December 11, 2012
iptables: redirecting ports
Generally, the preferred method to redirect in-bound traffic on port 80 to port 8080 is to utilize NAT/firewall rules (iptables, specifically). Use the following method to complete the process...
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
# Default policies: accept inbound and outbound, drop forwarded traffic
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Accept replies to connections this host already has open
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept everything from the local interface
$IPTABLES -A INPUT -i lo -j ACCEPT
# Accept traffic on port 80
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# Accept traffic on port 8080 (the REDIRECT below rewrites the destination port before
# the INPUT chain sees the packet, so this rule is what actually lets redirected traffic in)
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT
# Accept ssh traffic
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# Local redirect (connections from this host to its own port 80)
$IPTABLES -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080
# Actual 80 to 8080 redirect for inbound traffic
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Save the configuration (RHEL/CentOS location)
if [ -d "/etc/sysconfig" ]; then
    $IPTABLES_SAVE > /etc/sysconfig/iptables
fi
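A check worth running after loading rules like these, written here as an added example (it is not part of the original post): it parses iptables-save output and confirms both halves of the redirect are in place. The nat PREROUTING REDIRECT alone is not enough, because after the rewrite the filter INPUT chain sees destination port 8080, so a filter policy or rule that rejects 8080 silently breaks the redirect. The SAMPLE_RULES and BROKEN_RULES texts below are constructed to look like iptables-save output; the function names are this example's own.

```sh
#!/bin/sh
# Constructed iptables-save dump matching the ruleset the post builds (not captured
# from a real host): filter INPUT accepts 22/80/8080, nat PREROUTING redirects 80 -> 8080.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Constructed failure case: the redirect exists but INPUT never accepts 8080.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Print the rule lines of one table ("filter" or "nat") from a dump.
# $1 = dump text, $2 = table name
table_rules() {
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on'
}

# Exit 0 if nat PREROUTING redirects TCP port $2 to port $3.  $1 = dump text
has_redirect() {
    table_rules "$1" nat |
        grep -q -e "^-A PREROUTING .*-p tcp .*--dport $2 .*-j REDIRECT --to-ports $3\$"
}

# Exit 0 if filter INPUT has an explicit ACCEPT for TCP port $2.  $1 = dump text
accepts_port() {
    table_rules "$1" filter | grep -q -e "^-A INPUT .*-p tcp .*--dport $2 -j ACCEPT\$"
}

# Exit 0 only when the redirect from $2 to $3 would actually deliver traffic:
# the nat rule exists AND the filter chain accepts the rewritten port.
redirect_ok() {
    has_redirect "$1" "$2" "$3" && accepts_port "$1" "$3"
}
```

On a live host the same check is `redirect_ok "$(/sbin/iptables-save)" 80 8080`. Note that the ACCEPT on 8080 also means the backend is reachable directly on 8080 from the network, not only via the redirect; if that is not intended, the 8080 rule needs an interface or source restriction.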
September 07, 2012
iptables: method to simply block Ping requests...
Sometimes a system administrator would simply like to block out all incoming ping requests - issue the following command in order to adjust iptables for this functionality:
/sbin/iptables -I INPUT -j DROP -p icmp --icmp-type echo-request
(this reads: drop all INPUT traffic of protocol icmp, specifically type echo-request).
Later, to remove the rule, first obtain its index number in the chain:
/sbin/iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP icmp -- anywhere anywhere icmp echo-request
(the ICMP echo-request block is rule number 1)
Delete the entry by that number:
/sbin/iptables -D INPUT 1
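The same lookup done by script rather than by eye, as an added example that is not part of the original post: it reads a listing in the shape of `iptables -L INPUT --line-numbers`, finds the index of the echo-request DROP rule and builds the delete command. The SAMPLE_LISTING text is constructed for the example, and the function names are its own.

```sh
#!/bin/sh
# Constructed listing in the shape of "iptables -L INPUT --line-numbers"
# (not captured from the original post's host).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    DROP       icmp --  anywhere             anywhere             icmp echo-request
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh'

# Print the index of the first INPUT rule that drops ICMP echo-request,
# or nothing if there is none.  $1 = listing text
ping_drop_index() {
    printf '%s\n' "$1" |
        awk '$2 == "DROP" && $3 == "icmp" && /echo-request/ { print $1; exit }'
}

# Print the delete command for that rule; exit 1 if no such rule exists.
# Deleting by index, as the post does, is only safe while no rule above it
# has been added or removed since the listing was taken; deleting by the
# rule specification ("-D INPUT -p icmp --icmp-type echo-request -j DROP")
# does not have that race.  $1 = listing text
ping_drop_delete_cmd() {
    idx=$(ping_drop_index "$1")
    [ -n "$idx" ] || return 1
    echo "/sbin/iptables -D INPUT $idx"
}
```

On a live host: `ping_drop_delete_cmd "$(/sbin/iptables -L INPUT --line-numbers)"` prints the command to run.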
July 13, 2012
Setting the default umask for web-content...
One of the issues we've had with multiple users managing web-content and directory permissions is related to properly setting umask, specifically modifying the default RHEL6 umask value of 022 (022 only allows for group reading) - this causes significant problems when multiple individuals are managing content. We've side-stepped this problem by simply setting default umask values within the various login shell profiles, for example:
[root@winterberry /home]# vim /home/cdgrieb/.cshrc
[root@winterberry /home]# vim /home/cdgrieb/.bash_profile
A default value of 002 allows for owner/group reading/writing, which makes managing multiple web-based users significantly easier to deal with.
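To see the difference between the two umask values concretely, here is an added example (not from the original post) that creates a probe file or directory under a given umask in a temporary directory and reports the permission string `ls -l` shows for it. It assumes a POSIX shell with `mktemp`, `ls` and `cut`, and a filesystem without default ACLs that would alter the resulting mode; the function name is the example's own.

```sh
#!/bin/sh
# Permission string (the first ten characters of "ls -l") of a new file or
# directory created under a given umask.
# $1 = umask value such as 022 or 002, $2 = "file" or "dir"
perms_under_umask() {
    tmp=$(mktemp -d) || return 1
    # Apply the umask in a subshell so the caller's umask is left untouched.
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
    )
    ls -ld "$tmp/probe" | cut -c1-10
    rm -rf "$tmp"
}
```

Under 022 a new file comes out `-rw-r--r--` (group may only read), under 002 it is `-rw-rw-r--` (group may write), which is the behaviour the post relies on for shared web content. Note that 002 gives the group write access on everything the user creates, not just web content, so the group membership of those accounts is what bounds the exposure.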
July 10, 2012
SA Lisa - VM deployment checklist Linux
We started the process of creating our VM deployment checklist, covering documentation creation, RHN registration, and account management, with the eventual goal of automating the entire process. More information soon!
June 05, 2012
Standardizing MySQL credentials
Currently, MSIS hosts a number of WordPress blogs operating under external, non-university DNS entries, for example umhsheadlines.org. Because multiple SAs have configured and managed these blogs, we've ended up with root-level SQL passwords that vary, often significantly, from server to server. Additionally, only a few of these passwords have actually been documented. As a result, team Lisa has started the process of resetting and tracking the passwords associated with MySQL credentials. Hopefully, we'll have this finished in a few weeks.