For today's article I am going to explain how to create a basic firewall allow and deny filter list using the iptables package. We will be focused on creating a filtering rule-set for a basic everyday Linux web server running Web, FTP, SSH, MySQL, and DNS services.
Before we begin, let's get an understanding of iptables and firewall filtering in general.
What is iptables? iptables is a package and kernel module for Linux that uses the netfilter hooks within the Linux kernel to provide filtering, network address translation, and packet mangling.
In one of the first posts of this blog I covered some basic SystemTap functionality from an email that I sent to members of my team, but I have always felt that I haven't given SystemTap as thorough an article as this incredible tool deserves. Today I want to correct that.
For today's article I will show how to compile SystemTap scripts on one server while running the compiled module on a production server without installing debug-info or devel packages in production.
Have you ever said to yourself, “man I really need to slow down my internet”?
Probably not very often, but recently I found myself in a dilemma where I needed to simulate 120ms of network latency in my test environment which consists of servers that are racked right next to each other. That is where the command tc comes in.
Within the current distributions of Linux there is a kernel component called netem, which adds Network Emulation and is used for testing and simulating the same types of issues one would see in a WAN (Wide Area Network).
Access Control Lists, aka ACLs, are one of those obscure Linux tools that aren't used every day; and if you find yourself using ACLs every day, then you probably have a very complicated Linux environment.
A few years ago I had an engineer tell me “Anything you want to solve with ACLs can be solved with standard unix permissions” and while he may have just been justifying why he didn't know ACLs very well.
Today I want to cover one of the best troubleshooting tools in any sysadmin's arsenal: strace. Strace is a command that will trace the system calls and signals of a specified command. What does that mean in layman's terms? Strace will output all of the inner workings of a process you run it against.
If a process opens a file or binds a port, strace will print that action; it is a great utility for troubleshooting when a process is not behaving as expected and you can't find any reason in the command's output or log files.
This is a quick and easy tip for the day.
imadmac:~ madflojo$ uname -a
Darwin imadmac.local 10.8.0 Darwin Kernel Version 10.8.0: Tue Jun 7 16:32:41 PDT 2011; root:xnu-1504.15.3~1/RELEASE_X86_64 x86_64
The example is from my iMac but it works on Unix/Linux in general.
If you have ever run a system with very little memory, such as a small virtual server (cough) or a server with a Java application (cough), then you might have seen this type of error every now and then.
Jul 6 11:39:55 slize kernel: [1262223.326537] apache2 invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0
What is oom-killer? oom-killer is a process that the kernel will call when a system is overcommitted on memory.