Koozali.org: home of the SME Server

adding lines to masq

Offline louhaven

adding lines to masq
« on: August 18, 2022, 08:11:39 AM »
Hello!

I finally have the time to have a look-see at sme10.

Some of the information has come from a how-to, "how to custom template host blocking",
but because of the changes between SME 9.x and SME 10.x it doesn't seem to work.
Namely, I am unable to add 2 lines to the blocking script, and am unable to copy the script to templates-custom.
a la:
"
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cp -p /etc/e-smith/templates/etc/rc.d/init.d/masq /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Creating the new file:

vi 40DenyZombies

and exiting after adding changes in the editor:

and Expanding the template:

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
"

Can someone help me because I'd like to add 2 lines to the masq blocking code:
"
/sbin/iptables -A INPUT -p udp --dport 1:112 -j DROP
/sbin/iptables -A INPUT -p udp --dport 114:65535 -j DROP
"
to stop all inbound UDP connections save port 113, which is used by my ISP to tell if my connection is active or not.

Also I'd like to customize the nameservers used by sme to just:
"
208.67.220.220
208.67.222.222
"
as the Aussie nameservers all use DNS poisoning.

Is there something I can read or notes or something that I can get updated information on the new system?

Any/All help appreciated.

An update:

I think I fixed both issues by doing some research and going to
"
https://wiki.koozali.org/Template_Tutorial
"
to see what might have changed from SME 9 to SME 10.

issue 1:

by adding a /* to the cp -p command (it wasn't working) so it looks like this:
"
cp -p /etc/e-smith/templates/etc/rc.d/init.d/masq/* /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
"
and adding a new fragment, 40DenyZombies, editing it, and proceeding to add the new fragment, and restarting masq a la above.

issue 2:
by copying the following to the templates-custom directory and modifying the 25nameservers file
/etc/e-smith/templates/etc/resolv.conf/*
then expand-template /etc/resolv.conf

Anything anyone wants to add?

« Last Edit: August 18, 2022, 09:48:20 AM by louhaven »
----
Regards,

Louis

Offline ReetP

Re: adding lines to masq
« Reply #1 on: August 18, 2022, 09:33:03 AM »
Your template should work.

There are no real differences with masq between 9 & 10.

signal-event remoteaccess-update is a better way to expand & restart.

Grep the masq file for your new lines, and check your logs for template errors.

Pretty sure there is a page or note on the wiki for this as I have similar but can't find it.

DNS.

https://wiki.koozali.org/DB_Variables_Configuration#DNS_Cache_Forwarder_.28dnscache_.2F_dnscache.forwarder.29

Think there may be some other info there somewhere - have a search.

Quite a few of us run pi-holes with SME doing the external lookups through that.

Benefits a reduction in crap :-)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: adding lines to masq
« Reply #2 on: August 18, 2022, 09:54:41 AM »
What is your source?

Nothing has changed with the masq template.

The only change with SME 10 is that SysVinit is not the way of handling a service:
Code: [Select]
/etc/init.d/masq restart
should rather be

Code: [Select]
systemctl restart masq
InboundUDP and its child rules drop all UDP traffic going to your SME from outside, except with destination to your IP using ports you specifically define via the server-manager port redirection or that you specifically define in the configuration db for a specific service.
(see iptables -L -n -v for the active rules)
Your rule is useless and will not open what is already refused (port 113).

What service should answer there? Even if the firewall does not drop what comes in on the port, if nothing is here to answer, your ISP will not see the difference between the firewall dropping it and nothing answering.


Name servers:
Well, by default your SME does not use your ISP's DNS server but resolves your requests itself, using the root DNS servers to obtain the answer from the authoritative DNS server for the domain.
So you are less prone to DNS poisoning and a lot of issues than when using a public DNS service, where some requests will hit a denial because the authoritative server has been hit too many times by the over-used OpenDNS server (e.g. DNSBL services, to cite only one). Also, using those services you will not get results based on your location in the world but rather on the geolocation of the OpenDNS server, so you might get as answer an IP in the US while there is a mirror in Australia.

However, you can set a forwarder DNS at the end of the installation, and add one more in the Domains page of the manager.
« Last Edit: August 18, 2022, 09:58:05 AM by Jean-Philippe Pialasse »

Offline louhaven

Re: adding lines to masq
« Reply #3 on: September 02, 2022, 06:32:54 AM »

Quote

Quite a few of us run pi-holes with SME doing the external lookups through that.

Benefits a reduction in crap :-)

Hello,

I'm new here, so what is a 'pi-hole'?
----
Regards,

Louis

Offline louhaven

Re: adding lines to masq
« Reply #4 on: September 02, 2022, 06:51:49 AM »
Quote

What is your source?


trial and error ;-)

Quote

Nothing has changed with the masq template.

The only change with SME 10 is that SysVinit is not the way of handling a service:
Code: [Select]
/etc/init.d/masq restart
should rather be

Code: [Select]
systemctl restart masq

I have added this new restart code to my masq "how-to" file.

Quote

InboundUDP and its child rules drop all UDP traffic going to your SME from outside, except with destination to your IP using ports you specifically define via the server-manager port redirection or that you specifically define in the configuration db for a specific service.
(see iptables -L -n -v for the active rules)
Your rule is useless and will not open what is already refused (port 113).


I didn't know that port 113 was blocked already. Since I access the 'net via a VPN permanently now, with a static IP address,
I didn't want some script kiddie trying to get into my server with its DHCP-supplied IP address.

Quote
What service should answer there? Even if the firewall does not drop what comes in on the port, if nothing is here to answer, your ISP will not see the difference between the firewall dropping it and nothing answering.

AFAIK my ISP was sending a 'ping' on port 113, and was expecting a 'pong' in reply. Otherwise the ISP will 'drop' the connection as it appears to be not active anymore.
This was the standard with ADSL-style connections; however, with the fibre connections all the connections are programmed out of 'Melbourne', so I'm not sure if this is relevant anymore.

Quote

Name servers:
Well, by default your SME does not use your ISP's DNS server but resolves your requests itself, using the root DNS servers to obtain the answer from the authoritative DNS server for the domain.
So you are less prone to DNS poisoning and a lot of issues than when using a public DNS service, where some requests will hit a denial because the authoritative server has been hit too many times by the over-used OpenDNS server (e.g. DNSBL services, to cite only one). Also, using those services you will not get results based on your location in the world but rather on the geolocation of the OpenDNS server, so you might get as answer an IP in the US while there is a mirror in Australia.

However, you can set a forwarder DNS at the end of the installation, and add one more in the Domains page of the manager.

I always set my nameservers to 208.67.220.220 and 208.67.222.222 and # out the 'local ip' line in the template fragment. However, I have found the nameserver settings are being controlled by the info received when the dhcp-client connects to the ISP, so I am not sure if the dhcp-client info is overwriting my nameservers.
What is a forwarder DNS? And how do I add one or more domains? And what would these domains be?
Do you suggest a different nameserver(s) to the ones I am using?

I am right at the limit of my knowledge, here. (Can you tell? ;-) ..) This is where I get quite 'foggy', so any/all help is muchly appreciated.

----
Regards,

Louis

Offline Jean-Philippe Pialasse

Re: adding lines to masq
« Reply #5 on: September 02, 2022, 02:01:22 PM »
Pi-hole: search the internet.

Your sources:
You mean you ended up with this templates-custom by trial and error, without ever checking the output of iptables and seeing that port 113 is already blocked?

Again, it has always been blocked, and without any specific service, your ISP could try to connect to the port, firewall or not, and it will end up in nothingness.
Unless you install specific software to run and listen on a specific port, having this port firewalled or not changes nothing. So you can check on your "AFAIK".


Nameservers:

Setting a nameserver at the end of the configuration in the console, or in the domain panel (up to two), is the way to set a forwarder.
SME has its own server and communicates with the root DNS servers to then ask the name server in charge of the domain directly, and will not use the information sent by your ISP.
Configuring a nameserver in one of the two places described above will override the ability of SME to do so, at a cost, with collateral damage.

The two principal issues from that are:
- errors while filtering incoming email with DNSBL, as the remote DNS server will likely hit its daily maximum request count fast, considering all the people using it, and leave your server without the expected answer;
- DNS answers geolocated to the nameserver's location rather than yours, leaving you with slow browsing, as you might access the US east coast mirror of the site you want rather than the copy closer to you, which could have a great impact if you live in Australia, for example.
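The advice in Reply #2 and Reply #5 is to read the live ruleset instead of adding rules by trial and error. This added audit script is not code from the thread or from SME Server: it parses iptables-save output into chains, follows the INPUT -> InboundUDP jump described above and reports the verdict for a given inbound UDP port; the sample rules, the interface name eth1 and the accepted ports are constructed assumptions.

```python
"""Added audit helper (not from the thread or SME Server): parse iptables-save
rules, follow INPUT -> InboundUDP jumps and give the verdict for a UDP port."""
import re
from collections import defaultdict
# Constructed sample using the thread's chain names; eth1 and the accepted ports are assumptions.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p udp -j InboundUDP
-A InboundUDP -p udp -m udp --dport 1194 -j ACCEPT
-A InboundUDP -p udp -m udp --dport 500:501 -j ACCEPT
-A InboundUDP -j DROP
"""
def parse_rules(text):
    chains = defaultdict(list)  # chain name -> ordered rules (-i, -p, --dport, -j)
    for line in text.splitlines():
        m = re.match(r"-A (\S+)(.*) -j (\S+)\s*$", line)
        if not m:
            continue  # policy lines, COMMIT and comments are not rules
        chain, opts, target = m.groups()
        rule = {"target": target}
        for key, pat in (("iface", r" -i (\S+)"), ("proto", r" -p (\S+)")):
            hit = re.search(pat, opts)
            if hit:
                rule[key] = hit.group(1)
        dport = re.search(r" --dport (\d+)(?::(\d+))?", opts)
        if dport:
            lo = int(dport.group(1))
            rule["dport"] = (lo, int(dport.group(2) or lo))
        chains[chain].append(rule)
    return chains

def _walk(chains, chain, port, iface, depth=0):
    for rule in chains.get(chain, []):
        if rule.get("iface", iface) != iface or rule.get("proto", "udp") != "udp":
            continue  # other interface or protocol: cannot match this packet
        if "dport" in rule and not rule["dport"][0] <= port <= rule["dport"][1]:
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] in chains and depth < 16:  # user chain: follow jump
            verdict = _walk(chains, rule["target"], port, iface, depth + 1)
            if verdict != "RETURN":
                return verdict
    return "RETURN"  # nothing matched: back to caller, or chain policy at INPUT

def inbound_udp_verdict(rules_text, port, iface="eth1"):
    # Verdict for a UDP packet to `port` arriving on `iface`; POLICY = INPUT policy decides.
    verdict = _walk(parse_rules(rules_text), "INPUT", port, iface)
    return "POLICY" if verdict == "RETURN" else verdict
```

On a real server feed it the text of iptables-save and the name of the external interface; comparing the verdict for port 113 with and without the two proposed INPUT lines shows the point made above, that they change nothing.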