Aug 27 2014

I have several Xen and KVM VPS servers and they all suffer from the same problem, “nf_conntrack: table full, dropping packet”, but it’s an easy fix.

You can check what nf_conntrack_max is currently set to:
cat /proc/sys/net/nf_conntrack_max
The default is 65535, but all mine were set to 15000.

Now increase nf_conntrack_max:
echo 100000 > /proc/sys/net/nf_conntrack_max
If you check again it should now show the new value.

To make the change permanent, add the following to the bottom of /etc/sysctl.conf:
net.nf_conntrack_max = 100000

Please note that the path to “nf_conntrack_max” differs between Linux distributions; the above works on CentOS.
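The steps above as a small script, added here as an example and not part of the original post. It looks for the conntrack sysctl under both locations it can have (the canonical /proc/sys/net/netfilter/ path and the shorter alias the post uses), reports how full the table is so you can catch the problem before packets are dropped, and writes the new limit into a sysctl.conf-style file without adding a duplicate line each time it runs. The 80% warning threshold is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: locate the conntrack sysctl on
# this kernel, report table usage, and set the new limit persistently.

# Print the first readable path from the arguments; fail if none exists.
first_existing() {
    for p in "$@"; do
        if [ -r "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Table usage as a whole-number percentage, from count and max.
conntrack_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Warn (and return 1) when usage is at or above the threshold, default 80%.
conntrack_check() {
    pct=$(conntrack_pct "$1" "$2") || return 1
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "WARN: conntrack table ${pct}% full ($1 of $2 entries)"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full ($1 of $2 entries)"
}

# Set "key = value" in a sysctl.conf-style file, replacing an existing line
# for that key instead of appending a second one.
sysctl_set() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read the last value set for key in a sysctl.conf-style file.
sysctl_get() {
    grep "^[[:space:]]*${2}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Demo against the running kernel; prints nothing when conntrack is not loaded.
if max_path=$(first_existing /proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/nf_conntrack_max); then
    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo 0)
    conntrack_check "$count" "$(cat "$max_path")" || true
fi
```

To apply the post's change with these helpers: `sysctl_set /etc/sysctl.conf net.nf_conntrack_max 100000` followed by `sysctl -p`, which loads the file into the running kernel and will complain if the key does not exist on that kernel.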

Aug 26 2014

I’ve been playing around with and getting to know CentOS 7, and have decided I prefer iptables (which I have been using for the last few years) over firewalld, so here’s how to swap firewalld for iptables.

Disable the firewalld service:
systemctl disable firewalld
Stop the firewalld service:
systemctl stop firewalld
Now we install the iptables services:
yum -y install iptables-services
Start iptables at boot:
systemctl enable iptables
Start ip6tables at boot (skip if you don’t use IPv6):
systemctl enable ip6tables
Then start iptables:
systemctl start iptables
And start ip6tables (skip if you don’t use IPv6):
systemctl start ip6tables

Now our firewall uses iptables and we can add our rules like we always have.
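The swap as a script with a check at the end, added here as an example and not part of the original post. The point of the check is that after firewalld is stopped the host is only protected by whatever ruleset iptables-services loads, so the script parses `iptables -S` and confirms the INPUT chain is actually closed by default (policy DROP, or a final catch-all REJECT/DROP rule) rather than accepting everything. The two rulesets at the bottom are constructed samples for offline testing; the first is shaped like the default /etc/sysconfig/iptables that iptables-services ships.

```shell
#!/bin/sh
# Added example, not part of the original post: switch firewalld for iptables
# and verify the host ended up behind a closed INPUT chain.

# Given `iptables -S` output on stdin, print the INPUT chain policy.
input_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3; exit }'
}

# Succeed if INPUT is closed by default: policy DROP, or the last rule in the
# chain is a catch-all (no match arguments, just -j) that rejects or drops.
input_is_closed() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            last = ""
            if ($3 == "-j" && (NF == 4 || $5 == "--reject-with")) last = $4
        }
        END { exit !(policy == "DROP" || last == "DROP" || last == "REJECT") }
    '
}

# The sequence from the post (IPv4 only), followed by the verification.
swap_firewalld_for_iptables() {
    systemctl disable firewalld
    systemctl stop firewalld
    yum -y install iptables-services
    systemctl enable iptables
    systemctl start iptables
    if systemctl is-active --quiet firewalld; then
        echo "firewalld is still running" >&2
        return 1
    fi
    if iptables -S | input_is_closed; then
        echo "iptables active, INPUT chain is closed by default"
    else
        echo "WARNING: INPUT chain accepts by default; load a ruleset before exposing this host" >&2
        return 1
    fi
}

# Constructed sample shaped like the default ruleset iptables-services installs.
SAMPLE_CLOSED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of a host left with an empty ruleset.
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

printf '%s\n' "$SAMPLE_CLOSED" | input_is_closed && echo "sample 1: INPUT closed"
printf '%s\n' "$SAMPLE_OPEN" | input_is_closed || echo "sample 2: INPUT OPEN"
```

Run `swap_firewalld_for_iptables` as root on the CentOS 7 host; the sample lines at the bottom only exercise the parser and are safe to run anywhere.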

Jul 07 2014

CentOS 7 has now been released to the public.

The release announcement can be found here: http://lists.centos.org/pipermail/centos-announce/2014-July/020393.html
The release notes can be found here: http://wiki.centos.org/Manuals/ReleaseNotes/CentOS7
The fastest way to download is via torrent. I’m currently seeding all the images available, pushing approx. 300Mbps (megabits per second) across my servers, and have done 200GB+ of bandwidth in under 3 hours.

I will be updating most of my servers over the next few weeks/months and will start updating my tutorials again, happy testing.

Apr 14 2014

In this post I’ll try to explain what IPv6 is and how I set up the server to use it.

What is IPv6? IPv6 is pretty much the same as IPv4, which is what is primarily used on the internet today. The big difference is the size of the address: IPv6 addresses are 128 bits long versus 32 bits for IPv4. IPv6 also uses hexadecimal to express addresses, whereas IPv4 only uses decimal values, so you will see the digits 0-9 and the letters A-F in an IPv6 address.

Why do we need IPv6? Well, simply put, we are running out of IPv4 addresses. There are roughly 4.2 billion (4,294,967,296 to be precise) unique IPv4 addresses, whereas IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses; I’ll let you work out how to say that number.

So what do IPv6 addresses look like? IPv6 addresses look like this: 2001:0470:1f09:0d2b:0000:0000:0000:0300. They can be shortened by removing the leading zeros from each group, and a run of all-zero groups can be replaced by ::, so this address becomes 2001:470:1f09:d2b::300. :: means that the gap is filled with zeros, and it can only be used once in an address.

When using IPv6 the minimum allocation you are given is a /64, which gives you 18,446,744,073,709,551,616 unique IPv6 addresses. That’s way more than enough for the average person, but some places will allow you to request a /48, which gives you 1,208,925,819,614,629,174,706,176 unique IPv6 addresses. Now compare that to the single IPv4 address most people get given.

Now on to setting up the server to use IPv6. As one of my server providers doesn’t offer native IPv6 yet, I have to use a tunnel service. You can find a few different providers, but I chose Hurricane Electric’s IPv6 Tunnel Broker as I’d heard good things about their support and their tunnel server is located very close to my server (an average of 1-2ms away).

So first off, sign up for an account (it’s free). Time to create our first tunnel: click on “Create Regular Tunnel” and it should automatically select the closest tunnel server to use (you can override this if need be). Now just input the IPv4 address where the tunnel will finish, e.g. 192.168.0.200 (make sure it’s the server’s public IPv4 address), then click “submit”. It will then create the tunnel and show you all the info you will need to set up on the server; at the bottom of the page there is a drop-down box where you can get the config info for different operating systems.

As I want it to connect to the tunnel server automatically after reboots, I need to manually add it to the config file (this is for CentOS 6.x).

Create or edit “/etc/sysconfig/network-scripts/ifcfg-sit1”:

NAME=""
BOOTPROTO=none
IPV6TUNNELIPV4=216.66.80.26
IPV6INIT=yes
DEVICE=sit1
MTU=""
NETMASK=""
IPV6TUNNELIPV4LOCAL="192.168.0.200"
BROADCAST=""
IPV6ADDR="2001:470:1f08:d2b::2/64"
IPADDR=""
NETWORK=""
ONBOOT=yes

Obviously change “IPV6TUNNELIPV4” to the IP of the tunnel server, change “IPV6TUNNELIPV4LOCAL” to your server’s IPv4 address, and change “IPV6ADDR” to the “Client IPv6 address”; you will find all the info on the details page of your tunnel.

Then I added the following to “/etc/sysconfig/network-scripts/ifcfg-eth0”:

IPV6INIT=yes
IPV6ADDR=2001:470:1f09:d2b::300/64
IPV6ADDR_SECONDARIES="2001:470:1f09:d2b::220/64 2001:470:1f09:d2b::200/64"

“IPV6ADDR” is the main IPv6 address for the network adapter and “IPV6ADDR_SECONDARIES” is used to specify any extra addresses you want to use on the same server. If, like me, you’re using Webmin/Virtualmin, it will automatically add new IPv6 addresses to “IPV6ADDR_SECONDARIES” when you create them.

UPDATE: When I set up my new server I had to edit “/etc/sysconfig/network” and add the following:

IPV6_DEFAULTDEV=sit1
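The address rules described above (expand to eight groups, strip leading zeros, use :: once for a run of zero groups) and the ifcfg-eth0 layout, worked through in shell as an added example that is not part of the original post. The helpers normalise addresses with plain awk, and `ifcfg_secondaries_ok` reads an ifcfg file without sourcing it and checks that every “IPV6ADDR_SECONDARIES” entry sits in the same /64 as “IPV6ADDR”, which is the mistake that is easy to make when copying the tunnel’s client address (2001:470:1f08:...) into the routed /64 (2001:470:1f09:...). The sample ifcfg fragment at the bottom is constructed from the addresses in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: normalise IPv6 addresses and
# check that the addresses in an ifcfg file share one /64.

# Expand any valid textual IPv6 address to eight 4-digit groups; fail on bad input.
ipv6_expand() {
    printf '%s\n' "$1" | awk '{
        k = index($0, "::")
        if (k) { left = substr($0, 1, k - 1); right = substr($0, k + 2) }
        else   { left = $0; right = "" }
        n = (left == "")  ? 0 : split(left, L, ":")
        m = (right == "") ? 0 : split(right, R, ":")
        if ((k && n + m > 7) || (!k && n != 8)) exit 1
        ng = 0
        for (i = 1; i <= n; i++) G[++ng] = L[i]
        if (k) for (i = n + m; i < 8; i++) G[++ng] = "0"   # :: stands for the missing groups
        for (i = 1; i <= m; i++) G[++ng] = R[i]
        out = ""
        for (i = 1; i <= 8; i++) {
            g = tolower(G[i])
            if (g !~ /^[0-9a-f]+$/ || length(g) > 4) exit 1
            while (length(g) < 4) g = "0" g            # pad each group to 4 digits
            out = out (i > 1 ? ":" : "") g
        }
        print out
    }'
}

# Shorten an address: strip leading zeros per group and replace the longest run
# of two or more zero groups with a single :: (first run wins a tie).
ipv6_compress() {
    full=$(ipv6_expand "$1") || return 1
    printf '%s\n' "$full" | awk -F: '{
        for (i = 1; i <= 8; i++) { g = $i; sub(/^0+/, "", g); G[i] = (g == "") ? "0" : g }
        best = 0; bestlen = 0; i = 1
        while (i <= 8) {
            if (G[i] != "0") { i++; continue }
            j = i
            while (j <= 8 && G[j] == "0") j++
            if (j - i > bestlen) { bestlen = j - i; best = i }
            i = j
        }
        out = ""; i = 1
        while (i <= 8) {
            if (bestlen >= 2 && i == best) { out = out "::"; i += bestlen; continue }
            out = out G[i]; i++
            if (i <= 8 && !(bestlen >= 2 && i == best)) out = out ":"
        }
        print out
    }'
}

# First four groups (the /64) of an address; an optional /prefix is ignored.
ipv6_prefix64() {
    ipv6_expand "${1%%/*}" | cut -d: -f1-4
}

# Succeed if both addresses share the same /64.
ipv6_same_64() {
    a=$(ipv6_prefix64 "$1"); b=$(ipv6_prefix64 "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Read KEY=value (optionally double-quoted) from an ifcfg file without sourcing it.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Check that IPV6ADDR and every IPV6ADDR_SECONDARIES entry are in one /64.
ifcfg_secondaries_ok() {
    main=$(ifcfg_get "$1" IPV6ADDR)
    [ -n "$main" ] || return 1
    for addr in $(ifcfg_get "$1" IPV6ADDR_SECONDARIES); do
        ipv6_same_64 "$main" "$addr" || { echo "$addr is not in the /64 of $main" >&2; return 1; }
    done
}

# Constructed ifcfg-eth0 fragment using the addresses from the post.
tmp=$(mktemp)
printf 'IPV6INIT=yes\nIPV6ADDR=2001:470:1f09:d2b::300/64\nIPV6ADDR_SECONDARIES="2001:470:1f09:d2b::220/64 2001:470:1f09:d2b::200/64"\n' > "$tmp"
ifcfg_secondaries_ok "$tmp" && echo "all eth0 addresses are in $(ipv6_prefix64 2001:470:1f09:d2b::300)::/64"
rm -f "$tmp"
```

Run `ifcfg_secondaries_ok /etc/sysconfig/network-scripts/ifcfg-eth0` after editing the file; it prints the first offending address and exits non-zero, so it can sit in a pre-restart check.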

You could also set up the server to act as a router and give other devices on your network IPv6 addresses, but I don’t need that here (I have done it at home); just use Google to find the extra info you need to add for it to act as a router.

Your server should now be accessible over IPv6; test by pinging a few different IPv6-enabled sites, and then remember to set up your firewall. Here’s a link to a quick example, IPv6 Firewall For Linux; Google also has loads of others.

Apr 13 2014

As you should know by now, CentOS uses Yum to install and update packages, but sometimes you need packages that are not available as standard. One way to get these packages is to use 3rd party repositories, which is what I do.

A note on CentOS packages:
“As with all packages in CentOS, the version numbers of released software will not change over the life time of a CentOS product, i.e. CentOS 5.0 contained PHP 5.1.6 and that is the point version PHP will stay at for the life time of CentOS 5. Security patches and bug fixes are back-ported into the shipped version. See here for details: Backporting Security Fixes”

You can get a list of 3rd party repositories here.
I mainly use the following extra repositories: the Remi Collet repository, which also requires Extra Packages for Enterprise Linux (EPEL).

If you are considering using a 3rd party repository, then you should seriously consider how to prevent unintended ‘updates’ from these side archives from overwriting some core part of CentOS. One approach is to only enable these archives from time to time, and generally leave them disabled.

The Remi repository has a page detailing how to set up and use their repository.
Scroll down the page until you find “Enterprise Linux 6 (with EPEL)” and follow the instructions. Here’s the quick version, but check the page for updates:

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

This will install both repositories (remi and epel). The repositories are not enabled when installed (enabled=0); you enable them only when you need them, for example:
yum --enablerepo=remi install php*
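Two checks a practitioner would add around the steps above, as an example that is not part of the original post. First, verify the signature of each downloaded release RPM with `rpm --checksig` before handing it to `rpm -Uvh` (this assumes the repository's signing key has already been imported with `rpm --import`). Second, rather than trusting that a release package leaves its repositories disabled, parse the .repo files under /etc/yum.repos.d and list which repos are actually enabled and which have gpgcheck turned off. The .repo stanzas at the bottom are constructed samples shaped like remi.repo and epel.repo, not the real files.

```shell
#!/bin/sh
# Added example, not part of the original post: verify release RPMs before
# installing them and audit which yum repositories are enabled / unsigned.

# Print the repo ids in a .repo file (stdin) whose stanza sets key=want.
repos_where() {
    awk -v key="$1" -v want="$2" '
        /^[[:space:]]*[#;]/ { next }                                   # comment lines
        /^[[:space:]]*\[/ { id = $0; sub(/^[[:space:]]*\[/, "", id); sub(/\].*$/, "", id); next }
        index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (id != "" && k == key && v == want) print id
        }
    '
}

# Audit every .repo file in a directory (default /etc/yum.repos.d): print the
# enabled repos and flag any repo that skips GPG checking.
audit_repos() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -r "$f" ] || continue
        repos_where enabled 1 < "$f" | sed 's|^|enabled: |'
        repos_where gpgcheck 0 < "$f" | sed 's|^|NO GPG CHECK: |'
    done
}

# Succeed only if the RPM carries a valid signature from a key rpm already trusts;
# rpm --checksig exits non-zero for a missing, bad, or unknown-key signature.
rpm_verified() {
    rpm --checksig "$1" >/dev/null 2>&1
}

# Install the release packages from the post only if both verify.
install_release_rpms() {
    for f in remi-release-6*.rpm epel-release-6*.rpm; do
        rpm_verified "$f" || { echo "signature check failed for $f, not installing" >&2; return 1; }
    done
    rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
}

# Constructed sample .repo files for the demo (shaped like remi.repo / epel.repo).
tmp=$(mktemp -d)
cat > "$tmp/remi.repo" <<'EOF'
[remi]
name=Remi (constructed sample)
enabled=0
gpgcheck=1

[remi-test]
name=Remi test (constructed sample)
enabled=0
gpgcheck=0
EOF
cat > "$tmp/epel.repo" <<'EOF'
[epel]
name=EPEL (constructed sample)
enabled=1
gpgcheck=1
EOF
audit_repos "$tmp"
rm -rf "$tmp"
```

Run `audit_repos` with no argument on the real host after installing the release packages; anything listed as enabled will be consulted by every plain `yum update`, and anything flagged NO GPG CHECK installs packages without verifying who built them.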

One last note: always test everything (preferably not on a live production machine) and ensure you have a backup when using 3rd party packages, as sometimes a simple update can have very bad side effects.