Linux OS - Notes

The document provides information about Linux firewall configuration and networking concepts. It discusses the different chains in iptables and provides examples of iptables rules. It also covers NFS and Samba configuration and centralized logging.

Host ----> FW -----> (Forwarding / Routing) SRV

INPUT CHAIN (Incoming Traffic)
External host sending data to our Public / Private IP
Example: Paras trying to connect with Google.com

OUTPUT CHAIN (Outbound Traffic)
Internal host sending data to an external IP
Example: Paras from within the RACE, attempting to connect with Google.com

FORWARD CHAIN (Traffic Routing)
Receiving the external traffic and routing it to the relevant server inside
Example: Paras trying to connect with Srv1.Google.com

A firewall rule has these key components:
1. Ports
2. Protocols
3. Source / Destination IPs
4. Rate Limit (Protection from DDoS / DoS)
5. Stateful inspection
6. Decision
7. Binding the firewall rule to a specific ethernet card

Step 1... Determine the CHAIN (INPUT / OUTPUT / FORWARD) ---> -A INPUT
Step 2... Bind to a specific ethernet port ---> -i eth0
Step 3... Define the source (Port + Protocol + IP) ---> -s 20.102.80.220/255.255.255.255
Step 4... Define the destination (Port + Protocol + IP) ---> -p tcp -m multiport --dports 80,443 -d 8.8.8.8
Step 4.1... Define the stateful inspection and fine-tune the communication rate ---> -m state --state NEW,ESTABLISHED (no space after the comma)
Step 5... Take action (DROP / ACCEPT / RETURN / REJECT) ---> -j DROP

sudo iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 20.102.80.220/255.255.255.255 -d 8.8.8.8 -m state --state NEW -j DROP

sudo iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -s 20.102.80.220/255.255.255.255 -d 8.8.8.8 -m state --state NEW -m limit --limit 1/s --limit-burst 100 -j DROP

sudo iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -d 8.8.8.8 -m state --state NEW -j DROP

(Matching several ports needs -m multiport --dports; each match extension gets its own -m, so state and limit cannot be combined as -m state,limit; and the OUTPUT chain matches the outgoing interface with -o, because -i is only valid in INPUT and FORWARD.)

-I INPUT 1 <rule> (insert at position 1 of the INPUT chain instead of appending)

--delete INPUT <Rule #> or --delete INPUT <specification of the rule> (remove a rule)

--check INPUT <specification of the rule> (verify whether a matching rule already exists)

Rules are evaluated top to bottom and the first match decides, so the order of the rules matters:

RULE # 1 (Reject Specific IP)
RULE # 2 (Allow *)
-A RULE # 3 (DROP *)
-A RULE # 4 (DROP IP)

Stateful Inspection:
New connection is initiated from host to server ---> NEW
Active connection is running between host and server ---> ESTABLISHED
Terminating connection between host and server ---> CLOSED

TCP 3-way handshake (NEW STATE)
----------------------------------
Host ---> SYN ---> Server (Port/ IP)
Server ---> SYN/ACK ---> Host (Acknowledgement)
Host ---> ACK ---> Server (Acknowledgement)

Data transfer starts after the ACK on that Port/IP (ESTABLISHED STATE)

CLOSED STATE
Host ---> FIN ---> Server
Server ---> ACK ---> Host

sudo iptables -A INPUT -i ens33 -p tcp --match multiport --dports 80,443 -s 20.102.80.220/255.255.255.255 -d 8.8.8.8 -m state --state NEW -j DROP
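The rule-building steps, the first-match ordering point and the NEW/ESTABLISHED states above, worked through as an added example in POSIX sh that is not part of the original notes. The script composes each rule from the same pieces the steps list (chain, interface, protocol, ports, source, destination, state, target), refuses the combinations iptables would reject (-i on OUTPUT, ports without a protocol), and prints an ordered default-deny INPUT policy. Nothing is applied unless it is run with --apply (which needs root); eth0, lo, 10.0.0.0/8 and the chosen ports are assumptions for the demo.

```shell
#!/bin/sh
# Added example: build iptables rules from their pieces and print a stateful,
# ordered INPUT policy. Dry run by default; --apply executes the commands (root).

# build_rule CHAIN IFACE PROTO PORTS SRC DST STATES TARGET
# Empty arguments are skipped, so every piece of the rule is optional.
build_rule() {
    chain=$1 iface=$2 proto=$3 ports=$4
    src=$5 dst=$6 states=$7 target=$8
    case "$chain" in
        INPUT|FORWARD) ifflag=-i ;;   # these chains see the arriving interface
        OUTPUT)        ifflag=-o ;;   # OUTPUT only knows the outgoing one; -i is rejected
        *) echo "unknown chain: $chain" >&2; return 1 ;;
    esac
    if [ -n "$ports" ] && [ -z "$proto" ]; then
        echo "port matches need -p tcp or -p udp" >&2; return 1
    fi
    rule="iptables -A $chain"
    [ -n "$iface" ] && rule="$rule $ifflag $iface"
    [ -n "$proto" ] && rule="$rule -p $proto"
    case "$ports" in
        "")  ;;
        *,*) rule="$rule -m multiport --dports $ports" ;;  # several ports need multiport
        *)   rule="$rule --dport $ports" ;;               # a single port can use --dport
    esac
    [ -n "$src" ] && rule="$rule -s $src"
    [ -n "$dst" ] && rule="$rule -d $dst"
    [ -n "$states" ] && rule="$rule -m state --state $states"
    echo "$rule -j $target"
}

# stateful_policy: default-deny INPUT. Rules are evaluated top to bottom and the
# first match wins, so the ESTABLISHED rule sits above everything, the service
# rules follow, and the catch-all DROP is last; a DROP placed earlier would
# shadow every ACCEPT below it. Interfaces and addresses are demo assumptions.
stateful_policy() {
    build_rule INPUT ""   ""  ""     ""         "" ESTABLISHED,RELATED ACCEPT
    build_rule INPUT lo   ""  ""     ""         "" ""                  ACCEPT
    build_rule INPUT eth0 tcp 22     10.0.0.0/8 "" NEW                 ACCEPT
    build_rule INPUT eth0 tcp 80,443 ""         "" NEW                 ACCEPT
    build_rule INPUT ""   ""  ""     ""         "" ""                  DROP
}

if [ "${1:-}" = "--apply" ]; then
    stateful_policy | while read -r cmd; do $cmd; done   # needs root
else
    stateful_policy                                       # dry run: only print
fi
```

Run it without arguments to review the generated commands; the ESTABLISHED,RELATED rule first and the DROP last is the shape every stateful ruleset of this kind takes, whatever services sit in between.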

NFS export options:

subtree_check / no_subtree_check: when a subdirectory rather than a whole filesystem is exported, subtree_check makes the server verify on each request that the requested file really lies inside the exported subtree; no_subtree_check skips that verification.

subtree_check
/tmp/A/B
/tmp - exported or not?
/tmp/A - exported or not?
/tmp/A/B - exported or not?
no_subtree_check
/tmp/A/B - exported or not?

root_squash --> Map the UID / GID of "0" to the UID / GID of the anonymous user
no_root_squash --> Keep the UID / GID of "0" as root (no mapping)
all_squash --> Map the UID / GID of all users to the UID / GID of the anonymous user
no_all_squash --> Map the UID / GID of all users to the respective UID and GID on the local machine (NFS server)

NFS:
Server side:
Step 1 - Edit the /etc/exports file and add a rule. Example: /tmp *(rw)
Step 2 - exportfs -a (to export all the shared folders)
Step 3 - exportfs -v (to verify the exported list)
Step 4 - Start / restart the nfs-server service

Client side:
Step 1 - Verify the export list by running the command --> showmount -e <IP OF NFS SERVER>
Step 2 - Mount the remote share using the command format --> mount -t nfs <IP>:<NFS Shared Folder> <Local Mount Point>. Example --- mount -t nfs 10.0.0.6:/tmp /mnt/mount_folder
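The /etc/exports format and the squash / subtree options above, as an added example in POSIX sh that is not part of the original notes: a small parser that reads an exports-style file and reports, for every (path, client) pair, which squash option is in effect and whether subtree checking is on, flagging entries worth a second look (no_root_squash, or read-write open to every client with *). The sample exports file is constructed for the demo; its paths and addresses are invented.

```shell
#!/bin/sh
# Added example: audit an /etc/exports-style file. Run with a file argument to
# audit a real file; without one it audits a constructed sample.

make_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports (not a real server)
/tmp        *(rw)
/srv/data   10.0.0.0/24(rw,sync,root_squash,subtree_check) 10.0.1.5(ro)
/srv/backup 10.0.0.6(rw,no_root_squash,no_subtree_check)
/srv/public *(ro,all_squash)
EOF
}

# squash_mode OPTIONS -> which squash option applies to the client
squash_mode() {
    case ",$1," in
        *,all_squash,*)     echo all_squash ;;
        *,no_root_squash,*) echo no_root_squash ;;
        *)                  echo root_squash ;;      # the NFS default when unspecified
    esac
}

# subtree_mode OPTIONS -> subtree_check or no_subtree_check
subtree_mode() {
    case ",$1," in
        *,subtree_check,*) echo subtree_check ;;
        *)                 echo no_subtree_check ;;  # nfs-utils default (it warns if neither is given)
    esac
}

# is_risky CLIENT OPTIONS -> true for no_root_squash, or rw exported to every client
is_risky() {
    case ",$2," in *,no_root_squash,*) return 0 ;; esac
    if [ "$1" = "*" ]; then
        case ",$2," in *,rw,*) return 0 ;; esac
    fi
    return 1
}

# audit_exports FILE -> "path client squash subtree ok|RISK", one line per client spec
audit_exports() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | (
        set -f                                   # keep "*" from matching file names
        while read -r path rest; do
            for spec in $rest; do                # one token per client(options)
                client=${spec%%"("*}
                case "$spec" in
                    *"("*) opts=${spec#*"("}; opts=${opts%")"} ;;
                    *)     opts="" ;;            # no options at all
                esac
                flag=ok
                is_risky "$client" "$opts" && flag=RISK
                printf '%s %s %s %s %s\n' "$path" "$client" \
                    "$(squash_mode "$opts")" "$(subtree_mode "$opts")" "$flag"
            done
        done
    )
}

if [ -n "${1:-}" ]; then
    audit_exports "$1"
else
    tmp=$(mktemp); make_sample_exports "$tmp"; audit_exports "$tmp"; rm -f "$tmp"
fi
```

The two RISK lines in the sample output are exactly the two cases the squash notes warn about: root kept as root on a remote client, and a world-open read-write export.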

Samba (smb.conf):

Broad sections:
1. Global section
2. Homes section
3. Share description area

Structure of smb.conf ---> parameter = value
; or # at the start of a line ---> comment

Global section --> Provides the overall configuration of the smb service.
Homes section --> Provides the flexibility to have remote / mobile users without the need to have local home directories on their systems.
Share description --> This is the place where we define our shares: configuration, permissions, description, path, etc.

There can be 3 security types:
1. user (Define the users who can access the shares)
2. share (Define the permissions on the file system for who can access the share)
3. server (LDAP / Active Directory integration)

passdb backend:
1. tdbsam (Local system db)
2. ldapsam (LDAP / AD db)
"password server = <ip/ name>"

Properties that can be configured on a per-share basis:
1. path = /tmp
2. writeable = yes|no
3. guest ok = yes|no
4. read only = yes|no
5. invalid users = @admin
6. valid users = j0ker, u1, u2
7. inherit acls = yes|no
8. log file = /var/log/smb_share_1.log

[RACE]
path = /tmp
writeable = yes
guest ok = no
read only = no
valid users = j0ker
inherit acls = yes
log file = /var/log/smb_share_1.log

The next step is to set the Samba password for the valid user, because the system password and the Samba password are (or can be) different.

Sample smb.conf:

[global]
workgroup = RACE
security = user

passdb backend = tdbsam

# printing = cups
# printcap name = cups
# load printers = yes
# cups options = raw

[share1]
comment = Testing of Samba services
valid users = RACE1, RACE2
browseable = Yes
read only = No
inherit acls = Yes
path = /tmp
log file = /var/log/SAMBA_%m.log

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775

[RACE]
path = /tmp
writeable = yes
guest ok = no
read only = no
valid users = joker
inherit acls = yes
log file = /var/log/smb_share_1.log
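The smb.conf structure (sections, parameter = value, ; and # comments) and the per-share properties above, as an added example in POSIX sh that is not part of the original notes: a reader for the format that looks up one parameter in one section, and an audit over all shares that flags any share where guests can write ("guest ok" on together with "writeable = yes" or "read only = no"). The sample config is constructed for the demo; the share names and paths are invented, and the script assumes share names without spaces and only the writeable / writable / read only spellings of the write setting.

```shell
#!/bin/sh
# Added example: query and audit an smb.conf. Run with a file argument to audit
# a real file; without one it audits a constructed sample.

make_sample_smbconf() {
    cat > "$1" <<'EOF'
[global]
workgroup = RACE
security = user
passdb backend = tdbsam
; comments start with ; or #
# load printers = no

[share1]
comment = Testing of Samba services
valid users = RACE1, RACE2
read only = No
path = /srv/share1

[public]
path = /tmp
guest ok = yes
writeable = yes

[homes]
browseable = No
read only = No
EOF
}

# smb_get FILE SECTION KEY -> value of KEY inside [SECTION], empty when unset
# (section and key names are matched case-insensitively, values are trimmed)
smb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }                              # comment line
        /^[ \t]*\[/ {                                       # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
            cur = tolower(s); next
        }
        index($0, "=") && cur == tolower(sec) {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# guest_writable FILE SHARE -> true when guests are allowed and the share is not read-only
guest_writable() {
    case "$(lc "$(smb_get "$1" "$2" 'guest ok')")" in yes|true|1) ;; *) return 1 ;; esac
    wr=$(smb_get "$1" "$2" writeable); [ -n "$wr" ] || wr=$(smb_get "$1" "$2" writable)
    case "$(lc "$wr")" in yes|true|1) return 0 ;; esac
    case "$(lc "$(smb_get "$1" "$2" 'read only')")" in no|false|0) return 0 ;; esac
    return 1      # "read only" defaults to yes, so no explicit setting means no writes
}

# list_shares FILE -> every section name except global
list_shares() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)].*$/\1/p' "$1" | grep -v -i '^global$'
}

# audit_smbconf FILE -> "share path ok|GUEST_WRITABLE", one line per share
audit_smbconf() {
    for s in $(list_shares "$1"); do
        path=$(smb_get "$1" "$s" path); [ -n "$path" ] || path="(none)"
        flag=ok
        guest_writable "$1" "$s" && flag=GUEST_WRITABLE
        printf '%s %s %s\n' "$s" "$path" "$flag"
    done
}

if [ -n "${1:-}" ]; then
    audit_smbconf "$1"
else
    tmp=$(mktemp); make_sample_smbconf "$tmp"; audit_smbconf "$tmp"; rm -f "$tmp"
fi
```

Samba's own testparm -s prints the effective configuration with defaults filled in; running this audit over that output rather than the raw file catches settings inherited from the global section as well.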

Centralized Syslogging / Logging:

Host ---> UDP/TCP port 514 ---> Centralized server (allowed through IPTables / Firewalld)

Syslog (earlier)
Rsyslog (current)
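The host-to-central-server flow above, as an added example in POSIX sh that is not part of the original notes: it produces the two rsyslog fragments that flow needs (the forwarding action on every host, where a single @ means UDP and @@ means TCP, and the imudp / imtcp listener on the central server) together with the iptables rule that admits port 514 on the server. The host name logsrv.race.local, the /etc/rsyslog.d file names and the port choice are assumptions for the demo.

```shell
#!/bin/sh
# Added example: generate the client and server halves of rsyslog forwarding.

# forward_action PROTO HOST PORT -> forwarding action for the client side
# (one @ sends over UDP, two @@ over TCP; TCP is preferred because UDP loss is silent)
forward_action() {
    case "$1" in
        udp) echo "*.* @$2:$3" ;;
        tcp) echo "*.* @@$2:$3" ;;
        *)   echo "protocol must be udp or tcp" >&2; return 1 ;;
    esac
}

# listener_conf PROTO PORT -> listener stanza for the central server
listener_conf() {
    case "$1" in
        udp) printf 'module(load="imudp")\ninput(type="imudp" port="%s")\n' "$2" ;;
        tcp) printf 'module(load="imtcp")\ninput(type="imtcp" port="%s")\n' "$2" ;;
        *)   return 1 ;;
    esac
}

# firewall_rule PROTO PORT -> iptables rule the central server needs for the traffic
firewall_rule() {
    echo "iptables -A INPUT -p $1 --dport $2 -m state --state NEW -j ACCEPT"
}

# write_configs PROTO HOST PORT DIR -> writes the three fragments into DIR
write_configs() {
    {
        echo "# on every host: /etc/rsyslog.d/90-forward.conf (assumed file name)"
        forward_action "$1" "$2" "$3"
    } > "$4/90-forward.conf"
    {
        echo "# on the central server: /etc/rsyslog.d/10-listen.conf (assumed file name)"
        listener_conf "$1" "$3"
    } > "$4/10-listen.conf"
    firewall_rule "$1" "$3" > "$4/firewall.sh"
}

dir=$(mktemp -d)
write_configs tcp logsrv.race.local 514 "$dir"
cat "$dir/90-forward.conf" "$dir/10-listen.conf" "$dir/firewall.sh"
rm -rf "$dir"
```

After dropping the fragments into place, restart rsyslog on both sides and confirm with a test message (logger) that it arrives in the central server's log.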
