Home
Browsing the archives for the Ubuntu Commands tag.
Subscribe


Ubuntu Firewall – UFW – Uncomplicated Firewall Basics

Feb 9, 2010
F.A.Q.'s, How To's, LAMP, Open Source, P.C. Linux, Security, Ubuntu, Ubuntu Server

Firewall

Introduction

The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.

The kernel’s packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you’re familiar with it, but many frontends are available to simplify the task.

ufw – Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall.

ufw by default is initially disabled. From the ufw man page:

“ ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls. ”

The following are some examples of how to use ufw:

  • First, ufw needs to be enabled. From a terminal prompt enter: 
    sudo ufw enable
  • To open a port (ssh in this example): 
    sudo ufw allow 22
  • Rules can also be added using a numbered format: 
    sudo ufw insert 1 allow 80
  • Similarly, to close an opened port: 
    sudo ufw deny 22
  • To remove a rule, use delete followed by the rule: 
    sudo ufw delete deny 22
  • It is also possible to allow access from specific hosts or networks to a port. The following example allows ssh access from host 192.168.0.2 to any ip address on this host: 
    sudo ufw allow proto tcp from 192.168.0.2 to any port 22

    Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet.

  • Adding the –dry-run option to a ufw command will output the resulting rules, but not apply them. For example, the following is what would be applied if opening the HTTP port: 
     sudo ufw --dry-run allow http

    *filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
COMMIT
Rules updated
  • ufw can be disabled by: 
    sudo ufw disable
  • To see the firewall status, enter: 
    sudo ufw status
  • And for more verbose status information use: 
    sudo ufw status verbose
  • To view the numbered format: 
    sudo ufw status numbered
[Note]
If the port you want to open or close is defined in /etc/services, you can use the port name instead of the number. In the above examples, replace 22 with ssh.

This is a quick introduction to using ufw. Please refer to the ufw man page for more information.

ufw Application Integration

Applications that open ports can include an ufw profile, which details the ports needed for the application to function properly. The profiles are kept in /etc/ufw/applications.d, and can be edited if the default ports have been changed.

  • To view which applications have installed a profile, enter the following in a terminal: 
    sudo ufw app list
  • Similar to allowing traffic to a port, using an application profile is accomplished by entering: 
    sudo ufw allow Samba
  • An extended syntax is available as well: 
    ufw allow from 192.168.0.0/24 to any app Samba

    Replace Samba and 192.168.0.0/24 with the application profile you are using and the IP range for your network.

    [Note]
    There is no need to specify the protocol for the application, because that information is detailed in the profile. Also, note that the app name replaces the port number.
  • To view details about which ports, protocols, etc are defined for an application, enter: 
    sudo ufw app info Samba

Not all applications that require opening a network port come with ufw profiles, but if you have profiled an application and want the file to be included with the package, please file a bug against the package in Launchpad.

IP Masquerading

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus “masqueraded” as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

ufw Masquerading

IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in /etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.

The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.

  • First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”: 
    DEFAULT_FORWARD_POLICY="ACCEPT"

    Then edit /etc/ufw/sysctl.conf and uncomment:

    net.ipv4.ip_forward=1

    Similarly, for IPv6 forwarding uncomment:

    net.ipv6.conf.default.forwarding=1
  • Now we will add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments: 
    # nat Table rules
*nat
 :P OSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

    The comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last line for each table modified:

    # don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

    For each Table a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables.

    [Note]
    In the above example replace eth0, eth1, and 192.168.0.0/24 with the appropriate interfaces and IP range for your network.
  • Finally, disable and re-enable ufw to apply the changes: 
    sudo ufw disable && sudo ufw enable

IP Masquerading should now be enabled. You can also add any additional FORWARD rules to the /etc/ufw/before.rules. It is recommended that these additional rules be added to the ufw-before-forward chain.

iptables Masquerading

iptables can also be used to enable masquerading.

  • Similar to ufw, the first step is to enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncomment the following line 
    net.ipv4.ip_forward=1

    If you wish to enable IPv6 forwarding also uncomment:

    net.ipv6.conf.default.forwarding=1
  • Next, execute the sysctl command to enable the new settings in the configuration file: 
    sudo sysctl -p
  • IP Masquerading can now be accomplished with a single iptables rule, which may differ slightly based on your network configuration: 
    sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

    The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:

    • -t nat — the rule is to go into the nat table
    • -A POSTROUTING — the rule is to be appended (-A) to the POSTROUTING chain
    • -s 192.168.0.0/16 — the rule applies to traffic originating from the specified address space
    • -o ppp0 — the rule applies to traffic scheduled to be routed through the specified network device
    • -j MASQUERADE — traffic matching this rule is to “jump” (-j) to the MASQUERADE target to be manipulated as described above
  • Also, each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work: 
    sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

    The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.

  • If you want masquerading to be enabled on reboot, which you probably do, edit /etc/rc.local and add any commands used above. For example add the first command with no filtering: 
    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

Logs

Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT).

If you are using ufw, you can turn on logging by entering the following in a terminal:

sudo ufw logging on

To turn logging off in ufw, simply replace on with off in the above command.

If using iptables instead of ufw, enter:

sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "

A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:

[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0

The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log. This behavior can be modified by editing /etc/syslog.conf appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as fwanalog, fwlogwatch, or lire.

Other Tools

There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. For the GUI-inclined:

  • Firestarter is quite popular and easy to use.
  • fwbuilder is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall-1.

If you prefer a command-line tool with plain-text configuration files:

  • Shorewall is a very powerful solution to help you configure an advanced firewall for any network.
  • ipkungfu should give you a working firewall “out of the box” with zero configuration, and will allow you to easily set up a more advanced firewall by editing simple, well-documented configuration files.
  • fireflier is designed to be a desktop firewall application. It is made up of a server (fireflier-server) and your choice of GUI clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows.
The material in this document is available under a free license, see License for details.
No Comments
Tags , , , , , , , , ,

If you are getting “could not reliably determine the servername”

Apr 16, 2009
F.A.Q.'s, How To's, LAMP, Ubuntu, Ubuntu Server

If you are getting any of the following errors please see this page!






apache2: could not   reliably determine the server's fully qualified domain name, using 127.0.0.1   for servername




apache2: could not reliably determine   the server's fully qualified domain name




apache2: could not reliably determine   the server




apache2: could not reliably determine   the server's fully qualified domain name, using




could not reliably determine apache2




could not reliably determine the   server's fully qualified domain name




ubuntu 8.10 apache2: could not reliably   determine the server's fully qualified domain name




could not reliably determine the   server’s fully qualified domain name""




could not reliably determine   the""




could not reliably"" apache2




could not reliably""   servername




could not determine fully qualified   hostname ubuntu server 8.10




could not reliably determine




could not reliably determine the server




could not reliably determine the server   fully qualified domain name ubuntu




could not reliably determine the   server's apache2




could not reliably determine the   server's fully qualified domain name windows




could not reliably determine the   server's fully qualified domain name, using 127.0.0.1 for servername




could not reliably determine the   server's fully qualified domain, using




could not reliably determine the   server\\\'s fully qualified domain name




apache ""could not reliably   determine the server""




apache 2 could not determinate




apache could not reliably determine   servername




apache couldn reliably determine the




apache2 + could not reliably determine   the server's fully qualified domain name+virtual machine




apache2 apache2 could not reliably   determine the




apache2 could not reliably determin




apache2 could not reliably determine   domain name




apache2 could not reliably determine the   server fully qualified domain name




apache2 could not reliably determine the   server's




apache2 could not reliably determine the   server's fully qualified domain name




apache2 could not reliably fully   qualified ubuntu




apache2 error could not reliably   determin servers fully qualified




apache2 reliably determine ubuntu 8.10   server




apache2 servername ""could not   reliably determine"" ""fully qualified domain   name""




apache2: could not reliably




apache2: could not reliably determine   the server's fully qualified




apache2: could not reliably determine   the server's fully qualified domain name, using 127.0.0.1 for servername in   ubuntu
No Comments
Tags , , , , , , ,

Ubuntu Terminal – Basic Commands and Usage

Apr 8, 2009
F.A.Q.'s, How To's, LAMP, Open Source, P.C. Linux, Ubuntu, Ubuntu Server

To start a terminal form the GUI(Graphical User Interface)

In Gnome (Ubuntu)
The terminal can be found at Applications menu -> Accessories -> Terminal.

In Xfce (Xubuntu)
The terminal can be found at Applications menu -> System -> Terminal.

In KDE (Kubuntu)
The terminal can be found at KMenu -> System -> Terminal Program (Konsole).

Commands

sudo: Executing Commands with Elevated Privileges

  • Most of the following commands will need to be prefaced with the sudo command if you will be working with directories or files not owned by your account. This is a special command which temporarily gives you access to change computer settings. The terminal will ask you for your password.

File & Directory Commands

  • pwd: The pwd command will allow you to know in which directory you’re located (pwd stands for “print working directory”). Example: “pwd” in the Desktop directory will show “~/Desktop”. Note that the Gnome Terminal also displays this information in the title bar of its window – see the example screenshot at the top of this page.

  • ls: The ls command will show you the files in your current directory. Used with certain options, you can see sizes of files, when files were made, and permissions of files. Example: “ls ~” will show you the files that are in your home directory.

  • cd: The cd command will allow you to change directories. When you open a terminal you will be in your home directory. To move around the file system you will use cd. Examples:

    • To navigate into the root directory, use “cd /”

    • To navigate to your home directory, use “cd” or “cd ~”

    • To navigate up one directory level, use “cd ..”

    • To navigate to the previous directory (or back), use “cd -”

    • To navigate through multiple levels of directory at once, specify the full directory path that you want to go to. For example, use, “cd /var/www” to go directly to the /www subdirectory of /var/. As another example, “cd ~/Desktop” will move you to the Desktop subdirectory inside your home directory.

  • cp: The cp command will make a copy of a file for you. Example: “cp file foo” will make a exact copy of “file” and name it “foo”, but the file “file” will still be there. If you are copying a directory, you must use “cp -r directory foo” (copy recursively).

  • mv: The mv command will move a file to a different location or will rename a file. Examples are as follows: “mv file foo” will rename the file “file” to “foo”. “mv foo ~/Desktop” will move the file “foo” to your Desktop directory but will not rename it. You must specify a new file name to rename a file.

    • To save on typing, you can substitute ‘~’ in place of the home directory.

    • Note that if you are using mv with sudo you can use the ~ shortcut, because the terminal expands the ~ to your home directory. However, when you open a root shell with sudo -i or sudo -s, ~ will refer to the root account’s home directory, not your own.

  • rm: Use this command to remove or delete a file in your directory.

  • rmdir: The rmdir command will delete an empty directory. To delete a directory and all of its contents recursively, use rm -r instead.

  • mkdir: The mkdir command will allow you to create directories. Example: “mkdir music” will create a directory called “music”.

  • man: The man command is used to show you the manual of other commands. Try “man man” to get the man page for man itself. See the “Man & Getting Help” section down the page for more information.

No Comments
Tags , , , , , , ,

How to share files and folders in Ubuntu Desktop

Jan 19, 2009
Configuring Ubuntu, F.A.Q.'s, How To's, P.C. Linux, Tech Industry News, Ubuntu, Ubuntu Server

This will teach you how to enable file sharing in ubuntu desktop, hopefully.

  1. Sharing files and folders across your network from your Ubuntu PC is every bit as easy as sharing files in Windows (arguably, it’s easier). Start by right-clicking the folder you want to share, and select Share Folder. If the services required to share files/folders aren’t installed, you’ll be prompted to install them.
  2. After clicking Install services they will automatically start to download and install.
  3. Once that has completed you’ll be presented with an options window. From here you can select the type of sharing (SMB or NFS), give the shared folder a name and decide if you want read-only access to the folder. Click OK when you’re done.
  4. If you right-click on your newly shared folder and select Properties and then the Emblems tab, you can give the folder a unique icon so you’ll know it’s shared.
  5. You can further modify the permissions of your shared folder by selecting the Permissions tab after right clicking.

To add a user to use the share:

  1. Now open a terminal in Ubuntu and enter the command:
    sudo smbpasswd -a username

This will add a user/pass for you to use.

YAY! we’re done!

No Comments
Tags , , , , ,

Ubuntu – Common Questions when Moving from Windows

Jan 19, 2009
F.A.Q.'s, How To's, Open Source, P.C. Linux, Tech Industry News, Ubuntu

Recently I upgraded my parent from Windows XP to Ubuntu. As many of you already know, even Dell now includes an option to have Ubuntu rather than Windows.

If you’ve recently upgraded a family member from Windows to Ubuntu please feel free to share your experience and offer any suggestions for FAQs/tutorials.

This is a guide on some common questions I have run into if you have any you would like to add just drop a comment or e-mail us.

Browser Related

1. How to change your Home Page in Firefox on Ubuntu

  • open firefox
  • Select Edit and then Preferences from the Firefox menu
  • Enter in the Homepage in the Homepage section and click CLOSE

Managing Files, Folders and Programs

1. How to rename a file or folder in Ubuntu

  • Right-click the file/folder you want to rename, and select Rename… from the menu.

or

  • If you prefer to use the keyboard more than the mouse, select the file you want to rename and hit the F2 key. The background will change (the cursor will be blinking) indicating that you can rename the file now. Hit enter when done.

2. How to create a desktop shortcut in Ubuntu

  • Navigate to the program you want to create a desktop shortcut for, select it by clicking on it once and while holding down the mouse button, drag it over to your desktop and let go.

3. How to resize pictures/images in Ubuntu

  • Start by locating the image you want to resize. Right-click it and select Open With -> Open with “GIMP Image Editor”.
  • In the main Gimp window (the one with your picture displayed) select Image from the top menu, and then Scale Image… from the drop-down list.
  • The Scale Image window will appear. The image dimensions (Width and Height) will be displayed in pixels.
  • If you’d like to resize your picture based on percentage, click the “up/down” arrows in the pixels menu and select percent.
  • Now use the up or down arrow(s) in the Width: box to increase or decrease the size of your picture. In the example below, I’ve decreased the size of the picture by 50%. Click the Scale button when you’re ready.
  • The picture will now shrink (assuming you opted to decrease its size).
  • If you want to permanently resize the picture, select File -> Save. If you want to save this resized picture but keep the original as it is, click File -> Save as…
  • Give your ‘new’ picture a name and click the Save button.
  • You’ll be asked what Quality you want the picture to be. The higher the quality, the larger the resulting file. I usually opt for somewhere around 95. Click OK when you’re done.
  • That’s it! You can now quit The Gimp by selecting File -> Quit.

Ubuntu “Look and Feel”

1. How to change your desktop background/wallpaper

  • Right-click in an empty space on your desktop and select Change Desktop Background from the pop-up menu.
  • The Desktop Background Preferences window will appear. From here you can opt for No Wallpaper, one of the defaults (Simple and Smooth Chocolate), set your own, or use a solid color. To set your own wallpaper, click the Add Wallpaper button.
  • Navigate to the folder that contains the picture you wish to use as your desktop background (wallpaper). Select it and then click Open.
  • That image will now appear as one of the wallpaper choices (and should already be selected). Click Finish and your new wallpaper will be set.

2. How to change the Ubuntu screensaver

  • To set (or change) a screen saver in Ubuntu, select System -> Preferences -> Screensaver.
  • The Screensaver Preferences window will appear.
  • Select a screensaver from the list in the left column. It will preview itself in the main Screensaver Preferences window.
  • After you’ve found one you like, just click the Close button. If you want to see what the screensaver will look like in “full screen” mode, click the Preview button directly underneath the column of screensavers. If you want to require a password (yours) to be entered to turn off the screensaver once it has become active, place a check in the box labeled Lock screen when screensaver is active.

3. How to change the Ubuntu theme

  • To change the Ubuntu Theme, select System -> Preferences -> Theme.
  • The Theme Preferences window will appear.
  • Select one that looks interesting to you, and Ubuntu will actually apply that theme right away.
  • When you’ve found one you like, just click the Close button. If you decide you actually prefer the default Theme, just click the Revert button, or select Human (which is the name of the default).
No Comments
Tags , , , , ,
« Older Posts
Newer Posts »