UFW or iptables redirect (forward) to new IP

Simple steps for redirecting, forwarding or tunnelling traffic from one host IP to another in Ubuntu.

Using UFW

Edit /etc/default/ufw to accept forwarding requests:

DEFAULT_FORWARD_POLICY="ACCEPT"

Edit /etc/ufw/sysctl.conf to allow IP forwarding:

net.ipv4.ip_forward=1

Edit /etc/ufw/before.rules and add the following before the *filter section:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination external_ip:8080
COMMIT

On some configurations the MASQUERADE target needs to be enabled as well:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination external_ip:8080
-A POSTROUTING -j MASQUERADE
COMMIT

Reload and commit the new rules:

ufw reload

Using iptables

Edit /etc/sysctl.conf to allow IP forwarding (add or uncomment):

net.ipv4.ip_forward=1

Save the existing rules using iptables-save:

iptables-save > /etc/iptables/rules.v4

Edit /etc/iptables/rules.v4 and add the following before the *filter section:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination external_ip:8080
COMMIT

Again, if you need MASQUERADE, add these two lines before COMMIT:

:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE

Restore the edited rules with iptables-restore:

iptables-restore < /etc/iptables/rules.v4

To make the rules persist across reboots, use iptables-persistent or a custom solution with on-boot scripts.
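An added helper (not from the original post) that renders the *nat section above for a given target after validating the address and port, so a typo does not silently produce a rule that forwards nowhere; the function names are the author's choice, not part of ufw or iptables.

```shell
#!/bin/sh
# Added example (not from the original post): render the *nat section shown
# above for a given target, validating the address and port first so a typo
# does not silently produce a rule that forwards to nowhere. The function
# names are the author's choice, not part of ufw or iptables.

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad with every octet 0-255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# valid_port PORT: succeed if PORT is an integer in 1-65535.
valid_port() {
  echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nat_block EXTERNAL_IP PORT [masquerade]
# Prints the block to paste before *filter in before.rules or rules.v4.
nat_block() {
  ip=$1; port=$2; masq=${3:-}
  valid_ipv4 "$ip" || { echo "bad IP address: $ip" >&2; return 1; }
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]'
  [ "$masq" = masquerade ] && printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
  printf '%s\n' "-A PREROUTING -p tcp --dport $port -j DNAT --to-destination $ip:$port"
  # MASQUERADE rewrites the source address to this host's, so the target sees
  # every client as the forwarder and its logs lose the real client address.
  [ "$masq" = masquerade ] && printf '%s\n' '-A POSTROUTING -j MASQUERADE'
  printf '%s\n' 'COMMIT'
}
```

Run it as `nat_block 203.0.113.10 8080 masquerade` and paste the output into the rules file; without the third argument the POSTROUTING lines are omitted.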

Recursively chmod files (or folders) only

Modifying permissions with chmod using the recursive -R flag is handy, but it is applied to both files and folders:

chmod -R 755 /path/to/directory

To change permissions only on files (or only on folders) inside a directory tree, we can use the following commands:

Files only

cd /path/to/directory
find . -type f -exec chmod 644 -- {} +

Folders only

cd /path/to/directory
find . -type d -exec chmod 755 {} +
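An added helper (not from the original post) that applies the file/folder split above only to entries whose mode actually differs from the target and reports how many were changed; the function name is the author's choice.

```shell
#!/bin/sh
# Added example (not from the original post): apply the file/folder split shown
# above, but only to entries whose mode differs from the target, and report how
# many entries were corrected. The function name is the author's choice.

# fix_tree_perms DIR FILE_MODE DIR_MODE
# Prints "files=N dirs=M" with the number of entries that were changed.
fix_tree_perms() {
  dir=$1; fmode=$2; dmode=$3
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  # "-perm MODE" matches an exact mode, so "! -perm MODE" selects only the
  # entries that need changing. Symlinks are neither -type f nor -type d, so
  # they (and their targets) are left alone.
  nfiles=$(find "$dir" -type f ! -perm "$fmode" -exec chmod "$fmode" {} + -print | wc -l)
  ndirs=$(find "$dir" -type d ! -perm "$dmode" -exec chmod "$dmode" {} + -print | wc -l)
  echo "files=$(echo $nfiles) dirs=$(echo $ndirs)"
}
```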

Increase swap file on Raspberry Pi

Changing the swap size on your rPi is pretty straightforward. Raspbian uses a swap file managed by dphys-swapfile, which makes changing the swap size much easier than with partition-based swap.

Edit the configuration file /etc/dphys-swapfile; the default value on Raspbian is 100 MB of swap:

CONF_SWAPSIZE=100

Simply change the number to the desired size in MB and restart dphys-swapfile:

/etc/init.d/dphys-swapfile stop
/etc/init.d/dphys-swapfile start

Of course, don’t forget that the swap file is physically located on your SD card (usually /var/swap), so it also takes up space there.

That’s it, enjoy your increased swap!

Vsftpd with SSL/TLS support on Ubuntu

Configure vsftpd to use SSL/TLS on an Ubuntu VPS, dedicated server or physical machine. This how-to assumes vsftpd is already configured and running without encryption support.

Generate SSL certificate

Let’s create an SSL certificate to use with vsftpd. Change -days to the desired number of days; the example below assumes one year (365 days).

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Edit /etc/vsftpd.conf

Add the following lines to vsftpd config file:

# Uncomment or add the path to cert
# we generated in previous step
rsa_cert_file=/etc/ssl/private/vsftpd.pem

# Enable SSL support
ssl_enable=YES

# Force local users to use SSL
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

# allow only TLS, not SSL
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

# Some additional security and compatibility settings
# Filezilla reports GnuTLS error without strong ciphers
require_ssl_reuse=NO
ssl_ciphers=HIGH

# Optional: enable passive connection if not already configured
# (add appropriate rules to your firewall - iptables/UFW etc.)
pasv_enable=YES
pasv_min_port=63000
pasv_max_port=63100

Restart service

sudo service vsftpd restart

Connect with client

Now connect with your favourite client (like Filezilla); don’t forget to select Require explicit FTP over TLS. The port stays at the default 21, unless of course you specified otherwise in the config file.
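An added check (not from the original post) that audits a vsftpd.conf against the TLS settings above and confirms the .pem is not world-readable, since the openssl command writes the private key into that same file; the function names are the author's choice.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf against the
# TLS settings shown above and check that the combined key+cert .pem is not
# readable by other users (the openssl command above writes the private key
# into it). The function names are the author's choice.

# conf_value FILE KEY: print the last uncommented value of KEY, empty if unset.
conf_value() {
  sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# audit_vsftpd FILE: print one line per problem, return the number of problems.
audit_vsftpd() {
  conf=$1; problems=0
  # each entry is key:expected-value, taken from the config shown above
  for pair in ssl_enable:YES force_local_logins_ssl:YES force_local_data_ssl:YES \
              allow_anon_ssl:NO ssl_sslv2:NO ssl_sslv3:NO; do
    key=${pair%%:*}; want=${pair#*:}
    got=$(conf_value "$conf" "$key")
    if [ "$got" != "$want" ]; then
      echo "$key is '${got:-unset}', expected $want"
      problems=$((problems+1))
    fi
  done
  cert=$(conf_value "$conf" rsa_cert_file)
  if [ -z "$cert" ]; then
    echo "rsa_cert_file is unset"; problems=$((problems+1))
  elif [ -e "$cert" ] && [ -n "$(find "$cert" -perm -004)" ]; then
    # the .pem holds the private key, so world-readable means key exposure
    echo "$cert is world-readable"; problems=$((problems+1))
  fi
  return $problems
}
```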


Fix SSL sec_error_unknown_issuer with Comodo PositiveSSL in Firefox (Apache2)

While installing a Comodo PositiveSSL certificate on an Apache server for a client, everything worked fine in Chrome, in Firefox on OS X and (surprisingly) even in IE, but Firefox on Windows complained with the following error (it might be related to an older version or some other setting, but I didn’t test it that extensively):

Invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

After a bit of googling I came across a blog post by John Bakker, where he describes a quick and easy fix: merging all the .crt files you receive from Comodo into one .ca_bundle.

The easiest way to do this is to combine (concatenate) the certificates into one file named www_yourdomain_com.ca_bundle (of course replace www_yourdomain_com with your actual domain, using underscores):

  1. AddTrustExternalCARoot.crt
  2. COMODORSAAddTrustCA.crt
  3. COMODORSADomainValidationSecureServerCA.crt
  4. www_yourdomain_com.crt

cat www_yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www_yourdomain_com.ca_bundle

Note: the certificates are concatenated in the reverse of the order listed above: your own (device/entity) certificate first, then the intermediates, then the root.

Place it in the same directory as the .key, .crt and .csr files for your certificate.
Then, instead of pointing to the individual files, point your vhost to the bundle:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/www_yourdomain_com.crt
SSLCertificateKeyFile /etc/ssl/certs/www_yourdomain_com.key
SSLCertificateChainFile /etc/ssl/certs/www_yourdomain_com.ca_bundle

Restart Apache and enjoy a secure connection to your site without SSL errors in all browsers.
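An added check (not from the original post) that verifies a concatenated bundle is in the order described above, each certificate issued by the one that follows it, by comparing subject and issuer lines with the openssl CLI; the function names are the author's choice and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): check that a concatenated
# .ca_bundle is in the order described above (each certificate is issued by the
# one that follows it) by comparing subject/issuer lines with the openssl CLI.
# The function names are the author's choice; openssl is assumed installed.

# split_bundle BUNDLE DIR: write one PEM file per certificate into DIR
# (1.pem, 2.pem, ...) and print how many were found.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
    out { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$1"
  ls "$2"/*.pem 2>/dev/null | wc -l | tr -d ' '
}

# check_chain BUNDLE: succeed if the issuer of certificate i equals the
# subject of certificate i+1 for every adjacent pair; report mismatches.
check_chain() {
  tmp=$(mktemp -d) || return 2
  count=$(split_bundle "$1" "$tmp")
  if [ "$count" -eq 0 ]; then
    echo "no certificates found in $1" >&2; rm -rf "$tmp"; return 1
  fi
  i=1; rc=0
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/$((i+1)).pem" -noout -subject)
    # strip the "issuer=" / "subject=" prefixes before comparing
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "certificate $i is not issued by certificate $((i+1))" >&2
      rc=1
    fi
    i=$((i+1))
  done
  rm -rf "$tmp"
  return $rc
}
```

A bundle that fails this check is exactly what produces sec_error_unknown_issuer in browsers that do not fetch missing intermediates themselves.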

Remove Ubuntu sysinfo on user login

Do you also hate the (not so) slight delay before the system information appears when you log in to your Ubuntu Server console? Here are a couple of ways to change the displayed information or get rid of it completely.

Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-29-generic x86_64)
  * Documentation: https://help.ubuntu.com/

System information as of Thu Jul 31 12:12:12 CEST 2014

System load: 0.08               Processes: 86
Usage of /: 11.9% of 155.51GB   Users logged in: 0
Memory usage: 72%               IP address for eth0: 74.125.12.12
Swap usage: 0%

Graph this data and manage this system at:
  https://landscape.canonical.com/

Disable with reconfigure

To hide the system information you can either remove the landscape-common package or just run dpkg-reconfigure and choose not to display landscape-sysinfo on login.

dpkg-reconfigure landscape-common

Remove the package

apt-get remove --purge landscape-common

Choose what to display

Alternatively, you can choose to display only certain parts of the sysinfo.

Edit /etc/landscape/client.conf and list the plugins to exclude, comma separated:

[sysinfo]
exclude_sysinfo_plugins = LandscapeLink,Temperature,Processes

You can exclude any of these plugins (information items):

Load, Disk, Memory, Temperature, Processes, LoggedInUsers, LandscapeLink, Network

Or just test it on the command line:

landscape-sysinfo --exclude-sysinfo-plugins=Temperature,LandscapeLink,Processes