Bash Navigating Shortcuts
Here are few great shortcuts that will make navigating in BASH a bit easier. This also works in many other shells, as I am often in Korn Shell in our AIX and HP-UX machines.
I learned a few shortcuts a while ago from this website, as well as this one.
These were taking from the “Command Line Editing” in the bash manual. The bash manual is a well-written piece of documentation. It would do all SysAdmins well to read this manual a few times.
Well, here’s the new shortcuts I learned:
Basic moves
- Move back one character.
Ctrl
+b
- Move forward one character.
Ctrl
+f
- Delete current character.
Ctrl
+d
- Delete previous character.
Backspace
- Undo.
Ctrl
+-
Moving faster
- Move to the start of line.
Ctrl
+a
- Move to the end of line.
Ctrl
+e
- Move forward a word.
Meta
+f
(a word contains alphabets and digits, no symbols) - Move backward a word.
Meta
+b
- Clear the screen.
Ctrl
+l
What is Meta? Meta
is your Alt
key, normally. For Mac OSX user, you need to enable it yourself. Open Terminal > Preferences > Settings > Keyboard, and enable Use option as meta key. Meta
key, by convention, is used for operations on word.
Cut and paste (‘Kill and yank’ for old schoolers)
- Cut from cursor to the end of line.
Ctrl
+k
- Cut from cursor to the end of word.
Meta
+d
- Cut from cursor to the start of word.
Meta
+Backspace
- Cut from cursor to previous whitespace.
Ctrl
+w
- Paste the last cut text.
Ctrl
+y
- Loop through and paste previously cut text.
Meta
+y
(use it afterCtrl
+y
) - Loop through and paste the last argument of previous commands.
Meta
+.
Search the command history
- Search as you type.
Ctrl
+r
and type the search term; RepeatCtrl
+r
to loop through results. - Search the last remembered search term.
Ctrl
+r
twice. - End the search at current history entry.
Ctrl
+j
- Cancel the search and restore original line.
Ctrl
+
CodeWeavers Flock The Vote is Live!
CodeWeavers has again launched a Presidential Election Year promotion! This is similar to the Lame Duck promotion that many of you may remember from 2008. This is the campaign that made me aware of CodeWeavers and Crossover, and has since helped me run all kinds of Windows software on my Linux workstations.
I have been a very happy customer of CodeWeavers since 2008, and now I am happy to help them spread the word on this new campaign. Heres the details:
If 100,000 people signup as "pledging to vote" in this years Presedential Election campaign, they will launch a 24 hour give-a-way of their Crossover software for Mac and Linux! All you have to do is enter your email address saying that you will be voting in this years election, and thats it! Once they hit 100,000 people signed up, they will announce when they will be doing the 24 hour give-a-way.
Click on the logo below to be taken to the "Flock The Vote" campaign!
iptables Tutorial and Exmaples
This is a small manual of iptables
, I’ll show some basic commands, you may need to know to keep your computer secure.
Basic commands
List rules
iptables -L
This is going, list the default table “Filter”.
Edit: You may prefer to use iptables -L -vn
to get more information, and to see ports as numbers instead of its names.
List rules in specific table
iptables -L -t nat
You can also list the other tables like: mangle, raw and security. You should consider reading a bit more about tables. You can do it in the Tables section in the man page of iptables
Delete all rules
iptables -F
Delete specific table liket nat
iptables -t nat -F
Specify chain policies
iptables
let’s you configure default policies for chains in the filter table, where INPUT, FORWARD and OUTPUT, are the main ones (or at least the most used). Users can even define new chains.
These aforementioned chains, are better explained in this graph that comes from Wikipedia.
You can see the original image here
iptables -P INPUT DROP iptables -P FORWARD ACCEPT iptables -P OUTPUT DROP
You can define the default policy as ACCEPT and then deny specific traffic, or define default policies as DROP and then open specific traffic to and/or from your box. The last one is more secure, but require more job.
Block IP traffic from an specific IP or Network.
Block from an IP
iptables -A INPUT -s 11.22.33.44 -j DROP
If you want to block only on an specific NIC
iptables -A INPUT -s 11.22.33.44 -i eth0 -j DROP
Or an specific port
iptables -A INPUT -s 11.22.33.44 -p tcp -dport 22 -j DROP
Using a Network and not only one IP
iptables -A INPUT -s 11.22.33.0/24 -j DROP
Block traffic from a specific MAC address
Suppose you want to bloc traffic some a MAC address instead of an IP address. This is handy if a DHCP server is changing the IP of the maching you want to protect from.
iptables -A INPUT -m mac --mac-source 00:11:2f:8f:f8:f8 -j DROP
Block a specific port
If all you want is to block a port, iptables
can still do it.
And you can block incoming or outgoing traffic.
Block incoming traffic to a port
Suppose we need to block port 21 for incoming traffic:
iptables -A INPUT -p tcp --destination-port 21 -j DROP
But if you have two-NIC server, with one NIC facing the Internet and the other facing your local private Network, and you only one to block FTP access from outside world.
iptables -A INPUT -p tcp -i eth1 -p tcp --destination-port 21 -j DROP
In this case I’m assuming eth1 is the one facing the Internet.
You can also block a port from a specific IP address:
iptables -A INPUT -p tcp -s 22.33.44.55 --destination-port 21 -j DROP
Or even block access to a port from everywhere but a specific IP range.
iptables -A INPUT p tcp -s ! 22.33.44.0/24 --destination-port 21 -j DROP
Block outgoing traffic to a port
If you want to forbid outgoing traffic to port 25, this is useful, in the case you are running a Linux firewall for your office, and you want to stop virus from sending emails.
iptables -A FORWARD -p tcp --dport 25 -j DROP
I’m using FORWARD, as in this example the server is a firewall, but you can use OUTPUT too, to block also server self traffic.
Log traffic, before taking action
If you want to log the traffic before blocking it, for example, there is a rule in an office, where all employees have been said not to log into a given server, and you want to be sure everybody obeys the rule by blocking access to ssh port. But, at the same time you want to find the one who tried it.
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "dropped access to port 22" iptables -A INPUT -p tcp --dport 22 -j DROP
You will be able to see which IP tried to access the server, but of course he couldn’t.
Tips and Tricks
Because iptables
executes the rules in order, if you want to change something you need to insert the rule in the specific position, or the desired effect is not going to be achieved.
List rules with numbers
iptables -nL --line-numbers
This is going to list all your rules with numbers preceding the rules. Determine where you want the inserted rule and write:
List specific chains
iptables -nL INPUT
Will list all INPUT rules.
iptables -nL FORWARD
Will list all OUTPUT rules
Insert rules
iptables -I INPUT 3 -s 10.0.0.0/8 -j ACCEPT
That is going to add a rule in position 3 of the “array”
Delete rules
iptables -D INPUT 3
That is going to remove the rule inserted above. You can also remove it, by matching it.
iptables -D INPUT -s 10.0.0.0/8 -j ACCEPT
Delete flush all rules and chains
This steps are very handy if you want to start with a completely empty and default tables:
iptables --flush iptables --table nat --flush iptables --table mangle --flush iptables --delete-chain iptables --table nat --delete-chain iptables --table mangle --delete-chain
NOTE: do not execute this rules if you are connected via ssh or something similar, you may get locked out
Simple scripts for specific needs
How to stop brute force attacks
You can also use iptables
to stop brute force attacks to your server, for example: Allow only three attempts to log through ssh before banning the IP for 15 minutes, this should let legitimate users to log to the servers, but bots will not be able. Remember to always use strong passwords
iptables -F iptables -A INPUT -i lo -p all -j ACCEPT iptables -A OUTPUT -o lo -p all -j ACCEPT iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport www -j ACCEPT iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 900 --hitcount 3 -j DROP iptables -P INPUT DROP
How to NAT with iptables
iptables
is also very useful to configure NAT routers, a Linux mashing can act as a router, and share its public IP with a private networks behind it. It is also useful to configure the DHCP in the same server.
To configure a NAT router, you will be better with a server with two NICs, let’s suppose you have:
- eth0: 12.13.14.15
- eth1: 10.1.1.1
Now configure NAT to forward all traffic from 10.1.1.0 network through eth0 IP. You may want to empty all tables and start with a fresh chains and tables (see how above).
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE iptables --append FORWARD --in-interface eth1 -j ACCEPT
That is it, you only have to enable kernel forwarding now:
echo 1 > /proc/sys/net/ipv4/ip_forward
Mount NFS Share in AIX 6.1
On some AIX 6.1 instances, you may run into problems when mounting an NFS from a Linux based machine. The root of the error lies in how AIX handles its NFS ports. You can configure AIX to use the standard NFS ports so that it can talk to the Linux box's NFS service.
Use the following code to setup AIX NFS options to use the proper ports for Linux NFS mounts:
nfso -o -p nfs_use_reserved_ports=1
Then just mount the share like you would normally. For example to mount the share temporarily, use this:
mount server:/path/to/share /mnt
That will mount the NFS share /path/to/share that is being served from a machine named "server" to your local filesystem at the directory /mnt.
Add, Remove, and adjust disks and file systems in AIX 6.1
You can use the built in tool called SMITTY to resize files systems in AIX. Supply SMITTY with the FS argument to work with the file systems. See instructions below for a walk through of adjusting /opt
Launch Smitty by typing: smitty fs
Arrow down to the third option "Add / Change / Show / Delete File Systems" and press enter.
Select "Enhanced Journaled File System" and press enter.
Arrow down to the third option labled "Change / Show Characteristics of an Enhanced Journaled File System" and press enter.
This will bring up a selection box of the available partitions and file systems that can be edited. Use the arrow keys to select the one you want to modify, and press enter.
Now you will see all available options for editing. To adjust the size of the file system, arrow down to the line labeled "Number of Units"
In this example, I have adjusted the file system to 12582912 units which is equivalent to 6 GB.
Once you have entered the desired size, press the enter key to accept.
Give the system a few seconds to adjust the size, and if successful you will see a message similar to the one below.
Once you see this confirmation, press the F10 to exit smitty.