Linux – routing examples

Set ip_forward to 1 (the sysctl net.ipv4.ip_forward) to enable routing between NICs; it is off by default and resets on reboot unless you persist it.
Type 'route' to ensure both networks are routed as expected (a connected route is added automatically when a NIC comes up with an address).

Set up a script with the following (chmod 0755 the script so it executes):

iptables -F (flushes the rules in the filter table; note it does not touch the nat table, so flush that separately if you have used NAT before)
iptables -P INPUT DROP (sets the default policy to DROP all INPUT packets, i.e. packets addressed to the box itself. Do this from the console, not over SSH, unless you add an allow rule for your session first)
iptables -P OUTPUT DROP (sets the default policy to DROP all OUTPUT packets, i.e. packets generated by the box itself)
iptables -P FORWARD DROP (sets the default policy to DROP all FORWARDed packets, i.e. packets routed between the local NICs)

Allow rules:
iptables -A FORWARD -s 172.23.23.1 -d 172.23.23.2 -p tcp --dport 80 -j ACCEPT (appends a forward rule letting 172.23.23.1 reach port 80 on 172.23.23.2)

Note this rule only matches packets going from .1 to .2. With the FORWARD policy at DROP the replies from .2 back to .1 are dropped as well, so either add the mirror rule for the reply direction or, better, one rule that accepts ESTABLISHED,RELATED traffic as in the NAT example below and leave the per-service rules to match new connections only.

Add more as required.

Want to use NAT outbound?

wlan0 => external network – route to Internet
eth0 => internal network

#setup masquerading
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

With all three policies set to ACCEPT the ESTABLISHED,RELATED rule changes nothing; it only starts to matter once FORWARD is back at DROP and you add an explicit rule for new connections going in from eth0 and out of wlan0, which is the combination you actually want on a box facing the Internet. MASQUERADE is intended for interfaces with a changing address (it looks the address up per packet); with a fixed external address SNAT does the same job more cheaply.
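The two rule sets above folded into one stateful script, as an added example (not part of the original post). Interface names (eth0 internal, wlan0 external) and the 172.23.23.x hosts are the ones the post uses and are assumptions; override them from the environment. New connections are accepted only in the direction you want and conntrack handles the replies, the nat table is flushed along with the filter table, and a management path to the box is kept open so the INPUT DROP policy does not lock you out. With IPT and SYSCTL set to echo (the dry-run mode) it prints the rules instead of applying them:

```shell
#!/bin/sh
# Added example, not part of the original post: the filtering rules and the
# NAT rules from the post as one stateful script. Interface names and
# addresses are the post's (assumptions); override them from the environment.
# IPT="echo iptables" SYSCTL="echo sysctl" prints the rules instead of
# applying them (you must be root to apply them for real).
set -eu

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
INT_IF="${INT_IF:-eth0}"        # internal network
EXT_IF="${EXT_IF:-wlan0}"       # external network; outbound NAT leaves here
WEB_SRC="${WEB_SRC:-172.23.23.1}"
WEB_DST="${WEB_DST:-172.23.23.2}"

fw_apply() {
    # the ip_forward step from the top of the post
    $SYSCTL -w net.ipv4.ip_forward=1

    # "iptables -F" only flushes the filter table; an old MASQUERADE rule
    # would survive in the nat table unless that is flushed too.
    $IPT -F
    $IPT -t nat -F

    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Keep the box itself reachable: loopback, replies to its own
    # connections, and SSH from the internal side only. Without these the
    # INPUT DROP policy cuts off the session you are configuring from.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Replies for every forwarded connection. Without this the post's single
    # "-s .1 -d .2 --dport 80" rule passes the SYN and drops the SYN/ACK.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The post's allow rule, now only needed for the first packet.
    $IPT -A FORWARD -s "$WEB_SRC" -d "$WEB_DST" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Outbound NAT: internal hosts may open new connections out of EXT_IF;
    # nothing new is accepted in the other direction.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Print the rule set instead of applying it (for review before going live).
fw_dry_run() {
    ( IPT="echo iptables"; SYSCTL="echo sysctl"; fw_apply )
}

case "${1:-}" in
    apply) fw_apply ;;
    *)     fw_dry_run ;;   # default is to show, not apply
esac
```

Run it with no arguments to see the rules it would load, check them with tcpdump as described below, then run it with "apply". The SSH rule is the one to adjust if you manage the box from somewhere other than the internal network.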

A very handy tool, and the best way I've found to test firewall rules, is to fire up tcpdump. Check the man page for details, but here is an example of monitoring a specific destination port and host on a specific NIC (add -n if you don't want addresses resolved to names while you watch):

tcpdump -i eth1 dst port 22 and dst host 192.168.4.34

If you can see the traffic leaving the outbound interface it has made it past the firewall; if not, have a look at your firewall rules or check your routing table (type route to see the current routing table). Watch the outbound side specifically: tcpdump captures packets arriving on an interface before netfilter processes them, so seeing a packet arrive on the inbound NIC tells you nothing about whether your rules let it through.

Done

Windows – Port forwarding

Just wanted to note here that there is a tool for Windows to 'port forward'. It's a netsh context MS ships for proxying TCP connections between IPv4 and IPv6 endpoints (v4tov6, v6tov4 and so on), but its v4tov4 mode works as a plain TCP port redirector. It lives with the IPv6 support, so as long as you have IPv6 installed on your box you can do this. It is TCP only; UDP is not redirected.

Syntax as follows:

netsh interface portproxy add v4tov4 listenport=443 connectaddress=targetmachine connectport=3389

So the machine above listens on 443 and redirects traffic to 3389 on targetmachine. Without a listenaddress it listens on every address the box has, so if the local firewall is on you also need to let port 443 in.

Be warned though, netsh is insanely powerful, and if you make a mistake, good luck cleaning up the mess. Feeling confident now?
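As an added example (not from the original post), the same portproxy command wrapped in a few PowerShell functions that also add the matching Windows Firewall rule, list what is configured, and remove the redirect again so the cleanup is one call rather than guesswork. The function names are my own, and targetmachine is the placeholder the post uses. netsh advfirewall exists on Vista/Server 2008 and later (on XP use the firewall control panel instead); run everything from an elevated prompt, and note that portproxy relies on the IP Helper service (iphlpsvc) being running:

```powershell
# Added example, not from the original post. Function names are my own;
# "targetmachine" is the placeholder used in the post. Run elevated.

function Add-PortRedirect {
    param(
        [Parameter(Mandatory)] [int]    $ListenPort,
        [Parameter(Mandatory)] [string] $ConnectAddress,
        [Parameter(Mandatory)] [int]    $ConnectPort,
        [string] $ListenAddress = '0.0.0.0'    # all local addresses
    )
    # The redirect itself: same command as in the post, with the listen
    # address made explicit so the delete below matches exactly.
    netsh interface portproxy add v4tov4 `
        "listenaddress=$ListenAddress" "listenport=$ListenPort" `
        "connectaddress=$ConnectAddress" "connectport=$ConnectPort"

    # portproxy listens in user mode (IP Helper service); the host firewall
    # still has to let the inbound connection reach that port.
    netsh advfirewall firewall add rule "name=portproxy-$ListenPort" `
        dir=in action=allow protocol=TCP "localport=$ListenPort"
}

function Get-PortRedirect {
    # Everything portproxy currently has configured for v4 -> v4.
    netsh interface portproxy show v4tov4
}

function Remove-PortRedirect {
    param(
        [Parameter(Mandatory)] [int] $ListenPort,
        [string] $ListenAddress = '0.0.0.0'
    )
    # Remove the redirect and the firewall rule that was added with it.
    netsh interface portproxy delete v4tov4 `
        "listenaddress=$ListenAddress" "listenport=$ListenPort"
    netsh advfirewall firewall delete rule "name=portproxy-$ListenPort"
}

# The post's example: listen on 443, hand the connection to RDP on targetmachine.
Add-PortRedirect -ListenPort 443 -ConnectAddress 'targetmachine' -ConnectPort 3389
Get-PortRedirect

# Cleanup when you are done (the part the post warns about):
#   Remove-PortRedirect -ListenPort 443
# and if the table is a mess, "netsh interface portproxy reset" clears every entry.
```

Get-PortRedirect is worth running after any change; portproxy entries are persistent across reboots, and a forgotten redirect is an open door into whatever it points at.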

OpenSolaris cifs/smb server – configuring ACL’s on shares – Part 2

I have done most of the explaining in another post on how the permissions work with a ZFS CIFS share (link here).

In this post I'm going to show an example of how to add multiple groups / users to a specific folder, which then recursively applies its ACL to any child objects. It's essentially like the other commands I used, but with an extra pair of lines (one for directories, one for files) per user or group you want to configure:

chmod -R A=\
owner@:full_set:d:allow,\
owner@:full_set:f:allow,\
user:lisa:full_set:d:allow,\
user:lisa:full_set:f:allow,\
everyone@:rxaARWcs:d:allow,\
everyone@:raARWcs:f:allow \
/protected/

The above command gives the owner and the user "lisa" full permissions; the everyone@ entries give everyone else read access (plus x on directories so they can be traversed). If you want to add a group then just use group: instead of user: at the start. One caveat: A and W in those everyone@ entries are write_attributes and write_xattr, so "everyone" can still change timestamps/attributes and extended attributes on the files. Drop them (rxaRc on directories, raRc on files) if you want strictly read-only.

This gives full access to myself (daz) and lisa, but denies access to everyone else. Order matters: the entries are evaluated top to bottom, so the everyone@ deny entries go last, after the allows for the users you want in. Since A= replaces the whole ACL nothing else would grant access anyway, but the explicit deny makes the intent obvious when the ACL is listed.

chmod -R A=\
owner@:full_set:d:allow,\
owner@:full_set:f:allow,\
user:daz:full_set:d:allow,\
user:daz:full_set:f:allow,\
user:lisa:full_set:d:allow,\
user:lisa:full_set:f:allow,\
everyone@:full_set:d:deny,\
everyone@:full_set:f:deny \
/protected/photos/

Done.

OpenSolaris cifs/smb server – configuring ACL’s on shares

O.k., from this point I'm assuming you have created your ZFS shares via the zfs command and renamed them appropriately like so (if you haven't set up CIFS yet, read this first):

zfs set sharesmb=on protected/backup

zfs set sharesmb=name=backup protected/backup

Now to check your current shares type…

sharemgr show

zfs

zfs/protected/backup
backup=/protected/backup

zfs/protected/photos
photos=/protected/photos

Now it's time to look at NFSv4 ACLs. This page has a great explanation of ACLs and how to set things up: http://cuddletech.com/blog/pivot/entry.php?id=939

The ZFS manual here has the compact access and inheritance codes for chmod: http://opensolaris.org/os/community/zfs/docs/zfsadmin.pdf

Here are the current compact codes for access control (synchronize, s, is included because it appears in the commands below; append_data shares the p code with add_subdirectory):

r  read_data / list_directory
w  write_data / add_file
x  execute (on a directory: traverse)
p  append_data / add_subdirectory
d  delete
D  delete_child
a  read_attributes
A  write_attributes
R  read_xattr
W  write_xattr
c  read_acl
C  write_acl
o  write_owner
s  synchronize

Here are the current compact codes for inheritance control:

f  file_inherit
d  dir_inherit
i  inherit_only
n  no_propagate

So, the below command (referencing the above compact codes) gives me (the owner) the write, delete, ACL and ownership rights to files and directories, and gives everyone else read-only access. As everyone@ matches the owner too, the owner ends up with the union of the two entries. I have enabled inheritance so newly created files should also keep their parent's ACL without Windows creating its own. Note: I used chown on the root of my share first, i.e. chown -R daz /protected

then…

chmod -R A=\
owner@:wACpdDo:d:allow,\
owner@:wACpdDo:f:allow,\
everyone@:rxaARWcs:d:allow,\
everyone@:raARWcs:f:allow \
/protected/

Remember to test that this has provided what you want. Connect to your share as guest and test the permissions, then connect as the owner and test again. The fun thing about this particular ACL system is that you are not restricted to just one owner and one group. You can add additional lines as required using user: and group: entries. I've done a multi-user ACL post here.

There is a lot of flexibility; I'd say even more than the samba server options by a long shot. It's probably a little bit more fiddly getting your commands right, but once up and running you have a lot more control.

There are also "ACL sets" which combine the above attributes into groups, i.e. you can have just the word "full_set" (full permissions) or "read_set" between the first set of colons in the above command. read_set is read_data, read_attributes, read_xattr and read_acl (r, a, R, c) and does not include execute (x); on a directory x is the traverse right, which is most likely why I couldn't see any child files after using read_set on its own. Add x for directories, or spell the codes out as above. Using ACL sets the above command could be changed to...

chmod -R A=\
owner@:full_set:d:allow,\
owner@:full_set:f:allow,\
everyone@:rxaARWcs:d:allow,\
everyone@:raARWcs:f:allow \
/protected/

This should still give the owner full permissions, now explicitly (in the previous command the owner@ entries only carried the write-side bits, so the owner picked up its read access from the everyone@ entries rather than having it in its own right).

These are the possible choices for ACL sets: full_set , read_set , modify_set , write_set
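As an added example (not code from the original posts), a small POSIX shell helper that builds the ACE list for chmod A= from a list of principals, so the d:/f: pair is generated for each owner@, user: or group: entry rather than typed twice by hand. It covers the single-owner commands above and the multi-user and deny commands in the Part 2 post. Paths and names (/protected, daz, lisa) are the ones the posts use and are assumptions; the function names are my own. Permissions can be a compact code string, an ACL set, or DIRPERMS/FILEPERMS when directories need x and files don't. Setting CHMOD to echo prints the command instead of running it, which is how it can be checked on a non-Solaris box:

```shell
#!/bin/sh
# Added example, not from the original posts: generate the ACE list for
# "chmod A=" from a list of principals, so each owner@/user:/group: entry
# gets its dir-inherit (d) and file-inherit (f) ACE without typing both.
# Paths and user names are the posts' (/protected, daz, lisa) and are
# assumptions; CHMOD="echo chmod" prints the command instead of running it.
set -eu
CHMOD="${CHMOD:-chmod}"

# build_acl_spec WHO:PERMS[:deny] ...
#   WHO    owner@, group@, everyone@, user:NAME or group:NAME
#   PERMS  compact codes (rxaRc), an ACL set (full_set), or DIRPERMS/FILEPERMS
#          when directories need x (traverse) and files do not
#   :deny  makes the pair deny ACEs instead of allow ACEs
build_acl_spec() {
    spec=""
    for entry in "$@"; do
        case "$entry" in
            *:deny) type=deny;  who_perms="${entry%:deny}" ;;
            *)      type=allow; who_perms="$entry" ;;
        esac
        who="${who_perms%:*}"        # everything before the last colon
        perms="${who_perms##*:}"     # everything after it
        case "$perms" in
            */*) dperms="${perms%/*}"; fperms="${perms#*/}" ;;
            *)   dperms="$perms";      fperms="$perms" ;;
        esac
        ace="${who}:${dperms}:d:${type},${who}:${fperms}:f:${type}"
        spec="${spec:+$spec,}$ace"
    done
    printf '%s\n' "$spec"
}

# zfs_set_acl PATH WHO:PERMS[:deny] ...
# Replaces the ACL on PATH and everything below it, as the posts do with -R.
zfs_set_acl() {
    path="$1"; shift
    $CHMOD -R A="$(build_acl_spec "$@")" "$path"
}

# Part 1 shape: owner full, everyone else read-only. r,a,R,c are read_set;
# x lets clients traverse directories; A and W are left out so guests cannot
# change attributes or extended attributes.
#   zfs_set_acl /protected "owner@:full_set" "everyone@:rxaRc/raRc"
# Part 2 shape: owner plus daz and lisa, everyone else explicitly denied, last.
#   zfs_set_acl /protected/photos "owner@:full_set" "user:daz:full_set" \
#       "user:lisa:full_set" "everyone@:full_set:deny"
```

Because the ACEs come out in the order the arguments are given, put any everyone@ deny entry last, after the allows for the users you want in, just as in the Part 2 command.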

see here for more examples : https://sigtar.com/2009/02/15/opensolaris-cifssmb-server-configuring-acl’s-on-shares-part-2/

—– workgroup authentication —–

Assuming you are NOT using a domain:
Did you enable the password database settings?
user@solaris:~# cat >> /etc/pam.conf

# Seem to need this line for smb / cifs:
other password required pam_smb_passwd.so.1 nowarn

(Control-D to end)

user@solaris:~# passwd
passwd: Changing password for user
New Password:
Re-enter new Password:
passwd: password successfully changed for user

OpenSolaris – Migrating from samba to cifs

OpenSolaris 2008.11 has a CIFS/SMB server built into the kernel. From what I have been reading (and discovering) this is a much more efficient and faster way to get your files out onto the network.

Previously I have run a dedicated samba service to share my files, as I've come from various Linux distros which require it. Seems I should be doing things differently on OpenSolaris.

The dedicated samba service is called;

svc:/network/samba:default

The new kernel embedded solaris smb/cifs service is called;

svc:/network/smb/server:default

If you do not have it running or installed you'll need to add the following packages (use the package manager):

SUNWsmbs

SUNWsmbskr

Update : both these packages are called SUNWsmbfs in newer builds

Enable the service via the "Services" GUI, or else use the svcadm command:

svcadm enable svc:/network/smb/server:default

This is a great page on how to do a basic cifs setup http://blogs.sun.com/timthomas/entry/solaris_cifs_in_workgroup_mode

I just need to find a bit more detail on how to configure access to the shares (update: see below). In another post I made previously using samba it was easy enough to restrict guests to read-only while giving some users rw access. I'm also interested in whether it's possible to back up or manually configure the CIFS server via any config file? Still looking into this one.

First step is to disable the samba service and enable the Solaris SMB/CIFS service:

svcadm disable network/samba

svcadm enable -r smb/server (the -r switch also enables all the services that smb/server depends on)

The next step is to add the following line to your /etc/pam.conf file. This is so future changes to passwords also update the SMB password store (the CIFS server cannot use the Unix password hashes, so any password set before this line is in place will not work for SMB):

other   password required       pam_smb_passwd.so.1     nowarn
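An added example (not from the original post): the "cat >>" approach used for this step (here and in the workgroup authentication section above) appends another copy of the line every time it is run, and duplicate PAM entries are easy to miss later. This POSIX shell function adds the line only when it is missing, keeps a backup of the file first, and takes the file path as a parameter so it can be tried against a scratch copy before touching the real /etc/pam.conf. The backup suffix and function names are my own:

```shell
#!/bin/sh
# Added example, not from the original post: idempotent version of the
# "add the pam_smb_passwd line to /etc/pam.conf" step. Names and the
# backup suffix (.pre-smb) are my own.
set -eu

PAM_SMB_LINE='other   password required       pam_smb_passwd.so.1     nowarn'
# Match on the module and control flag, not the exact spacing, so a line
# someone already typed with different whitespace is still recognised.
PAM_SMB_RE='^other[[:space:]]+password[[:space:]]+required[[:space:]]+pam_smb_passwd\.so\.1'

# ensure_pam_smb_line [PAM_CONF]   -> prints "added" or "present"
ensure_pam_smb_line() {
    pam_conf="${1:-/etc/pam.conf}"
    if grep -Eq "$PAM_SMB_RE" "$pam_conf"; then
        echo present
        return 0
    fi
    # Keep a copy before changing an authentication config file.
    cp -p "$pam_conf" "$pam_conf.pre-smb"
    printf '\n# Needed so passwd also updates the SMB password store\n%s\n' \
        "$PAM_SMB_LINE" >> "$pam_conf"
    echo added
}

# count_pam_smb_lines [PAM_CONF]   -> number of matching lines (0 if none)
count_pam_smb_lines() {
    grep -Ec "$PAM_SMB_RE" "${1:-/etc/pam.conf}" || true
}
```

After running it against the real file, reset the passwords of the users who need SMB access (as the post says below); passwords changed before the line was present are not in the SMB store.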

Now set the name of the workgroup:

smbadm join -w workgroup

Now set up your users (you have to reset your current passwords to update the password store above). I usually create and use a "Guest" account to keep some Windows boxes happy. I set the guest account password to blank. Bear in mind that a blank-password guest account lets anyone who can reach the server onto the shares as that user, so the share ACLs have to do all the work of keeping guests read-only (or out).

useradd guest

passwd guest (then press enter twice to set a blank password)

Next it's time to set up the actual shares. If you have a ZFS pool set up (you most likely do if you are running OpenSolaris) then you can share your data via the zfs command like so (I have a "backups" ZFS file system within an "unprotected" zpool):

zfs set sharesmb=on unprotected/backups

Unfortunately this creates a share called “unprotected_backups” which can be seen via the sharemgr show -vp command. To rename the share to something more appropriate do the following…

zfs set sharesmb=name=backups unprotected/backups

All going well the share should now be called “backups”, if you have both the old and new name listed restart the smb server : svcadm restart smb/server

From your Windows machine you should be able to browse to your share via \\servername\backups; if you get a prompt then type "guest" and press enter. Here is an example of a quick and easy way to mount drives from an XP command line:

net use * \\serverip\backups /user:guest

Update: i have figured out the ACLs for cifs — See this Post