Steps to add new rule to existing configuration

• Check the list of rules and their corresponding sequence

sudo iptables -vL --line-numbers 

• Add the new rule at the required location/sequence

 sudo iptables -I INPUT LINE_NUMBER RULE 

Example :

iptables -I INPUT 8 -s X.X.X.X/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

• Save the configuration

 sudo serivce iptables save 

Thx to Sijis for helping with the commands. ]]> http://kudithipudi.org/2011/12/12/how-to-modify-iptables-rules/feed/ 0 http://kudithipudi.org/2011/10/31/how-to-check-web-services-using-curl/ http://kudithipudi.org/2011/10/31/how-to-check-web-services-using-curl/#comments Mon, 31 Oct 2011 20:36:40 +0000 Vinay http://kudithipudi.org/?p=1077 Quick note for myself to check web services using curl ([L/U]nix utility to play with http(s) traffic)

 curl https://URL_TO_TEST --insecure --trace-ascii debug.txt 

Comments on options :
–insecure is used if you are testing web services served over SSL using self signed certs
–trace-ascii dumps all traffic between the client (curl in this case) and the server in human readable format

If you ever run into errors like this

<pre>Starting httpd: Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
(13)Permission denied: httpd: could not open error log file /etc/httpd/logs/error_log.
Unable to open logs
                                                           [FAILED]

And you are scratching your head why Apache is throwing these errors, even when the said directory and files exist. And you have the right permissions!! Check if you have SELinux running and being enforced.
On RHEL, you can check if SELinux is running by

cat /selinux/enforce 

The two values are 0 and 1. 0 means, SELinux is not being enforced and 1 means it is.
You can quickly disable SELinux temporarily by

echo 0 >/selinux/enforce 

If you want to disable it permanently (i.e. survive reboots), you have to edit the file /etc/selinux/config and change the SELINUX line from enabled to disabled. ]]> http://kudithipudi.org/2011/08/22/how-to-apache-and-selinux/feed/ 2 http://kudithipudi.org/2011/07/20/how-to-export-and-import-certificates-using-keytool/ http://kudithipudi.org/2011/07/20/how-to-export-and-import-certificates-using-keytool/#comments Wed, 20 Jul 2011 19:55:51 +0000 Vinay http://kudithipudi.org/?p=990 Keytool is a java utility to manage SSL key databases (stores). Here are a couple of options for using this tool

• List the certificates in the keystore

keytool -list -keystore NAME_OF_KEYSTORE_FILE 

• Export a particular certificate from the keystore

keytool -export -alias ALIAS_NAME_OF_CERT -keystore NAME_OF_KEYSTORE_FILE 

• Import a certificate into the keystore

keytool -import -alias ALIAS_NAME_YOU_WANT -keystore NAME_OF_KEYSTORE_FILE -file NAME_OF_CERT_FILE_TO_IMPORT 

If I am not mistaken, nc comes as a default tool in most of the Linux distros. You can download the windows port of the tool at http://www.securityfocus.com/tools/139

The command to have netcat listen on a specific port is “nc -l PORT_NUMBER”. If you run this on a Windows 7 machine, you will get this dreaded message “local listen fuxored: INVAL”. The fix is to run it with a -L option. So the command would like this

nc -L -p 80

The -L means “listen harder, re-listen on socket close” .. Have to dig deeper and see what it really means though. I will leave that for another blog post.

And if you want to validate that netcat is indeed listening on that port, you can connect to that port from another workstation by using nmap.

• Configure lighttpd (HTTP Server) on the server using instructions from this article on Cyberciti.
• Edit the lighttpd.conf file and add the following line in your site configuration

 server.error-handler-404   = "index.html" 

• Name your maintenance page as index.html and upload it to the document root (in this example, it is /var/www/html)

You are essentially telling the web server to display index.html whenever the user is trying to access content that is not present on the server. And since there is no content on the server other than the index.html, the web browser will always display the index.html page..

• On the web server, issue the following command

 tcpdump -s 1024 -C 1024000 -w /tmp/httpcapture dst port 80 

• Stop the capture by issuing the break command (ctrl + c)
• Open the capture file (httpcapture in this example) in wireshark and check out the headers under the  the HTTP protocol

[root@serverxyz bin]# cat /proc/net/bonding/bond0

i.e. assuming the name of your bond interface is bond0.

Output from the command

Ethernet Channel Bonding Driver: v3.4.0 (October 7, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth3 (primary_reselect always)
Currently Active Slave: eth3
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth3
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:10:18:6e:b8:1a

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:21:5e:11:34:32

The configuration files involved are

/etc/sysconfig/network-scripts/ifcfg-bond0 (Bond Interface)

DEVICE=bond0
IPADDR=10.10.40.26
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
GATEWAY=10.10.40.1
NETWORK=10.10.40.0
BROADCAST=10.10.40.255
TYPE=Ethernet

/etc/sysconfig/network-scripts/ifcfg-eth3 (Primary Interface)

DEVICE=eth3
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:10:18:6e:b8:1a
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
USERCTL=no

/etc/sysconfig/network-scripts/ifcfg-eth0 (Secondary Interface)

DEVICE=eth0
HWADDR=00:21:5e:11:34:32
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
TYPE=Ethernet

Here’s what I get, when I queried for www.express.com

HDD Testing :

I found a pretty interesting tool called Iozone written by William Norcott (Oracle) and Don Capps. You can get the source code and builds for major OSs at http://iozone.org . Despite installing the program using RPM, we were not able to  run the program without specifying the complete path.

There are a ton of options for the program, but the easiest method to run it was in automated mode with the output going to an Excel spreadsheet (more like a glorified CSV file ). Here is the command we used

/opt/iozone/bin/iozone -a -Rb output_excel_file.xls

The “-a” is to tell the program in automated mode and the “-Rb” is to tell the program to format the output in Excel format. And you can then go ahead and open the spreadsheet in Excel and create 3D graphs to check and compare the output.

Network Testing :

Most of the information out there in terms of testing the network stack of a machine is either to copy large files over a network share or via FTP. We didn’t find that was enough to really max out a Gigport since there were protocol limitations that didn’t allow us to saturate the network port. After some searching, we stumbled across a tool called “ettcp” on Sourceforge. ettcp itself is an offshoot of ttcp. ttcp (stands for test tcp) was created to test network performance between two nodes. I couldn’t find any place to download ttcp itself, but you can download ettcp at http://ettcp.sourceforge.net/.

We used a server, to act as a common receiver for all the servers we intended to do a performance test on. Here are the commands we used to run the test

RECEIVER (Common Server)
./ettcp -r -s -f M

The options are

• “-r” for designating the machine as receiver
• “-f M” for showing the output in Mega Bytes.

TRANSMITTER (Test Servers)
./ettcp -t -s receiver_hostname -n 10000000 -f M

the options are

• “-t” for designating the machine as transmitter
• “-s receiver_hostname” to define the receiver
• “-n” to define the number of packets to send to the receiver