Admins eHow SysAdmin Tips & Tricks

December 2, 2022

Redirect all DNS requests to local caching DNS server

Filed under: dns,linux — Tags: , , , , — admin @ 2:44 am

For caching DNS Server, I use PowerDNS recursor server. Install it first :

apt install pdns-recursor

By default it listens on 127.0.0.1:53 and should work right after the installation, but for faster performance I want it to forward all queries to 8.8.8.8 which is Google’s public DNS server. so change /etc/powerdns/recursor.conf and add the following line :

forward-zones-recurse= .=8.8.8.8;

Restart the service after config change :

systemctl restart pdns-recursor.service

Now you can test it :

dig yahoo.com @127.0.0.1

You should get a valid response.
Now lets redirect all DNS queries to our local server :

iptables -t nat -I OUTPUT -m owner --uid-owner pdns -j RETURN
iptables -t nat -I POSTROUTING -m owner --uid-owner pdns -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53
iptables -t nat -A POSTROUTING -p udp --dport 53 -j SNAT --to-source 127.0.0.1

The first two iptables rules prevent a loop in redirecting pdns queries to outside world (8.8.8.8 in our case).
Done. Easy 😉

October 23, 2019

How to limit the number of incoming connections to a specific port

Filed under: linux,Security — Tags: , , , , — admin @ 11:47 pm

Replace [PORT] & [CON_NUM] with respected values.

iptables -I INPUT -p tcp --syn --dport [PORT] -m connlimit --connlimit-above [CON_NUM] --connlimit-mask 0 -j REJECT --reject-with tcp-reset

September 5, 2011

IPTables packet traverse map

Filed under: CentOS,Debian,General,linux,Security — Tags: , , , , , — admin @ 7:23 am

1.

(more…)

April 27, 2011

Block BitTorrent traffic on your Linux firewall using iptables

Filed under: Debian,linux,Security — Tags: , , , , , — admin @ 7:25 pm

The following script will block and log un-encrypted BitTorrent & DHT traffic on your Linux firewall.
I have personally tested it on debian 5 lenny , but I am almost sure it should work pretty well on any new Linux distros.

iptables -N LOGDROP > /dev/null 2> /dev/null 
iptables -F LOGDROP 
iptables -A LOGDROP -j LOG --log-prefix "LOGDROP " 
iptables -A LOGDROP -j DROP

#Torrent
iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j LOGDROP 
iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j LOGDROP
iptables -A FORWARD -m string --algo bm --string "peer_id=" -j LOGDROP
iptables -A FORWARD -m string --algo bm --string ".torrent" -j LOGDROP
iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j LOGDROP 
iptables -A FORWARD -m string --algo bm --string "torrent" -j LOGDROP
iptables -A FORWARD -m string --algo bm --string "announce" -j LOGDROP
iptables -A FORWARD -m string --algo bm --string "info_hash" -j LOGDROP 

# DHT keyword
iptables -A FORWARD -m string --string "get_peers" --algo bm -j LOGDROP
iptables -A FORWARD -m string --string "announce_peer" --algo bm -j LOGDROP
iptables -A FORWARD -m string --string "find_node" --algo bm -j LOGDROP

August 27, 2009

How to clear all iptables rules

Filed under: CentOS,Debian,General,Security — Tags: , , , — admin @ 2:08 pm

In order to flush all iptables rules , Run the following commands :

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

June 6, 2009

iptables v1.3.5: can’t initialize iptables table `filter’: iptables who? (do you need to insmod?)

Filed under: XEN — Tags: , , — admin @ 8:10 am

Typically this occurs when a kernel update occurred on the node. Run this on the server node and then restart the VM having trouble.

/script/fixxenkernel

Powered by WordPress