Tag: firewall-cmd

How to install samba server on centos 7 with and without user and password

First, we must install package samba and accept all dependencies.

yum install samba -y

Create user, who can access our samba secure folder:

useradd -s /sbin/nologin user
groupadd smbgroup
usermod -a -G smbgroup user
smbpasswd -a user

Then, create a directories for samba shares. Chcon command mark our directory with label, that SELinux allows samba service to operate with this folder. Another possibility is disable SELinux, but it is not the right way 🙂

#for anonymous
mkdir -p /mnt/aaa
chmod -R 0777 /mnt/aaa
chcon -t samba_share_t /mnt/aaa -R
chown -R nobody:nobody /mnt/aaa
#for another secure user
mkdir -p /mnt/nfs/kadeco/
chmod -R 0755 /mnt/nfs/kadeco/
chcon -t samba_share_t /mnt/nfs/kadeco/ -R
chown -R user:smbgroup /mnt/nfs/kadeco/
restorecon -R /mnt/nfs/kadeco/

Edit samba config for ours anonymous and secure shares

vi /etc/samba/smb.conf
[global]
 workgroup = home
 security = user
 passdb backend = tdbsam
 printing = cups
 printcap name = cups
 load printers = yes
 cups options = raw
 map to guest = bad user
[Anonymous-aaa]
        path = /mnt/aaa
        writable = yes
        browsable = yes
        guest ok = yes
        create mode = 0777
        directory mode = 0777
[kadeco]
        path = /mnt/nfs/kadeco
        writable = yes
        browsable = yes
        guest ok = no
        valid users = user
        create mask = 0755
        directory mask = 0755
        read only = No

Now, we can see our configuration of samba by this command and test it for errors:

testparm

Next, if we use firewall, we must add some ports, or service for samba to allow:

firewall-cmd --permanent --zone=public --add-port=137/tcp
firewall-cmd --permanent --zone=public --add-port=138/tcp
firewall-cmd --permanent --zone=public --add-port=139/tcp
firewall-cmd --permanent --zone=public --add-port=445/tcp
firewall-cmd --permanent --zone=public --add-port=901/tcp
firewall-cmd --reload
or we can use simple:
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

And finally, start samba services and enable it, after reboot.

systemctl start smb.service
systemctl start nmb.service
systemctl enable smb.service
systemctl enable nmb.service

A way to restart samba services:

systemctl restart smb
systemctl restart nmb

And now we can use our samba server. Anonymous folder, or secured folder 🙂

If you want to access some folder for read from apache, just made a selinux modify:

Allow samba read/write access everywhere:

setsebool -P samba_export_all_rw 1
or if you want to be a little more descrite about it:
chcon -t public_content_rw_t /mnt/nfs/kadeco
2) setsebool -P allow_smbd_anon_write 1
3) setsebool -P allow_httpd_anon_write 1

This should allow both Samaba and Apache write access to public_content_rw_t context.

Status of samba we can list by this commands:

smbstatus -p
- show list of samba processes
smbstatus -S
- show samba shares
smbstatus -L
- show samba locks

If we need restart samba process, or restart server, we can list locked files by “smbstatus -L”. We can see, which share is locked and which specific file is accessing.

Have fun

Total Page Visits: 177030 - Today Page Visits: 28

How to create a site-to-site ipsec vpn connection

Install and enable the EPEL using Yum, with some useful software:

yum install epel-release.noarch
yum install htop dstat tcpdump

On Red Hat based Systems (CentOS, Fedora or RHEL):

yum install libreswan

Now we disable VPN redirects, if any, in the server using these commands:

for vpn in /proc/sys/net/ipv4/conf/*;
do echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
echo 0 > $vpn/rp_filter;
done

Edit /etc/ipsec.conf to debug in pluto.log

    plutostderrlog=/var/log/pluto.log
    protostack=netkey
#if using NAT, use variable below
#    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently by:

 vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Reload /etc/sysctl.conf:

 sysctl -p

Now, we customize firewall to allow ports for ipsec

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-port=4500/tcp
firewall-cmd --zone=public --add-port=50/udp --permanent
firewall-cmd --zone=public --add-port=51/udp --permanent

We don’t use masquerade, because ipsec tunnel parameters automatic enable routing in these situations. If  not working, we add masquerade, but first we must add rule for match packets for this tunnel. Like: src leftsubnet dst rightsubnet on both sides

#In some posts in world I found this code, but explanation above cancel this
#code and in my situation it not working with this
#firewall-cmd --zone=public --permanent --add-masquerade

We reload firewalld and check our rules:

firewall-cmd --reload
firewall-cmd --zone=public --list-all

Check if is ipsec OK for itself:

ipsec verify
------------
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

Now, create a configuration file for our one connection

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=%defaultroute
    leftid=192.168.201.75
    leftsubnet=192.168.201.0/24
   
    right=#public IP other side#
    rightid=192.168.202.177
    rightsubnet=192.168.202.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=start
    compress=no

And configuration file for other connection:

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=#public IP this side#
    leftid=192.168.202.177
    leftsubnet=192.168.202.0/24
    right=%any
    rightid=192.168.201.75
    rightsubnet=192.168.201.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=add
    compress=no
    keep_alive=30

Now create on both sides secrets file for PSK with your public IP:

vim /etc/ipsec.d/blava.secrets
------------------------------
%any 1.1.1.1: PSK "ahoj12345"
vim /etc/ipsec.d/blava.secrets
------------------------------
1.1.1.1 %any: PSK "ahoj12345"

Now, restart ipsec for apply configurations

systemctl restart ipsec.service

And if we are good, we must see some like this in pluto.log

 STATE_MAIN_R3: sent MR3, ISAKMP SA established
 STATE_QUICK_R2: IPsec SA established tunnel mode

Or check ipsec status:

ipsec auto --status
-------------------
Total IPsec connections: loaded 4, active 1
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 85318s
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27718s;

Some usefull commands for work with ipsec…
When we update configuration file and if we must reload one ipsec tunnel, use these step rather then restart ipsec service itself:

ipsec auto --down blava
ipsec auto --replace blava
ipsec auto --up blava

If we change secrets file and PSK, we must use too, before –up:

ipsec auto --rereadall
Total Page Visits: 177030 - Today Page Visits: 28