Thursday, January 28, 2010

Apple iPad announced

Apple has finally announced the Apple iPad tablet. Now that Apple has become the world's number-one mobile vendor, let's see whether the iPad can be just as successful!

Friday, January 22, 2010

The power of awk

Use awk to find which system accounts have bash as their default shell, and count how many there are.
[root@centos bin]# awk -F: 'BEGIN{count=0};/bash/{count++}/bash/{print $1};END{print "TOTAL="count}' /etc/passwd
root
u1
u2
law
mysql
TOTAL=5
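The one-liner above matches "bash" anywhere in the line, so a user named bashir or a home directory containing "bash" would be counted too. This added example (not from the original post) matches the login-shell field exactly and keeps the same TOTAL=n output; the /etc/passwd contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper around the one-liner above
# that matches the login-shell field ($7) exactly instead of the whole line, so a
# user named "bashir" or a home directory containing "bash" is not counted.

# Constructed /etc/passwd sample (not from a real system).
PASSWD=$(mktemp)
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bashir:x:500:500::/home/bashir:/bin/sh
u1:x:501:501::/home/u1:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
law:x:502:502::/home/law/bash-scripts:/bin/false
EOF

# The post's approach: any line mentioning the pattern counts. Prints TOTAL=n.
naive_count() {
    awk -F: -v pat="${2:-bash}" '$0 ~ pat { count++ } END { print "TOTAL=" count+0 }' "$1"
}

# Users whose login shell basename is $2 (default bash), then TOTAL=n.
users_with_shell() {
    awk -F: -v shell="${2:-bash}" '
        { n = split($7, parts, "/") }          # $7 is the login shell
        parts[n] == shell { print $1; count++ }
        END { print "TOTAL=" count+0 }' "$1"
}

# Only the number, for scripts that alert when the set of bash accounts changes.
count_shell() {
    users_with_shell "$1" "$2" | sed -n 's/^TOTAL=//p'
}

users_with_shell "$PASSWD"
```

On the sample file the naive match reports TOTAL=4 while the exact match reports TOTAL=2.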

Thursday, January 21, 2010

To set up IPSec in CentOS 5.4

This is a very condensed write-up of the configuration; for more detailed steps and explanations, consult the Openswan website.

Test Environment:
(172.17.1.100) IPSec VPN1 (10.12.95.3) ----- (10.12.95.2) IPSec VPN2 (172.17.2.100)

1. Install:
# yum install openswan*
2. Adjust kernel parameters via sysctl.conf:
Change the relevant kernel parameters so that ipsec verify does not report errors later.
# vi /etc/sysctl.conf
*********************************************************************
# example entries for /etc/sysctl.conf
# forwarding is needed for subnet or l2tp connections
net.ipv4.ip_forward = 1

# rp_filter is stupid and cannot deal decrypted packets "appearing out of
# nowhere"
net.ipv4.conf.default.rp_filter = 0

# when using 1 interface for two networks, and in some other cases with
# NETKEY, the kernel thinks it can be clever but breaks things.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# these are non-ipsec specific security policies you should use
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
*********************************************************************
# sysctl -p
3. Copy and edit the example configuration:
# cp /usr/share/doc/openswan-doc*/examples /etc/ipsec.d/hosttohost.conf
# vi /etc/hosttohost.conf
*********************************************************************
# sample connections
# This file is RCSID $Id: examples,v 1.5 1999/12/13 02:38:16 henry Exp $

# sample tunnel (manually or automatically keyed)
# Here we just use ESP for both encryption and authentication, which is
# the simplest and often the best method.
conn sample
        # left security gateway (public-network address)
        left=10.12.95.3
        # next hop to reach right
        #leftnexthop=10.44.55.66
        # subnet behind left (omit if left end of the tunnel is just the s.g.)
        leftsubnet=172.17.1.0/24
        # right s.g., subnet behind it, and next hop to reach left
        right=10.12.95.2
        #rightnexthop=10.88.77.66
        rightsubnet=172.17.2.0/24
        # (manual) SPI number
        #spi=0x200
        # (manual) encryption/authentication algorithm and parameters to it
        esp=3des-md5-96
        #espenckey=[192 bits]
        #espauthkey=[128 bits]
        authby=secret
        auto=add
*********************************************************************
4. Add the PSK:
# vi /etc/ipsec.secrets
*********************************************************************
include /etc/ipsec.d/*.secrets
10.12.95.3 10.12.95.2 : PSK "1234567890"
10.12.95.2 10.12.95.3 : PSK "1234567890"
*********************************************************************
5. Edit /etc/ipsec.conf:
# vi /etc/ipsec.conf
*********************************************************************
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

PS. The other VPN gateway is set up in exactly the same way; just swap the left and right information in /etc/hosttohost.conf.

6. Start IPSec:
# /etc/init.d/ipsec start
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.18-164.6.1.el5...
ipsec_setup: multiple ip addresses, using 10.12.95.3 on eth0
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

7. Run ipsec verify:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K2.6.18-164.6.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: centos.example.com [MISSING]
Does the machine have at least one non-private address? [FAILED]

8. Bring up the IPSec tunnel:
# ipsec auto --up sample
104 "sample" #1: STATE_MAIN_I1: initiate
003 "sample" #1: received Vendor ID payload [Openswan (this version) 2.6.21 ]
003 "sample" #1: received Vendor ID payload [Dead Peer Detection]
003 "sample" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sample" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sample" #1: received Vendor ID payload [CAN-IKEv2]
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
9. Test:
# ping 172.17.2.100 -I 172.17.1.100 -c 10
PING 172.17.2.100 (172.17.2.100) from 172.17.1.100 : 56(84) bytes of data.
64 bytes from 172.17.2.100: icmp_seq=1 ttl=64 time=1.65 ms
64 bytes from 172.17.2.100: icmp_seq=2 ttl=64 time=0.716 ms
64 bytes from 172.17.2.100: icmp_seq=3 ttl=64 time=1.16 ms
64 bytes from 172.17.2.100: icmp_seq=4 ttl=64 time=1.41 ms
64 bytes from 172.17.2.100: icmp_seq=5 ttl=64 time=1.24 ms
64 bytes from 172.17.2.100: icmp_seq=6 ttl=64 time=1.17 ms
64 bytes from 172.17.2.100: icmp_seq=7 ttl=64 time=1.52 ms
64 bytes from 172.17.2.100: icmp_seq=8 ttl=64 time=0.544 ms
64 bytes from 172.17.2.100: icmp_seq=9 ttl=64 time=0.796 ms
64 bytes from 172.17.2.100: icmp_seq=10 ttl=64 time=1.58 ms
Note:
The versions used this time were:
openswan-doc-2.6.21-5.el5_4.1
openswan-2.6.21-5.el5_4.1
The example configuration files differ somewhat between versions, so take care.
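Once the tunnel is up, the lines that ipsec auto --up prints are the record of what was actually negotiated. This added example (not from the original post or from Openswan) pulls the IKE and ESP parameters out of that output and flags the choices the sample config makes, 3DES with MD5 and pre-shared-key authentication, before the tunnel is relied on; the pluto log it reads is constructed from the output above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SA parameters that
# "ipsec auto --up" printed. The sample config negotiates esp=3des-md5-96 and
# authenticates with a short pre-shared key; this check flags such choices
# before the tunnel is relied on.

# Constructed pluto output, modelled on the lines shown above.
PLUTO_LOG=$(mktemp)
cat >"$PLUTO_LOG" <<'EOF'
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
EOF

# Print the value of KEY ($1: cipher, group, xfrm, auth, ...) from log file $2.
sa_field() {
    sed -n "s/.*[{ ]$1=\([^ }]*\).*/\1/p" "$2"
}

# Return 0 when an algorithm string contains no deprecated primitive.
# pluto prints "aes_128" for IKE but "3DES_0-HMAC_MD5" for ESP, so fold case first.
alg_ok() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *3des*|*des_*|*md5*|*null*|*modp768*|*modp1024*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report every weak IKE/ESP parameter in log $1; return 1 if any was found.
audit_sa() {
    rc=0
    for key in cipher group xfrm; do
        val=$(sa_field "$key" "$1")
        if ! alg_ok "$val"; then
            echo "weak $key: $val"
            rc=1
        fi
    done
    # PSK authentication means the tunnel is only as strong as the secret string.
    if [ "$(sa_field auth "$1")" = "OAKLEY_PRESHARED_KEY" ]; then
        echo "note: pre-shared key authentication in use"
    fi
    return $rc
}

audit_sa "$PLUTO_LOG" || echo "tunnel parameters need attention"
```

Against the log above it reports the 3DES_0-HMAC_MD5 ESP transform as weak while accepting the aes_128/modp2048 IKE parameters.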

To set up a SOCKS server in CentOS 5.4

For work I needed a SOCKS4/5 server. Installing one on CentOS is easy and the configuration is not hard either, so here are my notes.

1. Fetch the ss5 tarball:
The default repos don't seem to carry ss5, so download the tarball and install it by hand.
wget http://softlayer.dl.sourceforge.net/project/ss5/ss5/3.7.9-1/ss5-3.7.9-1.tar.gz
tar zxvf ss5-3.7.9-1.tar.gz
2. Install:
[root@server2 src]# tar zxvf ss5-3.7.9-1.tar.gz
[root@server2 ss5-3.7.9]# ./configure
[root@server2 ss5-3.7.9]# make
[root@server2 ss5-3.7.9]# make install
3. Configure:
Find the auth and permit lines and uncomment them. Note that I did not enable the mechanism that requires users to authenticate.
[root@server2 ~]# vi /etc/opt/ss5/ss5.conf
# SHost SPort Authentication
auth 0.0.0.0/0 - -
# Auth SHost SPort DHost DPort Fixup Group Band ExpDate
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
4. Start:
[root@server2 ~]# chkconfig --add ss5
[root@server2 ~]# chkconfig ss5 on
[root@server2 ~]# /etc/init.d/ss5 start
doneting ss5... [ OK ]
[root@server2 ~]#
5. Test:
Finally, test SOCKS4/5 with Firefox.
Tools -> Options -> Advanced -> Settings -> Manual proxy configuration:
SOCKS host: x.x.x.x Port: 1080
and choose SOCKS v4 or SOCKS v5.
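As configured above, ss5 accepts any source host without authentication, which makes it an open proxy. This added example (not from the original post or from ss5) shows the same two lines restricted to an assumed LAN range with username/password authentication (the "u" method, whose users live in ss5's password file; both are assumptions about ss5's syntax), alongside a check that flags world-open rules in a config file; both config files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). The ss5.conf lines above accept any
# source host with no authentication, which is an open proxy. Below is the same
# config restricted to an assumed LAN (192.168.0.0/24) with username/password
# auth ("u", users kept in ss5's password file), plus a check for world-open rules.

OPEN_CONF=$(mktemp); RESTRICTED_CONF=$(mktemp)
# Constructed copy of the post's configuration.
cat >"$OPEN_CONF" <<'EOF'
# SHost SPort Authentication
auth 0.0.0.0/0 - -
# Auth SHost SPort DHost DPort Fixup Group Band ExpDate
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
EOF
# Restricted variant (assumed LAN range; same column layout).
cat >"$RESTRICTED_CONF" <<'EOF'
# SHost SPort Authentication
auth 192.168.0.0/24 - u
# Auth SHost SPort DHost DPort Fixup Group Band ExpDate
permit u 192.168.0.0/24 - 0.0.0.0/0 - - - - -
EOF

# Print each auth/permit rule in $1 that admits 0.0.0.0/0 without authentication
# ("-" in the Authentication/Auth column). Return 0 if any such rule exists.
ss5_world_open_rules() {
    awk '
        $1 == "auth"   && $2 == "0.0.0.0/0" && $4 == "-" { print; found = 1 }
        $1 == "permit" && $2 == "-" && $3 == "0.0.0.0/0" { print; found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

ss5_world_open_rules "$OPEN_CONF" || echo "no world-open rules"
```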

Monday, January 11, 2010

To implement NFSv2, NFSv3 and NFSv4

NFSv2, NFSv3 and NFSv4 are all supported by default on Linux 2.6.x kernels; the difference is that the server or client must be given different parameters to select the version. Below is a brief description of how to set up each version:

1. NFS v3:
Server: exportfs *:/tmp
Client: mount 192.168.0.254:/tmp /mnt/nfs

2. NFS v2:
Server: exportfs *:/tmp
Client: mount -o nfsvers=2 192.168.0.254:/tmp /mnt/nfs

3. NFS v4:
Server: exportfs -o fsid=0 *:/tmp
Client: mount -t nfs4 192.168.0.254:/tmp /mnt/nfs
References:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-nfs-client-config.html
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-nfs.html
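The mount commands above request a version, but what the client actually negotiated is what /proc/mounts records. This added example (not from the original post) reads /proc/mounts-style lines, reports the version of every NFS mount and flags any still on NFSv2; the mount table is constructed, and the defaults applied when no vers= option is present (nfs4 means 4, nfs means 3) are assumptions about the 2.6 kernel.

```shell
#!/bin/sh
# Added example (not from the original post): the mount commands above request a
# version, but the version actually negotiated is what /proc/mounts records. This
# reads /proc/mounts-style lines and reports the version of every NFS mount, and
# flags any still on NFSv2.

# Constructed /proc/mounts excerpt (fields: source, mountpoint, fstype, options).
MOUNTS=$(mktemp)
cat >"$MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw 0 0
192.168.0.254:/tmp /mnt/nfs nfs rw,vers=3,rsize=32768,wsize=32768,addr=192.168.0.254 0 0
192.168.0.254:/tmp /mnt/nfs2 nfs rw,vers=2,rsize=8192,addr=192.168.0.254 0 0
192.168.0.254:/tmp /mnt/nfs4 nfs4 rw,sec=sys,addr=192.168.0.254 0 0
EOF

# Print "<mountpoint> <version>" for each nfs/nfs4 mount listed in file $1.
# Without a vers=/nfsvers= option, fstype nfs4 is taken as 4 and nfs as 3 (assumed defaults).
nfs_mount_versions() {
    awk '$3 == "nfs" || $3 == "nfs4" {
            v = ($3 == "nfs4") ? 4 : 3
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^(vers|nfsvers)=/) { split(opts[i], kv, "="); v = kv[2] }
            print $2, v
        }' "$1"
}

# Return 0 if any listed mount uses NFSv2 (32-bit file offsets, 2 GB file limit).
has_nfsv2_mounts() {
    nfs_mount_versions "$1" | awk '$2 == 2 { found = 1 } END { exit (found ? 0 : 1) }'
}

nfs_mount_versions "$MOUNTS"
```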

Wednesday, January 06, 2010

Path MTU discovery

What is Path MTU discovery:
http://en.wikipedia.org/wiki/Path_MTU_discovery

A Linux box has pmtud enabled by default; this can be checked via the following kernel parameter:
cat /proc/sys/net/ipv4/ip_no_pmtu_disc
0 means pmtud is enabled (default)
1 means pmtud is disabled
Below is the environment I used for the experiment:

Remote Server (mtu=1500) ----- (mtu=1400) Linux NAT Box (mtu=1400) ----- Client (mtu=1500)

1. From the Client, send an ICMP packet to the Server whose size is greater than 1400 bytes but less than 1500 bytes, for example 1450 bytes, with DF=1.
2. The Linux NAT box reports that the packet needs fragmentation, and tells the Client via an ICMP unreachable message that its MTU is 1400 bytes.
opensuse:~ # ping 10.12.64.220 -s 1450
PING 10.12.64.220 (10.12.64.220) 1450(1478) bytes of data.
From 10.12.95.3: icmp_seq=1 Frag needed and DF set (mtu = 1400)
From 10.12.95.3 icmp_seq=1 Frag needed and DF set (mtu = 1400)
1458 bytes from 10.12.64.220: icmp_seq=2 ttl=63 time=2.85 ms
1458 bytes from 10.12.64.220: icmp_seq=3 ttl=63 time=4.97 ms
1458 bytes from 10.12.64.220: icmp_seq=4 ttl=63 time=3.48 ms
After this, no further detection is needed for a while.
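The numbers in the session above follow from the header sizes: a 1450-byte payload becomes a 1478-byte datagram, which exceeds the 1400-byte hop. This added example (not from the original post) carries that arithmetic through and parses the "Frag needed" reply so a script can pick the largest payload that crosses the hop unfragmented; the ping output it reads is constructed from the session above.

```shell
#!/bin/sh
# Added example (not from the original post): the size arithmetic behind the
# experiment above and a parser for the "Frag needed" reply, so a script can work
# out the largest ping payload that crosses the 1400-byte hop unfragmented.

IP_HDR=20    # IPv4 header without options
ICMP_HDR=8   # ICMP echo header

# Datagram size on the wire for a "ping -s" payload: 1450 -> 1478, as ping prints.
icmp_datagram_size() { echo $(( $1 + ICMP_HDR + IP_HDR )); }

# Largest "ping -s" payload that fits a given path MTU: 1400 -> 1372.
max_icmp_payload() { echo $(( $1 - ICMP_HDR - IP_HDR )); }

# Does a payload of $1 bytes with DF set need fragmentation on a path with MTU $2?
needs_fragmentation() { [ "$(icmp_datagram_size "$1")" -gt "$2" ]; }

# Print the MTU advertised in the first "Frag needed and DF set (mtu = N)" line of
# ping output on stdin; prints nothing if the path accepted the packet as sent.
pmtu_from_ping() {
    sed -n 's/.*Frag needed and DF set (mtu = \([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Constructed ping output, modelled on the session above.
PING_OUT='PING 10.12.64.220 (10.12.64.220) 1450(1478) bytes of data.
From 10.12.95.3: icmp_seq=1 Frag needed and DF set (mtu = 1400)
1458 bytes from 10.12.64.220: icmp_seq=2 ttl=63 time=2.85 ms'

# Apply: the NAT box said 1400, so any later probe should use at most 1372 bytes.
pmtu=$(printf '%s\n' "$PING_OUT" | pmtu_from_ping)
[ -n "$pmtu" ] && echo "path MTU $pmtu -> max ping -s payload $(max_icmp_payload "$pmtu")"
```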