Linux – Kamran Zafar

April 5, 2017June 11, 2019

Docker and iptables firewall

Docker works perfectly fine when no firewall is running on the host machine. Without the firewall docker containers can communicate with each other and with the outside world. But with the firewall we need to setup some rules in order to allow traffic to and from the docker interface. Below it is detailed how we can configure the firewall for docker on a Centos server.

First of all let us find the docker interface and IP, we can do that using the ifconfig command:

Here the interface name is docker0. Now we can setup firewall rules using the iptables command:

# Enable masquerading and allow connections to containers
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow internal and external container communication
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT

# Enable masquerading and allow connections to containers

iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow internal and external container communication

iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT

iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT

With these rules setup, Docker containers can now talk to each other and the outside world.

If you use CSF (Config Server Firewall), a custom chain with these rules can be added to csfpost.sh file, like below:

#!/bin/sh

echo "[DOCKER] Setting up firewall rules."

# Create a new chain
iptables -N DOCKER
iptables -A FORWARD -o docker0 -j DOCKER

# Enable masquerading and allow connections to containers
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow internal and external container communication
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT

iptables -A DOCKER -j RETURN

echo "[DOCKER] Done."

#!/bin/sh

echo "[DOCKER] Setting up firewall rules."

# Create a new chain

iptables -N DOCKER

iptables -A FORWARD -o docker0 -j DOCKER

# Enable masquerading and allow connections to containers

iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow internal and external container communication

iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT

iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT

iptables -A DOCKER -j RETURN

echo "[DOCKER] Done."

And then reload the firewall rules using the command below:

csf -r

csf -r

January 17, 2016June 8, 2019

Protect your identity from SSH servers

Recently I came across a tweet that highlighted a serious privacy issue related to SSH servers and online services that publish user information in public domain without having to explicitly take permission from users.

Added a OpenSSH roaming vuln test to the whoami server $ ssh https://t.co/MSn1TEQGTs (code: https://t.co/HMIH00CxHg) pic.twitter.com/9tolWWvXZJ

— Filippo Valsorda (@FiloSottile) January 16, 2016

In this tweet the guy talks about running a SSH server that matches the incoming connection’s public key with the public keys of Github users, which for some reason Github has kept in the public domain (totally not cool!).

So I decided to give it a go and below is what I found.

My public keys were already captured by this server from Github, and so it knew who I was. Which kind of creeped me out. But the feeling was only momentary because I knew what I had to do to protect myself.

The answer lies in the way the public key is shared. Public key is like a signature of the user. My mistake was that I was using my Github public/private key as my default SSH key. So now it was time to change this.

SSH allows you to configure keys per host, therefore limiting the use of the SSH keys for only the specified hosts. This SSH key and host mapping can be configured in ~/.ssh/config file.

So the solution is to backup your existing SSH key and configure the SSH client to use it for the right service.

Host github.com
  IdentityFile ~/.ssh/github/id_rsa

1 2	Host github.com IdentityFile ~/.ssh/github/id_rsa

Then generate a new default public/private key pair.

ssh-keygen -t rsa -b 2048

1	ssh-keygen -t rsa -b 2048

Now when I connect to Filippo’s dodgy SSH server, it doesn’t know who I am 🙂

Note: Another thing to be aware of; if you are using ssh-agent to manage your keys, then it will send all the public keys to any SSH server you connect to. It is better to avoid using ssh-agent, and configure host specific keys in the SSH config file for identity protection.

November 29, 2015June 8, 2019

Real-time Web Cam Surveillance with Raspberry-PI

Raspberry PI is a great little tool for building small projects, from personal web servers to robot butlers. With it’s linux core you could potentially use RPI like a regular linux box. There are loads of example projects available on the internet. Here I will present how to use RPI to build a poor man’s surveillance camera using an ordinary web cam. I found an old web cam in the drawer, I seldom open, that came in handy for this project.

The idea is pretty simple, stream the captured web-cam video over the internet in almost real-time. So here is what we need for this project:

Raspberry PI
Wifi adaptor (Network connectivity)
USB Web cam

I will assume that RPI is connected to the internet, so will skip the setup of point #2 in the list above.

The first step is to connect the web cam to RPI. After that check if RPI can recognize it, by running the following command:

lsusb

lsusb

This will list all the usb devices and you should also see the web cam in the list.

Now what we need is a RTP (Real-time Transfer Protocol) server; for this purpose we’ll use NnginX web server and build it from source with the RTP module to stream the video. So lets download, build and install it.

cd ~
mkdir tmp
cd tmp
wget http://nginx.org/download/nginx-1.9.7.tar.gz
wget https://github.com/arut/nginx-rtmp-module/archive/v1.1.7.tar.gz

tar -xvzf nginx-1.9.7.tar.gz
tar -xvzf v1.1.7.tar.gz

cd nginx-1.9.7
./configure --add-module=~/tmp/nginx-rtmp-module
make
sudo make install

cd ~

mkdir tmp

cd tmp

wget http://nginx.org/download/nginx-1.9.7.tar.gz

wget https://github.com/arut/nginx-rtmp-module/archive/v1.1.7.tar.gz

tar -xvzf nginx-1.9.7.tar.gz

tar -xvzf v1.1.7.tar.gz

cd nginx-1.9.7

./configure --add-module=~/tmp/nginx-rtmp-module

make

sudo make install

After this we’ll configure RTP on Nginx in the /etc/nginx/nginx.conf file.

worker_processes  1;

events {
  worker_connections  10;
}

rtmp {
  server {
    listen 1935;
    notify_method get;

    application live {
      live on;
    }
  }
}

worker_processes 1;

events {

worker_connections 10;

}

rtmp {

server {

listen 1935;

notify_method get;

application live {

live on;

}

And then restart the server

sudo service nginx restart

1	sudo service nginx restart

The server is all setup to stream the video. What we need to do now is capture and send the video to nginx for streaming. For this we can either use ffmpeg or avconv. I will use avconv in this example.

First install avconv

sudo apt-get install libav-tools

1	sudo apt-get install libav-tools

After this we’ll start the video capture and send it to nginx. We can do this with the following command.

avconv -f video4linux2 -s 320x176 -r 10 -b 350k -i /dev/video0 -vcodec libx264 -preset ultrafast -f flv -an rtmp://localhost/live/cam

1	avconv -f video4linux2 -s 320x176 -r 10 -b 350k -i /dev/video0 -vcodec libx264 -preset ultrafast -f flv -an rtmp://localhost/live/cam

You can play with settings to increase the video size and buffer etc.

Once the streaming starts you will see something like below on the shell terminal:

To view the video I used VLC player, which is the best open video player available that can literally play whatever you throw at it. So point the web cam to what you want to capture and open the following URL in VLC (replace <rpi-ip> with the IP of your Raspberry PI).

rtmp://<rpi-ip>/live/cam

1	rtmp://<rpi-ip>/live/cam

Here I am keeping an eye on my guitar which has been suspiciously going out of tune lately.

December 24, 2013

Organizing Media files on Linux

Recently I was doing some cleanup on my Dropbox account, and I found that some folders (especially “Camera Uploads”) had like a million unorganized images and video files that were auto uploaded from my mobile phone and other devices. Unfortunately Dropbox doesn’t automatically organize these files in date folders or even gives you an option to do so. So I decided to write a script to organize the files myself in the Dropbox folder on my Linux Desktop. Below is a simple shell script that can do this.

for file in *.{jpg,JPG,3gp,3GP,png,PNG,mp4,MP4,mov,MOV};
do
datepath="$(exiftool "$file" | grep Modification | awk '{print $5 }' | sed s%:%/%g)"
if ! test -e "$datepath"; then
mkdir -pv "$datepath"
fi

mv -v "$file" $datepath
done

for file in *.{jpg,JPG,3gp,3GP,png,PNG,mp4,MP4,mov,MOV};

datepath="$(exiftool "$file" | grep Modification | awk '{print $5 }' | sed s%:%/%g)"

if ! test -e "$datepath"; then

mkdir -pv "$datepath"

mv -v "$file" $datepath

done

This script moves the media files in date folders, which are created using the last modified date of the file. The script is also available on Github and uses exiftool to determine the last modified date. The exiftool can be installed on Ubuntu using the following command:

sudo apt-get install libimage-exiftool-perl

1	sudo apt-get install libimage-exiftool-perl

August 16, 2012

Sharing VPN connection on Linux

Most VPN servers allow a single remote session per user, which is all you need most of the times. But sometimes it is necessary to connect multiple devices to the VPN server; but using a single user account it is impossible if the server doesn’t allow it. There is a way around this problem by sharing the VPN connection from a central node to other computers by setting up an ad-hoc wireless network using the wireless modem of the central computer as a hot-spot. The idea is fairly simple provided the central computer has two network cards:

Use a central computer to connect to VPN via ethernet or one of the network cards
Setup a hotspot on the central computer so that devices in range can connect to it over wifi
Route all traffic (inbound & outbound) from the hotspot to the ethernet/vpn connection

The diagram below illustrates this.

So how do we do this? Below is an example to setup this configuration on a Linux box. I used Linux Mint desktop in this example. Here are the steps:

Install and configure hostapd application so that you can turn your wireless modem into a hotspot
Install and configure a DHCP server so that IP addresses are assigned to devices connected to the hotspot
Allow IP masquerading to share the ethernet/vpn connection with the devices connected to the hotspot.

Install and configure hostapd

Use the following command to install the hostapd application

sudo apt-get install hostapd

1	sudo apt-get install hostapd

Configure hostapd by editing the /etc/hostapd/hostapd.conf file as follows

interface=wlan0
driver=nl80211
ssid=kamran-hotspot
hw_mode=g
channel=11
wpa=1
wpa_passphrase=MYPASSWORD
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_ptk_rekey=600

interface=wlan0

driver=nl80211

ssid=kamran-hotspot

hw_mode=g

channel=11

wpa=1

wpa_passphrase=MYPASSWORD

wpa_key_mgmt=WPA-PSK

wpa_pairwise=TKIP CCMP

wpa_ptk_rekey=600

You can check the wireless interface name by using the iwconfig command, on my machine the interface name was wlan0. Now you can start hostapd using the following command:

sudo hostapd -dd /etc/hostapd/hostapd.conf 1>/dev/null &

1	sudo hostapd -dd /etc/hostapd/hostapd.conf 1>/dev/null &

Install and configure dhcp

Install the dhcp server using the following command

sudo apt-get install isc-dhcp-server

1	sudo apt-get install isc-dhcp-server

Edit the /etc/dhcp/dhcpd.conf file to setup subnet by adding the following lines to the file

subnet 10.10.0.0 netmask 255.255.255.0 {
range 10.10.0.25 10.10.0.50;
option domain-name-servers 8.8.4.4;
option routers 10.10.0.1;
}

subnet 10.10.0.0 netmask 255.255.255.0 {

range 10.10.0.25 10.10.0.50;

option domain-name-servers 8.8.4.4;

option routers 10.10.0.1;

}

Edit /etc/default/isc-dhcp-server and add the wireless network interface name like below:

INTERFACES="wlan0"

1	INTERFACES="wlan0"

Configure a new interface and start the dhcp server

    sudo ifconfig wlan0 10.10.0.1 netmask 255.255.255.0

    sudo start isc-dhcp-server

sudo ifconfig wlan0 10.10.0.1 netmask 255.255.255.0

sudo start isc-dhcp-server

Allow IP masquerading

Now when the linux box is connected to the VPN, we can share this VPN connection over wifi hotspot by running following commands:

echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -o tun0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT

echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

sudo iptables -A FORWARD -o tun0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT

In this example the vpn interface is tun0, you can check the interface name using iwconfig command.

So now VPN sharing is setup and all your devices (computers, tablets, smart phones etc.), connected to the hot-spot of your central linux box, can access all the available network resources on VPN.