Tuesday, August 21, 2012

How to Recover A Corrupted Partition From A Bad Superblock in Linux if the following error occurs:

/dev/sda2: Input/output error
mount: /dev/sda2: can't read superblock

Steps: The Linux ext2/3 filesystem keeps backup copies of the superblock at several locations, so it is possible to recover data from a partition whose primary superblock is corrupted.

1. Make sure the file system is UNMOUNTED.

2. If your system gives you a terminal, type the following commands there; otherwise boot the Linux system from the rescue disk (boot from the 1st CD/DVD and, at the boot: prompt, type linux rescue).

3. Mount the partition using an alternate superblock. First find out the backup superblock locations for /dev/sda2:

# dumpe2fs /dev/sda2 | grep superblock

Sample output:

Primary superblock at 0, Group descriptors at 1-6
Backup superblock at 32768, Group descriptors at 32769-32774
Backup superblock at 98304, Group descriptors at 98305-98310
Backup superblock at 163840, Group descriptors at 163841-163846
Backup superblock at 229376, Group descriptors at 229377-229382
Backup superblock at 294912, Group descriptors at 294913-294918
Backup superblock at 819200, Group descriptors at 819201-819206
Backup superblock at 884736, Group descriptors at 884737-884742
Backup superblock at 1605632, Group descriptors at 1605633-1605638

Now check and repair the file system using the alternate superblock at 32768:

# fsck -b 32768 /dev/sda2

Sample output:

fsck 1.40.2 (12-Jul-2007)
e2fsck 1.40.2 (12-Jul-2007)
/dev/sda2 was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

Free blocks count wrong for group #241 (32254, counted=32253).
Fix? yes

Free blocks count wrong for group #362 (32254, counted=32248).
Fix? yes

Free blocks count wrong for group #368 (32254, counted=27774).
Fix? yes

..........

/dev/sda2: ***** FILE SYSTEM WAS MODIFIED *****

/dev/sda2: 59586/30539776 files (0.6% non-contiguous), 3604682/61059048 blocks

Now try to mount the file system with the mount command:

# mount /dev/sda2 /mnt

You can also mount the partition directly with the backup superblock at 32768 by passing it as a mount option:

# mount -o sb={alternative-superblock} /dev/device /mnt
# mount -o sb=32768 /dev/sda2 /mnt

Note that the sb= option counts in 1 KB units, so on a file system with 4 KB blocks the backup superblock that dumpe2fs and fsck -b call 32768 is given to mount as sb=131072.
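The block below is an added example, not part of the original post: it reads dumpe2fs output (a constructed sample here, with a 4 KB block size) and prints, for each backup superblock, the block number fsck -b takes together with the 1 KB-unit value that mount -o sb= expects.

```shell
#!/bin/sh
# Added example (not from the original post): turn the "Backup superblock at N"
# lines printed by dumpe2fs into the values fsck -b and mount -o sb= expect.
# fsck -b takes the filesystem block number as printed; mount's sb= option is
# counted in 1 KB units, so the block number is scaled by blocksize/1024.
# The dumpe2fs output below is constructed for the example (block size 4096).

DUMPE2FS_OUT='Block size:               4096
Primary superblock at 0, Group descriptors at 1-6
Backup superblock at 32768, Group descriptors at 32769-32774
Backup superblock at 98304, Group descriptors at 98305-98310
Backup superblock at 163840, Group descriptors at 163841-163846'

# Block size in bytes, from dumpe2fs output read on stdin.
block_size() {
    awk -F: '/^Block size:/ { gsub(/ /, "", $2); print $2 }'
}

# Backup superblock numbers (filesystem blocks), from dumpe2fs output on stdin.
backup_superblocks() {
    awk '/^Backup superblock at/ { sub(/,$/, "", $4); print $4 }'
}

# Convert a filesystem block number to the 1 KB unit used by mount -o sb=.
sb_mount_value() {   # $1 = block number, $2 = block size in bytes
    echo $(( $1 * $2 / 1024 ))
}

# Print one "fsck -b N ... ; mount -o sb=M ..." line per backup superblock.
recovery_commands() {   # $1 = device, dumpe2fs output on stdin
    out=$(cat)
    bs=$(printf '%s\n' "$out" | block_size)
    printf '%s\n' "$out" | backup_superblocks | while read -r blk; do
        printf 'fsck -b %s %s ; mount -o sb=%s %s /mnt\n' \
            "$blk" "$1" "$(sb_mount_value "$blk" "$bs")" "$1"
    done
}

printf '%s\n' "$DUMPE2FS_OUT" | recovery_commands /dev/sda2
```

On a live system feed it real output instead of the sample: dumpe2fs /dev/sda2 | recovery_commands /dev/sda2.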

Try to browse and access file system:

# cd /mnt
# mkdir test
# ls -l
# cp file /path/to/safe/location

 

Linux divides its physical RAM (random access memory) into chunks of memory called pages. Swapping is the process whereby a page of memory is copied to a preconfigured space on the hard disk, called swap space, to free up that page of memory. The combined sizes of the physical memory and the swap space are the amount of virtual memory available.


Swapping is necessary for two important reasons. First, when the system requires more memory than is physically available, the kernel swaps out less-used pages and gives the memory to the application (process) that needs it immediately. Second, a significant number of the pages used by an application during its startup phase may be used only for initialization and then never again. The system can swap out those pages and free the memory for other applications or even for the disk cache.

 

There are two ways to add swap space in Linux, both explained below. We can either use a dedicated hard drive partition as new swap space, or create a swap file on an existing filesystem and use it as swap space.

How much swap space is currently used by the system?

 

The free command displays swap usage; free -k shows the output in KB.

 

# free -k
             total       used       free     shared    buffers     cached
Mem:       3082356    2043700    1038656          0      50976    1646268
-/+ buffers/cache:     346456    2735900
Swap:      4192956          0    4192956


The swapon command with the -s option displays the current swap spaces in KB.

 

# swapon -s
Filename        Type        Size      Used    Priority
/dev/sda2       partition   4192956   0       -1


swapon -s is the same as the following:

 

# cat /proc/swaps
Filename        Type        Size      Used    Priority
/dev/sda2       partition   4192956   0       -1

Method 1: Use a Hard Drive Partition for Additional Swap Space

If you have an additional hard disk (or free space on an existing disk), create a partition on it using the fdisk command. Let us assume that this partition is called /dev/sdc1. If the partition isn't marked as swap, change its type by running fdisk and using the 't' menu option. Now set up the newly created partition as a swap area using the mkswap command as shown below.

# mkswap /dev/sdc1

Enable the swap partition using the swapon command as shown below.

# swapon /dev/sdc1

 

To make this swap space partition available even after the reboot, add the following line to the /etc/fstab file.

# cat /etc/fstab
/dev/sdc1    swap    swap    defaults    0 0

Verify whether the newly created swap area is available for your use.

 

# swapon -s
Filename        Type        Size      Used    Priority
/dev/sda2       partition   4192956   0       -1
/dev/sdc1       partition   1048568   0       -2

# free -k
             total       used       free     shared    buffers     cached
Mem:       3082356    3022364      59992          0      52056    2646472
-/+ buffers/cache:     323836    2758520
Swap:      5241524          0    5241524


Note: In the output of swapon -s command, the Type column will say “partition” if the swap space is created from a disk partition.

Method 2: Use a File for Additional Swap Space

If you don’t have any additional disks, you can create a file somewhere on your filesystem, and use that file for swap space. The following dd command example creates a swap file with the name “myswapfile” under /root directory with a size of 1024MB (1GB).

 

# dd if=/dev/zero of=/root/myswapfile bs=1M count=1024
1024+0 records in
1024+0 records out

# ls -l /root/myswapfile
-rw-r--r--    1 root     root     1073741824 Aug 14 23:47 /root/myswapfile

Change the permissions of the swap file so that only root can access it.


# chmod 600 /root/myswapfile


Set this file up as swap space using the mkswap command.

# mkswap /root/myswapfile


Setting up swapspace version 1, size = 1073737 kB


Enable the newly created swapfile.

# swapon /root/myswapfile

To make this swap file available as a swap area even after a reboot, add the following line to the /etc/fstab file.

# cat /etc/fstab
/root/myswapfile    swap    swap    defaults    0 0

Verify whether the newly created swap area is available for your use.


# swapon -s
# free -k

If you don’t want to reboot to verify that the system takes all the swap space listed in /etc/fstab, you can run the following, which disables and then re-enables every swap area listed in /etc/fstab:

# swapoff -a
# swapon -a
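As an added example (not from the original post), the script below audits the swap areas a system is actually using against /etc/fstab and against the 0600 permission applied to the swap file above. The /proc/swaps and fstab contents and the two swap files are constructed so it runs offline; on a live system point it at /proc/swaps and /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the original post): audit active swap areas against
# /etc/fstab (will they survive a reboot?) and check that swap files are mode
# 0600, as the post sets with chmod 600. All inputs are constructed here.

WORK="${TMPDIR:-/tmp}/swapaudit.$$"
mkdir -p "$WORK"
: > "$WORK/good_swapfile";  chmod 600 "$WORK/good_swapfile"
: > "$WORK/loose_swapfile"; chmod 644 "$WORK/loose_swapfile"

# Constructed /proc/swaps: one partition and two swap files.
cat > "$WORK/swaps" <<EOF
Filename                 Type        Size      Used    Priority
/dev/sda2                partition   4192956   0       -1
$WORK/good_swapfile      file        1048572   0       -2
$WORK/loose_swapfile     file        1048572   0       -3
EOF

# Constructed /etc/fstab: the partition and only one of the files persist.
cat > "$WORK/fstab" <<EOF
/dev/sda2            swap    swap    defaults    0 0
$WORK/good_swapfile  swap    swap    defaults    0 0
EOF

# Is the given swap device/file listed with type swap in the fstab file?
in_fstab() {   # $1 = swap path, $2 = fstab file
    awk -v p="$1" '$1 !~ /^#/ && $1 == p && $3 == "swap" { found = 1 }
                   END { exit !found }' "$2"
}

# Does a swap file have mode 0600 (owner read/write only)?
swapfile_mode_ok() {   # $1 = path
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# Print one line per finding; return 0 when there are none.
audit_swaps() {   # $1 = /proc/swaps-format file, $2 = fstab file
    problems=0
    while read -r name type size used prio; do
        [ "$name" = "Filename" ] && continue    # skip the header line
        if ! in_fstab "$name" "$2"; then
            echo "$name: active swap not in fstab, lost at reboot"
            problems=$((problems + 1))
        fi
        if [ "$type" = "file" ] && ! swapfile_mode_ok "$name"; then
            echo "$name: swap file is not mode 0600"
            problems=$((problems + 1))
        fi
    done < "$1"
    [ "$problems" -eq 0 ]
}

audit_swaps "$WORK/swaps" "$WORK/fstab" || echo "audit found problems"
```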

 

Red Hat's recommendations for swap space on RHEL 5 are as follows:

1. Systems with 4GB of RAM or less require a minimum of 2GB of swap space.

2. Systems with 4GB to 16GB of RAM require a minimum of 4GB of swap space.

3. Systems with 16GB to 64GB of RAM require a minimum of 8GB of swap space.

4. Systems with 64GB to 256GB of RAM require a minimum of 16GB of swap space.

 

 

Installing VirtualBox on CentOS 5 with Web Interface

Virtual machines are undeniably useful in web hosting, not just as an offered service but also for testing and debugging issues. However, while VMware and Xen offer good performance, they require a server dedicated to running just the VMware or Xen hypervisor before you can run actual VMs on it. For non-production machines this seems like overkill, especially if you only need a few VMs. Enter VirtualBox, a way to run VMs without dedicating an entire machine to it. I’m going to walk through setting up VirtualBox 4.0 on a CentOS 5.6 server along with the PHP-based web interface (aptly named) phpvirtualbox.

 

Step 1) Install DKMS, as VirtualBox will need it to build its kernel modules:

# yum install dkms

Step 2) Get the VirtualBox repo and install VirtualBox:

# wget http://download.virtualbox.org/virtualbox/rpm/rhel/virtualbox.repo -O /etc/yum.repos.d/virtualbox.repo

# yum install VirtualBox-4.0

Step 3) Create a user that will run your virtual machines, we’ll use “vbox”. Make sure you also set a password for this user and remember what it was, it will be needed later:

# useradd -g vboxusers vbox

Ok, we’re up and running with VirtualBox now, and you could stop here and create all your VMs through the CLI tool “VBoxManage” but that would be a pain, so on to the web interface!

Step 4) For the sake of example, we’re going to install phpvirtualbox in /opt/web and pretend that is our website’s document root:

# cd /opt
# wget http://phpvirtualbox.googlecode.com/files/phpvirtualbox-4.0-7.zip
# unzip phpvirtualbox-4.0-7.zip
# rm -f phpvirtualbox-4.0-7.zip
# mv phpvirtualbox-4.0-7 web

 

Step 5) Configure phpvirtualbox so it can talk (via SOAP) to VirtualBox by copying the “config.php-example” file to “config.php”, then edit the new “config.php” and change the $username and $password vars to the user you created in step #3. It’s worth noting here that phpvirtualbox can work with (multiple) remote instances of VirtualBox so you could have several VirtualBox servers behind a single instance of phpvirtualbox.

 

Step 6) Now we need to configure VirtualBox’s SOAP interface (vboxweb-service), which unfortunately has very little documentation on its configuration. It also doesn’t help that the VirtualBox package doesn’t install the default configuration files, so we’ll need to make the config files from scratch:

# echo "VBOXWEB_USER=vbox
VBOXWEB_HOST=0.0.0.0
VBOXWEB_LOGFILE=/var/log/vboxweb.log" > /etc/vbox/vbox.cfg

# touch /var/log/vboxweb.log && \
  chown vbox.vboxusers /var/log/vboxweb.log && \
  chmod 640 /var/log/vboxweb.log

Step 7) Now we can start the vboxweb-service:


# /etc/init.d/vboxweb-service start


Step 8) You should be able to log in to phpvirtualbox now with the default user “admin” and password “admin”. Obviously that password should be changed as soon as you have logged in successfully. And there you go: you can now create, modify and manage VMs in VirtualBox just as if you were using the regular desktop interface.
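Added example, not part of the original walkthrough: a small checker for /etc/vbox/vbox.cfg. VBOXWEB_HOST=0.0.0.0 as written in step 6 makes the SOAP service listen on every interface, which is only needed when phpvirtualbox talks to VirtualBox on a different host; with phpvirtualbox on the same server, as in this setup, 127.0.0.1 keeps the service off the network. Both config files below are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): read VBOXWEB_HOST from a
# vbox.cfg without sourcing it and report whether vboxweb-service will be
# reachable from the network. The two config files are constructed here.

WORK="${TMPDIR:-/tmp}/vboxcfg.$$"
mkdir -p "$WORK"

# As written in the post: listens on every interface.
cat > "$WORK/vbox.cfg.open" <<'EOF'
VBOXWEB_USER=vbox
VBOXWEB_HOST=0.0.0.0
VBOXWEB_LOGFILE=/var/log/vboxweb.log
EOF

# phpvirtualbox on the same host: loopback only.
cat > "$WORK/vbox.cfg.local" <<'EOF'
VBOXWEB_USER=vbox
VBOXWEB_HOST=127.0.0.1
VBOXWEB_LOGFILE=/var/log/vboxweb.log
EOF

# Read one KEY=value setting (optionally double-quoted) with sed rather than
# sourcing the file, so a stray command in the config is never executed.
# The last assignment wins, as it would when the init script sources it.
cfg_get() {   # $1 = file, $2 = key
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Return 0 if VBOXWEB_HOST is a loopback address, 1 otherwise (0.0.0.0,
# a non-loopback address, or no explicit value).
vboxweb_bound_locally() {   # $1 = vbox.cfg path
    case "$(cfg_get "$1" VBOXWEB_HOST)" in
        127.*|::1|localhost) return 0 ;;
        *)                   return 1 ;;
    esac
}

for f in "$WORK/vbox.cfg.open" "$WORK/vbox.cfg.local"; do
    if vboxweb_bound_locally "$f"; then
        echo "$f: VBOXWEB_HOST is loopback only"
    else
        echo "$f: VBOXWEB_HOST='$(cfg_get "$f" VBOXWEB_HOST)' is not bound to loopback"
    fi
done
```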

 

Use of file compression

 

- Results in smaller file size
- Text files can be compressed over 75 %


- Binary files usually don’t compress much
- tar archives are often compressed

 

gzip , gunzip

 

- Standard Linux compression utility
- Up to 75% compression for text

 

bzip2,bunzip2

 

- Newer Linux compression utility
- Generally achieves better compression than gzip

 

zip

- zip is compatible with the DOS/Windows PKZIP/WinZip utilities and can compress more than one file into a single file, something gzip and compress can’t do. It’s useful for transferring file and directory archives to and from the DOS/Windows platform. Zip archives are unpacked with the unzip command.

 

gzip command :-

 

When a file “filename” is compressed with gzip, the compressed file is named “filename.gz”. The file can then be uncompressed with gunzip, recreating the original file.

 

Syntax :-   # gzip <option> file_name

Option:-
-l    List the contents of a gzip archive
-d    Decompress a file that was created with the gzip command; the file is restored to its original form

 

Example:- 

 

#  gzip mydata.doc
#  gzip *.jpg

 

 

gunzip :- Decompresses a file that was created with the gzip command; the file is restored to its original form.

 

Syntax : # gunzip  file_name.gz

 

bzip2 :- Files compressed by this utility carry the extension .bz2 and are uncompressed with bunzip2. bzip2-compressed files are generally smaller than their gzipped counterparts.

 

Syntax :-  # bzip2 <options> file_name

Options:-
-d :  Decompress a file that was created with the bzip2 command; the file is restored to its original form

 

Example :

 

# bzip2 mydata.doc

 

bunzip2:- Decompresses a file that was created with the bzip2 command; the file is restored to its original form.

 

example :

 

#  bunzip2 mydata.doc.bz2

 

 

Tape Archives(Tar) utility in Linux

 

The command-line utility tar is probably the most popular and easiest Linux backup utility. It is used to create archive files for backup. The name tar stands for tape archiver, but the archive can be written to tape, to a hard-drive location or anywhere else. If you have plenty of storage on your server or use a remote network-based backup server, tar is a handy tool for backing up to a file. The command not only archives files but can also compress them using one of the most useful compression utilities, bzip2 or gzip. Compressing files and archiving them into a single file not only saves server space but also makes it easy to transfer the files from one location to another over the network. In this section, you’ll learn how to create tar archives and how to extract files from them.

 

Creating an Archive File

# tar -cvf <output_filename>.tar <directory_to_be_compressed>

c – create a new archive
v – verbose mode
f – specify the filename <output_filename> where you want to archive your files; the .tar extension is used to denote that it’s an archive tarball.

 

The last part of the tar command specifies which directory you want to archive into a single file. For example, if you want to archive your home directory, replace the <directory_to_be_compressed> parameter with your home directory location, probably /home/<yourname>.

 

# tar -cvf homedir.tar /home/umesh

Creating a compressed Archive File

# tar -czvf <output_filename>.tar.gz <directory_to_be_compressed>

OR

# tar -cjvf <output_filename>.tar.bz2 <directory_to_be_compressed>

 

Everything is the same except for the option z or j here.

z – Compress the archive file with the gzip utility. The most popular choice; compression of up to 60-70% depending on the file type.

j – Compress using the bzip2 utility. Compression takes a little more time with this utility.

Couple of examples are here.

# tar -czvf homedir.tar.gz /home/umesh

# tar -cjvf homedir.tar.bz2 /home/umesh

NOTE : The tar utility creates the archive file inside the current directory, where you execute the command from. So if you want to create archive files in some specific directory, change into that directory first and then execute the tar command.

Extracting an Archive File
It’s pretty much the same as creating an archive file, but you use the option x (extract) instead of c (create). Here are a few examples.

Extracts the contents of archive file homedir.tar into the current directory.

# tar -xvf homedir.tar


Extracts the contents of the gzip compressed archive file homedir.tar.gz into the current directory.

 

# tar -zxvf homedir.tar.gz

Extracts the contents of the bzip2 compressed archive file homedir.tar.bz2 into the current directory.

 

# tar -jxvf homedir.tar.bz2

Extracts the contents of homedir.tar to a directory with the name MyBackup.

# tar -xvf homedir.tar -C MyBackup

More options with the tar command:

# tar -zcpvf backup.tgz -T /root/include.txt -X /root/exclude.txt

The above command will back up the files listed in /root/include.txt and will skip (exclude) the files listed in /root/exclude.txt.

Where

-T   get the names to extract or create from the file /root/include.txt

-X   exclude the files listed in /root/exclude.txt

 

Mounting the CD or DVD (Linux)

 

To mount a CD-ROM on Linux operating systems, issue the mount command.


Before you begin
Depending on your system configuration, you might need root user authority to mount discs.

Procedure:- To mount the CD or DVD on Linux operating systems:

 

Insert the CD or DVD in the drive and enter the following command:

# mount -t iso9660 -o ro /dev/cdrom /mnt   

where /mnt represents the mount point of the CD or DVD.

 

Your CD or DVD file system is now mounted. View the contents of the CD or DVD by entering the cd /mnt command, where /mnt is the mount point directory.

 

Unmount and eject CD / DVD

 

There are a couple of ways to remove a CD/DVD from the drive.

 

# umount /mnt
# eject

 

or you can simply run

 

# eject

If you are unable to unmount, make sure that you are not in the directory where your DVD-ROM is mounted and that no other application is using it. If you still have a problem unmounting the DVD-ROM medium, you can use the fuser command to kill all processes using the device.

 

# fuser -mk /dev/hdc

# eject

 

How to configure Gtalk in Kopete (linux)

Almost everyone I know uses Gtalk. You can use Gtalk online through gmail or by using one of the many jabber capable chat clients out there. I’ll show you how to configure Kopete to work with Gtalk. If you didn’t already know, Kopete is the most popular multi protocol chat client for KDE.

 

Once you download Kopete, you'll need to configure your client to connect to Google Talk. Here's how:

 

1. From the main Kopete window, click Settings > Configure....

2. Select Accounts from the left nav bar and click New....

3. From the list of available services, select Jabber and click Next.

4. Click the Basic Setup tab and enter the following information:

Jabber ID:

- If you're signing in with a Gmail or Google Mail username, enter your full email address.

- If your Google Talk username isn't associated with any Google email product, add @gmail.com to the end of your username. For example, xyz will become xyz@gmail.com.

- If you're a Google Apps user, enter your full email address (gordon@example.com).

Remember password: Check this box if you'd like Kopete to remember your password.

- Password: If you chose Remember password, enter your Google Talk password.

- Exclude from connect all: Check this box if you'd like to exclude this connection when Kopete connects to all configured services.

5. Click the Connection tab and enter the following information:

- Check the Use protocol encryption (SSL), Allow plain-text password authentication, and Override default server information boxes.

- Enter talk.google.com in the Server field.

- Enter 5223 as the Port value.

6. Click Next.

7. Check Connect now to connect to Google Talk.

8. Click Finish.

 

Kindly send us your queries at info@nextstep4it.com if you have any problem configuring Gtalk in Kopete.

AWK OVERVIEW

Awk is a programming language which allows easy manipulation of structured data and the generation of formatted reports. Awk is named after its authors, Aho, Weinberger, and Kernighan. It is mostly used for pattern scanning and processing: it searches one or more files to see if they contain lines that match the specified patterns and then performs the associated actions.


Some of the key features of Awk are:

- Awk views a text file as records and fields.

- Like common programming languages, Awk has variables, conditionals and loops.

- Awk has arithmetic and string operators.

- Awk can generate formatted reports.

Awk reads from a file or from its standard input, and outputs to its standard output. Awk does not get along with non-text files.

In the awk syntax:

- the search pattern is a regular expression.

- Actions – statement(s) to be performed.

- several patterns and actions are possible in Awk.

- file – the input file.

- Single quotes around the program prevent the shell from interpreting any of its special characters.

Awk Working Methodology

- Awk reads the input files one line at a time.

- For each line, it matches against the given patterns in the given order; if a pattern matches, it performs the corresponding action.

- If no pattern matches, no action is performed.

- Either the search pattern or the action is optional, but not both.

- If the search pattern is not given, Awk performs the given actions for each line of the input.

- If the action is not given, the default action is to print all lines that match the given patterns.

- Empty braces without any action do nothing; they do not perform the default print.

- Each statement in Actions should be delimited by a semicolon.

Let us create an employee.txt file with the following content, which will be used in the examples below.

 

$ cat employee.txt
100  Thomas  Manager    Sales       $5,000
200  Jason   Developer  Technology  $5,000
300  Sanjay  Sysadmin   Technology  $7,000
400  Nisha   Manager    Marketing   $9,500
500  Randy   DBA        Technology  $6,000

Awk Example 1. Default behavior of Awk

 

By default Awk prints every line from the file.

$ awk '{print;}' employee.txt
100  Thomas  Manager    Sales       $5,000
200  Jason   Developer  Technology  $5,000
300  Sanjay  Sysadmin   Technology  $7,000
400  Nisha   Manager    Marketing   $9,500
500  Randy   DBA        Technology  $6,000

In the above example no pattern is given, so the action applies to all lines. The print action without any argument prints the whole line by default, so every line of the file is printed. Actions have to be enclosed in braces.

 

Awk Example 2. Print the lines which match a pattern.

$ awk '/Thomas/
> /Nisha/' employee.txt
100  Thomas  Manager    Sales       $5,000
400  Nisha   Manager    Marketing   $9,500

In the above example it prints all the lines which match ‘Thomas’ or ‘Nisha’. It has two patterns. Awk accepts any number of patterns, but each set (pattern and its corresponding actions) has to be separated by a newline.

Awk Example 3. Print only specific field.

 

Awk has a number of built-in variables. For each record, i.e. line, it splits the record on whitespace (the default delimiter) and stores the pieces in the $n variables. If the line has 4 words, they are stored in $1, $2, $3 and $4. $0 represents the whole line. NF is a built-in variable which holds the total number of fields in a record.

$ awk '{print $2,$5;}' employee.txt
Thomas $5,000
Jason $5,000
Sanjay $7,000
Nisha $9,500
Randy $6,000

The same output is produced with $NF in place of $5, since the salary is the last field:

$ awk '{print $2,$NF;}' employee.txt

Syntax:

BEGIN { Actions }
{ACTION}   # Action for every line in a file
END { Actions }

# is for comments in Awk

Actions specified in the BEGIN section are executed before Awk starts reading lines from the input.

END actions are performed after Awk has finished reading and processing the lines from the input.

 

$ awk 'BEGIN {print "Name\tDesignation\tDepartment\tSalary";}
> {print $2,"\t",$3,"\t",$4,"\t",$NF;}
> END{print "Report Generated\n--------------";
> }' employee.txt
Name    Designation    Department    Salary
Thomas  Manager        Sales         $5,000
Jason   Developer      Technology    $5,000
Sanjay  Sysadmin       Technology    $7,000
Nisha   Manager        Marketing     $9,500
Randy   DBA            Technology    $6,000
Report Generated
--------------

In the above example, it prints a header line and a footer for the report.

 

Awk Example 5. Find the employees who have an employee id greater than 200

$ awk '$1 >200' employee.txt
300  Sanjay  Sysadmin   Technology  $7,000
400  Nisha   Manager    Marketing   $9,500
500  Randy   DBA        Technology  $6,000

In the above example, the first field ($1) is the employee id. So if $1 is greater than 200, the default print action prints the whole line.

 


Awk Example 6. Print the list of employees in Technology department

 

Now the department name is available as the fourth field, so we need to check whether $4 matches the string “Technology” and, if so, print the line.

$ awk '$4 ~/Technology/' employee.txt
200  Jason   Developer  Technology  $5,000
300  Sanjay  Sysadmin   Technology  $7,000
500  Randy   DBA        Technology  $6,000

The operator ~ compares against a regular expression. If it matches, the default action, printing the whole line, is performed.

Awk Example 7. Print number of employees in Technology department

The example below checks whether the department is Technology and, if it is, the action just increments the count variable, which was initialized to zero in the BEGIN section.

$ awk 'BEGIN { count=0;}
$4 ~ /Technology/ { count++; }
END { print "Number of employees in Technology Dept =",count;}' employee.txt
Number of employees in Technology Dept = 3

Then at the end of processing, the value of count is printed, giving the number of employees in the Technology department.
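As an added example that goes beyond the post's cases (it is not from the original), the script below uses awk associative arrays and gsub() to produce a per-department head count and total salary from employee.txt, stripping the "$" and "," from the salary field so it can be summed. The file is constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original post): per-department head count and
# total salary from employee.txt, using awk associative arrays and gsub().
# employee.txt is constructed here so the example runs stand-alone.

EMPLOYEE_FILE="${TMPDIR:-/tmp}/employee.$$.txt"
cat > "$EMPLOYEE_FILE" <<'EOF'
100  Thomas  Manager    Sales       $5,000
200  Jason   Developer  Technology  $5,000
300  Sanjay  Sysadmin   Technology  $7,000
400  Nisha   Manager    Marketing   $9,500
500  Randy   DBA        Technology  $6,000
EOF

# Print "dept count total" for each department, sorted by department name.
dept_report() {   # $1 = employee file
    awk '{
        # Strip the "$" and "," from the last field so awk can add it as a number.
        salary = $NF; gsub(/[$,]/, "", salary)
        count[$4]++; total[$4] += salary
    }
    END {
        for (d in count) printf "%s %d %d\n", d, count[d], total[d]
    }' "$1" | sort
}

# Total salary for one department, e.g. Technology -> 18000.
dept_total() {   # $1 = employee file, $2 = department
    dept_report "$1" | awk -v d="$2" '$1 == d { print $3 }'
}

dept_report "$EMPLOYEE_FILE"
```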

How To Set Up Shorewall (Shoreline) 4.0 Firewall On CentOS 5

Policy Configuration

 

The next file defines your firewall default policy. The default policy is used if no other rules apply. Often you will set the default policy to REJECT or DROP as the default, and then configure specifically what ports/services are allowed in the next step, and any that you do not configure are by default rejected or dropped according to this policy.

 

# vim /etc/shorewall/policy

An example policy (based on the zones and interfaces we used above) would be:

 

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc             net             ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT.  (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc             dmz             REJECT          info
loc             $FW             REJECT          info
loc             all             REJECT          info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW             net             REJECT          info
$FW             dmz             REJECT          info
$FW             loc             REJECT          info
$FW             all             REJECT          info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT.  This may be useful if you run a proxy server in
# your DMZ.
dmz             net             REJECT          info
dmz             $FW             REJECT          info
dmz             loc             REJECT          info
dmz             all             REJECT          info
#
# Policies for traffic originating from the Internet zone (net)
#
net             dmz             DROP            info
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
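Added example, not from the original article: a check of the policy file before starting Shorewall. Policies are matched in file order, which is why the example marks the "all all" catch-all as MUST BE LAST, and the design above never gives the untrusted net zone an ACCEPT policy. The policy file below is a constructed subset of the example above.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a Shorewall
# policy file. The catch-all "all all" entry must be the last policy, and no
# policy should ACCEPT traffic originating from the net zone by default.
# The policy file is a constructed subset of the article's example.

WORK="${TMPDIR:-/tmp}/shorewall.$$"
mkdir -p "$WORK"
cat > "$WORK/policy" <<'EOF'
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
loc      dmz    REJECT   info
loc      all    REJECT   info
$FW      all    REJECT   info
dmz      all    REJECT   info
net      all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all      all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF

# Policy entries with comments and blank lines removed: "SOURCE DEST POLICY".
policy_entries() {   # $1 = policy file
    awk 'NF > 0 && $0 !~ /^[[:space:]]*#/ { print $1, $2, $3 }' "$1"
}

# Return 0 if the final entry is the "all all" catch-all with a deny policy.
catchall_is_last() {   # $1 = policy file
    last=$(policy_entries "$1" | tail -n 1)
    case "$last" in
        "all all REJECT"|"all all DROP") return 0 ;;
        *)                               return 1 ;;
    esac
}

# Print any policy that lets the net zone in by default; return 0 if none.
net_accept_policies() {   # $1 = policy file
    policy_entries "$1" | awk '$1 == "net" && $3 == "ACCEPT" { print; bad = 1 }
                               END { exit bad }'
}

if catchall_is_last "$WORK/policy"; then echo "catch-all policy is last"; fi
if net_accept_policies "$WORK/policy"; then echo "no ACCEPT policy from net"; fi
```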

Rules Configuration

 

The most important file is the rules file. This is where you set what is allowed or not. Any new connection that comes into your firewall is checked against these rules; if none of them apply, the default policy applies.
Note: This is only for new connections; existing connections are automatically accepted.

The comments in the file give you a good idea of how things work, but the following provides an example that can give you a head start:

 

# vim /etc/shorewall/rules

An example would be:

 

#ACTION   SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   MARK
#PORT    PORT(S)         DEST            LIMIT           GROUP
#
#Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT      $FW             net
#
#
#Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT      loc             $FW
SSH/ACCEPT      loc             dmz
#
#DMZ DNS access to the Internet
#
DNS/ACCEPT      dmz             net
#
#Drop Ping from the "bad" net zone.
#
Ping/DROP     net             $FW
#
#Make ping work bi-directionally between the dmz, net, Firewall and local zone
#(assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc             $FW
Ping/ACCEPT     dmz           $FW
Ping/ACCEPT     loc             dmz
Ping/ACCEPT     dmz           loc
Ping/ACCEPT     dmz           net
ACCEPT          $FW             net            icmp
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             dmz           icmp
#Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT    net             dmz
#Ping/ACCEPT    net             loc

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

 

Finally

Well, we are done; let's fire up the service and begin testing.

# service shorewall start

 

 

 
