mum

familylink

I don’t spend as much time on Facebook as I used to. And so it’s been a while since I went to the familylink app to update things. I clicked on it today, and noticed a funny thing. I was no longer on Facebook and it wanted me to log in to a totally different site. So I clicked on the familylink app link in the Facebook bookmarks pane. Now, they wanted permission to use (steal) my email address (thanks for exposing that Facebook). I said NO, and then they tried to be sneaky and get me to update my personal info, which included my email address. I entered my name, and skipped the email, then they wanted permission to pull info from Facebook. It was then that I realized I was no longer on Facebook (again). I promptly went to ‘authorized apps’ on Facebook, removed the familylink app, and gave them a 1-star rating. I don’t need another site to keep track of, I don’t like giving out my email address, and I wish they would go back to being a real Facebook app where I can see all my relatives that are on Facebook. Thanks Familylink. Thanks for making a pile of poop.

No comments

relevant

After a quiet month, I’m making up for lost time. I just got my new issue of Relevant Magazine, which is my favorite magazine. Ok, so it’s the only one I’m subscribed to. My cousin hooked me on the Relevant Podcast a while back, and while I haven’t caught every episode (or should that be webisode?), it’s always entertaining, engaging, challenging, and many other -ings. The magazine is cool, but the website takes it to a whole new level above that, and I just discovered (possibly my favorite) a really cool section of their site: The Drop. Now, they mention this on the podcast all the time, but I’ve never bothered to actually go see what the hubbub is all about. Free music that doesn’t smell, that’s what it is all about. You should go check it out. Now. Hurry, it might disappear. Probably not, but you should go. Quickly. They also happen to be featuring Seabird right now, which is one of my current favorite bands.

Jesusmas 2009

It’s really easy to forget what Christmas is all about, so the title is an extra reminder. We had a great Christmas, and while I got some really nice gifts, my dad had one of those moments again. He said, “we need to be thankful for friends and family, that’s what’s really important, not all the material stuff.” Don’t know if I can really expand on that too much, but I just want to take a moment to mention some of the ‘important’ things I’m thankful for before I post some pictures of all the presents and such. I’m thankful for my wife, and my parents, and my sister, and my cousins (all of them, even Afton…). I’m thankful for the little girl that’s on the way, and I’m thankful for my friends, at work, at church, and anywhere else. And I’m thankful for Scooter, Roo, and Oliver.

Now that I’ve gone all serious on you, there’s some completely unserious pictures and one of Amanda at seventeen weeks along (she’s in week twenty now) in the gallery.

girl

It’s a girl! And not a puppy this time. As mentioned before, due in late May. The ‘awesome’ ultrasound machine was broken today, but we still got to see some pretty neat things. She was sucking on her fingers for a bit, and yawned several times. We got to see her little heart pumping away at 153 beats per minute, and even were able to see the four chambers of her heart. It was incredible the amount of detail that could be seen, even with ‘old technology.’ The scanned images are over in the gallery.

review

A couple of my cousins posted their Christmas letters on their blogs, so I figured I’d follow suit, sort of. I actually put together a little photo collage that we sent out this year, but in case you didn’t get one (sorry), here it is:

Christmas Collage 2009

For more details, you can of course read back through my blog posts for the year. The side project I started, God Impact, is going quite well also. I’ve only missed one day (except for yesterday, when I forgot to hit the publish button).

We’ve also had a lot of exciting things happening at our church, and there’s a little info over at www.glendiveag.org.

work

Seems a lot of my posts lately have been about stuff I’ve been doing at work. This one is going to follow in that tradition, even if it is Christmas. Maybe I’ll write something about Christmas later too…

At any rate, my assistant (not a secretary) left last week for greener (maybe bluer is proper here) pastures at Miles Community College. We’ll miss him dearly (I already do, it gets lonely on the IT Island). As such, we’re hiring. If you’re looking for a job working with computers, maybe this will be a Christmas present for you. If you’re interested, go to http://dawson.edu/faculty_staff/Employment.asp and send in the required application materials.

static, but not

If you ever wondered if an interface with a DHCP-obtained address can also have static aliases assigned to it, stop wondering. It can. That said, some (probably most) firewall distributions don’t allow setting aliases if your external IP is obtained via DHCP. I’m looking at you, IPCop. I thought maybe my ISP was the only one that did this to provide static IP addresses to its customers, but AT&T also does it, as I’m sure others do too, since I’ve seen a few posts on how to set up such a beast for firewall purposes. Because my beloved IPCop wasn’t up to the task, I ended up using a vanilla install of Ubuntu server, and I used webmin to set up the firewall using iptables. I detailed that process in the post Wall.

direction

In case you’ve ever wondered how to figure out which type of port your traffic is using (source/destination) for the purposes of setting up iptables (with or without webmin), here’s a little help.

The truth of the matter is that it varies depending on the type of traffic, but you typically want to set the port as a destination port when you’re doing something like port forwarding. Here’s an example of what’s going on for http traffic: a client computer doesn’t start its connection on port 80, it chooses a random, high-numbered port to open the connection on its side, so the source port could be 10843. The connection is going to port 80 on the server, since that’s what the server is listening on (unless you’re using a non-standard http port), so 80 is your destination port. This isn’t true for all types of traffic though, which confused me a bit this last week when setting up my firewall from scratch on an Ubuntu server. For something like ntp, the client actually starts its request on port 123 (source), and ends up at 123 on the ntp server (destination). So for ntp, you could theoretically set a firewall rule that used 123 as the source port instead of destination port, and it would work, but doing so for port 80 for http traffic will not. Regarding the ntp port, I believe this is also why you can’t run the ntpdate command (a one time synchronization) when the ntp service is running. Both the client and server use the same port on both ends of the communication.

forwarding

This is about using webmin to administer a firewall/router on Ubuntu Server 9.10. If you’ve already done everything in Wall, then there are two parts to forwarding any port to a machine behind your router. We are operating under the assumption that eth1 is your external interface, and eth0 is your internal one.

First, you need to make a rule under the ‘filter’ IPtable in the INPUT section to allow the traffic in, since it isn’t established or related to any current connections.

The rule should look something like this if you only have one IP address attached to your router’s external interface (see Static, but Not for a little more information on using IP aliases on your external interface):

Accept if protocol is TCP and input interface is eth1 and destination port is 80

Then go to the ‘nat’ IPtable, and add a corresponding rule that will look like this in the PREROUTING section:

Destination NAT if protocol is TCP and input interface is eth1 and destination port is 80

If you have multiple IP addresses on your external interface, simply add a condition for destination address that contains your external IP (in both the ‘filter’ rule, and the ‘nat’ rule). Destination NAT (or DNAT) rules are a little tricky (at least for me they were), so here’s a bit more guidance on that:

Action to take = Destination NAT

Under IPs and ports for DNAT, set IP range to the internal/private address of the machine that should receive the traffic you are forwarding (leave the ‘to’ field blank)

Destination address = the external IP address being forwarded

Incoming interface = your external interface (eth1 for me)

Network protocol in our example was TCP

Destination TCP or UDP port = 80

If you have all those set, you can create the rule, and Apply Configuration. Repeat, and rinse. If the whole destination/source port thing confuses you, see Direction.

wall

Ever wondered how to set up a firewall using Ubuntu Server edition? No? Then you’ll be pretty bored, so I suggest you stop reading now.

If you answered yes, keep going. For my purposes, I’ve used the webmin firewall section, mostly to avoid learning iptables, or even something like shorewall. This was written using version 9.10, although the process should be quite similar to other versions of Ubuntu.

The exact setup I’m going for here is a device that does NAT, and blocks all incoming connections that aren’t established or related. In another post, I’ll talk a bit about port forwarding, and some things to be aware of there. Both of the machines I’m using have eth1 as the outgoing interface, and eth0 as the internal connection (going to a switch, or a WAP, or another computer with a private network address).

You should already have your external and internal interfaces connected and configured, and the box you are setting up as the ‘router’ should be able to ping google.com, and any internal networked devices/computers.

The first thing that needs to happen, is that we need to enable ipv4 forwarding.

Log in on the command line and edit the file /etc/sysctl.conf. Find where it says ‘to enable packet forwarding for IPv4’, and uncomment the line below it. Also enable the one for IPv6 if you need it. Save the file, then run this:

sysctl -p

Now we’re ready to install webmin from here. I usually use wget, dpkg, and then aptitude like so:

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.490_all.deb   # download the webmin package
aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl   # its dependencies first, so dpkg doesn't complain
dpkg -i webmin_1.490_all.deb   # install the package

You can then connect to webmin via https://yourserver:10000. Log in as root, or with an account that can sudo (like the one you created during the Ubuntu setup process).

Navigate to Networking->Linux Firewall

The first time, it will ask you to set the base rules, choose ‘Allow all traffic’ and Activate at Boot, then Setup Firewall. Then Apply Configuration on the next page. Don’t worry, we’ll lock it down a bit shortly.

Where it says Showing IPtable, there should be three options; the first one we are concerned with is Network Address Translation (nat).

We need one rule here, and it belongs under POSTROUTING. It should be set to Masquerade if output interface is eth1 (your external nic).

Apply the Configuration, and you should now be able to ping google.com from a computer behind the Ubuntu router.

If you’re still with me, now we’re going to lock things down a bit. Go back to the Packet filtering IPtable, and create these rules under INPUT:

Accept if input interface is eth0 (your internal nic)

Accept if input interface is lo (local interface)

Accept if input interface is eth1 (external) and state of connection is ESTABLISHED or RELATED

Be absolutely sure you have your internal and external interface straight before this next step. As a safety net, be sure you can either access the console directly, or have an ssh session already established, just in case. Then set Drop as the default action for INPUT, and press Apply Configuration.

If you did it right, you can still ping google.com from anywhere on your network and you’re done. If you did it wrong and can’t access the router anymore, hopefully you have that ssh session still open. Open /etc/iptables.up.rules with nano or vim and change :INPUT DROP [0:0] to :INPUT ACCEPT [0:0] under the *filter section. Then run this: iptables-apply /etc/iptables.up.rules and go back and figure out what you did wrong above. If you would like to continue and do port forwarding, see Forwarding.
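Here is the same setup written out as the iptables-restore file that the webmin rules from Wall and Forwarding produce, as an added example rather than anything from the original posts; the interface names follow the posts (eth1 external, eth0 internal), while the forwarded port, external alias and internal host passed to gen_rules are constructed sample values.

```shell
#!/bin/sh
# Added example: print an iptables-restore rules file equivalent to the webmin
# rules from "Wall" and "Forwarding". Interface names follow the posts.
EXT_IF="${EXT_IF:-eth1}"   # external nic
INT_IF="${INT_IF:-eth0}"   # internal nic

# dnat_match PROTO PORT [EXT_IP]: the match clause shared by the filter and nat
# rules for one forwarded port. The service port is a *destination* port (see
# "Direction"): the client picks a random high source port, so a --sport match
# would never fire. EXT_IP pins the rule to one alias when eth1 carries several.
dnat_match() {
  printf -- '-i %s -p %s --dport %s' "$EXT_IF" "$1" "$2"
  [ -n "$3" ] && printf -- ' -d %s' "$3"
  printf '\n'
}

# gen_rules PROTO PORT INT_IP [EXT_IP]: the whole rules file, nat table first.
gen_rules() {
  m=$(dnat_match "$1" "$2" "$4")
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# "Forwarding": rewrite the destination to the internal host
-A PREROUTING $m -j DNAT --to-destination $3
# "Wall": hide the private network behind the external address
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
# "Wall" ends with default-deny on INPUT; recovery is to change this to ACCEPT
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $INT_IF -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# The INPUT rule from "Forwarding". DNATed packets actually traverse FORWARD,
# not INPUT, and by then they carry the internal address, so once FORWARD is
# also set to DROP it is the rule below (matching the internal host) that counts.
-A INPUT $m -j ACCEPT
-A FORWARD -i $EXT_IF -p $1 -d $3 --dport $2 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: forward TCP 80 on alias 203.0.113.5 to a private web host.
gen_rules tcp 80 192.168.1.10 203.0.113.5
```

Redirect the output to /etc/iptables.up.rules and load it with iptables-apply as in the recovery step above, keeping that ssh session open until you have confirmed you can still reach the router.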