Posts Tagged ‘Linux’


January 31, 2011

Hello there true believers, been a while since I’ve written something here.

A quick FYI for those who want to use SVN from inside a network that forces all traffic through an HTTP proxy.
Out of the box it most likely won't work. The native svn:// protocol uses its own port (3690) and an HTTP proxy cannot carry it at all, and for http:// or https:// repositories Subversion does not pick up the proxy from your browser settings or the http_proxy environment variable; it only uses what is in its own servers configuration file.
So a checkout, update or commit from such a network stops with a message that SVN couldn't connect. Uh oh spaghetti-oh. :)
On my Ubuntu 10.04 machine, what I do is open (as root, via sudo) the file:


and uncomment (or add, if the following are not present) these parameters:

http-proxy-host =
http-proxy-port = port


http-proxy-host =
http-proxy-port = 8080

I save the file, then try SVN again. Voila. I'm back to coding again. :)
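The same settings written by a small script, as an added example that is not part of the original post: it creates a private Subversion configuration directory containing a servers file with the proxy entries and points svn at it with --config-dir, so the settings can be tried before the real file (per user under ~/.subversion, or system-wide under /etc/subversion) is touched. proxy.example.com, port 8080 and *.corp.example are placeholders. Two things worth knowing before relying on this: it only helps http:// and https:// repository URLs, never svn://, and with plain http:// the proxy sees your credentials and every commit in the clear, whereas https:// passes through it as an opaque CONNECT tunnel.

```sh
#!/bin/sh
# Added example (not from the original post): write the proxy settings into a
# private Subversion configuration directory and point svn at it with
# --config-dir, so the settings can be tested without editing the real servers
# file. proxy.example.com, 8080 and *.corp.example are placeholders.

svn_proxy_config() {  # $1 config dir, $2 proxy host, $3 proxy port, $4 hosts that bypass the proxy
  case $3 in
    ''|*[!0-9]*) echo "proxy port must be numeric, got '$3'" >&2; return 2 ;;
  esac
  mkdir -p "$1" || return 1
  # Keys under [global] apply to every server; a [groups] section can scope
  # them to named hosts instead. http-proxy-exceptions keeps internal
  # repositories off the proxy entirely.
  cat > "$1/servers" <<EOF
[global]
http-proxy-host = $2
http-proxy-port = $3
http-proxy-exceptions = ${4:-}
EOF
}

svn_proxy_setting() {  # $1 config dir, $2 key; prints the configured value
  sed -n "s/^$2 *= *//p" "$1/servers"
}

demo_dir=$(mktemp -d)
svn_proxy_config "$demo_dir" proxy.example.com 8080 "*.corp.example, localhost"
cat "$demo_dir/servers"
echo "try it with: svn --config-dir $demo_dir checkout https://svn.example.com/repo/trunk"
rm -rf "$demo_dir"
```

Once a checkout through the temporary directory works, copy the three lines into the real servers file; the per-user file needs no sudo.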


Virtualbox shared folder access: Mac OS X host with Ubuntu 10.04 as guest

November 13, 2010

Whew. It's been a while since I've done anything here. :) Now it's time for some geeky blogging (and so much more, soon) once again, my friends. :)

Tech specs of the setup


Mac OS X Version 10.5.8

$ uname -a

Darwin theorylabs-P-System-iMac.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386

VirtualBox (non-OSE version, but still free) Version 3.2.10 r66523


Ubuntu Lucid Lynx 10.04 32bit

Setting it up

Essentially, just add a shared folder in VirtualBox, whether the VM is running or not (the shared folder dialog is also where you choose read-only or read/write access). In the guest OS, create a directory where the host's files are to be mounted.

Then make sure the guest additions are installed in the guest OS. This is quickly done by mounting the Guest Additions ISO in the guest and letting Ubuntu 10.04 detect its autorun script. Ubuntu warns that running scripts from media can pose a threat to your system; that is fine here because the ISO is Oracle's own image shipped with VirtualBox, but it is the right warning to heed for any other medium. Otherwise, you can run the script by double-clicking it or from a terminal.

Once the guest additions have been successfully installed, the following command should mount the host OS’s folder onto the newly created folder in the guest OS which we just created from above:

sudo mount -t vboxsf virtualbox_shared_folder_name guest_os_directory_path

Where virtualbox_shared_folder_name is the share name you entered in the VirtualBox shared folder setting, which is not necessarily the real name of the directory you are sharing from Mac OS X, and guest_os_directory_path is the directory created in the guest above. The mount is owned by root by default; add -o uid=$(id -u),gid=$(id -g) so your own account can use it. If the guest only needs to read, mark the share read-only on the host side: a guest-side -o ro can be undone by the guest's root, and anything written through a read/write share lands directly on the host's filesystem.

A note from the VirtualBox forums: several users say that changing directory to / (the root of the filesystem) in the guest OS before mounting helps, although this wasn't the case for me.

Hope that helps, ladies and gents. Questions are very much welcome. :)


IPCop Linux, route command, and network routing

September 16, 2009

This short post is about the dilemma a coworker of mine had this morning regarding network packets and a not fully functional IPCop Linux installation.

The Dilemma

The server runs IPCop, which turns a PC into a firewall appliance. The IPCop box has two NICs, eth0 and eth1. eth0 is connected to a Class A private LAN (a 10.0.0.0/8 address) while eth1 has a public Class C address facing the Internet. The problem: the Internet is reachable (Google, Yahoo! etc.) but machines on the private LAN are not. The private LAN's gateway returns ping replies, but the DNS server does not.

Detective Work (i.e. Troubleshooting)

What I did was to check all possible causes for this problem: restart the network, check the logs for error messages and so on, though some of these had already been done; I just wanted to be doubly sure myself. I next checked the firewall using the iptables command. There were tens of lines of firewall rules, along with numerous chains. Since I was in a hurry at the time, I decided to skip the detailed checking of the firewall rules for the moment, even though I have experience dealing directly with iptables rather than with the higher-level application firewalls that just modify it. Next I tried to ping the DNS server again. Adding -v to the ping command to make it more verbose, I noticed that packets were being successfully sent to the DNS server, but no packets were coming back. I thought to myself that the iptables firewall is one good suspect for this, but I'd try a few more checks before going into the nitty-gritty of iptables firewall rules. I did ifconfig ethX up and then down, but to no avail. Replace the X with the NIC number you wish to bring up/down.

The Fix

I next checked the routing table using the very useful route command. The static IP routes looked fine, but I noticed the table was rather incomplete, given that the box has 2 NICs. What I mean by incomplete is that the public Class C network has routes for traffic going in and out of the destination network and host, but the private LAN doesn't have a route for traffic going into the IPCop server; it only has a route for traffic coming from the Class A private LAN NIC. Bingo was its name-o. :) Apparently the reason the ping packets weren't making their way back to the IPCop server was that they weren't being routed correctly back to the IPCop server itself. This was further supported by using the traceroute command. I traceroute-ed the private LAN DNS server and, as expected, the routing of the packet was all messed up. The traceroute packets for the private LAN DNS server were exiting through eth1, out to the public Internet. No wonder it didn't have a private LAN connection! :)

So the fix was to add a correct route to the routing table using the route command. The new route should, well, route packets for the private LAN correctly, making sure that Class A private LAN traffic enters and exits via the eth0 NIC. To do this the command

route add -net NETWORK netmask NETMASK gw GATEWAY

was used. Just replace NETWORK, NETMASK, and GATEWAY with the appropriate values for your network. In our case, NETWORK was the destination host ( the local machine, given by and GATEWAY was the gateway of the Class A network of the private LAN.

Sure enough, after adding that static route, the Class A private LAN became accessible. :)

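The egress-interface check below is an added example, not part of the original post. It reproduces the symptom from a `route -n` style table and shows the same table after the fix, using constructed addresses: 203.0.113.0/24 stands in for the public Class C side, 10.0.0.0/8 for the private LAN and 10.1.1.1 for the LAN gateway. The point worth keeping from the story above is that a missing internal route does not just break connectivity; packets for the private LAN leave through the public interface, so internal addresses and DNS queries go out towards the ISP.

```sh
#!/bin/sh
# Added example (not from the original post): decide, from a `route -n` style
# table, which interface a destination would leave through, and use that to
# catch the IPCop symptom above: private-LAN traffic falling through to the
# default route on the public NIC. Addresses are constructed; 203.0.113.0/24 is
# a documentation range standing in for the public side, 10.0.0.0/8 for the LAN.

# Broken table: eth0 only knows its own /24, so 10.x hosts on other subnets
# behind the LAN gateway match nothing but the default route via eth1.
TABLE_BROKEN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1'

# Same table after: route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.1.1.1 dev eth0
TABLE_FIXED="$TABLE_BROKEN
10.0.0.0        10.1.1.1        255.0.0.0       UG    0      0        0 eth0"

# Longest-prefix match in POSIX awk (no bitwise operators, so the mask is
# applied by rounding the address down to the start of its 2^(32-len) block).
route_iface() {  # $1 table text, $2 IPv4 destination; prints the egress interface
  printf '%s\n' "$1" | awk -v dst="$2" '
    function ip2int(s,   p) { split(s, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    function masklen(m,   n, b) { n = ip2int(m); b = 0; while (n > 0) { b += n % 2; n = int(n / 2) } return b }
    BEGIN { best = -1; iface = "" }
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }   # skip banner and header lines
    {
      len = masklen($3); block = 2 ^ (32 - len)
      if (int(ip2int(dst) / block) * block == ip2int($1) && len > best) { best = len; iface = $8 }
    }
    END { print iface }'
}

# Fail when a host on the private LAN would leave through anything but $2.
check_lan_route() {  # $1 table text, $2 LAN interface, $3 LAN host to test
  via=$(route_iface "$1" "$3")
  if [ "$via" = "$2" ]; then
    echo "ok: $3 via $via"
  else
    echo "LEAK: $3 would exit via ${via:-nothing}, expected $2" >&2
    return 1
  fi
}

check_lan_route "$TABLE_BROKEN" eth0 10.200.5.53 || true   # LEAK: ... via eth1
check_lan_route "$TABLE_FIXED"  eth0 10.200.5.53           # ok: 10.200.5.53 via eth0
```

With iproute2 the same fix is `ip route add 10.0.0.0/8 via 10.1.1.1 dev eth0`. Either way a route added on the command line is gone after a reboot, so it also has to go wherever your distribution or IPCop keeps persistent static routes, and this check is worth re-running afterwards.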

In Linux, no cpu-z you see…

June 22, 2009

… which may be bad at first, but isn't if you know how powerful Linux is. You don't really need to acquire cpu-z-like software, unless of course you're freaked out by the command line (which we'll use here). Linux (at least with kernel versions 2.6 and above) has quite an array of commands that give you most of the info cpu-z gives you on a Window$ box, sometimes less, sometimes more. These commands are especially useful when (as was my case a week ago, which is how I came to find out about them) there's no graphical interface, because you're administering the box remotely or the server simply has no graphical server/service installed.

To list information about the CPU enter the command

cat /proc/cpuinfo

To list your PCI devices type the command


To acquire information about your installed memory/RAM sticks or modules, one command to do this is

sudo dmidecode --type 17

To check your hard drives, the following commands give you loads of info

grep -E '^ *8 ' /proc/diskstats
df -hT
ls -lh /dev/disk/by-path/
ls -lh /dev/disk/by-id/
ls -lh /dev/disk/by-uuid/
cat /proc/scsi/scsi

You can then find out disk info by running the following on each node listed (the device name is in the third column of /proc/diskstats; major number 8 is the sd* driver):

sudo fdisk -l /dev/NODE (e.g. sudo fdisk -l /dev/sda for SCSI or SATA drives, which the 2.6 libata drivers also present as sdX)
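As an added example, not from the original post: two helpers that take the raw text of the files above (samples constructed inline) and give an administrator something to act on. diskstats_disks prints only the whole-disk nodes to feed to fdisk -l, and hw_fingerprint checksums an inventory with the volatile lines removed, so a run taken now can be compared with one taken later and a swapped disk or CPU shows up as a changed number. The major/minor convention it relies on (major 8, 16 minors per disk) is that of the Linux sd driver.

```sh
#!/bin/sh
# Added example (not from the original post): turn the raw /proc output above
# into something an administrator can act on. diskstats_disks picks the
# whole-disk nodes to feed to fdisk -l, and hw_fingerprint hashes an inventory
# with the volatile fields removed, so a later run can be compared against a
# baseline to spot a swapped disk or CPU. Sample text is constructed.

# /proc/diskstats excerpt: major 8 is the sd* driver and each disk owns 16
# minors, so minor % 16 == 0 is the whole disk and the others are partitions.
SAMPLE_DISKSTATS='   8       0 sda 2091 523 50742 9344 301 4410 37688 52764 0 9092 62108
   8       1 sda1 2058 503 50006 9264 301 4410 37688 52764 0 9028 62028
   8      16 sdb 35 0 280 80 0 0 0 0 0 80 80
   8      17 sdb1 12 0 96 40 0 0 0 0 0 40 40
 253       0 dm-0 1890 0 49290 9100 4711 0 37688 60000 0 9000 69100'

# Two /proc/cpuinfo excerpts that differ only in the clock, which moves with
# frequency scaling and must not register as a hardware change; a third with
# a different CPU model, which must.
SAMPLE_CPUINFO_A='processor   : 0
vendor_id   : GenuineIntel
model name  : Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
cpu MHz     : 2000.000
bogomips    : 5999.51
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep'
SAMPLE_CPUINFO_B=$(printf '%s\n' "$SAMPLE_CPUINFO_A" | sed 's/^cpu MHz .*/cpu MHz     : 3000.000/')
SAMPLE_CPUINFO_C=$(printf '%s\n' "$SAMPLE_CPUINFO_A" | sed 's/E8400/E8500/')

diskstats_disks() {  # $1 diskstats text; prints whole-disk names (third column)
  printf '%s\n' "$1" | awk '$1 == 8 && $2 % 16 == 0 { print $3 }'
}

# cksum is POSIX and enough to detect drift; swap in sha256sum where available
# if the baseline itself could be tampered with.
hw_fingerprint() {  # $1 inventory text; prints a checksum with volatile lines dropped
  printf '%s\n' "$1" | grep -v -E '^(cpu MHz|bogomips)' | cksum | awk '{ print $1 }'
}

# Live use: list the disks, then point fdisk at each node that exists.
if [ -r /proc/diskstats ]; then
  for d in $(diskstats_disks "$(cat /proc/diskstats)"); do
    if [ -e "/dev/$d" ]; then echo "disk: /dev/$d (sudo fdisk -l /dev/$d for its partitions)"; fi
  done
fi
echo "cpu fingerprint: $(hw_fingerprint "$(cat /proc/cpuinfo 2>/dev/null)")"
```

To build a baseline, concatenate the outputs of the commands in this post (cpuinfo, lspci, dmidecode, the diskstats disks) into one text, fingerprint it, and keep the number with the machine's records; the same pipeline run later tells you in one comparison whether anything in the box changed.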

There are quite a lot more commands for getting information about the hardware you are running, without shutting the machines down to open them up and check the hardware yourself, and without digging out the hardware's manual (locally or online) just to get that info. Good especially for sysadmins like me. :)

Pretty Practicable PDF Tricks In Linux

March 23, 2009

I still don't have quite enough time to write a more or less decent technology, philosophy or science/math related post, but I want to put this on my blog for the sake of reference again (as with most, if not all, of my blog entries).

My Dilemma

I have a copy of a PDF file from which I want to share only some parts with my lab exercise partner (for reasons I can't exactly divulge on the public Internet). So I Googled around for how to manipulate a PDF, specifically to pluck/extract specific pages from a PDF file and still output the extracted pages as PDF file/s themselves. Then I found pdftk. Fantastic tool. Really.

Why Is It Fantastic?

Here are a few reasons why:

For such a small (more or less) package (3408kB in my Ubuntu 8.10 installation), it does a lot. The reference article linked below puts it this way:

Developer Sid Steward describes pdftk as the PDF equivalent of an “electronic staple remover, hole punch, binder, secret decoder ring, and X-ray glasses.” Pdftk can join and split PDFs; pull single pages from a file; encrypt and decrypt PDF files; add, update, and export a PDF’s metadata; export bookmarks to a text file; add or remove attachments to a PDF; fix a damaged PDF; and fill out PDF forms. In short, there’s very little pdftk can’t do when it comes to working with PDFs.

Swiss army knife of PDF files anyone? And thankfully, it’s free and open source. The above quotes are from, and a lot of us know that once something gets posted on, it’s more or less worthwhile to learn, more so to read at the very least. pdftk is a command line tool (sorry, but check out my further references below).

And installing it is just simply

sudo apt-get install pdftk

in my Ubuntu 8.04 and 8.10 installations. Again, quoting from, here are some very useful (at least to me) things you can do with pdftk. Of course, with a bit of knowledge in scripting or programming (bash, php, python etc) you can work wonders with this tool:

Joining files

Pdftk’s ability to join two or more PDF files is on par with such specialized applications as pdfmeld and joinPDF (discussed in this article). The command syntax is simple:

pdftk file1.pdf file2.pdf cat output newFile.pdf

cat is short for concatenate — that is, link together, for those of us who speak plain English — and output tells pdftk to write the combined PDFs to a new file.

Pdftk doesn’t retain bookmarks, but it does keep hyperlinks to both destinations within the PDF and to external files or Web sites. Where some other applications point to the wrong destinations for hyperlinks, the links in PDFs combined using pdftk managed to hit each link target perfectly.

Splitting files

Splitting PDF files with pdftk was an interesting experience. The burst option breaks a PDF into multiple files — one file for each page:

pdftk user_guide.pdf burst

I don’t see the use of doing that, and with larger documents you wind up with a lot of files with names corresponding to their page numbers, like pg_0001 and pg_0013 — not very intuitive.

On the other hand, I found pdftk’s ability to remove specific pages from a PDF file to be useful. For example, to remove pages 10 to 25 from a PDF file, you’d type the following command:

pdftk myDocument.pdf cat 1-9 26-end output removedPages.pdf
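The "share some pages only" task from the dilemma above, as an added example (not code from the original post or from the pdftk project). It validates the page range against the grammar the man page describes before word-splitting it onto the command line, blanks the Info-dictionary metadata of the extract with dump_data/update_info so the author and title of the source do not travel with it, and encrypts the result with a user password entered at a PROMPT so the password never appears in ps output or shell history. The dump_data text is constructed and the file names are placeholders. Two caveats the man page below bears out: an owner password alone (owner_pw, as in the article's own examples) only sets permission flags that a viewer is free to ignore, because the document is still openable with an empty user password; to keep pages from someone you need a user password they do not have. And encrypt_40bit is 40-bit RC4, which ordinary hardware can brute-force within a day, so leave the 128-bit default alone.

```sh
#!/bin/sh
# Added example (not from the original post or the pdftk project): the
# "share only some pages" task done carefully. The page range is validated
# before it is word-split onto the pdftk command line, the extract's Info
# metadata is blanked with dump_data/update_info, and the result is encrypted
# with a user password entered at a prompt rather than passed as an argument.
# File names are placeholders; the dump_data text is constructed.

SAMPLE_DUMP='InfoKey: Author
InfoValue: J. Doe
InfoKey: Title
InfoValue: Lab exercise 3 - full solution
InfoKey: Producer
InfoValue: pdfTeX-1.40.3
PdfID0: 9e6b2c2f0f6a4c3b8d5e1a7c9b0d2e4f
PdfID1: 9e6b2c2f0f6a4c3b8d5e1a7c9b0d2e4f
NumberOfPages: 40'

# pdftk page-range grammar from the man page (single input, no handles): page
# or page-page, optional even/odd qualifier and N/S/E/W/L/R/D rotation,
# ranges separated by spaces. Anything else, e.g. a shell metacharacter, fails.
valid_page_ranges() {
  printf '%s' "$1" | grep -Eq '^([0-9]+|end)(-([0-9]+|end))?(even|odd)?[NSEWLRD]?( +([0-9]+|end)(-([0-9]+|end))?(even|odd)?[NSEWLRD]?)*$'
}

blank_info_values() {  # $1 dump_data text; every InfoValue emptied, IDs and counts kept
  printf '%s\n' "$1" | sed 's/^InfoValue:.*$/InfoValue:/'
}

count_info_values() {  # $1 dump_data text; how many Info entries still carry data
  printf '%s\n' "$1" | grep -c '^InfoValue: ..*' || true
}

share_pages() {  # $1 source.pdf, $2 page ranges, $3 output.pdf
  valid_page_ranges "$2" || { echo "rejected page range: $2" >&2; return 2; }
  command -v pdftk >/dev/null 2>&1 || { echo "pdftk is not installed" >&2; return 3; }
  work=$(mktemp -d) || return 1
  # shellcheck disable=SC2086  # the validated range is split into words on purpose
  pdftk "$1" cat $2 output "$work/extract.pdf" &&
    blank_info_values "$(pdftk "$work/extract.pdf" dump_data)" > "$work/info.txt" &&
    pdftk "$work/extract.pdf" update_info "$work/info.txt" output "$work/clean.pdf" &&
    pdftk "$work/clean.pdf" output "$3" user_pw PROMPT owner_pw PROMPT
  rc=$?
  rm -rf "$work"
  return $rc
}

valid_page_ranges "1-9 26-end" && echo "range accepted"
valid_page_ranges "1-9; rm -rf /" || echo "range rejected"
echo "info values before: $(count_info_values "$SAMPLE_DUMP"), after: $(count_info_values "$(blank_info_values "$SAMPLE_DUMP")")"
# share_pages lab.pdf "3-7 12" extract.pdf   # prompts twice for the passwords
```

The man page notes that update_info leaves any XMP metadata stream alone, so a document that carries XMP can still name its author there; check for one separately before trusting the cleaned file.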

Updated Man page

For all the geeks and geekettes out there (no this sub heading is not sexist), here’s an updated man page from my Ubuntu 8.10 server installation:

PDFTK(1)                                                                                                                          PDFTK(1)

pdftk – A handy tool for manipulating PDF

pdftk <input PDF files | – | PROMPT>
[input_pw <input PDF owner passwords | PROMPT>]
[<operation> <operation arguments>]
[output <output filename | – | PROMPT>]
[encrypt_40bit | encrypt_128bit]
[allow <permissions>]
[owner_pw <owner password | PROMPT>]
[user_pw <user password | PROMPT>]
[flatten] [compress | uncompress]
[keep_first_id | keep_final_id] [drop_xfa]
[verbose] [dont_ask | do_ask]
<operation> may be empty, or:
[cat | attach_files | unpack_files | burst |
fill_form | background | stamp | generate_fdf
dump_data | dump_data_fields | update_info]

For Complete Help: pdftk --help

If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses.
Pdftk is a simple tool for doing everyday things with PDF documents.  Use it to:

* Merge PDF Documents
* Split PDF Pages into a New Document
* Rotate PDF Documents or Pages
* Decrypt Input as Necessary (Password Required)
* Encrypt Output as Desired
* Fill PDF Forms with X/FDF Data and/or Flatten Forms
* Generate FDF Data Stencil from PDF Forms
* Apply a Background Watermark or a Foreground Stamp
* Report PDF Metrics such as Metadata and Bookmarks
* Update PDF Metadata
* Attach Files to PDF Pages or the PDF Document
* Unpack PDF Attachments
* Burst a PDF Document into Single Pages
* Uncompress and Re-Compress Page Streams
* Repair Corrupted PDF (Where Possible)

A summary of options is included below.

--help, -h
Show summary of options.

<input PDF files | – | PROMPT>
A list of the input PDF files. If you plan to combine these PDFs (without using handles) then list files in  the  order  you
want them combined. Use - to pass a single PDF into pdftk via stdin. Input files can be associated with handles, where a
handle is a single, upper-case letter:

<input PDF handle>=<input PDF filename>

Handles are often omitted.  They are useful when specifying PDF passwords or page ranges, later.

For example: A=input1.pdf B=input2.pdf

[input_pw <input PDF owner passwords | PROMPT>]
Input PDF owner passwords, if necessary, are associated with files by using their handles:

<input PDF handle>=<input PDF file owner password>

If handles are not given, then passwords are associated with input files by order.

Most pdftk features require that encrypted input PDF are accompanied by the ~owner~ password. If the input PDF has no  owner
password,  then  the  user  password  must be given, instead.  If the input PDF has no passwords, then no password should be

When running in do_ask mode, pdftk will prompt you for a password if the supplied password is incorrect or none was given.

[<operation> <operation arguments>]
If this optional argument is omitted, then pdftk runs in ’filter’ mode.  Filter mode takes only one PDF input and creates  a
new PDF after applying all of the output options, like encryption and compression.

Available operations are: cat, attach_files, unpack_files, burst, fill_form, background, stamp, dump_data, dump_data_fields,
generate_fdf, update_info. Some operations takes additional arguments, described below.

cat [<page ranges>]
Catenates pages from input PDFs to create a new PDF.  Page order in the new PDF is specified by the order  of  the  given
page ranges.  Page ranges are described like this:

<input PDF handle>[<begin page number>[-<end page number>[<qualifier>]]][<page rotation>]

Where the handle identifies one of the input PDF files, and the beginning and ending page numbers are one-based references to pages in the PDF file, and the qualifier can be even or odd, and the page rotation can be N, S, E, W, L, R, or
If the handle is omitted from the page range, then the pages are taken from the first input PDF.

The  even  qualifier  causes  pdftk  to  use only the even-numbered PDF pages, so 1-6even yields pages 2, 4 and 6 in that
order.  6-1even yields pages 6, 4 and 2 in that order.

The odd qualifier works similarly to the even.

The page rotation setting can cause pdftk to rotate pages and documents.  Each option sets the page rotation  as  follows
(in  degrees):  N:  0,  E: 90, S: 180, W: 270, L: -90, R: +90, D: +180. L, R, and D make relative adjustments to a page’s

If no arguments are passed to cat, then pdftk combines all input PDFs in the order they were given to create the  output.

* <end page number> may be less than <begin page number>.
* The keyword end may be used to reference the final page of a document instead of a page number.
* Reference a single page by omitting the ending page number.
* The handle may be used alone to represent the entire PDF document, e.g., B1-end is the same as B.

Page Range Examples w/o Handles:
1-endE - rotate entire document 90 degrees
5 11 20
5-25oddW - take odd pages in range, rotate 90 degrees

Page Range Examples Using Handles:
Say A=in1.pdf B=in2.pdf, then:
A1-21 Beven A72
AW - rotate entire document 90 degrees
A2-30evenL - take the even pages from the range, remove 90 degrees from each page's rotation
AevenW AoddE

attach_files <attachment filenames | PROMPT> [to_page <page number | PROMPT>]
Packs  arbitrary  files  into  a  PDF  using PDF’s file attachment features. More than one attachment may be listed after
attach_files. Attachments are added at the document level unless the optional to_page option is given, in which case  the
files are attached to the given page number (the first page is 1, the final page is end). For example:

pdftk in.pdf attach_files table1.html table2.html to_page 6 output out.pdf

unpack_files [output <output directory | PROMPT>]
Copies all of the attachments from the input PDF into the current folder or to an output directory given after output.
For example:

pdftk report.pdf unpack_files output ~/atts/

or, interactively:

pdftk report.pdf unpack_files output PROMPT

burst  Splits a single, input PDF document into individual pages. Also creates a report named doc_data.txt which is the same as
the output from dump_data. If the output section is omitted, then PDF pages are named: pg_%04d.pdf, e.g.: pg_0001.pdf,
pg_0002.pdf, etc. To name these pages yourself, supply a printf-styled format string via the output section. For example,
if you want pages named: page_01.pdf, page_02.pdf, etc., pass output page_%02d.pdf to pdftk. Encryption can be applied to
the output by appending output options such as owner_pw, e.g.:

pdftk in.pdf burst owner_pw foopass

fill_form <FDF data filename | XFDF data filename | – | PROMPT>
Fills the single input PDF’s form fields with the data from an FDF file, XFDF file or  stdin.  Enter  the  data  filename
after fill_form, or use – to pass the data via stdin, like so:

pdftk form.pdf fill_form data.fdf output form.filled.pdf

After  filling  a  form, the form fields remain interactive unless you also use the flatten output option. flatten merges
the form fields with the PDF pages. You can use flatten alone, too, but only on a single PDF:

pdftk form.pdf fill_form data.fdf output out.pdf flatten


pdftk form.filled.pdf output out.pdf flatten

If the input FDF file includes Rich Text formatted data in addition to plain text, then the Rich Text data is packed into
the form fields as well as the plain text. Pdftk also sets a flag that cues Acrobat/Reader to generate new field appearances
based on the Rich Text data. That way, when the user opens the PDF, the viewer will create the Rich Text fields on the
spot. If the user's PDF viewer does not support Rich Text, then the user will see the plain text data instead. If you
flatten this form before Acrobat has a chance to create (and save) new field appearances, then the plain text field data
is what you'll see.

background <background PDF filename | – | PROMPT>
Applies  a  PDF  watermark  to the background of a single input PDF.  Pass the background PDF’s filename after background
like so:

pdftk in.pdf background back.pdf output out.pdf

Pdftk uses only the first page from the background PDF and applies it to every page of  the  input  PDF.   This  page  is
scaled and rotated as needed to fit the input page. You can use - to pass a background PDF into pdftk via stdin.

If the input PDF does not have a transparent background (such as a PDF created from page scans) then the resulting
background won't be visible; use the stamp feature instead.

stamp <stamp PDF filename | – | PROMPT>
This behaves just like the background feature except it overlays the stamp PDF page on top of the  input  PDF  document’s
pages.  This works best if the stamp PDF page has a transparent background.

dump_data
Reads a single, input PDF file and reports various statistics, metadata, bookmarks (a/k/a outlines), and page labels to
the given output filename or (if no output is given) to stdout.  Does not create a new PDF.

dump_data_fields
Reads a single, input PDF file and reports form field statistics to the given output filename or (if no output is given)
to stdout.  Does not create a new PDF.

generate_fdf
Reads a single, input PDF file and generates a FDF file suitable for fill_form out of it to the given output filename or
(if no output is given) to stdout.  Does not create a new PDF.

update_info <info data filename | – | PROMPT>
Changes the metadata stored in a single PDF’s Info dictionary to match the input data file. The input data file uses  the
same  syntax  as  the  output from dump_data. This does not change the metadata stored in the PDF’s XMP stream, if it has
one. For example:

pdftk in.pdf update_info output out.pdf

[output <output filename | – | PROMPT>]
The output PDF filename may not be set to the name of an input filename. Use - to output to stdout. When using the
dump_data operation, use output to set the name of the output data file. When using the unpack_files operation, use output
to set the name of an output directory. When using the burst operation, you can use output to control the resulting PDF
page filenames (described above).

[encrypt_40bit | encrypt_128bit]
If an output PDF user or owner password is given, output PDF encryption strength defaults to 128 bits. This can be
overridden by specifying encrypt_40bit.

[allow <permissions>]
Permissions are applied to the output PDF only if an encryption strength is specified or an owner or user password is given.
If permissions are not specified, they default to ’none,’ which means all of the following features are disabled.

The permissions section may include one or more of the following features:

Top Quality Printing

Lower Quality Printing

Also allows Assembly


Also allows ScreenReaders


Also allows FillIn


Allows the user to perform all of the above, and top quality printing.

[owner_pw <owner password | PROMPT>]

[user_pw <user password | PROMPT>]
If  an  encryption  strength  is  given but no passwords are supplied, then the owner and user passwords remain empty, which
means that the resulting PDF may be opened and its security parameters altered by anybody.

[compress | uncompress]
These are only useful when you want to edit PDF code in a text editor like vim or emacs.  Remove PDF page stream compression
by applying the uncompress filter. Use the compress filter to restore compression.

[flatten]
Use this option to merge an input PDF's interactive form fields (and their data) with the PDF's pages. Only one input PDF
may be given. Sometimes used with the fill_form operation.

[keep_first_id | keep_final_id]
When combining pages from multiple PDFs, use one of these options to copy the document ID from either  the  first  or  final
input  document  into the new output PDF. Otherwise pdftk creates a new document ID for the output PDF. When no operation is
given, pdftk always uses the ID from the (single) input PDF.

[drop_xfa]
If your input PDF is a form created using Acrobat 7 or Adobe Designer, then it probably has XFA data. Filling such a form
using  pdftk  yields  a PDF with data that fails to display in Acrobat 7 (and 6?).  The workaround solution is to remove the
form’s XFA data, either before you fill the form using pdftk or at the time you fill the  form.  Using  this  option  causes
pdftk to omit the XFA data from the output PDF form.

This  option  is  only  useful  when  running pdftk on a single input PDF.  When assembling a PDF from multiple inputs using
pdftk, any XFA data in the input is automatically omitted.

[verbose]
By default, pdftk runs quietly. Append verbose to the end and it will speak up.

[dont_ask | do_ask]
Depending on the compile-time settings (see ASK_ABOUT_WARNINGS), pdftk might prompt you for further input when it encounters
a  problem, such as a bad password. Override this default behavior by adding dont_ask (so pdftk won’t ask you what to do) or
do_ask (so pdftk will ask you what to do).

When running in dont_ask mode, pdftk will over-write files with its output without notice.

Decrypt a PDF
pdftk secured.pdf input_pw foopass output unsecured.pdf

Encrypt a PDF using 128-bit strength (the default), withhold all permissions (the default)
pdftk 1.pdf output 1.128.pdf owner_pw foopass

Same as above, except password ’baz’ must also be used to open output PDF
pdftk 1.pdf output 1.128.pdf owner_pw foo user_pw baz

Same as above, except printing is allowed (once the PDF is open)
pdftk 1.pdf output 1.128.pdf owner_pw foo user_pw baz allow printing

Join in1.pdf and in2.pdf into a new PDF, out1.pdf
pdftk in1.pdf in2.pdf cat output out1.pdf
or (using handles):
pdftk A=in1.pdf B=in2.pdf cat A B output out1.pdf
or (using wildcards):
pdftk *.pdf cat output combined.pdf

Remove ’page 13’ from in1.pdf to create out1.pdf
pdftk in.pdf cat 1-12 14-end output out1.pdf
pdftk A=in1.pdf cat A1-12 A14-end output out1.pdf

Apply 40-bit encryption to output, revoking all permissions (the default). Set the owner PW to ’foopass’.
pdftk 1.pdf 2.pdf cat output 3.pdf encrypt_40bit owner_pw foopass

Join two files, one of which requires the password ’foopass’. The output is not encrypted.
pdftk A=secured.pdf 2.pdf input_pw A=foopass cat output 3.pdf

Uncompress PDF page streams for editing the PDF in a text editor (e.g., vim, emacs)
pdftk doc.pdf output doc.unc.pdf uncompress

Repair a PDF’s corrupted XREF table and stream lengths, if possible
pdftk broken.pdf output fixed.pdf

Burst a single PDF document into pages and dump its data to doc_data.txt
pdftk in.pdf burst

Burst a single PDF document into encrypted pages. Allow low-quality printing
pdftk in.pdf burst owner_pw foopass allow DegradedPrinting

Write a report on PDF document metadata and bookmarks to report.txt
pdftk in.pdf dump_data output report.txt

Rotate the first PDF page to 90 degrees clockwise
pdftk in.pdf cat 1E 2-end output out.pdf

Rotate an entire PDF document to 180 degrees
pdftk in.pdf cat 1-endS output out.pdf

pdftk uses a slightly modified iText Java library ( to read and write  PDF.  The  author  compiled
this Java library using GCJ ( so it could be linked with a front end written in C++.

The pdftk home page is

Sid Steward ( maintains pdftk.

September 18, 2006                                                    PDFTK(1)

Comments, questions, and suggestions are always welcome as long as they're calm and ruly. :)

Further References

>> reference article

>> Main site for pdftk (including manual/documentation), a bit dated though

>> GUI for pdftk

UUIDs, Linux devices, and fstab

November 8, 2008

The Dilemma

I upgraded one of my Ubuntu servers from Hardy Heron (version 8.04 LTS) to Intrepid Ibex (version 8.10). After rebooting the machine following the upgrade, I noticed that 8.10 (or at least the kernel it initially uses, 2.6.27-7-generic) presents my attached Seagate IDE and SATA drives as SCSI drives. My old fstab entries, which used IDE raw device names such as /dev/hda1, were no longer relevant. As a result, my /home directory had my non-/home SATA partition mounted on it, for example. I realized (I don't know why only now) that using raw device names (e.g. /dev/hda or even /dev/sda) for my mounted drives was a pain in the neck, and not only because Ubuntu or the Linux kernel may change, sooner rather than later, how it scans, loads and mounts storage devices. What is more appropriate is to use the UUIDs of my devices.

Do You UUID?

UUID, or universally unique identifier, is used all over the tech world these days (a version 1 UUID, for instance, embeds the MAC address of the host that generated it). It's basically a 128-bit number, so there are 2^128 or approximately 3.4 × 10^38 possible values, which is a very large number. To put it in perspective, if you produced one UUID every second of every hour of every day, 365 days a year, you would still need approximately 1 × 10^31 years, that's a 1 with 31 zeros behind it, to run through them all. Now that's a long time :D. So for now UUIDs are pretty unique, wouldn't you agree?

Anyway, to get your hard drive’s UUID (whether it’s IDE or SCSI), use either the /dev directory

$ ls -l /dev/disk/by-uuid

to see your devices’ UUIDs. Mine gives

$ ls -l /dev/disk/by-uuid/
total 0
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 46483822-17f9-408b-a3e2-aad688f8380d -> ../../sdd2
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 47AB-8F94 -> ../../sdd1
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 4c05ec57-4171-42c3-b932-f721edc45f15 -> ../../sdd3
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 533bef31-8157-4097-895b-e20217fb90a5 -> ../../sda1
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 5e4cab82-808e-43ec-99a6-bb1a6d7f4efd -> ../../sdc3
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 668cbb68-36a7-4454-bd50-7056f1658a2a -> ../../sdb2
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 71e7e7df-cff4-42ae-a0ec-dddcc6a4dacb -> ../../sdb1
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 b9c011df-1882-4d4c-b215-00ddd7b9bfe0 -> ../../sda3
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 BBF7-94B5 -> ../../sdc1
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 c33271e6-5c7a-406d-a87f-84d9b2d0c196 -> ../../sdc2
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 c3ec0a22-04e8-4735-b6c8-b20e95c2b5a3 -> ../../sda5
lrwxrwxrwx 1 root root 10 2008-11-06 20:28 fdd0b195-0313-4af7-bbbe-9eb1bed89a64 -> ../../sda2

(I have four hard drives, with several partitions each, on my server.) The other way to get UUIDs is the blkid tool:

$ blkid /dev/sda1
/dev/sda1: UUID="533bef31-8157-4097-895b-e20217fb90a5" TYPE="ext3"

UUIDs come in handy when you want to mount plug-and-play or hot-swappable disks and customize how your Linux box responds via /etc/fstab. As for me, UUIDs are very important so I don't have to depend on raw device names anymore. Instead, I just use my devices' UUIDs, so even if I disconnect and reconnect them (assuming I don't reformat the drives/partitions or intentionally change the UUID that was assigned to them), I get the flexibility I need. One caveat: a filesystem UUID is stored in the filesystem's superblock, so a byte-for-byte copy (a dd clone, a duplicated VM image) carries the same UUID, and with both copies attached an fstab entry by UUID picks whichever one the kernel found first. For ext2/3/4, tune2fs -U random gives the clone a fresh UUID.

My previous /etc/fstab looked like this:

UUID=fdd0b195-0313-4af7-bbbe-9eb1bed89a64 /home           ext3    defaults        0       2
# /dev/hda3
UUID=b9c011df-1882-4d4c-b215-00ddd7b9bfe0 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec 0       0
/dev/hda5       /media/hda5     ext3    defaults        0       2
/dev/sda1       /media/sda1     ntfs-3g uid=1000,umask=007      0       2
/dev/sda2       /media/sda2     ext3    defaults        0       2
/dev/sdc1       /media/sdc1     vfat    uid=1000,umask=007      0       1
/dev/sdc2       /media/sdc2     ext3    defaults        0       2
/dev/sdc3       /media/sdc3     reiserfs        defaults        0       2
/dev/sdb3       /media/sdb3     ext3    defaults        0       2
/dev/sdb1       /media/sdb1     vfat    uid=1000,umask=007      0       1

Now it looks like this (exactly the same hard drive/partition set up):

UUID=fdd0b195-0313-4af7-bbbe-9eb1bed89a64 /home           ext3    defaults,relatime        0       2
# /dev/hda3
UUID=b9c011df-1882-4d4c-b215-00ddd7b9bfe0 none            swap    sw              0       0
#/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec 0       0
UUID=c3ec0a22-04e8-4735-b6c8-b20e95c2b5a3       /media/hda5     ext3    defaults,relatime       0       2
UUID=71e7e7df-cff4-42ae-a0ec-dddcc6a4dacb       /media/sda1     ext3    defaults,relatime       0       2
UUID=71e7e7df-cff4-42ae-a0ec-dddcc6a4dacb       /media/sda2     ext3    defaults,relatime       0       2
UUID=47AB-8F94  /media/sdc1     vfat    defaults        0       2
UUID=46483822-17f9-408b-a3e2-aad688f8380d       /media/sdc2     ext3    defaults,relatime       0       2
UUID=4c05ec57-4171-42c3-b932-f721edc45f15       /media/sdc3     reiserfs        defaults        0       2
UUID=5e4cab82-808e-43ec-99a6-bb1a6d7f4efd       /media/sdb3     ext3    defaults,relatime       0       2
UUID=BBF7-94B5  /media/sdb1     vfat    uid=1000,umask=007      0       1

Now isn’t that prettier? 😀

I just removed the old raw device names and replaced them with the appropriate UUID (e.g. /dev/hda5 corresponds to UUID=c3ec0a22-04e8-4735-b6c8-b20e95c2b5a3), and I didn’t have to change the directory where each one is mounted (my /dev/hda5 is still mounted at /media/hda5). That saved a lot of time and effort, since nothing that depends on the path where a hard drive is mounted had to be updated.
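The same conversion can be scripted. This is an added example and not part of the original post: it reads an fstab on stdin, asks blkid for the UUID of every /dev/ entry, and writes the converted fstab (with the old device name kept as a comment above each line, as in the listing above). Devices blkid cannot identify, such as a CD-ROM drive, are left unchanged.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite /dev/... entries in an
# fstab to UUID= form, keeping mount point, filesystem type and options as-is.

# Prints the UUID for a device via blkid, or nothing if blkid does not know it.
uuid_for_dev() {
    blkid -s UUID -o value "$1" 2>/dev/null
}

# Reads fstab lines on stdin, writes the converted fstab on stdout.
fstab_to_uuid() {
    while IFS= read -r line; do
        case "$line" in
            /dev/*)
                dev="${line%%[[:space:]]*}"      # first field: the device
                rest="${line#"$dev"}"            # everything after it
                uuid=$(uuid_for_dev "$dev" || :)
                if [ -n "$uuid" ]; then
                    # Keep the old name as a comment, like "# /dev/hda3" above.
                    printf '# %s\nUUID=%s%s\n' "$dev" "$uuid" "$rest"
                else
                    printf '%s\n' "$line"        # no UUID (e.g. /dev/scd0)
                fi
                ;;
            *)
                printf '%s\n' "$line"            # comments, UUID= lines, etc.
                ;;
        esac
    done
}

# Usage: fstab_to_uuid < /etc/fstab > /tmp/fstab.new   (then review and copy)
```

Review the output before installing it, since a typo in fstab can stop the machine from booting.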

Further Reading

* More info on UUIDs and on administration

* The Linux Documentation Project on Linux devices (IDE/SCSI)

rdesktop in Linux + Ubuntu vulnerability and fix

October 22, 2008

I’ve been working back and forth from one of my PCs running Windows XP (note: I’m in no way promoting the use of Windows here 🙂 ) for some tests I’m doing, and this has continued for many days already. Then (unfortunately, this took me several days to realize) I hit an epiphany: Why don’t I do something so that I won’t have to get up from my seat every time I need to check up on my Windows PC? The solution? Why rdesktop in Linux of course! Not VNC and not virtualization. Actually I already had a virtual machine running Window$ (the dollar sign there isn’t accidental) but I needed a real machine/PC which will run Window$ [sic], since software such as DirectX requires specific hardware which cannot usually be duplicated by virtual machines. rdesktop is particularly useful if you want to graphically control your Windows machine remotely, that is, control your own desktop and computer just like you were sitting in front of it. You can also use it to help others diagnose their PCs for example.

To install it in a machine running Ubuntu or Debian, just do a

$ sudo apt-get install rdesktop

The way to use it is actually very simple:

$ rdesktop  host

And then just replace the host part with the hostname or IP address of the PC you want to connect to. On your Windows PC, right-click My Computer and click Properties; on the Remote tab you can enable Remote Desktop. This will allow people who have user accounts on that Windows machine to connect remotely and control/view their Windows desktops. Of course, since we’re talking about Windows here, we might as well talk about security. One of the most obvious measures is to always create accounts with passwords, unless you have a very good reason to allow logins without a password. Another is that if you’re going to use Remote Desktop over the Internet, it is better to set up a firewall with port forwarding to the Windows PC you’re connecting to (by default Remote Desktop uses port 3389).

Doing a

$ man rdesktop

will give you a load of other options, such as compressing your data before transmitting it over the network, which conserves bandwidth at the cost of some extra computing.

Lastly, don’t think that we Linux users, with security built in down to the kernel level, can sleep calmly at night. There is a vulnerability in rdesktop (particularly in Ubuntu) as stated below:

It was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user. (CVE-2008-1801)

== Ubuntu Security Notice USN-646-1, September 18, 2008 ==
rdesktop vulnerabilities
CVE-2008-1801, CVE-2008-1802, CVE-2008-1803

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

In order to fix this dilemma, it is advised to upgrade to the following (depending on what Ubuntu version you’re using):

Ubuntu 6.06 LTS:  rdesktop                        1.4.1-1.1ubuntu0.6.06.1

Ubuntu 7.04:  rdesktop                        1.5.0-1ubuntu1.1

Ubuntu 7.10:  rdesktop                        1.5.0-2ubuntu0.1

Ubuntu 8.04 LTS:  rdesktop                        1.5.0-3+cvs20071006ubuntu0.1

Compare your installed rdesktop version against the ones above to see whether you still need to upgrade. Click here for more information on the vulnerability.

And again, while I’m at it, I’ll include another not so new but pretty alarming vulnerability in Debian based distributions which use ssl for encryption. The vulnerability and fix for Debian is here, as for Ubuntu, click here.

Doing cool things in Bash and in Linux

February 29, 2008

Finally, I’m able to squeeze in one last post for this month. I have a little free time, and the things I’ve read and learned again inspired me to write another post.

This post is concerned with the cool things you can do with the Bourne Again SHell, or bash for short. If you want more info afterwards on other cool Linux and bash commands, you can consult my earlier post here. This post is more or less an extension of that previous post of mine. The difference is that bash can be installed not only on Linux but also on other Unix-like operating systems such as Mac OS or Solaris, and of course on Unix itself.

Anyhow, to start off, I recently re-learned the wonderful use of brace expansion. Brace expansion happens when a command is given an argument consisting of strings (alphanumeric, for example) enclosed in curly braces and separated only by commas, such as:

$ echo {s,sd,sdf}

Which outputs the following

s sd sdf

Note that there mustn’t be any spaces inside the braces. But then that alone doesn’t seem to be anything marvelous, right? So we extend it further to make it a bit more interesting, like these:

$ echo {red,yellow,blue,black,pink}_mask
red_mask yellow_mask blue_mask black_mask pink_mask

$ echo {"red ","yellow ","blue ","black ","pink "}mask
red mask yellow mask blue mask black mask pink mask

$ echo {red,yellow,blue,black,pink}" mask"
red mask yellow mask blue mask black mask pink mask

Or even nest braces like so:

$ echo {{yellow,red}_color,blue,green}
yellow_color red_color blue green

At this point you might be saying to yourself the big “So what???” What use would we (Linux/Bash users, administrators, shell coders etc.) have for brace expansion? A lot actually. One example is renaming files (for a backup, say) without typing a lot of file names, which even with the help of tab completion is a lot of work, especially if you’re working with files in another directory. If I have a configuration file at /home/f/F/RoR/sample_config_file.conf and I want to create a backup copy of the file in the same directory, I just have to do this

$ cp -v /home/f/F/RoR/sample_config_file.conf{,.bak}
`/home/f/F/RoR/sample_config_file.conf' -> `/home/f/F/RoR/sample_config_file.conf.bak'

Which is equivalent to doing this

$ cp -v /home/f/F/RoR/sample_config_file.conf /home/f/F/RoR/sample_config_file.conf.bak
`/home/f/F/RoR/sample_config_file.conf' -> `/home/f/F/RoR/sample_config_file.conf.bak'

So instead of executing that last command, the one using brace expansion is much shorter (and looks better too).

Next is command substitution, which is very helpful for assigning values to variables and especially in shell scripting. Substitution is done by enclosing a command inside a $( ) combination; the command is run and its output takes its place. An example is the following

$ uname -a
Linux foxhound3 2.6.22-14-generic #1 SMP Tue Feb 12 07:42:25 UTC 2008 i686 GNU/Linux

Using substitution I can do it this way

$ info=$(uname -a)
$ echo "$info"
Linux foxhound3 2.6.22-14-generic #1 SMP Tue Feb 12 07:42:25 UTC 2008 i686 GNU/Linux

Which might seem longer, but you have to realize that a lot more can be done with this technique, such as the next one. Here I issue two commands: the output of the inner one (which is actually two commands joined by a pipe) becomes the input of the outer command, like so:

$ ls -lh $(find . |grep txt)

The inner commands list all files with the string txt in their file names. The outer command, ls -lh, shows the time stamp (creation/modification date), file owner, file size etc. of those files.

Output redirection of standard error is next. Sometimes you execute a command which you know will produce a lot of errors, such as using find to look for files from the topmost / (root) directory knowing full well that you don’t have read access to many directories. An example (which assumes you’re looking for the file php.ini):

$ find / -name php.ini

find: /etc/cups/ssl: Permission denied
find: /etc/ssl/private: Permission denied
find: /tmp/gconfd-root: Permission denied
find: /tmp/orbit-root: Permission denied
find: /var/cache/system-tools-backends/backup: Permission denied
find: /var/tmp/kdecache-guest: Permission denied
find: /var/tmp/kdecache-ma3x: Permission denied
find: /var/tmp/kdecache-root: Permission denied
find: /var/spool/postfix/flush: Permission denied
find: /var/spool/postfix/deferred: Permission denied
find: /var/spool/postfix/defer: Permission denied
find: /var/spool/postfix/active: Permission denied
find: /var/spool/postfix/trace: Permission denied
find: /var/spool/postfix/hold: Permission denied
find: /var/spool/postfix/private: Permission denied
find: /var/spool/postfix/saved: Permission denied
find: /var/spool/postfix/maildrop: Permission denied
find: /var/spool/postfix/corrupt: Permission denied
find: /var/spool/postfix/bounce: Permission denied

<other output truncated>

You get the idea. If you’re not interested in the error messages, you can send them to /dev/null like so

$ find / -name php.ini 2> /dev/null
/etc/php5/cli/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini

Which produces a cleaner output. Or, if you want to look at the error messages later, you can issue a

$ find / -name php.ini 2> error_messages.txt

and then read the text file later for the error messages. If you want to redirect both the error and the standard output messages to the same file, you can do a

$ find / -name php.ini >output.txt 2>&1

The important thing to note here is the order: the 2>&1 (which sends standard error to wherever standard output currently goes) is placed after the >output.txt redirection, at the end of the command that generates the output (in this case find). Written the other way around, the errors would still go to the terminal.

When it comes to searching through the history of bash commands you have executed, the usual way would be to scroll up or down using the arrow keys, or to enter the command history, look up the history number of that long command you entered, then do a !<history number of command here> to execute the command again without retyping it. For example

$ history

<output truncated>

  531  cat output.txt
  532  find / -name php.ini >output.txt 2>&1
  533  history

then to execute command number 531

$ !531

which is equivalent to executing

$ cat output.txt

again. But what if your command history is already in the hundreds or above a thousand? What you can do is press Ctrl and R at the same time, which gives you this

$ (reverse-i-search)`':

A command history search. You can start typing the first letters of your previous command, and bash searches for the most recent command that matches what you have typed.

The last trick is looping. A lot of people think that looping is only good for writing programs, but one can actually put it to good use in system administration too, or for plain ‘housekeeping’ of your files. For example, I have the files a.txt, b.txt, and c.txt in a directory. To make backup copies of them instantly, I do a

$ for something in *; do cp -v "$something" "$something.bak"; done

Which gives me the output

`a.txt' -> `a.txt.bak'
`b.txt' -> `b.txt.bak'
`c.txt' -> `c.txt.bak'

And voila! Instant backups of my files. One story I’ve read is of a system administrator’s machine that lost so much memory that even basic commands like ls failed because of insufficient memory. But the administrators knew that a certain file was the one wreaking havoc on the machine. So what they apparently did was this

$ for var in *; do echo "$var"; done

Which displays the files in the current directory and basically solved the problem (standing in for ls for the meantime). This works because for and echo are bash builtins and so are already loaded in memory with the shell. “Wonderful!” I said to myself (^)__(^)
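The backup loop above breaks on file names containing spaces, because the unquoted $something is split into words. This added example (mine, not the post’s) is the same loop hardened: it quotes the names, uses -- so a name starting with “-” is not read as an option, skips files that already have a .bak, and sends cp’s error messages to a log file using the 2> redirection explained earlier; the log path is an assumed default.

```shell
#!/bin/sh
# Added example, not from the original post: the backup loop above, hardened so
# that it copes with file names containing spaces or starting with "-", does not
# re-copy files that already have a .bak, skips the .bak files themselves, and
# keeps cp's error messages in a log file (stderr redirection, as shown above).
backup_dir() {
    dir="$1"
    log="${2:-/tmp/backup_errors.log}"     # assumed default log location
    count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # skip directories and an empty glob
        case "$f" in *.bak) continue ;; esac
        if [ -e "$f.bak" ]; then
            continue                       # already backed up, nothing to do
        fi
        # "--" ends option parsing, so a name like "-n.txt" is not misread.
        if cp -- "$f" "$f.bak" 2>>"$log"; then
            count=$((count + 1))
        fi
    done
    echo "$count"                          # number of new backups made
}

# Usage: backup_dir /home/f/F/RoR /tmp/rails_backup_errors.log
```

Running it a second time on the same directory makes no new copies, so it is safe to repeat.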

Thanks to Linux Journal’s issue 132 (April 2005), a back issue which I re-read before writing this post.

Machine protection with iptables firewall

February 9, 2008

This mini tutorial aims to set up a firewall on a machine that will connect to the Internet and perhaps serve some web pages from its web server. It was actually inspired by one of the appendices I’m writing for my thesis, particularly the details of how I set up the firewall on the machine I’ll be using. To set up a firewall as a NAT gateway you can consult this site, but this tutorial will still benefit you since almost all the things/commands we’ll be doing here can be applied to a NAT firewall setup. For protection from malicious attackers breaking into the system and/or causing havoc, a firewall is definitely a must. To implement the firewall, the iptables [1] utility created by Paul Russell is used. Paul Russell founded the Netfilter Core Team, which provides an extensive manual and documentation for iptables. iptables is usually the standard built-in firewall utility in Linux distributions with kernel versions of 2.4 or higher. The network interface of the machine is named eth0.

In the commands below, a leading ‘#’ means you need to be root, or to use sudo, to enter the command (unless otherwise stated, which would mean the listing is a configuration file and ‘#’ marks a comment).

A bit of warning though: if you’re setting up the following rules on a remote machine which you cannot physically reach (e.g. to reboot it manually), and this is your first time using iptables, it’s best to add this command to your crontab:

*/15 * * * * /sbin/iptables -F

Which ‘flushes’ (removes) all the iptables rules you’ve made every 15 minutes, in case you lock yourself out of the remote machine with a mistaken rule while experimenting. That way, even if you get disconnected from your machine because of a bad rule, you can log in again after the cron job flushes your rules. Of course this won’t be of much use if the machine you’re configuring iptables on is the local machine (or you have physical access to it).

-A chain rule-specification
    Appends one or more rules to the end of the chain.

-I chain rulenum
    Inserts a rule into chain at position rulenum. Useful when one wants a rule
    to supersede those before it.

-L
    Lists all the rules in the current chain.

-F
    Flushes all the rules in the current chain, basically deleting the firewall.

Table 1 – basic iptables commands [2]

rule specification

-p protocol
    Specifies the protocol for the rule to match, e.g. icmp, tcp, udp

-s [!] address/mask
    Specifies a certain address or network to match

-j target
    Tells what to do with a packet that matches the specification.
    The valid options for target are:
    DROP   – Drop the packet(s) without any further action.
    REJECT – Drop the packet(s) and send an error packet in return.
    ACCEPT – Allow the packet(s) to enter the network interface

Table 2 – iptables basic rule specifications [2]

Initially, the iptables rule set is empty. Rules are the firewall’s configuration, denying and/or accepting certain packets, for example. Checking the rules before any have been added:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0K packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Which basically says no rules have been applied yet. If there were previous rules and one wishes to start with a clean slate, the command

# iptables -F

flushes the rules out. Careful attention has to be paid to uppercase and lowercase in the commands, since iptables options are case-sensitive.

The following setup is for a single non-gateway, non-NAT (Network Address Translation) machine. All packets received on the network interface eth0 whose destination address is the machine’s IP address pass through the INPUT chain. Only wanted packets must be accepted, to keep out attackers and DoS (Denial of Service) attacks et al.

First, create custom chains/rules which will become clearer as more chains/rules are given:

# iptables -N open
# iptables -N interfaces

Accept ICMP messages such as pings:

# iptables -A INPUT -p icmp -j ACCEPT

Next is the rule that makes sure no traffic belonging to already established connections is dropped. It works by matching the state of a connection, which can be one of four: ESTABLISHED, RELATED, NEW and INVALID. All packets/connections in state ESTABLISHED or RELATED are accepted, turning the firewall into a “stateful firewall”:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Since not all incoming connections will be denied, the custom chains open and interfaces that were created earlier are now hooked into INPUT:

# iptables -A INPUT -j interfaces
# iptables -A INPUT -j open

After those two rules, reject all traffic that hasn’t been explicitly accepted by the rules above. TCP connections are denied with a TCP reset; UDP packets are answered with an ICMP port-unreachable message. This way of replying imitates Linux’s default behaviour for closed ports:

# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

All protocols other than TCP, UDP and ICMP are dropped (unless they matched the state rule earlier). This is done by setting the policy of the INPUT chain to DROP:

# iptables -P INPUT DROP

Since the machine won’t function as a router/forwarding device, we set the policy of the FORWARD chain to DROP:

# iptables -P FORWARD DROP

There is no need to filter any outgoing traffic. Set the OUTPUT policy to ACCEPT.

# iptables -P OUTPUT ACCEPT

Use the interfaces chain to accept any traffic from trusted interfaces. The following rule is absolutely necessary:

# iptables -A interfaces -i lo -j ACCEPT

The previous rule accepts all traffic from the loopback interface, lo, which is necessary for many applications to work properly. Incoming connections on other interfaces will be denied, unless they hit another exception in the open chain.

The open chain contains rules for accepting incoming connections on specific ports/protocols. To accept ssh (default port is 22) connections on every interface

# iptables -A open -p tcp --dport 22 -j ACCEPT

Access to port 22 can be restricted to a limited set of machines by editing the /etc/hosts.allow file. The local machine uses port 8094 (arbitrarily chosen) for ssh connections instead of the default port 22:

# iptables -A open -i eth0 -p tcp --dport 80 -j ACCEPT

Next, force SYN checking. Make sure NEW incoming TCP connections start with a SYN (synchronization) packet; otherwise drop them:

# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Now, check for fragmented packets. Incoming fragments are dropped:

# iptables -A INPUT -f -j DROP

Incoming malformed Christmas tree packets [3] are dropped:

# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

As well as incoming malformed NULL packets:

# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

To prevent spoofed traffic [4], block the reserved private networks coming in from the Internet

# iptables -I INPUT -i eth0 -s -j DROP
# iptables -I INPUT -i eth0 -s -j DROP
# iptables -I INPUT -i eth0 -s -j DROP
# iptables -I INPUT -i eth0 -s -j DROP

The following line is added to the /etc/sysctl.conf configuration file to enable source address verification (reverse path filtering), which is built into the Linux kernel itself.

  net.ipv4.conf.all.rp_filter = 1

In order to further lessen the network traffic seen by the machine’s network interface (eth0), specific types of unwanted ICMP packets [5] are dropped

# iptables -I INPUT -p icmp --icmp-type redirect -j DROP
# iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
# iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
# iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
# iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

Now, the rules should be saved. Different Linux distributions have different ways of saving iptables rules. The following comes from an Arch Linux setup. The configuration file /etc/conf.d/iptables is edited first for further security:

# Configuration for iptables rules
IPTABLES=/usr/sbin/iptables
IPTABLES_CONF=/etc/iptables/iptables.rules
IPTABLES_FORWARD=0 # disable IP forwarding!!!

Then specify an arbitrary filename, such as iptables.rules, where the rules will be saved, as done in the configuration file above.

Now, save the rules with the command

# /etc/rc.d/iptables save

and to make sure the rules are loaded when the machine reboots, edit the /etc/rc.conf file and add iptables to the DAEMONS array, preferably before ‘network’:

 DAEMONS=(... iptables network ...)

For other Linux distros (Debian, Ubuntu, Fedora etc), issuing the command

# iptables-save > /etc/firewall.conf

saves all your iptables rules to the arbitrarily named file firewall.conf. Then after a reboot you can do a

# iptables-restore < /etc/firewall.conf

to restore your iptables rules. Or you can just create a simple shell script like so

echo "#!/bin/sh" > /etc/network/if-up.d/iptables
echo "iptables-restore < /etc/firewall.conf" >> /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables

to let ifup load your rules for you automatically whenever the interface comes up, which includes boot-up of course.

Now you might want to log the packets that are dropped. A quick and simple way to log those packets on the file /var/log/syslog is this:

# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

which is pretty self-explanatory: packets reaching rule position 5 in INPUT are logged with the prefix “iptables denied: ”, at most 5 per minute.
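Putting the whole procedure into one script makes the rule order explicit, which matters in iptables: rules are tried top to bottom, so the SYN, fragment and flag checks appended after the REJECT lines in the steps above would never be reached for TCP or UDP, and a plain iptables -F leaves a DROP policy in force and can lock out a remote session. The script below is an added example (not the post’s own setup); it assumes eth0 is the Internet-facing interface, uses the RFC 1918 and loopback ranges for the anti-spoofing rules since the post’s own address list is missing, and can be dry-run with IPT=echo.

```shell
#!/bin/sh
# Added example, not from the original post: the INPUT ruleset above assembled
# in one script. Order matters in iptables, so the packet sanity checks are
# placed BEFORE the REJECT rules (appended after them, as the post does, they
# would never be reached for TCP/UDP). Set IPT=echo to dry-run the rule list.
IPT="${IPT:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"      # the Internet-facing interface, as in the post
SSH_PORT="${SSH_PORT:-22}"

# Assumed RFC 1918 and loopback ranges for the anti-spoofing rules (the post's
# own address list did not survive on the page).
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Safe reset: "iptables -F" on its own keeps a DROP policy in force and can
# lock out a remote session, so restore ACCEPT policies before flushing.
reset_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -P "$chain" ACCEPT
    done
    "$IPT" -F
    "$IPT" -X    # also delete the custom open/interfaces chains
}

apply_firewall() {
    reset_firewall
    "$IPT" -N interfaces
    "$IPT" -N open

    # 1. Malformed and unwanted packets are judged first.
    "$IPT" -A INPUT -f -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    for net in $PRIVATE_NETS; do
        "$IPT" -A INPUT -i "$IFACE" -s "$net" -j DROP
    done
    for t in redirect router-advertisement router-solicitation \
             address-mask-request address-mask-reply; do
        "$IPT" -A INPUT -p icmp --icmp-type "$t" -j DROP
    done

    # 2. Remaining ICMP, plus anything that belongs to a known connection.
    "$IPT" -A INPUT -p icmp -j ACCEPT
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 3. Trusted interfaces and explicitly opened ports.
    "$IPT" -A INPUT -j interfaces
    "$IPT" -A INPUT -j open
    "$IPT" -A interfaces -i lo -j ACCEPT
    "$IPT" -A open -p tcp --dport "$SSH_PORT" -j ACCEPT
    "$IPT" -A open -i "$IFACE" -p tcp --dport 80 -j ACCEPT

    # 4. Log what is left (rate-limited), then refuse it the way Linux would.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG \
        --log-prefix "iptables denied: " --log-level 7
    "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

    # 5. Default policies for everything the rules above did not decide.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}
```

Dry-run with `IPT=echo sh -c '. ./firewall.sh; apply_firewall'` to read the rule list before running it as root, then save it with iptables-save as described below.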

Comments/suggestions/questions/reactions are welcome as long as they come in a calm and ruly way (^)__(^)


[1] T. Howlett, Open Source Security Tools: Practical Applications for Security. Prentice Hall Professional Technical Reference, 2005

[2] P. Russell et al. iptables manuals and documentation. (January 2008)

[3] H. Bidgoli. The Internet Encyclopedia. John Wiley and Sons, 2004

[4] M. Freire and M. Pereira. Encyclopedia of Internet Technologies and Applications. Information Science Reference, 2008

[5] Internet Assigned Numbers Authority. ICMP type numbers RFC list. (January 2008)