Firewall & DNS Configuration in EasyOS

Moderator: BarryK

Post by Neo_78 »

What's the best way to block access to a specific IP and port on that IP in your network from your device in EasyOS (for instance 192.168.0.10:1234)?

Is it possible to set custom DNS servers like Google's public DNS (8.8.8.8 and 8.8.4.4)?

Is there a text-based configuration file that could be used?

If you are booting EasyOS into RAM from USB (no hard drive installation), are the configuration settings of your firewall etc. persistent, or do they have to be reimplemented after each reboot?

Thanks for your feedback!

Post by williams2 »

What's the best way to block access to a specific IP and port on that IP in your network from your device

Probably not iptables.
This should block puppylinux.com

iptables -I INPUT -s 162.241.244.127 -j DROP

This inserts a rule at the top of the INPUT chain to DROP any packets from puppylinux.com,
so this should be rule number 1.

iptables -L should list the rules.

iptables -L --line-numbers lists the rules with line numbers.

iptables -D INPUT 1 deletes rule number 1 of the INPUT chain.

This will DROP the ip address in the INPUT and OUTPUT and FORWARD chains.

iptables -I INPUT -s 162.241.244.127 -j DROP
# OUTPUT sees locally generated packets, so match the destination (-d), not the source
iptables -I OUTPUT -d 162.241.244.127 -j DROP
iptables -I FORWARD -s 162.241.244.127 -j DROP

You can also use iptables-restore and iptables-save

Where you would put this I don't know.
In Puppy, a good place would be /etc/rc.d/rc.local
unless the firewall is set up later, for example, after Xwindows starts, in which case the new rule should be added after the firewall setup has finished.

I think you would set up the firewall before starting the browser in a container,
or maybe it should be added to the script that starts the container.
I don't know.

custom DNS servers like Google's public DNS

For Puppy, edit the file /etc/resolv.conf.head (create if necessary) like this:

nameserver 8.8.8.8
nameserver 8.8.4.4

are the configuration settings of your firewall etc persistent or have to be reimplemented after each re-boot?

I don't know.

There are similar tools for ipv6, like ip6tables

Post by Neo_78 »

Thanks @williams2. I guess the question is how to "remaster" and customize EasyOS with your configurations AND use the RAM-only boot mode without having to implement your changes on every boot AND being able to update the OS on your USB while keeping your changes... :roll:

Post by BarryK »

EasyOS also has /etc/rc.d/rc.local, for user stuff at bootup.

Post by Neo_78 »

Ok, so you would have to script all custom configurations into rc.local to run at startup, like the following example?

https://linuxhint.com/use-etc-rc-local-boot/

Does this work with iptables and network configurations?

Post by williams2 »

The https://linuxhint.com/use-etc-rc-local-boot/ web page refers partly to systemd and partly to sysvinit.

BionicPup64 uses busybox init.
EasyOS probably uses busybox init.
(but it might not, I have a somewhat old version of EasyOS on a usb flash drive, so I'm not the person to ask about EasyOS details.)

busybox init is similar to sysVinit.
Puppy doesn't really have run levels
but busybox knows when XWindows (wallpaper and buttons to click, etc.) is running.
So ctrl+alt+del does nothing when X is running.
If you kill X from the menu or by pressing ctrl+alt+backspace,
then ctrl+alt+del will reboot Puppy.
If the bootloader is running, you can poweroff your computer by pressing the computer's power button.
(a normal press, no need to hold the power button for 5 or 10 seconds.)

Busybox init will eventually execute the shell script /etc/rc.d/rc.local.
linuxhint.com refers to /etc/rc.local
Puppy does not have this file, Puppy (and EasyOS) have /etc/rc.d/rc.local
You can put stuff in /etc/rc.d/rc.local (not X applications, X isn't running yet.)

If the firewall rules are configured in /etc/rc.d/rc.local,
then you could put those iptables commands to DROP packets from a specific url address at the bottom of /etc/rc.d/rc.local.

If the firewall rules are set after /etc/rc.d/rc.local executes,
(for example, in /etc/init.d/)
then putting an iptables command to block an ip address in /etc/rc.d/rc.local won't work, because setting the firewall rules will erase the firewall chains (including your iptables rule blocking that ip address).
So you would need to find somewhere else, like /root/Startup.
And you might put a sleep instruction in a script, to be sure it executes after the firewall rules are set up.

If there is a GUI (buttons to click) in the menu, you might prefer to use that.

If you prefer CLI, you just need to edit /etc/resolv.conf.head once.

You would need to use iptables to block an ip address every time Puppy (or EasyOS) boots.

Does this work with iptables and network configurations?

The iptables command to block an IP address, and configuring the DNS nameservers, bypass the configuration that Puppy (and Easy) set up.

If you want to remaster EasyOS, I really don't know.
It is possible, of course.
If you want to run Easy with no access to the drives, but have all your configurations set up (saved)
I don't know how to do that.
Easy must have had access to easy.sfs on a hard drive or flash drive, to be able to copy it to ram then mount the file system in easy.sfs.
Or the OS might have mounted the easy.sfs file that is on a hard drive or flash drive.

So you want persistence, and run in ram with the hard drives and flash drives locked so they can't be mounted.
AFAIK, that can be done. But I don't know exactly all the details.
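
Added example, not part of any post in this thread: a POSIX shell helper that blocks outbound traffic to the 192.168.0.10:1234 target from the original question, inserting the rule only if it is missing and re-checking a few times in case a firewall script that runs later flushes the chains. The function names, the retry count and delay, and the `apply` argument are assumptions; it also assumes an iptables build that supports `-C`.

```shell
#!/bin/sh
# Added example: idempotent outbound block for one host:port.
# IPT may be overridden (e.g. with a stub for testing); default is iptables.
IPT="${IPT:-iptables}"

# Print the match/target arguments for dropping traffic sent TO ip:port.
# Outbound traffic is matched on destination (-d / --dport), not source.
block_args() {
    ip="$1"; port="$2"; proto="${3:-tcp}"
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 2 ;; esac
    echo "-d $ip -p $proto --dport $port -j DROP"
}

# Insert the rule at the top of OUTPUT unless an identical rule exists.
# Prints "present" or "inserted".
ensure_block() {
    args=$(block_args "$@") || return $?
    # -C (check) exits 0 only when this exact rule is already in the chain
    if $IPT -C OUTPUT $args 2>/dev/null; then
        echo present
    else
        $IPT -I OUTPUT 1 $args && echo inserted
    fi
}

# Re-apply the check <tries> times, <delay> seconds apart, so the rule is
# restored if another startup script rebuilds the chains in between.
guard() {
    tries="$1"; delay="$2"; shift 2
    i=0
    while [ "$i" -lt "$tries" ]; do
        ensure_block "$@" >/dev/null || return $?
        i=$((i + 1))
        if [ "$i" -lt "$tries" ]; then sleep "$delay"; fi
    done
    return 0
}

# Hypothetical usage from /etc/rc.d/rc.local:  /root/block-host.sh apply &
case "${1:-}" in
    apply) guard 3 10 192.168.0.10 1234 tcp ;;
esac
```

Run `iptables -L OUTPUT -n --line-numbers` afterwards to confirm the DROP rule sits at position 1.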

Post by BarryK »

Yes, EasyOS has busybox init.

When booting up to RAM only, drives disabled, the initrd sets that up. While in the initrd, Easy has full access to the drives, and copies easy.sfs and the full contents of /mnt/wkg/.session to RAM, then switches to the layered filesystem, at the same time dropping access to the drives.
