Hadyai Internet R&D LAB

Knowledge base => Server => Linux Server System => Topic started by: admin on 26 May 2008, 07:19:39

Topic: Ubuntu 8.04
Started by: admin on 26 May 2008, 07:19:39
(http://www.hadyaiinternet.com/images/ubuntu.jpg)

After trying out Ubuntu 8.04 Server:

It detects the LAN card on the P5GC board without installing an extra driver.
cacti installs without errors, and the guest-user bug has been fixed.


Many bugs have been fixed, and the kernel has gained capabilities.


Example

(http://www.hadyaiinternet.com/images/phpsysinfo2.jpg)

It can see the Gigabit LAN card without installing an extra driver.
Topic: Re: Ubuntu 8.04
Started by: admin on 29 May 2008, 11:09:19
(http://www.hadyaiinternet.com/images/phpsysinfo.jpg)

Installing software for an internet cafe server

During installation I selected DNS, LAMP, OpenSSH, and Samba.

After installing, download the additional packages that are needed:

apt-get install build-essential
apt-get source linux-source-2.6.24

apt-get install squid
apt-get install frox
apt-get install dhcp3-server
apt-get install snmpd
apt-get install cacti
apt-get install no-ip
apt-get install netstat-nat
apt-get install traceroute
apt-get install whois

For webmin you have to download the .deb from

http://jaist.dl.sourceforge.net/sourceforge/webadmin/webmin_1.420_all.deb

(as of 29/05/2551 the latest is version 1.420)
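The webmin .deb above is fetched over plain HTTP from a SourceForge mirror, so a practitioner would check the file against a digest published by the Webmin project before dpkg -i runs. The script below is an added example, not part of the post; it assumes wget, dpkg-deb and GNU sha256sum (or shasum) are available, and the expected digest is passed in by the caller rather than hard-coded, since no digest appears on the page.

```shell
#!/bin/sh
# Added example (not from the forum post): download the Webmin .deb, verify its
# SHA-256 against a digest obtained out of band, sanity-check the package name,
# and only then install it. The digest is a caller-supplied parameter; none is
# embedded here because the page does not provide one.

WEBMIN_URL='http://jaist.dl.sourceforge.net/sourceforge/webadmin/webmin_1.420_all.deb'

# sha256_of FILE -> lowercase hex digest (GNU coreutils, with a shasum fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_file FILE EXPECTED_HEX -> exit status 0 on match, 1 on mismatch
verify_file() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# install_deb URL EXPECTED_HEX PKGNAME: fetch to a temp file, refuse to install
# on digest mismatch or if the control file names a different package.
install_deb() {
    url=$1; expected=$2; want=$3
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"; return 1
    fi
    if ! verify_file "$tmp" "$expected"; then
        echo "checksum mismatch for $url, not installing" >&2
        rm -f "$tmp"; return 1
    fi
    pkg=$(dpkg-deb --field "$tmp" Package)
    if [ "$pkg" != "$want" ]; then
        echo "unexpected package name '$pkg' (wanted $want)" >&2
        rm -f "$tmp"; return 1
    fi
    dpkg -i "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the server (digest taken from the Webmin project's release page):
#   install_deb "$WEBMIN_URL" <published-sha256-hex> webmin
```

If the mirror serves a tampered or truncated file, verify_file fails and nothing is handed to dpkg; the package-name check catches a mirror that returns the wrong archive under the expected filename.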
Topic: Re: Ubuntu 8.04
Started by: admin on 10 June 2008, 19:19:08
Updated kernel 2.6.24 to 2.6.24, adding pom from Netfilter in order to do Multi-WAN and Block bit.

iptables features added by pom:

Ref: http://www.netfilter.org/projects/patch-o-matic/pom-external.html

patch-o-matic external repository
ACCOUNT IPMARK condition connlimit geoip ipp2p pknock time

ACCOUNT
Author: Intra2net AG <opensource@intra2net.com> 
Status: Stable


This patch adds the ACCOUNT target

The ACCOUNT target is a high performance accounting system for local networks.
It takes two parameters: --addr network/netmask and --tname NAME.

--addr is the subnet which is accounted for
--tname is the table name where the information is stored

The data can be queried later using the libipt_ACCOUNT userspace library
or by the "iptaccount" tool which is part of the libipt_ACCOUNT package.

A special subnet is "0.0.0.0/0": All data is stored in the src_bytes
and src_packets structure of slot "0". This is useful if you want
to account the overall traffic to/from your internet provider.

For more information go to http://www.intra2net.com/de/produkte/opensource/ipt_account/




IPMARK - iptables IPMARK target
Author: Grzegorz Janoszka <Grzegorz@Janoszka.pl> 
Status: Stable


  This option adds an `IPMARK' target, which allows you to mark
  a received packet based on its IP address. This can replace even
  thousands of mangle/mark or tc entries with only one.

  This target is to be used inside the mangle table, in the PREROUTING,
  POSTROUTING or FORWARD hooks.

  IPMARK target options:
    --addr src/dst      Use source or destination IP address.
    --and-mask mask     Perform bitwise `and' on the IP address and this mask.
    --or-mask mask      Perform bitwise `or' on the IP address and this mask.

  The order of IP address bytes is reversed to meet "human order of bytes":
  192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
  `or'.

  Examples:

  We create a queue for each user; the queue number corresponds
  to the user's IP address, e.g. all packets going to/from 192.168.5.2
  are directed to queue 1:0502, 192.168.5.12 -> 1:050c, etc.


  Earlier we had thousands of tc filter rules:
  tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.2 flowid 1:502
  tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.3 flowid 1:503
  ...
  or thousands of MARK rules (with tc fw classifier):
  iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
    --set-mark 0x10502
  iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
    --set-mark 0x10503
  ...

  Using IPMARK target we can replace all the mangle/mark rules with ONLY ONE:
  iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
    --and-mask=0xffff --or-mask=0x10000
  and all previous tc filter classifier rules with ONLY ONE:
  tc filter add dev eth3 parent 1:0 protocol ip fw


  On routers with hundreds of users there should be a significant load
  decrease (e.g. halved).




condition
Author: Stephane Ouellette <ouellettes@videotron.ca> and Massimiliano Hofer <max@nucleus.it> 
Status: ItWorksForMe(tm)


This option allows you to match firewall rules against condition variables
stored in the /proc/net/nf_condition directory (on 2.6 kernels; see the note
below). Multiple rules can match on a single condition variable.

Example:
iptables -A INPUT -p tcp -m condition --condition web_ok --dport 80 -j ACCEPT

To allow this rule to match:
echo 1 > /proc/net/nf_condition/web_ok

To disable this rule:
echo 0 > /proc/net/nf_condition/web_ok

NB: it was /proc/net/ipt_condition on 2.4.





connlimit - iptables connlimit match
Author: Gerd Knorr <kraxel@bytesex.org> 
Status: ItWorksForMe[tm]


This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the number of parallel http connections to 16 per class C sized
# network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
   --connlimit-mask 24 -j REJECT




geoip - iptables geoip match
Author: Samuel Jean <peejix@people.netfilter.org>; Nicolas Bouliane <acidfu@people.netfilter.org> 
Status: Stable


This patch makes it possible to match a packet
by its source or destination country.

GeoIP options:
        [!]   --src-cc, --source-country country[,country,country,...]

                        Match packet coming from (one of)
                        the specified country(ies)


        [!]   --dst-cc, --destination-country country[,country,country,...]
                                             
                        Match packet going to (one of)
                        the specified country(ies)

           NOTE: The country is given by its ISO 3166 code.

The only extra files you need are a binary db (geoipdb.bin) and its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.




ipp2p - Detects some P2P packets
Author: Eicke Friedrich <ipp2p@ipp2p.org> 
Status: Stable


This option makes it possible to match some P2P packets and
therefore helps control such traffic. Dropping all
matches blocks P2P networks. Combined with conntrack,
CONNMARK and a packet scheduler it can be used for
accounting or shaping of P2P traffic.

Examples:
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP




pknock - netfilter match for Port Knocking and SPA
Author: J. Federico Hernandez Scarso <fede.hernandez@gmail.com>; Luis A. Floreani <luis.floreani@gmail.com> 
Status: Stable


This patch allows you to implement Port Knocking and SPA (Simple Packet
Authentication) in kernel space.

pknock options:

   --knockports port[,port,port,...]   Matches destination port(s).
   --time seconds
   --t seconds            Time between port match.
   --opensecret [secret]         hmac must be in the packets.
   --closesecret [secret]
   --strict            Knocks sequence must be exact.
   --name [rule_name]         Rule name.
   --checkip            Matches if the source ip is in the list.
   --chkip


Example:

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW             \
   -m pknock --knockports 3000,2000,5000 --time 10 --name SSH    \
   -m tcp --dport 22 -j ACCEPT

For more information go to http://portknocko.berlios.de/




time - iptables ``time'' match
Author: Fabrice MARIE <fabrice@netfilter.org> 
Status: Works within its limitations


This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).

Supported options are:
[ --timestart value ]
    Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).

[ --timestop  value ]
    Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).

[ --days listofdays ]
    Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)

[ --datestart date ]
    Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    h,m,s start from 0 ; default to 1970)

[ --datestop date ]
    Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    h,m,s start from 0 ; default to 2037)

Example:
  -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
  will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
  to Friday.

  -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon --datestop 2010
  will match the packets (locally generated) that have a departure timestamp
  in the range 8:00->18:00 on Monday only, until 2010.

NOTE: the time match does not track changes in daylight saving time.
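As an added example (not part of the post, nor of the netfilter pom text quoted above), the shell functions below reproduce the IPMARK and-mask/or-mask arithmetic so that the fwmark and tc classid each client will land in can be checked offline, before the patched kernel is in place. They also generate the per-client tc classes that the fw classifier still needs: IPMARK replaces the thousands of per-client filter or MARK rules, but a mark whose class does not exist is simply not shaped. The interface name eth3, the 512kbit rate and the two client addresses are assumed values.

```shell
#!/bin/sh
# Added example (not from the forum post or the netfilter pom text): check the
# IPMARK mark arithmetic offline and print the tc/iptables commands for a set of
# clients. Nothing here needs the ipt_IPMARK module; the output is only printed.

# ip2hex ADDR -> the 32-bit word IPMARK operates on ("human" byte order),
# e.g. 192.168.0.1 -> 0xc0a80001
ip2hex() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    printf '0x%08x\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ipmark ADDR AND_MASK OR_MASK -> the mark IPMARK would set:
# the bitwise AND is applied first, then the bitwise OR (same order as the module)
ipmark() {
    word=$(ip2hex "$1")
    printf '0x%x\n' $(( ($word & $2) | $3 ))
}

# classid_for ADDR -> the "1:XXXX" classid the fw classifier selects for a mark
# produced with --and-mask=0xffff --or-mask=0x10000 (major 1, minor = low 16 bits)
classid_for() {
    mark=$(ipmark "$1" 0xffff 0x10000)
    printf '1:%04x\n' $(( $mark & 0xffff ))
}

# emit_ruleset DEV RATE ADDR... -> prints (does not execute) the commands:
# one htb class per client, the single IPMARK rule, the single fw filter.
emit_ruleset() {
    dev=$1; rate=$2; shift 2
    echo "tc qdisc add dev $dev root handle 1: htb"
    for ip in "$@"; do
        echo "tc class add dev $dev parent 1: classid $(classid_for "$ip") htb rate $rate"
    done
    echo "iptables -t mangle -A POSTROUTING -o $dev -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x10000"
    echo "tc filter add dev $dev parent 1:0 protocol ip fw"
}

# Assumed values: interface eth3, 512kbit per client, two constructed clients.
# Review the printed commands, then pipe them to sh on a host running the patched kernel.
emit_ruleset eth3 512kbit 192.168.5.2 192.168.5.12
```

For 192.168.5.12 the functions give mark 0x1050c and classid 1:050c, matching the mapping described above; the emitted class list is what keeps that mark from falling through the fw classifier unclassified.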