However with new nfs-utils versions we can bind mountd,stad,lockd,rquotad to certain port numbers, on redhat we can define port numbers in /etc/sysconfig/nfs file and then simple iptables rules. For example, after modifying /etc/sysconfig/nfs I have

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892

Other ports which needs to be opened on firewall are 111/tcp,udp for portmapper and 2049/tcp,udp for nfsd.

However this is not available with older version of nfs-utils, or different distributions of Linux. You can use the script below with small modifications in script starting the nfs daemon.

#!/bin/bash
#script for adding iptables rules to support exporting NFS share
#behind iptables firewall.

#get the port numbers
PORTS=`rpcinfo -p | awk ‘$4 != “port” { print $4 }’ | uniq | paste -sd,`

#function to check/create iptables chain NFS
check_ipt () {
/sbin/iptables -L NFS >/dev/null 2>&1 || /sbin/iptables -N NFS
}

#function to insert iptables rules
ins_rul () {
/sbin/iptables -F NFS
/sbin/iptables -I NFS 1 -m state –state NEW -p tcp -m multiport –dports $PORTS,2049,111 -j ACCEPT
/sbin/iptables -I NFS 2 -m state –state NEW -p udp -m multiport –dports $PORTS,2049,111 -j ACCEPT
#change below as per your need/iptables chain name.
/sbin/iptables -R loc2fw 1 -j NFS
}

check_ipt
ins_rul

You can call this script from nfs startup script.

Download script

More options of securing NFS are available on TLDP site..

Anuj

[root@node2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere           
ACCEPT     ah   --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@node2 ~]#

Added one rule to allow access on port number 111(portmapper)

iptables -I INPUT -p tcp --dport 111 -j ACCEPT

After inserting rule in INPUT chain to allow access on port number 111, I have:

[root@node2 ~]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sunrpc
RH-Firewall-1-INPUT  all  --  anywhere             anywhere           
[root@node2 ~]#

It should allow access to port 111/tcp for all isn’t it? but still getting error of No Route to host error.

The reason behind is order or rules in iptables. Let’s check the line numbers of rules with:

[root@node2 ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sunrpc
2    RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination        
1    ACCEPT     all  --  anywhere             anywhere           
2    ACCEPT     icmp --  anywhere             anywhere            icmp any
3    ACCEPT     esp  --  anywhere             anywhere           
4    ACCEPT     ah   --  anywhere             anywhere           
5    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
6    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
7    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
8    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
10   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@node2 ~]#

To resolve this issue we have to insert our new rule in RH-Firewall-1-INPUT chain before rule number 10 (REJECT all  from anywhere to anywhere).

Let’s delete previously added rule to INPUT chain.

[root@node2 ~]# iptables -D INPUT -p tcp --dport 111 -j ACCEPT

And add a new rule to RH-Firewall-1-INPUT chain in correct order,

[root@node2 ~]# iptables -I RH-Firewall-1-INPUT 10 -m state --state NEW -p tcp --dport 111 -j ACCEPT

After adding new rule, listing of rules:

[root@node2 ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination        
1    ACCEPT     all  --  anywhere             anywhere           
2    ACCEPT     icmp --  anywhere             anywhere            icmp any
3    ACCEPT     esp  --  anywhere             anywhere           
4    ACCEPT     ah   --  anywhere             anywhere           
5    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
6    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
7    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
8    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
10   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sunrpc
11   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@node2 ~]#

Note: in mangle state only NEW is sufficient as on rule line number 8 RELATED, ESTABLISHED is already added.  You should not get any error now,  you can change port number and protocol according to your needs.

There is an another method which is quite simple, you can use setup command on redhat and then select Firewall Configuration> Customize> Allow incoming and define ports you want to allow access on.

You can also use shorewall firewall which is an excellent tool of configuring iptables/gateway. (http://www.shorewall.net)

Anuj.

Usually big organizations have hardware firewall and other measures, admin’s skip configuring firewall on servers, however we can follow individual firewall/device – a better practice.

Shorewall is available in binary packages (*.rpm, *.deb etc) as well as you can follow installation using source. To use installation using source you just have to run ./install.sh script from the extracted source tarball.

Here I am not going to run into all the setup’s, e.g. sharing traffic between two ISP’s, it would be just re-inventing the wheel, however the information here can give you enough fuel to have your own setup running, some port forwarding and masquerading of traffic as well.

So, what are the minimum files you need to have configured on the server? Files are /etc/shorewall/shorewall.conf (to start the shorewalll automatically at the boot time), and some files under /etc/shorewall directory (interfaces, zones, policy, rules and in case you want to masquerade traffic then masq).

In my setup, I want to forward traffic coming on network interfaces to different virtual machines(can be physical machines as well). I have one ethernet card eth0 (you should have two in case if you want to configure a gateway server), virtual network interface vmnet8 (should be replaced by eth1 in case of using physical server), and one more ISP (sometimes i use mobile phone to use internet).

Entries in configuration files:
/etc/shorewall/interfaces (Define your interfaces)
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
nokia ppp0
loc vmnet8 172.16.249.255
##############################################################################

File /etc/shorewall/zones
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
loc ipv4
nokia ipv4
net ipv4
##############################################################################

File /etc/shorewall/policy
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
fw all ACCEPT
loc nokia ACCEPT
loc net ACCEPT
loc fw REJECT
net all REJECT
all all REJECT info
###############################################################################

File /etc/shorewall/masq
#############################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth0 172.16.217.1/24
ppp0 172.16.217.1/24
#############################################################################################

And finally /etc/shorewall/rules file
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
ACCEPT loc net tcp 22,80,53,21,443
ACCEPT loc net udp 53
DNAT net loc:172.16.217.128 tcp 22,80,443
######################################################################################### -

Shorewall version i used is shorewall-4.4.27.tar.bz2, which is the current stable version while writing this post. It was observed that the VM’s getting IP with dhcp had default route set to 172.16.217.2, we have to change the default route of VM’s if DNAT is not working, i had to change default route to 172.16.217.1 on VMs to have port forwarding working.
On debian lenny need to change one more parameter in /etc/default/shorewall file, which is “startup=1″ and in /etc/shorewall/shorewall.conf “STARTUP_ENABLED=Yes”. Make sure that the net.ipv4.ip_forward is set to 1 (net.ipv4.ip_forward=1) in /etc/sysctlc.conf to allow packet forwarding (if you had to change this value then execute sysctl -p /etc/sysctl.conf) otherwise you can use echo 1 >/proc/sys/net/ipv4/ip_forward (for temporary purpose, after a reboot you again to set ip_forward to 1)

It’s time to start the shorewall, issue command “shorewall start” (it’s going to work on most of the linux distributions)

Shorewall is very nicely documented, available on http://www.shorewall.net/

Anuj,

[root@localhost ~]# touch /forcefsck

Note:
This option is going to force fsck only on those mount points which are having non-zero value set in the 6th filed of /etc/fstab file while skipping mount points which have 6th field defined as 0.

What If you want to force fsck at the boot time without creating an empty file? Yes. there is an another method, at the boot time on grub screen pass kernel parameter forcefsck (the same way as you would have booted the server in run level 1 by passing S or 1)

How about skipping forcefsck? Sometimes you can get at login shell at fsck (not a good idea) while booting time, to skip you can pass kernel fastboot parameter at grub level, also you can skip forcefck by creating an empty file fastboot under the root /
touch /fastboot

Anuj

Reason behind, disk driver for scsi device was not included (as during the installation no scsi disk) was added.

Solution,

create a new initial ram disk with,

mkinitrd /tmp/initrd-kernel-version kernel-version

(example: mkinitrd  -v  /tmp/initrd-2.6.18-194.el5 2.6.18-194.el5)
Take a backup of existing initial ram disk.

cp -v /boot/initrd-2.6.18-194.el5.img{,.bak}

Now replace existing initial ram disk with newly created initrd image in tmp,

cp -v /tmp/initrd-2.6.18-194.el5 /boot/initrd-2.6.18-194.el5.img

In case if you already rebooted without creating a new initial ram disk, solution is to boot in resuce mode and follow above steps of modifying inital ram disk.

Anuj

After connecting cables, check the available resolutions with:
xrandr -q

I got the information below on terminal:
Screen 0: minimum 320 x 200, current 1280 x 800, maximum 2880 x 800
VGA connected 1280×800+0+0 (normal left inverted right x axis y axis) 0mm x 0mm
1280×800       60.0*+
1280×768       60.0
1024×768       60.0
800×600        60.3
640×480        59.9
LVDS connected 1280×800+0+0 (normal left inverted right x axis y axis) 331mm x 207mm
1280×800       60.0 +   60.0*
1280×768       60.0
1024×768       60.0
800×600        60.3
640×480        59.9
TV disconnected (normal left inverted right x axis y axis)

Now the next step is to edit  /etc/X11/xorg.conf file (X Window System server configuration file), add the entries below under screen section:

SubSection “Display”
Depth 24
Modes “1280×800″ “1280×768″ “1440×900″ #the resolutions of your monitors
Virtual 2880 800
EndSubSection

Restart the X-server with alt+ctrl+back-space-key,

Now on terminal give command:
xrandr –auto –output DVI-0 –mode 1280×800 –right-of DVI-1

You should have display shared with an another monitor

Anuj

1. Let’s check the swap space in use:
   [root@localhost ~]# cat /proc/swaps
   Filename                                Type            Size    Used    Priority
   /dev/mapper/VolGroup00-LogVol00         partition       229368  0       1
   [root@localhost ~]#
   Or use command ‘free -m’
2. Disable the swap device with:
   [root@localhost ~]# swapoff /dev/VolGroup00/LogVol00
   [root@localhost ~]#
3. Increase the space of LVM with (depending on available Free PE’s and your choice).
   [root@localhost ~]# lvextend -L+352M /dev/VolGroup00/LogVol00
   Extending logical volume LogVol00 to 576.00 MB
   Logical volume LogVol00 successfully resized
4. Now we have to enable swap again, but before doing so we again need to format swap file system on extended lvm with:
   [root@localhost ~]# mkswap /dev/VolGroup00/LogVol00
   Setting up swapspace version 1, size = 603975 kB
5. Enable swap device with:
   swapon  -p 1 /dev/VolGroup00/LogVol00
6. Check swap space again with:
   [root@localhost ~]# cat /proc/swaps
   Filename                Type        Size    Used    Priority
   /dev/mapper/VolGroup00-LogVol00         partition    589816    0    1
   [root@localhost ~]#

   in swapon command -p switch sets the priority of swap, higher the value, higher priority swap is used before using other lower priority swap space. Two swap devices or file can have same priority number (would be used in a round robin method). Every time we create a new swap file/device the priority allocated will be lower than previous(in case -p switch is not used).

Other possible method which does not include lvm’s is to create a swap file, for example
[root@localhost ~]# dd if=/dev/zero of=/var/swapspace bs=512 count=1048576
1048576+0 records in
1048576+0 records out
536870912 bytes (537 MB) copied, 18.9145 seconds, 28.4 MB/s
[root@localhost ~]# mkswap /var/swapspace
Setting up swapspace version 1, size = 536866 kB
[root@localhost ~]# swapon  -p 1 /var/swapspace
[root@localhost ~]# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/VolGroup00-LogVol00         partition       589816  0       1
/var/swapspace                          file            524280  0       1
[root@localhost ~]#

Make persistent swap file availability with making an entry in /etc/fstab file:
[root@localhost ~]# echo ‘/var/swapspace swap swap defaults 0 0 ‘ >>/etc/fstab

Anuj

Disable dhcp and give static ip of same subnet to eth0 on ubuntu, leave the gateway entry blank for eth0, it’s very very simple to have most of the data card running on ubuntu, attach USB port to the ubuntu VM after inserting data card (it’s a different topic, here i am just sharing information of using Internet access from a VM with other VM’s and host).

Once the data card is configured on Ubuntu VM, check default route/ping some external domain/ip etc to make sure that the VM is able to access Internet using data card. There are different methods such as check /var/log/messages, ifconfig -a, etc.

Ok once the Internet is working on Ubuntu VM, let’s do simple work of masqurading with iptables, however first we have to enable ip forwarding, either you can make it permanent with modifying /etc/sysctl.conf (uncomment net.ipv4.ip_forward=1) and give command sysctl -p /etc/sysctl.conf OR echo 1 >/proc/sys/net/ipv4/ip_forward

Let’s configure iptables to forward packets from VMWare Host and other vm’s.

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

now use ip of ubuntu vm as a gateway, modify /etc/resolv.conf if needed.

• Requirement:

• Nokia E6 (:P indeed)
  Data cable
  Should have wvdial installed (on debian lenny) which  depends on:
  libuniconf
  libwvstreams
  libwvstreams
  libxplc
  ppp
  wvdial_1.60.1+nmu2_i386.deb 

  If your debian is already on network then use tasksel to have dependencies resolved automatically.

• After connecting data cable with Nokia E6, select Nokia Ovi Suite option from USB section

• List the USB devices with:

  debian:~# lsusb

  Bus 006 Device 019: ID 0421:032f Nokia Mobile Phones

  Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

  Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

  Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

  Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

  Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

  Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

• From the listing of USB devices we have information of Nokia E6 phone, we are going to use two numbers 0421:032f to load the module into the Linux Kernel.
  0421 is the Vendor ID, and 032f is the Product ID. 

  debian:~# modprobe usbserial vendor=0×421 product=0x32f

• Verify with dmesg or checking /var/log/messages etc. From dmesg:
  [ 7698.253766] usb 6-1: bad CDC descriptors
  [ 7698.262285] usb 6-1: New USB device found, idVendor=0421, idProduct=032f
  [ 7698.262285] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
  [ 7698.262285] usb 6-1: Product: E6-00
  [ 7698.262285] usb 6-1: Manufacturer: Nokia
  [ 7698.262285] usb 6-1: SerialNumber: 1234565…
• Now generate a wvdia configuration file using command wvdialconf
• Edit /etc/wvdial.conf and change/add information below
  Phone = *99#
  Username= your phone number
  Password= your phone number
  Init3 = AT+CGDCONT=1,”IP”,”airtelgprs.com”    #added this line for my airtel connection 

  So my /etc/wvdial.conf after editing:
  [Dialer Defaults]
  Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
  Init3 = AT+CGDCONT=1,”IP”,”airtelgprs.com”
  Modem Type = USB Modem
  Phone = *99#
  ISDN = 0
  Username = my-phone-number-is-here
  Init1 = ATZ
  Password = my-phone-number-is-here
  Modem = /dev/ttyACM0
  Baud = 460800

• Make sure that /etc/ppp/peers/wvdial has the entries below:
  noauth
  name wvdial
  usepeerdns
• Now it’s time to connect to the internet, give command
  wvdial
  You should get similar message as below: 

  –> WvDial: Internet dialer version 1.60
  –> Cannot get information for serial port.
  –> Initializing modem.
  –> Sending: ATZ
  OK
  –> Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
  OK
  –> Sending: AT+CGDCONT=1,”IP”,”airtelgprs.com”
  OK
  –> Modem initialized.
  –> Sending: ATDT*99#
  –> Waiting for carrier.
  CONNECT
  ~[7f]}#@!}!} } }2}#}$@#}!}$}%\}”}&} }*} } g}%~
  –> Carrier detected.  Waiting for prompt.
  ~[7f]}#@!}!} } }2}#}$@#}!}$}%\}”}&} }*} } g}%~
  –> PPP negotiation detected.
  –> Starting pppd at Thu Nov 17 12:18:30 2011
  –> Pid of pppd: 11230
  –> Using interface ppp0
  –> pppd: �[07]� `[06]� �[07]�
  –> pppd: �[07]� `[06]� �[07]�
  –> pppd: �[07]� `[06]� �[07]�
  –> pppd: �[07]� `[06]� �[07]�
  –> local  IP address 223.176.85.113
  –> pppd: �[07]� `[06]� �[07]�
  –> remote IP address 10.6.6.6
  –> pppd: �[07]� `[06]� �[07]�
  –> primary   DNS address 202.56.230.5
  –> pppd: �[07]� `[06]� �[07]�
  –> secondary DNS address 202.56.230.6
  –> pppd: �[07]� `[06]� �[07]�

• Ping some external public ip, for example 4.2.2.2. If it’s not working check the default route.Should also work on RedHat/Fedora/Ubuntu and other Linux flavours.

Anuj