to box1.
Basic user security:
My Red Hat 7.3 server and wu-ftp server 2.6.2-5 does not support this configuration to prevent shell access and requires a real user shell. i.e. /bin/bash It use to work great in older versions. If it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access.
-
Disable remote telnet login access allowing FTP access only:
Change the shell for the user in /etc/passwd from /bin/bash to be /etc/ftponly.
user1:x:502:503::/home/user1:/etc/ftponly
Create file: /etc/ftponly.
Protection set to -rwxr-xr-x 1 root root
Contents of file:
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
Admin=root@your-domain.com
#System=`/usr/ucb/hostname`@`/usr/bin/domainname`
/bin/echo "********************************************************************"
/bin/echo " You are NOT allowed interactive access."
/bin/echo " User accounts are restricted to ftp and web access."
/bin/echo " Direct questions concerning this policy to $Admin."
/bin/echo "********************************************************************"
The last step is to add this to the list of valid shells on the system.
Add the line /etc/ftponly to /etc/shells.
Sample file contents:
See man page on /etc/shells.
An alternative would be to assign the shell /bin/false which became available in later releases of Red Hat.
Configuring Samba
Samba uses /etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes will not take effect until you restart the Samba daemon with the command service smb restart.
The default configuration file (smb.conf) in Red Hat Linux 8.0 allows users to view their Linux home directories as a Samba share on the Windows machine after they log in using the same username and password. It also shares any printers configured for the Red Hat Linux system as Samba shared printers. In other words, you can attach a printer to your Red Hat Linux system and print to it from the Windows machines on your network.
To specify the Windows workgroup and description string, edit the following lines in your smb.conf file:
workgroup = WORKGROUPNAME
server string = BRIEF COMMENT ABOUT SERVER
|
Replace WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and will be the Windows comment about the Samba system.
To create a Samba share directory on your Linux system, add the following section to your smb.conf file (after modifying it to reflect your needs and your system):
[sharename]
comment = Insert a comment here
path = /home/share/
valid users = tfox carole
public = no
writable = yes
printable = no
create mask = 0765
|
The above example allows the users tfox and carole to read and write to the directory /home/share, on the Samba server, from a Samba client.
Samba Passwords
In Red Hat Linux 8.0 encrypted passwords are enabled by default because it is more secure. If encrypted passwords are not used, plain text passwords are used, which can be intercepted by someone using a network packet sniffer. It is recommended that encrypted passwords be used.
The Microsoft SMB Protocol originally used plaintext passwords. However, Windows 2000 and Windows NT 4.0 with Service Pack 3 or higher require encrypted Samba passwords. To use Samba between a Red Hat Linux system and a system with Windows 2000 or Windows NT 4.0 Service Pack 3 or higher, you can either edit your Windows registry to use plaintext passwords or configure Samba on your Linux system to use encrypted passwords. If you choose to modify your registry, you must do so for all your Windows NT or 2000 machines — this is risky and may cause further conflicts.
To configure Samba on your Red Hat Linux system to use encrypted passwords, follow these steps:
1. Create a separate password file for Samba. To create one based on your existing /etc/passwd file, at a shell prompt, type the following command:
cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
|
2. If the system uses NIS, type the following command:
ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
|
3. The mksmbpasswd.sh script is installed in your /usr/bin directory with the samba package.
4. Change the permissions of the Samba password file so that only root has read and write permissions:
chmod 600 /etc/samba/smbpasswd
|
5. The script does not copy user passwords to the new file. To set each Samba user’s password, use the command (replace username with each user’s username):
6. A Samba user account will not be active until a Samba password is set for it.
7. Encrypted passwords must be enabled in the Samba configuration file. In the file smb.conf, verify that the following lines are not commented out:
encrypt password = yes
smb passwd file = /etc/samba/smbpasswd
|
8. Make sure the smb service is started by typing the command service smb restart at a shell prompt.
9. If you want the smb service to start automatically, use ntsysv, chkconfig, or Services Configuration Tool to enable it at runtime.
Connecting to a Samba Share
To connect to a Linux Samba share from a Microsoft Windows machine, use Network Neighborhood or Windows Explorer.
To connect to a Samba share from a Linux system, from a shell prompt, type the following command:
smbclient //hostname/sharename -U username
|
You will need to replace hostname with the hostname or IP address of the Samba server you want to connect to, sharename with the name of the shared directory you want to browse, and username with the Samba username for the system. Enter the correct password or press [Enter] if no password is required for the user.
If you see the smb:> prompt, you have successfully logged in. Once you are logged in, type help for a list of commands. If you wish to browse the contents of your home directory, replace sharename with your username. If the -U switch is not used, the username of the current user is passed to the Samba server.
To exit smbclient, type exit at the smb:> prompt.
Linux Firewalls using iptables
Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure.
This chapter shows how to convert a Linux server into:
* A firewall while simultaneously being your home website’s mail, web and DNS server.
* A router that will use NAT and port forwarding to both protect your home network and have another web server on your home network while sharing the public IP address of your firewall.
What Is iptables?
Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:
> Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
> Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
> Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.
> System logging that provides the option of adjusting the level of detail of the reporting.
> Better network address translation.
> Support for transparent integration with such Web proxy programs as Squid.
> A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks..
Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under Red Hat and Fedora Linux.
Download And Install The Iptables Package
Before you begin, you need to make sure that the iptables software RPM is installed. When searching for the RPMs, remember that the filename usually starts with the software package name by a version number, as in iptables-1.2.9-1.0.i386.rpm.
How To Start iptables
You can start, stop, and restart iptables after booting by using the commands:
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart
To get iptables configured to start at boot, use the chkconfig command:.
[root@bigboy tmp]# chkconfig iptables on
Determining The Status of iptables
You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example
[root@bigboy tmp]# service iptables status
Firewall is stopped.
Packet Processing In iptables
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.
There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:
> Forward chain: Filters packets to servers protected by the firewall.
> Input chain: Filters packets destined for the firewall.
> Output chain: Filters packets originating from the firewall.
The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are:
> Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
> Post-routing chain: NATs packets when the source address of the packet needs to be changed
Table 14-1 Processing For Packets Routed By The Firewall
| Queue Type |
Queue Function |
Packet Transformation chain in Queue |
Chain Function |
| Filter |
Packet filtering |
FORWARD |
Filters packets to servers accessible by another NIC on the firewall. |
| |
|
INPUT |
Filters packets destined to the firewall. |
| |
|
OUTPUT |
Filters packets originating from the firewall |
| Nat |
Network Address Translation |
PREROUTING |
Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall’s routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT. |
| |
|
POSTROUTING |
Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT |
| |
|
OUTPUT |
Network addresses translation for packets generated by the firewall. (Rarely used in SOHO environments) |
| Mangle |
TCP header modification |
PREROUTING POSTROUTING OUTPUT INPUT FORWARD |
Modification of the TCP packet quality of service bits before routing occurs
(Rarely used in SOHO environments) |
You need to specify the table and the chain for each firewall rule you create. There is an exception: Most rules are related to filtering, so iptables assumes that any chain that’s defined without an associated table will be a part of the filter table. The filter table is therefore the default.
To help make this clearer, take a look at the way packets are handled by iptables. In Figure 14.1 a TCP packet from the Internet arrives at the firewall’s interface on Network A to create a data connection.
The packet is first examined by your rules in the mangle table’s PREROUTING chain, if any. It is then inspected by the rules in the nat table’s PREROUTING chain to see whether the packet requires DNAT. It is then routed.
If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps.
If the packet is destined for the firewall itself, then it is filtered by the rules in the INPUT chain of the filter table before being processed by the intended application on the firewall. At some point, the firewall needs to reply. This reply is inspected by your rules in the OUTPUT chain of the mangle table, if any. The rules in the OUTPUT chain of the nat table determine whether address translation is required and the rules in the OUTPUT chain of the filter table are then inspected before the packet is routed back to the Internet.
Figure 14-1 Iptables Packet Flow Diagram
It is now time to discuss the ways in which you add rules to these chains.
Targets And Jumps
Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. Table 14.2 lists the built-in targets that iptables uses.
Table 14-2 Descriptions Of The Most Commonly Used Targets
| Target |
Description |
Most common options |
| ACCEPT |
iptables stops further processing.
The packet is handed over to the end application or the operating system for processing |
N/A |
| DROP |
iptables stops further processing.
The packet is blocked |
N/A |
| LOG |
The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. As you can’t log and drop at the same time, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it. |
–log-prefix “string”
Tells iptables to prefix all log messages with a user defined string. Frequently used to tell why the logged packet was dropped |
| REJECT |
Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked |
–reject-with qualifier
The qualifier tells what type of reject message is returned. Qualifiers include: ** |
| DNAT |
Used to do destination network address translation. ie. Rewriting the destination IP address of the packet |
–to-destination ipaddress
Tells iptables what the destination IP address should be |
| SNAT |
Used to do source network address translation rewriting the source IP address of the packet.
The source IP address is user defined |
–to-source <address>[-<address>][:<port>-<port>]
Specifies the source IP address and ports to be used by SNAT. |
| MASQUERADE |
Used to do Source Network Address Translation.
By default the source IP address is the same as that used by the firewall’s interface |
[--to-ports <port>[-<port>]]
Specifies the range of source ports to which the original source port can be mapped. |
** icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable
icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.
Important Iptables Command Switch Operations
Each line of an iptables script not only has a jump, but they also have a number of command line options that are used to append rules to chains that match your defined packet characteristics, such the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. Tables 14.2 through 14.6 list the most common options.
Table 14-2 General Iptables Match Criteria
| Iptables command
Switch |
Description |
| -t <table> |
If you don’t specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle |
| -j <target> |
Jump to the specified target chain when the packet matches the current rule |
| -A |
Append rule to end of a chain |
| -F |
Flush. Deletes all the rules in the selected table |
| -p <protocol-type> |
Match protocol. Types include, icmp, tcp, udp, and all |
| -s <ip-address> |
Match source IP address |
| -d <ip-address> |
Match destination IP address |
| -i <interface-name> |
Match “input” interface on which the packet enters. |
| -o <interface-name> |
Match “output” interface on which the packet exits |
In this command switches example
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall’s IP address of 192.168.1.1. The 0/0 representation of an IP address means any.
Table 14-4 Common TCP and UDP Match Criteria
| Switch |
Description |
| -p tcp –sport <port> |
TCP source port, Can be a single value or a range in the format:
start-port-number:end-port-number |
| -p tcp –dport <port> |
TCP destination port, Can be a single value or a range in the format:
starting-port:ending-port |
| -p tcp –syn |
Used to identify a new TCP connection request
! –syn means, not a new connection request |
| -p udp –sport <port> |
UDP source port, Can be a single value or a range in the format:
starting-port:ending-port |
| -p udp –dport <port> |
UDP destination port, Can be a single value or a range in the format:
starting-port:ending-port |
In this example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP
–sport 1024:65535 –dport 80 -j ACCEPT
iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).
Table 14-5 Common ICMP (Ping) Match Criteria
| Matches used with
—icmp-type |
Description |
| –icmp-type <type> |
The most commonly used types are echo-reply and echo-request |
In this example
iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp –icmp-type echo-reply -j ACCEPT
iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and in turn, accept the expected ICMP echo-replies.
Consider another example
iptables -A INPUT -p icmp –icmp-type echo-request
-m limit –limit 1/s -i eth0 -j ACCEPT
The limit feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals in the format /second, /minute, /hour, or /day, or you can use abbreviations so that 3/second is the same as 3/s.
In this example, ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter unusually high volumes of traffic that characterize denial of service (DOS) attacks and Internet worms.
iptables -A INPUT -p tcp –syn -m limit –limit 5/s -i eth0 -j ACCEPT
You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks was created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second.
Table 14-6 Common Extended Match Criteria
| Switch |
Description |
| -m multiport –sport <port, port> |
A variety of TCP/UDP source ports separated by commas. Unlike when -m isn’t used, they do not have to be within a range. |
| -m multiport –dport <port, port> |
A variety of TCP/UDP destination ports separated by commas. Unlike when -m isn’t used, they do not have to be within a range. |
| -m multiport –ports <port, port> |
A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range. |
| -m –state <state> |
The most frequently tested states are:
ESTABLISHED: The packet is part of a connection that has seen packets in both directions
NEW: The packet is the start of a new connection
RELATED: The packet is starting a new secondary connection. This is a common feature of such protocols such as an FTP data transfer, or an ICMP error.
INVALID: The packet couldn’t be identified. Could be due to insufficient system resources, or ICMP errors that don’t match an existing data flow. |
This is an expansion on the previous example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP
–sport 1024:65535 -m multiport –dport 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP
-m state –state ESTABLISHED -j ACCEPT
Here iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are port 80 (www/http) and 443 (https). The return packets from 192.168.1.58 are allowed to be accepted too. Instead of stating the source and destination ports, you can simply allow packets related to established connections using the -m state and –state ESTABLISHED options.
Using User Defined Chains
As you may remember, you can configure iptables to have user-defined chains. This feature is frequently used to help streamline the processing of packets. For example, instead of using a single, built-in chain for all protocols, you can use the chain to determine the protocol type for the packet and then hand off the actual final processing to a user-defined, protocol-specific chain in the filter table. In other words, you can replace a long chain with a stubby main chain pointing to multiple stubby chains, thereby shortening the total length of all chains the packet has to pass through. For example
iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
iptables -A icmp-queue-out -p icmp –icmp-type echo-request
-m state –state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp –icmp-type echo-reply -j ACCEPT
Here six queues help assist in improving processing speed. Table 14.7 summarizes the function of each.
Table 14.7 Custom Queues Example Listing
| Chain |
Description |
| INPUT |
The regular built-in INPUT chain in iptables |
| OUTPUT |
The regular built-in OUTPUT chain in iptables |
| fast-input-queue |
Input chain dedicated to identifying specific protocols and shunting the packets to protocol specific chains. |
| fast-output-queue |
Output chain dedicated to identifying specific protocols and shunting the packets to protocol specific chains. |
| icmp-queue-out |
Output queue dedicated to ICMP |
| icmp-queue-in |
Input queue dedicated to ICMP |
Saving Your iptables Scripts
The service iptables save command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration.
The format of the /etc/sysconfig/iptables file is slightly different from that of the scripts shown in this chapter. The initialization of built-in chains is automatic and the string “iptables” is omitted from the rule statements.
Here is a sample /etc/sysconfig/iptables configuration that allows ICMP, IPSec (ESP and AH packets), already established connections, and inbound SSH.
[root@bigboy tmp]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT – [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@bigboy tmp]#
It is never a good idea to edit this script directly because it is always overwritten by the save command and it doesn’t save any comments at all, which can also make it extremely difficult to follow. For these reasons, you’re better off writing and applying a customized script and then using the service iptables save command to make the changes permanent.
Fedora comes with a program called lokkit that you can use to generate a very rudimentary firewall rule set. It prompts for the level of security and then gives you the option of doing simple customizations. It is a good place for beginners to start on a test system so that they can see a general rule structure.
Like the service iptables save command, lokkit saves the firewall rules in a new /etc/sysconfig/iptables file for use on the next reboot.
Once you have become familiar with the iptables syntax, it’s best to write scripts that you can comment and then save it to /etc/sysconfig/iptables. It makes them much more manageable and readable.
Sometimes the script you created to generate iptables rules may get corrupted or lost, or you might inherit a new system from an administer and cannot find the original script used to protect it. In these situations, you can use the iptables-save and iptables-restore commands to assist you with the continued management of the server.
Unlike the service iptables save command, which actually saves a permanent copy of the firewall’s active configuration in the /etc/sysconfig/iptables file, iptables-save displays the active configuration to the screen in /etc/sysconfig/iptables format. If you redirect the iptables-save screen output to a file with the > symbol, then you can edit the output and reload the updated rules when they meet your new criteria with the iptables-restore command.
This example exports the iptables-save output to a text file named firewall-config.
[root@bigboy tmp]# iptables-save > firewall-config
[root@bigboy tmp]# cat firewall-config
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT – [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@bigboy tmp]#
After editing the firewall-config file with the commands you need, you can reload it into the active firewall rule set with the iptables-restore command.
[root@bigboy tmp]# iptables-restore < firewall-config
Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots:
[root@bigboy tmp]# service iptables save
If desired, you can eventually convert this firewall-config file into a regular iptables script so that it becomes more easily recognizable and manageable.
The iptables application requires you to load certain kernel modules to activate some of its functions. Whenever any type of NAT is required, the iptable_nat module needs to be loaded. The ip_conntrack_ftp module needs to be added for FTP support and should always be loaded with the ip_conntrack module which tracks TCP connection states. As most scripts probably will keep track of connection states, the ip_conntrack module will be needed in any case. The ip_nat_ftp module also needs to be loaded for FTP servers behind a NAT firewall.
Unfortunately, the /etc/sysconfig/iptables file doesn’t support the loading of modules, so you’ll have to add the statements to your /etc/rc.local file which is run at the end of every reboot.
The script samples in this chapter include these statements only as a reminder to place them in the /etc/rc.local file
# File: /etc/rc.local
# Module to track the state of connections
modprobe ip_conntrack
# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp
# Load iptables NAT module when required
modprobe iptable_nat
# Module required for active an FTP server using NAT
modprobe ip_nat_ftp
This section provides some sample scripts you can use to get iptables working for you. Pay special attention to the logging example at the end.
The basic initialization script snippet should also be included in all your scripts to ensure the correct initialization of your chains should you decide to restart your script after startup. This chapter also includes other snippets that will help you get basic functionality. It should be a good guide to get you started.
Note: Once you feel more confident, you can use Appendix II “Codes, Scripts, and Configurations,” to find detailed scripts. The appendix shows you how to allow your firewall to:
> Be used as a Linux Web, mail and DNS server
> Be the NAT router for your home network
> Prevent various types of attacks using corrupted TCP, UDP and ICMP packets.
> Provide outbound passive FTP access from the firewall
There are also simpler code snippets in the Appendix II for Inbound and outbound FTP connections to and from your firewall
Basic Operating System Defense
You can do several things before employing your firewall script to improve the resilience of your firewall to attack. For example, the Linux operating system has a number of built-in protection mechanisms that you should activate by modifying the system kernel parameters in the /proc filesystem via the /etc/sysctl.conf file. Using of /etc/sysctl.conf to modify kernel parameters is explained in more detail in Appendix I, “Miscellaneous Linux Topics.”
Here is a sample configuration:
# File: /etc/sysctl.conf
#—————————————————————
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#—————————————————————
net/ipv4/conf/all/rp_filter = 1
#—————————————————————
# Enable logging of packets with malformed IP addresses
#—————————————————————
net/ipv4/conf/all/log_martians = 1
#—————————————————————
# Disable redirects
#—————————————————————
net/ipv4/conf/all/send_redirects = 0
#—————————————————————
# Disable source routed packets
#—————————————————————
net/ipv4/conf/all/accept_source_route = 0
#—————————————————————
# Disable acceptance of ICMP redirects
#—————————————————————
net/ipv4/conf/all/accept_redirects = 0
#—————————————————————
# Turn on protection from Denial of Service (DOS) attacks
#—————————————————————
net/ipv4/tcp_syncookies = 1
#—————————————————————
# Disable responding to ping broadcasts
#—————————————————————
net/ipv4/icmp_echo_ignore_broadcasts = 1
#—————————————————————
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#—————————————————————
net/ipv4/ip_forward = 1
This configuration will become active after the next reboot, but changes won’t become active in the current boot session until you run the sysctl -p command.
[root@bigboy tmp]# sysctl -p
…
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
[root@bigboy tmp]#
It is a good policy, in any iptables script you write, to initialize your chain and table settings with known values. The filter table’s INPUT, FORWARD, and OUTPUT chains should drop packets by default for the best security. It is not good policy, however, to make your nat and mangle tables drop packets by default. These tables are queried before the filter table, and if all packets that don’t match the nat and mangle table rules are dropped, then they will not reach the INPUT, FORWARD, and OUTPUT chains for processing.
Additional ALLOW rules should be added to the end of this script snippet.
#—————————————————————
# Load modules for FTP connection tracking and NAT – You may need
# them later
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#—————————————————————
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat
#—————————————————————
# Initialize all the chains by removing all the rules
# tied to them
#—————————————————————
iptables –flush
iptables -t nat –flush
iptables -t mangle –flush
#—————————————————————
# Now that the chains have been initialized, the user defined
# chains should be deleted. We’ll recreate them in the next step
#—————————————————————
iptables –delete-chain
iptables -t nat –delete-chain
iptables -t mangle –delete-chain
#—————————————————————
# If a packet doesn’t match one of the built in chains, then
# The policy should be to drop it
#—————————————————————
iptables –policy INPUT -j DROP
iptables –policy OUTPUT -j DROP
iptables –policy FORWARD -j DROP
iptables -t nat –policy POSTROUTING ACCEPT
iptables -t nat –policy PREROUTING ACCEPT
#—————————————————————
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#—————————————————————
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
You may also want to add some more advanced initialization steps to your script, including checks for Internet traffic from RFC1918 private addresses. The sample script snippet below outlines how to do this. More complex initializations would include checks for attacks using invalid TCP flags and directed broadcasts which are beyond the scope of this book.
The script also uses multiple user-defined chains to make the script shorter and faster as the chains can be repeatedly accessed. This removes the need to repeat the same statements over and over again.
You can take even more precautions to further protect your network. The complete firewall script in Appendix II “Codes, Scripts, and Configurations,” outlines most of them.
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
#
# Define networks: NOTE!! You may want to put these “EXTERNAL”
# definitions at the top of your script.
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
EXTERNAL_INT=”eth0″ # External Internet interface
EXTERNAL_IP=”97.158.253.25″ # Internet Interface IP address
#—————————————————————
# Initialize our user-defined chains
#—————————————————————
iptables -N valid-src
iptables -N valid-dst
#—————————————————————
# Verify valid source and destination addresses for all packets
#—————————————————————
iptables -A INPUT -i $EXTERNAL_INT -j valid-src
iptables -A FORWARD -i $EXTERNAL_INT -j valid-src
iptables -A OUTPUT -o $EXTERNAL_INT -j valid-dst
iptables -A FORWARD -o $EXTERNAL_INT -j valid-dst
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Source and Destination Address Sanity Checks
#
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
iptables -A valid-src -s $10.0.0.0/8 -j DROP
iptables -A valid-src -s $172.16.0.0/12 -j DROP
iptables -A valid-src -s $192.168.0.0/16 -j DROP
iptables -A valid-src -s $224.0.0.0/4 -j DROP
iptables -A valid-src -s $240.0.0.0/5 -j DROP
iptables -A valid-src -s $127.0.0.0/8 -j DROP
iptables -A valid-src -s 0.0.0.0/8 -j DROP
iptables -A valid-src -d 255.255.255.255 -j DROP
iptables -A valid-src -s 169.254.0.0/16 -j DROP
iptables -A valid-src -s $EXTERNAL_IP -j DROP
iptables -A valid-dst -d $224.0.0.0/4 -j DROP
Allowing DNS Access To Your Firewall
You’ll almost certainly want your firewall to make DNS queries to the Internet. This is not because it is required for the basic functionality of the firewall, but because of Fedora Linux’s yum RPM updater which will help to keep the server up to date with the latest security patches. The following statements will apply not only for firewalls acting as DNS clients but also for firewalls working in a caching or regular DNS server role.
#—————————————————————
# Allow outbound DNS queries from the FW and the replies too
#
# – Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won’t require TCP statements
#
#—————————————————————
iptables -A OUTPUT -p udp -o eth0 –dport 53 –sport 1024:65535
-j ACCEPT
iptables -A INPUT -p udp -i eth0 –sport 53 –dport 1024:65535
-j ACCEPT
Allowing WWW And SSH Access To Your Firewall
This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions. Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection. It isn’t necessary to specify these ports for the return leg as outbound packets for all established connections are allowed. Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren’t allowed.
#—————————————————————
# Allow previously established connections
# – Interface eth0 is the internet interface
#—————————————————————
iptables -A OUTPUT -o eth0 -m state –state ESTABLISHED,RELATED
-j ACCEPT
#—————————————————————
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#—————————————————————
iptables -A INPUT -p tcp -i eth0 –dport 22 –sport 1024:65535
-m state –state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 –dport 80 –sport 1024:65535
-m state –state NEW -j ACCEPT
Allowing Your Firewall To Access The Internet
This iptables script enables a user on the firewall to use a Web browser to surf the Internet. HTTP traffic uses TCP port 80, and HTTPS uses port 443.
Note: HTTPS (secure HTTP) is used for credit card transactions frequently, as well as by RedHat Linux servers running up2date. FTP and HTTP are frequently used with yum.
#—————————————————————
# Allow port 80 (www) and 443 (https) connections from the firewall
#—————————————————————
iptables -A OUTPUT -j ACCEPT -m state –state NEW
-o eth0 -p tcp -m multiport –dport 80,443 -m multiport
–sport 1024:65535
#—————————————————————
# Allow previously established connections
# – Interface eth0 is the internet interface
#—————————————————————
iptables -A INPUT -j ACCEPT -m state –state ESTABLISHED,RELATED
-i eth0 -p tcp
If you want all TCP traffic originating from the firewall to be accepted, then remove the line:
-m multiport –dport 80,443 –sport 1024:65535
Allow Your Home Network To Access The Firewall
In this example, eth1 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed.
Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.
#—————————————————————
# Allow all bidirectional traffic from your firewall to the
# protected network
# – Interface eth1 is the private network interface
#—————————————————————
iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1
Masquerading (Many to One NAT)
As explained in Chapter 2, “Introduction to Networking,” masquerading is another name for what many call many to one NAT. In other words, traffic from all devices on one or more protected networks will appear as if it originated from a single IP address on the Internet side of the firewall.
Note: The masquerade IP address always defaults to the IP address of the firewall’s main interface. The advantage of this is that you never have to specify the NAT IP address. This makes it much easier to configure iptables NAT with DHCP.
You can configure many to one NAT to an IP alias, using the POSTROUTING and not the MASQUERADE statement. An example of this can be seen in the static NAT section that follows.
Keep in mind that iptables requires the iptables_nat module to be loaded with the modprobe command for the masquerade feature to work. Masquerading also depends on the Linux operating system being configured to support routing between the internet and private network interfaces of the firewall. This is done by enabling IP forwarding or routing by giving the file /proc/sys/net/ipv4/ip_forward the value 1 as opposed to the default disabled value of 0.
Once masquerading has been achieved using the POSTROUTING chain of the nat table, you will have to configure iptables to allow packets to flow between the two interfaces. To do this, use the FORWARD chain of the filter table. More specifically, packets related to NEW and ESTABLISHED connections will be allowed outbound to the Internet, but only packets related to ESTABLISHED connections will be allowed inbound. This helps to protect the home network from anyone trying to initiate connections from the Internet:
#—————————————————————
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#—————————————————————
modprobe iptable_nat
#—————————————————————
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#—————————————————————
echo 1 > /proc/sys/net/ipv4/ip_forward
#—————————————————————
# Allow masquerading
# – Interface eth0 is the internet interface
# – Interface eth1 is the private network interface
#—————————————————————
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0
-j MASQUERADE
#—————————————————————
# Prior to masquerading, the packets are routed via the filter
# table’s FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#—————————————————————
iptables -A FORWARD -t filter -o eth0 -m state
–state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state
–state ESTABLISHED,RELATED -j ACCEPT
Note: If you configure your firewall to do masquerading, then if should be the used as the default gateway for all your servers on the network.
Port Forwarding Type NAT (DHCP DSL)
In many cases home users may get a single DHCP public IP address from their ISPs. If a Linux firewall is also your interface to the Internet and you want to host a Web site on one of the NAT protected home servers, then you will have to use port forwarding. Here the combination of the firewall’s single IP address, the remote server’s IP address, and the source/destination port of the traffic can be used to uniquely identify a traffic flow. All traffic that matches a particular combination of these factors may then be forwarded to a single server on the private network.
Port forwarding is handled by the PREROUTING chain of the nat table. As in masquerading, the iptables_nat module has to be loaded and routing has to be enabled for port forwarding to work. Routing too must be allowed in iptables with the FORWARD chain, this includes all NEW inbound connections from the Internet matching the port forwarding port plus all future packets related to the ESTABLISHED connection in both directions:
#—————————————————————
# Load the NAT module
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#—————————————————————
modprobe iptable_nat
#—————————————————————
# Get the IP address of the Internet interface eth0 (linux only)
#
# You’ll have to use a different expression to get the IP address
# for other operating systems which have a different ifconfig output
# or enter the IP address manually in the PREROUTING statement
#
# This is best when your firewall gets its IP address using DHCP.
# The external IP address could just be hard coded (“typed in
# normally”)
#—————————————————————
external_int=”eth0″
external_ip=”`ifconfig $external_int | grep ‘inet addr’ |
awk ‘{print $2}’ | sed -e ‘s/.*://’`”
#—————————————————————
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#—————————————————————
echo 1 > /proc/sys/net/ipv4/ip_forward
#—————————————————————
# Allow port forwarding for traffic destined to port 80 of the
# firewall’s IP address to be forwarded to port 8080 on server
# 192.168.1.200
#
# – Interface eth0 is the internet interface
# – Interface eth1 is the private network interface
#—————————————————————
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip
–dport 80 –sport 1024:65535 -j DNAT –to 192.168.1.200:8080
#—————————————————————
# After DNAT, the packets are routed via the filter table’s
# FORWARD chain.
# Connections on port 80 to the target machine on the private
# network must be allowed.
#—————————————————————
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.200
–dport 8080 –sport 1024:65535 -m state –state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state
–state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state
–state ESTABLISHED,RELATED -j ACCEPT
Static NAT
In this example, all traffic to a particular public IP address, not just to a particular port, is translated to a single server on the protected subnet. Because the firewall has more than one IP address, I can’t recommend MASQUERADE; it will force masquerading as the IP address of the primary interface and not as any of the alias IP addresses the firewall may have. Instead, use SNAT to specify the alias IP address to be used for connections initiated by all other servers in the protected network.
Note: Although the nat table NATs all traffic to the target servers (192.168.1.100 to 102), only connections on ports 80,443 and 22 are allowed through by the FORWARD chain. Also notice how you have to specify a separate -m multiport option whenever you need to match multiple non-sequential ports for both source and destination.
In this example the firewall:
o Uses one to one NAT to make the server 192.168.1.100 on your home network appear on the Internet as IP addresses 97.158.253.26.
o Creates a many to one NAT for the 192.168.1.0 home network in which all the servers appear on the Internet as IP address 97.158.253.29. This is different from masquerading
You will have to create alias IP addresses for each of these Internet IPs for one to one NAT to work.
#—————————————————————
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#—————————————————————
modprobe iptable_nat
#—————————————————————
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#—————————————————————
echo 1 > /proc/sys/net/ipv4/ip_forward
#—————————————————————
# NAT ALL traffic:
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO: FROM: MAP TO SERVER:
# 97.158.253.26 Anywhere 192.168.1.100 (1:1 NAT – Inbound)
# Anywhere 192.168.1.100 97.158.253.26 (1:1 NAT – Outbound)
# Anywhere 192.168.1.0/24 97.158.253.29 (FW IP)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#
# POSTROUTING:
# NATs source IP addresses. Frequently used to NAT connections from
# your home network to the Internet
#
# PREROUTING:
# NATs destination IP addresses. Frequently used to NAT
# connections from the Internet to your home network
#
# – Interface eth0 is the internet interface
# – Interface eth1 is the private network interface
#—————————————————————
# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0
-j DNAT –to-destination 192.168.1.100
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0
-j SNAT –to-source 97.158.253.26
# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24
-j SNAT -o eth1 –to-source 97.158.253.29
# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100
-m multiport –dport 80,443,22
-m state –state NEW -j ACCEPT
# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections
iptables -A FORWARD -t filter -o eth0 -m state
–state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above
iptables -A FORWARD -t filter -i eth0 -m state
–state ESTABLISHED,RELATED -j ACCEPT
Troubleshooting iptables
A number of tools are at your disposal for troubleshooting iptables firewall scripts. One of the best methods is to log all dropped packets to the /var/log/messages file.
You track packets passing through the iptables list of rules using the LOG target. You should be aware that the LOG target:
o Logs all traffic that matches the iptables rule in which it is located.
o Automatically writes an entry to the /var/log/messages file and then executes the next rule.
If you want to log only unwanted traffic, therefore, you have to add a matching rule with a DROP target immediately after the LOG rule. If you don’t, you’ll find yourself logging both desired and unwanted traffic with no way of discerning between the two, because by default iptables doesn’t state why the packet was logged in its log message.
This example logs a summary of failed packets to the file /var/log/messages. You can use the contents of this file to determine which TCP/UDP ports you need to open to provide access to specific traffic that is currently stopped.
#—————————————————————
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#—————————————————————
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
Here are some examples of the output of this file:
o Firewall denies replies to DNS queries (UDP port 53) destined to server 192.168.1.102 on the home network.
Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192.42.93.30 DST=192.168.1.102 LEN=220 TOS=0×00 PREC=0×00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200
o Firewall denies Windows NetBIOS traffic (UDP port 138)
Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.168.1.100 DST=192.168.1.255 LEN=241 TOS=0×00 PREC=0×00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
o Firewall denies Network Time Protocol (NTP UDP port 123)
Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.168.1.102 DST=207.200.81.113 LEN=76 TOS=0×10 PREC=0×00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
The traffic in all these examples isn’t destined for the firewall; Therefore, you should check your INPUT, OUTPUT, FORWARD, and NAT related statements. If the firewall’s IP address is involved, then you should focus on the INPUT and OUTPUT statements
If nothing shows up in the logs, then follow the steps in Chapter 4, “Simple Network Troubleshooting,” to determine whether the data is reaching your firewall at all and, if it is not, the location on your network that could be causing the problem.
As a general rule, you won’t be able to access the public NAT IP addresses from servers on your home network. Basic NAT testing requires you to ask a friend to try to connect to your home network from the Internet.
You can then use the logging output in /var/log/messages to make sure that the translations are occurring correctly and iptables isn’t dropping the packets after translation occurs
The iptables startup script expects to find the /etc/sysconfig/iptables before it starts. If none exists, then symptoms include the firewall status always being stopped and the /etc/init.d/iptables script running without the typical [OK] or [FAILED] messages.
If you have just installed iptables and have never applied a policy, then you will face this problem. Unfortunately, running the service iptables save command before restarting won’t help either. You have to create this file.
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]#
[root@bigboy tmp]# touch /etc/sysconfig/iptables
[root@bigboy tmp]# chmod 600 /etc/sysconfig/iptables
[root@bigboy tmp]# service iptables start
Applying iptables firewall rules: [ OK ]
[root@bigboy tmp]#
![clip_image012[1]](http://subhrendu.files.wordpress.com/2009/04/clip-image01211.gif "clip_image012[1]"){kind=small}
