SHAREOLITE

How to Configure Static Ethernet Routes in Linux

In this post, we show you how to configure static routes for LAN Ethernet interfaces on a Red Hat Linux platform. This can be achieved using either of the two procedures explained below.


• Procedure 1


Step 1
Log in as the root user and open the route file for the interface (eth0 here):
vim /etc/sysconfig/network-scripts/route-eth0

Step 2
Add lines with the destination address, netmask and gateway for each route, then save the file.
ADDRESS0=10.30.10.108
NETMASK0=255.255.255.255
GATEWAY0=10.30.19.254

ADDRESS1=10.30.10.109
NETMASK1=255.255.255.255
GATEWAY1=10.30.19.1

Step 3
As the root user, restart the network service:
service network restart


Verify that the routes exist after the restart by running either of these commands as root:
route
netstat -nr


• Procedure 2


Step 1:

Run the command below as the root user to view the existing routes:

[root@shareolite ~]# ip route show
10.2.10.5 via 10.2.10.17 dev eth3
10.2.10.5 via 10.2.10.17 dev eth1
10.1.4.195 via 80.4.6.254 dev eth0
10.2.10.6 via 10.2.18.17 dev eth3
10.2.10.6 via 10.2.17.17 dev eth1
10.2.3.10 via 10.2.18.17 dev eth3
10.2.3.10 via 10.2.17.17 dev eth1
10.2.3.26 via 10.2.18.17 dev eth3
10.2.3.26 via 10.2.17.17 dev eth1
10.2.18.16/29 dev eth3  proto kernel  scope link  src 10.2.18.18
10.2.17.16/29 dev eth1  proto kernel  scope link  src 10.2.17.18
169.254.0.0/16 dev eth3  scope link
192.0.0.0/8 dev eth0  proto kernel  scope link  src 192.2.75.17
default via 203.116.219.111 dev eth2

Now, say you want to create static routes for eth3: run the command below, filtering the output for eth3.

[root@shareolite ~]# ip route show |grep eth3
10.2.10.5 via 10.2.10.17 dev eth3
10.2.10.6 via 10.2.18.17 dev eth3
10.2.3.10 via 10.2.18.17 dev eth3
10.2.3.26 via 10.2.18.17 dev eth3
10.2.18.16/29 dev eth3  proto kernel  scope link  src 10.2.18.18
169.254.0.0/16 dev eth3  scope link


Step 2:

vim /etc/sysconfig/network-scripts/route-eth3
Copy the lines displayed above into this file and save it.


Step 3:

Run the command
service network restart

Verify that the routes exist after the restart by running either of these commands as root:
route
netstat -nr
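An added example, not part of the original post: a small shell helper that does Step 2 of Procedure 2 mechanically, turning `ip route show` output into route-eth3 entries in the ip-command format while keeping only the static "via" routes. The connected routes ("proto kernel scope link") and the 169.254.0.0/16 link-local route are created automatically when the interface comes up, and the default route belongs in ifcfg-<iface> (GATEWAY=) or /etc/sysconfig/network, so copying those lines into the route file only duplicates them. The sample input is the output shown in Step 1, embedded so the script runs without touching the live routing table.

```shell
#!/bin/sh
# Added example, not from the original post. Turn `ip route show` output
# into the body of a route-<iface> file (ip-command format), keeping only
# the static "via" routes for that interface. Connected routes
# ("proto kernel scope link"), the 169.254.0.0/16 link-local route and the
# default route are deliberately not copied (see the lead-in).
# Usage: ip route show | static_routes_for eth3 > route-eth3
static_routes_for() {
    awk -v dev="$1" '
        $1 != "default" && $2 == "via" && $4 == "dev" && $5 == dev {
            print $1, "via", $3, "dev", dev
        }'
}

# Constructed sample: the `ip route show` output from Step 1 above,
# embedded so the script runs offline.
SAMPLE_IP_ROUTE='10.2.10.5 via 10.2.10.17 dev eth3
10.2.10.5 via 10.2.10.17 dev eth1
10.1.4.195 via 80.4.6.254 dev eth0
10.2.10.6 via 10.2.18.17 dev eth3
10.2.10.6 via 10.2.17.17 dev eth1
10.2.3.10 via 10.2.18.17 dev eth3
10.2.3.10 via 10.2.17.17 dev eth1
10.2.3.26 via 10.2.18.17 dev eth3
10.2.3.26 via 10.2.17.17 dev eth1
10.2.18.16/29 dev eth3  proto kernel  scope link  src 10.2.18.18
10.2.17.16/29 dev eth1  proto kernel  scope link  src 10.2.17.18
169.254.0.0/16 dev eth3  scope link
192.0.0.0/8 dev eth0  proto kernel  scope link  src 192.2.75.17
default via 203.116.219.111 dev eth2'

# Route file body for eth3 built from the sample above (4 static routes).
sample_route_eth3() {
    printf '%s\n' "$SAMPLE_IP_ROUTE" | static_routes_for eth3
}

sample_route_eth3
```

Redirect the output to /etc/sysconfig/network-scripts/route-eth3 as root, then restart the network service as in Step 3.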


Hope this helps some techies.

How to restrict MySQL remote access

In this post we show you how to restrict remote access to a MySQL database, i.e. to allow database connections only from specific hosts or IPs. This may be required if you are defining a security policy for your database and want to restrict access to a few known hosts only. The example uses a MySQL database installed on a Red Hat Linux server.

Method 1 - Using MySQL's built-in host-based access restriction

In MySQL, the permissions granted when a database user is created determine where that user may connect from. For example, when a user is created as follows:

[root@shareolite ~]# mysql -u root -p
mysql> use mysql;
mysql> CREATE USER 'shareolite'@'localhost' IDENTIFIED BY 'shareo123';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'shareolite'@'localhost'  identified by 'shareo123' WITH GRANT OPTION;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'shareolite'@'%'  identified by 'shareo123' WITH GRANT OPTION;
mysql> select Host,User,Password from user;
+-----------+------------+-------------------------------------------+
| Host      | User       | Password                                  |
+-----------+------------+-------------------------------------------+
| localhost | root       | *2632CF75CFB8987B429348FA90905C86DF24D0A7 |
| 127.0.0.1 | root       | *2632CF75CFB8987B429348FA90905C86DF24D0A7 |
| %         | shareolite | *7BC3D850E05DE3C76AA3028CD5D41C5D145CC03F |
| localhost | shareolite | *7BC3D850E05DE3C76AA3028CD5D41C5D145CC03F |
+-----------+------------+-------------------------------------------+

This user "shareolite" is allowed to connect from any remote host because the grant was made for the '%' host. To disable remote access and allow only localhost and a few known IPs or hostnames, for example 192.167.12.5 and shareolite.com, delete the '%' entry and grant permissions to the required hosts as shown below.

mysql> delete from user where Host='%' and User='shareolite';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'shareolite'@'localhost' identified by 'shareo123' WITH GRANT OPTION;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'shareolite'@'192.167.12.5' identified by 'shareo123' WITH GRANT OPTION;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'shareolite'@'shareolite.com' identified by 'shareo123' WITH GRANT OPTION;
mysql> flush privileges;

mysql> select Host,User,Password from user;
+----------------+------------+-------------------------------------------+
| Host           | User       | Password                                  |
+----------------+------------+-------------------------------------------+
| localhost      | root       | *2632CF75CFB8987B429348FA90905C86DF24D0A7 |
| 127.0.0.1      | root       | *2632CF75CFB8987B429348FA90905C86DF24D0A7 |
| 192.167.12.5   | shareolite | *7BC3D850E05DE3C76AA3028CD5D41C5D145CC03F |
| shareolite.com | shareolite | *7BC3D850E05DE3C76AA3028CD5D41C5D145CC03F |
| localhost      | shareolite | *7BC3D850E05DE3C76AA3028CD5D41C5D145CC03F |
+----------------+------------+-------------------------------------------+

Now only connections from localhost, 192.167.12.5 and shareolite.com should be allowed. All other hosts will get an "Access denied" error.

Method 2: Using the MySQL bind-address method

When starting the MySQL database process, the IP address on which MySQL listens for DB connections can be set with the bind-address= parameter; this can also be set in the my.cnf file. By default this line is commented out and MySQL accepts connections on all IPs of the system.

[root@shareolite ~]#  netstat -anpt |grep mysql
tcp        0      0 :::3306                     :::*                        LISTEN      25182/mysqld

If bind-address=127.0.0.1 is set, note the change below.

[root@shareolite ~]#  netstat -anpt |grep mysql
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN      29681/mysqld

This method is useful if you want to restrict DB connections to a single IP on a system with multiple IPs assigned to different Ethernet ports.


Method 3: Using iptables and firewalls

Using iptables or another firewall, restrict access to specific ports to specific hosts.

Sample iptables rules:

-A INPUT -s 192.167.12.5 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.167.12.4 -p tcp -m tcp --dport 3306 -j ACCEPT
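An added example, not from the original post, covering Method 1 and Method 3 together: one allow-list of hosts drives an audit of the mysql.user Host column for accounts still reachable from elsewhere, and generates the matching iptables rules for port 3306. The audit reads tab-separated "Host, User" rows as `mysql -N -B -e 'SELECT Host, User FROM mysql.user'` prints them; the sample rows are constructed from the two tables shown above, and 192.167.12.4 is taken from the sample rules.

```shell
#!/bin/sh
# Added example, not from the original post. One allow-list of hosts drives
# two layers: an audit of mysql.user host entries (Method 1) and matching
# iptables rules for port 3306 (Method 3).

# audit_mysql_hosts ALLOWED_HOST...  reads tab-separated "Host<TAB>User" rows
# (as from: mysql -N -B -e 'SELECT Host, User FROM mysql.user') and prints
# user@host for every account reachable from outside the allow-list. MySQL
# matches account hosts LIKE-style, so '%' and '_' are wildcards, and an empty
# host also means "any host"; both are flagged even if listed as allowed.
audit_mysql_hosts() {
    awk -F "$(printf '\t')" -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            host = $1; user = $2
            if (host == "" || host ~ /[%_]/ || !(host in ok)) print user "@" host
        }'
}

# mysql_iptables_rules ALLOWED_IP...  emits rules that admit TCP/3306 only from
# the listed addresses. ACCEPT rules alone restrict nothing: unless the INPUT
# chain already has a DROP policy, a closing DROP for the port is needed.
mysql_iptables_rules() {
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -p tcp -m tcp --dport 3306 -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport 3306 -j DROP"
}

# Constructed samples mirroring the two tables above: before and after the
# '%' entry for shareolite was removed.
USERS_BEFORE=$(printf 'localhost\troot\n127.0.0.1\troot\n%%\tshareolite\nlocalhost\tshareolite\n')
USERS_AFTER=$(printf 'localhost\troot\n127.0.0.1\troot\n192.167.12.5\tshareolite\nshareolite.com\tshareolite\nlocalhost\tshareolite\n')
ALLOWED='localhost 127.0.0.1 192.167.12.5 shareolite.com'

audit_before() { printf '%s\n' "$USERS_BEFORE" | audit_mysql_hosts $ALLOWED; }
audit_after()  { printf '%s\n' "$USERS_AFTER"  | audit_mysql_hosts $ALLOWED; }

echo "Reachable from outside the allow-list (before):"; audit_before
echo "Reachable from outside the allow-list (after):";  audit_after
mysql_iptables_rules 192.167.12.5 192.167.12.4
```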

How to solve ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock'


In this post, we share a few tips on how we solved the MySQL database error: ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock'.

We observed this error on a MySQL DB connection while all MySQL processes were running normally.

[root@shareolite ~]# mysql -u shareolite -pshareolite
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' 

However, when a hostname was given as below, the command worked with no errors.
[root@shareolite ~]# mysql -u shareolite -pshareolite -h 10.74.2.12

On further checks, we found that the file /tmp/mysql.sock was missing. After restarting the MySQL processes, the file was created again. We then started wondering what had caused this.

Later, we found that this is caused by the default Red Hat Linux cron.daily job, which runs the tmpwatch utility to delete old files from the /tmp folder periodically. In our case the age threshold was 10 days. Below is the cron.daily file that was cleaning the /tmp and /var/tmp directories.

[root@shareolite ~]# cat /etc/cron.daily/tmpwatch
#! /bin/sh
flags=-umc
/usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \
        -x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix \
        -X '/tmp/hsperfdata_*' 10d /tmp
/usr/sbin/tmpwatch "$flags" 30d /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
        /usr/sbin/tmpwatch "$flags" -f 30d "$d"
    fi
done

After you install MySQL using the standard default procedure, the socket file is usually stored at /tmp/mysql.sock. This error can be permanently avoided by adding an entry to your my.cnf configuration file as shown below, pointing the socket file to a directory other than /tmp or /var/tmp.

socket=/var/lib/mysql/mysql.sock

Hope this helps.
