Simple iptables-firewalling the Debian way

The script is self-explanatory; if you don't understand it, go read a beginner's guide to iptables. Otherwise place the script in /etc/init.d, name it firewall (the file name must match the name given to update-rc.d), make it executable (chmod +x) and run:

update-rc.d firewall defaults 19

And then you are ready to go 🙂

Two things to check before enabling it on a remote box: the rule set opens nothing for SSH from anywhere, so keep console access until you have added what you need, and the FTP rule on port 21 only covers the control connection; the data connections are matched by the ESTABLISHED,RELATED rule only if the ip_conntrack_ftp (nf_conntrack_ftp on newer kernels) module is loaded.

The script:
jail03:~# cat firewall
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    networking
# Required-Stop:
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Configure the iptables packet filter.
### END INIT INFO
. /lib/lsb/init-functions

case "$1" in
start)
    # Open up and flush the built-in chains before loading the new rule set
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    iptables -t filter -F INPUT
    iptables -t filter -F FORWARD
    iptables -t filter -F OUTPUT

    log_action_begin_msg "Configuring network firewall"

    # Default deny on input; everything not explicitly accepted below is dropped
    iptables -P INPUT DROP
    # Loopback must stay open or local services (resolver, databases) break
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # (Re)create the per-source chains. With "sh -e" a bare "-N" would abort
    # the script on a second start because the chains already exist.
    for chain in FULL WEB; do
        iptables -F "$chain" 2>/dev/null || true
        iptables -X "$chain" 2>/dev/null || true
        iptables -N "$chain"
    done

    # The Network Office
    iptables -A INPUT -s 10.0.0.0/24 -j FULL
    # BOFH
    iptables -A INPUT -s 83.89.249.18 -j FULL

    # Student range 1 and 2 are jumped to WEB
    iptables -A INPUT -s 10.1.0.0/24 -j WEB
    iptables -A INPUT -s 10.2.0.0/24 -j WEB

    # FULL means: new connections to HTTP and FTP control
    iptables -A FULL -m state --state NEW -p tcp --dport 80 -j ACCEPT
    iptables -A FULL -m state --state NEW -p tcp --dport 21 -j ACCEPT

    # WEB means: new connections to HTTP only
    iptables -A WEB -m state --state NEW -p tcp --dport 80 -j ACCEPT

    log_action_end_msg 0
    ;;

stop)
    log_action_begin_msg "Tearing down network firewall"

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    iptables -t filter -F INPUT
    iptables -t filter -F FORWARD
    iptables -t filter -F OUTPUT

    # The built-in chains are flushed, so nothing references FULL/WEB any more
    iptables -F FULL
    iptables --delete-chain FULL

    iptables -F WEB
    iptables --delete-chain WEB

    log_action_end_msg 0
    ;;

*)
    echo "Usage: /etc/init.d/firewall {start|stop}"
    exit 1
    ;;
esac

exit 0
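As an added example (not from the original post), here is a small shell check that audits an iptables-save dump for the properties the script is meant to guarantee: INPUT policy DROP, loopback accepted, connection tracking present and no ACCEPT that is open to any source. The dump below is a constructed sample of what iptables-save prints for this rule set, with the loopback rule deliberately left out so the audit has something to report; the function names are the example's own.

```shell
#!/bin/sh
# Audit an iptables-save dump (read from stdin) for the guarantees the init
# script above is meant to provide. Constructed sample, not a real host's dump.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FULL - [0:0]
:WEB - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j FULL
-A INPUT -s 83.89.249.18/32 -j FULL
-A INPUT -s 10.1.0.0/24 -j WEB
-A INPUT -s 10.2.0.0/24 -j WEB
-A FULL -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FULL -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A WEB -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT'

# Same dump with the loopback rule the sample lacks inserted before the state rule
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | awk '
    /^-A INPUT -m state/ { print "-A INPUT -i lo -j ACCEPT" }
    { print }')

# audit_filter_rules: prints one FINDING line per problem, returns 1 if any
audit_filter_rules() {
    rules=$(cat)
    status=0
    if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        echo 'FINDING: INPUT policy is not DROP'; status=1
    fi
    if ! printf '%s\n' "$rules" | grep -q '^-A INPUT -i lo -j ACCEPT'; then
        echo 'FINDING: no "-i lo -j ACCEPT" rule, local services will break'; status=1
    fi
    if ! printf '%s\n' "$rules" | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT'; then
        echo 'FINDING: no ESTABLISHED,RELATED rule, replies to outbound traffic are dropped'; status=1
    fi
    # An INPUT ACCEPT that is neither source-restricted, loopback nor the
    # state rule lets the whole Internet in
    if printf '%s\n' "$rules" | grep '^-A INPUT' | grep -v -- ' -s ' \
            | grep -v -- '--state ESTABLISHED' | grep -v -- ' -i lo ' \
            | grep -q -- '-j ACCEPT'; then
        echo 'FINDING: INPUT accepts new connections from any source'; status=1
    fi
    return $status
}

# ports_for_chain CHAIN: the TCP ports a source jumped to CHAIN may open
ports_for_chain() {
    grep "^-A $1 " | sed -n 's/.*--dport \([0-9]*\).*-j ACCEPT.*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

printf '%s\n' "$SAMPLE_RULES" | audit_filter_rules || echo 'sample: not clean'
printf '%s\n' "$FIXED_RULES" | audit_filter_rules && echo 'fixed: clean'
echo "FULL may open: $(printf '%s\n' "$SAMPLE_RULES" | ports_for_chain FULL)"
```

On a real host feed it with `iptables-save | audit_filter_rules` after the init script has run; the source check is deliberately strict, so a legitimate world-open service (a public web server) shows up as a finding you then confirm by hand.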

Posted in Knowledge Base, Linux, Networking, Old Base

Setting up a CVS repository (pserver)

First we need a fresh Debian 4.0 install

- Installation of cvs and cvsd

# apt-get install cvs cvsd

- You will be asked for the name of the repositories you want to permit access
to; here we wrote "mcs", which is an abbreviation for our company name.

- Prepare the repository

# cvs -d /var/lib/cvsd/mcs init

- Give access; you will be prompted for a password

# cvsd-passwd /var/lib/cvsd/mcs mike

- And give cvsd access to the repository (chown has no -D option; -R recurses
into the tree the init step just created)

# chown -R cvsd:cvsd /var/lib/cvsd/mcs

Now you should be running, but we preferred to add a web interface:

# apt-get install cvsweb

Edit /etc/cvsweb/cvsweb.conf (the @CVSrepositories list, around line 60) to point at "/var/lib/cvsd/mcs"; change the display name if you like.

Make apache run as cvsd/cvsd to allow access to the repository (only do this if you are not using apache for anything else): open /etc/apache2/apache2.conf and change www-data to cvsd in the User and Group directives (lines 125 and 126).

Edit /etc/apache2/sites-enabled/000-default and change line 17 to:
RedirectMatch ^/$ /cgi-bin/cvsweb
This makes the webserver redirect you to the cvs repository viewer when you try to enter the server.

Please add some security to this; there is no access control. Everybody who can reach port 80 can see your source now, and the pserver protocol itself sends the password over the network in a trivially reversible scrambled form, not encrypted. We added iptables to prevent outsiders from seeing this; restricting both port 80 and the pserver port (2401) to the office ranges, as in the firewall script above, is the minimum.

Posted in Knowledge Base, Old Base

setup local debian + backports + ubuntu mirror

first get debmirror.
# apt-get install debmirror

second, create the user mirror and su to it
# useradd -m mirror
# su - mirror
# mkdir /home/mirror/debian
# mkdir /home/mirror/debian-backports
# mkdir /home/mirror/debian-security
# mkdir /home/mirror/ubuntu

now create the gpg keyring debmirror checks the Release signatures against. debmirror verifies Release.gpg with gpgv against ~/.gnupg/trustedkeys.gpg, not the default keyring, so the import has to go there (still as the mirror user; the first file comes from the debian-archive-keyring package):
# gpg --no-default-keyring --keyring trustedkeys.gpg --import /usr/share/keyrings/debian-archive-keyring.gpg
# gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
# gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver hkp://subkeys.pgp.net --recv-keys 437D05B5

16BA136C is the backports.org archive key and 437D05B5 the Ubuntu archive key. Compare the fingerprints of the two keys fetched from the keyserver (gpg --no-default-keyring --keyring trustedkeys.gpg --fingerprint) with the ones published by backports.org and Ubuntu before you rely on them: anyone can upload a key with a matching short id to a keyserver, and every Release file on the mirror is verified against exactly this keyring.


Create this script and put it in cron:
#!/bin/bash
# Etch for i386 and amd64, binaries only, from the Danish mirror
debmirror --arch=i386,amd64 \
    --section=main,contrib,non-free \
    --host=ftp.dk.debian.org \
    --dist=etch \
    --root=/debian \
    --progress \
    --no-source \
    --method=http \
    /home/mirror/debian

# Security updates live in a separate archive with a different root
debmirror --arch=i386,amd64 \
    --section=main,contrib,non-free \
    --host=security.debian.org \
    --dist=etch/updates \
    --root=/ \
    --progress \
    --no-source \
    --method=http \
    /home/mirror/debian-security

# Backports: mirror the same sections the clients' sources.list asks for
debmirror --arch=i386,amd64 \
    --section=main,contrib,non-free \
    --host=www.backports.org \
    --dist=etch-backports \
    --root=/debian \
    --progress \
    --no-source \
    --method=http \
    /home/mirror/debian-backports

# Ubuntu gutsy plus its security, updates and backports suites
debmirror --arch=i386,amd64 \
    --section=main,restricted,universe,multiverse \
    --host=nl.archive.ubuntu.com \
    --dist=gutsy,gutsy-security,gutsy-updates,gutsy-backports \
    --root=/ubuntu \
    --progress \
    --no-source \
    --method=http \
    /home/mirror/ubuntu

log out back to root and create links for the folders in /var/www:
# logout
# ln -s /home/mirror/debian /var/www/
# ln -s /home/mirror/debian-backports /var/www/
# ln -s /home/mirror/debian-security /var/www/
# ln -s /home/mirror/ubuntu /var/www/

Now run the script and wait for the packages to download.
Remember to put the script in cron after you finish downloading. Watch the debmirror output for signature errors: with the keyring above in place, a Release file whose signature does not verify aborts the run for that suite, which is what you want from a mirror your whole network trusts.

On the clients which use this mirror, add this to sources.list:

#debian etch:
deb http://mirror.sk.mcn.dk/debian/ etch main contrib non-free
deb http://mirror.sk.mcn.dk/debian-security/ etch/updates main contrib
deb http://mirror.sk.mcn.dk/debian-backports/ etch-backports main contrib non-free

#Ubuntu Gutsy:
deb http://mirror.sk.mcn.dk/ubuntu/ gutsy main restricted universe multiverse
deb http://mirror.sk.mcn.dk/ubuntu/ gutsy-updates main restricted universe multiverse
deb http://mirror.sk.mcn.dk/ubuntu/ gutsy-security main restricted universe multiverse

Posted in Knowledge Base, Linux, Old Base

Shared Deb archive (Ubuntu)

Using Samba shares.

apt-get install smbfs

Add to /etc/fstab
//server/folder /opt/archives smbfs uid=root,gid=users,credentials=/path/file 0 0

/*
credentials syntax:
username = smb_username
password = smb_password
*/
The credentials file holds the share password in clear text, so keep it owned by root with mode 600.

Create (or edit) /etc/apt/apt.conf.d/20archive

Add to bottom
Dir::Cache::Archives "/opt/archives";

NB: Due to limitations in apt, we cannot change the lock file, so only one person can use the share at a time. However, it is possible to delete the lock and start a new update if the packages are archived! Note also that everyone with write access to the share can replace the cached .debs; apt checks the hash of a cached archive against the signed Packages index before installing it, but the share should still be writable only by the machines that use it.

Posted in Knowledge Base, Linux, Old Base

reinstall debian development server

How to reinstall the dev server.

***************
Create new vps:
***************

Select configuration type: 'Typical'
Select os version: 'Linux' + 'Other Linux 2.6.x kernel'
Select name: 'dev*'
Select network configuration: 'Use bridged networking'
Select Disk size (GB): '50' + uncheck 'Allocate all disk space now' + check 'Split disk into 2 GB files'
Create the vms

Change memory to 512 MB
Load the iso '/iso/debian-40r2-i386-netinst.iso' into cdrom0

Boot the machine

*************************
Do a base Debian install:
*************************

Select language 'English'
Select country 'United States' (fix timezone issue?)
Select keyboard 'American English'

Wait for the installer to load and setup the network

Select partition method 'Guided - use entire disk'
Select disk to partition 'SCSI1'
Select partition scheme 'All files in one partition'
'Finish partitioning and write changes to disk'
'Yes'
Select timezone 'Eastern' (will be changed later)

Set root pass

Create the first user

Wait for the base install to finish

Use a network mirror: 'Yes'
Select mirror country: 'Denmark'
Select one

Setup proxy if needed

Select 'no'
Uncheck all except 'Standard system'

Wait for the extra packages to be installed.

Install grub to master boot record: 'Yes'

Reboot the machine

apt-get install openssh-server

*********************
Setup etch backports:
*********************

echo "deb http://www.backports.org/debian etch-backports main contrib non-free" >> /etc/apt/sources.list
cat >> /etc/apt/preferences << EOF
Package: *
Pin: release a=etch-backports
Pin-Priority: 999
EOF

wget -O - http://backports.org/debian/archive.key | apt-key add -
apt-get update

Note that priority 999 ranks every backport above the etch version (stable sits at 500), so all packages that exist in backports get upgraded to the backports build, not only the ones you ask for; the usual recommendation is a priority below 500 and -t etch-backports on demand. The key is fetched over plain http, so compare its fingerprint (apt-key finger) with the one published by backports.org before relying on it.

***********************************
Setup webserver, databases and cvs:
***********************************

apt-get install apache2 mysql-server postgresql-8.2 libapache2-mod-php5 php5-cli php5-mysql php5-pgsql php5-curl cvs stunnel sudo

echo include_path = \".:/usr/share/php5:/usr/share/php5/Smarty-2.6.19/libs\" >> /etc/php5/apache2/php.ini
wget -O /tmp/Smarty-2.6.19.tar.gz 'http://www.smarty.net/do_download.php?download_file=Smarty-2.6.19.tar.gz'
cd /usr/share/php5
tar zxf /tmp/Smarty-2.6.19.tar.gz
chown -R root:root Smarty-2.6.19/

(Without -O, wget saves the download as "do_download.php?download_file=..." in the current directory, which is not where the tar line looks.) The tarball arrives over plain http with nothing to check it against; verify it against a checksum obtained separately before unpacking it into a directory Apache loads code from.

**********
Setup PAM:
**********

groupadd wheel
uncomment "# auth sufficient pam_wheel.so trust" in /etc/pam.d/su

With the trust option, members of wheel get a root shell from su without typing the root password, so every wheel account is effectively root and a compromised developer login is a compromised server. Leave trust out if you only want to limit su to wheel members.

************
Setup users:
************

groupadd mcs
usermod -g mcs -a -G wheel,www-data {initial user}

groupadd {secondary user}
useradd -m -g mcs -G users,wheel,www-data,{secondary user} {secondary user}
passwd {secondary user}

**************
Setup webdirs:
**************

chgrp mcs /var/www /etc/apache2/sites-available /etc/apache2/sites-enabled
chmod g+rw /var/www /etc/apache2/sites-available /etc/apache2/sites-enabled

Everyone in mcs can now write vhost configuration and enable it, which means any mcs member can point Apache at any file it can read; fine for a trusted dev team, not for a shared host.

Now each user can create their own webdirs:

mkdir /var/www/{directory}
chgrp www-data /var/www/{directory}

cat > /etc/apache2/sites-available/{directory} << EOF
<VirtualHost *>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/{directory}
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    # Directory listings are convenient on a dev box; drop Indexes in production
    <Directory /var/www/{directory}>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log.{directory}

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log.{directory} combined
    ServerSignature On

</VirtualHost>
EOF

ln -s /etc/apache2/sites-available/{directory} /etc/apache2/sites-enabled/020-{directory}

As root, run: /etc/init.d/apache2 reload

Posted in Knowledge Base, Old Base

postgres psql ssl

set the environment variable (exported, so psql sees it):
export PGSSLMODE=require

require only forces the connection to be encrypted; it does not check who the server is, so a man in the middle with any certificate still gets the password. PostgreSQL 8.2 offers nothing stronger, but from 8.4 on use verify-full with the server's CA in ~/.postgresql/root.crt.

Posted in Knowledge Base, Old Base

Fix php + postgres + curl segfault on debian

If the curl extension is loaded before the postgres extensions in PHP, the process segfaults at shutdown because the shared libraries are unloaded in the wrong order. PHP loads the files in /etc/php5/conf.d in alphabetical order, so the fix is to make the postgres .ini files sort before curl.ini:

cd /etc/php5/conf.d
mv pdo_pgsql.ini 0pdo_pgsql.ini
mv pgsql.ini 0pgsql.ini

Afterwards php -m should still list curl, pgsql and pdo_pgsql. (Debian later adopted numeric prefixes on these files for exactly this reason.)

🙂

Posted in Knowledge Base, Old Base

Postgres backup and restore

(the backup command is still missing here)

pg_restore -i -h localhost -p 5432 -U postgres -d keepit_freds -v "keepit_freds.backup"

pg_restore only reads archives written by pg_dump in custom (-Fc) or tar format; a plain SQL dump goes through psql instead.

Posted in Knowledge Base, Old Base

CVS commit steps

CVS Commit steps
-----------------------------------------------------------------------------
zephid@dev# cvs upd
Check for "C" (Conflicts)
if any "C"s, poke bt :p
else
zephid@dev# cvs ci -m "What you have done ..."

Posted in Knowledge Base, Old Base, Programming

Fix html danish characters

grep å * | wc -l
grep æ * | wc -l
grep ø * | wc -l

sed -i -e 's/å/\&aring;/g' *.html
sed -i -e 's/æ/\&aelig;/g' *.html
sed -i -e 's/ø/\&oslash;/g' *.html

(The grep lines count lines containing the character, not occurrences; grep -o ... | wc -l counts occurrences. These patterns match the UTF-8 bytes of å, æ and ø; if the files are Latin-1 the patterns must be Latin-1 bytes too, and the lasting fix is to declare the charset the files actually use in the Content-Type header or a meta tag.)

grep å * | wc -l
grep æ * | wc -l
grep ø * | wc -l

(I really hated the graphics guy that day)

Posted in Knowledge Base, Old Base, Programming