Open Port Permanently with firewalld in linux

linux, networking

The first thing to do after installing a service that listens on your network interface is to test it in your preferred web browser.

However, if firewalld is running, you will get a connection error. This is how you should open the port. Permanently.

# firewall-cmd --permanent --zone=public --add-port=<portNo>/tcp
# firewall-cmd --reload
# firewall-cmd --list-all

Explanation

  1. Make the new rule permanent, --permanent
  2. The rule applies to a specific zone, with a specific port number and protocol, firewall-cmd --permanent --zone=public --add-port=<portNo>/tcp
  3. Reload firewalld so the new rule takes effect, --reload
  4. List all rules in the zone, --list-all

Note: Removing --permanent will cause the rule to take effect immediately, but the configuration is volatile!

Port forwarding with firewalld

linux

firewalld in Linux is quite flexible, and a good number of tasks can be achieved with a single command. It is just a matter of getting the parameters right.

Just to overcome the laziness of the application team to change their port, let us use port forwarding instead.

# firewall-cmd --add-forward-port='port=<port>:proto=tcp:toport=<toPort>:toaddr=<toAddress>'


Explanation


  1. Tell firewall-cmd that this is a port forwarding rule, --add-forward-port=''
  2. Define the protocol and port number that hits the host, port=<port>:proto=tcp
  3. Define the destination port and address to forward to, toport=<toPort>:toaddr=<toAddress>

Note: The above command makes the port forwarding work immediately after hitting Enter. There is no need to reload the service or reboot the server. The catch is that this is a non-persistent configuration and, as the name implies, it will revert once the OS is rebooted.

Execute scp via http Proxy

linux

In a tightly controlled network environment, where every single connection must go through a proxy, a simple task such as a file transfer can be a hassle.

A plain scp connection will also be denied if it does not go through the proxy.

However, it can still be achieved with the following additional parameter.

scp -o "ProxyCommand=nc --proxy <proxyHost>:<proxyPort> --proxy-type http %h %p" root@<remoteHost>:<remotePort>


Explanation

-o "ProxyCommand=nc --proxy <proxyHost>:<proxyPort> --proxy-type http %h %p"

  1. Supply an option telling ssh to proxy through nc, with ProxyCommand=nc
  2. Define the proxy host and port with --proxy <proxyHost>:<proxyPort>.
  3. Define the proxy type as http, and pass the target host and port, with --proxy-type http %h %p

Mount windows shared folder from linux

linux

To mount a Windows share in Linux, one typically uses the mount command with the cifs filesystem type, specifying the remote Windows share's path, the local mount point, and the authentication credentials.

By mounting a Windows share in Linux, users can effortlessly copy, edit, and manipulate files, ensuring smooth collaboration across heterogeneous computing environments.


Command

# mount --verbose -t cifs -o username=<username> '//<windowsIP>/<folder>' </local/path>

Explanation

  1. mount instructs the OS to attach a filesystem at a specific mount point.
  2. --verbose is given specifically to output progress and any error or warning messages.
  3. The filesystem type is defined with -t, followed by the type (cifs).
  4. If authentication is needed, -o username= can be used.

iptables – enforce rule within specific time

linux

I got a requirement to block all public access via port 443 for a maintenance window, so the developers could deploy and troubleshoot their application without any interference from unknown external access by the public.

Instead of messing with the network team, we take it on at a lower level: iptables!

# iptables -A INPUT -p tcp -m multiport --dports 443 -m time --timestart 18:00:00 --timestop 20:00:00 -j DROP


Explanation

  1. Append to the current set of rules in the INPUT chain, -A INPUT
  2. The rule matches connections using the TCP protocol, -p tcp
  3. Support multiple ports; here the only port is 443, -m multiport --dports 443
  4. Between 18:00:00 UTC and 20:00:00 UTC, -m time --timestart 18:00:00 --timestop 20:00:00
  5. And drop the connection, -j DROP

Note: the timestart and timestop values above are interpreted by iptables as UTC, so adjust the actual times according to your machine's timezone.

Note: the iptables rule above will block all incoming traffic to port 443, even from localhost. So make sure a rule that allows traffic from localhost precedes it.
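As an added example (not part of the original post), the POSIX shell functions below convert a local maintenance window into the UTC values that -m time expects and print the rules with the localhost ACCEPT placed ahead of the DROP. The fixed UTC offset (e.g. +08:00) is an assumption; DST shifts are not handled.

```shell
#!/bin/sh
# Added example, not from the original post. Converts a local-time window to
# the UTC that iptables' "-m time" uses, and prints the rules in a safe order.
# Assumes a fixed numeric UTC offset such as +08:00 (no DST handling).

# to_utc HH:MM:SS +HH:MM  -> prints HH:MM:SS in UTC (wraps across midnight)
to_utc() {
    t=$1; off=$2
    set -- $(printf '%s\n' "$t" | tr ':' ' ')
    h=${1#0}; m=${2#0}; s=${3#0}          # strip leading zero: avoid octal
    sign=${off%"${off#?}"}                # first character of the offset
    set -- $(printf '%s\n' "${off#?}" | tr ':' ' ')
    oh=${1#0}; om=${2#0}
    secs=$(( h * 3600 + m * 60 + s ))
    shift_s=$(( oh * 3600 + om * 60 ))
    if [ "$sign" = "+" ]; then
        secs=$(( secs - shift_s ))        # local = UTC + offset, so subtract
    else
        secs=$(( secs + shift_s ))
    fi
    secs=$(( (secs % 86400 + 86400) % 86400 ))   # normalise into one day
    printf '%02d:%02d:%02d\n' $(( secs / 3600 )) $(( secs % 3600 / 60 )) $(( secs % 60 ))
}

# time_window_rules LOCAL_START LOCAL_STOP OFFSET
# Prints (does not apply) the iptables commands: a loopback ACCEPT inserted at
# the top of INPUT first, then the time-limited DROP for port 443.
time_window_rules() {
    start=$(to_utc "$1" "$3")
    stop=$(to_utc "$2" "$3")
    printf 'iptables -I INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp -m multiport --dports 443 -m time --timestart %s --timestop %s -j DROP\n' "$start" "$stop"
}

# Usage: print the rules for an 18:00-20:00 window on a UTC+8 host
time_window_rules 18:00:00 20:00:00 +08:00
```

Pipe the printed lines into sh once you have checked them; newer iptables also accepts --kerneltz on -m time if you prefer to match against the kernel's local timezone instead.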