Self hosting solution for Christmas
Hello everyone, Here my present for Christmas: a new version of HomeBox, the self hosted email solution. Feel free to drop comments, create issues, update the docs, etc. I released this quickly before going on vacation, so you may find some issues. However, this is mostly stable, and the code is easy to modify. Also, you can now add and remove components individually, with an Ansible playbook. https://github.com/progmaticltd/homebox System installation and features - Custom Debian installer generation with full disk encryption and fully automatic installation. - Unlock the system upon boot by entering the passphrase through SSH. - Install packages only from Debian stable (Bullseye). - Automatic letsencrypt certificates generation using Lego and DNS challenge. - Automatic security updates (optional). - Centralised authentication with an LDAP users database, SSL certificate, password policies, PAM integration. - AppArmor activated with a profile for all daemons. - XKCD Random passwords generated and saved into pass (or on file system). - Can be used at home, on a dedicated or virtual server hosted online. - Flexible IP address support: IPv4 only, IPv6 only, and IPv4+IPv4 or IPv4+IPv6. - Embedded DNS server, with CAA, DNSSEC and SSHFP (SSH fingerprint) support. - Grade A https sites, HSTS implemented by default. - Automatic configuration of OpenPGP Web Key Directory. - Automatic firewall rules for inbound, outbound and forwarding traffic, using nftables. - Restricted outbound web sites access to the minimum. - Automatic update of DNS keys, DNS servers and glue records on Gandi. Emails - Postfix configuration and installation, with LDAP lookups, internationalised email aliases, fully SSL compliant. - Generate DKIM keys, SPF and DMARC DNS records. The DKIM keys are generated every year. - Automatic copy of sent emails into the sent folder. - Automatic creation of the postmaster account and special email addresses using RFC 2142 specifications. - Dovecot configuration, IMAPS, POP3S, Quotas, ManageSieve. - Simple spam and ham learning by moving emails in and out the Junk folder - Sieve and vacation scripts. - Virtual folders for server search: unread messages, conversations view, all messages, flagged and messages labelled as "important". - Email addresses with recipient delimiter included, e.g. john.doe+li...@dbcooper.com. - Optional master user creation, e.g. for families with children or moderated communities. - Server side full text search inside emails, attached documents and files and compressed archives, with better results than GMail. - SOGo webmail with sieve filters management, password change form, Calendar and Address book management, GUI to import other account emails. - Powerful and light antispam system with rspamd and optional access to the web interface. - Antivirus for inbound and outbound emails with clamav (optional). - Automatic configuration for Thunderbird and Outlook using published XML and other clients with special DNS records (RFC 6186). Calendar and Address book - Install and configure a CalDAV / CardDAV server, with automatic discovery (RFC 6186). - Groupware functionality in a web interface, with SOGo. - Recurring events, email alerts, shared address books and calendars. - Mobile devices compatibility: Android, Apple iOS, BlackBerry 10 and Windows mobile through Microsoft ActiveSync. Other optional features - Incremental backups, encrypted, on multiple destination (SFTP, S3, Samba share or USB drive), with email and Jabber reporting. - Jabber server, using ejabberd, with LDAP authentication, direct or offline file transfer and optional server to server communication. - Static web site skeleton configuration, with https certificates and A+ security grade by default. Development - YAML files validation on each commit, using travis-ci. - End to end integration tests for the majority of components. - Playbooks to facilitate the installation or removal of development packages. - Global debug flag to activate the debug mode of all components. - Fully open source Ansible scripts licensed under GPLv3. Merry Christmas, André
Re: Dell CMOS Setup -> System Configuration -> SATA Operation -> RAID On vs AHCI
On 12/23/22 23:16, Jeffrey Walton wrote: On Fri, Dec 23, 2022 at 10:29 PM David Christensen wrote: debian-user: I have a SanDisk Ultra Fit USB 3.0 16 GB flash drive with Debian installed on it EUFI, GPT, and Secure Boot. I use it for maintenance/ trouble-shooting on newer computers. When I boot the flash drive in a Dell Precision 3630 Tower that has Windows 11 Pro installed on the internal NVMe drive, the internal PCIe NVMe drive is not visible to Linux: The work-around is to change CMOS Setup -> System Configuration -> SATA Operation from "RAID On: to "AHCI". The problem is that Windows needs the former and it is a hassle to change the CMOS settings back and forth every time I want to run Debian. If I change it to AHCI and forget to change it back, Windows breaks. If and when I make this mistake on a client computer, it will be very embarrassing. I want a portable Debian on a USB flash drive or USB SSD to work on newer computers without changing the CMOS settings that the factory set for Windows. Comments or suggestions? The NVMe is provisioned to the Intel Optane accelerator. Optane takes a small but fast NVMe, and combines it with a slow HDD, and makes the system (kind of) perform like there's one large SSD. The NVMe drive should not appear as a seperate drive when it is provisioned for Optane. I'm running Kubuntu on a Dell XPS 8930 that came preinstalled with Windoze. It also had the Optane acceleration. I had to disable Optane to get access to the NVMe. Once Optane was broken I was able to load the OS on the NVMe, and make the HDD a large storage/scratch drive. Jeff The M.2 2280 NVMe SSD and a slim DVD +/-RW drive are the only storage devices in the computer. AFAICT there are no Optane devices. The SSD says: PCIe Gen3 x 4 SSD PC300 NVMe SK hunix 256 GB M/N: HFS256GD9MND-5510A BA D P/N 0XHFF7 I am unable to find a web page on skhynix.com for this item; perhaps because it is OEM'd to Dell (?). STFW finds many used items for around US$25. But the CMOS Setup issue is not isolated to this computer nor to this NVMe SSD. I have seen the same issue on Dell Latitude 5400 laptops, for example. I am looking for a way for Debian to see NVMe drives when CMOS Setup -> System Configuration -> SATA Operation is set to "RAID On" (which is the factory default and what Windows needs). David
Re: Dell CMOS Setup -> System Configuration -> SATA Operation -> RAID On vs AHCI
On Sat, Dec 24, 2022 at 3:59 AM David Christensen wrote: > On 12/23/22 23:16, Jeffrey Walton wrote: > > On Fri, Dec 23, 2022 at 10:29 PM David Christensen wrote: > >> [...] > >> When I boot the flash drive in a Dell Precision 3630 Tower that has > >> Windows 11 Pro installed on the internal NVMe drive, the internal PCIe > >> NVMe drive is not visible to Linux: > [...] > The M.2 2280 NVMe SSD and a slim DVD +/-RW drive are the only storage > devices in the computer. AFAICT there are no Optane devices. According to https://www.dell.com/us/dfb/p/precision-3630-workstation/pd, the machine has Optane. I believe that's the pseudo-RAID you are seeing in the UEFI setup screen. Maybe you can see the physical drives using raid utilities. Jeff
Re: Dell CMOS Setup -> System Configuration -> SATA Operation -> RAID On vs AHCI
On Fri, Dec 23, 2022 at 07:29:01PM -0800, David Christensen wrote: > debian-user: > > I have a SanDisk Ultra Fit USB 3.0 16 GB flash drive with Debian installed > on it EUFI, GPT, and Secure Boot. I use it for maintenance/ > trouble-shooting on newer computers. > > > When I boot the flash drive in a Dell Precision 3630 Tower that has Windows > 11 Pro installed on the internal NVMe drive, the internal PCIe NVMe drive is > not visible to Linux: > > 2022-12-23 19:16:13 root@bullseye ~ > # cat /etc/debian_version ; uname -a > 11.5 > Linux bullseye 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64 > GNU/Linux > > 2022-12-23 19:17:48 root@bullseye ~ > # lsblk > NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT > sda 8:01 14.9G 0 disk > |-sda1 8:11 953M 0 part /boot/efi > |-sda2 8:21 954M 0 part /boot > |-sda3 8:31 954M 0 part > | `-sda3_crypt 254:10 954M 0 crypt [SWAP] > `-sda4 8:41 11.2G 0 part > `-sda4_crypt 254:00 11.2G 0 crypt / > sr0 11:01 1024M 0 rom > > 2022-12-23 19:19:24 root@bullseye ~ > # l /dev/n* > /dev/null /dev/nvram > > /dev/net: > ./ ../ tun > > > STFW I see that the 'nvme' kernel module must be loaded. Doing so does not > resolve the issue: > > 2022-12-23 19:17:51 root@bullseye ~ > # modprobe nvme > > 2022-12-23 19:19:17 root@bullseye ~ > # lsmod | grep nvme > nvme 49152 0 > nvme_core 131072 1 nvme > t10_pi 16384 2 sd_mod,nvme_core > > 2022-12-23 19:19:21 root@bullseye ~ > # lsblk > NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT > sda 8:01 14.9G 0 disk > |-sda1 8:11 953M 0 part /boot/efi > |-sda2 8:21 954M 0 part /boot > |-sda3 8:31 954M 0 part > | `-sda3_crypt 254:10 954M 0 crypt [SWAP] > `-sda4 8:41 11.2G 0 part > `-sda4_crypt 254:00 11.2G 0 crypt / > sr0 11:01 1024M 0 rom > > 2022-12-23 18:46:19 root@laalaa ~/laalaa.tracy.holgerdanske.com > # l /dev/n* > /dev/null /dev/nvram > > /dev/net: > ./ ../ tun > > > The work-around is to change CMOS Setup -> System Configuration -> SATA > Operation from "RAID On: to "AHCI". The problem is that Windows needs the > former and it is a hassle to change the CMOS settings back and forth every > time I want to run Debian. If I change it to AHCI and forget to change it > back, Windows breaks. If and when I make this mistake on a client computer, > it will be very embarrassing. I want a portable Debian on a USB flash drive > or USB SSD to work on newer computers without changing the CMOS settings > that the factory set for Windows. > > > Comments or suggestions? > > > David You've been hit by the Dell configuration of Windows on their hardware, I suspect. This was noted a couple of years back when people couldn't install Debian on Dell laptops. The answer is probably to switch it - to obtain the recovery media you need to reinstall Windows / just download the .iso, switch it to AHCI and install Windows like that. I think it's _just_ a Dell funny. Andy - who's just done somthing almost identical to a second hand Thinkpad - putting it back to manufacturer's original installation media to ensure that I could install it my way. (And you've reminded me that I probably need to write a blog post on how to get Debian and Windows dual booting nicely with Bitlocker on Windows) All the very best, as ever, Andy Cater >
Re: colorscheme in vi
On 24/12/2022 03:49, Pierre Frenkiel wrote: if I put in .vimrc "colorscheme white" or any unknown color (qwert for example) I get a message "cannot find colorscheme xxx", but I have black on white characters with vim. I am curious what is the output of :colorscheme (without argument) when you do not set colorscheme in init files. Is it "default"? to get rid of the message, I replaced the vi binary by a script where stderr is redirected to /dev/null I would say it is quite rude. You may miss a message notifying you that you have some typo in a configuration file or even some severe runtime error.
SDDM display manager, two monitors out of order
I have two monitors side by side and they work nicely on my KDE Plasma desktop session. However, in SDDM display manager (login screen) the monitors are in wrong order. Below is a picture of the two situations. Arrows in the picture show how the mouse cursor travels from screen to screen. You need a fixed width font to see my character "art" correctly. SDDM login screen: >+-+ +-+ >| | | | > ---+---> | | ---+--> >| | | | >+-+ +-+ User's KDE Plasma session: >+-+ +-+ >| | | | >| ---+--+---> | >| | | | >+-+ +-+ It's only SDDM login screen so the problem is small but obviously it would be nicer if SDDM would have screens in the right order too. I know that I can add "xrandr" commands in SDDM startup scripts. I also know that I can psysically connect specific cables to specific monitors and change user's KDE Plasma session settings istead of SDDM. But I like my physical monitor hardware in this particular order and I would prefer the least hackish software configuration. My current best idea is to edit /etc/sddm.conf with lines something like: [X11] DisplayCommand=/root/bin/fix-monitor-order.sh And the script would execute "xrandr" with my preferred options and finally run the default setup file /usr/share/sddm/scripts/Xsetup. But that's not too nice for a desktop system. After all a major Linux desktop system should handle multiple monitors without such low-level hackery, right? -- /// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/ // OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462 signature.asc Description: PGP signature
xfce install
hi folks i am wrestling with a fresh 11.6-black-screen installation to get a xfce-desktop going. allthough I think I used from the commandline the most appropriate commands by apt i keep gretting the response 'cannot find xfce4' when i do btw sudo apt-get install xfce4. anhybody a solution for this? kind regarfs and thanks, steef groningen
Re: xfce install
On 12/24/22 05:24, steef van duin wrote: hi folks i am wrestling with a fresh 11.6-black-screen installation to get a xfce-desktop going. allthough I think I used from the commandline the most appropriate commands by apt i keep gretting the response 'cannot find xfce4' when i do btw sudo apt-get install xfce4. I do not have Sudo enabled, however when I run as root (su -) apt install xfce4 works for me anhybody a solution for this? kind regarfs and thanks, steef groningen
Re: xfce install
On Sat, 24 Dec 2022 14:24:03 +0100
steef van duin wrote:
Hello steef,
>gretting the response 'cannot find xfce4' when i
You don't say what installation medium you used or what method of
installation, but if you used either CD or DVD it might be that you still
have the installation disk(s) set as repository, and not an online repo.
If that's the case, it is possible that xfce may not be available to you.
For a start, check /etc/apt/sources.list and /etc/apt/sources.list.d/*
to find out what repos you're using.
--
Regards _ "Valid sig separator is {dash}{dash}{space}"
/ ) "The blindingly obvious is never immediately apparent"
/ _)rad "Is it only me that has a working delete key?"
Now would I say something that wasn't true?
Would I Lie To You - Eurythmics
pgpjVc7aoNUN3.pgp
Description: OpenPGP digital signature
Re: xfce install
steef van duin (12022-12-24): > i am wrestling with a fresh 11.6-black-screen installation to get a > xfce-desktop going. > > allthough I think I used from the commandline the most appropriate commands > by apt i keep gretting the response 'cannot find xfce4' when i do btw sudo > apt-get install xfce4. > anhybody a solution for this? When you ask for help about a command that failed, you do not make a sentence to explain, you copy-paste the command (including the shell prompt) and its output. Regards, -- Nicolas George signature.asc Description: PGP signature
Re: xfce install
On Sat, Dec 24, 2022 at 03:11:05PM +0100, Nicolas George wrote: > steef van duin (12022-12-24): > > i am wrestling with a fresh 11.6-black-screen installation to get a > > xfce-desktop going. > > > > allthough I think I used from the commandline the most appropriate commands > > by apt i keep gretting the response 'cannot find xfce4' when i do btw sudo > > apt-get install xfce4. > > anhybody a solution for this? > > When you ask for help about a command that failed, you do not make a > sentence to explain, you copy-paste the command (including the shell > prompt) and its output. This is especially true when the quoted error text is *clearly* made up. unicorn:~$ sudo apt-get install sdfhskdf Reading package lists... Done Building dependency tree... Done Reading state information... Done E: Unable to locate package sdfhskdf unicorn:~$ sdfhskdf bash: sdfhskdf: command not found Neither of these cases matches the OP's error text, so it's entirely unclear what command the OP actually ran, or what it did, or failed to do. However, I agree with the earlier suggestion that the sources.list file is the best starting point.
Re: xfce install
Greg Wooledge (12022-12-24): > Neither of these cases matches the OP's error text, so it's entirely > unclear what command the OP actually ran, or what it did, or failed to do. It could be a translation back to English. Which brings me to another piece of advice: Before asking for help about a command-line, type: unset LC_ALL export LC_MESSAGES=C … and re-run the command. > However, I agree with the earlier suggestion that the sources.list file > is the best starting point. Always when asking for help about anything related to apt, of course, you are right. Maybe material for the FAQ? Regards, -- Nicolas George signature.asc Description: PGP signature
Re: Self hosting solution for Christmas
On 24.12.2022 13:03, Andre Rodier wrote: Hello everyone, Here my present for Christmas: a new version of HomeBox, the self hosted email solution. Feel free to drop comments, create issues, update the docs, etc. I released this quickly before going on vacation, so you may find some issues. However, this is mostly stable, and the code is easy to modify. Also, you can now add and remove components individually, with an Ansible playbook. https://github.com/progmaticltd/homebox ... Merry Christmas, André Impressive feature list. Does it use MySQL or PostgreSQL for settings\configuration\users storage? I might give it a spin to take a peek under the hood and see how much of it could be customized and tailored for my needs. And also to compare it to other projects like say iRedMail or MailCow. Happy holidays! -- With kindest regards, Alexander. ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org ⠈⠳⣄
Re: xfce install
On Saturday, December 24, 2022 09:44:49 AM Nicolas George wrote: > Before asking for help about a command-line, type: > > unset LC_ALL > export LC_MESSAGES=C > > … and re-run the command. That sounds like good advice, but then the "user" (the person asking for help) needs to know how to restore his system, so instructions should be included to do that. (So if that is put in an FAQ, it should include the instructions to save and later restore his original settings. Presumably before the unset LC-ALL, a command should be run to find out the current "LC" settings, save them, and then restore them. -- rhk (sig revised 20221206) If you reply: snip, snip, and snip again; leave attributions; avoid HTML; avoid top posting; and keep it "on list". (Oxford comma (and semi-colon) included at no charge.) If you revise the topic, change the Subject: line. If you change the topic, start a new thread. Writing is often meant for others to read and understand (legal documents excepted?) -- make it easier for your reader by various means, including liberal use of whitespace (short paragraphs, separated by whitespace / blank lines) and minimal use of (obscure?) jargon, abbreviations, acronyms, and references. If someone has already responded to a question, decide whether any response you add will be helpful or not ... A picture is worth a thousand words. A video (or "audio"): not so much -- divide by 10 for each minute of video (or audio) or create a transcript and edit it to 10% of the original. A speaker who uses ahhs, ums, or such may have a real physical or mental disability, or may be showing disrespect for his listeners by not properly preparing in advance and thinking before speaking. (Remember Cicero who did not have enough time to write a short missive.) (That speaker might have been "trained" to do this by being interrupted often if he pauses.) A radio (or TV) station which broadcasts speakers with high pitched voices (or very low pitched / gravelly voices) (which older people might not be able to hear properly) disrespects its listeners. Likewise if it broadcasts extraneous or disturbing sounds (like gunfire or crying), or broadcasts speakers using their native language (with or without an overdubbed translation). A person who writes a sig this long probably has issues and disrespects (and offends) a large number of readers. ;-) '
Re: xfce install
On Sat, Dec 24, 2022 at 12:21:44PM -0500, rhkra...@gmail.com wrote: > On Saturday, December 24, 2022 09:44:49 AM Nicolas George wrote: > > Before asking for help about a command-line, type: > > > > unset LC_ALL > > export LC_MESSAGES=C > > > > … and re-run the command. > > That sounds like good advice, but then the "user" (the person asking for > help) > needs to know how to restore his system, so instructions should be included > to > do that. "Afterward, simply exit from this terminal." None of these changes are permanent. An even simpler set of instructions would be: 1) Open a new terminal, or run a new instance of your shell. 2) export LC_ALL=C 3) Run your comands. Paste the commands and their results into the body of your email. 4) Exit from this shell/terminal.
Re: Dell CMOS Setup -> System Configuration -> SATA Operation -> RAID On vs AHCI
On 12/24/22 01:21, Jeffrey Walton wrote: On Sat, Dec 24, 2022 at 3:59 AM David Christensen wrote: On 12/23/22 23:16, Jeffrey Walton wrote: On Fri, Dec 23, 2022 at 10:29 PM David Christensen wrote: [...] When I boot the flash drive in a Dell Precision 3630 Tower that has Windows 11 Pro installed on the internal NVMe drive, the internal PCIe NVMe drive is not visible to Linux: [...] The M.2 2280 NVMe SSD and a slim DVD +/-RW drive are the only storage devices in the computer. AFAICT there are no Optane devices. According to https://www.dell.com/us/dfb/p/precision-3630-workstation/pd, the machine has Optane. "Expandable and flexible: Scalable storage featuring SATA, SAS and PCIe NVMe SSDs can be configured for up to 28TB delivering top performance for complex projects. Plus, Intel® Optane™ Memory massively boosts your system’s responsiveness while keeping high capacity storage costs to a minimum." I believe that is marketing speak for "the computer supports Optane Memory", not "every machine comes with Optane Memory". I believe that's the pseudo-RAID you are seeing in the UEFI setup screen. Maybe you can see the physical drives using raid utilities. My expectation is that if I install two HDD's in the two lower HDD bays and connect them to the two black SATA connectors on the motherboard, I should be able to use the motherboard firmware Setup utility to configure the drives as non-RAID, RAID0, RAID1, and possibly JBOD. If I install a third drive in the front HDD bay, connect it to the motherboard white SATA connector, remove the DVD+/-RW drive, get a suitable 2.5" HDD bracket, install a 2.5" HDD, and connect it to the motherboard blue SATA connector, I might be able to configure the drives as RAID10. David
Re: Dell CMOS Setup -> System Configuration -> SATA Operation -> RAID On vs AHCI
On 12/24/22 02:39, Andrew M.A. Cater wrote: On Fri, Dec 23, 2022 at 07:29:01PM -0800, David Christensen wrote: debian-user: I have a SanDisk Ultra Fit USB 3.0 16 GB flash drive with Debian installed on it EUFI, GPT, and Secure Boot. I use it for maintenance/ trouble-shooting on newer computers. When I boot the flash drive in a Dell Precision 3630 Tower that has Windows 11 Pro installed on the internal NVMe drive, the internal PCIe NVMe drive is not visible to Linux: The work-around is to change CMOS Setup -> System Configuration -> SATA Operation from "RAID On: to "AHCI". You've been hit by the Dell configuration of Windows on their hardware, I suspect. This was noted a couple of years back when people couldn't install Debian on Dell laptops. The answer is probably to switch it - to obtain the recovery media you need to reinstall Windows / just download the .iso, switch it to AHCI and install Windows like that. I think it's _just_ a Dell funny. That might be the most pragmatic approach. The machine is an eBay purchase and has a Windows GML effective September 2017. So, there should be a Windows 10/11 product key in the motherboard firmware or TPM: https://www.microsoft.com/en-us/howtotell/hardware-pc-purchase Andy - who's just done somthing almost identical to a second hand Thinkpad - putting it back to manufacturer's original installation media to ensure that I could install it my way. (And you've reminded me that I probably need to write a blog post on how to get Debian and Windows dual booting nicely with Bitlocker on Windows) All the very best, as ever, Andy Cater David
apt-get under Kali Linux reports wrong data rate.
Dear People I have no idea who to report this issue to. Under latest build of Kali Linux i have noticed the download speed with apt-get commands, it shows K Bits/s and should in fact be K bits/s The difference between Bytes & Bits is important. N.B small b not capital B! KIDS! Please pass on to Debian & Kali developers this major error in download speeds. Regards Mark Edgar Sent with [Proton Mail](https://proton.me/) secure email.
Re: apt-get under Kali Linux reports wrong data rate.
On Sat, Dec 24, 2022 at 07:08:20PM +, Mark wrote: > I have no idea who to report this issue to. > > Under latest build of Kali Linux i have noticed the download speed with > apt-get commands, it shows K Bits/s and should in fact be K bits/s > The difference between Bytes & Bits is important. > > N.B small b not capital B! > KIDS! What evidence do you have to support this claim? apt-get shows "B/s" for me, which I'm assuming is Bytes per second. At no point does it ever say "Bits", nor would I expect a user-facing application that works with files to report bits per second. ii apt2.2.4amd64commandline package manager If your derivative hacker-centric OS is doing something different, then you should report it as a bug to YOUR operating system's support team. Not to the Debian end user mailing list.
Re: apt-get under Kali Linux reports wrong data rate.
On Sat, Dec 24, 2022 at 2:27 PM Mark <196...@protonmail.com> wrote: > > I have no idea who to report this issue to. For Kali issues, see https://www.kali.org/community/ Jeff
questions on iptables
Hello, I have setup the following iptables on linux server, sudo /usr/sbin/iptables -F sudo /usr/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT # my server public IP sudo /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -p tcp -j DROP These rules work for incoming connections. But if I made a request from this server box to the external server, such as rsync to another remote server, it won't work. So how can I set up the outgoing rules as well? Thanks and happy holidays~ Piper
Re: questions on iptables
On 25/12/22 10:14, Piperみかこ wrote: Hello, I have setup the following iptables on linux server, sudo /usr/sbin/iptables -F sudo /usr/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT # my server public IP sudo /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -p tcp -j DROP These rules work for incoming connections. But if I made a request from this server box to the external server, such as rsync to another remote server, it won't work. So how can I set up the outgoing rules as well? Thanks and happy holidays~ Piper It's not quite clear what you are doing. I guess your linux box is in your LAN and you have an external server on the internet? Anyway, it's usual to have a line like this to handle handshaking with external systems. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -- Jeremy
Re: questions on iptables
Piperみかこ wrote: > Hello, > > I have setup the following iptables on linux server, > > sudo /usr/sbin/iptables -F > sudo /usr/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT > sudo /usr/sbin/iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT # my server > public IP > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT > sudo /usr/sbin/iptables -A INPUT -p tcp -j DROP > > These rules work for incoming connections. > But if I made a request from this server box to the external server, such > as rsync to another remote server, it won't work. > > So how can I set up the outgoing rules as well? At boot time, there are three chains: INPUT FORWARD OUTPUT each has a policy which determines what happens if no other rule applies. FORWARD is only interesting if you are routing packets. INPUT controls incoming packets. OUTPUT controls outgoing packets. You can specify IPs, interfaces, protocols, ports, and a bunch of other things. -dsr-
Re: questions on iptables
Hello I have a server box who has public IP in the DC. My requirements, 1. allow access to ssh and http port on the server from external. 2. allow access to any services from the server to external. The #1 can be done by my rules already set. But #2 doesn't work. for instance, when rsync connection to another server from that box, it won't work (connection timeout). So how to ? Thanks On Sun, Dec 25, 2022 at 10:28 AM jeremy ardley wrote: > > On 25/12/22 10:14, Piperみかこ wrote: > > Hello, > > > > I have setup the following iptables on linux server, > > > > sudo /usr/sbin/iptables -F > > sudo /usr/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT > > sudo /usr/sbin/iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT # my server > > public IP > > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT > > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT > > sudo /usr/sbin/iptables -A INPUT -p tcp -j DROP > > > > These rules work for incoming connections. > > But if I made a request from this server box to the external server, > > such as rsync to another remote server, it won't work. > > > > So how can I set up the outgoing rules as well? > > > > Thanks and happy holidays~ > > > > Piper > > > It's not quite clear what you are doing. I guess your linux box is in > your LAN and you have an external server on the internet? > > Anyway, it's usual to have a line like this to handle handshaking with > external systems. > > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > > -- > Jeremy > >
Re: questions on iptables
=?UTF-8?B?UGlwZXLjgb/jgYvjgZM=?= writes: > > sudo /usr/sbin/iptables -F > sudo /usr/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT > sudo /usr/sbin/iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT # my server > public IP > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT > sudo /usr/sbin/iptables -A INPUT -p tcp -j DROP > iptables -F iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited iptables-save > /etc/iptables/rules.v4 ip6tables -F ip6tables -P INPUT ACCEPT ip6tables -P FORWARD ACCEPT ip6tables -P OUTPUT ACCEPT ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ip6tables -A INPUT -p ipv6-icmp -j ACCEPT ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A INPUT -p tcp -âdport 22 -j ACCEPT ip6tables -A INPUT -p tcp -âdport 80 -j ACCEPT ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited ip6tables-save > /etc/iptables/rules.v6 And, look in /etc/iptables to make sure, and reboot; then check for outbound connections with a browser. (Note how icmp is handled-it is required.) John -- John Conover, cono...@panix.com, http://www.johncon.com/
Re: questions on iptables
John Conover writes: > =?UTF-8?B?UGlwZXLjgb/jgYvjgZM=?= writes: > > > > sudo /usr/sbin/iptables -F > > sudo /usr/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT > > sudo /usr/sbin/iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT # my server > > public IP > > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT > > sudo /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT > > sudo /usr/sbin/iptables -A INPUT -p tcp -j DROP > > > > iptables -F > iptables -P INPUT ACCEPT > iptables -P FORWARD ACCEPT > iptables -P OUTPUT ACCEPT > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > iptables -A INPUT -p icmp -j ACCEPT > iptables -A INPUT -i lo -j ACCEPT > iptables -A INPUT -p tcp --dport 22 -j ACCEPT > iptables -A INPUT -p tcp --dport 80 -j ACCEPT > iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited > iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited > iptables-save > /etc/iptables/rules.v4 > > ip6tables -F > ip6tables -P INPUT ACCEPT > ip6tables -P FORWARD ACCEPT > ip6tables -P OUTPUT ACCEPT > ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > ip6tables -A INPUT -p ipv6-icmp -j ACCEPT > ip6tables -A INPUT -i lo -j ACCEPT > ip6tables -A INPUT -p tcp -âdport 22 -j ACCEPT > ip6tables -A INPUT -p tcp -âdport 80 -j ACCEPT > ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited > ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited > ip6tables-save > /etc/iptables/rules.v6 > > And, look in /etc/iptables to make sure, and reboot; then check for > outbound connections with a browser. (Note how icmp is handled-it is > required.) > Sorry, cut from my machine docs. The two ipv6 statement should obviously be: ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT Also, if you have root access on another machine, for assurance: nmap -4 -Pn -sS -v -v IPV4_ADDRESS nmap -4 -Pn -sU -v -v IPV4_ADDRESS nmap -6 -Pn -sS -v -v IPV6_ADDRESS nmap -6 -Pn -sU -v -v IPV6_ADDRESS will take a lot of time to run, and should only find the two open ports. John -- John Conover, cono...@panix.com, http://www.johncon.com/
Re: questions on iptables
Thanks John. The following rules seem to work for me now. sudo /usr/sbin/iptables -F sudo /usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT sudo /usr/sbin/iptables -A INPUT -p icmp -j ACCEPT sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT sudo /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited are there any problems with my setting above? Thanks
