Category Archives: :: Solution Snippets ::

TCP/IP Outbound round-robin load balancing with iptables

In reference to the solution article Iptables TCP/IP outbound syn rate limit, this guide touches on the same genre, that about controlling your outbound traffic rate.

Sometimes it is required that you load-balance your outbound connections over multiple IP’s on your system using iptables.
For example, say you have the following IP’s configured on your server:

The first outbound TCP/IP connection should use as the source, the second connection should use as the source, the third should use and so on. This is especially useful with bulk mailing services, where you need to send thousands of emails over multiple IP’s as some email service providers place a limit on the amount of emails you can send to them within a certain time frame from one source IP. With TCP/IP outbound round-robin, you can send many more emails at the same time from the same system, each time pretending to come from a different source.

To setup, run the following commands:

iptables -t nat -A POSTROUTING -m state --state NEW -m statistic --mode nth --every 1 -j SNAT --to-source
iptables -t nat -A POSTROUTING -m state --state NEW -m statistic --mode nth --every 1 -j SNAT --to-source
iptables -t nat -A POSTROUTING -m state --state NEW -m statistic --mode nth --every 1 -j SNAT --to-source

Repeat each line for every static IP configured on your system (hundreds even!).… Read the rest

X11 connection rejected because of wrong authentication

SSH does not allow the forwarding of X11 credentials onto a second user. For example, when connecting as user1 and you su – to another used (eg: user2), and you try to launch an X application, you will get the following error:

myhost ~ # virt-manager
X11 connection rejected because of wrong authentication.
Traceback (most recent call last):
File "/usr/share/virt-manager/", line 383, in <module>
File "/usr/share/virt-manager/", line 286, in main
raise gtk_error
RuntimeError: could not open display

To fix this problem, you need to do the following:

echo "export XAUTHORITY=/home/myUserNameHere/.Xauthority" >> ~/.bash_profile

Substitude myUserNameHere with your own. You will do this for the user that you use to log on to the system with SSH. Log out, then back in again, and now when you su – to the second user you should be able to launch your X11 application 🙂… Read the rest

Upgrading Dell firmware

One of the few maintenance tasks often neglected by system administrators, is that of upgrading server firmware. Whether that be BIOS, Network cards, RAID or any other firmware, these subsystems might never see an update during the life time of a server.

Luckily, Dell makes this very easy under Red Hat / Centos. Here are the steps:

wget -q -O – | bash
yum -y install firmware-tools.noarch
yum -y install $(bootstrap_firmware)
update_firmware –yes

You might need to apply the last three steps a few times between reboots, as not all firmware is applied in the same go.
Also, you need to reboot your machine. No cold boot, shutdown, poweroff etc, just a nice warm reboot 🙂… Read the rest

Iptables TCP/IP outbound syn rate limit

Sometimes it is necessary to limit the outbound TCP/IP connections to a value that you can control. In this specific example, allow up to 60 connections per second on port 25 with an optional burst of 30. This is useful especially on mail servers experiencing an extremely high load spike in which case you will want to control the outgoing flow.

iptables -N syn_flood
iptables -A OUTPUT -p tcp –syn –dport 25 -j syn_flood
iptables -A syn_flood -m limit –limit 60/m –limit-burst 30 -j RETURN
iptables -A syn_flood -j LOG –log-prefix “–dropped extra syn packet– “
iptables -A syn_flood -j DROP

Remember to save the firewall rules. On CentOS / Red Hat based systems:

service iptables save… Read the rest

JBoss 7.1.x and httpd with mod_cluster




mod_cluster boasts the following advantages over other httpd-based load balancers:

  •  Dynamic configuration of httpd workers:

Traditional httpd-based load balancers require explicit configuration of the workers available to a proxy. In mod_cluster, the bulk of the proxy’s configuration resides on the application servers. The set of proxies to which an application server will communicate is determined either by a static list or using dynamic discovery via the advertise mechanism. The application server relays lifecycle events (e.g. server startup/shutdown) to the proxies allowing them to effectively auto-configure themselves. Notably, the graceful shutdown of a server will not result in a fail over response by a proxy, as is the case with traditional httpd-based load balancers.

  • Server-side load balance factor calculation

In contrast with traditional httpd-based load balancers, mod_cluster uses load balance factors calculated and provided by the application servers, rather than computing these in the proxy. Consequently, mod_cluster offers a more robust and accurate set of load metrics than is available from the proxy.

  • Fine grained web-app lifecycle control

Traditional httpd-based load balancers do not handle web application undeployments particularly well. From the proxy’s perspective requests to an undeployed web application are indistinguishable from a request for an non-existent resource, and will result in 404 errors.… Read the rest