Posts Tagged ‘lan’

How to redirect TCP port traffic from Internet Public IP host to remote local LAN server, Redirect traffic for Apache Webserver, MySQL, or other TCP service to remote host

Thursday, September 23rd, 2021

 

 


 

 

1. Use the good old times rinetd – internet “redirection server” service


Perhaps many younger people wouldn't remember, but rinetd was pretty common on old Linuxes in the age when iptables was not yet on the scene and its predecessor ipchains was so common.
With the rise of the mass internet rinetd started losing its popularity, because the service was exposed to the outer world and, due to security holes and many exploits circulating in the script kiddie communities,
many servers got hacked ("pwned" in the jargon of the script kiddies).

rinetd is still available even in modern Linuxes and over the last years I have not heard of any severe security concerns regarding it, but perhaps the old paranoia and its fall into oblivion make it a still unpopular solution for port redirection today in year 2021.
However, for local secured DMZ LANs I can tell you that it is quite useful, and I choose to use it myself every now and then due to its simplicity to configure and use.
rinetd is pretty standard among Unixes and is also available in old Sun OS / Solaris and the BSDs and pretty much everything on the Unix scene.

Below is an excerpt from 'man rinetd':

 

DESCRIPTION
     rinetd redirects TCP connections from one IP address and port to another. rinetd is a single-process server which handles any number of connections to the address/port pairs
     specified in the file /etc/rinetd.conf.  Since rinetd runs as a single process using nonblocking I/O, it is able to redirect a large number of connections without a severe
     impact on the machine. This makes it practical to run TCP services on machines inside an IP masquerading firewall. rinetd does not redirect FTP, because FTP requires more than
     one socket.

     rinetd is typically launched at boot time, using the following syntax:

          /usr/sbin/rinetd

     The configuration file is found in the file /etc/rinetd.conf, unless another file is specified using the -c command line option.

To use rinetd on any Linux distro you have to install and enable it with apt or yum as usual. For example, on my Debian GNU / Linux home machine I had to install the .deb package, then enable and start it via systemd:

 

server:~# apt install --yes rinetd

server:~#  systemctl enable rinetd


server:~#  systemctl start rinetd


server:~#  systemctl status rinetd
● rinetd.service
   Loaded: loaded (/etc/init.d/rinetd; generated)
   Active: active (running) since Tue 2021-09-21 10:48:20 EEST; 2 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 1 (limit: 4915)
   Memory: 892.0K
   CGroup: /system.slice/rinetd.service
           └─1364 /usr/sbin/rinetd


rinetd does the traffic redirect via a separate daemon process, so once the service is up, check that the daemon is running as well.

root@server:/home/hipo# ps -ef|grep -i rinet
root       359     1  0 16:10 ?        00:00:00 /usr/sbin/rinetd
root       824 26430  0 16:10 pts/0    00:00:00 grep -i rinet

+ Configuring a new port redirect with rinetd

 

It is pretty straightforward: everything is handled via one single configuration file, /etc/rinetd.conf

The format (syntax) of a forwarding rule is as follows:

     [bindaddress] [bindport] [connectaddress] [connectport]


Besides that, rinetd can be used as a primitive firewall substitute for iptables; allowing or denying an IP address is done with the allow and deny keywords:
 

allow 192.168.2.*
deny 192.168.2.1?


To enable logging to an external file, you'll have to include in the configuration:

# logging information
logfile /var/log/rinetd.log

Here is an example rinetd.conf configuration, redirecting TCP MySQL 3306, nginx on port 80, a second web service frontend for ILO on a server reachable via port 8888, and a redirect from the external IP to a local IP SMTP server.

 

#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
# allow 192.168.2.*
# deny 192.168.2.1?


#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindadress    bindport  connectaddress  connectport


# logging information
logfile /var/log/rinetd.log
83.228.93.76        80            192.168.0.20       80
192.168.0.2        3306            192.168.0.19        3306
83.228.93.76        443            192.168.0.20       443
# enable for access to ILO
83.228.93.76        8888            192.168.1.25 443

127.0.0.1    25    192.168.0.19    25


83.228.93.76 is my external (public) internet IP address, whereas 192.168.0.20, 192.168.0.19, 192.168.0.20 are the DMZ-ed LAN internal IPs with various services.
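Because every forwarding rule bound to the public address is reachable by anyone unless an allow rule narrows it, it helps to review the file mechanically. The following is an added example, not part of the original post or of rinetd itself: it parses a rinetd.conf, applies the allow / deny scoping described in the configuration comments above, and lists forwards on non-private bind addresses that accept any source. The sample file is constructed from the article's forwards plus example allow / deny lines, the function names are this example's own, and requiring both the global and the per-rule scope to pass is an assumption about rinetd's evaluation order.

```python
"""Audit rinetd.conf forwards: who may connect, and which binds accept any source."""
import fnmatch
import ipaddress

# Constructed sample: the article's forwards plus example allow/deny lines.
SAMPLE_CONF = """\
logfile /var/log/rinetd.log
deny 10.66.*
83.228.93.76   80    192.168.0.20  80
192.168.0.2    3306  192.168.0.19  3306
83.228.93.76   443   192.168.0.20  443
# enable for access to ILO
83.228.93.76   8888  192.168.1.25  443
allow 192.168.2.*
deny 192.168.2.1?
127.0.0.1      25    192.168.0.19  25
"""


def parse_conf(text):
    """Return (global_rules, forwards) using the scoping from rinetd.conf."""
    global_rules = {"allow": [], "deny": []}
    forwards = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()
        if keyword in ("allow", "deny") and len(fields) == 2:
            # Before the first forward a rule is global; afterwards it
            # belongs to the most recent forwarding rule only.
            scope = forwards[-1] if forwards else global_rules
            scope[keyword].append(fields[1])
        elif len(fields) == 4:
            forwards.append({"bind": fields[0], "bindport": fields[1],
                             "dest": fields[2], "destport": fields[3],
                             "allow": [], "deny": []})
        # Other directives (logfile, ...) carry no access control.
    return global_rules, forwards


def matches(ip, patterns):
    """rinetd patterns use only digits, '.', '*' and '?', so fnmatch fits."""
    return any(fnmatch.fnmatchcase(ip, p) for p in patterns)


def scope_permits(ip, scope):
    # With at least one allow rule, anything not matching one is refused.
    if scope["allow"] and not matches(ip, scope["allow"]):
        return False
    return not matches(ip, scope["deny"])


def permitted(ip, global_rules, forward):
    """Assumption: a client must pass the global and the per-rule scope."""
    return scope_permits(ip, global_rules) and scope_permits(ip, forward)


def is_exposed(bind):
    """True when the bind address is not provably internal."""
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:          # hostname: cannot prove it is internal
        return True
    return addr.is_unspecified or not (addr.is_private or addr.is_loopback)


def audit(text):
    """Forwards on exposed addresses that no allow rule restricts."""
    global_rules, forwards = parse_conf(text)
    findings = []
    for fwd in forwards:
        restricted = bool(global_rules["allow"] or fwd["allow"])
        if is_exposed(fwd["bind"]) and not restricted:
            findings.append(f'{fwd["bind"]}:{fwd["bindport"]} -> '
                            f'{fwd["dest"]}:{fwd["destport"]}')
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print("open to any source:", line)
```

In the sample only the ILO forward on port 8888 carries an allow rule, so the audit reports the port 80 and 443 forwards, which is expected for a public web server and worth a second look for anything else.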

To identify the services for which rinetd is properly configured to redirect / forward traffic, you can use netstat or the newer ss command:
 

root@server:/home/hipo# netstat -tap|grep -i rinet
tcp        0      0 www.pc-freak.net:8888   0.0.0.0:*               LISTEN      13511/rinetd      
tcp        0      0 www.pc-freak.n:http-alt 0.0.0.0:*               LISTEN      21176/rinetd        
tcp        0      0 www.pc-freak.net:443   0.0.0.0:*               LISTEN      21176/rinetd      

 

+ Using rinetd to redirect External interface IP to loopback's port (127.0.0.1)

 

If you need to redirect an externally reachable live service, be it Apache, MySQL, privoxy, squid or whatever, rinetd is perhaps the tool of choice (especially since there is no way to do it with iptables).

If you want to redirect all traffic which is accessed via Linux's loopback interface (localhost) to reach a remote host 11.5.8.1 on TCP ports 1083 and 1888, use the config below:

# bindadress    bindport  connectaddress  connectport
11.5.8.1        1083            127.0.0.1       1083
11.5.8.1        1888            127.0.0.1       1888

 

For a quick and dirty solution to redirect traffic rinetd is very useful. However, keep in mind that if you want to redirect traffic for tens of thousands of connections constantly originating from the internet, you might end up with some disconnects and notice increased rinetd CPU use as the number of forwarded connections grows.

 

2. Redirect TCP / IP port using DNAT iptables firewall rules

 

Let's say you have some proxy, webservice or whatever service running on port 5900 to be redirected with iptables.
The easiest legacy way is to simply add the redirection rules to /etc/rc.local. In newer Linuxes rc.local is not enabled by default, so if you decide to use it
you'll have to enable rc.local; I've written earlier a short article on how to enable rc.local on newer Debian, Fedora, CentOS.

 

# redirect 5900 TCP service 
sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -t nat -I PREROUTING -p tcp --dport 5900 -j REDIRECT --to-ports 5900
iptables -t nat -I OUTPUT -p tcp -o lo --dport 5900 -j REDIRECT --to-ports 5900
iptables -t nat -A OUTPUT -o lo -d 127.0.0.1 -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.8:5900
iptables -t nat -I OUTPUT --source 0/0 --destination 0/0 -p tcp --dport 5900 -j REDIRECT --to-ports 5900

 

Here is another example with two rules, which redirects port 2208 (which has a bind listener configured for SSH on internal host 192.168.0.209:2208) from the external internet IP address (XXX.YYY.ZZZ.XYZ):
 

# Port redirect for SSH to VM on openxen internal Local lan server 192.168.0.209 
-A PREROUTING  -p tcp --dport 2208 -j DNAT --to-destination 192.168.0.209:2208
-A POSTROUTING -p tcp --dst 192.168.0.209 --dport 2208 -j SNAT --to-source 83.228.93.76

 

3. Redirect TCP traffic connections with redir tool

 

If you are looking for an easy, straightforward way to redirect TCP traffic, installing and using redir (a ready compiled program) might be a good idea.


root@server:~# apt-cache show redir|grep -i desc -A5 -B5
Version: 3.2-1
Installed-Size: 60
Maintainer: Lucas Kanashiro <kanashiro@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.15)
Description-en: Redirect TCP connections
 It can run under inetd or stand alone (in which case it handles multiple
 connections).  It is 8 bit clean, not limited to line mode, is small and
 light. Supports transparency, FTP redirects, http proxying, NAT and bandwidth
 limiting.
 .
 redir is all you need to redirect traffic across firewalls that authenticate
 based on an IP address etc. No need for the firewall toolkit. The
 functionality of inetd/tcpd and "redir" will allow you to do everything you
 need without screwy telnet/ftp etc gateways. (I assume you are running IP
 Masquerading of course.)

Description-md5: 2089a3403d126a5a0bcf29b22b68406d
Homepage: https://github.com/troglobit/redir
Tag: interface::daemon, network::server, network::service, role::program,
 use::proxying
Section: net
Priority: optional

 

 

server:~# apt-get install --yes redir

Here is a short description taken from its man page 'man redir'

 

DESCRIPTION
     redir redirects TCP connections coming in on a local port, [SRC]:PORT, to a specified address/port combination, [DST]:PORT.  Both the SRC and DST arguments can be left out,
     redir will then use 0.0.0.0.

     redir can be run either from inetd or as a standalone daemon.  In --inetd mode the listening SRC:PORT combo is handled by another process, usually inetd, and a connected
     socket is handed over to redir via stdin.  Hence only [DST]:PORT is required in --inetd mode.  In standalone mode redir can run either in the foreground, -n, or in the
     background, detached like a proper UNIX daemon.  This is the default.  When running in the foreground log messages are also printed to stderr, unless the -s flag is given.

     Depending on how redir was compiled, not all options may be available.

 

+ Use redir to redirect TCP traffic one time

 

Let's say you have MySQL running on a remote machine on some internal or external IP address, say 192.168.0.200, and you want to redirect all traffic from the remote host to the machine (192.168.0.50) where you run your Apache webserver, which you want to configure to use localhost TCP port 3306 as its MySQL.

This assumes there are no firewall restrictions between Host A (192.168.0.50) and Host B (192.168.0.200), i.e. connectivity on TCP/IP port 3306 is already permitted between the two machines.

To open redirection from localhost on 192.168.0.50 -> 192.168.0.200:

 

server:~# redir --laddr=127.0.0.1 --lport=3306 --caddr=192.168.0.200 --cport=3306

 

If you need other third party hosts to additionally reach 192.168.0.200 via 192.168.0.50 on TCP 3306:

root@server:~# redir --laddr=192.168.0.50 --lport=3306 --caddr=192.168.0.200 --cport=3306


Of course, once you close the /dev/tty or /dev/vty console the connection redirect will be cancelled.

 

+ Making TCP port forwarding from Host A to Host B permanent


One solution to make the redir setup rules permanent is to use the --inetd option or simply background the process; nevertheless I prefer to use GNU Screen instead.
If you don't know it, screen is a virtual console emulation manager with VT100/ANSI terminal emulation. If you don't have screen present on the host, install it with whatever Linux OS package manager is present and run:

 

root@server:~# screen -dm bash -c 'redir --laddr=127.0.0.1 --lport=3306 --caddr=192.168.0.200 --cport=3306'

 

That runs it in a screen session and detaches, so you can attach to it later. If you want, you can make redir also log connections via syslog with the (-s) option.

I also found it useful to be able to track in real time what's going on with the opened redirect socket by changing the redir log level.

Accepted log levels are:

 

  -l, --loglevel=LEVEL
             Set log level: none, err, notice, info, debug.  Default is notice.

 

root@server:/ # screen -dm bash -c 'redir --laddr=127.0.0.1 --lport=3308 --caddr=192.168.0.200 --cport=3306 -l debug'

 

To test that connectivity works as expected, use telnet:
 

root@server:/ # telnet localhost 3308
Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.
g
5.5.5-10.3.29-MariaDB-0+deb10u1-log�+c2nWG>B���o+#ly=bT^]79mysql_native_password

6#HY000Proxy header is not accepted from 192.168.0.19 Connection closed by foreign host.

Once you attach to the screen session with

 

root@server:/home #  screen -r

 

you will get the connectivity attempt from localhost logged:
 

redir[10640]: listening on 127.0.0.1:3306
redir[10640]: target is 192.168.0.200:3306
redir[10640]: Waiting for client to connect on server socket …
redir[10640]: target is 192.168.0.200:3306
redir[10640]: Waiting for client to connect on server socket …
redir[10793]: peer IP is 127.0.0.1
redir[10793]: peer socket is 25592
redir[10793]: target IP address is 192.168.0.200
redir[10793]: target port is 3306
redir[10793]: Connecting 127.0.0.1:25592 to 127.0.0.1:3306
redir[10793]: Entering copyloop() – timeout is 0
redir[10793]: Disconnect after 1 sec, 165 bytes in, 4 bytes out

The downside of using redir is that redirection is handled by a separate process which hangs in the process list all the time, and the redirection speed of incoming connections might be at least about 30% slower than if you simply use a software (firewall) redirect such as iptables, or something like kernel IP sets (ipset). If you are hearing of ipset for the first time and wonder what it is, below is a short package description.

 

root@server:/root# apt-cache show ipset|grep -i description -A13 -B5
Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>
Architecture: amd64
Provides: ipset-6.38
Depends: iptables, libc6 (>= 2.4), libipset11 (>= 6.38-1~)
Breaks: xtables-addons-common (<< 1.41~)
Description-en: administration tool for kernel IP sets
 IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel which can be
 administered by the ipset(8) utility. Depending on the type, currently an
 IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with
 MAC addresses in a  way which ensures lightning speed when matching an
 entry against a set.
 .
 If you want to
 .
  * store multiple IP addresses or port numbers and match against the
    entire collection using a single iptables rule.
  * dynamically update iptables rules against IP addresses or ports without
    performance penalty.
  * express complex IP address and ports based rulesets with a single
    iptables rule and benefit from the speed of IP sets.

 .
 then IP sets may be the proper tool for you.
Description-md5: d87e199641d9d6fbb0e52a65cf412bde
Homepage: http://ipset.netfilter.org/
Tag: implemented-in::c, role::program
Section: net
Priority: optional
Filename: pool/main/i/ipset/ipset_6.38-1.2_amd64.deb
Size: 50684
MD5sum: 095760c5db23552a9ae180bd58bc8efb
SHA256: 2e2d1c3d494fe32755324bf040ffcb614cf180327736c22168b4ddf51d462522

Howto Change MAC address in Linux and Windows 2000, XP and Vista (Mac Spoofing :)

Sunday, September 20th, 2009

MAC stands for Media Access Control and is the computer's physical address in LAN networks.
An Ethernet MAC is a six byte number, usually expressed as a twelve digit hexadecimal number.
IPs are translated to MACs via a protocol called ARP (Address Resolution Protocol).
Let's say a computer with IP 10.10.10.1 wants to send information to another system on the LAN with an IP of 10.10.10.2.
10.10.10.1 will first send a broadcast to all stations on the LAN asking who has the address 10.10.10.2.
Then the box possessing 10.10.10.2 will respond to 10.10.10.1 with its MAC address, which will be temporarily stored
in 10.10.10.1's ARP table so that 10.10.10.1 can recognize 10.10.10.2 later on.

Host 1 (10.10.10.1): Hello everyone on the LAN (FF:FF:FF:FF:FF:FF), who has the IP 10.10.10.2? My MAC is DE:AB:BE:EF:FF:FE so you can respond back to me.
Host 2 (10.10.10.2): Hello DE:AB:BE:EF:FF:FE, I have IP 10.10.10.2 and my MAC address is 1C:43:B6:F8:9B:1E so you can send your IP packets to me.
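The same request / reply exchange at byte level, as an added example that is not part of the original post: it builds the two Ethernet + ARP frames for the hosts above, parses them back, and keeps an IP-to-MAC table that reports when a known IP starts answering with a different MAC, which is what an ARP monitor on the LAN sees after a MAC address has been changed. The third MAC (02:00:00:00:00:99) is constructed for the example, and all function and class names are this example's own.

```python
"""Build and parse the ARP request/reply pair and track IP-to-MAC bindings."""
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen op sha spa tha tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "FF:FF:FF:FF:FF:FF"
UNKNOWN = "00:00:00:00:00:00"               # target MAC field of a request

HOST1 = ("DE:AB:BE:EF:FF:FE", "10.10.10.1")  # addresses from the article
HOST2 = ("1C:43:B6:F8:9B:1E", "10.10.10.2")
OTHER_MAC = "02:00:00:00:00:99"              # constructed value


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_arp(op, sender, target_mac, target_ip):
    """Return a 42-byte Ethernet frame carrying one ARP message."""
    sender_mac, sender_ip = sender
    # Requests go to the broadcast address, replies straight to the asker.
    eth_dst = BROADCAST if op == OP_REQUEST else target_mac
    header = ETH_HDR.pack(mac_to_bytes(eth_dst), mac_to_bytes(sender_mac),
                          ETHERTYPE_ARP)
    body = ARP_BODY.pack(1, 0x0800, 6, 4, op,
                         mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                         mac_to_bytes(target_mac), socket.inet_aton(target_ip))
    return header + body


def parse_arp(frame):
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    (htype, ptype, hlen, plen, op,
     sha, spa, tha, tpa) = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src),
            "op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpCache:
    """IP -> MAC table of one host; learn() reports what a frame changed."""

    def __init__(self):
        self.table = {}

    def learn(self, frame):
        pkt = parse_arp(frame)
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is None:
            return "new"
        return "same" if previous == mac else "changed"


def exchange():
    """Host 1 asks for 10.10.10.2, then sees two different answers over time."""
    request = build_arp(OP_REQUEST, HOST1, UNKNOWN, HOST2[1])
    assert parse_arp(request)["eth_dst"] == BROADCAST
    reply = build_arp(OP_REPLY, HOST2, HOST1[0], HOST1[1])
    later = build_arp(OP_REPLY, (OTHER_MAC, HOST2[1]), HOST1[0], HOST1[1])
    cache = ArpCache()  # Host 1's view of the LAN
    states = [cache.learn(reply), cache.learn(reply), cache.learn(later)]
    return states, cache.table


if __name__ == "__main__":
    print(exchange())
```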
There are plenty of reasons that might make you wish to change your MAC, though I'll mention only one:
1. To get across MAC filtering set on a router, or in other words to be able to access your internet with all your computers at home (don’t try them simultaneously!). For example, recently a cousin of mine bought a second notebook for her daughter.
They desired to be able to access the internet with both the PCs. I contacted the ISP with a request to add me a second MAC address, just to find that this wasn’t possible with this exact ISP.
Their computer ran a dual boot install of a GNU/Linux system as well as Windows Vista, thus I needed to change their existing MAC address in both Windows and Linux.
Here is how I achieved that:
1. In Linux
Really simple:
/sbin/ifconfig eth0 hw ether 00:00:00:00:00:00 (substitute here with your desired MAC)
/sbin/ifconfig eth0 up
2. On BSD
/sbin/ifconfig xl0 link 00:00:00:AA:AA:AB (substitute with your MAC here), xl0 is your interface name
/sbin/ifconfig xl0 up
3. In Windows XP
There are a couple of ways to go in Windows. The hardest way is to use regedit and to look for and substitute some obscure values.
Another, slightly easier way is to use either MacMakeUp, Smac or EtherChange.
The classic way to change the MAC in Windows XP is:
Go to Start->Settings->Control Panel and double click on Network and Dial-up Connections
a) Right click on the NIC you want to change the MAC address of and click on Properties.
b) Under the “General” tab, click on the “Configure” button.
c) Click on the “Advanced” tab.
d) Under the “Property” section, you should see an item called “Network Address” or “Locally Administered Address”; click on it.
e) On the right side, under “Value”, type in the new MAC address you want to assign to your NIC. Usually this value is entered without the “-” between the MAC address numbers.
f) Go to the command prompt and type in “ipconfig /all” or “net config rdr” to verify the changes are applied.
4. In Windows Vista
Go to Control Panel -> Network Connections -> Properties (on Connection using …) Configure -> Advanced -> Network Address (Then type your MAC Here)
All the credits for this post go to the article Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X which explains what you read above even more thoroughly.
Most of the information here is originally found in the above article.

Create local network between virtual machines in Virtualbox VM – Add local LAN between Linux Virtual Machines

Wednesday, June 11th, 2014


I want to test MySQL Cluster following the MySQL Cluster Install Guide. For that purpose I've installed 2 versions of CentOS 6.5 inside Virtualbox and I wanted to make the 2 Linux hosts reachable inside a local LAN network. I consulted some colleagues, who advised me to configure the two Linux hosts to use Bridged Adapter Virtualbox networking (network configuration in Virtualbox is done on a per Virtual Machine basis from):
 

Devices -> Network Settings

(Attached to: Bridged Adapter)

Note! By default Cable Connected (tick) is not selected, so when applying changes to Network the tick should be set.
After specifying Attached to as Bridged Adapter, to make CentOS Linux refresh its network settings run in gnome-terminal:

[root@centos ~]# dhclient eth0

However, CentOS failed to obtain a DHCP IP address.
Thus I tried to assign IP addresses manually with ifconfig, hoping that at least this would work, e.g.:

on CentOS VM 1:

/sbin/ifconfig eth0 192.168.10.1 netmask 255.255.255.0

on CentOS VM 2:

/sbin/ifconfig eth1 192.168.10.2 netmask 255.255.255.0

To test whether there is a connection between the 2 VM hosts I tried pinging 192.168.10.2 (from 192.168.10.1) and tested with telnet whether I can remotely access SSH (protocol) from CentOS VM 1 to CentOS VM 2 and vice versa, i.e.:

[root@centos ~]# telnet 192.168.10.2 22

 

Trying 192.168.10.2…
telnet: connect to address 192.168.10.2: No route to host

Then, after checking other options and already knowing that with the VBox NAT network option I had access to the internet, I tried to attach standard local IP addresses to both Linuxes as virtual interfaces (e.g. eth0:1), e.g.:

On Linux VM 1:

/sbin/ifconfig eth0:0 192.168.10.1 netmask 255.255.255.0

On Linux VM 2:

/sbin/ifconfig eth1:0 192.168.10.2 netmask 255.255.255.0

Then to test again used telnet

[root@centos ~]# telnet 192.168.10.2 22

Then I found Virtualbox has a special Internal Networking support to choose in the Attached to drop down menu. According to the Internal Networking Virtualbox instructions, to put two Virtual Machine hosts inside an Internal network they should both be set to an Internal network with an identical name.
P. S. It is explicitly stated that using Internal Network will enable access between Guest Virtual Machines OS, but hosts will not have access to the Internet (which in my case didn't really matter, as I needed the two Linux VMs just as a testbed).

I tried this option but it didn't work for me for some reason. After some time of research online on how to create a local LAN network between 2 Virtual Machines, luckily I decided to test all available Virtualbox Networking choices and noticed Host-only adapter.

Selecting Host-only Adapter and using terminal to re-fetch IP address over dhcp:


On CentOS VM1

dhclient eth0

On CentOS VM2

dhclient eth1

assigned me two adjoining IPs – (192.168.56.101 and 192.168.56.102).

Connection between the 2 IPs 192.168.56.101 and 192.168.56.102 over the TCP, UDP and ICMP protocols works; now all that is left is to install MySQL cluster on both nodes.

 

Linux: How to see / change supported network bandwidth of NIC interface and get various eth network statistics with ethtool

Monday, January 19th, 2015

If you're a novice Linux sysadmin who has inherited some dedicated servers without any documentation, one of the first things you have to do to start new server documentation is to check the supported TCP/IP network speed of the servers' network (ethernet) interfaces. On Linux this is a very easy task: to verify the speed of Local / Internet traffic supported by the LAN card, install ethtool (if not already present on the servers), assuming you're dealing with Debian / Ubuntu Linux servers.

1. Install ethtool on Deb and RPM based distros

dedi-server1:~# apt-cache show ethtool|grep -i desc -A 3
Description: display or change Ethernet device settings
 ethtool can be used to query and change settings such as speed, auto-
 negotiation and checksum offload on many network devices, especially
 Ethernet devices.

dedi-server1:~# apt-get install --yes ethtool
..

ethtool should be installed by default on CentOS / Fedora / RHEL and the syntax is the same as on Debian. If you happen to miss ethtool on any (SuSE) / RedHat / RPM based distro, install it with yum:

[root@centos:~] # yum -y install ethtool


2. Get ethernet configurations

To check the current eth0 / eth1 / ethX network (Speed / Duplex) and other network related configuration:
 

dedi-server5:~# ethtool eth0

Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full

        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off
        Supports Wake-on: pumbag
        Wake-on: g
        Current message level: 0x00000001 (1)
        Link detected: yes

Having a NIC configured to act as Duplex is very important, as duplex communication enables the LAN card to communicate in both directions (send / receive packets) simultaneously.

Probably the most interesting parameters for most admins are the ones telling whether the NIC uplink is 10 megabyte / 100 megabyte or 1 Gigabyte, as well as the supported receive / send (transfer) speeds of the LAN. A common useful ethtool admin use is to just show the current LAN ethernet interface speed:

server-admin1:~# ethtool eth0 |grep -i speed
        Speed: 1000Mb/s

 

To get info about NIC (kernel module / driver) used with ethtool:

dedi-server3:~# ethtool -i eth0
driver: e1000e
version: 1.2.20-k2
firmware-version: 1.8-0
bus-info: 0000:06:00.0

3. Make LAN Card blink to recognize eth is mapped to which Physical LAN

Besides that, ethtool has many other useful use cases. For example, if you have a server with 5 or more LAN cards but you're not sure which physical card each of the EthX interfaces corresponds to, a very useful thing is to make eth0, eth1, eth2, eth3, etc. blink for 5 seconds in order to identify which static IP is physically bound to which NIC. Here is how:

ethtool -p eth0 5


Then you can follow the procedure for any interface on the server and map them with a sticker 🙂

Ethtool is also useful for getting "deep" (thorough) statistics on server LAN cards; this can be useful to identify sometimes hard to determine broadcast flood attacks:
 

4. Get network statistics with ethtool for interfaces
 

dedi-server5:~# ethtool -S eth0|grep -vw 0
NIC statistics:
     rx_packets: 6196644448
     tx_packets: 7197385158
     rx_bytes: 2038559235701
     tx_bytes: 8281206569250
     rx_broadcast: 357508947
     tx_broadcast: 172
     rx_multicast: 34731963
     tx_multicast: 20
     rx_errors: 115
     multicast: 34731963
     rx_length_errors: 115
     rx_no_buffer_count: 26391
     rx_missed_errors: 10059
     tx_timeout_count: 3
     tx_restart_queue: 2590
     rx_short_length_errors: 115
     tx_tcp_seg_good: 964136993
     rx_long_byte_count: 2038559235701
     rx_csum_offload_good: 5824813965
     rx_csum_offload_errors: 42186
     rx_smbus: 383640020
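The counters above are totals since the driver was loaded, so a flood only shows up when two readings are compared. The following is an added example, not part of the original post: it parses two `ethtool -S` outputs, computes the share of broadcast frames among received packets in the interval, and also reports growth of the receive-drop counters. The first snapshot reuses counters from the output above; the second snapshot, the 60 second interval and the 20% threshold are constructed assumptions, and the counter names are the ones this driver prints (other drivers name them differently).

```python
"""Compare two `ethtool -S` snapshots: broadcast share and receive drops."""
import re

# First snapshot: a subset of the counters shown above.
SNAPSHOT_T0 = """\
NIC statistics:
     rx_packets: 6196644448
     rx_broadcast: 357508947
     rx_multicast: 34731963
     rx_no_buffer_count: 26391
     rx_missed_errors: 10059
"""

# Second snapshot: constructed values, as if read 60 seconds later.
SNAPSHOT_T1 = """\
NIC statistics:
     rx_packets: 6197844448
     rx_broadcast: 358408947
     rx_multicast: 34732963
     rx_no_buffer_count: 26891
     rx_missed_errors: 10509
"""

COUNTER_RE = re.compile(r"^\s*(\S+):\s+(\d+)\s*$")


def parse_stats(text):
    """Turn 'name: value' lines into a dict; the header line is skipped."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def delta(before, after, name):
    """Increase of one counter between snapshots.

    A smaller later value means the counter was reset (driver reload or
    reboot), so the later value itself is the increase since the reset.
    """
    b, a = before.get(name, 0), after.get(name, 0)
    return a - b if a >= b else a


def assess(before_text, after_text, interval_s,
           max_bcast_ratio=0.20, min_packets=1000):
    """Return rates for the interval and a list of alert names."""
    before, after = parse_stats(before_text), parse_stats(after_text)
    rx = delta(before, after, "rx_packets")
    bcast = delta(before, after, "rx_broadcast")
    drops = (delta(before, after, "rx_no_buffer_count")
             + delta(before, after, "rx_missed_errors"))
    ratio = bcast / rx if rx else 0.0

    alerts = []
    # Ignore the ratio on a nearly idle link, where a few ARP frames
    # would otherwise look like a flood.
    if rx >= min_packets and ratio > max_bcast_ratio:
        alerts.append("broadcast_ratio")
    # Growing no-buffer / missed counters mean the NIC ran out of receive
    # descriptors, the case the ring buffer tuning further down addresses.
    if drops > 0:
        alerts.append("rx_drops")

    return {"rx_pps": rx / interval_s,
            "bcast_pps": bcast / interval_s,
            "bcast_ratio": ratio,
            "rx_drops": drops,
            "alerts": alerts}


if __name__ == "__main__":
    result = assess(SNAPSHOT_T0, SNAPSHOT_T1, interval_s=60)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real host the two snapshots would come from running `ethtool -S eth0` twice with a known delay between the runs.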

5. Turn on Auto Negotiation and change NIC set speed to 10 / 100 / 1000 Mb/s

Auto-negotiation is an important ethernet procedure by which two communicating devices (2 network cards) choose common transmission parameters such as speed, duplex mode, and flow control in order to achieve maximum transmission speed over the network. On 1000BASE-T based networks the standard is mandatory. There is also backward compatibility for older 10BASE-T networks.

a) To raise the NIC to 1000 Mb/s in case the bandwidth was raised to 1Gb/s but the NIC settings were not changed:

dedi-server1:~# ethtool -s eth0 speed 1000 duplex full autoneg off


b) In case the LAN speed has to be reduced for some weird reason to 10 / 100Mb/s

 

dedi-server1:~# ethtool -s eth0 speed 10 duplex half autoneg off

dedi-server1:~# ethtool -s eth0 speed 100 duplex half autoneg off

c) To enable NIC auto-negotiation (use autoneg off to disable it):

dedi-server1:~# ethtool -s eth0 autoneg on


6. Change Speed / Duplex settings to load on boot

a) Set Network to Duplex on Fedora / CentOS etc.

The quickest way to do it is of course to use /etc/rc.local. If you want to do it following the distribution logic on CentOS / RHEL Linux:

Add to /etc/sysconfig/network-scripts/ifcfg-eth0

vim /etc/sysconfig/network-scripts/ifcfg-eth0

ETHTOOL_OPTS="speed 1000 duplex full autoneg off"

To load the new settings restart networking (be careful to have physical access to server if something goes wrong 🙂 )

service network restart

b) Change network speed / duplex setting on Debian / Ubuntu Linux

Add at the end of /etc/network/interfaces

vim /etc/network/interfaces

post-up ethtool -s eth0 speed 100 duplex full autoneg off

7. Tune NIC ring buffers

dedi-server1:~# ethtool -g eth0

Ring parameters for eth0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256

As you can see, the default RX (receive) buffer size is low (256), which matters on busy servers with high traffic loads; this RX buffer size varies depending on the hardware NIC vendor.
By increasing the Rx/Tx ring buffer size you can decrease the probability of discarding packets in the NIC during a scheduling delay.
A change of the rx ring buffer requires a NIC restart, so be careful not to lose connection to the remote server and be sure to have iLO access to it.

Here is how to raise Rx ring buffer size 4 times from default value:

ethtool -G eth0 rx 4096 tx 4096

The Lord’s Prayer – Otche Nash in 10 Languages Choire performance (The Lord’s Prayer in Church Slavonic, Russian, English, Syriac, Egyptian, Bulgarian, Serbian, Macedonian, Latin)

Friday, November 30th, 2012

The Lord's Prayer – Otche Nash, Отче Наш (Slavonic with English)

Otche nash in Church Slavonic in Glagolica

Ѿче на́шъ иже еси на н[е]б[е]се[хъ],

 да с[вѧ]ти́тсѧ и́мѧ Твое́,

да прїидетъ ц[а]рствїе Твое́,

да буде[тъ] волѧ Твоѧ́,

ѧко на н[е]б[е]си и на земли́.

Хлѣ́бъ на́шъ насущныи да́ждъ на́мъ дне́сь,

и оста́ви на́мъ дол[ъ]гы на́ша,

ѧко и мы оставлѧ́емъ дол[ъ]жникомъ на́ши[мъ].

 и не в[ъ]веди на́съ в напа́сть

но изба́ви на[съ] ѿ лука́ваго:

 ѧко твое есть ц[а]рствїе

и сила и слава во в[е]ки.

Аминь.

 

Otche Nash in modernized Church Slavonic

Отче на́шъ иже еси на небесехъ,
да святи́тся и́мя Твое́,
да прїидетъ царствїе Твое́,
да будетъ воля Твоя́,
яко на небеси и на земли́.
Хлебъ на́шъ насущныи да́ждъ на́мъ дне́сь,
и оста́ви на́мъ долъгы на́ша,
Яко и мы оставля́емъ долъжникомъ на́шимъ.
и не въведи на́съ в напа́сть
но изба́ви насъ от лука́ваго:
Яко твое есть царствїе
и сила и слава во веки.
Аминь.

Russian translations, 1860

Отче нашъ, сущій на небесахъ!
да святится имя Твое;
да пріидетъ Царствіе Твое;   
да будетъ воля Твоя и на землѣ, какъ на небѣ;
хлѣбъ нашъ насущный дай намъ на сей день;
и прости намъ долги наши, какъ и мы прощаемъ должникамъ нашимъ;
и не введи насъ в искушеніе, но избавь насъ от лукаваго

 

 

Otche Nash in Russian Language

The Lord's Prayer (Modern English)

Our Father, who art in heaven, hallowed be Thy name. Thy Kingdom come, Thy will be done, on earth as it is in heaven. Give us this day our daily bread; and forgive us our trespasses as we forgive those who trespass against us; and lead us not into temptation, but deliver us from the evil.

The Lord's Prayer in (Old English KJV translation)

Our Father, who art in heaven, hallowed be Thy name.
Thy Kingdom come, Thy will be done, on earth as it is in heaven.
Give us this day our daily bread;
and forgive us our trespasses
as we forgive those who trespass against us;
and lead us not into temptation,
but deliver us from evil.

The Lord's Prayer in Anglo Saxon (Old English) – Faeder Ure

Otche Nash in Bulgarian

Отче наш, Който си на небесата!
Да се свети Твоето име,
да дойде Твоето Царство,
да бъде Твоята воля,
както на небето, тъй и на земята;
насъщния ни хляб дай ни днес,
и прости нам дълговете ни,
както и ние прощаваме на нашите длъжници,
и не въведи нас в изкушение,
но избави ни от лукавия;
защото Твое е царството,
и силата, и славата вовеки.
Амин

 

 Bulgarian Chants – Otche Nash

Otche Nash in Greek

Πάτερ ἡμῶν ὁ ἐν τοῖς οὐρανοῖς ἁγιασθήτω τὸ ὄνομά σου· ἐλθέτω ἡ βασιλεία σου· γενηθήτω τὸ θέλημά σου, ὡς ἐν οὐρανῷ καὶ ἐπὶ τῆς γῆς· τὸν ἄρτον ἡμῶν τὸν ἐπιούσιον δὸς ἡμῖν σήμερον· καὶ ἄφες ἡμῖν τὰ ὀφελήματα ἡμῶν, ὡς καὶ ἡμεῖς ἀφίεμεν τοῖς ὀφειλέταις ἡμῶν· καὶ μὴ εἰσενέγκῃς ἡμᾶς εἰς πειρασμόν, ἀλλὰ ῥῦσαι ἡμᾶς ἀπὸ τοῦ πονηροῦ. [Ὅτι σοῦ ἐστιν ἡ βασιλεία καὶ ἡ δύναμις καὶ ἡ δόξα εἰς τοὺς αἰῶνας· ἀμήν.

 

Our Father in Greek with subtitles and translation (Pater imon)

bun d-bashmayo nithqadash shmokh tithe malkuthokh nehwe sebyonokh aykano d-bashmayo oph bar`o hab lan lahmo d-sunqonan yowmono washbuq lan hawbayn wahtohayn aykano doph hnan shbaqan l-hayobayn lo ta`lan l-nesyuno elo paso lan men bisho metul d-dylokh hi malkutho whaylo wteshbuhto l`olam `olmin Amin

Syriac Orthodox Prayer Abun D'Bashmayo (The Lord's Prayer)

The Lord's prayer in Latin language (IX century) – Cod.Sang. 17

Pater noster qui in celis es, sanctificetur nomen tuum, veniat regnum tuum, fiat voluntas tua, sicut in celo et in terra, panem nostrum supersubstantialem da nobis hodie, et dimitte nobis debita nostra, sicut et nos dimittimus debitoribus nostris, et ne nos inducas in temptationem, sed libera nos a malo.


The Lord's prayer in Coptic Language (Egyptian)

Je peniwt etqen niv/oui: mareftoubo n~je pekran: mareci~ n~je
tekmetouro: petehnak marefswpi: m~v~r/] qen t~ve: nem hijen pikahi:
penwik n~te rac]: m/if nan m~voou: ouoh ,a n/e~teron nan e~bol: m~v~r/]
hwn: n~ten,w e~bol: n~n/e~te ouon n~tan e~rwou: ouoh m~perenten e~qoun
e~piracmoc: alla nahmen e~bol ha pipethwou: qen Pi,~rictoc: I/couc
Pen[oic: je ywk te ]metouro: nem ]jom: nem piwou: sa e~neh: a~m/n.
Je penyoat et khen ni fee owi: maref toovo en je pekran: mares ee en je tek met ooro: petehnak maref
shoapi: em efreeti khen et fe: nem hijen pi kahi: pen oik ente rasti: meef nan em fo oo: owoh ka nee e
te ron nan evol: em efreeti hoan: en ten koa evol: en nee e te oo on entan eroa oo: owoh em perenten
ekhoon e pi rasmos: alla nahmen evol ha pi pet hoa oo: khen pi ekhristos: Eesoos Penchois: je thoak
te ti met ooro: nem ti gom: nem pi oa oo: sha eneh: ameen.

 

The Lord's Prayer in Coptic (Egyptian Language)

Pater Nostra with English Translation

An interesting point to make here: the English translation reads "but deliver us from evil", whereas the Church Slavonic text of the Orthodox Church literally reads "deliver us from the evil one", stressing that evil is not an abstract force, as most modern people think, but is personalized. There is the evil one, who has a personality, and evil is not some abstract force as taught and believed by multitudes of people, including Christians, today.

Molitva Gospodnia (Oce Nash) in Serbian Language

Оче наш који си на небесима,
да се свети име твоје;
да дође царство твоје;
да буде воља твоја и на земљи као на небу.
Хљеб наш насушни дај нам данас;
и опрости нам дугове наше као и ми што опраштамо дужницима својим;
и не уведи нас у искушење,
но избави нас од злога.
Јер је твоје царство и сила и слава, Оца и Сина и Светога Духа, сада и увијек и у вјекове вијекова. Амин.  

Oce Nash (The Lord's Prayer) by George Milosh in Saint Elias Serbian Orthodox Church in Aliquippa, PA


Otche Nash (Oche Nash) in Macedonian Language

 

The Lord's Prayer in Macedonian Language

Оче наш, кој си на небесата,
да се свети името Твое;
да дојде царството Твое;
да биде волјата Твоја
како на небото, така и на земјата.
Лебот наш насушен дај ни го денес,
и прости ни ги долговите наши,
како што им ги проштаваме и ние на нашите должници.
И не воведувај нѐ во искушение
но избави нѐ од лукавиот.

 

Oče naš – Otche nash in Croatian Language

Oče naš,
koji jesi na nebesima,
sveti se ime Tvoje,
dođi kraljevstvo Tvoje,
budi volja Tvoja,
kako na nebu, tako i na zemlji.

Kruh naš svagdanji daj nam danas,
i otpusti nam duge naše,
kako i mi otpuštamo dužnicima našim,
i ne uvedi nas u napast,
nego izbavi nas od Zloga!.
Amen.

After some exploration, I noticed there is a website that tries to collect in one place The Lord's Prayer in all presently spoken languages – check it here

How to add a range of virtual IPs to a CentOS and Fedora Linux server

Monday, July 18th, 2011

Recently I had the task of adding a range of a few IP addresses as virtual interface IPs.

The normal way to do that is of course to use the well-known ifconfig eth0:0, ifconfig eth0:1, or a tiny shell script which does it and is set up to run through /etc/rc.local .

However, the Redhat guys can skip all this mumbo jumbo and do it The Redhat way TM 😉 by using a standard method documented in the CentOS and RHEL documentation.
Here is how:

# go to network-script directory
[root@centos ~]# cd /etc/sysconfig/network-scripts
# create ifcfg-eth0-range (if virtual ips are to be assigned on eth0 lan interface)
[root@centos network-scripts]# touch ifcfg-eth0-range

Now open ifcfg-eth0-range with a text editor, or use the echo command, and put the following inside:

IPADDR_START=192.168.1.120
IPADDR_END=192.168.1.250
NETMASK=255.255.255.25
CLONENUM_START=0

Now save the /etc/sysconfig/network-scripts/ifcfg-eth0-range file and finally restart CentOS networking via the network script:

[root@centos network-scripts]# service network restart

That’s all. After the network gets reinitialized, all the IPs starting with 192.168.1.120 and ending with 192.168.1.250 will be assigned as virtual IPs on the eth0 interface.
Cheers 😉
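A way to preview the result before restarting the network, as an added example (not part of the original post and not the Red Hat network scripts' own code): the hypothetical function expand_range parses a range file and lists the alias each address would get. It assumes the range stays within one /24 and that aliases are numbered upward from CLONENUM_START; the sample file is constructed from the values above.

```shell
#!/bin/sh
# expand_range FILE DEVICE -> prints "DEVICE:N IP" per line, returns 1 on a bad range.
expand_range() {
    file=$1; dev=$2
    start=; end=; clone=0
    # Parse KEY=VALUE pairs instead of sourcing the file, so nothing in it is executed.
    while IFS='=' read -r key value; do
        case $key in
            IPADDR_START)   start=$value ;;
            IPADDR_END)     end=$value ;;
            CLONENUM_START) clone=${value:-0} ;;
        esac
    done < "$file"

    [ -n "$start" ] && [ -n "$end" ] || { echo "missing IPADDR_START/IPADDR_END" >&2; return 1; }
    prefix=${start%.*}   # first three octets
    first=${start##*.}   # last octet of the first address
    last=${end##*.}      # last octet of the last address
    # Assumption: the whole range lives in one /24 (same first three octets).
    [ "$prefix" = "${end%.*}" ] || { echo "start and end prefixes differ" >&2; return 1; }
    case "$first$last$clone" in
        *[!0-9]*) echo "non-numeric value" >&2; return 1 ;;
    esac
    [ "$first" -le "$last" ] && [ "$last" -le 254 ] || { echo "bad host range" >&2; return 1; }

    n=$first
    while [ "$n" -le "$last" ]; do
        echo "$dev:$clone $prefix.$n"
        n=$((n + 1))
        clone=$((clone + 1))
    done
}

# Constructed sample input using the addresses from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
IPADDR_START=192.168.1.120
IPADDR_END=192.168.1.250
CLONENUM_START=0
EOF

expand_range "$sample" eth0 | sed -n '1p;$p'   # first and last alias
echo "aliases: $(expand_range "$sample" eth0 | wc -l)"
rm -f "$sample"
```

Comparing this list with the output of ifconfig after the restart confirms that every address in the range came up and that no unexpected alias was added.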

Universal way to configure a static IP address on ethernet lan (eth0) interface in Linux

Friday, April 29th, 2011

Two of the most precious commands I ever learned to use in Linux are ifconfig and route .

They have saved my life in configuring the static IP based internet of numerous Desktop Linux computers & notebooks.

Though the usage is well known to most people who are into Linux, I believe it’s likely that newer people who have entered the world of Linux, or some Unix system administrators, still lack the knowledge of how to manually configure their eth0 lan card, so I thought it might be handy to share it. I know that for most unix users & admins, especially the advanced ones, this post might be funny, so if you’re an advanced administrator just skip the post and don’t laugh at it 😉

Now the universal commands (they work on each and every Linux host) to manually configure a static IP internet connection on Linux are:

linux:~# /sbin/ifconfig eth0 192.168.0.3 netmask 255.255.255.0
linux:~# /sbin/route add default gw 192.168.0.1
linux:~# echo 'nameserver 192.168.0.1' >> /etc/resolv.conf

I’ve used these simple commands on thousands of Linux hosts and they’re still handy 🙂

In the above example, 192.168.0.3 is the static IP address provided by the ISP, netmask is the netmask, and the second command, /sbin/route add default gw, sets the default gateway to the example IP 192.168.0.1

The third and final line adds the resolver nameserver the Linux host will use.

Cheers 😉