Forward ports in Ubuntu Server 12.04 using ufw

We needed to forward port 3307 to port 3306 to get around a new company-wide firewall restriction blocking access to port 3306 (our MySQL server). It was a pain to find how to get port forwarding working in Ubuntu Server 12.04, which uses “ufw” as a front end to “iptables”. I couldn’t get it working without specifically forwarding to my IP, which I shouldn’t need to do (but at least it works).

This will forward port 3307 to 3306 so you can connect to your.ip.add.ress:3307 and have it automatically connect to a server (such as MySQL) on port 3306.

To do this you need “ufw” to be enabled, which you can check with “sudo ufw status”.

Make sure the ports you need are allowed:

sudo ufw allow 3307

Now open up “/etc/ufw/before.rules”:

sudo nano /etc/ufw/before.rules

Go to the bottom of the file and put:

# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp -d your.ip.add.ress --dport 3307 -j DNAT --to-destination your.ip.add.ress:3306
COMMIT

Restart “ufw” to make sure everything worked OK:

sudo ufw disable
sudo ufw enable

Now when you connect to port 3307 it will forward to 3306.
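The steps above, as an added example that is not part of the original post: a small shell function (name and argument order are my own) that appends the nat-table block to a before.rules file only when the DNAT rule is not already present, so re-running it does not stack duplicate *nat sections.

```shell
# Added example (not from the original post). Assumed usage:
#   add_ufw_dnat /etc/ufw/before.rules eth0 your.ip.add.ress 3307 3306
# Appends the same "*nat ... COMMIT" block the post describes, at the end of
# the file, unless a matching PREROUTING DNAT rule is already there.
add_ufw_dnat() {
    rules_file=$1; iface=$2; addr=$3; from_port=$4; to_port=$5
    rule="-A PREROUTING -i $iface -p tcp -m tcp -d $addr --dport $from_port -j DNAT --to-destination $addr:$to_port"

    # Idempotency check: a second run must not add a second *nat table.
    if grep -qF -- "$rule" "$rules_file" 2>/dev/null; then
        echo "rule already present in $rules_file"
        return 0
    fi

    # ufw loads each table block up to its COMMIT, so the block goes after the
    # existing *filter section at the bottom of the file.
    printf '\n# nat Table rules\n*nat\n:PREROUTING ACCEPT [0:0]\n%s\nCOMMIT\n' "$rule" >> "$rules_file"
    echo "added DNAT $from_port -> $to_port on $iface to $rules_file"
}

# After 'sudo ufw disable && sudo ufw enable', confirm the kernel really has the
# rule loaded (requires root):
#   sudo iptables -t nat -S PREROUTING
```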

Fix iptables error “Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]” in XenServer 6 (and others)

As part of setting up and testing routing rules in XenServer 6 I used the built-in “lokkit” tool to temporarily turn off the firewall. Unfortunately, just opening the tool overwrote our custom “/etc/sysconfig/iptables” rules and cleared the file. This wasn’t a huge problem as we had a backup and just recreated it (you shouldn’t really be editing iptables manually anyway). On restarting iptables using “/etc/init.d/iptables restart” we received the error:

Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]

This is very easy to fix and is due to a setting in “/etc/sysconfig/iptables-config” which was set by “lokkit” by default. The issue is that iptables is trying to load the “ip_conntrack_netbios_ns” kernel module, which doesn’t exist by default in XenServer (and other Linux distributions).

Find the following line at the top of “/etc/sysconfig/iptables-config”:

IPTABLES_MODULES="ip_conntrack_netbios_ns"

And set to:

IPTABLES_MODULES=""

A few people have said to also set “IPTABLES_MODULES_UNLOAD” to “no”:

IPTABLES_MODULES_UNLOAD="no"

But I found that “/etc/init.d/iptables restart” still failed, so I left it as “yes”. You may be able to set it to “no”, so try this first.

This will stop the missing kernel module being loaded and allow iptables to start properly.

If you get any other errors about loading modules when restarting iptables, check “/etc/sysconfig/iptables-config” isn’t trying to load something in “IPTABLES_MODULES=” that you don’t have installed.
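The check in the last paragraph, as an added example that is not part of the original post: a shell function (my own name and arguments) that reads IPTABLES_MODULES from an iptables-config file and reports every listed module that has no .ko file under the running kernel's module tree, which is exactly the situation behind the [FAILED] message.

```shell
# Added example (not from the original post). Assumed usage:
#   check_iptables_modules /etc/sysconfig/iptables-config
# The optional second argument overrides the module directory (defaults to
# /lib/modules/$(uname -r)) so the function can be exercised against a test tree.
check_iptables_modules() {
    cfg=$1
    moddir=${2:-/lib/modules/$(uname -r)}

    # Take the value of IPTABLES_MODULES=..., drop any trailing comment, and turn
    # quotes (straight or curly, as they often are after copy/paste) into spaces
    # so only module names remain.
    mods=$(sed -n 's/^IPTABLES_MODULES=\([^#]*\).*/\1/p' "$cfg" | tr -c 'A-Za-z0-9_ \n' ' ')

    missing=""
    for m in $mods; do
        # Modules may be stored compressed (.ko.xz, .ko.gz), hence the glob.
        if [ -z "$(find "$moddir" -name "$m.ko*" 2>/dev/null | head -n 1)" ]; then
            missing="$missing $m"
        fi
    done

    if [ -n "$missing" ]; then
        echo "missing modules:$missing"
        return 1
    fi
    echo "all listed modules present"
    return 0
}
```

Anything it reports as missing is a name to remove from IPTABLES_MODULES before restarting iptables.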

Set Linux Firewall Rules for a Range of IP Addresses using Webmin

Network address ranges are set slightly differently to standard wildcards. For example, to describe a range of IP addresses from 192.168.0.1 to 192.168.255.255 you use:

192.168.0.0/16

Where 16 describes the number of bits in the IP address that are used for comparison. In this case the 16 describes the first 2 bytes of the address: 192.168. You can read more about IP addressing at Rhyshaden’s Data Network Resource (and various other places).
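What the “/16” comparison actually does, as an added example that is not part of the original post: both addresses are turned into 32-bit integers and only the top 16 bits are compared. The functions (my own names) take any prefix length, not just /16, so the same check works for a /24 or /8.

```shell
# Added example (not from the original post). Assumed usage:
#   in_cidr 192.168.37.5 192.168.0.0/16    -> prints 1 (inside the range)
#   in_cidr 192.169.0.1  192.168.0.0/16    -> prints 0 (outside)

# Dotted quad -> 32-bit integer, e.g. 192.168.0.0 -> 3232235520
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print 1 if $1 is inside the network $2 (written as address/bits), else 0.
in_cidr() {
    addr=$1
    net=${2%/*}     # e.g. 192.168.0.0
    bits=${2#*/}    # e.g. 16

    # The mask keeps the first $bits bits and zeroes the rest; /0 matches everything.
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi

    # Only the masked (network) part of each address is compared.
    if [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
        echo 1
    else
        echo 0
    fi
}
```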

To set your Linux firewall up in Webmin to use a range of IP addresses, just use the wildcard notation above. So in Webmin – Networking – Linux Firewall, when you are editing a rule in iptables you can put in 192.168.0.0/16 to describe a range of IPs (e.g. in the “source address or network” field to restrict access to a certain IP range). Manually setting these rules is more tricky, but there are resources out there like Linux Home Networking and the Easy Firewall Generator to help. We just used Webmin as it makes this kind of work very easy indeed.

Copy VMWare Server virtual servers (Ubuntu) between physical machines, avoid locking errors and fix missing eth0

I needed to copy a virtual Ubuntu Server install from our backup store to a new physical server (server A) as our old server (server B) suffered a major failure and wouldn’t even boot. This meant copying the whole VMWare directory containing the Ubuntu virtual machine from the backup store (a USB hard drive in this case) to the new physical server (server A). I had installed the free VMWare Server on both server B and A so that if anything happened to server B I would be able to get up and running quickly on server A.

Note: I am assuming you can install and configure VMWare Server for Windows, which is what I’m using here.

Once I copied the whole directory from the backup store to server A’s VMWare directory (in this case c:\vmware) I then used the VMWare web interface to “Virtual Machine – Add Virtual Machine to Inventory” which allowed me to select the .vmx file in my datastore that corresponded to my copied Ubuntu virtual machine.

On trying to start the virtual machine I get a warning message and a choice:

msg.uuid.altered: This virtual machine may have been moved or copied. In order to configure certain management and networking features VMware Server needs to know which. Did you move this virtual machine, or did you copy it? If you don’t know, answer “I copied it”.

I select “I copied it” and then click “ok”, which then brings up an error:

“Power On Virtual Machine” failed to complete

If these problems persist, please contact your system administrator.
Cannot open the disk ‘C:\vmware\VIRTUALSERVERNAME\VIRTUALSERVERNAME.vmdk’ or one of the snapshot disks it depends on. Reason: Failed to lock the file.

OK, so it seems that because I copied the virtual server from the backup store it also included the .lck directories, which are used while the server is running. The simple fix is to delete these directories in C:\vmware\VIRTUALSERVERNAME and allow VMWare Server to rebuild them. Once I had deleted the two directories “VIRTUALSERVERNAME.vmdk.lck” and “VIRTUALSERVERNAME.vmem.lck” I could start the virtual machine.

I then ran into another problem, which was that my network interface eth0 was not being set up correctly even with VMWare Server set to use “Bridged” networking, which worked on the old server. Running “ifconfig -a” showed that eth0 wasn’t there and it didn’t have the static IP I had given it previously in “/etc/network/interfaces”. The loopback interface, lo, was there but not eth0.

Orzeszek has an easy solution for this, which is to delete the “/etc/udev/rules.d/70-persistent-net.rules” file and “sudo reboot” to allow Ubuntu to rebuild the file with the correct MAC address, set up by VMWare Server when we originally added the virtual machine to the inventory. Now everything should be working perfectly.

Some people have reported other errors, which can be fixed by changing the name of eth0 in “/etc/network/interfaces” to eth1, which I didn’t need to do but you might.