Postfix user and mailbox aliases

An easy way to redirect email from one user account to another in Postfix is an alias.
For example, to redirect all email destined for the user g to the mailbox of the user rootie, add the following line to /etc/aliases and then run newaliases.

The /etc/aliases:
~#cat /etc/aliases
# /etc/aliases
g: rootie


Recreate the /etc/aliases.db Berkeley DB hash used by Postfix
#newaliases


Test:
ares:~#mail g
Cc: 
Subject: this is for rootie through g
 testin testin 1 2 3 rootie
.
#su rootie
rootie$ cat ~/Maildir/new/1338216976.Vfb00I6f088M939772.ares
Return-Path: 
X-Original-To: g@ares
Delivered-To: g@ares
Received: by ares.ipduh.com (Postfix, from userid 0)
 id DF78E4AC77; Mon, 28 May 2012 14:56:16 +0000 (UTC)
To: 
Subject: this is for rootie through g
X-Mailer: mail (GNU Mailutils 2.1)
Message-Id: <20120528145616.DF78E4AC77@ares>
Date: Mon, 28 May 2012 14:56:16 +0000 (UTC)
From: root@ares.ipduh.com (root)

 testin testin 1 2 3 rootie
$ exit
#


Note: when sending an email from the command line, use CTRL-D to send the email, exit the mail program, and get back to the command prompt.

OK. What about redirecting virtual mailboxes on multiple domains to the same unix account?

Once the MX records for these domains are set, add them to mydestination and virtual_alias_domains in /etc/postfix/main.cf
# cat /etc/postfix/main.cf | egrep 'mydestination|virtual_alias_domains'
mydestination = ares.ipduh.com , ipduh.net , ipduh.org , ip.duh.gr , ares , localhost
virtual_alias_domains = ares.ipduh.com ipduh.net ipduh.org ip.duh.gr
Then we need to set the path to the hash we will use in /etc/postfix/main.cf
# grep virtual_alias_maps /etc/postfix/main.cf 
virtual_alias_maps = hash:/etc/postfix/virtual
/etc/postfix/virtual looks like:
# cat /etc/postfix/virtual
someone@ares.ipduh.com     rootie
another@ipduh.net          rootie
bingo@ipduh.org            rootie
bogo@ip.duh.gr             rootie


Finally we need to create the Berkeley DB hash used by Postfix when mapping virtual mailboxes, and possibly restart Postfix.
# postmap /etc/postfix/virtual
# /etc/init.d/postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.


Done!
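Both maps above are only as harmless as their targets: a pipe or file target in /etc/aliases makes local(8) run a command or write a file on the mail host, an address target forwards mail off-host, and a target that is not a local account bounces. As an added check (not part of the original post), here is a POSIX sh audit of an /etc/aliases or /etc/postfix/virtual style file; the function names and the known-users file format (one login per line) are this example's own.

```shell
#!/bin/sh
# Audit the targets of a Postfix map in /etc/aliases style
# ("name: target, target") or /etc/postfix/virtual style ("address target").
# Prints one line per suspicious target:  <KIND> <name> <target>
#   PIPE     target starts with "|"  (delivery to a command)
#   FILE     target starts with "/"  (delivery to a file)
#   INCLUDE  target is an :include: file
#   REMOTE   target contains "@"     (mail leaves the host)
#   UNKNOWN  target is not a known local account (mail will bounce)
# Usage: alias_targets_check <map-file> <known-users-file>
# The known-users file holds one login name per line, for example made
# with:  getent passwd | cut -d: -f1 > /tmp/users   (assumption of this example)
alias_targets_check() {
    mapfile=$1
    usersfile=$2
    awk -v usersfile="$usersfile" '
        BEGIN {
            while ((getline u < usersfile) > 0) known[u] = 1
            close(usersfile)
        }
        /^#/ || /^[ \t]*$/ { next }               # comments and blank lines
        {
            name = $0; sub(/[ \t:].*/, "", name)  # "g:" -> g, or the virtual address
            rhs  = $0; sub(/^[^ \t:]+:?[ \t]*/, "", rhs)
            n = split(rhs, targets, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                t = targets[i]
                # alias targets may be quoted: "|/path/to/command"
                if (substr(t, 1, 1) == "\"") t = substr(t, 2)
                if (substr(t, length(t), 1) == "\"") t = substr(t, 1, length(t) - 1)
                if (t == "") continue
                if      (index(t, "|") == 1)         print "PIPE",    name, t
                else if (index(t, "/") == 1)         print "FILE",    name, t
                else if (index(t, ":include:") == 1) print "INCLUDE", name, t
                else if (index(t, "@") > 0)          print "REMOTE",  name, t
                else if (!(t in known))              print "UNKNOWN", name, t
            }
        }' "$mapfile"
}

alias_check_sample() {
    # Constructed sample aliases file ($1) and known-user list ($2);
    # example data only, not a real configuration
    cat > "$1" <<'EOF'
# /etc/aliases
g: rootie
postmaster: root
ops: rootie, g@ipduh.net
backup: "|/usr/local/bin/backup-handler"
dump: /var/mail/dump
nobodyhere: nosuchuser
EOF
    printf 'root\nrootie\n' > "$2"
}
```

Postfix also logs a warning when the same domain is listed in both mydestination and virtual_alias_domains, as the main.cf above does; the virtual map alone is enough for Postfix to accept mail for the virtual addresses.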




bIf - basic iptables firewall

This is a recipe for a simple persistent iptables firewall for GNU/Linux systems. Although the bIf script was written for Debian systems, it has been used on Ubuntu and CentOS systems as well.


First let's look at some basic iptables commands

To list the iptables rules
# iptables -L -v -n
Use the -t option if you are using tables other than filter. eg:
#iptables -L -n -t nat


Let's create a very simple persistent iptables firewall that allows inbound traffic to the ssh daemon, drops all other inbound traffic, and does not pay attention to outbound traffic.
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -j DROP


To list the rules
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   96  7696 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 2180 bytes)
 pkts bytes target     prot opt in     out     source               destination         


Save these iptables rules.
# iptables-save > /etc/rules.iptables


To make our iptables firewall persistent we need to make sure that our rules are set just before the network interface(s) come up. So we put a little shell script at /etc/network/if-pre-up.d/bif that does nothing more than restore the saved iptables rules and set some IPv4 kernel parameters. The kernel parameter settings can be made to stick with sysctl as well; sysctl is actually the Debian "politically correct" way.
# cat /etc/network/if-pre-up.d/bif
#!/bin/bash
/sbin/iptables-restore < /etc/rules.iptables
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Set to 1 if you are setting up a gateway
echo 0 > /proc/sys/net/ipv4/ip_forward 



Allow execution
# chmod 700 /etc/network/if-pre-up.d/bif


OK, the very simple persistent iptables firewall is ready.

To disable the simple firewall --flush all the iptables chains.
# iptables -F
For rules in tables other than the default "filter" table, use the -t flag to select the table.

However, useful firewalls need more rules than these two. We can set the iptables rules on the command line, edit the /etc/rules.iptables file, or create a shell script that sets the rules.

This is how a /etc/rules.iptables file looks:
# cat /etc/rules.iptables 
# Generated by iptables-save v1.4.8 on Fri May 25 17:58:27 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:15892]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -j DROP 
COMMIT


One could edit the /etc/rules.iptables file, but using bash or some other programming language to configure an iptables firewall makes things easier. That's why I wrote bIf, which is yet another well commented script that sets up an iptables firewall.

bIf stands for basic Iptables firewall, duh! bIf can be used to set up a basic iptables firewall, to block a list of IP addresses from a URL or a local file, or to set the rules for a NAT gateway.

bIf:
#!/bin/bash
##bIf - basic IPtables firewall
##g0 - kod.ipduh.com  - 2011
##bIf protects from most and allows many but you should edit at least BAD_IP_URL and OPEN_INBOUND_TCP
##2012 - There is an entry about bIf at aLog.ipduh.com  and the latest bIf can be found at kod.ipduh.com

#Paths to the programs used
IPTABLES="/sbin/iptables"
IPTABLES_SAVE="/sbin/iptables-save"
#The following programs are not used if BIF_BAD_IP_FILE does not exist and BAD_IP_URL is set to ""
EGREP="/bin/egrep"
AWK="/usr/bin/awk"
WGET="/usr/bin/wget"
SORT="/usr/bin/sort"
UNIQ="/usr/bin/uniq"

#File that stores BAD IP addresses and sets of IP addresses in CIDR notation
#If BIF_BAD_IP_FILE does not exist this functionality is disabled
#an example of a BIF_BAD_IP_FILE file can be found at http://archimedes.ipduh.com/bad_ip.html
BIF_BAD_IP_FILE="/etc/bif.bad"

#URL of bad IP list , set to "" to disable
BAD_IP_URL="http://archimedes.ipduh.com/bad_ip.html"

#Open TCP ports List , TCP Services
OPEN_INBOUND_TCP="21 22 23 25 43 53 80 123 143 389 443 465 587 993 1352 1661 3306 3389"

#Open UDP ports List
OPEN_INBOUND_UDP="53"

#NAT port forwarding settings
#disabled by default , to enable set LAN , WAN , LAN_SRV_PORT ,  LAN_SRV_IP and uncomment the NAT paragraph
LAN="eth0"
WAN="eth1"
LAN_SRV_PORT="1661"
LAN_SRV_IP="192.168.1.101"

#Fetch the bad IP list into a temporary file first, so that a failed download
#does not leave an empty list in place of the previous one
if [ -n "$BAD_IP_URL" ]; then
     if ${WGET} "${BAD_IP_URL}" -O "${BIF_BAD_IP_FILE}.new"; then
          mv "${BIF_BAD_IP_FILE}.new" "${BIF_BAD_IP_FILE}"
     else
          echo "bIf: could not download ${BAD_IP_URL}, keeping the existing ${BIF_BAD_IP_FILE}"
          rm -f "${BIF_BAD_IP_FILE}.new"
     fi
fi

if ! [ -x "${IPTABLES}" ]; then
     echo "bIf: I cannot use ${IPTABLES}"
     exit 1
fi

#Flush iptables chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t raw -F
$IPTABLES -t raw -X

#Set a liberal-permissive OUTPUT Policy -- Remember that firewalls were not invented to be liberal
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT -o lo

#Drop NEW tcp connections that do not start with a SYN packet
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#Allow the replies to outbound connections -- You should disable or further specify this if you are a reasonably paranoid admin
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Drop second and further fragments of fragmented packets
$IPTABLES -A INPUT -f -j DROP

#Drop XMAS traffic
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#Drop Null packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

#Allow all loopback traffic and drop politely all traffic to 127/8 that does not go through lo
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#Accept ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT

#Play ping pong only with 198.51.100.101 even when using a different OUTPUT policy
#${IPTABLES} -A INPUT -p icmp -m icmp --icmp-type echo-request -s 198.51.100.101 -j ACCEPT
##${IPTABLES} -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -s 198.51.100.101 -j ACCEPT

#Allow ipv6 ICMP and inbound proto 41 ipv6 tunnel traffic from the ipv6 tunnel PoP 198.51.100.101
#$IPTABLES -A INPUT -p icmpv6 -j ACCEPT
#$IPTABLES -A INPUT -p ipv6 -s 198.51.100.101/32 -j ACCEPT

#NAT
#Enable talking among LAN hosts
#$IPTABLES -A FORWARD -i ${LAN} -j ACCEPT
#$IPTABLES -A FORWARD -o ${LAN} -j ACCEPT
#Forward inbound traffic to a server behind the NAT
#$IPTABLES -t nat -A PREROUTING -i ${WAN} -p tcp --dport ${LAN_SRV_PORT} -j DNAT --to ${LAN_SRV_IP}:${LAN_SRV_PORT}
#Enable Network Address Translation
#$IPTABLES -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Allow inbound connections to the TCP daemons listening on the ports defined at the OPEN_INBOUND_TCP list
if [ -n "$OPEN_INBOUND_TCP" ] ; then
for TCP_PORT in $OPEN_INBOUND_TCP; do
        ${IPTABLES} -A INPUT -p tcp --dport ${TCP_PORT} -j ACCEPT
done
fi

#Allow inbound datagrams to the UDP daemons listening on the ports defined at the OPEN_INBOUND_UDP list
#(UDP only; a service that also needs TCP belongs in OPEN_INBOUND_TCP)
if [ -n "$OPEN_INBOUND_UDP" ] ; then
for UDP_PORT in $OPEN_INBOUND_UDP; do
        ${IPTABLES} -A INPUT -m state --state NEW -p udp --dport ${UDP_PORT} -j ACCEPT
done
fi

#Block Bad IP addresses and sets of IP addresses in CIDR notation
#Lines starting with # and empty lines are skipped, whatever follows a comma is ignored
if [ -e "$BIF_BAD_IP_FILE" ] ; then
for BAD_IP in $(${EGREP} -v '^#|^$' "${BIF_BAD_IP_FILE}" | ${AWK} -F "," '{print $1}' | ${SORT} | ${UNIQ}); do
        ${IPTABLES} -A OUTPUT -d ${BAD_IP} -j DROP
        ${IPTABLES} -A INPUT -s ${BAD_IP} -j DROP
done
fi

#Accept SSH connections only from 198.51.100.101 , Take 22 out of the OPEN_INBOUND_TCP list
#${IPTABLES} -A INPUT -p tcp --dport 22 -s 198.51.100.101 -j ACCEPT

#Log outbound connections.
#${IPTABLES} -A OUTPUT -j LOG

#Log inbound connections, useful when debugging
#${IPTABLES} -A INPUT -j LOG

#Drop the rest. bIf is not polite
${IPTABLES} -A INPUT -j DROP

#Save the rules so that /etc/network/if-pre-up.d/bif restores them on the next boot
$IPTABLES_SAVE > /etc/rules.iptables


BIF_BAD_IP_FILE sets the path to the IP list to block. You can disable the block list by setting BIF_BAD_IP_FILE to a file that does not exist.

This list can be downloaded from a URL as well. You can disable pulling the list from a URL by setting BAD_IP_URL to "" --an empty string
BAD_IP_URL=""


The Blocked IP list should look like the one following:
#example bIf bad IP list
#1 IP address XOR 1 CIDR , comma , comment OR URL to information
# if a pound sign is used at the beginning of the line bIf ignores the line eg:
#5.0.0.0/8, 5.0.0.0/8 , oops RIPE got this one
# whatever follows a comma is ignored. eg:
192.0.2.245, some comment or URL
192.0.2.0/27, 192.0.2.0/27
192.0.2.111, 192.0.2.111
192.0.2.222, 192.0.2.222
192.0.2.212, 192.0.2.212
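bIf hands the first comma field of every list line to iptables as it is, and the list is fetched over plain HTTP, so a truncated or tampered download ends up as iptables arguments. As an added example (not part of bIf or the original post), here is a POSIX sh reader for the same list format that validates each entry as an IPv4 address or IPv4 CIDR before any rule is built; the function names and the sample list are this example's own.

```shell
#!/bin/sh
# Validating reader for bIf style bad IP lists: one IPv4 address or one
# IPv4 CIDR per line, an optional ",comment", '#' lines and blank lines
# ignored.  Entries that are not a well formed address or prefix are
# reported on stderr and skipped instead of being passed to iptables.

bif_valid_ipv4() {
    # 0 if $1 is a dotted quad with every octet in 0..255
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

bif_valid_entry() {
    # 0 for "a.b.c.d" or "a.b.c.d/n" with 0 <= n <= 32
    case "$1" in
        */*)
            prefix=${1##*/}
            case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1
            bif_valid_ipv4 "${1%/*}"
            ;;
        *)  bif_valid_ipv4 "$1" ;;
    esac
}

bif_parse_bad_ips() {
    # Prints the validated, de-duplicated entries of list file $1
    grep -Ev '^#|^$' "$1" | cut -d, -f1 | tr -d '[:blank:]' | LC_ALL=C sort -u |
    while read -r entry; do
        [ -n "$entry" ] || continue
        if bif_valid_entry "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'bIf: skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}

bif_block_bad_ips() {
    # Drop traffic to and from every valid entry of list file $1, as bIf does.
    # $2 is the iptables command (default /sbin/iptables); pass "echo" to
    # preview the rules without touching the kernel.
    ipt=${2:-/sbin/iptables}
    bif_parse_bad_ips "$1" | while read -r bad_ip; do
        "$ipt" -A OUTPUT -d "$bad_ip" -j DROP
        "$ipt" -A INPUT  -s "$bad_ip" -j DROP
    done
}

bif_sample_list() {
    # Constructed example list written to $1 (documentation addresses, not a real feed)
    cat > "$1" <<'EOF'
#example bIf bad IP list
192.0.2.245, some comment or URL
192.0.2.0/27, 192.0.2.0/27
192.0.2.111, 192.0.2.111
192.0.2.111, listed twice on purpose
#5.0.0.0/8, commented out, ignored
999.0.2.1, octet out of range
192.0.2.0/40, prefix out of range
not-an-address, garbage that must never reach iptables
EOF
}
```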





Linux Firefox Multiple Versions Multiple Profiles simultaneously

There are many reasons for using multiple Firefox versions and multiple Firefox profiles at the same time. Firefox developers, web developers and security conscious people definitely need to do so. Here is an easy recipe.

First download all the firefox*.tar.bz2 versions you need. At this time ( 1337861365 ) firefox-3.6.28 and firefox-12.0 are the latest "secure" - stable versions, firefox-13.0b4 is the latest beta release and firefox-14.0a2 is the latest alpha development release.

You could get them at:
Mozilla Firefox Older Release ( currently 3.6.28 )
Mozilla Firefox Current ( currently 12.0 )
Mozilla Firefox Aurora ( currently 14.0a2 )
Mozilla Firefox Beta ( currently 13.0b4 )


Let's create a directory structure that holds binary files, configuration files, and profile information. A directory structure that can just be copied to another Linux Workstation if needed.

$ cd ~
$ mkdir firefox
$ cd firefox
$ cp ~/Downloads/firefox-* .
$ ls
firefox-12.0.tar.bz2  firefox-13.0b4.tar.bz2  firefox-14.0a2.en-US.linux-i686.tar.bz2  firefox-3.6.28.tar.bz2
$ bzip2 -d firefox*
$ tar -xf firefox-12.0.tar
$ mv firefox firefox-12.0
$ tar -xf firefox-3.6.28.tar 
$ mv firefox firefox-3.6.28
$ tar -xf firefox-13.0b4.tar
$ mv firefox firefox-13.0b4
$ tar -xf firefox-14.0a2.en-US.linux-i686.tar
$ mv firefox firefox-14.0a2
$ rm firefox-*tar
$ mkdir firefox-profiles
We should be able to move our Firefox Environment to another Linux Workstation by moving this structure along with the ~/.mozilla directory there.

Let's create profiles. I will use the following scheme in creating profiles:
dev-(Firefox Version)-n for development profiles
sec-(Firefox Version)-n for secure profiles ( profiles with Flash , Java , and the rest of the dubious plugins disabled )
features-(Firefox Version)-n for profiles using many plugins, iffy extensions , etc

Profiles can be used across different firefox versions but things break across different versions. So do it this way.


Let's create Profiles
$ ~/firefox/firefox-12.0/firefox -no-remote -P
The Firefox Choose User Profile pops up
->Click on the "Create Profile..." button
->Click on "Next"
->Enter "dev-12.0-0" for Profile Name
->Click on "Choose Folder..." and Choose ~/firefox/firefox-profiles/dev-12.0-0
->Click on "Open"
->Click on "Finish"
->Click on the "Create Profile..." button
->...


I stayed in the loop and created the profiles: dev-12.0-0 , sec-12-0 , features-12-0 , dev-3.6.28-0 , dev-13.0b4-0 , dev-14.0a2-0 . Each of these profiles has its own directory named with the same name as the profile in ~/firefox/firefox-profiles/.

For firefox-3.6.28 change the path set by the moz_libdir variable in the shell script that initializes the binary.
$ grep "#g0-"  ~/firefox/firefox-3.6.28/firefox
#moz_libdir=/usr/local/lib/firefox-3.6.28     #g0-off  
moz_libdir=~/firefox/firefox-3.6.28           #g0-add


We can use bash aliases and a bash function to start all these versions and profiles.

Add the following line to your .bashrc

$ tail -1 ~/.bashrc 
source ~/firefox/firefox-bash-functions-and-aliases 


And put at ~/firefox/firefox-bash-functions-and-aliases something like the following
$ cat ~/firefox/firefox-bash-functions-and-aliases
#g0 2012 - firestarter - firefox versions and profiles starter bitch

#Start the Firefox that comes with your GNU/Linux distribution ; with older versions -p does not choose a profile
alias firefox-distribution='firefox -no-remote &'

#Start FF 3.6.28 , -p does not choose a profile , the choose profile dialogue should come up - choose dev-3.6.28-0
alias dev-3.6.28-0='~/firefox/firefox-3.6.28/firefox -no-remote &'

#Start FF 12.0 with profile dev-12.0-0
alias dev-12.0-0='~/firefox/firefox-12.0/firefox -p dev-12.0-0 -no-remote &'
alias sec-12-0='~/firefox/firefox-12.0/firefox -p sec-12-0 -no-remote &'
alias features-12-0='~/firefox/firefox-12.0/firefox -p features-12-0 -no-remote &'

#
alias dev-13.0b4-0='~/firefox/firefox-13.0b4/firefox -p dev-13.0b4-0 -no-remote &' 

#
alias dev-14.0a2-0='~/firefox/firefox-14.0a2/firefox -p dev-14.0a2-0 -no-remote &'

#If you don't like debug messages direct them to /dev/null
#alias dev-14.0a2-0='~/firefox/firefox-14.0a2/firefox -p dev-14.0a2-0 -no-remote  2>/dev/null &'

function firefox-profiles {
echo "dev-3.6.28-0"
echo "dev-12.0-0"
echo "sec-12-0"
echo "features-12-0"
echo "dev-13.0b4-0"
echo "dev-14.0a2-0"
}


Let's start them all up.
$ source ~/.bashrc
$ firefox-profiles
dev-3.6.28-0
dev-12.0-0
sec-12-0
features-12-0
dev-13.0b4-0
dev-14.0a2-0
$ firefox-distribution 
[1] 12376
->The "Choose profile" dialogue comes up , Choose default
$ dev-3.6.28-0
[2] 12406
->The "Choose profile" dialogue comes up , Choose dev-3.6.28-0
$ dev-12.0-0
[3] 12448
$ sec-12-0
[4] 12480
$ features-12-0 
[5] 12514
$ dev-13.0b4-0
[6] 12550
$ dev-14.0a2-0
[7] 12574
$


Hit Enter to get a cursor if debug messages pop up on your terminal. Use "2>/dev/null" at the end of each alias if you don't like seeing them.

Cool! Now I have 7 different firefox profiles and 5 different firefox versions open at the same time. Pointing them to the IPduh Anonymity Check is a fast way to confirm versions, plugins , settings etc.

Each of the firefox profiles is started as a job and you can see basic debug messages by bringing it to the foreground.

An easy way to get around Flash and Java Issues is to use these plugins on profiles made for the Firefox that comes with your distribution of GNU/Linux or the one "properly installed" --the one started by firefox-distribution.

It would be pretty easy to adjust firestarter to all kinds of versions and profile combinations. Here is a useful Firefox Command Line Options reference.
For the versions that use a script to initialize the Firefox binary ( 3.6.28 and earlier ) the script source itself is a useful reference.
Also, all binaries respond well to the -help flag. eg:
$ ~/firefox-12/firefox -h
Usage: /home/g/firefox-12/firefox [ options ... ] [URL]
       where options include:

X11 options
  --display=DISPLAY  X display to use
  --sync             Make X calls synchronous
  --g-fatal-warnings Make all warnings fatal

Firefox options
  -h or -help        Print this message.
  -v or -version     Print Firefox version.
  -P <profile>       Start with <profile>.
  -migration         Start with migration wizard.
  -ProfileManager    Start with ProfileManager.
  -no-remote         Open new instance, not a new window in running instance.
  -UILocale <locale> Start with <locale> resources as UI Locale.
  -safe-mode         Disables extensions and themes for this session.
  -jsconsole         Open the Error console.
  -browser           Open a browser window.
  -new-window <url>  Open <url> in a new window.
  -new-tab <url>     Open <url> in a new tab.
  -preferences       Open Preferences dialog.
  -search <term>     Search <term> with your default search engine.
  -private           Enable private browsing mode.
  -private-toggle    Toggle private browsing mode.
  -setDefaultBrowser Set this app as the default browser.
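One way to adjust firestarter to any version and profile combination, as an added example that is not part of the original post: derive the binary from the profile name under the (kind)-(Firefox Version)-n scheme used above and refuse to start a profile whose binary or profile directory is missing. It assumes the ~/firefox layout from this post; the function names and the FIREFOX_HOME override are this example's own.

```shell
#!/bin/sh
# Generalised launcher for the layout used in this post:
#   ~/firefox/firefox-<version>/firefox        the unpacked binaries
#   ~/firefox/firefox-profiles/<profile>       one directory per profile
# Profile names follow <kind>-<version>-<n>, e.g. dev-13.0b4-0, so the
# version (and thus the binary) can be derived from the profile name.
# FIREFOX_HOME overrides ~/firefox (an assumption made for this example).

ff_version_from_profile() {
    # dev-3.6.28-0 -> 3.6.28 ; sec-12-0 -> 12 ; anything else fails
    p=$1
    case "$p" in
        *-*-*) ;;
        *) return 1 ;;
    esac
    p=${p#*-}                 # drop "<kind>-"
    printf '%s\n' "${p%-*}"   # drop "-<n>"
}

ff_command_for_profile() {
    # Prints the launch command for a profile after checking that both the
    # binary for its version and the profile directory exist.  -no-remote
    # keeps every profile in its own process, as in the aliases above.
    profile=$1
    home=${FIREFOX_HOME:-$HOME/firefox}
    version=$(ff_version_from_profile "$profile") || {
        printf 'ff: "%s" is not <kind>-<version>-<n>\n' "$profile" >&2; return 1; }
    bin="$home/firefox-$version/firefox"
    [ -x "$bin" ] || { printf 'ff: no firefox binary at %s\n' "$bin" >&2; return 1; }
    [ -d "$home/firefox-profiles/$profile" ] || {
        printf 'ff: profile directory for %s not found\n' "$profile" >&2; return 1; }
    printf '%s -P %s -no-remote\n' "$bin" "$profile"
}

ff() {
    # Start a profile in the background, e.g.:  ff dev-12.0-0
    cmd=$(ff_command_for_profile "$1") || return 1
    $cmd 2>/dev/null &
}

ff_list() {
    # List the profiles that exist under firefox-profiles
    home=${FIREFOX_HOME:-$HOME/firefox}
    ls -1 "$home/firefox-profiles" 2>/dev/null
}
```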



Other useful references:
Setting Up a Development Environment
Setting up an extension development environment





Linux Time -- time zone changes linux debian ubuntu

To find the timezone used on your system:
# cat /etc/timezone 
Europe/Athens


The easiest and recommended way to change the timezone:
# dpkg-reconfigure tzdata

Current default time zone: 'Europe/Athens'
Local time is now:      Mon May 21 21:26:06 EEST 2012.
Universal Time is now:  Mon May 21 18:26:06 UTC 2012.

#


All the zone data are at /usr/share/zoneinfo
# ls /usr/share/zoneinfo/
Africa     Brazil   Egypt    GB  Hongkong     Jamaica  Mideast  Poland      ROC  US
America     Canada   Eire     GB-Eire  HST       Japan  MST   Portugal    ROK  UTC
Antarctica  CET      EST      GMT  Iceland      Kwajalein  MST7MDT  posix       Singapore  WET
Arctic     Chile    EST5EDT  GMT0  Indian       Libya  Navajo   posixrules  SystemV  W-SU
Asia     CST6CDT  Etc      GMT-0  Iran       localtime  NZ   PRC       Turkey  zone.tab
Atlantic    Cuba     Europe   GMT+0  iso3166.tab  MET  NZ-CHAT  PST8PDT     UCT  Zulu
Australia   EET      Factory  Greenwich  Israel       Mexico  Pacific  right       Universal


Actually /etc/localtime used to be just a link to the zone data file corresponding to the timezone set. On some systems it is still like that.
# ls -l /etc/localtime 
-rw-r--r-- 1 root root 2245 May 21 21:26 /etc/localtime -> /usr/share/zoneinfo/Europe/Athens


On the latest Debian based systems /etc/localtime is a copy of the corresponding time zone file in /usr/share/zoneinfo. You could use diff to check:
# diff -s /etc/localtime /usr/share/zoneinfo/`cat /etc/timezone`
Files /etc/localtime and /usr/share/zoneinfo/Europe/Athens are identical


So another way to change the local time is to link the appropriate time zone file to /etc/localtime:
# echo "America/Sao_Paulo" > /etc/timezone
# rm /etc/localtime
# ln -sf /usr/share/zoneinfo/America/Sao_Paulo /etc/localtime
# date
Mon May 21 16:19:53 BRT 2012
or just copy the appropriate zone file to /etc/localtime :
# cp /usr/share/zoneinfo/Canada/Central /etc/localtime
# date
Mon May 21 14:26:32 CDT 2012


Of course dpkg-reconfigure is the right way to set the local time on Debian systems
# dpkg-reconfigure tzdata

Current default time zone: 'Europe/Athens'
Local time is now:      Mon May 21 22:28:31 EEST 2012.
Universal Time is now:  Mon May 21 19:28:31 UTC 2012.
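Whichever of the two setups a system has, /etc/localtime must carry the data of the zone named in /etc/timezone, or date and the timestamps in your logs disagree with what dpkg-reconfigure tzdata believes is configured. As an added check that is not part of the original post, the function below handles both the symlink case and the copy case; its name and the optional root prefix (so it can be run against a chroot or a staged tree) are this example's own.

```shell
#!/bin/sh
# tz_check [ROOT]
# Verifies that ROOT/etc/localtime (a symlink on older systems, a copy on
# newer Debian based ones) matches the zone named in ROOT/etc/timezone and
# reports which of the two setups is in use.  ROOT defaults to the live
# system; passing a prefix is an assumption of this example.
tz_check() {
    root=${1:-}
    root=${root%/}
    zone=$(cat "$root/etc/timezone" 2>/dev/null) || {
        echo "tz_check: $root/etc/timezone is missing" >&2; return 1; }
    zonefile="$root/usr/share/zoneinfo/$zone"
    [ -f "$zonefile" ] || {
        echo "tz_check: no zone data for '$zone' under $root/usr/share/zoneinfo" >&2; return 1; }
    localtime="$root/etc/localtime"
    [ -e "$localtime" ] || {
        echo "tz_check: $localtime does not exist" >&2; return 1; }
    # cmp follows symlinks, so one comparison covers both the link and the copy case
    cmp -s "$localtime" "$zonefile" || {
        echo "tz_check: $localtime does not match $zone" >&2; return 1; }
    if [ -L "$localtime" ]; then kind=link; else kind=copy; fi
    printf '%s (%s)\n' "$zone" "$kind"
}
```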



Verify daylight savings change dates:
# zdump -v Europe/Athens | grep 2012
Europe/Athens  Sun Mar 25 00:59:59 2012 UTC = Sun Mar 25 02:59:59 2012 EET isdst=0 gmtoff=7200
Europe/Athens  Sun Mar 25 01:00:00 2012 UTC = Sun Mar 25 04:00:00 2012 EEST isdst=1 gmtoff=10800
Europe/Athens  Sun Oct 28 00:59:59 2012 UTC = Sun Oct 28 03:59:59 2012 EEST isdst=1 gmtoff=10800
Europe/Athens  Sun Oct 28 01:00:00 2012 UTC = Sun Oct 28 03:00:00 2012 EET isdst=0 gmtoff=7200
#



If you find some error for a zone you will have to get the source time zone files again, compile your timezone source file with zic and run dpkg-reconfigure tzdata.
The latest source zone file should be correct.

#mkdir tzdata
#cd tzdata
#apt-get source tzdata
#cd tzdata-2012b
#zic ./europe
#dpkg-reconfigure tzdata


If the time zone source file is not correct or you just came up with your own dates and rules for daylight changes or your own time zone you will have to edit the time zone source and then compile it with zic and run dpkg-reconfigure tzdata.


Debian Wiki - Time Zone Changes
Obsolete yet interesting Time information


Linux "Router" a NAT gateway

This is a quick and dirty HOWTO of a simple "router" linux gateway with 2 network interfaces that provides Internet connectivity to the LAN through NAT.

The WAN interface is eth0
The LAN interface is eth1

The WAN interface eth0 is in 198.51.100.64/30 and it will use the IP address 198.51.100.66 with upstream default gateway 198.51.100.65.

The LAN interface eth1 is in 192.168.1.0/24 and it will use the IP address 192.168.1.1 . 192.168.1.1 will be the LAN default gateway.

Let's set the IP addresses.
# ifconfig eth0 up 
# ifconfig eth0 198.51.100.66 netmask 255.255.255.252
# ifconfig eth1 up
# ifconfig eth1 192.168.1.1 netmask 255.255.255.0


Let's set the upstream gateway
# route add default gw 198.51.100.65


First enable ipv4 forwarding :
#sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
or set it now and permanently by adding net.ipv4.ip_forward=1 to /etc/sysctl.conf
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf 
# sysctl -p /etc/sysctl.conf
That should be enough if we are not using iptables.

If we are already using iptables we need to add the following rules. Let's enable talking among LAN hosts
# iptables -A FORWARD -i eth1 -j ACCEPT
# iptables -A FORWARD -o eth1 -j ACCEPT
Enable Network Address Translation
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Save the iptables rules:
# iptables-save > /etc/rules.iptables


To set these iptables rules after each reboot put this script at /etc/network/if-pre-up.d/iptables.
# cat /etc/network/if-pre-up.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/rules.iptables
and make it executable
# chmod 700 /etc/network/if-pre-up.d/iptables 


If we want to make the eth0 and eth1 IP addresses and the default gateway stick through reboots we will have to change the /etc/network/interfaces file.
# cat /etc/network/interfaces 

auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static
 address 198.51.100.66
 netmask 255.255.255.252
 network 192.168.2.64
 broadcast 192.168.2.67
 gateway 192.168.2.65


allow-hotplug eth1
iface eth1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255



We are done!

There are some minor security considerations if 192.168.2.65 is on the Internet, and what could we do to enable servers behind the NAT to accept inbound traffic?

Here is a simple NAT gateway and Firewall set script.
# cat /etc/iptables-nat-rules.sh 
#!/bin/bash
#iptables-nat-rules.sh
#g0 2011 Set a simple NAT gateway

IPTABLES="/sbin/iptables"
#Interfaces as used in this HOWTO: eth0 faces the Internet, eth1 faces the LAN
WAN="eth0"
LAN="eth1"
SSHDPORT="22"
LAN_SRV_PORT="80"
LAN_SRV_IP="192.168.1.11"

#Flush Rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

#Allow all loopback traffic and drop all traffic to 127/8 that does not go through lo
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#Let the gateway itself receive the replies to the connections it opens
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Enable talking among LAN hosts
$IPTABLES -A FORWARD -i ${LAN} -j ACCEPT
$IPTABLES -A FORWARD -o ${LAN} -j ACCEPT

#Forward inbound traffic to a server behind the NAT
#$IPTABLES -t nat -A PREROUTING -i ${WAN} -p tcp --dport ${LAN_SRV_PORT} -j DNAT --to ${LAN_SRV_IP}:${LAN_SRV_PORT}

#Enable Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Drop some old attacks in their tracks: NEW TCP connections must start with a SYN
$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

#Allow connections to sshd
$IPTABLES -A INPUT -p tcp --dport ${SSHDPORT} -j ACCEPT

#Accept ping (ICMP echo request)
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#Drop second and further fragments of fragmented packets
$IPTABLES -A INPUT -f -j DROP
#Drop all other inbound traffic
$IPTABLES -A INPUT -j DROP






snort basic setup debian

This is a basic Snort HOWTO for debian based systems. I have tested this procedure on debian 6.* and ubuntu 10.04.

~# apt-get install snort
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libprelude2 oinkmaster snort-common snort-common-libraries snort-rules-default
Suggested packages:
  snort-doc
The following NEW packages will be installed:
  libprelude2 oinkmaster snort snort-common snort-common-libraries snort-rules-default
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,688 kB of archives.
After this operation, 11.4 MB of additional disk space will be used.
Do you want to continue [Y/n]? y


Set your home network in CIDR notation on the ncurses screen and hit OK.

Hint: A machine with 2 IP addresses that does not route traffic or protect some multihost network -- ie a lonely dedicated server would use as HOME_NET something like: 192.0.2.222/32 , 192.0.2.223/32

Once installed, snort starts on the most obvious interface, logging alerts to /var/log/snort/alert
and the packet captures corresponding to those alerts to
/var/log/snort/tcpdump.log.epoch

Basic settings like the home network or the network interface monitored by snort should be changed on
/etc/snort/snort.debian.config and then applied with
~# dpkg-reconfigure snort


If some of your daemons are listening on non-standard ports change them on /etc/snort.conf.

Let's test Snort:
ares:~#nmap -p 1000-1011 192.0.2.222 

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-20 08:50 UTC
Interesting ports on archimedes.ipduh.com (192.0.2.222):
PORT     STATE  SERVICE
1000/tcp closed cadlock
1001/tcp closed unknown
1002/tcp closed windows-icfw
1003/tcp closed unknown
1004/tcp closed unknown
1005/tcp closed unknown
1006/tcp closed unknown
1007/tcp closed unknown
1008/tcp closed ufsd
1009/tcp closed unknown
1010/tcp closed unknown
1011/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds
ares:~#
On the host running Snort:
# tail -f /var/log/snort/alert
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/20-08:52:29.521561 192.0.2.11 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:33835 IpLen:20 DgmLen:28
Type:8  Code:0  ID:60029   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3] 
05/20-08:52:29.846827 192.0.2.11 -> 192.0.2.222
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161 DF

OK, Snort works.

To look at the packet captures use tcpdump with the -r flag. For example:
# tcpdump -n -r /var/log/snort/tcpdump.log.1337458006 | grep 08:52:29
reading from file tcpdump.log.1337458006, link-type EN10MB (Ethernet)
08:52:29.521561 IP 192.0.2.11 -> 192.0.2.222: ICMP echo request, id 60029, seq 0, length 8
08:52:29.846827 IP 192.0.2.11 -> 192.0.2.222:  ip-proto-255 141
08:52:29.846828 IP 192.0.2.11 -> 192.0.2.222:  ip-proto-255 15
08:52:29.846829 IP 192.0.2.11 -> 192.0.2.222:  ip-proto-255 14
To look at the contents of the packets use:
# tcpdump -X -r /var/log/snort/tcpdump.log.1337458006
and if you do not need the timestamps use:
# tcpdump -t -X -r /var/log/snort/tcpdump.log.1337458006


To lookup UNIX epoch timestamps you could use
http://ipduh.com/epoch/?1337458006

Do not worry about log rotation. The debian package takes care of that.

To produce a statistics report from an alert file you could use snort-stat like
# snort-stat < /var/log/snort/alert
Such a report is mailed daily to root or another user set at
/etc/snort/snort.debian.config

While reading /etc/snort.conf you will most probably find out that a lot of rules coming with snort do not apply to you.

You could look at the alerts for a while and find and remove the rules that pollute your alerts.
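A quick way to find those rules is to count the alert file by signature and source address. As an added example that is not part of the original post or of the snort package, the function below parses the "full" alert format shown above (the [**] [gid:sid:rev] message [**] header followed a few lines later by the MM/DD-HH:MM:SS.usec src -> dst line); the function names and the sample alerts are this example's own.

```shell
#!/bin/sh
# Summarise a Snort "full" alert file such as /var/log/snort/alert by
# signature and source address.  Each alert starts with
#   [**] [gid:sid:rev] message [**]
# and a few lines later carries
#   MM/DD-HH:MM:SS.usec  src[:port] -> dst[:port]
# Output: "<count> <gid:sid:rev> <src> <message>", most frequent first.
snort_alert_summary() {
    awk '
        /^\[\*\*\] \[/ {
            # header line: $2 is "[gid:sid:rev]", the message is $3 .. $(NF-1)
            sid = $2; gsub(/\[|\]/, "", sid)
            msg = $3
            for (i = 4; i < NF; i++) msg = msg " " $i
            next
        }
        sid != "" && /^[0-9][0-9]\/[0-9][0-9]-[0-9:.]+ / {
            # packet line that belongs to the header seen last
            src = $2; sub(/:[0-9]+$/, "", src)      # drop a TCP/UDP port
            count[sid " " src " " msg]++
            sid = ""
            next
        }
        END { for (k in count) print count[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

snort_sample_alerts() {
    # Constructed sample written to $1: the two alerts shown above, a repeat
    # of the ICMP one, and the same signature from a second source
    cat > "$1" <<'EOF'
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/20-08:52:29.521561 192.0.2.11 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:33835 IpLen:20 DgmLen:28
Type:8  Code:0  ID:60029   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3] 
05/20-08:52:29.846827 192.0.2.11 -> 192.0.2.222
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161 DF

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/20-09:01:02.000001 192.0.2.11 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:33836 IpLen:20 DgmLen:28

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/20-09:05:00.000002 192.0.2.12 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:33837 IpLen:20 DgmLen:28
EOF
}
```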

If you register at snort.org you could get the Snort Vulnerability Research Team Certified Rules free of charge 30-days after their initial release to paid subscribers.

You could use mysql or postgresql to log alerts and tcpdumps, and there are packages that provide a web interface to the alerts database. The one I am familiar with sucks so I am not going to provide a setup HOWTO or even mention its name. At snort.org/docs you will find a comparison of popular Snort GUIs and more useful information.




archive and compress a directory

I always forget the tar flags --"function letters" to archive and compress at once. I always need to login to that backup box and look at that ancient backup script or --help , or man , or google for that GNU howto. Let's put it on my alog.

some common tar flags:
$  tar --help | egrep " -c, | -u, | -v, | -z, | -Z, | -j, | -p, | -f, | -x,"
  -c, --create               create a new archive
  -u, --update               only append files newer than copy in archive
  -x, --extract, --get       extract files from an archive
  -p, --preserve-permissions, --same-permissions
  -f, --file=ARCHIVE         use archive file or device ARCHIVE
  -j, --bzip2                filter the archive through bzip2
  -z, --gzip, --gunzip, --ungzip   filter the archive through gzip
  -Z, --compress, --uncompress   filter the archive through compress
  -v, --verbose              verbosely list files processed
$


To archive and compress with gzip a directory
$ tar -cvpzf ipduh.com.tar.gz ipduh.com

The ipduh.com directory is approximately 90% ASCII and 10% binary files.
Let's compare the directory and the compressed archive sizes.
$ du -h --max-depth=0 ipduh.com
8.5G ipduh.com
$ du -h ipduh.com.tar.gz
774M ipduh.com.tar.gz
$
This is a good compression rate.

Let's archive and compress the same directory with bzip2
$ tar -cvpjf ipduh.com.tar.bz2 ipduh.com

And what is the size of the compressed archive?
$ du -h ipduh.com.tar.bz2 
545M ipduh.com.tar.bz2
That's a better compression rate, but it takes more time.


notes on archiving and compression --that GNU howto


install a courier imap ssl enabled daemon on debian based systems

This is a simple configuration. I use it so I can monitor production systems using an email client.

# apt-get install courier-imap-ssl
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  courier-authdaemon courier-authlib courier-authlib-userdb courier-base courier-imap courier-ssl libfam0 libltdl7
Suggested packages:
  courier-doc imap-client fam
The following NEW packages will be installed:
  courier-authdaemon courier-authlib courier-authlib-userdb courier-base courier-imap courier-imap-ssl courier-ssl libfam0 libltdl7
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,416 kB of archives.
After this operation, 3,596 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
...
On the ncurses menu select configuration directories instead of one configuration file
...
A self signed X.509 certificate is created to be used by the server
The private key is at /usr/lib/courier/imapd.pem
...


In /etc/courier/imapd-ssl set:
SSLADDRESS = 192.0.2.44
to the IP address you want imapd-ssl to bind to.

Restart the IMAP SSL Daemon
# /etc/init.d/courier-imap-ssl restart
Stopping Courier IMAP-SSL server: imapd-ssl.
Starting Courier IMAP-SSL server: imapd-ssl.
#


Stop the IMAP Daemon
# /etc/init.d/courier-imap stop
Stopping Courier IMAP server: imapd.
#


We are not going to be using the plain IMAP daemon, so let's stop it from starting when the system boots.
# ls -l /etc/rc2.d/S* |grep imap
lrwxrwxrwx 1 root root 22 2011-08-04 15:07 /etc/rc2.d/S20courier-imap -> ../init.d/courier-imap
lrwxrwxrwx 1 root root 26 2011-08-04 16:41 /etc/rc2.d/S20courier-imap-ssl -> ../init.d/courier-imap-ssl
# update-rc.d -f courier-imap remove 
 Removing any system startup links for /etc/init.d/courier-imap ...
   /etc/rc0.d/K20courier-imap
   /etc/rc1.d/K20courier-imap
   /etc/rc2.d/S20courier-imap
   /etc/rc3.d/S20courier-imap
   /etc/rc4.d/S20courier-imap
   /etc/rc5.d/S20courier-imap
   /etc/rc6.d/K20courier-imap
#


Cool, now the IMAP SSL daemon is listening on port 993 and your email client should connect fine when set to use:
SSL/TLS for the connection encryption
and Normal password for the authentication method.


install a courier imap ssl enabled daemon on debian based systems

SMTP conversation - Troubleshooting mail servers

The basic SMTP commands are: HELO or EHLO, MAIL FROM:, RCPT TO:, DATA, and QUIT.

Date:, From:, Subject:, and To: are message header fields that may be used within DATA.

The best way to troubleshoot mail servers is to talk to them directly with telnet or netcat.

Here is a simple SMTP conversation.
g:~$ netcat archimedes.ipduh.com 25
220 archimedes.ipduh.com ESMTP srv
ehlo gov.us
250-archimedes.ipduh.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: < president@gov.us >
250 2.1.0 Ok
rcpt to: < n@arc.ipduh.com >
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
To:< n >
From:< el presidente >
Subject: What up n?

I am not going to be able to able to reform the health system.
No dough, no doc.                  
.
250 2.0.0 Ok: queued as E69D97B299E
quit
221 2.0.0 Bye
g:~$ 


The best reference on SMTP commands is RFC5321
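When you read a conversation like the one above by hand, the part that takes practice is the multi-line EHLO reply: continuation lines carry a dash after the code, and only the line with a space ends the reply. The following is an added example, not code from the original post, that parses such replies the way RFC 5321 section 4.2.1 describes them and pulls out the advertised extensions; the sample reply is the one from the session above, embedded as constructed input.

```python
"""Parse a multi-line SMTP reply (RFC 5321, section 4.2.1) such as the EHLO reply above.

A reply is one or more 'NNN-text' lines (more follow) ending in a 'NNN text' line.
The EHLO reply lists the ESMTP extensions on offer, which is what you read first when
troubleshooting: is STARTTLS advertised, what is the SIZE limit, is VRFY enabled.
"""
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(lines):
    """Consume one complete reply from an iterable of lines -> (code, [texts]).
    Raises ValueError on a malformed line, a changed code, or a missing last line.
    """
    code, texts = None, []
    for raw in lines:
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError("malformed reply line: %r" % raw)
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(m.group(3))
        if m.group(2) == " ":          # a space after the code marks the last line
            return code, texts
    raise ValueError("reply ended without a final line")


def ehlo_extensions(lines):
    """Map each keyword advertised in an EHLO reply to its parameter string."""
    code, texts = parse_reply(lines)
    if code != 250:
        raise ValueError("EHLO rejected with %d" % code)
    exts = {}
    for text in texts[1:]:             # texts[0] is the server's own domain
        keyword, _, params = text.partition(" ")
        exts[keyword.upper()] = params
    return exts


# Constructed sample: the EHLO reply from the conversation above, one line each.
SAMPLE_EHLO = ["250-archimedes.ipduh.com", "250-PIPELINING", "250-SIZE 10240000",
               "250-VRFY", "250-ETRN", "250-STARTTLS", "250-ENHANCEDSTATUSCODES",
               "250-8BITMIME", "250 DSN"]

if __name__ == "__main__":
    ext = ehlo_extensions(SAMPLE_EHLO)
    print("STARTTLS offered:", "STARTTLS" in ext, "| SIZE limit:", ext["SIZE"])
```

A server that does not list STARTTLS here will take mail in the clear only, and an open VRFY is worth noting when you review your own server's banner.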

SMTP conversation - Troubleshooting mail servers

add user delete user linux debian based

I add or delete users, if not every day, at least every other day. Linux systems come with utilities that make it easy. However, I still need to browse their man pages, and on Debian based systems I just use the adduser script.

#!/bin/bash
##adduser.sh
###g0 ,2010 , aLog.ipduh.com , kod.ipduh.com
# Create a group and a user, populate the home directory from /etc/skel
# and set the initial password. Must be run as root.

INTERACTIVE=1

GROUPID=""
GROUPNAME=""
USERID=""
USERNAME=""
USERHOMEDIR=""
USERSHELL=""
USERCOMMENT=""

if [ "$INTERACTIVE" -eq 1 ] ; then

echo "Add User:"
read -p "Enter GROUPID     : " GROUPID
read -p "Enter GROUPNAME   : " GROUPNAME
read -p "Enter USERID      : " USERID
read -p "Enter USERNAME    : " USERNAME

read -p "Enter USER HOME DIRECTORY ( Or hit enter for /home/$USERNAME ): " USERHOMEDIR
if [ -z "$USERHOMEDIR" ] ; then
        USERHOMEDIR="/home/${USERNAME}"
fi

read -p "Enter USERSHELL   : " USERSHELL
read -p "Enter USERCOMMENT : " USERCOMMENT

fi

# Stop at the first failure so a half-created account is not left behind.
set -e

groupadd -g "$GROUPID" "$GROUPNAME"
# -a keeps the modes of the skeleton files; the home directory the user
# chose is used everywhere instead of a hard-coded /home/$USERNAME.
cp -a /etc/skel "$USERHOMEDIR"
useradd -u "$USERID" -g "$GROUPID" -d "$USERHOMEDIR" -s "$USERSHELL" -c "$USERCOMMENT" "$USERNAME"
chown -R "$USERNAME:$GROUPNAME" "$USERHOMEDIR"
passwd "$USERNAME"



To add a user:
ares:~/scripts#chmod 700 adduser.sh 
ares:~/scripts#./adduser.sh 
Add User:
Enter GROUPID     : 1234
Enter GROUPNAME   : foo_group
Enter USERID      : 1234
Enter USERNAME    : foo_user
Enter USER HOME DIRECTORY ( Or hit enter for /home/foo_user ): 
Enter USERSHELL   : /bin/bash
Enter USERCOMMENT : da foo   
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully


Let's check
ares:~/scripts#grep foo_user /etc/passwd
foo_user:x:1234:1234:da foo:/home/foo_user:/bin/bash
ares:~/scripts#grep foo_user /etc/shadow
foo_user:$6$gj0o20tJ$jvHSyqNKyITKJEjN.zoMeaAPyzrANaAyM6PbG5ncka6otd2LRZJPK1Uchzu.fyLHXLB9ny5XgpCaV4QwyAo.a0:15471:0:99999:7:::
ares:~/scripts#grep foo_group /etc/group
foo_group:x:1234:



Cool, everything seems OK.

Let's delete foo_user and foo_group
ares:~/scripts#deluser foo_user
Removing user `foo_user' ...
Warning: group `foo_group' has no more members.
Done.
ares:~/scripts#delgroup foo_group
Removing group `foo_group' ...
Done.


Let's check again.
ares:~/scripts#grep foo_user /etc/passwd
ares:~/scripts#grep foo_group /etc/group
ares:~/scripts#



add delete users - linux

Install mod_perl on apache2 on debian

apt-get install libapache2-mod-perl2

# apt-get install libapache2-mod-perl2
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libapache2-reload-perl libbsd-resource-perl libdevel-symdump-perl libfont-afm-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libmailtools-perl
  libperl5.10 libtimedate-perl liburi-perl libwww-perl
Suggested packages:
  libdata-dump-perl libcrypt-ssleay-perl libio-socket-ssl-perl
The following NEW packages will be installed:
  libapache2-mod-perl2 libapache2-reload-perl libbsd-resource-perl libdevel-symdump-perl libfont-afm-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libmailtools-perl libperl5.10 libtimedate-perl liburi-perl libwww-perl
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,212 kB of archives.
After this operation, 7,479 kB of additional disk space will be used.
Do you want to continue [Y/n]?

...



install mod_perl for apache2 on debian

vi color syntax

To turn on syntax highlighting in vi while you are using it, press ESC and type:
:syntax on


To turn off syntax highlighting in vi while you are using it, press ESC and type:
:syntax off


To turn on syntax highlighting for your user permanently:
g$ echo "syntax on" >> ~/.vimrc


To turn off syntax highlighting for your user permanently:
g$ echo "syntax off" >> ~/.vimrc


To turn on syntax highlighting for all the users on your system:
root# echo "syntax on" >> /etc/vim/vimrc


If you keep on getting errors like:
"Sorry, the command is not available in this version"
then your vi is a minimal build and you need to install the full Vi IMproved (vim) package, which has more features compiled in.

root# apt-get install vim




vim color syntax

IPv6 MTU size debugging

The process by which endpoints and intermediate routers settle on the IPv6 MTU is not understood, or not agreed upon, by all the devices. Usually the MTU is not set to the same number of bytes along a path, and many times the ICMPv6 "Packet too big" messages that ask the sender to shrink its packets are ignored by one or more devices on the path.

If you want to save yourself some trouble, just set the MTU to the IPv6 minimum (1280 B) on all of your devices:
n:~#ifconfig ipv6-iface mtu 1280


If you want to use the largest MTU possible, or figure out who broke IPv6 when you find it broken, you can send ICMP echo requests sized to the most commonly used MTUs to each of the intermediate routers until you find which sizes do not make it through which router.

The most common MTU sizes are 1280 B and 1480 B. However, there are devices set to use 1472 B, 1460 B or 1452 B, and most default interface configurations use an MTU of 1500 B.

When debugging MTU sizes it helps to remember that an IPv6 header is 40 bytes and an ICMPv6 header is 8 bytes long. Therefore, if you want to check whether an MTU of 1280 bytes works across a path (this should always work), send ICMP echo requests
with a payload of 1280 B - 40 B - 8 B = 1232 B.

ares:~#ping6 -s 1232 ipduh.com -c1
PING ipduh.com(hermes.ipduh.com) 1232 data bytes
1240 bytes from hermes.ipduh.com: icmp_seq=1 ttl=46 time=83.6 ms

--- ipduh.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 83.627/83.627/83.627/0.000 ms


Don't forget that traceroute6 is your friend.
I also find http://ipduh.com/ipv6/traceroute helpful.
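The arithmetic above is easy to get backwards at 3 a.m., so here is an added example, not code from the original post, that carries it through for all the common MTU sizes listed above and reads ping6 output back into "this MTU passed" or "this link is smaller". The echo reply line is the one from the session above; the "Packet too big" line and its wording are an assumption based on iputils ping6 and are not shown on this page.

```python
"""Turn candidate IPv6 MTU sizes into ping6 payload sizes and read the results back.

On the wire an echo request is IPv6 header (40 B) + ICMPv6 header (8 B) + payload,
so probing an MTU of M means 'ping6 -s (M - 48)'. A reply line reports the ICMPv6
length (payload + 8); a 'Packet too big' line reports the MTU of the link that dropped it.
"""
import re

IPV6_HEADER = 40
ICMPV6_HEADER = 8
IPV6_MIN_MTU = 1280
# Sizes listed above, largest first: the largest one that gets a reply is the usable path MTU.
COMMON_MTUS = (1500, 1480, 1472, 1460, 1452, IPV6_MIN_MTU)

REPLY = re.compile(r"^(\d+) bytes from \S+: icmp_seq=\d+ ttl=\d+ time=[\d.]+ ms$")
# Assumed iputils wording for the ICMPv6 type 2 error; not shown on the page.
TOO_BIG = re.compile(r"Packet too big: mtu=(\d+)")


def probe_payload(mtu):
    """The 'ping6 -s' value that makes the whole packet exactly `mtu` bytes."""
    if mtu < IPV6_MIN_MTU:
        raise ValueError("IPv6 links must carry at least %d bytes" % IPV6_MIN_MTU)
    return mtu - IPV6_HEADER - ICMPV6_HEADER


def probe_table(mtus=COMMON_MTUS):
    """Map each candidate MTU to the payload size that tests it."""
    return {mtu: probe_payload(mtu) for mtu in mtus}


def interpret(line):
    """Classify one ping6 output line: ('passed', mtu) for an echo reply,
    ('too_big', link_mtu) for a Packet too big error, None for anything else.
    """
    m = REPLY.match(line.strip())
    if m:
        return "passed", int(m.group(1)) + IPV6_HEADER   # ICMPv6 length + IPv6 header
    m = TOO_BIG.search(line)
    if m:
        return "too_big", int(m.group(1))
    return None


# Constructed sample output: the reply from the ping6 run above plus an assumed
# error line for a 1500-byte probe rejected by a 1480-byte link.
SAMPLE_OUTPUT = ["1240 bytes from hermes.ipduh.com: icmp_seq=1 ttl=46 time=83.6 ms",
                 "From 2001:db8::1 icmp_seq=1 Packet too big: mtu=1480"]

if __name__ == "__main__":
    print(probe_table())
    print([interpret(l) for l in SAMPLE_OUTPUT])
```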



IPv6 MTU size debugging