I would like to use fireHOL ip lists: http://iplists.firehol.org , ipset and iptables together on my centOS webserver.
I have installed the fireHOL lists and updated the IP lists it generates.
The IP lists it creates are saved in: /etc/firehol/ipsets (https://github.com/firehol/blocklist-ipsets/wiki/Downloading-IP-Lists#where-are-the-ipsets)
I have installed ipset.
I already have iptables installed and working (controlled via CSF/LFD).
How do I tie together the IP lists, ipset and iptables so that the lists are blocked via iptables (https://github.com/firehol/blocklist-ipsets/wiki/Downloading-IP-Lists#updating-the-ipsets-in-kernel)?
Thanks for any help.
I don't know how to do it with CSF/LFD, but if you use FireHOL, you would need something like the following for each ipset.
Let's assume you are interested for ipset dshield.
In your firehol.conf, at its top you should add this:
ipset4 create dshield hash:net
ipset4 addfile dshield ipsets/dshield.netset
blacklist4 input inface ${wan} log "BLACKLIST dshield" ipset:dshield
Of course, the above is a fragment. You will need to configure firehol.conf properly.
Then, update-ipsets will update dshield in kernel automatically when it is updated.
So the general idea:
create the ipset with the name of the IP list you are interested
initialize it with the contents of the file generated by update-ipsets
create a blacklist that uses the ipset you created
update-ipsets will automatically update the ipset in kernel
firehol takes care of 1,2,3 and update-ipsets of the 4th.
Check this: https://github.com/firehol/firehol/wiki/Working-with-IPSETs
Alternatively:
You can do 1 and 2 by running ipset commands on your console.
You can do 3 using your firewall (it has to support ipsets) or by running iptables commands on your console.
If you don't know what to do, the simplest way is to use firehol. Check its docs (http://firehol.org/guides/firehol-welcome/).
Related
As stated in the title: What does the #... in the output below mean? I don't think they are hostnames, because I think the #-sign is reserved for mailing. Normally there stands a IP-subnet or simply an IP-address - but nothing is the case here. I also know I can put hostnames in there, but I don't think I could put such #... into the hosts file to restrict the access to only some IPs... Sooo, what is this?
glaforge#enterprise: showmount -e [REMOVED]
Export list for [REMOVED]:
[REMOVED] *
[REMOVED] #somenamea,#somenameb
In the list of exports shown by showmount -e any names with an # are netgroups, not individual hosts.
A netgroup is a list of hosts. They're typically defined in /etc/netgroup on the NFS server (but could also be in NIS, LDAP, etc. depending on how /etc/nsswitch.conf is configured).
Using netgroups to define your exports saves a lot of typing compared to exporting to each host separately. (I find that it reduces the chances of making typos. Or if I do make a typo in one of my exports, I'll find it faster as it'll affect all the machines in the netgroup rather than just one machine.)
Example
On my NFS server I could have the following netgroups defined in /net/netgroup:
nuts (walnut,,) (almond,,) (pistachio,,) (hazelnut,,)
flowers (rose,,) (tulip,,) (iris,,)
Each entry in a netgroup is defined as a tuple of (hostname, user, NIS domain) but NFS only cares about the hostname so just leave the other parts blank. The NIS domain is not the same thing as a DNS domain. If you need to specify a full DNS name, e.g., foo.example.com, put it all in the host part: (foo.example.com,,)
And then my exports file could look like this:
/vol/home #nuts(rw) #flowers(rw)
/vol/web #nuts(rw)
/vol/dns #nuts(ro) almond(rw)
Now the hosts in the flowers netgroup can mount home read-write but can't access web or dns. The host almond has read-write access to everything, but the rest of the machines in the nuts netgroup only have read-only access to dns.
If I were to run showmount -e it would look something like this:
% showmount -e
Export list for example.com:
/vol/home #nuts,#flowers
/vol/web #nuts
/vol/dns #nuts,almond
I am trying to find a way to send a large amount of SIP INVITE from my linux OS to a remote application that accept SIP INVITE.
I found a way to send many SIP INVITE from the same source (i.e. ip.ethernetcard local linux os):
sipp -sn uac ip.remote.app -i ip.ethernetcard local linux os -m 10 -s "name.user"
This send 10 SIP INVITE. The problem is when I look at the log on the remote side (using tcpdump), I see that source is always the same (ip.ethernetcard local linux os). Is there a way to minimic different sources i.e. we are pretending that we have multiple clients talking to the remote app ?
Use some sip stress test tool such as SIPp to generate varied INVITE messages.
Injecting values from an external CSV during calls
You can use "-inf file_name" as a command line parameter to input values into the scenarios. The first line of the file should say whether the data is to be read in sequence (SEQUENTIAL), random order (RANDOM), or in a user based manner (USER). Each line corresponds to one call and has one or more ';' delimited data fields and they can be referred as [field0], [field1], ... in the xml scenario file. Example:
SEQUENTIAL
sipp1
sipp2
sipp3
...
Will be read in sequence (first call will use first line, second call second line). At any place where the keyword "[field0]" appears in the scenario file, it will be replaced by either "sipp1", "sipp2" or "sipp3" depending on the call.
As before, use
sipp -sn uac ip.remote.app -i ip.ethernetcard_local_linux_os -m 10 -s "name.user"
add -inf file_name and -sf uac.xml
In the xml file (standard example taken from sipp web page), replace
sip:sipp[local_ip]:[local_port]>;tag=[call_number]
sip:[field0]#[local_ip]:[local_port]>;tag=[call_number]
That is it.
We have openldap replication with syncrepl, I don't know how to add slapadd entries into it.
On standalone it works fine. but when i add entries in one of the machine in replication, second machines fails to start slapd.
Thanks
Unfortunately slapadd doesn't write to the accesslog and thus the modifications aren't replicable. This is especially bad, because some attributes can't be modified via ldapadd.
If you only need ordinary attributes, use ldapadd instead.
UPDATE:
It looks like you can use the -w switch:
Write syncrepl context information. After all entries are added, the
contextCSN will be updated with the greatest CSN in the database.
we have a script that needs to take action on a finite list of hosts. but every time we add or remove a host to the /etc/hosts file, we end up having to update this script.
basically, say my hosts file looks like:
192.168.100.1 hostip_1
192.168.100.2 hostip_2
192.168.100.10 hostip_3
192.168.100.20 hostip_5
and my script (bash) does something like:
callmyfunction hostip_1
callmyfunction hostip_2
callmyfunction hostip_3
callmyfunction hostip_5
if i want to add hostip_4 to the list of hosts, i now have to go in and edit my script and add it to the list. while it's a small edit, it is still a step that can be forgotten in the process (especially if someone new to the system comes in).
is there a way i can test to see if 'hostip_1' is a valid hostname within the system (without pinging the host or grepping the /etc/hosts file)? we may use multiple hosts files, and different configurations may have different filenames, so i can't rely on trying to grep a single file. i need the system to do that work for me.
any clues?
first, my statement about things not being in the hosts file is wrong. that is exactly where they are. dumb on my part.
but the answer is:
getent hosts
that will get it to print everything out, and i can do a lookup from there.
As you are populating the /etc/hosts file, I am assuming that you are not using DNS. So below solution wont fit your use case. But it will still get you some pointers.
In a working DNS environment, you can check the host name to its corresponding IP with below command
# host host_name
This is will give the IP address of the host. In case the host name does not exists, then it will give you corresponding host not found message.
You can parse the output of above command and can deduce whether a give host name exists.
might not be in your /etc/hosts file... better search for the name and see if an ip can be found:
(($(dig +noall +answer google.de |wc -c)>0)) && echo exists
this is bash, can be adaptet to pretty much everything.
dig +noall +answer google.de
returns the ips if found. If empty, that name cannot be used in the computer running this code.
If all the targets are on the same subnet (same network), use arping, it will check that hosts are available using ARP.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I've just performed a new installation of the very latest (Fall, 2008) version of Fedora 9 Linux and am perplexed that it never set the default route properly and that even traveling the labyrinthine ways of this OS, there's no obvious way.
Of course, it's clear that one can do it on a one-off basis like this:
route add default gw gw1 metric 0 eth0
or like this:
ip route add to default via 192.168.2.1 protocol static
However, neither of these survives reboot. In reading through /etc/rc.d/init.d/network, it attempts to find data from a file in /etc/sysconfig/static-routes, but that file never existed. So, I tried to create it and populate it with data. The trouble with that is that the script places a dash (minus sign) in an odd spot that I'm not sure how to deal with.
Of course, one can just edit /etc/rc.d/init.d/network, but that would be non-standard. As it is, my only other recourse seems to be editing rc.local, but that doesn't come early enough in the boot sequence to be there for things like, for example, the network time daemon.
I've done my homework - I've read all the man pages, info entries, tried apropos, and I've even done a fair bit of web searching, all to no avail - my next step, sans answer here, will be to sign up to the Fedora mailing lists and ask there! Or, give up and edit the scripts.
So, how is one supposed to do this?
The gateway is normally set in /etc/sysconfig/network-scripts/ifcfg-eth0, not in /etc/sysconfig/network. For example, on my current machine:
/etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=flyboys
NISDOMAIN=ekcineon
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
HWADDR=00:1d:09:31:3a:cc
NETMASK=255.255.255.0
IPADDR=150.102.65.30
GATEWAY=150.102.65.252
TYPE=Ethernet
Note that I set HWADDR because I have two ethernet cards and I want to make sure the right one is assigned to eth0. The configuration for the second card is in /etc/sysconfig/network-scripts/ifcfg-eth1
just edit the /etc/sysconfig/network-scripts/route-ethXX
and write inside: default via ip_address dev device , replace ip_address with your gateway ip and device with the name of the right eth device. but for the Device option its ... optional, set it in the case of multiple eth devices.
Works even in case of network restart, the route directive in rc.local works at boot only.
I have not used recent versions of Fedora, but it was often set as a GATEWAY variable in /etc/sysconfig/network.
Of course, if you just wanted it to work, you could just put the commands in /etc/rc.local to be executed when the boot sequence completes.
You can use nmcli if available, e.i.
# nmcli con show
NAME UUID TYPE DEVICE
System eth0 xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ethernet eth0
ens33 xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ethernet --
# nmcli con edit "System eth0"
nmcli> goto ipv4
You may edit the following properties: method, dns, dns-search, dns-options, dns-priority, addresses, gateway, routes, route-metric, route-table, routing-rules, ignore-auto-routes, ignore-auto-dns, dhcp-client-id, dhcp-timeout, dhcp-send-hostname, dhcp-hostname, dhcp-fqdn, never-default, may-fail, dad-timeout
nmcli ipv4>
nmcli ipv4> print
['ipv4' setting values]
ipv4.method: manual
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.addresses: 10.10.10.1/26
ipv4.gateway: 10.10.10.129
ipv4.routes: --
ipv4.route-metric: -1
ipv4.route-table: 0 (unspec)
ipv4.routing-rules: --
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-timeout: 0 (default)
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.dad-timeout: -1 (default)
nmcli ipv4>
nmcli ipv4> set routes 192.168.122.0/24 10.10.10.1
nmcli ipv4> verify
Verify setting 'ipv4': OK
nmcli ipv4> save
nmcli ipv4> quit
#nmcli con up "System eth0"
And it should create file /etc/sysconfig/network-scripts/routes- with proper parameters, e.g.
ADDRESS0=192.0.2.0
NETMASK0=255.255.255.0
GATEWAY0=198.51.100.1
Haven't seen Fedora. But shouldn't there be some GUI for this kind of thing? If you have Gnome try running gnome-network-preferences
Here it is for RHEL, as it is slightly different:
Identify the interface by using ifconfig
sudo vi /etc/sysconfig/network-scripts/route-ethXX
add the routes as per syntax below, where /xx represents subnet mask
host: 172.30.xxx.xxx via 172.30.xxx.xxx
network: 172.30.xxx.xxx/xx via 172.30.xxx.xxx
Default gateway: 0.0.0.0 via xxx.xxx.xxx.xxx</li>
Save the file.
sudo /etc/init.d/network restart (Warning: if you forget to set
correct routes for the management interface (if applicable) you may lose
connectivity to the server)