topic Re: Questions in Operating System - Linux

Questions

manny_9 — Sun, 03 Aug 2003 16:43:53 GMT

Hi,

I am fairly new to linux...but I can move around within the system.

I have been volunteered to document a redhat 7.2 box.Which was setup by a now defunct outside vendor.
This is a non paid position...and i would like to take advantage of it and enhance my skills.
I am trying to form the right questions so i can research on my own.

redhat 7.2
the box is being used for email (sendmail)and the internet.

There is a livingston portmaster firewall connected to it.

1.I don't see squid on the box at all.
2.how would i find out where users have been surfing and block those addresses.
3. i was using cat on a (data) file and the screen had sqiggly lines all over it. What happened??
4.where should i look for the configuration of the box.(what 's installed etc.)
5.can rehat also participate in firewalling or would it fall to the livingston. how can i tell
6. I know i am not supposed to but can i telnet into this box from windows?

Thanks in advance. I really would appreciate being pointed in the right direction.

Re: Questions

Steven E. Protter — Sun, 03 Aug 2003 17:39:24 GMT

Answers

1.I don't see squid on the box at all.
2.how would i find out where users have been surfing and block those addresses.

squid is not the only way to give the users web access. They could be using the iptables firewall with a NAT(Natural Address Translation) to provide the web to users. In this case the addresses are not logged. To check:

as root user

service iptables restart
If you see a start and stop message then they are running it. Look at the following file:
/etc/sysconfig/iptables

Look for a line like this:
# Generated by iptables-save v1.2.5 on Sun Apr 27 03:12:07 2003
*nat
-A POSTROUTING -o eth0 -j SNAT --to-source 66.92.147.104

IP address is changed to protect my infrastructure.

This is an indication the Linux box is providing Internet services to the rest of the network.

This can also be done with the obsolete ipchains

service ipchains restart to see if it was running.

3. i was using cat on a (data) file and the screen had sqiggly lines all over it. What happened??

You may be cat ing a file that is binary

file if its binary try the strings command on it.
4.where should i look for the configuration of the box.(what 's installed etc.)

Most of the configuration is in /etc/sysconfig

There are subfolders there.

Take a look at these directories:
/etc/rc1.d
/etc/rc2.d
/etc/rc3.d
/etc/rc4.d
/etc/rc5.d

To see what is fired up at startup.

The rmp -q command will show you what is installed on the box. This is also possible from the GUI if the machine is configured for X-Windows which is probably console only.

5.can rehat also participate in firewalling or would it fall to the livingston. how can i tell

See my answer to questions 1 and 2. I don't know livingson, but if its a mail program it does not necessarily do firewalling. ipchains and iptables are open source firewalls and pretty darned good ones at that.

6. I know i am not supposed to but can i telnet into this box from windows?

this depeneds on the boxes firewall and internet setup. try telnet or telnet from a windows box and find out.

Out of the Box Linux 7.2 does not allow direct root telnet login, you'll have to try a regular user.

Cone you are on the box, you can su - root if you have the root password.

To check the configuration, look at these areas

/etc/xinetd.d/

telentd file is diable yes or no. If its yes telnet is diabled.

If this post was helpful, please assign points. If it solved your issue or was of significant value, please assign accordingly.

If you require more in depth help, contact me directly.

http://www.isnamerica.com

SEP

Re: Questions

Manuel Wolfshant — Mon, 04 Aug 2003 12:30:03 GMT

1. the question being ? :)
There are a lot of ways to allow web access without squid. One might use another program for proxy; or might use routable addresses, in which case the redhat box might only be just a router; or use NAT, as Steven has said. However, masqarading rules are not always started with 'service iptables start' , so the correct check is to use 'iptables -L -t nat'. If you see something like
SNAT all -- localnet anywhere to:
you can bet on masquarading
I for one never use the default RH system, I have my own scripts.

2. There are several ways to monitor network activity. Which one to use depends on what does the box do and on your skills. You might wish to use some form of traffic sniffer (dnisff, ettereal, ethereal ot other). Or you could use the good ol' tcpdump. Or if you are using NAT and just want a connection list, you can either cat /proc/net/ip_conntrack, or (my all time favourite) use the program called netstat-nat (http://tweegy.demon.nl/projects/netstat-nat/)
For blocking purposes, iptables is your best friend.

3. You cat-ed a binary file. Use the command 'reset' to restore the terminal to normal settings.

4. In all linux-es configuration data is normally stored under /etc and [eventually] under /usr/local/[something] (mainly for locally compiled applications).
To see what applications / services are automatically started, the simplest way is first find what runlevel you are into (the command is ... runlevel); then with either chkconfig (chkconfig --list) or with ntsysv you can list the services launched at boot. The more laborious way is to list the symbolic links whose name start with S from
/etc/rc.d

5. yes it can, assuming all trafic is passing through it. iptables is better the cisco PIX from many point of vues.

6. By default, no modern linux distribution will allow you to telnet into. Telnet has been replaced by the more secure "ssh" (secure shell). You should forget about telnet: install (or update!) sshd if you have not already done so and then connect from windows using a SSH client, such as putty (http://google.com -> search for "putty.exe download" -> I feel lucky). If you must use telnet, then install the package called telnet-server and then use "service telnet start" to start it. Bear in mind that all forms of root access from other sources then console (except using ssh ...) are disabled by default. Therefore you must login as a normal user and then switch user (su - ) to become root. If you do not like putty, you can use cygwin+ssh.

Re: Questions

manny_9 — Tue, 05 Aug 2003 01:33:24 GMT

Thanks very much to both of you .I actually think I learned something today !

I was cat-ing a file (I panicked)

Here is what I found
ip_allow / relay_allow
followed by some I.P's. self explanatory I think

IPTABLES I did iptables -l
This is what i got....

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- 192.0.0.0/8 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Now my big question for the day!!!

If I wanted to block users from accessing games.yahoo.com (66.218.72.118) where and how do i do it.

Do I add a line to iptables :
-A FORWARDING -d 66.218.72.118 -j REJECT

What is the hosts file used for ???

I am not sure of the correct syntax. I have tried to research, but only seemed to confuse myself more.

I want to be able to restrict users from accessing certain sites.

Hey thanks once again to both of you!!!

Re: Questions

manny_9 — Wed, 06 Aug 2003 01:35:37 GMT

anyone???

Re: Questions

Stuart Browne — Wed, 06 Aug 2003 02:49:23 GMT

To restrict access to given sites, there are multiple ways.

If it is just web traffic, and you are using squid, you can use the ACL (Access Control Lists).

These are very simple, and are described in depth in the squid documentation (online at http://www.squid-cache.org).

If you don't want them to have any access at all, then yes, the rule you listed (iptables -I FORWARD -j DENY -d ) would be sufficient.

Remember that IP Tables flow downwards. If a rule higher up accepts a given packet, it's accepted. Using '-I' instead of '-A' forces the rule into the start of the chain, and thus get checked first.

You might want to look at the introductory howto's at the http://www.netfilter.org site.

Re: Questions

manny_9 — Sun, 10 Aug 2003 20:59:11 GMT

Thanks to everyone gor their help!!!

I have been unsuccessful!!!

1. Is this the correct way to edit iptables to block users from accessing a specific site.

vi iptables edit and save???

IPTABLES
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- x.0.0.0/8 anywhere
ACCEPT all -- xxx.0.0.0/8 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

-A FORWARDING -d 66.218.72.118 -j REJECT

2. what is this hosts file used for??

Thank you!!!!!!!!!

Re: Questions

Steven E. Protter — Sun, 10 Aug 2003 21:52:16 GMT

/etc/hosts

Is uses for local, file based networking.

You can set up quite a nice little network internally without having to play with or connect to dns servers.

Here is my interal file with the ip addresses changed to protect the innocent.

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 jerusalem localhost.localdomain localhost
66.92.147.194 investmenttool.com www.investmenttool.com jerusalem.investmenttool.com jerusalem dns1.investmenttool.com shell.investmenttool.com ftp.investmenttool.com news.investmenttool.com
66.92.147.195 isnamerica.com www.isnamerica.com isnamerica dns2.investmenttool.com
192.168.0.41 telaviv.investmenttool.com telaviv
192.168.0.70 hpweb.investmenttool.com hpweb
66.92.147.221 telaviv.investmenttool.com telaviv

Note the 127 adress, for loopback, never mess with that.

Note the general strucutre

number fully qualified domain name alias

You don't need to register domain names to do this kind of networking, you have pretty basic freedome to experiment and learn.

As far as blocking users from particular sites, this is quite possible with iptables, but it can make the load time very long and may impact the performance of your box.

If eth0 is the interface facing the internet here is how I'd do it.

Lets say there's a porn site one of your employees is visiting and its really grossing out your girlfriend who works there and has to pass by.

Lets call it grossporn.com
(That might be a real site, would not check)

on the Linux box run this command.

dig grossporn.com

This will return an IP address.

Lets say its 24.101.21.100

Add this statement to iptables

-A INPUT -s 24.101.21.100 -i eth0 -j REJECT

That will block that IP address on all ports. You may have to play with that statement to get it to work, but thats the approach. I don't block any sites at my network, my kids use computers in public areas(they don't know how yet) and mommy polices that stuff.

SEP

Re: Questions

Steven E. Protter — Sun, 10 Aug 2003 22:56:40 GMT

That REJECT in my previous post maybe should be a DENY

SEP

Re: Questions

manny_9 — Sun, 10 Aug 2003 23:44:53 GMT

Steven,

Thank you for all of your help!!!. I am sure your tired of me by now or at least three questions ago.

I am leery of making changes to this box so i tread carefully.

If it matters at all xinetd is active.

what is the correct way to edit iptables???

/sbin/iptables -A FORWARDING -d 66.218.72.118 -j DENY

iptables restart

Re: Questions

Stuart Browne — Mon, 11 Aug 2003 00:10:19 GMT

Without the last bit (the 'restart' bit).

After changing rules, if you want to make them permenant, then you'll want to issue 'service itpables save', but no need to 'restart' (unless you want to reset your rules back to the last 'sane' state).

Re: Questions

Steven E. Protter — Mon, 11 Aug 2003 00:54:02 GMT

thats

service iptables restart

I'm assuming you added the rule to the file

/etc/sysconfig/iptables

I am not tired of you at all, I want to see you succeed. I'm on the way to Wyoming but will monitor this thread as best I can.

Always make a backup if the iptables file so you can back out any changes you make.

Probably a good idea to make these changes during off hours, versus the middle of the business day.

Thanks for the earlier points.

SEP