Configure IPTABLES to Allow Access to Common Services This article gives the steps to open firewall ports on CentOS in Iptables IPv4

Basics

  • Iptables rules can be changed on the fly by using the iptables binary.
  • The rules that are set using iptables command are in memory only and will vanish when the daemon is restarted.
  • The firewall rules added on the fly can be saved to the configuration file easily in CentOS/RHEL with the command service iptables save
    • This is no need to edit the configuration file unless you really want to.
  • The following examples are aimed at hardening the inbound traffic, but allowing all outbound traffic.
    • You can completely lock down all inbound, outbound and forwarded traffic if needed. It generally just causes a lot more administration and usually isn’t necessary.

Basic Commands

iptables –flush delete all firewall rules from memory.
iptables –list List current firewall policies
service iptables save (CentOS/RHEL) save current rules in memory to configuration file (/etc/sysconfig/iptables)
service iptables restart restart iptables daemon and load firewall rules from configuration file.
iptables-save > /root/firwallrules.fw save firewall rules in memory to a specific configuration file.
iptables-restore > /root/firwallrules.fw restore firewall rules from a specific configuration file to memory.

Basic iptables Command Parameters

  • -A append to policy chain
  • INPUT | OUTPUT | FORWARD policy chain identifiers
  • -p protocol
  • -m match
  • -s source
  • –dport destination port
  • –state connection state
  • -j jump target ACCEPT | DROP

Backup Current Iptables Configuration to File

Before you begin, it is recommended to backup your current firewall rules.

iptables-save > /path/to/somewhere/filename

Example:

iptables-save > /home/user1/iptable-rules-20130308.fw

Remove All Current Rules

iptables --flush

Set Policy Chains Default Rule

iptables -P INPUT DROP
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD ACCEPT

Allow Loopback

iptables -A INPUT -i lo -j ACCEPT

Allow All Established and Related Connections

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow ICMP “ping” from LAN (TCP Port 22)

iptables -A INPUT -p icmp -m icmp -s 192.168.0.0/24 --icmp-type echo-request -j ACCEPT

Allow SSH from LAN (TCP Port 22)

iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow RSYNC from LAN (TCP Port 873)

iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow HTTP (TCP Port 80)

iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow HTTPS (TCP Port 443)

iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow MySQL Server Access from LAN (TCP Port 3306)

iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow Nagios NRPE Client Access from Nagios Server (TCP Port 5666)

iptables -A INPUT -s 192.168.0.100 -p tcp -m tcp --dport 5666 -m state --state NEW,ESTABLISHED -j ACCEPT

Save Current Rules in Memory to Configuration File

service iptables save

Restart Service

service iptables restart

iptables: insert a rule at a specific line number

# list the rules with line numbers

iptables -nL --line-numbers

# insert a rule at line 5

iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT

Related Articles: Configure iptablesiptables: insert a rule at a specific line number

How to disable IPv6 on Linux CentOS or RHEL 7 This Article describes procedure to disable IPv6 on CentOS or Red Hat 7.x

There are 2 ways to do this:

  1. Disable IPv6 in kernel module (requires reboot)
  2. Disable IPv6 using sysctl settings (no reboot required)

To verify if IPv6 is enabled or not, execute :

# ifconfig -a | grep inet6

inet6 fe80::211:aff:fe6a:9de4 prefixlen 64 scopeid 0x20
inet6 ::1 prefixlen 128 scopeid 0x10[host]

Disable IPv6 in kernel module (requires reboot)

1) Edit /etc/default/grub and add ipv6.disable=1 in line

GRUB_CMDLINE_LINUX, e.g.:

# vi /etc/default/grub

GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT=”console”
GRUB_CMDLINE_LINUX=”ipv6.disable=1 crashkernel=auto rhgb quiet”
GRUB_DISABLE_RECOVERY=”true”

2) Regenerate a GRUB configuration file and overwrite existing one:

# grub2-mkconfig -o /boot/grub2/grub.cfg

3) Restart system and verify no line “inet6” in “ip addr show” command output.

# shutdown -r now
 

# ip addr show | grep net6

Disable IPv6 using sysctl settings (no reboot required)

1) Append below lines in /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

NOTE : To disable IPv6 on a single interface add below lines to /etc/sysctl.conf :
net.ipv6.conf.[interface].disable_ipv6 = 1 ### put interface name here [interface]
net.ipv6.conf.default.disable_ipv6 = 1

2) To make the settings affective, execute :

# sysctl -p

NOTE : make sure the file /etc/ssh/sshd_config contains the line AddressFamily inet to avoid breaking SSH Xforwarding if you are using the sysctl method

3) Add the AddressFamily line to sshd_config :

# vi /etc/ssh/sshd_config
 ....
 AddressFamily inet
 ....
 Restart sshd for changes to get get effect :

# systemctl restart sshd

Related Articles: CentOS / RHEL 7 : How to disable IPv6

Initial Network Setup with UBUNTU Server Main steps to configure newtwork services on Linux Ubuntu Server

How do I change the hostname without a restart?

sudo hostname your-new-name

Assigning a static IP to Ubuntu Server

vi /etc/network/interfaces

Example:

auto eth0
 iface eth0 inet static

address 192.168.1.128
 netmask 255.255.255.0
 network 192.168.1.0
 broadcast 192.168.1.255
 gateway 192.168.1.1

How to disable IPv6 in Ubuntu?

vi /etc/sysctl.conf

insert the following lines at the end:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Linux Proxy Server Settings – Set Proxy For Command Line

env | grep -i proxy

check the file :

cat /etc/apt/apt.conf
cat /etc/environment

To Modify contents of file (remove everything from apt.conf for no proxy and only proxy sentences from environment)!

sudo nano /etc/apt/apt.conf
sudo nano /etc/environment
Acquire::http::Proxy "http://proxy.site.com:8080";

Manually edit DNS in Ubuntu

sudo nano /etc/resolvconf/resolv.conf.d/base

Add your DNS to the file :

nameserver 8.8.8.8
nameserver 8.8.4.4

Update resolv configuration:

sudo resolvconf -u

Setting up NTP on Ubuntu

sudo apt-get install ntp ntpdate

sudo nano /etc/ntp.conf

server myserverdnsname1 or IP
server myserverdnsname2 or IP
server myserverdnsname3 or IP

sudo service ntp start

sudo ntpd -gq

watch ntpq -cpe -cas

Grab you Ubuntu server HERE

How to Find MAC Addresse of NIC in Windows Team This article describes how to get the MAC addresses of all member Network Interface Cards (NICs)

There are lot of instances where the network communications fail when we are teaming up the incorrect network interfaces. Especially when the team members are the partitions of a virtual partition capable Converged Network Adapter (CNA), we need to make sure that we are teaming up correct partitions from different physical ports for redundancy and proper VLAN traffic. In such situations, the primary troubleshooting step related to network team’s connectivity issue is to validate the network team members.

The easiest way to ensure this is to compare the unique attributes of the partitioned interfaces with the data in the network card BIOS or out-of-band management tools (like iDRAC, ILO etc) or other baseboard management controllers. Media Access Control (MAC) addresses of the partitioned interfaces seen by the Operating System are the easiest and reliable unique identifiers in this scenario as the names for the interfaces will be different for different network cards.

The default available option to get the member NIC’s MAC address is to use the PowerShell command Get-NetAdapter <member NIC name>. For that we have to manually find the native teams in the server, their member NICs and then the MAC addresses of the member NICs.

The following short PowerShell script will automate this process and will list down the MAC addresses of the member NICs of all the native windows teams available in the server. The advantage with the below script is that it can be used on any Windows 2012 or Windows 2012 R2 servers without any modifications/inputs.

Script:

foreach ($i in ((Get-NetLbfoTeam).name))
{
Write-Host “`nTeam Name – “$i`n”Team Members: ”
Get-NetAdapter (Get-NetLbfoTeamMember -Team $i).Name | Format-Table
}

The best way is to open notepad, copy and paste this script, then save the file as ‘Save As’ > Select ‘All files’ > then name the file ‘nic.ps1’ > destination > where you want

Open Powershell, and run the file .ps1 from it:

MAC_Addresses_NIC_Team_2012
MAC_Addresses_NIC_Team_2012

Related Article: Technet Microsoft

How to Find a Lost, Missing, Hidden or Removed Network Card In a scenario where you have physically removed hardware from a machine you can no longer see it in device manager.

In a scenario where you have physically removed hardware from a machine you can no longer see it in device manager.  This does not mean that it is gone.  Evidence of that is, if for example you had a network card that had a Static IP address set and you remove the card and add a new one then try to set the IP address to the same as the old NIC you will get an error message. The error might look something like “The IP address 192.168.30.100 you have entered for this network adapter is already assigned to another adapter (Microsoft Virtual machine Bus Network Adapter #3) which is no longer present in the computer.  If the same address is assigned to both adapters and they both become active, only one of them will use this address.  This may result in incorrect system configuration”.  In Windows Server 2008 R2 and Windows 7 it actually gives you an opportunity to “remove the static IP configuration for the absent adapter”. If you say Yes, this will eliminate the IP conflict problem but does not solve the problem of the adapter still being present in the machine.  In older versions of the OS, it was even worse because every time you go into network properties it gives you an error message.  Another way this comes up is if you move a virtual machine from one host to another.  Like in the case of moving from Virtual Server 2005 R2 to Hyper-V or perhaps you are moving from one Hyper-V machine to another but you did not do an export, you just moved the VHD’s and created a new machine.

The IP address XXX.XXX.XXX.XXX you have entered for this network adapter is already assigned to another
The IP address XXX.XXX.XXX.XXX you have entered for this network adapter is already assigned to another

Getting rid of these old devices is actually very simple. Well, it is simple if you know how

Before you proceed, I recommend that you confirm that you have a good backup. I have never had a problem with this but hey, it is your server not mine.

Description

  • You need to run a command prompt so you can set an environment variable prior to opening the Device Manager This will bring up a command windowClick Start – Type the following command and then press ENTER

    cmd
  • Step 2: We have the command window open.  We now need to set the variable (that is the “set” line and then with the variable set, we need to run Device Manager.
    The file name for the Device Manager snap-in is devmgmt.msc.  The first line will not appear to do anything but it is setting the environment for next step.  The second command will actually open the Device Manager but it will be in a “special” mode which allows you to show devices that no longer exists.Type the following commands pressing ENTER after each line

    set devmgr_show_nonpresent_devices=1

    devmgmt.msc

  • Step 3: Now all we have to do is show hidden devices and you will be able to access the devices that are not present in the machine.  This will also turn a checkbox on in front of the Show Hidden Devices menu option.In this Special Device Manager Window; on the menu, click View then Show Hidden Devices
  • Step 4: Now you can just go find the adapter or device that is missing and delete it!  Expand the network adapter (or whatever category of device) and look for the device that needs to be removed.  The error message that you got should tell you the “name” of the device so you just have to go find that named device.  You may also notice while you are there that the icon for the “non-present” or missing device is slightly subdued so that will make it easier to find it if you have many devices in a category.See screen shot belowExpand the network adapter (or whatever category of device) and look for the device that needs to be removed.
    Right-Click the Device and select Uninstall
devmgr_show_nonpresent_devices
devmgr_show_nonpresent_devices

Related Article: VMware KB  | Microsoft Blog Technet