Apache2 and subversion (DAV-SVN)
<Location /~joe/svn>
DAV svn
SVNParentPath /path/to/subversion
SVNIndexXSLT "/~joe/svnstyle.xsl"
AuthType Basic
AuthName "Joe's subversion repository"
AuthUserFile /path/to/htpasswd
Require user joe
</Location>
The configuration is mostly self-explanatory: the first lines enable Subversion over DAV (SVNIndexXSLT only styles the directory listings), the last lines restrict access to user joe with HTTP Basic authentication. Basic auth sends the password merely base64-encoded, so this location should be served over SSL (see the next section).
Apache2 SSL
1. Create a server certificate
apache2-ssl-certificate
2. Create a new server configuration under apache2/sites-available
# LoadModule is only valid at server level, not inside <VirtualHost>
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot /var/swww
SSLEngine on
# cipher string as originally written; +LOW, +SSLv2, +EXP and +eNULL keep weak and even unencrypted suites enabled
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# no SSLCertificateKeyFile is given, so apache.pem must contain the private key as well as the certificate
SSLCertificateFile /etc/apache2/ssl/apache.pem
ErrorLog /var/log/apache2/ssl_error.log
</VirtualHost>
3. Enable the new site
cd /etc/apache2/sites-enabled
ln -s ../sites-available/new-site-name
4. Restart apache2
/etc/init.d/apache2 restart
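The cipher string in step 2 still admits LOW, EXP (export), SSLv2 and eNULL (no encryption at all) suites. The following sh script is an added example, not part of these notes: it pulls the SSLCipherSuite value out of a configuration fragment, names the weak tokens the string still enables, and checks a hardened alternative next to it. HARDENED_SUITE, SAMPLE_CONF and the list of tokens treated as weak are this example's own choices, not anything the notes prescribe. Protocol versions are a separate knob (SSLProtocol, e.g. SSLProtocol all -SSLv2 -SSLv3); the cipher string alone does not disable them.

```sh
#!/bin/sh
# Added example: audit an SSLCipherSuite string for weak tokens.
# Not part of the original notes.

# The cipher string from the configuration above, and a hardened
# alternative chosen for this example
WEAK_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
HARDENED_SUITE='HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4'

# Constructed config fragment carrying the weak string
SAMPLE_CONF='<VirtualHost *:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>'

# Print the first SSLCipherSuite value found in a config text
config_cipher_suite() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]][[:space:]]*\(.*\)$/\1/p' \
      | head -n 1
}

# List the weak tokens a cipher string still admits. A leading '!' deletes
# a token permanently and '-' removes it (treated alike here, a
# simplification); '+' only reorders, so "+LOW" leaves LOW enabled. '+'
# also joins intersections such as RC4+RSA, so it is split on as well.
weak_tokens() {
    printf '%s\n' "$1" \
      | tr ':' '\n' \
      | grep -v '^[!-]' \
      | tr '+' '\n' \
      | grep -E '^(eNULL|aNULL|EXP|EXPORT[0-9]*|LOW|SSLv2|SSLv3|RC4|MD5)$' \
      | tr '\n' ' ' \
      | sed 's/ $//'
}

# Succeeds when the string enables none of the weak tokens
cipher_suite_ok() {
    [ -z "$(weak_tokens "$1")" ]
}

# Stand-alone usage: audit both strings and the config fragment
for suite in "$WEAK_SUITE" "$HARDENED_SUITE" "$(config_cipher_suite "$SAMPLE_CONF")"; do
    if cipher_suite_ok "$suite"; then
        echo "OK:   $suite"
    else
        echo "WEAK: $suite (enables: $(weak_tokens "$suite"))"
    fi
done
```

Run it against a real configuration by replacing SAMPLE_CONF with the file contents (for example "$(cat /etc/apache2/sites-available/new-site-name)"); a non-empty result from weak_tokens is the finding to act on.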
Full NAT on Linux with many connections
ip_conntrack: maximum limit of XXX entries exceeded
If you see this message in syslog, the conntrack table does not have enough entries for your environment. Connection tracking handles a fixed number of simultaneous connections by default; that number depends on your system's memory size (at 64MB: 4096, 128MB: 8192, ...).
You can easily increase the maximum number of tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!
To increase this limit to e.g. 8192, type:
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
To optimize performance, also raise the number of hash buckets with the hashsize load-time parameter of the ip_conntrack.o module. Note that, due to the nature of the current hashing algorithm, an even hash bucket count (and especially a power of two) is a bad choice. Example (with 1023 buckets):
modprobe ip_conntrack hashsize=1023
Note: the conntrack table gets congested by connections between other computers when the lan interface is in promiscuous mode (e.g. in a bridged configuration). Apply a filter.
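To put the sizing rules above into practice, here is an added sh example (not part of the original notes) that spots the overflow message in a constructed syslog excerpt, reads the limit the kernel reported, works out the kernel memory a larger table costs at the ~350 bytes per entry quoted above, and picks an odd hashsize. The sample log lines are made up for this example, and the 1:8 ratio between ip_conntrack_max and hashsize is this example's assumption (it happens to reproduce the 8192/1023 pair from the notes).

```sh
#!/bin/sh
# Added example: triage helpers for the conntrack overflow message and the
# sizing rules described in the notes. Not part of the original notes.

# Constructed syslog excerpt (made up for this example)
SAMPLE_LOG='Mar  3 10:12:01 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
Mar  3 10:12:05 gw sshd[1234]: Accepted publickey for joe from 192.168.1.5 port 51234 ssh2
Mar  3 10:12:09 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded'

# How many times the conntrack table overflowed in the excerpt
count_conntrack_overflows() {
    printf '%s\n' "$1" \
      | grep -c 'ip_conntrack: maximum limit of [0-9][0-9]* entries exceeded'
}

# The limit the kernel reported in the first overflow message
overflow_limit() {
    printf '%s\n' "$1" \
      | sed -n 's/.*maximum limit of \([0-9][0-9]*\) entries exceeded.*/\1/p' \
      | head -n 1
}

# Non-swappable kernel memory, in KiB, that N tracked connections cost
# at the ~350 bytes per entry quoted in the notes
conntrack_memory_kib() {
    echo $(( $1 * 350 / 1024 ))
}

# Largest odd bucket count not exceeding max_entries/8. The notes want an
# odd, non-power-of-two hashsize; the 1:8 ratio is this example's assumption.
suggest_hashsize() {
    n=$(( $1 / 8 ))
    if [ $(( n % 2 )) -eq 0 ]; then
        n=$(( n - 1 ))
    fi
    echo "$n"
}

# Stand-alone usage: report on the sample and print the commands to run
if [ "$(count_conntrack_overflows "$SAMPLE_LOG")" -gt 0 ]; then
    limit=$(overflow_limit "$SAMPLE_LOG")
    new_limit=$(( limit * 2 ))
    echo "conntrack table of $limit entries overflowed; doubling to $new_limit"
    echo "  costs about $(conntrack_memory_kib "$new_limit") KiB of kernel memory"
    echo "  echo $new_limit > /proc/sys/net/ipv4/ip_conntrack_max"
    echo "  modprobe ip_conntrack hashsize=$(suggest_hashsize "$new_limit")"
fi
```

Feed it the real syslog (for example "$(grep ip_conntrack /var/log/syslog)") instead of SAMPLE_LOG; the printed commands are suggestions to review, not applied automatically.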
Routing SSH from LAN to Dial-Up (Masquerade)
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -p tcp --dport 22 -o ppp0 -j MASQUERADE
iptables port forwarding on dial-up connection
- First, enable IP forwarding (obviously)
- Then we change the DESTINATION of packets coming in on ppp0 (DNAT in PREROUTING) to the internal server
- The SOURCE of those packets still points to some computer on the internet, so it is rewritten to the gateway's address as well (SNAT in POSTROUTING); that way the server's replies go back through the gateway, where the translation is reversed
#!/bin/sh
IF=ppp0
IPT=iptables
IPTNAT="$IPT -t nat -A"
PORT=63392
SERVER=insert_ip_here   # LAN host that should receive the forwarded port
GW=insert_ip_here       # LAN address of this gateway
# refuse to load rules while the placeholders above are still in place
case "$SERVER$GW" in
  *insert_ip_here*) echo "set SERVER and GW first" >&2; exit 1 ;;
esac
echo "Activating forwarding... beware!"
echo "1" > /proc/sys/net/ipv4/ip_forward
# uncomment to start from an empty nat table
#$IPT --flush -t nat
# packets coming in from $IF are routed to $SERVER
$IPTNAT PREROUTING -p tcp --dport $PORT -i $IF -j DNAT --to $SERVER:$PORT
$IPTNAT PREROUTING -p udp --dport $PORT -i $IF -j DNAT --to $SERVER:$PORT
# before leaving, those packets are modified to look as if they came
# from $GW, so the return packets from $SERVER find their way back to $GW
$IPTNAT POSTROUTING -p tcp --dport $PORT -d $SERVER -j SNAT --to $GW
$IPTNAT POSTROUTING -p udp --dport $PORT -d $SERVER -j SNAT --to $GW
# show the resulting nat table
$IPT -L -t nat -vn