Monthly Archives: June 2017

Basics of iptables – Linux firewall

Beginner’s tutorial to understand iptables – Linux firewall. This article explains about iptable basics, different types of chains, and chain policy defining strategy.

iptables – Linux firewall

Linux firewall: iptables! plays a very important role in securing your Linux system. System hardening or locking down cannot be completed without configuring iptables. Here we are discussing the basics of iptables. This article can be referred to by beginners as an iptables guide. In this article we will walkthrough :

  • What is iptables
  • iptables chains
  • Chain policy defining strategy

We discussed how to set iptables rules, how to save iptables settings in this article. Let’s start with iptables basics.

What is iptables

iptables is a Linux native firewall and almost comes pre-installed with all distributions. If by any chance its not on your system you can install an iptables package to get it. As its a firewall, it has got policies termed as ‘chain policies’ which are used to determine whether to allow or block incoming or outgoing connection to or from Linux machine. Different chains used to control the different types of connections defined by its travel direction and policies are defined on each chain type.

In newer versions like RHEL7, the firewall is still powered by iptables only the management part is being handled by a new daemon called firewalld.

As there are policies you can define, one default policy also exists for all chains. If the connection in question does not match with any of the defined policy chains then iptable applies default policy action to that connection. By default (generally) ALLOW rule is configured in defaults under iptables.

iptable chains

As we saw earlier iptables rely on chains to determine the action to be taken in connection, let’s understand what are chains. Chains are connection types defined by their travel direction/behavior. There are three types of chains: Input, Output, Forward.

Input chain :

This chain is used to control incoming connections to the Linux machine. For example, if the user tries to connect the server via ssh (port 22) then the input chain will be checked for IP or user and port if those are allowed. If yes then only the user will be connected to the server otherwise not.

Output chain :

Yes, this chain controls outgoing connections from the Linux machine. If any application or user tries to connect to outside server/IP then the output chain decides if the app/user can connect to destination IP/port or not.

Both chains are stateful. Meaning only said the connection is allowed and a response is not. Means you have to exclusively define input and output chain if your connection needs both way communication (from source to destination and back)

Forward chain :

In most of the systems, it’s not used. If your system is being used as a pass-through or for natting or for forwarding traffic then only this chain is used. When connections/packets are to be forwarded to next hop then this chain is used.

You can view the status of all these chains using the command :

# iptables -L -v
Chain INPUT (policy ACCEPT 8928 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2201 packets, 677K bytes)
 pkts bytes target     prot opt in     out     source               destination

In above output, you can see all three chains details, how many packets were transferred, how much data transferred and default action policy.

Chain policy defining strategy

There are three policies can be defined for chains.

  1. ACCEPT: Allow connection
  2. REJECT: Block connection and send back error message informing source that destination blocked it
  3. DROP: Block connection only (behave like connection never questioned). The source is unaware of being blocked at the destination.

By default, all chains configured with ACCEPT policy for all connections. When configuring policies manually you have to pick either way from below two :

  1. Configure default as REJECT/DROP and exclusively configure each chain and its policy of ALLOW for required IP/subnet/ports.
  2. Configure default as ACCEPT and exclusively configure each chain and its policy of REJECT for required IP/subnet/ports.

You will go with number two unless your system has highly sensitive, important data and should be locked out of the outer world. Obviously, its environment criticality and number of IP/subnet/ports to be allowed/denied makes it easier to select a strategy.

In next article we discussed how to define these chain policies in detail.

5 ways to check swap on Linux

Learn 5 different ways to check swap space utilization on Linux server using free, swapon, /proc/swaps, top and vmstat/sar commands.

Check swap on linux

This is a short, handy post explaining how to check swap space on the Linux server with different commands. We already discussed about swap in few of old posts listed below :

In this post we will be seeing 5 ways to check swap space and utilization in the Linux server.

Using free command

Most of the users know this command. Using free you can check memory and swap utilization on the server in a few lines. By default, without any switch it shows numbers in kilobytes.

# free
             total       used       free     shared    buffers     cached
Mem:       1018308     191664     826644        144      13832      72652
-/+ buffers/cache:     105180     913128
Swap:         8188          0       8188

Using -h (human-readable) switch shows output values in the nearest possible (three-digit) representation.

# free -h
             total       used       free     shared    buffers     cached
Mem:          994M       191M       802M       144K        13M        74M
-/+ buffers/cache:       103M       890M
Swap:         8.0M         0B       8.0M

In the above output you can see the last row shows swap values, total, used, and free! Here swap value you see is a total of all swap devices on the system. You cant get device wise separated swap summery with this command. To view device wise summery you can use the next commands.

Using swapon command

Generally, swapon command is used to turn on swap on partition, logical volume or file. But using -s switch (summery) you can get current swap information.

# swapon -s
Filename                                Type            Size    Used    Priority
/myswapfile                             file            8188    0       -1

This command provides you output size in kilobytes. It also shows you device wise swap so that you can see device name (partition, logical volume or file), its type and how much swap it contributing to the system.

Using /proc/swaps file

Another way is to view the content of the process file /proc/swaps for the current swap config. This outputs the same content as we saw in previous command swapon -s. In fact swapon reads this file to print a summary.

# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/myswapfile                             file            8188    0       -1

Output explanation is already covered above in swapon -s.

Using top command

Another popular well-known monitoring tool top can be used to view swap information. In the top output you can see the header section includes swap details.

# top
top - 02:41:33 up 13 min,  1 user,  load average: 0.00, 0.00, 0.00
Tasks:  88 total,   1 running,  87 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.6%us,  0.9%sy,  0.0%ni, 97.8%id,  0.2%wa,  0.0%hi,  0.0%si,  0.5%st
Mem:   1018308k total,   197260k used,   821048k free,    14548k buffers
Swap:     8188k total,        0k used,     8188k free,    76504k cached

Values in a row for the swap are in kilobytes. This information is also available in other advanced iterations or top alike tools like atophtop or glance.

Using vmstat or sar command

In vmstat you can see the utilization of swap like swap in and swap out but not the devices or total values of swap like we saw in previous commands.

# vmstat
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0      0 821064  14564  76500    0    0    91    17   25   31  0  1 98  0  0

It’s more of swap monitoring. You can generate reports for certain iteration with particular time intervals like sar reporting.

# sar -S 2 3
Linux 2.6.39-200.24.1.el6uek.x86_64 (testsrv2)         12/21/2016      _x86_64_        (4 CPU)

01:01:45 AM kbswpfree kbswpused  %swpused  kbswpcad   %swpcad
01:01:47 AM   8388604         0      0.00         0      0.00
01:01:49 AM   8388604         0      0.00         0      0.00
01:01:51 AM   8388604         0      0.00         0      0.00
Average:      8388604         0      0.00         0      0.00

These are 5 ways to get swap information out of your system. If you know any other methods do let us know in comments!

Ultimate guide: swap addition in Linux (LVM, parted)

Learn how to add swap using LVM, swap file, and parted disk management. Also, learn how to extend existing swap partition on Linux server

Add swap in Linux

We have already seen what is swap in article difference between tmpfs and swap. In this how-to article we will be checking out how to add swap using LVM disk, how to extend swap, how to add swap using file, and how to add swap using the parted disk.

How to add swap in Linux using LVM

If you have LVM disk partitioning in your server then you can go ahead with this method. You need a dedicated logical partition that can be used as a swap. So steps involved are :

I gave you the below outputs for reference. In lvcreate command -L should be followed by size in MB.

# lvcreate -L 500 -n myswaplv vg01
  Logical volume "myswaplv" created.

# mkswap /dev/vg01/myswaplv
mkswap: /dev/vg01/myswaplv: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 511996 KiB
no label, UUID=5339bdde-c734-48d3-94fd-0ab50ef38b4e

# swapon -va

# free
             total       used       free     shared    buffers     cached
Mem:       1018308     186344     831964        152      14616      65784
-/+ buffers/cache:     105944     912364
Swap:       511996          0     511996

# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/dm-0                               partition       511996  0       -1

Warning in mkswap you (may) see is a precautionary warning to make sure you are not using full disk if you meant to use the only partition of it and destroy boot sectors!

Also read : Swap addition in HPUX

You can see free and /proc/swaps shows 500MB of swap which we created. Sometimes if you don’t get your swap activated just by using swapon then try a reboot and it should work. But before reboot makes an entry described hereafter. To make this permanent i.e. at reboot setting lvol to swap again, add below entry in /etc/fstab file.

/dev/vg01/myswaplv swap swap defaults 0 0

How to extend swap

In case you want to extend the existing swap rather than creating a new volume for it then you can still do it on the fly (without reboot). Make sure your swap is not being used and turn it off on volume which you want to extend. Process is as follows –

  • Turn off swap on volume using swapoff
  • Extend lvol using lvresize
  • Define it again as a swap using mkswap
  • Turn on swap on volume using swapon

Refer below outputs on how commands work and their arguments. Here I extended 500MB swap to 600MB.

# swapoff -v /dev/vg01/myswaplv
swapoff on /dev/vg01/myswaplv

#  cat /proc/swaps
Filename                                Type            Size    Used    Priority

# lvresize /dev/vg01/myswaplv -L 600M
  Size of logical volume vg01/myswaplv changed from 500.00 MiB (125 extents) to 600.00 MiB (150 extents).
  Logical volume myswaplv successfully resized.

# mkswap -L newswap /dev/vg01/myswaplv
mkswap: /dev/vg01/myswaplv: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 614396 KiB
LABEL=newswap, UUID=dd91713f-5950-4922-b9a5-e4ea0ec4327e

# swapon -va
swapon on /dev/mapper/vg01-myswaplv
swapon: /dev/mapper/vg01-myswaplv: found swap signature: version 1, page-size 4, same byte order
swapon: /dev/mapper/vg01-myswaplv: pagesize=4096, swapsize=629145600, devsize=629145600

# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/dm-0                               partition       614396  0       -1

You can see after swapoff command, swap volume vanished from /proc/swaps. The newly extended swap of 600MB is back visible after swapon.

How to add swap using file

You can opt to have swap on file rather than volume. This method is a bit easy, quick, and avoids all disk management commands. But along with easiness it involves risk since it’s on a simple file rather than a dedicated disk volume.

First you need to create a blank file with the size of your choice. If you want 8MB swap then 8*1024=8192 block numbers should be used in dd command (since block size used is bs=1024). Do your math accordingly and follow the process below :

  • Create a blank file with dd
  • Define file with swap using mkswap
  • Turn on swap on file using swapon
  • Check swap

Refer below outputs wherein I created 8MB swap on file.

# dd if=/dev/zero of=/myswapfile bs=1024 count=8192
8192+0 records in
8192+0 records out
8388608 bytes (8.4 MB) copied, 0.0144397 s, 581 MB/s

# mkswap /myswapfile
mkswap: /myswapfile: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 8188 KiB
no label, UUID=40a0f347-ce86-4018-9f4d-7ab76bde02ba

# swapon /myswapfile

# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/myswapfile                             file            8188    0       -1

Outputs are pretty self-explanatory. Only calculating dd block count is tricky which I already explained above.

How to add swap using parted disk

Many systems use parted disk management utility in place of LVM. If you are the one then follow the below process for adding swap.

  • Create a new swap partition (primary, extended or logical) using parted
  • Setup swap on it using mkswap
  • Turn on swap on it using swapon
  • Check swap

Parted should be invoked with the disk name which has free space. I am using a fresh disk here.

# parted /dev/xvdf
GNU Parted 3.1
Using /dev/xvdf
Welcome to GNU Parted! Type 'help' to view a list of commands.

Now, you can view current partition table using print command.

(parted) print
Error: /dev/xvdf: unrecognised disk label
Model: Xen Virtual Block Device (xvd)
Disk /dev/xvdf: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:

(parted) mklabel msdos

Since I am using a new disk, I get an unrecognized disk label error. I define label using mklabel msdosNow create new swap partition using the parted console.

(parted) mkpart primary linux-swap 1 1024
(parted) print
Model: Xen Virtual Block Device (xvd)
Disk /dev/xvdf: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  1024MB  1023MB  primary

(parted) quit

Command mkpart is used to create a partition. Followed by partition type (primary, extended or logical), FS type (swap in this case), the start of the partition (1), and end of partition (1024). After the successful execution of the command, verify the partition table using print again.

Once you are ready with partition, you can even confirm it using fdisk -l command.

# fdisk -l /dev/xvdf

Disk /dev/xvdf: 1073 MB, 1073741824 bytes, 2097152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000e7301

    Device Boot      Start         End      Blocks   Id  System
/dev/xvdf1            2048     2000895      999424   82  Linux swap / Solaris

You can see the new partition /dev/xvdf1 is created and it’s marked as Linux swap file system type too!

Now you have to enable and on swap on it.

# mkswap /dev/xvdf1
Setting up swapspace version 1, size = 999420 KiB
no label, UUID=1c19e97e-b757-48a0-99a9-68e6162d69c3

# swapon /dev/xvdf1

# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/xvdf1                              partition       999420  0       -1

That’s it! You have turned on the swap in a parted disk partition! To make it persistent over reboots you can add below entry in /etc/fstab.

/dev/xvdf1               swap                    swap    defaults        0 0

This concludes the swap in the Linux article. Comment your suggestions, feedback below.

Difference between tmpfs and swap

Learn what is tmpfs, what is the use of tmpfs, what is swap, what is the use of swap and differences between tmpfs, and swap.

tmpfs and swap

On the social share of our last post about RAM disk in Linux we got a comment “what is the difference between RAM disk and SWAP?” So I decided to explain it a bit in an article on our blog. In this post I will try to explain how swap and RAM disk i.e. tmpfs/ramfs is different and how they work.

What is tmpfs?

Tmpfs also mounted as shared memory /dev/shm. tmpfs is a portion of a virtual memory mounted as a file system that helps to speed up applications. It normally is used to transfer data between programs. It appears as a file system but it does not use persistent devices such as a hard disk. Instead it uses virtual memory (a portion of a RAM).

That’s why if you create any file in tmpfs it’s not created on your system disks but in your memory. Whenever you un-mount tmpfs, everything within is lost. Its volatile storage. Even if you add an entry of tmpfs to re-mount at boot, it will be mounted blank. Data does not persist over reboots or shutdowns in tmpfs.

What is SWAP?

swap is a portion of your hard disks used to extend RAM. Its roughly extended RAM by use of persistent storage device. swap only comes in action once your RAM (physical memory) is full. The normal thumb rule is the size of the swap should be double of your physical ram size. But these changes depend on the conditions and system you have. Read how to create extra swap here & check swap on the server.

Even if it uses persistent devices, it still is a volatile memory. It does not hold data over reboot or shutdowns. Since it plays the role of RAM, its characteristics are still of ram even if it uses hard disks.

Difference between tmpfs and swap

  • tmpfs uses memory while as swap uses persistent storage devices.
  • tmpfs can be viewed as a file system in df output whereas swap doesn’t
  • swap has general size recommendations, tmpsfs not. tmpfs size varies on system purpose.
  • tmpfs makes applications fasters on loaded systems. swap helps the system breathe in-memory full situations.
  • swap full indicates system heavily loaded, degraded performance, and may crash. tmpfs being full not necessarily means heavy load or prone to crash.
  • tmpfs is enhancement whereas swap is a must-have feature!

Why HPUX loosing market grip

Few observations on why HPUX is losing its grip in the market. How virtualization, cloud, costing effects HPUX existence in the market. 

hpux loosing market

Really? HPUX really losing market?  Kind of yes. But still it is one of the preferred OS for mission-critical environments like the defense industry because of its reliability and security. HPUX, one of the oldest OS (35 years old) released in 1982, no doubt is one of the best server OS we have seen in decades! Being a core HPUX certified engineer obviously I appreciate it moreover IBM’s AIX and Sun Micro system’s Solaris flavor.

But nowadays I am seeing fewer companies, corporate going for HPUX maybe because of its cost involved. Virtualization, cloud computing, and open-source Linux OS flavors made very cost-effective choices for corporate. High Availability offered by virtualization and cloud computing wins over the reliability of Unix when it comes to making cheap billing. HPUX being a hardware-dependent Os i.e. running only on HP hardware (inexpensive) and also involves costs in OS license itself including prime utilities like glance etc., choosing HPUX is a heavy pocket decision. In today’s world of cost-cutting, obviously this is one of the reasons, companies are not opting for HPUX.

Read also : How to learn, practice HPUX

The boom in cloud computing also has an effect on traditional in house data centers and hence on proprietary OS like HPUX.  Most of the cloud world is powered by Linux which adversely affects HPUX market share rather altogether AIX, Solaris too. People opting for cloud since they offer cheap services with no maintenance. Even I have seen companies are moving away from HPUX and shifting servers on Linux or cloud for billing numbers.

Another major leap back is HP backed off from new releases of HPUX. It’s like they opt to kill their own lion. The latest HPUX roadmap doesn’t even show HPUX v4 and v5 which was existing in old roadmaps. This clearly indicates they have stopped development for new versions and will be continuing current last HPUXv3 as the latest till 2025. This is a major setback since customers lookout for further development plans of service when opting for it.

I wish HP wake up to new versions and we see HPUX back alive and roaring on the IT world! Still it’s not the end of an era! There are many crucial companies and sectors still run by HPUX cause crucial data needs strong shoulders!

These are my observations and perceptions of HPUX’s current stand-in in the market. Let me know if you have any infographics, new data, matrices, graphs about the HPUX journey to date in comments.

PS: Few comments rippled over this post on Facebook

Facebook comments

How to create RAM disk in Linux

Short tutorial explaining what is RAM disk and how to create a RAM disk in Linux. It also includes differences between ramfs and tmpfs.

RAM disk in Linux

Recently one of our readers asked “how to create a RAM disk in Linux?”. So I thought of writing this small tutorial which will help you to understand what is a RAM disk, what is the use of it and how to create a RAM disk in Linux.

What is RAM disk?

Roughly RAM disk can be termed as a portion of your RAM mounted as a directory. It uses tmpfs or ramfs. Refer below table for the difference between ramfs and tmpfs.

ramfs
tmpfs
Old type New type and replacing ramfs now
Can not be limited in size Size limit can be defined
Since can not be limited may lead to system crash Once limit reached, disk full error written. No system crash issue.
Entry is not visible in ‘df’ output. Need to calculate by using ‘Cached’ number in ‘free’ output. Can be seen in ‘df’ command output
Work mechanism as file system cache Work mechanism is as partition of physical disk

RAM disk is a very high speed, high performance and almost zero latency area to store application files. Due to its performance-oriented nature, its mostly used for temporary data like caching application files.

How to create RAM disk?

RAM disk can be created in simple two steps. One is to create a directory on which it should be mounted and the second step is to mount it on that directory using specific FS type. Make sure you have enough free RAM on the system so that portion of it can be used in RAM disk. You can check it using free command.

Lets create directory /mnt/ram_disk and mount RAM disk on it.

# mkdir /mnt/ram_disk
# mount -t tmpfs -o size=1024m new_ram_disk /mnt/ram_disk

In above mount command, -t should be followed by tmpfs or ramfs type. For ramfs, size is the starting size of RAM disk since ramfs have limitless size. Size followed by the name of the disk (of your choice ex. new_ram_disk). You can verify if it mounted properly using df command.

# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda1      5.8G  2.9G  2.7G  53% /
tmpfs           498M     0  498M   0% /dev/shm
new_ram_disk          1.0G     0  1.0G   0% /mnt/ram_disk

You can see newly created tmpfs of 1GB size is mounted on /mnt/ram_disk (highlighted above).

You can add below entry in /etc/fstab as well to persist it over reboots as well. But keep in mind that data within RAM disk flushes for each reboot since its backed memory is volatile.

new_ram_disk    /mnt/ram_disk   tmpfs    nodev,nosuid,noexec,nodiratime,size=1024M   0 





Network routes in Linux

Learn networking basics in the Linux server. What is the network route, how to check routes, how to define static and default routes in the Linux system?

Network routes in Linux

Network routes on Linux servers are the paths or gateways packets should follow to reach their destinations. Routes can be configured on interface level and system level. The default route is also known as default gateway is the IP where the packet should discover their path if the current network or interface (from which packet originated on the server) does not know the path for destination IP. This article is about discussing network routes in Linux. It will cover how to define the network route for the network interface, where and how to define the default route or default gateway in Linux etc.

How to check current routes on system?

Current routes on system can be viewed using below commands.

# ip route
default via 172.31.0.1 dev eth0
172.31.0.0/20 dev eth0  proto kernel  scope link  src 172.31.4.137
# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         ip-172-31-0-1.a 0.0.0.0         UG        0 0          0 eth0
172.31.0.0      *               255.255.240.0   U         0 0          0 eth0
# routel
         target            gateway          source    proto    scope    dev tbl
        default         172.31.0.1                                     eth0
    172.31.0.0/ 20                    172.31.4.137   kernel     link   eth0
      127.0.0.0          broadcast       127.0.0.1   kernel     link     lo local
     127.0.0.0/ 8            local       127.0.0.1   kernel     host     lo local
----- output clipped -----

You can observe 172.31.0.1 is defined as default gateway on above system.

How to configure static route in Linux?

In RHEL: You need to edit below parameters in the config file /etc/sysconfig/network-scripts/route-ethX.

GATEWAY=10.10.0.1
NETMASK=255.0.0.0
IPADDR=10.10.0.22

where –

  • gateway is the default gateway for this interface
  • the netmask is a subnet mask value
  • ipaddr is the IP address of this interface

Caution : Do not change gateways on live production system.

In Debian: You can put your route in the file /etc/network/interfaces under the intended interface.

auto eth0
iface eth0 inet static
      address 10.10.0.22
      netmask 255.0.0.0
      up route add -net 10.10.0.0 netmask 255.0.0.0 gw 10.10.0.1

In all Linux systems you can use ip route command to define the static route. Command syntax is :

# ip route ip-address via dest-address

where, ip-address is IP of host or interface and dest-address is next HOP address i.e. route IP

How to configure default gateway in Linux?

In RHEL: Define default gateway IP against GATEWAY parameter in /etc/sysconfig/network file and then restart network service.

In Debian: Define default gateway IP against gateway parameter in /etc/network/interfaces file and then restart network service.

Or you can try these commands on any Linux (ex gateway as 10.10.0.1).

# ip route add default via 10.10.0.1
# route add default gw 10.10.0.1

Once set verify the default gateway with commands shown at the beginning of this article.