Docker and iptables firewall

Docker works perfectly fine when no firewall is running on the host machine. Without a firewall, Docker containers can communicate with each other and with the outside world. With a firewall running, we need to set up some rules to allow traffic to and from the Docker interface. The steps below show how to configure the firewall for Docker on a CentOS server.

First, find the Docker interface and IP address using the ifconfig command:

Here the interface name is docker0. Now we can set up firewall rules using the iptables command:

With these rules set up, Docker containers can now talk to each other and the outside world.

If you use CSF (Config Server Firewall), a custom chain with these rules can be added to the csfpost.sh file, like below:
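A rule set of the kind described above, as an added example and not the author's original commands. The subnet 172.17.0.0/16 and the function name are assumptions; the rules cover container-to-container and outbound traffic only, not published ports.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for a Docker bridge.
# Assumed values: bridge docker0, container subnet 172.17.0.0/16.
# Outbound traffic also needs net.ipv4.ip_forward=1 on the host.

# emit_docker_rules BRIDGE SUBNET
emit_docker_rules() {
    br=$1
    net=$2
    # The output is meant for a root shell, so reject anything that is not
    # a plain interface name or an IPv4 CIDR before it is interpolated.
    case "$br" in
        ""|*[!A-Za-z0-9_.-]*) echo "invalid bridge name" >&2; return 1 ;;
    esac
    case "$net" in
        ""|*[!0-9./]*) echo "invalid subnet" >&2; return 1 ;;
    esac
    cat <<EOF
# Containers on the bridge may talk to each other.
iptables -A FORWARD -i $br -o $br -j ACCEPT
# Containers may open connections to anything beyond the bridge.
iptables -A FORWARD -i $br ! -o $br -j ACCEPT
# Only replies to those connections are let back in.
iptables -A FORWARD -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Source-NAT container traffic that leaves the host.
iptables -t nat -A POSTROUTING -s $net ! -o $br -j MASQUERADE
EOF
}

# Review the output first, then apply as root:
#   emit_docker_rules docker0 172.17.0.0/16 | sh -e
```

The printed lines can also be pasted into csfpost.sh so that CSF reapplies them on every reload.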

And then reload the firewall rules using the command below:

Protect your identity from SSH servers

Recently I came across a tweet that highlighted a serious privacy issue with SSH servers and online services that publish user information in the public domain without explicitly asking users for permission.

In this tweet the guy talks about running an SSH server that matches the incoming connection’s public key with the public keys of GitHub users, which for some reason GitHub has kept in the public domain (totally not cool!).

So I decided to give it a go and below is what I found.

[Screenshot: terminal session on kamran-laptop]

My public keys had already been captured by this server from GitHub, so it knew who I was, which kind of creeped me out. But the feeling was only momentary, because I knew what I had to do to protect myself.

The answer lies in the way the public key is shared. A public key is like a signature of the user. My mistake was using my GitHub public/private key pair as my default SSH key, so it was time to change this.

SSH allows you to configure keys per host, limiting the use of each SSH key to the specified hosts only. This mapping of SSH keys to hosts is configured in the ~/.ssh/config file.

So the solution is to back up your existing SSH key and configure the SSH client to use it only for the right service.

Then generate a new default public/private key pair.

Now when I connect to Filippo’s dodgy SSH server, it doesn’t know who I am 🙂

[Screenshot: terminal session on kamran-laptop]

Note: Another thing to be aware of: if you are using ssh-agent to manage your keys, it will send all the public keys to any SSH server you connect to. It is better to avoid using ssh-agent, and to configure host-specific keys in the SSH config file for identity protection.
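One way to carry out the per-host key mapping and key rotation described above, written as an added example rather than the author's original commands. The key file names (id_rsa, id_ed25519), the service label and both function names are assumptions; IdentitiesOnly yes makes the client offer only the listed key to that host, even when an agent holds others.

```shell
#!/bin/sh
# Added example: pin one SSH key per host. Paths and names are assumptions.

# pin_host_key SSH_DIR HOST KEYFILE
# Appends a Host block so that only KEYFILE is ever offered to HOST.
pin_host_key() {
    ssh_dir=$1
    host=$2
    key=$3
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    cfg="$ssh_dir/config"
    # Refuse to add a second, conflicting block for the same host.
    if [ -f "$cfg" ] && grep -qxF "Host $host" "$cfg"; then
        echo "Host $host is already configured in $cfg" >&2
        return 1
    fi
    {
        printf 'Host %s\n' "$host"
        printf '    IdentityFile %s\n' "$key"
        printf '    IdentitiesOnly yes\n'
    } >> "$cfg"
    chmod 600 "$cfg"
}

# rotate_default_key SSH_DIR SERVICE
# Moves the old default key aside under a service-specific name and
# generates a fresh default key that is not published anywhere.
rotate_default_key() {
    ssh_dir=$1
    service=$2
    [ -f "$ssh_dir/id_rsa" ] || { echo "no default key to move" >&2; return 1; }
    mv "$ssh_dir/id_rsa" "$ssh_dir/id_rsa_$service"
    mv "$ssh_dir/id_rsa.pub" "$ssh_dir/id_rsa_$service.pub"
    ssh-keygen -t ed25519 -f "$ssh_dir/id_ed25519" -C "default-$(hostname)"
}

# Typical use:
#   rotate_default_key "$HOME/.ssh" github
#   pin_host_key "$HOME/.ssh" github.com "$HOME/.ssh/id_rsa_github"
```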

Real-time Web Cam Surveillance with Raspberry-PI

Raspberry PI is a great little tool for building small projects, from personal web servers to robot butlers. With its Linux core you could potentially use RPI like a regular Linux box. There are loads of example projects available on the internet. Here I will present how to use RPI to build a poor man’s surveillance camera using an ordinary web cam. I found an old web cam in a drawer I seldom open, and it came in handy for this project.

The idea is pretty simple: stream the captured web-cam video over the internet in almost real-time. So here is what we need for this project:

  1. Raspberry PI
  2. Wifi adaptor (Network connectivity)
  3. USB Web cam

I will assume that RPI is connected to the internet, so will skip the setup of point #2 in the list above.

The first step is to connect the web cam to RPI. After that, check whether RPI can recognize it by running the following command:

This will list all the USB devices, and you should see the web cam in the list.

Now what we need is an RTP (Real-time Transfer Protocol) server. For this purpose we’ll use the Nginx web server, built from source with the RTP module to stream the video. So let’s download, build and install it.

After this we’ll configure RTP on Nginx in the /etc/nginx/nginx.conf file.

And then restart the server:

The server is all set up to stream the video. What we need to do now is capture the video and send it to nginx for streaming. For this we can use either ffmpeg or avconv. I will use avconv in this example.

First install avconv

After this we’ll start the video capture and send it to nginx. We can do this with the following command.

You can play with settings to increase the video size and buffer etc.

Once the streaming starts you will see something like below on the shell terminal:

[Screenshot: terminal session on kamran-rpi]

To view the video I used VLC player, which is the best open video player available that can literally play whatever you throw at it. So point the web cam to what you want to capture and open the following URL in VLC (replace <rpi-ip> with the IP of your Raspberry PI).

Here I am keeping an eye on my guitar which has been suspiciously going out of tune lately.

[Screenshot: VLC media player playing rtmp://192.168.0.14/live/cam]

Organizing Media files on Linux

Recently I was doing some cleanup on my Dropbox account, and I found that some folders (especially “Camera Uploads”) had like a million unorganized image and video files that were auto-uploaded from my mobile phone and other devices. Unfortunately Dropbox doesn’t automatically organize these files into date folders, or even give you an option to do so. So I decided to write a script to organize the files myself in the Dropbox folder on my Linux desktop. Below is a simple shell script that can do this.

This script moves the media files into date folders, which are created using the last modified date of each file. The script is also available on GitHub and uses exiftool to determine the last modified date. exiftool can be installed on Ubuntu using the following command:

Sharing VPN connection on Linux

Most VPN servers allow a single remote session per user, which is all you need most of the time. Sometimes, though, you need to connect multiple devices to the VPN server, and with a single user account that is impossible if the server doesn’t allow it. One way around this is to share the VPN connection from a central node with other computers, by setting up an ad-hoc wireless network that uses the central computer’s wireless modem as a hot-spot. The idea is fairly simple, provided the central computer has two network cards:

  1. Use a central computer to connect to the VPN via ethernet or one of the network cards
  2. Set up a hotspot on the central computer so that devices in range can connect to it over wifi
  3. Route all traffic (inbound & outbound) from the hotspot to the ethernet/VPN connection

The diagram below illustrates this.

[Diagram: vpn_share]

So how do we do this? Below is an example of setting up this configuration on a Linux box. I used a Linux Mint desktop in this example. Here are the steps:

  1. Install and configure hostapd application so that you can turn your wireless modem into a hotspot
  2. Install and configure a DHCP server so that IP addresses are assigned to devices connected to the hotspot
  3. Allow IP masquerading to share the ethernet/vpn connection with the devices connected to the hotspot.

Install and configure hostapd

Use the following command to install the hostapd application

Configure hostapd by editing the /etc/hostapd/hostapd.conf file as follows

You can check the wireless interface name using the iwconfig command; on my machine the interface name was wlan0. Now you can start hostapd using the following command:

Install and configure DHCP

Install the DHCP server using the following command

Edit the /etc/dhcp/dhcpd.conf file to set up the subnet by adding the following lines to the file

Edit /etc/default/isc-dhcp-server and add the wireless network interface name like below:

Configure a new interface and start the DHCP server

Allow IP masquerading

Now, when the Linux box is connected to the VPN, we can share this VPN connection over the wifi hotspot by running the following commands:

In this example the VPN interface is tun0; you can check the interface name using the iwconfig command.

VPN sharing is now set up, and all your devices (computers, tablets, smart phones etc.) connected to the hot-spot of your central Linux box can access all the available network resources on the VPN.
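A check for the masquerading step, as an added example that is not part of the original post: it reads iptables-save output and confirms that hotspot traffic is NATed and forwarded through the VPN interface only. The ruleset in sample_rules is constructed, the function names are assumptions, and the check only inspects rules that name the hotspot interface explicitly (it does not model negated matches or chain policies).

```shell
#!/bin/sh
# Added example: audit iptables-save output for a hotspot-to-VPN share.
# Interface names wlan0/tun0 follow the article; the ruleset is constructed.

# A constructed ruleset that shares tun0 with clients on wlan0.
# (Forwarding also needs net.ipv4.ip_forward=1, which iptables-save omits.)
sample_rules() {
    cat <<'EOF'
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# audit_vpn_share HOTSPOT_IF VPN_IF  (reads iptables-save text on stdin)
# Returns 0 only if hotspot traffic is NATed and forwarded via the VPN alone.
audit_vpn_share() {
    awk -v hs="$1" -v vpn="$2" '
    # Value following option f on the current rule, or "" when absent.
    function opt(f,   i) {
        for (i = 1; i < NF; i++) if ($i == f) return $(i + 1)
        return ""
    }
    function ifname(o) { return o == "" ? "any interface" : o }
    $1 == "-A" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" {
        if (opt("-o") == vpn) nat_ok = 1
        else { print "LEAK: masquerade out of " ifname(opt("-o")); bad = 1 }
    }
    $1 == "-A" && $2 == "FORWARD" && opt("-i") == hs && opt("-j") == "ACCEPT" {
        if (opt("-o") == vpn) fwd_ok = 1
        else { print "LEAK: hotspot forwarded to " ifname(opt("-o")); bad = 1 }
    }
    END {
        if (!nat_ok) { print "MISSING: MASQUERADE on " vpn; bad = 1 }
        if (!fwd_ok) { print "MISSING: FORWARD " hs " to " vpn; bad = 1 }
        exit bad + 0
    }'
}

# On the live box, as root:  iptables-save | audit_vpn_share wlan0 tun0
```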