Tag Archives: Linux How to

Unix Similar multi-user operating systems based on the Linux kernel and essentially on GNU software. Like CentOS, Debian, Ubuntu Fedora.

How to Check and Set Linux systemd Runlevels

Runlevel today implemented on systemd, previously most Linux distributions were equipped with the init system, Sys-V style. Sys-V used seven different runlevels to determine which processes can be started on the system. For example, runlevel 3 was usually reserved for the command line and associated programs, while runlevel 5 launched a GUI and all the processes required to do so. Results may vary by distribution.

The vast majority of Linux distributions have adopted systemd as their init system. Some distributions still use Sys-V where the traditional implementation of runlevels still exists. The systemd implementation adopted the concept of runlevels, converting them to systemd “targets”.

On some systems there are still scraps of Sys-V, on which commands such as runlevel can still be found. But some modern systemd distributions have completely eradicated this support. In this tutorial we show how to check the current runlevel on Linux.

Check current Linux runlevel?

Check current Linux runlevel?

Below are two commands to determine the current Linux runlevel.

$ runlevel
N 5
$ who -r
  run-level 5 2022-11-07 14:52

As you can see, runlevel 5 has started here. Alternatively, the command who -r can be ran. The runlevel command is only available on some systemd distributions, but should work on any sys-V system.

The different runlevels were assigned to corresponding systemd targets. This command can be used to check the targets.

$ ls -l /lib/systemd/system/runlevel*

Below is the output of the runlevels at a Linux Mint, which is based on Ubuntu/Debian.

$ lrwxrwxrwx 1 root root 15 Aug 31 17:27 /lib/systemd/system/runlevel0.target -> poweroff.target
lrwxrwxrwx 1 root root 13 Aug 31 17:27 /lib/systemd/system/runlevel1.target -> rescue.target
lrwxrwxrwx 1 root root 17 Aug 31 17:27 /lib/systemd/system/runlevel2.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Aug 31 17:27 /lib/systemd/system/runlevel3.target -> multi-user.target
lrwxrwxrwx 1 root root 17 Aug 31 17:27 /lib/systemd/system/runlevel4.target -> multi-user.target
lrwxrwxrwx 1 root root 16 Aug 31 17:27 /lib/systemd/system/runlevel5.target -> graphical.target
lrwxrwxrwx 1 root root 13 Aug 31 17:27 /lib/systemd/system/runlevel6.target -> reboot.target

/lib/systemd/system/runlevel1.target.wants:
Total 0

/lib/systemd/system/runlevel2.target.wants:
Total 0

/lib/systemd/system/runlevel3.target.wants:
Total 0

/lib/systemd/system/runlevel4.target.wants:
Total 0

/lib/systemd/system/runlevel5.target.wants:
Total 0

Linux Runlevels

0Halt shut down the system
1Single-user mode (Rescue and special administration)
2Multi-user mode not start network interfaces and daemons
3Multi-user mode with Networking starts system normally
4Not Used
5Multi-user mode as runlevel 3 + display manager X11 GUI
6Reboot the system

As with runlevels, there are 7 systemd targets by default. The two main targets are multi-user.target and graphical.target. The following command displays the default systemd targets.

$ systemctl get-default
graphical.target

In this example, graphical.target is started, which makes sense because we need a graphical desktop environment. On a server where often no GUI is running, multi-user.target is usually started.

$ systemctl get-default
multi-user.target

Use the command to see which services are associated with this target.

$ systemctl list-dependencies graphic.target
graphic.target

Try the following command to see which systemd target (or runlevel) a service needs to run. In this example, we check the SSH service.

$ systemctl show -p WantedBy sshd.service
WantedBy=multi-user.target

How to set systemd?

The Linux systemd runlevel can be set with this command.

$ sudo systemctl set-default multi-user.target

The next time the system boots in multi-user mode (multi-user.target).

How to use iptables and configuring

How does iptables work? Here’s how it works

iptables is a userspace-utility for the Linux-kernel firewall. It iptables chain rule is used to modify packet filters and configure the Linux firewall, which monitors traffic to and from the server, using tables. The tables contain rule sets, called chains, that filter incoming and outgoing data packets.

iptables chain rule and configuring

When a packet matches a iptables rule, it is assigned to a destination, which can be another chain or one of these values:

  • ACCEPT – lets the package pass.
  • DROP – does not allow the package to pass.
  • RETURN – prevents the packet from going through a chain and instructs it to return to the previous chain.

This tutorial works with one of the standard tables called filter, consisting of three iptables chains:

  • INPUT – directs incoming packets to the server.
  • FORWARD – filters incoming packets that are forwarded.
  • OUTPUT – Filter the packets coming from the server.

  iptables can be used with Linux Uncomplicated Firewall (ufw) as well as with firewalld. iptables rules apply only to IPv4. If the firewall is used for the IPv6 protocol, ip6tables must be used instead.

iptables installation

Create an SSH terminal to the server with root access, or become root with sudo permission, with sudo su - on Ubuntu/Debian Linux.

iptables comes pre-installed on most Linux distributions. However, if it is not present by default, the following steps must be performed on an Ubuntu/Debian system.

$ sudo apt-get update
$ sudo apt-get install iptables

Check the status of the current iptables chain rule packet by run the next command.

$ iptables -vnL

The -L option is used to list all rules, the numeric output of addresses and ports with -n, and -v is used to display in a more verbose format. As shown with this sample output.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in out   source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in out   source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in out   source destination

At this point, you will notice that all chains are set to ACCEPT and no rules are defined. So the system is not protected because every packet gets through without filtering.

Don’t worry! How to define rules can be learned in the next step of this iptables tutorial.

Defining Chain Rules

Defining a rule means appending it to the chain. To do this, the -A (Append) option must be add directly after the iptables command.

iptables is instructed to append a new rule into the chain. Subsequently, other options can be applied in combination.

-i (interface)the network interface whose traffic you want to filter, e.g. eth0, lo, ppp0, etc.
-p (protocol)the network protocol in which the filtering process takes place. It can be either tcp, udp, udplite, icmp, sctp, icmpv6 and so on. Alternatively, type all to select each protocol.
-s (source)the address from which the traffic originates. A host name or IP address can be used.
–dport (dest. port)the destination port number of a protocol, for example: 22 (SSH), 443 (HTTPS), and so on.
-j (target) the target name (ACCEPT / DROP / RETURN). Insert each time a new rule is created.

The iptables command syntax must be written in this order.

$ sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no> -j <destination>

Once you understand the basic syntax, you can start configuring the firewall to give the server more security. Here we use the INPUT chain in this example.

Accept traffic on localhost

For most requirements the localhost is not restricted. To allow traffic on localhost then ran this command.

$ sudo iptables -A INPUT -i lo -j ACCEPT

The lo or loopback interface is used for all connections on the localhost. The above command ensures that the connections between a database and a Web application work correctly on the same system.

Accept connections on HTTP, HTTPS and SSH

Next, we want http (port 80), https (port 443) and ssh (port 22) connections to work as usual. To do this, we need to pass the protocol (-p) and the corresponding port (–dport), ran this command one by one.

$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

It is now time to check if the rules are appended in iptables.

$ iptables -vnL

Displaying the rules in chains with the List -L option similary like this.

Chain INPUT (1 references)
 pkts bytes target     prot opt in     out    source         destination
2798K  156M ACCEPT     tcp  --  *      *      0.0.0.0/0      0.0.0.0/0       tcp dpt:22 ctstate NEW
 114K 5508K ACCEPT     tcp  --  *      *      0.0.0.0/0      0.0.0.0/0       tcp dpt:80 ctstate NEW
65438 2804K ACCEPT     tcp  --  *      *      0.0.0.0/0      0.0.0.0/0       tcp dpt:443 ctstate NEW

Filter packets from sources

iptables can filter packets based on an IP address or a range of IP addresses. To do this, you must specify the -s option. For example, to accept packets from 192.168.2.4, the command is.

$ sudo iptables -A INPUT -s 192.168.2.4 -j ACCEPT

It is also possible to reject packets from a specific IP address by replacing the destination ACCEPT with DROP.

$ sudo iptables -A INPUT -s 192.168.2.4 -j DROP

To drop packets from a number of IP addresses, use the -m option and the iprange module. The IP address range is specified with —src-range. Remember that a hyphen should separate the range of IP addresses without spaces, here as follows.

$ sudo iptables -A INPUT -m iprange --src-range 192.168.8.80-192.168.8.90 -j DROP

Drop all other traffic

It is important to use DROP as the destination for all remaining traffic after the –dport rules have been defined. This prevents unauthorized connections from accessing the server through other open ports. To do this, simply enter the following.

$ sudo iptables -A INPUT -j DROP

Now the connection will be rejected following the added filter.

iptables delete rules

If you want to remove all rules and start clean, use option -F (Flush).

$ sudo iptables -F

This command deletes all current rules. However, to delete a specific rule, use the -D option. All available rules are displayed first, as the following command shows.

$ sudo iptables -nL --line-numbers

A list of rules with numbers will see in the output.

Chain INPUT (policy ACCEPT)
num  target     prot opt source           destination
1    ACCEPT     all -- 192.168.8.8        anywhere
2    ACCEPT     tcp -- anywhere           anywhere tcp dpt:https
3    ACCEPT     tcp -- anywhere           anywhere tcp dpt:http
4    ACCEPT     tcp -- anywhere           anywhere tcp dpt:ssh

To delete a rule, use the corresponding chain and number from the list. For this example, suppose we want to delete rule number one (1) of the INPUT chain. The command to do this is as follows.

$ sudo iptables -D INPUT 1

Conclusion

iptables is a powerful userspace-utility for the Linux firewall that can be used to protect Linux servers. A big benefit is that different rules can be defined based on your own preferences.

In this iptables tutorial you will learn how to install and use the tool. We hope that custom rule sets can be managed to filter incoming and outgoing packets.

The next related post might also be helpful, see in GeoIP Firewall Configuration on Debian and Ubuntu.