Linux tips
My cheat sheet of linux commands
I got myself an Ubuntu Linux Server 12.10 with 4GB RAM and a 3.4TB disk, running ext3 and ext4.
Find and show zombie process
# top
OR
# ps aux | awk '{ print $8 " " $2 }' | grep -w Z
kill process
pkill <process_app_name>
OR
kill -9 <process_id>
fdisk, df, vol_id and more
# fdisk -l
show disk usage
#df
#vol_id /dev/sda1
jfs site:
#sudo adduser <username> group
Adding user <username> to group group…
Done.
#bash:~$ groups
Shows a list of all groups you are a member of.
.
The following is an iptables firewall and router script.
you need to edit /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
This is needed to enable IPv4 forwarding.
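#!/usr/bin/env bash
#######################################
# Firewall script using iptables to
# close, open and forward traffic (log)
#
# Loads a complete filter + nat ruleset through iptables-restore.
# All three filter chains default to DROP; the only service accepted
# from the external interface is SSH on tcp/2274 (INPUT section below),
# so loading this over a remote session on any other port will cut
# that session off - run it from the console or with a scheduled
# rollback.
# Needs root, /sbin/ip, perl, /sbin/iptables-restore and
# net.ipv4.ip_forward=1 for the FORWARD/MASQUERADE rules to do anything.
#######################################
set -euo pipefail

# Print a message to stderr and abort before any rule is loaded.
die() { printf '%s\n' "$*" >&2; exit 1; }

# External (Internet-facing) interface
readonly EXTIF="eth1"
# External IP address (automatically detected from the first 'inet' line)
EXTIP=$(/sbin/ip addr show dev "$EXTIF" | perl -lne 'if(/inet (\S+)/){print$1;last}') \
  || die "cannot read the address of $EXTIF"
# An empty EXTIP would leave '-d'/'-s' without an argument in the ruleset
# below and iptables-restore would refuse the whole load - fail early instead.
[[ -n "$EXTIP" ]] || die "no IPv4 address found on $EXTIF"
# 'ip addr' prints the prefix length after the address (<addr>/<len>); keep
# only the host address so the '-d $EXTIP' rules match this host, not the
# whole external subnet.
EXTIP=${EXTIP%%/*}
readonly EXTIP
# Internal interface
readonly INTIF="eth0"
# Internal IP address (in CIDR notation)
readonly INTIP="192.168.0.1/32"
#INTIP2=$(/sbin/ip addr show dev "$INTIF" | perl -lne 'if(/inet (\S+)/){print$1;last}');
# Internal network address (in CIDR notation)
readonly INTNET="192.168.0.0/24"
# The address of anything/everything (in CIDR notation)
readonly UNIVERSE="0.0.0.0/0"
# Logging rate limit per second and burst size (used by the LOG rules)
readonly LOGLIMIT="2/s"
readonly LOGLIMITBURST="10"

printf 'External: [Interface=%s] [IP=%s]\n' "$EXTIF" "$EXTIP"
printf 'Internal: [Interface=%s] [IP=%s] [Network:%s]\n' "$INTIF" "$INTIP" "$INTNET"
#echo "Internal: [Interface=$INTIF] [IP=$INTIP2]"
echo
#echo -n "Loading rules..."

###################################################
# Only edit below this line if you are sure what
# each iptables command does. Lines starting with
# '#' inside the here-document are ignored by
# iptables-restore; shell variables are expanded.
###################################################
/sbin/iptables-restore <<EOF || die "iptables-restore failed; ruleset not loaded"
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
###################################################
# INPUT: Incoming traffic from various interfaces #
###################################################
# Loopback interface is valid
-A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Internal interface is valid (this accepts everything arriving on INTIF,
# so the more specific rule right after it never matches)
-A INPUT -i $INTIF -j ACCEPT
# Local interface, local machines, going anywhere is valid
-A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# Remote interface, claiming to be local machines, IP spoofing, get lost
-A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT
# External interface, from any source, for ICMP traffic is valid
#-A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in.
-A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal interface, DHCP traffic accepted
#-A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
#-A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# External interface, HTTP/HTTPS traffic allowed
#-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
#-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT
# External interface LOG tcp traffic...
# NOTE: LOG is non-terminating and this rule sits before the SSH ACCEPT
# below, so new SSH connections are logged with the "LOGDROP_TCP" prefix
# as well, even though they are accepted. Rate-limited by LOGLIMIT/BURST.
-A INPUT -i $EXTIF -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "LOGDROP_TCP: "
# External interface, SSH traffic allowed
-A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 2274 -j ACCEPT
# Accept port 1234 to be forwarded (this rule needs to correspond with PREROUTING rules in NAT table)
#-A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Catch-all rule, reject anything else
-A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
###########################
# LOGGING - named LOGDROP
###########################
#-N LOGDROP
#-A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "LOGDROP_ICMP: "
#-A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "LOGDROP_TCP: "
#-A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "LOGDROP_UDP: "
#-A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "LOGDROP_FRAG: "
#-A LOGDROP -j DROP
# ENABLE LOG
#-A INPUT -p icmp -i $EXTIF -j LOGDROP
#-A INPUT -p tcp -i $EXTIF -j LOGDROP
####################################################
# OUTPUT: Outgoing traffic from various interfaces #
####################################################
# Workaround bug in netfilter
#-A OUTPUT -m conntrack -p icmp --ctstate INVALID -j DROP
# Loopback interface is valid.
-A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Internal interface is valid
-A OUTPUT -o $INTIF -j ACCEPT
# Local interfaces, any source going to local net is valid
-A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, MASQ server source going to the local net is valid
-A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
-A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT
# anything else outgoing on remote interface is valid
-A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Internal interface, DHCP traffic accepted
#-A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
#-A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
# Catch all rule, all other outgoing is denied (no LOG rule precedes it).
-A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
# Accept solicited tcp packets
-A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow packets across the internal interface
-A FORWARD -i $INTIF -o $INTIF -j ACCEPT
# Forward packets from the internal network to the Internet
-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch-all REJECT rule
-A FORWARD -j REJECT
COMMIT
###########################
# Address translations (only; there is no actual forwarding done here)
###########################
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ----- Begin OPTIONAL FORWARD Section -----
#Optionally forward incoming tcp connections on port 1234 to 192.168.0.100
#-A PREROUTING -p tcp -d $EXTIP --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234
# ----- End OPTIONAL FORWARD Section -----
# IP-Masquerade
-A POSTROUTING -o $EXTIF -j MASQUERADE
COMMIT
EOF
printf ' done.\n'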