Chit chat

======

Alas poor Nslu2, I knew you well.

Basic commonly known as Basic all-purpose instruction code is also known as BASIC – “Briskly Achieve Solutions Impossible in C”.

Cunningham’s Law states “the best way to get the right answer on the Internet is not to ask a question, it’s to post the wrong answer.”

may-the-fourth-4th-be-with-you-memes-gifs-star-wars-day-18

——————————————————

Just some notes to myself.

Add to Path

export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/home/$USER/bc:/home/$USER/bin

Alternative ping command

fping -q -a -c 1 -g 192.168.1.0/24

List files in latest files last in in single lines

ls -rtl

Edit the score of Gnome mines,

cd /var/games
sudo vim gnomine.Small.scores

Moving like files to same directory. i,e, html and support folder.

mkdir html/js ; mv JavaScr* html/js/

Count files in a directory

ls -1 | wc -l

This did not work at all

wget -r -e robot.txt=off username.wordpress.com

——————————————————

Downloaded all the pdf files from my instructables site for use on a local server. Found a manual method that was not too cumbersome. The I used the following batch file to automatically create the html for the file listing.

ls *.pdf > pdflist
cut -d "." -f1 pdflist > descripts
sed -i -e 's/^/<a href=\"/' pdflist
sed -i 's/$/\"\>/' pdflist
paste -d "" pdflist descripts > pdflist.html
sed -i 's/$/\<\/a\>\<br \/\>/' pdflist.html
echo "<html>" > index.html
echo "<body>" >> index.html
echo "<h2><center>PDF list</center></h2>" >> index.html
echo "<hr>" >> index.html
cat pdflist.html >> index.html
echo "</body>" >> index.html
echo "</html>" >> index.html

Screenshot from 2015-05-01 07:52:14

 

Decided to add some alphabetic tags:

<pre>
<a href="#a">A</a>
<p><a name="a">A</a></p>
</pre>

Screenshot from 2015-05-02 17:56:56
------------------------------------------------------

Update to radio.sh script

Update:  Shoutcast stations work also.

Go to http://www.xatworld.com/radio-search/

One example:

mplayer http://108.61.73.120:8118

Screenshot from 2015-05-02 17:14:13

Screenshot from 2015-05-02 17:09:13

——————————————————

For almost two years, or since Ubuntu 12.04 was released, there has been a steady stream of posts about PAE and related problems. 12.04 was the first Ubuntu for which a special non-PAE version wasn’t available. X/Lubuntu carried on supporting non-PAE processors for one release more, making 12.10 their first PAE-only release.Several workarounds have been published which enabled the affected hardware (the Banias part of the Pentium M family) to run the latest Buntus.From 14.04 the boot option forcepae has been added, which eliminates the need for these workarounds. More here.I suggest that when people encounter a PAE related question they spread the word and point to Lubuntu 14.04 and the boot option, provided that the person asking is willing to run a beta version, of course. We will try this option with a P I.

——————————————————

Use any of this information at you own risk.

Basics

The essence of security is simplicity, and when it comes to workstation or small-office Linux firewalls I have always been a fan of direct iptables use over some of the more popular alternatives ([g]ufw, fwbuilder). While they may be easier to use, they also hide a lot of the details. Especially when you are starting to learn about firewalls and network security, I believe you are better served using customizable firewall scripts like the two I detail below. When you get comfortable with iptables and networking concepts, then you can look to some of the other solutions. At that point, you’ll fully understand what they are doing under the hood.
Iptables Scripts

The first aptly-named shell script, ‘firewall.sh’, is meant to protect a SOHO (Small Office / Home Office) or home office network behind a dual-homed (two interface) firewall. It doesn’t support DMZ hosts, but does support the most common scenario of SOHO or home firewalls doing double-duty as SSH or web servers. It features forwarding, NAT (network address translation), syn-flood protection and rate-limiting for log entries.

The next script, ‘bastion-host.sh’, is much simpler, and is meant to be used on any host directly connected to the Internet, like a home workstation or laptop. It drops all inbound connections by default. Both scripts are well-commented, with any variables and each section explained. You can download the scripts here:

Dual-homed Linux firewall script
Singly-homed Linux firewall script (bastion host)  

Startup Options The way I like to use these scripts on a Debian or Ubuntu system (see below for an alternative if you use network manager) is very simple and is as follows:

First, put your chosen script in /usr/local/sbin, and make it owned by root with permissions 0700.

 

$ sudo cp ./firewall.sh /usr/local/sbin; chown root.root /usr/local/sbin/firewall.sh; chmod 0700 /usr/local/sbin/firewall.sh

Edit /etc/network/interfaces, and add the following line to the interface stanza of your external interface (usually eth0):

 

pre-up /usr/local/sbin/firewall.sh

So the stanza for your external interface will probably look something like this when you are done:

 

interface eth0 inet dhcp 

pre-up /usr/local/sbin/bastion-host.sh 

or

 

interface eth0 inet static 

address 10.1.1.254 

netmask 255.255.255.0 

gateway 10.1.1.1 

pre-up /usr/local/sbin/firewall.sh

On desktop systems where you are using the network manager application, or on Red Hat, CentOS or Fedora systems, you can put scripts like this in /etc/rc.local (On Red Hat systems the comments and touch command are there already by default): #!/bin/sh # # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don’t # want to do the full Sys V style init stuff.

 

# touch /var/lock/subsys/local /usr/local/sbin/firewall.sh

Just make sure that if you use this method on Red Hat based systems, you stop the default iptables firewall:

 

# /etc/init.d/iptables stop chkconfig –level 2345 iptables off

If you would rather integrate your firewall into the Red Hat startup scripts, run the firewall script of your choice directly. Then save the rules so they will be read by the

 

# iptables init script: /usr/local/sbin/firewall.sh iptables-save > /etc/sysconfig/iptables service iptables restart

You would then need to do this every time you made a firewall script change.

Testing

When you make changes to the script, just run it again directly and check the firewall status (see below). There are times when an erroneous change will lock you or a network client out of your server. If you have direct access to the host, you can correct any errors that occur immediately from the console. If you are making firewall changes over an SSH session, rename the firewall script first, and make changes on the copy, so that you can just reboot the box as a last resort to get a known-good configuration. Some hosting providers also provide a remote console that is ideal for fixing mistakes.

Monitoring Firewall Status

You can view the currently loaded ruleset as follows:

 

# iptables -L -nvx iptables -t nat -L -nvx

The -nvx options give you the most detail possible – showing IP addresses instead of hostnames and full packet counts. This comes in handy if you want to see how often a rule is being hit, or if some rules never get hit. The option -t nat shows just the rules in the NAT table.

One final note, there is an ip6tables command that is the analogue of iptables for IPv6, and can be used independently of and alongside it.

Webmin

Use webmin to set up and administer  your firewall rules remotely.

Older script:

# Red Hat Linux firewall using iptables
#
# Created: October 2002
# Last Revised: August 2006
#
# Authors: Dennis G. Allard (allard@oceanpark.com) and Don Cohen (don@isis.cs3-inc.com)
#
# This script works on on servers running Red Hat 7.3, 8.0, 9.0, and
# RHEL ES 3 and 4.  Variants of this script are in active use on
# many servers.
#
# No warranty is implied.  Use at your own risk!!

# Using this script
# —————–
#
# I save this file as /etc/sysconfig/iptables-precursor
# and then source it and run iptables-save to create
# /etc/sysconfig/iptables, which is an input file
# consumed by the script /etc/rc.d/init.d/iptables,
# which in turn makes use of the script /sbin/iptables-restore.
#
# Before mucking with setting up iptables, you should
# disconnect the machine from the internet.  Examine
# and understand the current set of iptables rules
# before you reconnect to the internet.
#
# To configure the set of iptables rules:
#
#   /etc/rc.d/init.d/iptables stop
#   source /etc/sysconfig/iptables-precursor
#
# To save the current set of iptables rules for use at next reboot:
#
#   iptables-save > /etc/sysconfig/iptables
#
# To dynamically restart iptables after modifying /etc/sysconfig/iptables:
#
#   /etc/rc.d/init.d/iptables restart
#
# Note that /etc/rc.d/init.d/iptables is a script.  You can read it to
# gain understanding of how iptables uses iptables-restore to restore
# iptables firewall rules at reboot.
#
# To examine the current set of rules in effect:
#
#   /etc/rc.d/init.d/iptables status
#
# However, I prefer to show the current set of rules via:
#
#   iptables -nvL -t filter
#   iptables -nvL -t nat
#
# or
#
#   iptables -vL -t filter
#   iptables -vL -t nat
#
#
# To configure iptables to be used at next system reboot:
#
#   chkconfig –add iptables
#
# To see if iptables is currently configured to start at boot, do:
#
#   chkconfig –list iptables
#
# (You might have to do chkconfig –del ipchains to remove ipchains)
#
# The rest of this file is derived from my old ipchains script.
#

# A word about routing
# ——————–
#
# Note that this web page does not discuss routing decisions.  Routing
# (see the ‘ifconfig’ and ‘route’ commands) decides which interface an
# incoming packet will be delivered to, i.e. if a given packet will be
# ‘input’ to this machine or be ‘forwarded’ to some interface for
# delivery to another machine, say on an internal network.  You should
# have your routing configured before you attempt to configure your
# firewall.
#
# Caveat.  DNAT and SNAT provide a way for the IPTABLES firewall to modify the
# Destination or Source IP addresses of a packet and, in this way, interact
# with routing decisions.  See section below: ‘More about NAT and routing’.
#

# The network
# ———–
#
# This firewall is running on a gateway machine having multiple ethernet
# interfaces, a public one, eth0, which is a DSL connection to an ISP,
# and one or more internal ones, including eth1, which is assigned to
# 192.168.0.1, an IP number on my internal private network.  My public
# network has static IP numbers depicted below as x.y.z….  Actual
# IP numbers would, of course, be a sequence of four octets.  For this
# script, I assume that the firewall is running on the same machine
# having the interfaces configued with my public IPs.  For this reason,
# most of the rules below are INPUT rules.  Were I to route some of my public
# static IP numbers to interfaces on one or more machines inside the
# firewall on the internal network, I would modify certain rules to be
# FORWARD rules instead of INPUT rules.  I show some examples below of
# FORWARD rules.  Finally, the script is just for a single server IP,
# hence all of the “/32” network masks below.  A more realistic situation
# would involve using IP ranges and their corresponding network masks.
#
# The gateway at my ISP is x.y.z.1.  I run a few web servers on
# x.y.z.w, a DNS server on x.y.z.n, and qmail on x.y.z.m.
#
# Using this file in a more complex network would require some
# modifications. Particular attention would need to be given to using
# the right the IP numbers and interfaces, among other things. 🙂
#

# Preliminaries
# ————-
#
# To permit machines internal to the network to be able to
# send IP packets to the outside world, enable IP Forwarding:
#
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Prevent SYN floods from consuming memory resources:
#
#   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# I place the above echo commands into /etc/rc.d/rc.local
# so that they will be executed at boot time.
#

# The basic idea of this firewall
# ——————————-
#
# Provide rules that are applied in the following order:
#
# ACCEPT all UDP packets for certain UDP services
#
# Currently the only UDP connections I accept are to my secure DNS
# server, tinydns. For an explanation of why tinydns is secure, see:
# http://www.faqts.com/knowledge_base/view.phtml/aid/8739/fid/699.
#
# DENY all other UDP packets.
#
# ACCEPT SYN packets just for certain TCP services
#
# SYN packets are specified via the -syn flag in the input
# rules defined below.  Note that certain services can be
# further filtered by xinetd.
#
# DENY all other TCP SYN packets.
#
# ACCEPT all other TCP packets that are part of existing connections
#
# DENY all other TCP packets.
#
# In other words, we allow any TCP packet through that is part of an
# established TCP connection, but we are very selective in just which
# connections we permit to be made to start off with.
#
# A brief explanation of SYN packets goes as follows.  TCP connections
# are initiated via a hand shaking protocol between the client and server
# programs at either end of the connection.  The very first TCP packet
# is sent by the client to the server and is called a SYN packet,
# because it has the SYN flag set to 1 in the TCP packet header.  We
# only allow SYN packets for the specific servers running on specific
# ports of specific hosts.  Subsequently, we only permit further TCP
# packets in that are determined to be part of a connection whose
# initial SYN packet was already accepted and responded to by one of our
# servers.  This is done via ‘Stateful Packet Inspection’ provided by the
# netfilter functionality added to linux as of kernel 2.4.  By stopping all
# other packets in their tracks, we limit attempts to attack our internal
# network.
#
# There are subtle ways that Denial of Service attacks can be performed
# if an attacker is able to somehow gain access to a machine inside our
# network or otherwise hijack a connection.  However, even in such
# cases, current research is leading to ways to greatly limit the effect
# of such attacks. For further reading, see: http://www.cs3-inc.com/ddos.html.
#
# For detailed background reading about iptables, please refer to:
# http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
#

# begin oceanpark.com firewall rules (using iptables)
# —————————————————

# Here we go…

#
# Configure default policies (-P), meaning default rule to apply if no
# more specific rule below is applicable.  These rules apply if a more specific rule below
# is not applicable.  Defaults are to DROP anything sent to firewall or internal
# network, permit anything going out.
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#
# Flush (-F) all specific rules
#
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

# The rest of this file contains specific rules that are applied in the order
# listed.  If none applies, then the above policy rules are used.

#
# Forward all packets from eth1 (internal network) to eth0 (the internet).
#
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#
# Forward packets that are part of existing and related connections from eth0 to eth1.
#
iptables -A FORWARD -i eth0 -o eth1 -m state –state ESTABLISHED,RELATED -j ACCEPT

#
# Permit packets in to firewall itself that are part of existing and related connections.
#
iptables -A INPUT -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

# Note, in the above two rules, a connection becomes ESTABLISHED in the
# iptables PREROUTING chain upon receipt of a SYNACK packet that is a
# response to a previously sent SYN packet. The SYNACK packet itself is
# considered to be part of the established connection, so no special
# rule is needed to allow the SYNACK packet itself.

#
# Allow all inputs to firewall from the internal network and local interfaces
#
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

#
# Enable SNAT functionality on eth0
#
# SNAT (Source NAT) is used to map private source IP numbers of
# interfaces on the internal LAN to one of my public static IP numbers.
# SNAT performs this mapping when a client running on one of the
# internal hosts (x.y.z.c) initiates a TCP connection (SYN) through
# eth0.
#
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT –to-source x.y.z.c

#
# Alternative to SNAT — MASQUERADE
#
# If your firewall has a dynamic IP number because it connects to the
# internet itself via DHCP, then you probably cannot predict what the IP
# number is of your firewall’s interface connected to the internet. In
# this case, you need a rule like the following that assigns the (an) IP
# number associated with eth0 to outgoing connections without you needing
# to know in advance (at time of writing this rule) what that IP number is:
#
# iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
#
# Note that the above SNAT and MASQUERADE rules are applicable
# independent of how a host on the internal network is assigned its own
# internal IP number.  The host could be assigned a static IP number on
# an internal nonpublic network (e.g. 10. or 192.168.)  or it could be
# itself assigned a dynamic IP number from your own DHCP server running
# on the firewall, or it could even have a public static IP number.
# However, it seems unlikely that one would want to assign a public IP
# number to a host and then proceed to hide that number from the public.
#

#
# Deny any packet coming in on the public internet interface eth0
# which has a spoofed source address from our local networks:
#
iptables -A INPUT -i eth0 -s x.y.z.s/32 -j DROP
iptables -A INPUT -i eth0 -s x.y.z.c/32 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

#
# Accept all tcp SYN packets for protocols SMTP, HTTP, HTTPS, and SSH:
# (SMTP connections are further audited by our SMTP server)
#
iptables -A INPUT -p tcp -s 0/0 -d x.y.z.m/32 –destination-port 25 –syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 –destination-port 80 –syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 –destination-port 443 –syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 –destination-port 22 –syn -j ACCEPT

#
# Notice that the above rules are all INPUT rules.  My current network
# does not require me to make use of FORWARD rules, since I run all
# publicly accessible servers directly on my firewall machine.  But I
# promised above in the description of my network to give examples of
# rules used when there are servers running on machines on the internal
# network.  Following are examples of FORWARD rules I would use if I ran
# mail, web, and ssh servers on machines on the internal network inside
# the firewall.
#
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.m/32 –destination-port 25 –syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.w/32 –destination-port 80 –syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.w/32 –destination-port 443 –syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d 0/0 –destination-port 22 –syn -j ACCEPT
#
#
# The first three of the above four rules would be used if my routing
# delivered packets having destination IP x.y.z.m, port 25, or IP
# x.y.z.w, port 80 or 443, to an interface connected to my internal
# network (i.e. the packet was being FORWARDed). The fourth of the above
# four rules is similar but operates on any destination IP, port 22.
#
# The difference between an INPUT rule and a FORWARD rule is that an
# INPUT rule applies to packets that are ‘input’ to this machine (the
# machine on which these iptables firewall rules are installed), whereas
# a FORWARD rule applies to packets that are being ‘fowarded’, i.e. to
# packets that are passing through this machine to some other machine,
# such as a machine on my internal network.
#
# If I ran my mail server on an internal machine, I would no longer
# need my previous INPUT rule for x.y.z.m and would use the above
# FORWARD rule instead.
#

#
# Begin Caveat, More about NAT and routing
#
# The above talk of routing is independent of the rules defined here.
# I.e., routing is determined by ifconfig, route, et. al.  I have not
# yet seen any very good explanation of how to setup the static routing
# table (what you see as output from the `route` command).  I will not
# attempt to remedy that lacuna at this time.  If you know of some
# good documenation that completely and accurately explains the
# semantics of the ifconfig and route commands, i.e., explains what
# affect each has such that I can reliably predict what the output
# of `route` will be after executing a sequence of ifconfig and
# route commands, then please do let me know.
#
# What *can* be done by IPTABLES rules that has the ‘feel’ of routing is
# DNAT (Destintion NAT) and SNAT (Source NAT).  DNAT and SNAT rules are,
# respectively, mechnisms to map the incoming destination IP number and
# outgoing source IP number to different IP numbers.  For example, SNAT
# can be used to map an internal source IP number to any one of your
# external public IP numbers so that a workstation on your internal
# network will appear to servers on the internet to which it connects to
# have a source IP number equal to the mapped public IP number.
#
# DNAT goes the other way. It is a mechanism used typically to map
# public destination IP numbers to internal private IP numbers.  (In
# fact, DNAT could also map public to public or private to private or
# private to public, but that is left as an exercise for the reader).
# So, for example, if you run a mail server on a machine configured with
# an internal IP number but wish to expose that service to the external
# world via a public IP number, DNAT is for you.
#
# Now, DNAT and SNAT are *not* routing but can *interact* with routing.
# Routing decides whether a packet is going to be INPUT to this machine
# or be FORWARDed to another machine.  That decision is done by routing.
# Once that decision is made, and only then, are the IPTABLES filtering
# rules (FORWARD and INPUT rules) applied to a given packet.  On the
# other hand DNAT is applied by a PREROUTING rule and SNAT by a POSTROUTING
# rule.  It is now time for you to read the following Packet Filtering
# HOWTO section:
#
# http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-9.html
#
# which states:
#
#     It’s common to want to do Network Address Translation (see the
#     NAT HOWTO) and packet filtering. The good news is that they mix
#     extremely well.  [editor- The NAT HOWTO can be found at:
#     http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html%5D
#
#     You design your packet filtering completely *ignoring* any NAT you
#     are doing. The sources and destinations seen by the packet filter
#     will be the `real’ sources and destinations. For example, if you
#     are doing DNAT to send any connections to 1.2.3.4 port 80 through
#     to 10.1.1.1 port 8080, the packet filter would see packets going
#     to 10.1.1.1 port 8080 (the real destination), not 1.2.3.4 port 80.
#     Similarly, you can ignore masquerading: packets will seem to come
#     from their real internal IP addresses (say 10.1.1.1), and replies
#     will seem to go back there.
#
#
# Hence, INPUT/FORWARD rules would operate on destination IP numbers
# *after* a DNAT rule is applied.  But if you don’t have any DNAT rules,
# then INPUT/FORWARD would apply to the IP numbers as they are in the
# incoming packet.
#
# INPUT or FORWARD would be needed purely depending on whether your
# routing would cause the packet to stay on the machine where the
# firewall is installed or be forwarded to another machine.  THAT
# decision is done by routing and *not* by DNAT or SNAT or anything
# else in this firewall script.
#
# It is perfectly possible for the machine having the firewall to have
# both public and internal IPs configured and/or for some packets to be
# INPUT and others to be FORWARDed.
#
# DNAT is done by a PREROUTING rule, so you should think of things as
# proceeding in the following order:
#
#     1.  apply PREROUTING DNAT rules (if any) to map destination IP
#     2.  apply routing decisions (see ifconfig et. al.)
#     3a. apply INPUT rules to packets having a destination IP on this machine
#     3b. apply FORWARD rules to packets having a destination IP elsewhere
#     4.  apply POSTROUTING SNAT rules (if any) to map source IP
#
# (3a and 3b can be done in either order since they apply to a mutually
# exclusive set of packets)
#
# I *think* that’s correct.
#
# End Caveat, More about NAT and routing
#

#
# Sometimes I run older versions of SSH on port 2200:
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 –destination-port 2200 –syn -j ACCEPT

#
# For imapd via stunnel (instead of xinetd-based imapd):
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 –destination-port 993 –syn -j ACCEPT

#
# For xinetd-based IMAP server (see /etc/xinetd.conf for who can use it):
#
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 –destination-port 143 –syn -j ACCEPT

#
# For DHCP server:
#
iptables -A INPUT -i eth1 -p tcp –sport 68 –dport 67 -j ACCEPT
iptables -A INPUT -i eth1 -p udp –sport 68 –dport 67 -j ACCEPT

#
# For LDAP clients:
#
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 –destination-port 389 -syn -j ACCEPT
#dga- worry about LDAP later (after I decode LDAP documentation (-;)

#
# DNS queries:
#
# Permit responses from our ISP’s DNS server.  When a client running on our
# host makes a DNS query, the outgoing query is allowed since we permit all
# outgoing packets.  The reply will be a UDP connection back to the high
# numbered client port from which the query was made.  So we only need to
# permit UDP packets from our ISP’s DNS servers back to high numbered ports:
#
#iptables -A INPUT -p udp -s <ISP DNS server IP>/32 –source-port 53 -d 0/0 –destination-port 1024:65535 -j ACCEPT
#
# But since we trust our ISP DNS Server not not have been hacked and we may
# not be sure what our client IP range is, we loosen this to:
#
iptables -A INPUT -p udp -s <ISP DNS server IP>/32 –source-port 53 -d 0/0 -j ACCEPT

#
# Running a caching DNS Server
#
# We need to permit querying a remote DNS server.  Since I am running
# a caching DNS server on x.y.z.d that makes requests for DNS lookups
# to external DNS servers, those servers send back responses via UDP to
# the high numbered client port on x.y.z.d where the caching server listens.
# I could of course increase security by running the dns cache on its own
# machine/IP and restricting to just that machine/IP.
#
iptables -A INPUT -p udp -s 0/0 –source-port 53 -d x.y.z.d/32 –destination-port 1024:65535 -j ACCEPT

#
# Running a DNS server (tinydns)
#
# When we run a DNS server, we have to accept UDP from anywhere to port 53
#
iptables -A INPUT -p udp -s 0/0 -d 0/0 –destination-port 53 -j ACCEPT

#
# Running a Master DNS Server to update slave DNS servers
#
# You may have your server colocated at an ISP and may arrange to have your
# ISP provide your primary and secondary DNS with the ISP DNS servers slaving
# off of your master DNS server.  This has the advantage of letting you be
# in full control of the DNS zone files yet keeping the DNS servers exposed
# to the public outside of your network.  To achieve this, in addition to
# permitting vanilla DNS responses from the ISP DNS serves, you also need
# to allow TCP connections from the ISP Master DNS Server:
#
# Allow DNS zone transfers via TCP from ISP Master DNS server:
#
# iptables -A INPUT -p tcp -s <ISP Master DNS server IP>/32 -d 0/0 –destination-port 53 –syn -j ACCEPT

#
# For some other custom server running here listening on port <port number>:
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 –destination-port <port number> –syn -j ACCEPT

#
# For FTP server, restricted to specific local hosts (and see /etc/xinetd.conf):
# (for public file transfers we use scp, sftp, and related SSH file transfer tools)
#
iptables -A INPUT -p tcp -s x.y.z.s/32 -d 0/0 –destination-port 20 –syn -j ACCEPT
iptables -A INPUT -p tcp -s x.y.z.s/32 -d 0/0 –destination-port 21 –syn -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.1/8 -d 0/0 –destination-port 20 –syn -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.1/8 -d 0/0 –destination-port 21 –syn -j ACCEPT

#
# For Samba (smbd and nmbd), restricted to specific local client hosts (x.y.z.c):
#
iptables -A INPUT -p tcp -s x.y.z.c/32 -d x.y.z.s/32 –destination-port 139 –syn -j ACCEPT
iptables -A INPUT -p udp -s x.y.z.c/32 -d x.y.z.s/32 –destination-port 137 -j ACCEPT

#
#Special cable modem rules.  I used to have a third ethernet card,
#eth2, attached to a separate ISP via a cable modem and used the rules
#shown below to cause a specific Windows machine on my internal network
#(192.168.0.128) to send traffic out via DSL and get it back via cable.
#This violates ingres filtering rules but seems to work.  It was neat
#since my cable modem had higher inbound bandwidth and it permitted
#me to do downloads without impacting my DSL inbound bandwidth.
#I no longer have that third interface, so no longer use this technique.
#
#iptables -A INPUT -i eth2 -s 68.65.209.39/32 -j DROP
#iptables -A INPUT -i eth2 -s 127.0.0.0/8 -j DROP
#iptables -t nat -A POSTROUTING -s 192.168.0.128/32 -d 0/0 -j SNAT –to-source 68.65.209.39

#
# Finally, DENY all connection requests to any UDP port not yet provided
# for and all SYN connection requests to any TCP port not yet provided
# for.  Using DENY instead of REJECT means that no ‘ICMP port
# unreachable’ response is sent back to the client attempting to
# connect.  I.e., DENY just ignores connection attempts.  Hence, use of
# DENY causes UDP connection requests to time out and TCP connection
# requests to hang.  Hence, using DENY instead of REJECT may have
# the effect of frustrating attackers due to increasing the amount of
# time taken to probe ports.
#
# Note that there is a fundamental difference between UDP and TCP
# protocols.  With UDP, there is no ‘successful connection’ response.
# With TCP, there is.  So an attacking client will be left in the dark
# about whether or not the denied UDP packets arrived and will hang
# waiting for a response from denied TCP ports.  An attacker will not
# be able to immediately tell if UDP connection requests are simply
# taking a long time, if there is a problem with connectivity between
# the attacking client and the server, or if the packets are being
# ignored.  This increases the amount of time it takes for an attacker
# to scan all UDP ports.  Similarly, TCP connection requests to denied
# ports will hang for a long time.  By using REJECT instead of DENY, you
# would prevent access to a port in a more ‘polite’ manner, but give out
# more information to wannabe attackers, since the attacker can positively
# detect that a port is not accessible in a small amount of time from
# the ‘ICMP port unreachable’ response.

iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp –syn -j DROP

# end oceanpark.com firewall rules (using iptables)
# ————————————————-
——————————————————

FM40LLQI52CSZSN.MEDIUM

Freebasic is free and is available for most platforms.

compile with

fbc -lang qb filerdr.bas

filerdr.bas


open "file" for input as #1 

open "notes" for output as #2 

open "notes-cs" for output as #3 

do while not eof(1) 

input #1, a$ 

b$ = left$(a$,2) 

c$ = mid$(a$,4,2) 

print #2,"NOTE_";b$;", "; 

print #3, c$;", "; 

loop 

close #1 

close #2\

close #3

file
G3-3

F4-23

notes
NOTE_G3, NOTE_F4,

notes-cs

3 , 23,

—————-

Screenshot from 2015-05-09 09:05:01

——————————————————

Unfinished. Use at your own risk.

Minimal install ubuntu router

At least 2 nics wan(primary)/lan(secondary)

set hostname

set User name

set password for user and verify

encrypt home directory ?

set Timezone

Use “Guided” default disk partitions setup

Set proxy if needed

Configure updates for automatic install. Security            automatically)

Software install (just openssh server)

Boot loader (best for single os install) install brub to master boot record)

Reboot

Command line login with username and password

sudo will be used alot

Add  webmin repo

Test version of Webmin in Ubuntu Linux from its official repository.

As you may know, Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely.

To get started, login your remote server and follow the steps below:

1. Run below command to edit the source file:

sudo vi /etc/apt/sources.list

2. Press i on keyboard to start editing the file and add this line into the end:

deb http://download.webmin.com/download/repository sarge contrib

Press Esc to exit edit. Shift + : and followed by wq to save the changes.

3. Now execute command to download and install the key:

wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add –

4. After that, you can always use below commands to install the latest version of Webmin:

sudo apt-get update

sudo apt-get install webmin

Install software

$ sudo apt-get install webmin bind9 perl dhcp3server openssl

sudo vim /etc/network/interfaces

Look at setup.

Add interface for lan

# wan network interface

auto eth0

iface eth0 inet dhcp

# lan network interface

auto eth1

iface eth0 inet static

address 10.1.10.1

netmask 255.255.255.0

broadcast 10.1.10.255

network 10.1.10.0

Enable ipv4

$ sudo vim /etc/sysctl.conf

scro0ll down and uncomment line for packetforwarding for ipv4

see running interfaces

$ ifconfig

eth1 may not be up

see interfaces

$ ifconfig -a

start lan interface

$ sudo ifup eth1

Should see both cards

$ ifconfig

Hook computer to lan interface and reget ip addess

Go to another machine and use web browser

for the url use 10.1.10.1:10000

https://10.1.10.1:10000

add security exception

Login

Change timezone if needed

Go to configuration

Go to ports and addresses

change any address to only listen on server address

Port 10000 is ok

save

Go back to configuration

Goto Ipaccess control

Goto  allowed addresses

Include local network

add current machine

Allow resolve hostnames

save

Go back to configuration

Goto Networking

Check interfaces in network configuration

Goto config dhcp server

Hostname and Dnsserver

Add router as primary dns server

Search domain as wanb address

save

Goto Server

Goto Dhcp server

Add new subnet

subnet and other infor from from /etc/net/interfaces file

Description to whatever you like.

Set address on same subnet for use with client machines.

Static addresses should not be part of dhcp addresses.

you can change default lease times

Edit client options

Add subnet

default router lan address

save

save

edit network interfaces

set eth1  (lan) as interface to give out addesses

start dhcp server

Reserve an address

need mac address and an address to use.

leave at top level

add hostname for resolving.

apply changes

Goto Configure firewall

Set nat translatiopn on external interface (eth0)

Enable firewall at boot time

setup firewall

Goto Packet filtering

Default action on incoming packets to drop

Set

Drop forwarded packets

Add rules to incoming packets

1 accept all incoming packets on loopback (lo) interface

create

2  accept all incoming packets on eth1

create

3 accept packets from eth1 needs to be related to established from internal or already established (connection state) related to eth0

4 forwarded packets accept input eth1 and output eth0

create

5 accept established and related traffic for eth0 to eth1

accept all outgoing packets

chain

log dropped packes if space

log packets

if eth0 for

if noit logged the dropped

view logfile

——————————————————

Here is a web based interface to control some low voltage lines via the
Arduino.  The web interface will let you either singly turn an led on of off. You can also turn all the leds on or off at one time. From there you can interface all kinds of equipment.  Thebasoc circuit for the project is:

Or to look at an Arduino board the relevant pins are:

Whether is is for a Personal computer or one of many microcontrollers, the interfacing technique is pretty much the same. Here are two links to consider:

http://www.instructables.com/id/Ubuntu-and-the-arduino/

 http://www.instructables.com/id/External-device-control-ie-coffee-machine/

Now you can remotely turn on for off many devices and a start at home automation.

The code:

#include <Ethernet.h>

#include <SPI.h>

//network NB: Pins 10, 11, 12 and 13 are reserved for Ethernet module.

byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };

byte ip[] = { 192, 168, 1, 200 };

byte gateway[] = { 192, 168, 1, 1 };

byte subnet[] = { 255, 255, 255, 0 };

String inString = String(35);

String Led;
String z;

int led[] = {00, 1, 2, 3, 4, 5, 6, 7, }; //Led pins num 0 in arry is not used

int numofleds = 7; //numofleds

String value[] = {"on","on","on","on","on","on","on","on","on"}; //startup all led are off

EthernetServer server(80);

String data;

void setup()

{

Serial.begin(9600);

Ethernet.begin(mac, ip,gateway,subnet);

server.begin();

//set pin mode

for (int j = 0; j < (numofleds + 1); j++){

pinMode(led[j], OUTPUT);

}

Serial.println("Serial READY");

Serial.println("Ethernet READY");

Serial.println("Server READY");

}

void loop()

{

EthernetClient client = server.available();

if(client){

// an http request ends with a blank line

boolean current_line_is_blank = true;

while (client.connected()) {

if(client.available()) {

char c = client.read();

// if we've gotten to the end of the line (received a newline

// character) and the line is blank, the http request has ended,

// so we can send a reply

if (inString.length() < 35) {

inString.concat(c);

}

if (c == '\n' && current_line_is_blank) {

// send a standard http response header

client.println("HTTP/1.1 200 OK");

client.println("Content-Type: text/html");

client.println();

client.println("<html><body><form method=get>");

client.println("<hr><center>");
client.println("<p>Led controller</p>");
client.println("</center><hr>");

client.println("<p>Each led</p>");

for(int i=2;i < (numofleds + 1) ;i++){

Led = String("Led") + i;
z = String("#") + i;
if(inString.indexOf(Led+"=on")>0 || inString.indexOf("all=on")>0){

Serial.println(Led+"on");

digitalWrite(led[i], HIGH);

value[i] = "off";

}else if(inString.indexOf(Led+"=off")>0 || inString.indexOf("all=off")>0 ){

Serial.println(Led+"off");

digitalWrite(led[i], LOW);

value[i] = "on";

}

client.println("<br> Led "+z+"  <input type=submit name="+Led+" value="+value[i]+">");

}

client.println("<p>All leds</p>");
client.println("<input type=submit name=all value=on><input type=submit name=all value=off>");

client.println("</form><html></body>");

break;

}

if (c == '\n') {

// we're starting a new line

current_line_is_blank = true;

} else if (c != '\r') {

// we've gotten a character on the current line

current_line_is_blank = false;

}

}

}

// give the web browser time to receive the data

delay(10);

inString = "";

client.stop();

}

}

——————————————————

This article is more about window dressing more than anything else. The Arduino comes with a nice bit of web server code that reports the results of some temperature sensors. Thought the code could use at least some minimal improvements. Also put the the Arduino web address on the dns so that it could be called by the hostname lookup instead of the ipaddress. The important part of the changed code is included. Normally you can not store images on the Arduino, but you can reference them from another site.


void loop() {
  // listen for incoming clients
  EthernetClient client = server.available();
  if (client) {
    Serial.println("new client");
    // an http request ends with a blank line
    boolean currentLineIsBlank = true;
    while (client.connected()) {
      if (client.available()) {
        char c = client.read();
        Serial.write(c);
        // if you've gotten to the end of the line (received a newline
        // character) and the line is blank, the http request has ended,
        // so you can send a reply
        if (c == '\n' && currentLineIsBlank) {
          // send a standard http response header
          client.println("HTTP/1.1 200 OK");
          client.println("Content-Type: text/html");
          client.println("Connnection: close");
          client.println();
          client.println("<!DOCTYPE HTML>");
          client.println("<html>");
                    // add a meta refresh tag, so the browser pulls again every 5 seconds:
          client.println("<meta http-equiv=\"refresh\" content=\"5\">");
          // output the value of each analog input pin
        
          client.println("<hr>");
          client.println("<center>");
          client.println("<h2>Analog sensor information page</h2>");
          client.println("</center>");
          client.println("<hr>");
          client.println("<br><br>");
          client.println("<img
src='http://cdn.instructables.com/FFO/DOLC/FVW22FQV/FFODOLCFVW22FQV.LARGE.gif'
 width='200' height='200'>");
          client.println("<table border='1'>");
          client.println("<tr>");
          client.println("<td>");
          client.println("Sensor number");
          client.println("</td>");
          client.println("<td>");
          client.println("Sensor value");
          client.println("</td>");
          client.println("</tr>");
          for (int analogChannel = 0; analogChannel < 6; analogChannel++) {
           client.println("<tr>");
            client.println("<td>");
            int sensorReading = analogRead(analogChannel);
                
            client.print(analogChannel);
         
            client.println("</td>");
            client.println("<td>");
            client.print(sensorReading);
            client.println("<br />");     
             client.println("</td>");
            client.println("</tr>");
                   
      }
        client.println("</table>");
          client.println("</html>");
          break;
        }
        if (c == '\n') {
          // you're starting a new line
          currentLineIsBlank = true;
        }
        else if (c != '\r') {
          // you've gotten a character on the current line
          currentLineIsBlank = false;
        }
      }
    }
    // give the web browser time to receive the data
    delay(1);
    // close the connection:
    client.stop();
    Serial.println("client disonnected");
  }

Example of how to the the temperature with an arduino.  From Ubuntu and the Arduino on http://www.instructables.com

 Temp sensor. Is it too hot for you or your equipment, so now you can tell. Using an ice cube  will gve you a good test of the unit.Could also be the start of a sous vide machine.<code.>

//declare variables
float tempC;
int tempPin = 0;

void setup()
{
Serial.begin(9600); //opens serial port, sets data rate to 9600 bps
}

void loop()
{
tempC = analogRead(tempPin);           //read the value from the sensor
tempC = (5.0 * tempC * 100.0)/1024.0;  //convert the analog data to temperature
Serial.print((byte)tempC);             //send the data to the computer
delay(1000);                           //wait one second before sending new data
}

</code>

 

——————————————————

Pasta drying stand

FHB2NO5H8RVM4N4.MEDIUM

Good day.

Advertisements