I have been working hard here in the background getting rid of all of my hosting accounts and consolidating everything into one (relatively) easy to manage VPS or Virtual Private Server which I got for cheap from the guys (and presumably girls) at ThrustVPS who seem to be running  tight ship, I don’t have any stats on uptime or that so far; but everything has gone smoothly. And when they say instant setup, they mean it.

Thats enough of plugging someone else’s company for now… not that I have my own to run… yet. I have managed so far to implement a custom firewall that suits my needs quite nicely, my own email system, the general webserver / mySQL server etc… and all seems to be running very smoothly for such a cheap box, I do intend however to document all of the install processes I have gone through to get this far, and if your really nice, I might even share my custom backup script with y’all.

Anyways, I just said I would pop on and give a quick update before I get to bed for work.

Some of the things you should probably have already if you want to get the best out of Linux Firewalls is…

• A comfortable familiarity with the distribution of Linux you wish to use.
• Basic understanding of how networks communicate.
• Reasonable understanding of how TCP works (ie. the three way handshake)
• Reasonable understanding of how UDP works
• A system to test this stuff on, if you don’t have a system to test this stuff out on, you could always set up a few virtual machines using VirtualBox or VMWare.
• A will to learn about this kind of stuff

Missing any one of these things (except the will to learn, thats pretty important) probably isn’t going to be a huge deal, but if your missing a lot of them, you might struggle a bit with some of the concepts.

Here is a sample of one of the basic Linux Firewall scripts that I have adapted from the book…

#!/bin/sh
 
#Port and IP addresses changed to protect the innocent.
 
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
 
### Flush existing rules and settings. Set to default drop.
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -X
#$IPTABLES -t nat -F
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
#$IPTABLES -P FORWARD DROP
 
### Load the connection tracking modules. Not going to bother with NAT
echo "[+] Loading conntrack support..."
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
 
### Input Chain
echo "[+] Setting up INPUT chain..."
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
### Allowing Broadcasts
$IPTABLES -A INPUT -d 255.255.255.255 -j ACCEPT
$IPTABLES -A INPUT -d x.x.x.x -j ACCEPT #Replace the x's with your network's broadcast address
 
### Anti-spoofing measures
#$IPTABLES -A INPUT -i eth0 -j LOG --log-prefix "SPOOFED PKT "
#$IPTABLES -A INPUT -i eth0 -j DROP
 
### Accept rules...
$IPTABLES -A INPUT -i lo -j ACCEPT #All local connections
$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT #Webserver
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT #SSHd
$IPTABLES -A INPUT -i eth0 -p tcp --dport 1000 --syn -m state --state NEW -j ACCEPT #Webmin
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #Accept Ping's
 
### Output Chain
echo "[+] Setting up OUTPUT chain - Allowing all!"
$IPTABLES -A OUTPUT -j ACCEPT
 
### Forward Chain
echo "[+] Setting up FORWARD chain - Nothing to do."
$IPTABLES -A FORWARD -j LOG --log-prefix "DROP FORWARD " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -j DROP

I hope that this impromptu book review is of at least some help to you.

Side Note: The bold bits in the posting are for a little test that I  am doing on keyword density… I’ll let you all know how it goes.

sudo adduser teamspeak

Fill in the questions presented by the adduser application.

sudo usermod -s /bin/false teamspeak

The above command will change the users shell to be /bin/false ie. no shell. Now it is time to go and get Teamspeak… visit http://www.goteamspeak.com and find the correct package for the architecture you wish to use ie. Teamspeak_3.0.0-Beta5-32bit…

wget http://ftp.4players.de/pub/hosted/ts3/releases/beta-5/teamspeak3-server_linux-x86-3.0.0-beta5.tar.gz tar -zxvf teamspeak3-server_linux-x86-3.0.0-beta5.tar.gz

Now its time to move the new TS3 directory to its new home…

sudo mv ./teamspeak3-server_linux-x86-3.0.0-beta5 /opt/TS3 sudo chown -R teamspeak /opt/TS3

The above will place TS3 in /opt/TS3 and give ownership of the contents to the user teamspeak. It is now possible to run Teamspeak, however as veteran Teamspeak users will know, the first time you run the Teamspeak server you are presented with a username/password combo that cannot be recovered without resetting the server. In TS3 you will also be presented with a `token` (all of this is described in the Teamspeak documentation). So for the first run, the following command will allow you to gather these details, they should be noted carefully for future reference.

sudo start-stop-daemon –chuid teamspeak –chdir /opt/TS3 –start –exec /opt/TS3/ts3server_linux_x86

From this, you should see the serveradmin user and password. You can now ^C that and be returned to the normal shell, if you cat /opt/TS3/logs/* you will be presented with the token you require to obtain server-admin status on the new server. The last part is to create a script for /etc/init.d/ to launch Teamspeak each time the system is booted to the correct runlevel. /etc/init.d/skeleton provides a suitable framework for this, here is the script I am using, just about… NOTE: WordPress does not want to format this correctly for me, as such, here is a link to the file in a tar archive. If you follow these instructions and are running a 32bit server, the following file will work out of the box. /etc/init.d/teamspeak This file must then be made executable with

sudo chmod +x /etc/init.d/teamspeak

And finally, the init file must be symlinked to each of the runlevel start dirs using the following…

sudo ln -s ../init.d/teamspeak /etc/rc0.d/K21teamspeak sudo ln -s ../init.d/teamspeak /etc/rc1.d/K21teamspeak sudo ln -s ../init.d/teamspeak /etc/rc2.d/S21teamspeak sudo ln -s ../init.d/teamspeak /etc/rc3.d/S21teamspeak sudo ln -s ../init.d/teamspeak /etc/rc4.d/S21teamspeak sudo ln -s ../init.d/teamspeak /etc/rc5.d/S21teamspeak sudo ln -s ../init.d/teamspeak /etc/rc6.d/K21teamspeak

Viola, you should now have a working Teamspeak 3 server.

BOOTNOTE:

For my initial install, and for the basis of the majority of this, I used this as a reference. Items listed in bold with ** are most likely not the correct file names for the command, I am not close to my server or an available shell to pull the correct parameters at present, but I will update ASAP. As an additional side note, my first impressions of TS3 are very good… It has tons of new features, looks good and the voice quality is very good indeed. My only concern is however the permissions system is very bulky, difficult to understand, and unless you are reasonably familiar with administering a Teamspeak server already, the documentation is not as straight forward as people believe. Still, however, a great job. Well done Teamspeak 3 development team!

UPDATE: Fixed formatting issue, kinda… provided link to pastebin.

UPDATE: Fixed information regarding server executable. Added /etc/init.d/teamspeak file, available for download here, removed pastebin link.

#! /bin/sh
### BEGIN INIT INFO
# Provides:          teamspeak
# Required-Start:    networking
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      S 0 1 6
# Short-Description: TeamSpeak Server Daemon
# Description:       Starts/Stops/Restarts the TeamSpeak Server Daemon
### END INIT INFO

set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="TeamSpeak Server"
NAME=teamspeak
USER=teamspeak
DIR=/opt/tss2_rc2
DAEMON=$DIR/server_linux
#PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

d_start() {
        start-stop-daemon --start --quiet \
                --chuid $USER \
                --chdir $DIR \
                --exec $DAEMON \
                > /dev/null \
                || echo -n " already running"
}

d_stop() {
        start-stop-daemon --stop --quiet \
                --chuid $USER \
                --chdir $DIR \
                --exec $DAEMON \
                || echo -n " not running"
}

case "$1" in
  start)
        echo -n "Starting $DESC: $NAME"
        d_start
        echo "."
        ;;
  stop)
        echo -n "Stopping $DESC: $NAME"
        d_stop
        echo "."
        ;;
  restart|force-reload)
        echo -n "Restarting $DESC: $NAME"
        d_stop
        sleep 15
        d_start
        echo "."
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

exit 0