Basic iptables Configuration

It’s always a good idea to setup a local firewall on hosts that are on unprotected networks. The internet “winds” blow harder and harder each day, and it’s only a matter of time before some daemon has an exploit that gets taken advantage of. I use CentOS 5 for all my web servers, and here is an example of the script I use to create a DEFAULT TO DENY set of firewall rules. This script generates a file called iptables in /etc/sysconfig.

I used to create a special rule for MySQL that only allowed connections from my own network, but lately I have been omitting this rule and tunneling the connection through ssh instead. That is why it is commented out in the script below.


### SCRIPT ###
#!/bin/sh
# Drop all incoming traffic
/sbin/iptables -P INPUT DROP
# Drop all forwarded traffic
/sbin/iptables -P FORWARD DROP
# Allow all outgoing traffic
/sbin/iptables -P OUTPUT ACCEPT
# Allow returning packets
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming traffic on port 80 for web server
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow MySQL only from a certain network
/sbin/iptables -A INPUT -p tcp -m tcp -s XXX.XXX.XXX.0/24 --dport 3306 -j ACCEPT
# Allow local traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Allow incoming SSH on port 22
#/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow ping
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables-save > /etc/sysconfig/iptables
chmod go-r /etc/sysconfig/iptables
/sbin/sudo service iptables restart
### /SCRIPT ###

Here is what /etc/sysconfig/iptables looks like after running this script:


# Generated by iptables-save v1.3.5 on Wed Dec 31 13:47:40 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:8972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Wed Dec 31 13:47:40 2008

After you are done, make sure you have iptables setup to start when the system boots.


# /sbin/chkconfig --list | grep iptables

iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off

If it’s not on, just run:

/sbin/chkconfig iptables on

Bare Metal Linux Restore

Several weeks ago we started seeing some pretty scary errors showing up on the main system disk for our Blackboard server. We had an extra server hanging around, so we decided to move all the data off the failing disk and onto our spare server. The only question was how to make the new server as close to a perfect copy of the old one as possible. Simply restoring all the filesystems failed for a variety of reasons, mostly related to GRUB and the kernel, so I had to find a way of excluding only the files and directories that were tied to the specific model of server.

To do this, I started by installing a minimal copy of RHEL 4, making sure to lay the filesystems out in exactly the same way as they were on the old server. I then went through several experiments, leaving just the bare minimum files and directories required for the hardware and booting, but formatting all other filesystems and restoring the data from our old server. In the end, the below process resulted in system that worked perfectly, and very closely mirrored the original server.
Continue reading

RHEL System Configuration Changes for Oracle 10G

Below is a list of RHEL system configuration changes that Oracle 10G requires before it is installed.

First, check the following kernel parameters using the commands below:


/sbin/sysctl -a | grep kernel.shmall
/sbin/sysctl -a | grep kernel.shmmax
/sbin/sysctl -a | grep kernel.shmmni
/sbin/sysctl -a | grep kernel.sem
/sbin/sysctl -a | grep fs.file-max
/sbin/sysctl -a | grep net.ipv4.ip_local_port_range
/sbin/sysctl -a | grep net.core.rmem_default
/sbin/sysctl -a | grep net.core.rmem_max
/sbin/sysctl -a | grep net.core.wmem_default
/sbin/sysctl -a | grep net.core.wmem_max

If any parameters are lower than the examples below, you will have to increase them by editing “/etc/sysctl.conf” file, adding the appropriate lines as expressed below. If the current value is higher, leave it as is.

kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
net.core.wmem_max = 262144

Next, edit your “/etc/security/limits.conf” file, adding the following lines:

oracle          soft    nproc           2047
oracle          hard    nproc           16384
oracle          soft    nofile          1024
oracle          hard    nofile          65536

If your current “/etc/pam.d/login” file does not already contain the following line, add it:

session    required     pam_limits.so

Finally, add the following lines to your "/etc/profile" file:

#Tweaks for Oracle
if [ $USER = "oracle" ]; then
    if [ $SHELL = "/bin/ksh" ]; then
    ulimit -p 16384
    ulimit -n 65536
    else
    ulimit -u 16384 -n 65536
    fi
fi

These are just the basic steps I take. See the “Oracle Database Installation Guide” for more complete instructions.

How to Make Gnarly Big Linux Filesystems

At least in RHEL 4, the fdisk command does not support the creation of filesystems larger than 2TB. In order to get around it, you have to use the parted command. I found the basic info here, but this is the long and short of how to cut off a big ol’ slice of disk using parted:

Run parted

# /sbin/parted

It’s interactive, so the following commands are issued within the utility.

1) Make the disk label

(parted) mklabel gpt

2) Create the partition

(parted) mkpart primary 0 -1

3) Verify

(parted) print


Disk geometry for /dev/sda: 0.000-38146.972 megabytes
Disk label type: msdos
Minor    Start       End     Type      Filesystem  Flags
1          0.031    101.975  primary   ext3        boot
2        101.975  38146.530  primary               lvm

4) Exit the GNU Parted command shell

(parted) quit

5) Finally, make the filesystem:

# mkfs.ext3 -m0 -F /dev/sdb1

6)Finally, you don’t want to wait for that big filesystem to fsck from time to time, so make sure it does not get checked unless you run the command yourself:

# tune2fs -c0 -i0 /dev/sdb1

That should just about do it. Remember that only RHEL 4 and higher can support filesystems larger than 2TB. If I remember correctly RHEL 3 can go up to 2TB, RHEL4 can handle 8TB, and RHEL 5 can make a whopping 16TB chunk of disk. Have fun!

Strange X11 Forwarding Problem

I started getting this error:
X11 connection rejected because of wrong authentication
when trying to forward X11 applications from a Linux server to my Mac. I had been forwarding the display on this server for years, so I was a little unsure what could be causing it. In the end, it turned out that I had filled up /var, and X11 could not write to “/var/log/XFree86.0.log”. It was an easy fix, but the error was certainly no help.

RHEL useradd Syntax

Unlike other flavors of UNIX, RHEL does not have a command like adduser which walks you through the process step-by-step, so you have to remember the four flags useradd requires, and in what order it expects to receive them. Since I don’t manually add users unless I’m installing a new server, I don’t run the command enough to remember the syntax… It’s basically the same as it is on Solaris.

useradd -g group -c 'User Name' -d /path/to/home/directory -s /bin/bash username