A chronological documentation test project, nothing serious, really!

05 Oct 2009 iptables connection tracking table full

I’ve recently experienced that my workstation (Ubuntu Jaunty Jackalope, 9.04, x86_64) “hangs” periodically when my internet browser, Mozilla Firefox, has a lot of active tabs.
In my case I had > 100 active tabs in more than 20 windows. I know I should have closed some of them but that is not an option right now.

The problem revealed itself when I ran dmesg on my workstation:

# dmesg

[1737157.057528] nf_conntrack: table full, dropping packet.
[1737157.160357] nf_conntrack: table full, dropping packet.
[1737157.260534] nf_conntrack: table full, dropping packet.
[1737157.361837] nf_conntrack: table full, dropping packet.
[1737157.462305] nf_conntrack: table full, dropping packet.
[1737157.564270] nf_conntrack: table full, dropping packet.
[1737157.666836] nf_conntrack: table full, dropping packet.
[1737157.767348] nf_conntrack: table full, dropping packet.
[1737157.868338] nf_conntrack: table full, dropping packet.
[1737157.969828] nf_conntrack: table full, dropping packet.
[1737162.214064] __ratelimit: 53 callbacks suppressed

This behaviour looks like a denial of service and is caused by a full netfilter connection tracking (conntrack) table: once the table is full, the kernel cannot create an entry for a new connection and drops its packets instead, so new connections simply stall while existing ones keep working.

The default size of the connection tracking table on this kernel is

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536

(On current kernels the canonical knob is /proc/sys/net/netfilter/nf_conntrack_max, i.e. sysctl net.netfilter.nf_conntrack_max; the ip_conntrack_max path under net/ipv4 is a compatibility alias for the same value. The number of entries currently in use is in nf_conntrack_count next to it, which is what to watch if you want to see the table filling up before packets get dropped.)

The solution I went for was to double the size of the connection table to 131072 and restart Firefox.

# echo "131072" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

The value is an unsigned 32-bit integer, so the table can be made very large, but every tracked connection costs kernel memory (a few hundred bytes per entry on x86_64), so raising the limit by orders of magnitude needs correspondingly more RAM. Two related points: the hash table used to look up entries (the nf_conntrack hashsize, visible in /sys/module/nf_conntrack/parameters/hashsize) is sized separately and should be raised along with the maximum, otherwise lookups degrade into walking long chains; and if most entries are idle TCP connections, lowering net.netfilter.nf_conntrack_tcp_timeout_established from its default of 5 days (432000 s) frees entries sooner instead of needing a bigger table.

To make this solution permanent I added the following line to /etc/sysctl.conf

net.ipv4.netfilter.ip_conntrack_max = 131072

You can check that the setting is applied by running

# sysctl -p
net.ipv4.netfilter.ip_conntrack_max = 131072

This command loads the settings from /etc/sysctl.conf and prints each key it applied. Note that the sysctl only exists once the conntrack module is loaded; if the module is not loaded at the point where sysctl.conf is applied during boot, the line is reported as an unknown key and ignored, so on a machine that loads nf_conntrack late (for example when the firewall starts) make sure the module is loaded first, e.g. by listing nf_conntrack in /etc/modules.
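The "table full, dropping packet" messages only appear after the damage is done. The following script is an added example, not part of the original post: it reads the current count and maximum (trying the canonical /proc/sys/net/netfilter path first and the legacy ipv4 alias used above second), classifies the usage with Nagios-style OK/WARN/CRIT thresholds, and counts entries per originating source address from a conntrack table dump, which is how you find out which machine or program is eating the table. The sample table lines embedded at the bottom are constructed for illustration, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): watch conntrack table usage and
# find which source addresses hold the most entries.

# Print "count max" from the kernel. Tries the canonical path first, then the
# legacy ipv4 alias. Returns 1 if conntrack is not loaded (no files present).
read_conntrack_counters() {
  for pair in \
    /proc/sys/net/netfilter/nf_conntrack_count:/proc/sys/net/netfilter/nf_conntrack_max \
    /proc/sys/net/ipv4/netfilter/ip_conntrack_count:/proc/sys/net/ipv4/netfilter/ip_conntrack_max; do
    count_file=${pair%%:*}
    max_file=${pair#*:}
    if [ -r "$count_file" ] && [ -r "$max_file" ]; then
      echo "$(cat "$count_file") $(cat "$max_file")"
      return 0
    fi
  done
  return 1
}

# Classify usage: prints "OK|WARN|CRIT pct% (count/max)" and returns 0/1/2,
# so it can drive a cron job or monitoring check before the kernel starts
# logging "nf_conntrack: table full, dropping packet".
# args: count max [warn_pct=80] [crit_pct=95]
conntrack_status() {
  count=$1; max=$2; warn=${3:-80}; crit=${4:-95}
  [ "$max" -gt 0 ] 2>/dev/null || { echo "UNKNOWN"; return 3; }
  pct=$(( count * 100 / max ))
  if [ "$pct" -ge "$crit" ]; then
    echo "CRIT ${pct}% ($count/$max)"; return 2
  elif [ "$pct" -ge "$warn" ]; then
    echo "WARN ${pct}% ($count/$max)"; return 1
  fi
  echo "OK ${pct}% ($count/$max)"; return 0
}

# Count entries per originating source address from a conntrack table dump
# (/proc/net/nf_conntrack or /proc/net/ip_conntrack on stdin), busiest first.
# Only the first src= on each line is the originator; the second src= belongs
# to the reply tuple, so the loop stops after the first match.
top_conntrack_sources() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
       END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Constructed sample of /proc/net/nf_conntrack lines (not a real capture).
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.0.10 dst=203.0.113.9 sport=51235 dport=80 src=203.0.113.9 dst=198.51.100.7 sport=80 dport=51235 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.0.10 dst=203.0.113.9 sport=51236 dport=80 src=203.0.113.9 dst=198.51.100.7 sport=80 dport=51236 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.0.20 dst=192.168.0.1 sport=53412 dport=53 src=192.168.0.1 dst=192.168.0.20 sport=53 dport=53412 mark=0 use=2'

main() {
  if counters=$(read_conntrack_counters); then
    set -- $counters
    conntrack_status "$1" "$2"
  else
    echo "conntrack not loaded on this host; showing the constructed sample only"
  fi
  # On a real host replace the sample with: cat /proc/net/nf_conntrack
  printf '%s\n' "$SAMPLE_CONNTRACK" | top_conntrack_sources | head -n 5
  return 0
}

main "$@"
```

Run it from cron with the exit code feeding your monitoring, or by hand when the machine "hangs": if the top source is a single workstation with hundreds of ESTABLISHED entries in TIME_WAIT or with the 5-day timeout, that is your browser, and the timeout tweak above may be the better fix than a bigger table.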


07 Aug 2009 Suspend a VMware Workstation host from command line

This post gives a short description of how to suspend a VMware Workstation 6.5.x virtual machine on an Ubuntu 9.04 workstation from the command line; it should work the same on other Linux distributions. Lately I've experienced that one of my VMware guests locks up and my mouse cursor stops responding. The keyboard doesn't let me switch applications (Alt+Tab) because the Tab key doesn't respond. The solution to my problem was to suspend the virtual machine from the console.

  1. First switch to a text console by pressing Ctrl+Alt+F1 and log in there.
  2. Suspend the virtual machine by issuing the following command from the console (the path is that of the guest's .vmx file):
    # vmrun suspend /path/to/the/vmx-file/vmxfile.vmx

Switch back to your graphical desktop by pressing Ctrl+Alt+F7. You will now see the suspend indicator hard at work suspending the virtual machine that is causing problems. When the virtual machine has been suspended you can shut down VMware Workstation as you normally do.

To make sure VMware has no defunct processes left behind, stop and start the VMware services.

Note:
Remember to shut down or suspend all virtual machines before issuing the following commands from the console, to avoid losing data.

Stopping the VMware daemon

# /etc/init.d/vmware stop

Stopping VMware services:
   Virtual machine communication interface                             done
   Virtual machine monitor                                             done
   Blocking file system                                                done

Starting the VMware daemon

# /etc/init.d/vmware start

Starting VMware services:
   Virtual machine monitor                                             done
   Virtual machine communication interface                             done
   Blocking file system                                                done
   Virtual ethernet                                                    done
   Shared Memory Available                                             done

Start VMware Workstation as you normally do and resume the virtual machine. It should now work without any problems.

The vmrun command has other subcommands as well, such as list, start, stop, reset and upgradevm, but they are not covered in this post.
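When the desktop is wedged you may not remember the exact .vmx path. The script below is an added example, not from the original post or from VMware: it uses vmrun list, whose output is a "Total running VMs: N" line followed by one .vmx path per line, to find every running guest and suspend each of them. Suspend writes the guest's state to disk, so nothing inside the guest is lost, unlike a hard stop. The VMRUN variable is an assumption added so the script can be pointed at a wrapper; by default it uses the vmrun in PATH.

```shell
#!/bin/sh
# Added example (not from the original post): suspend every running VMware
# Workstation VM from a text console. Usage: sh suspend-vms.sh --all
VMRUN="${VMRUN:-vmrun}"

# Print the .vmx paths of running VMs, given `vmrun list` output on stdin.
# Line 1 is "Total running VMs: N"; every non-blank line after it is a path.
running_vm_paths() {
  awk 'NR > 1 && NF'
}

# Suspend each running VM in turn. A suspend keeps the guest's memory and
# device state on disk so it can be resumed later; it is the safe choice for
# a guest that is merely unresponsive to the desktop.
suspend_running_vms() {
  "$VMRUN" list | running_vm_paths | while IFS= read -r vmx; do
    "$VMRUN" suspend "$vmx"
  done
}

# Only act when explicitly asked, so sourcing the file defines the functions
# without touching any VM.
if [ "${1:-}" = "--all" ]; then
  suspend_running_vms
fi
```

If vmrun reports a VM that is already frozen in a state where suspend itself hangs, fall back to `vmrun stop /path/to/vm.vmx hard` as a last resort, accepting that unsaved guest state is lost.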


05 Jun 2009 Howto install Skype on a 64bit Ubuntu 9.04

This post describes how to install Skype, the popular VOIP and video conference program, on a 64-bit Ubuntu 9.04 (Jaunty Jackalope) system. Skype only ships a 32-bit .deb, so the 32-bit compatibility libraries are installed first and dpkg is told to ignore the architecture mismatch with --force-architecture.

# sudo apt-get install ia32-libs lib32asound2 libqt4-core libqt4-gui
# wget -O skype-install.deb http://www.skype.com/go/getskype-linux-ubuntu
# sudo dpkg -i --force-architecture skype-install.deb

The application should now be located under Applications -> Internet -> Skype.


24 May 2009 ufw and IP masquerading

I’ve just upgraded my home server from Ubuntu 8.10 to 9.04 and experienced that my ufw firewall (iptables) would not route traffic from my local network to the Internet. My IP masquerading was not working anymore and since I had not documented the process when I set it up I had to search the Ubuntu pages to find the solution and came up with this.

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus “masqueraded” as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

ufw Masquerading

IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in

/etc/ufw/*.rules

These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.

The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.

  • First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the
    DEFAULT_FORWARD_POLICY

    to “ACCEPT”:

    DEFAULT_FORWARD_POLICY="ACCEPT"

    Then edit /etc/ufw/sysctl.conf and uncomment:

    net.ipv4.ip_forward=1

    Similarly, for IPv6 forwarding uncomment:

    net.ipv6.conf.default.forwarding=1
  • Now we will add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:
    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    
    # Forward traffic from eth1 through eth0.
    -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
    
    # don't delete the 'COMMIT' line or these nat table rules won't be processed
    COMMIT

    The comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last line for each table modified:

    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT

    For each Table a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables.

    [Note]
    In the above example replace eth0, eth1, and 192.168.0.0/24 with the appropriate interfaces and IP range for your network.
  • Finally, disable and re-enable ufw to apply the changes:
    sudo ufw disable && sudo ufw enable

IP Masquerading should now be enabled. You can also add any additional FORWARD rules to /etc/ufw/before.rules; it is recommended that these additional rules be added to the ufw-before-forward chain. Keep in mind that DEFAULT_FORWARD_POLICY="ACCEPT" forwards traffic between all interfaces in every direction, not only from the LAN out to the Internet, so on a gateway exposed to the Internet you may prefer to leave it at "DROP" and allow only the forwarding you need with explicit rules in that chain.

Source: https://help.ubuntu.com/9.04/serverguide/C/firewall.html
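The two things that go wrong with this setup are a forgotten COMMIT (the guide warns about it twice) and a forward policy that is wider than intended. The script below is an added example, not part of the Ubuntu server guide: it renders the nat section for a given LAN subnet and Internet-facing interface, renders explicit ufw-before-forward rules that allow only LAN-to-Internet traffic and its replies so DEFAULT_FORWARD_POLICY can stay at "DROP", and checks a rules file for any *table section that is not closed by COMMIT. Interface names and the 192.168.0.0/24 default are the guide's; everything else about the layout is an assumption.

```shell
#!/bin/sh
# Added example (not from the Ubuntu server guide): render ufw masquerading
# rules and check a rules file for a table missing its COMMIT.

# nat section for /etc/ufw/before.rules.
# $1 = LAN subnet (default 192.168.0.0/24), $2 = Internet-facing interface (default eth0)
render_nat_rules() {
  lan_net=${1:-192.168.0.0/24}
  wan_if=${2:-eth0}
  cat <<EOF
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade traffic from $lan_net leaving through $wan_if
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
EOF
}

# Explicit forward rules for the ufw-before-forward chain in the *filter
# section. They allow new connections from the LAN to the Internet and the
# replies coming back, nothing else, so DEFAULT_FORWARD_POLICY can stay "DROP".
# $1 = LAN interface, $2 = Internet-facing interface, $3 = LAN subnet
render_forward_rules() {
  lan_if=${1:-eth1}
  wan_if=${2:-eth0}
  lan_net=${3:-192.168.0.0/24}
  cat <<EOF
# LAN -> Internet: new connections and their follow-up packets
-A ufw-before-forward -i $lan_if -o $wan_if -s $lan_net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Internet -> LAN: replies only
-A ufw-before-forward -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read a rules file on stdin; exit 0 only if every "*table" section is
# closed by a COMMIT before the next table starts or the file ends.
# iptables-restore silently loses an unterminated table, which is exactly
# the failure the "don't delete the COMMIT line" comments exist to prevent.
check_commits() {
  awk '
    /^\*/     { if (open) bad++; open = 1; next }
    /^COMMIT/ { if (!open) bad++; open = 0; next }
    END       { if (open) bad++; exit bad ? 1 : 0 }
  '
}
```

To audit the live configuration run `check_commits < /etc/ufw/before.rules` and `check_commits < /etc/ufw/after.rules` before `ufw disable && ufw enable`; to see the rendered rules for a different layout call e.g. `render_nat_rules 10.0.0.0/24 ppp0`.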


12 May 2009 Howto make Adobe Flash work on 64-bit Ubuntu

This post is actually not a HOWTO, but a quick tip on how to install Adobe Flash 10 in 64-bit Ubuntu. I've tested this in Ubuntu 9.04 with great success using the following commands from a console window.

wget http://queleimporta.com/downloads/flash10_x64_en.sh && chmod +x flash10_x64_en.sh && sudo sh ./flash10_x64_en.sh

Note!
The script is run as root via sudo, so read through it and make sure you know what it does before you run it, to avoid any surprises.

Source: http://queleimporta.com/en/finally-adobe-releases-native-64-bit-flash-10-for-linux/
