ก่อนอื่นต้องติดตั้ง subversion ก่อน ด้วยคำสั่ง

apt-get install subversion

เสร็จแล้วก็ติดตั้ง Asterisk GUI

svn checkout http://svn.digium.com/svn/asterisk-gui/trunk asterisk-gui

cd asterisk-gui

รัน ./configure

make

make install

ทำการ backup config เดิมก่อน

cp -r /etc/asterisk /etc/asterisk.backup

ทำการสร้าง symbolic link `/usr/share/asterisk/static-http' to `/var/lib/asterisk/static-http/'

แก้ config ไฟล์

manager.conf
http.conf


manager.conf
=======================
[general]
displaysystemname = yes
enabled = yes
webenabled = yes
port = 5038
httptimeout = 60
bindaddr = 0.0.0.0

[administrator]
secret = lriur
read = system,call,log,verbose,command,agent,user,config
write = system,call,log,verbose,command,agent,user,config



http.conf
======================
[general]
enabled=yes
enablestatic=yes
bindaddr=0.0.0.0
bindport=8088



เสร็จแล้วก็ทำการ reload asterisk ด้วยคำสั่ง

asterisk -rx "reload"

ก็จะสามารถเข้าสู่เวป GUI ของ Asterisk ได้

มี Switch อยู่รุ่นนึง ของ Zyxel เป็นรุ่น ES315 (L2 Manage)

มี 5 Port Fast Ethernet 10/100
ถ้านำมาใช้ทำ VLAN ก็ต่อได้ 4 Port สำหรับ LAN Card 1 ใบ

ราคาประมาณ 3,500.-

จะต้องทำการ login root จาก console โดยการกด Alt+F2 หรือ F3 จะสามารถเข้าสู่ mode command line ได้ครับ

หรือไม่ก็สามารถใช้โปรแกรม ssh เช่น putty , SecureCRT เป็นต้น ในการเข้า mode command line

จะสามารถใช้คำสั่ง iptables ได้ครับ

วิธีการแก้ไข โดยไม่ต้อง ลบ Cache คือ

1. ให้เพิ่ม ไฟล์เข้าไปใน acl QUERY โดยใส่ startgame\/ucg เพิ่มเข้าไป

2. ทำการ stop squid

3. ใช้คำสั่ง squid -z เพื่อ rebuild cache ใหม่

4. ทำการ start squid

ทำตามนี้ก็สามารถแก้ไข cache เพื่อไม่ให้เก็บไฟล์ของ Patch ของ DotA โดยไม่ต้องลบ Cache ทั้งหมด

ด้วยคำสั่ง hdparm -Tt /dev/hda

ยกตัวอย่างเช่น

root@Ubuntu:~# hdparm -Tt /dev/sda

/dev/sda:
 Timing cached reads:   7710 MB in  2.00 seconds = 3858.62 MB/sec
 Timing buffered disk reads:  208 MB in  3.06 seconds =  67.93 MB/sec
root@Ubuntu:~#

ผลลัพธ์จากการทดสอบ HDD SATA รุ่น

SCSI Devices - ATA ST3320620NS (Direct-Access)
 

รวมได้หมดครับ ไม่ขึ้นกับ ISP

update Kernel 2.6.24 เป็น 2.6.24 เพิ่ม pom จาก Netfilter เข้าไป เพื่อทำ Multi-WAN และ Block bit

คุณสมบัติของ iptables ที่เพิ่มเข้ามา กับตัว pom

Reff http://www.netfilter.org/projects/patch-o-matic/pom-external.html

patch-o-matic external repository
ACCOUNT IPMARK condition connlimit geoip ipp2p pknock time

ACCOUNT
Author: Intra2net AG <opensource@intra2net.com> 
Status: Stable


This patch adds the ACCOUNT target

The ACCOUNT target is a high performance accounting system for local networks.
It takes two parameters: --addr network/netmask and --tname NAME.

--addr is the subnet which is accounted for
--tname is the table name where the information is stored

The data can be queried later using the libipt_ACCOUNT userspace library
or by the "iptaccount" tool which is part of the libipt_ACCOUNT package.

A special subnet is "0.0.0.0/0": All data is stored in the src_bytes
and src_packets structure of slot "0". This is useful if you want
to account the overall traffic to/from your internet provider.

For more information go to http://www.intra2net.com/de/produkte/opensource/ipt_account/




IPMARK - iptables IPMARK target
Author: Grzegorz Janoszka <Grzegorz@Janoszka.pl> 
Status: Stable


  This option adds a `IPMARK' target, which allows you to mark
  a received packet basing on its IP address. This can replace even
  thousands of mangle/mark or tc entries with only one.

  This target is to be used inside the mangle table, in the PREROUTING,
  POSTROUTING or FORWARD hooks.

  IPMARK target options:
    --addr src/dst      Use source or destination IP address.
    --and-mask mask     Perform bitwise `and' on the IP address and this mask.
    --or-mask mask      Perform bitwise `or' on the IP address and this mask.

  The order of IP address bytes is reversed to meet "human order of bytes":
  192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
  `or'.

  Examples:

  We create a queue for each user, the queue number is adequate
  to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
  are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.


  Earlier we had thousands of tc filter rules:
  tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.2 flowid 1:502
  tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.3 flowid 1:503
  ...
  or thousands of MARK rules (with tc fw classifier):
  iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
    --set-mark 0x10502
  iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
    --set-mark 0x10503
  ...

  Using IPMARK target we can replace all the mangle/mark rules with ONLY ONE:
  iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
    --and-mask=0xffff --or-mask=0x10000
  and all previous tc filter classifier rules with ONLY ONE:
  tc filter add dev eth3 parent 1:0 protocol ip fw


  On the routers with hundreds of users there should be significant load
  decrease (e.g. twice).




condition
Author: Stephane Ouellette <ouellettes@videotron.ca> and Massimiliano Hofer <max@nucleus.it> 
Status: ItWorksForMe(tm)


This option allows you to match firewall rules against condition variables
stored in the /proc/net/ipt_condition directory. Multiple rules can match on a
single condition variable.

Example:
iptables -A INPUT -p tcp -m condition --condition web_ok --dport 80 -j ACCEPT

To allow this rule to match:
echo 1 > /proc/net/nf_condition/web_ok

To disable this rule:
echo 0 > /proc/net/nf_condition/web_ok

NB: it was /proc/net/ipt_condition on 2.4.





connlimit - iptables connlimit match
Author: Gerd Knorr <kraxel@bytesex.org> 
Status: ItWorksForMe[tm]


This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
   --connlimit-mask 24 -j REJECT




geoip - iptables geoip match
Author: Samuel Jean <peejix@people.netfilter.org>; Nicolas Bouliane <acidfu@people.netfilter.org> 
Status: Stable


This patch makes possible to match a packet
by its source or destination country.

GeoIP options:
        [!]   --src-cc, --source-country country[,country,country,...]

                        Match packet coming from (one of)
                        the specified country(ies)


        [!]   --dst-cc, --destination-country country[,country,country,...]
                                             
                        Match packet going to (one of)
                        the specified country(ies)

           NOTE: The country is inputed by its ISO3166 code.

The only extra files you need is a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.




ipp2p - Detects some P2P packets
Author: Eicke Friedrich <ipp2p@ipp2p.org> 
Status: Stable


This option makes possible to match some P2P packets
therefore helps controlling such traffic. Dropping all
matches prohibits P2P networks. Combined with conntrack,
CONNMARK and a packet scheduler it can be used for
accounting or shaping of P2P traffic.

Examples:
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP




pknock - netfilter match for Port Knocking and SPA
Author: J. Federico Hernandez Scarso <fede.hernandez@gmail.com>; Luis A. Floreani <luis.floreani@gmail.com> 
Status: Stable


This patch allows you to implement Port Knocking and SPA (Simple Packet
Authentication) in kernel space.

pknock options:

   --knockports port[,port,port,...]   Matches destination port(s).
   --time seconds
   --t seconds            Time between port match.
   --opensecret [secret]         hmac must be in the packets.
   --closesecret [secret]
   --strict            Knocks sequence must be exact.
   --name [rule_name]         Rule name.
   --checkip            Matches if the source ip is in the list.
   --chkip


Example:

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW             \
   -m pknock --knockports 3000,2000,5000 --time 10 --name SSH    \
   -m tcp --dport 22 -j ACCEPT

For more information go to http://portknocko.berlios.de/




time - iptables ``time'' match
Author: Fabrice MARIE <fabrice@netfilter.org> 
Status: Works within it's limitations


This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).

Supported options are:
[ --timestart value ]
    Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).

[ --timestop  value ]
    Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).

[ --days listofdays ]
    Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)

[ --datestart date ]
    Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    h,m,s start from 0 ; default to 1970)

[ --datestop date ]
    Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    h,m,s start from 0 ; default to 2037)

Example:
  -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
  will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
  to Friday.

  -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
  will match the packets (locally generated) that have a departure timestamp
  in the range 8:00->18:00 on Monday only, until 2010

NOTE: the time match does not track changes in daylight savings time