I use a very simple home network system using sshd and scp. Basically I have sshd running on all 4 home computers and then I use /etc/hosts to list the IP addresses and hostnames of each computer. I then use /etc/hosts.allow to allow the sshd daemon access to my base network address, so that I can log in to accounts I know the password for from any computer on the network.
Being as tcp_wrappers has been deprecated, can anyone suggest anything as simple as what I am doing to replace what I presently have?
Philosophy is looking for a black cat in a dark room. Metaphysics is looking for a black cat in a dark room that isn't there. Religion is looking for a black cat in a dark room that isn't there and shouting "I found it!". Science is looking for a black cat in a dark room with a flashlight.
For my own, I've replaced tcp_wrappers by ufw (for my needs iptables is rather overkill)...
The following rules are enough for me (my local network is 192.18.2.0/24):
[Iggy ~]% sudo ufw status
Status: active
To Action From
-- ------ ----
Anywhere ALLOW 192.168.2.0/24
SSH ALLOW Anywhere
Anywhere ALLOW 212.27.38.253
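The original poster's hosts.allow setup only let sshd accept connections from the home network, so when moving to ufw it is worth checking that no ALLOW rule widens that. The following added example (not code from the thread) parses `ufw status` output like the listing above and reports every ALLOW rule that would admit SSH from outside an assumed LAN of 192.168.2.0/24; the sample output is constructed from the reply above.

```python
import ipaddress
import re

# Constructed sample: the `ufw status` output quoted in the reply above.
UFW_STATUS = """\
Status: active
To Action From
-- ------ ----
Anywhere ALLOW 192.168.2.0/24
SSH ALLOW Anywhere
Anywhere ALLOW 212.27.38.253
"""

RULE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY|REJECT|LIMIT)\s+(\S+)$")


def parse_ufw_status(text):
    """Return (to, action, from) tuples for each rule line of `ufw status`.

    Header lines ("Status: active", "To Action From", "-- ------ ----") do not
    match the pattern and are skipped; IPv6 rows such as "Anywhere (v6)" contain
    a space and are skipped too, since this check only reasons about IPv4.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groups())
    return rules


def ssh_sources_outside(rules, lan):
    """List ALLOW rules that admit SSH from a source not contained in `lan`.

    A 'To' of "Anywhere" covers port 22 as well, and a 'From' of "Anywhere" is
    treated as 0.0.0.0/0. This mirrors the hosts.allow intent from the first post:
    sshd reachable only from the home network.
    """
    lan_net = ipaddress.ip_network(lan)
    offenders = []
    for to, action, src in rules:
        if action != "ALLOW" or to not in ("SSH", "22", "22/tcp", "Anywhere"):
            continue
        src_net = ipaddress.ip_network("0.0.0.0/0" if src == "Anywhere" else src, strict=False)
        if not src_net.subnet_of(lan_net):
            offenders.append((to, action, src))
    return offenders


if __name__ == "__main__":
    for rule in ssh_sources_outside(parse_ufw_status(UFW_STATUS), "192.168.2.0/24"):
        print("SSH reachable from outside the LAN via rule:", " ".join(rule))
```

Run against the reply's ruleset it flags "SSH ALLOW Anywhere" and the single external host, while the LAN-only rule passes.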
If you use ufw, you automatically use iptables (it's a dependency of ufw). Check iptables -nvL and you'll see. But you are right, ufw is quite nice, especially for beginners.
If you use ufw, you automatically use iptables (it's a dependency of ufw).
Yes, I know. I wanted to say that it's overkill for me to play directly with iptables syntax, as ufw is far more convenient.
Alright, so ufw seems to be the weapon of choice to replace tcp_wrappers.
Before removing tcp_wrappers, my /etc/hosts.allow file was empty, and /etc/hosts.deny had only one thing in it, like "ALL:ALL".
It turns out I had previously installed gufw, a GTK GUI front-end for ufw (the CLI wrapper for iptables), and now it is all starting to make sense!
Gufw is super simple to use. This is what the tcp_wrappers' default functionality (as determined in the hosts.{allow/deny} files) looks like when replaced with Gufw:
You can also use kcm-ufw in KDE if you don't have Gnome/GTK.
It's all pretty straightforward and there's no need to mess with configuration files or terminal commands.
Now, let me make sure that it's working. There must be some location where iptables (manipulated through ufw, which is manipulated by gufw) reads its configuration. Let's find it...
The configuration file is located here: /etc/conf.d/iptables.
Mine looks like this:
# Configuration for iptables rules
IPTABLES_CONF=/etc/iptables/iptables.rules
IP6TABLES_CONF=/etc/iptables/ip6tables.rules
# Enable IP forwarding (both IPv4 and IPv6)
# NOTE: this is not the recommended way to do this, and is supported only for
# backward compatibility. Instead, use /etc/sysctl.conf and set the following
# options:
# * net.ipv4.ip_forward=1
# * net.ipv6.conf.default.forwarding=1
# * net.ipv6.conf.all.forwarding=1
#IPTABLES_FORWARD=0
Hmmm, after changing the "incoming" setting to "allow", my configuration file still looks the same:
# Configuration for iptables rules
IPTABLES_CONF=/etc/iptables/iptables.rules
IP6TABLES_CONF=/etc/iptables/ip6tables.rules
# Enable IP forwarding (both IPv4 and IPv6)
# NOTE: this is not the recommended way to do this, and is supported only for
# backward compatibility. Instead, use /etc/sysctl.conf and set the following
# options:
# * net.ipv4.ip_forward=1
# * net.ipv6.conf.default.forwarding=1
# * net.ipv6.conf.all.forwarding=1
#IPTABLES_FORWARD=0
I wonder where the settings are applied. Both of the .rules files are non-existent still, by the way. Anyone know?
EDIT 8/31/2013 3:08pm: A simple execution of `locate .rules | grep ufw` will show you all the .rules files on your system.
Last edited by trusktr (2013-08-31 22:08:00)
joe@trusktr.io - joe at true skater dot io.
I wonder where the settings are applied. Both of the .rules files are non-existent still, by the way. Anyone know?
Check the /lib/ufw/ directory.