The following steps will setup each part of a basic firewall configuration. Once we have all of the rules applied we’ll save the rules and set them to start up at boot.

Allow established connections

The first thing we need to do is allow any established traffic to come into the server. This will allow our SSH traffic to continue functioning while we work on our firewall. Type the following command:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow SSH traffic

Next we need to include a rule to enable SSH traffic. Type the following rule to allow incoming SSH connections:

iptables -A INPUT -p tcp --dport ssh -j ACCEPT

If we were to look at our rules at this point by typing iptables -L we would see something like this:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

While this looks like it may be complete, we still need to add a few additional rules. Let’s continue on.

Allow HTTP traffic

If you intend to host a web server you will need to include a rule to accept HTTP (port 80) traffic. Type the following rule to do this:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Note: You will still be required to install a web server such as Apache!

Drop all remaining traffic

Now we need to setup our final rule to drop all remaining traffic that is not destined for our server.

iptables -A INPUT -j DROP

Allow loopback traffic

Now that we’ve worked on the rules for our external traffic we need to allow internal loopback traffic for inter-server communication. Type the following rule to allow this:

iptables -I INPUT 1 -i lo -j ACCEPT

Check your rules

Now if we look at our rules by typing iptables -L -v you should see something similar to this:

# iptables -L -v
Chain INPUT (policy ACCEPT 355 packets, 26896 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
  323 24560 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    1    48 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www 
    0     0 DROP       all  --  any    any     anywhere             anywhere 
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy ACCEPT 372 packets, 38968 bytes)
 pkts bytes target     prot opt in     out     source               destination

Saving your rules

Now that we have a basic firewall configuration we need to go ahead and save it. The command iptables-save will save your IPtables configuration. By default it will send it to the console so we need to ‘pipe’ it to a file. Type the following to save the file to /etc/iptables.rules:

iptables-save > /etc/iptables.rules

Set your rules to apply at boot

Finally we need to make sure that our iptables rules are applied when we boot up the server. The method that Ubuntu suggests is to apply them to your interfaces file but because of the tight integration with our Control Panel we do not recommend that. Our suggested method is to create a service that applies the rules.

To create the startup service file type the following command:

nano /etc/network/if-pre-up.d/iptaload

You’ll see the nano text editor load up. Paste in the following text:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

Save the file by pressing CTRL-X, then Y and Enter.

Next we need to create a service that will run when the server is shut down. This file will save our rules so any changes we have made will be applied at next boot. Type the following to create the service file:

nano /etc/network/if-post-down.d/iptasave

Once the nano editor has appeared, paste in the following text:

#!/bin/sh
if [ -f /etc/iptables.downrules ]; then
   iptables-restore < /etc/iptables.downrules
fi
iptables-save -c > /etc/iptables.save
exit 0

Save the file as you did before.

Now we need to make sure these scripts are executable. Type the following:

chmod +x /etc/network/if-post-down.d/iptasave

chmod +x /etc/network/if-pre-up.d/iptaload

Test your setup

You may reboot your server and run iptables -L to make sure that your firewall rules applied successfully.

With all that out of the way, let’s go ahead and install Postfix! In this example I am using Ubuntu 10.04.

Installation is very easy. We’ll be using aptitude to install the software itself.

sudo aptitude install postfix telnet mailx

Note that we also install telnet and mailx as they contain several tools we’ll use to test and configure postfix.
During the installation you will be asked the general type of mail configuration:

Choose the ‘Internet Site’

You will then need to enter your main domain name (this should match the hostname).

At this stage, you can send emails from your application. The settings shown above during the postfix installation mean that the very basics are already done.

Test It

let’s conduct a quick test to see if postfix is actually sending mail. You will need to send an email to a working email address using the ‘mail’ command:

mail You@example.com

Replace the email address with one of your choosing (remember this must be a working email address).

• The output asks for the subject of the email. Once done, press enter/return.
• Next enter the subject of the email. Once done, press enter/return and then a single period (.) – the period lets mail know the body is finished.
• Finally press enter/return again to send the email (you may need to do this twice so you skip the ‘CC:’ entry.

NOTE: No confirmation is given that the email has been sent (the logs will show the details) but check the receiving email address and voila! a nice, fresh email with the subject ‘test email from yourserver.tld’.

For many people, that is all you need to send mail from your application – especially if the only emails are notifications to the site administrator. I hope the article helped you install Postfix on your Ubuntu 10.04 server.

After applying Security Update 2010-05, some users have reported PHP and MySQL problems, including an inability to connect to MySQL databases. Apple reports that the following procedure resolves the database connection issue:

1. In the Terminal type sudo nano /etc/php.ini (Terminal will ask you for your password)
2. Change: mysql.default_socket = to: mysql.default_socket = /tmp/mysql.sock
3. Press Ctrl-O, then Enter to save
4. Type sudo apachectl graceful

Note that you may need to duplicate the original install php.ini.default file, just simply copy the contents of the file and create a php.ini. (cp php.ini.default php.ini)

Tech: “Did you reboot?”
Sales: “Yeah dude, three times just like you always tell me too”

The Website Is Down!

Download

Download wget for Mac OS X (124 KB)

Install wget

For normal mac setups.

# Open Terminal: Applications/Utilitys/Terminal
# This is assuming the wget folder is in Downloads
cd Downloads
cd wget
sudo mv wget /usr/local/bin
password:
sudo mv wget.1 /usr/local/man/man1
sudo mv wgetrc /usr/local/etc
 
# Close then reopen your terminal
# Now lets test! Simply do:
wget
 
 # Output
wget: missing URL
Usage: wget [OPTION]... [URL]...
 
Try `wget --help' for more options.

This will work 99% of the time, but i have seen one case that this did not work. When calling “sudo mv wget.1 /usr/local/man/man1″ and it responds “No such file or directory” do not freak out! I have the solution for you, below is for users that received an error after trying to move the wget.1 to man1 folder.

Install wget (option 2)

For other mac setups.

# ONLY IF YOU GOT AN ERROR "No such file or directory: MAN1"
# DO NOT USE THIS IF THE CODE ABOVE WORKED AND YOU CAN USE WGET
# May need to re-download
sudo mv wget /usr/bin
password:
sudo mv wget.1 /usr/share/man/man1
sudo mv wgetrc /usr/local/etc
 
# Close then reopen your terminal
# Now lets test! Simply do:
wget
 
# Output
wget: missing URL
Usage: wget [OPTION]... [URL]...
 
Try `wget --help' for more options.

So now thats installed, what do we use it for? Well are you wanting to download my lasted version of the Winn Guestbook? You can easily download it with wget now! Let me show you how!

# Download the latest version of the Winn Grestbook (v2.2.9)
# First 'cd' to the directory you want it to download too.
wget http://winn.ws/downloads/guestbook_v2-2-9.zip
 
# done!

Works great! Leran more about using wget and other commands with this book from amazon.com: MAC OS X UNIX Toolbox: 1000+ Commands for the Mac OS X