Monthly Archives: September 2011

Link

reallinux:

CentOS has been criticized heavily earlier this year, mainly because of the big delay their distribution normally has (compared to the original RHEL releases).
One of the problems that comes with this delay is that security fixes that RedHat writes for their latest release are unavailable for…

Linux: CentOS CR for CentOS 6.0

Link

sys-log:

Sometimes when dealing with application problems you run into a point where logs and environmental data just don’t seem to provide you with the exact issue.

For this reason there are many times where a developer may ask you to create a core file for their application. Core files contain a lot of…

Sys::Log: kill: Creating a core dump

The simple way of setting up NAT with iptables and Red Hat / CentOS and Scientific Linux

I always feel intimidated with setting NAT. I knew, of course, how to filter packets with iptables, but I always felt that NAT to be just a tad bit confusing. Then I studied for the RHCE exam and it turns out that it is a lot easier than I expected, with a little help from Red Hat’s firewall tool.

With earlier releases of Red Hat, the firewall tool is limited to just filtering by ports with no NAT or ACLs support. With version 6, the tool was significantly revamped. While ACLs are still not supported, you can now setup NAT with the firewall GUI. To get started, log yourself into the X-Windows GUI and run the following from the terminal.

system-config-firewall

Alternatively, you may run it from the menu -> System- Administration -> firewall. Or if you are logged remotely and you have X-Window running on your workstation, you can forward the tool over SSH to run it locally on your workstation by logging to the server with:

ssh -X username@hostname

and then run the “system-config-firewall.”

(One notable caution: if you have an existing iptables configuration, running this tool will wipe out your rules. Be sure to back /etc/system/iptables before you proceed further on this.)

From there, you will see the following options available:

Select “Masquerading” and then to your right, select the interface or interfaces you want your traffic to go through.

Congratulations, NAT is now setup! The next step is to setup forwarding to your devices or servers. Select “Port Forwarding” to your left:

Then click on add button at your right:

{stub}

Then near the top of the following screen under the Source heading, click on the interface button, select your interface and click on OK

Then click the protocol button, select your protocol and then click on OK

Then click on the port button and select (or enter) your port(s) and then click on  OK:

Now under the Destination heading, select “Forward to another port” and enter the IP address of the machine you will forward the packets to in the field:

Then select the Port button or enter the port(s) you will be forwarding to:

Click on OK,  then OK to return to the main screen

From there, click on apply (which will write to the /etc/sysconfig/iptables file) and then reload (which will restart iptables).

(If you have backed up your iptables file, you may be able restore them with the custom rules option. However, the iptable backup must be in the iptables-save format, which presumably means that a custom-made one will not work).

You are mostly done here, but there is a couple of more changes youneed to make. First of all, though, lets login in via the command and take a look at the iptables file:

[root@sl6vmware sysconfig]# cat iptables

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*nat

:PREROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -o eth+ -j MASQUERADE

-A PREROUTING -i eth+ -p tcp --dport 20:21 -j DNAT --to-destination 192.168.15.36:20-21

COMMIT

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -i eth+ -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-A FORWARD -p icmp -j ACCEPT

-A FORWARD -i lo -j ACCEPT

-A FORWARD -i eth+ -j ACCEPT

-A FORWARD -o eth+ -j ACCEPT

-A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d 192.168.15.36 --dport 20:21 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

As you can see there, setting up NAT comprised of a few steps:

1) you set the table type, which at the beginning, would be *nat. If you were to do it from the command line, it would be the first part of the following statement

iptables -t nat <statement>

2) Then, you would set POSTROUTING s. From the command line, it will the second part of the statement we mention earlier.

iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE

At that point, the nat is setup.

3) From this point, it is just the matter of forwarding the packets based on source port (you can add the ACLs at this point, but the GUI tool will most likely overwrite them. Again, make sure that you have a backup!) . That is done by setting up a PREROUTING rule for a port, with:

-A PREROUTING -i eth+ -p tcp –dport 20:21 -j DNAT –to-destination 192.168.15.36:20-21

From the command line, it would be:

iptables -t nat -A PREROUTING -i eth+ -p tcp –dport 20:21 -j DNAT –to- destination 192.168.15.36:20-21

And then, you would add a FORWARD rule with:

-A FORWARD -i eth+ -m state –state NEW -m tcp -p tcp -d 192.168.15.36 – dport 20:21 -j ACCEPT

Which, from the command line would be:

iptables -t filter -A FORWARD -i eth+ -m state –state NEW -m tcp -p tcp -d 192.168.15.36 –dport 20:21 -j ACCEPT

Note that statement must be under the filter table, not under the nat table.

Getting this right via the command-line is fairly tricky even for experienced administrations, which is why the firewall tool is a great way to manage your rules for NAT (assuming that they are simple enough)

But you are not done yet. First, you need to make sure that you actually enable IP forwarding with the kernel.  You can set it dynamically with either:

sysctl -w net.ipv4.conf.all.forwarding =1

Or:

echo “1” > /proc/sys/net/ipv4/ip_forward

To change it permanently (which is what you want), add or change the  net.ipv4.conf.all.forwarding value  in /etc/sysctl.conf to:

net.ipv4.ip_forward = 1

And then reboot (assuming that you didn’t make the change dynamically).

At this point, there is one more thing you may  need to do, , particularly if you are running a FTP service.

With FTP, when a client connects to a server, the FTP server returns the response via different port (usually a high-number port above 1024). That becomes a problem when the client attempts to respond to that same port when the server is behind either a firewall or a NAT , as that port will most likely be blocked.

So there are 4 options you choose to address this problem.

1) Use SFTP. It is is encrypted and travels through the same port (22), so that is the best option. However, not all clients would have thats support.

2) Have the FTP server return a response to a specific port and open that port.

3) Have the client use passive mode

4) Modify the nat/firewall dynamically as well as modify the PORT and PASV commands dynamically.

We will go with the last option. Fortunately, it is not complicated in this case. We just need the open the following file:

/etc/sysconfig/iptables-config

And add (or change) the following:

IPTABLES_MODULES=“nf_nat_ftp”

This is a helper module that allows us to dynamically set the ports and track the FTP connectivity. It will load once you restart type iptables, either from the gui or from the command line with:

service iptables restart

If you were to prefer the load the module manual, you would run:

modprobe nf_nat_ftp

Which will load that module as the other supporting modules. You confirm whether it is loaded by running:

lsmod | grep ftp

Which will present you with the following output

nf_nat_ftp              3473  0 

nf_conntrack_ftp       12879  1 nf_nat_ftp

nf_nat                 22788  3 nf_nat_ftp,ipt_MASQUERADE,iptable_nat

nf_conntrack           79611  8 nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state

Now you are done with NAT. You can start forwarding traffic to your internal servers and have them accessible from outside your network. 

For more information on setting up NAT, go to the following links:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables – A longer guide to setting up IP tables, with a section for NAT.

http://debianclusters.org/index.php/NAT_with_IPTables – Setting up IP tables with Debian-type distributions.

http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html – The problems you will encounter with with NAT and FTP.

bash: Field Separator Variable

sys-log:

By default when using a for loop in bash the field separator is set to a space.

Example:

[bcane@bcane ~]$ for x in list:like:this; do echo $x; done
list:like:this

One of the cool things about bash is that you can change this by setting a simple variable $IFS

[bcane@bcane ~]$ IFS=”:”
[bcane@bcane ~]$ for x in list:like:this; do echo $x; done
list like this

The exit code from a batch job is a standard Unix termination status, the same sort of number you get in a shell script from checking the “$?” variable after executing a command.

Typically, exit code 0 (zero) means successful completion. Codes 1-127 are typically generated by your job itself calling exit() with a non-zero value to terminate itself and indicate an error. In BaBar we don’t make very much use of this. The most common such value you might see is 64, which is the value used by Framework to say that its event loop is being stopped before all the requested data have been read, typically because time ran out. In recent BaBar releases you might also see 125, which we use as a code for a generic “severe error”; the job log should contain a message stating what the error was.

Exit codes in the range 129-255 represent jobs terminated by Unix “signals”. Each type of signal has a number, and what’s reported as the job exit code is the signal number plus 128. Signals can arise from within the process itself (as for SEGV, see below) or be sent to the process by some external agent (such as the batch control system, or your using the “bkill” command).

By way of example, then, exit code 64 means that the job deliberately terminated its execution by calling “exit(64)”, exit code 137 means that the job received a signal 9, and exit code 140 represents signal 12.

(via arisawa)