Tuesday, 20 December 2011

# How to reset forgotten password in Linux

This is a quick trick to reset a forgotten root password on a machine you have console access to.

Reboot the system.

Interrupt the boot at the GRUB menu (press any key while it is shown) and boot to runlevel 1, i.e. single-user mode. To do this, select the kernel you want to boot, then press "e" (edit the entry) or "a" (append to the kernel arguments).

In the edit line add a space and then append "single". Press Enter, then "b" to boot. The system will boot into single-user mode and drop you into a root shell without asking for a password; use "passwd" to reset the password, e.g. # passwd root. Other users' passwords can be reset the same way, e.g. # passwd username. Keep in mind that anyone with console access can do the same, so protect the GRUB menu with a password and restrict physical access if this matters to you.

CentOS-6 Note: Due to an upstream SELinux bug the root password cannot be reset on a fresh install of CentOS-6 without an additional step. Booting with "selinux=0" appended to the GRUB kernel line (together with "single") is a work-around.

Monday, 8 August 2011

# Ebtables and Netfilter

Introduction:

The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. Advanced logging, MAC DNAT/SNAT and brouter facilities are also included.
The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.


  • ebtables only works on bridged interfaces: its chains see frames that are forwarded by a Linux bridge, not frames routed between ordinary interfaces.

Q.How to bridge two interfaces ?

brctl is the tool for interface bridging. The bridge ports must have no IP address of their own and must be up, otherwise they will not forward frames.

#brctl addbr br0            // add bridge br0
#ifconfig eth0 0.0.0.0 up   // remove eth0's IP and bring it up
#ifconfig eth1 0.0.0.0 up   // remove eth1's IP and bring it up
#brctl addif br0 eth1       // add eth1 to br0
#brctl addif br0 eth0       // add eth0 to br0
#brctl show                 // see bridge br0 configuration
#brctl stp br0 on           // STP (spanning tree protocol) on
#ifconfig br0 192.168.0.254 up // give the bridge a management IP and bring it up

You can ping the bridge now; hosts on eth0 and eth1 see each other as if they were on the same wire.

Q.What can we do with ebtables and netfilter ?


  1. Ethernet protocol filtering.
  2. MAC address filtering.
  3. Simple IP header filtering.
  4. ARP header filtering.
  5. 802.1Q VLAN filtering.
  6. In/Out interface filtering (logical and physical device).
  7. MAC address NAT.
  8. Logging.
  9. Frame counters.
  10. Ability to add, delete and insert rules; flush chains; zero counters.
  11. Brouter facility.
  12. Ability to atomically load a complete table, containing the rules you made, into the kernel. See the man page and the examples section.
  13. Support for user defined chains.
  14. Support for marking frames and matching marked frames


  • Basic Examples:

1) Drop/Allow everything

ebtables -P FORWARD DROP
ebtables -P FORWARD ACCEPT

-P sets the chain policy (what happens to a frame that matches no rule)
-A appends a rule to a chain

The FORWARD policy drops or allows all traffic going through the bridge (it does not affect traffic to or from the bridge's own IP, which goes through INPUT and OUTPUT).
You can flush all ebtables rules by using

ebtables -F


  • How to configure a bridging ebtables firewall?


2) Basic filter on IP

For this example the FORWARD chain policy must be ACCEPT, because only one subnet is explicitly dropped:
#ebtables -P FORWARD ACCEPT
#ebtables -I FORWARD -p IPv4 --ip-src 192.168.0.2 -j ACCEPT   // Allow 192.168.0.2
#ebtables -I FORWARD -p IPv4 --ip-src 192.168.0.3 -j ACCEPT   // Allow 192.168.0.3
#ebtables -A FORWARD -p IPv4 --ip-src 192.168.0.0/24 -j DROP  // Drop everything else from 192.168.0.0/24

-I inserts the rule at the top of the chain (position 1 unless a rule number is given)
-A appends the rule at the end


  • Remember: rules are evaluated top to bottom and the first match wins, so the broad DROP rule must come after the specific ACCEPT rules, i.e. at the end.

You can check the rule order with

#ebtables -L

  • To delete a specific rule

ebtables -D FORWARD 4  // delete rule number 4 from the FORWARD chain (numbers as shown by ebtables -L --Ln)

3) How to filter ports and protocols?
Problem: suppose we want to allow only HTTP and ICMP traffic for two IPs, 192.168.0.2 and 192.168.0.3. ebtables keeps no connection state, so each direction of a flow needs its own rule; the replies are not allowed automatically. The rules will look like this:

#ebtables -P FORWARD DROP // Change the FORWARD policy to drop everything not explicitly allowed

# ebtables -A FORWARD -p 0x806 -j ACCEPT // Allow ARP, without it nothing resolves MAC addresses

# ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.2 --ip-proto tcp --ip-dport 80 -j ACCEPT  // HTTP requests from 192.168.0.2
# ebtables -A FORWARD -p 0x800 --ip-dst 192.168.0.2 --ip-proto tcp --ip-sport 80 -j ACCEPT  // HTTP replies (source port 80) back to 192.168.0.2

# ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.3 --ip-proto tcp --ip-dport 80 -j ACCEPT  // HTTP requests from 192.168.0.3
# ebtables -A FORWARD -p 0x800 --ip-dst 192.168.0.3 --ip-proto tcp --ip-sport 80 -j ACCEPT  // HTTP replies back to 192.168.0.3

# ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.2 --ip-proto icmp -j ACCEPT // ping from 192.168.0.2
# ebtables -A FORWARD -p 0x800 --ip-dst 192.168.0.2 --ip-proto icmp -j ACCEPT // echo replies back to 192.168.0.2
# ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.3 --ip-proto icmp -j ACCEPT // ping from 192.168.0.3
# ebtables -A FORWARD -p 0x800 --ip-dst 192.168.0.3 --ip-proto icmp -j ACCEPT // echo replies back to 192.168.0.3

Now to allow DNS requests, suppose 192.168.0.1 is our name server and we allow DNS for 192.168.0.2 only. Again both the query and the answer need a rule:

# ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.2 --ip-dst 192.168.0.1 --ip-proto udp --ip-dport 53 -j ACCEPT  // query to the name server
# ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.1 --ip-dst 192.168.0.2 --ip-proto udp --ip-sport 53 -j ACCEPT  // answer from the name server
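The bridge setup from "How to bridge two interfaces?" and the whitelist ruleset of example 3 are easy to get wrong by hand: a forgotten reply rule silently breaks a service once the policy is DROP. The script below is an added example, not code from the original post; it prints the brctl and ebtables commands as a plan (so the ordering and the per-direction rules can be reviewed before touching a live bridge) and only executes them when run as root with the argument "apply". The interface names br0, eth0 and eth1, the hosts 192.168.0.2 and 192.168.0.3 and the resolver 192.168.0.1 are taken from the post and are assumptions, adjust them through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the original post): plan and optionally apply a
# transparent bridge firewall with brctl + ebtables, whitelist style.
# Assumed names: bridge br0 over eth0/eth1, protected hosts 192.168.0.2/.3,
# resolver 192.168.0.1. Override with environment variables.
# Usage: sh bridgefw.sh          -> print the commands
#        sh bridgefw.sh apply    -> run them (root required)

BRIDGE=${BRIDGE:-br0}
PORTS=${PORTS:-"eth0 eth1"}
RESOLVER=${RESOLVER:-192.168.0.1}
HOSTS=${HOSTS:-"192.168.0.2 192.168.0.3"}

# Commands that create the bridge. Ports lose their IP and are brought up;
# a port that is down does not forward, so "up" is not optional.
bridge_plan() {
    echo "brctl addbr $BRIDGE"
    for p in $PORTS; do
        echo "ifconfig $p 0.0.0.0 up"
        echo "brctl addif $BRIDGE $p"
    done
    echo "brctl stp $BRIDGE on"
    echo "ifconfig $BRIDGE up"
}

# Commands that build the FORWARD ruleset. ebtables is stateless, so every
# flow gets a rule per direction: request out, reply back. The policy is set
# to DROP first so that nothing slips through while rules are being added.
ebtables_plan() {
    echo "ebtables -F FORWARD"
    echo "ebtables -P FORWARD DROP"
    echo "ebtables -A FORWARD -p 0x806 -j ACCEPT"   # ARP, or nothing resolves
    for h in $HOSTS; do
        # HTTP: request from the host, reply (source port 80) back to it
        echo "ebtables -A FORWARD -p 0x800 --ip-src $h --ip-proto tcp --ip-dport 80 -j ACCEPT"
        echo "ebtables -A FORWARD -p 0x800 --ip-dst $h --ip-proto tcp --ip-sport 80 -j ACCEPT"
        # ICMP both ways, otherwise echo replies die on the DROP policy
        echo "ebtables -A FORWARD -p 0x800 --ip-src $h --ip-proto icmp -j ACCEPT"
        echo "ebtables -A FORWARD -p 0x800 --ip-dst $h --ip-proto icmp -j ACCEPT"
        # DNS: query to the resolver and the answer (source port 53) back
        echo "ebtables -A FORWARD -p 0x800 --ip-src $h --ip-dst $RESOLVER --ip-proto udp --ip-dport 53 -j ACCEPT"
        echo "ebtables -A FORWARD -p 0x800 --ip-src $RESOLVER --ip-dst $h --ip-proto udp --ip-sport 53 -j ACCEPT"
    done
}

# Number of ACCEPT rules the plan contains: 1 for ARP plus 6 per host.
accept_rule_count() {
    ebtables_plan | grep -c -- '-j ACCEPT'
}

plan() {
    bridge_plan
    ebtables_plan
}

case "${1:-plan}" in
    apply) plan | sh -e ;;   # stop at the first failing command
    *)     plan ;;
esac
```

Review the printed plan before applying it: the only thing between the two hosts and the DROP policy is this list, so every service you expect to work must appear twice, once per direction.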



  • Protocol hex descriptions

The -p value is the Ethernet type of the frame, given as a hex number or as a name from /etc/ethertypes (IPv4, ARP, ...).

Protocol value   Description
0x800            IPv4
0x806            ARP


Have fun!