The complicated process for removing the “uncomplicated firewall”

If you're new to Linux, ufw is a very useful tool. It's really simple to install on Ubuntu.

However, should you choose to get rid of it for some reason, it leaves behind quite a mess: the ufw-* chains stay in the iptables filter table after the package is removed.
Here is a quick script to clean up the mess.

Here is the whole process as a bash script:

#!/bin/bash
# Reset the INPUT policy to ACCEPT first so we can't lock ourselves out while tearing things down.
iptables -P INPUT ACCEPT
# Flush every rule in the filter table, including the jumps from INPUT/OUTPUT/FORWARD into the
# ufw-* chains. iptables -X refuses to delete a chain that still contains rules or is still
# referenced by a jump ("Directory not empty" / "Too many links"), so without this flush the
# deletions below fail.
iptables -F
iptables -X ufw-user-output
iptables -X ufw-user-logging-output
iptables -X ufw-user-logging-input
iptables -X ufw-user-logging-forward
iptables -X ufw-user-limit-accept
iptables -X ufw-user-limit
iptables -X ufw-user-input
iptables -X ufw-user-forward
iptables -X ufw-track-output
iptables -X ufw-track-input
iptables -X ufw-skip-to-policy-output
iptables -X ufw-skip-to-policy-input
iptables -X ufw-skip-to-policy-forward
iptables -X ufw-reject-output
iptables -X ufw-reject-input
iptables -X ufw-reject-forward
iptables -X ufw-not-local
iptables -X ufw-logging-deny
iptables -X ufw-logging-allow
iptables -X ufw-before-output
iptables -X ufw-before-logging-output
iptables -X ufw-before-logging-input
iptables -X ufw-before-logging-forward
iptables -X ufw-before-input
iptables -X ufw-before-forward
iptables -X ufw-after-output
iptables -X ufw-after-logging-output
iptables -X ufw-after-logging-input
iptables -X ufw-after-logging-forward
iptables -X ufw-after-input
iptables -X ufw-after-forward
apt-get remove ufw
# As a basic firewall I'd recommend the following:
iptables -F
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# sshd: this script uses port 13160 (the description below says 22); use whatever port your sshd listens on
iptables -A INPUT -p tcp -m tcp --dport 13160 -j ACCEPT
iptables -A INPUT -d XX_REPLACE_WITH_YOUR_SERVER_IP/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d XX_REPLACE_WITH_YOUR_SERVER_IP/32 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# The description says OUTPUT should be ACCEPT; set it explicitly rather than relying on the current value
iptables -P OUTPUT ACCEPT

This will:

  1. Reset the default policy of INPUT to ACCEPT so we don't get locked out of our box.
  2. Remove the custom ufw chains and flush all existing rules.
  3. Accept established connections, accept all connections on the loopback device, and accept connections to ports 80 (http), 443 (https), and 22 (sshd). The script above uses 13160 for sshd; substitute the port your sshd actually listens on.
  4. Accept pings from machines which have established a connection. With large packet support now enabled by default in the Linux kernel, it's important to allow some pings to be accepted.
  5. Set the default policies of INPUT and FORWARD to DROP and OUTPUT to ACCEPT.

Make sure you replace XX_REPLACE_WITH_YOUR_SERVER_IP with your server's IP address.
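The hard-coded chain list above only matches one ufw version. As an added example (not part of the original post, and not ufw's own code), the script below derives the cleanup from the live ruleset instead: it reads the output of `iptables -S`, finds every ufw-* chain and every jump into one from a built-in chain, and prints the commands in the order iptables requires (reset the INPUT policy, delete the jump rules, flush the chains, then delete them). It prints rather than executes, so the plan can be reviewed before it is piped to a shell as root. The sample ruleset embedded at the bottom is constructed for the demo and abridged; a real ufw ruleset has around thirty chains.

```shell
#!/bin/sh
# Builds the ufw removal commands from the live ruleset instead of a hard-coded chain list.
# Input: the output of `iptables -S` (one rule per line, iptables-save syntax) on stdin.
# Output: the iptables commands, in the order iptables requires:
#   1. reset the INPUT policy to ACCEPT so nothing locks us out,
#   2. delete the jump rules from the built-in chains into ufw-* chains
#      (iptables -X refuses to delete a chain that is still referenced),
#   3. flush every ufw-* chain, 4. delete every ufw-* chain.
# Usage:  iptables -S | plan_ufw_cleanup         # review the plan
#         iptables -S | plan_ufw_cleanup | sh    # apply it, as root

plan_ufw_cleanup() {
    awk '
        BEGIN { print "iptables -P INPUT ACCEPT" }
        # "-N ufw-foo" declares a user chain: remember it, keeping the order seen
        $1 == "-N" && $2 ~ /^ufw-/ { order[n++] = $2; next }
        # a rule in a built-in chain whose target is a ufw chain: emit the matching -D
        $1 == "-A" && $2 !~ /^ufw-/ {
            for (i = 3; i < NF; i++) {
                if ($i == "-j" && $(i + 1) ~ /^ufw-/) {
                    sub(/^-A /, "-D ")
                    print "iptables " $0
                    break
                }
            }
        }
        END {
            # rules inside ufw chains (including jumps between ufw chains) go with the flush
            for (i = 0; i < n; i++) print "iptables -F " order[i]
            for (i = 0; i < n; i++) print "iptables -X " order[i]
        }
    '
}

# Constructed sample of what `iptables -S` prints on a host where ufw left its chains
# behind (abridged, not captured from a real system).
sample_iptables_dump() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-after-input
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Dry run against the sample; nothing is executed
sample_iptables_dump | plan_ufw_cleanup
```

Because the jump rules from INPUT are deleted before the chains are flushed, the policy reset in the first line is what keeps an SSH session alive if INPUT's policy was DROP; apply the plan from a console or with a fallback firewall rule loaded if you are unsure.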

Install errors from missing locales

While setting up a LAMP stack on a VPS running Ubuntu 10 LTS, I got the following error:
Setting up php5-cli (5.3.2-1ubuntu4.5) ...
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "en_US.utf8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C")

I was also getting a similar error from locale -a:
locale -a
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_COLLATE to default locale: No such file or directory

It appears this VPS provider doesn't have any locales installed by default. I fixed it by installing my locale via apt-get.

apt-get install language-pack-en-base


Update – 1-23-2011

If you're using Debian instead of Ubuntu, do the following instead:

  1. Install debconf (i.e. run apt-get update, then apt-get install debconf, as root)
  2. Run dpkg-reconfigure locales as root


Add php5-cli and rsync to your esxi server

My new favorite toy is a box running ESXi.

ESXi is a strange beast. I'm used to using Linux-based host OSes, so the limitations of ESXi are a little frustrating: no direct access to physical drives, no direct access to USB devices, and ESXi only knows how to read its own proprietary file system, VMFS.
For all the headache, it's much faster than a Linux host and has a ton of configuration options via the vSphere client software.

The lack of a CLI bugs me a lot. The only supported way to interact with ESXi is via the vSphere client software.
It does include sshd, but it's off by default.
There are lots of articles on how to enable this mode.

Once you've got SSH access, you'll quickly discover that most of the commands you're used to in Linux are missing,
including perl, rsync, etc.

Since there are no dev tools, no gcc, and no glib headers for this kernel, you can't compile software directly on the host either.
Ah, but if you can build it into a static binary, it will run!

I’ve found an rsync binary and a php binary.
Installing these opens doors for writing useful scripts with esxi.

Log in as root, plop these into your /bin/ directory, make them executable with chmod a+x, and you're good to go.

Not quite that easy. The binaries work, but /bin doesn't persist between reboots. You'll need to place your utilities in a persistent storage location to keep them around.

Warning: The resulting partition is not properly aligned for best performance.

I’m adding a disk to an ubuntu machine and creating a new partition which uses the whole disk.

GNU Parted 2.2
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Error: /dev/sdb: unrecognised disk label

So I make a new msdos disk label:

(parted) mklabel
New disk label type? msdos
(parted) print
Model: - (scsi)
Disk /dev/sdb: 53.7GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number  Start  End  Size  Type  File system  Flags
(parted) mkpart primary ext4 0 -1
Warning: The resulting partition is not properly aligned for best performance.

You should align the first partition at block 64:
(parted) mkpart primary ext4 64 -1
But the mkpart syntax is: mkpart part-type fs-type start-mb end-mb
so this just wastes the first 64 MB of space on the disk. Setting the start at 1 avoids the error message as well:

mkpart primary ext4 1 -1

And you're error free. Go forth and partition.
Thanks to Stefan.
This is why I put stuff on the internet.
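Parted only warns at creation time; once the partition exists, nothing re-checks it. As an added example (not from the post and not parted's own code), the script below verifies the alignment after the fact. It assumes the 1 MiB boundary that parted and fdisk default to on disks that report no topology (the post does not say which alignment parted wanted), and that the kernel's sysfs layout is the usual /sys/class/block/<part>/start and <disk>/queue/logical_block_size. partition_aligned is the pure arithmetic so it can be run without a disk; check_partition reads the live values.

```shell
#!/bin/sh
# Verifies that a partition starts on the alignment boundary parted warns about.
# Assumption: 1 MiB alignment, which is a multiple of every common physical sector
# size (512 B, 4 KiB) and of typical RAID stripe sizes. check_partition reads the
# live values from sysfs (Linux only); partition_aligned is the arithmetic.

ALIGN_BYTES=1048576   # 1 MiB

# partition_aligned START_SECTOR LOGICAL_SECTOR_BYTES [ALIGN_BYTES]
# true (exit 0) when the partition's byte offset is a multiple of the alignment
partition_aligned() {
    align=${3:-$ALIGN_BYTES}
    [ $(( ($1 * $2) % align )) -eq 0 ]
}

# check_partition sdb1 : report whether /dev/sdb1 is aligned, using sysfs
check_partition() {
    part=$1
    start=$(cat "/sys/class/block/$part/start")                         # first sector of the partition
    sector=$(cat "/sys/class/block/$part/../queue/logical_block_size")  # bytes per logical sector of the parent disk
    if partition_aligned "$start" "$sector"; then
        echo "/dev/$part: starts at sector $start ($sector-byte sectors), 1 MiB aligned"
        return 0
    fi
    echo "/dev/$part: starts at sector $start, NOT 1 MiB aligned; recreate it with mkpart primary ext4 1 -1"
    return 1
}

# Worked values, not read from a disk: the old DOS default start (sector 63) versus
# the start parted picks for "mkpart primary ext4 1 -1" on 512 B sectors (sector 2048)
for start in 63 2048; do
    if partition_aligned "$start" 512; then
        echo "start sector $start: aligned"
    else
        echo "start sector $start: misaligned"
    fi
done
```

Run check_partition sdb1 (as any user; sysfs is world-readable) after partitioning, and pass a third argument such as 4096 to partition_aligned if you only care about the physical-sector boundary of a 4K disk rather than the full 1 MiB.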

Configure Crashplan on Centos 5.3

Crashplan is a backup tool similar to Carbonite or Mozy with one great exception: it allows PC-to-PC backup without a fee, and they have clients for Windows, Mac and Linux.

The configuration of this on a headless Linux server is a little tricky but can be done.

The Crashplan software is divided into two parts: the engine and the desktop. The desktop is the configuration GUI and the engine does the work. To configure a headless server, you'll need to use the desktop on another computer to connect to the headless one via port forwarding.

Check out the instructions

Their instructions are Mac-centric. Here is how to achieve the same thing with Windows and PuTTY.

  1. Open PuTTY
  2. Fill in the host and port info to connect to your server
  3. Under ‘Category’ on the left, click on ‘SSH’
  4. Next click on ‘Tunnels’
  5. Check both ‘Local ports accept connections…’ and ‘Remote ports do the same…’
  6. Enter ‘4243’ into the ‘Source port’ box
  7. Enter into the ‘Destination’ box.
  8. Select ‘Local’ and ‘Auto’
  9. Click ‘Add’
  10. Now click ‘Open’ and log in to your server as normal.
  11. You'll now be able to open the Crashplan desktop and configure your server.

Before you can begin backing up to your Linux machine, you'll also need to configure your Linux firewall to allow connections to ports 4200 and 4243. You'll need to allow both TCP and UDP connections on port 4200.

On CentOS, add these lines to your /etc/sysconfig/iptables

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4200 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4243 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4200 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4243 -j ACCEPT

Right before this line:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
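Placing the rules before the ESTABLISHED,RELATED line by hand is easy to get wrong, and running the edit twice duplicates them. As an added example (not from the post and not Crashplan's or CentOS's own tooling), the script below inserts the four rules at exactly that position, skips any rule the file already contains, and writes the result to stdout for review. The sample /etc/sysconfig/iptables at the bottom is constructed for the demo, modelled on the stock CentOS 5 layout, with tcp/4200 already present to show that duplicates are not added.

```shell
#!/bin/sh
# Inserts the four Crashplan ACCEPT rules into a sysconfig-format iptables file right
# before the first "--state ESTABLISHED,RELATED -j ACCEPT" line, skipping rules the
# file already contains so the script can be re-run safely. Reads the file on stdin,
# writes the new file to stdout; exits 1 if no ESTABLISHED,RELATED line was found.
# Usage:  add_crashplan_rules < /etc/sysconfig/iptables > /tmp/iptables.new
#         then review the diff, copy it into place and restart the iptables service.

add_crashplan_rules() {
    awk '
        BEGIN {
            n = split("tcp:4200 tcp:4243 udp:4200 udp:4243", wanted, " ")
            for (i = 1; i <= n; i++) {
                split(wanted[i], pp, ":")
                rule[i] = "-A RH-Firewall-1-INPUT -p " pp[1] " -m " pp[1] " --dport " pp[2] " -j ACCEPT"
            }
        }
        # first pass: keep every line and index the rules that are already present
        { line[NR] = $0; present[$0] = 1 }
        END {
            inserted = 0
            for (i = 1; i <= NR; i++) {
                if (!inserted && line[i] ~ /--state ESTABLISHED,RELATED -j ACCEPT/) {
                    for (r = 1; r <= n; r++)
                        if (!(rule[r] in present)) print rule[r]
                    inserted = 1
                }
                print line[i]
            }
            if (!inserted) {
                print "no ESTABLISHED,RELATED rule found; nothing inserted" > "/dev/stderr"
                exit 1
            }
        }
    '
}

# Constructed sample of a stock CentOS 5 /etc/sysconfig/iptables (not copied from a
# real host), with tcp/4200 already allowed to show that duplicates are not added
sample_sysconfig_iptables() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4200 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo: print the patched file for the sample
sample_sysconfig_iptables | add_crashplan_rules
```

The insertion point matters: rules after the ESTABLISHED,RELATED line in the stock file are followed by the final REJECT, so anything appended at the end of the chain is never reached, which is why the post says to put them right before that line.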