Saturday 26 March 2016

Bypassing Open DNS for certain computers

In my last post on Open DNS I showed you how to set up the firewall to block any unauthorised DNS queries bypassing your Open DNS settings.

Depending on your reasons for blocking certain sites there may be times when you want to be able to bypass Open DNS and get straight out onto the internet. Perhaps you have blocked access to some sites because you think they are unsuitable for your children but you would still like to be able to get to them!

To do this from a particular machine is relatively easy.

Again I am using my Huawei HG533 as the example router.

The first step is not directly related to the firewall, but if you haven't already set fixed IPs for your machines it is worth doing (at least for the one you wish to have full access); otherwise your bypass rule may not always apply to the same computer.

Go to Basic, LAN, and click NEW next to the IP Address Reserve.

Then enter the MAC address of the machine you want to bypass your Open DNS rules and give it an IP address such as 192.168.42.10. Remember, however, that a machine with both wired and wireless network interfaces has two MAC addresses. Make sure you choose the right one (or both) and give each one a different IP (most routers won't let you give two MACs the same IP, in case they are both connected at the same time).

Once this is done and you have clicked Submit you will need to disconnect and reconnect your machine from the network or refresh your connection so that the new IP will be picked up.

Now that you have a known IP you can go to the advanced settings, firewall section and add a new rule.

This time the rule will be under IP Filtering so select the appropriate radio button.

First, give the rule a name, e.g. Unsecure DNS.
Set the protocol to UDP and add the IP address you reserved earlier.

Destination start and end port should be set to 53, as this is the port used for DNS queries, and status should be set to Accept.

If you only want to allow access to a particular DNS server, say Google's 8.8.8.8, you can add it to the rule too as the destination address. If you leave this blank then any DNS server can be used.

The last step, once the rule is created, is to change the DNS server on your PC. How you do this will depend on the OS you are using, but the DNS server setting can normally be found under network settings. Change this on your unrestricted PC to your alternate DNS IP address, reconnect your network connection and you are done.

Obviously doing this invalidates all the hard work you did to implement a secure Open DNS setup in the first place, but only on one machine, so if your kids have tablets or you have a family computer those can be left protected.


Monday 26 October 2015

Running a McMyAdmin Minecraft Server on Linux Mint

Why Would I Want To Do This?

McMyAdmin allows you to run and manage a Minecraft server (relatively) simply. 

This is how I went about installing it on a box running Linux Mint 17.2

Add A New User 

Note: You can choose not to do this step if you like but from a security and backup point of view I find it helps
  • Go to User and Groups (via the Linux Mint menu) and add a new user without admin permissions
I called mine "minecraft" but "mcmyadmin" or whatever you like will work just as well. 

Install Supporting Files

This needs to be done as an admin user.
  • Change directory with cd /usr/local 
  • Download the supporting zipped file sudo wget http://mcmyadmin.com/Downloads/etc.zip 
  • Unzip the downloaded file sudo unzip etc.zip
  • Remove the zipped file sudo rm etc.zip

Install McMyAdmin Itself

This needs to be done as the user you created in the first step
  • First create a directory for McMyAdmin mkdir ~/McMyAdmin
  • Change directory with cd ~/McMyAdmin
  • Download the zipped file wget http://mcmyadmin.com/Downloads/MCMA2_glibc26_2.zip
  • Unzip the downloaded file unzip MCMA2_glibc26_2.zip
  • Remove the zipped file rm MCMA2_glibc26_2.zip

Configure McMyAdmin With An Admin Password

  • Run the executable with the -setpass and -configonly options ./MCMA2_Linux_x86_64 -setpass [YOURPASSWORD] -configonly

Running McMyAdmin For The First Time

  • Change to the McMyAdmin directory cd ~/McMyAdmin 
  • Run the executable ./MCMA2_Linux_x86_64
Note that you must change to the directory McMyAdmin is installed to before running it. You cannot run it using a relative or absolute path.

Adding McMyAdmin To Upstart

Having a McMyAdmin server running is a good start, but you don't want to have to restart it manually every time you reboot your server. That is where Upstart helps out.

In order to configure Upstart to start up your server you must do the following...

Create Config File

Create a new config file called something like minecraft.conf or mcmyadmin.conf
  • cd /etc/init 
  • sudo touch minecraft.conf 
Paste in the following code into your conf file making sure to change the path in the cd command to match the location of your McMyAdmin install

<---------------start cutting below this line--------------->

# /etc/init/minecraft.conf
description "Minecraft server"

start on runlevel [2345]
stop on runlevel [^2345]

#change /home/minecraft/McMyAdmin if you put McMyAdmin somewhere else
exec su minecraft -s /bin/bash -c 'cd /home/minecraft/McMyAdmin;./MCMA2_Linux_x86_64'


<---------------stop cutting above this line---------------> 
To check that this has worked, run

  • sudo initctl reload-configuration

which will load your new config file.
 
Test the service status (which should not yet be running)

  • sudo service minecraft status

Start the service

  • sudo service minecraft start 

Test the service status again (which should now be running)

  • sudo service minecraft status 

And then stop the service 

  • sudo service minecraft stop 

Once you are happy that the service starts and stops at your command, reboot the computer. Once it is back up and running, recheck the service status and confirm that it restarted automatically on reboot.

Port Forwarding for your server

The example is for the Huawei HG533 router, but while the exact naming of the settings may differ on other routers the principles will be the same.
Go to the router page on your LAN. This is normally 192.168.1.1 but you may have changed it.
Login as the admin user using your password
  1. Go to the Advanced NAT, Port Forwarding section 
  2. Click on new to create a new rule
  3. Set type to Customization
  4. Protocol to TCP
  5. External Start and End Ports to 25565 (or whatever port you want your users to access your Minecraft server on)
  6. Internal Host to the local IP address of your server
  7. Internal Port to 25565 (or whatever port you have set your McMyAdmin server Minecraft instance to)
  8. Mapping Name to a suitable name. Mine is set to "Minecraft" 

Wednesday 9 September 2015

Using OpenDns on a Huawei HG533 router

Why would I want to do this?

OpenDns is one of the best ways (if not the best) to restrict access to content you are uncomfortable being available on your network. Whether you are a parent who doesn't want your kids seeing porn, a school or institution that wants to ban anything that may upset anyone, or just someone who wants to block irritating websites which load up your Windows PC with malware, OpenDns is a free (for personal use), independent, configurable solution.

The instructions below are for the HG533 Router but if you are trying to work out how to set this up on any other router the basic principles should still be the same even if some of the specifics are different.

Step 1 - Setting up the DNS server configuration

Step 1.1 - Point your router to the OpenDns DNS servers

You can do this even if you don't have an OpenDns account but that won't give you any control over the content accessible over your router. All that will happen is that you will use the OpenDns DNS servers which are good but meh! 

Go to the router page on your LAN. This is normally 192.168.1.1 but you may have changed it.

Login as the admin user using your password (make sure you change this from the default or all the stuff below will be pointless)
  1. Go to the Basic LAN section 
  2. Change the Primary and Secondary DNS settings to the OpenDns servers 208.67.222.222 and 208.67.220.220 respectively. These are the DNS settings given to computers that connect to your router. Make sure you are in the LAN section not the WAN section as there is also a place for DNS settings there.
  3. Check your config is working by going to - https://store.opendns.com/settings

Step 1.2 - Get an OpenDns account and block whatever content you like

Next step, if you don't already have one, is to set up an OpenDns account (I'm not going to document this - just go to OpenDns.com and set up a free account and choose which content you want to block)

Step 1.3 - Configure your router to tell OpenDns what your IP is

If you have a fixed (static) public IP (which most people don't) then you can ignore this step as you will already have configured your OpenDns account with your IP address. If on the other hand, like most of us, you have a Dynamic IP that changes on the whim of your internet provider then you need something to keep OpenDns informed whenever it changes. 

You can do this in a number of ways but I think the best way is to get your router to do it auto-magically via dns-o-matic. I have had some issues getting this to work but it seems to be working now I've upgraded to version 1.20t of the router firmware (we'll see). 
  1. Create a dns-o-matic account (https://www.dnsomatic.com/)
  2. Add the OpenDns service to your account
Then go back to your router to point it to the dns-o-matic account you've just created
  1. Go to the Advanced -> DDNS section 
  2. Set Service Provider to "Others"
  3. Set host to "all"
  4. Set domain to "dnsomatic.com"
  5. Set username and password to the values you entered when creating your dns-o-matic account
  6. Set server to "dnsomatic.com"
  7. Set port to "80"
  8. Set protocol to "GNUDip.http"
  9. Set service name to something appropriate (I used "dnsomatic")
  10. Submit your config

Step 2 - Enforcing the use of the DNS config

By doing step one the OpenDns servers will be used for DNS lookups and inappropriate content will be blocked based on your OpenDns settings. BUT anyone can override this by changing the DNS configuration on their PC or other device.

To ensure that they can't do this and that your OpenDns blocking will always be adhered to you need to do some firewall configuration.

Step 2.1 - Block port 53

First you need a blanket ban on the use of port 53. To do this:
  1. Go to the Advanced -> Firewall section and click on the "Application Filtering" option.
  2. Select DNS from the application drop down
  3. Set status to reject
  4. Click submit

Step 2.2 - Open your firewall for OpenDns

You have now blocked all DNS traffic, so nothing can get out. This isn't what you want, so...
  1. Still in the Advanced -> Firewall section, click on "IP Filtering"
  2. Type in a rule name (I called mine "OpenDns")
  3. Set protocol to UDP
  4. Set destination start address to 208.67.220.220
  5. Set destination end address to 208.67.222.222
  6. Set destination start and end port to 53
  7. Set priority to something high (I used 253)
  8. Set status to "Accept"
  9. Set input interface to "All"

And there you go!
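To see how the three rules interact, here is an added example (not the router's own code, and not from the original post) that simulates the rule set as a small packet filter: the Application Filtering reject from Step 2.1, the "OpenDns" accept from Step 2.2, and the per-host "Unsecure DNS" accept from the "Bypassing Open DNS for certain computers" post above. The Rule and Packet classes, the "higher priority value is consulted first" ordering, the priority 0 given to the application filter and the priority 253 given to the bypass rule are all assumptions chosen to mirror the router's priority field; the sample traffic is constructed. Running it shows the expected outcomes (ordinary hosts can reach OpenDns only, the reserved host can reach any resolver) and one caveat worth checking on a real router: because the accept rules are UDP-only, a lookup that falls back to DNS over TCP port 53 (as happens for truncated responses) is still rejected.

```python
# Added example: simulation of the HG533 DNS rule set from the posts.
# Not router code; rule semantics and priorities other than 253 are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # LAN source address
    dst: str      # destination address
    proto: str    # "udp" or "tcp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept" or "reject"
    priority: int                      # higher value is consulted first (assumption)
    proto: Optional[str] = None        # None matches both UDP and TCP
    src: Optional[str] = None          # None matches any LAN host
    dst_start: Optional[str] = None    # inclusive destination range; None = any
    dst_end: Optional[str] = None
    dport_start: Optional[int] = None  # inclusive destination port range; None = any
    dport_end: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.dst_start is not None:
            lo = IPv4Address(self.dst_start)
            hi = IPv4Address(self.dst_end or self.dst_start)
            if not lo <= IPv4Address(p.dst) <= hi:
                return False
        if self.dport_start is not None:
            hi_port = self.dport_end if self.dport_end is not None else self.dport_start
            if not self.dport_start <= p.dport <= hi_port:
                return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "accept") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.matches(p):
            return rule.action, rule.name
    return default, "default"


def dns_rules(bypass_host: str = "192.168.42.10") -> List[Rule]:
    """The three rules from the posts. Priorities other than 253 are assumptions."""
    return [
        # Step 2.1: Application Filtering "DNS" -> Reject. Modelled as port 53 on
        # both protocols with the lowest priority so the accept rules override it.
        Rule("DNS application filter", "reject", 0, dport_start=53),
        # Step 2.2: allow UDP/53 to the OpenDns address range, priority 253.
        # Start/end form a range, so every address between the two servers
        # matches as well, not just the two endpoints.
        Rule("OpenDns", "accept", 253, proto="udp",
             dst_start="208.67.220.220", dst_end="208.67.222.222",
             dport_start=53),
        # "Bypassing Open DNS": the reserved host may use any resolver over UDP/53.
        Rule("Unsecure DNS", "accept", 253, proto="udp", src=bypass_host,
             dport_start=53),
    ]


# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    Packet("192.168.42.20", "208.67.222.222", "udp", 53),  # ordinary host -> OpenDns
    Packet("192.168.42.20", "8.8.8.8", "udp", 53),         # ordinary host -> other resolver
    Packet("192.168.42.10", "8.8.8.8", "udp", 53),         # bypass host -> other resolver
    Packet("192.168.42.20", "208.67.222.222", "tcp", 53),  # ordinary host, DNS over TCP
    Packet("192.168.42.20", "203.0.113.5", "tcp", 443),    # non-DNS traffic
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Evaluate each packet and return (packet, action, matched rule)."""
    return [(p, *evaluate(rules, p)) for p in packets]


if __name__ == "__main__":
    for p, action, by in audit(dns_rules(), SAMPLE):
        print(f"{p.src:>14} -> {p.dst:>15}:{p.dport}/{p.proto}  {action:<6} ({by})")
```

The fourth sample line is the one to pay attention to: if your router's "DNS" application filter also covers TCP, and you want resolvers to be able to fall back to TCP for large answers, you would need a second accept rule for TCP/53 to the same OpenDns address range.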

So it took me a while to work this out and although the information is around on the internet I couldn't find it all in one place in a way I could understand. Hopefully other people will find this useful. If you have any suggestions for improving the configuration or if I've made a mistake somewhere please post comments.