Posts Tagged ‘linux’

Iptables Tricks and Tweaks

Monday, December 22nd, 2008

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log spoofed packets, source routed packets and ICMP redirects ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (ports are 16 bit, so the upper bound is 65535; 65536 is rejected by the kernel)
net.ipv4.ip_local_port_range = 16384 65535

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# System limit modifications for Ensim
fs.file-max = 65000
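A quick way to verify that the security-relevant settings above actually took effect on a running box, added here as an example (not part of the original post): the script compares live sysctl values with the expected ones and prints one DRIFT line per mismatch. Only read_sysctl touches the system; setting SNAPSHOT to a constructed "key value" list lets you dry-run the comparison.

```shell
#!/bin/sh
# Added example: audit a running kernel against the hardening values above.
# Expected values: the security-relevant subset of the sysctl.conf shown above.
EXPECTED='net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
kernel.sysrq 0'

# Reads the live value of one key. If SNAPSHOT (a constructed "key value"
# list, one per line) is set, it is consulted instead of the running kernel,
# which makes the rest of the script testable offline.
read_sysctl() {
    if [ -n "${SNAPSHOT:-}" ]; then
        printf '%s\n' "$SNAPSHOT" |
            awk -v k="$1" '$1 == k { print $2; f = 1 } END { if (!f) print "MISSING" }'
    else
        sysctl -n "$1" 2>/dev/null || echo MISSING
    fi
}

# Prints "DRIFT <key> expected=<want> actual=<have>" for every key whose live
# value differs from the hardening set (a missing key also counts as drift).
audit_sysctl() {
    printf '%s\n' "$EXPECTED" | while read -r key want; do
        have=$(read_sysctl "$key")
        [ "$have" = "$want" ] ||
            printf 'DRIFT %s expected=%s actual=%s\n' "$key" "$want" "$have"
    done
}

# Run it against the live kernel (prints nothing when everything matches).
audit_sysctl
```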

ip_conntrack table full: this is the table the kernel uses to track connections, including forwarded ones. To see the current limit on tracked connections:
sysctl net.ipv4.netfilter.ip_conntrack_max

It should be safe to double the number (2x below stands for twice the current value):
sysctl -w net.ipv4.netfilter.ip_conntrack_max=2x

If that causes no problems, edit /etc/sysctl.conf and add the following line:
net.ipv4.netfilter.ip_conntrack_max=2x

This makes the change permanent, so it survives a reboot of the box.

Various Tricks

Saturday, December 13th, 2008
dpkg-reconfigure -phigh xserver-xorg    # reconfigures the X.org server
http://www.realvnc.com/products/free/4.1/x0.html
http://wiki.debian.org/FluxBox

Remove files in a directory when rm won't work (typically "Argument list too long" in a directory with a huge number of files):
find /home/$u/tmp/ -name '*.wrk' -print0 | xargs -0 rm -f    # $u holds the user's login name
find . -name 'spam-*' -print0 | xargs -0 rm
find /some/directory -name '*.wrk' -print0 | xargs -n1000 -0 rm -f
ls | xargs -n1000 rm -f    # ls output is newline-separated, so no -0 here; only safe for names without whitespace

Screen Tips

Saturday, October 4th, 2008

A few snippets to make your prompt look better when using screen on Linux.

Add the below to your .bashrc so each tab created when you open a new screen window shows user@hostname

function rename_screen_tab () { echo -ne "\x1bk$*\x1b\\"; return 0; }    # ESC k <title> ESC \ sets the window title

if [[ "$TERM" = screen* ]]; then
PROMPT_COMMAND='rename_screen_tab ${USER}@${HOSTNAME%%.*}'
[ "$HOSTNAME" = "hostname-of-mainbox" ] && PROMPT_COMMAND='rename_screen_tab ${SCREEN_TAB:-$USER}'
fi

Add the below to your .screenrc

hardstatus off
caption always "%?%F%{= Kk}%:%{=u kR}%?  %h %-024=%{+b} %C%a %D %d %M %Y%{= db}"
hardstatus alwayslastline
hardstatus string '%{= kG}[ %{G}%H %{g}][%= %{= kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B} %d/%m %{W}%c %{g}]'
shelltitle "$ |bash"

Note: the hardstatus string must be on a single line.

How to update DNS through DHCP automatically

Thursday, October 2nd, 2008

The configuration below assumes the following setup:

- the domain is test.com
- the name server (named), samba and most other Linux services run on 192.168.0.1
- the network is 192.168.0.1/24, and DHCP hands out 192.168.0.10-60
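A matching ISC dhcpd and BIND configuration for that setup, added here as an illustration (it is not the post's own configuration): dhcpd sends dynamic updates for the forward and reverse zones signed with a TSIG key, so named accepts updates only when they carry the shared secret instead of trusting a source address that could be spoofed. The key name DHCP_UPDATER, the zone file paths and the secret are placeholders to replace.

```conf
# --- /etc/dhcp/dhcpd.conf (constructed example) ---
ddns-update-style interim;          # "standard" on ISC DHCP 4.3 and later
ddns-updates on;
ddns-domainname "test.com.";
update-static-leases on;

key DHCP_UPDATER {
    algorithm hmac-sha256;          # 2008-era dhcpd 3.x only knows hmac-md5
    secret "REPLACE_WITH_BASE64_KEY";   # generate with: tsig-keygen DHCP_UPDATER
};

zone test.com. {
    primary 192.168.0.1;
    key DHCP_UPDATER;
}
zone 0.168.192.in-addr.arpa. {
    primary 192.168.0.1;
    key DHCP_UPDATER;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.60;
    option domain-name "test.com";
    option domain-name-servers 192.168.0.1;
}

# --- /etc/named.conf on 192.168.0.1 (constructed example) ---
key DHCP_UPDATER {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_KEY";   # same secret as in dhcpd.conf
};
zone "test.com" IN {
    type master;
    file "dynamic/test.com.zone";           # directory must be writable by named
    allow-update { key DHCP_UPDATER; };     # key-based, not an IP-address ACL
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "dynamic/0.168.192.in-addr.arpa.zone";
    allow-update { key DHCP_UPDATER; };
};
```

Keep both files readable only by root and the respective daemon, since whoever can read the secret can rewrite the zone.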


Bash tips

Wednesday, August 20th, 2008

Originally from here.


Exim Tips & Tricks - Unclog your queue!

Friday, August 15th, 2008

Original article here

This article focuses on some general Exim MTA tips and tricks, as well as how to parse mail logs. I originally put this guide together for use with Exim on cPanel. Many cPanel server administrators use the built-in Exim MTA without giving it a second thought, because it works. It works until they end up providing virtual hosting (shared hosting) where some of the users do not update their scripts regularly, or simply think that a cron job running every minute and clogging the queue is a good idea. Then running the built-in Exim MTA with no knowledge of how it works becomes a disaster! Learn Exim today and save yourself some serious headaches!

Is your Exim queue piled up with thousands or even millions of emails? Are you getting complaints from your upstream provider because your servers are sending spam? Are your users complaining that emails they are expecting aren't arriving, or take hours or days to get there? Are your servers blacklisted on the major lists and you have no idea why? If any of these situations describe your problems, then this guide should serve as a good primer on the basics of how Exim works. You can use the knowledge here to solve all of these problems!


Various Iptables Tricks

Friday, August 15th, 2008

> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> iptables -t nat -P PREROUTING DROP
> # Box 1
> iptables -t nat -A PREROUTING -m mac --mac-source 00:50:da:e3:f3:45 -j ACCEPT
> # Box 2
> iptables -t nat -A PREROUTING -m mac --mac-source 00:d0:b7:18:0f:f5 -j ACCEPT
>
> Now this works as expected, all packets from the two MAC addresses above are
> masq'ed and routed, anything from any other MAC address is DROP'ed.

mmh… but it is a bit unclean to drop packets in the nat table. You want
to filter packets, so use the filter table. Why? Because it is
- unclean
- only the first packet of each connection hits the nat table.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t filter -N restr
iptables -t filter -A restr -p tcp --dport 25 -j DROP

iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:50:da:e3:f3:45 -j ACCEPT
iptables -t filter -A FORWARD -m mac --mac-source 00:d0:b7:18:0f:f5 -j restr

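The filter-table version of that ruleset as a small generator script, added here as an example (it is not code from the thread). It keeps the thread's MAC addresses and restr chain and adds two things the snippet above leaves out: an explicit ACCEPT at the end of restr (otherwise Box 2's non-SMTP packets fall back to the FORWARD DROP policy), and a conntrack rule for return traffic (replies arrive with the upstream gateway's MAC, not the client's, so they would otherwise be dropped). The LAN interface eth0 and the IPT/LAN_IF/WAN_IF variables are assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: MAC-restricted forwarding in the filter table.
# Set IPT=iptables to apply the rules; the default only prints them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth0}"   # assumed LAN side, where client MACs are visible
WAN_IF="${WAN_IF:-eth1}"   # uplink, as in the thread

# Hosts allowed to forward: "<mac> <target chain>".
# ACCEPT = unrestricted; restr = everything except outbound SMTP.
allowed_hosts() {
    printf '%s\n' \
        '00:50:da:e3:f3:45 ACCEPT' \
        '00:d0:b7:18:0f:f5 restr'
}

gen_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # restr: drop outbound SMTP, accept the rest (without the final ACCEPT the
    # packet returns to FORWARD and hits the DROP policy).
    $IPT -t filter -N restr
    $IPT -t filter -A restr -p tcp --dport 25 -j DROP
    $IPT -t filter -A restr -j ACCEPT

    $IPT -t filter -P FORWARD DROP
    # Replies to connections accepted below; the MAC match cannot cover these.
    $IPT -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the listed MACs, and only LAN -> uplink.
    allowed_hosts | while read -r mac target; do
        $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
            -m conntrack --ctstate NEW -m mac --mac-source "$mac" -j "$target"
    done
}

gen_rules
```

Note that --mac-source only matches on Ethernet interfaces and is trivially forged by anyone on the LAN, so it restricts well-behaved hosts rather than authenticating them.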