Why does IPTables not log when it is started/stopped?
I have to say that it is very strange that iptables doesn’t log when it is started, stopped, restarted or even when a rule is added. Given how big a part iptables plays in the security scene, you’d think that by default it would send a notice to syslog, probably at daemon.notice level, when it is stopped and started. After all, this is one fairly important tool. Not the only one (hopefully), but usually a pretty important one, and in many cases it really is the only thing between a server and the bad guys (yes, I know that it shouldn’t be the only thing..).
I mention this because I just came back from lunch to find my SSH connection wouldn’t respond to input. This has happened occasionally, but as far as I’ve been able to tell (by piecing together information afterwards), it has invariably been because iptables was restarted.
Now me, I just add the new rule to the firewall and if it works and I want to keep it, add it to the config file separately. I don’t believe in restarting iptables because if you f*ck up the new rule and restart the firewall you’re not only screwed then, but also if you reboot the server. For a remote connection that’s bad news. At least if you screw up the rule you know that you did the moment you add it to the firewall, so if it comes to remotely rebooting the box you know it will come back up without a problem. And yes, I did do that once. It was a case of
“I’ll just update the firewall rules before I leave this morni… oh er.. oh, what did I type? Sh*t!”.
But my colleague believes that you should add it to the config file and restart because that way you’re only entering it once. Which is nice, and does indeed have its merits because there’s less chance of a typo, getting the order wrong, etc., but it also means you need to stop and restart iptables. Aside from the risk of locking yourself out of the server, to me that’s a royal pain. You lose any temporary rules, and worst of all you lose the connection tracking. Which means my nice and quiet SSH session which was working before lunch and has my open Vim session in it … is now not working because its state is not new or established or related, and thus not a valid connection state as far as iptables is concerned, and thus the packets are blocked and the connection gets dropped. *grr*
More irritating, though, is that I can’t *know* that that’s what happened because iptables doesn’t log when it stopped or started. Which is pretty crazy really if you think about the fact that every daemon under the sun logs that kind of information. It never occurred to me before, but it’s true, at least on my box.
Incidentally, if you’re looking to fiddle with the firewall remotely, a few good tricks are:
- Add a rule to allow your SSH connection through as the first rule, e.g.
    iptables -I INPUT 1 -p tcp --dport 22 -s <your ip> -j ACCEPT
- Use a sleep; undo system. This works for both the command line and restarting iptables. For example:
  - Add a rule on the command line, knowing the rule number you’ll give it, and then set it to undo a moment later:
    iptables -I INPUT 23 <what you want to happen>; \
    sleep 10; \
    iptables -D INPUT 23
  - Restart iptables, then stop it again if it doesn’t work:
    /etc/init.d/iptables restart; sleep 10; /etc/init.d/iptables stop
The second tip uses a chain of commands which do whatever might go wrong, sleep, and then undo it. The reason this works is that the shell executes a command and then moves on to the next command in the list, so if you submit the commands like this, with semicolons between them (don’t forget the \’s in the first case, or just leave them out and don’t hit return until the end), the shell will execute them one after another: do “fiddle with firewall command”, sleep, then do “undo fiddle command”. In the event that you don’t do anything, the firewall will be restarted and then ten seconds later stopped. This is good because in the event that you f*ck up the firewall rules and can’t type, 10s later you’ll be able to type again because the firewall has been taken down again.
But the best part of this trick is what you do in the event that you *can* type … you wait a second or so, and then type Ctrl-C to interrupt the currently running command. This will be the sleep command, so you’ll interrupt that and with it the rest of the list of commands, so your last command, the “undo” command, is never run. So if you can’t get into the box it unsets its firewall. If you can get in, you kill the sleep command before it finishes and thus the “undo” is never executed.
As a tip, if you’re not sure when to hit Ctrl-C, add a command echo “Sleeping” into the list just before the sleep command. If you don’t see that then the firewall was messed up. If you do see it then your changes worked, and you can kill the rest of the commands with Ctrl-C.
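As an added example (not code from the original post), here is the sleep; undo trick, plus the syslog line the post wishes iptables would write, wrapped into a shell function. The names fw_try, fw_note and the fw-try syslog tag are chosen here; logging goes through logger(1), and the iptables commands in the usage lines are the post’s own.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper around the
# "do it; sleep; undo it" trick described above.  It also writes a line to
# syslog (daemon.notice, via logger(1)) for each step, since iptables itself
# logs nothing when rules change or the service is restarted.  The commands
# in the usage lines are the post's own; the function itself is generic.

# Log to syslog when logger(1) is available, and always echo to stderr.
fw_note() {
    if command -v logger >/dev/null 2>&1; then
        logger -t fw-try -p daemon.notice "$*" 2>/dev/null || true
    fi
    printf 'fw-try: %s\n' "$*" >&2
}

# fw_try 'APPLY' 'UNDO' [SECONDS]
# Runs APPLY, waits SECONDS (default 10), then runs UNDO.  If you can still
# type after APPLY, press Ctrl-C during the wait: that interrupts the sleep
# and the rest of the sequence, so UNDO never runs and the change is kept.
# If APPLY locked you out, nobody presses anything and UNDO restores access.
# Returns 1 if APPLY itself failed (nothing to undo), else UNDO's status.
fw_try() {
    apply=$1
    undo=$2
    secs=${3:-10}
    fw_note "applying: $apply"
    if ! sh -c "$apply"; then
        fw_note "apply failed, nothing to undo: $apply"
        return 1
    fi
    echo "Sleeping ${secs}s - press Ctrl-C now to KEEP the change" >&2
    sleep "$secs"
    fw_note "undoing: $undo"
    sh -c "$undo"
}

# Usage (as root on the firewall host), with the two cases from the post:
#   fw_try 'iptables -I INPUT 23 <what you want to happen>' 'iptables -D INPUT 23'
#   fw_try '/etc/init.d/iptables restart' '/etc/init.d/iptables stop'
```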
Colin.
Virtualbox 2.0 is out
For those who have never used it, Virtualbox is Virtual Machine software from Sun Microsystems, who bought the previous owners, innoTek GmbH. While my experience with VM software is not extensive, I’ve used a few programs on a Windows host and I’m pretty impressed with Virtualbox. VMWare was, by comparison, much much slower, although this may have changed in more recent editions. I also hated how tightly VMWare wove itself into the OS. Uninstalling it has broken several computers of mine and resulted in days of trying to unbreak its grip on my network adapter (trying to remove the virtual adapters from the MAC bridge when VMWare was no longer installed). In comparison to VB, MS Virtual PC appears to be lacking features – or at least an interface, and plainly has no design to support anything but Windows, with boot options of “Windows 95, 98, NT, 2000, XP, Vista and OTHER”. It isn’t surprising, given that they sell Windows, but I can’t help but wonder how effective it can really be for non-Windows, which at the moment is my thing since I’m running Windows as the host OS.
Virtualbox gives a nice range of features and appears pretty fast. 2.0 is no exception, appearing mostly to fix a few gotchas which never bit me. My only complaint about it is that aperiodically I’ve found that the clipboard will break. This is from Windows as a host OS to CentOS and Fedora 8 as guest OSes. You’ll be typing along and suddenly the clipboard won’t work, in Windows or in the guest OS, and you end up needing to restart the Vbox to clear it.
I’ve yet to see any information explaining what is happening, but what I suspect is happening is that an event is being lost on the client end and this ties up the entire clipboard because Windows doesn’t get the acknowledgement that the event was processed. I did once see an error message from the Xserver about it dropping events so this seems to be a reasonable guess.
My solution to this has been to work around it and, instead of using X directly on the console of the Vbox, to connect to it via Nomachine’s NX client. This not only gives me the equivalent of “screen” under X, with the ability to disconnect and reconnect later, but I’ve never had the clipboard cross-over screw up. Which is really handy.
So if you haven’t already tried it but you’d like to, or you’d like to try VM’s and don’t know where to start, or you’re looking to try Linux, but are too addicted to your Windows apps to be logged out of your computer, Virtualbox will be great for you.
As for choice in Linuxes, well, I’ve gone with Fedora 8 and CentOS 5.2. Personally I’ve been concerned about the direction of Fedora, especially with its “pump a new version out every few months” attitude (as opposed to putting out something decent). I did try Fedora 9 from the live CD and it sucked, especially when compared to F8. F8 has, so far, been a pinnacle in Fedora for me. By comparison CentOS 5.2 appears to have a very strong stable base, and is every bit as usable for a desktop OS as a server OS. As a quick comparison, when running under Virtualbox in order to be able to have a graphical resolution which matches my Windows box (which is only 1280px by 1024px, so nothing to write home about) Fedora 8 requires you allocate 32Mb of memory for graphics, but CentOS 5.2 requires only 16Mb. I think it says something about F8.
Colin.
Nomachine NX Client Times out “Negotiating Link Parameters”
I use NX Client from Nomachine to connect to one of my boxes, or more accurately, to a copy of CentOS 5.2 I’m running in VirtualBox on my Windows box. It’s kinda weird, but cool in some respects, as half of my computer is now running CentOS; pretty much literally, since half the RAM can be used by it, and since I connect via NX client it sits in a window which lives on a second monitor.
This is a cool setup. It’s a way to wean myself from Windows, to run a test environment with yet another web browser (ok, so it’s Firefox, but still), while at the same time playing with VMs (and X11 as I used to do). It also gives me a great excuse to use NX which is, it must be said, far better than the other free X server for Windows, Xming. I think it’s the compression or something, or maybe that it’s a dedicated protocol server and client, and Xming is implementing X11 directly. Whatever, Xming is often slow and sometimes iffy (to the point where I never felt comfortable purchasing the latest version). It is particularly bad at handling network issues, I’ve found, where it will infrequently just hang the connection, causing you to lose all of your window placements.
Not so with NX, which appears to be the equivalent of screen for X. Disconnect? Okay, I’ll just sit here and suspend your session and wait for you to come back. This feature alone is amazingly useful, but combined with the built-in compression it works very well. Part of the high quality compression is that they compress the data in the connection protocol, X11, VNC, or Radmin, instead of compressing the stream of data, as happens with say SSH compression. Although I haven’t tried it, you can apparently still use X sessions over a dialup line. I know it’s considerably easier to bring up my X session at home over a cable modem link with NX than it is with Xming, which crawls on anything but having a text window open.
One issue I do have with NX is that it is really complicated to set up. I spent a good couple of hours installing things and repeatedly logging into my box, with numerous updates to the local SELinux config to allow NX under SSH to launch various things, including being able to write a log to /var/log. That’s exactly the kind of crap people won’t deal with in general. If you’re having this problem then I fully recommend running this command:
audit2allow -l -r < /var/log/audit/audit.log
after each failed login. This gets audit2allow to list only the allow rules which are needed for the failures since the last reload of the SELinux policy (-l) and to output them with the corresponding require { } block (-r).
Beyond that, which I got on my FC8 system, even using FC8 RPMs (but not on my CentOS 5.2, with both the CentOS and NX RPMs), the only issue I’ve found with NX is that occasionally it seems to get confused. When you open your client connection it will go through the normal setup, the window will open and it will resume the session, but the final Windows dialog box will sit there saying
“Negotiating Link Parameters”
It will do this for about 30s to a minute, meanwhile the session is up and running and usable. At the end of what seems to be a timeout period, it seems to give up. At that point it closes both the dialog box and the entire NX client window. Once this happens you can try as many times as you like and it will just repeat.
I’ve found that the only answer to this is to open up Task Manager with Ctrl-Alt-Delete, and to kill all “NX” processes. Once you do that it works again.
Col.
Google Releases Updates for Chrome
Google’s new browser Chrome has been getting varied reviews. It seems the usefulness of the browser depends on your point of view: those in the tech industry are, kinda like me, a little “meh” about it, while others in the mainstream media are raving about it. It is being called all sorts of things including a replacement OS and other such nonsense. Which might be nice, if it were possible…
It also has a few issues. I couldn’t help but notice that they had to fix the carpet bombing flaw which affected other browsers, and they had a few issues with other sites that they’ve now fixed.
I couldn’t help but notice the blog post for beta-0214929, which included fixes for such minor sites as
- http://search.daum.net/
- http://search.empas.com/
- http://meta.ua/
- http://search.naver.com/
- and http://search.yahoo.com/
Hmm. Google’s new Terminator of browsers, designed to hunt down and kill other browsers because it integrates with Google Gears and other stuff Google offers (which is like everything), conveniently didn’t work with a few minor search engines… Well that’s okay, it was only a few little ones. Oh, and Yahoo!. Well isn’t that a coincidence :p
I wouldn’t be surprised if the internal name for this project is the Googlenator…
I also thought it was interesting to note that the “Links to this Blog Post” contained a rather notable entry:
… Ahh but they allow it, so they must be “open”. :p
Col.