December 11, 2012

iptables: redirecting ports

The usual way to redirect inbound traffic on port 80 to a service listening on port 8080 (typically so the service can run as an unprivileged user without binding a port below 1024) is a NAT rule in iptables. The following script sets up the redirect together with the accompanying filter rules:

#!/bin/bash
IPTABLES=$(which iptables)

# Start from a clean slate in both the filter and nat tables, so that
# re-running the script does not append duplicate rules
$IPTABLES --flush
$IPTABLES -t nat --flush

# Default policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Allow replies to connections this host initiated
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept everything from the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT

# Accept traffic on port 80 (only packets the nat rule below does not rewrite)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# Accept traffic on port 8080 (the port redirected packets arrive on)
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT
# Accept ssh traffic
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# Local redirect: connections this host makes to its own port 80 also land on 8080
$IPTABLES -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080
# Actual 80 to 8080 redirect for traffic arriving from the network
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

# Save the configuration so it survives a reboot (RHEL/CentOS layout)
IPTABLES_SAVE=$(which iptables-save)
if [ -d "/etc/sysconfig" ]
then
    $IPTABLES_SAVE > /etc/sysconfig/iptables
fi

Two things to keep in mind. The REDIRECT in the nat PREROUTING chain rewrites the destination port before the packet reaches the filter INPUT chain, so redirected connections match the port 8080 ACCEPT rule, not the port 80 one. And with the INPUT policy left at ACCEPT, the per-port ACCEPT rules change nothing; set the policy to DROP (keeping the RELATED,ESTABLISHED and loopback rules first) if the intent is to allow only 22, 80 and 8080.
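As an added example (not part of the original post), a small POSIX shell audit of a saved ruleset in iptables-save format: it confirms that the nat redirect exists and that the filter table will actually let the redirected port through, and it flags the case where the INPUT policy is ACCEPT. The dump embedded below is constructed to mirror what the script above would save; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump
# for the 80 -> 8080 redirect. SAMPLE_DUMP is constructed to mirror what
# the script above would save; pass "$(iptables-save)" or the contents of
# /etc/sysconfig/iptables to check a real system.

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Print only the lines belonging to table $1 (nat, filter, ...) from stdin
table_lines() {
    awk -v t="*$1" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on'
}

# 0 if dump $1 redirects TCP port $2 to $3 in the nat PREROUTING chain
has_redirect() {
    printf '%s\n' "$1" | table_lines nat |
        grep -q -- "^-A PREROUTING .*--dport $2 .*-j REDIRECT --to-ports $3\$"
}

# 0 if the filter INPUT chain in dump $1 has an ACCEPT rule for TCP port $2
input_accepts_port() {
    printf '%s\n' "$1" | table_lines filter |
        grep -q -- "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT"
}

# Print the default policy (ACCEPT/DROP) of filter chain $2 in dump $1
chain_policy() {
    printf '%s\n' "$1" | table_lines filter |
        awk -v c=":$2" '$1 == c { print $2 }'
}

# Full check: the redirect exists and redirected packets, which reach INPUT
# with destination port $3, are not blocked there. Warns when the INPUT
# policy is ACCEPT, because then the per-port ACCEPT rules are decorative.
check_redirect() {
    has_redirect "$1" "$2" "$3" ||
        { echo "missing nat PREROUTING redirect $2 -> $3" >&2; return 1; }
    if [ "$(chain_policy "$1" INPUT)" = ACCEPT ]; then
        echo "note: INPUT policy is ACCEPT, per-port ACCEPT rules have no effect" >&2
    elif ! input_accepts_port "$1" "$3"; then
        echo "redirect present but INPUT does not accept port $3" >&2
        return 1
    fi
}

# Usage on a live host:  check_redirect "$(iptables-save)" 80 8080
check_redirect "$SAMPLE_DUMP" 80 8080 && echo "80 -> 8080 redirect looks good"
```

The dump is parsed per table because the same chain name (INPUT, OUTPUT) appears in both nat and filter, and a grep over the whole file would happily match a nat rule when asked about the filter table.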

Posted by cdgrieb at 12:08 PM | Comments (0)

September 07, 2012

iptables: method to simply block Ping requests...

Sometimes a system administrator would simply like to drop all incoming ping requests. The following command inserts a rule at the head of the INPUT chain that does exactly that:

/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -j DROP

(this reads: for input of protocol ICMP, specifically type echo-request, drop the packet. Other ICMP types such as destination-unreachable and time-exceeded are unaffected, which is what you want; dropping all ICMP would also silence the error messages that path MTU discovery and traceroute depend on.)

To remove the rule later, first find its number in the chain:

/sbin/iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       icmp --  anywhere             anywhere             icmp echo-request

(the ICMP block is rule number 1 here)

Delete the entry by that number:

/sbin/iptables -D INPUT 1

Rule numbers shift whenever rules above are added or removed, so list and delete in one sitting, or pass the full rule specification to -D instead of a number. Also, a rule added at the command line lives only in the running kernel; save it to /etc/sysconfig/iptables (see the port-redirect post above) if it should survive a reboot.
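As an added example (not part of the original post), a POSIX shell helper for the same task that does not depend on the rule sitting at index 1: it finds the rule's number in a listing, makes the insert idempotent with iptables -C, and deletes by rule specification. The listing embedded below is constructed, the function names are mine, and IPT can be pointed at a wrapper for dry runs.

```shell
#!/bin/sh
# Added example, not from the original post: manage the ping-block rule
# without trusting a hard-coded index. Rule numbers shift whenever a rule
# is inserted above, so the add is made idempotent with -C and the delete
# works by rule specification. IPT can be pointed at a wrapper for testing.

IPT=${IPT:-/sbin/iptables}
PING_RULE='-p icmp --icmp-type echo-request -j DROP'

# Constructed sample of `iptables -L INPUT --line-numbers` output with the
# ping block sitting behind a state rule, i.e. no longer at index 1
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    DROP       icmp --  anywhere             anywhere             icmp echo-request
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh'

# Print the rule number of the echo-request DROP rule in listing $1
# (matches both the symbolic form and the -n numeric form "icmptype 8")
ping_block_index() {
    printf '%s\n' "$1" |
        awk '$2 == "DROP" && $3 == "icmp" && /echo-request|icmptype 8/ { print $1; exit }'
}

# Insert the rule at the top of INPUT unless it is already there
ping_block_on() {
    $IPT -C INPUT $PING_RULE 2>/dev/null || $IPT -I INPUT $PING_RULE
}

# Remove every copy of the rule, by specification rather than by number
ping_block_off() {
    while $IPT -C INPUT $PING_RULE 2>/dev/null; do
        $IPT -D INPUT $PING_RULE || return 1
    done
}

# Usage on a live host:
#   ping_block_on
#   ping_block_index "$($IPT -L INPUT --line-numbers)"
#   ping_block_off
ping_block_index "$SAMPLE_LISTING"   # prints 2
```

PING_RULE is deliberately left unquoted where it is expanded so the shell splits it into separate iptables arguments. The loop in ping_block_off handles the case where the rule was inserted more than once.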

Posted by cdgrieb at 09:31 AM | Comments (0)

July 13, 2012

Setting the default umask for web-content...

One of the issues we've had with multiple users managing web content and directory permissions is the default umask. RHEL6's default of 022 produces files that are group-readable but not group-writable, which causes significant problems when several people manage the same content. We've side-stepped this by setting the umask in each user's login shell profile, for example:

[root@winterberry /home]# vim /home/cdgrieb/.cshrc
umask 002

(for bash)
[root@winterberry /home]# vim /home/cdgrieb/.bash_profile
umask 002

A value of 002 gives both owner and group read and write access (new files are created 664, new directories 775), which makes shared management of web content significantly easier. Two caveats: the group write bit only helps if the content directories are group-owned by the content group, ideally with the setgid bit set so new files inherit that group instead of the creator's primary group; and a umask set in ~/.bash_profile applies to login shells only, so files created by other routes (cron jobs, the web server itself, scripted uploads) keep whatever umask those processes run with.
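As an added example (not part of the original post), a POSIX shell check of what each umask actually does to new files and directories, plus the setgid group directory that turns a group-writable umask into a workable shared content root. The function names are mine, and it only touches a throwaway temp directory.

```shell
#!/bin/sh
# Added example, not from the original post: show what each umask does to
# newly created files and directories, and how a setgid group directory
# completes the shared-content setup. Everything happens under mktemp -d.

# Octal permission bits of a path; GNU stat first, BSD stat as fallback
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Mode of a new file ($2 = f) or directory ($2 = d) created under umask $1.
# Files start from 666 and directories from 777 before the mask is applied.
mode_with_umask() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = d ]; then mkdir "$dir/x"; else : > "$dir/x"; fi
    )
    mode_of "$dir/x"
    rm -rf "$dir"
}

# Shared web root $1 owned by group $2: group-writable and setgid, so files
# created inside inherit the group and a 002 umask actually helps
make_shared_root() {
    mkdir -p "$1" &&
    chgrp "$2" "$1" &&
    chmod 2775 "$1" &&      # rwxrwsr-x
    mode_of "$1"
}

mode_with_umask 022 f   # 644
mode_with_umask 002 f   # 664
mode_with_umask 022 d   # 755
mode_with_umask 002 d   # 775
```

Run as a user who belongs to the content group; chgrp to a group you are not a member of fails for non-root users. Keep the content group dedicated (not a broad group such as users), since umask 002 hands write access to everyone in it.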

Posted by cdgrieb at 10:14 AM | Comments (0)

July 10, 2012

SA Lisa - VM deployment checklist Linux

We started the process of creating our VM deployment checklist, including ensuring documentation creation, RHN registration, and account management, with the eventual goal of automating the entire process. More information soon!

Link: https://wiki.umms.med.umich.edu/x/EReTBw

Posted by cdgrieb at 04:35 PM | Comments (0)

June 05, 2012

Standardizing MySQL credentials

Currently, MSIS hosts a number of WordPress blogs operating under external, non-university DNS entries, for example umhsheadlines.org. Due to multiple SAs configuring and managing these blogs, we've encountered a situation in which root-level SQL passwords vary, often significantly, from server to server. Additionally, only a few of these passwords have actually been documented. As a result, team Lisa has started the process of resetting and tracking passwords associated with MySQL credentials. Hopefully, we'll have this finished in a few weeks.

Posted by cdgrieb at 04:02 PM | Comments (0)