Friday, November 11, 2011

How to rebuild Intel Raid (isw) on Linux


For years, I’ve run many small servers running the popular ICH/ISW Intel Storage Matrix RAID in RAID-1 configuration. For many years this has worked absolutely perfectly with no issues on both Windows and Linux. But something has always really bugged me. What do I do when (and they will) a drive fails? How does ISW handle it?
On Windows, this is simple: you launch the Storage Matrix software and click rebuild (if it isn’t rebuilding automagically). But how do you do this on a Linux server which has no Storage Matrix software? After hours of Googling, I came across the command “dmraid -R”. But that didn’t work in my test environments.
So I spent a whole afternoon figuring this out. This is what I found.

Send email from command line with OpenSUSE, Postfix and relayhost

To send email from the command line to an address via a relay host with Postfix on OpenSUSE, do the following:
Edit the Postfix main configuration file (/etc/postfix/main.cf) to contain:


relayhost = [relayhost.com]


Then install a simple command-line mail utility (mail):


#zypper install mail


Then try to send an email from the command line with:


#mail -s "Test email" recipient@mail.com
Test
.

Friday, October 14, 2011

Some error with Moodle

PHP Parse error:  syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM in /home/content/90/2379690/html/moodle/question/engine/lib.php on line 338


Resolve:



#############EDIT THIS############

public static function get_behaviour_required_behaviours($behaviour) {
    $class = 'qbehaviour_' . $behaviour;
    // PHP versions before 5.3 cannot parse a static call through a variable
    // class name ($class::...); that is what raises T_PAAMAYIM_NEKUDOTAYIM.
    return $class::get_required_behaviours();
}

##############INTO THIS###########

public static function get_behaviour_required_behaviours($behaviour) {
    $class = 'qbehaviour_' . $behaviour;
    // Build the static call as a string at run time so the parser never sees
    // "$class::". $behaviour becomes part of the evaluated code, so this relies
    // on it being an internal behaviour name rather than user-supplied input.
    eval('$ret = ' . $class . '::get_required_behaviours();');
    return $ret;
}

#####################################################################
"Unsupported redirect detected script execution terminated" usually appears when uploading a profile picture.


Resolve:


Log in
Save Profile details
Edit Profile and upload Picture

Thursday, October 6, 2011

How to send email from the Linux command line

The Linux command line can be very powerful once you know how to use it. You can parse data, monitor processes, and do a lot of other useful and cool things using it. There often comes a need to generate a report and mail it out. It could be as simple a requirement as a notification that the day’s backup went through fine, or did not. I’ll help you get started with sending mails from the Linux command line and in shell scripts. We will also cover sending attachments from the command line. We will begin with the “mail” command.

Friday, August 19, 2011

Installing Sonar on a linux build server

Anyone who has read many of my blog entries or articles will know that I'm a great fan of code quality metrics. By code quality metrics, I am referring to coding standards, best practices, complexity, but also to other associated statistics such as the number of unit tests run and the level of code coverage. Code Quality management is an important part of any project, but sometimes it can be difficult to get a global picture. Any given metric, such as code coverage or code complexity, can be difficult to interpret in isolation. This is where Sonar comes into the picture.


Wednesday, August 17, 2011

Howto: Install Skype in Fedora 15 64 bit


Skype is available as rpm package for Fedora 13+ from here and it installs successfully on 64 bit installations as well, however, it does not run. If you run it from the terminal, you will see the following error:

skype: error while loading shared libraries: libXv.so.1: cannot open shared object file: No such file or directory
UPDATE: A system update has changed a few things and this guide has been updated. So, please update your system first by running the following in your terminal:

su -c 'yum update'
For this to run, the 32 bit versions of libraries it depends on must be installed after installing the rpm. To be able to do so, first of all, open the file /etc/rpm/macros as root and add the following line at the end of the file (the file may be empty or may not exist if you haven’t made changes to it or created it already, in that case, just create the file and put the following line in the beginning):

%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}
Save the file and exit the editor. To open as root and add the line, I used nano (you may need to enable sudo first):

su -c 'nano /etc/rpm/macros'
You can press Ctrl+O followed by Enter to write the file and Ctrl+X to exit nano.

After having done that, you will need to install 32-bit libraries that are required by skype. The following command installs them all:

su -c 'yum install qt.i686 qt-x11.i686 libXv.i686 libXScrnSaver.i686'
After that, Skype should run without problems. Hope this helps.


Thursday, July 28, 2011

Optimizing Linux Performance

2.2. Linux Performance Tools: CPU

Here begins our discussion of performance tools that enable you to extract information previously described.

2.2.1. vmstat (Virtual Memory Statistics)

vmstat stands for virtual memory statistics, which indicates that it will give you information about the virtual memory system performance of your system. Fortunately, it actually does much more than that. vmstat is a great command to get a rough idea of how your system performs as a whole. It tells you
  • How many processes are running
  • How the CPU is being used
  • How many interrupts the CPU receives
  • How many context switches the scheduler performs
It is an excellent tool to use to get a rough idea of how the system performs.

Wednesday, July 27, 2011

RHEL – Create local repository

For one of my clients we were deploying 12 Red Hat Enterprise Linux servers. The client has quite strict security rules, therefore patch management via RH Network was not an option. An RHN proxy server or Satellite server was out of the project budget. In the end I created a central RHEL local repository. We dedicated another RHEL server just for this purpose (thanks to virtualization-friendly Red Hat licensing).
  • Install minimal RHEL installation
  • Dedicate one harddrive for the repository packages
  • Disable SElinux for httpd (in /etc/selinux/targeted/booleans)
    
httpd_disable_trans=1
  • Allow access to these two sites on the outgoing firewall:
    209.132.183.44 xmlrpc.rhn.redhat.com
    92.122.186.196 content-xmlrpc.rhn.redhat.com

  • Register the installation by running rhn_register and typing registration info
  • Mount the repository harddrive into /opt/repository
  • Download the repository for the first time:
    yum install yum-utils
    yum install createrepo
    reposync -p /opt/repository/ --repoid=rhel-x86_64-server-5 -l
    createrepo /opt/repository

  • Create a script to update the repository: /usr/local/bin/update-repository.sh
    #!/bin/sh
    echo "Update script started at $(date)" >> /var/log/update-repository.log
    reposync -p /opt/repository/ --repoid=rhel-x86_64-server-5 -l -n
    createrepo /opt/repository/
    echo "Update script ended at $(date)" >> /var/log/update-repository.log

  • Make it executable: chmod +x /usr/local/bin/update-repository.sh
  • Add it to crontab to run every day at 00:15: crontab -e
    15 0 * * * /usr/local/bin/update-repository.sh > /var/log/update-repository-result.log
  • Share the repository via http:
    ln -s /opt/repository/ /var/www/html/
    create /etc/httpd/conf.d/repository.conf:
    <Directory "/var/www/html/repository">
        Options Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

  • Set up /etc/yum.repos.d/repository.repo on all RHEL clients:
    [repository]
    name=Red Hat Enterprise Linux $releasever – $basearch
    baseurl=http://<URL of the local repository server>/repository
    enabled=1
    gpgcheck=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat

  • Disable RHN on all clients but the local repository: /etc/yum/pluginconf.d/rhnplugin.conf
    [main]
    enabled = 0
    gpgcheck = 1

    [rhel-i386-server-5]
    enabled = 0
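The client repo file above sets gpgcheck=0 even though it names the Red Hat key; packages mirrored with reposync still carry Red Hat's signatures, so the client can verify them. The shell script below is an added example (not from the original post): it writes the same repository.repo with checking enabled and lints .repo files for sections that leave it off. The hostname and temporary directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. The client config on the page
# sets gpgcheck=0; reposync keeps the packages' Red Hat signatures, so the
# client can verify them against the key the config already names.
# write_repo_file writes that config with checking on; lint_repo_file flags
# any [section] in a .repo file whose gpgcheck is not 1. Hostname and
# directory below are placeholders.

# write_repo_file DEST BASEURL: write a hardened repository.repo to DEST.
write_repo_file() {
    cat > "$1" <<EOF
[repository]
name=Red Hat Enterprise Linux \$releasever - \$basearch
baseurl=$2/repository
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat
EOF
}

# lint_repo_file FILE: print each section whose gpgcheck is 0 or missing
# (accepting "gpgcheck = 1" with spaces, as in rhnplugin.conf); exit status
# 1 if any such section was found, 0 otherwise.
lint_repo_file() {
    awk '
        BEGIN { bad = 0 }
        function flush() { if (section != "" && !checked) { print section; bad = 1 } }
        /^[ \t]*\[/ { flush(); section = $0; checked = 0; next }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { checked = 1 }
        END { flush(); exit bad }
    ' "$1"
}

# demo: a constructed copy of the page's weak client config next to the
# hardened one, both written to a temporary directory.
demo() {
    dir=$(mktemp -d)
    printf '[repository]\nname=weak\nbaseurl=http://repo.example.invalid/repository\nenabled=1\ngpgcheck=0\n' > "$dir/weak.repo"
    write_repo_file "$dir/repository.repo" "http://repo.example.invalid"
    for f in "$dir"/*.repo; do
        if lint_repo_file "$f" >/dev/null; then
            echo "$f: gpgcheck enabled in every section"
        else
            echo "$f: gpgcheck missing or 0 in: $(lint_repo_file "$f" | tr '\n' ' ')"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run lint_repo_file over /etc/yum.repos.d/*.repo on each client after the rollout; the key named by gpgkey must already be imported (rpm --import) for yum to verify packages.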

Tuesday, July 26, 2011

Installation of Oracle 11g Release 2 (11.2.0.1.0) on RedHat EL 5, (Oracle) Enterprise Linux 5 and Centos 5

This paper (HOWTO) describes the step-by-step installation of Oracle 11g R2 database software on RedHat Enterprise Linux 5 or Enterprise Linux 5 shipped by Oracle Corp. This article is also useful for Centos Linux release 5. Note that the Centos distribution is not certified by Oracle Corporation.
This article does not cover the database creation process or the ASM instance creation process.

This paper covers following steps:


Monday, July 25, 2011

Linux bond or team multiple network interfaces (NIC) into single interface

Finally today I implemented NIC bonding (binding both NICs so that they work as a single device). We have two Dell servers that need to be set up with Intel dual Gigabit NICs. My idea is to improve performance by pumping out more data from both NICs without using any other method.
This box acts as a heavy-duty FTP server. Each night I need to transfer over 200GB of data from this box to another box. Therefore, the network setup is two servers on a switch using dual network cards. I am using Red Hat Enterprise Linux version 4.0.
Linux allows binding multiple network interfaces into a single channel/NIC using special kernel module called bonding. According to official bonding documentation, "The Linux bonding driver provides a method for aggregating multiple network interfaces into a single logical "bonded" interface. The behavior of the bonded interfaces depends upon the mode; generally speaking, modes provide either hot standby or load balancing services. Additionally, link integrity monitoring may be performed."

Tuesday, June 28, 2011

Solaris Tips

SUN Free Software

At http://www.sunfreeware.com you will find "ready to use" software for SUN Solaris, such as TOP, AMANDA, GCC, GDB etc. Download via FTP from: «ftp://nce.sun.ch/pub/freeware/sparc/7»

Installing PCNFS

CD-ROM Solaris Intranet Extension (see also Solaris Server Intranet Extension Installation)
su
cd /cdrom/cdrom0/nfsc/sparc
pkgadd -d `pwd`

Installation of Oracle 11g Release 2 on Solaris 10 x86_64

This paper (HOWTO) describes step-by-step installation of Oracle 11g release 2 (11.2.0.1.0) database software on Solaris 10 x86_64. 

This paper covers following steps:


Mount an ISO image on a Solaris filesystem with lofiadm

Many software packages can be downloaded in the form of an ISO image. Rather than burning the image to a CD-ROM to access its contents, it is easy to mount the image directly into the filesystem using the lofiadm and mount commands.


Given an ISO image in /export/temp/software.iso, a loopback file device (/dev/lofi/1) is created with the following command:
lofiadm -a /export/temp/software.iso /dev/lofi/1
The lofi device creates a block device version of a file. This block device can be mounted to /mnt with the following command:
mount -F hsfs -o ro /dev/lofi/1 /mnt
These commands can be combined into a single command:
mount -F hsfs -o ro `lofiadm -a /export/temp/software.iso` /mnt

Friday, June 24, 2011

FreeBSD Package Management (ports, pkg_*) Basics

After this short guide you will be proficient with installing, deleting, and upgrading software in FreeBSD.
I just started using FreeBSD (4 shiny new 6.0 CDs just arrived in the mail, hot off the press). The part that I was most interested in is its package management. I've come from the land of Linux... Gentoo (portage: based on ports), Arch Linux (pacman: i686 binary package manager), all the rpm based systems, and Debian's package management concoction. Portage and pacman have won me over and after a day of working with FreeBSD there is room for a little ports in my life. This is my cheat sheet for getting started with ports and FreeBSD package management. I obtained most of this information from the FreeBSD documentation on Installing Applications: Packages and Ports.

OpenBSD Pf Firewall "how to"

The default firewall for OpenBSD as of v3.0 is called "packet filter" or more commonly referred to as pf. Pf is a BSD licensed stateful packet filter written by Daniel Hartmeier.
History of PF
PF was originally designed as replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree due to OpenBSD developers' problems with its license. Specifically, Reed distributed some versions of his software with the license clause, "Derivative or modified works are not permitted without the author's prior consent." Due to this, the OpenBSD team decided to replace the software. This decision became the subject of wrangling among the parties involved, degenerating into a discussion that failed to reach mutual understanding. On the subject, OpenBSD project leader Theo de Raadt wrote, "Software which OpenBSD uses and redistributes must be free to all... for any purpose including... modification."
PF has since evolved quickly and now has several advantages over other available firewalls. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF.
One of the many innovative features is PF's logging. Logging is configurable per rule within pf.conf, and logs are provided from PF by a pseudo-network interface called pflog. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose, or saved to disk in a modified tcpdump/pcap binary format using the pflogd daemon. Wikipedia "History of pf"

Thursday, June 16, 2011

Adding a Hard Drive in Linux

Adding New Drives

There are many reasons why you would need to add a new drive to your Linux box. You might have outgrown your current space limitations, or you may want to add a separate drive for a specific project or service. In any case, if you follow this guide, you should have no problems. First, you must be familiar with the naming scheme Linux uses for your drives. For the purposes of this article, everything highlighted in blue is the command you must type at the terminal prompt. Anything highlighted in red indicates changes made by a previous command or something you should pay special attention to. Anything highlighted in green is simply the standard output from a terminal or issued command. The machine used for this guide is running Red Hat Enterprise Linux.

Conventional Naming

This article assumes you know the difference between primary, extended and logical partitions. In the following example, I added a SCSI hard drive with one primary partition. With that being said, I'll continue explaining the naming scheme. Linux gives each drive a 3-letter name followed by a partition number. If you are using IDE drives, these will all be named hd**, where hd denotes the drive and the next two variables are associated with IDE order (primary master, primary slave, etc.) and partition number. So, your primary master drive will always be named hda. If you are using SCSI drives, everything remains the same except that instead of hd, drives are named sd**. Your SCSI primary master drive will always be named sda. All of these devices reside under the /dev portion of your Linux file system. For instance, as root, you can issue the following command to view the naming combinations possible for your system. Remember, in this example, I am using SCSI hardware. If you are using IDE, simply use hd in place of sd here.


Linux ate my RAM

What's going on?

Linux is borrowing unused memory for disk caching. This makes it look like you are low on memory, but you are not! Everything is fine!

Why is it doing this?

Disk caching makes the system much faster! There are no downsides, except for confusing newbies. It does not take memory away from applications in any way, ever!

What if I want to run more applications?

If your applications want more memory, they just take back a chunk that the disk cache borrowed. Disk cache can always be given back to applications immediately! You are not low on ram!

Do I need more swap?

No, disk caching only borrows the ram that applications don't currently want. It will not use swap. If applications want more memory, they just take it back from the disk cache. They will not start swapping.

How do I stop Linux from doing this?

You can't disable disk caching. The only reason anyone ever wants to disable disk caching is because they think it takes memory away from their applications, which it doesn't! Disk cache makes applications load faster and run smoother, but it NEVER EVER takes memory away from them! Therefore, there's absolutely no reason to disable it!

Why do top and free say all my RAM is used if it isn't?

This is just a misunderstanding of terms. Both you and Linux agree that memory taken by applications is "used", while memory that isn't used for anything is "free". But what do you call memory that is both used for something and available for applications?
You would call that "free", but Linux calls it "used".


Memory that is                                        You'd call it   Linux calls it
taken by applications                                 Used            Used
available for applications, and used for something    Free            Used
not used for anything                                 Free            Free


This "something" is what top and free call "buffers" and "cached". Since your terminology and Linux's differ, you think you are low on RAM when you're not.

How do I see how much free ram I really have?

To see how much RAM is free for your applications to use, run free -m and look at the row that says "-/+ buffers/cache" in the column that says "free". That is your answer in megabytes:

$ free -m
             total       used       free     shared    buffers     cached
Mem:          1504       1491         13          0         91        764
-/+ buffers/cache:        635        869
Swap:         2047          6       2041
$

If you don't know how to read the numbers, you'll think the ram is 99% full when it's really just 42%.
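As an added example (not part of the original post), the shell script below does that arithmetic on the free -m output shown above, reading the "-/+ buffers/cache" row, and also handles the newer free output that replaces that row with an "available" column; the second sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: compute "used" RAM the naive
# way (Mem: row) and the real way (-/+ buffers/cache row) from free -m
# output. FREE_SAMPLE is the output shown on the page; MODERN_SAMPLE is a
# constructed sample of newer procps-ng output, which drops that row and
# adds an "available" column instead.

FREE_SAMPLE='             total       used       free     shared    buffers     cached
Mem:          1504       1491         13          0         91        764
-/+ buffers/cache:        635        869
Swap:         2047          6       2041'

MODERN_SAMPLE='               total        used        free      shared  buff/cache   available
Mem:            7836        2210        3012         310        2613        4988
Swap:           2047           0        2047'

# pct_used_naive: percent of RAM "used" according to the Mem: row alone,
# which counts buffers and cache as used. Reads free -m output on stdin.
pct_used_naive() {
    awk '/^Mem:/ { printf "%d\n", ($3 * 100) / $2 }'
}

# pct_used_real: percent of RAM actually held by applications. Old format:
# the -/+ buffers/cache row over the Mem: total. New format: (total -
# available) over total, where "available" already excludes reclaimable cache.
pct_used_real() {
    awk 'NR == 1 && $NF == "available" { modern = 1 }
         /^Mem:/ { total = $2; if (modern) printf "%d\n", (($2 - $7) * 100) / $2 }
         $1 == "-/+" { printf "%d\n", ($3 * 100) / total }'
}

# Helpers that take the free -m text as an argument, so they are easy to test.
naive_from() { printf '%s\n' "$1" | pct_used_naive; }
real_from()  { printf '%s\n' "$1" | pct_used_real; }

# On a live system: free -m | pct_used_real
echo "Mem: row says $(naive_from "$FREE_SAMPLE")% used, applications really hold $(real_from "$FREE_SAMPLE")%"
```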

How can I verify these things?

See this page for more details and how you can experiment with disk cache.

Overview of memory management

Traditional Unix tools like 'top' often report a surprisingly small amount of free memory after a system has been running for a while. For instance, after about 3 hours of uptime, the machine I'm writing this on reports under 60 MB of free memory, even though I have 512 MB of RAM on the system. Where does it all go?

The biggest place it's being used is in the disk cache, which is currently over 290 MB. This is reported by top as "cached". Cached memory is essentially free, in that it can be replaced quickly if a running (or newly starting) program needs the memory.

The reason Linux uses so much memory for disk cache is because the RAM is wasted if it isn't used. Keeping the cache means that if something needs the same data again, there's a good chance it will still be in the cache in memory. Fetching the information from there is around 1,000 times quicker than getting it from the hard disk. If it's not found in the cache, the hard disk needs to be read anyway, but in that case nothing has been lost in time.

Monday, June 13, 2011

Getting PHP running with Apache

The #debian IRC channel on freenode very often sees people who don't know how to get PHP running with Apache. This is nearly always caused by missing packages - particularly the Apache mod_php module.
It is very simple to get a basic setup running - depending on the version of Apache and PHP you want (and are available for your Debian distribution stable/testing/unstable).
Some useful commands for searching for packages are:
apt-cache search apache
apt-cache search php
You should decide whether you wish to use Apache 1.x or Apache 2.x - and install the relevant package if you don't already have it present e.g:
apt-get install apache2
Decide if you want PHP4 or PHP5. (PHP5 is available for testing/unstable, but isn't included in the Sarge release). If you chose PHP4 you'd install it with:
apt-get install php4
Once you've installed the appropriate PHP package you'll need to get the matching Apache module - the actual name will depend on what versions you have chosen - but - for this example you'd run:
apt-get install libapache2-mod-php4
Without this last package PHP will not be handled by Apache!
If you install the PHP4 or PHP5 modules for Apache2 then they will automatically enable themselves. If they didn't you would need to manually enable them using the a2enmod tool:
# a2enmod php4
This module is already enabled!
(Or "a2enmod php5" for PHP5.)
There are lots of other PHP libraries for the various dependencies - database interfaces, XML handling etc etc. If you need to do something that PHP doesn't cope with - try using the "apt-cache search" command to see if there is a module for it.
Note - this is not meant to be an exhaustive guide - just something that we can point people to as a starting point :)

Installing Perl modules from CPAN

There are several ways to get Perl modules from CPAN installed on your unix-based system. Keep in mind that there is always more than one way to do it with Perl, and this is no different. Before embarking upon any installation, it's a good idea to download the module, unzip it and check out the documentation. In general, though, most modules are installed in the same method.
The simplest way to get Perl modules installed is to use the CPAN module itself. If you are the system administrator and want to install the module system-wide, you'll need to switch to your root user. To fire up the CPAN module, just get to your command line and run this: 

perl -MCPAN -e shell
If this is the first time you've run CPAN, it's going to ask you a series of questions - in most cases the default answer is fine. Once you find yourself staring at the cpan> command prompt, installing a module is as easy as install MODULE::NAME - for example, to install the HTML::Template module you'd type:

cpan> install HTML::Template

Thursday, June 9, 2011

Using mdadm to send e-mail alerts for RAID failures

Environment

Novell SUSE Linux Enterprise Desktop 10
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 10 Service Pack 1
Novell SUSE Linux Enterprise Desktop 10 Service Pack 1

Situation

Mdadm is a command line utility that can be used to create, manage, and monitor Linux software RAID devices.
This TID will explain how to use mdadm to monitor and report issues with a software raid configuration in SLE Linux. This document is not intended to explain software raid setup in SLE Linux. The setup steps for mdadm are for use after a system has an active software raid setup.

Tuesday, June 7, 2011

Install mod_security Core Rule Set in Ubuntu 11.04

Update the apache2.conf file with this content:

Include conf.d/*.conf
Include conf.d/security
Include conf.d/localized-error-pages
Include conf.d/charset
Include conf.d/other-vhosts-access-log

Include conf.d/crs/activated_rules/*.conf

Thursday, June 2, 2011

Snort startup script for Ubuntu

#! /bin/sh
### BEGIN INIT INFO
# Provides:          Snort
# Required-Start:    $local_fs $remote_fs $syslog $network mysql
# Required-Stop:     $local_fs $remote_fs $syslog $network mysql
# Default-Start:     2 3 4 5
# Default-Stop:      S 0 1 6
# Short-Description: Init script to start the Snort daemon
# Description:       Provides Snort service on startup and terminates
#                    on shutdown. Snort is an IDS or IPS. This script
#                    assumes that snort is installed in /usr/sbin and
#                    that its main snort.conf file is in /etc/snort.
#                    The service will be started as a daemon, listening
#                    on eth0 and will also start quietly. If you require
#                    something other than this, you will have to edit
#                    the script accordingly.
#                    USE AT YOUR OWN RISK, YMMV. THIS SCRIPT COMES WITH
#                    ABSOLUTELY NO WARRANTY WHATSOEVER.
# License:           GPLv2 see http://www.gnu.org/licenses/gpl-2.0.txt
### END INIT INFO

# Author: Nigel Houghton <nigel.houghton@sourcefire.com>

PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="Snort service for IDS or IPS"
NAME=snort
CONFIG="/usr/local/snort/etc/snort.conf"
INTERFACE="eth0"
DAEMON=/usr/local/snort/bin/$NAME
DAEMON_ARGS="-c $CONFIG -i $INTERFACE -qD -A fast -l /var/log/snort"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 1

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
[ -f /etc/default/rcS ] && . /etc/default/rcS

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
        # Return
        #   0 if daemon has been started
        #   1 if daemon was already running
        #   2 if daemon could not be started
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null || return 1
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS || return 2
}

#
# Function that stops the daemon/service
#
do_stop()
{
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
        [ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
        if [ -f "$PIDFILE" ]; then
                rm -f $PIDFILE
        fi
        return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
        start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
        return 0
}

case "$1" in
  start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
          0|1)
                do_start
                case "$?" in
                        0) log_end_msg 0 ;;
                        1) log_end_msg 1 ;; # Old process is still running
                        *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
          *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

$ sudo chmod +x /etc/init.d/snort
$ sudo update-rc.d snort start 37 S . start 37 0 . start 37 6 . 

Monday, May 30, 2011

Error: Ping/Telnet Not Recognized As An Internal Or External Command, Operable Program Or Batch File.

I get the error "ping is not recognized as an internal or external command, operable program or batch file" when I try to ping any server.
Cause: This error may occur because the system PATH variable is misconfigured.

To resolve the problem:

Open a Command Prompt and type: Set <hit Enter>.

You should see included: Path C:\WINDOWS\system32.

To correct the path, on your system go to Start>right-click MyComputer>click Properties.

Click the Advanced tab.

Click the Environment Variables button, and select the Path variable listed under System Variables.

When editing it should include: %SystemRoot%\system32.

Which translates to something like: C:\WINDOWS\system32.

Each entry included in the path must be separated by a semicolon.

Try executing the Ping/Telnet command now from the command prompt.

The same will also work for Telnet and other commands.

Wednesday, May 25, 2011

OpenSuSE: Error loading operating system

If you get this message after install a fresh OpenSuSE 11.4


"Error loading operating system"


First insert the OpenSuSE DVD, choose "Rescue", and when you are in the console, type:
#grub
grub>find /boot/grub/menu.lst
grub>root (hd0,1)
grub>setup (hd0)
quit
#reboot


This should fix that error.

Thursday, May 19, 2011

Debian/Ubuntu: iptables startup script & rules

$ sudo nano /etc/init.d/iptables

Copy and paste the following content into above file:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: stateful firewall
### END INIT INFO

### Source functions and binaries
. /lib/lsb/init-functions
IPT="/sbin/iptables"
echo="/bin/echo"

test -x $IPT || exit 5
test -x $echo || exit 5

### Set up variables
IF=`/sbin/route | grep -i 'default' | awk '{print $8}'`
IP=`/sbin/ifconfig $IF | grep "inet addr" | awk -F":" '{print $2}' | awk '{print $1}'`
DNS="8.8.8.8 8.8.4.4"
NET="any/0"
SERV_TCP="80 443 5666"
SERV_UDP="53 123 161"
HI_PORTS="1024:65535"
NON_NET="10.0.0.0/8 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 169.254.0.0/16 192.0.2.0/24"
OK_ICMP="0 3 4 8 11"
TRUST_SSH="172.16.0.0/12"
#BADIPS=$(egrep -v -E "^#|^$" /root/scripts/blocked.fw)

start() {
### Delete all existing rules
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

### Set up policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

### Block private networks
for entry in $NON_NET; do
  $IPT -A INPUT -i $IF -s $entry -m limit --limit 1/s -j LOG --log-level 5 --log-prefix "BAD_NET: "
  $IPT -A INPUT -i $IF -s $entry -j DROP
done

### Block spoofing packets
$IPT -A INPUT -i $IF -s $IP -d $IP -m limit --limit 1/s -j LOG --log-prefix "SPOOFING: "
$IPT -A INPUT -i $IF -s $IP -d $IP -j DROP

### Drop INVALID packets
$IPT -A INPUT -m state --state INVALID -m limit --limit 1/s -j LOG --log-prefix "INVALID_STATE: "
$IPT -A INPUT -m state --state INVALID -j DROP

### Drop fragments
$IPT -A INPUT -i $IF -f -j DROP

### Block bad flags
$IPT -A INPUT -i $IF -p tcp --tcp-flags SYN,RST SYN,RST -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags SYN,FIN SYN,FIN -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ACK,PSH PSH     -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ACK,URG URG     -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags FIN,ACK FIN     -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags FIN,RST FIN,RST -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ALL FIN         -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ALL ALL         -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ALL NONE        -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ALL FIN,PSH,URG -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ALL SYN,FIN     -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ALL URG,PSH,SYN,FIN     -s $NET -j DROP
$IPT -A INPUT -i $IF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -s $NET -j DROP

### Drop broadcast / multicast
$IPT -A INPUT -i $IF -m pkttype --pkt-type broadcast    -s $NET -j DROP
$IPT -A INPUT -i $IF -m pkttype --pkt-type multicast    -s $NET -j DROP

### QoS
$IPT -t mangle -A PREROUTING -p tcp --sport 22 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
### Enable if not in a SYN flood attack
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST,ACK SYN -j TOS --set-tos Minimize-Delay

### Block bad guys
#for ip in $BADIPS; do
#    $IPT -A INPUT -s $ip -j DROP
#    $IPT -A OUTPUT -d $ip -j DROP
#done

### Accept loopback traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

### Log SSH & MySQL access
$IPT -A INPUT ! -i lo -p tcp -m multiport --dports 22,3306 -s 0/0 -d 0/0 --syn -j ULOG

#$IPT -A INPUT -p tcp -i $IF -s $NET -m state --state NEW -m recent --set
#$IPT -A INPUT -p tcp -i $IF -s $NET -m state --state NEW -m recent --update --seconds 20 --hitcount 10 -j DROP

### Drop UDP scan
$IPT -A INPUT -p udp -s $NET -m length --length 0:28 -j DROP

### SYN check
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

### Allow SSH from TRUSTED_IP with connlimit
### -m connlimit ! --connlimit-above 5
### -m limit --limit 3/s --limit-burst 5
### -m length --length 40:60
$IPT -A INPUT  -i $IF -p tcp   --syn -s $TRUST_SSH -d $IP  --dport 22 -m state --state NEW -m length --length 40:60 -m connlimit ! --connlimit-above 5 -j ACCEPT
$IPT -A OUTPUT -o $IF -p tcp ! --syn -s $IP  -d $TRUST_SSH --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT  -i $IF -p tcp ! --syn -s $TRUST_SSH -d $IP  --dport 22 -m state --state ESTABLISHED -j ACCEPT

### Stop SYN flood attack
#$IPT -N syn
#$IPT -A syn -j ACCEPT
#$IPT -N SYN_CHECK
#$IPT -A SYN_CHECK -m recent --set --name SYN
#$IPT -A INPUT -p tcp --syn -d $IP -m state --state NEW -j SYN_CHECK

#$IPT -A SYN_CHECK -m recent --update --seconds 60 --hitcount 10 --name SYN -j LOG --log-prefix "FLOOD: "
#$IPT -A SYN_CHECK -m recent --update --seconds 60 --hitcount 10 --name SYN -j DROP

#$IPT -A SYN_CHECK -m recent --update --seconds 60 --hitcount 3 --name SYN -j syn
#$IPT -A INPUT -p tcp ! --syn -d $IP -m state --state ESTABLISHED -j ACCEPT
#$IPT -A OUTPUT -p tcp -s $IP -m state --state ESTABLISHED -j ACCEPT

#$IPT -t mangle -N blockip
#$IPT -t mangle -A blockip -j DROP
#$IPT -t mangle -A PREROUTING -p tcp -d $IP -m recent --name SYN --update --hitcount 10 --seconds 120 -j blockip

#$IPT -t nat -A PREROUTING -i $IF -p tcp -d $IP --dport 80 -j REDIRECT --to-port 443

### Allow HTTP & other with connection rate limit
for port in $SERV_TCP; do
  $IPT -A INPUT  -i $IF -p tcp   --syn -s $NET -d $IP  --dport $port -m state --state NEW -m length --length 40:60 -m limit --limit 3/s --limit-burst 5 -j ACCEPT
  $IPT -A OUTPUT -o $IF -p tcp ! --syn -s $IP  -d $NET --sport $port -m state --state ESTABLISHED -j ACCEPT
  $IPT -A INPUT  -i $IF -p tcp ! --syn -s $NET -d $IP  --dport $port -m state --state ESTABLISHED -j ACCEPT
done

### Allow UDP
for port in $SERV_UDP; do
  if test $port -eq 53
  then
    $IPT -A INPUT -i $IF -p udp -s $NET --sport $port -d $IP --dport $port -m state --state NEW,ESTABLISHED -m limit --limit 2/s --limit-burst 2 -j ACCEPT
    $IPT -A OUTPUT -o $IF -p udp -s $IP --sport $port -d $NET --dport $port -m state --state ESTABLISHED -m limit --limit 2/s --limit-burst 2 -j ACCEPT
  else
    $IPT -A INPUT -i $IF -p udp -s $NET --sport $HI_PORTS -d $IP --dport $port -m state --state NEW,ESTABLISHED -m limit --limit 2/s --limit-burst 2 -j ACCEPT
    $IPT -A OUTPUT -o $IF -p udp -s $IP --sport $port -d $NET --dport $HI_PORTS -m state --state ESTABLISHED -j ACCEPT
  fi
done

### Allow ICMP. Limit ICMP length: -m length 42:43
for item in $OK_ICMP; do
  $IPT -A INPUT -i $IF -s $NET -p icmp --icmp-type $item -m state --state NEW,ESTABLISHED -m limit --limit 1/s --limit-burst 1 -j ACCEPT
  $IPT -A OUTPUT -o $IF -s $IP -p icmp --icmp-type $item -m state --state NEW,ESTABLISHED -m limit --limit 1/s --limit-burst 1 -j ACCEPT
done

### Allow OUT - UDP (53) TCP (80,443,25)
for entry in $DNS; do
  $IPT -A OUTPUT -o $IF -p udp -s $IP --sport $HI_PORTS -d $entry --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -i $IF -p udp -s $entry --sport 53 -d $IP --dport $HI_PORTS -m state --state ESTABLISHED -j ACCEPT
done
$IPT -A OUTPUT -o $IF -s $IP -p tcp -d $NET -m multiport --dport 80,443,25 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IF -d $IP -m state --state ESTABLISHED,RELATED -j ACCEPT

### Allow monitoring (nagios/cacti)
#$IPT -A INPUT -d $IP -p tcp -m tcp --dport 5666 -j ACCEPT
#$IPT -A INPUT -d $IP -p udp -m udp --dport 161 -j ACCEPT

#$IPT -A FORWARD -p tcp -i $IF -m state --state NEW -m recent --set
#$IPT -A FORWARD -p tcp -i $IF -m state --state NEW -m recent --update --seconds 20 --hitcount 10 -j DROP

### Log & drop bad packets (OUTPUT matches on the source address, FORWARD on
### the interface: a forwarded or outbound packet is never addressed to $IP)
$IPT -A INPUT -i $IF -d $IP -m limit --limit 1/s -j LOG --log-level 5 --log-prefix "BAD_INPUT: "
$IPT -A INPUT -i $IF -d $IP -j DROP
$IPT -A OUTPUT -o $IF -s $IP -m limit --limit 1/s -j LOG --log-level 5 --log-prefix "BAD_OUTPUT: "
$IPT -A OUTPUT -o $IF -s $IP -j DROP
$IPT -A FORWARD -i $IF -m limit --limit 1/s -j LOG --log-level 5 --log-prefix "BAD_FORWARD: "
$IPT -A FORWARD -i $IF -j DROP

### Disable routing
echo 0 > /proc/sys/net/ipv4/ip_forward
}

stop() {
### Delete all existing rules.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X

### Set up policies.
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

case $1 in
        start)
                log_daemon_msg "Starting firewall"
                start
                log_end_msg $?
                ;;
        stop)
                log_daemon_msg "Stopping firewall"
                stop
                log_end_msg $?
                ;;
        restart)
                log_daemon_msg "Restarting firewall"
                # only bring the rules back up if the flush succeeded
                stop && start
                log_end_msg $?
                ;;
        *)
                echo "Usage: $0 {start|stop|restart}"
                exit 2
                ;;
esac

$ sudo chmod +x /etc/init.d/iptables
$ sudo update-rc.d iptables defaults
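Once the script is running, the useful signal is in the kernel log, where each LOG rule above tags its lines with its --log-prefix (BAD_NET, SPOOFING, INVALID_STATE, BAD_INPUT, ...). The helper below is an added example, not part of the original script: it counts hits per prefix and source address, and lists the sources that exceed a threshold in the one-IP-per-line form the commented-out BADIPS loop reads from /root/scripts/blocked.fw. The log lines, host names and addresses are constructed, and the default threshold of 10 is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original firewall script: summarise the
# kernel LOG lines emitted by the --log-prefix rules. The lines below are
# constructed; real entries (which also carry MAC=, TTL= and other fields
# this parser ignores) come from /var/log/kern.log or dmesg.

FW_LOG_SAMPLE='Nov 11 10:00:01 web1 kernel: [100.1] BAD_INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN
Nov 11 10:00:02 web1 kernel: [100.2] BAD_INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40002 DPT=445 SYN
Nov 11 10:00:03 web1 kernel: [100.3] BAD_NET: IN=eth0 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=1234 DPT=80
Nov 11 10:00:04 web1 kernel: [100.4] SPOOFING: IN=eth0 OUT= SRC=203.0.113.10 DST=203.0.113.10 LEN=40 PROTO=ICMP
Nov 11 10:00:05 web1 kernel: [100.5] INVALID_STATE: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=5555 DPT=22 ACK'

# fw_log_summary: read log lines on stdin and print "count prefix src" for
# each (prefix, source) pair, most frequent first. The prefix is the token
# immediately before "IN=...", i.e. the string given to --log-prefix.
fw_log_summary() {
  awk '{
    pfx = ""; src = ""
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^IN=/) pfx = $(i - 1)
      if ($i ~ /^SRC=/) src = substr($i, 5)
    }
    if (pfx != "" && src != "") count[pfx " " src]++
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

# fw_noisy_sources MIN: list sources with at least MIN BAD_INPUT hits, one
# IP per line, the format the commented-out BADIPS loop expects in
# /root/scripts/blocked.fw. Review the list before blocking anything; the
# default of 10 hits is an assumption, not a value from the script.
fw_noisy_sources() {
  awk -v min="${1:-10}" '
    /BAD_INPUT: / { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++ }
    END { for (s in hits) if (hits[s] >= min) print s }' | sort
}

# Demo on the constructed sample; on a live host pipe in the kernel log instead.
printf '%s\n' "$FW_LOG_SAMPLE" | fw_log_summary
printf '%s\n' "$FW_LOG_SAMPLE" | fw_noisy_sources 2
```

The ULOG rule for SSH and MySQL SYNs is not covered here, since ulogd writes those records elsewhere rather than to the kernel log.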