Apple iPad announced

Apple總算是對外發表了Apple iPad平板式電腦，成為世界第一的Mobile vendor後讓我們看看iPad是否也可以很成功！

強大的awk

透過awk找出系統帳號中誰的預設shell是屬於bash，並統計有幾筆。
[root@centos bin]# awk -F: 'BEGIN{count=0};/bash/{count++}/bash/{print $1};END{print "TOTAL="count}' /etc/passwd

root

u1

u2

law

mysql

TOTAL=5

To setup IPSec in CentOS 5.4

這是一篇很精簡的設定方法，更詳細的步驟與說明建議還是至OpenSwan網站查詢。

Test Environment:

(172.17.1.100) IPSec VPN1 (10.12.95.3) ----- (10.12.95.2) IPSec VPN2 (172.17.2.100)

1. 安裝：

# yum install openswan*

2. 透過sysctl.conf修改Kernel參數：

修改Kernel相關參數，使得之後跑ipsec verify時不會出錯。

# vi /etc/sysctl.conf

*********************************************************************

# example entries for /etc/sysctl.conf

# forwarding is needed for subnet or l2tp connections

net.ipv4.ip_forward = 1

# rp_filter is stupid and cannot deal decrypted packets "appearing out of

# nowhere"

net.ipv4.conf.default.rp_filter = 0

# when using 1 interface for two networks, and in some other cases with

# NETKEY, the kernel thinks it can be clever but breaks things.

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.default.log_martians = 0

# these are non-ipsec specific security policies you should use

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

*********************************************************************

#sysctl -p

3. 套用並修改範例：

# cp/usr/share/doc/openswan-doc*/examples /etc/ipsec.d/hosttohost.conf

# vi /etc/hosttohost.conf

*********************************************************************

# sample connections

# This file is RCSID $Id: examples,v 1.5 1999/12/13 02:38:16 henry Exp $

# sample tunnel (manually or automatically keyed)

# Here we just use ESP for both encryption and authentication, which is

# the simplest and often the best method.

conn sample

# left security gateway (public-network address)

left=10.12.95.3

# next hop to reach right

#leftnexthop=10.44.55.66

# subnet behind left (omit if left end of the tunnel is just the s.g.)

leftsubnet=172.17.1.0/24

# right s.g., subnet behind it, and next hop to reach left

right=10.12.95.2

#rightnexthop=10.88.77.66

rightsubnet=172.17.2.0/24

# (manual) SPI number

#spi=0x200

# (manual) encryption/authentication algorithm and parameters to it

esp=3des-md5-96

#espenckey=[192 bits]

#espauthkey=[128 bits]

authby=secret

auto=add

*********************************************************************

4. 新增PSK:

# vi /etc/ipsec.secrets

*********************************************************************

include /etc/ipsec.d/*.secrets

10.12.95.3 10.12.95.2 : PSK "1234567890"

10.12.95.2 10.12.95.3 : PSK "1234567890"

5. 修改/etc/ipsec.conf

# vi /etc/ipsec.conf

*********************************************************************

# /etc/ipsec.conf - Openswan IPsec configuration file

#

# Manual: ipsec.conf.5

#

# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup

# Debug-logging controls: "none" for (almost) none, "all" for lots.

# klipsdebug=none

# plutodebug="control parsing"

# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey

protostack=netkey

nat_traversal=yes

virtual_private=

oe=off

# Enable this if you see "failed to find any available worker"

nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.

include /etc/ipsec.d/*.conf

PS. 另外一邊的VPN gateway與以上的架設方法都一樣，只是將/etc/hosttohost.conf中的left與right的資訊對調即可。

6. 啟動IPSec:

# /etc/init.d/ipsec start

/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.18-164.6.1.el5...

ipsec_setup: multiple ip addresses, using 10.12.95.3 on eth0

ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

7. 執行IPSec verify:

# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path [OK]

Linux Openswan U2.6.21/K2.6.18-164.6.1.el5 (netkey)

Checking for IPsec support in kernel [OK]

NETKEY detected, testing for disabled ICMP send_redirects [OK]

NETKEY detected, testing for disabled ICMP accept_redirects [OK]

Checking for RSA private key (/etc/ipsec.secrets) [OK]

Checking that pluto is running [OK]

Two or more interfaces found, checking IP forwarding [OK]

Checking NAT and MASQUERADEing [N/A]

Checking for 'ip' command [OK]

Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:

Looking for TXT in forward dns zone: centos.example.com [MISSING]

Does the machine have at least one non-private address? [FAILED]

8. 建立IPSec tunnel:

# ipsec auto --up sample

104 "sample" #1: STATE_MAIN_I1: initiate

003 "sample" #1: received Vendor ID payload [Openswan (this version) 2.6.21 ]

003 "sample" #1: received Vendor ID payload [Dead Peer Detection]

003 "sample" #1: received Vendor ID payload [RFC 3947] method set to=109

106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2

003 "sample" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected

108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3

003 "sample" #1: received Vendor ID payload [CAN-IKEv2]

004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}

117 "sample" #2: STATE_QUICK_I1: initiate

004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm="3DES_0-HMAC_MD5" natoa="none" natd="none" dpd="">

9. 測試:

# ping 172.17.2.100 -I 172.17.1.100 -c 10

PING 172.17.2.100 (172.17.2.100) from 172.17.1.100 : 56(84) bytes of data.

64 bytes from 172.17.2.100: icmp_seq=1 ttl=64 time=1.65 ms

64 bytes from 172.17.2.100: icmp_seq=2 ttl=64 time=0.716 ms

64 bytes from 172.17.2.100: icmp_seq=3 ttl=64 time=1.16 ms

64 bytes from 172.17.2.100: icmp_seq=4 ttl=64 time=1.41 ms

64 bytes from 172.17.2.100: icmp_seq=5 ttl=64 time=1.24 ms

64 bytes from 172.17.2.100: icmp_seq=6 ttl=64 time=1.17 ms

64 bytes from 172.17.2.100: icmp_seq=7 ttl=64 time=1.52 ms

64 bytes from 172.17.2.100: icmp_seq=8 ttl=64 time=0.544 ms

64 bytes from 172.17.2.100: icmp_seq=9 ttl=64 time=0.796 ms

64 bytes from 172.17.2.100: icmp_seq=10 ttl=64 time=1.58 m

Note:

此次使用的版本分別為：

openswan-doc-2.6.21-5.el5_4.1

openswan-2.6.21-5.el5_4.1

不同的版本間，example configure file有點差異，需請注意。

To setup Socks Server in CentOS5.4

工作需求，所以去架設了Socks4/5 Server來使用，在CentOS上安裝起來很容易且配置上也沒有多大的難度，在此筆記一下。

1. 抓取ss5 tarball檔：

預設的repos似乎沒有ss5，故自己抓個tarball檔下來安裝。

wget http://softlayer.dl.sourceforge.net/project/ss5/ss5/3.7.9-1/ss5-3.7.9-1.tar.gz
tar zxvf ss5-3.7.9-1.tar.gz

2. 安裝：

[root@server2 src]# tar zxvf ss5-3.7.9-1.tar.gz

[root@server2 ss5-3.7.9]# ./configure

[root@server2 ss5-3.7.9]# make

[root@server2 ss5-3.7.9]# make install

3. 配置：

找到auth與permit並將註解取消，注意我並沒有enable使用者需做認證的機制。

[root@server2 ~]# vi /etc/opt/ss5/ss5.conf

# SHost SPort Authentication

auth 0.0.0.0/0 - -

# Auth SHost SPort DHost DPort Fixup Group Band ExpDate

permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

4. 啟動:

[root@server2 ~]# chkconfig --add ss5

[root@server2 ~]# chkconfig ss5 on

[root@server2 ~]# /etc/init.d/ss5 start

doneting ss5... [ OK ]

[root@server2 ~]#

5. 測試：

最後可透過FireFox來測試Socks4/5.

工具->選項->進階->設定->手動設定Proxy:

SOCKS主機: x.x.x.x Port: 1080

並選擇SOCKS v4或是SOCKS v5

To implement NFSv2,NFSv3 and NFSv4

NFSv2, NFSv3與NFSv4在Linux 2.6.x的kernel上，預設都是有支援的，不同的是需要對於server或client之前下達不同的參數以區別，以下分別就不同版本的實作簡單敘述：

1. NFS v3:

Server: exportfs *:/tmp

Client: mount 192.168.0.254:/tmp /mnt/nfs

2. NFS v2:

Server: exportfs *:/tmp

Client: mount -o nfsvers=2 192.168.0.254:/tmp /mnt/nfs

3. NFS v4:

Server: exportfs -o fsid=o *:/tmp

Client: mount -t nfs4 192.168.0.254:/tmp /mnt/nfs

References:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-nfs-client-config.html

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-nfs.html

Path MTU discovery

What's Path MTU discovery:

http://en.wikipedia.org/wiki/Path_MTU_discovery

預設Linux box是把pmtud的機制打開的，可透過以下的kernel參數檢查：

cat /proc/sys/net/ipv4/ip_no_pmtu_disc

0 代表pmtud enable (default)

1 代表pmtud disable

以下是我實驗時的環境：

Remote Server (mtu=1500) ----- (mtu=1400) Linux NAT Box (mtu=1400) ----- Client (mtu=1500)

1. 從Client往Server端送出icmp packet size大於1400bytes但小於1500bytes的包，for example 1450 bytes, DF=1

2. Linux NAT Box將會回報封包需要分片！並透過icmp unreachable包告訴Client，本機的mtu為1400bytes

opensuse:~ # ping 10.12.64.220 -s 1450

PING 10.12.64.220 (10.12.64.220) 1450(1478) bytes of data.

From 10.12.95.3: icmp_seq=1 Frag needed and DF set (mtu = 1400)

From 10.12.95.3 icmp_seq=1 Frag needed and DF set (mtu = 1400)

1458 bytes from 10.12.64.220: icmp_seq=2 ttl=63 time=2.85 ms

1458 bytes from 10.12.64.220: icmp_seq=3 ttl=63 time=4.97 ms

1458 bytes from 10.12.64.220: icmp_seq=4 ttl=63 time=3.48 ms

此後將會保持一段時間不需要detect。