Iptables Tutorial for Beginners – Key Concepts

Iptables Tutorial for Beginners

For every system, a firewall is a must-have for security. On Linux systems, a firewall can be implemented using the iptables command line utility, which is very powerful for setting firewall rules for enhanced security. Under the hood, iptables interacts with the packet filtering hooks of the kernel's networking stack, known as the Netfilter framework (http://www.netfilter.org/). It can manage both packet filtering and NAT rules.

Note: In practice, iptables handles IPv4 rules and ip6tables (http://linux.die.net/man/8/ip6tables) handles IPv6 rules.

Getting Started With iptables

The iptables utility uses the concept of tables to organize the firewall rules. Tables, in turn, contain a set of chains, and chains contain a set of rules.

There are five types of tables.

1. Filter table
2. NAT table
3. Mangle table
4. Raw table
5. Security table

Filter table

It is the default table. This table decides whether a packet should be allowed to reach its destination or not. A packet that reaches the filter table goes through one of the following three chains.

1. INPUT chain – If the packet's destination is your server, it goes through the INPUT chain.
2. OUTPUT chain – If the packet's source is your server, it goes through the OUTPUT chain.
3. FORWARD chain – If neither the source nor the destination of the packet belongs to your server, it goes through the FORWARD chain. This means the packet arrived on one NIC of your server and is being routed out another. It normally happens when your Linux system acts as a router.


You can view the filter table in your system using the following command.

sudo iptables -t filter --list
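As an added example (not code from the original tutorial), the following Python parser turns the output of sudo iptables -t filter --list into the table, chain and rule structure described above and flags any chain whose default policy is ACCEPT and that has no closing DROP/REJECT rule. The listing it parses is constructed here, not captured from a real host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `sudo iptables -t filter --list` output (not captured from a real host).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Built-in chains print a policy; user-defined chains print "(N references)" and are skipped here.
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
COLUMNS = ["target", "prot", "opt", "source", "destination", "extra"]

def parse_listing(text: str) -> Dict[str, Tuple[str, List[dict]]]:
    """Map each chain name to (default policy, list of rules in listing order)."""
    chains: Dict[str, Tuple[str, List[dict]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            m = CHAIN_RE.match(line)
            current = m.group(1) if m else None
            if m:
                chains[current] = (m.group(2), [])
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        rule = dict(zip(COLUMNS, line.split(None, 5)))  # 6th column holds match details
        rule.setdefault("extra", "")
        chains[current][1].append(rule)
    return chains

def audit(chains: Dict[str, Tuple[str, List[dict]]]) -> List[str]:
    """Chains that fall through to an ACCEPT policy without a final DROP/REJECT rule."""
    findings = []
    for name, (policy, rules) in chains.items():
        last = rules[-1]["target"] if rules else None
        if policy == "ACCEPT" and last not in ("DROP", "REJECT"):
            findings.append(name)
    return findings
```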

NAT table

The NAT table contains the following chains.

1. PREROUTING chain – This chain is mainly used for DNAT (Destination NAT).
2. POSTROUTING chain – This chain is mainly used for SNAT (Source NAT).
3. OUTPUT chain – This chain is used when packets are delivered locally.

Note: Read about DNAT and SNAT with an example here.

You can view the NAT table using the following command.

sudo iptables -t nat --list

Mangle table

This table is primarily used for altering the IP headers. It has the following chains.

1. PREROUTING
2. OUTPUT
3. FORWARD
4. INPUT
5. POSTROUTING

View the mangle table list using the following command.

sudo iptables -t mangle --list

Raw table

This table provides a mechanism to mark packets so that they opt out of connection tracking (see http://people.netfilter.org/pablo/docs/login.pdf).

The raw table has the following chains.

1. PREROUTING
2. OUTPUT

View the raw table list using the following command.

sudo iptables -t raw --list

Security table

This table is related to SELinux. It sets the SELinux context on packets. To be more specific, it is used for Mandatory Access Control (https://en.wikipedia.org/wiki/Mandatory_access_control).

View the security table list using the following command.

sudo iptables -t security --list

How to Install and Configure Ansible Server and Hosts


This guide will teach you how to install and configure an Ansible control server on Ubuntu, CentOS, Red Hat or Fedora servers. We will also see how to configure the hosts that are to be managed by the Ansible server. I would strongly suggest using Vagrant for all Ansible test purposes.

Install and Configure Ansible

Choose any of the following three methods for installing Ansible based on your operating system.

1. Using Pip

If pip is available on your system, use the following command.

sudo pip install ansible

2. Ubuntu

Execute the following commands to install Ansible.

sudo apt-add-repository -y ppa:ansible/ansible
sudo apt-get update
sudo apt-get install -y ansible

3. Redhat/Centos/Fedora

Redhat/Centos 6

sudo yum -y install ansible

Redhat/Centos 7

sudo yum -y install epel-release
sudo yum -y install ansible

Configuring hosts

Here I refer to all the servers that are to be managed by Ansible as hosts. Ansible keeps track of the hosts using the inventory file (a file with a list of servers). It holds the IP address or domain name of each host together with the username and the password or key information needed to connect to the node.

All the default configuration is in the /etc/ansible/ansible.cfg file. Here you can change the default paths if you want your own custom paths and configuration.

Now let's disable host key checking by setting the host_key_checking parameter to False, so that Ansible won't prompt for host key verification. This is not recommended for production deployments, because it removes the check that protects SSH against man-in-the-middle attacks.

sudo sed -i '/#host_key_checking = False/c\host_key_checking = False' /etc/ansible/ansible.cfg

By default the inventory file named hosts is present in the /etc/ansible/ directory. If you open /etc/ansible/hosts you will find sample host entries. Let's keep this file as a backup and create our own hosts file.

Let’s create the backup of original hosts inventory file.

sudo mv /etc/ansible/hosts /etc/ansible/hosts.original

Create a new hosts file.

sudo touch /etc/ansible/hosts

Now we have an empty hosts inventory file. Let's populate it from scratch.

In every environment the servers are segregated into a web group, a DB group, an app group and so on. We can have a similar segregation in our inventory file using labels, which is the recommended way of managing servers. For instance, you might have dev, test and prod servers. In this case, you can group servers from different environments under different labels.

Create two new hosts and note their IP addresses, usernames and passwords/keys. We will use these new hosts for testing.

Now we have the Ansible control server and two hosts that need to be managed. My hosts' IP addresses are 192.168.2.30 and 192.168.2.40, and I will be using them throughout the example. Replace them with your hosts' IP addresses.

Define the hosts in the /etc/ansible/hosts inventory file under the dev, dev:vars and local labels as shown below.

[dev]
192.168.2.30
192.168.2.40

[dev:vars]
ansible_user=vagrant
ansible_ssh_pass=vagrant

[local]
127.0.0.1

The dev:vars parameters are applied to the servers under the dev label. Ansible uses SSH to connect to the hosts, so we need to specify the username and password of those hosts. If all the servers have the same username and password, you can put them under the dev:vars label. If not, you can specify them on the same line as the IP address, separated by spaces, as shown below. Where possible, prefer key-based authentication (ansible_ssh_private_key_file) over a plaintext password in the inventory, since this file is readable by anyone who can read /etc/ansible.

192.168.2.30 ansible_user=vagrant ansible_ssh_pass=vagrant

The local label represents the Ansible server itself. So if you want to run a playbook on your Ansible server, you can make use of the local label.
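As an added example (not part of the original guide), the following Python code parses an INI-style inventory like the one above, resolves the variables that apply to each host with the same precedence Ansible uses (group vars first, variables written on the host line override them), and lists hosts whose connection relies on a plaintext ansible_ssh_pass. The inventory text is constructed here; the ansible_user=deploy override on the second host is added to show the precedence rule.

```python
import shlex
from typing import Dict, Tuple

# Constructed copy of the /etc/ansible/hosts file built above (not read from disk).
INVENTORY = """\
[dev]
192.168.2.30
192.168.2.40 ansible_user=deploy   # host-line var, overrides dev:vars

[dev:vars]
ansible_user=vagrant
ansible_ssh_pass=vagrant

[local]
127.0.0.1
"""

def parse_inventory(text: str) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Return (hosts, group_vars): hosts maps host -> {'groups': [...], 'vars': {...}}."""
    hosts: Dict[str, dict] = {}
    group_vars: Dict[str, dict] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None:
            continue
        if section.endswith(":vars"):                   # [group:vars] block
            key, _, value = line.partition("=")
            group_vars.setdefault(section[:-5], {})[key.strip()] = value.strip()
        else:                                           # host line, optional key=value pairs
            parts = shlex.split(line)
            entry = hosts.setdefault(parts[0], {"groups": [], "vars": {}})
            entry["groups"].append(section)
            entry["vars"].update(p.split("=", 1) for p in parts[1:])
    return hosts, group_vars

def effective_vars(host: str, hosts: Dict[str, dict], group_vars: Dict[str, dict]) -> dict:
    """Group vars apply first; vars written on the host line win, as in Ansible."""
    merged: dict = {}
    for group in hosts[host]["groups"]:
        merged.update(group_vars.get(group, {}))
    merged.update(hosts[host]["vars"])
    return merged

def plaintext_password_hosts(hosts: Dict[str, dict], group_vars: Dict[str, dict]) -> list:
    """Hosts whose effective connection vars carry an SSH password in the clear."""
    return sorted(h for h in hosts if "ansible_ssh_pass" in effective_vars(h, hosts, group_vars))
```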

Test the Configuration Using an Ad-Hoc Command

Now we have every piece of configuration in place. Let's test it using the following command.

ansible all -m ping

You should get the following success message.

$ ansible all -m ping
192.168.2.30 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.2.40 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Linux File Permissions Tutorial For Beginners


Permissions in Linux play an important part in administration as well as application configuration. Whether you are a system administrator or a developer, it is essential to understand how permissions work on Linux systems.

Linux File Permissions

At times, even experienced users get confused about the numbers and notations used for setting file permissions. In this article, we will learn the concepts and commands involved in Linux file permissions from a beginner's perspective.

Before diving into commands, you should understand the basic notations used for representing permissions.

Read, Write and Execute

The read, write and execute permissions are denoted by the letters r, w and x.

Octal Notation

Read, write and execute can also be denoted using octal digits.

Read (r) – 4
Write (w) – 2
Execute (x) – 1

Let's say a file has read, write and execute permissions; then you can denote that as the single number 7 (i.e., 4+2+1=7). You will learn more about this in the following sections.

User, Group and Others (UGO)

User – The owner of the file. Mostly, one who created the file.
Group – The group which the file belongs to.
Others – Everyone other than the user and the group.

Listing Permissions

Every file has a permission associated with it. To list the assigned permissions for files (also hidden files) in your current directory, use the following command.

ls -la

Output:

$ ls -l
-rw-rw-r--. 1 vagrant vagrant 0 May  2 02:51 demo.sh
-rw-r--r--. 1 root    root    0 May  2 03:14 rootsfile.txt
drwxrwxr-x. 2 vagrant vagrant 4096 May  2 03:17 demodir

Now, let's dissect the output and see how to read the permissions of the files.

-rw-rw-r--. represents the file permissions. If the line starts with "-" it is a regular file; if it starts with "d" it is a directory. Following that, you have three sets of "rwx".

1. The first set represents the permission for the user (who created or owns the file).
2. The second set represents the permissions for the group the file is associated with.
3. The third set represents anyone other than the user and group.


In the above output, the first line shows the permissions of the demo.sh file. It shows that it is a regular file with the following permissions.

1. First set (rw-) -> the user has only read and write permissions.
2. Second set (rw-) -> the group has read and write permissions.
3. Third set (r--) -> others have only read access to the file.

Have a look at the following image for better understanding.

[Image: linux file permissions]

Changing permissions of a file

The chmod command is used for changing the permissions of a file or directory. You need two parameters for the chmod command, as shown below.

chmod (permission-to-be-assigned) (path-to-file)

Permissions can be granted and revoked using the "+" and "-" symbols. Let's look at some examples.

1. To assign user permissions, use "u+" (e.g. u+x, u+xw, u+rwx) with the chmod command as shown below.

chmod u+x demo.sh
chmod u+rw demo.sh
chmod u+rwx demo.sh

2. To revoke access given to the user, use "u-" as shown below. This unsets the listed permissions.

chmod u-x demo.sh
chmod u-rw demo.sh
chmod u-rwx demo.sh

In the same way, you can replace “u” with “g” and “o” for assigning permissions to groups and others.

3. To assign permissions for ugo at the same time, you can use the following syntax.

chmod ugo+x demo.sh

Changing permissions Using Octals

We have seen how octal can be used to represent permissions. Have a look at the image below to get a better idea of the octal representation.

[Image: linux file permissions beginner tutorial]

While using octal, we represent the permissions using three numbers. First for the user, second for the group and the third one for others.

1. To give the user all permissions use the following form.

chmod 700 demo.sh

2. To give the user all permissions, the group just read/write and others only read, use the following command.

chmod 764 demo.sh

In this manner, you can assign different permissions to users, groups and others.

Change Permissions Recursively

At some point, you might want to change the permissions of a folder, its subfolders and its files. For example, you uploaded the website files to an Apache web server and want to change the permissions of all the files and folders in the images folder. In this case, you have to apply the permission change recursively using the "-R" flag with the chmod command, as shown below.

chmod -R 755 demodir

Sticky bit Permission

The sticky bit is a permission bit for a file or a folder. When it is set, only the file or directory owner and root are able to delete it. This permission is very useful in scenarios where you want to share a folder with multiple users. The sticky bit prevents deliberate and accidental deletion of files by other users.

Setting Up the Sticky Bit

You can set a sticky bit on a file or a folder using “t” or “1”. Here is an example.

chmod +t demo.sh
chmod 1755 demo.sh

In the above commands, 1 represents the sticky bit and 755 represents the normal file permissions. To verify that the sticky bit is assigned, use the "ls -la" command and check that a "t" flag has replaced the last character of the permission block, as shown below.

-bash-4.2$ ls -l
-rwxr-xr-t. 1 vagrant vagrant 0 May  2 02:51 demo.sh
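As an added example (not from the original tutorial), the following Python code models the chmod behaviour explained in the symbolic, octal and sticky-bit sections: it applies a spec such as u+x, ugo+x, 764, 1755 or +t to a mode and renders the resulting permission block the way ls prints it, including the difference between a lowercase "t" (sticky bit plus execute for others) and an uppercase "T" (sticky bit without it). It is a pure-computation model; a bare "+" or "-" without a who letter is treated as ugo here, whereas real chmod also applies the umask in that case.

```python
import re
import stat

WHO_BITS = {"u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
            "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
            "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)}
PERM_INDEX = {"r": 0, "w": 1, "x": 2}
SYMBOLIC_RE = re.compile(r"^([ugoa]*)([+\-=])([rwxt]*)$")

def apply_chmod(mode: int, spec: str) -> int:
    """Return the mode that `chmod <spec>` would produce on a file that currently has `mode`.
    Handles octal specs (700, 764, 1755) and symbolic ones (u+x, ugo+x, o-w, +t, g=r)."""
    if spec.isdigit():                      # octal form: digits are user, group, others,
        return int(spec, 8)                 # with an optional leading 1 for the sticky bit
    m = SYMBOLIC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported chmod spec: {spec}")
    who, op, perms = m.groups()
    who = "ugo" if who in ("", "a") else who  # no who letter is treated as ugo (umask ignored)
    bits = 0
    for w in who:
        for p in perms:
            if p in PERM_INDEX:
                bits |= WHO_BITS[w][PERM_INDEX[p]]
    if "t" in perms:
        bits |= stat.S_ISVTX                # chmod +t: the sticky bit, the leading 1 in 1755
    if op == "+":
        return mode | bits
    if op == "-":
        return mode & ~bits
    cleared = 0                             # "=": replace the rwx bits of the named classes
    for w in who:
        for b in WHO_BITS[w]:
            cleared |= b
    return (mode & ~cleared) | bits

def mode_string(mode: int) -> str:
    """The nine-character permission block ls prints (file-type column omitted), e.g. 'rwxr-xr-t'."""
    return stat.filemode(mode)[1:]
```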