
Update pam.d files with FISMA compliant options

 
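#!/usr/bin/perl
# Disable rhosts-based authentication in every PAM service file under /etc/pam.d
# by commenting out each line that loads pam_rhosts_auth.so (FISMA/CIS baseline:
# .rhosts trust is host-name based and spoofable, so it must not be an auth path).
#
# Each file is rewritten to a temp file in the same directory and then renamed
# over the original. The original truncated and rewrote the live file in place;
# a crash mid-write would have left a truncated PAM stack and locked out every
# login on the box.
use strict;
use warnings;
use File::Temp qw(tempfile);

my $inpdir  = '/etc/pam.d';
my $outpdir = '/etc/pam.d';

opendir(my $pamd, $inpdir) or die "Cannot open directory $inpdir: $!";
my @pamddir = grep { $_ ne '.' && $_ ne '..' } readdir($pamd);
closedir($pamd);

foreach my $file (sort @pamddir) {
    my $fileabs = "$inpdir/$file";

    # Only plain, readable files. Symlinks are skipped on purpose: rename() would
    # replace the link itself rather than the file it points to, and the target
    # (normally another file in this directory) is processed in its own right.
    next if -l $fileabs;
    next unless -f $fileabs && -r $fileabs;

    print "Processing $file:\n";

    open(my $in, '<', $fileabs) or die "Failed to open $fileabs: $!";
    my @pfLines = <$in>;
    close $in;

    # Leave files without a live pam_rhosts_auth line untouched (no mtime churn,
    # no needless rewrite of a security-critical file).
    unless (grep { /pam_rhosts_auth\.so/ && !/^\s*#/ } @pfLines) {
        print "  no active pam_rhosts_auth lines, left unchanged\n";
        next;
    }

    # Preserve the original mode bits; tempfile() creates 0600 by default.
    my $mode = (stat $fileabs)[2] & 07777;

    my ($out, $tmpname) = tempfile("$file.XXXXXX", DIR => $outpdir);
    foreach my $line (@pfLines) {
        chomp $line;
        # Comment out live pam_rhosts_auth lines; already-commented ones are kept
        # as is so re-running the script does not stack another '#' each time.
        if ($line =~ /pam_rhosts_auth\.so/ && $line !~ /^\s*#/) {
            print {$out} "#$line\n";
        }
        else {
            print {$out} "$line\n";
        }
    }
    # Buffered write errors (e.g. disk full) only surface at close.
    close $out or die "Could not write $tmpname: $!";
    chmod $mode, $tmpname or die "Could not chmod $tmpname: $!";
    rename $tmpname, "$outpdir/$file"
        or die "Could not replace $outpdir/$file: $!";
}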


Perl script to update FISMA compliant kernel parameters

 
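#!/usr/bin/perl -w
# Rewrite /etc/sysctl.conf with the FISMA/CIS network-hardening values listed in
# @settings. Any existing assignment of one of those keys is dropped and the
# hardened value appended, so each key ends up set exactly once. The original
# file is kept as /etc/sysctl.conf.<timestamp>. Run `sysctl -p` afterwards.
use strict;
use warnings;
use POSIX qw(strftime);

my $conf      = '/etc/sysctl.conf';
my $newconf   = "$conf.fisma";
my $timestamp = strftime('%Y%m%d%H%M', localtime);   # no trailing newline, unlike `date`

# List-form system(): no shell involved. Abort if the backup fails, because the
# live file is about to be replaced.
system('cp', '-p', $conf, "$conf.$timestamp") == 0
    or die "Backup of $conf to $conf.$timestamp failed (exit $?)";

# key => hardened value, in the order they are written out.
my @settings = (
    [ 'net.ipv4.conf.default.rp_filter',           1 ],    # reverse-path filter: drop spoofed-source packets
    [ 'net.ipv4.conf.all.rp_filter',               1 ],
    [ 'net.ipv4.conf.default.accept_source_route', 0 ],    # source-routed packets bypass routing policy
    [ 'net.ipv4.tcp_max_syn_backlog',              4096 ], # larger SYN queue for SYN-flood tolerance
    [ 'net.ipv4.conf.all.accept_source_route',     0 ],
    [ 'net.ipv4.conf.default.accept_redirects',    0 ],    # ICMP redirects let a LAN host rewrite our routes
    [ 'net.ipv4.conf.all.accept_redirects',        0 ],
    [ 'net.ipv4.conf.default.secure_redirects',    0 ],
    [ 'net.ipv4.conf.all.secure_redirects',        0 ],
    # 1, not 0 as the original had it: with 0 the host answers echo requests sent
    # to a broadcast address and can be used as a smurf amplifier. CIS/STIG
    # baselines require 1.
    [ 'net.ipv4.icmp_echo_ignore_broadcasts',      1 ],
    [ 'net.ipv4.conf.default.send_redirects',      0 ],    # a host should not advertise routes
    [ 'net.ipv4.conf.all.send_redirects',          0 ],
    [ 'net.ipv4.tcp_syncookies',                   1 ],    # SYN-flood protection
);
my %managed = map { $_->[0] => 1 } @settings;

open my $in,  '<', $conf    or die "Cannot read $conf: $!";
open my $out, '>', $newconf or die "Cannot write $newconf: $!";

while (my $line = <$in>) {
    chomp $line;
    # Drop existing assignments of managed keys. sysctl.conf accepts either '.'
    # or '/' as separator and leading whitespace, so normalise before comparing.
    if ($line =~ m{^\s*([\w./-]+)\s*=}) {
        (my $key = $1) =~ tr{/}{.};
        next if $managed{$key};
    }
    print {$out} "$line\n";
}
close $in;

print {$out} "$_->[0] = $_->[1]\n" for @settings;
# Buffered write errors only surface at close; do not replace the live file
# with a short one.
close $out or die "Cannot write $newconf: $!";

# Keep the live file's mode, then atomically swap the new file into place.
my $mode = (stat $conf)[2] & 07777;
chmod $mode, $newconf or die "Cannot chmod $newconf: $!";
rename $newconf, $conf or die "Cannot replace $conf with $newconf: $!";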



Bash One liners



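# Collect world-writable directories that lack the sticky bit on every ext2/ext3
# filesystem in /etc/fstab. Without +t, anyone with write access can delete or
# rename other users' files in such a directory.
# The output name is fixed, so create it with noclobber (set -C): '>' then fails
# instead of following a symlink an unprivileged user may have planted in /tmp,
# which is a classic trap for collection scripts run as root.
out=/tmp/sticks
if ( set -C; : > "$out" ); then
    for path in $(awk '($3 ~ "ext2|ext3") {print $2}' /etc/fstab); do
        find "$path" -xdev -type d -perm -0002 ! -perm -1000 >> "$out"
    done
else
    echo "$out already exists - remove it first" >&2
fi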

Where /tmp/sticks then contains the matching directories, one per line (world-writable and no sticky bit set), e.g.
    /usr/openv/netbackup/logs/user_ops
    /usr/openv/netbackup/logs/user_ops/nbjlogs

Read lines in file /tmp/sticks and echo them out
    cat /tmp/sticks |while read dlist; do echo "${dlsit}";done

Add the sticky bit to the directories listed in the file (with +t, a user with write access can only delete or rename their own files):
    cat /tmp/sticks |while read dlist; do chmod +t "${dlist}";done


Read lines in file and echo them out
    # Print each line of /tmp/sticks, feeding the loop via process substitution.
    while read dlist; do echo "$dlist"; done < <(cat /tmp/sticks)

find files and echo their names
    find /tmp -name 'sticks*' |while read tfile; do echo "${tfile}";done
 
find world-writable directories without the sticky bit (same check as the first one-liner above):
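# World-writable directories without the sticky bit on every ext2/ext3
# filesystem in /etc/fstab (same check as above, with an explicit -a).
# /tmp/sticks is a fixed name, so create it with noclobber (set -C): '>' then
# fails instead of following a symlink planted there by another user, which
# matters because this runs as root.
out=/tmp/sticks
if ( set -C; : > "$out" ); then
    for PART in $(awk '($3 ~ "ext2|ext3") {print $2}' /etc/fstab); do
        find "$PART" -xdev -type d -perm -0002 -a ! -perm -1000 >> "$out"
    done
else
    echo "$out already exists - remove it first" >&2
fi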
 
Set the sticky bit on those world-writable directories:
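# Add the sticky bit to each directory listed in /tmp/sticks (only the owner of a
# file may then remove or rename it). read -r keeps backslashes; no cat needed.
while read -r dlist; do chmod +t "${dlist}"; done < /tmp/sticks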
 
Remove /etc/exports if it has no active entries (otherwise mail it for review):
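 # Remove /etc/exports when it has no active (non-comment, non-blank) entries;
 # otherwise mail the file to the admin for review and leave it alone.
 # The pattern is quoted so the shell cannot glob '^[^#]' against files in the
 # current directory, indented '#' comments count as comments, and plain rm -f
 # is enough for a regular file (-r was meaningless here).
 if [ -f /etc/exports ]; then if grep -qE '^[[:space:]]*[^#[:space:]]' /etc/exports; then mail -s "exports in use on $(hostname)" pvalentino@sysxperts.com < /etc/exports; else rm -f /etc/exports; fi; fi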
 
User home directories should be 750 or less:
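#!/bin/sh
# Report home directories of regular users (uid >= 500, excluding nobody) whose
# mode is looser than 750: group-writable, or any read/write/execute for others.
# -maxdepth 0 examines only the home directory itself (the original used
# -maxdepth 1 plus -prune to the same effect). Accounts with uid >= 65534
# (nobody-style, e.g. nfsnobody on RHEL) are skipped as well: their "home" is
# usually a system directory, and the fix variant below would chmod it to 750.
# Missing home directories and "/" are skipped rather than inspected.
awk -F: '($3 >= 500 && $3 < 65534 && $1 != "nobody") {print $6}' /etc/passwd | while read -r home; do
  [ -d "$home" ] && [ "$home" != "/" ] && find "$home" -maxdepth 0 -type d \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -ls
done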
 
Fix for home dir permissions:
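# Fix variant of the check above: chmod 750 every regular user's home directory
# (uid 500..65533, not nobody) that is group-writable or accessible by others.
# Only the home directory itself is changed (-maxdepth 0), never its contents.
# Home directories that do not exist, or are "/", are skipped.
awk -F: '($3 >= 500 && $3 < 65534 && $1 != "nobody") {print $6}' /etc/passwd | while read -r home; do [ -d "$home" ] && [ "$home" != "/" ] && find "$home" -maxdepth 0 -type d \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -exec chmod 750 {} \; ; done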
 
Test for world writable files:
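#!/bin/sh
# List world-writable regular files (no sticky bit) on every real filesystem in
# /etc/fstab: skips comment lines, entries with fsck pass 0 (swap, proc, ...) and
# the /data and /apps mounts. -xdev keeps find on the partition it started on.
# while read instead of for $(...) so a mount point containing spaces stays one
# path.
awk '($2!="/data" && $2!="/apps" && !/^#/ && $6 != "0") { print $2 }' /etc/fstab | while read -r PART; do
  find "$PART" -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -ls
done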

Fix world writable:
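#!/bin/sh
# Remove the world-write bit from every world-writable regular file (no sticky
# bit) on the real filesystems in /etc/fstab, excluding /data and /apps.
# '+' batches files into few chmod invocations; while read keeps a mount point
# with spaces intact.
awk '($2!="/data" && $2!="/apps" && !/^#/ && $6 != "0") { print $2 }' /etc/fstab | while read -r PART; do
  find "$PART" -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -exec chmod o-w {} +
done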
 
Fix log permissions:
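# Strip read/execute for "other" from every file under /var/log so unprivileged
# users cannot read logs. '+' batches files into few chmod calls.
# NOTE: a few tools run by ordinary users read /var/log/wtmp and /var/log/lastlog
# (e.g. last, who); if those stop working for non-root users, restore 0664 on
# just those two files.
find /var/log -type f -exec chmod o-rx {} +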
 
Find and log SUID/SGID System executables:
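#!/bin/sh
# Find SUID/SGID files on every real filesystem and mail the list once.
# The original had an unterminated quote in the mail -s subject (the recipient
# became part of the subject and no mail went out) and ran mail inside the loop,
# once per partition. A mktemp name replaces the predictable /tmp/sgidfiles.
# Only /bin/su is excluded; check the rest against what the package manager
# expects (e.g. rpm -V) before removing any bits.
tmp=$(mktemp /tmp/sgidfiles.XXXXXX) || exit 1
awk '(!/^#/ && $6 != "0") { print $2 }' /etc/fstab | while read -r PART; do
  find "$PART" -xdev -type f \( -perm -04000 -o -perm -02000 \) ! -path /bin/su >> "$tmp"
done
mail -s "SUID/SGID files on $(hostname)" pvalentino@sysxperts.com < "$tmp"
echo "List kept in $tmp"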
 
Find unowned files:
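#!/bin/bash
# List files and directories with no matching user or group (typically left
# behind by deleted accounts) on every real filesystem in /etc/fstab.
# while read keeps a mount point with spaces intact; -xdev stays on one fs.
awk '(!/^#/ && $6 != "0") { print $2 }' /etc/fstab | while read -r PART; do
  find "$PART" -xdev \( -nouser -o -nogroup \) -ls
done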
 
FIX unowned files:
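#!/bin/bash
# Give unowned/ungrouped files to root:root so a future account that recycles
# the old uid/gid does not inherit them.
# Setuid/setgid bits on orphaned regular files are stripped first: an orphaned
# setuid binary must not become setuid *root* by this step (Linux clears the
# bits on chown of regular files, but do not rely on that).
# Review the list from the "Find unowned files" variant before running this.
awk '(!/^#/ && $6 != "0") { print $2 }' /etc/fstab | while read -r PART; do
  find "$PART" -xdev -type f \( -nouser -o -nogroup \) -perm /6000 -exec chmod u-s,g-s {} \;
  find "$PART" -xdev \( -nouser -o -nogroup \) -exec chown root:root {} \;
done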

Ubuntu system account shell set to nologin:
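# Give every system account (uid < 500) that still has a real login shell the
# nologin shell. root, halt, sync and shutdown are left alone, as are accounts
# already on /bin/false, /bin/sh or /usr/sbin/nologin. The account list is piped
# straight into the loop; the original staged it in the predictable /tmp/sysaccts.
# The uid threshold is 500 for the releases this was written for; newer
# distributions start regular users at 1000 (see UID_MIN in /etc/login.defs).
awk -F: '($1!="root" && $1!="halt" && $1!="sync" && $1!="shutdown" && $3<500 && $7!="/bin/false" && $7!="/bin/sh" && $7!="/usr/sbin/nologin") {print $1}' /etc/passwd | while read -r slist; do usermod -s /usr/sbin/nologin "$slist"; done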

Redhat system account shell set to nologin:
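# Red Hat variant: set /sbin/nologin on every system account (uid < 500) other
# than root, halt, sync and shutdown that does not already have it. The list is
# piped straight into the loop instead of via the predictable /tmp/sysaccts.
# Check UID_MIN in /etc/login.defs before reusing the 500 threshold elsewhere.
awk -F: '($1!="root" && $1!="halt" && $1!="sync" && $1!="shutdown" && $3<500 && $7!="/sbin/nologin") {print $1}' /etc/passwd | while read -r slist; do usermod -s /sbin/nologin "$slist"; done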



TCP Wrappers Example

 
To log all access to vsftpd and limit all other wrapped services to local networks add something like this to /etc/hosts.allow

vsftpd : ALL \

: spawn /bin/echo $(/bin/date) access granted to %c>>/var/log/vsftpd_access.log

ALL : LOCAL

ALL : 10.

ALL : 192.168.1.

The rules above allow vsftpd access from anywhere (logging each connection), but restrict every other wrapped service to the local machine, to addresses starting with 10. and to addresses starting with 192.168.1. Rules are evaluated in order and the search stops at the first match, so the vsftpd line must stay ahead of the ALL lines or local vsftpd clients would match ALL : LOCAL first and never be logged.
 
Then to enforce denial for all  undefined addresses add the following to /etc/hosts.deny
 
ALL : ALL
If none of the rules in /etc/hosts.allow are matched then the above rule ensures that access is denied, otherwise access would be granted by default.
 

To find wrapped services:
[root@host]# strings -f /usr/sbin/* |grep hosts_access
/usr/sbin/in.tftpd: hosts_access
/usr/sbin/sshd: hosts_access
/usr/sbin/stunnel: hosts_access
/usr/sbin/stunnel: See hosts_access(5) manual for details
/usr/sbin/tcpd: hosts_access_verbose
/usr/sbin/xinetd: hosts_access
[root@host]# strings -f /sbin/* |grep hosts_access
/sbin/auditd: hosts_access
/sbin/portmap: hosts_access_verbose
If you are using Quest Authentication Services (formerly Vintela Authentication Services) you might also check this location:
[root@host]# strings -f /opt/quest/sbin/* |grep hosts_access
/opt/quest/sbin/sshd: @(#) hosts_access.c 1.21 97/02/12 02:13:22


The following expansions are available within shell commands for use with the spawn or twist option as in my vsftpd example above. (The spawn option does not work with the ALL wildcard, hence why I specified the vsftpd separately) I've highlighted the most common and useful expansions below:

       %a (%A) The client (server) host address.

       %c   Client information: user@host, user@address, a host name, or just an address, depending on how much information is available.

       %d  The daemon process name (argv[0] value).

       %h (%H) The  client  (server)  host  name or address, if the host name is unavailable.

       %n (%N) The client (server) host name (or "unknown" or "paranoid").

       %p     The daemon process id.

       %s     Server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available.

       %u     The client user name (or "unknown").

       %%     Expands to a single % character.



HugePages with Oracle example on RHEL 5 with 10g

 
Determine hugepages requirement and kernel parameters (database should be running for this)
The perl script below will first backup the sysctl.conf and limits.conf files, write the new recommended and calculated values to a new version of each file, then write back the changes to the active files.  See comments in script for details of what it does.
 
create file hugemem.pl with content below and run with:
    perl hugemem.pl

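#!/usr/bin/perl -w
# Size HugePages for a running Oracle instance and write the Oracle-recommended
# kernel parameters to /etc/sysctl.conf and the oracle user's limits to
# /etc/security/limits.conf.
#
# The database must be up: the HugePages count is derived from the shared memory
# segments currently allocated (ipcs -m). Both files get a timestamped backup,
# are rewritten to a temp file and then renamed into place. Reboot afterwards
# (or at least `sysctl -p`) so Oracle picks up the new pool and limits.
use strict;
use warnings;
use POSIX qw(strftime);

my $sysctl_conf = '/etc/sysctl.conf';
my $limits_conf = '/etc/security/limits.conf';

# ---- backups ----------------------------------------------------------------
my $timestamp = strftime('%Y%m%d%H%M', localtime);   # no trailing newline, unlike `date`
for my $f ($sysctl_conf, $limits_conf) {
    # List-form system(): no shell. Abort if a backup fails; the live file is
    # about to be replaced.
    system('cp', '-p', $f, "$f.$timestamp") == 0
        or die "Backup of $f failed (exit $?)";
}

# ---- system facts -----------------------------------------------------------
# Kernel major.minor selects the hugepage knob: 2.4 exposes vm.hugetlb_pool (MB),
# everything newer exposes vm.nr_hugepages (page count). The original wrote
# neither on kernels other than 2.4/2.6.
my ($kern) = (`uname -r` =~ /^(\d+\.\d+)/);
defined $kern or die "Cannot parse kernel version from 'uname -r'";
my $legacy_hugetlb_pool = ($kern eq '2.4');

# Hugepagesize in /proc/meminfo is in kB.
my ($hpg_sz) = (`grep Hugepagesize /proc/meminfo` =~ /(\d+)/);
(defined $hpg_sz && $hpg_sz > 0)
    or die "Hugepagesize not found in /proc/meminfo - hugetlbfs not available?";

# Total RAM (kB) from `free`, converted to bytes.
my ($mem_kb) = (`free` =~ /^Mem:\s+(\d+)/m);
defined $mem_kb or die "Cannot parse total memory from 'free'";
my $totmem = $mem_kb * 1024;

# Oracle's primary group id for vm.hugetlb_shm_group.
my $oracle_gid = `id -g oracle`;
chomp $oracle_gid;
$oracle_gid =~ /^\d+$/ or die "Cannot determine primary gid of user 'oracle'";

# ---- derived shared-memory parameters ---------------------------------------
# SHMMAX = 75% of RAM, in bytes. int() because sysctl rejects fractional values.
my $max = int(($totmem * 75) / 100);
# SHMALL as in the original script: SHMMAX / Hugepagesize(kB). kernel.shmall is
# actually counted in PAGE_SIZE pages, so this comes out larger than Oracle's
# minimum (SHMMAX / PAGE_SIZE) - generous rather than harmful.
my $all = int($max / $hpg_sz);

# Sum the bytes of all allocated shared memory segments (all owners, not only
# oracle's), skipping segments whose status column is set (e.g. "dest", being
# torn down). `ipcs -m` columns: key shmid owner perms bytes nattch status.
my $smssum      = 0;
my $past_header = 0;
for my $ipcs_line (`ipcs -m`) {
    chomp $ipcs_line;
    next unless length $ipcs_line;
    if ($past_header) {
        my @cols = split /\s+/, $ipcs_line;
        $smssum += $cols[4] if defined $cols[4] && !$cols[6];
    }
    $past_header++ if $ipcs_line =~ /^key\s/;
}

# Huge pages needed to hold every segment, rounded down to a whole page and
# then one spare page added (the original kept the fraction, which sysctl
# rejects).
my $min_pg = $smssum / ($hpg_sz * 1024);
my $num_pg = int($min_pg) + 1;
# 2.4-style pool size in MB.
my $hugetbl_pool = int(($num_pg * $hpg_sz) / 1024);
# memlock (kB) must cover the whole huge page allocation. Uses the real page
# size instead of the original's hard-coded 2 MB assumption.
my $memlock = $num_pg * $hpg_sz;

# ---- Oracle recommended fixed settings --------------------------------------
my $nproc = 131072;   # limits.conf nproc for oracle

my @sysctl_out = (
    ( $legacy_hugetlb_pool ? [ 'vm.hugetlb_pool', $hugetbl_pool ]
                           : [ 'vm.nr_hugepages', $num_pg ] ),
    [ 'vm.hugetlb_shm_group',          $oracle_gid ],
    [ 'kernel.shmmax',                 $max ],
    [ 'kernel.shmall',                 $all ],   # the original misspelled kernel.* as kernal.* for the next three
    [ 'kernel.sem',                    '250 32000 100 142' ],  # semaphores
    [ 'kernel.shmmni',                 4096 ],                 # max shared memory segments
    [ 'fs.file-max',                   131072 ],               # file handles
    [ 'net.core.rmem_default',         262144 ],               # socket receive buffers
    [ 'net.core.rmem_max',             4194304 ],
    [ 'net.core.wmem_default',         262144 ],               # socket send buffers
    [ 'net.core.wmem_max',             4194304 ],
    [ 'net.ipv4.tcp_rmem',             '4096 262144 4194304' ],
    [ 'net.ipv4.tcp_wmem',             '4096 262144 4194304' ],
    [ 'net.ipv4.ip_local_port_range',  '1024 65000' ],
    [ 'net.ipv4.tcp_keepalive_time',   30 ],    # idle seconds before keepalive probes start
    [ 'net.ipv4.tcp_keepalive_intvl',  60 ],    # seconds between probes
    [ 'net.ipv4.tcp_keepalive_probes', 9 ],
    [ 'net.ipv4.tcp_syn_retries',      2 ],
    [ 'vm.swappiness',                 0 ],     # keep the SGA out of swap
    [ 'vm.dirty_background_ratio',     3 ],     # % of memory dirty before pdflush starts
    [ 'vm.dirty_ratio',                15 ],    # % of memory dirty before writers block
    [ 'vm.dirty_expire_centisecs',     500 ],   # age (1/100 s) at which dirty data is flushed
    [ 'vm.dirty_writeback_centisecs',  100 ],   # pdflush wakeup interval
);
# Keys to strip from the existing sysctl.conf. Both hugepage knobs are dropped
# whatever the kernel: a stale one for the other generation makes `sysctl -p`
# error out.
my %managed = map { $_->[0] => 1 } @sysctl_out;
$managed{'vm.hugetlb_pool'} = $managed{'vm.nr_hugepages'} = 1;

# ---- limits.conf ------------------------------------------------------------
my $new_limits = "$limits_conf.hugemem";
open my $lim_in,  '<', $limits_conf or die "Cannot read $limits_conf: $!";
open my $lim_out, '>', $new_limits  or die "Cannot write $new_limits: $!";
while (my $linel = <$lim_in>) {
    chomp $linel;
    # Replace only oracle's own memlock/nproc entries. The original dropped every
    # line mentioning memlock or nproc, including other users' limits and the
    # explanatory comments.
    next if $linel =~ /^\s*oracle\s+(?:soft|hard|-)\s+(?:memlock|nproc)\b/;
    # Drop the trailing "# End of file" marker so the appended entries are not
    # left after it.
    next if $linel =~ /^\s*#\s*End of file/i;
    print {$lim_out} "$linel\n";
}
close $lim_in;
print {$lim_out} "oracle soft  memlock  $memlock\n";
print {$lim_out} "oracle hard  memlock  $memlock\n";
print {$lim_out} "oracle soft  nproc  $nproc\n";
print {$lim_out} "oracle hard  nproc  $nproc\n";
close $lim_out or die "Cannot write $new_limits: $!";

# ---- sysctl.conf ------------------------------------------------------------
my $new_sysctl = "$sysctl_conf.hugemem";
open my $sys_in,  '<', $sysctl_conf or die "Cannot read $sysctl_conf: $!";
open my $sys_out, '>', $new_sysctl  or die "Cannot write $new_sysctl: $!";
while (my $line = <$sys_in>) {
    chomp $line;
    # sysctl.conf accepts '.' or '/' as separator and leading whitespace;
    # normalise before checking whether this key is one we rewrite.
    if ($line =~ m{^\s*([\w./-]+)\s*=}) {
        (my $key = $1) =~ tr{/}{.};
        next if $managed{$key};
    }
    print {$sys_out} "$line\n";
}
close $sys_in;
print {$sys_out} "$_->[0] = $_->[1]\n" for @sysctl_out;
close $sys_out or die "Cannot write $new_sysctl: $!";

# ---- install ----------------------------------------------------------------
# Keep each live file's mode, then rename the new file over it (atomic, and a
# failure here leaves the backups plus the original untouched).
for my $pair ([ $new_sysctl, $sysctl_conf ], [ $new_limits, $limits_conf ]) {
    my ($new, $live) = @$pair;
    my $mode = (stat $live)[2] & 07777;
    chmod $mode, $new  or die "Cannot chmod $new: $!";
    rename $new, $live or die "Cannot replace $live with $new: $!";
}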


/etc/sysctl.conf will be updated with similar output to below:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.


# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes

# Controls the maximum number of shared memory segments, in pages

vm.nr_hugepages = 4002
vm.hugetlb_shm_group = 1034

kernel.shmmax = 28450271232
kernel.shmall = 13891734
kernel.sem = 250 32000 100 142
kernel.shmmni = 4096
fs.file-max = 131072
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 4194304
net.ipv4.tcp_rmem = 4096 262144 4194304
net.ipv4.tcp_wmem = 4096 262144 4194304
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_syn_retries = 2
vm.swappiness = 0
vm.dirty_background_ratio = 3
vm.dirty_ratio = 15
vm.dirty_expire_centisecs = 500
vm.dirty_writeback_centisecs = 100


sysctl -p  #run this to activate new kernel parameters  
Example limits.conf output

oracle  soft    nofile  4096
oracle  hard    nofile  65536

oracle soft  memlock  8196096
oracle hard  memlock  8196096
oracle soft  nproc  131072
oracle hard  nproc  131072

   
Reboot after these changes to ensure that oracle can obtain the new hugepages settings and limits.conf settings etc.
 
Also, if your sga is set too small and you need to update your spfile be sure to rerun this script after you've updated and restarted your database.  You will most likely need to try various settings and run through a few iterations to obtain the best configuration/performance.
 
vm.overcommit_memory settings #for VM's:
    0 =  kernel estimates amount of free memory left when userspace requests more
    1 =  kernel pretends there is always enough until it runs out
    2 =  never overcommit
 
Check dirty pages and adjust vm.dirty_background_ratio and vm.dirty_ratio on a VM accordingly
    grep -A 1 dirty /proc/vmstat  #the lower the numbers the better
 
Example spfile for a large-memory system. Review before reusing it: O7_DICTIONARY_ACCESSIBILITY=true lets users holding ANY-type system privileges (SELECT ANY TABLE, ...) reach SYS-owned dictionary objects; Oracle's default and the usual hardening baselines are FALSE unless a legacy application depends on it.

*._b_tree_bitmap_plans=false
*._column_elimination_off=TRUE
*.audit_file_dest='/oracle/admin/test/audit'
*.audit_trail='os'
*.background_dump_dest='/oracle/admin/test/bdump'
*.compatible='9.2.0'
*.control_files='/testdata01/test/testctrl1','/testdata01/test/testctrl2','/
oracle/admin/test/cfile/testctrl3'
*.core_dump_dest='/oracle/admin/test/cdump'
*.db_block_size=32768
*.db_cache_size=26214400000
*.db_file_multiblock_read_count=32
*.db_files=500
*.db_keep_cache_size=21474836480
*.db_name='test'
*.java_pool_size=20971520
*.job_queue_processes=4
*.large_pool_size=10485760
*.log_buffer=1048576
*.O7_DICTIONARY_ACCESSIBILITY=true
*.open_cursors=512
*.optimizer_index_caching=10
*.optimizer_index_cost_adj=80
*.parallel_max_servers=12
*.parallel_min_servers=0
*.pga_aggregate_target=16777216000
*.processes=125

*.query_rewrite_enabled='FALSE'
*.query_rewrite_integrity='stale_tolerated'
*.remote_login_passwordfile='EXCLUSIVE'
*.resource_limit=true
*.sga_max_size=45G
*.shared_pool_size=125M
*.star_transformation_enabled='true'
*.timed_statistics=true
*.undo_management='auto'
*.undo_retention=18000
*.undo_tablespace='undo'
*.user_dump_dest='/oracle/admin/test/udump'


RecoverPoint Bookmark example

  

Generate the key pair on the db server with `ssh-keygen` as the user that will run the bookmark commands; the private key (/home/user/.ssh/id_dsa, mode 0600) stays on that host and is never copied or pasted anywhere - only the public key leaves it. Note that DSA keys are disabled by default in OpenSSH 7.0 and later, so use an RSA (or ed25519) key if the Clariion/RecoverPoint side accepts one.

-----BEGIN DSA PRIVATE KEY-----
Key Here
-----END DSA PRIVATE KEY-----

 

put public key from id_dsa.pub into your Clariion management interface with:

 add_ssh_key # and enter name of your db server

 

 

Test connectivity to the Clariion management interface from the DB server with:

# ssh adminuser@<w.x.y.z> get_version

 

Create a bookmark - this is for Oracle_DB example:

# ssh adminuser@<w.x.y.z> bookmark_image group=Oracle_DB bookmark=Test1_snap

 

So you could now do something like:
 
alter database|tablespace begin backup;
ssh adminuser@<w.x.y.z> bookmark_image group=Oracle_DB bookmark=Oracle_7AM_snap
alter database|tablespace end backup;
 
Then expose your recoverpoint luns to the server on DR side and perform the remaining backup steps there.


RecoverPoint Bookmark example

  

Generate the key pair on the db server with `ssh-keygen` as the user that will run the bookmark commands; the private key (/home/user/.ssh/id_dsa, mode 0600) stays on that host and is never copied or pasted anywhere - only the public key leaves it. Note that DSA keys are disabled by default in OpenSSH 7.0 and later, so use an RSA (or ed25519) key if the Clariion/RecoverPoint side accepts one.

-----BEGIN DSA PRIVATE KEY-----
Key Here
-----END DSA PRIVATE KEY-----

 

put public key from id_dsa.pub into your Clariion management interface with:

 add_ssh_key # and enter name of your db server

 

 

Test connectivity to the Clariion management interface from the DB server with:

# ssh adminuser@<w.x.y.z> get_version

 

Create a bookmark - this is for Oracle_DB example:

# ssh adminuser@<w.x.y.z> bookmark_image group=Oracle_DB bookmark=Test1_snap

 

So you could now do something like:
 
alter database|tablespace begin backup;
ssh adminuser@<w.x.y.z> bookmark_image group=Oracle_DB bookmark=Oracle_7AM_snap
alter database|tablespace end backup;
 
Then expose your recoverpoint luns to the server on DR side and perform the remaining backup steps there.


UNIX Random Tips -  sorry Linux Tips is what I really meant


Make dated backup files easy with a profile update
in /home/user/.bash_profile add:
TIME=$(date +%Y%m%d%H%M%S)
export TIME
    of course change the date and time stamp to whatever format you prefer
    then to backup a file with the timestamp just use:
cp /path/to/file /path/to/backup/filename.$TIME
   and file will be saved with the timestamp provided you have sourced your .bash_profile or logged in again.

or even better use tar gzip:
TIME=$(date +%Y%m%d%H%M)
tarfile=bak/named-$TIME.tgz
tar zcvf $tarfile /path/to/filesandfolders

Test logrotate
    logrotate -f /etc/logrotate.conf

Establish ssh tunnel to vncserver
    ssh -L 5901:vncserver:5901 server
    vncviewer localhost:5901 should result in tunneled connection to vncserver

Push ssh into background and do not execute remote command:
    ssh -Nf vncserver 5901:vncserver:5901

Kill vncserver with: vncserver -kill :1
   

Setting SGID and Sticky permissions so that the group ownership on all files created in a directory will be set the the group owner and so that one user cannot remove another's files with:
    chmod 3770 /path/to/folder

Check if a service is SELinux aware

    semanage fcontext -l |grep <service i.e. samba>
    check for booleans:
    getsebool -a |grep <service>
    set booleans:    
    setsebool -P <boolean> on|off for example setsebool -P samba_enable_home_dirs on
    ls -ZR /path # determine security context of directory or file

Service status -  service --status-all
                             chkconfig --list

Useful man pages

    man -k proxy |grep selinux
    man -k http |grep selinux
    makewhatis &

Check if service is libwrapped with TCP Wrappers 

ldd $(which <service>) |grep libwrap      # or: ldd `which <service>` |grep libwrap
strings $(which <service>) |grep hosts    # or: strings `which <service>` |grep hosts
(the earlier ${which <service>} spelling is a "bad substitution" error - command substitution is $(...) or backticks)

Remount a filesystem that has locks

fuser -km /mountpount #kill active sessions and locks 
umount /mountpoint  #unmount (alternatively unmount the device with umount /dev/...)
mount -a # to remount

SSH Tunneling Example

on the shellserver run:
  ssh -v -L 1110:popserver:110 shellserver
 
  nc localhost 1110
connects to popserver on port 110 via localhost port 1110, so the POP session rides the encrypted ssh tunnel instead of crossing the network in clear text
 

Reverse SSH Tunnel Example

add the following to ~/.ssh/config
 
 Host  remoteserver  #i.e. linux server at home
    Hostname  ip.of.rem.server
    RemoteForward 2222 localhost:22
    User   pvalentino
 
  ssh remoteserver
 
  ping anotherserver  #this helps keep the connection active
 
  ssh -p 2222 pvalentino@localhost
 
you are now connected to the linux server in the office through the firewall with a secure shell

Determine disk used versus available on Linux:

df -Pkl |grep -v shm|awk ' { used += $3/1024/1024 } END { printf("%d Gb total used", used)}'
df -Pkl |grep -v shm|awk ' { avail += $2/1024/1024 } END { printf("%d Gb total avail", avail)}'
edit the grep -v command to exclude any directories that you don't want included i.e. grep -v 'shm backup' would exclude any directories with names including shm or backup.  if that syntax doesn't work try adding a second grep -v as |grep -v shm|grep -v backup|....  also omit the "l" in df -Pkl for AIX

Sort user accounts are on server  - getent passwd |sort -t ":" -k 3 -g

Speedier sftp transfer at the expense of security (blowfish-cbc is a legacy cipher that OpenSSH no longer enables by default and has since removed in the 7.x series, so this may fail; on current OpenSSH the fast choices are the AEAD ciphers aes128-gcm@openssh.com or chacha20-poly1305@openssh.com, which give up nothing on security):

sftp -oCipher=blowfish-cbc host:/path


Format a swap partition:

mkswap /dev/sda5

in fstab  add /dev/sda5         swap                    swap    defaults        0 0

swapon -a
or via a file:
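dd if=/dev/zero of=/swapfile bs=1M count=1024
# The swap file must not be world-readable: it ends up holding memory pages of
# every process on the box, and dd creates it 0644 under the usual umask.
chmod 600 /swapfile
# mkswap's trailing size argument is deprecated; the file size is used.
mkswap /swapfile
# in fstab add:  /swapfile   swap    swap  defaults 0 0
swapon -a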

 

Create a large 2GB file for test purposes:

dd if=/dev/zero of=largefile bs=1M count=2048

 

Rsync example:

client initiated

rsync -av -e ssh server1:/usr/local/cvsroot/ /usr/local/cvsroot >> /tmp/cvs_rsync_log

server initiated

rsync -av -e ssh  /usr/local/cvsroot/ server1:/usr/local/cvsroot >> /tmp/cvs_rsync_log

 

Pattern replace for multiple files example:

to replace pattern server with pattern server-tst in all files containing .properties in the current directory and below:

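# Replace the first "server" on each line with "server-tst" in every
# *.properties* file below the current directory. The original line was garbled
# (a stray "$i |" and a pipe into mv). -print0 / read -d '' keep odd filenames
# intact; mv only runs if sed succeeded, so a failed edit cannot clobber a file.
find . -name '*.properties*' -type f -print0 | while IFS= read -r -d '' i; do sed -e 's/server/server-tst/' "$i" > "$i.1" && mv -f "$i.1" "$i"; done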

 

Mail Attachments:

mutt -s "Subject" -a picture.jpg user@mydomain.com

 

Count Files in a Directory recursively:

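# Count regular files under YOURDIR recursively (the original had a broken-bar
# character '¦' where the pipe belongs).
find YOURDIR -type f | wc -l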

 

Install Kernel Source and headers on Ubuntu:

use `sudo passwd root` to give root a password and enable direct root login - or, preferably, keep the root account locked and get a root shell with `sudo -i` instead of the `su -` below

su -

apt-get install build-essential linux-headers-`uname -r`


remove comments and blank lines with:

grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

change uid example:

lgroupmod -g 712 groupname
usermod -u 712 -U username

Create users with specific uid and groupid:

To create an oracle user (only required on an Oracle server):

    groupadd -g 502 oinstall ; useradd –m -u 500 -g oinstall oracle ; echo "password" |passwd --stdin oracle

 

To create a standard user:

     groupadd -g 701 [groupname] ; useradd -m -u 701 -g [groupname] [username] ; echo "password"|passwd --stdin [username]


CHANGE UID's and ownership of files on entire fs:

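# Re-own every file of the old numeric uid on the root filesystem (-mount keeps
# find on this filesystem). -uid takes the number directly, which matters after
# usermod -u when the old uid no longer maps to a name; -print0/xargs -0 keep
# paths with spaces intact.
find / -mount -uid UID -print0 | xargs -0 chown newowner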

This variation changes the group ownership:
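# Same for the group: -gid matches the numeric id even if it no longer resolves,
# and -print0/xargs -0 survive paths with spaces.
find / -mount -gid GID -print0 | xargs -0 chgrp newgroup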

Find files modified more than x days ago:
find / -mount -mtime +3

Find faulty permissions
    find /  \( -nouser -o -nogroup \)  # files and directories with no matching user or group in passwd
    find / -type f -perm 002  #files writable by other group
    find / -type d -perm -2    #directories writable by other

Fixing Duplicate RPM's:

rpm -qa --queryformat "%{NAME}-%{VERSION}-%{ARCH} \\n" | grep <packagename> | sort
then remove the one not needed - may need to fix the packagename a little for it to work....
rpm -e bluez-libs-2.10-i386
rpm -e bluez-libs-2.10-x86_64

may need to be changed to:
rpm -e bluez-libs-2.10-2.i386
rpm -e bluez-libs-2.10-2.x86_64

Install megaraid driver from SRPM example:

Install megaraid driver

download driver from

http://www-304.ibm.com/jct01004c/systems/support/supportsite.wss/license?filename=system_
x/lsi_dd_megasas_00.00.03.06_rhel4_32-64.tgz&root=/systems/support/&brandind=5000008

sftp the drivers over to server and extract them with tar zxvf *.tgz

go to SRPM folder and install with rpm -ivh *.rpm

cd to /usr/src/redhat

export BUILD_KERNEL="2.6.9-55.ELsmp"  #2.6.9-55.ELsmp is result of uname -r

rpmbuild -bb SPECS/megaraid_sas.spec

rpm -ivh /RPMS/x86_64/lsi-megaraid_sas-smp-00.00.03.06_2.6.9_55.EL-0.x86_64.rpm

rpm -ivh /RPMS/x86_64/lsi-megaraid_sas-smp-debuginfo-00.00.03.06_2.6.9_55.EL-0.x86_64.rpm

Copy or Cut and Paste in VIM

Cut and Paste:
  • Place the cursor at the beginning of the block you want to CUT.
  • Mark it with md
  • Go to the end of the block.
  • Cut it with d'd
  • Go to the new location that you want to PASTE the text.
  • Enter P (shift-p).

Copy and Paste:
  • Place the cursor at the beginning of the block you want to COPY.
  • Mark it with my
  • Go to the end of the block.
  • Copy it with y'y
  • Go to the new location that you want to paste the text.
  • Press P (shift-p).

Replace one character with another for an entire file:

cat <filename> | tr \" \' > <outfilename>  #  will replace all "  with '  in <filename> and output to <outfilename>

Finding Services on my network i.e. Servers running MySQL:

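# Version-scan port 3306 across the 192.168.1.0/24 range. nmap target ranges
# need all four octets; the original "192.168.1-254" is missing one.
nmap -sV -p 3306 192.168.1.1-254 > MySQLhosts.out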
nmap options
    -sS   # TCP SYN (half-open) scan
    -sU #UDP scan
    -sR  #RPC/portmap
    -A    #OS and version detection
    -v     #verbose
    -Pn   # skip the host-discovery ping (-P0 is the old spelling of this option)
    -p      #port

    will locate all servers running mysql on default port 3306 on the class C 192.168.1.x network
    Just open the MySQLhosts.out file to find hosts that are not in closed state

Find files that are filling up disk space:

cd to dir that is filling up
     du -sk * | sort -nr | more
list files and directories in order of space they occupy

Updating Kernel parameters on Linux:

Edit /etc/sysctl.conf  for example:
kernel.sysrq = 0
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.shmmin = 1
kernel.shmseg = 10
kernel.sem = 250 32000 100 128
fs.file-max = 104032
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_fin_timeout = 15
net.core.rmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

Run
    sysctl -p  # this loads the parameters from changes made to sysctl.conf
    ipcs -l  # lists the parameters

Set date and time:

date MMDDhhmm.ss

Crontab:

*     *   *   *    *  command to be executed
-     -    -    -    -
|     |     |     |     |
|     |     |     |     +----- day of week (0 - 6) (Sunday=0)
|     |     |     +------- month (1 - 12)
|     |     +--------- day of month (1 - 31)
|     +----------- hour (0 - 23)
+------------- min (0 - 59)

Changing linux prompt in profile

in ~/.bash_profile add:
PS1="\[\033[1;32m\]\u@\[\033[1;33m\]\h \[\033[1;34m\]\${PWD} $\[\033[0m\] "

What is my ip?   /sbin/ifconfig or /sbin/ip addr
What is my mac? /sbin/ip link   (ip maddr lists multicast group addresses, not the interface MAC)




JBoss startup using init.d and /etc/jbtab

 
Assumes that all jboss apps live in /apps/jboss/default/server/....   where default is a link to the current version of jboss and all start/stop scripts follow the startJBoss.sh and stopJBoss.sh convention
 
/etc/jbtab:

# JBoss Instance        Username
myapp1       jbadmin
myapp2                     jbadmin
myapp3          jbadmin
 
 
init.d/jboss

#!/bin/sh
#
# JBoss init script: start/stop the JBoss instances listed in /etc/jbtab, each
# as the user named on its jbtab line.
#chkconfig: 2345 97 05
#description: JBoss Application Server

# Source the distribution's init function library. Without it there is nothing
# useful this script can do, so leave quietly.
if [ -f /etc/init.d/functions ]; then
        . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ]; then
        . /etc/rc.d/init.d/functions
else
        exit 0
fi

# An optional second argument names a single instance; otherwise act on all.
[ -n "$2" ] && APP_NAME=$2

start () {
        TABLINE=`grep "^$APP_NAME" /etc/jbtab`

        if [ -z "$TABLINE" ]; then
                echo "Application not found in jbtab: $APP_NAME"
                exit 1
        fi

        AGENT_USER=`echo $TABLINE | awk '{print $2}'`
        APP_HOME=/apps/jboss/default/server/$APP_NAME/bin

        echo -n "Starting $APP_NAME: "

        # start daemon
        su - ${AGENT_USER} -c "cd ${APP_HOME}; ./startJBoss.sh"
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch /var/lock/subsys/$APP_NAME
        return $RETVAL
}

stop () {
        TABLINE=`grep "^$APP_NAME" /etc/jbtab`

        if [ -z "$TABLINE" ]; then
                echo "Application not found in jbtab: $APP_NAME"
                exit 1
        fi

        AGENT_USER=`echo $TABLINE | awk '{print $2}'`
        APP_HOME=/apps/jboss/default/server/$APP_NAME/bin

        # stop daemon
        echo -n "Stopping $APP_NAME: "
        su - ${AGENT_USER} -c "cd ${APP_HOME};./stopJBoss.sh"
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch /var/lock/subsys/$APP_NAME
        return $RETVAL
}

restart() {
        stop
        start
}

case $1 in
        start)
                if [ -z "$2" ]; then
                        echo "WARNING: Operating on all instances, will proceed in 5 seconds"
                        sleep 5

                        for a in `cat /etc/jbtab | grep -v '^#' | awk '{print $1}'`; do
                                APP_NAME=$a
                                #echo "Would have started $APP_NAME"
                                start
                        done
                else
                        APP_NAME=$2
                        start
                fi
        ;;
        stop)
                if [ -z "$2" ]; then
                        echo "WARNING: Operating on all instances, will proceed in 5 seconds"
                        sleep 5

                        for a in `cat /etc/jbtab | grep -v '^#' | awk '{print $1}'`; do
                                APP_NAME=$a
                                #echo "Would have stopped $APP_NAME"
                                stop
                        done
                else
                        APP_NAME=$2
                        stop
                fi
        ;;
        restart|reload)
                if [ -z "$2" ]; then
                        echo "Restart only operates on one instance at a time."
                        echo "Please specify instance after restart keyword."
                        exit 1
                else
                        APP_NAME=$2
                        restart
                fi
        ;;
        *)

        echo "Usage: $prog {start|stop|restart} <appname>"
        echo "If no appname is specified all apps in /etc/jbtab will be acted upon"
        exit 1
esac

exit $RETVAL

 
 
example startup script startJboss.sh:
 

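#!/bin/bash
### ====================================================================== ###
##                                                                          ##
##  JBoss Bootstrap Script                                                  ##
##                                                                          ##
### ====================================================================== ###
#
# Stops any instance recorded in the server's pid file, rotates its logs and
# launches org.jboss.Main for the server configuration whose bin/ directory
# this script lives in.  It uses [[ ]] and (( )), so it needs bash rather
# than a plain POSIX /bin/sh.

echo "Starting JBoss"

PROGNAME=`basename $0`
whoiam=$(/usr/bin/id --user --name)
if [[ "$whoiam" != "jbadmin" ]]
then
    echo "$PROGNAME: This script must be run as jbadmin."
    # exit codes are 0-255; "exit -1" is invalid and just comes out as 255
    exit 1
fi

export JAVA_HOME="/apps/java/default"
export JBOSS_HOME="/apps/jboss/default"
export PATH=${JAVA_HOME}/bin:${PATH}
JAVA=${JAVA_HOME}/bin/java

# make the JBOSS_HOME the real path not a symbolic link.
WD=$(/bin/pwd)
cd "${JBOSS_HOME}" || { echo "$PROGNAME: cannot cd to ${JBOSS_HOME}"; exit 1; }
jb=$(/bin/pwd)
export JBOSS_HOME="$jb"
cd "$WD"

CLASSPATH="${JAVA_HOME}/lib/tools.jar"
export CLASSPATH

# trick to find which server we are running
WD=$(/bin/pwd)

case "${0}" in
    /*)
        cmdDir=$(dirname "$0")
        ;;
    *)
        cmdDir=$(dirname "${WD}/$0")
        ;;
esac

cd "$cmdDir" || { echo "$PROGNAME: cannot cd to ${cmdDir}"; exit 1; }
wrkDir=$(/bin/pwd)
SERVER=$(echo $wrkDir| sed -e "s^${JBOSS_HOME}/server/^^" | sed -e "s^/.*^^")
SERVERDIR="${JBOSS_HOME}/server/${SERVER}"
# If we are not under $JBOSS_HOME/server/<name>/bin the sed above leaves the
# whole path in SERVER; refuse rather than kill/rotate/launch with a junk name.
if [[ -z "$SERVER" || "$SERVER" == */* || ! -d "$SERVERDIR" ]]
then
    echo "$PROGNAME: cannot determine server configuration from $wrkDir"
    exit 1
fi
pid=${SERVERDIR}/${SERVER}.pid
APPDIR="/apps/$SERVER/server"
LOGDIR="/log/$SERVER"
LOGFILE="${LOGDIR}/${SERVER}.log"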

#
# Helper to complain: prints "<script name>: <message>" on stdout.
#
warn() {
        printf '%s: %s\n' "${PROGNAME}" "$*"
}

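#
# Helper to puke: report the message through warn and exit non-zero.  "$@"
# keeps the caller's words (and their spacing) intact where the old $* let the
# shell re-split them.
#
die() {
        warn "$@"
        exit 1
}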

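# The properties file for setting up hostIp, jvmDebugPort, and jmxRemotePort.
# It is *sourced*, i.e. executed as shell code under the jbadmin account, so it
# must be owned by jbadmin or root and writable by nobody else; otherwise
# whoever can edit it runs arbitrary commands as jbadmin at every start.
setup="$APPDIR/${SERVER}/${SERVER}-server.properties"

if [[ -f ${setup} ]]
then
        setup_owner=$(stat -c %U "${setup}")
        setup_mode=$(stat -c %a "${setup}")
        # leading 0 makes bash read stat's mode as octal; 022 = group/other write
        if [[ "$setup_owner" != "jbadmin" && "$setup_owner" != "root" ]] || (( 0$setup_mode & 022 ))
        then
                die "Refusing to source ${setup}: must be owned by jbadmin or root and not group/world writable."
        fi

        echo "Reading server setup from ${setup}"
        hostIp=""
        source "${setup}"

    if [[ ! $hostIp ]]
    then
        # The host IP must exist on the server properties file.
        die "Mandatory host IP is not found in $setup."
    fi
else
        die "Mandatory setup file (${setup}) does not exist.  Aborting."
fi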

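# Use the maximum available, or set MAX_FD != -1 to use that
MAX_FD="maximum"

# Increase the maximum file descriptors if we can
# ulimit -n 1024

# Setup the classpath
runjar="$JBOSS_HOME/bin/run.jar"
if [ ! -f "$runjar" ]; then
        die "Missing required file: $runjar"
fi
JBOSS_BOOT_CLASSPATH="$runjar"

# Include the JDK javac compiler for JSP pages. The default is for a Sun JDK
# compatible distribution which JAVA_HOME points to
if [ "x$JAVAC_JAR" = "x" ]; then
        JAVAC_JAR="$JAVA_HOME/lib/tools.jar"
fi

if [ "x$JBOSS_CLASSPATH" = "x" ]; then
        JBOSS_CLASSPATH="$JBOSS_BOOT_CLASSPATH:$JAVAC_JAR"
else
        JBOSS_CLASSPATH="$JBOSS_CLASSPATH:$JBOSS_BOOT_CLASSPATH:$JAVAC_JAR"
fi

CLASSPATH="$JBOSS_CLASSPATH"

# JDWP with server=y and a bare port listens on every interface and takes any
# client: a remote debugger can run arbitrary code inside the JVM.  Only set
# jvmDebugPort where that port is unreachable from outside the host.
if [ "x$jvmDebugPort" = "x" ] ; then
        DEBUG_OPTS=""
else
        DEBUG_OPTS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=${jvmDebugPort},server=y,suspend=n"
fi

# Remote JMX.  The previous version switched authentication and SSL *off*,
# which hands an unauthenticated MBean server - effectively remote code
# execution - to anyone who can reach the port.  Keep both on; the JDK then
# needs its jmxremote.password / jmxremote.access files and a keystore before
# the port will come up, which is the point.
if [ "x$jmxRemotePort" = "x" ] ; then
        JMX_OPTS=""
else
        JMX_OPTS="-Dcom.sun.management.jmxremote"
        JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.port=${jmxRemotePort}"
        JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.authenticate=true"
        JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.ssl=true"
fi

# don't use JMX or DEBUG on this server
DEBUG_OPTS=""
JMX_OPTS=""

LOG_OPTS="-Dlog4j.debug=true"

# set MaxPermSize to avoid  "java.lang.OutOfMemoryError: PermGen" space error
# gcInterval time is set to avoid excessive CPU usage for garbage collection
# recommendations are between ten minutes (600000) & one hour (3600000)
# see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6200091
#
JAVA_MEM="-Xms128m -Xmx512m -XX:MaxPermSize=64m -Dsun.rmi.dgc.client.gcInterval=600000 -Dsun.rmi.dgc.server.gcInterval=600000"
SERVER_OPTS="-server"
# any JAVA_OPTS already in the environment are appended, so they win on conflicts
JAVA_OPTS="${SERVER_OPTS} ${JAVA_MEM} ${DEBUG_OPTS} ${JMX_OPTS} ${JAVA_OPTS}"
# sets up LDAP pools
# add this if you want to debug the pools
# -Dcom.sun.jndi.ldap.connect.pool.debug=fine
#LDAP="-Dcom.sun.jndi.ldap.connect.pool=true -Dcom.sun.jndi.ldap.connect.pool.initsize=20 -Dcom.sun.jndi.ldap.connect.pool.prefsize=20 -Dcom.sun.jndi.ldap.connect.pool.maxsize=100 -Dcom.sun.jndi.ldap.connect.pool.timeout=30000"


# Setup JBoss sepecific properties
#JAVA_OPTS="-Dprogram.name=${SERVER} $JAVA_OPTS ${LDAP}"
JAVA_OPTS="-Dprogram.name=${SERVER} -Dlog.dir=${LOGDIR} $JAVA_OPTS"

# Setup the java endorsed dirs
JBOSS_ENDORSED_DIRS="$JBOSS_HOME/lib/endorsed"

#ARGS="-Dhostname=$HOSTNAME -Ddata.dir=/data/${SERVER} -Dlog.dir=/log/${SERVER}"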

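# Stop a running instance.  The pid file is trusted only after checking that it
# holds a number belonging to a live java process: a stale or edited pid file
# would otherwise have us sending SIGTERM to some unrelated jbadmin process
# (for example another instance).
JBOSS_PID=""
if [[ -f $pid ]]
then
        JBOSS_PID=$(cat "$pid")
        if [[ ! $JBOSS_PID =~ ^[0-9]+$ ]]
        then
                warn "ignoring pid file $pid: contents are not a pid"
                JBOSS_PID=""
        elif [[ "$(ps -o comm= -p "$JBOSS_PID" 2>/dev/null)" != "java" ]]
        then
                JBOSS_PID=""
        fi
fi

r=1
if [[ -n $JBOSS_PID ]]
then
        kill "$JBOSS_PID" 2>/dev/null
        r=$?
fi
if (( r == 0 ))
then
        /bin/echo -n "shutdown running instance"
fi
# Wait for it to go away, but give up after a bounded time instead of looping
# forever as before; a half-stopped instance and a fresh one fighting over
# the same ports is worse than failing loudly.
waited=0
while (( r == 0 ))
do
        /bin/echo -n "."
        sleep 3
        waited=$((waited + 3))
        kill "$JBOSS_PID" 2>/dev/null
        r=$?
        if (( r == 0 && waited >= 300 ))
        then
                /bin/echo
                die "instance pid $JBOSS_PID did not exit within ${waited}s; not starting a second copy."
        fi
done

echo "rotate server logs"
[[ -d $LOGDIR ]] || die "log directory $LOGDIR does not exist"
touch "${LOGFILE}1"
/bin/mv -f  "${LOGFILE}1" "${LOGFILE}2"
touch "${LOGFILE}0"
/bin/mv -f  "${LOGFILE}0" "${LOGFILE}1"
touch "${LOGFILE}"
/bin/mv -f  "${LOGFILE}" "${LOGFILE}0"
touch "${LOGFILE}"

/bin/echo

# Display our environment
echo "========================================================================="
echo ""
echo "  JBoss Bootstrap Environment"
echo ""
echo "  SERVER: $SERVER"
echo "  Host IP: $hostIp"
echo "  JVM Debug Port: $jvmDebugPort"
echo "  JMX Remote Port: $jmxRemotePort"
echo ""
echo "  JBOSS_HOME: $JBOSS_HOME"
echo ""
echo "  JAVA: $JAVA"
echo ""
echo "  LOGFILE: $LOGFILE"
echo ""
echo "  JAVA_OPTS: $JAVA_OPTS $LOG_OPTS"
echo ""
#echo "  ARGUMENTS: $ARGS"
#echo ""
echo "  CLASSPATH: $CLASSPATH"
echo ""
echo "========================================================================="
echo ""

# --host=${hostIp} is the address JBoss binds its listeners to; a hostIp of
# 0.0.0.0 would bind every interface, so keep it to the one address the
# instance should be reachable on.
# Execute the JVM in the background
"$JAVA" $JAVA_OPTS $LOG_OPTS \
    -Djava.endorsed.dirs="$JBOSS_ENDORSED_DIRS" \
    -classpath "$CLASSPATH" \
    ${ARGS} \
    org.jboss.Main "--host=${hostIp}" "--configuration=${SERVER}" > "$LOGFILE" 2>&1 &
JBOSS_PID=$!

echo $JBOSS_PID > "$pid"
echo "You can follow along at home by running:"
echo "tail -f $LOGFILE"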


example shutdown script stopJBoss.sh:

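#!/bin/bash
### ====================================================================== ###
##                                                                          ##
##  JBoss Shutdown Script                                                   ##
##                                                                          ##
### ====================================================================== ###
#
# Asks the instance whose bin/ directory holds this script to shut down via
# org.jboss.Shutdown against its JNDI port (hostIp:1099).  It uses [[ ]], so
# it needs bash rather than a plain POSIX /bin/sh.

echo "Stopping JBoss"

PROGNAME=`basename $0`
whoiam=$(/usr/bin/id --user --name)
if [[ "$whoiam" != "jbadmin" ]]
then
        echo "$PROGNAME: This script must be run as jbadmin."
        # exit codes are 0-255; "exit -1" is invalid and just comes out as 255
        exit 1
fi

export JAVA_HOME="/apps/java/default"
export JBOSS_HOME="/apps/jboss/default"
export PATH=${JAVA_HOME}/bin:${PATH}
JAVA=${JAVA_HOME}/bin/java

# make the JBOSS_HOME the real path not a symbolic link.
WD=$(/bin/pwd)
cd "${JBOSS_HOME}" || { echo "$PROGNAME: cannot cd to ${JBOSS_HOME}"; exit 1; }
jb=$(/bin/pwd)
export JBOSS_HOME="$jb"
cd "$WD"

CLASSPATH="${JBOSS_HOME}/bin/shutdown.jar:${JBOSS_HOME}/client/jbossall-client.jar"
export CLASSPATH

# trick to find which server we are running
WD=$(/bin/pwd)

case "${0}" in
    /*)
        cmdDir=$(dirname "$0")
        ;;
    *)
        cmdDir=$(dirname "${WD}/$0")
        ;;
esac

cd "$cmdDir" || { echo "$PROGNAME: cannot cd to ${cmdDir}"; exit 1; }
wrkDir=$(/bin/pwd)
SERVER=$(echo $wrkDir| sed -e "s^${JBOSS_HOME}/server/^^" | sed -e "s^/.*^^")
SERVERDIR="${JBOSS_HOME}/server/${SERVER}"
pid=${SERVERDIR}/${SERVER}.pid
LOGFILE="${SERVERDIR}/log/${SERVER}.log"
APPDIR="/apps/$SERVER/server"

#
# Helper to complain.
#
warn() {
        echo "${PROGNAME}: $*"
}

#
# Helper to puke.  "$@" keeps the caller's words intact where $* let the
# shell re-split them.
#
die() {
        warn "$@"
        exit 1
}

# The properties file for setting up hostIp, jvmDebugPort, and jmxRemotePort.
# It is sourced, i.e. run as shell code under the jbadmin account, so refuse it
# unless it is owned by jbadmin or root and writable by nobody else.
setup="$APPDIR/${SERVER}/${SERVER}-server.properties"

if [[ -f ${setup} ]]
then
        setup_owner=$(stat -c %U "${setup}")
        setup_mode=$(stat -c %a "${setup}")
        # leading 0 makes bash read stat's mode as octal; 022 = group/other write
        if [[ "$setup_owner" != "jbadmin" && "$setup_owner" != "root" ]] || (( 0$setup_mode & 022 ))
        then
                die "Refusing to source ${setup}: must be owned by jbadmin or root and not group/world writable."
        fi

        echo "Reading server setup from ${setup}"
        hostIp=""
        source "${setup}"

    if [[ ! $hostIp ]]
    then
        # The host IP must exist on the server properties file.
        die "Mandatory host IP is not found in $setup."
    fi
else
        die "Mandatory setup file (${setup}) does not exist.  Aborting."
fi

# Shutdown talks to the JNDI/RMI port.  Unless the naming service is secured,
# anyone who can reach hostIp:1099 can issue this same call, so keep that port
# firewalled.  Extra arguments (for example -u/-p credentials when JNDI
# security is on) are passed through verbatim.
JBOSS_SERVER="${hostIp}:1099"
echo "Stopping server: $SERVER on $hostIp"
${JAVA} -classpath "$CLASSPATH" org.jboss.Shutdown --server="$JBOSS_SERVER" "$@"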



Oracle Install Tips

Oracle Install Tips - 10g on RHEL5

 
Install requisite packages

yum -y install setarch-2*

yum -y install make-3*
yum -y install glibc-2*
yum -y install libaio-0*
yum -y install compat-libstdc++-33-3*
yum -y install compat-gcc-34-3*
yum -y install compat-gcc-34-c++-3*
yum -y install gcc-4*
yum -y install libXp-1*
yum -y install openmotif-2*
yum -y install compat-db-4*


Base X
Binutils, compat-db, compat-gcc-34, compat-gcc-34-c++, compat-libstdc+
  +-33, elfutils-libelf-devel, gdd, gdd-c++, gdb, gdbm, glibc, glibc-
  common, glibc-devel, ksh, libXp, libXtst, libaio, libaio-devel, libgcc,
  libgnome, libstdc++, libstdc++-devel, make, setarch, sysstat,
  unixODBC, unixODBC-devel, util-linux, xorg-x11-xinit, compat-libstdc+
  +-296
32 bit packages for 64 bit installation: glibc-devel, libaio, glibc, libgcc,
  compat-libstdc++, openssl, libXp, libXtst

Update /etc/hosts with correct servername
        10.1.4.200     oracle.sysxperts.com oracle
 
Determine hugepages requirement (database should be running for this)
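#!/bin/bash
# Recommends the hugepage pool size for the shared memory segments currently
# allocated (read from ipcs -m), so run it while the database is up.
KERN=`uname -r | awk -F. '{ printf("%d.%d\n",$1,$2); }'`
KMAJ=${KERN%%.*}
KMIN=${KERN#*.}
# Find out the HugePage size
HPG_SZ=`grep Hugepagesize /proc/meminfo | awk '{print $2}'`
if [ -z "$HPG_SZ" ]; then
  # without this line bc would divide by zero below
  echo "No Hugepagesize in /proc/meminfo; this kernel has no hugepage support. Exiting."
  exit 1
fi
# Start from 1 pages to be on the safe side and guarantee 1 free HugePage
NUM_PG=1
# Cumulative number of pages required to handle the running shared memory segments
for SEG_BYTES in `ipcs -m | awk '{print $5}' | grep "[0-9][0-9]*"`
do
  MIN_PG=`echo "$SEG_BYTES/($HPG_SZ*1024)" | bc -q`
  if [ $MIN_PG -gt 0 ]; then
     NUM_PG=`echo "$NUM_PG+$MIN_PG+1" | bc -q`
  fi
done
# Finish with results.  2.4 kernels sized the pool in kB via hugetlb_pool;
# 2.6 and every later major version (3.x, 4.x, 5.x ...) take a page count via
# vm.nr_hugepages - the old "2.6 only" match rejected newer kernels outright.
if [ "$KMAJ" -eq 2 ] && [ "$KMIN" -eq 4 ]; then
  HUGETLB_POOL=`echo "$NUM_PG*$HPG_SZ/1024" | bc -q`
  echo "Recommended setting: vm.hugetlb_pool = $HUGETLB_POOL"
elif [ "$KMAJ" -gt 2 ] || { [ "$KMAJ" -eq 2 ] && [ "$KMIN" -ge 6 ]; }; then
  echo "Recommended setting: vm.nr_hugepages = $NUM_PG"
else
  echo "Unrecognized kernel version $KERN. Exiting."
fi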

Backup and Update /etc/security/limits.conf
    cp /etc/security/limits.conf{,.orig} #to backup

oracle soft nproc 15360

oracle hard  nproc  16384
oracle soft  nofile 64512
oracle hard  nofile 65536

oracle soft memlock  <nr_hugepages * Hugepagesize in kB (2048 on x86, i.e. pages * 1024 * 2); memlock must cover the whole SGA you intend to hold in huge pages>

oracle hard memlock <see above>

Create users and groups
groupadd dba
useradd -g dba oracle; echo "mypass" |passwd --stdin oracle   # NOTE: a literal password here lands in shell history and is briefly visible in the process list; prefer running "passwd oracle" interactively, and never keep "mypass"
Create directories and chown for oracle

 mkdir -p /u01/app/oracle/product/10.2.0/db_1

 chown -R oracle.dba /u01

Make sure SELINUX is disabled in /etc/selinux/config and reboot if it was enabled (the 10g installer does not cope with enforcing mode; where policy requires SELinux, try SELINUX=permissive first and review /var/log/audit/audit.log rather than disabling it outright):
            SELINUX=disabled
 
Determine best settings for kernel parameters in sysctl.conf:
    cp /etc/sysctl.conf{,.orig} #to backup file
Obtain the total memory from the system
     mem=$(free|grep Mem|awk '{print$2}')
Convert the value of $mem to bytes
     totmem=$(echo "$mem*1024"|bc)
Get the Hugepagesize from /proc/meminfo
     huge=$(grep Hugepagesize /proc/meminfo|awk '{print $2}')
Calculate 75% of the total memory on the system for SHMMAX
     max=$(echo "$totmem*75/100"|bc)
Divide the SHMMAX value by the system page size to get SHMALL (kernel.shmall is counted in PAGE_SIZE pages - normally 4096 bytes, see getconf PAGE_SIZE - not in huge pages; dividing by Hugepagesize sizes it far too small)
     all=$(echo "$max/$(getconf PAGE_SIZE)"|bc)
Set the SHMMAX value in the /etc/sysctl.conf file
     echo "kernel.shmmax = $max" >> /etc/sysctl.conf
Set the SHMALL value in the /etc/sysctl.conf file
     echo "kernel.shmall = $all" >> /etc/sysctl.conf

Update /etc/sysctl.conf with:
# Controls the maximum shared segment size, in bytes  - see kernel and hugepages info
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
kernel.sem = 250 32000 100 142
fs.file-max = 104032
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_syn_retries = 2
net.core.rmem_default = 1048576
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 4194304
net.ipv4.tcp_rmem = 4096 262144 4194304
net.ipv4.tcp_wmem = 4096 262144 4194304
vm.swappiness = 0
vm.overcommit_memory = 2
vm.dirty_background_ratio = 3
vm.dirty_ratio = 15
vm.dirty_expire_centisecs = 500
vm.dirty_writeback_centisecs = 100
dev.rtc.max-user-freq = 1024

 

run sysctl -p  #activates new kernel parameters  
vm.overcommit_memory settings #for VM's:
    0 =  kernel estimates amount of free memory left when userspace requests more
    1 =  kernel pretends there is always enough until it runs out
    2 =  never overcommit
 
Check dirty pages and adjust vm.dirty_background_ratio and vm.dirty_ratio on a VM accordingly
    grep -A 1 dirty /proc/vmstat  #the lower the numbers the better
 
To mount an NFS share for backups (note that nolock turns off NFS lock requests - acceptable for a backup target, but never put datafiles or control files on a nolock mount):
nas.sysxperts.com:/Archive    /archive_fs     nfs     hard,nolock,vers=3,proto=tcp,bg,rsize=32768,wsize=32768,timeo=600,intr 0 0
nas.sysxperts.com:/Brchive    /backup_fs     nfs     hard,nolock,vers=3,proto=tcp,bg,rsize=32768,wsize=32768,timeo=600,intr 0 0
 
Update readahead on block devices
    blockdev --setra  32768 /dev/rootvg/u01lv
 
Red Hat Enterprise Linux 5 kernel supports four I/O schedulers:
- cfq (Completely Fair Queuing)
- deadline
- noop
- anticipatory
Some recommended kernel options to add to grub.conf #elevator=deadline should also be compared for performance
     elevator=noop
 
Edit the oracle users ~/.bash_profile 
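# Oracle Settings
TMP=/tmp; export TMP
TMPDIR=$TMP; export TMPDIR

ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.2.0/db_1; export ORACLE_HOME
ORACLE_SID=TEST; export ORACLE_SID
ORACLE_TERM=xterm; export ORACLE_TERM
PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH

LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH

# Raise the process and descriptor limits for the oracle account (ksh spells
# the process limit -p, bash/sh spell it -u).  Quoted so an unset USER or
# SHELL yields a false test instead of a "unary operator expected" error.
if [ "$USER" = "oracle" ]; then
  if [ "$SHELL" = "/bin/ksh" ]; then
    ulimit -p 16384
    ulimit -n 65536
  else
    ulimit -u 16384 -n 65536
  fi
fi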

 

Start vncserver with (install with yum -y install vnc-server if necessary):

    vncserver

    vncpasswd

 

Establish vnc session and run
    xhost +SI:localuser:oracle   #as root; a bare "xhost +" switches off X access control for every host, letting anyone who can reach the display read the screen or inject keystrokes
 

Extract cpio with:

cpio -idmv < 10201_database_linux_x86_64.cpio

 

cd to directory where cpio command was run

 

./database/runInstaller

 

download latest patch and unzip

./Disk1/runInstaller

 

To uninstall run the deinstaller from the latest patch Disk1/runInstaller

 

Edit /etc/oratab and set restart flag for TEST instance
    TEST:/u01/app/oracle/product/10.2.0/db_1:Y

sar and dstat are useful for stats on the server - yum -y install sysstat dstat
ls -lattr /var/log/sa  and choose the filename with the date you want to see stats for then
    sar -A /var/log/sa/saXX

man sar and dstat are your friends

 
See oracle automated startup for init setup

Network:
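# Pin the address currently obtained via DHCP into static ifcfg settings.
# Everything is appended, so run this once; a second run duplicates the lines.
HOSTNAME=$(grep HOSTNAME /etc/sysconfig/network|awk -F= '{print $2}')
hostname "$HOSTNAME"
GATEWAY=$(ip route list |grep default |awk '{print $3}')
echo "GATEWAY=$GATEWAY" >> /etc/sysconfig/network
DEFDEV=$(ip route list|grep default|awk '{print $5}')
# CIDR address of the default-route device, e.g. 10.1.4.200/24 (the old
# version split this over two lines inside the awk quotes, which breaks it)
CIDR=$(ip addr show "$DEFDEV" |grep inet |grep -v inet6|awk '{print $2}')
IPADDR=${CIDR%/*}
echo "IPADDR=$IPADDR" >> /etc/sysconfig/network-scripts/ifcfg-$DEFDEV
sed -i 's/dhcp/static/' /etc/sysconfig/network-scripts/ifcfg-$DEFDEV
# read the broadcast from the same device as everything else (the old line
# hard-coded eth0, which is wrong when the default route is on another NIC)
BCAST=$(ip addr show "$DEFDEV" |grep inet |grep -v inet6|awk '{print $4}')
echo "BROADCAST=$BCAST" >> /etc/sysconfig/network-scripts/ifcfg-$DEFDEV
# derive the netmask from the prefix rather than assuming a /24; fall back to
# the old fixed value if ipcalc is not installed
NETMASK=$(ipcalc -m "$CIDR" 2>/dev/null | cut -d= -f2)
echo "NETMASK=${NETMASK:-255.255.255.0}" >> /etc/sysconfig/network-scripts/ifcfg-$DEFDEV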



Oracle Install Tips

Oracle Install Tips - 10g on RHEL5

 
Install requisite packages

yum -y install setarch-2*

yum -y install make-3*
yum -y install glibc-2*
yum -y install libaio-0*
yum -y install compat-libstdc++-33-3*
yum -y install compat-gcc-34-3*
yum -y install compat-gcc-34-c++-3*
yum -y install gcc-4*
yum -y install libXp-1*
yum -y install openmotif-2*
yum -y install compat-db-4*

Update /etc/hosts with correct servername
        10.1.4.200     oracle.sysxperts.com oracle
 
Update /etc/security/limits.conf

oracle soft nproc 15360

oracle hard  nproc  16384
oracle soft  nofile 64512
oracle hard  nofile 65536

Create users and groups
groupadd dba
useradd -g dba oracle; echo "mypass" |passwd --stdin oracle   # NOTE: a literal password here lands in shell history and is briefly visible in the process list; prefer running "passwd oracle" interactively, and never keep "mypass"
Create directories and chown for oracle

 mkdir -p /u01/app/oracle/product/10.2.0/db_1

 chown -R oracle.dba /u01

Make sure SELINUX is disabled in /etc/selinux/config and reboot if it was enabled (the 10g installer does not cope with enforcing mode; where policy requires SELinux, try SELINUX=permissive first and review /var/log/audit/audit.log rather than disabling it outright):
            SELINUX=disabled
 
Update /etc/sysctl.conf with:
# Controls the maximum shared segment size, in bytes  - see kernel and hugepages info
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
kernel.sem = 250 32000 100 128
fs.file-max = 104032
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 1048576
net.core.rmem_max = 1048576
net.core.wmem_default = 262144
net.core.wmem_max = 262144

 

run sysctl -p  #activates new kernel parameters  
To mount an NFS share for backups (note that nolock turns off NFS lock requests - acceptable for a backup target, but never put datafiles or control files on a nolock mount):
nas.sysxperts.com:/Archive    /archive_fs     nfs     hard,nolock,vers=3,proto=tcp,bg,rsize=32768,wsize=32768,timeo=600,intr 0 0
nas.sysxperts.com:/Brchive    /backup_fs     nfs     hard,nolock,vers=3,proto=tcp,bg,rsize=32768,wsize=32768,timeo=600,intr 0 0
 
 
Edit the oracle users ~/.bash_profile 
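# Oracle Settings
TMP=/tmp; export TMP
TMPDIR=$TMP; export TMPDIR

ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.2.0/db_1; export ORACLE_HOME
ORACLE_SID=TEST; export ORACLE_SID
ORACLE_TERM=xterm; export ORACLE_TERM
PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH

LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH

# Raise the process and descriptor limits for the oracle account (ksh spells
# the process limit -p, bash/sh spell it -u).  Quoted so an unset USER or
# SHELL yields a false test instead of a "unary operator expected" error.
if [ "$USER" = "oracle" ]; then
  if [ "$SHELL" = "/bin/ksh" ]; then
    ulimit -p 16384
    ulimit -n 65536
  else
    ulimit -u 16384 -n 65536
  fi
fi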

 

Start vncserver with (install with yum -y install vnc-server if necessary):

    vncserver

    vncpasswd

 

Establish vnc session and run "xhost +SI:localuser:oracle" as root (a bare "xhost +" switches off X access control for every host, letting anyone who can reach the display read the screen or inject keystrokes)

 

Extract cpio with:

cpio -idmv < 10201_database_linux_x86_64.cpio

 

cd to directory where cpio command was run

 

./database/runInstaller

 

download latest patch and unzip

./Disk1/runInstaller

 

To uninstall run the deinstaller from the latest patch Disk1/runInstaller

 

Edit /etc/oratab and set restart flag for TEST instance
    TEST:/u01/app/oracle/product/10.2.0/db_1:Y

sar and dstat are useful for stats on the server - yum -y install sysstat dstat
ls -lattr /var/log/sa  and choose the filename with the date you want to see stats for then
    sar -A /var/log/sa/saXX

man sar and dstat are your friends

 
See oracle automated startup for init setup

Oracle 10g-11g Automated Startup and Shutdown on RedHat

Oracle 10g/11g  Automated Startup and Shutdown on RedHat 

Create file /etc/init.d/oracle with following code and change file to be executable
 
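#!/bin/sh
# chkconfig: 345 99 01
# description: Oracle
#
# Starts/stops the listener, the databases flagged Y in /etc/oratab
# (dbstart/dbshut) and dbconsole as the oracle user.  The heredoc delimiter is
# quoted on purpose: ${ORACLE_HOME} is NOT expanded here by root but by the
# login shell that "su - oracle" opens, which gets it from oracle's
# .bash_profile (oraenv).  Keep that profile owned by oracle and writable by
# nobody else, since whatever it sets is what runs here at boot.
#
ORACLE=oracle
case $1 in
'start')
        cat <<-"EOF"|su - "${ORACLE}"
        # Start Oracle Net
        if [ -f ${ORACLE_HOME}/bin/tnslsnr ] ;
        then
                echo "starting Oracle Net Listener"
                ${ORACLE_HOME}/bin/lsnrctl start
        fi
        echo "Starting Oracle databases"
        ${ORACLE_HOME}/bin/dbstart
        ${ORACLE_HOME}/bin/emctl start dbconsole
EOF
        ;;
'stop')
        cat <<-"EOF"|su - "${ORACLE}"
        echo "shutting down dbconsole"
        ${ORACLE_HOME}/bin/emctl stop dbconsole
        # Stop Oracle Net
        if [ -f ${ORACLE_HOME}/bin/tnslsnr ] ;
        then
                echo "stopping Oracle Net Listener"
                ${ORACLE_HOME}/bin/lsnrctl stop
        fi
        echo "stopping Oracle databases"
        ${ORACLE_HOME}/bin/dbshut
EOF
        ;;
*)
        echo "usage: $0 {start|stop}"
        # a usage error must not report success (the bare "exit" returned 0)
        exit 1
        ;;
esac
#
# status of the su pipeline above
exit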
 
Run:
chkconfig oracle on
 
Update the oracle user .bash_profile as follows:
export ORACLE=oracle
# first non-comment, non-empty /etc/oratab entry gives the SID
export ORACLE_SID=$(sed -e 's/:.*//' -e 's/#.*//' -e '/^$/d' /etc/oratab | head -1)
export PATH=$PATH:/usr/local/bin
# oraenv takes the SID from ORACLE_SID without prompting
export ORAENV_ASK="NO"
. /usr/local/bin/oraenv
 
Update /etc/oratab with your instances
orcl:/u01/oracle/product/11.1.0/db_1:Y
orcltest:/u01/oracle/product/11.1.0/db_1:Y

Alternatively if you want to use your own start scripts you could do the following (BUT WHY?):
 
Create an /etc/init.d/oracle script with:
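#!/bin/sh
#
#oracle agent init script
#chkconfig: 2345 97 05
#description: oracle
#
# Runs $ORAHOME/orastart and orastop as the oracle user.  A state file records
# that the last stop completed cleanly; start refuses to run (and mails the
# admin) when it is missing, which is the original design.  That state file
# used to live in /tmp, where any local user could create or remove it and so
# force or suppress a database start; it now lives under /var/run, which only
# root can write.
#
# Source function library.
if [ -f /etc/init.d/functions ] ; then
        . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
        . /etc/rc.d/init.d/functions
else
        exit 0
fi
prog=oracle
ORAHOME=/oracle/home/scripts
AGENT_USER=oracle
email=pvalentino@sysxperts.com
STATEFILE=/var/run/orastat
LOCKFILE=/var/lock/subsys/oracle
RETVAL=0

# Mails a one-line failure notice (the old version attached /tmp/stat, a file
# nothing ever creates, so mail failed as well).
notify () {
        echo "$1 on `hostname` at `date`" | mail -s "`hostname` $1" $email
}

start () {
        echo -n $"Starting $prog: "
        # start daemon
        if [ -e "$STATEFILE" ]
        then
                su - ${AGENT_USER} -c "cd ${ORAHOME} && ./orastart"
                # capture orastart's status before rm overwrites $?
                RETVAL=$?
                rm -f "$STATEFILE"
                [ $RETVAL = 0 ] || notify "orastart failed"
        else
                notify "orastart failed"
                # not started: do not report success or take the subsys lock
                RETVAL=1
        fi
        echo
        [ $RETVAL = 0 ] && touch "$LOCKFILE"
        return $RETVAL
}
stop () {
        # stop daemon
        echo -n $"Stopping $prog: "
        su - ${AGENT_USER} -c "cd ${ORAHOME} && ./orastop"
        RETVAL=$?
        if [ "$RETVAL" = 0 ]
        then
                touch "$STATEFILE"
                # a clean stop releases the subsys lock (the old script
                # re-touched it, so the rc system never saw oracle as down)
                rm -f "$LOCKFILE"
        else
                notify "orastop failed"
        fi
        echo
        return $RETVAL
}
restart() {
        stop
        start
}
case $1 in
        start)
                start
        ;;
        stop)
                stop
        ;;
        restart|reload)
                restart
        ;;
        condrestart)
                # test the lock this script actually creates (was /var/lock/subsys/ora)
                [ -f "$LOCKFILE" ] && restart || :
        ;;
        *)
        echo $"Usage: $prog {start|stop|restart|condrestart|reload }"
        exit 1
esac
exit $RETVAL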

And your orastart and orastop scripts would have all of the startup procedures you would like to run in a custom fashion i.e.
 
orastart:
# Source the per-instance start script (sets ORACLE_SID and runs the sqlplus
# startup), then bring up the listener.
. /home/oracle/scripts/orastart_TEST
lsnrctl start
#
# NOTE(review): the mail body is this script's own text (the redirect reads
# /home/oracle/scripts/orastart); presumably a log file was intended - confirm.
mail -s "****** TEST databases started *****" _DBA@sysxperts.com < /home/oracle/scripts/orastart
 
 
orastart_TEST:
# Load the Oracle environment (ORACLE_HOME, PATH, ...) for this instance.
. /home/oracle/ora10.env
############# This will start Oracle in TEST ######################
export ORACLE_SID=TEST
# OS-authenticated sysdba login: this runs as the oracle account (created in
# group dba above), so no password appears on the command line or in history.
sqlplus '/ as sysdba' <<EOF
startup
EOF
#
 

IPTABLES

IPTABLES

Packet processing happens in the following built-in chains (the tables that provide each chain are shown in parentheses):

PREROUTING - filters packets upon arrival (nat,mangle,raw)
FORWARD - for packets being routed through the box provided /proc/sys/net/ipv4/ip_forward is set to 1 (mangle, filter)
INPUT - for packets destined to local sockets (filter, mangle)
OUTPUT - alters locally-generated packets prior to POSTROUTING and after leaving the sending process (nat, mangle, filter, raw)
POSTROUTING - alters packets immediately before they leave the system (nat, mangle)
 

The tables are as follows:

filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).
 

TARGETS

A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN. ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

COMMANDS

-A --append chain rule-specification
-D --delete chain rule-specification
-D --delete chain rulenum
-I --insert chain [rulenum] rule-specification
-R --replace chain rulenum rule-specification
-L --list [chain]  e.g. to list the nat rules use `iptables -t nat -n -L` (note that filter is the default table when no -t is specified)
-F --flush [chain]
-Z --zero [chain] to zero the packet and byte counters (may be used with -L to see list just prior to zeroing out)
-N --new-chain chain
-P --policy chain target
-E --rename-chain old-chain new-chain

RULES are matched in an ordered list fashion starting from the top and working downward until there is a match. If there is no match then the default policy applies.
Example /etc/sysconfig/iptables with descriptive comments:
 
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
### DEFAULT CHAINS with default policy of ACCEPT ####
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
### CUSTOM CHAINS ####
:Firewall-INPUT - [0:0]
:NETBACKUP - [0:0]
### (-A) Append to the INPUT chain a rule that (-j) jumps to the Custom Chain "Firewall-INPUT" #####
### in essence all traffic destined to the local system is handled by the rules in the Firewall-INPUT chain ###
-A INPUT -j Firewall-INPUT
 
### Same as above except for packets being forwarded through this server, 
### typically moot because we disable forwarding on our hosts   ###
-A FORWARD -j Firewall-INPUT
 
### Default rule to allow all traffic on the loopback interface through the chain (-i) in-interface in this case 
### is loopback and -j ACCEPT means to jump to the target ACCEPT which allows the packet through
### without any further checks ###
-A Firewall-INPUT -i lo -j ACCEPT
 
### Rule that allows any type of icmp traffic through to the server
### -p icmp means layer 4 protocol icmp
-A Firewall-INPUT -p icmp --icmp-type any -j ACCEPT

### Rules to allow protocol 50 and 51 traffic (ESP and AH for IPSEC) ###
-A Firewall-INPUT -p 50 -j ACCEPT
-A Firewall-INPUT -p 51 -j ACCEPT

### Rule to allow udp protocol with destination port of 5353 and destination multicast address 
### 224.0.0.251 - port 5353 is associated with Multicast DNS
-A Firewall-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
 
### cupsd printing daemon rule ###
-A Firewall-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A Firewall-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

### DNS RULES ###
-A Firewall-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A Firewall-INPUT -p tcp -m tcp --dport 53 -j ACCEPT

### all packets with a state of Established or Related ###
-A Firewall-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### all SSH traffic with a state of NEW ###
-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 
#### ENABLE THESE ON ORACLE OR VNC Server ONLY
# FTP Rule
#-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# VNC RULES
#-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
#-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
# Oracle Rule
#-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
#### END OF ORACLE ENTRIES

### Netbackup ports get filtered to the NETBACKUP chain
### all traffic to or from the 13xxx ports defined below is -j jumped to the NETBACKUP chain
-A Firewall-INPUT -p tcp -m tcp --sport 13701 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --sport 13711 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --sport 13720:13724 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --sport 13782:13783 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --dport 13701 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --dport 13711 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --dport 13720:13724 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --dport 13782:13783 -j NETBACKUP

### Catch all to block any traffic that hasn't matched a rule up to this point ###
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT --reject-with icmp-host-prohibited
##### End of Firewall-INPUT definitions #####

### Netbackup chain -- only allow netbackup ports to/from netbackup servers
### Traffic forwarded from Firewall-INPUT above is only allowed to the source and destination 
### addresses below
-A NETBACKUP -s 10.3.1.30 -j ACCEPT
-A NETBACKUP -s 10.4.1.20 -j ACCEPT
-A NETBACKUP -d 10.3.1.30 -j ACCEPT
-A NETBACKUP -d 10.4.1.20 -j ACCEPT
### Catch all rules to log and make sure no packets get forwarded that do not match any rules in this chain
-A NETBACKUP -j LOG
-A NETBACKUP -j REJECT --reject-with icmp-port-unreachable

COMMIT
 

Rate Limit Ping example:

# Allow pings, but rate-limited (10/min with a burst of 3, per the --limit options in the rule below)

-A INPUT -m icmp -p icmp --icmp-type 8 -i eth0 -m limit --limit 10/min --limit-burst 3 -j ACCEPT

-A INPUT -m icmp -p icmp --icmp-type 8 -i eth0 -j DROP

Rate Limit SSH example:

# Rate limit world SSH new connection attempts

-A INPUT -p tcp -m tcp --dport 1983 -m state --state NEW -m recent --set

-A INPUT -p tcp -m tcp --dport 1983 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT

-A INPUT -p tcp -m tcp --dport 1983 -j ACCEPT

Example Routing Filters:

# Main routing filter

#

# Networks:

# 192.168.1.0/24 - NEAR Trusted

# 192.168.2.0/24 - FAR Trusted

# 192.168.3.0/24 - FAR VPN

# 192.168.4.0/24 - NEAR VPN

# 192.168.5.0/24 - NEAR Media Systems

# 192.168.10.0/24 - NEAR Guest Network

#

*filter

:INPUT ACCEPT [4389:504305]

:FORWARD ACCEPT [135206:133165003]

:OUTPUT ACCEPT [3451:399970]

 

# Filter packets being routed to internal hosts

-A FORWARD -p tcp -m tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

-A FORWARD -p tcp -m tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT

 

# Allow ping and VPN as only input to this host from the Internet

-A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT

-A INPUT -m icmp -p icmp --icmp-type 8 -i eth0 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 563 -j ACCEPT

-A INPUT -i eth0 -j REJECT

 

# Block impossible packets (source address is on a different network than the receiving interface)

-A INPUT -s 127.0.0.0/8 -i ! lo -j DROP

-A INPUT -s 192.168.1.0/24 -i ! eth1 -j REJECT

-A INPUT -s 192.168.3.0/24 -i ! tun+ -j REJECT

-A INPUT -s 192.168.4.0/24 -i ! tun+ -j REJECT

 

-A FORWARD -s 192.168.1.0/24 -i ! eth1 -j REJECT

-A FORWARD -s 192.168.3.0/24 -i ! tun+ -j REJECT

-A FORWARD -s 192.168.4.0/24 -i ! tun+ -j REJECT

 

COMMIT
Enabling connection tracking modules:
Edit /etc/sysconfig/iptables-config by adding a space delimited list of modules you'd like to add to the IPTABLES_MODULES section.
 

Available Modules

  • ip_conntrack_ftp - automatically opens required ports
  • ip_conntrack_tftp
  • ip_conntrack_netbios_ns
  • ip_nat_ftp - for computers behind a nat device
  • ip_nat_tftp

IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_netbios_ns"

 

NAT

Source NAT (SNAT) translates the source address of outbound packets and the destination address of incoming return packets.  Destination NAT (DNAT) is used to provide selective access to internal resources or to transparently forward traffic to an alternate port.

Example SNAT entries

Specific IP Mapping:

    iptables -t nat -A POSTROUTING -j SNAT --to-source 10.3.1.45

Specific port mapping:

    iptables -t nat -A POSTROUTING -j SNAT --to-source 10.3.1.45:8099

Range of IP mapping (randomly selected IP):

    iptables -t nat -A POSTROUTING -j SNAT --to-source 10.3.1.45-10.3.1.55

Range of Ports mapping (randomly selected Port):

    iptables -t nat -A POSTROUTING -j SNAT --to-source 10.3.1.45:8090-8099

 

Masquerading (used when the gateway's external address is assigned dynamically, e.g. by DHCP, so no fixed --to-source address can be given):

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Show the running nat tables
iptables -t nat -L -n -v
 
Flush the running NAT tables
iptables -t nat --flush
 
Save the running Config
iptables-save
 

NAT Example:

# Generated by iptables-save v1.4.1.1 on Tue Apr 28 23:07:42 2009

*nat

:PREROUTING ACCEPT [532:37226]

:POSTROUTING ACCEPT [92:6041]

:OUTPUT ACCEPT [74:5393]

 

# NAT Internet bound traffic

-A POSTROUTING -o eth0 -j MASQUERADE

 

# Services on Webserver

-A PREROUTING -i eth0 -m tcp -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 192.168.1.4

-A PREROUTING -i eth0 -m tcp -p tcp --dport 22 --sport 1024:65535 -j DNAT --to 192.168.1.4

-A PREROUTING -i eth0 -m tcp -p tcp --dport 143 --sport 1034:65535 -j DNAT --to 192.168.1.5

 

# Skype on workstation

-A PREROUTING -i eth0 -m udp -p udp --dport 26474 -j DNAT --to 192.168.1.102

-A PREROUTING -i eth0 -m tcp -p tcp --dport 26474 -j DNAT --to 192.168.1.102

 

# Torrent Flux

-A PREROUTING -i eth0 -m tcp -p tcp --dport 49160:49300 --sport 1024:65535 -j DNAT --to 192.168.1.4

 

COMMIT
Show the running nat tables
iptables -t nat -L -n -v
 
Flush the running NAT tables
iptables -t nat --flush
 
Save the running Config
iptables-save

 

 
Example DNAT entries

Redirect inbound html traffic to an alternate internal server:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 10.3.2.50

 

Forward outbound html traffic to a proxy server on port 3128:

    iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 10.3.4.60:3128

 

Redirect to alternate destination port for incoming traffic (2200 will be forwarded to ssh on 10.3.1.45 in this case):

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2200 -j DNAT --to-dest 10.3.1.45:22
Redirect 443 to 8443 example
    iptables -t nat -A PREROUTING -i eth0  -p tcp --dport 443 -j DNAT --to-dest 10.2.16.126:8443
 

Round Robin:

    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 8080 -j DNAT --to-dest 10.3.1.46 --to-dest 10.3.1.47 --to-dest 10.3.1.48

 

 

Using at to prevent remote lockout when working with IPTABLES

    cd /etc/sysconfig

#Backup config

    cp iptables{,-bak}

 

#Make firewall config changes

    vi iptables and make changes

 

#Schedule a restore for 5min in the future in case your changes lock you out

    echo "mv /etc/sysconfig/iptables-bak /etc/sysconfig/iptables && service iptables restart" | at now+5min

 

#Restart iptables

    service iptables restart

 

#If your changes worked and you no longer need the at job to restore the config, use the following to determine the job ID#

    atq

 

    Output: 1     Day    Month    dd  hh:mm:ss  yyyy  a   root 

#If all went well with config changes run: 

    atrm 1

    rm -f iptables-bak

 

    Otherwise, just wait for the at job to run and restore your config within 5 minutes if you got locked out.

 
Show the running nat tables
iptables -t nat -L -n -v
 
Flush the running NAT tables
iptables -t nat --flush
 
Save the running Config
iptables-save