Save iptables on Shutdown and Restart, and Restore on Boot

Tuesday, October 6th, 2015

Save iptables Rules on Shutdown, Restore on Boot

When your server shuts down (halts), reboots, or enters runlevel 1, its iptables rules are lost: they live only in kernel memory and are never written to disk on their own.  Packages such as iptables-persistent restore a saved rule set at boot, but they only save when you run the save step yourself; nothing saves the live rules automatically when the system goes down.

I wanted my iptables rules to truly persist, so I modified the iptables-persistent package to save the live rules automatically whenever the system reboots, halts, or enters runlevel 1, and to restore them when the system boots into runlevels 2-5.  This means your iptables configuration persists indefinitely.  That may not always be what you want, but if I ban an IP address permanently, I want it to stay banned.
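As an added example (not part of the original post, and not the modified dinofly.com package), here is how the same save-on-shutdown / restore-on-boot behaviour can be written as an ordinary sysvinit script, with two checks that a bare "iptables-save > file" lacks: the dump is validated and swapped in atomically, so a save that fails half-way never clobbers the last good rule set, and the restore is parsed with --test before anything is committed to the kernel.  Assumptions: iptables-save and iptables-restore are in PATH, the rules file is /etc/iptables/rules.v4 (the path Debian's iptables-persistent uses), and the service is called iptables-rules.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables-rules
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: save iptables rules at shutdown, restore them at boot
### END INIT INFO
#
# Added example, not the dinofly.com package: "stop" runs when the machine
# halts, reboots or enters runlevel 1 and saves the live rule set; "start"
# runs when it boots into runlevels 2-5 and restores it.  Assumes
# iptables-save/iptables-restore in PATH; RULES_FILE defaults to the path
# Debian's iptables-persistent uses and can be overridden.

RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# rules_file_ok FILE: succeed only if FILE looks like a complete iptables-save
# dump, i.e. every table header (*filter, *nat, ...) has a matching COMMIT.
# Guards against restoring a file truncated by a failed save (full disk, save
# killed mid-write), which would silently leave the host without its rules.
rules_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# save_rules: dump to a temp file, validate it, then atomically replace the
# old file, so a failed save never destroys the last known-good rule set.
save_rules() {
    tmp="${RULES_FILE}.tmp.$$"
    if iptables-save > "$tmp" && rules_file_ok "$tmp"; then
        chmod 0600 "$tmp"
        mv -f "$tmp" "$RULES_FILE"
    else
        rm -f "$tmp"
        echo "iptables-rules: save failed, keeping previous $RULES_FILE" >&2
        return 1
    fi
}

# restore_rules: refuse an unusable file, parse-only check first (--test), then
# commit, so a malformed file cannot leave a half-loaded table behind.
restore_rules() {
    rules_file_ok "$RULES_FILE" || {
        echo "iptables-rules: no usable rule set in $RULES_FILE" >&2
        return 1
    }
    iptables-restore --test < "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

if [ $# -gt 0 ]; then
    case "$1" in
        start)   restore_rules ;;
        stop)    save_rules ;;
        restart) save_rules && restore_rules ;;
        *)       echo "usage: $0 {start|stop|restart}" >&2; exit 2 ;;
    esac
fi
```

Install it as /etc/init.d/iptables-rules, make it executable, and register it with "update-rc.d iptables-rules defaults", which links it to start in runlevels 2-5 and stop in 0, 1 and 6, the same runlevels described above.  Because a bad rule saved at shutdown comes back at the next boot, keep console or out-of-band access to the machine.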

If you'd like to use this modified version of iptables-persistent so that your rules are automatically saved on shutdown, you can install it by running the below commands:

# Remove the stock package first (dpkg -r is a no-op if apt-get already removed it)
sudo apt-get remove iptables-persistent
sudo dpkg -r iptables-persistent
# Fetch and install the modified package
wget http://dinofly.com/files/linux/iptables-persistent_0.5.8_all.deb
sudo dpkg --install iptables-persistent_0.5.8_all.deb

Use at your own risk.  If you do something stupid, it will persist until you clear it!  Note also that the package is fetched over plain HTTP from a third-party site with no checksum or signature published here, so inspect its contents before installing it, and keep console or out-of-band access to the machine in case a saved rule set locks you out.

The above package was tested on Ubuntu 12.04 x86, Ubuntu 12.04 x64, Ubuntu 14.04 x86, Ubuntu 14.04 x64, and Ubuntu 15.04 x64.  It should work on other Debian-based distributions as well.

Secure Linux Servers Using IPTables Rules and WonderShaper

Thursday, March 28th, 2013

Secure your Ubuntu Server from Flood and Other Attacks Using IPTables and WonderShaper

The following commands use iptables to drop packets used in common flooding and scanning attacks: new TCP connections that do not start with a SYN, IP fragments, and XMAS and NULL scans.  They stop a Linux server from wasting resources on malformed packets, some of which are the building blocks of (D)DoS attacks, so they are worth having.  Use at your own risk.  A detailed explanation of each rule is at the cyberciti.biz link in the comment below.  Note that the rules are appended (-A) to INPUT, so on a host that already has ACCEPT rules in that chain they must be inserted ahead of them (-I) or they will never match.

# Explanations here:
# http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
sudo apt-get install iptables
# Drop new TCP connections that do not start with a SYN (stray or forged segments).
# -m state still works but is a legacy alias for -m conntrack --ctstate.
sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop second and further IP fragments.  This also drops legitimate fragmented
# traffic (large UDP datagrams, some VPN traffic), so test before relying on it.
sudo iptables -A INPUT -f -j DROP
# Drop XMAS-scan packets (every TCP flag set).
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL-scan packets (no TCP flags set).
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
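The four rules above are appended to INPUT, so on a host that already has ACCEPT rules they never match, and running the commands twice adds duplicates.  The script below is an added example (not from the original post or the cyberciti.biz article) that puts the same four matches in a dedicated chain, logs a rate-limited entry before each DROP so scans show up in syslog without the logging itself becoming a flood, and keeps exactly one jump to that chain at the top of INPUT, so it can be re-run safely.  The chain name BADPKT, the log prefix and the log rate are choices made here; the IPT variable exists so the commands can be routed through a recording function instead of the real binary when reviewing them.

```shell
#!/bin/sh
# Added example, not the page's own commands: anti-flood/scan rules in their
# own chain, hooked at position 1 of INPUT.  Assumes iptables is installed.
IPT="${IPT:-iptables}"      # point at a shell function to record instead of apply
CHAIN="${CHAIN:-BADPKT}"

# reset_chain: create CHAIN if missing (-N fails harmlessly if it exists),
# then flush it so re-running the script never accumulates duplicates.
reset_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
}

# log_drop MATCH...: log at most 5 entries/min (burst 10) for MATCH, then drop.
# The limit keeps a flood of bad packets from turning into a flood of syslog.
log_drop() {
    $IPT -A "$CHAIN" "$@" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "badpkt: "
    $IPT -A "$CHAIN" "$@" -j DROP
}

# populate_chain: the four matches from the post, in the same order.
populate_chain() {
    log_drop -p tcp ! --syn -m state --state NEW   # new TCP stream not opened by SYN
    log_drop -f                                     # second and further IP fragments
    log_drop -p tcp --tcp-flags ALL ALL             # XMAS scan: every flag set
    log_drop -p tcp --tcp-flags ALL NONE            # NULL scan: no flags set
}

# hook_input: remove any existing jumps to CHAIN (-C checks, -D deletes one at a
# time), then insert a single jump at position 1 so it precedes every ACCEPT.
hook_input() {
    while $IPT -C INPUT -j "$CHAIN" 2>/dev/null; do
        $IPT -D INPUT -j "$CHAIN"
    done
    $IPT -I INPUT 1 -j "$CHAIN"
}

apply_rules() {
    reset_chain
    populate_chain
    hook_input
}

if [ $# -gt 0 ] && [ "$1" = apply ]; then
    apply_rules
fi
```

Run it as root with the argument "apply" (sudo sh badpkt.sh apply) and check the result with "iptables -L INPUT --line-numbers": the jump to BADPKT should be rule 1.  Pair it with the save-on-shutdown approach from the newer post above if you want it to survive reboots.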

Dropping ICMP echo (ping) requests is covered in a separate post.

Limiting Download and Upload Speeds / Traffic Globally in Ubuntu

Limiting download and upload speeds globally does not make a server any more secure in itself, but it can alleviate network lag, and keeping the service available is part of security.  In Ubuntu it's easy to cap the download and upload rate of an interface.  It wasn't always this easy, but a tool called wondershaper hides the underlying tc complexity for you.  To install it, run the following command:

sudo apt-get install wondershaper  

Now we need to tell wondershaper which interface to shape and at what rates.  To list your interfaces, run:

ifconfig

To decide on your maximum download and upload speeds, run a couple of bandwidth tests with SpeedTest on your connection.  Wondershaper takes its limits in kilobits per second, so convert the Mbit/s figures by multiplying by 1000.  Then subtract 20-30% from each value: shaping only works if this machine never quite saturates the link, and the headroom leaves bandwidth available to other computers / nodes on the network.

Once you have your speeds, start wondershaper (modifying the example below to fit your needs):

# wondershaper [interface] [max_download_speed_kilobits] [max_upload_speed_kilobits]
sudo wondershaper eth0 8192 2764

To run wondershaper at boot, add it to /etc/network/interfaces.  Back the file up first, then open it:

sudo cp /etc/network/interfaces /etc/network/interfaces.bak
sudo nano /etc/network/interfaces

Add the following (modify the interface and speeds to fit your needs):

auto lo
iface lo inet loopback
# Shape eth0 when networking comes up; clear the shaping when it goes down.
# These hooks can equally go under the eth0 stanza itself (iface eth0 ...),
# where they run right after eth0 is configured.
up /sbin/wondershaper eth0 8192 2764
down /sbin/wondershaper clear eth0

Make sure the interface and the download / upload speeds match in both the command above and the interfaces file.  The limits will now be applied every time the machine boots.

Exclude LAN from Speed Limits

By default WonderShaper does not differentiate between LAN traffic and external traffic, so transfers to machines on your own network are throttled too.  To keep LAN traffic unshaped, install this updated WonderShaper script.  Two caveats: it is fetched over plain HTTP with no checksum or signature, so read it before copying it into /sbin, and because it overwrites a file owned by the wondershaper package, a later upgrade of that package will silently put the original back.

cd ~/Downloads
wget -O wondershaper_exclude_lan.tar.gz www.dinofly.com/files/wondershaper_exclude_lan.tar.gz
tar xzvf wondershaper_exclude_lan.tar.gz
sudo cp -f wondershaper /sbin/wondershaper
sudo chmod +x /sbin/wondershaper
sudo nano /sbin/wondershaper

Find:

#Local Network
LAN_SUBNET=192.168.0.0

Change it to the network address of your LAN (your LAN addresses with the last octet set to 0, for the /24 networks used in these examples).  For example, if your LAN gateway is 192.168.1.X, change it to:

#Local Network
LAN_SUBNET=192.168.1.0

Another example, if your LAN gateway is 192.168.43.X, change it to:

#Local Network
LAN_SUBNET=192.168.43.0

Save the file and reboot.

Your local area network (LAN) traffic is now left unshaped while external traffic is still limited!  Enjoy lag-free connections from both outside and inside while running any type of web server.

PeerGuardian Linux Ubuntu Prerequisites and Install Guide

Saturday, March 24th, 2012

PeerGuardian Installation Guide Ubuntu / Debian

Installing PeerGuardian:

Open a new terminal and install the prerequisites for PeerGuardian Linux with the following command:

sudo apt-get install libdbus-1-dev zlib1g-dev iptables libnetfilter-queue-dev libnfnetlink-dev qt4-bin-dbg qt4-dev-tools g++ libpolkit-qt-1-1 libpolkit-qt-1-dev

Download the latest source of PeerGuardian Linux from:  http://sourceforge.net/projects/peerguardian/files/PeerGuardian%20Linux/

Open a terminal, change to the PeerGuardian source directory, and run the configure script to generate the Makefile:

./configure --sysconfdir=/etc

If you get an error that looks like this:

checking for ZLIB... configure: error: Package requirements (zlib) were not met:

No package 'zlib' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables ZLIB_CFLAGS
and ZLIB_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

You'll need to download and compile the source of zlib from  http://www.zlib.net/

To do this, change to the directory of the extracted zlib folder and run:

./configure
make
sudo make install   # installs under /usr/local; only this step needs root

Now go back to the PeerGuardian source directory and re-run ./configure.

You should not receive this error anymore.  Why does it happen in the first place?  Installing zlib1g-dev should satisfy this requirement, but on some systems it doesn't, which could be a packaging bug.  Be aware that the workaround leaves a second copy of zlib under /usr/local, outside the package manager: security updates to the distribution's zlib1g will not cover it, so you will have to rebuild it yourself when zlib is patched.

Errors Post Installation:

THE ISSUES BELOW (both the system-bricking permission changes and the resolv.conf problem) APPEAR TO HAVE BEEN FIXED IN MAY 2013.
I'm leaving this here in case someone needs it.

As of 3/17/13, I've noticed that installing PeerGuardian Linux from the latest SourceForge source causes a number of serious problems that could brick your Linux install.  Run the following commands after "make install" completes to avoid them.

If your gksudo or sudo commands no longer work after installing because of an "Unable to copy the user's .Xauthorization file" error, your .Xauthority file may no longer exist.  To fix this, run the following commands (replace youruser with your login name):

gksudo synaptic
sudo chown youruser:youruser ~/.Xauthority
chmod 600 ~/.Xauthority

If the above does not work for you, try this:

cd ~
touch .Xauthority
sudo chown youruser:youruser ~/.Xauthority
chmod 600 ~/.Xauthority 

For some reason, the installer also changes the permissions on the /tmp directory, which must be world-writable with the sticky bit set (mode 1777) or most programs will misbehave.  To fix this, run the following command:

sudo chmod 1777 /tmp

PeerGuardian Linux can also break your DNS settings, rendering your internet connection useless.  To fix this, run the following command:

sudo nano /etc/resolv.conf

Add your router's DNS server to it.  For example:

nameserver 192.168.1.1

Save and close the file.  Everything should be good to go, and your system is no longer hosed by a buggy PeerGuardian Linux build.
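As an added example (not part of the original post), the three breakages above can be checked for in one go after running "make install" from a build you do not fully trust: /tmp must be mode 1777, ~/.Xauthority must exist, be mode 600 and be owned by you, and /etc/resolv.conf must still name a DNS server.  The script assumes GNU stat as shipped on Ubuntu/Debian; the paths default to the ones mentioned above and can be overridden by arguments so the checks can be exercised on copies.

```shell
#!/bin/sh
# Added example, not part of the PeerGuardian project: post-install sanity
# checks for the damage described in the post.  Assumes GNU coreutils stat.

# mode_is PATH MODE: true if PATH exists and has exactly octal MODE (e.g. 1777).
mode_is() {
    [ -e "$1" ] && [ "$(stat -c %a "$1")" = "$2" ]
}

# owned_by_me PATH: true if PATH exists and is owned by the invoking user.
owned_by_me() {
    [ -e "$1" ] && [ "$(stat -c %U "$1")" = "$(id -un)" ]
}

# has_nameserver FILE: true if FILE is readable and has a nameserver line.
has_nameserver() {
    [ -r "$1" ] && grep -q '^nameserver[[:space:]]' "$1"
}

# post_install_check [TMPDIR] [XAUTH] [RESOLV]: print a fix for each problem
# found and return the number of problems (0 means the system is clean).
post_install_check() {
    tmpdir="${1:-/tmp}"
    xauth="${2:-$HOME/.Xauthority}"
    resolv="${3:-/etc/resolv.conf}"
    problems=0
    if ! mode_is "$tmpdir" 1777; then
        echo "FIX: sudo chmod 1777 $tmpdir"
        problems=$((problems + 1))
    fi
    if ! mode_is "$xauth" 600 || ! owned_by_me "$xauth"; then
        echo "FIX: touch $xauth && chmod 600 $xauth && sudo chown $(id -un): $xauth"
        problems=$((problems + 1))
    fi
    if ! has_nameserver "$resolv"; then
        echo "FIX: add a 'nameserver <your router>' line to $resolv"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: no PeerGuardian install damage found"
    return "$problems"
}

if [ $# -gt 0 ] && [ "$1" = check ]; then
    shift
    post_install_check "$@"
fi
```

Run it as your normal user (sh pg-check.sh check) rather than under sudo, so that the ownership test compares against your account and not root's.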