//Cloud notes from my desk -Maheshk

“Fortunate are those who take the first steps.” ― Paulo Coelho

Linux firewall and connectivity issues

Src: Todd Hammer, Microsoft

All Linux distributions have a firewall in place because it ships with the kernel, but it is inactive by default. If we're having connectivity issues, the firewall is one of the first things we should check. Netfilter is the name of the firewall in the Linux kernel, and we talk to it using a command-line utility called iptables.

List currently configured iptables rules: iptables -L
List the main tables:
iptables -t security -L
iptables -t mangle -L
iptables -t filter -L
iptables -t nat -L
Clear all currently configured rules: iptables -F
Block traffic from a specific IP address: iptables -A INPUT -s <ip_address> -j DROP
Block traffic from an IP address range: iptables -A INPUT -s <ip>/<netmask> -j DROP
Block a specific port from a specific IP address: iptables -A INPUT -p tcp --dport <port> -s <ip_address> -j DROP
Block a specific port from any IP address: iptables -A INPUT -p tcp --dport <port> -j DROP
Open a port in the firewall (22 in the example): /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Save the changes you made (note that iptables-save prints the rules to stdout; redirect it to a file, e.g. /etc/iptables/rules.v4 with the iptables-persistent package, to keep them across reboots):
Ubuntu: sudo /sbin/iptables-save
Red Hat/CentOS: sudo /sbin/service iptables save
Others: /etc/init.d/iptables save
List listening ports:
sudo lsof -i -P -n | grep LISTEN
sudo lsof -i:22 ## see a specific port such as 22 ##
sudo ss -tulpn
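Put together, the listing and rule commands above make a quick triage for a connectivity complaint: is anything listening on the port, and does an INPUT rule drop it? The script below is an added example, not from the original post; it parses constructed sample output of ss -tulpn and iptables -L INPUT -n, and the function names (port_listening, drop_rules_for_port, triage) are mine.

```shell
#!/bin/sh
# Connectivity triage for one port: is a service listening, and does an
# iptables INPUT rule drop traffic to it? Parses the output of `ss -tulpn`
# and `iptables -L INPUT -n`. Both samples are CONSTRUCTED so the script runs
# offline; on a real host use SS_OUT="$(sudo ss -tulpn)" and
# IPT_OUT="$(sudo iptables -L INPUT -n)" instead.

SS_OUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1402,fd=6))'

IPT_OUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
DROP       tcp  --  203.0.113.0/24       0.0.0.0/0            tcp dpt:80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3389'

# port_listening PORT SS_OUTPUT -> exit 0 if any socket is in LISTEN on PORT
# (the port is the text after the last ':' of Local Address:Port, which also
# copes with IPv6 forms such as [::]:22)
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == "LISTEN" { n = split($5, a, ":"); if (a[n] == p) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# drop_rules_for_port PORT IPTABLES_OUTPUT -> prints the source of every DROP
# rule whose "dpt:" matches PORT, one per line; prints nothing when none match
drop_rules_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "DROP" { for (i = 1; i <= NF; i++) if ($i == ("dpt:" p)) print $4 }'
}

# triage PORT -> one-line verdict; exit 0 ok, 1 nothing listening, 2 blocked
triage() {
    if ! port_listening "$1" "$SS_OUT"; then
        echo "port $1: nothing is listening (fix the service, not the firewall)"
        return 1
    fi
    blocked=$(drop_rules_for_port "$1" "$IPT_OUT")
    if [ -n "$blocked" ]; then
        echo "port $1: listening, but INPUT drops it from: $(echo "$blocked" | tr '\n' ' ')"
        return 2
    fi
    echo "port $1: listening and no DROP rule in INPUT"
}

for p in 22 80 443; do triage "$p" || true; done
```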

Some distributions ship with their own firewall front end, so you can use these commands (there are many more options you can apply; please read the manuals) to check on them:

Red Hat/CentOS/SuSE

Get current firewall status: sudo systemctl status firewalld
Start/stop firewalld: sudo systemctl start firewalld / sudo systemctl stop firewalld
Enable/disable firewalld at system startup: sudo systemctl enable firewalld / sudo systemctl disable firewalld
List zones: firewall-cmd --get-zones
Check active zones: firewall-cmd --get-active-zones
List configuration: firewall-cmd --list-all
List allowed services: firewall-cmd --list-services
List allowed ports: firewall-cmd --list-ports
Allow a service: firewall-cmd --add-service=<servicename> --zone=<zonename> --permanent
Allow a port: firewall-cmd --add-port=<portnumber/protocol> --zone=<zonename> --permanent
Reload the firewall (needed after --permanent changes): firewall-cmd --reload

Ubuntu

Firewall status: sudo ufw status [verbose]
Enable/disable the firewall: sudo ufw enable / sudo ufw disable
Allow a port for tcp and udp: sudo ufw allow <port_number>
Allow a port for tcp only: sudo ufw allow <port_number>/tcp
Allow a port by service name (looked up in /etc/services): sudo ufw allow <service>
Block outgoing traffic: sudo ufw reject out <service/port>
Delete a rule: sudo ufw delete reject out <service/port>
Deny tcp traffic from a specific IP on a specific port: sudo ufw deny proto tcp from <ip> to any port <port_number>
Reset the firewall to its default state: sudo ufw reset
See available application profiles: sudo ufw app list
View information about a profile and its rules: sudo ufw app info <app_name>
Allow an application profile: sudo ufw allow <app_name>
Enable logging of firewall messages to the system log: sudo ufw logging on

There is also Security-Enhanced Linux (SELinux), which can block connections as well.

More information: 

2022-05-27 | Posted in Linux, Open Source

[LFCS] Commands to manage and configure containers in Linux

– LXC (Linux Containers) is OS-level virtualization for running multiple isolated Linux systems (containers) on a single kernel
– LXC combines the kernel's cgroups (control groups) with namespace isolation to provide an isolated space for our application
– the Linux kernel provides the cgroups functionality + namespace isolation –> cgroups are the brain behind this virtualization
– cgroups provide { resource limiting, prioritization, accounting and control }
– various projects use cgroups as their basis, including Docker, CoreOS, Red Hat, Hadoop, libvirt, LXC, Open Grid/Grid Engine, Kubernetes, systemd, Mesos and Mesosphere
– the initial version of Docker used LXC as its execution environment, but it was later replaced with libcontainer, written in Go
– Docker and LMCTFY ("Let Me Contain That For You") took over the container space and are used by many companies
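To see the cgroup placement described above in practice, here is an added example (not from the original notes) that reads which container a process belongs to from its /proc/self/cgroup lines and interprets the memory limit that docker run --memory or an LXC cgroup setting imposes. The cgroup lines, container id and limit values are constructed samples in the real file formats, and the function names are mine.

```shell
#!/bin/sh
# Each LXC or Docker container lives in its own cgroup, so a process can learn
# which container it is in from /proc/self/cgroup, and the memory limit that
# `docker run --memory` or an lxc.cgroup setting imposed from memory.max
# (cgroup v2) or memory.limit_in_bytes (v1). All inputs below are CONSTRUCTED
# samples; on a live host pass "$(cat /proc/self/cgroup)" instead.

CGROUP_DOCKER='0::/system.slice/docker-efe34aa0c1d2.scope'   # v2, systemd driver
CGROUP_DOCKER_V1='12:memory:/docker/efe34aa0c1d2
11:cpu,cpuacct:/docker/efe34aa0c1d2'                          # v1, cgroupfs driver
CGROUP_LXC='12:memory:/lxc/mylxcontainer
1:name=systemd:/lxc/mylxcontainer'                            # v1, lxc-start
CGROUP_HOST='0::/user.slice/user-1000.slice/session-4.scope'  # plain login shell

# container_of CGROUP_TEXT -> "docker:<id>", "lxc:<name>" or "host"
# (each line is hierarchy-id:controllers:path; only the path is inspected)
container_of() {
    printf '%s\n' "$1" | awk -F: '
        $NF ~ /\/docker-[0-9a-f]+\.scope$/ { sub(/.*\/docker-/, "", $NF); sub(/\.scope$/, "", $NF)
                                             print "docker:" $NF; found = 1; exit }
        $NF ~ /^\/docker\//   { sub(/^\/docker\//, "", $NF); print "docker:" $NF; found = 1; exit }
        $NF ~ /^\/lxc\//      { sub(/^\/lxc\//, "", $NF);    print "lxc:" $NF;    found = 1; exit }
        END { if (!found) print "host" }'
}

# memory_limit_mb VALUE -> "unlimited" or "<n> MiB". memory.max holds "max"
# when unset; a v1 limit_in_bytes with no limit holds a number near 2^63
memory_limit_mb() {
    case "$1" in
        max) echo unlimited ;;
        *)   awk -v b="$1" 'BEGIN { if (b + 0 >= 2^62) print "unlimited"; else printf "%d MiB\n", b / 1048576 }' ;;
    esac
}

# report CGROUP_TEXT LIMIT_VALUE -> one summary line
report() {
    echo "$(container_of "$1"): memory limit $(memory_limit_mb "$2")"
}

report "$CGROUP_DOCKER"    536870912              # docker run --memory 512m
report "$CGROUP_DOCKER_V1" 9223372036854771712    # v1 container with no limit set
report "$CGROUP_LXC"       1073741824             # an lxc.cgroup memory limit of 1G
report "$CGROUP_HOST"      max
```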


>>>LXC – Linux container commands

$ sudo -i { switch to the root account }
$ apt update
$ free -m { check memory availability; -m for MB, -g for GB }
$ apt install lxc { Linux Containers; Docker was originally built on this }
$ systemctl status lxc.service
$ systemctl enable lxc
$ lxc- <Tab><Tab> { to see all the lxc- commands }
$ cd /usr/share/lxc/templates
$ ls { should show the list of templates }
$ lxc-create -n mylxcontainer -t ubuntu { creates an ubuntu container from the specified template }
$ lxc-ls { list the local containers; mylxcontainer should appear }
$ lxc-info -n mylxcontainer { state should be STOPPED }
$ lxc-start -n mylxcontainer
$ lxc-info -n mylxcontainer { state should now be RUNNING }
$ lxc-console -n mylxcontainer { console login to the container; username ubuntu, password ubuntu }
ubuntu@mylxcontainer:~$ { upon login the prompt changes to the container's }
$ uname -a or hostname { to confirm you are inside the container }
Type Ctrl+a then q to exit the console
$ lxc-stop -n mylxcontainer
$ lxc-destroy -n mylxcontainer

>>>Docker container commands
$ apt update
$ free -m
$ apt install docker.io
$ systemctl enable docker
$ systemctl start docker
$ systemctl status docker
$ docker info
$ docker version
$ docker run hello-world { pulls and runs the hello-world image for testing }
$ docker ps
$ docker ps -la or $ docker ps -a { list all the containers }
$ docker search apache or microsoft { search images by name }
$ docker images { list all the images on the local host }
$ docker pull ubuntu
$ docker run -it --rm -p 8080:80 nginx { runs nginx; -it for interactive, --rm removes the container on exit }
$ docker ps -la { list all the containers; note the container_id, the first 3 characters are enough }
$ docker start container_id or ubuntu { say efe }
$ docker stop efe
$ docker run -it ubuntu bash
root@efe34sdsdsds:/# { takes you to the container's bash }
Type Ctrl+p then Ctrl+q to detach and return to the host terminal
$ docker save debian -o mydebian.tar
$ docker load -i mydebian.tar
$ docker export web-container -o xyz.tar
$ docker import xyz.tar
$ docker logs containername or id
$ docker logs -f containername or id { live / streaming logs }
$ docker stats
$ docker top container_id
$ docker build -t my-image dockerfiles/ or $ docker build -t aspnet5 . { the dot at the end uses the current directory, and the Dockerfile in it, as the build context }

>>>for working with Azure Container Registry (ACR)

$ az acr login --name myregistry
$ docker login myregistry.azurecr.io -u xxxxxxxx -p myPassword { prefer --password-stdin so the password does not end up in shell history or the process list }
$ docker pull nginx
$ docker run -it --rm -p 8080:80 nginx { browse to http://localhost:8080 }
{ To stop and remove the container, press Ctrl+C. }
$ docker tag nginx myregistry.azurecr.io/samples/nginx
$ docker push myregistry.azurecr.io/samples/nginx
$ docker pull myregistry.azurecr.io/samples/nginx
$ docker run -it --rm -p 8080:80 myregistry.azurecr.io/samples/nginx
$ docker rmi myregistry.azurecr.io/samples/nginx
$ docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" nginx
$ az acr repository delete --name myregistry --repository samples/nginx --tag latest --manifest
$ docker run -d redis { by default Docker runs the container in the foreground; -d runs it in the background }
$ docker run -d redis:latest
$ docker start $(docker ps -a -q)
$ docker rm -f $(docker ps -a -q)

>>>docker minified version
$ docker pull docker.io/httpd
$ docker images
$ docker run httpd
$ docker ps [-a | -l]
$ docker info
$ docker run httpd
$ curl http://172.17.0.2  <ctrl+c>
$ docker stop httpd
$ docker rmi -f docker.io/httpd
$ systemctl stop docker

Happy learning !

2018-05-27 | Posted in LFCS, Linux, Microservices, Open Source

[Linux] How to login Azure Linux VM’s using SSH key pair

This post is for Linux newbies trying to figure out the SSH way to log in to an Azure Linux VM. I am following the steps explained here. I have seen many times our Windows users struggle to get this right on the first attempt. Hope the screenshots below are clear enough to follow for an easy logon. Please note there are many ways to get this done, but I felt this was the quickest way to get it right without jumping between tools and sites.

Step 1: I am using WSL, but you can try Git Bash, Bitvise, PuTTY, a Tux VM or any other SSH client of your choice.


Please note down the key passphrase safely. It is required when we SSH to the Linux VM from the terminal.

Step 2: You will see the public and private keys generated under ~/.ssh. Cat out the id_rsa.pub file to grab the public key, which is required when creating the Azure Linux VM.


Step 3: Paste the above public key at VM creation time, in the portal or the CLI.


Step 4: Once the VM is created, copy the SSH command to log on.


Step 5: Go back to your favorite SSH client and run the copied command. Please note it will prompt for the passphrase, which you have to enter now. On success, you will see your remote machine's terminal.
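The part of Step 2 and Step 3 that newcomers most often get wrong is what gets pasted into the portal. As an added check that is not part of the original post, this script validates that the line is a single OpenSSH public key (ssh-rsa or ssh-ed25519) and refuses anything that looks like a private key file; the key strings are constructed, not real keys, and check_pubkey is my name.

```shell
#!/bin/sh
# Check the line you are about to paste into the portal as the VM's SSH public
# key: it must be one OpenSSH public-key line and never the private key file.
# The key material below is CONSTRUCTED for the demo (not a real key pair);
# on your machine run: check_pubkey "$(cat ~/.ssh/id_rsa.pub)"

# check_pubkey LINE -> prints a verdict; exit 0 only for a plausible public key
check_pubkey() {
    case "$1" in
        *"PRIVATE KEY"*) echo "REJECT: this is a private key, never paste it anywhere"; return 1 ;;
    esac
    set -- $1                     # split on whitespace: type, base64 blob, [comment]
    ktype=$1; blob=$2; comment=${3:-}
    # the blob itself starts with the encoded key-type string, so it must agree
    # with the first field; a mismatch means a mangled or mixed-up paste
    case "$ktype" in
        ssh-rsa)     want=AAAAB3NzaC1yc2E ;;
        ssh-ed25519) want=AAAAC3NzaC1lZDI1NTE5 ;;
        *) echo "REJECT: unknown key type '$ktype'"; return 1 ;;
    esac
    case "$blob" in
        "$want"*) ;;
        *) echo "REJECT: blob does not encode an $ktype key (truncated or mangled paste?)"; return 1 ;;
    esac
    if printf '%s' "$blob" | grep -qv '^[A-Za-z0-9+/=]*$'; then
        echo "REJECT: blob has non-base64 characters (line breaks from a wrapped copy?)"; return 1
    fi
    if [ -n "$comment" ]; then echo "OK: $ktype key, comment $comment"; else echo "OK: $ktype key"; fi
}

# constructed demo inputs: one good line and three typical paste mistakes
GOOD='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0123456789abcdefghij user@wsl'
check_pubkey "$GOOD"
check_pubkey 'ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey user@wsl' || true
check_pubkey 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB!!broken user@wsl' || true
check_pubkey '-----BEGIN OPENSSH PRIVATE KEY-----' || true
```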


Let me know if this helps you in some way.

Happy learning !

2018-01-30 | Posted in Azure, Linux, Open Source

[Azure PaaS] Why to consider Azure PaaS?

Happy new year! As a Technical Evangelist, I work with a bunch of ISVs, where I meet technical architects for engagements that include architectural design talks, reviews or POC assistance. To me, it's easy to work with and explain things to Uber architects versus PowerPoint architects, who resist PaaS services aggressively and often describe them as a burden. As a leader in PaaS offerings, we encourage developers and startups to focus on their "apps" rather than spending time managing the underlying resources. It gives us "real" freedom to operate in the cloud easily and also provides an easy integration path to various tools, reports and monitoring. Here I wanted to list the advantages of adopting PaaS services over IaaS.

1) Open and Hybrid: Azure is committed to being open, speaking the languages customers choose and supporting the platforms they prefer. We openly work with many open source communities, integrating their demands, acknowledging the development community's direction and also contributing fixes back to the community repos. This puts us in a win/win situation. The hybrid path and options in Azure are very useful for leveraging existing on-premises investments. Azure PaaS provides a high-control, high-productivity + intelligence platform which you can consider for both open source and hybrid scenarios.

2) Data-driven Intelligence: Azure is the "only" cloud provider that offers comprehensive monitoring solutions covering both cloud and on-premises resources in a single pane. It has Azure Monitor, Application Insights, Log Insights etc., which help to get various intelligence about the services easily. It also has Azure Security Centre, which helps us detect threats early and avoid false positives.

3) Continuous Innovation: Azure services can be easily integrated with VSTS, which provides end-to-end DevOps covering planning, build & release and the required tools. Azure Cognitive and AI services are way ahead of other providers. In fact, Azure provides 29 APIs for Cognitive Services, which is a true value proposition and also a sign of innovation.

4) Cross Platform: Using VS tools for Xamarin, developers can build native Android, iOS and Windows apps sharing 90% of the code across device platforms. Non-developers can also build scalable applications for desktop and mobile on top of cloud and on-premises services using PowerApps (no coding skills required).

5) Productivity & Tools: Azure offers unparalleled developer productivity tools for PaaS development with Visual Studio, through which one can even step into remote code in a few minutes (remote debugging).


Do you still see it as a burden?

#StayLearning..

2018-01-18 | Posted in Azure, Open Source, PaaS

WIIFM-“Powershell available on Linux”

When I first read this announcement – https://azure.microsoft.com/en-us/blog/powershell-is-open-sourced-and-is-available-on-linux/ – I thought, what the heck are we trying to solve when Linux already has Bash/Python/Perl for automation and scripting? But I was proved wrong after watching this video – https://youtu.be/2WZwv7TxqZ0

But once again, this is a very cool move from our PowerShell team, opening up the source code and extending support to Linux and macOS. DevOps folks would love this for sure; it comes in handy for managing or automating Azure resources across operating systems. There are plans to include most of the modules down the line, so execution will be seamless.

Key takeaway: if we have any PS script written on Windows, say for Azure VM creation or management, Docker, AWS storage, VMware resource management etc., then we can reuse the same script on Linux and macOS. There is no difference in the syntax; a plain copy-paste should work without any change.

Sweet – “We are partnering with third party companies – Chef, Amazon Web Services, VMware, and Google to name a few – to create a rich, seamless experience across the platforms you know and use.”

Write once, run anywhere philosophy – a heterogeneous management toolset.

https://channel9.msdn.com/Blogs/hybrid-it-management/PowerShell-on-Linux-and-Open-Source/player

2016-08-22 | Posted in Azure, DevOps, Linux, Open Source, OSS, Powershell

How to RDP into Azure Linux machine using Xrdp

I ran into this issue after creating an Azure Linux VM and attempting to configure RDP for the first time. On the Linux side, I had installed Xrdp and configured it for RDP access. But when I tried to RDP from my Windows machine, it failed. I spent a few hours troubleshooting this issue without a clue, but later it turned out to be a "port" issue. Yes, by default Azure VMs expose or allow very limited ports, say 80 and 443 for Windows and port 22 for SSH on Linux. So in order to enable RDP for Linux/Windows machines, you may have to add port 3389 under "inbound security rules" as below.


I followed this blog post for the xrdp setup, but it had nothing specific about the Azure port. So I thought of summarizing my learning here in steps to follow quickly for achieving RDP access to Azure Linux VMs.

1) Log in to the new portal (portal.azure.com), click "+ New" to add a resource, then select Virtual machine. You will find the Ubuntu Server OS list; let's say you pick "Ubuntu Server 14.04.4 LTS". Make sure to note down the username, password and public IP (PIP) for later reference.

2) Once the VM has been created, use putty.exe to connect to the VM over SSH (port 22), which is enabled by default. Enter the PIP and hit the Connect button. You will get a console asking you to enter the username and password. Once provided, you will land in the Linux terminal, where we are going to execute the next set of commands in order.


3) Commands to install the desktop and xrdp on the Linux VM side.

$ sudo apt-get update
$ sudo apt-get install ubuntu-desktop
$ sudo apt-get install xfce4
$ sudo apt-get install xrdp
$ echo xfce4-session >~/.xsession
$ sudo nano /etc/xrdp/startwm.sh <pay attention to the last line; it should be exactly like this>
#!/bin/sh
if [ -r /etc/default/locale ]; then
  . /etc/default/locale
  export LANG LANGUAGE
fi
startxfce4
$ sudo service xrdp restart

4) Now go back to the Azure portal and add port 3389 under Inbound security rules (as in the screenshot above). P.S.: 3389 is the well-known port used by Azure for RDP.

5) Now from the Windows machine, launch "mstsc", enter the VM's public IP, and then the username & password at the xrdp login.
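Step 3 hides the gotcha the post warns about: the last line of startwm.sh. This added script (not from the original post) writes the ~/.xsession and startwm.sh contents shown above and then lints them, so a session file that would log in and immediately drop out is caught before the first RDP attempt; the paths and function names (setup_xrdp_session, verify_xrdp_session) are mine.

```shell
#!/bin/sh
# Writes the two session files from step 3 and then lints them, because a
# startwm.sh that does not END with the session command is the usual reason
# the xrdp login screen appears and then drops straight back out. Paths are
# parameters so this can be tried in a scratch directory first; on the VM run
# it as root with /etc/xrdp/startwm.sh and the RDP user's ~/.xsession.

# setup_xrdp_session STARTWM XSESSION -> writes both files exactly as the post shows
setup_xrdp_session() {
    cat > "$1" <<'EOF'
#!/bin/sh
if [ -r /etc/default/locale ]; then
    . /etc/default/locale
    export LANG LANGUAGE
fi
startxfce4
EOF
    chmod 755 "$1"
    echo xfce4-session > "$2"
}

# verify_xrdp_session STARTWM XSESSION -> exit 0 if both files look right,
# otherwise prints the first problem found and exits 1
verify_xrdp_session() {
    [ -x "$1" ] || { echo "$1 is not executable"; return 1; }
    [ "$(sed -n 1p "$1")" = "#!/bin/sh" ] || { echo "$1: first line must be #!/bin/sh"; return 1; }
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    [ "$last" = "startxfce4" ] || { echo "$1: last command is '$last', expected startxfce4"; return 1; }
    [ "$(cat "$2")" = "xfce4-session" ] || { echo "$2 must contain exactly xfce4-session"; return 1; }
    echo "xrdp session files OK"
}

# demo in a scratch directory (constructed paths, not the VM's real ones)
tmp=$(mktemp -d)
setup_xrdp_session "$tmp/startwm.sh" "$tmp/.xsession"
verify_xrdp_session "$tmp/startwm.sh" "$tmp/.xsession"
# a startwm.sh whose last line launches something else fails the lint
printf '#!/bin/sh\nexec /some/other/session\n' > "$tmp/other.sh"; chmod 755 "$tmp/other.sh"
verify_xrdp_session "$tmp/other.sh" "$tmp/.xsession" || true
rm -rf "$tmp"
```

When you add the 3389 rule in step 4, set its source to your own public IP rather than Any; an xrdp listener open to the whole internet draws password guessing within hours.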


P.S.: Clipboard copy is not supported here.

I missed step 4 and wasted quite a lot of time figuring it out.

Hope this will save someone’s time 🙂 .

<update:7/21>
a. Finding the inbound rules is a little tricky:
   VM > Settings > Network interfaces > Settings > NSG > select the NSG > Settings > Inbound rules
b. I lately noticed our official article on this: https://azure.microsoft.com/en-in/documentation/articles/virtual-machines-linux-classic-remote-desktop/
</update:7/21>

Update 8/1 – tips

1) exit -> logout, 2) sudo – -> (to get into root), 3) sudo passwd root

4) download any .deb or tarball (tar xzvf file.tar.gz), extract it, check the bin folder, say for an "sh" file such as pycharm.sh, then right click > Execute

<Unsupported: 9/28/2016>

Unsupported: How to install xRDP for GUI remote access on Linux
https://blogs.msdn.microsoft.com/linuxonazure/2016/09/26/unsupported-how-to-install-xrdp-for-gui-remote-access-on-linux/

</Unsupported>

2016-06-30 | Posted in Linux, Open Source, OSS