Winkle-Daddy
Mar 10, 2007

reading posted:

Does anyone know how I can get Tor working from the command line? The only command line args for it are for windows, apparently, even according to the linux man page (????). I want to set up a bridge from the command line, not the browser bundle's GUI. I'm using Xubuntu.

https://www.torproject.org/docs/debian#ubuntu

This should help. Tor should have init.d scripts, so you would just need to sudo /etc/init.d/tor start once installed.

edit: read the disclaimer, don't install from default repos.

Winkle-Daddy fucked around with this message at 16:47 on Jan 24, 2014


Winkle-Daddy
Mar 10, 2007
Ugh, hopefully this is the right thread, but I've got an iptables issue that I'm having one hell of a time getting to work right. The scenario is this: I have a bunch of computers on a LAN, and I want these computers to only be able to talk on the LAN except when I ping a specific port (e.g. port knocking). These are the rules I've got:
code:
iptables -N WAN

iptables -P OUTPUT DROP
iptables -A OUTPUT -m recent --name WANON --rcheck -j WAN
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT

iptables -P INPUT DROP
iptables -A INPUT -m recent --name WANON --rcheck -j WAN
iptables -A INPUT -p udp --dport 1111 -m recent --name WANON --set -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

iptables -A WAN -j ACCEPT
This works fine:
code:
# ping -c 2 192.168.1.104
PING 192.168.1.104 (192.168.1.104) 56(84) bytes of data.
64 bytes from 192.168.1.104: icmp_seq=1 ttl=64 time=0.297 ms
64 bytes from 192.168.1.104: icmp_seq=2 ttl=64 time=0.352 ms

--- 192.168.1.104 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.297/0.324/0.352/0.032 ms
I can still ping hosts on the LAN, but I can't ping google:
code:
# ping -c 2 google.com
PING google.com (74.125.227.162) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- google.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 5987ms
So far so good. To verify things are working how I want:
code:
# iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 WAN        all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: CHECK name: WANON side: source 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1111 recent: SET name: WANON side: source 
   87  6624 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 2 packets, 168 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 WAN        all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: CHECK name: WANON side: source 
   46  6536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    1    56 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.0/16          

Chain WAN (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
You can see that the OUTPUT chain dropped my two packets to Google, as expected. Now I want to enable the WAN chain (from another host):
code:
$ sudo hping3 192.168.1.102 --udp -c 1 -p 1111
HPING 192.168.1.102 (eth0 192.168.1.102): udp mode set, 28 headers + 0 data bytes

--- 192.168.1.102 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Again, as expected, confirmed by iptables:
code:
...cutting out everything but the last chain...
Chain WAN (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   58  6136 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Everything is now flowing over the WAN chain. However...
code:
# ping google.com -c 1
PING google.com (173.194.46.9) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
^C
--- google.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 1470ms
Is anyone able to give me a pointer for what I should do here to be able to accomplish my goal of a port knock that enables the internet?

e: I know other tools exist that can assist in doing this, but for complicated reasons I need to accomplish this with things available on the host, which is why iptables + recent was an obvious, albeit obnoxious, choice.

Winkle-Daddy fucked around with this message at 23:38 on Jun 18, 2014

Winkle-Daddy
Mar 10, 2007

effika posted:

Alrighty. Give Cinnamon a try?

I prefer openbox, but to each his own.

Winkle-Daddy
Mar 10, 2007

telcoM posted:

In your configuration, iptables will not stop your ping command from trying to send the pings; it will just silently eat the outgoing ping messages. The "ping: sendmsg: Operation not permitted" makes me think something else is stopping the ping command from running properly. Perhaps you have SELinux enabled?

If you have SELinux enabled, you should monitor the audit logs (normally at /var/log/audit) when running your ping command. If you can see AVC deny messages regarding "sendmsg" appearing while you're trying to ping, then that's the cause.

Thanks guys, they are VMs, but when I flush iptables I can ping Google just fine. I'm not sure if that negates your theory or not, but I'll do some more reading today.

Winkle-Daddy
Mar 10, 2007

Elias_Maluco posted:

For some reason, all of a sudden, my Mint 15 (with KDE) date/time setting went nuts.

I start it and the clock is 3 hours ahead. I correct it and then next time I restart, it is 3 hours ahead again.

What can be happening here?

Is ntpd crashing? I had this happen on Fedora 20 for a work computer a while ago; I never did figure it out, so I just added a cron to restart it every hour.

Winkle-Daddy
Mar 10, 2007

evol262 posted:

You're checking whether the source address (which is almost certainly not 173.194.46.9) is in your list of recents. It isn't. And it's not related or established or in the subnet, and you haven't allowed icmp echo-request or echo-reply, so you're getting blocked when you try to open an icmp socket.

If you want to port knock on output to unspecified, previously unseen hosts (your rules would work fine if you wanted to say "this host from a subnet that's not on 192.168.0.0/24 hit me on UDP 1111, so allow outbound connections to that host", which you can verify by adding a host on another subnet, like 192.168.1.0/24, adding routes, and hpinging 1111), you need knockd. I know this isn't built in and you have to install a package, but it's the appropriate solution.

Or if you can't, you can trivially use the LOG target and --log-prefix='whatever' and watch syslog (or dump iptable logs to their own log) with a long-running (systemd/upstart ideally) script which inserts iptables rules to allow outbound. You could probably do this in 30 lines or less of any language you want.

Ahhh, that makes sense given the capacity that recent is typically used in. And here I thought I could be clever :(

The man page lays it out pretty well, I'm not sure why on my first read I didn't make the connection. I guess I'll be writing my own script for this. Oh well, it's been a while since I've needed to actually accomplish anything like that.

Winkle-Daddy fucked around with this message at 16:43 on Jun 19, 2014
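An added example (not code from anyone in the thread) of the LOG-watching script evol262 describes above, which also covers the knock setup in the earlier iptables post: it parses kernel log lines written by an assumed `-j LOG --log-prefix "KNOCK: "` rule on UDP 1111, inserts a jump to the poster's WAN chain when a knock arrives, and removes that jump again after a time limit so one knock does not leave the host on the internet indefinitely. The log prefix, the rule argv lists and the `run` callable (where `subprocess` would go on a real host) are assumptions.

```python
import re

# Assumed names (not from the thread): a LOG rule on INPUT such as
#   iptables -I INPUT -p udp --dport 1111 -j LOG --log-prefix "KNOCK: "
# plus an OUTPUT jump to the poster's WAN chain (which ACCEPTs everything).
KNOCK_PREFIX = "KNOCK: "
KNOCK_PORT = "1111"
OPEN_RULE = ["iptables", "-I", "OUTPUT", "1", "-j", "WAN"]
CLOSE_RULE = ["iptables", "-D", "OUTPUT", "-j", "WAN"]

_FIELD = re.compile(r"([A-Z]+)=(\S*)")  # KEY=value pairs in an iptables LOG line

def parse_knock(line):
    """Return the knocking host's SRC address, or None if this kernel log line
    is not a UDP/1111 packet logged with our prefix."""
    if KNOCK_PREFIX not in line:
        return None
    fields = dict(_FIELD.findall(line.split(KNOCK_PREFIX, 1)[1]))
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != KNOCK_PORT:
        return None
    return fields.get("SRC")

class KnockWatcher:
    """Open the WAN chain once per knock window and close it when the window
    ends; repeated knocks refresh the timer instead of stacking rules."""
    def __init__(self, run, ttl=600):
        self.run = run            # callable that executes an iptables argv
        self.ttl = ttl            # seconds the WAN stays open after a knock
        self.open_until = None    # timestamp at which the jump is removed
        self.knockers = []        # (time, src) of every knock, for auditing

    def feed(self, line, now):
        src = parse_knock(line)
        if src is None:
            return False
        if self.open_until is None:
            self.run(OPEN_RULE)   # insert the jump only once per window
        self.open_until = now + self.ttl
        self.knockers.append((now, src))
        return True

    def expire(self, now):
        """Call periodically; removes the jump once the window has elapsed."""
        if self.open_until is not None and now >= self.open_until:
            self.run(CLOSE_RULE)
            self.open_until = None
            return True
        return False

# Constructed sample log lines (not captured from the poster's host).
KNOCK_LINE = ("Jun 19 10:12:01 box kernel: KNOCK: IN=eth0 OUT= SRC=192.168.1.104 "
              "DST=192.168.1.102 LEN=28 TTL=64 PROTO=UDP SPT=2048 DPT=1111 LEN=8")
NOISE_LINE = ("Jun 19 10:12:02 box kernel: KNOCK: IN=eth0 OUT= SRC=192.168.1.104 "
              "DST=192.168.1.102 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0")
```

In a long-running service you would feed each new syslog line to `feed()` with the current time and call `expire()` on a timer.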

Winkle-Daddy
Mar 10, 2007

Elias_Maluco posted:

"Set date and time automatically" is currently off and if I try to turn it on I get this error: "Unable to authenticate/execute the action: 6,"

Try running:
code:
service ntpd status
If it's not running, try (as root):
code:
service ntpd start
If your clock is automagically fixed, then try adding a cron to restart ntpd every so often.

Winkle-Daddy
Mar 10, 2007

Elias_Maluco posted:

I got "ntpd: unrecognized service".

I think on Ubuntu/Debian (which Mint is based on) it might just be ntp, not ntpd. My bad. You can also see if there's an init script for it (ls -al /etc/init.d/ | grep ntp). If there is one, just do sudo /etc/init.d/<script> restart

quote:

I get an "ntpdate[9755]: bind() fails: Permission denied", no matter what server I use.

You have to do this as root, ntp runs on a privileged port.

Winkle-Daddy
Mar 10, 2007

Elias_Maluco posted:

Now it worked, it gave me "timestamp too far in the future: Jun 19 15:59:28 2014" (it's 13:00 right now)

Is ntp running?
code:
ps aux | grep ntp | grep -v grep
If it is, you could try restarting it by sending a SIGHUP to the process ID
code:
ps aux | grep ntp | grep -v grep | awk '{print $2}' | sudo xargs kill -1
If this doesn't help, I won't be of any further help without getting hands on and doing things like rebooting :( Maybe some smarter goon can do better.

Winkle-Daddy
Mar 10, 2007
I was referred to this thread by the 'POS for some RedHat help! Crossposting:

Winkle-Daddy posted:

We have a build automation process where we use Boxcutter + Packer + VMWare vSphere + VMWare VirtualBox to create Windows and Linux box files. The Windows box files are built to automatically be pointed at our internal MS KMS server. We also maintain boxes for each patch level of each OS as well as a rolling "latest" that is built weekly and re-imported into our cloud. This works great for all of our supported platforms (CentOS, Fedora, Ubuntu, Debian, Suse, Win* since XP) except for one: Red Hat. The way that we use the containers with Vagrant is that we just invoke Chef to cook up our node with recipes hosted on our internal Supermarket, some acceptance tests are run and the environment is destroyed to be run again the next day with a new build of our software.

How in the actual gently caress do we license these RH servers in such a way we can use package management with them and then destroy them when we're done? We can't reliably "un-register" them because we have some jobs that do automated cleanup in the vagrant cloud if something happens and a Jenkins job failed to properly vagrant destroy something. AFAIK, the old satellite server methodology still required you to manually remove registration of the machine, same with executing rhn_register.

What should I be looking at to help solve this problem??

e: Some suggestions from the 'POS:
  • Since we're using chef, just add a centOS repo and install packages from there -- Doable but if we're bothering to make the templates in the first place, might as well make them for reals.
  • Make a RH mirror to mirror an official repo, just make sure your licenses cover it (I assume this is still an option?).
  • Write a script that deletes the license registration after they're offline (check by hostname?)
All of these are likely doable, I'm thinking #2 on this list if it's still available as it seems the easiest for long term support.

Winkle-Daddy fucked around with this message at 17:30 on Sep 27, 2016

Winkle-Daddy
Mar 10, 2007
That's some good info, thanks!

Sounds slightly more threatening, imo:

a little further down the page... posted:

Some resources may require more of these benefits, some less, so Red Hat measures the full value of your subscriptions by counting the number of instances or installations of Red Hat software you use. While you have subscriptions for a Red Hat product, you must maintain a subscription for every instance or installation of Red Hat software being used in your environment.

Winkle-Daddy
Mar 10, 2007
That is some good poo poo, evol262, thank you!

We are planning on building from RHEL 5.2 through to the current release, I assume reposync would be best in this case as well?

e:

quote:

If you actually want to update those systems while they're running, they'd need to be registered (or pointed at your repos), but it doesn't sound like it.

What do you mean by this? The templates will execute chef runs, so they are going to try to install various package resources. If we go with the reposync option it sounds like we would want to create a chef recipe that points a machine to our newly synced internal repo before installing other packages?


Winkle-Daddy
Mar 10, 2007
Awesome! Thanks!

This has been on someone else's "to do" list for like 6 months and I got sick of them humming and hawing over it, so like I really appreciate this a lot!
