Debugging IPTABLES rules with pkts and bytes

One of the most common problems with IPTABLES is misconfiguration of its rule sets. You can easily block “good” traffic that should be hitting your server. This typically manifests itself when a dependent service cannot talk to your server with IPTABLES running, but communicates just fine with IPTABLES disabled.

So how do you determine if one of your IPTABLES ACCEPT rules is causing the problem? If you instruct IPTABLES to list its rules with the “iptables -nvL” command, you should be able to find your answer. This command returns every rule in every chain, and includes two important columns: “pkts” and “bytes.” The pkts, or packets, column shows how many packets have matched that rule, while the bytes column shows the total number of bytes in those packets.

Here’s how it works in practice:

We recently enabled IPTABLES on two nodes of an Oracle RAC cluster.  As soon as IPTABLES was enabled, the second node would be evicted from the cluster, as the first node could no longer see it.  We surmised that IPTABLES was blocking the traffic, thereby cutting the server off.

To validate this, we ran the “iptables -nvL” command and looked at the last line returned, the REJECT rule. It showed a huge number of packets and bytes being rejected by IPTABLES.

pkts bytes target     prot opt in     out     source               destination
311M 571M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

We also saw no mention of interface bond2 in the listing, which is the private interconnect interface for each RAC node. We therefore added an ACCEPT rule for that interface:

-A RH-Firewall-1-INPUT -i bond2 -j ACCEPT

We then restarted the IPTABLES service to pick up the change, and ran the “iptables -nvL |grep bond2” command to view the traffic:

pkts bytes target     prot opt in     out     source               destination
1032  217K ACCEPT     all  --  bond2  *       0.0.0.0/0            0.0.0.0/0

As you can see, IPTABLES was now processing traffic on the interface, as the pkts and bytes totals had advanced from initial zero values.  After two minutes, we re-ran the command:

pkts bytes target     prot opt in     out     source               destination
5373 9541K ACCEPT     all  --  bond2  *       0.0.0.0/0            0.0.0.0/0

Note the substantial increase in packets and bytes, indicating that our rule was, in fact, working. This was later validated further up the application stack, as the RAC nodes could now see each other. By simply looking at the traffic hitting each IPTABLES rule, we could clearly see where our problem was.
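The comparison above was done by eye; as an added example (not code from the post), the same check scripted: two saved “iptables -nvL” listings are diffed rule by rule and only the rules whose counters grew are reported. The two listings are constructed from the post’s own numbers; real listings would come from running the command twice.

```shell
#!/bin/sh
# Added example, not from the post: diff the pkts/bytes counters of two saved
# "iptables -nvL" listings. iptables abbreviates counters with decimal K/M/G/T
# prefixes (pass -x for exact values; -Z zeroes them), so they are expanded first.

ipt_delta() {                            # $1=earlier listing  $2=later listing
  awk '
    function expand(v,   m) {            # "9541K" -> 9541000
      m = 1
      if (v ~ /K$/) m = 1000; else if (v ~ /M$/) m = 1000000
      else if (v ~ /G$/) m = 1000000000; else if (v ~ /T$/) m = 1000000000000
      sub(/[KMGT]$/, "", v); return v * m
    }
    /^Chain / { chain = $2; next }       # remember which chain we are in
    /^ *pkts / || NF == 0 { next }       # skip column headers and blank lines
    {
      key = chain                        # rule identity = chain + rule text
      for (i = 3; i <= NF; i++) key = key " " $i
      if (FNR == NR) { p0[key] = expand($1); b0[key] = expand($2); next }
      dp = expand($1) - p0[key]; db = expand($2) - b0[key]
      if (dp > 0) printf "%s pkts=+%.0f bytes=+%.0f\n", key, dp, db
    }' "$1" "$2"
}

# Constructed snapshots modelled on the post's output: before and after the bond2
# ACCEPT rule starts seeing interconnect traffic. The REJECT counters do not move.
write_samples() {                        # $1=before file  $2=after file
  cat > "$1" <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  bond2  *       0.0.0.0/0            0.0.0.0/0
 311M  571M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
  cat > "$2" <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 5373 9541K ACCEPT     all  --  bond2  *       0.0.0.0/0            0.0.0.0/0
 311M  571M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

ipt_demo() {                             # prints only the rule whose counters grew
  dir=$(mktemp -d)
  write_samples "$dir/before" "$dir/after"
  ipt_delta "$dir/before" "$dir/after"
  rm -rf "$dir"
}
if [ "${1:-}" = "--demo" ]; then ipt_demo; fi
```

Run with “--demo” to see the constructed case; on a live host, save “iptables -nvL” output to two files a minute apart and pass them to ipt_delta.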

Fixing the "HostDatastoreSystem.CreateNasDatastore" for object "ha-datastoresystem" error when setting up VMware ESXi NFS data store

If you try to add a remote NFS data store for VMware ESXi, you may encounter this error:
Call “HostDatastoreSystem.CreateNasDatastore” for object “ha-datastoresystem” on ESX “{ESX server}” failed:

This is often a firewall issue, and the very first place you should look. Browse to Configuration/Software/Security Profile and verify that the “NFS Client” entry is listed under “Outgoing Connections:”

If you do not see the NFS Client entry, click “Properties” and enable it:

Now retry the connection to the NFS data store. If you still cannot connect, open a command prompt on the ESXi console and issue a “vmkping <hostname>” command, where the hostname is your NFS server. If you receive a successful ping, your VMkernel is set up correctly. If it returns this instead, you have a VMkernel problem:

# vmkping 192.168.1.4
*** vmkernel stack not configured ***

You now need to examine your Virtual Switch settings to verify the presence of a VMkernel Port. Browse to Configuration/Hardware/Networking and examine your settings. You should see an entry for VMkernel Port; if you do not, your configuration will look something like this:

To fix this, click the “Properties” link in the upper right corner to examine the properties of your vSwitch0.  You will notice that there is no VMKernel listed:

Click the “Add” button and select the VMKernel connection type:

You will be taken to the first screen of a multi-step wizard.  Keep the default properties you see on the first screen of the wizard:

The second screen is IP Connection Settings. Here, select “Use the following IP settings” and enter a unique IP address and your network’s subnet mask:

Next, click the “Edit” button and enter your network’s default gateway:

You are now done with the wizard, and should see your new VMkernel. Click the “Finish” button:

You should now see the VMkernel port in the vSwitch0 properties:

You should also now see it in your main vSwitch0 properties:

Now retry adding your NFS store, and you should now be able to do so successfully.

A vmkping should also work now:
# vmkping 192.168.1.4
PING 192.168.1.4 (192.168.1.4): 56 data bytes
64 bytes from 192.168.1.4: icmp_seq=0 ttl=64 time=0.121 ms
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.153 ms
64 bytes from 192.168.1.4: icmp_seq=2 ttl=64 time=0.137 ms

Map an NFS share on Windows 7

I needed to connect my Windows 7 desktop machine to a Linux server NFS share, but could not find a good walkthrough. Here’s my take on it, assuming you want to connect to a remote NFS share called /export/jcosta.

1) Enable the Windows tools
A default Windows 7 install does not assume you want to connect to a UNIX server. You therefore need to add the tools. Browse to Control Panel/Programs and Features and select “Turn Windows features on or off.” Scroll down until you see the entry called “Services for NFS” and expand the tree you find there. Tick the “Client for NFS” checkbox, and click OK. The installer will commence, and likely require you to reboot the computer once it completes its work.

After installing, connect to your NFS share using a mapped drive:

The shared drive should then come up and be usable:

7 Steps to Rails on CentOS

Red Hat Linux (and its recompiled cousin, CentOS)  has a fantastic reputation for stability and maturity.  However, this often means that packages included with the OS are somewhat out-of-date by the time the distribution is released.  For example, the latest version of CentOS is 5.5, and the version of Ruby that ships with it is version 1.8.5, which dates back to August 2006.  Even the Ruby group recommends using nothing less than 1.8.7 for Rails development.

So how do you get the stability of Red Hat with the goodness of Ruby? Compile from source to get the latest, greatest version.  Here’s how:

1)  Install CentOS 5.5
To save yourself a lot of headaches during the installation, check to see if you have the “Development Tools” group installed with this command:

# yum grouplist |grep -i Development

If you don’t have it, install the package group with this command:

# yum groupinstall "Development Tools"

Note that you may also have the older version of Ruby installed via RPM’s.  You can check to see if you have it with this command:

# rpm -qa |grep ruby

If you discover an older version, uninstall it before proceeding (rpm -e <package_name>).

2) Create a /sources directory and change to that directory.

3) Download and build Ruby.
Download the latest Ruby source code (latest version is 1.9.2-p0 as of this writing).

wget ftp://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p0.tar.gz

Uncompress the tarball and build Ruby:

tar -zxvf ruby-1.9.2-p0.tar.gz
cd ruby-1.9.2-p0
./configure
make
make install

If you have all the proper dependencies, you should have no errors during the configure or make phases. This will install Ruby to the following directories:

/usr/local/include/ruby
/usr/local/bin/ruby
/usr/local/lib/ruby
/usr/local/share/doc/ruby/html
/usr/local/share/man1

Once the install is complete, verify the version of Ruby:

# ruby -v
ruby 1.9.2p0 (2010-08-18 revision 29036)

The Ruby source package also installs RubyGems, the Ruby package manager.  Verify the version of RubyGems:

# gem -v
1.3.7

4) Check for updated gems
Ensure you have the latest gem versions by running this command:

# gem update --system

5) Install the rake build language

# gem install rake

6) Install rails

# gem install rails

7) List the installed gems.

# gem list

That’s it! You now have a fully-installed Ruby on Rails stack.  However, Ruby also needs a back-end database and a web server for its presentation layer.   Future posts will detail how to install and integrate web server and database tiers with Rails.

Ruby

My first install of Ruby on Rails on Linux is now complete.  Would that be RoRoL?

Jolicloud: the OS for Grandma?

My mother-in-law lives in a rural home in middle Georgia.  She is 74 and has never used a computer in her life.  When we visit on weekends, we often show her photos on our iPhones.  But somehow that just feels unsatisfying; we wish we could show her full-size versions of our photos, and connect with her via email and instant messenger during the week.

I dug up an old Dell d610 laptop with 1GB of RAM, 100GB hard disk, and a single Pentium mobile processor.  There are not many operating systems made today that can run with such minimal hardware.  I figured a lightweight OS made for the puny hardware of a netbook might fit the bill.  Enter Jolicloud.

Jolicloud is a free, Ubuntu Linux-based OS tweaked for netbooks.  Its user interface is built on the fancy HTML5 standard, and looks gorgeous. Installation is done via a downloadable CDROM, available from the Jolicloud website.  Installation on the Dell took about 30 minutes, and it detected every bit of hardware with no issues.

Once installed, you get a simple black background with large icons and a slim toolbar across the top. Here is what it looks like:

Facebook.  Gmail.  Meebo.  The everyday applications you commonly use, presented in two neat rows.  Would you have any difficulty figuring out this interface?

Now, let’s assume you want to access your documents. Click the folder icon on the top toolbar and you are taken to this screen:

Does it get any more intuitive?  You have folders for your documents, music, photos, and videos.  Also notice the inclusion of web-based file storage solutions, neatly presented below your local storage for seamless access.

Or let’s say you want to see what this “Twitter” thing is all about, and you want to install a Twitter client. Click the “Add” button in the upper left corner of the toolbar, and you can browse installable applications by type. A single click will start the install. Also notice that currently-installed programs are dimmed to indicate you already have them.

As you can clearly see, my mother-in-law won’t have any problems figuring out how to operate this computer.  And with the stable Linux operating system underneath, I don’t expect to get many support calls either.  Jolicloud is snappy and responsive with only 1GB of RAM, negating the need to purchase a RAM upgrade.  And did I mention Jolicloud is free?

Now if they could only get Internet access…

Generate PFX file at the command line

A PFX (Personal Information Exchange) file is packed in a standard file format called PKCS#12, and is used by both Microsoft ISA and IIS products.

The PKCS#12 format contains the certificate, the private key, and all the CAs in the certificate chain. Here is how you generate one from the openssl command line:

1) Generate private key
openssl genrsa -out emeaextranet.lendlease.com.key 1024

2) Generate CSR
openssl req -new -key emeaextranet.lendlease.com.key -out emeaextranet.lendlease.com.csr

3) Get the certificate signed by the CA.

4) Save the resulting signed certificate into a file.

5) Concatenate the private key and certificate into a new file.
cat emeaextranet.lendlease.com.key emeaextranet.lendlease.com.crt > emeaextranet.lendlease.com.jeff

6) Export the concatenated file in PFX format.
openssl pkcs12 -export -in emeaextranet.lendlease.com.jeff -out emeaextranet.lendlease.com.pfx
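As an added example (not the post’s own commands), the same procedure scripted end to end, with the CA chain included in the bundle and a check of how many certificates actually went in. File names, the CN and the passphrase are placeholders, and a throw-away self-signed CA stands in for the real CA that signs the CSR.

```shell
#!/bin/sh
# Added example, not the post's own commands: key, CSR, signed cert and CA chain
# bundled into a PKCS#12 file, then verified. Names and passphrase are placeholders.
set -e

# Private key and CSR. 2048 bits is the smallest size public CAs accept today.
gen_key_and_csr() {                      # $1=key file  $2=csr file  $3=CN
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl req -new -key "$1" -out "$2" -subj "/CN=$3"
}

# Export step. -inkey takes the key directly instead of the cat'ed key+cert file,
# -certfile adds the issuing CA chain that the post's command leaves out, and
# -passout sets the passphrase the importing host will ask for. (A passphrase
# on the command line shows up in "ps"; use -passout file:... on a shared box.)
make_pfx() {                             # $1=key $2=cert $3=chain $4=out $5=pass
  openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$3" \
    -out "$4" -passout "pass:$5"
}

# Check: count the certificates the PFX really carries (leaf plus chain).
count_certs() {                          # $1=pfx  $2=pass
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Self-contained run in a scratch directory (subshell, so cd stays local); a
# constructed self-signed CA stands in for the real CA and signs the CSR.
demo_pfx() (
  work=$(mktemp -d) && cd "$work"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Demo CA" -days 1 2>/dev/null
  gen_key_and_csr server.key server.csr demo.example.com
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 1 2>/dev/null
  make_pfx server.key server.crt ca.crt server.pfx changeit
  count_certs server.pfx changeit        # prints 2: leaf + CA
  cd / && rm -rf "$work"
)

if [ "${1:-}" = "--demo" ]; then demo_pfx; fi
```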

ext2online missing in RHEL5

The functions of ext2online have been folded into resize2fs in Red Hat Enterprise Linux 5. Ext3 filesystems can still be extended online, but shrinking a filesystem is only possible offline.