
What is 127.0.0.1?

127.0.0.1 is the standard IP address used for a loopback network connection.

This means that if you try to connect to 127.0.0.1, you are immediately looped back to your own machine: the packets never leave the host. If you telnet, ftp, etc. to 127.0.0.1, you are connected to your own machine.

In other words, 127.0.0.1 is you.

For example, if your system was named "hostname", and you attempted to telnet to 127.0.0.1, you would see:

# telnet 127.0.0.1
Trying 127.0.0.1...
Connected to hostname
Escape character is '^]'.

Another name for 127.0.0.1 is localhost.

Although 127.0.0.1 is the most commonly used address for localhost, any address in the 127.0.0.0/8 range (127.0.0.1 through 127.255.255.254) is a loopback address and behaves the same way, as does ::1 for IPv6. Because loopback traffic never leaves the host, a service bound only to 127.0.0.1 cannot be reached from other machines; it is still reachable by every local process, so binding to loopback is not a substitute for authentication.
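The fact that the whole 127.0.0.0/8 block is loopback matters as soon as software filters destination addresses, for example to stop a server-side fetch from reaching services that listen only on the local machine. The following is an added example, not code from the original post: a check built on Python's ipaddress module that recognises every loopback spelling, shown beside the naive string comparison many filters start with. The sample inputs are constructed; which short forms such as 127.1 or 0177.0.0.1 the inet_aton fallback accepts depends on the platform's C library.

```python
import ipaddress
import socket


def normalize_ip(host: str):
    """Return an IPv4Address/IPv6Address for an address literal, or None.

    ipaddress handles dotted-quad IPv4 and IPv6 text. As a fallback the string
    is handed to the C library's inet_aton, which (like curl, wget and most
    libc resolvers) also accepts the classic short, octal and decimal forms
    such as "127.1", "0177.0.0.1" and "2130706433"; exactly which of those are
    accepted depends on the platform's libc.
    """
    host = host.strip().strip("[]")                 # tolerate [::1]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.IPv4Address(socket.inet_aton(host))
        except OSError:
            return None                             # not an address literal
    # ::ffff:127.0.0.1 is an IPv4-mapped IPv6 address; judge the embedded IPv4
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_loopback_literal(host: str) -> bool:
    """True if the literal names any loopback address (127.0.0.0/8 or ::1)."""
    addr = normalize_ip(host)
    return addr is not None and addr.is_loopback


def naive_is_loopback(host: str) -> bool:
    """The string comparison many filters start with; kept here for contrast."""
    return host in ("127.0.0.1", "localhost")


if __name__ == "__main__":
    # Constructed inputs: several spellings of the same loopback destination
    for candidate in ["127.0.0.1", "127.0.0.2", "127.255.255.254", "127.1",
                      "0177.0.0.1", "2130706433", "::1", "[::1]",
                      "::ffff:127.0.0.1", "10.0.0.1", "example.com"]:
        print(f"{candidate:20} naive={naive_is_loopback(candidate)!s:5} "
              f"correct={is_loopback_literal(candidate)}")
```

A hostname ("localhost", or any name whose DNS record points at 127.0.0.1) has to be resolved first and every returned address passed through the same check; doing the check on the name and then letting the HTTP library resolve it again leaves a window for DNS rebinding.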

ICMP Error codes

The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. It is chiefly used by the operating systems of networked hosts and by routers to send error messages, indicating for instance that a requested service is not available or that a host or router could not be reached. The 16 codes listed below all belong to a single ICMP message type, type 3 (Destination Unreachable); the code narrows down why the datagram was discarded. Several of them are also useful reconnaissance signals: code 3 is how a host answers a UDP probe to a closed port, while codes 9, 10 and 13 tell you that a router or firewall is deliberately filtering.

0 - Network unreachable - Tells you if a specific network is currently unreachable.

1 - Host unreachable - Tells you if a specific host is currently unreachable.

2 - Protocol unreachable - This code tells you that a specific protocol (tcp, udp, etc.) cannot be reached at the moment.

3 - Port unreachable - If a port (ssh, http, ftp-data, etc) is not reachable, you will get this message.

4 - Fragmentation needed and DF set - If a packet needs to be fragmented to be delivered, but the Do not fragment bit is set in the packet, the gateway will return this message.

5 - Source route failed - If a source route failed for some reason, this message is returned.

6 - Destination network unknown - If there is no route to a specific network, this message is returned.

7 - Destination host unknown - If there is no route to a specific host, this message is returned.

8 - Source host isolated (obsolete) - If a host is isolated, this message should be returned. This code is obsolete today.

9 - Destination network administratively prohibited - If a network was blocked at a gateway and your packet was unable to reach it because of this, you should get this ICMP code back.

10 - Destination host administratively prohibited - If you were unable to reach a host because it was administratively prohibited (e.g., by routing administration), you will get this message back.

11 - Network unreachable for TOS - If a network was unreachable because of a bad TOS setting in your packet, this code will be generated as a return packet.

12 - Host unreachable for TOS - If your packet was unable to reach a host because of the TOS of the packet, this is the message you get back.

13 - Communication administratively prohibited by filtering - If the packet was prohibited by some kind of filtering (e.g., a firewall), you get code 13 back.

14 - Host precedence violation - This is sent by the first-hop router to notify a connected host that the precedence it used is not permitted for a specific destination/source combination.

15 - Precedence cutoff in effect - The first hop router may send this message to a host if the datagram it received had a too low precedence level set in it.
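Mapping a code to its name is the easy part; on the wire an ICMP error carries the type, the code, a checksum and the first bytes of the datagram that triggered it (the IP header plus 8 bytes of payload), which is what tells you which of your own packets the error answers. The following is an added example, not part of the original post: it builds and parses type 3 messages over constructed sample data, checks the checksum, pulls the next-hop MTU out of a code 4 message, and reads the reply the way a UDP port scanner does, following the convention nmap documents (code 3 closed; codes 1, 2, 9, 10 and 13 filtered).

```python
import struct

# ICMP type 3 (Destination Unreachable) codes, as listed above
DEST_UNREACH_CODES = {
    0: "Network unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
    3: "Port unreachable", 4: "Fragmentation needed and DF set",
    5: "Source route failed", 6: "Destination network unknown",
    7: "Destination host unknown", 8: "Source host isolated",
    9: "Destination network administratively prohibited",
    10: "Destination host administratively prohibited",
    11: "Network unreachable for TOS", 12: "Host unreachable for TOS",
    13: "Communication administratively prohibited",
    14: "Host precedence violation", 15: "Precedence cutoff in effect",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreachable(code: int, quoted: bytes, rest: int = 0) -> bytes:
    """Type 3 message: type, code, checksum, 4-byte 'unused' word, quoted datagram.
    For code 4 the low 16 bits of 'rest' carry the next-hop MTU (RFC 1191)."""
    header = struct.pack("!BBHI", 3, code, 0, rest)
    return struct.pack("!BBHI", 3, code, icmp_checksum(header + quoted), rest) + quoted


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMPv4 message, verify its checksum, decode type 3 details."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if icmp_checksum(packet) != 0:      # a valid message sums to 0xFFFF, complement 0
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, rest = struct.unpack("!BBHI", packet[:8])
    info = {"type": itype, "code": code}
    if itype != 3:
        return info
    info["code_name"] = DEST_UNREACH_CODES.get(code, "unassigned code %d" % code)
    if code == 4:
        info["next_hop_mtu"] = rest & 0xFFFF
    quoted = packet[8:]
    if len(quoted) >= 20 and quoted[0] >> 4 == 4:     # quoted IPv4 header present
        ihl = (quoted[0] & 0x0F) * 4
        proto = quoted[9]
        q = {"src": ".".join(map(str, quoted[12:16])),
             "dst": ".".join(map(str, quoted[16:20])), "proto": proto}
        if proto in (6, 17) and len(quoted) >= ihl + 4:  # TCP/UDP ports follow the header
            q["sport"], q["dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
        info["quoted"] = q
    return info


def classify_udp_probe(info: dict) -> str:
    """Port-scanner reading of an ICMP reply to a UDP probe (nmap's convention)."""
    if info.get("type") != 3:
        return "other"
    if info["code"] == 3:
        return "closed"
    if info["code"] in (1, 2, 9, 10, 13):
        return "filtered"
    return "other"


def sample_quoted(dport: int) -> bytes:
    """Constructed sample: the IPv4 + UDP header of a probe from 192.0.2.10 to
    198.51.100.5 (documentation addresses), as a router would quote it back."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    return ip + udp


if __name__ == "__main__":
    for code in (3, 13, 4):
        msg = build_dest_unreachable(code, sample_quoted(161), 1400 if code == 4 else 0)
        info = parse_icmp(msg)
        print(code, info["code_name"], info["quoted"], classify_udp_probe(info))
```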

Time based iptables rules

Question: How can I restrict/allow access to a certain service on a time basis with iptables? For example, restrict access to SSH between 7:00 pm and 8:00 am on weekdays?

Answer: You can use the time match from the iptables patch-o-matic extensions (pom or p-o-m), which allows you to match a packet based on its arrival timestamp (or its departure timestamp, for locally generated packets). The syntax is the following:

iptables RULE -m time --timestart TIME --timestop TIME --days DAYS -j ACTION

Where:

--timestart TIME: start of the time window (format 00:00-23:59)
--timestop TIME: end of the time window (same format)
--days DAYS: a comma-separated list of the days on which the rule applies (Mon, Tue, Wed, Thu, Fri, Sat, Sun)

To add the rule stated in the question use the following command (note the double dash on --days):

iptables -A INPUT -p tcp -d 192.168.0.1 --dport 22 -m time --timestart 19:00 --timestop 08:00 --days Mon,Tue,Wed,Thu,Fri -j DROP

Hope it helps!
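Two details of that rule are easy to get wrong: a window whose start is later than its stop crosses midnight, and the weekday test is applied to the day on which the packet arrives, not to the day the window started. The following is an added example, not part of the original post: a Python model of how the kernel's time match evaluates such a rule, run over constructed timestamps so the Friday-night and Sunday-night edges are visible.

```python
from datetime import datetime, timedelta, timezone

# Day names as iptables spells them; Python's weekday() is Mon=0 .. Sun=6
WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def time_match(when: datetime, timestart: str, timestop: str, days: str,
               kerneltz: bool = False) -> bool:
    """Decide whether the iptables time match would match a packet seen at `when`.

    Mirrors the kernel's two checks: the weekday test is applied to the day the
    packet is seen, and the time-of-day window wraps past midnight when
    timestart > timestop. The current xt_time match evaluates in UTC unless
    --kerneltz is given, so a timezone-aware `when` is converted to UTC first;
    with kerneltz=True the wall-clock fields are used as given.
    """
    if when.tzinfo is not None and not kerneltz:
        when = when.astimezone(timezone.utc)
    allowed = {WEEKDAYS[d] for d in days.split(",")}
    if when.weekday() not in allowed:
        return False
    now = when.hour * 60 + when.minute
    start, stop = _minutes(timestart), _minutes(timestop)
    if start <= stop:
        return start <= now <= stop          # window lies within one day
    return now >= start or now <= stop       # window crosses midnight


def ssh_dropped(when: datetime, kerneltz: bool = False) -> bool:
    """The rule from the answer above: DROP tcp/22 from 19:00 to 08:00, Mon-Fri."""
    return time_match(when, "19:00", "08:00", "Mon,Tue,Wed,Thu,Fri", kerneltz)


if __name__ == "__main__":
    # Constructed sample timestamps; 2024-01-15 is a Monday.
    samples = {
        "Tue 20:00 UTC": datetime(2024, 1, 16, 20, 0, tzinfo=timezone.utc),
        "Wed 10:00 UTC": datetime(2024, 1, 17, 10, 0, tzinfo=timezone.utc),
        "Fri 23:30 UTC": datetime(2024, 1, 19, 23, 30, tzinfo=timezone.utc),
        "Sat 02:00 UTC": datetime(2024, 1, 20, 2, 0, tzinfo=timezone.utc),   # gap: Sat not listed
        "Mon 02:00 UTC": datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc),   # Sunday night is covered
        "Tue 19:30 UTC+2": datetime(2024, 1, 16, 19, 30,
                                    tzinfo=timezone(timedelta(hours=2))),    # 17:30 UTC: no match
    }
    for label, ts in samples.items():
        print(f"{label:16} -> {'DROP' if ssh_dropped(ts) else 'pass'}")
```

So the rule as written does not cover the early hours of Saturday morning, but does cover the early hours of Monday; add Sat to the day list if Friday night should be blocked through to the morning. On current kernels the same match is spelled -m time --timestart 19:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri and is evaluated in UTC unless --kerneltz is given, which is why a rule that "works" at one site silently shifts by the site's UTC offset at another. Also note that a plain DROP on tcp/22 placed before your ESTABLISHED,RELATED accept rule will stall sessions that were opened before 19:00; add -m conntrack --ctstate NEW if only new logins should be refused.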



Howto open port using iptables

If you want your machine to respond to requests initiated from elsewhere on the internet, in effect to be a server, you need to open the required ports. To do this properly, you need to know:

1. What service you want to open up?
2. Whether it is a tcp or udp service?
3. What port number(s) it uses?

You should also restrict access to the machines that actually need it; e.g. if only people in the X dept should reach the service, allow only their subnet rather than the whole internet.

For example, to enable ssh access to your box from anywhere on campus, you could use something like

iptables -A allowed -p tcp --dport 22 -s 129.2.0.0/16 -j ACCEPT
iptables -A allowed -p tcp --dport 22 -s 128.8.0.0/16 -j ACCEPT

This allows tcp traffic from either of the two /16 networks to reach port 22 on your machine. ssh is a tcp-only service, so there is no reason to open udp port 22 as well; every extra hole is another port an attacker can probe. Note that "allowed" is a user-defined chain: it must already exist (iptables -N allowed) and be reached from the INPUT chain (iptables -A INPUT -j allowed), otherwise these rules are never consulted. Of course, you need to have an sshd daemon running as well for this to work; the rules above merely punch the required holes in the firewall.

Howto create a MySQL user

Here is a quick tip on how to create a new database from the mysql client, together with a new MySQL user that has full privileges on that database only (my_db, my_user and my_password below are placeholders):

mysql -u root -p

CREATE DATABASE my_db;
CREATE USER 'my_user'@'localhost' IDENTIFIED BY 'my_password';
GRANT ALL PRIVILEGES ON my_db.* TO 'my_user'@'localhost';

The older one-line form GRANT ... IDENTIFIED BY ... created the account implicitly; MySQL 8 no longer accepts it, so create the user first. Leave out WITH GRANT OPTION unless this account really needs to hand its privileges on to other accounts; an application user normally should not be able to. Restricting the account to 'localhost' means the password only works over the local socket or the loopback interface, not from other hosts.