Tuesday 31 January 2012

Enable IP forwarding in Linux

This can be done in several ways; here are the most common.

Use procfs
This is probably the most common way. It is a temporary change, so you need to enable it again after every reboot.
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
The redirection has to run inside the root shell: a plain sudo echo 1 > /proc/sys/net/ipv4/ip_forward fails with "Permission denied" because the redirect is performed by your unprivileged shell, not by sudo. You can add this line to the /etc/rc.local file, so that forwarding is enabled again each time the computer reboots.

You can check if IP forwarding is enabled or disabled by checking the content of /proc/sys/net/ipv4/ip_forward file:
cat /proc/sys/net/ipv4/ip_forward
If the output is 1, it is enabled; if it is 0, it is disabled.

Use sysctl
sysctl lets you change kernel parameters on the fly, so you can use it to change the IP forwarding behaviour.

First, let’s check if it is enabled or disabled, as root run:
sysctl -a | grep net.ipv4.ip_forward
Now you can set its value to 1 to enable IP forwarding:
sysctl -w net.ipv4.ip_forward=1
This is also temporary; to make it permanent, edit the file /etc/sysctl.conf:

sudo vi /etc/sysctl.conf
And uncomment or add this line:
net.ipv4.ip_forward = 1
To make it effective without rebooting, run this command:
sudo sysctl -p
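A small checker that ties the procfs and sysctl methods together, added here as an example (it is not part of the original post): it reports the running state from /proc/sys/net/ipv4/ip_forward and the persistent state from /etc/sysctl.conf, so you can tell whether a host that forwards traffic now (which makes it a router for whatever can reach it) will still do so after a reboot, or the other way round. The function names and the optional file arguments, which exist only so the functions can be exercised against constructed files, are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports the running and
# the persistent IPv4 forwarding state. The optional FILE arguments default
# to the real paths used in the post and are overridable for testing.

# Running state: prints "1" or "0" as read from procfs (the file the post
# uses), or "unknown" with a non-zero status if it cannot be read.
ip_forward_running() {
    proc_file=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$proc_file" ] || { echo "unknown"; return 1; }
    tr -d '[:space:]' < "$proc_file"
}

# Persistent state: the last uncommented net.ipv4.ip_forward assignment in a
# sysctl.conf-style file wins (sysctl -p applies the file top to bottom).
# Prints "1", "0" or "unset"; accepts both "key=1" and "key = 1" spellings.
ip_forward_persistent() {
    conf=${1:-/etc/sysctl.conf}
    [ -r "$conf" ] || { echo "unset"; return 0; }
    value=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$conf" | tail -n 1)
    echo "${value:-unset}"
}

# Enable forwarding at runtime. "sudo echo 1 > file" fails because the
# redirection is done by the unprivileged caller, so the write is performed
# inside a root shell instead.
enable_ip_forward() {
    proc_file=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ "$(id -u)" -eq 0 ]; then
        echo 1 > "$proc_file"
    else
        sudo sh -c "echo 1 > '$proc_file'"
    fi
}

# One-line summary of both states; exit status 0 only when they agree,
# i.e. the host will behave the same way after its next reboot.
ip_forward_report() {
    running=$(ip_forward_running "$1")
    persistent=$(ip_forward_persistent "$2")
    echo "running=$running persistent=$persistent"
    [ "$running" = "$persistent" ]
}

# Run as "sh ip_forward_check.sh --report" on a real host.
if [ "${1:-}" = "--report" ]; then
    ip_forward_report
fi
```

The report treats "unset" in /etc/sysctl.conf as disabled after reboot, which is the kernel default; if your distribution ships drop-in files under /etc/sysctl.d/, pass that file as the second argument.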


Sunday 29 January 2012

Permanent iptables Configuration

You can save the current configuration and have it restored automatically at boot. To save and restore it, use iptables-save and iptables-restore.

Save your firewall rules to a file:
sudo sh -c "iptables-save > /etc/iptables.rules"
At this point you have several options. You can make changes to /etc/network/interfaces or add scripts to /etc/network/if-pre-up.d/ and /etc/network/if-post-down.d/ to achieve similar ends. The script solution allows for slightly more flexibility.

Solution #1 - /etc/network/interfaces

Modify the /etc/network/interfaces configuration file to apply the rules automatically.
Open your /etc/network/interfaces file:
sudo vi /etc/network/interfaces
Add a single line (shown below) just after ‘iface lo inet loopback’:
pre-up iptables-restore < /etc/iptables.rules
You can also prepare a set of "down" rules, save them into a second file, /etc/iptables.downrules, and apply them automatically using the same approach:
post-down iptables-restore < /etc/iptables.downrules
A full working example using both lines from above:
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.downrules
You may also want to keep the byte and packet counters:
sudo sh -c "iptables-save -c > /etc/iptables.rules"
The above command will save the whole rule-set to a file called /etc/iptables.rules with byte and packet counters still intact.

Solution #2 /etc/network/if-pre-up.d and ../if-post-down.d

NOTE: This solution uses iptables-save -c to save the counters. Just remove the -c to only save the rules.

Alternatively you could add the iptables-restore and iptables-save calls to the if-pre-up.d and if-post-down.d directories in /etc/network instead of modifying /etc/network/interfaces directly.

The script /etc/network/if-pre-up.d/iptablesload will contain:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
and /etc/network/if-post-down.d/iptablessave will contain:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
    iptables-restore < /etc/iptables.downrules
fi
exit 0
Then be sure to give both scripts execute permissions:
sudo chmod +x /etc/network/if-post-down.d/iptablessave
sudo chmod +x /etc/network/if-pre-up.d/iptablesload

Solution #3 iptables-persistent

Install and use the iptables-persistent package.

Tips

If you manually edit iptables on a regular basis
The above steps go over how to set up your firewall rules and presume they will be relatively static (and for most people they should be). But if you do a lot of development work, you may want to have your iptables rules saved every time you reboot. You could add lines like these to /etc/network/interfaces:
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules

The line "post-down iptables-save > /etc/iptables.rules" will save the rules to be used on the next boot.
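The post-down save shown above has one failure mode worth guarding against: the shell truncates /etc/iptables.rules before iptables-save even starts, so a save that fails partway (or a shutdown that interrupts it) leaves an empty or partial file, and the next pre-up iptables-restore then silently brings the host up with no rules. The following script, added here as an example rather than taken from the post, writes the dump to a staging file, checks that every table header has its COMMIT, and only then moves it into place. The function names and optional arguments are this example's own; the default path and the iptables-save -c command are the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: an atomic replacement for
# "iptables-save > /etc/iptables.rules". The dump goes to a staging file
# next to the target, is validated, and is moved into place only if complete.

RULES_FILE=${RULES_FILE:-/etc/iptables.rules}

# Return 0 if FILE looks like a complete iptables-save dump: non-empty, at
# least one table header (*filter, *nat, ...) and one COMMIT per header.
rules_file_ok() {
    file=$1
    [ -s "$file" ] || return 1
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT$' "$file" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# List the tables a dump contains, one per line (e.g. "filter", "nat").
rules_file_tables() {
    sed -n 's/^\*\([a-z]*\)$/\1/p' "$1"
}

# save_rules_atomic [TARGET] [SAVE_COMMAND]
# SAVE_COMMAND defaults to the post's "iptables-save -c" (drop -c if you do
# not want counters); it is a parameter so the function can be driven by a
# stand-in command when testing. A failed or truncated dump never replaces
# the existing file.
save_rules_atomic() {
    target=${1:-$RULES_FILE}
    save_cmd=${2:-"iptables-save -c"}
    staging=$(mktemp "${target}.XXXXXX") || return 1
    if $save_cmd > "$staging" && rules_file_ok "$staging"; then
        chmod 0600 "$staging"    # the ruleset describes your network; root only
        mv -f "$staging" "$target"
    else
        rm -f "$staging"
        echo "save_rules_atomic: refusing to replace $target with an incomplete dump" >&2
        return 1
    fi
}

# Run as "sh save_rules.sh --save" (as root) to save the live ruleset.
if [ "${1:-}" = "--save" ]; then
    save_rules_atomic
fi
```

To use it with Solution #2, replace the iptables-save line in /etc/network/if-post-down.d/iptablessave with a call to save_rules_atomic (source this file first); the restore side is unchanged because a file that passed the check is a normal iptables-save dump.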


Monday 23 January 2012

Xenserver list snapshots

This command lists the snapshot tree, giving you a view of where each VDI fits on your system:
for i in `vgs --noheadings -o vg_name`; do vhd-util scan -p -l $i -f 'VHD-*' ; done


Thursday 5 January 2012

Organize your photos with a script

I have a lot of photographs and they were distributed over several external disks and computers, so I needed a way to organize them. I searched the web and found a script that used the EXIF data to organize the images into folders by year, month and day. So I picked that up and modified it a bit to better fit my needs; I ended up with the script that you can check after the break.
I also use this script to move the photos from my camera to my PC.

Note: I don't remember the link where I got the original script from, but I will update this post as soon as I find it. The original script can be found here: http://davehope.co.uk/Blog/sorting-your-photos-with-bash/


Monday 2 January 2012

Setting up a Bridged VPN using OpenVPN

Install OpenVPN and bridging tools:
sudo apt-get install openvpn bridge-utils
Setting up the Bridge

Edit /etc/network/interfaces

When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo eth0
iface lo inet loopback
# The primary network interface
## This device provides internet access.
iface eth0 inet static
 address 192.168.1.10
 netmask 255.255.255.0
 gateway 192.168.1.1
Edit this and add a bridge interface:
sudo vi /etc/network/interfaces
so that it looks similar to this:
## This is the network bridge declaration
## Start these interfaces on boot
auto lo br0
iface lo inet loopback
iface br0 inet static
 address 192.168.1.10
 netmask 255.255.255.0
 gateway 192.168.1.1
 bridge_ports eth0
iface eth0 inet manual
 up ip link set $IFACE up promisc on
 down ip link set $IFACE down promisc off
If you are running Linux inside a virtual machine, you may want to add the following parameters to the bridge connection:
bridge_fd 9 ## from the libvirt docs (forward delay time)
bridge_hello 2 ## from the libvirt docs (hello time)
bridge_maxage 12 ## from the libvirt docs (maximum message age)
bridge_stp off ## from the libvirt docs (spanning tree protocol)
Restart networking:
sudo /etc/init.d/networking restart
The bridging declarations come from the libvirt documentation.

Generating Certificates

Generate certificates for the server. In order to do this I will set up my own Certificate Authority using the easy-rsa scripts provided in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.

Copy the files to the /etc/openvpn/easy-rsa/ directory:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Then edit /etc/openvpn/easy-rsa/vars:
sudo vi /etc/openvpn/easy-rsa/vars
And change these lines at the bottom so that they reflect your new CA:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Finally, set up the CA and create the first server certificate:
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## set up the easy-rsa directory (deletes all keys)
./build-dh ## takes a while, consider backgrounding
./pkitool --initca ## creates the CA cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## build the TLS auth key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
The Certificate Authority is now set up and the needed keys are in /etc/openvpn/.

Configuring the Server

By default, all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is create a new file named server.conf in the /etc/openvpn/ directory.

First, we're going to create a couple of new scripts to be used by the OpenVPN server.
sudo vi /etc/openvpn/up.sh
This script should contain the following:
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"
Now, we'll create a "down" script.
sudo vi /etc/openvpn/down.sh
It should contain the following:
#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
And finally on to configuring openvpn itself.
sudo vi /etc/openvpn/server.conf

mode server
tls-server
local <your ip address> ## ip/hostname of server
port 1194 ## default openvpn port
proto udp
#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
If the server initialization script complains with "WARN: could not open database for 4096 bits. Skipped", you can work around it by running this command:
touch /usr/share/openssl-blacklist/blacklist.RSA-4096
Now you will need to restart openvpn and load the new config with:
sudo /etc/init.d/openvpn restart
If you run a firewall like ufw, remember to enable IP forwarding; otherwise the clients will only be able to reach the server itself, not the other hosts on the LAN.


Setting up a Routed VPN using OpenVPN

First let's install OpenVPN:
sudo apt-get install openvpn
OpenVPN must be installed on both client and server; the configuration file used when starting the service defines the role of each machine.

Now we can start, stop or restart OpenVPN as usual:

Start OpenVPN:
/etc/init.d/openvpn start
Stop OpenVPN:
/etc/init.d/openvpn stop
Restart OpenVPN:
/etc/init.d/openvpn restart
Every time you change settings in /etc/openvpn/openvpn.conf you need to restart OpenVPN.

Create Keys and Certificates

Now we need to create security certificates and keys. We'll do all this in the server as root:
cd /etc/openvpn/
Copy the directory easy-rsa to /etc/openvpn:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
Remember we're still inside the /etc/openvpn directory. Now let's edit the file vars with our favorite editor (replace vi with yours):
vi easy-rsa/vars
Kaiman reported a change for this part after June 2008:
vi easy-rsa/2.0/vars
Comment this line:
#export D=`pwd`
Add this one:
export D=/etc/openvpn/easy-rsa
And modify as below:
export KEY_COUNTRY=PE
export KEY_PROVINCE=LI
export KEY_CITY=Lima
export KEY_ORG="Nombre-OpenVPN"
export KEY_EMAIL="tu-nombre@example.com"
Save and quit.

Now run:
. ./vars
Important: that's a period, a space and another period followed by /vars (the file is sourced into the current shell). This is a common source of confusion in many setups.

Now:
./clean-all
The next command creates your certificate authority (CA) using the parameters you just set; you only need to add the Common Name (I used OpenVPN-CA). This step needs OpenSSL; if it is not installed on your server, install it by running:
sudo apt-get install openssl
Ok, now we're ready:
./build-ca
Now let's create the keys, first the server:
./build-key-server server
This is important: when build-key-server asks for the Common Name, enter server, the same parameter you passed to the command.

Also you'll need to answer yes to these two questions:
Sign the certificate? [y/n]
and

1 out of 1 certificate requests certified, commit? [y/n].

Now the key for the client:
./build-key client1
Use client1 as the Common Name, the same parameter you passed to build-key.

You can repeat this step if you want to have more clients, just replace the parameter with client2, client3, etc.

Now let's create Diffie Hellman parameters:
./build-dh
There you are! Now you should have a new directory with your certificates and keys: /etc/openvpn/easy-rsa/keys. To configure your first client, copy these files from the server (servo) to the client (cliento):
ca.crt
client1.crt
client1.key
Ideally you should use a secure channel; I use scp with RSA authentication (a topic for another article):
scp alexis@servo:ca.crt .
scp alexis@servo:client1.crt .
scp alexis@servo:client1.key .
These commands assume you've copied the files to the home of user alexis on the server and assigned read permissions. Then move the files to /etc/openvpn on the client.

The Configuration Files: openvpn.conf

Now go to your client and create openvpn.conf in /etc/openvpn. Write this inside:
dev tun
client
proto tcp
remote x.y.z.w 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
# Set log file verbosity.
verb 3
Replace x.y.z.w with your server's public IP.
Now in the server: create openvpn.conf in /etc/openvpn and put this:
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
comp-lzo
If your connections are a little slow, you can try disabling compression by commenting out that line:
#comp-lzo
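A quick audit of an OpenVPN 2.x server configuration, added here as an example that belongs to neither post; it covers both the bridged server.conf and the routed openvpn.conf shown above. Every directive name it looks for is a real OpenVPN option; which settings count as findings is this example's own conservative judgement: BF-CBC (the default when cipher is absent in OpenVPN releases of this era) and the other 64-bit block ciphers, a missing tls-auth, no tls-version-min (available from OpenVPN 2.3.3), 1024-bit DH parameters, compression enabled (both posts turn on comp-lzo; compressing plaintext before encryption leaks information about it through ciphertext sizes), running without user/group, and client-to-client, which lets VPN clients reach each other without passing through the host's iptables rules. cipher AES-256-GCM needs OpenVPN 2.4 or later; AES-256-CBC works on older releases. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from either OpenVPN post: audit an OpenVPN server
# config file for settings a reviewer would question. Usage:
#   sh ovpn_audit.sh /etc/openvpn/server.conf   (exit status = findings)

# Does FILE contain an uncommented DIRECTIVE? A commented-out line has
# "#directive" as its first word, so it does not match.
ovpn_has() {
    awk -v d="$2" '$1 == d { found = 1; exit } END { exit !found }' "$1"
}

# Print the first argument of the first uncommented DIRECTIVE in FILE.
ovpn_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Print one finding per line; return the number of findings (0 = clean).
audit_openvpn_conf() {
    conf=$1
    count=0

    # Data-channel cipher. Blowfish, DES/3DES, CAST5, IDEA and RC2 all have
    # 64-bit blocks, which is too small for a long-lived tunnel.
    cipher=$(ovpn_arg "$conf" cipher)
    case "${cipher:-BF-CBC}" in
        BF-*|DES-*|CAST5-*|IDEA-*|RC2-*)
            echo "cipher: ${cipher:-unset, defaults to BF-CBC} is a 64-bit block cipher; use AES-256-GCM (2.4+) or AES-256-CBC"
            count=$((count + 1)) ;;
    esac

    # tls-auth adds an HMAC to control-channel packets, so unauthenticated
    # traffic is dropped before any TLS processing happens.
    if ! ovpn_has "$conf" tls-auth; then
        echo "tls-auth: missing; add 'tls-auth ta.key 0' (clients use key direction 1)"
        count=$((count + 1))
    fi

    # Minimum TLS version (OpenVPN 2.3.3 and later).
    if ! ovpn_has "$conf" tls-version-min; then
        echo "tls-version-min: missing; add 'tls-version-min 1.2'"
        count=$((count + 1))
    fi

    # 1024-bit DH parameters; easy-rsa's KEY_SIZE in vars controls build-dh.
    dh=$(ovpn_arg "$conf" dh)
    case "$dh" in
        *1024*)
            echo "dh: $dh looks like 1024-bit parameters; regenerate with KEY_SIZE=2048 or larger"
            count=$((count + 1)) ;;
    esac

    # Compression before encryption leaks plaintext structure via sizes.
    if ovpn_has "$conf" comp-lzo; then
        echo "comp-lzo: compression enabled; disable unless bandwidth genuinely requires it"
        count=$((count + 1))
    fi

    # The daemon should drop root after start-up.
    if ! ovpn_has "$conf" user || ! ovpn_has "$conf" group; then
        echo "user/group: missing; add 'user nobody' and 'group nogroup'"
        count=$((count + 1))
    fi

    # Inter-client traffic is switched inside OpenVPN and never hits iptables.
    if ovpn_has "$conf" client-to-client; then
        echo "client-to-client: enabled; traffic between VPN clients bypasses the host firewall"
        count=$((count + 1))
    fi

    return "$count"
}

if [ -n "${1:-}" ]; then
    audit_openvpn_conf "$1"
fi
```

Run against the routed post's server file the audit reports six findings (default cipher, no tls-auth, no tls-version-min, dh1024.pem, comp-lzo and client-to-client); against the bridged post's server.conf it reports four, since that file already carries tls-auth and has no client-to-client.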
Finally, configure IP forwarding and an iptables NAT rule on the server (the redirection has to happen inside a root shell, so a plain sudo echo would not work):
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
You can verify the rule was written correctly with:
sudo iptables -L -t nat
If you have a firewall you should make sure your VPN traffic can be routed.

If you made a mistake and want to remove all rules from the nat table:
sudo iptables -F -t nat
Now restart OpenVPN in both client and server and you should be set.

Running ifconfig and route -n, you should see a new interface, tun0, on both PCs.

Confirm you can connect with a ping to your new tun0 interfaces, for example:
ping 10.8.0.1
