Basics of Iptables

Iptables is a user-space program for filtering packets according to defined rules. Although iptables can also perform Network Address Translation (NAT) and Quality of Service (QoS) on packets, it was originally meant to filter packets passing through the kernel. In this post, I will explore iptables as a packet filtering tool.

Like all other firewalls, iptables filters packets using rules. A rule defines the filtering condition and the corresponding action on the packets that match it. For example, we may define a rule for "Reject all incoming traffic coming from IP 192.168.1.1".

When you write a rule, you have to answer two questions, "Where" and "What":

Where to write the rule?

What will be the condition and the action of the rule? (the statement of the rule)

Let us first address the "Where" part.

Iptables consists of many tables such as filter, nat, mangle etc. You have to put your rule in one of these tables. Selection of the table depends on the purpose of the rule; for all filtering rules the filter table is selected. filter is also the default table for rules: if no table is given in a rule, you must understand that the rule is defined in the filter table.

After selecting the table, you have to select a chain inside the table. There are three chains in the filter table: INPUT, OUTPUT and FORWARD. You can use any one of them in the filter table; the choice depends on the flow of traffic the rule has to be applied to:

For incoming traffic - INPUT chain
For outgoing traffic - OUTPUT chain
For traffic forwarded through the system - FORWARD chain

Now let us proceed with our example case "Reject all incoming traffic coming from IP 192.168.1.1".

Table selection: Since packets from 192.168.1.1 have to be filtered for rejection, we will use the filter table.

Chain selection: Since the rule has to be applied on incoming traffic, the INPUT chain of the filter table will be used.

By answering the table and chain selection, the "Where" part is cleared.

The "What" part

The "What" part defines the condition and the action of the rule. As per the given example "Reject all incoming traffic coming from IP 192.168.1.1":

Condition: Source IP of traffic should be 192.168.1.1
Action: Reject the traffic

Once the "where" and "what" parts become crystal clear, you can write the iptables rule as below

iptables -t filter -I INPUT -s 192.168.1.1 -j REJECT

In the above rule, inside the filter table (-t filter) a rule has been inserted at the top of the INPUT chain (-I INPUT). The condition part matches the source IP and, if it is 192.168.1.1 (-s 192.168.1.1), the action part rejects the packet (-j REJECT).
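
As an added example (not code from the original post), the same table/chain/condition/action decomposition used as an audit: the script parses constructed `iptables-save` output and checks that the REJECT rule from the post is present at the top of the filter table's INPUT chain. The sample rules and the `parse_iptables_save`/`find_rule` names are my own.

```python
"""Audit rules in iptables-save output (added example, not from the original post)."""
import re

# Constructed sample of `iptables-save` output for the filter table: the rule
# built in the post (inserted at the top of INPUT with -I) followed by an
# unrelated ACCEPT rule. iptables-save shows single hosts with a /32 mask and
# expands REJECT to its default --reject-with option.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.1/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return a list of (table, chain, match_spec, target) tuples.

    The format has one `*table` header per table, `:CHAIN policy [counters]`
    lines, and one `-A CHAIN <matches> -j TARGET [target options]` line per
    rule, in the order the rules are evaluated.
    """
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            m = re.match(r"-A (\S+)\s*(.*?)(?:\s*-j (\S+).*)?$", line)
            rules.append((table, m.group(1), m.group(2), m.group(3)))
    return rules


def find_rule(rules, table, chain, source, target):
    """Return the 1-based position of the first rule in table/chain whose match
    part carries `-s <source>` and whose target is `target`; 0 if absent.
    Position matters because the first matching rule decides the packet's fate.
    """
    pos = 0
    for tbl, chn, spec, tgt in rules:
        if tbl != table or chn != chain:
            continue
        pos += 1
        if f" -s {source} " in f" {spec} " and tgt == target:
            return pos
    return 0
```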

You may also watch the video below to understand the basics of iptables.


NSS vs OPENSSL

We have more than one option for implementing TLS, SSL and PKCS in Linux. Network Security Services (NSS) and OpenSSL are two common options available in Linux.

NSS provides a complete open source implementation of cryptographic libraries. NSS is available both under the Mozilla Public License and the GPL. NSS is used by many applications, especially by Netscape products. NSS supports TLS, SSL and PKCS, including PKCS#11.

OpenSSL is "dual licensed" under the OpenSSL License and the SSLeay License; the OpenSSL License is an Apache-style license. OpenSSL is the default crypto library for many applications.

In our Linux environment we have the choice to use either OpenSSL or NSS. In our setup, for web sites on the Apache web server we normally use OpenSSL-generated certificates, and for this we load the module mod_ssl in Apache. If you are interested in using NSS in Apache, go with the module mod_nss instead of mod_ssl.

It becomes obvious that in Linux, packages/binaries use either OpenSSL or NSS or some other crypto library. To find out for an individual package or binary, you can use the ldd command, e.g. to get the list of libraries used by sshd:

root# ldd /usr/sbin/sshd

For managing OpenSSL certificates we use the openssl command with different options; for NSS certificates and other management tasks, use the certutil command.

While discussing NSS, I can remember the concept of a "shared database". A shared database makes it possible to use the same keys and certs from multiple applications. Imagine a situation where the SSL certificate working for a web site is also used for accessing the server via SSH. Fedora is already moving in the direction of consolidating its crypto libraries, consolidating on NSS: https://fedoraproject.org/wiki/FedoraCryptoConsolidation. I will discuss more on this in coming posts.

ext4 Filesystem

As we know, from RHEL version 6 (and the corresponding CentOS version) Red Hat ships ext4 as the default file system.
How is the ext4 filesystem better than ext3 and other older ext filesystems?

Let me explain the ext4 filesystem features from a system admin's point of view.

The most important difference of the ext4 filesystem is the use of extents in place of blocks. The XFS filesystem was already using extents, and so does the ext4 filesystem now.

One basic question arises here:
Why extents, and how do they differ from blocks?

A block in the ext3 filesystem is generally 4KB in size. In a block-based filesystem, problems occur with large files, as too many blocks get involved in one large file. Since too many blocks belong to one file, and the number of every block needs to be recorded in the inode of that file, the size of the inode's block map also grows along with the size of the file.

What is the way out of this problem of block-based file systems?

Here come extents. An extent is a specific number of contiguous blocks. The advantage of extents comes especially with large files, where there will be less fragmentation.

Definitely the inode structure in ext4 will differ from that of ext3. The inode of ext4 logically needs to store not the list of blocks but only the extent number and how many blocks of that extent belong to the inode (file).
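
As an added example (not from the original post), the block-list-versus-extent idea in code: `blocks_to_extents` collapses a file's block numbers into (start, length) runs, and `metadata_entries` compares the two representations for a constructed file layout. The function names, the 4 KB block size and the toy layout are my assumptions; the real ext4 extent tree also records logical offsets and caps extent length, which is omitted here.

```python
"""Block list vs. extent list for the same file (added example, not from the post)."""

BLOCK_SIZE = 4096  # ext3/ext4 default block size, 4 KB


def blocks_to_extents(blocks):
    """Collapse a file's ordered list of block numbers into extents.

    An extent is a run of contiguous blocks, recorded as (first_block, length).
    This is the general algorithm behind the ext4 idea described in the post;
    the on-disk extent tree also stores the logical offset and limits the
    length of one extent, which this illustration leaves out.
    """
    extents = []
    for b in blocks:
        if extents and extents[-1][0] + extents[-1][1] == b:
            start, length = extents[-1]
            extents[-1] = (start, length + 1)   # extend the current run
        else:
            extents.append((b, 1))              # start a new run
    return extents


def metadata_entries(file_size, fragments=1):
    """Compare how many block-map entries vs. extents a file needs.

    Constructed layout: `file_size` bytes split into `fragments` equally sized
    contiguous pieces placed at different spots on disk, so the block map grows
    with file size while the extent count grows only with fragmentation.
    """
    nblocks = -(-file_size // BLOCK_SIZE)          # ceil division
    per_piece = -(-nblocks // fragments)
    blocks, base, remaining = [], 1000, nblocks
    for _ in range(fragments):
        n = min(per_piece, remaining)
        blocks.extend(range(base, base + n))       # one contiguous piece
        base += n + 50                             # gap before the next piece
        remaining -= n
        if remaining == 0:
            break
    return {"blocks": len(blocks), "extents": len(blocks_to_extents(blocks))}
```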

  


Tuning File System

Tuning of a file system depends on which file system you are using. The ext4 filesystem may have different parameters than the XFS filesystem, though a number of tuning parameters remain common to all file systems. Certain parameters related to formatting and mount options may improve performance.

If we talk about formatting options, then we must consider the following parameters

Block Size
Geometry of File system
External Journal

For mounting, we can take the following parameters into consideration

Access Time
Barriers
Read ahead support

Secure Boot Or hate for Linux?

Secure boot is a method to boot the operating system after checking a cryptographic signature using the UEFI (http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) framework. Secure boot is boot-level security which disallows bypassing the signature verification process during booting.

The above explanation of Secure boot sounds good, but what about those users who need dual booting?

With the release of Windows 8, Microsoft decided that all Windows 8 ready machines will

  • Have secure boot enabled by default.
  • Ship Microsoft keys in firmware.

If that is the case, then what about an OS which does not support secure boot? Moreover, if Microsoft's keys are present in the firmware, then what about a Linux boot loader, which is obviously not signed by a Microsoft key?

Let us stand for freedom: http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement. The big corporate houses are forcing us to use certain products and services.

LDAP SSL : Part 2

In the last post http://www.linuxmantra.com/2013/05/ldap-ssl-part-1.html, I discussed accessing the ldap server via a socket. In this post I am going to configure SSL for ldap.

Step1. Create a self-signed certificate using the openssl command. The path of the SSL certificate file will be /etc/pki/tls/certs/linuxmantra.crt and the SSL key file will be /etc/pki/tls/certs/linuxmantra.key

root# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/linuxmantra.crt -keyout /etc/pki/tls/certs/linuxmantra.key



Step2. After creating the self-signed certificate, verify whether any TLS certificate is already configured

root# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base|grep tls



The above command verifies whether there is any entry for a TLS certificate in the config. From openldap version 2.4, the ldap configuration is also available in ldap format, so here cn=config stores the configuration of the ldap server.

Step3. Set the SSL certificate for your server by importing a .ldif file.

     Step3.1  Create a file addsslcert.ldif with the following content


   
     Step3.2  Import this addsslcert.ldif file into the ldap server with the following command

     root# ldapmodify -Y EXTERNAL -H ldapi:/// -f addsslcert.ldif


Step4. Verify that the TLS certificate has been configured properly

root# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" -s base|grep tls




Step5. Edit the /etc/sysconfig/ldap file and set "SLAPD_LDAPS=yes" to enable LDAP over TLS



Save the /etc/sysconfig/ldap file and restart the slapd daemon

root# /etc/init.d/slapd restart


Enjoy, you now have TLS (SSL) in place for ldap server access.

LDAP SSL : Part 1

In the series on openldap implementation on CentOS6, in the next post I am going to discuss ldap TLS (SSL) configuration.


LDAP data communication over TLS will be safe and encrypted. Encrypted data can't be decoded even if it gets intercepted by network sniffing tools such as Wireshark or tcpdump.



Before going into the implementation part of SSL, let me configure the LDAP server to listen on a socket.

Normally the ldap server runs on tcp port 389 and can be accessed over this port from local or remote clients. Socket-based access can't work for remote access; for remote access use network port 389.


Let me make clear that the network-port-based access option remains available even though we go for socket-based access.



There is one big advantage of using socket-based access: we can map even a Linux user (not an ldap user) to access the ldap directory content.



Let me explain this through an example. Please note that this example has been covered on the CentOS6 distribution of Linux.



Suppose we have a domain "linuxmantra.local", and we want to perform a search


root# ldapsearch -x -H ldap://localhost -b "dc=linuxmantra,dc=local"

Here the search operation is performed using the access method "ldap".

In place of "ldap" we can also use "ldaps" if we have an SSL configuration in place for our ldap server "localhost".

Now, to perform socket-based access we should use "ldapi".

In our example, to search in base "dc=linuxmantra,dc=local":

 root# ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=linuxmantra,dc=local"



So here you can notice that the SASL/EXTERNAL authentication mechanism is in use and mapped to gidNumber=0+uidNumber=0


You may have a question in mind:

 Where has this mapping been configured?
The answer is the file


 /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif


In this file there is an ACL entry for the mapping


olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage  by * none

(In the file this value is wrapped onto a continuation line beginning with a single space, as LDIF does for long lines; it is shown unfolded here.)
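
Both the Step 4 check in the LDAP SSL : Part 2 post (does cn=config carry the TLS certificate and key attributes?) and the folded olcAccess line above can be checked in code. As an added example, not from either post, the parser below reads LDIF as ldapsearch prints it, joining continuation lines that start with a space, and then asks both questions of a constructed sample; the attribute names olcTLSCertificateFile and olcTLSCertificateKeyFile are the standard cn=config attributes and are my assumption about what addsslcert.ldif sets, since its content is not shown.

```python
"""Parse LDIF as ldapsearch prints it and check cn=config settings
(added example, not from the original posts)."""

# Constructed sample resembling `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config`
# output plus the olcDatabase={0}config entry. LDIF folds long values: a line
# starting with one space continues the previous line.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/pki/tls/certs/linuxmantra.crt
olcTLSCertificateKeyFile: /etc/pki/tls/certs/linuxmantra.key

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" manage  by * none
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}; folded lines are joined first.
    Base64 values ("attr:: ...") are kept as-is, which is enough here."""
    entries, logical, current = {}, [], None

    def take(line):
        nonlocal current
        if not line or line.startswith("#"):
            return
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)

    for raw in text.splitlines() + [""]:   # trailing "" flushes the last line
        if raw.startswith(" "):
            logical.append(raw[1:])        # continuation: drop the fold space
            continue
        take("".join(logical))
        logical = [raw]
    return entries


def tls_configured(entries):
    """True only when cn=config names both the certificate and the key file."""
    cfg = entries.get("cn=config", {})
    return bool(cfg.get("olcTLSCertificateFile")) and bool(cfg.get("olcTLSCertificateKeyFile"))


def root_peercred_has_manage(entries):
    """True when the config database grants `manage` to the local root peer,
    which is the mapping that `-Y EXTERNAL -H ldapi:///` as root relies on."""
    db = entries.get("olcDatabase={0}config,cn=config", {})
    needle = 'dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage'
    return any(needle in rule for rule in db.get("olcAccess", []))
```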



samba ldap setup


The question below is encountered by most Linux admins:

Is there any option in Linux to implement the Windows Active Directory concept?

The answer is yes, you can implement the Windows AD logic on Linux servers. Suppose as a Linux admin you get the task to migrate a Windows Active Directory server to the Linux platform.

Windows AD is an integrated implementation of ldap and kerberos for a centralized authentication server and single sign-on.

In my last articles, I already covered ldap installation and configuration.


After successful installation and configuration of ldap, we need to configure samba. Below is the samba configuration file (/etc/samba/smb.conf) for running a samba+ldap server

++++++++++++++++++++++++++++++++++++++++++++++
[global]
workgroup = linuxmantra
server string = host1
netbios name = host1
ldap passwd sync = yes
security = user
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=linuxmantra,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn= "uid=root,ou=People,dc=linuxmantra,dc=com"
domain master = yes
domain logons = yes
logon path =     
add user script = /usr/sbin/smbldap-useradd "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
local master =  yes
os level =  254
preferred master = yes
wins support = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

As you can notice in the samba configuration file, the ldap tree structure is given there.

We also need to create this ldap structure before starting samba. There are certain tools that populate the ldap tree structure, so that the required structure can be created without much manual intervention. The following link will help you install smbldap-tools and populate the ldap tree structure.



ldap authentication

In my last two posts http://www.linuxmantra.com/2013/04/openldap-on-centos.html and http://www.linuxmantra.com/2013/04/ldap-on-centos-part-2.html, I discussed ldap basics and its setup on a centos server.

As we know, user account verification and authentication are two different things. I already discussed account verification using ldap in my last post http://www.linuxmantra.com/2013/04/ldap-on-centos-part-2.html.

User authentication is an independent process. There are multiple authentication methods in Linux. Have a look at the image below.




In the authentication section there are a number of options. Generally we use the "Use Shadow Passwords" option. The shadow passwords option uses the /etc/shadow file. You can continue to use the Shadow Password option for ldap users as well. If you use shadow passwords for an ldap user, then the user account information gets stored on the ldap server and the password gets stored in /etc/shadow.

Other than the method "Use Shadow Passwords", we can go for "Use LDAP Authentication". In the LDAP authentication scenario the password will be stored in ldap format on the ldap server.

Let us understand this by an example.


Suppose there is a user "uid=ldapuser1,dc=linuxmantra,dc=com" and we want to set the password of this user. The following command will set the password of this user to 'Passw0rd'

root# ldappasswd -x -D"cn=Manager,dc=linuxmantra,dc=com" -W "uid=ldapuser1,dc=linuxmantra,dc=com"  -s 'Passw0rd'


The above command will set the userPassword attribute of the given DN to whatever value you set as the password. You can notice this value in the output of the slapcat command
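
As an added example (not from the original post), what that userPassword value looks like and how to check it: the code assumes slapd's default {SSHA} (salted SHA-1) password hashing scheme, produces a value of the kind slapd stores for `ldappasswd -s 'Passw0rd'`, verifies a candidate password against it, and round-trips the base64 `userPassword::` form in which slapcat prints the attribute. The function names are mine.

```python
"""Produce and verify an OpenLDAP {SSHA} userPassword value (added example)."""
import base64
import hashlib
import hmac
import os

# Assumption: slapd runs with its default password-hash scheme {SSHA}.
# ldappasswd sends the new password in the clear inside the Password Modify
# operation; the server salts and hashes it and stores
#   "{SSHA}" + base64(sha1(password + salt) + salt)
# slapcat then prints the attribute base64-encoded as "userPassword:: ...".


def ssha_hash(password, salt=None):
    """Build an {SSHA} value like the one slapd stores (4-byte random salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False                      # some other scheme or clear text
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]   # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def slapcat_userpassword(value):
    """Render the attribute the way slapcat prints it: LDIF '::' base64 form."""
    return "userPassword:: " + base64.b64encode(value.encode()).decode()


def userpassword_from_slapcat(line):
    """Recover the stored {SSHA} string from a slapcat 'userPassword::' line."""
    attr, sep, value = line.partition("::")
    if not sep or attr.strip() != "userPassword":
        raise ValueError("not a base64 userPassword line")
    return base64.b64decode(value.strip()).decode()
```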



Now you have an ldap user "uid=ldapuser1,dc=linuxmantra,dc=com" and, more importantly, the user's password is stored inside the ldap server.

Finally, issue the command authconfig-tui and enable the option "Use LDAP Authentication".

ldap on linux : Part 2

In my last post http://www.linuxmantra.com/2013/04/openldap-on-centos.html, I discussed installation and basic configuration of openldap. In this article, I am going to discuss user account creation and its usage in account verification and authentication.

As we know, Linux user information gets stored in the file /etc/passwd, but users stored in /etc/passwd can't perform network logon. For network logon you can use either NIS or LDAP. LDAP has an advantage over NIS, as LDAP is a very popular directory service and almost all applications like oracle, apache, sendmail etc. understand the LDAP format and can use the ldap service.

In this article, I will elaborate the steps to use ldap as the storage of account information, in other words using ldap in place of /etc/passwd.

Step1. Create a normal user using the useradd command. In the example below, I created a user named ldapuser1

root# useradd ldapuser1

Once the user is created, store that user's information in a separate file, in my example root.passwd

root# grep ldapuser1 /etc/passwd > root.passwd



Step2. Convert the user information into ldif format

          Step2.1 Install the package migrationtools on your system

                          root# yum install migrationtools


          Step2.2 Convert the user information into ldif format

                     root# /usr/share/migrationtools/migrate_passwd.pl root.passwd > root.ldif


        Step2.3 Edit root.ldif and replace padl.com with your domain name. In my example, I replaced padl with linuxmantra, so the domain becomes linuxmantra.com. As you see in the image below, to replace padl with linuxmantra I used the following command in the vi editor

:s/padl/linuxmantra/g




Step3. Import the root.ldif file into the ldap server



    root# ldapadd -x -D"cn=Manager,dc=linuxmantra,dc=com" -W -f root.ldif


 Now the user is created. You can verify the user using the slapcat command.



Now ldapuser1 is a POSIX user which can log onto any Linux machine.
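
As an added example (not the migrationtools script from the post), the conversion Step 2 performs, in code: one passwd(5) line becomes a posixAccount LDIF entry under a base DN derived from the domain, which is what the padl to linuxmantra substitution achieves in the generated root.ldif. The constructed passwd line and the function names are mine, and the output approximates rather than reproduces migrate_passwd.pl's.

```python
"""Convert an /etc/passwd entry to posixAccount LDIF (added example, not the
migrationtools script used in the post)."""


def domain_to_base_dn(domain):
    """'linuxmantra.com' -> 'dc=linuxmantra,dc=com'."""
    return ",".join(f"dc={part}" for part in domain.split("."))


def passwd_line_to_ldif(line, domain, people_ou=None):
    """Build a posixAccount/shadowAccount LDIF entry from one passwd(5) line.

    Approximates what migrate_passwd.pl emits. With people_ou=None the entry
    sits directly under the base DN, matching the DN used later in the post
    (uid=ldapuser1,dc=linuxmantra,dc=com); pass "People" for an ou=People
    subtree. /etc/passwd holds no hash, so no userPassword is written; the
    password is set afterwards with ldappasswd.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    user, _pw, uid, gid, gecos, home, shell = fields
    ou = f"ou={people_ou}," if people_ou else ""
    base = domain_to_base_dn(domain)
    return "\n".join([
        f"dn: uid={user},{ou}{base}",
        f"uid: {user}",
        f"cn: {gecos or user}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
        "",
    ])


# Constructed line, as `grep ldapuser1 /etc/passwd` would capture it.
PASSWD_LINE = "ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash"
```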

Step4. Configure the Linux client to use the ldap server for account verification.

root# authconfig-tui



As you can notice in the above image, in the User Information section "Use LDAP" is selected. So you should also select "Use LDAP" and click the Next button.


Clicking the Next button will bring up the LDAP Settings box. Mention the IP/name of your server in the Server field and the ldap base DN in the Base DN field. In my example the ldap server IP is 192.168.1.1 and the base DN is dc=linuxmantra,dc=com


Step5. Now you can use the ldap user for user verification, but remember the authentication part is still not configured. If you want to verify whether your LDAP server is configured properly or not, just do su from root or use the getent command


You can use the getent command in the following way


You can notice that there is no user ldapuser1 in /etc/passwd, but the getent command shows that the user exists.

Great, the user exists in LDAP, so everything has worked fine so far.