Tag Archives: networking

SSH socks proxies hanging

I use SSH's SOCKS proxy feature a lot, in fact all the time: most of my browsing, IM, etc. goes out over it via my hosted virtual machines.

I do this to simplify my life for things like firewall rules and also to get around things like age blocks on mobile networks. I work for a site deemed adult by most of them, so I can't even see my Nagios without age verifying.

Recently they have been driving me nuts: every now and then the whole session would just lock up and sit there doing nothing. I'd not seen this happen before and was a bit stumped.

Turns out it sometimes chooses to speak to TCP/53 instead of UDP/53 for resolving. I'm not sure why exactly and I've not tried to figure out what queries cause this, but I know there are limits to response sizes which will force it to go over TCP. Why it's only started doing this now I don't know; maybe an update changed the behaviour. I've never had TCP/53 open on the cache.

My firewall was blocking TCP/53 to the local cache, so this would lock up the whole SSH session. Maybe the whole SSH process is single-threaded and so waiting in SYN_SENT just hangs the whole thing; that's a bit sucky, I might need a better proxy.
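To show the mechanism behind that hang, here is an added example (my code, not part of the original post) that parses the DNS header of a UDP reply and checks the TC (truncated) bit, which is what tells a resolver it must repeat the query over TCP, and that shows the 2-byte length framing DNS uses on TCP. The query, the two replies and the 2001:db8::1 answer are constructed by hand, not captured; the only real-world rule the code leans on is RFC 1035: truncated over UDP means retry over TCP. If TCP/53 to the cache is filtered, that retry is the connection stuck in SYN_SENT.

```python
"""Why a resolver switches to TCP/53, in code.

Added example, not from the original post.  Sample messages are constructed
by hand rather than captured.  RFC 1035 rules implemented here: a UDP reply
with the TC (truncated) bit set must be retried over TCP, and a DNS message
on TCP is prefixed by a 2-byte big-endian length."""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

FLAG_QR = 0x8000  # 1 = response
FLAG_TC = 0x0200  # truncated: answer did not fit in the UDP reply, retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply):
    """True when a UDP reply is truncated, i.e. the resolver must re-ask over TCP."""
    h = parse_header(udp_reply)
    return h["qr"] and h["tc"]


def build_query(ident, name, qtype=1):
    """Wire-format query for name (qtype 1 = A, 28 = AAAA) with RD set."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return DNS_HEADER.pack(ident, FLAG_RD, 1, 0, 0, 0) + question


def tcp_frame(msg):
    """The same message as it is sent over TCP: 2-byte length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream into complete DNS messages; returns (messages, leftover)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break  # partial message, wait for more bytes
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def resolver_transport(udp_reply):
    """What a stub resolver does next with a given UDP reply."""
    return "tcp" if needs_tcp_retry(udp_reply) else "done"


# Constructed sample exchange: an AAAA query and two replies to it.
QUERY = build_query(0x1234, "example.com", qtype=28)
QUESTION = QUERY[DNS_HEADER.size:]
# complete reply: one AAAA record (name pointer 0xc00c -> the question name)
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 300, 16) + bytes.fromhex(
    "20010db8000000000000000000000001")
REPLY_OK = DNS_HEADER.pack(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0) + QUESTION + ANSWER
# truncated reply: TC set, answer section dropped, client must retry over TCP
REPLY_TC = DNS_HEADER.pack(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print("complete reply  ->", resolver_transport(REPLY_OK))
    print("truncated reply ->", resolver_transport(REPLY_TC))
    print("TCP frame of the query:", tcp_frame(QUERY).hex())
```

The practical consequence is that a resolver, or a cache that forwards upstream, needs TCP/53 permitted as well as UDP/53 wherever UDP/53 is permitted; a firewall that only opens UDP works until the first truncated answer.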


Load Balancing with HAProxy

Load balancers are some of the most expensive bits of equipment small to medium-sized sites are likely to buy, even more expensive than database servers.

Since I help a number of small, young startups, a good open source load balancer is essential; I use HAProxy for this purpose.

HAProxy is a high-performance, event-driven (non-threaded) load balancer. It supports a lot of really excellent features such as regular-expression-based logic to route certain types of request to different backend servers and session tracking using cookies or parts of the URL, and it has extensive documentation.

Getting a fully redundant pair of load balancers going with it requires the help of something like Linux-HA, which I use extensively for this purpose; the combination of HAProxy and Linux-HA gives you an active-passive cluster with failover that really does work a charm.

I recently had to reload an HAProxy instance after about 100 days of uptime; its stats showed 1.8 billion requests, 15TB out and just short of 2TB in.


Worth checking out HAProxy before shelling out GBP 15,000 for two hardware load balancers.
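As an added example that is not from the original post, here is a minimal haproxy.cfg exercising the features mentioned above: a regex ACL on the request path that sends static assets to their own pool, a prefix ACL for an API pool, cookie-based session persistence on the application pool, and the stats page bound to loopback behind a password. The backend names and addresses, the /healthz check URL and the stats credentials are assumptions for illustration.

```haproxy
global
    log 127.0.0.1 local0
    maxconn 10000
    user haproxy
    group haproxy
    daemon

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend www
    bind *:80
    # regex-based routing: anything that looks like a static asset goes to the static pool
    acl is_static path_reg -i \.(png|jpe?g|gif|css|js)$
    acl is_api    path_beg /api/
    use_backend static if is_static
    use_backend api    if is_api
    default_backend app

backend app
    balance roundrobin
    # sticky sessions: insert a SERVERID cookie for clients that don't have one yet
    cookie SERVERID insert indirect nocache
    option httpchk GET /healthz
    server app1 10.0.0.11:8080 cookie app1 check
    server app2 10.0.0.12:8080 cookie app2 check

backend api
    balance leastconn
    option httpchk GET /healthz
    server api1 10.0.0.21:8080 check
    server api2 10.0.0.22:8080 check

backend static
    balance roundrobin
    server static1 10.0.0.31:80 check
    server static2 10.0.0.32:80 check

# stats page: loopback only, and change the password before deploying
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /
    stats auth admin:changeme
```

The `indirect` and `nocache` keywords matter for the persistence cookie: the cookie is consumed by HAProxy rather than passed to the backend, and responses that set it are marked non-cacheable so a shared cache can't hand one client's server pin to another.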


SixXS IPv6 and CentOS

I thought it's high time I spent some time with IPv6, so I signed up for a static tunnel from sixxs.net; apart from taking some time it's a fairly painless process to get going.

I chose a static tunnel since I am just 9ms from one of their brokers and my machine is up all the time anyway. They have some docs on how to get RedHat machines talking to them but they were not particularly accurate; this is what I did:

You’ll get a mail from them listing your details, something like this:

  Tunnel Id          : T21201
  PoP Name           : dedus01 (de.speedpartner [AS34225])
  Your Location      : Gunzenhausen, de
  SixXS IPv6         : 2a01:x:x:x::1/64
  Your IPv6          : 2a01:x:x:x::2/64
  SixXS IPv4         : 91.184.37.98
  Tunnel Type        : Static (Proto-41)
  Your IPv4          : 78.x.x.x

Using this you can now configure your CentOS machine to bring the tunnel up; you need to edit these files:

/etc/sysconfig/network

NETWORKING_IPV6=yes
IPV6_DEFAULTDEV=sit1

/etc/sysconfig/network-scripts/ifcfg-sit1

DEVICE=sit1
BOOTPROTO=none
ONBOOT=yes
IPV6INIT=yes
IPV6_TUNNELNAME="sixxs"
IPV6TUNNELIPV4="91.184.37.98"
IPV6TUNNELIPV4LOCAL="78.x.x.x"
IPV6ADDR="2a01:x:x:x::2/64"
IPV6_MTU="1280"
TYPE=sit

Just replace the values from your email into the files above. If you run a host firewall it must also accept IP protocol 41 (IPv6-in-IPv4) from the SixXS IPv4 endpoint, 91.184.37.98 in this example, otherwise the tunnel will never pass traffic. Once this is in place, reboot or restart your networking and you should see something like this:

% ifconfig sit1
sit1      Link encap:IPv6-in-IPv4 
          inet6 addr: 2a01:x:x:x::2/64 Scope:Global
          inet6 addr: fe80::4e2f:c3c6/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:6383 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6431 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4072476 (3.8 MiB)  TX bytes:921722 (900.1 KiB)

% ping6 -c 3 -n noc.sixxs.net
PING noc.sixxs.net(2001:838:1:1:210:dcff:fe20:7c7c) 56 data bytes
64 bytes from 2001:838:1:1:210:dcff:fe20:7c7c: icmp_seq=0 ttl=57 time=20.2 ms
64 bytes from 2001:838:1:1:210:dcff:fe20:7c7c: icmp_seq=1 ttl=57 time=28.4 ms
64 bytes from 2001:838:1:1:210:dcff:fe20:7c7c: icmp_seq=2 ttl=57 time=20.1 ms

— noc.sixxs.net ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2008ms
rtt min/avg/max/mdev = 20.181/22.934/28.406/3.869 ms, pipe 2

Since this is a remote machine it took me some time to figure out how to get browsing going through it, but once I reconnected my SSH SOCKS tunnel it immediately became IPv6 aware and was happily routing me to sites like ipv6.google.com. To do this just run from your desktop:

ssh -D 1080 yourbox.net

Now set network.proxy.socks_remote_dns to true in Firefox's about:config and point your browser at localhost:1080 as a SOCKS proxy. With remote DNS the name lookups happen on the tunnelled box, which gets AAAA records and connects over IPv6, so your SSH session now works as a perfectly effective IPv4-to-IPv6 gateway. You can test it by browsing to either the sixxs.net homepage or ipv6.google.com; watch out for the special Google logo.


Location aware Bind for RedHat 5.3

Previously I wrote about RPMs I built to GeoIP enable Bind using the original patches at http://www.caraytech.com/geodns/.

I have now refreshed this for the latest CentOS 5.3. The details of the patch, install instructions etc. have not changed, so read the previous article for the details; the new RPMs are below:

NOTE: When you install these RPMs you won't see an /etc/named.conf being created, and there are a few other odd things; these are bugs that exist in the CentOS-provided RPMs, which do the same.

bind-9.3.4-10.P1geodns.el5.i386.rpm
bind-chroot-9.3.4-10.P1geodns.el5.i386.rpm
bind-devel-9.3.4-10.P1geodns.el5.i386.rpm
bind-libbind-devel-9.3.4-10.P1geodns.el5.i386.rpm
bind-libs-9.3.4-10.P1geodns.el5.i386.rpm
bind-utils-9.3.4-10.P1geodns.el5.i386.rpm
bind-sdb-9.3.4-10.P1geodns.el5.i386.rpm
caching-nameserver-9.3.4-10.P1geodns.el5.i386.rpm

bind-9.3.4-10.P1geodns.el5.x86_64.rpm
bind-chroot-9.3.4-10.P1geodns.el5.x86_64.rpm
bind-libbind-devel-9.3.4-10.P1geodns.el5.x86_64.rpm
bind-devel-9.3.4-10.P1geodns.el5.x86_64.rpm
bind-libs-9.3.4-10.P1geodns.el5.x86_64.rpm
bind-sdb-9.3.4-10.P1geodns.el5.x86_64.rpm
bind-utils-9.3.4-10.P1geodns.el5.x86_64.rpm
caching-nameserver-9.3.4-10.P1geodns.el5.x86_64.rpm

bind-9.3.4-10.P1geodns.el5.src.rpm

bind.spec-diff


RedHat Linux <-> Cisco ASA IPSEC VPN

I've previously mentioned the really great sysconfig-integrated IPsec on RedHat Linux here, but thought I'd now show a real-world example of a Cisco ASA and a RedHat machine talking, since it is not totally obvious and it is not something I have seen specifically documented anywhere via Google.

A quick recap: RedHat now lets you build IPsec VPNs using just simple ifcfg-eth0 style config files.

I'll quickly show both sides of the config for a site-to-site VPN. Site A is a Linux machine with a real IP address while Site B is a Cisco ASA with a private network behind it. The Linux machine has this in /etc/sysconfig/network-scripts/ifcfg-ipsec1:

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=1.2.3.4
DSTGW=2.3.4.5
SRCNET=1.2.3.4/32
DSTNET=10.1.1.0/24
DST=2.3.4.5
AH_PROTO=none

The pre-shared key goes in /etc/sysconfig/network-scripts/keys-ipsec1 as per the RedHat documentation; keep that file readable by root only.

The Cisco ASA does not support AH, so the big deal here is to disable AH (AH_PROTO=none); that turns out to be the magic knob to tweak to make it work.

In this case the Linux Server on Site A has the IP address 1.2.3.4 while the ASA is running on 2.3.4.5, the private network at Site B is 10.1.1.0/24.

On the Cisco the relevant lines of config are:

object-group network siteb_to_sitea_local_hosts
    description Site B to Site A VPN Local hosts
    network-object 10.1.1.0 255.255.255.0
object-group network siteb_to_sitea_remote_hosts
    description Site B to Site A VPN Remote Hosts
    network-object 1.2.3.4 255.255.255.255

access-list siteb_to_sitea_vpn extended permit ip object-group siteb_to_sitea_local_hosts object-group siteb_to_sitea_remote_hosts
access-list inside_nat_bypass extended permit ip object-group siteb_to_sitea_local_hosts object-group siteb_to_sitea_remote_hosts

nat (inside) 0 access-list inside_nat_bypass

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address siteb_to_sitea_vpn
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 1.2.3.4
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside

crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
    pre-shared-key secret

Using these specific phase 1 and phase 2 parameters (lifetimes, PFS, ciphers etc.) means the ASA matches the out-of-the-box defaults in /etc/racoon/racoon.conf, minimising the amount of tweaking needed on the RedHat machine. Note that 3DES, SHA-1 and DH group 2 are the lowest common denominator here; if both ends support it, AES and a larger DH group are preferable, and the pre-shared key shown as "secret" should of course be a long random string.

All that is needed now is to start the VPN using /etc/sysconfig/network-scripts/ifup ifcfg-ipsec1 and you should be able to communicate between your nodes. You can confirm that the security associations came up with setkey -D, and check the installed policies with setkey -DP.


Devolo dLAN Homeplug Networking

I live in a pretty typical for London double-storey house; my study is upstairs with the TV etc. downstairs. Until now I've just used a Wireless N router to get connectivity downstairs, but it's proven to be less than reliable. Additionally my ADSL router was upstairs, on an extension and not on the main socket, which is a recipe for disaster.

I've considered many options, long cables and all sorts of things like this. Today while wandering through PC shops trying to find a decent USB reader I again noticed the Homeplug devices and thought I'd give them a try.

I bought 3 units of the Devolo dLAN 200 AVeasy; they are 200Mbps maximum devices and support all sorts of fancy things like AES encryption and basically an ACL of sorts to only allow certain devices to talk to each other. You can essentially create a VLAN by giving groups of devices different passwords.

At first I was fairly sceptical but figured it was worth a shot; I am glad to say the devices totally exceeded my wildest expectations.

Installation was a breeze: pop them into the wall, plug in cables and it all just works. Of course it is not secured by default, so I went digging through their site; the docs and so forth are pretty crap to say the least, but I found software for Linux, Windows and OS X to manage them. Each device has a security ID on the back; you just type the IDs for all your devices into the app and provide a password, and this gets used to secure the network with AES.

I have now moved my router and firewall machine downstairs to the main socket (ADSL is now much more stable) and have moved the Wifi router downstairs too via the Devolo units. Overall the whole setup just works great; even my Xbox is working great again after my old wireless bridge died.

I use a gigabit switch on my LAN and get around 0.3ms ping times in general; if I ping a device on the other end of the Devolo units ping times are around 4ms, and transfer speeds over the units are around 7MB/sec when using scp. These figures are very respectable and much better than I had hoped for in the past while considering them.

At about GBP 50 per unit and the sacrifice of a wall socket it's a pretty expensive solution (other manufacturers apparently have ones that act as a network adapter and a power socket so you don't waste a socket), but for me this has proven to be an excellent solution and completely sorted out my network reliability issues.


An Illustrated Guide to IPSec

I came across an excellent guide called An Illustrated Guide to IPSec; it's very thorough and well worth checking out if you are interested in the inner workings of IPsec.


OpenVPN 2 Released

Tonight I noticed that OpenVPN 2 was finally released on the 17th of April 2005. It has been a long time coming but finally it's out; I'll be upgrading my servers soon :)


OS X to Samba slow performance

I have been really annoyed at this iBook since it was very, very slow to my Samba servers (around 200kb/sec) and no amount of fiddling with Samba could get it to go fast.
First I tested using my Windows machines to the Samba servers in question and they were very fast, as you'd expect; the Apple just wasn't fast at all. Today, when I got to work for the first time in ages, I noticed that accessing my RedHat Enterprise Samba server is fast, so tonight I upgraded my Samba servers at home to version 3 and that fixed it.
So if your OS X is performing slowly to Samba servers, make sure you are on the 3 branch of Samba.
UPDATE: After this I was still having some issues, especially with very slow read performance.
I came across this post on macosxhints and figured I'd give it a try; sorted, reading and writing is much faster now.


ipfw tables

FreeBSD has recently added a method for storing a large number of CIDR prefixes in a lookup table that can then be matched by a single rule.
I use these in my country blocking to optimise things a bit.
Previously I put a large block of ipfw denies very early in my rule set and just blocked it all for everything. This was not optimal since for some IPs I'd like to keep certain ports open, like port 80. I did not want to have per-host block lists since that would mean hosts x 3000 rules. Lookup tables are the answer.
My current setup goes more or less like this:

  • General counter rules per jail
  • Denies on frequently scanned ports like 1433 – without logging
  • Blocks of rules per host – allow TCP, allow UDP, deny TCP, deny UDP, deny ICMP

I am now amending the per-host block by adding a single rule above the deny rules that kills off all the traffic from the dodgy countries, without logging it; then I have denies with logging. This keeps my logs reasonably empty of IPFW DENY log entries so I can monitor them easily.
I first create the table; each table is numbered and I just chose 1 for mine.

ipfw -q table 1 add 220.228.0.0/15
ipfw -q table 1 add 220.232.64.0/18
ipfw -q table 1 add 220.232.128.0/17

I then simply have to add a single rule for each host, which in effect is the equivalent of duplicating all 3000 rules I previously had on a per-host basis. Now I can have my port 80s etc. open and still kill off the dodgy traffic without polluting my logs. Perfect.
A sample table rule:

ipfw add 21999 set 15 deny ip from "table(1)" to 1.2.3.4

The quotes around table(1) are very important since the shell you run the command under may make a mess of the parentheses. You could alternatively escape them, for example table\(1\).
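Typing thousands of table entries by hand is not practical, so as an added example (my code, not from the post) here is a small Python script that turns a block list into the table load described above. It validates every prefix so a corrupted list fails loudly instead of silently shrinking the table, aggregates overlapping and adjacent prefixes so the table holds the minimum number of entries, flushes the table before reloading so stale entries from an older list disappear, and emits the per-host rule with table(1) quoted. The file format (one prefix per line, # comments), the flush-before-load behaviour and the sample list are my assumptions; the script only produces the ipfw commands, so pipe its output to sh on the FreeBSD box.

```python
"""Generate an ipfw lookup-table load from a CIDR block list.

Added example, not from the original post.  Assumptions: block list is a
text file with one IPv4 prefix per line and '#' comments; the table number,
rule number and rule set are parameters.  Usage on the firewall:
    python3 mktable.py | sh
"""
import ipaddress


def parse_prefixes(text):
    """Return validated IPv4 networks, ignoring comments and blank lines.

    Malformed lines (including prefixes with host bits set) raise rather
    than being skipped, so a corrupted list cannot silently shrink the table."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError as e:
            raise ValueError(f"line {lineno}: bad prefix {line!r}: {e}") from e
        nets.append(net)
    return nets


def aggregate(nets):
    """Collapse overlapping and adjacent prefixes into the fewest entries."""
    return list(ipaddress.collapse_addresses(nets))


def table_load_commands(nets, table=1, flush=True):
    """ipfw commands to (re)populate a lookup table; flush first so entries
    that are no longer in the list are removed."""
    cmds = []
    if flush:
        cmds.append(f"ipfw -q table {table} flush")
    cmds.extend(f"ipfw -q table {table} add {net.with_prefixlen}" for net in nets)
    return cmds


def host_block_rule(host, rule_no, table=1, ruleset=None):
    """The single per-host rule that replaces thousands of individual denies.
    table(N) is quoted so the shell does not interpret the parentheses."""
    set_part = f"set {ruleset} " if ruleset is not None else ""
    return f'ipfw add {rule_no} {set_part}deny ip from "table({table})" to {host}'


# Constructed sample list: the three prefixes from the post plus two that
# aggregate() folds away (one contained, one adjacent; the adjacent pair
# forms 220.232.0.0/17, which then merges with 220.232.128.0/17 into a /16).
SAMPLE_LIST = """
# dodgy countries block list (constructed sample)
220.228.0.0/15
220.229.0.0/16      # already inside 220.228.0.0/15
220.232.64.0/18
220.232.128.0/17
220.232.0.0/18      # adjacent to 220.232.64.0/18
"""

if __name__ == "__main__":
    nets = aggregate(parse_prefixes(SAMPLE_LIST))
    for cmd in table_load_commands(nets):
        print(cmd)
    print(host_block_rule("1.2.3.4", 21999, ruleset=15))
```

With the sample list the five input lines become two table entries, 220.228.0.0/15 and 220.232.0.0/16; on a real country list the saving is usually much larger, and fewer entries means fewer radix-tree nodes for every packet lookup.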
