Setting up an Ubuntu Router

I wanted to experiment with sniffing data on the network. Of course, my own network. This was not a creepy sniffing of my neighbours’ network. I was keen on converting my Ubuntu VM into a router VM. Then I can redirect all traffic from the ‘client’ VM via the ‘router’ VM on which the sniffer is running. So, my requirements are simple: I need a VM with dual network adapters, one of which will be on the WAN side and the other on the LAN side (exactly like a home router). What is required to convert a VM into a router is a different topic and it will not be covered in this blog post.

Configure the Dual Network Adapter

The most important part of this is to understand that only one of the adapters is visible to your DHCP server and the other is not. Why is this important? Because only one of the adapters will get an IP from DHCP and the other will have to be set manually. This DHCP-enabled adapter will be the WAN side adapter and the manual IP adapter will be the LAN side adapter. So, how do you configure dual interfaces on Ubuntu?

In Ubuntu, the networking system is configured via the ‘/etc/network/interfaces‘ file. Originally, there would have been only one interface as shown below:

$> ifconfig 
 eth0 Link encap:Ethernet HWaddr 08:00:27:d9:7a:ca 
 inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
 inet6 addr: fe80::a00:27ff:fed9:7aca/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:600 errors:0 dropped:0 overruns:0 frame:0
 TX packets:852 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:273084 (273.0 KB) TX bytes:141395 (141.3 KB)

lo Link encap:Local Loopback 
 inet addr:127.0.0.1 Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING MTU:16436 Metric:1
 RX packets:479 errors:0 dropped:0 overruns:0 frame:0
 TX packets:479 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0 
 RX bytes:147404 (147.4 KB) TX bytes:147404 (147.4 KB)

Now, let us configure the networking system to understand the 2nd interface, which we shall name as ‘eth1.’

So edit ‘/etc/network/interfaces‘ as shown below:

# The loopback network interface
 auto lo
 iface lo inet loopback

# The primary network interface
 auto eth0
 iface eth0 inet dhcp

 auto eth1
 iface eth1 inet static
 address 192.168.50.1
 network 192.168.50.0
 netmask 255.255.255.0
 broadcast 192.168.50.255

What this means is that:

  • eth0 is DHCP-enabled and gets the IP from the DHCP server.
  • eth1 has static IP of 192.168.50.1

Restart the network (via ‘sudo /etc/init.d/networking restart’):

[Screenshot: Restart of network]

Now, both the interfaces are up as shown below:

$> ifconfig 
 eth0 Link encap:Ethernet HWaddr 08:00:27:d9:7a:ca 
 inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
 inet6 addr: fe80::a00:27ff:fed9:7aca/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:600 errors:0 dropped:0 overruns:0 frame:0
 TX packets:852 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:273084 (273.0 KB) TX bytes:141395 (141.3 KB)

eth1 Link encap:Ethernet HWaddr 08:00:27:85:3a:24 
 inet addr:192.168.50.1 Bcast:192.168.50.255 Mask:255.255.255.0
 inet6 addr: fe80::a00:27ff:fe85:3a24/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:3043 errors:0 dropped:0 overruns:0 frame:0
 TX packets:34454004 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:372333 (372.3 KB) TX bytes:3193181649 (3.1 GB)

lo Link encap:Local Loopback 
 inet addr:127.0.0.1 Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING MTU:16436 Metric:1
 RX packets:479 errors:0 dropped:0 overruns:0 frame:0
 TX packets:479 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0 
 RX bytes:147404 (147.4 KB) TX bytes:147404 (147.4 KB)

Now we have 2 interfaces:

  1. ‘eth0’ (DHCP-enabled) pointing to the WAN side
  2. ‘eth1’ (static IP) pointing to the LAN side

Configure NAT routing

Use the following script, which I had borrowed from somewhere (forgot!) and slightly modified to my taste (available on github):

#!/bin/sh


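#
#--------------------------------- dependency check
fn_check_dependencies() {
	local __cmd=${1}
	local __path

	# Assign separately from 'local': 'local var=$(cmd)' always returns 0
	# and would hide a failed lookup.
	__path=$(which "${__cmd}")
	if [ $? -ne 0 ]; then
		# Report on stderr so the message is not captured by $(...)
		echo "****************** !! '${__cmd}' IS NOT AVAILABLE !! ******************" >&2
		echo >&2
		exit 1
	fi

	echo "${__path}"
}

#
#--------------------------------- constants
# The function runs in a subshell, so propagate its failure explicitly.
AWK=$(fn_check_dependencies awk) || exit 1
ECHO=$(fn_check_dependencies echo) || exit 1
DEPMOD=$(fn_check_dependencies depmod) || exit 1
GREP=$(fn_check_dependencies grep) || exit 1
IP=$(fn_check_dependencies ip) || exit 1
IPTABLES=$(fn_check_dependencies iptables) || exit 1
MODPROBE=$(fn_check_dependencies modprobe) || exit 1
NETSTAT=$(fn_check_dependencies netstat) || exit 1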

#
#--------------------------------- functions
fn_get_wan_iface() {
	${ECHO} $(${IP} route show | ${GREP} default | ${AWK} '{print $5}')
}

fn_get_lan_iface() {
	local _wan_ip=$(fn_get_wan_iface)
	${ECHO} $(${NETSTAT} -i | ${GREP} -ve lo -ve Iface -ve Kernel -ve ${_wan_ip} | ${AWK} '{print $1}')
}

fn_load_mod() {
	local __mod_name=${1}
	${ECHO} " |-> ${__mod_name}"
	${MODPROBE} ${__mod_name}
	if [ $? -ne 0 ]; then
		${ECHO} "****************** !! FAILED TO LOAD ${__mod_name} !! ******************"
		${ECHO}
		exit 1
	fi
}

fn_load_modules() {
	${ECHO} " - Loading kernel modules: "
	${DEPMOD} -a
	fn_load_mod ip_tables
	fn_load_mod nf_conntrack
	fn_load_mod nf_conntrack_ftp
	fn_load_mod nf_conntrack_irc
	fn_load_mod iptable_nat
	fn_load_mod nf_nat_ftp
	${ECHO}
}

fn_enable_ipv4_forwarding() {
	${ECHO} " - Enabling forwarding.."
	${ECHO} "1" > /proc/sys/net/ipv4/ip_forward
}

fn_enable_ipv4_dynamic_addr() {
	${ECHO} " - Enabling DynamicAddr.."
	${ECHO} "1" > /proc/sys/net/ipv4/ip_dynaddr
}

fn_clear_previous_fw_rules() {
	${ECHO} " - Clearing existing firewall rules"
	${IPTABLES} -t nat -D POSTROUTING -o "$WANIF" -j MASQUERADE
	${IPTABLES} -t filter -D FORWARD -i "$WANIF" -o "$LANIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 
	${IPTABLES} -t filter -D FORWARD -i "$LANIF" -o "$WANIF" -j ACCEPT
	${IPTABLES} -t filter -D FORWARD -j LOG
}

fn_create_fw_rules() {
	${ECHO} " - Enabling firewall rules"
	${IPTABLES} -t nat -A POSTROUTING -o "$WANIF" -j MASQUERADE
	${IPTABLES} -t filter -A FORWARD -i "$WANIF" -o "$LANIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 
	${IPTABLES} -t filter -A FORWARD -i "$LANIF" -o "$WANIF" -j ACCEPT
	${IPTABLES} -t filter -A FORWARD -j LOG
}

#
#--------------------------------- Main
${ECHO}
${ECHO} "======================= Enabling NAT ======================="
${ECHO}

WANIF=$(fn_get_wan_iface)
LANIF=$(fn_get_lan_iface)

${ECHO} "WAN Interface: $WANIF"
${ECHO} "LAN Interface: $LANIF"
${ECHO}

# Quote the variables so an empty value is tested as an empty string
if [ -z "${WANIF}" ]; then
	${ECHO} "****************** !! WAN interface not found !! ******************"
	${ECHO}
	exit 1
fi

if [ -z "${LANIF}" ]; then
	${ECHO} "****************** !! LAN interface not found !! ******************"
	${ECHO}
	exit 1
fi

# Compare WANIF (not the undefined WAN) against LANIF
if [ "${WANIF}" = "${LANIF}" ]; then
	${ECHO} "****************** !! Only one interface found !! ******************"
	${ECHO}
	exit 1
fi

${ECHO} "Setting up network:"
fn_load_modules
fn_enable_ipv4_forwarding
fn_enable_ipv4_dynamic_addr
fn_clear_previous_fw_rules
fn_create_fw_rules
${ECHO}
${ECHO} "======================= Done ======================="
${ECHO}

The above script does the following:

  1. Ensures the required kernel modules are loaded.
  2. Enables IP forwarding.
  3. Enables masquerading on the WAN side interface.
  4. Forwards all connections arriving on the LAN interface to the WAN interface.
  5. Finally, forwards all ‘established’ or ‘related’ connections arriving on the WAN interface to the LAN.

Done. Now when a device connects to this Ubuntu box via ‘eth1’, it can connect to the internet. In other words, this Ubuntu box serves as a router for other connected devices.

How to: Create a local SVN on Ubuntu

Oftentimes I get into a situation where I mess up my development (of personal projects). Though I use github for personal projects, sometimes it is convenient to have a local SVN for all silly works (like .vimrc, .bashrc, etc…). After a lot of procrastination, I decided to set up a local svn repo for all my silly “not-to-be-published” work.

Points to note
  • First, understand that I am working on my personal box & so I got complete permission to violate 😉 the value of a sudoer account.
  • Second, I am kinda cli person. Except for the joys of multi-window vim sessions I don’t want an overhead of apache et al. So I did not invest time in configuring my apache for my svn.
  • Third, I am gonna access my SVN as a “file:///” & not as “http://” or “svn:///”

And, so here we go…

Install Subversion Package

Don’t expect an explanation here 😉

$> sudo apt-get install subversion subversion-tools

Repository directory

Create a directory to hold all your repositories. Since I own my box, to avoid confusion I created the repo directory as a peer to my user account. Another reason is that this will ensure that my guest accounts (i.e., family et al) don’t get access to my SVN (by virtue of their not being sudoers).

$> sudo mkdir /home/svn

Create repo

Create a new, empty repository at the path provided. Suppose, I want a repository for all my silly test works (like a super silly shell script to dump the current ip), I shall call it ‘test.’ Then:

$> sudo svnadmin create /home/svn/test
$> ls -l /home/svn/
total 4
drwxr-xr-x 6 root root 4096 2014-09-18 18:32 test

This has created an empty repository under /home/svn/test.

Import data

Importing data implies that some data is available somewhere already. In my case, yes I do have my silly scripts to import and hence I change directory into where I have stored the scripts and import them as below:

$> cd ~/sillyscripts
$> sudo svn import . file:///home/svn/test/trunk -m "Initial import"

Now the entire sub-tree under sillyscripts has been imported into test.

Checkout

Final point to remember is that the original location from where the data was imported (i.e., ~/sillyscripts) is _NOT_ under svn. We need to freshly checkout the repo.

$> cd ~/svnprojects/
$> svn co file:///home/svn/test
$> cd ~/svnprojects/test
$> svn info
Path: .
URL: file:///home/svn/test
Repository Root: file:///home/svn/test
Repository UUID: 4158fc24-64e9-4705-b124-8f2b88018be7
Revision: 1
Node Kind: directory
Schedule: normal
Last Changed Author: root
Last Changed Rev: 1
Last Changed Date: 2014-09-18 19:00:02 +0300 (Thu, 18 Sep 2014)

Voila! Now play with your data & have fun 🙂


IPTables: Personal Firewall to protect my laptop

Firewall! What a high sounding word! Means high protection & a safe cocoon for all the newbies. That’s exactly what I did set up in my laptop: A firewall! A personalized firewall.

My use cases & reasons were very simple. Every once in a while, I expose my laptop to unsafe open Internet like the cafes, restaurants & hotel-accommodations. Apart from that, thanks to my work, I run many services like apache2, sshd, mongodb, mysqld, etc in my laptop, which are susceptible to malicious attacks. Club these two & I got a time-bomb ticking right on my lap!!

I did a bit of research and finally (I think & I hope this is final!) I have arrived at the min-ship requirement for my laptop to function correctly under any network without compromising itself!! These are things I felt like handling within my firewall:

  1. Enable (or Disable) a few kernel features
  2. Make the default rule DROP instead of ACCEPT
  3. Allow all packets from RELATED/ESTABLISHED connections
  4. Always allow loopback devices
  5. Drop all IANA reserved IPs
  6. Allow skype incoming
  7. Allow DHCP outgoing
  8. Allow DNS outgoing
  9. Allow HTTP outgoing
  10. Allow NTP outgoing
  11. Allow ping outgoing
  12. Allow SMTP outgoing
  13. Allow SSH outgoing

Simple, yeah?! 🙂

 

All of these steps are captured in my script – firewall.txt (Updated script: meetrp github). Just executing the script will enable everything as described above. But if you want to understand or wanna do them one-by-one yourselves then continue reading! 🙂

 

Enable (or Disable) a few kernel features
The common rule in protecting oneself is: “Deactivate everything you do not need.” Keeping in line with this principle, I have disabled (or enabled) a few kernel parameters to protect my laptop from malicious (or unwanted) intrusion.

  1. Ignore the broadcast pings: ICMP echo messages are the messages used by the “ping” command-line tool. By ignoring broadcast ICMP echo requests, your machine won’t respond when someone tries to ping a broadcast address (such as 255.255.255.255, or, say, 192.168.1.255 on a 192.168.1.0/24 subnet) to find all the hosts on the network or subnet at the same time.
     $> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

  2. Deactivate source routed packets: Attackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
     $> for iter in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$iter"; done

  3. Disable ICMP redirects: ICMP redirects are used by routers to specify better routing paths out of a network, so they affect how packets are routed and where they go. An attacker can use them to alter your host’s routing tables and divert traffic towards external hosts on a path of his/her choice; the new path is kept active by the router for 10 minutes.
     $> for iter in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$iter"; done

  4. Disable IP forwarding: If there are multiple network interfaces (like eth0, eth1, wlan0) active at the same time, then traffic coming in from one interface can be forwarded to another interface. This feature is not required in a traditional laptop.
     $> echo 0 > /proc/sys/net/ipv4/ip_forward

  5. Turn on source address verification: By default, routers route everything, even packets which ‘obviously’ don’t belong on your network. A common example is private IP space escaping onto the Internet. If you have an interface with a route of 195.96.96.0/24 to it, you do not expect packets from 212.64.94.1 to arrive there. Enabling this verification means that if the reply to a packet wouldn’t go out the interface this packet came in on, then this is a bogus packet and should be ignored.
     $> for iter in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$iter"; done

  6. Turn on syn cookies protection: The TCP SYN flood is a DoS (Denial of Service) attack that consumes resources on your Linux server. The attacker begins the TCP connection handshake by sending the SYN packet and then never completes the process of opening the connection. This results in a massive number of half-open connections.
     $> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
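
To confirm that the six settings above actually took effect on every interface, the following added example (not part of the author's firewall script) compares them against the values listed above and reports any drift. The function names and the sample tree are constructed for illustration; the optional root argument exists only so the check can be run against a test directory instead of /proc/sys.

```shell
#!/bin/sh
# Added example: verify the kernel settings from the list above.

# check_hardening [ROOT]
# Compares each setting under ROOT (default: /proc/sys) with the expected
# value. Prints one line per deviation and returns 1 if any was found.
check_hardening() {
	_root=${1:-/proc/sys}
	_bad=0
	# Each entry is "relative path (glob allowed)=expected value".
	for _spec in \
		"net/ipv4/icmp_echo_ignore_broadcasts=1" \
		"net/ipv4/conf/*/accept_source_route=0" \
		"net/ipv4/conf/*/accept_redirects=0" \
		"net/ipv4/ip_forward=0" \
		"net/ipv4/conf/*/rp_filter=1" \
		"net/ipv4/tcp_syncookies=1"
	do
		_want=${_spec##*=}
		_glob=${_spec%=*}
		# Unquoted $_glob on purpose: the shell expands it per interface.
		for _file in "$_root"/$_glob; do
			if [ ! -r "$_file" ]; then
				echo "MISSING ${_file#"$_root"/}"
				_bad=1
				continue
			fi
			_have=$(cat "$_file")
			if [ "$_have" != "$_want" ]; then
				echo "MISMATCH ${_file#"$_root"/} is $_have, expected $_want"
				_bad=1
			fi
		done
	done
	return $_bad
}

# make_sample_tree DIR
# Constructed test data: a fake /proc/sys tree with two deliberate
# deviations (forwarding left on, redirects accepted on eth0).
make_sample_tree() {
	_t=$1
	mkdir -p "$_t/net/ipv4/conf/all" "$_t/net/ipv4/conf/eth0"
	echo 1 > "$_t/net/ipv4/icmp_echo_ignore_broadcasts"
	echo 1 > "$_t/net/ipv4/ip_forward"
	echo 1 > "$_t/net/ipv4/tcp_syncookies"
	for _if in all eth0; do
		echo 0 > "$_t/net/ipv4/conf/$_if/accept_source_route"
		echo 0 > "$_t/net/ipv4/conf/$_if/accept_redirects"
		echo 1 > "$_t/net/ipv4/conf/$_if/rp_filter"
	done
	echo 1 > "$_t/net/ipv4/conf/eth0/accept_redirects"
}
```

On a live system, call `check_hardening` with no argument after running the firewall script; an interface that came up after the loops ran shows up as a MISMATCH line.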
    

 
Where is the rule set?
Check the attached: firewall.txt (Updated script: meetrp github)! Rename this file with ‘.sh’ extension & execute it.

$> ls -l ./firewall.txt 
-rw-rw-r-- 1 rp rp 17288 Aug 31 00:15 ./firewall.txt

$> mv firewall.txt myfirewall.sh
$> ls -l *firewall*
-rwxrwxr-x 1 rp rp 17288 Aug 31 00:15 myfirewall.sh

$> chmod +x ./myfirewall.sh 

$> sudo ./myfirewall.sh 
[Sunday 31 August 2014 00:16:20] Not a root!
[Sunday 31 August 2014 00:16:20] ignore ICMP echo broadcasts
[Sunday 31 August 2014 00:16:20] log all packets
[Sunday 31 August 2014 00:16:21] enable reverse path filtering
[Sunday 31 August 2014 00:16:21] enable syn cookies protetion
[Sunday 31 August 2014 00:16:21] disable ICMP redirects
[Sunday 31 August 2014 00:16:21] disable ip forwarding
[Sunday 31 August 2014 00:16:21] disable source route
[Sunday 31 August 2014 00:16:21] -------------- IPv4 ---------------
[Sunday 31 August 2014 00:16:21] clear all rules
[Sunday 31 August 2014 00:16:21] default drop
[Sunday 31 August 2014 00:16:21] allow all related & established
[Sunday 31 August 2014 00:16:21] allow loop back
[Sunday 31 August 2014 00:16:21] drop all IANA reserved IPs
[Sunday 31 August 2014 00:16:21] --> eth0
[Sunday 31 August 2014 00:16:21] allow skype in
[Sunday 31 August 2014 00:16:21] allow DHCP out
[Sunday 31 August 2014 00:16:21] allow DNS out
[Sunday 31 August 2014 00:16:21] allow HTTP out
[Sunday 31 August 2014 00:16:21] allow NTP out
[Sunday 31 August 2014 00:16:21] allow ping out
[Sunday 31 August 2014 00:16:21] allow SMTP out
[Sunday 31 August 2014 00:16:21] allow SSH out
[Sunday 31 August 2014 00:16:21] --> wlan0
[Sunday 31 August 2014 00:16:21] allow skype in
[Sunday 31 August 2014 00:16:21] allow DHCP out
[Sunday 31 August 2014 00:16:21] allow DNS out
[Sunday 31 August 2014 00:16:21] allow HTTP out
[Sunday 31 August 2014 00:16:21] allow NTP out
[Sunday 31 August 2014 00:16:21] allow ping out
[Sunday 31 August 2014 00:16:22] allow SMTP out
[Sunday 31 August 2014 00:16:22] allow SSH out
[Sunday 31 August 2014 00:16:22] -------------- IPv6 ---------------
[Sunday 31 August 2014 00:16:22] clear all rules
[Sunday 31 August 2014 00:16:22] default drop

This is my firewall setup script. Whenever I want, I execute this script and voila, my firewall is setup.

 
Dump the IPTables for verification

 $> sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 0.0.0.0/7 -j DROP
-A INPUT -s 2.0.0.0/8 -j DROP
-A INPUT -s 5.0.0.0/8 -j DROP
-A INPUT -s 7.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 23.0.0.0/8 -j DROP
-A INPUT -s 27.0.0.0/8 -j DROP
-A INPUT -s 31.0.0.0/8 -j DROP
-A INPUT -s 36.0.0.0/7 -j DROP
-A INPUT -s 39.0.0.0/8 -j DROP
-A INPUT -s 42.0.0.0/8 -j DROP
-A INPUT -s 49.0.0.0/8 -j DROP
-A INPUT -s 50.0.0.0/8 -j DROP
-A INPUT -s 77.0.0.0/8 -j DROP
-A INPUT -s 78.0.0.0/7 -j DROP
-A INPUT -s 92.0.0.0/6 -j DROP
-A INPUT -s 96.0.0.0/4 -j DROP
-A INPUT -s 112.0.0.0/5 -j DROP
-A INPUT -s 120.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 173.0.0.0/8 -j DROP
-A INPUT -s 174.0.0.0/7 -j DROP
-A INPUT -s 176.0.0.0/5 -j DROP
-A INPUT -s 184.0.0.0/6 -j DROP
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -s 197.0.0.0/8 -j DROP
-A INPUT -s 198.18.0.0/15 -j DROP
-A INPUT -s 223.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/3 -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 16514 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 16514 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 16514 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o wlan0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A OUTPUT -o wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o wlan0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A OUTPUT -o wlan0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

$> sudo ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

If you notice, I have plenty of rules for IPv4 but dropped IPv6 entirely!! Who wants IPv6 right away?! I still get only an IPv4 address. ;)
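
A dump like the one above can be checked mechanically against the checklist at the start of this post. The following is an added example, not part of the firewall script linked from the post: `audit_ruleset` and both sample rule sets are constructed for illustration, and the parser assumes plain `iptables -S` lines without `!` negations.

```shell
#!/bin/sh
# Added example: audit `iptables -S` text read from stdin.

# Constructed sample: an abridged copy of the dump shown in the post.
LAPTOP_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 16514 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 16514 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT'

# Constructed sample: a rule set that misses the checklist.
WEAK_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT'

# audit_ruleset
# Prints "OPEN <iface> <proto> <port>" for every inbound hole and
# "FAIL ..." for every checklist item that is not met.
# Returns 1 if at least one FAIL line was printed, otherwise 0.
audit_ruleset() {
	awk '
		$1 == "-P" { policy[$2] = $3; next }
		$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
			iface = "any"; proto = "any"; port = "all"
			narrow = 0; stateful = 0
			for (i = 3; i < NF; i++) {
				if ($i == "-i")      { iface = $(i + 1); narrow++ }
				if ($i == "-p")      { proto = $(i + 1); narrow++ }
				if ($i == "-s")      { narrow++ }
				if ($i == "--dport") { port = $(i + 1); narrow++ }
				if ($i == "--state" || $i == "--ctstate") {
					# Reply traffic only: must not also admit NEW
					if ($(i + 1) ~ /ESTABLISHED/ && $(i + 1) !~ /NEW/) { stateful = 1 }
				}
			}
			if (stateful)      { have_state = 1; next }
			if (iface == "lo") { have_lo = 1; next }
			if (narrow == 0)   { print "FAIL unrestricted accept: " $0; bad++; next }
			print "OPEN " iface " " proto " " port
		}
		END {
			n = split("INPUT FORWARD OUTPUT", chain, " ")
			for (i = 1; i <= n; i++) {
				p = policy[chain[i]]
				if (p != "DROP") {
					print "FAIL policy " chain[i] " is " (p == "" ? "unset" : p)
					bad++
				}
			}
			if (!have_state) { print "FAIL no RELATED,ESTABLISHED accept on INPUT"; bad++ }
			if (!have_lo)    { print "FAIL no loopback accept on INPUT"; bad++ }
			exit (bad > 0)
		}
	'
}
```

On the laptop itself the input would be `sudo iptables -S | audit_ruleset`; the OPEN lines are the complete list of ports reachable from outside and should match what you meant to expose.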

If you wanna make these rules permanent and persistent then follow these steps:

Save the rules set while networking is going down

$> cat /etc/network/if-down.d/saveiptables
#!/bin/bash

/sbin/iptables-save > /etc/ipv4tables.rules
/sbin/ip6tables-save > /etc/ipv6tables.rules

exit 0

Restore the rules while networking is coming up

$> cat /etc/network/if-up.d/loadiptables
#!/bin/bash

/sbin/iptables-restore < /etc/ipv4tables.rules
/sbin/ip6tables-restore < /etc/ipv6tables.rules

exit 0

Btw, don't forget to change it to executable!

$> sudo chmod +x /etc/network/if-down.d/saveiptables /etc/network/if-up.d/loadiptables

After this, hopefully, my laptop is secure as compared to before.

FYI, these were my experiments limited to my understanding. If I can be of any help & esp vice-versa, please feel free to contact me!

Updated script: meetrp github

Courtesy

  1. Security - Linux StepByStep
  2. The Kernel - Linux inside
  3. IPTables Tips and Tricks: More Than Just ACCEPT or DROP
  4. Saving iptables rules to be persistent
  5. http://hermann-uwe.de/files/fw_laptop
  6. Laptop Iptables configuration
  7. iptables: Small manual and tutorial with some examples and tips

HowTo: Show/Display available network interfaces

The biggest problem I found was not identifying all the network interfaces available but the ones that are up. For instance, the 2 quickest ways to identify all the available network interfaces are:

ip link
$> ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 5c:26:0a:7b:7b:f6 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether a0:88:b4:ca:8b:4c brd ff:ff:ff:ff:ff:ff

Obviously, there are 2 interfaces (sans the default, lo): eth0 & wlan0. Btw, can you tell which of these 2 are up & which is NOT?!!!! Trust me I couldn’t. At least not in the first look! Then figured a pattern in the presence of ‘DOWN’ or ‘UP’ keywords!! Yet, this was not sufficient for me as I was wanting to identify the network interfaces that are UP using a generic script. ‘grep’-ing for ‘UP’ & ‘DOWN’ would not work out here.

ifconfig
$> ifconfig -a
eth0      Link encap:Ethernet  HWaddr 5c:26:0a:7b:7b:f6
          inet addr:10.212.140.25  Bcast:10.212.140.255  Mask:255.255.255.0
          inet6 addr: fe80::5e26:aff:fe7b:7bf6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:919885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:418690 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1098622617 (1.0 GB)  TX bytes:48860614 (48.8 MB)
          Interrupt:20 Memory:e2e00000-e2e20000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:92466 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92466 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12115565 (12.1 MB)  TX bytes:12115565 (12.1 MB)

wlan0     Link encap:Ethernet  HWaddr a0:88:b4:ca:8b:4c
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:506150 errors:0 dropped:0 overruns:0 frame:0
          TX packets:344206 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:557950489 (557.9 MB)  TX bytes:40095705 (40.0 MB)

Another obvious problem! Can you see that it is not easy to figure out which of the interfaces are down!! Of course, the presence of UP (or the lack of it) is not sufficient to write a simple bash script!!

So, after a bit of research & some soul-searching as well, I figured out a simpler way:

netstat -i

$> netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0    921323      0      0 0        419605      0      0      0 BMRU
lo        65536 0     93141      0      0 0         93141      0      0      0 LRU

Ah! There you can see only eth0 is displayed! Voila! I found my unicorn here! 🙂 So, now my script would be a simple:

$> netstat -i | grep -vi 'kernel' | grep -vi 'iface' | grep -v 'lo' | awk '{print $1}'
eth0

Isn’t this awesome?! 🙂

One can even use ‘ifconfig -s‘ instead of ‘netstat -i‘ and the output will be the same! 🙂

FYI: I am using Ubuntu 14.04 LTS 64-bit.
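
The `grep -v 'lo'` step in the pipeline above, and the same filter in `fn_get_lan_iface` of the router script earlier on this page, is a substring match on the whole line, so it also hides interfaces whose name merely contains "lo". The following added example (not the author's code) selects interfaces by field instead; the function names and the sample table, including the interface name wlo1, are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse `netstat -i` / `ifconfig -s` style text from stdin
# by column instead of chaining `grep -v`.

# Constructed sample table; wlo1 is a hypothetical on-board Wi-Fi name.
SAMPLE_TABLE='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0    921323      0      0 0        419605      0      0      0 BMRU
wlo1       1500 0      3043      0      0 0          2100      0      0      0 BMRU
lo        65536 0     93141      0      0 0         93141      0      0      0 LRU'

# The pipeline from the post, kept for comparison: it drops wlo1 as well.
naive_ifaces() {
	grep -vi 'kernel' | grep -vi 'iface' | grep -v 'lo' | awk '{print $1}'
}

# up_ifaces
# Prints every non-loopback interface whose Flg column contains U (up).
# The U test also keeps the result correct for `netstat -ia` input,
# which lists interfaces that are down.
up_ifaces() {
	awk '
		$1 == "Kernel" || $1 == "Iface" { next }  # header lines
		NF < 2     { next }                       # blank or truncated lines
		$1 == "lo" { next }                       # exact name, not substring
		$NF ~ /U/  { print $1 }                   # Flg is the last column
	'
}

# lan_iface WAN
# Prints the single up interface that is not WAN. Returns 1 with a message
# on stderr when there are zero or several candidates, instead of handing
# an ambiguous value to iptables.
lan_iface() {
	_wan=$1
	_cands=$(up_ifaces | awk -v wan="$_wan" '$1 != wan')
	_count=$(printf '%s\n' "$_cands" | awk 'NF { n++ } END { print n + 0 }')
	if [ "$_count" -ne 1 ]; then
		echo "expected exactly one LAN candidate, found $_count" >&2
		return 1
	fi
	printf '%s\n' "$_cands"
}
```

Typical use is `netstat -i | lan_iface "$WANIF"`, with the caller aborting when the function returns non-zero.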

Ubuntu: How to solve a GPG Error (BADSIG)

Well, well, haven’t we all faced this irritating issue where apt-gets begin to fail? I have faced it one too many times. Frustrating and mind-numbing. One of the common errors is the infamous GPG Error. A “BADSIG” scenario. For instance, I faced this today:

$> sudo apt-get update
...
...
...
Ign http://archive.ubuntu.com trusty-security/main Translation-en_IN
Ign http://archive.ubuntu.com trusty-security/multiverse Translation-en_IN
Ign http://archive.ubuntu.com trusty-security/restricted Translation-en_IN
Ign http://archive.ubuntu.com trusty-security/universe Translation-en_IN
Ign http://archive.ubuntu.com trusty-proposed/main Translation-en_IN
Ign http://archive.ubuntu.com trusty-proposed/multiverse Translation-en_IN
Ign http://archive.ubuntu.com trusty-proposed/restricted Translation-en_IN
Ign http://archive.ubuntu.com trusty-proposed/universe Translation-en_IN
Fetched 490 kB in 46s (10.6 kB/s)
Reading package lists... Done
W: GPG error: http://archive.ubuntu.com trusty-backports Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
$>

So what is this? Why do we see this?

Let us begin with what GPG is. It is an acronym for GNU Privacy Guard and is an alternative to the PGP suite, which provides cryptographic privacy and authentication for data communication. An additional useful piece of information is that GPG is a key-based encryption method, i.e., it uses a public key & a private key. Using these public-private key pairs, Ubuntu servers sign the files that are transferred to the client (i.e., our local box) & APT at the client end checks their signatures. This is required to check that a package hasn’t been tampered with between the time it was uploaded to the archive and the time we download it. If there is a mismatch in the signature during this check, the corresponding APT action raises an error.

Why the mismatch? That is a question I have been trying hard to find the answer for and it has been a really long & hard search with very little significant data. With all the search, I concluded that the mismatch of the signature is possible in any of the following scenarios:

  1. Old files
  2. Corrupt files
  3. Partial Downloads
  4. All of the above.

It appears like APT doesn’t handle some of the error conditions well. To quote from one of the pages:

This is due to cache inconsistencies and thus is not necessarily a bug in Ubuntu at all. But I hope the fine devs can find a way to better deal with broken proxies. This is a very visible issue, a large number of internet connections are behind proxies and the users cannot do anything about it.

If anybody got more info please lemme know. Share your knowledge & let us grow together.

Anyways, the resolution here is to drop all the state information of each & every package resource and rebuild them. And, to do so follow these steps & this will rebuild the cache:

$> sudo apt-get clean
$> sudo mv /var/lib/apt/lists /var/lib/apt/lists.old
$> sudo mkdir -p /var/lib/apt/lists/partial
$> sudo apt-get clean
$> sudo apt-get update

This should solve the ‘BADSIG’ problem for sure.

Courtesy

  • http://ubuntuforums.org/showthread.php?t=1983220
  • https://wiki.debian.org/SecureApt
  • https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/863306
  • https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/24061
  • http://en.wikipedia.org/wiki/GNU_Privacy_Guard

Ubuntu: Disable start of a service on boot

A simple problem I was facing in Ubuntu was finding an equivalent of “chkconfig” available on the Redhat flavors. Well, for the unaware people:

‘chkconfig‘ is popularly used for adding or removing any services during boot. In other words, it updates and queries runlevel information for system services.

So, my search was for a similar tool on Ubuntu. And, this is what I found at the end of the search: update-rc.d. This is very simple to use & equally intuitive as well. For instance,

$> sudo update-rc.d -f mongodb remove
Removing any system startup links for /etc/init.d/mongodb ...

The above usage helped me remove ‘mongodb’ from automatically starting on boot. Voila! 🙂


Ubuntu: sudo without password prompt

How many of you are bored of typing your password every time you run a sudo command on your personal computer?! This is a bloody waste of time! I mean, I appreciate the sudoer jazz and the importance of security but then this is my freaking single-owner-only laptop! Why do I need to type password every time I run a command with a sudo? In fact, if someone has a shell access to my laptop then my biggest worry is ‘where did I lose my laptop?’ more than ‘oh! crap! There is no sudo password!’ Right? How many with me on this one? 🙂

Anyways, so here is my attempt to eradicate password prompt for sudo on my personal laptop. And, it turned out to be super simple! 🙂

Please run this at the command line to edit the sudo list:

$> sudo visudo

The content before I modified is as below:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Now, append the following line to the END of the file (if not at the end there is a chance it could be nullified by other entries!):

<username> ALL=NOPASSWD: ALL

In my case, this is:

rp ALL=NOPASSWD: ALL

Save & exit!

To enforce this “no-password-sudo” rule, logout & log back in and Voila you are done! 🙂


Wine – Run windows app on Linux

Wine is a free & open source software application designed to run Windows-based applications on other operating systems. In English, using wine one can run any windows software (games included) in Linux!

Trivia: WINE is an acronym for WINdows Emulator or Wine Is Not an Emulator.

Wine for Ubuntu and Ubuntu derivatives

Wine is not a part of default repository that comes with the Ubuntu bundle. So as a first measure, we need to add the Wine repository to Ubuntu software sources.

Adding the WineHQ PPA Repository

Open “System Settings” by clicking on the top-right corner of the ubuntu desktop.

[Screenshot: Open software settings in ubuntu]

 

Open “Software updates” as shown below:

[Screenshot: Ubuntu Software Updates]

 

In the “Software & Updates” window, select ‘Other Software‘ and then click on ‘Add…‘ to get this:

[Screenshot: Ubuntu add a new repo]

Then, copy and paste the following: ppa:ubuntu-wine/ppa.

Installing Wine

Open “Ubuntu Software Center“:

[Screenshot: Ubuntu Software Center]

 

Type ‘wine‘ in the right-top corner textbox of the software center window, which is actually a search textbox. Press ‘Enter.’ You should get a list of all software related to wine. The one of interest to us is the top-most one titled ‘Microsofts Windows Compatibility Layer.‘ Select it and click ‘Install.’

Once installed you should be able to see a view like below where ‘Install’ button is replaced with ‘Remove.’

[Screenshot: Install Wine]

Voila! Installation done! 🙂

What next?

Configure Wine

This would be the first step I would suggest to do.

[Screenshot: Configure Wine]

 

The major step is to configure wine to the windows version you are interested in. For instance, I am interested in “Windows 7” so change the ‘Windows version’ to ‘Windows 7’.

[Screenshot: Wine Configuration]

This ensures that Wine will emulate Windows 7 behavior, if it would make any difference to the software you are going to install.

How to install?

Unfortunately, there is only one way to do it. Command line! First step, download the software you want to install. Next step is to install the package using wine as shown below:

$> wine [full path of .exe file]

Done! 🙂

Install Wine using apt-get

Same as before we have to add Wine HQ repository to the software sources and install wine.

$> sudo add-apt-repository ppa:ubuntu-wine/ppa
$> sudo apt-get update
$> sudo apt-get install wine

Done! 🙂


Checking your Ubuntu Version

There are 4 different ways to check which version of Ubuntu one is running. Two of them are command-line based and the others use tools.

In Unity

Unity is the default desktop environment for Ubuntu since 12.04 (Precise Pangolin). The steps to retrieve the version information are as follows:

  1. Click on the ‘projection’ on the menu bar (upper-right portion of the screen). This is to the right of the clock. In my installation, this cog is more of an empty square after the clock.
  2. Select the option: About This Computer. This will open a new window, displayed as below:
[Screenshot: About This Computer]

 

Using Terminal

Open a terminal (Keyboard shortcut: CTRL+ALT+T) and do any of the following.

lsb_release

Enter the command ‘lsb_release -a‘

[Screenshot: lsb_release -a]

read lsb-release file

Read through the static file ‘lsb-release‘ under etc directory.

[Screenshot: /etc/lsb-release]

 

Using Ubuntu Tweak

Install Ubuntu Tweak and opening it gives you this:

[Screenshot: ubuntu tweak]

 

All of these suggest the installed version on my computer is 13.04 (aka raring). These are, currently, the different methods to check the version of Ubuntu that has been installed.