PREROUTING in nat table: DNAT, REDIRECT
POSTROUTING in nat table: SNAT/MASQUERADE
PREROUTING in mangle table: alter routing (e.g. source-based routing)
FORWARD in mangle table: traffic shaping for tc (flowid)
In MikroTik RouterOS, /ip firewall nat:
srcnat chain = PREROUTING
dstnat chain = POSTROUTING
In a situation, I had to extend my PPPoE network over a wireless bridge. I do not want to have nor maintain 2 PPPoE servers. I didn’t bother failed to understand how PPPoE works and made a wireless bridge without WDS. When one user log in from the bridged side of the network, it works flawlessly. When more users are trying to log in, the user which logged in earlier gets disconnected. Apparently this is caused by MAC address problem[1]. From the PPPoE server’s side, users logging in from the bridged side of the network have the same MAC address which is the bridge device’s MAC address. From the users’ side, they are able to see correct MAC address of every device on the other side of the network. The PPPoE server gets confused when it sends PPPoE packets because multiple users have the same MAC address and there is no way for the server to direct reply to individual user.
[1]Wireless AP is connected to the side of the network where the PPPoE server is connected to, and wireless client is connected to the other side of the network. Every device connected to the same side of the wireless AP gets the wireless client’s MAC address for every device connected over the wireless bridge, however every device over the bridge gets to see the real MAC address of every device connected to the same side of the wireless AP. I believe that if I interchange the wireless AP and client (so now PPPoE server is connected to the wireless client instead), it may work properly since the PPPoE server will get the correct MAC address of all devices over the bridge. Devices connected to the wireless AP obviously will get the same MAC address for the PPPoE server and PPPoE users connected to the same side of the wireless client, but the most important thing is that the PPPoE users over the bridge can communicate properly with the PPPoE server. Since this is a one-to-many and many-to-one situation, this should work, but not for many-to-many situation. This explanation sounds quite confusing due to my limited English. If you could rewrite this part, please let me know.
To determine which shell is currently being used, do echo $0.
Previously I wrote a post which discusses real-time CPU statistics utility. Now if you need historical data of CPU utilization statistics, use sysstat’s sar. For Fedora and CentOS, there is an official RPM package for sysstat.
Once you have installed sysstat, leave it for a few minutes until you get some records. The data collector runs from /etc/cron.d every 10 minutes (by default) and records all CPU usage. If you have SMP systems, then it will record each CPU’s utilization statistics. The default behaviour of sar is to print ALL CPU statistics combined, use -p to select individual CPU. Have fun watching your CPU utilization stats! 
I had a task to allow root login via telnet on RHEL 4.3 servers. I tried my luck on Google and found this. Once I have done exactly as mentioned, I still couldn’t login as root via telnet.
After researching a little bit more on Google, I finally found the answer! Apparently krb5-workstation’s /etc/xinetd.d/krb5-telnet is not the telnet-server package that I have been looking for. telnet-server’s telnetd is actually another package which is mentioned in the document I found earlier. I disabled krb5-telnet and enabled telnet in /etc/xinetd.d/.
Voila! Now it allows root login via telnet. Red Hat should have written a note about this in the document.
PS: Please enable telnet-server ONLY if you need it and you know what you’re doing. I do NOT recommend the use of telnet-server.
References:
http://kbase.redhat.com/faq/FAQ_45_453.shtm
http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1210184407758+28353475&threadId=1035531
I’m not sure if this important topic is discussed thoroughly in manuals because I couldn’t find any easily on Google without the exact keywords. I could be wrong though, but I’m documenting it here for my own note.
Many people do not dare to adopt Linux due to its complexity. I have to agree that Linux is far from being user friendly despite a lot of people’s effort to make it one. Simple task such as changing/replacing hardware is very common, especially now with the rapid development of technological advances. Few weeks ago I had to change one of my servers’ motherboard with a new one to accommodate a new multi-core CPU and I had to keep everything (OS and data) on the hard drive intact. Once the new motherboard was in place, it wouldn’t boot because it couldn’t read from my hard drive. Typical error where it says root partition cannot be found. Initially, I didn’t know an incorrect initrd could cause this problem because the error messages (which leads to kernel panic) didn’t mention anything specific other than not being able to read the partition table and find /. I almost put my blame instantly on LVM. Fortunately with some dedications searching through Google, I was able to find the right solution.
Linux uses initrd to keep a handful of modules it requires for booting to take place properly. If you compile every driver you need into the kernel, then initrd is not required but including everything in the kernel is inefficient and defeats the purpose of modular design. Important modules such as ext3, PATA/SATA controller, LVM, need to be placed inside the initrd. How can a boot loader (in most cases GRUB or LILO) be able to load LVM partitions if the modules required to read LVM partitions are inside the LVM partition?
To “repair” my new system, I had to boot using a rescue CD, modify /etc/modprobe.conf to include the new motherboard’s SATA controller. This new motherboard’s PATA controller is different from the old motherboard and therefore requires a different driver. I replaced “alias scsi_hostadapter2 pata_amd” to “alias scsi_hostadapter2 libata” in modprobe.conf. Basically these are the steps:
chroot /mnt/sysimage
vi /etc/modprobe.conf
(make needed changes as required)
depmod -ae -F /boot/System.map-2.6.9-1.667 2.6.9-1.667
mkinitrd -v -f /boot/initrd-2.6.9-1.667.img 2.6.9-1.667
Once everything ran as expected, remove the rescue CD, and reboot. The system should boot properly now. If it doesn’t, most likely the module name specified in modprobe.conf is incorrect.
Here is a tip to find out which PATA/SATA module you should include in modprobe.conf:
When booting the rescue CD, right after the blue screen appears it will pop up a dialog. Find the module name that is required in that dialog. Be sure to keep an eye on it because it will disappear quickly.
BTW, this article is also useful when moving an installed Linux hard drive to a different computer with different hardware.
Good luck! Let me know if this article helps you by posting a comment. Thanks!
References:
http://www.keffective.com/mvsata/
http://en.wikipedia.org/wiki/Initrd
One of my hard disks on my Fedora Core 6 server nearly failed yesterday. It sounded like it loses power every now and then. This hard disk is my primary, it has the /boot partition and an LVM partition. It holds at least 36GB of the 300GB+ LVM Volume Group. Had it died totally, then most of the OS would have been gone along with some of my data. Luckily I was still able to boot from this nearly-dead hard disk for a couple of times.
I downloaded Fedora Core 6’s Rescue CD ISO and burned it. Every time I could boot into the system without a problem, I rebooted immediately and booted from the Rescue CD. I was hoping that I could move the LVM PEs off the broken hard disk ASAP.
During my first attempt, the faulty hard disk ‘disappeared’ when I was running e2fsck. I had to shut the system down for about 15 minutes to let it cool down. This trick did work and I tried another attempt. This time e2fsck finished without a problem, and I ran pvmove to move the PEs from the faulty disk. Unfortunately my kernel is the latest version but the device-mapper and lvm2 packages are not. pvmove printed out errors (”device-mapper: reload ioctl failed: Invalid argument”) no matter how many times I tried. Initially I thought that the faulty hard disk may be too damaged, but then since I could still boot the system without a hitch so I guessed it couldn’t be that damaged.
This post has a solution, but I didn’t use it. I downloaded Fedora 8 Rescue CD ISO and used that instead of Fedora Core 6’s. This time pvmove didn’t show any error and the process completed as expected without any lost data. I was then able to vgreduce the faulty hard disk from the LVM Volume Group.
If you experience the same problem, try downloading a newer Rescue CD and give it a try. Hopefully it will address problems that are present on older Rescue CDs. Good luck!
Since I have always used ClamAV’s clamd as the virus filter of my email servers along with qmail-scanner, I noticed that crash-hat’s clamav RPM packages use logrotate to rotate the logs files. qmail-scanner runs as its own user (qscand), so clamd has to run under the same user. When the RPM package was first installed, it created these directories: /var/run/clamav/ and /var/log/clamav/. Chown these 2 directories to qscand (this assumes that User directives in freshclam.conf and clamd.conf have been changed to qscand), otherwise clamd and freshclam wouldn’t be able to write any logs and pid file and neither service would start.
As for the logrotate configuration, edit clamd and freshclam in /etc/logrotate.d/ to change the log files’ ownership to qscand instead of clamav. Modify line 8 where it says:
create 640 clamav clamav
to
create 640 qscand clamav
That should do the trick.
Since Fedora Core 5, pppoe-server that comes with rp-pppoe RPM package has always been broken. Someone actually filed a bug report, but unfortunately there was no response. Apparently the problem is caused by ppp conflicting with syslogd. If you stop syslogd and klogd, then pppoe-server will run properly. Fedora Core 4 does not have this problem though. I’m not sure if the newly released Fedora 7 has got this issue sorted out. I’m guessing that they haven’t.
If you have installed Fedora 7 and found out that the issue has been fixed, please let me know ASAP. Thanks!
Update (Jul 03, 2007): Problem confirmed in Fedora 7.
Update (Mar 14, 2008): Problem fixed as stated on bugzilla ticket.
I was just compiling an updated version of HTB-tools a few minutes ago then I noticed that either I forgot to make a note about removing a line from q_show.c or the addition of bitops.h is new in the latest version of HTB-tools (0.3.0a). If you don’t remove the following line in q_show.c:
#include <asm/bitops.h>
the compilation process will fail with the following error:
sys/q_show.c:40:24: error: asm/bitops.h: No such file or directory
I found this on Google to explain why bitops.h is missing in Fedora Core 6.
Recent Comments