September 17

Linux: How to block a specific IP Address using UFW

The key to blocking a specific IP address with UFW is to make sure that the rule that blocks the IP address is applied before any allow rules. Because the firewall's rules are evaluated in order, the block will not come into effect if it appears at the bottom. For example, on most web servers you might expect the rules to be:


To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
443                        ALLOW       Anywhere (v6)

Therefore, to block an IP address the rules would need to be set up like this:


To                         Action      From
--                         ------      ----
Anywhere                   DENY        <ip address>
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
443                        ALLOW       Anywhere (v6)

To do this you need to insert the new deny rule at the top using the “insert” option.

sudo ufw insert 1 deny from <ip address>

To remove the block, simply delete the deny rule:

sudo ufw delete deny from <ip address>
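To confirm that a block actually sits ahead of the allow rules, the rule order can be checked from the numbered listing. The script below is an added example, not part of the original post: it assumes an IPv4 address and the layout printed by "ufw status numbered", and both listings and the address 203.0.113.7 are constructed samples.

```bash
#!/bin/bash
# Added example: check whether a UFW deny rule for an IPv4 address sits
# ahead of the allow-from-anywhere rules that would otherwise match first.
# Both listings are constructed samples in `ufw status numbered` layout.

sample_appended() {   # deny rule added without "insert 1"
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     203.0.113.7
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)
EOF
}

sample_inserted() {   # deny rule added with "ufw insert 1 deny from ..."
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     203.0.113.7
[ 2] 22                         ALLOW IN    Anywhere
[ 3] 80                         ALLOW IN    Anywhere
[ 4] 443                        ALLOW IN    Anywhere
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)
EOF
}

# check_block_order IP   (reads the numbered listing on stdin)
# Prints "effective", "shadowed by rule N" or "missing".
check_block_order() {
    # Turn "[ 4]" into "4" so the rule number becomes the first field.
    sed 's/^\[ *\([0-9]*\)\]/\1/' | awk -v ip="$1" '
        $1 ~ /^[0-9]+$/ {
            n = $1 + 0
            # First IPv4 allow rule whose source is Anywhere.
            if (!allow && $0 ~ / ALLOW / && $NF == "Anywhere") allow = n
            # First deny rule whose source is the address being checked.
            if (!deny && $0 ~ / DENY / && $NF == ip) deny = n
        }
        END {
            if (!deny) print "missing"
            else if (allow && allow < deny) print "shadowed by rule " allow
            else print "effective"
        }'
}

# Demo on the two constructed listings.
sample_appended | check_block_order 203.0.113.7   # shadowed by rule 1
sample_inserted | check_block_order 203.0.113.7   # effective
```

On a live host the same function can read the real listing: sudo ufw status numbered | check_block_order <ip address>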

By: James

August 18

Linux: Ping examples

As you already know, the ping command is used to find out whether the peer host/gateway is reachable.

If you are thinking ping is such a simple command and why do I need 15 examples, you should read the rest of the article.

The ping command provides a lot more options than you might already know.

Ping Example 1. Increase or Decrease the Time Interval Between Packets

By default ping waits for 1 second before sending the next packet. You can increase or decrease this using option -i as shown below.

Increase Ping Time Interval

Example: Wait for 5 seconds before sending the next packet.

$ ping -i 5 IP

Decrease Ping Time Interval

Example: Wait 0.1 seconds before sending the next packet.

# ping -i 0.1 IP

Note: Only the superuser can specify an interval of less than 0.2 seconds. Otherwise, you’ll get the following error message.

$ ping -i 0.1 127.0.0.1
PING 0 (127.0.0.1) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms

Ping Example 2. Check whether the local network interface is up and running

Before checking whether the peer machine is reachable, first check whether the local network interface is up and running using any one of the following 3 methods.

Ping localhost using zero (0)

This is probably the easiest and simplest way to ping the local host.

$ ping 0
PING 0 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms
^C

Ping localhost using name

$ ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.055 ms
^C
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.051/0.053/0.055/0.002 ms

Ping localhost using ip

$ ping 127.0.0.1

To quit the ping command, send the SIGINT signal by pressing CTRL+C. If you have not specified any option that makes ping exit automatically, you terminate it with CTRL+C (SIGINT), which shows the statistics and then terminates the ping process. When everything is working properly, it should say ‘0% packet loss’.

2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.051/0.053/0.055/0.002 ms

Ping Example 3. Send N packets and stop

Send N packets specified with -c option and then stop. This way the ping command can exit automatically instead of pressing CTRL+C to exit.

In the following example, ping command sends 5 packets, and waits for response from the destination host. Ping will exit after receiving the response or error.

$ ping -c 5 google.com
PING google.com (74.125.45.100) 56(84) bytes of data.
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=1 ttl=44 time=731 ms
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=2 ttl=44 time=777 ms
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=3 ttl=44 time=838 ms
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=4 ttl=44 time=976 ms
64 bytes from yx-in-f100.google.com (74.125.45.100): icmp_seq=5 ttl=44 time=1071 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4216ms
rtt min/avg/max/mdev = 731.039/879.129/1071.050/126.625 ms

Ping Example 4. Show Version and Exit

Display the current version of ping program using -V option.

$ ping -V
ping utility, iputils-sss20071127

Ping Example 5. Flood the network

Super users can send a hundred or more packets per second using the -f option. It prints a ‘.’ when a packet is sent, and a backspace when a packet is received.

As shown below, ping -f has sent more than 400,000 packets in a few seconds.

# ping -f localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
.^C
--- localhost ping statistics ---
427412 packets transmitted, 427412 received, 0% packet loss, time 10941ms
rtt min/avg/max/mdev = 0.003/0.004/1.004/0.002 ms, ipg/ewma 0.025/0.004 ms

Ping Example 6. Audible ping: Give beep when the peer is reachable

This option is useful for sysadmins during troubleshooting. There is no need for you to look at the ping output after each and every change. You can continue working with your changes, and when the remote machine becomes reachable you’ll hear the beep automatically.

$ ping -a IP

Note: It can give beep only from terminal number 1 through 7 and gnome-terminal ( It will not work in console ).

Ping Example 7. Find out the IP address

You can identify the ip-address using the host name as shown below.

$ ping -c 1 google.com
PING google.com (74.125.67.100) 56(84) bytes of data.
64 bytes from gw-in-f100.google.com (74.125.67.100): icmp_seq=1 ttl=43 time=287 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 287.903/287.903/287.903/0.000 ms

Ping Example 8. Print Only Ping Command Summary Statistics

Use option -q to view only the ping statistics summary as shown below.

$ ping -c 5 -q 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 0.047/0.053/0.061/0.009 ms

Ping Example 9. Change Ping Packet Size

You can change the packet size of ping command using -s option.

Example: Change the default packet size from 56 to 100.

$ ping -s 100 localhost
PING localhost (127.0.0.1) 100(128) bytes of data.
108 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.022 ms
108 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.021 ms
108 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.020 ms
^C
--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.020/0.021/0.022/0.000 ms

Ping Packet Size

In the above example, when we set the packet size to 100, it displays ‘128 bytes’ in the output. This is because of the ping packet header size, which is 28 bytes. So, if you specify the packet size as 100, 28 bytes for the header will be added to it and 128 bytes will be sent.

Ping Bytes Sent = Ping Packet Size + Ping Header Packet Size (28 bytes)

Ping Example 10. Timeout -w

Ping -w option specifies the deadline to terminate the ping output. This specifies the total number of seconds the ping command should send packets to the remote host.

The following example will ping for 5 seconds, i.e. the ping command will exit after 5 seconds irrespective of how many packets are sent or received.

$ ping -w 5 localhost

Note: When you specify both -w, and -c, whichever comes first will terminate the ping command.

Ping Example 11. Online ping

Ping from different locations and check the reachability (availability or time for reaching) of your server from different locations.

If you want to do an online ping, try just ping.

Ping Example 12. Option -w or -c Exits Ping

$ ping -c 4 0 -w 2
PING 0 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.060 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.058 ms

--- 0 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.058/0.060/0.064/0.009 ms
$ ping -c 4 0 -w 10
PING 0 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.063 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.060 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.055 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.061 ms

--- 0 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.055/0.059/0.063/0.009 ms

Ping Example 13. Shorter statistics with SIGQUIT

While ping is printing the individual packet status, you can use this technique to view shorter statistics.

Pressing CTRL+| (Control key followed by pipe symbol) shows the summary in between, and ping continues with its packet sending and receiving process.

$ ping -w 100 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=10 ttl=64 time=0.021 ms
64 bytes from localhost (127.0.0.1): icmp_seq=11 ttl=64 time=0.022 ms
11/11 packets, 0% loss, min/avg/ewma/max = 0.020/0.022/0.022/0.024 ms
64 bytes from localhost (127.0.0.1): icmp_seq=12 ttl=64 time=0.021 ms
64 bytes from localhost (127.0.0.1): icmp_seq=13 ttl=64 time=0.022 ms
64 bytes from localhost (127.0.0.1): icmp_seq=14 ttl=64 time=0.021 ms
64 bytes from localhost (127.0.0.1): icmp_seq=15 ttl=64 time=0.021 ms
19/19 packets, 0% loss, min/avg/ewma/max = 0.020/0.022/0.022/0.024 ms
64 bytes from localhost (127.0.0.1): icmp_seq=31 ttl=64 time=0.022 ms
64 bytes from localhost (127.0.0.1): icmp_seq=32 ttl=64 time=0.022 ms
32/32 packets, 0% loss, min/avg/ewma/max = 0.020/0.022/0.022/0.027 ms
64 bytes from localhost (127.0.0.1): icmp_seq=33 ttl=64 time=0.023 ms
..

Ping Example 14. Specify path for ping to send the packet

You can also specify through which path the ping should send the packet to destination.

$ ping hop1 hop2 hop3 .. hopN destination
$ ping 192.168.3.33 192.168.7.1 192.168.4.45

Note: If one of the hops in the path is not reachable then the ping will fail.

Ping Example 15. Record and print route of how ECHO_REQUEST sent and ECHO_REPLY received

It records, and prints the network route through which the packet is sent and received. This is useful for network engineers who wish to know how the packet is sent and received.

$ ping -R 192.168.1.63
PING 192.168.1.63 (192.168.1.63) 56(84) bytes of data.
64 bytes from 192.168.1.63: icmp_seq=1 ttl=61 time=2.05 ms
RR:     192.168.9.118
        192.168.3.25
        192.168.10.35
        192.168.1.26
        192.168.1.63
        192.168.1.63
        192.168.10.4
        192.168.3.10
        192.168.4.25
64 bytes from 192.168.1.63: icmp_seq=2 ttl=61 time=2.00 ms      (same route)

By: R. Natarajan
August 7

Linux: ZFS repair after kernel update

On occasion ZFS will no longer be properly installed after a kernel update.
If you installed ZFS with the kernel modules, the following command may repair the issue:

sudo apt-get install --reinstall zfs-dkms

August 7

Linux: eject command

NAME
eject – eject removable media

SYNOPSIS
eject -h
eject [-vnrsfmqp] [<name>]
eject [-vn] -d
eject [-vn] -a on|off|1|0 [<name>]
eject [-vn] -c slot [<name>]
eject [-vn] -i on|off|1|0 [<name>]
eject [-vn] -t [<name>]
eject [-vn] -T [<name>]
eject [-vn] -x <speed> [<name>]
eject [-vn] -X [<name>]
eject -V

DESCRIPTION
Eject allows removable media (typically a CD-ROM, floppy disk, tape, or JAZ or ZIP disk) to be ejected under software control. The command can also control some multi-disc CD-ROM changers, the auto-eject feature supported by some devices, and close the disc tray of some CD-ROM drives.

The device corresponding to <name> is ejected. The name can be a device file or mount point, either a full path or with the leading “/dev”, “/media” or “/mnt” omitted.  If  no  name  is
specified, the default name “cdrom” is used.

There are four different methods of ejecting, depending on whether the device is a CD-ROM, SCSI device, removable floppy, or tape. By default eject tries all four methods in order until
it succeeds.

If the device is currently mounted, it is unmounted before ejecting.

COMMAND-LINE OPTIONS
-h   This option causes eject to display a brief description of the command options.

-v   This makes eject run in verbose mode; more information is displayed about what the command is doing.

-d   If invoked with this option, eject lists the default device name.

-a on|1|off|0
This option controls the auto-eject mode, supported by some devices.  When enabled, the drive automatically ejects when the device is closed.

-c <slot>
With this option a CD slot can be selected from an ATAPI/IDE CD-ROM changer. Linux 2.0 or higher is required to use this feature. The CD-ROM drive can not be in use  (mounted  data
CD or playing a music CD) for a change request to work. Please also note that the first slot of the changer is referred to as 0, not 1.

-i on|1|off|0
This option controls locking of the hardware eject button. When enabled, the drive will not be ejected when the button is pressed.  This is useful when you are carrying a laptop in
a bag or case and don’t want it to eject if the button is inadvertently pressed.

-t   With this option the drive is given a CD-ROM tray close command. Not all devices support this command.

-T   With this option the drive is given a CD-ROM tray close command if it’s opened, and a CD-ROM tray eject command if it’s closed. Not all devices support  this  command,  because  it
uses the above CD-ROM tray close command.

-x <speed>
With  this  option the drive is given a CD-ROM select speed command.  The speed argument is a number indicating the desired speed (e.g. 8 for 8X speed), or 0 for maximum data rate.
Not all devices support this command and you can only specify speeds that the drive is capable of. Every time the media is changed this option is cleared. This option can  be  used
alone, or with the -t and -c options.

-X   With  this  option the CD-ROM drive will be probed to detect the available speeds. The output is a list of speeds which can be used as an argument of the -x option. This only works
with Linux 2.6.13 or higher, on previous versions solely the maximum speed will be reported. Also note that some drives may not correctly report the speed and therefore this option
does not work with them.

-n   With this option the selected device is displayed but no action is performed.

-r   This option specifies that the drive should be ejected using a CDROM eject command.

-s   This option specifies that the drive should be ejected using SCSI commands.

-f   This option specifies that the drive should be ejected using a removable floppy disk eject command.

-q   This option specifies that the drive should be ejected using a tape drive offline command.

-p   This option allows you to use /proc/mounts instead of /etc/mtab. It also passes the -n option to umount(1).

-m   This  option  allows  eject  to  work  with  device drivers which automatically mount removable media and therefore must be always mount(1)ed.  The option tells eject to not try to
unmount the given device, even if it is mounted according to /etc/mtab or /proc/mounts.

-V   This option causes eject to display the program version and exit.

LONG OPTIONS
All options have corresponding long names, as listed below. The long names can be abbreviated as long as they are unique.

-h --help
-v --verbose
-d --default
-a --auto
-c --changerslot
-t --trayclose
-T --traytoggle
-x --cdspeed
-X --listspeed
-n --noop
-r --cdrom
-s --scsi
-f --floppy
-q --tape
-V --version
-p --proc
-m --no-unmount

EXAMPLES
Eject the default device:

eject

Eject a device or mount point named cdrom:

eject cdrom

Eject using device name:

eject /dev/cdrom

Eject using mount point:

eject /mnt/cdrom/

Eject 4th IDE device:

eject hdd

Eject first SCSI device:

eject sda

Eject using SCSI partition name (e.g. a ZIP drive):

eject sda4

Select 5th disc on multi-disc changer:

eject -v -c4 /dev/cdrom

Turn on auto-eject on a SoundBlaster CD-ROM drive:

eject -a on /dev/sbpcd

EXIT STATUS
Returns 0 if operation was successful, 1 if operation failed or command syntax was not valid.

NOTES
Eject only works with devices that support one or more of the four methods of ejecting. This includes most CD-ROM drives (IDE, SCSI, and proprietary), some SCSI tape drives, JAZ drives,
ZIP  drives (parallel port, SCSI, and IDE versions), and LS120 removable floppies. Users have also reported success with floppy drives on Sun SPARC and Apple Macintosh systems. If eject
does not work, it is most likely a limitation of the kernel driver for the device and not the eject program itself.

The -r, -s, -f, and -q options allow controlling which methods are used to eject. More than one method can be specified. If none of these options are specified, it tries all four  (this
works fine in most cases).

Eject  may  not always be able to determine if the device is mounted (e.g. if it has several names). If the device name is a symbolic link, eject will follow the link and use the device
that it points to.

If eject determines that the device can have multiple partitions, it will attempt to unmount all mounted partitions of the device before ejecting. If an unmount fails, the program  will
not attempt to eject the media.

You can eject an audio CD. Some CD-ROM drives will refuse to open the tray if the drive is empty. Some devices do not support the tray close command.

If  the auto-eject feature is enabled, then the drive will always be ejected after running this command. Not all Linux kernel CD-ROM drivers support the auto-eject mode. There is no way
to find out the state of the auto-eject mode.

You need appropriate privileges to access the device files. Running as root or setuid root is required to eject some devices (e.g. SCSI devices).

The heuristic used to find a device, given a name, is as follows. If the name ends in a trailing slash, it is removed (this is to support filenames generated using shell file name completion). If the name starts with ‘.’ or ‘/’, it tries to open it as a device file or mount point. If that fails, it tries prepending ‘/dev/’, ‘/media/’, ‘/mnt/’, ‘/dev/cdroms’, ‘/dev/rdsk/’, ‘/dev/dsk/’, and finally ‘./’ to the name, until a device file or mount point is found that can be opened. The program checks /etc/mtab for mounted devices. If that fails, it also checks /etc/fstab for mount points of currently unmounted devices.

Creating symbolic links such as /dev/cdrom or /dev/zip is recommended so that eject can determine the appropriate devices using easily remembered names.

To save typing you can create a shell alias for the eject options that work for your particular setup.

AUTHOR
Eject was written by Jeff Tranter and is released under the conditions of the GNU General Public License. See the file COPYING and notes in the source code for details.

The -x option was added by Nobuyuki Tsuchimura, with thanks to Roland Krivanek and his cdrom_speed command.

The -T option was added by Sybren Stuvel, with big thanks to Benjamin Schwenk.

The -X option was added by Eric Piel.

July 31

Linux: How to write bash while-loops

You can execute a sequence of commands by writing them into a “script file” and then running the script file. A script file is simply a text file that contains a sequence of instructions that could also be executed from the command line (also known as the shell). Usually the extension “.sh” is used for script files.

Here is an example of a while loop:

#!/bin/bash
count=1
while [ $count -le 9 ]
do
    echo "$count"
    sleep 1
    (( count++ ))
done

When executed, this script file will print the numbers 1 through 9 on the screen. The while-statement gives you more flexibility for specifying the termination condition than the for-loop. For example you can make the previous script an infinite loop by omitting the increment statement “(( count++ ))”:

#!/bin/bash
count=1
while [ $count -le 9 ]
do
    echo "$count"
    sleep 1
done

The “sleep 1” statement pauses the execution for 1 second on each iteration. Use “Ctrl-C” to terminate the process.

You can also create an infinite loop by putting a colon as the condition:

#!/bin/bash
count=1
while :
do
    echo "$count"
    sleep 1
    (( count++ ))
done

In order to use multiple conditions in the while-loop you need to use the double square bracket notation:

count=1
done=0
while [[ $count -le 9 && $done == 0 ]]
do
    echo "$count"
    sleep 1
    (( count++ ))
    if [ $count == 5 ]; then done=1
    fi
done

In this script the variable “done” is initialized to 0 and then set to 1 when count reaches 5. The loop condition states that the while loop will continue as long as “count” is less than or equal to nine and “done” is equal to zero. Therefore the loop exits when count equals 5.

The “&&” means logical “and” and “||” means logical “or”.

An alternative notation for the conjunctions “and” and “or” in conditions is “-a” and “-o” with single square brackets. The above condition

[[ $count -le 9 && $done == 0 ]]

could be rewritten as

[ $count -le 9 -a $done == 0 ]

Reading a text file is typically done with a while loop. In the following example, the bash script reads the contents of a file “inventory.txt” line by line:

FILE=inventory.txt
exec 6<&0
exec < $FILE

The first line assigns the input file name to the variable “FILE”. The second line saves the “standard input” in the file descriptor “6” (it could be any value between 3 and 9). This is done so that “standard input” can be restored to file descriptor “0” at the end of the script (see statement “exec 0<&6”). In the 3rd line the input file is assigned to file descriptor “0”, which is used for standard input. The “read” statement then reads a line from the file on each iteration and assigns it to the variable “line1”.
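The listing above is cut short on this page. The following is an added example of the pattern the paragraph describes (save standard input on descriptor 6, read the file through descriptor 0, restore at the end); it is not the original post's script, and the function names and sample file contents are constructed for illustration.

```bash
#!/bin/bash
# Added example: the stdin save/redirect/restore pattern described above.
# Function names and the sample file contents are constructed.

make_sample_inventory() {
    # Constructed data; the last line deliberately lacks a trailing newline.
    printf 'apples 12\npears 3\nkiwis 7' > "$1"
}

count_lines() {
    local file=$1 line1 lines=0
    [ -r "$file" ] || return 1   # refuse before touching any descriptor
    exec 6<&0                    # save the current stdin on fd 6
    exec < "$file"               # fd 0 now reads from the file
    # IFS= and -r keep whitespace and backslashes as written; the || test
    # also processes a final line that has no trailing newline.
    while IFS= read -r line1 || [ -n "$line1" ]
    do
        lines=$(( lines + 1 ))
    done
    exec 0<&6 6<&-               # restore stdin, then close fd 6
    echo "$lines"
}

demo() {
    local tmp
    tmp=$(mktemp)
    make_sample_inventory "$tmp"
    # The piped text stands in for the script's original stdin; cat can
    # still read it after count_lines has restored fd 0.
    printf 'original stdin\n' | { count_lines "$tmp"; cat; }
    rm -f "$tmp"
}

demo
```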

In order to prematurely exit a while-loop you can use the break statement as in the following example:

count=1
done=0
while [ $count -le 9 ]
do
    echo "$count"
    sleep 1
    (( count++ ))
    if [ $count == 5 ]
    then
        break
    fi
done
echo Finished

The break statement skips program execution to the end of the while loop and executes any statements following it, in this case the statement “echo Finished”.

The continue statement on the other hand skips only the rest of the while loop statement of the current iteration and jumps directly to the next iteration:

count=1
done=0
while [ $count -le 9 ]
do
    sleep 1
    (( count++ ))
    if [ $count == 5 ]
    then
        continue
    fi
    echo "$count"
done
echo Finished

In this case the “continue” statement is executed when the variable “count” reaches 5. This means the subsequent statement (echo “$count”) is not executed on this iteration (when the value of “count” is 5).

By J. Haas
