iptables samples

20 mars 2012 informatique No comments

This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux. This post list most common iptables solutions required by a new Linux user to secure his or her Linux operating system from intruders.
IPTABLES Rules Example

Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Do not type commands on remote system as it will disconnect your access.
For demonstration purpose I’ve used RHEL 6.x, but the following command should work with any modern Linux distro.
This is NOT a tutorial on how to set iptables. See tutorial here. It is a quick cheat sheet to common iptables commands.

#1: Displaying the Status of Your Firewall

Type the following command as root:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Above output indicates that the firewall is not active. The following sample shows an active firewall:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all — * * 0.0.0.0/0 0.0.0.0/0 state INVALID
394 43586 ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
93 17292 ACCEPT all — br0 * 0.0.0.0/0 0.0.0.0/0
1 142 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all — br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all — * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 TCPMSS tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 wanin all — vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 wanout all — * vlan2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all — br0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
pkts bytes target prot opt in out source destination
Chain wanin (1 references)
pkts bytes target prot opt in out source destination
Chain wanout (1 references)
pkts bytes target prot opt in out source destination

Where,

-L : List rules.
-v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix ‘K’, ‘M’ or ‘G’ for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
-n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

#1.1: To inspect firewall with line numbers, enter:

# iptables -n -L -v –line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num target prot opt source destination
1 DROP all — 0.0.0.0/0 0.0.0.0/0 state INVALID
2 ACCEPT all — 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT all — 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all — 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT all — 0.0.0.0/0 0.0.0.0/0
2 DROP all — 0.0.0.0/0 0.0.0.0/0 state INVALID
3 TCPMSS tcp — 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4 ACCEPT all — 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 wanin all — 0.0.0.0/0 0.0.0.0/0
6 wanout all — 0.0.0.0/0 0.0.0.0/0
7 ACCEPT all — 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain wanin (1 references)
num target prot opt source destination
Chain wanout (1 references)
num target prot opt source destination

You can use line numbers to delete or insert new rules into the firewall.
#1.2: To display INPUT or OUTPUT chain rules, enter:

# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v –line-numbers
#2: Stop / Start / Restart the Firewall

If you are using CentOS / RHEL / Fedora Linux, enter:
# service iptables stop
# service iptables start
# service iptables restart
You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
Where,

-F : Deleting (flushing) all the rules.
-X : Delete chain.
-t table_name : Select table (called nat or mangle) and delete/flush rules.
-P : Set the default policy (such as DROP, REJECT, or ACCEPT).

#3: Delete Firewall Rules

To display line number along with other information for existing rules, enter:
# iptables -L INPUT -n –line-numbers
# iptables -L OUTPUT -n –line-numbers
# iptables -L OUTPUT -n –line-numbers | less
# iptables -L OUTPUT -n –line-numbers | grep 202.54.1.1
You will get the list of IP. Look at the number on the left, then use number to delete it. For example delete line number 4, enter:
# iptables -D INPUT 4
OR find source IP 202.54.1.1 and delete from rule:
# iptables -D INPUT -s 202.54.1.1 -j DROP
Where,

-D : Delete one or more rules from the selected chain

#4: Insert Firewall Rules

To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out line numbers, enter:
# iptables -L INPUT -n –line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num target prot opt source destination
1 DROP all — 202.54.1.1 0.0.0.0/0
2 ACCEPT all — 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED

To insert rule between 1 and 2, enter:
# iptables -I INPUT 2 -s 202.54.1.2 -j DROP
To view updated rules, enter:
# iptables -L INPUT -n –line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num target prot opt source destination
1 DROP all — 202.54.1.1 0.0.0.0/0
2 DROP all — 202.54.1.2 0.0.0.0/0
3 ACCEPT all — 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED

#5: Save Firewall Rules

To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save
In this example, drop an IP and save firewall rules:
# iptables -A INPUT -s 202.5.4.1 -j DROP
# service iptables save
For all other distros use the iptables-save command:
# iptables-save > /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules
#6: Restore Firewall Rules

To restore firewall rules form a file called /root/my.active.firewall.rules, enter:
# iptables-restore < /root/my.active.firewall.rules To restore firewall rules under CentOS / RHEL / Fedora Linux, enter: # service iptables restart #7: Set the Default Firewall Policies To drop all traffic: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP # iptables -L -v -n #### you will not able to connect anywhere as all traffic is dropped ### # ping cyberciti.biz # wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2 #7.1: Only Block Incoming Traffic To drop all incoming / forwarded packets, but allow outgoing traffic, enter: # iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT ACCEPT # iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT # iptables -L -v -n ### *** now ping and wget should work *** ### # ping cyberciti.biz # wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2 #8:Drop Private Network Address On Public Interface IP spoofing is nothing but to stop the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax: # iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP #8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface) 10.0.0.0/8 -j (A) 172.16.0.0/12 (B) 192.168.0.0/16 (C) 224.0.0.0/4 (MULTICAST D) 240.0.0.0/5 (E) 127.0.0.0/8 (LOOPBACK) #9: Blocking an IP Address (BLOCK IP) To block an attackers ip address called 1.2.3.4, enter: # iptables -A INPUT -s 1.2.3.4 -j DROP # iptables -A INPUT -s 192.168.0.0/24 -j DROP #10: Block Incoming Port Requests (BLOCK PORT) To block all service requests on port 80, enter: # iptables -A INPUT -p tcp --dport 80 -j DROP # iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP To block port 80 only for an ip address 1.2.3.4, enter: # iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP # iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP #11: Block Outgoing IP Address To block outgoing traffic to a particular host or domain such as cyberciti.biz, enter: # host -t a cyberciti.biz Sample outputs: cyberciti.biz has address 75.126.153.206 Note down its ip address and type the following to block all outgoing traffic to 75.126.153.206: # iptables -A OUTPUT -d 75.126.153.206 -j DROP You can use a subnet as follows: # iptables -A OUTPUT -d 192.168.1.0/24 -j DROP # iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP #11.1: Example - Block Facebook.com Domain First, find out all ip address of facebook.com, enter: # host -t a www.facebook.com Sample outputs: www.facebook.com has address 69.171.228.40 Find CIDR for 69.171.228.40, enter: # whois 69.171.228.40 | grep CIDR Sample outputs: CIDR: 69.171.224.0/19 To prevent outgoing access to www.facebook.com, enter: # iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP You can also use domain name, enter: # iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP # iptables -A OUTPUT -p tcp -d facebook.com -j DROP From the iptables man page: ... specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address ... #12: Log and Drop Packets Type the following to log and block IP spoofing on public interface called eth1 # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: " # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP By default everything is logged to /var/log/messages file. # tail -f /var/log/messages # grep --color 'IP SPOOF' /var/log/messages #13: Log and Drop Packets with Limited Number of Log Entries The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing per 5 minutes, in bursts of at most 7 entries . # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: " # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP #14: Drop or Accept Traffic From Mac Address Use the following syntax: # iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP ## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ## # iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT #15: Block or Allow ICMP Ping Request Type the following command to block ICMP ping requests: # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP # iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP Ping responses can also be limited to certain networks or hosts: # iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT The following only accepts limited type of ICMP requests: ### ** assumed that default INPUT policy set to DROP ** ############# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT ## ** all our server to respond to pings ** ## iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #16: Open Range of Ports Use the following syntax to open a range of ports: iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT #17: Open Range of IP Addresses Use the following syntax to open a range of IP address: ## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ## iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT ## nat example ## iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25 #17: Established Connections and Restaring The Firewall When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL / Fedora / CentOS Linux. Edit, /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows: IPTABLES_MODULES_UNLOAD = no #18: Help Iptables Flooding My Server Screen Use the crit log level to send messages to a log file instead of console: iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit #19: Block or Open Common Ports The following shows syntax for opening and closing common TCP and UDP ports: Replace ACCEPT with DROP to block port: ## open port ssh tcp port 22 ## iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT ## open cups (printing service) udp/tcp port 631 for LAN users ## iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT ## allow time sync via NTP for lan users (open udp port 123) ## iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT ## open tcp port 25 (smtp) for all ## iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT # open dns server ports for all ## iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT ## open http/https (Apache) server port to all ## iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT ## open tcp port 110 (pop3) for all ## iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT ## open tcp port 143 (imap) for all ## iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT ## open access to Samba file server for lan users only ## iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT ## open access to proxy server for lan users only ## iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT ## open access to mysql server for lan users only ## iptables -I INPUT -p tcp --dport 3306 -j ACCEPT #20: Restrict the Number of Parallel Connections To a Server Per Client IP You can use connlimit module to put such restrictions. To allow 3 ssh connections per client host, enter: # iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT Set HTTP requests to 20: # iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP Where, --connlimit-above 3 : Match if the number of existing connections is above 3. --connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. #21: HowTO: Use iptables Like a Pro For more information about iptables, please see the manual page by typing man iptables from the command line: $ man iptables You can see the help using the following syntax too: # iptables -h To see help with specific commands and targets, enter: # iptables -j DROP -h #21.1: Testing Your Firewall Find out if ports are open or not, enter: # netstat -tulpn Find out if tcp port 80 open or not, enter: # netstat -tulpn | grep :80 If port 80 is not open, start the Apache, enter: # service httpd start Make sure iptables allowing access to the port 80: # iptables -L INPUT -v -n | grep 80 Otherwise open port 80 using the iptables for all users: # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT # service iptables save Use the telnet command to see if firewall allows to connect to port 80: $ telnet www.cyberciti.biz 80 Sample outputs: Trying 75.126.153.206... Connected to www.cyberciti.biz. Escape character is '^]'. ^] telnet> quit
Connection closed.

You can use nmap to probe your own server using the following syntax:
$ nmap -sS -p 80 www.cyberciti.biz
Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
Interesting ports on www.cyberciti.biz (75.126.153.206):
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds

I also recommend you install and use sniffer such as tcpdupm and ngrep to test your firewall settings.
Conclusion:

This post only list basic rules for new Linux users. You can create and build more complex rules. This requires good understanding of TCP/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for next topics:

Stateful packet inspection.
Using connection tracking helpers.
Network address translation.
Layer 2 filtering.
Firewall testing tools.
Dealing with VPNs, DNS, Web, Proxy, and other protocols.

Coeur du réseau omniswitch 9700 pdf

10 mars 2012 informatique No comments

Manuel de omniswitch9700
os cli 9xxxx omniswitch
Ajout et Configuration de vlan sur le coeur du réseau
1)Ajout de plage d’adresse IP pour le vlan GIR-VL99 qui est associé au vlan 99
#ip interface GIR-VL99 vlan 99 address 10.5.2.254 mask 255.255.255.0

2)Ajout du dhcp relay pour l’échange de requête dhcp dans le vlan GIR-VL99
Affiche la configuration de helper
#show ip helper
Modifie la configuration du forwarding dhcp seulement par vlan
#ip helper per-vlan only
Ajout du forwardind dhcp de 10.8.0.10 du vlan 99
#ip helper address 10.8.0.10 vlan 99

3)Divers
Affiche le port udp qui écoute depuis le switch
#show udp port
Affiche le statistique du port udp:
#show udp statistics

4)routage

#ip static-route 10.4.5.67 mask 255.255.255.255 gateway 10.6.2.5

MySQL Master Master Replication

10 mars 2012 informatique No comments

This tutorial describes how to set up MySQL master-master replication. We need to replicate MySQL servers to achieve high-availability (HA). In my case I need two masters that are synchronized with each other so that if one of them drops down, other could take over and no data is lost. Similarly when the first one goes up again, it will still be used as slave for the live one.

Here is a basic step by step tutorial, that will cover the mysql master and slave replication and also will describe the mysql master and master replication.

Notions: we will call system 1 as master1 and slave2 and system2 as master2 and slave 1.
Step 1:

Install mysql on master 1 and slave 1. configure network services on both system, like

Master 1/Slave 2 ip: 192.168.16.4

Master 2/Slave 1 ip : 192.168.16.5

Step 2:

On Master 1, make changes in my.cnf:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
old_passwords=1

log-bin
binlog-do-db= # input the database which should be replicated
binlog-ignore-db=mysql # input the database that should be ignored for replication
binlog-ignore-db=test

server-id=1

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Step 3:

On master 1, create a replication slave account in mysql.

mysql> grant replication slave on *.* to ‘replication’@192.168.16.5 \
identified by ‘slave’;

and restart the mysql master1.

Step 4:

Now edit my.cnf on Slave1 or Master2 :

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
old_passwords=1

server-id=2

master-host = 192.168.16.4
master-user = replication
master-password = slave
master-port = 3306

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Step 5:

Restart mysql slave 1 and at

mysql> start slave;
mysql> show slave status\G;

*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.16.4
Master_User: replica
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: MASTERMYSQL01-bin.000009
Read_Master_Log_Pos: 4
Relay_Log_File: MASTERMYSQL02-relay-bin.000015
Relay_Log_Pos: 3630
Relay_Master_Log_File: MASTERMYSQL01-bin.000009
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 4
Relay_Log_Space: 3630
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 1519187

1 row in set (0.00 sec)

Above highlighted rows must be indicate related log files and Slave_IO_Running and Slave_SQL_Running: must be to YES.

Step 6:

On master 1:
mysql> show master status;
+————————+———-+————–+——————+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+————————+———-+————–+——————+
|MysqlMYSQL01-bin.000008 | 410 | adam | |
+————————+———-+————–+——————+
1 row in set (0.00 sec)

The above scenario is for master-slave, now we will create a slave master scenario for the same systems and it will work as master master.

Step 7:

On Master2/Slave 1, edit my.cnf and master entries into it:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
server-id=2

master-host = 192.168.16.4
master-user = replication
master-password = slave
master-port = 3306

log-bin #information for becoming master added
binlog-do-db=adam

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Step 8:

Create a replication slave account on master2 for master1:

mysql> grant replication slave on *.* to ‘replication’@192.168.16.4 identified by ‘slave2’;

Step 9:

Edit my.cnf on master1 for information of its master.

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1

log-bin
binlog-do-db=adam
binlog-ignore-db=mysql
binlog-ignore-db=test

server-id=1
#information for becoming slave.
master-host = 192.168.16.5
master-user = replication
master-password = slave2
master-port = 3306

[mysql.server]user=mysqlbasedir=/var/lib

Step 10:

Restart both mysql master1 and master2.

On mysql master1:

mysql> start slave;

On mysql master2:

mysql > show master status;

On mysql master 1:

mysql> show slave status\G;

*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.16.5
Master_User: replica
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: Mysql1MYSQL02-bin.000008
Read_Master_Log_Pos: 410
Relay_Log_File: Mysql1MYSQL01-relay-bin.000008
Relay_Log_Pos: 445
Relay_Master_Log_File: Mysql1MYSQL02-bin.000008
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 410
Relay_Log_Space: 445
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 103799
1 row in set (0.00 sec)

ERROR:
No query specified

Check for the hightlighted rows, make sure its running. Now you can create tables in the database and you will see changes in slave. Enjoy!!

Type de drapeau dans le paquet tcp

10 mars 2012 informatique No comments

Les drapeaux prennent pour valeur 0 ou 1 et sont codés sur 1 bit chacun.

CWR (Congestion Window Reduced) = RFC 3168
ECE = ECN Echo RFC 3168
URG : indique que le champ Pointeur de donnée urgente est utilisé.
ACK : indique que le numéro de séquence pour les acquittements est valide.
PSH : indique au récepteur de délivrer les données à l’application et de ne pas attendre le remplissage des tampons.
RST : demande la réinitialisation de la connexion.
SYN : indique la synchronisation des numéros de séquence.
FIN : indique la fin de la transmission.

Etablissement de connexion tcp:
1) Le client utilise son numéro de séquence initial dans le champ « Numéro de séquence » du segment SYN (x par exemple) ;
2) Le serveur utilise son numéro de séquence initial dans le champ « Numéro de séquence » du segment SYN/ACK (y par exemple) et incrémente le numéro de séquence du client de 1 (x+1) dans le champ « Numéro d’acquittement » du segment ;
3) Le client confirme en envoyant un ACK avec un numéro de séquence augmenté de 1 (x+1) et un numéro d’acquittement correspondant au numéro de séquence du serveur plus un (y+1).

Configuration du cache de l’editeur de liens des bibliotheques avec ldconfig sous linux

9 mars 2012 informatique No comments

ldconfig permet de voir et de modifier les bibliothèques chargés sur le système linux.

ldconfig est lié avec la bibliothèque ld.so ou ld-linux.so

Le chargeur de lien ld.so recherche les bibliothèques dans le chemin LD_LIBRARY_PATH

/etc/ld.so.cache contient la liste des bibliothèques chargés depuis le chemin ci-dessus.

/etc/ld.so.conf contient la liste des répertoires contenant les bibliothèques partagées.

A chaque modification du fichier conf, il faut lancer la commande ldconfig.

« ldconfig -p » permet d’afficher les bibliothèques connues de l’éditeur de liens.

« ldconfig -N -X -v » permet de voir les bibliothèques sans faire de mise à jour.

« ldconfig -v » permet de faire une mise à jour puis lister le cache

« Older Entries Recent Entries »