Wednesday, July 24, 2019

Converting proprietary formats to native formats in qemu

VirtualBox stores its images in the VDI format and VMware in VMDK. To convert such an image to qcow2 (or raw), use the following command:

qemu-img convert -f vdi file.vdi -O qcow2 file.qcow2

The -O option specifies the output format and -f the input format. Naming the input format explicitly is good practice: without it qemu-img probes the file's contents to guess the format.

The formats supported by qemu are:
  1. raw
  2. cloop
  3. cow [only on windows]
  4. qcow
  5. qcow2 [has many advantages, highly recommended]
  6. vmdk
  7. vdi
  8. vhdx
  9. vpc
  10. bochs
  11. dmg
  12. nbd
  13. parallels
  14. vvfat
Remember that you can only convert images between these formats.
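As an added illustration (not part of the original post), this Python snippet decodes the qcow2 header that qemu-img looks at when it identifies an image, and flags the one field worth checking before converting an image you did not create yourself: the backing-file path, since qemu opens that host path as well when it reads the image. The field layout follows the qcow2 specification; the sample image is constructed inline and is not a real disk.

```python
import struct

QCOW2_MAGIC = 0x514649FB  # the bytes "QFI\xfb" at offset 0 of every qcow2 image


def parse_qcow2_header(data: bytes) -> dict:
    """Decode the fixed big-endian qcow2 header and the backing-file path it points at."""
    if len(data) < 72:
        raise ValueError("too short to be a qcow2 image")
    # Field order per the qcow2 spec: magic, version, backing_file_offset,
    # backing_file_size, cluster_bits, size (virtual disk bytes), crypt_method.
    (magic, version, backing_off, backing_len, cluster_bits,
     size, crypt_method) = struct.unpack(">IIQIIQI", data[:36])
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image (bad magic)")
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    backing = None
    if backing_off:
        # qemu caps the path at 1023 bytes; also refuse offsets past the data we hold.
        if backing_len > 1023 or backing_off + backing_len > len(data):
            raise ValueError("backing file path out of bounds")
        backing = data[backing_off:backing_off + backing_len].decode("utf-8", "replace")
    return {
        "version": version,
        "virtual_size": size,
        "cluster_size": 1 << cluster_bits,
        "backing_file": backing,
        "encrypted": crypt_method != 0,
    }


def safe_to_convert(data: bytes) -> bool:
    """Defender's check before running `qemu-img convert` on a foreign image:
    a backing-file path in the header makes qemu open that host path too."""
    return parse_qcow2_header(data)["backing_file"] is None


def build_sample_image(backing: bytes = b"") -> bytes:
    """Constructed sample (not a real disk): version-3 header only, 1 GiB virtual
    size, 64 KiB clusters, optional backing path stored right after the header."""
    header_len = 104  # size of the version-3 header
    backing_off = header_len if backing else 0
    fixed = struct.pack(">IIQIIQI", QCOW2_MAGIC, 3, backing_off, len(backing), 16, 1 << 30, 0)
    return fixed + b"\x00" * (header_len - len(fixed)) + backing
```

qemu-img info prints the same backing file field; reading the header yourself lets you refuse the image before any qemu tool opens it.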


Qemu: How To transfer file from host to guest using Qemu-nbd

In the last post we saw how to transfer files using guestfs-tools to mount an image. In this method we use a native client, qemu-nbd, to transfer files. Make sure qemu-utils is installed; if not, run

apt-get install qemu-utils

After installing first run

sudo modprobe nbd max_part=8

This command loads the nbd module and tells the kernel we will manage up to eight partitions per device. To mount, we first need to connect the image to the network block device (nbd) driver.

sudo qemu-nbd --connect=/dev/nbd0 hq.qcow2

Now check the partitions of the device /dev/nbd0:

sudo fdisk /dev/nbd0 -l

This command lists the partitions in the image. Now we can mount a partition using the mount command.

sudo mount /dev/nbd0p1  /mnt

To unmount the image, run

sudo umount  /mnt
sudo qemu-nbd  --disconnect /dev/nbd0

With this you can modify the contents of your image. If you are mounting a Linux distro image, make sure you modify only the home folder and nothing else, otherwise it will corrupt your image.

QEMU: How to transfer files from Host to Guest

In VirtualBox there is a way to transfer files between host and guest using the guest additions. In qemu there is a way too. First install libguestfs-tools.

apt-get install libguestfs-tools

The libguestfs-tools package contains two important programs, guestmount and guestunmount. To mount an image, say one in qcow2 format, run

guestmount -a hd.qcow2 -m /dev/sda /mnt/dir

-a hd.qcow2: this option must be followed by an image file.
-m /dev/sda: the disk or partition inside the image to mount. If you don't know the layout, just give any disk name and guestmount will print the layout of the image file.
/mnt/dir: the mount point of your image.

Now you can transfer your files. To unmount, run

guestunmount  /mnt/dir

IMPORTANT: Never mount an image while qemu is running it. It will corrupt the image.


Tuesday, July 23, 2019

HOW-TO: QEMU

There is a lot of popular virtualization software in the wild, such as VirtualBox, VMware, etc. But there is another virtualization tool that is native to Linux and open source: QEMU. It can also emulate hardware at the system level.
To install qemu run the following command

apt-get install qemu

Make sure you install qemu-system-gui, otherwise you will be left without a GUI and will only see

VNC server started at 127.0.0.1:5869

Make sure you have also installed the libsdl-dev and libconsole packages. If you don't want a GUI, uninstall the qemu-system-gui package and install gvncviewer instead.

apt-get install gvncviewer

To run gvncviewer use the following command

/usr/bin/gvncviewer localhost ::1:5869

First we need to create a virtual hard disk file. QEMU's native format is a raw file; if disk space allows, the qcow2 format is recommended. To create a virtual image we use the qemu-img command.

qemu-img create -f qcow2 hd.qcow2 1G

If you give the image a .img extension without stating a format, qemu will warn that you should specify the format explicitly.
-f qcow2: create an image in the qcow2 format
1G: the image must be 1 GB in size

To run your virtual OS, use qemu-system-i386 if the guest system is 32-bit and qemu-system-x86_64 if it is 64-bit.

For example, to run FreeDOS:

qemu-system-i386 -m 512 -cpu host -enable-kvm -hda hd.qcow2 -cdrom freedos.iso -boot order=d

-m 512: give the guest 512 MB of RAM
-cpu host: expose the host CPU model to the guest
-boot order=d: boot from the CD-ROM

After you have installed your virtual OS, run

qemu-system-i386 -m 512 -cpu host -enable-kvm -hda hd.qcow2

That's it; you can now use your virtual OS.



 

Sunday, July 21, 2019

HOW TO: Iptables rules for Debian Linux Desktop

Iptables rules follow a distinct hierarchy:

Tables ---------> Chains  ----------> Rules

On a desktop, the default table, filter, is the one that matters. It contains three chains, INPUT, FORWARD and OUTPUT: the INPUT chain handles incoming connections and the OUTPUT chain outgoing ones. For a strict policy, deny input, output and forwarded packets by default and then explicitly allow the ports that should be open.

Another important point is that certain ICMP message types must be allowed. Many tutorials tell you to drop ICMP altogether, but that is unwise. There are three ICMP message types one must allow:
  1. Ping (echo request and reply)
  2. Destination unreachable
  3. Time exceeded
Ping is a diagnostic tool that checks whether the network is working. If you are worried about a ping of death or similar, you can always rate-limit how many ICMP packets you accept.

The state module has been deprecated in favour of the conntrack module. The ctstate match accepts the following states:

INVALID meaning that the packet is associated with no known connection

ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions

NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions

RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

UNTRACKED: The packet is not tracked at all, which happens if you explicitly untrack it with -j CT --notrack in the raw table. If a packet is marked with the NOTRACK target in the raw table, it will show up as UNTRACKED in the state machine. This also means that RELATED connections will not be seen, so some caution is needed when dealing with UNTRACKED connections, since the state machine cannot see related ICMP messages et cetera.

SNAT: A virtual state, matching if the original source address differs from the reply destination.

DNAT: A virtual state, matching if the original destination differs from the reply source.

INPUT chain policy

iptables -P INPUT DROP 

Drop packets that claim to start a new connection but do not have the SYN bit set in the TCP header:

iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 

Accepting localhost connections as well as established and related connections:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Accept new incoming TCP connections, rate-limited to 60 per second with a burst of 30. Note that as written this accepts a new connection on any port; for a strict desktop policy, restrict it to the services you actually run by adding --dport.

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 30 -j ACCEPT

Dropping spoofed packets that arrive from the internet with private, loopback, multicast or reserved addresses. If your desktop itself sits on a private LAN (for example a 192.168.x.x home network), these rules will also drop your own LAN traffic, so restrict them to the internet-facing interface with -i.

iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

Dropping packets with invalid TCP flag combinations

iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
 

Dropping Null scan

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Dropping Xmas Scan

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP


Dropping Fragments

iptables -A INPUT -f -j DROP

Dropping Fin scan

iptables -A INPUT -p tcp --tcp-flags  ALL FIN -j DROP  
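To see what the --tcp-flags rules above actually match, here is an added Python model (not from the original post) of the match semantics: the first argument is the mask of flags iptables examines, and the second is the set of those flags that must be set, with every other flag in the mask clear. The rule list is transcribed from the INPUT chain above in the same order.

```python
# TCP flag bits as laid out in the TCP header; names match the iptables keywords.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def flagset(spec: str) -> int:
    """Turn an iptables flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= TCP_FLAGS[name]
    return mask


def tcp_flags_match(packet_flags: int, mask: str, comp: str) -> bool:
    """--tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP must be set."""
    return (packet_flags & flagset(mask)) == flagset(comp)


# The flag DROP rules from the INPUT chain above, in page order, as (mask, comp).
DROP_RULES = [
    ("ALL", "ACK,RST,SYN,FIN"), ("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"),
    ("FIN,RST", "FIN,RST"), ("ACK,FIN", "FIN"), ("ACK,PSH", "PSH"), ("ACK,URG", "URG"),
    ("ALL", "NONE"),                      # null scan
    ("ALL", "ALL"), ("ALL", "SYN,RST,ACK,FIN,URG"), ("ALL", "FIN,PSH,URG"),  # xmas
    ("ALL", "FIN"),                       # fin scan
]


def first_matching_rule(packet_flags: int):
    """Index of the first DROP rule the packet hits (chains are evaluated in order),
    or None if the packet passes all flag rules."""
    for i, (mask, comp) in enumerate(DROP_RULES):
        if tcp_flags_match(packet_flags, mask, comp):
            return i
    return None
```

Walking the rules in order shows that the later scan rules are partly shadowed: a bare FIN or a FIN,PSH,URG packet is already dropped by the "ACK,FIN FIN" rule, and an all-flags packet by the "SYN,FIN SYN,FIN" rule, so those dedicated scan rules mostly serve readability.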

Dropping UDP packets whose length is too small (an IP header plus a UDP header is already 28 bytes)

iptables -A INPUT -p udp -m length --length 0:28 -j DROP

Limit ICMP and accept certain protocols and drop rest of them

iptables -A INPUT -p icmp -m limit --limit 1/second --limit-burst 5 -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp -j DROP 

Drop Invalid Packets and log them

iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID-INPUT: " --log-level 7
iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
 

FORWARD POLICY

iptables -P FORWARD  DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

OUTPUT POLICY

iptables -P OUTPUT   DROP

Accepting Localhost and internet  

iptables -A OUTPUT -o lo  -j ACCEPT 
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

Allowing certain icmp protocols and rejecting rest of them 

iptables -A OUTPUT  -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A OUTPUT  -p icmp -j DROP

Logging Invalid Output and rejecting Invalid packets

iptables -A OUTPUT  -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG  --log-prefix "INVALID-OUTPUT: " --log-level 7
iptables -A OUTPUT  -m conntrack --ctstate INVALID,UNTRACKED -j DROP 


After all this you have to save your rules, otherwise they will be gone after you reboot your computer. To do this you must first have the iptables-persistent package installed. To save the rules run

iptables-save > /etc/iptables.conf

To reload your rules on the next boot, add the following line to /etc/network/interfaces inside the iface stanza of your network interface, after the lo section:

pre-up iptables-restore < /etc/iptables.conf

and save the file. 

Iptables Logs

 

By default all the log lines go to /var/log/kern.log. To log to a different file you must have rsyslog installed. Go to the folder /etc/rsyslog.d and create a file called iptables.conf, and at the same time create a folder /var/log/iptables and in it two files, one for input and one for output. Put the following in iptables.conf (the property-based filter needs a comma after contains):

:msg, contains, "INVALID-INPUT: " /var/log/iptables/input.log
:msg, contains, "INVALID-OUTPUT: " /var/log/iptables/output.log

& stop

Then run service rsyslog restart as root. Now all invalid packets will be logged in these two files.
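Once the LOG lines land in a file, the next step is to read them. As an added example (not from the original post), this Python snippet parses the kernel's LOG output, whatever --log-prefix you chose, and counts drops per prefix, source address, protocol and destination port. The log lines are constructed for this example and use documentation addresses.

```python
import re
from collections import Counter

# A LOG target line carries the prefix, then space-separated KEY=VALUE fields
# (bare flag words such as DF, ACK or RST carry no value and are skipped).
_PREFIX_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[A-Za-z-]+): (?P<rest>IN=.*)$")
_FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")

SAMPLE_KERN_LOG = [  # constructed for this example; not real traffic
    "Jul 21 10:00:01 desk kernel: [  120.000001] INVALID-INPUT: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Jul 21 10:00:02 desk kernel: [  121.000002] INVALID-INPUT: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Jul 21 10:00:03 desk kernel: [  122.000003] INVALID-OUTPUT: IN= OUT=eth0 "
    "SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=51000 DPT=53 LEN=40",
    "Jul 21 10:00:04 desk kernel: [  123.000004] usb 1-1: new high-speed USB device number 2",
]


def parse_log_line(line: str):
    """Return (prefix, fields) for an iptables LOG line, or None for any other kernel line."""
    m = _PREFIX_RE.search(line)
    if not m:
        return None
    fields = {f.group("key"): f.group("val") for f in _FIELD_RE.finditer(m.group("rest"))}
    return m.group("prefix"), fields


def summarize(lines):
    """Count logged packets per (prefix, source address, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        counts[(prefix, f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_KERN_LOG).most_common():
        print(n, key)
```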



