Saturday, January 14, 2017

How to Increase or reduce volume size on Centos


Increase virtual Hard Disk space running on ext4 file system

1. Identify the partition type:
# fdisk -l
Device Boot         Start         End      Blocks   Id  System
/dev/sda1   *        2048     2099199     1048576   83  Linux
/dev/sda2         2099200  1953523711   975712256   8e  Linux LVM

Disk /dev/mapper/cl-root: 53.7 GB, 53687091200 bytes, 104857600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

2. Check disk usage:
# df -ah
/dev/mapper/cl-root   50G  6.4G   44G  13% /


3. Add a new disk or partition for LVM (here /dev/sda3, partition type 8e), then rescan the partition table:
# partprobe -s

# fdisk -l
Device Boot         Start         End      Blocks   Id  System
/dev/sda1   *        2048     2099199     1048576   83  Linux
/dev/sda2         2099200  1953523711   975712256   8e  Linux LVM
/dev/sda3      1953523711  1953524102    10485760   8e  Linux LVM

4. Initialize the new partition as an LVM physical volume
# pvcreate /dev/sda3
Physical volume "/dev/sda3" successfully created

5. Confirm the name of the current volume group
# vgdisplay
  --- Volume group ---
  VG Name               cl
  VG Size               53.7 GiB

6. Extend the 'cl' volume group by adding physical volume /dev/sda3
# vgextend cl /dev/sda3
Volume group "Mega" successfully extended

7. Scan all disks for physical volumes
# pvscan
PV /dev/sda2   VG cl              lvm2 [53.7 GiB / 4.00 MiB free]
PV /dev/sda3   VG cl              lvm2 [10.00 GiB / 4.00 MiB free]
Total: 2 [63.7 GiB] / in use: 2 [63.7 GiB] / in no VG: 0 [0   ]


8. Confirm the path of the logical volume
# lvdisplay
  --- Logical volume ---
  LV Path                /dev/cl/root

9. Extend the logical volume with lvextend command
# lvextend /dev/cl/root /dev/sda3
  Extending logical volume root to 63.7 GiB
  Logical volume root successfully resized
Alternatively, extend the logical volume by an explicit size (here 10 GiB) instead of by a whole physical volume:
# lvextend -L +10G /dev/cl/root
 
10. Resize the file system with resize2fs (ext2/ext3/ext4); an ext4 file system can be grown while it is mounted:
# resize2fs /dev/cl/root
resize2fs 1.42.9 (28-Dec-2013)
Filesystem at /dev/cl/root is mounted on /; on-line resizing required
old desc_blocks = 2, new_desc_blocks = 2
Performing an on-line resize of /dev/cl/root to 7576576 (4k) blocks.
The filesystem on /dev/cl/root is now 7576576 blocks long.
 
Note: if you are using the XFS file system (the default on RHEL 7/CentOS 7), grow it with xfs_growfs instead. xfs_growfs works on the mounted file system and takes the mount point (here /); current versions also accept the mounted device:
# xfs_growfs /dev/cl/root




Reduce logical volume device size

Reducing a logical volume is a risky operation: take a backup of any data on it first. This procedure applies to ext2/ext3/ext4 only; an XFS file system cannot be shrunk.
1. Check the logical volume and file system sizes
# lvs
  LV    VG  Attr        LSize   Pool Origin Data%  Meta%
  data  cl  -wi-ao----  876.63g
  root  cl  -wi-ao----   50.00g
  swap  cl  -wi-ao----    3.88g

# df -ah
Filesystem           Size  Used Avail Use% Mounted on
/dev/mapper/cl-data  877G  8.4G  868G   1% /data

2. Unmount the mount point of the volume which needs to be reduced
# umount -v /data

3. Check the file system for errors (-f forces a full check even if the file system is marked clean)
# e2fsck -ff /dev/mapper/cl-data
e2fsck 1.42.9 (28-Dec-2013)
/dev/mapper/cl-data

Note: the check must pass all 5 passes; if it does not, there may be a problem with your file system. Do not continue until e2fsck reports the file system clean.

To check the health of the underlying hard drive (SMART data and error logs), run:
# smartctl -a /dev/sda

4. Shrink the file system first, to a size well below the intended logical volume size (resize2fs takes sizes with a K, M, G or T suffix)
# resize2fs /dev/mapper/cl-data 10G

Then reduce the logical volume. The new logical volume size must never be smaller than the shrunk file system, otherwise the file system is truncated and data is lost (recent LVM versions can do both steps together with lvreduce -r, i.e. --resizefs):
# lvreduce -L -8G /dev/mapper/cl-data


5. Grow the file system back so that it fills the reduced logical volume
# resize2fs /dev/cl/data

6. Mount the file system back on the same mount point
# mount /dev/cl/data /data

7. Check the new size of the logical volume
# lvdisplay
  --- Logical volume ---
  LV Path                /dev/cl/data
  LV Size                866.73 GiB

That's it.
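The shrink procedure above, written as a script so the ordering (unmount, fsck, shrink the file system, then the LV, then grow the file system back) cannot be mixed up and the one fatal mistake, an LV smaller than its file system, is refused before anything runs. This is an added example, not code from the original post; the LV path, mount point and sizes are arguments, and DRY_RUN=1 prints the commands instead of executing them so the sequence can be checked without root or a real volume.

```shell
#!/bin/sh
# Added example: shrink an ext4 logical volume in the order the post describes.
# Sizes are whole gibibytes. With DRY_RUN=1 the commands are only printed.

# run CMD...: execute, or just print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# usage: shrink_ext4_lv <lv-path> <mount-point> <new-fs-gib> <new-lv-gib>
shrink_ext4_lv() {
    lv="$1"; mnt="$2"; fs_gib="$3"; lv_gib="$4"

    # both sizes must be positive whole numbers of GiB
    for n in "$fs_gib" "$lv_gib"; do
        case "$n" in
            ''|*[!0-9]*) echo "sizes must be whole GiB, got '$n'" >&2; return 2 ;;
        esac
    done

    # the safety check the post relies on: never cut the LV below the file system
    if [ "$lv_gib" -lt "$fs_gib" ]; then
        echo "refusing: LV size ${lv_gib}G is below file-system size ${fs_gib}G (data loss)" >&2
        return 1
    fi

    run umount -v "$mnt"                || return 1
    run e2fsck -ff "$lv"                || return 1   # must pass all 5 passes
    run resize2fs "$lv" "${fs_gib}G"    || return 1   # shrink the file system first
    run lvreduce -L "${lv_gib}G" "$lv"  || return 1   # then the logical volume
    run resize2fs "$lv"                 || return 1   # grow the fs to fill the LV
    run mount "$lv" "$mnt"
}

# Example (constructed values matching the post): shrink /dev/cl/data to 12 GiB
# with the file system temporarily at 10 GiB:
#   DRY_RUN=1 ./shrink.sh   # after adding: shrink_ext4_lv /dev/cl/data /data 10 12
```

lvreduce still asks for confirmation interactively unless it is given -f, which is left out on purpose: the prompt is the last chance to catch a wrong device name. The dry-run output is the exact command list, so it can be reviewed (or pasted into a change ticket) before the real run.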

Saturday, January 7, 2017

IPTables basic security



To list the rules in iptables:
# iptables -L

Allow multiple ports from a network (multiport match):
# iptables -A INPUT -s 123.176.0.0/255.255.0.0 -p tcp -m multiport --dports 22,1521,80 -j ACCEPT

To rate-limit new connections and restrict ping (this first rule accepts at most 5 new TCP connections per second on eth0; a limit rule only takes effect when a rule after it drops the excess). Test from another host with a fast ping:
# iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
# ping -c 3 -i .005 ipaddress

# iptables -A INPUT -s 192.168.1.80 -p icmp --icmp-type echo-request -j REJECT/DROP/ACCEPT (restrict ping from a single IP; choose one target)

# iptables -A INPUT -s 0.0.0.0/0.0.0.0 -p icmp --icmp-type echo-request -j REJECT/DROP/ACCEPT (restrict ping from everywhere; choose one target)

# iptables -A INPUT -s 192.168.0.0/255.255.0.0 -p icmp --icmp-type echo-request -j DROP (only from a specific network segment)

To flush all rules from all chains of the filter table:
# iptables -F

Allow or reject traffic from specific IP addresses (chain names and targets are case-sensitive: INPUT, ACCEPT, DROP, REJECT)
# iptables -A INPUT -s 192.168.1.80 -j REJECT/DROP/ACCEPT (choose one target)

# iptables -A INPUT -s 192.168.1.80 -p tcp --dport 80 -j REJECT

# iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT

# iptables -A INPUT -s 123.176.47.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT



To delete rule number 5 from the INPUT chain (use iptables -L INPUT --line-numbers to see the numbers)
# iptables -D INPUT 5


To block outgoing traffic to a specific IP address (-d is the destination match)
# iptables -A OUTPUT -d 67.215.241.234 -j DROP

Drop new TCP connections that do not start with a SYN packet:
# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Drop fragmented packets and malformed TCP flag combinations (all flags set, no flags set):
# iptables -A INPUT -f -j DROP
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
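The filter rules above are shown one -A at a time, which is where the ordering mistakes creep in: a limit rule with nothing dropping the excess, or a global "--syn ... -j ACCEPT" that quietly opens every port at the limited rate. The script below, an added example and not the post's own code, emits the same policy as one iptables-restore ruleset so it is loaded atomically and the order is visible: a default DROP policy, loopback and established traffic first, the malformed-packet drops, a SYN_LIMIT chain that only drops excess SYNs (so the service rules after it still decide what is open), a rate-limited ping, and the multiport service rule restricted to the management network. The network, interface and port list are placeholders taken from the post; replace them with your own.

```shell
#!/bin/sh
# Added example: the post's basic INPUT policy as an iptables-restore ruleset.
# Placeholders (override via the environment): management network, WAN
# interface and service ports. Uses "-m state" as the post does.
MGMT_NET="${MGMT_NET:-123.176.0.0/16}"
WAN_IF="${WAN_IF:-eth0}"
SERVICE_PORTS="${SERVICE_PORTS:-22,80,1521}"

# build_ruleset: print the ruleset; lines starting with # are comments to iptables-restore
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
# loopback and replies to connections we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# fragments, all-flags, no-flags and new-but-not-SYN packets
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# rate-limit new connections: excess SYNs are dropped in SYN_LIMIT,
# SYNs within the limit RETURN here and are still subject to the rules below
-A INPUT -i $WAN_IF -p tcp --syn -j SYN_LIMIT
# ping: at most one echo-request per second, the rest dropped
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# services, only from the management network (multiport takes --dports)
-A INPUT -s $MGMT_NET -p tcp -m multiport --dports $SERVICE_PORTS -j ACCEPT
# the limit rule needs the DROP right after it, otherwise it does nothing
-A SYN_LIMIT -m limit --limit 5/s --limit-burst 10 -j RETURN
-A SYN_LIMIT -j DROP
COMMIT
EOF
}

# apply_ruleset: parse-check, then replace the live filter table atomically (needs root)
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Review before loading:  build_ruleset
# Load on the firewall:   apply_ruleset
```

Because iptables-restore replaces the whole table in one step there is no window with a half-built chain, and "--test" rejects a typo such as a lowercase chain name before anything changes. Run build_ruleset first and keep its output under version control; it is the firewall's documentation.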


NAT rules (SNAT rewrites the source address of outbound traffic, DNAT forwards inbound traffic to an internal host):
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.1

# iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source 123.176.40.60
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.1:1-1024


# iptables -t nat -A PREROUTING -d 1.2.4.1 -j DNAT --to-destination 192.168.1.50
# iptables -t nat -A PREROUTING -s 1.2.5.17 -d 1.2.4.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100

# iptables -t nat -A PREROUTING -d 1.2.4.2 -p tcp --dport 65521 -j DNAT --to-destination 192.168.1.100:22

# iptables -t nat -A PREROUTING -d 1.2.4.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200


A transparent proxy is a way to force users through a proxy server even if their browsers are configured not to use one. You probably know the benefits of a proxy server: bandwidth saving for cached pages and access control (e.g. denying downloads of files with dangerous extensions).
We can apply transparent proxying to all or some users to stop them bypassing the proxy whenever they want. This is especially useful for children's computers, for example to deny them access to sexually explicit sites.
On our Linux router we installed a Squid proxy server to cache some content from the Web and to deny access to sex sites and malicious downloads. The users are not pleased about using our proxy server and usually remove it from their browser configuration, but we can force them through it anyway. If the proxy server listens on port 3128 we do the following:

# iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

If we want to allow the manager (who has the IP address 192.168.1.50) to bypass the proxy server, we do so like this:

# iptables -t nat -I PREROUTING -s 192.168.1.50 -p tcp --dport 80 -j ACCEPT

Because -I inserts the rule at the top of the PREROUTING chain, her packets match it before the REDIRECT rule and are not redirected; they are then SNATed as usual in the POSTROUTING chain.