The LEGENDARY grep command

the man page starts as follows...
 
SYNOPSIS
       grep [OPTIONS] PATTERN [FILE...]
       grep [OPTIONS] [-e PATTERN | -f FILE] [FILE...]

DESCRIPTION
       grep  searches  the named input FILEs (or standard input if no files are named, or if a single hyphen-minus (-) is given as file name) for lines containing a match to the given PATTERN.  By default, grep prints the matching lines.

       In addition, two variant programs egrep and fgrep are available.  egrep is the same as  grep -E.   fgrep  is  the  same  as grep -F.   Direct  invocation as either egrep or fgrep is deprecated, but is provided to allow historical applications that rely on them to run unmodified.
..
..
..
..till the end of the page

The following are some practical uses of grep from my own experience  and some sourced from the net.

1. Search file contents

Search for the word PAGE (case sensitive) in the file application.xml;
$grep "PAGE" /opt/tomcat7/webapps.labs/primetest/WEB-INF/configs/application.xml

For case insensitive match use the -i switch as follows;

$grep -i "PAGE" /opt/tomcat7/webapps.labs/primetest/WEB-INF/configs/application.xml

2. Search inside a directory

Search for the word drvierClassName inside the directory META-INF

$ grep -R "driverClassName" META-INF/

You will see result on a separate line preceded by the name of the file in which it was found.

3. Find whole words only

When you search for class, grep will match class, className etc.

$ grep -w "class" WEB-INF/context.xml

4. Multiple word search

Use the egrep command as follows:
$ egrep -w 'word1|word2' /path/to/file

5. Count occurences

The grep can report the number of times that the pattern has been matched for each file using -c (count) switch:

$ grep -R -c "driverClassName" META-INF/

6. Show line numbers

Pass the -n switch to precede each line of output with the number of the line in the text file from which it was obtained:

$ grep -R -n "driverClassName" META-INF/

7. Names of matching files only

Use the -l (list) switch as follows;

$ grep -R -l "driverClassName" META-INF/


8. Grep invert match

You can use -v option to print inverts the match; that is, it matches only those lines that do not contain the given word. For example print all line that do not contain the word bar:

$ grep -v bar /path/to/file

NB: for coloured output (if not on by default) you can add --color=auto to your grep command

Other options:

• -A x or -B x (where x is a number) --- display “x” lines After or Before the section where the particular word is found.

Periodicaly restart dead process in Linux

The following is (one way of ) how to automaticaly check for and restart a dead process running in a linux host

Part A

/bin/netstat -ln | /bin/grep ":80 " | /usr/bin/wc -l | /bin/awk '{if ($1 == 0) system("/sbin/service httpd restart") }'

This checks if there is any service running on port 80, if not it runs the command to start the service (apache httpd in this example)

Part B
Create a cron job to periodicaly do the above

#monitors the service every 10 minutes
*/10 * * * * /usr/sesame/bash/service_monitor.sh> /dev/null 2>&1

NB: please note the trailing space after the port number


Tested in Redhat|Fedora|CentOS

Touchpad stops working on GNome3 - Solution

Assalam Aleikum all,

Last week i experienced the same problem on my Fedora 15 Dell Inspiron.
After searching the net i came across a solution which worked for me.

1. As root or using sudo create file "/etc/X11/xorg.conf.d/00-enable-taps.conf"
2. Enter the following in the file:

Code:

Section "InputClass"
    Identifier "tap-by-default"
    MatchIsTouchpad "on"
    Option "TapButton1" "1"
EndSection


Worked for me after restarting X (Ctrl+Alt+Backspace). no need to reboot the machine

Credits: http://www.fedoraforum.org/forum/showthread.php?t=263884

Linux Cron Jobs

Cron Jobs aka Scheduled Tasks

1. To see crontabs for root
#crontab -u root -l


2. To edit
#crontab -u root -e
Edit the time (min hh) to 00 10 - so that this task runs every day at 10 a.m.


a. Run at 9pm everyday
00 21 * * * wget -q "http://192.168.1.254:9090/bizypalace/push?to=0202058726&msg=NOTICE (9 PM) Server OK: $(date)"

b. At midnight 00 00 hours everyday
00 00 * * * wget -q "http://192.168.1.254:9090/bizypalace/push?to=0202058726&msg=CRON AT MIDNIGHT"

c. every 2 hours from 4am till 6pm
00 04,06,08,10,12,14,16,18 * * *

Note: in my examples am running wget but u can use any bash command

3. To check Log
tailf /var/log/cron

Windows Embarassing itself

I have used Windows but never became a fun of that OS.
If the GUI can embarass itself that much what about the things u dont see ?
And dont forget u will never get any where close to its Source Code...

ATM asking for Windows Activation

Micro$oft Windows not trusting Internet Explorer

Error Messages that tell it all

The logical conclusion

Windows Sucks

1.
This is Linux land. In silent nights you can hear the Windows machines rebooting.

2.
The box said "Windows 98 or better" - so I installed Linux

3.
Macs are for those who don't want to know why their computer works.
Linux is for those who want to know why their computer works.
DOS is for those who want to know why their computer doesn't work.
Windows is for those who don't want to know why their computer doesn't work.

4.
# Mouse not present - click twice to continue...
# Who the fuck is General Failure ? And why is he reading my harddisk ?

10.
# McAfee-Question: Is Windows a virus ?
No, Windows is not a virus. Here's what viruses do:

1. They replicate quickly - okay, Windows does that.
2. Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that.
3. Viruses will, from time to time, trash your hard disk - okay, Windows does that too.
4. Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.
5. Viruses will occasionally make the user suspect their system is too slow (see 2.) and the user will buy new hardware. Yup, that's with Windows, too.

Until now it seems Windows is a virus but there are fundamental differences:
Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient and they tend to become more sophisticated as they mature.
So Windows is not a virus. It's a bug.

Batch Convert Multimedia Files Using FFMPEG

I will show u how to batch convert multimedia files using a bash script.

The following script will get all .mp4 files from the current directory, convert them to .wav and save them in a folder called wav(still in the current directory). Of course u can modify this file to suit your specific conversion needs.

Save the following script as mp4_to_wav.sh and make it executable (chmod +x mp4_to_wav.sh):

#===================================
#the directory wav must be present in the current directory
for f in *.mp4;
do
ffmpeg -i "$f" "wav/${f%.mp4}.wav";
done
#====================================

Now i can accept ur coffee

FFMPEG - Multimedia Tool

FFmpeg is a free software/open source project that produces libraries and programs for handling multimedia data. It ships with Fedora Linux so I naturally took a dive and have never turned back.....

I normaly use it to convert multimedia files from one format to another. Being a command line tool u expect faster execution.

For example
Convert from MP4 to AVI

#ffmpeg -i inputfile.mp4 outfile.avi

To See Supported File Formats
#ffmpeg -formats

You will get output similar to this
FFmpeg version 0.5, Copyright (c) 2000-2009 Fabrice Bellard, et al.
configuration:
libavutil 49.15. 0 / 49.15. 0
libavcodec 52.20. 0 / 52.20. 0
libavformat 52.31. 0 / 52.31. 0
libavdevice 52. 1. 0 / 52. 1. 0
built on Nov 20 2009 15:52:49, gcc: 4.3.2 20081105 (Red Hat 4.3.2-7)
File formats:
E 3g2 3GP2 format
E 3gp 3GP format
DEA wmav1 Windows Media Audio 1
DEA wmav2 Windows Media Audio 2
DEVSD wmv1 Windows Media Video 7
DEVSD wmv2 Windows Media Video 8
D V wmv3 Windows Media Video 9
DES dvbsub DVB subtitles
DES dvdsub DVD subtitles
DEV D dvvideo DV (Digital Video)
D V dxa Feeble Files/ScummVM DXA
D V D eacmv Electronic Arts CMV video
D V D eatgq Electronic Arts TGQ video
D V eatgv Electronic Arts TGV video
D V D eatqi Electronic Arts TQI Video
D V D escape124 Escape 124
.........To mention but a few

Fedora 10 - Startup Scripts

1. Startup Script
I have a fedora core box which needs to run different scripts on startup to provide services to other machines.

I found what appears to be the best solution for me, using ntsysv and init.d. Here's how it's done;

1.) make a new file in the /etc/init.d/ directory
2.) add your script to this file with the following lines at the top;
#!/bin/bash
# chkconfig: 345 85 15
# description: of your file

3.) enter this in the shell;
chkconfig --add startup_filename

4.) type ntsysv (instead of using setup>service>etc) - your startup script should now be in the list, checked and ready for action!

5. Confirm by
# service sesamedms-test start


NB: make sure the file is executable


Sample File

#!/bin/bash
# chkconfig: 345 85 15
# description: starts tomcat server

case "$1" in
start) /opt/tomcat/bin/startup.sh ;;
stop) /opt/tomcat/bin/shutdown.sh ;;
restart) /bin/sh $0 stop
/bin/sh $0 start ;;
*) echo "Usage: $0 {start|stop}"
exit 1 ;;
esac

Typical Linux Bootup

From Power Up to Bash Prompt

[..in a nutshell..
loading vmlinuz
loading initrd.gz
booting kernel
]


1. POST

2. LILO
- This reads the configuration file /etc/lilo.conf. The main thing in lilo.conf is one entry for each thing that lilo is set up to boot. For a Linux entry, this includes where the kernel is, and what disk partition to mount as the root filesystem.

3. Kernel -
Config:
--------
Most of the configuration of the kernel is done when you build it, using make menuconfig, or make xconfig in /usr/src/linux/ (or wherever your Linux kernel source is). You can reset the default video mode, root filesystem, swap device and RAM disk size using rdev. These parameters and more can also be passed to the kernel from lilo. You can give lilo parameters to pass to the kernel either in lilo.conf, or at the lilo prompt. For example if you wanted to use hda3 as your root file system instead of hda2, you might type
LILO: linux root=/dev/hda3

4. init
The next thing that happens as your computer starts up is that init is loaded and run. However, init, like almost all programs, uses functions from libraries.
In fact, you can put any program you like in /sbin/init, and the kernel will run it when it has finished loading.

It is init's job to get everthing running the way it should be. It checks that the file systems are ok and mounts them. It starts up 'daemons' to log system messages, do networking, serve web pages, listen to your mouse and so on. It also starts the getty processes that put the login prompts on your virtual terminals.

Init reads the file /etc/inittab, which tells it what to do. Typically, the first thing it is told to do is to run an initialisation script. The program that executes (or interprets) this script is bash, the same program that gives you a command prompt. In Debian systems, the initialisation script is /etc/init.d/rcS, on Red Hat, /etc/rc.d/rc.sysinit. This is where the filesystems get checked and mounted, the clock set, swap space enabled, hostname gets set etc.

Next, another script is called to take us into the default run-level. This just means a set of subsystems to start up. There is a set of directories /etc/rc.d/rc0.d, /etc/rc.d/rc1.d, ..., /etc/rc.d/rc6.d in Red Hat, or /etc/rc0.d, /etc/rc1.d, ..., /etc/rc6.d in Debian, which correspond to the run-levels. If we are going into runlevel 3 on a Debian system, then the script runs all the scripts in /etc/rc3.d that start with `S' (for start). These scripts are really just links to scripts in another directory usually called init.d.

So our run-level script was called by init, and it is looking in a directory for scripts starting with `S'. It might find S10syslog first. The numbers tell the run-level script which order to run them in. So in this case S10syslog gets run first, since there were no scripts starting with S00 ... S09. But S10syslog is really a link to /etc/init.d/syslog which is a script to start and stop the system logger. Because the link starts with an `S', the run-level script knows to execute the syslog script with a ``start'' parameter. There are corresponding links starting with `K' (for kill), which specify what to shut down and in what order when leaving the run-level.

To change what subsystems start up by default, you must set up these links in the rcN.d directory, where N is the default runlevel set in your inittab.

/etc/inittab is the top level configuration file for init.

The rcN.d directories, where N = 0, 1, ..., 6 determine what subsystems are started.

Somewhere in one of the scripts invoked by init, the mount -a command will be issued. This means mount all the file systems that are supposed to be mounted. The file /etc/fstab defines what is supposed to be mounted. If you want to change what gets mounted where when your system starts up, this is the file you will need to edit. There is a man page for fstab.

5. File system
In Linux, you 'mount' a disk filesystem onto the system's filesystem.

In the previous section I mentioned that init scripts check and mount the filesystems. The commands that do this are fsck and mount respectively.

6. Kernel Daemons
The information for ps aux (or top) command comes from the /proc filesystem that I mentioned in the previous section. Note that init is process number one. Processes 2, 3, 4 and 5 are kflushd, kupdate, kpiod and kswapd.
The kernel daemons are started after init, so they get process numbers like normal processes do. But their code and data lives in the kernel's part of the memory.

There are brackets around the entries in the command column because the /proc filesystem does not contain command line information for these processes.

7. System Logger
Init starts the syslogd and klogd daemons. They write messages to logs. The kernel's messages are handled by klogd, while syslogd handles log messages from other processes. The main log is /var/log/messages. This is a good place to look if something is going wrong with your system.

The file /etc/syslog.conf tells the loggers what messages to put where. Messages are identified by which service they come from, and what priority level they are. This configuration file consists of lines that say messages from service x with priority y go to z, where z is a file, tty, printer, remote host or whatever.

NOTE: Syslog requires the /etc/services file to be present. The services file allocates ports

8. Getty and Login
Getty is the program that enables you to log in through a serial device such as a virtual terminal, a text terminal, or a modem. It displays the login prompt. Once you enter your username, getty hands this over to login which asks for a password, checks it out and gives you a shell.

There are many getty's available. Some distributions, including Red Hat use a very small one called mingetty that only works with virtual terminals.

The login program is part of the util-linux package, which also contains a getty called agetty, which works fine. This package also contains mkswap, fdisk, passwd, kill, setterm, mount, swapon, rdev, renice, more (the program) and more (ie more programs).

9. Bash
If you give login a valid username and password combination, it will check in /etc/passwd to see which shell to give you. In most cases on a Linux system this will be bash. It is bash's job to read your commands and see that they are acted on. It is simultaneously a user interface, and a programming language interpreter.

The file /etc/profile controls the system-wide behaviour of bash. What you put in here will affect everybody who uses bash on your system. It will do things like add directories to the PATH, set your MAIL directory variable.

Once bash has read the system-wide configuration file, it looks for your personal configuration file. It checks in your home directory for .bash_profile, .bash_login and .profile. It runs the first one of these it finds. If you want to change the way bash behaves for you, without changing the way it works for others, do it here.

IPTables Intro

Six pre-defined "chain" rules are available:
* INPUT
* OUTPUT
* FORWARD
* PREROUTING
* POSTROUTING
* User defined chains (give it a new name)


General /sbin/iptables format to add rules:
---------------------------------------------------
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy

Options:
----------
1. --table [-t]
filter - the default table
nat - NAT table
mangle - used for QoS and preferential treatment
raw - enables optimization

2. Command (use only one - mutualy exclusive)
--append [-A] - append rule to chain
--delete [-D] - delete rule from chain
--insert [-I] - insert at the begining or at specified position in chain
--replace [-R] - replace rule
--flush [-F] - flush all rules
--zero [-Z] - Zero byte counters in all chains ????
--list [-L] - list all rules. use option --line-numbers for rule number
--new-chain [-N] - create new
--delete-chain [-X] - delete user defined chain
--policy [-P] - set default policy for chain
--rename-chain [-E] - rename

3. Command Option(s)
--source [-s] - source address of packet
--destination [-d] - destination address
--in-interface [-i] - interface packet is arriving from
--out-interface [-o] - interface packet is going to
--jump [-j] - target to send packet to
--fragment [-f] - fragment matching
--set-counters [-c] - set packet/byte counter
--protocol [-p] - protocol:
*udp
*icmp
*mac
*tcp
--sport port [:port]
--dport port [:port]
--syn
--match tcp[-m tcp]
*--source-port port[:port](port # or range #:#)
*--destination-port port[:port]
*--tcp-flags
--match state [-m state]
--state
*ESTABLISHED
*RELATED
*NEW
*INVALID
(push content, not expected to recieve this packet)

4. Defined Policies

ACCEPT - accept
DROP - deny packet with no reply
REJECT - deny packet and notify sender
RETURN - handled by default targets
MARK - used for error response.
MASQUERADE - used with NAT table and DHCP
ULOG - Log to file and specify userspace logging messages
SNAT -valid in PREROUTING chain. used by nat
REDIRECT - used with nat table. output
DNAT - valid in POSTROUTING chain. output
QUEUE - pass packet to userspace
LOG - Log to file and specify message:
*--log-level #
*--log-prefix "prefix"
*--log-tcp-sequence
*--log-tcp-options
*--log-ip-options

IPChains Intro

=====
1. Multiple Machines, A single connection
2. NAT 101
3. IPCHAINS 101
4. IP_MASQ 101
5. Setting up the router
6. Caveats

The program
========
General format:
ipchains []

Commands:
-F flushes a chain so that it starts fresh
-P sets up the default handling
-A adds conditions or rules to a chain

With ipchains, three chains are predefined: input, output, and forward. The following two commands are normally used to set up a chain:

ipchains -F input //flush input chain
ipchains -P input REJECT //default mode

This causes any rules for the input chain to be discarded and sets up the default condition so incoming packets are rejected.

The output chain controls what packets can be sent. A packet may be accepted by the input chain but rejected by the output chain. Likewise, the forward chain controls what packets will be routed.

In general, the input chain controls incoming packet filtering. The packet is either destined for the router or for another computer. In the latter case, the packet is processed by the forward chain. Packets that make it through this chain will then be processed by the output chain.

Examples:
1. ipchains -A input -i eth0 -s 10.1.0.0/16 -d 0.0.0.0/0 -j ACCEPT

2. ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT

No 2 above will reject packets with a source address like 10.2.x.x to any destination. This is actually redundant for the current set of rules since anything that does not match the first example rule for 10.1.x.x will be rejected.

NB:
Note that rules are order dependent in a first-come-first-used basis

Other argument values for the -j option when used with the forward chain. These include DENY and MASQ. DENY is similar to REJECT in that it terminates checking of the chain. MASQ indicates that a packet should be masqueraded using the built-in NAT support. In this case, the accepted packet will be modified so its IP address and port address are changed as described with NAT earlier. The reverse translation for response packets is done automatically. Selective use of MASQ allows a Linux router to forward some packets NAT-fashion and others with no translation. This is handy for small companies that have been assigned more than one IP address and use them for PCs on the local network.
For simple router support when an ISP provides a single IP address, MASQ is typically used. User-defined chains are usually unnecessary.

======
Commands
======
1. chkconfig --del ipchains
Remove ipchains from system boot/initialization process
2. chkconfig --add iptables
Add iptables to system boot/initialization process
3 ipchains -F
Flush ipchains rules
4. service ipchains stop
Stop ipchains. Also: /etc/init.d/ipchains stop
5. rmmod ipchains
Unload ipchains kernel module. Iptables kernel module can not be loaded if the ipchains module is loaded
6. service iptables start
Load iptables kernel module. Also: /etc/init.d/iptables stop

Basic Commands

1. Find:
find / -perm -4000 -print
find / -atime +10 -print
2. Changing file permissions:
4=read, 2=write, 1=execute
permissions are always in the order; user, group, other

$ chmod 755 file
means 7 (rwx-user) , 5 (rx-group), 5 (rx-others)
3. add default gateway
route add default gw 10.0.0.1
4. adding many routes + gateways
route add -net 10.1.0.0 gw 10.0.0.10
route add -net 10.2.0.0 gw 10.0.0.20
5. Accessing remote file systems
mount [-tnfs] 1.2.3.4:/usr/files /mnt/files
6. Allowing users to mount drives
With a special command in the etc/fstab file.....
Typical eg for fd0(A:) drive in etc/fstab:
/dev/fdo /mnt auto noauto,user 1 1
noauto: tells mount not to mount drive A on boot
user: allows any user to mount the drive into /mnt
auto: tells mount to try to find out the FS on the drive
7. Allowing users to run root programs
You can set a cmd to be suid root with chmod command
chmod _s mybin : sets mybin suid root
8. Change locales (keyboad)
loadkeys cf (others fr,us,etc)
9. Default file permissions ?
A. Linux
The default is 755
To change the default from 755 to 700, use this cmd:
umask 077 (base 8)

10. Default boot mode (3 in total)
They are defined in /etc/inittab
>Runlevel 1 is a single user mode (with no networking?)
>Runlevel 3 is the default. loads net servers + login txt
>Runlevel 5 displays the graphical login prompt
Modify the initdefault line in /etc/inittab to:
id:3:initdefault:
11. Change password:
passwd

12. File Permissions in Unix
Change group access on the file shrc in ur home dir
chmod g=rw- ~/.shrc
Make group and others have read permission only
chmod go=r-- ~/.shrc
Direclty:
chmod u=rwx,go=r-x foo
13. List directory contents
ls -l /lib/l* :long
ls -r /lib/l* :recursively down the dir tree
ls -l -r

14.
netstat -an ! more

15. See user and process owning a port
fuser -v -n tcp 6000

16.To make a symbolic link:
$ ln -s
Eg: $ ln -s /usr/doc/g77/DOC g77manual.txt

17. Make a file executable
chmod +x
Now u can refer to g77manual.txt instead of /usr/doc/g77/DOC

18. Setting Enviroment Variables
PATH : export PATH=$JAVA_HOME/bin:$PATH
JAVA_HOME: export JAVA_HOME=/usr/local/blackdown/jdk1.2.2



========
DOs Vs Linux
========
DOS Linux Notes
--------------------------------------------------

ATTRIB (+-)attr file chmod file
BACKUP tar -Mcvf device dir/
CD dirname\ cd dirname/
COPY file1 file2 cp file1 file2
DEL file rm file
DELTREE dirname rm -R dirname/
DIR ls
DIR file /S find . -name file
EDIT file vi file
jstar file
EDLIN file ed file
FORMAT fdformat,
mount, umount
HELP command man command,
info command
MD dirname mkdir dirname/
MORE < file less file
MOVE file1 file2 mv file1 file2
NUL /dev/null
PRINT file lpr file
PRN /dev/lp0,
/dev/lp1
RD dirname rmdir dirname/
REN file1 file2 mv file1 file2
RESTORE tar -Mxpvf device
TYPE file less file
WIN startx

Advanced Firewall - ipchains

Scenario One:
=========
Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo

Gateway script for ipchains firewall and NAT:

#!/bin/sh

# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input

# Set default to deny all
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# Add Rules

# Accept packets from itself (localhost) (s)ource to itself (d)estination
# Keeps system logging, X-Windows or any socket based service working.
ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo

# Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses
ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l

# Accept requests/responses from/to your own firewall machine
ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0 ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0 # Allow outgoing packets source (s) to destination (d) ipchains -A input -j ACCEPT -p all -s 192.168.10.0/24 -i eth1 ipchains -A output -j ACCEPT -p all -s 192.168.10.0/24 -i eth1 # Deny and log (option -l) outside packets from internet which claim to be from your loopback interface ipchains -A input -j REJECT -p all -s localhost -i eth0 -l ipchains -A forward -s 192.168.10.0/24 -j MASQ ipchains -A forward -i eth1 -j MASQ # Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward



Notes:

For this example it was assumed that your private network is from 192.168.10.0 to 192.168.10.255
The -d 0.0.0.0/0 refers to all or any destination address of packet. (destination in this case is irrelevant and the -d statement may be omitted))
localhost refers to your loopback interface on 127.0.0.1

Blocking Ports

1. Block specific host
iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

2. Block specific ports

# Allow loopback access. Rule for your computer to be able to access itself via the loopback. This rule must come before the rules denying port access!!

iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
# Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
# Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
# Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP
# Block Sun rpc/NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP
# Deny packets which claim to be from your loopback interface
iptables -A INPUT -p all -s localhost -i eth0 -j DROP


Debugging and Logging
-----------------------------
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

NB:
Add these (logging) to the end of your rules inorder to monitor dropped connections in /var/log/messages. It generates outrageous volume of messages. Use for debugging or short term monitoring of the network.

A simple Firewall

======
Firewall 1
======
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

NB:
Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.)
Allow network input/output from self (lo).

======
Firewall 2
======
Another approach to firewalls is to drop everything and then grant access to each port you may need.

iptables -F : Flush
iptables -A INPUT -i lo -p all -j ACCEPT : Allow loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT : Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset

# Open ftp port (tcp +/- udp)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
# Open secure shell port
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
# Open HTTP port
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT : Accept local Samba connection
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP : Drop all other connection attempts.Only connections defined above are allowed.

IPTables Vs IPChains

IPTABLES is (or should) replacing IPCHAINS

1. IPCHAINS
-with ipchains you will need to write a rule for the input, forward
and output chains, as each and every packet goes through each of
these chain. This usually leads to a very complex script even for a
simple packet filter.


2. IPTABLES
- with iptables you will need to write rules as follows:

INPUT rules only for packets with the destination IP on the local box
FORWARD rules only for packets passing through the local box
OUTPUT rules only for packets generated on the local box

Linux iz gud !!

Linux for Life..

As a challenge i request all my fans to get going in Linux (whatever the flavor). This way we can keep microsoft on the cold and the anti piracy guys less stressed.

"What happens to my favorite Windows programs..?", you might ask. Of course we know 'old habits die hard. There are several versions of CD bootable Linux (eg Puppy, DSL, Knoppix, among many others!) which you can use to boot into Linux (doesnt need your Hard disk to keep rolling !). You can always use Windows if you decide to boot without the Linux Bootable CD...

Linux comes with various office tools; spreadsheet, word processors, calculators, etc

Isn't this cool ?

..If you like the experience, just pass me a comment...