LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-24-2007, 10:08 AM   #1
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,695

Rep: Reputation: 56
About iptables rules


Hi folks,


Ubuntu 7.04 lamp server amd64 - Host OS
VMware
Guest OS - not yet installed.
Iptables-1.3.6


$ cat /etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.10
        netmask 255.255.255.0
        gateway 192.168.0.1

The browser can connect to the Internet w/o problem.


After performing the following steps to set up iptables, the Internet connection was blocked.

Edited /etc/rc.local and entered the following rules in it:
Code:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

#exit 0

#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable


#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.10 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

$ sudo /etc/init.d/rc.local start
Code:
 * Running local boot scripts (/etc/rc.local)                                                     [ OK ]
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.1         reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  127.0.0.10           anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable

$ ping -c3 yahoo.com
Code:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable

--- yahoo.com ping statistics ---
0 packets transmitted, 0 received, +3 errors
Failed.


I have to run the following command to stop iptables.

$ sudo iptables -F
No complaint

$ ping -c3 yahoo.com
Code:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=55 time=242 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=54 time=247 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=54 time=246 ms

--- yahoo.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 242.397/245.283/247.256/2.086 ms
The Internet connection then worked.


Please advise where it goes wrong. TIA


B.R.
satimis
 
Old 08-25-2007, 09:49 AM   #2
ComputerHermit_
LQ Newbie
 
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23

Rep: Reputation: 15
ok

That's pretty far out, man. I never did iptables like that before. I was reading around and I read you can spend a lifetime on iptables because it's sooo awesome :-))
 
Old 08-25-2007, 06:10 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
The reason ping doesn't work is because you don't have any OUTPUT rule allowing it (ICMP type 8 packets) - so the ICMP packets run into the last rule and get sent to REJECT.
Quote:
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
Quote:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
BTW, why are you doing this with inserts instead of appends? It makes it a PITA to make edits.

Last edited by win32sux; 08-25-2007 at 06:39 PM.
 
Old 08-25-2007, 08:04 PM   #4
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,695

Original Poster
Rep: Reputation: 56
Quote:
Originally Posted by win32sux
The reason ping doesn't work is because you don't have any OUTPUT rule allowing it (ICMP type 8 packets) - so the ICMP packets run into the last rule and get sent to REJECT.

BTW, why are you doing this with inserts instead of appends? It makes it a PITA to make edits.
Hi win32sux,


Tks for your advice.


I'm building a Virtual Machine with a LAMP server running on Ubuntu 7.04 amd64 as the Host OS. This VM will be for testing only. I found the following guides on the Internet:

http://searchservervirtualization.te...242833,00.html


and am following them to proceed. VMware is now running on this PC. I haven't installed the Guest OS yet.


The rules posted came from the guides with little modification.


Network connection:
Server -> Router -> DSL Modem -> ISP

The router with 4 ports and the modem are supplied by the ISP. 192.168.0.1 has been locked by the ISP with a password; I need a login and password to access it. This address is now used as the Gateway address.

192.168.0.10 is reserved for the server. The other 3 ports are connected to workstations. I have a fixed IP provided by the ISP and a domain name registered with GoDaddy. The server after setup will serve the LAN as well as the Internet.


I won't run this server as a workstation. While installing this VM, I need to search technical documents on the Internet. Therefore I run X with limited components of X installed, such as Fluxbox (desktop manager), a GUI browser - Firefox (I'm not experienced in running a TEXT browser), a GUI text editor (leafpad), Rox filer, screenshot, etc. X won't start at boot.


That is the whole story.



B.R.
satimis

Last edited by satimis; 08-25-2007 at 08:07 PM.
 
Old 08-25-2007, 08:44 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
I see. Well, I must admit it's the first time I've seen that style script. On a side note, I noticed you made a typo with the loopback interface address. It's supposed to be "127.0.0.1", not "127.0.0.10". You should probably fix that. So did you get your ping issue sorted-out? Using the same style as your other rules, one like this should let you ping:
Code:
iptables -I OUTPUT -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

Last edited by win32sux; 08-25-2007 at 08:56 PM.
 
Old 08-26-2007, 11:22 AM   #6
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,695

Original Poster
Rep: Reputation: 56
Hi win32sux


Quote:
I see. Well, I must admit it's the first time I've seen that style script. On a side note, I noticed you made a typo with the loopback interface address. It's supposed to be "127.0.0.1", not "127.0.0.10". You should probably fix that. So did you get your ping issue sorted-out?
Oh, correct it. Tks.

Still having problem.

$ sudo /etc/rc.local start
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
It hung here until I cancelled it.

$ ping -c3 yahoo.com
Code:
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
It hung here.


Quote:
Using the same style as your other rules, one like this should let you ping:
Code:
iptables -I OUTPUT -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
Changed the line:
Code:
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
to:
Code:
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
$ sudo /etc/rc.local start

$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  192.168.0.10         anywhere            icmp echo-request 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable
$ ping -c3 yahoo.com
ping: unknown host yahoo.com

Still failed.

$ cat /etc/rc.local
Code:
#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable

#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8


# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

B.R.
satimis
 
Old 08-26-2007, 05:57 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
You weren't supposed to replace the DNS rule with the ping one, just simply add the ping rule. The reason your "iptables -L" stalled and why you are now getting a "unknown host" error is because without the DNS rule your box can't do any DNS lookups. The idea was for you to end up with something like:
Code:
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 5 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

Last edited by win32sux; 08-26-2007 at 05:59 PM.
 
Old 08-26-2007, 08:15 PM   #8
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,695

Original Poster
Rep: Reputation: 56
Quote:
Originally Posted by win32sux
You weren't supposed to replace the DNS rule with the ping one, just simply add the ping rule. The reason your "iptables -L" stalled and why you are now getting a "unknown host" error is because without the DNS rule your box can't do any DNS lookups. The idea was for you to end up with something like:
Code:
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 5 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
Hi win32sux,


Edited /etc/rc.local

$ cat /etc/rc.local
Code:
#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable



#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 5 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

$ sudo /etc/init.d/rc.local start
No complaint

$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
ACCEPT     icmp --  192.168.0.10         anywhere            icmp echo-request 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable
It took a prolonged time to generate each line.

$ ping -c3 yahoo.com
Code:
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=54 time=179 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=54 time=180 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=3 ttl=55 time=178 ms

--- yahoo.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 178.975/179.568/180.084/0.668 ms
Ping OK. But can't browse the Internet.


B.R.
satimis
 
Old 08-26-2007, 08:48 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by satimis
Ping OK. But can't browse Internet
Perfectly normal, as the rules you've used don't allow outgoing HTTP/HTTPS packets. Please understand that the tutorial you used provides you with a very restrictive set of rules. I haven't really read the tutorial so I don't know the reasoning behind the rules, but this is indeed the behavior they are designed for. Typically this is for security reasons (as in "nobody should be surfing the Web on this box", etc.) - in fact, adding the ping rule in and of itself could be considered a security issue if the idea was to have a full-lockdown of anything outgoing from 192.168.0.10 besides DNS.

Do you need to always be able to ping and surf the Web and stuff from this IP on this box? If so, you have chosen the wrong iptables script to get started with. In any case, here's what it would look like if you wanted to allow HTTP and HTTPS (once again, using the same style):
Code:
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

# allow all HTTP from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80

# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 7 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
By now you should have figured-out that you'll need to add rules in this manner for whatever service you want to allow access for.

Last edited by win32sux; 08-26-2007 at 08:51 PM.
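Pulling the advice in this thread together (append rather than insert, keep the DNS rule, add ICMP type 8 and HTTP/HTTPS, and reset the chains first so that re-running rc.local does not stack a second copy of every rule, which is what the repeated entries in the first "iptables -L" listing above show), here is the same INPUT/OUTPUT policy as a small POSIX shell script. This is an added example, not code from the thread, from win32sux or from the tutorial being followed; the IPT and MGMT_IP variables, the function names and the apply/list sub-commands are this example's own choices, and setting IPT=echo gives a dry run that prints the rule arguments without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): the thread's INPUT/OUTPUT policy rebuilt
# with -A so rule order follows this file top to bottom and re-runs are safe.
# IPT defaults to iptables; IPT=echo prints the rules instead of loading them.
IPT="${IPT:-iptables}"
MGMT_IP="${MGMT_IP:-192.168.0.10}"   # management NIC address used in the thread

# Empty both chains first: running rc.local twice with -I duplicates every rule.
reset_filter() {
    "$IPT" -F INPUT
    "$IPT" -F OUTPUT
}

# INPUT: replies to existing connections, then ssh and the VMware ports,
# then everything else to the management address is rejected.
input_rules() {
    "$IPT" -A INPUT -d "$MGMT_IP" -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in 22 8222 8333 902; do
        "$IPT" -A INPUT -d "$MGMT_IP" -p tcp --dport "$port" -j ACCEPT
    done
    "$IPT" -A INPUT -d "$MGMT_IP" -j REJECT --reject-with icmp-port-unreachable
}

# OUTPUT: established traffic, DNS (needed for every lookup, so never replace
# it), ping (ICMP echo-request, type 8), HTTP and HTTPS, then the two catch-all
# rejects from the thread, which come last so they only see what nothing above
# accepted.
output_rules() {
    "$IPT" -A OUTPUT -s "$MGMT_IP" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A OUTPUT -s "$MGMT_IP" -p udp --dport 53 -j ACCEPT
    "$IPT" -A OUTPUT -s "$MGMT_IP" -p icmp --icmp-type 8 -j ACCEPT
    for port in 80 443; do
        "$IPT" -A OUTPUT -s "$MGMT_IP" -p tcp --dport "$port" -j ACCEPT
    done
    "$IPT" -A OUTPUT -s 127.0.0.1 -j REJECT --reject-with icmp-port-unreachable
    "$IPT" -A OUTPUT -s "$MGMT_IP" -j REJECT --reject-with icmp-port-unreachable
}

apply_rules() {
    reset_filter
    input_rules
    output_rules
}

# -n skips the reverse DNS lookup that a plain "iptables -L" does for every
# address; with outbound DNS blocked those lookups are what makes it crawl.
list_rules() {
    "$IPT" -L -n -v
}

case "${1:-}" in
    apply) apply_rules ;;
    list)  list_rules ;;
    *)     echo "usage: $0 apply|list   (IPT=echo $0 apply for a dry run)" ;;
esac
```

Review the order with `IPT=echo sh rules.sh apply` before loading it as root with `sh rules.sh apply`, and check the result with `sh rules.sh list`. The two 127.0.0.1 REJECT rules are kept exactly as the tutorial has them; be aware that they also reject new connections that local services make to each other over the loopback address, so a box whose services talk to each other on 127.0.0.1 needs an `-o lo -j ACCEPT` rule ahead of them.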
 
Old 08-26-2007, 09:13 PM   #10
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,695

Original Poster
Rep: Reputation: 56
Quote:
Originally Posted by win32sux
Perfectly normal, as the rules you've used don't allow outgoing HTTP/HTTPS packets. Please understand that the tutorial you used provides you with a very restrictive set of rules. I haven't really read the tutorial so I don't know the reasoning behind the rules, but this is indeed the behavior they are designed for. Typically this is for security reasons (as in "nobody should be surfing the Web on this box", etc.) - in fact, adding the ping rule in and of itself could be considered a security issue if the idea was to have a full-lockdown of anything outgoing from 192.168.0.10 besides DNS.
Noted with tks.


Quote:
Do you need to always be able to ping and surf the Web and stuff from this IP on this box? If so, you have chosen the wrong iptables script to get started with.
In fact this is a test allowing me to learn building a VM. After finishing I won't use the server for surfing the web. Should I really need to surf the web, I will tunnel to a workstation via ssh to do it. At the beginning it is not worthwhile running 2 PCs to do one job.


Quote:
In any case, here's what it would look like if you wanted to allow HTTP and HTTPS (once again, using the same style):
Code:
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

# allow all HTTP from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80

# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 7 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
Your advice worked here; web surfing is now possible.


$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
ACCEPT     icmp --  192.168.0.10         anywhere            icmp echo-request 
ACCEPT     tcp  --  192.168.0.10         anywhere            tcp dpt:www 
ACCEPT     tcp  --  192.168.0.10         anywhere            tcp dpt:https 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable
I wonder why it took a prolonged time to display each line?


Port 443 - I suppose it is the secure layer.
http://www.grc.com/port_443.htm


Quote:
By now you should have figured-out that you'll need to add rules in this manner for whatever service you want to allow access for.
Noted with tks.


B.R.
satimis
 
Old 08-26-2007, 10:23 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Port 443 - I suppose is secure layer
Yes, it's needed to surf sites such as hotmail.com, etc. which transmit your password using HTTPS (HTTP over SSL).

Quote:
I wonder why it took prolonged time displaying one/each line?
Not sure, but you can determine if it's due to your packet filtering rules by sending packets to LOG before you send them to REJECT. You can then open a terminal and do a "tail -f /var/log/syslog" or similar to see if any packets get filtered when you do your "iptables -L". Example:
Code:
#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902

# log all other traffic to the management interface NIC before we reject it
iptables -I INPUT 6 -j LOG -d 192.168.0.10 --log-prefix "INPUT REJECT: "

# reject all other traffic to the management interface NIC
iptables -I INPUT 7 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable


#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# log all other traffic from localhost before we reject it
iptables -I OUTPUT 3 -j LOG -s 127.0.0.1 --log-prefix "OUTPUT REJECT LOCALHOST: "

# reject all other traffic from localhost
iptables -I OUTPUT 4 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# allow all pings from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

# allow all HTTP from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80

# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 7 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443

# log all other traffic from the management interface NIC before we reject it
iptables -I OUTPUT 8 -j LOG -s 192.168.0.10 --log-prefix "OUTPUT REJECT: "

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 9 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

Last edited by win32sux; 08-26-2007 at 10:26 PM.
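Once the LOG rules above are in place, the interesting question is which service the REJECT rules are actually hitting. The helper below tallies the kernel LOG entries by prefix, protocol, destination and destination port, so the answer is visible at a glance instead of by reading syslog line by line. This is an added example, not code from the thread or from win32sux; the lines produced by sample_log are constructed to look like netfilter LOG output for the prefixes used in the post above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise netfilter "-j LOG" entries (as written to syslog by
# the LOG rules in the thread). Reads log lines on stdin and prints
# "count prefix proto dst dpt", most frequent first.
summarize_rejects() {
    awk '
    /REJECT: / {
        # the prefix is the text between "kernel: [timestamp] " and " IN="
        prefix = $0
        sub(/.*kernel: /, "", prefix)
        sub(/^\[[ 0-9.]*\] /, "", prefix)
        sub(/ IN=.*/, "", prefix)
        proto = "?"; dst = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        count[prefix " " proto " " dst " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines (not real logs) in the kernel LOG format: two
# rejected HTTP SYNs and one rejected ping from the management address, one
# rejected inbound MySQL connection attempt, and one unrelated syslog line.
sample_log() {
    cat <<'EOF'
Aug 26 22:30:01 server kernel: [ 1234.567890] OUTPUT REJECT: IN= OUT=eth0 SRC=192.168.0.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 26 22:30:02 server kernel: [ 1235.000001] OUTPUT REJECT: IN= OUT=eth0 SRC=192.168.0.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 26 22:30:03 server kernel: [ 1236.000002] OUTPUT REJECT: IN= OUT=eth0 SRC=192.168.0.10 DST=216.109.112.135 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Aug 26 22:30:04 server kernel: [ 1237.000003] INPUT REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=50000 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 26 22:30:05 server cron[2345]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Stand-alone run: summarise the constructed sample. On the real box use
#   grep 'REJECT: ' /var/log/syslog | summarize_rejects
sample_log | summarize_rejects
```

A line such as "2 OUTPUT REJECT: TCP 216.109.112.135 80" says that two outbound HTTP connections were refused by the catch-all rule, which is exactly the "ping OK but can't browse" situation earlier in the thread; a DPT of 3306 under "INPUT REJECT:" would show a neighbour trying to reach MySQL on the management address. Watching the same output while running "iptables -L" tells you whether the slow listing is a filtered packet (a new entry appears) or plain reverse DNS delay (nothing appears).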
 
Old 08-27-2007, 04:50 AM   #12
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,695

Original Poster
Rep: Reputation: 56
Quote:
Originally Posted by win32sux
Yes, it's needed to surf sites such as hotmail.com, etc. which transmit your password using HTTPS (HTTP over SSL).

Not sure, but you can determine if it's due to your packet filtering rules by sending packets to LOG before you send them to REJECT. You can then open a terminal and do a "tail -f /var/log/syslog" or similar to see if any packets get filtered when you do your "iptables -L". Example:
Code:
#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902

# log all other traffic to the management interface NIC before we reject it
iptables -I INPUT 6 -j LOG -d 192.168.0.10 --log-prefix "INPUT REJECT: "

# reject all other traffic to the management interface NIC
iptables -I INPUT 7 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable


#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# log all other traffic from localhost before we reject it
iptables -I OUTPUT 3 -j LOG -s 127.0.0.1 --log-prefix "OUTPUT REJECT LOCALHOST: "

# reject all other traffic from localhost
iptables -I OUTPUT 4 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# allow all pings from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

# allow all HTTP from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80

# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 7 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443

# log all other traffic from the management interface NIC before we reject it
iptables -I OUTPUT 8 -j LOG -s 192.168.0.10 --log-prefix "OUTPUT REJECT: "

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 9 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

Edited /etc/rc.local
$ cat /etc/rc.local
Code:
#exit 0

#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902

# log all other traffic to the management interface NIC before we reject it
iptables -I INPUT 6 -j LOG -d 192.168.0.10 --log-prefix "INPUT REJECT: "

# reject all other traffic to the management interface NIC
iptables -I INPUT 7 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable


#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# log all other traffic from localhost before we reject it
iptables -I OUTPUT 3 -j LOG -s 127.0.0.1 --log-prefix "OUTPUT REJECT LOCALHOST: "

# reject all other traffic from localhost
iptables -I OUTPUT 4 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# allow all pings from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8

# allow all HTTP from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80

# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 7 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443

# log all other traffic from the management interface NIC before we reject it
iptables -I OUTPUT 8 -j LOG -s 192.168.0.10 --log-prefix "OUTPUT REJECT: "

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 9 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

$ sudo /etc/init.d/rc.local start
Code:
 * Running local boot scripts (/etc/rc.local)                            [ OK ]

$ tail -f /var/log/syslog
Code:
Aug 27 16:43:52 ubuntu /usr/sbin/cron[4658]: (CRON) INFO (pidfile fd = 3)
Aug 27 16:43:52 ubuntu /usr/sbin/cron[4659]: (CRON) STARTUP (fork ok)
Aug 27 16:43:52 ubuntu /usr/sbin/cron[4659]: (CRON) INFO (Running @reboot jobs)
Aug 27 16:43:53 ubuntu /etc/mysql/debian-start[4691]: Checking for crashed MySQL tables.
Aug 27 16:43:53 ubuntu kernel: [   39.495062] ip_tables: (C) 2000-2006 Netfilter Core Team
Aug 27 16:43:53 ubuntu kernel: [   39.604519] Netfilter messages via NETLINK v0.30.
Aug 27 16:43:53 ubuntu kernel: [   39.608871] nf_conntrack version 0.5.0 (8192 buckets, 65536 max)
Aug 27 16:44:30 ubuntu ntpdate[2973]: sendto(fiordland.ubuntu.com): Operation not permitted
Aug 27 16:44:32 ubuntu last message repeated 3 times
Aug 27 16:44:33 ubuntu ntpdate[2973]: no server suitable for synchronization found
hanging here.


$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
LOG        0    --  anywhere             192.168.0.10        LOG level warning prefix `INPUT REJECT: ' 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
LOG        0    --  localhost            anywhere            LOG level warning prefix `OUTPUT REJECT LOCALHOST: ' 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
ACCEPT     icmp --  192.168.0.10         anywhere            icmp echo-request 
ACCEPT     tcp  --  192.168.0.10         anywhere            tcp dpt:www 
ACCEPT     tcp  --  192.168.0.10         anywhere            tcp dpt:https 
LOG        0    --  192.168.0.10         anywhere            LOG level warning prefix `OUTPUT REJECT: ' 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
ACCEPT     icmp --  192.168.0.10         anywhere            icmp echo-request 
ACCEPT     tcp  --  192.168.0.10         anywhere            tcp dpt:www 
ACCEPT     tcp  --  192.168.0.10         anywhere            tcp dpt:https 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable

"tail -f /var/log/syslog" continued to grow
Code:
Aug 27 16:59:12 ubuntu kernel: [  957.301623] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=18687 DF PROTO=UDP SPT=53 DPT=32915 LEN=51 
Aug 27 17:01:12 ubuntu kernel: [ 1077.308367] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=7755 DF PROTO=UDP SPT=53 DPT=32929 LEN=51 
Aug 27 17:03:13 ubuntu kernel: [ 1197.363318] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=62409 DF PROTO=UDP SPT=53 DPT=32942 LEN=51 
Aug 27 17:04:13 ubuntu kernel: [ 1257.333374] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=14733 DF PROTO=UDP SPT=53 DPT=32949 LEN=51 
Aug 27 17:05:43 ubuntu kernel: [ 1347.332221] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=51429 DF PROTO=UDP SPT=53 DPT=32958 LEN=51 
Aug 27 17:06:43 ubuntu kernel: [ 1407.319204] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=39276 DF PROTO=UDP SPT=53 DPT=32965 LEN=51 
Aug 27 17:08:13 ubuntu kernel: [ 1497.305903] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=35009 DF PROTO=UDP SPT=53 DPT=32974 LEN=51 
Aug 27 17:09:01 ubuntu /USR/SBIN/CRON[5022]: (root) CMD (  [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm)
Aug 27 17:09:13 ubuntu kernel: [ 1557.282240] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=22864 DF PROTO=UDP SPT=53 DPT=32981 LEN=51 
Aug 27 17:17:01 ubuntu /USR/SBIN/CRON[5029]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
hanging here again

[Ctrl]+C to exit


satimis
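The rule set and the syslog lines from the two posts above, reworked as an added example that is not part of the thread and not win32sux's or satimis's own script. It shows two things a practitioner would want here: a loader that flushes the chains before adding rules (the `iptables -L` output above lists every rule twice because rc.local ran at boot and was then started again by hand, and `-I` never checks whether a rule already exists), and an awk summariser for the kernel `LOG` lines so the rejects can be read as counts per source instead of one line every minute. The management address, the `print_cmd` dry-run helper, the extra UDP/123 rule (ntpdate's `sendto(...): Operation not permitted` is what a process sees when its own packet is rejected in the OUTPUT chain, and UDP/123 is not in the posted allow list) and the last sample syslog line (an `OUTPUT REJECT` to 192.0.2.1) are assumptions; the first five sample lines are copied from the post.

```shell
#!/bin/sh
# Added example, not the thread's own rc.local: idempotent loader for the
# posted rule set plus a summariser for the "... REJECT: " kernel log lines.
set -u

MGMT_IP="${MGMT_IP:-192.168.0.10}"   # assumption: the management NIC address from the post
IPT="${IPT:-iptables}"               # set IPT=print_cmd to print instead of load

print_cmd() { printf 'iptables %s\n' "$*"; }

apply_rules() {
    # Flush first, so running this twice (boot + by hand) gives one copy of
    # each rule. After a flush, -A in file order evaluates in the same order
    # as the numbered -I lines in the post.
    $IPT -F INPUT
    $IPT -F OUTPUT

    # INPUT: replies to our own connections, the management services, then log and reject.
    $IPT -A INPUT -d "$MGMT_IP" -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in 22 8222 8333 902; do     # ssh, VMware MUI http/https, authd
        $IPT -A INPUT -p tcp -d "$MGMT_IP" --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -d "$MGMT_IP" -j LOG --log-prefix "INPUT REJECT: "
    $IPT -A INPUT -d "$MGMT_IP" -j REJECT --reject-with icmp-port-unreachable

    # OUTPUT: the posted list, plus UDP/123 (assumption: ntpdate should work;
    # without this rule its packets hit the final REJECT and sendto() fails
    # with EPERM, as in the syslog above). The 127.0.0.1 rules are kept as posted.
    $IPT -A OUTPUT -s "$MGMT_IP" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -s "$MGMT_IP" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -s "$MGMT_IP" -p udp --dport 123 -j ACCEPT
    $IPT -A OUTPUT -s 127.0.0.1 -j LOG --log-prefix "OUTPUT REJECT LOCALHOST: "
    $IPT -A OUTPUT -s 127.0.0.1 -j REJECT --reject-with icmp-port-unreachable
    $IPT -A OUTPUT -s "$MGMT_IP" -p icmp --icmp-type 8 -j ACCEPT
    for port in 80 443; do
        $IPT -A OUTPUT -s "$MGMT_IP" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A OUTPUT -s "$MGMT_IP" -j LOG --log-prefix "OUTPUT REJECT: "
    $IPT -A OUTPUT -s "$MGMT_IP" -j REJECT --reject-with icmp-port-unreachable
}

# Read syslog on stdin; print "count <log-prefix> <proto> <src:sport> <dst>",
# tab separated, most frequent first. Grouping on the source port instead of
# the ephemeral destination port makes a run of rejected DNS replies (SPT=53)
# collapse into one line per resolver.
summarize_rejects() {
    awk '
    match($0, /[A-Z][A-Z ]*REJECT[A-Z ]*: IN=/) {
        pfx = substr($0, RSTART, RLENGTH - 5)     # e.g. "INPUT REJECT"
        src = dst = proto = spt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
        }
        count[pfx "\t" proto "\t" src ":" spt "\t" dst]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# Constructed sample: five lines copied from the post, one CRON line that must
# be ignored, and one assumed OUTPUT REJECT for an NTP packet to 192.0.2.1.
SAMPLE_SYSLOG='Aug 27 16:59:12 ubuntu kernel: [  957.301623] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=18687 DF PROTO=UDP SPT=53 DPT=32915 LEN=51
Aug 27 17:01:12 ubuntu kernel: [ 1077.308367] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=7755 DF PROTO=UDP SPT=53 DPT=32929 LEN=51
Aug 27 17:04:13 ubuntu kernel: [ 1257.333374] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=14733 DF PROTO=UDP SPT=53 DPT=32949 LEN=51
Aug 27 17:05:43 ubuntu kernel: [ 1347.332221] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=51429 DF PROTO=UDP SPT=53 DPT=32958 LEN=51
Aug 27 17:06:43 ubuntu kernel: [ 1407.319204] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=39276 DF PROTO=UDP SPT=53 DPT=32965 LEN=51
Aug 27 17:09:01 ubuntu /USR/SBIN/CRON[5022]: (root) CMD (run-parts /etc/cron.hourly)
Aug 27 17:10:00 ubuntu kernel: [ 1604.000000] OUTPUT REJECT: IN= OUT=eth0 SRC=192.168.0.10 DST=192.0.2.1 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56'

# Usage: sh firewall.sh dry-run            (print the commands)
#        sh firewall.sh apply              (load them; needs root)
#        sh firewall.sh summary < /var/log/syslog
case "${1:-}" in
    dry-run) IPT=print_cmd; apply_rules ;;
    apply)   apply_rules ;;
    summary) summarize_rejects ;;
esac
```

Check the loaded result with `iptables -L -n -v --line-numbers` rather than plain `iptables -L`: without `-n` every address and port in the listing is resolved through DNS, which is itself outbound traffic the OUTPUT chain has to permit, so the listing can stall on a filtered box. Note also that the posted OUTPUT rules, kept unchanged here, log and reject everything sourced from 127.0.0.1, so any service that is reached over the loopback interface will appear in the summary under `OUTPUT REJECT LOCALHOST`.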
 
  

