Categories
GNU/Linux

Download web pages or files through the terminal

Wget is a free software tool available for Linux that lets us download files from the web in a very simple way. It supports downloading from HTTP, HTTPS and FTP servers.

The main features of Wget are:

  • Robustness: if the connection is lost, Wget retries and resumes the download instead of starting again from scratch (see the --tries and -c / --continue options).
  • Recursive download: it follows the links of a page down to a configurable depth and fetches the linked documents, which makes it possible to mirror a whole site.
  • Portability: being written in C and open source, it has been ported to many operating systems.
  • It downloads large files without a size limit.
  • The bandwidth it uses can be limited.

With Wget we can also download a complete web page for offline viewing without problems. For this we must write the following line from a terminal.

wget -m -F -p -np -k -erobots=off -U mozilla --limit-rate=50K --wait=2 --html-extension http://www.google.es

Several parameters of the previous command deserve comment:

  • Replace www.google.es with the website we want to download, for example www.redeszone.net.
  • -m (--mirror) turns on recursive download with unlimited depth and timestamping, -p (--page-requisites) also fetches the images and style sheets each page needs, -np (--no-parent) keeps the download below the starting directory, and --html-extension (now called --adjust-extension) saves pages generated by scripts with a .html suffix so that a browser opens them.
  • --limit-rate sets the maximum download speed (50K is 50 KB/s in the example) and --wait=2 pauses two seconds between requests, so that the mirroring does not overload the server.
  • -U sets the User-Agent string the server will see, that is, which browser we appear to be; any text can be written.
  • -e robots=off (written -erobots=off above) makes Wget ignore the site's robots.txt, the file with which a site tells automated clients which paths not to fetch. Without it Wget respects that file and the offline copy may be incomplete; with it, we should fetch only what we are entitled to.
  • -F (--force-html) only matters when the URLs are read from a file with -i, where it makes Wget treat that file as HTML; it does not make the download ignore errors, and with a single URL on the command line it can be omitted.
  • -k (--convert-links) rewrites the links inside the downloaded pages so that they point to the local copies, which is what makes offline viewing work.

Once the command has been entered, press Enter and Wget will start the download.

When the download finishes, the website is stored in the current directory under a folder named after the site's host name (www.google.es in the example), and it can be viewed offline.

Although there are many other tools to download websites, wget is one of the easiest to use, since one line does the whole job. It also downloads a single file over HTTP or HTTPS simply with wget url.
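When wget is used to fetch software rather than web pages, the file should be checked against a SHA-256 digest obtained through another channel (the project's signed release page, for instance) before it is used. The following script is an added example for this article, not code from the Wget project; it assumes sha256sum from GNU coreutils is installed, and the WGET variable exists only so that the downloader can be replaced by a fake one when testing the logic.

```shell
#!/bin/sh
# Added example for this article (not Wget project code): download a file
# and keep it only if its SHA-256 digest matches one obtained out of band.
# Assumptions: sha256sum from GNU coreutils is installed; WGET names the
# downloader command and exists only so that it can be swapped in tests.
WGET=${WGET:-wget}

# sha256_of FILE -> prints the hex digest of FILE
sha256_of() {
  sha256sum "$1" | awk '{ print $1 }'
}

# verify_sha256 FILE EXPECTED -> exit 0 if the digest matches, 1 otherwise
verify_sha256() {
  actual=$(sha256_of "$1") || return 1
  [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED_SHA256 OUTFILE
#   refuses plain http:// (over HTTP the digest is all that protects us, and
#   wget's certificate check, which is on by default, does nothing),
#   fails on HTTP errors, limits retries, and verifies before keeping the file
fetch_verified() {
  url=$1; expected=$2; out=$3
  case $url in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
  esac
  if ! "$WGET" --tries=3 --timeout=30 -O "$out" "$url"; then
    rm -f "$out"
    echo "download failed: $url" >&2
    return 2
  fi
  if verify_sha256 "$out" "$expected"; then
    echo "verified: $out"
  else
    rm -f "$out"                       # never leave an unverified file behind
    echo "DIGEST MISMATCH, removed $out" >&2
    return 3
  fi
}

# Usage, with the digest published by the project (placeholders):
#   fetch_verified https://example.org/tool.tar.gz <sha256> tool.tar.gz
```

The download is removed on mismatch rather than left for a later "I'll check it afterwards", and the HTTPS requirement is enforced by the script rather than by a wget option, because wget's --https-only only restricts the links followed in recursive mode.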


Manual for using this tool to manipulate TCP / IP packets

When we want to check connectivity, we all use the ping command, a tool that sends ICMP echo requests to a host to find out whether it is reachable or whether there is a problem in between. However, ping is very simple: it allows practically no modification of the packets and uses no protocol other than ICMP.

Hping3 is a more advanced application that lets us craft the TCP/IP packets we send, giving us much greater control over them and allowing us to adapt them to our needs.

What does Hping3 offer us?

Hping3 is a terminal application for Linux that lets us easily assemble and analyse TCP/IP packets. Unlike a conventional ping, which only sends ICMP echo requests, this application can send TCP, UDP, ICMP and raw IP packets.

Besides packet analysis, the application is also useful for security work, for example to test how a firewall treats different protocols and ports, to detect suspicious or modified packets, and to test how a system or a firewall holds up under a DoS attack.

Install Hping3

Hping3 is available in the official Ubuntu repositories, so to install it we simply open a terminal (or a package manager such as Synaptic) and type:

sudo apt install hping3

The package occupies about 3,600 KB. Once installed we can start using it; since hping3 builds its packets on raw sockets, it has to be run as root, so in practice the commands below are prefixed with sudo.

Hping3 commands

The functions this program supports are very numerous: from a simple ping to sending packets to a specific port, even hiding the source IP.

If we want to know in depth all the parameters that this program offers us, we can consult the help included in the tool simply by typing in the terminal:

hping3 --help

How to use Hping3

Simple ping test

We can use this tool like the conventional ping command, obtaining similar results. To do this we simply type:

hping3 www.google.es

and we will see the connection test run. (We can replace the Google domain with any other, or use an IP address directly.) Note that in its default mode hping3 does not send ICMP: it sends TCP packets with no flags set to port 0 of the target, and the RST replies tell us that the host is up. To send ICMP echo requests exactly as ping does, add the -1 (--icmp) option.

Plot connection path

Similarly to tracert in Windows or traceroute in Linux, with this tool we can also follow every hop a packet takes from our computer to its destination, which lets us see at which point a connection problem appears.

To do this we simply have to type:

hping3 redeszone.net -t 1 --traceroute

Port scanning using the TCP SYN flag

This tool also sends TCP packets, in the purest Nmap style. To scan a port this way we type hping3 -S [destination IP] -p [port] (-S sets the SYN flag and lowercase -p chooses the destination port; uppercase -P would set the PUSH flag instead), for example:

hping3 -S www.google.es -p 80

If the reply shows flags=SA, that is SYN/ACK: the connection was accepted, in other words the port is open. If it shows flags=RA, that is RST/ACK: the host answered but rejected the connection, so the port is closed. If no reply at all arrives, the packet (or its answer) was dropped on the way, which usually means a firewall is filtering the port. Adding -c 1 limits the test to a single packet instead of sending one per second until we interrupt it.

In this way we can find out, for example, whether communication to a certain port is allowed or whether a firewall is filtering it.
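To turn the flags described above into a verdict automatically, here is an added example (not code from hping3) that parses the reply to a single SYN probe and sweeps a list of ports. It assumes hping3 is run through sudo, since it needs raw sockets; the sample reply line in the comments is constructed, following the format hping3 prints.

```shell
#!/bin/sh
# Added example for this article, not hping3 project code: turn the reply to
# a SYN probe into a verdict and sweep several ports. The probes need root
# (raw sockets); the parser itself runs anywhere. Constructed sample reply,
# in the format hping3 prints:
#   len=46 ip=192.0.2.10 ttl=56 DF id=0 sport=80 flags=SA seq=0 win=65535 rtt=12.1 ms

# classify_reply: reads hping3 output on stdin, prints open | closed | filtered
classify_reply() {
  awk '
    /flags=/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^flags=/) f = substr($i, 7)
      if (f == "SA")        verdict = "open"      # SYN/ACK: service listening
      else if (f ~ /R/)     verdict = "closed"    # RST (RA): host up, nothing listening
      else                  verdict = "other:" f  # e.g. a stray ACK; inspect by hand
      exit
    }
    # no line with flags= at all: the packet or its answer was dropped
    END { print (verdict == "" ? "filtered" : verdict) }
  '
}

# syn_probe HOST PORT: one SYN (-S) to PORT (-p), a single packet (-c 1)
syn_probe() {
  sudo hping3 -S -c 1 -p "$2" "$1" 2>/dev/null | classify_reply
}

# sweep HOST PORT...: one verdict per port, e.g. sweep 192.0.2.10 22 80 443
sweep() {
  host=$1; shift
  for port in "$@"; do
    printf '%s/tcp %s\n' "$port" "$(syn_probe "$host" "$port")"
  done
}
```

The three outcomes are kept apart on purpose: "closed" proves the host is reachable and answering, while "filtered" means a device in between swallowed either the SYN or the reply, which is the case that tells us the firewall is doing its job.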

Sign packets with a custom text file

It is possible to modify the packets we send and insert a custom message in them, similar to a signature. To do this we simply type:

hping3 redeszone.net -d 50 -E firmaredeszone.txt

This command places the contents of the indicated text file in the data section of the packets. If we capture them with suitable software such as Wireshark we will see the contents of the file inside them.

The parameters mean:

  • -d: the size in bytes of the data section of each packet, 50 in this case; it must be large enough to hold the message.
  • -E: the file from which the signature to insert in the packets is taken.

We can also use other parameters, for example -p to indicate the destination port for these packets, or -2 (--udp) to send them over UDP instead of TCP.

Generate multiple requests to test DoS and DDoS protection

This tool also lets us test the stability of our own systems against network attacks such as DoS and DDoS, generating realistic traffic either towards localhost or towards another server inside (or outside) our network.

We can send packets whose source IP is randomised in each one simply by typing:

hping3 --rand-source 192.168.1.1

Likewise, we can add the --flood parameter so that packets are sent as fast as possible, without waiting for replies. This way we can check, first, whether our firewall works and, second, how well our system stands up to a DDoS-style load.

For this we will type:

hping3 --rand-source --flood 192.168.1.1

In just a couple of seconds this generates more than 25,000 packets, so we must be careful, since our own network may become saturated and unusable.

With this, a large number of packets with a forged source (thanks to --rand-source) are sent continuously to the destination server (192.168.1.1 in this case). Because the sources are random, the replies never come back to us, so hping3 only reports what it sent. In this way we can verify the robustness of our system against DDoS attacks: if the system stops responding or crashes, there may be a configuration weakness that we must correct before it happens in a real environment.

This tool is very useful, but it should always be used in closed and controlled environments and only against systems we are authorised to test; otherwise we could end up carrying out a denial-of-service attack against a machine we should not touch, which is illegal and may be sanctioned.

We recommend consulting the official hping man page (man hping3) to know all its options.


How to configure a VNC server on Ubuntu Server without graphical interface

In this article we explain an intermediate point between a server with no graphical interface and one with a full desktop: we install a VNC server on our Ubuntu Server that provides a graphical session based on Gnome Core only inside VNC, without loading it on the server console, so that the resources stay available for the services the machine runs. The first thing to do is install the Gnome Core package. To do this we type the following in the console of our server (physically or via SSH):

  • sudo apt-get install gnome-core

We will also install the VNC server. We will install it with the following line:

  • sudo apt-get install vnc4server

Once the installation is finished we must start the VNC server for the first time. We must type:

It will ask us for the password with which we will access VNC. Once the access password is set, it tells us that the server has been started on the first VNC virtual display, that is, :1.

The first thing we will do is close this new virtual desktop, make some small configuration changes and then start it again by hand. For this we type:

Next we configure some parameters of the VNC server. To do this we open the following file in an editor:

That is the default VNC startup file. To configure it, we replace its content with the following:


#!/bin/sh
# VNC session startup file: launch a GNOME classic session inside the
# VNC display instead of the default bare terminal
unset SESSION_MANAGER
#exec /etc/X11/xinit/xinitrc
gnome-session --session=gnome-classic &

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
xsetroot -solid grey
vncconfig -iconic &
#x-terminal-emulator -geometry 1280x1024+10+10 -ls -title "$VNCDESKTOP Desktop" &
#x-window-manager &

Once our configuration file is saved, we type in the terminal:

  • vncserver -geometry 1920x1080

changing the resolution to the one we want to use. After a few seconds the VNC server is running again on virtual display :1. To connect to it we download a VNC client (the official one, for example, or Vinagre in Ubuntu) and connect to the IP address of our server followed by a colon and the number of the virtual display we activated, :1 in our case (display :1 corresponds to TCP port 5901). Keep in mind that VNC traffic, including the password exchange, is not encrypted and the VNC password is limited to 8 characters, so if the server is reachable from a network we do not trust it is better to start it with the -localhost option, so that it only accepts connections from the server itself, and reach it through an SSH tunnel (ssh -L 5901:localhost:5901 user@server, then connect the client to localhost:1).

With this our server is ready to be controlled remotely. If the server restarts we will have to run the vncserver command again via SSH, unless we create a script that starts VNC at system startup (the original article links to a complete script for this purpose).


Install a VNC server for remote access

We are going to configure our Ubuntu so that its desktop can be accessed remotely through VNC from any browser.

We install the necessary packages:

sudo aptitude install x11vnc

sudo aptitude install vnc-java

Once installed, we run the following in the console (WITHOUT superuser privileges, so that the password file is created under our own home directory):

x11vnc -storepasswd

We enter the password we want.

Now we open ports 5800 and 5900 on our router or firewall, forwarding them to our (internal) IP. Bear in mind that this exposes the desktop to the whole Internet protected only by the VNC password, which is limited to 8 characters and travels with weak protection; a safer alternative is to add -localhost to the command below and reach the server through an SSH tunnel, or at least to use x11vnc's -ssl option.

We run the following command to start the server:

x11vnc -forever -usepw -httpdir /usr/share/vnc-java/ -httpport 5800

If we want it to start with the system we go to:

System / Preferences / Startup Applications

Click Add and in Command put:

x11vnc -forever -usepw -httpdir /usr/share/vnc-java/ -httpport 5800

Now, to access the computer, just enter in the browser:

http://IP:5800

We can also access it through a DynDNS host name.

The listening ports can be changed (-httpport for the browser viewer, -rfbport for the VNC port itself).

If the computer is configured to be switched on remotely (Wake-on-LAN), we must first access it via SSH (see the manual on configuring an SSH server in Ubuntu to enter the computer remotely and safely), log in with our account and run:

x11vnc -forever -usepw -httpdir /usr/share/vnc-java/ -httpport 5800

to bring up the VNC server.
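Both VNC articles above leave the server reachable from the network with only the VNC password in the way. The following added example (not code from vnc4server or x11vnc) starts the display bound to loopback so that it is used through an SSH tunnel, and includes a check that lists any VNC port exposed on a non-loopback address. It assumes that vncserver and x11vnc accept -localhost and that ss from iproute2 is installed; the listener table used to try the check is constructed.

```shell
#!/bin/sh
# Added example for the two VNC articles, not code from vnc4server or
# x11vnc: keep the VNC display reachable only through an SSH tunnel, and
# check that no VNC port is listening on a public address.
# Assumptions (not stated in the articles): vncserver (vnc4server) and
# x11vnc both accept -localhost, and ss from iproute2 is available. The
# sample listener table in the usage note is constructed.

# exposed_vnc_ports: reads `ss -ltn` output on std in and prints every
# listener on 5800-5999 (VNC displays and the browser viewer) that is bound
# to something other than loopback, i.e. reachable from the network.
exposed_vnc_ports() {
  awk '$1 == "State" { next }                 # skip the header line
       {
         n = split($4, a, ":"); port = a[n] + 0
         host = substr($4, 1, length($4) - length(a[n]) - 1)
         if (port >= 5800 && port <= 5999 && host != "127.0.0.1" && host != "[::1]")
           print $4
       }'
}

# start_vnc_local DISPLAY [GEOMETRY]: vnc4server display bound to loopback;
# the client reaches it through ssh -L <5900+DISPLAY>:localhost:<5900+DISPLAY>
start_vnc_local() {
  port=$((5900 + $1))
  vncserver -localhost -geometry "${2:-1280x800}" ":$1"
  echo "from the client: ssh -L $port:localhost:$port user@server, then connect the viewer to localhost:$1"
}

# start_x11vnc_local: same idea for the x11vnc article (password from
# x11vnc -storepasswd, loopback only, no browser viewer on 5800)
start_x11vnc_local() {
  x11vnc -forever -usepw -localhost -rfbport 5900
}

# Audit the running system: any output here means VNC is network-exposed.
#   ss -ltn | exposed_vnc_ports
```

With the display bound to loopback, the router port forwards of the second article are no longer needed: only SSH has to be reachable, and the VNC session rides inside its encrypted tunnel.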


How to use IP command (iproute2 suite) instead of ifconfig in Linux

Most Linux users know and use the ifconfig command. Combined with different parameters, it shows many aspects of the network configuration, for example the IP and MAC address of each interface and its traffic counters, and lets us change them. ifconfig is a long-standing command (part of the net-tools package) and, although it is still present in many distributions, it is deprecated and destined to be replaced by the ip command of the iproute2 suite.

iproute2 is a much more complete and modern tool than ifconfig, so its use is recommended for managing the different aspects of our network. With ip we can do everything that ifconfig does and, being a much more complete suite, configure parameters that ifconfig does not expose (policy routing, several addresses per interface, network namespaces, tunnels). The ip command of the iproute2 suite covers the functionality of route, ifconfig, arp, ipmaddr and iptunnel.

Below is a short comparison between ip and ifconfig.

Show network devices and their settings:

ifconfig
ip addr show
ip link show

Activate a network interface:

ifconfig eth0 up
ip link set eth0 up

Deactivate a network interface:

ifconfig eth0 down
ip link set eth0 down

Set an IP address on an interface:

ifconfig eth0 192.168.1.1
ip address add 192.168.1.1/24 dev eth0

(With ip the prefix length should be given explicitly: ip address add 192.168.1.1 dev eth0 without it assigns a /32, whereas ifconfig would have chosen a class-based netmask.)

Remove an IP address from an interface:

ifconfig has no direct equivalent (it can only clear the primary address with ifconfig eth0 0.0.0.0).
ip address del 192.168.1.1/24 dev eth0

Add a secondary (alias) address:

ifconfig eth0:1 10.0.0.1/8
ip addr add 10.0.0.1/8 dev eth0 label eth0:1

Add an entry to the ARP table:

arp -i eth0 -s 192.168.0.1 00:11:22:33:44:55
ip neigh add 192.168.0.1 lladdr 00:11:22:33:44:55 nud permanent dev eth0

Disable ARP on an interface:

ifconfig -arp eth0
ip link set dev eth0 arp off

IP configuration examples with iproute2

We can access a complete manual with all the available parameters of this utility for the configuration of a network with IP by typing in a terminal:

man ip

To configure a physical network card, for example, with ifconfig we must type the following:

ifconfig eth0 192.168.0.2 netmask 255.255.255.0

To do the same with IP, we will type the following:

ip addr add 192.168.0.2/24 dev eth0

Now we know how to use the most basic commands of iproute2, if we need to do something more advanced we can always consult the MAN pages that will show us what each parameter means.
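Scripts that configure addresses usually have to be safe to run more than once. The following added example (not code from the iproute2 project) adds the address from the article only when it is missing, reading the current state back from ip's one-line-per-entry output, which is far easier to parse than ifconfig's. It assumes eth0 and 192.168.0.2/24 as above; the sample output used in the usage note is constructed.

```shell
#!/bin/sh
# Added example for this article, not iproute2 project code: apply a static
# address with ip only when it is missing, and read the configuration back
# by parsing ip's one-entry-per-line output (-o), which is what scripts
# should use instead of screen-scraping ifconfig. Assumes eth0 and
# 192.168.0.2/24 as in the article; the sample output in the usage note is
# constructed.

# addrs_of DEV: stdin = output of `ip -o -4 addr show`, prints DEV's CIDRs
#   line format: "2: eth0    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0\ ..."
addrs_of() {
  awk -v dev="$1" '$2 == dev && $3 == "inet" { print $4 }'
}

# has_addr DEV CIDR: exit 0 if DEV already carries exactly CIDR
has_addr() {
  ip -o -4 addr show dev "$1" | addrs_of "$1" | grep -qxF -- "$2"
}

# ensure_addr DEV CIDR: idempotent `ip addr add`; a second run changes nothing
# instead of failing with "RTNETLINK answers: File exists"
ensure_addr() {
  if has_addr "$1" "$2"; then
    echo "$1 already has $2"
  else
    ip addr add "$2" dev "$1" && ip link set "$1" up
  fi
}

# Usage (as root): ensure_addr eth0 192.168.0.2/24
#   Constructed sample of what `ip -o -4 addr show` prints:
#   2: eth0    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0\       valid_lft forever preferred_lft forever
```

The -o flag is what makes the output safe to parse: every address is one line with fixed field positions, so the check does not break when ip wraps or reorders its human-readable layout.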


How to use Gufw, the Linux firewall

The quintessential Linux firewall is iptables. It lets us configure, rule by rule, which connections we accept on our computer and which we block for security reasons. However, iptables is quite complicated for inexperienced users, so with Ubuntu 8.04 Canonical published a new tool called UFW (Uncomplicated Firewall), which simplifies the use of iptables and allows the main aspects of the firewall to be configured from a terminal.

Some users still found UFW complicated, so Gufw was developed: a graphical interface that configures UFW from the desktop without typing commands.

Using Gufw is straightforward. The first thing we must do is install it. For this we type:

sudo apt-get install gufw

Once installed we can start configuring rules. The first thing we see when the firewall starts is an interface similar to the following:

As we can see, there are several profiles that let us keep a different firewall configuration according to our location, for example some rules for home and others for work. There is also a switch to turn the firewall on and off easily, and the default policy for all incoming and outgoing traffic (Gufw's defaults are to deny incoming and allow outgoing connections).

If we click on the “Rules” section we can add new rules to our firewall. They can be configured from a series of presets (categories with programs associated to them) that already carry the default configuration and the ports those programs use.

We can also choose to configure the new rule manually in a simple way:

Or use the advanced settings, which are much more complete, to create the rule:

In the “Listening Report” section we can see a list of all the applications that are listening on the network and the connections they have established remotely; it is a good way to spot a service we did not know was exposed, and to make sure a rule exists for every one that should be reachable.

Finally, in the log we can see everything that happens in our firewall, including the connections it has blocked.

As we can see, it is very easy to manage the Linux firewall through Gufw in graphical mode. Without a doubt a great tool that helps to increase the security of Linux systems further.

Are you a Gufw user? What do you think of this app?


Backupninja, a program to make backup copies in Linux

On other occasions we have already talked about the importance of making regular backup copies of our most important files. In the event of a failure or an error, if we have a backup we can recover the data; if we do not, it may be impossible to get the content back (personal photographs, for example) and we lose access to it forever.

There are many applications for scheduling backups on every operating system. In previous articles we have talked about backup applications for Windows, so this time it is Linux's turn. Backupninja is a free tool developed for Debian (and available in Ubuntu) with which Linux users can also make backup copies of their files.

Backupninja offers practically the same functions as any other backup tool; one of its strengths is that it is driven entirely from the terminal, so that more advanced users can write a simple configuration that schedules the backups and runs them automatically, while a text-mode wizard helps with the initial setup.

Install Backupninja

The first thing we must do is install Backupninja from the official repositories by typing:

  • sudo apt install backupninja

During installation it may ask about our Internet connection and mail server: this is the configuration of the mail system that Backupninja uses to send a notification each time a backup runs (ideal for system administrators).

How to use Backupninja

Once installed it is ready to run. To open the wizard that lets us start configuring the backup copies, we type:

We create a new task and a window similar to the following appears.

From here we choose the type of backup, so that Backupninja knows which tool best suits our needs, for example whether we want to copy to a remote server, dump databases, etc.

In this example we choose “tar” to make a conventional backup. In the next step we choose when the backup is to run automatically.

Then the name we want to give the backups, to identify them more easily.

The destination directory where these periodic, automatic copies will be written. If that directory lives on the same disk as the data, a disk failure takes both with it, so a different disk or a remote destination is preferable.

And the compression to apply to the data so that it takes up less space. The higher the compression, the less space, but the copy takes longer and uses more CPU.

To finish we choose the directories to include in the backup copies and those to exclude. Here we mark all those that contain personal or important data that we do not want to lose if something happens.

With this we have completed the backup wizard. We return to the main window of the wizard, where we see a new entry corresponding to our backup plan.

If we select it, we see the configuration menu of that backup, from which we can modify it, run it or rename it, among other tasks.

With this we have a backup plan scheduled with Backupninja. Depending on the type of data we want to copy we will use one handler or another, but broadly speaking they are all controlled in a similar way, and the tool as a whole gives us powerful backup software in the purest Linux style that can be run entirely from a terminal.

What do you think of Backupninja? Do you know of any other similar backup tools for Linux?


How to install Kodi (XBMC) on Ubuntu

Kodi, formerly known as XBMC, is a tool that turns our computer into a complete media centre from which we can play practically any kind of film, audio or photo, both locally and over the Internet, easily and quickly. It was initially developed for the Xbox platform, but its developers ported it to other systems until today it is available for practically any operating system, on desktops, mobile devices and even ARM platforms.

In this article we show how to install this media centre on Ubuntu, although the steps are also valid for any other Debian-based distribution, for example Linux Mint.

How to install Kodi on an Ubuntu or derivative operating system

Kodi has official repositories (a PPA) from which we can install it from a terminal without downloading any additional package, and then manage the media centre's updates from the system's own updater. Adding a PPA means trusting the packages and the signing key of the team that maintains it, so only the official one should be added. To install Kodi and guarantee correct operation we first install the packages needed to add a PPA. For this we open a terminal and type:

sudo apt install python-software-properties pkg-config software-properties-common

(On recent Ubuntu releases the python-software-properties package no longer exists; software-properties-common alone provides add-apt-repository.)

Once the dependencies are installed, we can install the multimedia center on our computer. To do this, the first thing we must do is add the official repositories of the developer group to the list of software in our system and update it, by typing:

sudo add-apt-repository ppa:team-xbmc/ppa
sudo apt update

Once the repositories are already added and updated we can install the multimedia center by typing in the same terminal:

sudo apt install kodi


We wait for the tool to download and install on our operating system. Once this is finished we will be ready to use it. We can run it from the shortcut that we will have created in the software menu (depending on the desktop version we use) or by typing “kodi” in the same terminal window.


Install PVR add-ons in Kodi

Kodi is a modular media centre: its functions can be extended easily through add-ons, so that we can, for example, watch P2P television through this platform using the corresponding extension.

By default the installation does not include the PVR add-ons (the clients for TV back-ends), so if we are going to use them we must install them manually. To do this we simply type in the terminal:

sudo apt install kodi-pvr-XXXXXXX

replacing the X's with the package we want from the following list:

  • dev – Kodi Media Center development version
  • argustv – PVR Argustv
  • demo – PVR Demo
  • dvbviewer – PVR Dvbviewer
  • iptvsimple – PVR Iptv
  • mediaportal-tvserver – PVR Mediaportal Tvserver
  • mythtv – PVR MythTv – Cmyth
  • nextpvr – PVR NextPvr
  • njoy – PVR Njoy
  • tvheadend-hts – PVR TvHeadend Hts
  • vdr-vnsi – PVR VDR Vnsi
  • vuplus – PVR Vuplus

With this we will have our multimedia center installed and ready to start playing our movies and series as well as our music and our photographs.

More information and source on the main Kodi Media Center website.


Encrypt a USB with password in Ubuntu

USB memory sticks are used more and more to carry information from one place to another easily; however, if the stick is lost or stolen, all the data on it is exposed to whoever finds it, and we do not know who that is or what they will do with it. Fortunately, USB drives, like most devices today, can be encrypted so that in the event of theft or loss our data is not compromised.

In this article we show how to encrypt a USB stick in Ubuntu using only the Disks tool, without installing any additional software. To do this, the first thing we do is open the Disks tool from the Unity launcher (or the corresponding menu of our desktop) and we will see a window similar to the following.

All the hard drives connected to the computer and the USB sticks appear here. We select the stick we want to encrypt, being very careful not to select another unit, since the process deletes all the data stored on it. A summary of that drive appears automatically.


The next step is to click on the options button (the one shaped like a gear) and in the menu that appears choose “Format”.

A new window opens where we choose the type of volume we want to create and the file system to use.

Taking advantage of the process, we securely erase the whole drive and apply the encryption. This way nobody will be able to recover any file previously saved on it, which improves privacy.

For this we fill in the previous window with the following parameters:

  • Erase: overwrite existing data with zeros. This is the step that removes the old, unencrypted contents; if we skip it, the previous files stay recoverable from the unused area of the stick with recovery tools, even though the new volume is encrypted.
  • Type: Encrypted, compatible with Linux systems (LUKS + Ext4).
  • Name: the name we want to give the volume (RZ_Cipro).
  • Password: the passphrase from which the encryption key is derived and which will be asked for to open the stick. Once the stick is lost, guessing this passphrase offline is the only attack left, so it should be long and not reused anywhere else.

The configuration window will look like the following.

Everything is ready. The next thing to do is click the “Format” button and review the summary window to check that everything is correct.

Problems encrypting the drive?

Ubuntu 14.04 does not come with the “cryptsetup” dependency installed by default, so the Disks tool returns an error when trying to encrypt the drive.

To solve this we simply open a terminal and type:

sudo apt install cryptsetup

Now we can click on the “Format” button again so that the whole process completes without problems.

Once the encrypted volume has been created, our stick is protected. Whenever we try to access it we will be asked for the passphrase; without it, what is stored on the stick is only ciphertext, so the data cannot be read or recovered with forensic recovery tools either. The protection is only as strong as the passphrase, however, and only while the stick is locked: an opened stick on a running computer exposes the data like any other drive.

We can indicate how long the system should remember the passphrase: only this once, for this session or forever. The last option is not recommended, because anyone who gets hold of both the stick and our computer would be able to access the data without knowing the passphrase.
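Before trusting a stick that was encrypted this way (or one that is handed to us), it is worth confirming that what is on it really is a LUKS container rather than a plain file system with a misleading label. The following added example (not code from cryptsetup or GNOME Disks) reads the magic bytes and the version field of the LUKS header directly from the device or from an image of it; it needs only od from coreutils and read access to the device, and /dev/sdX is a placeholder.

```shell
#!/bin/sh
# Added example for this article, not code from cryptsetup or GNOME Disks:
# confirm that a drive (or an image of it) carries a LUKS header before
# trusting it, without opening or mounting it. The "Encrypted, compatible
# with Linux systems" option of Disks creates exactly this kind of container
# (cryptsetup luksDump shows the complete header once we know it is one).
# Assumptions: od from coreutils; /dev/sdX below is a placeholder.

# luks_version PATH: prints 1 or 2 for a LUKS1/LUKS2 header, nothing and
# exit status 1 otherwise
luks_version() {
  # first 8 bytes of the header: "LUKS" 0xba 0xbe, then the version as a
  # 16-bit big-endian integer
  hdr=$(head -c 8 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case $hdr in
    4c554b53babe0001) echo 1 ;;
    4c554b53babe0002) echo 2 ;;
    *) return 1 ;;
  esac
}

# check_encrypted PATH: human-readable verdict, exit 0 only for a LUKS volume
check_encrypted() {
  if v=$(luks_version "$1"); then
    echo "$1: LUKS$v container (contents are ciphertext without the passphrase)"
  else
    echo "$1: no LUKS header, contents are readable by anyone who has the stick" >&2
    return 1
  fi
}

# Usage on the real stick (needs read access to the whole device):
#   sudo sh -c '. ./luks_check.sh; check_encrypted /dev/sdX'
```

Reading the header is deliberately all the check does: it proves the stick holds a LUKS container and nothing about the passphrase, which is the part the user still has to get right.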


Firewall configuration on Linux with IPtables

Iptables is the firewall included in the Linux kernel since version 2.4 (the kernel side is the Netfilter framework; iptables is the tool that loads the rules into it). It is a rule-based firewall: it works by applying the rules we give it, in order, to every packet. Iptables is also found in Linux-based router firmware and, of course, in Android devices.

Using iptables is quite complex, so let's take a general look at its options.

On distributions that ship an iptables service (the Red Hat family) we can start, stop and restart it with these commands:

  • sudo service iptables start
  • sudo service iptables stop
  • sudo service iptables restart

On Ubuntu there is no such service: the rules take effect as soon as each iptables command runs, and they are persisted across reboots with the iptables-persistent package (or by hand with iptables-save and iptables-restore).

The main iptables commands are the following (command arguments):

  • -A --append → add a rule at the end of a chain.
  • -D --delete → delete a rule from the specified chain.
  • -R --replace → replace a rule.
  • -I --insert → insert a rule at a given position in a chain (at the top if no position is given).
  • -L --list → list the rules of the chain given as argument (of all chains if none).
  • -F --flush → remove all rules from a chain.
  • -Z --zero → reset the packet and byte counters of a chain.
  • -N --new-chain → create a user-defined chain.
  • -X --delete-chain → delete the specified (empty, user-defined) chain.
  • -P --policy → set the default policy of a chain, that is, what the kernel does with packets that match no rule.
  • -E --rename-chain → rename a user-defined chain.

Main matches (conditions) for iptables:

  • -p --protocol → the rule applies to a protocol (tcp, udp, icmp...).
  • -s --src --source → the rule applies to a source IP or network.
  • -d --dst --destination → the rule applies to a destination IP or network.
  • -i --in-interface → the rule applies to the interface the packet arrives on, such as eth0 (INPUT and FORWARD chains).
  • -o --out-interface → the rule applies to the interface the packet leaves through (OUTPUT and FORWARD chains).

TCP/UDP matches (they require -p tcp or -p udp):

  • --sport --source-port → match a specific source port (or a range, written port:port).
  • --dport --destination-port → match a specific destination port (or a range).

There are many more matches for an advanced firewall configuration, but the elementary ones are those listed.

Configure default rules

The default policy of a firewall should be «block everything except [rules]». To configure the firewall to block all connections we type:

  • iptables -P INPUT DROP
  • iptables -P FORWARD DROP
  • iptables -P OUTPUT DROP

With this we are left without Internet, so next we must create the permissive rules. If we are configuring the machine over SSH the order matters: set these policies only after the rules that allow our own session exist (or load the whole ruleset at once with iptables-restore), otherwise the connection is cut the moment the INPUT policy changes.

To apply a rule that filters a certain port we run, for example:

  • iptables -A INPUT -p tcp --sport 2222 -j DROP → drop TCP packets whose source port is 2222 (a rule without -j only counts the packets that match it)

To block traffic from a range of IP addresses:

  • iptables -A INPUT -p tcp -m iprange --src-range 192.168.1.13-192.168.2.19 -j DROP (example range)

We can also block by MAC address with the --mac-source match:

  • iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 -j DROP

Once the rules we want have been executed we must save them: with sudo service iptables save on the Red Hat family, or on Ubuntu with sudo iptables-save > /etc/iptables/rules.v4, the file that iptables-persistent loads at boot.

View firewall status

iptables -L lists the rules of every chain. Adding -v gives more information about each rule (packet and byte counters, interfaces), and -n shows IP addresses and ports numerically, without resolving them through DNS, so the complete command is iptables -L -v -n.

Delete existing rules

To erase the whole firewall configuration and start again we flush all the rules with the -F option seen above. Since -F does not touch user-defined chains or the default policies, we also delete the chains with -X and set the policies back to ACCEPT with -P if we want to return to an open firewall.

Allow incoming connections

We type the following:

  • iptables -A INPUT -i [interface] -p [protocol] --dport [port] -m state --state NEW,ESTABLISHED -j ACCEPT

-i: the interface, for example eth0. This is useful when we have several network cards; if we only have one we do not need to specify it.

-p: protocol. We must specify whether it is TCP or UDP.

--dport: the port we want to allow, for example 80 in the case of HTTP.

-m state --state NEW,ESTABLISHED: accept both the packets that open a new connection and those belonging to one the kernel is already tracking (the list is written without spaces after the comma).

An example to allow incoming connections to our web server:

  • iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow outbound connections

  • iptables -A OUTPUT -o [interface] -p [protocol] --sport [port] -m state --state ESTABLISHED -j ACCEPT

-o: the interface, for example eth0, as in the previous case.

-p: protocol. We must specify whether it is TCP or UDP.

--sport: the local port whose replies we want to let out, for example 80 for HTTP or 443 for HTTPS.

This rule is the counterpart of the previous one: with the OUTPUT policy set to DROP, the replies of our web server (which leave with source port 80, on a connection that is already ESTABLISHED) would be dropped without it. An example to let the responses of our web server out:

  • iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Note that this does not let the machine itself browse the web: for that the roles are reversed, and we need --dport 80 (or 443) with --state NEW,ESTABLISHED on OUTPUT, and --sport 80 (or 443) with --state ESTABLISHED on INPUT. A simpler and more robust pattern is to accept everything in state ESTABLISHED,RELATED on both chains once, and then write only the NEW rules for each service.

Allow ICMP packets

By default, ping is disabled. We must enable it manually by adding the corresponding entries in iptables. For this we will type:

In order to ping other servers:

  • iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

To allow receiving ping requests from other computers:

  • iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow internal traffic to go to the internet

In the case of having 2 network cards (eth0 locally and eth1 connected to the internet) we can configure the firewall to forward the local network traffic through the internet. For this we will write:

  • iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
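The sections above add one rule at a time, but the order in which they end up in the chain decides what happens: iptables evaluates each chain top to bottom and stops at the first match, so a block rule appended after a broad ACCEPT never fires. The script below is an added example, not part of the original article, that gathers the rules discussed so far into one ruleset in the format read by iptables-restore, with the blocks placed first and explicit default policies. The interface names eth0/eth1, the blocked range and the blocked MAC are the article's sample values; `-m conntrack --ctstate` is the current spelling of the article's `-m state --state`. Three details worth knowing when comparing it with the commands above: the article's OUTPUT rule with `--sport 80` matches the replies of a local web server, not our own browsing (browsing is covered by accepting ESTABLISHED,RELATED on INPUT while OUTPUT stays ACCEPT); answering pings from other hosts requires `echo-request` on INPUT, while `echo-reply` on INPUT is what lets the answers to our own pings back in; and `service iptables save` is a helper of RHEL-style distributions, so the generic way to persist rules is `iptables-save` to a file and `iptables-restore` from it. Forwarding a LAN to the internet additionally needs `net.ipv4.ip_forward=1` and, for private addresses, a MASQUERADE rule in the nat table, which this filter-only example leaves out.

```shell
#!/bin/sh
# Added example (not from the article): the rules of the sections above gathered
# into one iptables-restore ruleset, ordered so the blocks are evaluated first.
# LAN_IF, WAN_IF and the blocked range/MAC are illustrative assumptions.
LAN_IF="${LAN_IF:-eth0}"            # local network card
WAN_IF="${WAN_IF:-eth1}"            # card connected to the internet
BLOCKED_RANGE="${BLOCKED_RANGE:-192.168.1.13-192.168.2.19}"
BLOCKED_MAC="${BLOCKED_MAC:-00:00:00:00:00:01}"

# Print the ruleset; feeding it to iptables-restore replaces many iptables -A calls.
build_ruleset() {
  cat <<EOF
*filter
# Default policies: whatever no rule accepts is dropped, so every wanted flow
# (loopback, replies to our own connections, ...) needs an explicit rule.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Blocks come first: chains are evaluated top to bottom, first match wins.
-A INPUT -p tcp -m iprange --src-range ${BLOCKED_RANGE} -j DROP
-A INPUT -m mac --mac-source ${BLOCKED_MAC} -j DROP
# Replies to connections this host opened (this is what makes browsing work).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections to the local web server, only on the internet-facing card.
-A INPUT -i ${WAN_IF} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Answer pings from others (echo-request) and accept answers to ours (echo-reply).
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# LAN to internet, and the answers back (forwarding also needs net.ipv4.ip_forward=1).
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the ruleset (a quick sanity check before applying it).
rule_count() { build_ruleset | grep -c '^-A '; }

# Line number of the first rule containing a pattern; used to check the ordering.
rule_line() { build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

case "${1:-}" in
  print) build_ruleset ;;
  check) build_ruleset | iptables-restore --test ;;  # parse only, nothing is applied
  apply) build_ruleset | iptables-restore ;;         # needs root; replaces the filter table
esac
```

Run it with `print` to review the ruleset, with `check` to have iptables-restore parse it without committing anything, and with `apply` (as root) to load it in one atomic step; the `rule_line` helper makes the ordering guarantee testable, for example that the `--src-range` drop sits above the `--dport 80` accept.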

Block and prevent DDoS attacks

  • iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
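The limit match is a token bucket: it holds at most `--limit-burst` tokens, refills them at the `--limit` rate, and a packet matches only while a token is available. Two consequences are easy to miss when reading the rule above. First, the rule only ACCEPTs the packets that are within the limit; the excess is not dropped by this rule, it falls through to whatever rule or policy comes next, so a `DROP` rule for the same port (or a DROP policy on INPUT) has to follow it. Second, `-m limit` keeps one bucket for everybody, so a single noisy client exhausts the allowance of all other visitors; per-source buckets are what `-m hashlimit --hashlimit-mode srcip` provides. The script below is an added example, not from the article, that simulates that bucket in shell arithmetic for constructed packet arrival times so the effect of 25/minute with a burst of 100 can be seen directly; the hardened rule pair in its closing comment is likewise the editor's, not the author's.

```shell
#!/bin/sh
# Added example (not from the article): a simulation of the token bucket that
# "-m limit --limit 25/minute --limit-burst 100" implements, to see which packets
# of a burst the rule matches. Packet arrival times are constructed inputs.
LIMIT_PER_MINUTE=25
BURST=100

# repeat_times N T -> prints N copies of the timestamp T (builds sample bursts).
repeat_times() {
  i=0
  while [ "$i" -lt "$1" ]; do printf '%s ' "$2"; i=$((i + 1)); done
}

# limit_match "t1 t2 ..." -> one line per packet, "<t> match" or "<t> nomatch".
# Tokens are kept in thousandths to avoid floating point in the shell.
limit_match() {
  cap=$((BURST * 1000))
  tokens=$cap                  # the bucket starts full: a first burst passes
  last=0
  for t in $1; do
    # Refill 25 tokens per 60 s for the time elapsed, never above the burst size
    tokens=$((tokens + (t - last) * LIMIT_PER_MINUTE * 1000 / 60))
    if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
    last=$t
    if [ "$tokens" -ge 1000 ]; then
      tokens=$((tokens - 1000)); printf '%s match\n' "$t"
    else
      printf '%s nomatch\n' "$t"
    fi
  done
}

# count_matches "t1 t2 ..." -> how many packets the limit rule would match.
count_matches() { limit_match "$1" | grep -c ' match$' || true; }

# Demo: 150 packets at t=0 and 30 more a minute later -> 100 + 25 matches.
if [ "${1:-}" = demo ]; then
  limit_match "$(repeat_times 150 0) $(repeat_times 30 60)"
fi

# The article's rule ACCEPTs only the packets within the limit; the rest fall
# through to the following rules. To actually drop the excess, and to count per
# source address instead of one bucket shared by every client, pair two rules:
#   iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 25/minute \
#       --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
#   iptables -A INPUT -p tcp --dport 80 -j DROP
```

With a burst of 150 packets at once, exactly 100 match and 50 fall through; one minute later only 25 tokens have returned, so 25 of the next 30 match. A client sending one request every 3 seconds (20 per minute) never exhausts the bucket, which is the behaviour the rule is meant to protect.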

Query packets rejected by iptables

To know the packets that iptables has rejected we must type:

Practical examples:

How to block incoming connections on port 1234:

  • iptables -A INPUT -p tcp --dport 1234 -j DROP
  • iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP (the same, but only on interface eth1)

Block an IP address or range (here the whole 192.168.0.0/24 network):

  • iptables -A INPUT -s 192.168.0.0/24 -j DROP

Block an outgoing IP address:

  • iptables -A OUTPUT -d 75.126.153.206 -j DROP

We can also block a domain, for example Facebook. Note that iptables resolves the host name only once, when the rule is added, so it turns into a rule for the IP addresses returned at that moment:

  • iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP

Block traffic from a MAC address:

  • iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

Block ping requests:

  • iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

UFW (Uncomplicated Firewall) is a console firewall configuration tool for Ubuntu, developed to make configuring the iptables firewall easier. UFW provides a simple way to create an IPv4 or IPv6 host-based firewall.

The first thing to do is install ufw from apt-get with:

Now we start the firewall by typing sudo ufw enable. To stop the firewall, we type sudo ufw disable, and to restart it, we first stop it and then start it again with those two commands.

Once we have the firewall working, we can begin to establish rules in its operation. To apply a rule that allows all traffic by default, we type:

On the contrary, to block all traffic, we will type:

To apply rules to certain ports, we will do it using the command:

  • sudo ufw allow|deny [port]/[protocol]

Example:

  • sudo ufw allow 1234/tcp (allows incoming connections to port 1234 over TCP)
  • sudo ufw deny 4321/udp (blocks incoming connections to port 4321 over UDP)

There is a file containing more predefined rules at the path /etc/ufw/before.rules where, for example, we can allow or block external ping. To block it, we put a # in front of the line -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
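Because before.rules is loaded by ufw before any rule added with the ufw command, a typo in it breaks the whole firewall, so the edit is best done on a copy and checked before it replaces the real file. The script below is an added example, not from the article, that does exactly the edit described above (a # in front of the echo-request line) on a constructed excerpt in before.rules layout, leaves the neighbouring ICMP types untouched because they carry error signalling (destination unreachable, TTL expiry) that ordinary connections depend on, and verifies the result; the `apply` branch, which touches /etc/ufw/before.rules and runs `ufw reload`, is only reached when asked for explicitly.

```shell
#!/bin/sh
# Added example (not from the article): disable answering external pings by
# commenting out the echo-request line of a before.rules file, working on a copy
# and verifying the result before touching /etc/ufw/before.rules.
ECHO_RULE='-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

# write_sample_before_rules FILE -> a constructed excerpt in before.rules layout
# (the real file carries many more lines around this ICMP block).
write_sample_before_rules() {
  cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# disable_ping IN OUT -> copy IN to OUT with the echo-request line commented out.
# Only that exact line changes; the other ICMP types stay enabled because they
# carry error signalling (path MTU, TTL expiry) that normal traffic relies on.
disable_ping() {
  sed "s|^${ECHO_RULE}\$|#&|" "$1" > "$2"
}

# ping_disabled FILE -> exit 0 if the echo-request ACCEPT line is commented out
# and no active copy of it remains.
ping_disabled() {
  grep -q "^#${ECHO_RULE}\$" "$1" && ! grep -q "^${ECHO_RULE}\$" "$1"
}

case "${1:-}" in
  apply)
    # Back up, rewrite a copy, verify, install it and reload ufw (needs root).
    cp /etc/ufw/before.rules /etc/ufw/before.rules.bak
    disable_ping /etc/ufw/before.rules /etc/ufw/before.rules.new
    if ping_disabled /etc/ufw/before.rules.new; then
      mv /etc/ufw/before.rules.new /etc/ufw/before.rules
      ufw reload
    else
      echo "echo-request line not found, before.rules left untouched" >&2
      exit 1
    fi ;;
esac
```

The check in `ping_disabled` is what makes the `apply` branch safe to run unattended: if the distribution ships a before.rules whose echo-request line differs from the one quoted above, nothing is replaced and the script says so instead of reloading an unchanged or half-edited file.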

We can consult the firewall rules from a terminal by typing sudo ufw status

As we can see, with UFW it is quite easy to manage our iptables firewall at the IPv4 and IPv6 level. We can manage all of this from a terminal without a graphical interface, but it can be made easier still with another application, gufw, a graphical front end for ufw that simplifies its use further.

To install gufw we must write in a terminal sudo apt-get install gufw

Once installed, we run it by typing gufw or looking for it in the applications panel.

The first window that the program shows us allows us to activate and deactivate the firewall, establish default rules for incoming and outgoing traffic (allow, reject and deny), and, at the bottom, create rules.

If we click on the + button at the bottom, we access the rule configuration menu. Here we can add custom rules for ports, applications, source IPs, etc.

To add a rule per port, as we did from the terminal, we select whether we want to allow or block (deny), whether incoming or outgoing traffic is to be filtered, the protocol (TCP or UDP) and the port to be filtered.

The possibilities of iptables are practically endless, and the configuration difficulty increases exponentially depending on how complex the configurations we want to make are. From RedesZone we hope that with this small tutorial you can configure your iptables firewall at a basic level in a simple way.

Article written by Rubén Velasco (ruvelro) for RedesZone.net.
