Derek Neely

...notes for thyself, but useful for all...

Iptables Diagram (Cheat Sheet)

Nov 21, 2017 by derek

I'm not sure where I grabbed this Iptables diagram** from, but it has been quite a handy reference.

** If I pulled this from you, please ping me and I will be happy to give credit. It's been very useful.

Security, Linux, Networking

Iptables Log File

Nov 21, 2017 by derek

Iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset provided by netfilter. In a lot of our Iptables configs we'll often set up a LOG rule to monitor some of the rules being hit. This helps when testing or confirming a rule, and it lets us monitor and report on which rules are firing.


Something like:

# user-defined chain: log the packet with our tag as the prefix, then drop it
-N LOG_AND_DROP
-A LOG_AND_DROP -j LOG --log-prefix "[iptables] - denied (ipset): "
-A LOG_AND_DROP -j DROP

# anything whose source address is in the ipset goes through that chain
-A INPUT -m set --match-set china-blacklist src -j LOG_AND_DROP

In the above example we have an ipset list of some China IPs (another post coming soon regarding ipsets), and we log the hit on this rule and then DROP the packet. You can do the same for logging and ACCEPT; this is just a quick snippet/example.

However, once you enable something of this sort, or do any kind of iptables logging, you'll notice that the log entries get dropped into /var/log/messages, /var/log/syslog, and/or /var/log/kern.log. A little crazy, right? So how can we consolidate or narrow down where these logs go? We just need to tell our rsyslog daemon where to put them.

Create an rsyslog config file for iptables:

vi /etc/rsyslog.d/10-iptables.conf

Add the following lines:

:msg, contains, "[iptables] " -/var/log/iptables.log
& stop

Restart rsyslog:

service rsyslog restart

And you should be good to go. (The leading '-' on the file name tells rsyslog to write to it asynchronously; on rsyslog versions older than 7, use '& ~' instead of '& stop' to discard the message after it has been written.)

Note the 'tag' we're using here, '[iptables] '. This can be any tag that makes sense to you; you just need to update both the iptables rules and the rsyslog config file to match. You can also use different tags to route different rules to different files if that is something you want to do.
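Once the entries land in /var/log/iptables.log, the next thing you want is a quick report on what the rules are catching. The following Python script is an added example, not code from the original post: it applies the same "contains '[iptables] '" test the rsyslog filter uses, parses the KEY=VALUE fields netfilter appends after the --log-prefix text, and counts denied hits per source, protocol and destination port. The sample log lines are constructed for the example (documentation address ranges, a made-up host name "fw1"), and the "accepted:" prefix is an assumed second tag of the kind the post says you can add for ACCEPT rules.

```python
import re
from collections import Counter

# The tag the rsyslog filter keys on (':msg, contains, "[iptables] "').
TAG = "[iptables] "

# Constructed sample lines (not from the original post), in the shape the kernel
# writes for a LOG rule as they would land in /var/log/kern.log.  Addresses are
# from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24; the sshd
# line is there to show that unrelated kernel/daemon output is skipped.
SAMPLE_LOG = """\
Nov 21 10:15:02 fw1 kernel: [12345.678901] [iptables] - denied (ipset): IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 10:15:03 fw1 sshd[2211]: Accepted publickey for derek from 198.51.100.7 port 50122 ssh2
Nov 21 10:15:05 fw1 kernel: [12348.101112] [iptables] - denied (ipset): IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 10:15:09 fw1 kernel: [12352.000001] [iptables] - denied (ipset): IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=28
Nov 21 10:15:12 fw1 kernel: [12355.000002] [iptables] - accepted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# "kernel: [uptime] [iptables] - <text from --log-prefix>: KEY=VALUE KEY=VALUE ..."
LINE_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\] )?\[iptables\] - (?P<verdict>[^:]+): (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict of the netfilter fields for one iptables log line, or None.

    The first check mirrors rsyslog's 'contains' test; lines from other daemons
    never get as far as the field parser.
    """
    if TAG not in line:
        return None
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))  # bare flags (DF, SYN) are ignored
    rec["verdict"] = m.group("verdict").strip()       # e.g. "denied (ipset)" or "accepted"
    return rec


def summarize(log_text):
    """Count denied hits per (SRC, PROTO, DPT) plus accepted and skipped totals."""
    denied = Counter()
    accepted = skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["verdict"].startswith("denied"):
            denied[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
        else:
            accepted += 1
    return {"denied": denied, "accepted": accepted, "skipped": skipped}


def top_denied_sources(log_text, n=5):
    """Most frequently dropped source addresses, for a quick daily report."""
    by_src = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"].startswith("denied") and "SRC" in rec:
            by_src[rec["SRC"]] += 1
    return by_src.most_common(n)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("accepted:", report["accepted"], "skipped:", report["skipped"])
    for (src, proto, dpt), count in sorted(report["denied"].items()):
        print(f"denied {src} {proto}/{dpt}: {count}")
    print("top sources:", top_denied_sources(SAMPLE_LOG))
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/log/iptables.log (or pipe the file in); because every field is taken from the KEY=VALUE list rather than from fixed positions, the parser keeps working when netfilter adds or omits fields such as MAC= or WINDOW=.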


Security, Linux, Networking, System Administration

Nginx and Apache Developer Sandboxes

Nov 13, 2017 by derek

We do a lot of development on many different projects concurrently, as well as just having a place to play. With that, we didn't want to have folks create a vhost for every project. Having to maintain what was what (needed, old, etc.) would quickly become a big pain in the a$$. So we employed some simple host-name rules (a regex server_name in nginx, mod_rewrite in Apache), and our devs can now create a project/sandbox just by creating a directory.

Each user has a 'sandbox' directory in their home directory on the development server, and a request for user.site.sandbox.domain.com is served out of /home/user/sandbox/site.

Nginx (server block):

server {
	listen 80;
	listen [::]:80;

	# user.site.sandbox.domain.com -> /home/user/sandbox/site
	# \w+ limits each label to [A-Za-z0-9_], so nothing in the Host header can add path components
	server_name ~^(?<user>\w+)\.(?<site>\w+)\.sandbox\.domain\.com$;
	root /home/$user/sandbox/$site;

	access_log /var/log/nginx/sandbox.domain.com_access.log;
	error_log /var/log/nginx/sandbox.domain.com_error.log error;

	# Add index.php to the list if you are using PHP
	index index.php index.html index.htm index.nginx-debian.html;

	location / {
		try_files $uri $uri/ =404;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php5-fpm.sock;
	}
}

Apache (virtual host):

<VirtualHost *:80>
    ServerAlias *
    ServerAlias *.*

    RewriteEngine on
    # Forbid anything that is not user.site.sandbox.domain.com; the condition guards the [F] rule,
    # otherwise an unconditional "RewriteRule .* - [F]" would 403 every request
    RewriteCond %{HTTP_HOST} !^\w+\.\w+\.sandbox\.domain\.com$ [NC]
    RewriteRule .* - [F]
    # Map user.site.sandbox.domain.com/path to /home/user/sandbox/site/path
    # (\w+) rather than (.*) for each label, matching the nginx config above, so the Host header
    # can only ever contribute a plain directory name to the path
    RewriteCond %{HTTP_HOST} ^(\w+)\.(\w+)\.sandbox\.domain\.com$ [NC]
    RewriteRule ^/(.*)$ /home/%1/sandbox/%2/$1 [L]

    LogLevel warn
    LogFormat "%V:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined_remote
    ErrorLog /var/log/apache2/sandbox.domain.com_error.log
    CustomLog /var/log/apache2/sandbox.domain.com_access.log vhost_combined_remote

    # The Directory path below is assumed (the original tag did not survive in the post); adjust to your sandbox root
    <Directory /home/*/sandbox>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

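To see exactly which requests the host-name mapping lets through, here is an added Python model of the vhost's routing decision; it is an example written for this page, not code from the original post or from nginx or Apache. It uses the same host pattern as the nginx server_name (Python named-group syntax instead of PCRE's), returns 403 for a host that is not a sandbox host (the Apache forbid rule), walks the index list the way try_files $uri $uri/ does, and adds a realpath containment check so that whatever the request path normalises to must stay under the user's sandbox. The directory tree it serves from is created in a temporary directory inside the script, so it runs offline; "derek" and "blog" are made-up user and site names.

```python
import os
import re
import tempfile

# Same pattern as the nginx server_name, in Python syntax.  re.ASCII keeps \w at
# [A-Za-z0-9_] as PCRE does, so a label can never contain '.', '/' or '..'.
# IGNORECASE mirrors Apache's [NC]; nginx lower-cases the Host header before matching.
HOST_RE = re.compile(
    r"^(?P<user>\w+)\.(?P<site>\w+)\.sandbox\.domain\.com$", re.ASCII | re.IGNORECASE
)
INDEX_FILES = ("index.php", "index.html", "index.htm")


def sandbox_docroot(host, home_base="/home"):
    """Map user.site.sandbox.domain.com to /home/user/sandbox/site, or None if no match."""
    host = host.split(":", 1)[0]            # a Host header may carry a :port
    m = HOST_RE.match(host)
    if m is None:
        return None
    return os.path.join(home_base, m["user"], "sandbox", m["site"])


def resolve(host, uri, home_base="/home"):
    """Return (status, path) the way the vhost would: 403 for a non-sandbox host,
    404 when try_files finds nothing, 200 with the file that would be served."""
    root = sandbox_docroot(host, home_base)
    if root is None:
        return 403, None                    # the "RewriteRule .* - [F]" case
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, uri.lstrip("/")))
    # belt and braces: the normalised request path must stay inside the docroot
    if os.path.commonpath([root, candidate]) != root:
        return 403, None
    if os.path.isdir(candidate):            # try_files $uri/  -> index directive
        for name in INDEX_FILES:
            index = os.path.join(candidate, name)
            if os.path.isfile(index):
                return 200, index
        return 404, None
    if os.path.isfile(candidate):           # try_files $uri
        return 200, candidate
    return 404, None


def demo():
    """Build a throw-away sandbox tree (constructed data) and exercise the routing."""
    base = tempfile.mkdtemp()
    site = os.path.join(base, "derek", "sandbox", "blog")
    os.makedirs(site)
    with open(os.path.join(site, "index.html"), "w") as fh:
        fh.write("<h1>blog sandbox</h1>\n")
    return (
        resolve("derek.blog.sandbox.domain.com", "/", base)[0],                  # 200 via index.html
        resolve("derek.blog.sandbox.domain.com:80", "/index.html", base)[0],    # 200, port ignored
        resolve("derek.blog.sandbox.domain.com", "/nope.html", base)[0],        # 404
        resolve("derek.blog.sandbox.domain.com", "/../../shared.html", base)[0],  # 403, leaves the docroot
        resolve("www.domain.com", "/", base)[0],                                # 403, not a sandbox host
        resolve("a.b.c.sandbox.domain.com", "/", base)[0],                      # 403, \w+ allows no extra labels
    )


if __name__ == "__main__":
    print(sandbox_docroot("derek.blog.sandbox.domain.com"))  # /home/derek/sandbox/blog
    print(demo())                                             # (200, 200, 404, 403, 403, 403)
```

The containment check is the part worth carrying over to any variant of this setup: both servers already normalise the request path, so it is redundant with a \w+ host pattern, but it is what keeps you safe if someone later loosens the pattern to accept dots or dashes in user or site names.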
Linux, Nginx, Apache



© 2016 Derek Neely