Friday, April 20, 2012

Iptables: My most used commands

SkyHi @ Friday, April 20, 2012

This is a small iptables manual: the basic commands you need to know to keep a Linux box reasonably locked down. All of the commands below have to run as root.

Basic commands

List rules
iptables -L
This lists the default table, filter. You will usually prefer iptables -L -vn: -v adds per-rule packet and byte counters and the interfaces, and -n prints addresses and ports as numbers instead of doing (slow) reverse DNS and service-name lookups.
List rules in specific table
iptables -L -t nat
You can also list the other tables: mangle, raw and security. The Tables section of the iptables man page explains what each one is for.
Flush all rules
iptables -F
This flushes the filter table only; every other table has to be flushed separately.
Flush a specific table, like nat
iptables -t nat -F
Specify chain policies
iptables lets you set a default policy for the built-in chains of the filter table; INPUT, FORWARD and OUTPUT are the ones you will use most. The policy is what happens to a packet that matches none of the rules in the chain. Users can also define their own chains, but only the built-in chains carry a policy: a packet that reaches the end of a user-defined chain returns to the chain that called it.
The path a packet takes through these chains is shown in a diagram from Wikipedia ("iptables chains"; the image is not reproduced here).
iptables -P INPUT DROP
iptables -P OUTPUT DROP
You can set the default policy to ACCEPT and then deny specific traffic, or set it to DROP and then open only the traffic you need to and from the box. The second approach is more secure but takes more work, and you must add the ACCEPT rules before switching the policy to DROP, or you will cut off your own session.
Block traffic from a specific IP or network
Block from an IP
iptables -A INPUT -s -j DROP
If you want to block it only on a specific NIC
iptables -A INPUT -s -i eth0 -j DROP
Or only on a specific port (here SSH; the protocol must be given with -p before a port option can be used)
iptables -A INPUT -s -p tcp --dport 22 -j DROP
Or a whole network (in CIDR notation) instead of a single IP
iptables -A INPUT -s -j DROP
Block traffic from a specific MAC address
Suppose you want to block traffic from a MAC address instead of an IP address. This is handy when a DHCP server keeps changing the IP of the machine you want to keep out. Note that the mac match only makes sense in the INPUT, FORWARD and PREROUTING chains, and the source MAC it sees is that of the last hop on your own Ethernet segment, so it cannot identify a host on the far side of a router.
iptables -A INPUT -m mac --mac-source 00:11:2f:8f:f8:f8 -j DROP
Block a specific port
If all you want is to block a port, iptables can do that too, for incoming or outgoing traffic.
Block incoming traffic to a port
Suppose we need to block port 21 for incoming traffic:
iptables -A INPUT -p tcp --destination-port 21 -j DROP
But if you have a two-NIC server, with one NIC facing the Internet and the other facing your local private network, and you only want to block FTP access from the outside world:
iptables -A INPUT -i eth1 -p tcp --destination-port 21 -j DROP
Here I'm assuming eth1 is the one facing the Internet. -p may appear only once in a rule, and it has to precede --destination-port, which belongs to the tcp match.
You can also block a port from a specific IP address:
iptables -A INPUT -p tcp -s --destination-port 21 -j DROP
Or block access to a port from everywhere except a specific IP range. The ! negates the match; recent iptables versions expect the ! in front of the option (! -s) and print a deprecation warning for the older -s ! form shown here, which still works.
iptables -A INPUT -p tcp -s ! --destination-port 21 -j DROP
Block outgoing traffic to a port
If you want to forbid outgoing traffic to port 25, for example because you run a Linux firewall for your office and want to stop malware on the workstations from sending mail directly to the Internet:
iptables -A FORWARD -p tcp --dport 25 -j DROP
I'm using FORWARD because in this example the server is a firewall routing for other machines; add the same rule to OUTPUT if you also want to block the server's own traffic.
Log traffic, before taking action
Sometimes you want to log traffic before blocking it. Say there is an office rule that nobody logs into a given server, you enforce it by blocking the SSH port, and you also want to find out who tried:
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "dropped access to port 22"
iptables -A INPUT -p tcp --dport 22 -j DROP
The LOG target does not stop rule processing, so the DROP rule after it is what actually blocks the connection. The log line, including the source IP, goes to the kernel log (dmesg, /var/log/messages or journalctl -k). On a port exposed to the Internet, rate-limit LOG rules with the limit match, or anyone can fill your logs.

Tips and Tricks

Because iptables evaluates the rules of a chain in order and the first matching terminating rule wins, a rule appended (-A) after a broader one never fires. To change behaviour you often have to insert the new rule at a specific position.
List rules with numbers
iptables -nL --line-numbers
This lists all your rules with their position number in front.
List specific chains
iptables -nL INPUT
Lists all INPUT rules.
iptables -nL FORWARD
Lists all FORWARD rules.
Insert rules
Decide where the new rule should go (from the numbered listing) and insert it at that position:
iptables -I INPUT 3 -s -j ACCEPT
This puts the rule at position 3 of the chain; the rules from position 3 onward move down by one. Without a number, -I inserts at position 1.
Delete rules
iptables -D INPUT 3
This removes rule number 3, the one inserted above. The remaining rules are renumbered afterwards, so when removing several rules by number, delete from the highest position down. You can also delete a rule by specifying it exactly as it was added:
iptables -D INPUT -s -j ACCEPT
Flush all rules and delete all chains
These steps are handy if you want to start with completely empty, default tables:
iptables --flush
iptables --table nat --flush
iptables --table mangle --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table mangle --delete-chain
NOTE: a flush removes the rules but leaves the chain policies as they are. If a policy is DROP, flushing away the ACCEPT rules locks you out of an ssh session, so set the INPUT, FORWARD and OUTPUT policies back to ACCEPT with -P before you flush. The raw table, not listed above, is flushed the same way. Better yet, do such resets from the console, or schedule a job that restores the previous rules a few minutes later and cancel it once you know you still have access.
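To put the points of this section together (rule order, LOG before DROP, policies surviving a flush), here is an added example script that is not part of the original post. It resets the firewall without locking you out, then builds a default-deny INPUT chain. The admin network 192.0.2.0/24 and keeping HTTP open are assumptions; by default it only prints the iptables commands it would run, and executes them only when invoked as "apply".

```shell
#!/bin/sh
# Added example, not from the original post. Resets the firewall without
# locking yourself out, then builds a default-deny INPUT chain in first-match
# order with a rate-limited LOG before the DROP for SSH.
# Assumptions: the admin network below, and that HTTP (80) should stay open.
# With DRY_RUN=1 (the default) the iptables commands are printed, not run;
# invoke as "./fw.sh apply" to execute them.
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}   # assumed network allowed to use SSH
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

reset_firewall() {
    # Policies first: -F removes rules but leaves policies in place, so
    # flushing while INPUT is DROP is exactly how an ssh session gets cut.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    for t in filter nat mangle raw; do
        ipt -t "$t" -F      # flush every chain of the table
        ipt -t "$t" -X      # delete user-defined chains
    done
}

build_ruleset() {
    # ACCEPT rules go in before the policy is switched to DROP, and in
    # first-match order: loopback, existing connections, then services.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    # LOG is non-terminating, so it must come before the DROP. It is also
    # rate-limited: an unlimited LOG rule on an exposed port lets anyone
    # fill the kernel log and the disk behind it.
    ipt -A INPUT -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "ipt-ssh-drop: " --log-level 4
    ipt -A INPUT -p tcp --dport 22 -j DROP
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    # Policy last, once everything that must stay reachable is accepted.
    ipt -P INPUT DROP
}

case "${1:-}" in
    apply) DRY_RUN=0; reset_firewall; build_ruleset ;;
    *)     reset_firewall; build_ruleset ;;     # dry run: print only
esac
```

Run it once in dry-run mode and read the output top to bottom: the order you see is the order the kernel evaluates. When applying it over ssh, keep a second way in, or schedule reset_firewall to run a few minutes later and cancel it once you have confirmed you still have access. The conntrack match is the current name of the state match used elsewhere on this page.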

Simple scripts for specific needs

How to stop brute force attacks
You can also use iptables to slow down brute force attacks against your server. For example: allow only three new SSH connections from one IP within 15 minutes and drop further ones until that IP has been quiet for 15 minutes. Legitimate users can still log in, but password-guessing bots cannot. The counter is per new TCP connection, not per failed login, so a user who opens a fourth session within the window is dropped as well. This limits the guessing rate; it does not stop guessing, so keep using strong passwords (or, better, keys).
iptables -F
# loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# replies belonging to connections already accepted (the state match is the older name for conntrack)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# services
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport www -j ACCEPT
# Brute-force guard. Both rules are inserted with -I, so the second one ends up first in
# the chain: a new SSH connection first hits --update, which matches (and drops) only if the
# source has already been seen 3 times in the last 900 seconds; otherwise --set records the
# attempt and the ACCEPT rule above lets it through. The 4th attempt within 15 minutes is
# dropped, and --update refreshes the timestamp, so the ban lasts until the attacker stops.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 900 --hitcount 3 -j DROP
# policy last, after the ACCEPT rules are in place (OUTPUT keeps its default ACCEPT policy)
iptables -P INPUT DROP
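The script above counts connections in the recent module's default list and stacks two -I inserts, which is easy to get backwards. As an added example (not part of the original post), the following script does the same in a dedicated chain with a named list, exempts an admin network, logs each ban, and adds helpers to inspect and clear bans through /proc/net/xt_recent. The list name SSH, the interface eth0 and the network 192.0.2.0/24 are assumptions; it prints the commands unless run with "apply".

```shell
#!/bin/sh
# Added example, not from the original post: SSH connection-rate guard with
# a named xt_recent list, an exempt admin network and an unban helper.
# Assumptions: list name, interface and admin network below.
# Dry-run (prints the commands) unless invoked as "apply".
LIST=${LIST:-SSH}                       # name of the xt_recent list
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}    # assumed never-banned network
WAN_IF=${WAN_IF:-eth0}
WINDOW=${WINDOW:-900}                   # seconds (15 minutes)
HITS=${HITS:-3}                         # connections allowed per window
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

install_rules() {
    # Rules are appended in evaluation order, which is easier to audit
    # than several -I inserts whose final order is the reverse.
    ipt -N SSH_GUARD
    ipt -A SSH_GUARD -s "$ADMIN_NET" -j ACCEPT
    # --update with --seconds/--hitcount matches only once the source already
    # has HITS entries inside the window, so attempt number HITS+1 is the
    # first one dropped, and every further attempt renews the ban because
    # --update refreshes the timestamp. The LOG copy is rate-limited.
    ipt -A SSH_GUARD -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" \
        -m limit --limit 3/minute -j LOG --log-prefix "ssh-ban: "
    ipt -A SSH_GUARD -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    ipt -A SSH_GUARD -m recent --name "$LIST" --set -j ACCEPT
    # Only new connections are counted; established sessions should already
    # be accepted by an ESTABLISHED,RELATED rule earlier in INPUT.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
}

show_list() {
    # One line per tracked source address with its recorded timestamps.
    cat "/proc/net/xt_recent/$LIST"
}

unban() {
    # Writing "-<address>" to the list file removes that address ("/" clears all).
    [ -n "$1" ] || { echo "usage: unban <ip>" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo -%s > /proc/net/xt_recent/%s\n' "$1" "$LIST"
    else
        echo "-$1" > "/proc/net/xt_recent/$LIST"
    fi
}

case "${1:-}" in
    apply) DRY_RUN=0; install_rules ;;
    unban) DRY_RUN=0; unban "$2" ;;
    list)  show_list ;;
    *)     install_rules ;;   # dry run: print only
esac
```

The recent module keeps at most 20 timestamps per address and 100 addresses per list by default (the ip_pkt_list_tot and ip_list_tot module parameters), so keep --hitcount well below 20 and raise the list size if you expect many scanners at once.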
How to NAT with iptables
iptables is also very useful for building NAT routers: a Linux machine can act as a router and share its public IP with a private network behind it, and it usually runs the DHCP server for that network as well.
To build a NAT router you will want a server with two NICs; let's suppose you have:
  • eth0:
  • eth1:
Now configure NAT so that all traffic from the internal network leaves through the eth0 address (masquerading). You may want to empty all tables and start with fresh chains and tables first (see how above).
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
That is it; you only have to enable forwarding in the kernel now. This setting does not survive a reboot; make it permanent through net.ipv4.ip_forward in /etc/sysctl.conf. Note that the FORWARD rule above only covers traffic arriving on eth1; return traffic from the Internet is forwarded only because the FORWARD policy is still ACCEPT. If you set that policy to DROP, you also need a FORWARD rule accepting ESTABLISHED,RELATED traffic.
echo 1 > /proc/sys/net/ipv4/ip_forward
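As an added example (not the original post's commands), here is the same NAT setup written as a reviewable script with a DROP policy on FORWARD, the return-traffic rule that then becomes necessary, and a DNAT port-forward to an internal host, which is the usual next step on a NAT router. eth0 (Internet), eth1 with 192.168.1.0/24 (LAN) and the internal host 192.168.1.10 on port 443 are assumptions; it prints the commands unless run with "apply".

```shell
#!/bin/sh
# Added example, not from the original post: stateful NAT router with a
# port-forward. Assumptions: eth0 faces the Internet, eth1 faces the LAN
# 192.168.1.0/24, and public TCP 443 is forwarded to 192.168.1.10.
# Dry-run (prints the commands) unless invoked as "apply".
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DNAT_HOST=${DNAT_HOST:-192.168.1.10}
DNAT_PORT=${DNAT_PORT:-443}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

sysctl_forward() {
    # /proc is reset at boot; net.ipv4.ip_forward=1 also belongs in
    # /etc/sysctl.conf (or /etc/sysctl.d/) to survive a reboot.
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

build_nat() {
    # Only masquerade traffic that really came from the LAN; a bare
    # "-o eth0 -j MASQUERADE" also rewrites anything else routed out.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Port-forward: rewrite the destination before the routing decision.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$DNAT_PORT" \
        -j DNAT --to-destination "$DNAT_HOST:$DNAT_PORT"

    # FORWARD is where the policy lives. With a DROP policy, return traffic
    # needs an explicit ESTABLISHED,RELATED rule; the post's single
    # "-i eth1 -j ACCEPT" only works because FORWARD defaults to ACCEPT.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Let the forwarded connection through; FORWARD sees the already
    # translated destination address.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$DNAT_HOST" --dport "$DNAT_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -P FORWARD DROP
}

case "${1:-}" in
    apply) DRY_RUN=0; build_nat; sysctl_forward ;;
    *)     build_nat; sysctl_forward ;;   # dry run: print only
esac
```

The nat table is consulted only for the first packet of a connection; replies are translated back automatically from the conntrack entry, which is why no reverse rules are needed for the DNAT.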


Wednesday, April 18, 2012

Sendmail High Volume Mail

SkyHi @ Wednesday, April 18, 2012
# Copyright (c) 2001 Sendmail, Inc. and its suppliers.
# All rights reserved.
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
# $Id: TUNING,v 1.16 2001/08/19 21:03:38 gshapiro Exp $

** This is a DRAFT, comments are welcome! **

If the default configuration of sendmail does not achieve the
required performance, there are several configuration options that
can be changed to accomplish higher performance.  However, before
those options are changed it is necessary to understand why the
performance is not as good as desired.  This may also involve hardware
and software (OS) configurations which are not extensively explored
in this document.  We assume that your system is not limited by
network bandwidth because optimizing for this situation is beyond
the scope of this guide.  In almost all other cases performance will
be limited by disk I/O.

This text assumes that all options which are mentioned here are
familiar to the reader, they are explained in the Sendmail Installation
and Operations Guide; doc/op/op.txt.

There are basically three different scenarios which are treated
in the following:
* Mailing Lists and Large Aliases (1-n Mailing)
* 1-1 Mass Mailing
* High Volume Mail

Depending on your requirements, these may need different options
to optimize sendmail for the particular purpose.  It is also possible
to configure sendmail to achieve good performance in all cases, but
it will not be optimal for any specific purpose.  For example, it
is non-trivial to combine low latency (fast delivery of incoming
mail) with high overall throughput.

Before we explore the different scenarios, a basic discussion about
disk I/O, delivery modes, and queue control is required.

* Disk I/O

In general mail will be written to disk before a delivery attempt
is made.  This is required for reliability and should only be changed
in a few specific cases that are mentioned later on.  To achieve
better disk I/O performance the queue directories can be spread
over several disks to distribute the load.  This is some basic tuning
that should be done in all cases where the I/O speed of a single
disk is exceeded, which is true for almost every high-volume
situation except if a special disk subsystem with large (NV)RAM
buffer is used.

Depending on your OS there might be ways to speed up I/O, e.g.,
using softupdates or turning on the noatime mount option.  If this
is done make sure the filesystem is still reliable, i.e., if fsync()
returns without an error, the file has really been committed to

* Queueing Strategies and DeliveryMode

There are basically three delivery modes:

background: incoming mail will be immediately delivered by a new process
interactive: incoming mail will be immediately delivered by the same process
queue: incoming mail will be queued and delivered by a queue runner later on

The first offers the lowest latency without the disadvantage of the
second, which keeps the connection from the sender open until the
delivery to the next hop succeeded or failed.  However, it does not
allow for a good control over the number of delivery processes other
than limiting the total number of direct children of the daemon
processes (MaxChildren) or by load control options (RefuseLA,
DelayLA).  Moreover, it can't make as good use as 'queue' mode can
for connection caching.

Interactive DeliveryMode should only be used in rare cases, e.g.,
if the delivery time to the next hop is a known quantity or if the
sender is under local control and it does not matter if it has to
wait for delivery.

Queueing up e-mail before delivery is done by a queue runner allows
the best load control but does not achieve as low latency as the
other two modes.  However, this mode is probably also best for
concurrent delivery since the number of queue runners can be specified
on a queue group basis.  Persistent queue runners (-qp) can be used
to minimize the overhead for creating processes because they just
sleep for the specified interval (which should be short) instead of
exiting after a queue run.

* Queue Groups

In most situations disk I/O is a bottleneck which can be mitigated
by spreading the load over several disks.  This can easily be achieved
with different queue directories.  sendmail 8.12 introduces queue
groups which are collections of queue directories with similar
properties, i.e., number of processes to run the queues in the
group, maximum number of recipients within an e-mail (envelope),
etc.  Queue groups allow control over the behaviour of different
queues.  Depending on the setup, it is usually possible to have
several queue runners delivering mails concurrently which should
increase throughput.  The number of queue runners can be controlled
per queue group (Runner=) and overall (MaxQueueChildren).

* DNS Lookups

By default sendmail canonifies host names using DNS lookups.  This
replaces unqualified host names with fully qualified ones, and CNAMEs
with the non-aliased name.  However, these lookups can take a while
for large address lists, e.g., mailing lists.  If you can assure by
other means that host names are canonical, you should use

  FEATURE(`nocanonify', `canonify_hosts')

in your .mc file.  For further information on this feature and
additional options see cf/README.  If sendmail is invoked directly
to send e-mail then either the -G option should be used or


should be added to the .mc file.

* Mailing Lists and Large Aliases (1-n Mailing)

Before 8.12 sendmail delivered an e-mail sequentially to all its
recipients.  For mailing lists or large aliases the overall delivery
time can be substantial, especially if some of the recipients are located
at hosts that are slow to accept e-mail.  Some mailing list software
therefore "split" up e-mails into smaller pieces with fewer recipients.
sendmail 8.12 can do this itself, either across queue groups or
within a queue directory.  For the former the option SplitAcrossQueueGroups
option must be set, the latter is controlled by the 'r=' field of
a queue group declaration.

Let's assume a simple example: a mailing lists where most of
the recipients are at three domains: the local one (local.domain)
and two remotes (one.domain, two.domain) and the rest is scattered
over several other domains.  For this case it is useful to specify
three queue groups:

QUEUE_GROUP(`local', `P=/var/spool/mqueue/local, F=f, R=2, I=1m')dnl
QUEUE_GROUP(`one', `P=/var/spool/mqueue/one, F=f, r=50, R=3')dnl
QUEUE_GROUP(`two', `P=/var/spool/mqueue/two, F=f, r=30, R=4')dnl
QUEUE_GROUP(`remote', `P=/var/spool/mqueue/remote, F=f, r=5, R=8, I=2m')dnl
define(`ESMTP_MAILER_QGRP', `remote')dnl
define(`confSPLIT_ACROSS_QUEUEGROUPS', `True')dnl
define(`confDELIVERY_MODE', `q')dnl
define(`confMAX_QUEUE_CHILDREN', `50')dnl
define(`confMIN_QUEUE_AGE', `27m')dnl

and specify the queuegroup ruleset as follows (as in every sendmail
ruleset, the left-hand side and the right-hand side of each R line
must be separated by a tab, not by spaces):

R$* @ local.domain	$# local
R$* @ $* one.domain	$# one
R$* @ $* two.domain	$# two
R$* @ $*	$# remote
R$*	$# mqueue

Now it is necessary to control the number of queue runners, which
is done by MaxQueueChildren.  Starting the daemon with the option
-q5m assures that the first delivery attempt for each e-mail is
done within 5 minutes, however, there are also individual queue
intervals for the queue groups as specified above.  MinQueueAge
is set to 27 minutes to avoid that entries are run too often.

Notice: if envelope splitting happens due to alias expansion, and
DeliveryMode is not 'i'nteractive, then only one envelope is sent
immediately.  The rest (after splitting) are queued up and queue
runners must come along and take care of them.  Hence it is essential
that the queue interval is very short.

* 1-1 Mass Mailing

In this case some program generates e-mails which are sent to
individual recipients (or at most very few per e-mail).  A simple
way to achieve high throughput is to set the delivery mode to
'interactive', turn off the SuperSafe option and make sure that the
program that generates the mails can deal with mail losses if the
server loses power.  In no other case should SuperSafe be set to
'false'.  If these conditions are met, sendmail does not need to
commit mails to disk but can buffer them in memory which will greatly
enhance performance, especially compared to normal disk subsystems, e.g.,
non solid-state disks.

* High Volume Mail

For high volume mail it is necessary to be able to control the load
on the system.  Therefore the 'queue' delivery mode should be used,
and all options related to number of processes and the load should
be set to reasonable values.  It is important not to accept mail
faster than it can be delivered otherwise the system will be
overwhelmed.  Hence RefuseLA should be lower than QueueLA, the number
of daemon children should probably be lower than the number of queue
runners (MaxChildren vs. MaxQueueChildren).  DelayLA is a new option
in 8.12 which allows delaying connections instead of rejecting them.
This may result in a smoother load distribution depending on how
the mails are submitted to sendmail.

* Miscellaneous

Other options that are interesting to tweak performance are
(in no particular order):

SuperSafe: if interactive DeliveryMode is used, then this can
be set to the new value "interactive" in 8.12 to save some disk
synchronizations which are not really necessary in that mode.



SkyHi @ Wednesday, April 18, 2012
Next up is /etc/sysconfig/sendmail. This file assigns a few simple variables used by the sendmail init script. By default it contains the following:
This tells the init script to run sendmail as a daemon and to process its queue once an hour. Depending on your environment you may need to change these values. If you run a 24x7 mail host, note that RFC 5321 (section 4.5.4.1) says the retry interval for a destination that has failed SHOULD be at least 30 minutes, so a very short queue run interval is only acceptable if MinQueueAge (see the TUNING text above) keeps individual messages from being retried that often.

Change the Queue Runner Interval in Sendmail
The default in CentOS 5.x is 1 hour:
# pgrep -lf "Queue runner"
12443 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
You can change it by editing /etc/sysconfig/sendmail (e.g. to set 30 minutes):
It’s easy, isn’t it? Useful for mail backup MXs that may need shorter queue run times.


Monday, April 16, 2012

How to Change Reply-To Email Address in Outlook 2010

SkyHi @ Monday, April 16, 2012
Sometimes you might want to send email from one account (e.g. your personal account) but have replies from your recipients go to another account (e.g. your business account), or vice versa.
This is how you do it on a per-message basis.
  1. Launch Outlook 2010.
  2. From the Home tab of the ribbon, click the New E-mail button.
  3. In the New E-mail window, click the Options tab.
  4. On the Options ribbon, click Direct Replies To to open the Properties dialog.
  5. Under Delivery options, make sure the Have replies sent to: checkbox is checked, then specify the email address replies should go to. (You can also click the Select Names… button to pick one from your contacts.)
You are done!  Now send yourself a test message.  When you receive the test message, hit reply to confirm it is showing the proper alternate Reply-To email address.
Now you know how to change the Reply-To email address on a per-message basis.