Wednesday, July 24, 2019

Qemu: How To transfer file from host to guest using Qemu-nbd

In the last post we saw how to transfer files by mounting an image with libguestfs-tools. This method uses a native client called qemu-nbd instead. Make sure qemu-utils is installed; if not, run

apt-get install qemu-utils

After installing, first run

sudo modprobe nbd max_part=8

This command loads the nbd module and tells the kernel that we will manage up to eight partitions. To mount the image, we first need to connect it to the network block device (NBD) driver.

sudo qemu-nbd --connect=/dev/nbd0 hq.qcow2

Now check the partitions of the device /dev/nbd0

sudo fdisk /dev/nbd0 -l

This command lists the partitions in the image. Now we can mount a partition of the image using the mount command.

sudo mount /dev/nbd0p1  /mnt

To unmount the image, run

sudo umount /mnt
sudo qemu-nbd --disconnect /dev/nbd0

With these commands you can modify the contents of your image. If you are mounting a Linux distro image, make sure you modify only the home folder and nothing else; otherwise you will corrupt your image.
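The qemu-nbd steps above combined into one script, as an added example that is not part of the original post. It refuses to touch an image that another process (for example a running qemu) has open and always disconnects on exit; the helper name image_in_use, the partition /dev/nbd0p1, the /mnt mount point, the explicit --format=qcow2 and the nosuid,nodev mount options are assumptions of this example.

```shell
#!/bin/sh
# Added example: copy one file into a qcow2 image through qemu-nbd.
# NBD_DEV, PART and MNT are assumptions; adjust them to the fdisk output.
NBD_DEV=/dev/nbd0
PART=/dev/nbd0p1
MNT=/mnt

# image_in_use IMAGE: return 0 if any process has IMAGE open, 1 if none.
# Scans /proc/<pid>/fd; run as root to see other users' processes.
image_in_use() {
    target=$(readlink -f "$1") || return 2
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] && return 0
    done
    return 1
}

# Undo the mount and the NBD attachment; safe to call more than once.
cleanup() {
    mountpoint -q "$MNT" && umount "$MNT"
    qemu-nbd --disconnect "$NBD_DEV" >/dev/null 2>&1
}

# copy_into_image IMAGE SRC DEST: DEST is a path relative to the guest root.
copy_into_image() {
    image=$1; src=$2; dest=$3
    if image_in_use "$image"; then
        echo "refusing: $image is open in another process" >&2
        return 1
    fi
    modprobe nbd max_part=8 || return 1
    trap cleanup EXIT INT TERM
    # Name the format explicitly instead of letting qemu-nbd probe it.
    qemu-nbd --format=qcow2 --connect="$NBD_DEV" "$image" || return 1
    # The partition node can appear slightly after the connect returns.
    i=0
    while [ ! -b "$PART" ] && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    [ -b "$PART" ] || { echo "no $PART in image" >&2; return 1; }
    # nosuid,nodev: ignore setuid bits and device nodes stored in the guest.
    mount -o nosuid,nodev "$PART" "$MNT" || return 1
    cp -- "$src" "$MNT/$dest" && sync
}

# Runs only when called as root with three arguments: IMAGE SRC DEST.
if [ "$#" -eq 3 ]; then
    copy_into_image "$1" "$2" "$3"
fi
```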

QEMU: How to transfer files from Host to Guest

In VirtualBox, files can be transferred from host to guest and vice versa using the Guest Additions. QEMU has a way to transfer files too. First install libguestfs-tools.

apt-get install libguestfs-tools

The libguestfs-tools package contains two important programs, guestmount and guestunmount. To mount an image, say one in qcow2 format, run

guestmount -a hd.qcow2 -m /dev/sda /mnt/dir

-a hd.qcow2: this option must be followed by an image file.
-m /dev/sda: the disk layout your image file has. If you don't know it, just type a random disk number and it will give you the layout of the image file.
/mnt/dir: the mount point of your image.

Now you can transfer your files. To unmount, run

guestunmount  /mnt/dir

IMPORTANT: Never mount an image when qemu is running. It will corrupt the image.


Tuesday, July 23, 2019

HOW-TO: QEMU

There are many popular virtualization programs in the wild, such as VirtualBox, VMware, etc. But there is another one that is native to Linux and open source: QEMU. It can also emulate hardware-level virtualization.
To install qemu, run the following command

apt-get install qemu

Make sure you install qemu-system-gui; otherwise you will be left without a GUI and you will only see

VNC server started at 127.0.0.1:5869

Make sure you have also installed the libsdl-dev and libconsole packages. If you don't want a GUI, uninstall the qemu-system-gui package and install gvncviewer.

apt-get install gvncviewer

To run gvncviewer use the following command

/usr/bin/gvncviewer localhost ::1:5869

First we need to create a virtual hard disk file. The native format for qemu is a raw file, but if you have more disk space then it is recommended to use the qcow2 format. To create a virtual image we use the qemu-img command.

qemu-img create -f qcow2 hd.qcow2 1G

If you use .img for your image, qemu will give a warning about explicitly specifying a format.
-f qcow2: create an image in the qcow2 format
1G: the file must be 1 GB in size

To run your virtual OS, use qemu-system-i386 if your system is 32 bit and qemu-system-x86_64 if it is 64 bit.

For example, to run FreeDOS

qemu-system-i386 -m 512 -cpu host -enable-kvm -hda hd.qcow2 -cdrom freedos.iso -boot order=d

-m 512: use ram of 512 MB
-cpu host: Emulate host cpu
-boot order=d: boot from cdrom

After you have installed your virtual OS, run

qemu-system-i386 -m 512 -cpu host -enable-kvm hd.qcow2

That's it; you can now use your virtual OS.



 

Sunday, July 21, 2019

HOW TO: Iptables rules for Debian Linux Desktop

Iptables rules follow a distinct hierarchy

Tables ---------> Chains  ----------> Rules

For a desktop the default table is filter; it contains three chains: INPUT, FORWARD and OUTPUT. The INPUT chain is for incoming connections and the OUTPUT chain is for outgoing connections. For a strict policy, deny input, output and forwarded packets by default and then allow only the ports that are needed.

Another important point is that you have to allow certain ICMP messages. Many tutorials tell you to drop ICMP altogether, but it is unwise to do so. There are three ICMP messages one must allow:
  1. Ping
  2. Destination unreachable and
  3. Time exceeded
Ping is a diagnostic tool that helps to check whether the network is working or not. If you are worried about ping of death or anything similar, you can always limit how many ICMP packets you receive.

The state module has been deprecated in favour of the conntrack module. The ctstate match has five states, plus the two virtual states SNAT and DNAT:

INVALID meaning that the packet is associated with no known connection

ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions

NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions

RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

UNTRACKED: The packet is not tracked at all, which happens if you explicitly untrack it by using -j CT --notrack in the raw table. If a packet is marked within the raw table with the NOTRACK target, then that packet will show up as UNTRACKED in the state machine. This also means that all RELATED connections will not be seen, so some caution must be taken when dealing with UNTRACKED connections, since the state machine will not be able to see related ICMP messages et cetera.

SNAT: A virtual state, matching if the original source address differs from the reply destination.

DNAT: A virtual state, matching if the original destination differs from the reply source.

INPUT chain policy

iptables -P INPUT DROP 

Drop new TCP connections that do not have the SYN bit set in the packet header

iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 

Accepting localhost connections, established and related connections, and new TCP connections within a rate limit

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 30 -j ACCEPT

Dropping spoofed packets that arrive from the internet

iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

Dropping packets with invalid flag bits set

iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
 

Dropping Null scan

 iptables -A INPUT  -p tcp --tcp-flags ALL NONE -j DROP   

Dropping Xmas Scan

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP


Dropping Fragments

iptables -A INPUT -f -j DROP

Dropping Fin scan

iptables -A INPUT -p tcp --tcp-flags  ALL FIN -j DROP  
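How the --tcp-flags MASK COMP test decides a match, as an added example that is not part of the original post: it evaluates only the flag rules above, in page order, against a few constructed flag sets. The function names and rule labels are made up for this example; the MASK and COMP values are the ones on this page.

```shell
# Added example: "--tcp-flags MASK COMP" matching for the page's flag rules.
# Header bit values: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.

# flag_bits "SYN,ACK" prints 18; ALL prints 63; NONE prints 0.
flag_bits() {
    bits=0
    old_ifs=$IFS; IFS=,
    for name in $1; do
        case $name in
            FIN) bits=$((bits | 1)) ;;
            SYN) bits=$((bits | 2)) ;;
            RST) bits=$((bits | 4)) ;;
            PSH) bits=$((bits | 8)) ;;
            ACK) bits=$((bits | 16)) ;;
            URG) bits=$((bits | 32)) ;;
            ALL) bits=63 ;;
            NONE) bits=0 ;;
            *) IFS=$old_ifs; return 2 ;;
        esac
    done
    IFS=$old_ifs
    echo "$bits"
}

# tcp_flags_match MASK COMP PKT: succeeds when, of the flags listed in MASK,
# exactly those listed in COMP are set in the packet's flag set PKT.
tcp_flags_match() {
    m=$(flag_bits "$1") && c=$(flag_bits "$2") && p=$(flag_bits "$3") || return 2
    [ $((p & m)) -eq "$c" ]
}

# first_drop PKT: label of the first rule that would drop PKT, or "pass".
# Labels are hypothetical names; each line is "MASK COMP label".
first_drop() {
    while read -r mask comp label; do
        [ -n "$mask" ] || continue
        if tcp_flags_match "$mask" "$comp" "$1"; then
            echo "$label"; return 0
        fi
    done <<'EOF'
ALL ACK,RST,SYN,FIN four-flags
SYN,FIN SYN,FIN syn-fin
SYN,RST SYN,RST syn-rst
FIN,RST FIN,RST fin-rst
ACK,FIN FIN fin-no-ack
ACK,PSH PSH psh-no-ack
ACK,URG URG urg-no-ack
ALL NONE null-scan
ALL ALL xmas-all
ALL SYN,RST,ACK,FIN,URG xmas-no-psh
ALL FIN,PSH,URG xmas-fin-psh-urg
ALL FIN fin-scan
EOF
    echo pass
}

# Constructed flag sets: a normal SYN, a normal close, three scan patterns.
for pkt in SYN ACK,FIN NONE FIN FIN,PSH,URG; do
    printf '%-12s -> %s\n' "$pkt" "$(first_drop "$pkt")"
done
```

FIN and FIN,PSH,URG both report fin-no-ack: the earlier ACK,FIN FIN rule already drops them, so the later FIN scan rule and the third Xmas rule never see those packets.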

Dropping UDP packets whose length is too small

iptables -A INPUT -p udp -m length --length 0:28 -j DROP

Limit ICMP, accept certain message types and drop the rest

iptables -A INPUT -p icmp -m limit --limit 1/second --limit-burst 5 -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp -j DROP 

Drop Invalid Packets and log them

iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID-INPUT: " --log-level 7
iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
 

FORWARD POLICY

iptables -P FORWARD  DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

OUTPUT POLICY

iptables -P OUTPUT   DROP

Accepting Localhost and internet  

iptables -A OUTPUT -o lo  -j ACCEPT 
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

Allowing certain ICMP message types and dropping the rest

iptables -A OUTPUT  -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A OUTPUT  -p icmp -j DROP

Logging and dropping invalid output packets

iptables -A OUTPUT  -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG  --log-prefix "INVALID-OUTPUT: " --log-level 7
iptables -A OUTPUT  -m conntrack --ctstate INVALID,UNTRACKED -j DROP 


After all this you have to save your rules, otherwise they will be gone after you reboot your computer. To do this you must first have the iptables-persistent package installed on your computer. To save the rules run

iptables-save > /etc/iptables.conf

To reload your rules on the next boot, add the following line to /etc/network/interfaces after the lo section

pre-up iptables-restore < /etc/iptables.conf

and save the file.

Iptables Logs

By default all the logs are in /var/log/kern.log. To log to a different file you must have rsyslog installed. Go to the folder /etc/rsyslog.d and create a file called iptables.conf, and at the same time create a folder called iptables in /var/log and in it create two files, one for input and the other for output.

:msg, contains, "INVALID-INPUT: " /var/log/iptables/Input.log
& stop
:msg, contains, "INVALID-OUTPUT: " /var/log/iptables/output.log
& stop

Then run service rsyslog restart as root. Now all invalid packets will be logged in these two files.
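A small triage helper for these two log files, as an added example rather than part of the original post: it counts logged packets per direction, source address, protocol and destination port. The function names and the sample lines are constructed for illustration; the field layout assumed is the kernel LOG target's usual SRC=, PROTO= and DPT= fields.

```shell
# Added example: summarise iptables LOG lines that carry the page's prefixes.
# sample_log prints constructed, shortened kernel log lines (documentation IPs).
sample_log() {
    cat <<'EOF'
Jul 21 10:15:01 desk kernel: [ 101.10] INVALID-INPUT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT=443 DPT=51514 ACK RST
Jul 21 10:15:31 desk kernel: [ 131.20] INVALID-INPUT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT=443 DPT=51514 ACK RST
Jul 21 10:16:02 desk kernel: [ 162.30] INVALID-INPUT: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=56 TTL=60 PROTO=ICMP TYPE=3 CODE=3
Jul 21 10:16:40 desk kernel: [ 200.40] usb 1-1: new high-speed USB device number 4
Jul 21 10:17:05 desk kernel: [ 225.50] INVALID-OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=40 TTL=64 PROTO=TCP SPT=51514 DPT=443 RST
EOF
}

# summarize_invalid: read log lines on stdin and print
# "COUNT DIRECTION SRC PROTO DPT", highest count first ("-" = field absent).
# SRC is taken from the packet itself, so it can be a spoofed address.
summarize_invalid() {
    awk '
    match($0, /INVALID-(INPUT|OUTPUT): /) {
        # "INVALID-" is 8 characters and the trailing ": " is 2.
        dir = substr($0, RSTART + 8, RLENGTH - 10)
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[dir " " src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# On a real system: summarize_invalid < /var/log/kern.log
sample_log | summarize_invalid
```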




Tuesday, May 29, 2018

Flatpak Basic commands

Flatpak is a packaging format similar to exe files in Windows. With Flatpak we don't have to hunt down libraries or go through compilation nightmares. Apart from Flatpak there are also AppImage and Ubuntu Snap. So we will see some basic commands.

i. First install flatpak for Debian.

apt-get install flatpak

ii. To install apps we first have to add a repository called flathub.

flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo

iii. Before installing an app we have to install runtimes. Runtimes are the basic libraries that an app needs to run. The available runtimes come from freedesktop.org, GNOME and KDE.

flatpak install flathub org.freedesktop.Platform
flatpak install flathub org.gnome.Platform
flatpak install flathub org.kde.Platform

For GNOME and KDE it will ask which version to install; always make sure you install the latest version. If you wish, also install the SDKs

flatpak install flathub org.freedesktop.Sdk
flatpak install flathub org.gnome.Sdk
flatpak install flathub org.kde.Sdk 

See Flatpak available Runtimes

iv. To list the apps in the remote directory

flatpak remote-ls  flathub

v. To list the apps installed in your system

flatpak list  --app

v[a]. To list the runtimes installed in your system

flatpak  list  --runtime

vi. To install an app, for example VLC

flatpak install flathub org.videolan.VLC

vii. To uninstall an app

flatpak uninstall org.videolan.VLC

viii. To update the apps

flatpak update

Flatpak command reference 

Saturday, May 12, 2018

Arch Linux Installation: What other web tutorials won't tell you.

Hey folks

If you are faithful to my blog you should know by now that I'm a great fan of Debian, Slackware and OpenSuse. When I started Linux I tried a bunch of distros before settling into Debian, and this cycle would start and end again. This past week I wanted to try Arch Linux. I heard it was tougher than Slackware; to people who still think Slackware is tough, let's just say they haven't tried Gentoo, and by the way Slackware is more straightforward than Arch is. So I read some tutorials on the web about installing Arch Linux and here is what I found out.

0. Arch has a Rolling release model so download and use it at your own risk.
1. Download Arch linux iso
2. Create a bootable CD or USB drive.
3. Boot the installation.
4. Ping 8.8.8.8  [ or any random site you know]
5. If not run dhcpcd 

I don't know if it's a problem with Arch; every time I rebooted for a retry [yeah, long story] I had to reboot my modem router to get the internet working. The same problem occurred in Manjaro as well. Also make sure you have a wired connection, not wifi; we don't need to get frustrated now, do we?

5. So rebooting your modem may help you a bit.
6. Ping again; if it works, great, let's move on, shall we
7. Run timedatectl status
8. Run timedatectl set-ntp true
9. Now we need to partition our hard drive. If you are a beginner use cfdisk;
 even if you are not a beginner you can use cfdisk without getting judged.
Run the command cfdisk; you can set your partitions and write the partition table.

If you want to know the list of all partitions run fdisk -l 

10. Format our partition.: mkfs.ext4 /dev/sdaX  [X=1,2,3...]
11. mkswap  /dev/sdaX  [X=1,2,....]
12. swapon  /dev/sdaX  [X=1,2,....]
13. mount /dev/sdaX   /mnt

Right now you should run the command pacman -Sy
For those who don't know, pacman is the package manager for Arch Linux, just like apt-get, dpkg or slackpkg. This command will update the package database. It will solve issues with package integrity.
 
14. run pacstrap  /mnt base base-devel

Depending on your internet connection it will take a while. It will install all the basic packages you need. 

15. Create fstab: genfstab /mnt >> /mnt/etc/fstab, then check it with cat /mnt/etc/fstab

16. you need to chroot into your installed environment. run arch-chroot  /mnt

17.  edit /etc/locale.gen  run nano /etc/locale.gen  uncomment the necessary locales and run locale-gen

17.i. in /etc/locale.conf add the following line  LANG=en_US.UTF-8


18. run hwclock --systohc --utc

19. Make sure you are in correct time zone. for a list of time zones run  
 ls /usr/share/zoneinfo and run  
ln -sf /usr/share/zoneinfo/Region/City  /etc/localtime
this resulted in error telling me the file already exists
20. Create hostname in /etc/hostname run
                  echo hostname >> /etc/hostname

21. Install bootloader.

pacman  -S  grub os-prober fuse2

after installing run  grub-mkconfig -o /boot/grub/grub.cfg

grub-install /dev/sda

Install fuse2 if you are dual booting. It will detect Windows. Also make sure you have enabled the boot flag on the Windows boot partition [for Win 7 or later].

22. Enable dhcpcd. systemctl enable dhcpcd

23.a set root passwd by running command passwd
If you forgot to set the root passwd it is not the end of the world; it will let you log in automatically by entering your username, i.e. root.
23. exit, umount /mnt, systemctl reboot 

24. After booting  you will be  in root shell. you now proceed to install GUI.

25. after you booted for the first time run
pacman -Syu 
pacman-key --init
pacman-key --populate archlinux
 The tutorials won't mention this step. But it is required to initialize the keyring.
25. Install Xorg: pacman -S xorg

I later installed xfce4 including vlc, firefox, etc. and for the life of me I couldn't correctly configure the display manager, which led to a successful failure [operation success but the patient is dead]. After a while I gave up on configuring the display manager in Arch and abandoned it. You just can't sit two days in a row and not have a fully functional system. So I again went back to Debian. Now I'm running Stretch. It's pretty smooth. I was reading about the debootstrap method of installing Debian and I'm reminded that the Arch Linux installation is kind of like debootstrap. I think I'll give it another shot another time after thoroughly reading about configuring display managers.

Sunday, May 6, 2018

Thought: Candle and Candidate

Candles and Candidates have things  in common

one: Both have the same root word - cand

Two: A candle's purpose is to glow, to shine, to give light in the darkness
and a candidate's purpose is to glow in his success and to give light in the dark world [be a more positive influence in the world ]

Three: Both can be replaced.

candle (s) (noun), candles (pl)
1. A molded piece of wax, tallow, or other fatty substance, usually cylindrical in shape, encasing a wick that is burned to provide light: Before the days of gas and electricity, candles were the main sources of light at night.
2. A unit of luminous intensity, defined as a fraction of the luminous intensity of a group of 45 carbon-filament lamps; used from 1909 to 1948 as the international standard.
3. Etymology: from Old English candel, early church-word borrowing from Latin candela, "a light, a torch"; from candere, "to shine". Candles were unknown in ancient Greece where oil lamps were used, but they were common from early times among Romans and Etruscans.

candidate (s) (noun), candidates (pl)
1. A person who seeks to run for a political office: The conservative candidate promised to eliminate high taxes while the liberal candidate said he would strive to eliminate unemployment.
2. Etymology: from Latin candidus, "white" and candidatus, "clothed in white" from the white togas, which were long, shining, white cloaks that were worn by Romans who were seeking political offices. 
When a man ran for public office in ancient Rome, he obtained a toga which was a long, shining, white cloak.
With this "shining white" outfit, the candidate stood out in a crowd and the people might have considered him to be associated with purity and goodness because of the symbolism of the garment.



