Posts Tagged ‘External’

How to Make Easy Backups on Linux Using a GUI tools Deja Dup, TimeShift, BackinTime, Grsync, Vorta

Monday, February 2nd, 2026

Backing up your data on Linux doesn’t have to involve complex terminal commands or custom scripts. While the command line is powerful, many users prefer a simple graphical interface (GUI) that just works.

Luckily, Linux offers several excellent GUI-based backup tools that are easy, reliable, and beginner-friendly.

In this article, we’ll look at why backups matter, and then walk through some of the best GUI backup tools for Linux, along with basic setup tips.

Why Backups Are Important (Even on Linux)

Linux systems are known for stability, but unfortunately, no system is immune to:

  • Hard drive failures
  • Accidental file deletion
  • System updates gone wrong
  • Malware or ransomware
  • Laptop theft or damage

A proper backup ensures you can restore your files or even your entire system in minutes instead of losing everything.

What Makes a Good GUI Backup Tool?

For most desktop users, a good backup tool should :

  • Be easy to use (no terminal required)
  • Supports automatic scheduled backups
  • Allow restoring individual files
  • Work with different types of external drives or network storage
  • Be relatively actively maintained
     

Let’s look at the few tools to create backups with lesser effort.

1. Déjà Dup – The Simplest Backup Tool

Best for: Beginners and home users
Available on: Ubuntu, Linux Mint, Fedora, and others

Déjà Dup is one of the most user-friendly backup tools on Linux. It comes preinstalled on Ubuntu and integrates perfectly with the GNOME desktop.

Key Features

  • Very simple interface
  • Automatic scheduled backups
  • Supports local drives, external USB disks, and network locations
  • Optional encryption for security

# apt info deja-dup
Package: deja-dup
Version: 44.0-2
Priority: optional
Section: utils
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Installed-Size: 4,851 kB
Depends: duplicity (>= 0.7.14), dconf-gsettings-backend | gsettings-backend, libadwaita-1-0 (>= 1.2), libc6 (>= 2.34), libglib2.0-0 (>= 2.70.0), libgpg-error0 (>= 1.14), libgtk-4-1 (>= 4.0.0), libjson-glib-1.0-0 (>= 1.5.2), libpackagekit-glib2-18 (>= 1.1.0), libpango-1.0-0 (>= 1.18.0), libsecret-1-0 (>= 0.18.6), libsoup-3.0-0 (>= 3.0.3)
Recommends: gvfs-backends, packagekit, policykit-1
Suggests: python3-pydrive2
Homepage: https://launchpad.net/deja-dup
Tag: admin::backup, implemented-in::c, interface::graphical, interface::x11,
 role::program, scope::application, suite::gnome, uitoolkit::gtk,
 x11::application
Download-Size: 693 kB
APT-Sources: http://ftp.debian.org/debian bookworm/main amd64 Packages
Description: Backup utility
 Déjà Dup is a simple backup tool. It hides the complexity of backing up the
 Right Way (encrypted, off-site, and regular) and uses duplicity as the
 backend.
 .
 Features:
  * Support for local, remote, or cloud backup locations such as Nextcloud
  * Securely encrypts and compresses your data
  * Incrementally backs up, letting you restore from any particular backup
  * Schedules regular backups
  * Integrates well into your GNOME desktop

How to Use Déjà Dup

Using it is generally simplistic, you select the data folders to be backupped and then the media where to backup it. The program supports also encryption with a password which is nice if you want to keep the backed-up data secret (especially if you want to store the backup on Google Cloud or Microsoft Azure)

Open “Backups” from your application menu

  1. Choose folders to back up (e.g., Home folder)
  2. Select a backup location (external drive recommended)
  3. Enable automatic backups


Click on Back Up Now button

That’s it. Déjà Dup runs quietly in the background after setup.

Note ! that it is not a good idea to try to backup the whole Linux installation ! with deja-dup, as you will get a lot of issues with improper permissions errors and stuff and the OS backup won't get consistent, however for a basic backups of User Homes, Cictures and some Personal data situated within a single directory it is simple as it is easy to initially setup and run.

# apt install deja-dup

$ sudo deja-dup

 

deja-dup-backup-gui-tool-linux-screenshot

deja-dup-backup-gui-tool-linux-screenshot2

2. Timeshift – System Snapshots Made Easy

Best for: System recovery
Available on: Most Linux distributions

Timeshift focuses on system backups, not personal files. It creates restore points similar to Windows System Restore.

Key Features

  • Snapshot-based backups
  • Perfect for rolling back failed updates
  • Supports RSYNC and BTRFS
  • Clean and simple GUI
     

When to Use Timeshift

  • Before major system updates
  • After fresh OS installation
  • To recover from broken packages or configs

# apt info timeshift
Package: timeshift
Version: 22.11.2-1+deb12u1
Priority: optional
Section: utils
Maintainer: Yanhao Mo <yanhaocs@gmail.com>
Installed-Size: 3,231 kB
Depends: cron-daemon | cron, pkexec, psmisc, rsync, libc6 (>= 2.34), libcairo2 (>= 1.2.4), libgdk-pixbuf-2.0-0 (>= 2.22.0), libgee-0.8-2 (>= 0.8.3), libglib2.0-0 (>= 2.39.4), libgtk-3-0 (>= 3.16.2), libjson-glib-1.0-0 (>= 1.5.2), libvte-2.91-0, libxapp1 (>= 1.0.4)
Breaks: util-linux (<< 2.37.2~)
Replaces: timeshift-btrfs
Homepage: https://github.com/linuxmint/timeshift
Tag: uitoolkit::gtk
Download-Size: 617 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.debian.org/debian bookworm/main amd64 Packages
Description: System restore utility
 Timeshift is a system restore utility which takes snapshots
 of the system at regular intervals. These snapshots can be restored
 at a later date to undo system changes. Creates incremental snapshots
 using rsync or BTRFS snapshots using BTRFS tools.

# apt install timeshift

$ sudo timeshift-gtk

 

https://www.pc-freak.net/images/linux-gui-backup-tools-screenshot/timeshift-rsync-backup-gui-tool-linux-screenshot4

timeshift-rsync-backup-gui-tool-linux-screenshot5

timeshift-rsync-backup-gui-tool-linux-screenshot6

3. Use Timeshift alongside a file backup tool like Déjà Dup as a backup solution for OS and data

a. Set up Timeshift (system snapshots)

What to include

Snapshot type:

  • RSYNC → works on any filesystem (recommended)
  • BTRFS → if your root is BTRFS


timeshift-rsync-backup-gui-tool-linux-screenshot1

Include:

  • / (root filesystem)

Exclude home directories (important!)

In Timeshift settings:

  • Keep /root excluded
  • Do NOT include /home/youruser

timeshift-rsync-backup-gui-tool-linux-screenshot2

Timeshift is not meant to back up your personal files.

Schedule (typical)

  • Daily: 3–5 snapshots
  • Weekly: 2–3 snapshots
  • Monthly: optional

Store snapshots on:

A separate drive or partition if possible

b. Set up Deja Dup (personal backups)

Deja Dup is perfect for:

  • Home directory backups
  • Encryption
  • External drives, NAS, cloud (Google Drive, SFTP, etc.)

Folders to back up

Usually:

~/Documents
~/Pictures (or similar)
Optional: ~/.config (only if you know why)
~/Videos
~/Projects

In Deja Dup:

Folders to back up → select what you actually care about

Folders to ignore → add

~/.cache
~/.local/share/Trash
~/Downloads (optional)

Schedule

Daily or weekly backup is usually fine

Keep backups for “forever” or at least several months

c. Prevent overlap (this matters)

To avoid wasting space and time:

Tool

Should back up

Should NOT back up

Timeshift

/, system configs

/home

Deja Dup

/home/youruser

/, system files

Never:

  • Use Deja Dup to back up /
  • Use Timeshift to back up /home

That’s the #1 mistake you could do

d. Real-world recovery scenarios

Scenario 1: Bad update / system won’t boot

  1. Boot from live USB

  2. Restore with Timeshift

  3. System is back exactly as before

  4. Files untouched

Scenario 2: Deleted or corrupted files

  1. Open Deja Dup

  2. Restore specific files/folders

  3. Done

Scenario 3: New machine / fresh install

  1. Install OS

  2. Restore system apps/settings manually or via Timeshift (if compatible)

  3. Restore home data with Deja Dup

e. Optional pro tips (to avoid data loss)

  • Test restores once (seriously)
  • Label backup drives clearly
  • Keep Deja Dup backups offsite if possible
  • After major distro upgrades:
  • Make a Timeshift snapshot
  • Don’t restore old Timeshift snapshots across major versions unless you know it’s safe
     

4. Back In Time – More Control features tool to create GUI-Based backups on Linux

Best for: Advanced users who want flexibility

Available on: Most Linux distributions

Back In Time uses RSYNC but wraps it in a friendly GUI.

Key Features

  • Scheduled snapshots
  • Exclude files and folders easily
  • Restore files from any snapshot
  • Supports local and remote backups
     

# apt-cache search backintime


backintime-common – simple backup/snapshot system (common files)
# apt info backintime-qt
Package: backintime-qt
Version: 1.3.3-4
Priority: optional
Section: utils
Source: backintime
Maintainer: Jonathan Wiltshire <jmw@debian.org>
Installed-Size: 416 kB
Depends: backintime-common (= 1.3.3-4), libnotify-bin, pkexec, polkitd, python3-dbus.mainloop.pyqt5, python3-pyqt5, x11-utils, python3:any
Recommends: python3-secretstorage
Suggests: meld | kompare
Conflicts: backintime-kde4
Breaks: backintime-qt4 (<< 1.2.1-0.1~)
Replaces: backintime-kde4, backintime-qt4 (<< 1.2.1-0.1~)
Homepage: https://github.com/bit-team/backintime
Download-Size: 73.8 kB
APT-Sources: http://ftp.debian.org/debian bookworm/main amd64 Packages
Description: simple backup/snapshot system (graphical interface)
 Back In Time is a framework for rsync and cron for the purpose of
 taking snapshots and backups of specified folders. It minimizes disk space use
 by taking a snapshot only if the directory has been changed, and hard links
 for unmodified files if it has. The user can schedule regular backups using
 cron.
 .
 This is the graphical interface for Back In Time.

backintime-qt – simple backup/snapshot system (graphical interface)

# apt install backintime-qt

$ sudo backintime-qt

backintime-linux-backup-gui-easy-tool-screenshot-options

linux-gui-backup-tools-screenshot/backintime-linux-backup-gui-easy-tool-screenshot-options

backintime-linux-screenshot-options-menu

backintime-linux-screenshot-options3

linux-gui-backup-tools-screenshot

It’s slightly more complex than Déjà Dup, but still very manageable.
 

5. Backing Up your Data on Linux with Grsync (rsync GUI frontend backup tool interface)

Grsync is a simple yet powerful graphical tool for backing up data on Linux. It acts as a front-end for rsync, one of the most trusted file synchronization utilities in the Linux world, but removes the need to remember long command-line options. This makes Grsync ideal for users who want reliable backups without extra complexity.

grsync-gui-backup-rsync-tool-linux-screenshot1

With Grsync, you can easily select a source and destination folder, such as backing up your home directory to an external drive or a network location. It supports incremental backups, meaning only changed files are copied after the first run, which saves both time and disk space. Useful options like preserving file permissions, deleting obsolete files, and excluding specific directories (for example, cache or temporary files) can be enabled with simple checkboxes.

Another advantage of Grsync is its safety features. You can perform a dry run to preview what will be copied or deleted before actually starting the backup. This reduces the risk of accidental data loss and makes it easier to fine-tune your backup settings. For Linux users looking for a practical and dependable backup solution, Grsync offers a great balance between power and ease of use.
 

Best Backup Strategy for Desktop Linux Users

For most users, Deja Dup + TimeShift  combo should works perfectly:

  • Déjà Dup → Personal files (documents, photos, videos)
  • Timeshift → System snapshots

This way, you’re protected from both data loss and system failure.

Final Thoughts

Linux gives you freedom – and that includes freedom to choose how you protect your data.

With modern GUI backup tools, there’s no excuse not to back up regularly. Whether you’re a casual user or a hardcore PC freak, setting up backups takes just a few minutes and can save you hours (or days) of frustration later.

If you’re serious about your Linux system data,
backup early, backup often and you this 

will pay you back.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Backups, Linux | No Comments »

Howto convert KVM QCOW2 format Virtual Machine to Vmdk to migrate to VMware ESXi

Thursday, November 17th, 2022

qcow2-to-vmdkvk-convert-to-complete-linux-kvm-to-vmware-esxi-migration

Why you would want to convert qcow2 to vmdk?

When managing the heterogeneous virtual environment or changing the virtualization solutions that become so common nowadays, you might need to migrate qcow2 from a Linux based KVM virtualization solution to VMWare's proprietary  vmdk – the file format in which a VMWare does keep stored it's VMs, especially if you have a small business or work in a small start-up company where you cannot afford to buy something professional as VMware vCenter Converter Standalone or Microsoft virtual machine converter (MVMC)- usually used to to migrate VMware hosts to Hyper-V hosts, but also capable to migrate .qcow2 to .vmdk. The reason is that your old datacenter based on Linux OS custom KVM virtual machines might be moved to VMWare ESX to guarantee better and more systemized management (which though is very questionable, since most of my experiences with VMWare was that though the software was a great one, the people who manage it was not very much specialists in managing it).

Another common reason is that running a separate Linux virtual machine, costs you more than a well organized VMWare farm because you need more qualified Linux specialists to manage the KVMs thus KVM to VMWare management as in most big corporations nowadays’s main target is to cut the costs.
Even with successful migrations like that, though you might often expect a drop in the quality of the service when your VM ends in the VMWare farm.

Nomatter what’s the reason to migrate qcow2 to VMDK So lets proceed with how the .QCOW2 to .VMDK can be easily done.


1. Get information about the VM you would like to migrate to VMDK

In QEMU-KVM environment, the popular image format is qcow2, which outperforms the first generation of qcow format and raw format. You can find the files of virtual disks by checking the information of virtual machine by virsh command:

[root@hypervisor-machine ~]# virsh dominfo virtual-machine-name

INFO
ID: {e59ae416-9314-4e4b-af07-21c31d91b3fb}
EnvID: 1704649750
Name: CentOS7minimal
Description:
Type: VM
State: stopped
OS: centos7
Template: no
Uptime: 00:00:00 (since 2019-04-25 13:04:11)
Home: /vz/vmprivate/e39ae416-9314-4e4b-af05-21c31d91b3fb/
Owner: root@.
GuestTools: state=not_installed
GuestTools autoupdate: on
Autostart: off
Autostop: shutdown
Autocompact: off
Boot order: hdd0 cdrom0
EFI boot: off
Allow select boot device: off
External boot device:
On guest crash: restart
Remote display: mode=manual port=6903 address=0.0.0.0
Remote display state: stopped
Hardware:
  cpu sockets=1 cpus=2 cores=2 VT-x accl=high mode=64 ioprio=4 iolimit='0'
  memory 2048Mb
  video 32Mb 3d acceleration=off vertical sync=yes
  memory_guarantee auto
  hdd0 (+) scsi:0 image='/vz/vmprivate/e59ae415-9314-4e4b-af05-21c31d91b3fb/harddisk.hdd' type='expanded' 5120Mb subtype=virtio-scsi
  cdrom0 (+) scsi:1 image='/home/CentOS-7-x86_64-Minimal-1611.iso' state=disconnected subtype=virtio-scsi
  usb (+)
  net0 (+) dev='vme42bef5f3' network='Bridged' mac=001C42BEF5F3 card=virtio ips='10.50.50.27/255.255.255.192 ' gw='10.50.50.1'
SmartMount: (-)
Disabled Windows logo: on
Nested virtualization: off
Offline management: (-)
Hostname: kvmhost.fqdn.com


2. Convert the harddrive to VMDK

[root@hypervisor-machine e59ae415-9314-4e4b-af05-21c31d91b3fb]# ls -lsah

1.3G -rw-r—– 1 root root 1.3G Apr 25 14:43 harddisk.hdd

a. Converstion with qemu:

You can use qemu-img tool that is installable via cmds:

yum install quemu-img / apt install qemu-img / zipper install qemu-img (depending on the distribution RedHat / Debian / SuSE Linux)

-f: format of the source image

-O: format of the target image

[root@hypervisor-machine ~]# qemu-img convert -f qcow2 -O vmdk \-o adapter_type=lsilogic,subformat=streamOptimized,compat6 harddisk.hdd harddisklsilogic.vmdk

 

[root@ hypervisor-machine e59ae415-9314-4e4b-af05-21c31d91b3fb]# ls -lsah

1.3G -rw-r—– 1 root root 1.3G Apr 25 14:43 harddisk.hdd

536M -rw-r–r– 1 root root 536M Apr 26 14:52 harddisklsilogic.vmdk

3. Upload the new harddrive to the ESXi Hypervisor and adapt it to ESX

This vmdk might not be able to used on ESXi, but you can use it on VMware Workstation. To let it work on ESXi, you need to use vmkfstools to convert it again.

 

a. Adapt the filesystem to ESXi

[root@hypervisor-machine ~]# vmkfstools -i harddisklsilogic.vmdk  -d thin harddisk.vmdk

 

4. Create a VM and add the converted harddrive to the machine. 

Futher

Recreate the initramfs

But of course this won’t work directly as it often happens with Linux 🙂 !!. 
We need to make adjustments to the virtual machine as well with few manual interventions:

1. Start the machine from the VMWare interface

2. Grub CentOS Linux rescue will appear from the prompt

3. Run command

dracut –regenerate-all –force


to Recreate the initramfs.
 

Note that You might also have to edit your network configuration since your network device usually get’s a different name.
 

Finally reboot the host:

[root@hypervisor-machine ~]# reboot


And voila you’re ready to play the VM inside the ESX after some testing, you might switch off the KVM Hypervisor hosted VM and reroute the network to point to the ESX Cluster.

 

Tags: , , , , , , , , ,
Posted in Linux, Migration, System Administration, Virtual Machines | No Comments »

How to redirect TCP port traffic from Internet Public IP host to remote local LAN server, Redirect traffic for Apache Webserver, MySQL, or other TCP service to remote host

Thursday, September 23rd, 2021

 

 

Linux-redirect-forward-tcp-ip-port-traffic-from-internet-to-remote-internet-LAN-IP-server-rinetd-iptables-redir

 

 

1. Use the good old times rinetd – internet “redirection server” service


Perhaps, many people who are younger wouldn't remember rinetd's use was pretty common on old Linuxes in the age where iptables was not on the scene and its predecessor ipchains was so common.
In the raise of mass internet rinetd started loosing its popularity because the service was exposed to the outer world and due to security holes and many exploits circulating the script kiddie communities
many servers get hacked "pwned" in the jargon of the script kiddies.

rinetd is still available even in modern Linuxes and over the last years I did not heard any severe security concerns regarding it, but the old paranoia perhaps and the set to oblivion makes it still unpopular soluttion for port redirect today in year 2021.
However for a local secured DMZ lans I can tell you that its use is mostly useful and I chooes to use it myself, everynow and then due to its simplicity to configure and use.
rinetd is pretty standard among unixes and is also available in old Sun OS / Solaris and BSD-es and pretty much everything on the Unix scene.

Below is excerpt from 'man rinetd':

 

DESCRIPTION
     rinetd redirects TCP connections from one IP address and port to another. rinetd is a single-process server which handles any number of connections to the address/port pairs
     specified in the file /etc/rinetd.conf.  Since rinetd runs as a single process using nonblocking I/O, it is able to redirect a large number of connections without a severe im‐
     pact on the machine. This makes it practical to run TCP services on machines inside an IP masquerading firewall. rinetd does not redirect FTP, because FTP requires more than
     one socket.      rinetd is typically launched at boot time, using the following syntax:      /usr/sbin/rinetd      The configuration file is found in the file /etc/rinetd.conf, unless another file is specified using the -c command line option.

To use rinetd on any LInux distro you have to install and enable it with apt or yum as usual. For example on my Debian GNU / Linux home machine to use it I had to install .deb package, enable and start it it via systemd :

 

server:~# apt install –yes rinetd

server:~#  systemctl enable rinetd


server:~#  systemctl start rinetd


server:~#  systemctl status rinetd
● rinetd.service
   Loaded: loaded (/etc/init.d/rinetd; generated)
   Active: active (running) since Tue 2021-09-21 10:48:20 EEST; 2 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 1 (limit: 4915)
   Memory: 892.0K
   CGroup: /system.slice/rinetd.service
           └─1364 /usr/sbin/rinetd


rinetd is doing the traffic redirect via a separate process daemon, in order for it to function once you have service up check daemon is up as well.

root@server:/home/hipo# ps -ef|grep -i rinet
root       359     1  0 16:10 ?        00:00:00 /usr/sbin/rinetd
root       824 26430  0 16:10 pts/0    00:00:00 grep -i rinet

+ Configuring a new port redirect with rinetd

 

Is pretty straight forward everything is handled via one single configuration – /etc/rinetd.conf

The format (syntax) of a forwarding rule is as follows:

     [bindaddress] [bindport] [connectaddress] [connectport]


Besides that rinetd , could be used as a primitive firewall substitute to iptables, general syntax of allow deny an IP address is done with (allow, deny) keywords:
 

allow 192.168.2.*
deny 192.168.2.1?


To enable logging to external file ,you'll have to include in the configuration:

# logging information
logfile /var/log/rinetd.log

Here is an example rinetd.conf configuration, redirecting tcp mysql 3306, nginx on port 80 and a second web service frontend for ILO to server reachable via port 8888 and a redirect from External IP to local IP SMTP server.

 

#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
# allow 192.168.2.*
# deny 192.168.2.1?


#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindadress    bindport  connectaddress  connectport


# logging information
logfile /var/log/rinetd.log
83.228.93.76        80            192.168.0.20       80
192.168.0.2        3306            192.168.0.19        3306
83.228.93.76        443            192.168.0.20       443
# enable for access to ILO
83.228.93.76        8888            192.168.1.25 443
127.0.0.1    25    192.168.0.19    25


83.228.93.76 is my external ( Public )  IP internet address where 192.168.0.20, 192.168.0.19, 192.168.0.20 (are the DMZ-ed Lan internal IPs) with various services.

To identify the services for which rinetd is properly configured to redirect / forward traffic you can see it with netstat or the newer ss command
 

root@server:/home/hipo# netstat -tap|grep -i rinet
tcp        0      0 www.pc-freak.net:8888   0.0.0.0:*               LISTEN      13511/rinetd      
tcp        0      0 www.pc-freak.n:http-alt 0.0.0.0:*               LISTEN      21176/rinetd        
tcp        0      0 www.pc-freak.net:443   0.0.0.0:*               LISTEN      21176/rinetd      

 

+ Using rinetd to redirect External interface IP to loopback's port (127.0.0.1)

 

If you have the need to redirect an External connectable living service be it apache mysql / privoxy / squid or whatever rinetd is perhaps the tool of choice (especially since there is no way to do it with iptables.

If you want to redirect all traffic which is accessed via Linux's loopback interface (localhost) to be reaching a remote host 11.5.8.1 on TCP port 1083 and 1888, use below config

# bindadress    bindport  connectaddress  connectport
11.5.8.1        1083            127.0.0.1       1083
11.5.8.1        1888            127.0.0.1       1888

 

For a quick and dirty solution to redirect traffic rinetd is very useful, however you'll have to keep in mind that if you want to redirect traffic for tens of thousands of connections constantly originating from the internet you might end up with some disconnects as well as notice a increased use of rinetd CPU use with the incrased number of forwarded connections.

 

2. Redirect TCP / IP port using DNAT iptables firewall rules

 

Lets say you have some proxy, webservice or whatever service running on port 5900 to be redirected with iptables.
The easeiest legacy way is to simply add the redirection rules to /etc/rc.local​. In newer Linuxes rc.local so if you decide to use,
you'll have to enable rc.local , I've written earlier a short article on how to enable rc.local on newer Debian, Fedora, CentOS

 

# redirect 5900 TCP service 
sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -t nat -I PREROUTING -p tcp –dport 5900 -j REDIRECT –to-ports 5900
iptables -t nat -I OUTPUT -p tcp -o lo –dport 5900 -j REDIRECT –to-ports 5900
iptables -t nat -A OUTPUT -o lo -d 127.0.0.1 -p tcp –dport 5900 -j DNAT  –to-destination 192.168.1.8:5900
iptables -t nat -I OUTPUT –source 0/0 –destination 0/0 -p tcp –dport 5900 -j REDIRECT –to-ports 5900

 

Here is another two example which redirects port 2208 (which has configured a bind listener for SSH on Internal host 192.168.0.209:2208) from External Internet IP address (XXX.YYY.ZZZ.XYZ) 
 

# Port redirect for SSH to VM on openxen internal Local lan server 192.168.0.209 
-A PREROUTING  -p tcp –dport 2208 -j DNAT –to-destination 192.168.0.209:2208
-A POSTROUTING -p tcp –dst 192.168.0.209 –dport 2208 -j SNAT –to-source 83.228.93.76

 

3. Redirect TCP traffic connections with redir tool

 

If you look for an easy straight forward way to redirect TCP traffic, installing and using redir (ready compiled program) might be a good idea.


root@server:~# apt-cache show redir|grep -i desc -A5 -B5
Version: 3.2-1
Installed-Size: 60
Maintainer: Lucas Kanashiro <kanashiro@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.15)
Description-en: Redirect TCP connections
 It can run under inetd or stand alone (in which case it handles multiple
 connections).  It is 8 bit clean, not limited to line mode, is small and
 light. Supports transparency, FTP redirects, http proxying, NAT and bandwidth
 limiting.
 .
 redir is all you need to redirect traffic across firewalls that authenticate
 based on an IP address etc. No need for the firewall toolkit. The
 functionality of inetd/tcpd and "redir" will allow you to do everything you
 need without screwy telnet/ftp etc gateways. (I assume you are running IP
 Masquerading of course.)
Description-md5: 2089a3403d126a5a0bcf29b22b68406d
Homepage: https://github.com/troglobit/redir
Tag: interface::daemon, network::server, network::service, role::program,
 use::proxying
Section: net
Priority: optional
 

 

server:~# apt-get install –yes redir

Here is a short description taken from its man page 'man redir'

 

DESCRIPTION
     redir redirects TCP connections coming in on a local port, [SRC]:PORT, to a specified address/port combination, [DST]:PORT.  Both the SRC and DST arguments can be left out,
     redir will then use 0.0.0.0.

     redir can be run either from inetd or as a standalone daemon.  In –inetd mode the listening SRC:PORT combo is handled by another process, usually inetd, and a connected
     socket is handed over to redir via stdin.  Hence only [DST]:PORT is required in –inetd mode.  In standalone mode redir can run either in the foreground, -n, or in the back‐
     ground, detached like a proper UNIX daemon.  This is the default.  When running in the foreground log messages are also printed to stderr, unless the -s flag is given.

     Depending on how redir was compiled, not all options may be available.

 

+ Use redir to redirect TCP traffic one time

 

Lets say you have a MySQL running on remote machine on some internal or external IP address, lets say 192.168.0.200 and you want to redirect all traffic from remote host to the machine (192.168.0.50), where you run your Apache Webserver, which you want to configure to use
as MySQL localhost TCP port 3306.
Assuming there are no irewall restrictions between Host A (192.168.0.50) and Host B (192.168.0.200) is already permitting connectivity on TCP/IP port 3306 between the two machines.

To open redirection from localhost on 192.168.0.50 -> 192.168.0.200:

 

server:~# redir –laddr=127.0.0.1 –lport=3306 –caddr=192.168.0.200 –cport=3306

 

If you need other third party hosts to be additionally reaching 192.168.0.200 via 192.168.0.50 TCP 3306.

root@server:~# redir –laddr=192.168.0.50 –lport=3306 –caddr=192.168.0.200 –cport=3306


Of course once you close, the /dev/tty or /dev/vty console the connection redirect will be cancelled.

 

+ Making TCP port forwarding from Host A to Host B permanent


One solution to make the redir setup rules permanent is to use –rinetd option or simply background the process, nevertheless I prefer to use instead GNU Screen.
If you don't know screen is a vVrtual Console Emulation manager with VT100/ANSI terminal emulation to so, if you don't have screen present on the host install it with whatever Linux OS package manager is present and run:

 

root@server:~#screen -dm bash -c 'redir –laddr=127.0.0.1 –lport=3306 –caddr=192.168.0.200 –cport=3306'

 

That would run it into screen session and detach so you can later connect, if you want you can make redir to also log connections via syslog with ( -s) option.

I found also useful to be able to track real time what's going on currently with the opened redirect socket by changing redir log level.

Accepted log level is:

 

  -l, –loglevel=LEVEL
             Set log level: none, err, notice, info, debug.  Default is notice.

 

root@server:/ # screen -dm bash -c 'redir –laddr=127.0.0.1 –lport=3308 –caddr=192.168.0.200 –cport=3306 -l debug'

 

To test connectivity works as expected use telnet:
 

root@server:/ # telnet localhost 3308
Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.
g
5.5.5-10.3.29-MariaDB-0+deb10u1-log�+c2nWG>B���o+#ly=bT^]79mysql_native_password

6#HY000Proxy header is not accepted from 192.168.0.19 Connection closed by foreign host.

once you attach to screen session with

 

root@server:/home #  screen -r

 

You will get connectivity attempt from localhost logged : .
 

redir[10640]: listening on 127.0.0.1:3306
redir[10640]: target is 192.168.0.200:3306
redir[10640]: Waiting for client to connect on server socket …
redir[10640]: target is 192.168.0.200:3306
redir[10640]: Waiting for client to connect on server socket …
redir[10793]: peer IP is 127.0.0.1
redir[10793]: peer socket is 25592
redir[10793]: target IP address is 192.168.0.200
redir[10793]: target port is 3306
redir[10793]: Connecting 127.0.0.1:25592 to 127.0.0.1:3306
redir[10793]: Entering copyloop() – timeout is 0
redir[10793]: Disconnect after 1 sec, 165 bytes in, 4 bytes out

The downsides of using redir is redirection is handled by the separate process which is all time hanging in the process list, as well as the connection redirection speed of incoming connections might be about at least 30% slower to if you simply use a software (firewall ) redirect such as iptables. If you use something like kernel IP set ( ipsets ). If you hear of ipset for a first time and you wander whta it is below is short package description.

 

root@server:/root# apt-cache show ipset|grep -i description -A13 -B5
Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>
Architecture: amd64
Provides: ipset-6.38
Depends: iptables, libc6 (>= 2.4), libipset11 (>= 6.38-1~)
Breaks: xtables-addons-common (<< 1.41~)
Description-en: administration tool for kernel IP sets
 IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel which can be
 administered by the ipset(8) utility. Depending on the type, currently an
 IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with
 MAC addresses in a  way which ensures lightning speed when matching an
 entry against a set.
 .
 If you want to
 .
  * store multiple IP addresses or port numbers and match against the
    entire collection using a single iptables rule.
  * dynamically update iptables rules against IP addresses or ports without
    performance penalty.
  * express complex IP address and ports based rulesets with a single
    iptables rule and benefit from the speed of IP sets.
 .
 then IP sets may be the proper tool for you.
Description-md5: d87e199641d9d6fbb0e52a65cf412bde
Homepage: http://ipset.netfilter.org/
Tag: implemented-in::c, role::program
Section: net
Priority: optional
Filename: pool/main/i/ipset/ipset_6.38-1.2_amd64.deb
Size: 50684
MD5sum: 095760c5db23552a9ae180bd58bc8efb
SHA256: 2e2d1c3d494fe32755324bf040ffcb614cf180327736c22168b4ddf51d462522

Tags: , , , , , , , , , , , , , , , , , , , , ,
Posted in Linux, System Administration, Various | No Comments »

The end of the work week :)

Friday, February 1st, 2008

One more week passed without serious server problems. Yesterday after upgrade to debian 4.0rc2 with

apt-get dist-upgrade and reboot the pc-freak box became unbootable.

I wasn’t able to fix it until today because the machine’s box seemed not to read cds well.The problem was consisted of this that after the boot process of the linux kernel has started the machine the boot up was interrupted with a message saying
/sbin/init is missing

and I was dropped to a busybox without being able to read nothing from my filesystem.Thankfully nomen came to Dobrich for the weekend and today he bring me his cdrom-drive I booted with the debian.

Using Debian’s linux rescue I mounted the partition to check what’s wrong. I suspected something is terribly wrong with the lilo’s conf.

Looking closely to it I saw it’s the lilo conf file it was setupped to load a initrd for the older kernel. changing the line to thenew initrd in /etc/lilo.conf and rereading the lilo; /sbin/lilo -C; /sbin/lilo;

fixed the mess and pc-freak booted succesfully! 🙂

Yesterday I had to do something kinky. It was requested from a client to have access to a mysql service of one of the company servers,the problem was that the client didn’t have static IP so I didn’t have a good way to put into the current firewall.

Everytime the adsl they use got restarted a new absolutely random IP from all the BTC IP ranges was assigned.

The solution was to make a port redirect to a non-standard mysql port (XXXXX) which pointed to the standard 3306 service. I had to tell the firewall not to check the coming IPs on the non-standard port (XXXXX) against the 3306 service fwall rules.

Thanks to the help of a guy inirc.freenode.net #iptables jengelh I figured out the solution.

To complete the requested task it was needed to mark all packagescoming into port (XXXXX) using the iptables mangle option and to add a rule to ACCEPT all marked packages.

The rules looked like this

/sbin/iptables -t mangle -A PREROUTING -p tcp –dport XXXXX -j MARK –set-mark 123456/sbin/iptables -t nat -A PREROUTING -d EXTERNAL_IP -i eth0 -p tcp –dport XXXXX -j DNAT –to-destination EXTERNAL_IP:3306

/sbin/iptables -t filter -A INPUT -p tcp –dport 3306 -m mark –mark 123456 -j ACCEPT .

Something I wondered a bit was should /proc/sys/net/ipv4/ip_forward in order for the above redirect to be working, in case you’re wondering too well it doesn’t 🙂 The working week was a sort of quiteful no serious problems with servers and work no serious problems at school (although I see me and my collegues become more and more unserious) at studying. My grand parentsdecided to make me a gift and give me money to buy a laptop and I’m pretty happy for this 🙂 All that is left is to choose a good machine with hardware supported both by FreeBSD and Linux.

END—–

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Everyday Life | No Comments »