Author Topic: Ubuntu 8.04  (Read 27679 times)

admin

  • Administrator
  • Hero Member
  • *****
  • Posts: 3820
Ubuntu 8.04
« on: 26 May 2008, 07:19:39 »

After trying out Ubuntu 8.04 Server:

It detects the LAN card on the P5GC board without installing an additional driver.
cacti installed without errors, and the bug with the guest user has been fixed.

Many bugs have been fixed, and the kernel has gained more capabilities.

Example

It can detect a Gigabit LAN card without installing an additional driver.
« Last edit: 29 May 2008, 11:36:35 by admin »

admin

Re: Ubuntu 8.04
« Reply #1 on: 29 May 2008, 11:09:19 »


Installing software for an internet café server

During installation, select DNS, LAMP, OpenSSH, and Samba.

Once installed, download the additional packages needed:

apt-get install build-essential
apt-get source linux-source-2.6.24

apt-get install squid
apt-get install frox
apt-get install dhcp3-server
apt-get install snmpd
apt-get install cacti
apt-get install no-ip
apt-get install netstat-nat
apt-get install traceroute
apt-get install whois

As for webmin, the .deb has to be downloaded from

http://jaist.dl.sourceforge.net/sourceforge/webadmin/webmin_1.420_all.deb

(The latest at this time, 29/05/2551, is version 1.420)
« Last edit: 29 May 2008, 11:29:46 by admin »

admin

Re: Ubuntu 8.04
« Reply #2 on: 10 June 2008, 19:19:08 »
Updated kernel 2.6.24 to 2.6.24, adding pom from Netfilter in order to do Multi-WAN and block bit.

iptables features added with pom

Ref: http://www.netfilter.org/projects/patch-o-matic/pom-external.html

patch-o-matic external repository
ACCOUNT IPMARK condition connlimit geoip ipp2p pknock time

ACCOUNT
Author: Intra2net AG <opensource@intra2net.com> 
Status: Stable


This patch adds the ACCOUNT target

The ACCOUNT target is a high performance accounting system for local networks.
It takes two parameters: --addr network/netmask and --tname NAME.

--addr is the subnet which is accounted for
--tname is the table name where the information is stored

The data can be queried later using the libipt_ACCOUNT userspace library
or by the "iptaccount" tool which is part of the libipt_ACCOUNT package.

A special subnet is "0.0.0.0/0": All data is stored in the src_bytes
and src_packets structure of slot "0". This is useful if you want
to account the overall traffic to/from your internet provider.

For more information go to http://www.intra2net.com/de/produkte/opensource/ipt_account/




IPMARK - iptables IPMARK target
Author: Grzegorz Janoszka <Grzegorz@Janoszka.pl> 
Status: Stable


  This option adds a `IPMARK' target, which allows you to mark
  a received packet basing on its IP address. This can replace even
  thousands of mangle/mark or tc entries with only one.

  This target is to be used inside the mangle table, in the PREROUTING,
  POSTROUTING or FORWARD hooks.

  IPMARK target options:
    --addr src/dst      Use source or destination IP address.
    --and-mask mask     Perform bitwise `and' on the IP address and this mask.
    --or-mask mask      Perform bitwise `or' on the IP address and this mask.

  The order of IP address bytes is reversed to meet "human order of bytes":
  192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
  `or'.

  Examples:

  We create a queue for each user, the queue number is adequate
  to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
  are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.


  Earlier we had thousands of tc filter rules:
  tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.2 flowid 1:502
  tc filter add dev eth3 parent 1:0 prio 10 u32 match ip dst 192.168.5.3 flowid 1:503
  ...
  or thousands of MARK rules (with tc fw classifier):
  iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK \
    --set-mark 0x10502
  iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK \
    --set-mark 0x10503
  ...

  Using IPMARK target we can replace all the mangle/mark rules with ONLY ONE:
  iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst \
    --and-mask=0xffff --or-mask=0x10000
  and all previous tc filter classifier rules with ONLY ONE:
  tc filter add dev eth3 parent 1:0 protocol ip fw


  On the routers with hundreds of users there should be significant load
  decrease (e.g. twice).




condition
Author: Stephane Ouellette <ouellettes@videotron.ca> and Massimiliano Hofer <max@nucleus.it> 
Status: ItWorksForMe(tm)


This option allows you to match firewall rules against condition variables
stored in the /proc/net/ipt_condition directory. Multiple rules can match on a
single condition variable.

Example:
iptables -A INPUT -p tcp -m condition --condition web_ok --dport 80 -j ACCEPT

To allow this rule to match:
echo 1 > /proc/net/nf_condition/web_ok

To disable this rule:
echo 0 > /proc/net/nf_condition/web_ok

NB: it was /proc/net/ipt_condition on 2.4.





connlimit - iptables connlimit match
Author: Gerd Knorr <kraxel@bytesex.org> 
Status: ItWorksForMe[tm]


This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
   --connlimit-mask 24 -j REJECT




geoip - iptables geoip match
Author: Samuel Jean <peejix@people.netfilter.org>; Nicolas Bouliane <acidfu@people.netfilter.org> 
Status: Stable


This patch makes it possible to match a packet
by its source or destination country.

GeoIP options:
        [!]   --src-cc, --source-country country[,country,country,...]

                        Match packet coming from (one of)
                        the specified country(ies)


        [!]   --dst-cc, --destination-country country[,country,country,...]
                                             
                        Match packet going to (one of)
                        the specified country(ies)

           NOTE: The country is inputted by its ISO3166 code.

The only extra files you need are a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.




ipp2p - Detects some P2P packets
Author: Eicke Friedrich <ipp2p@ipp2p.org> 
Status: Stable


This option makes it possible to match some P2P packets
and therefore helps control such traffic. Dropping all
matches prohibits P2P networks. Combined with conntrack,
CONNMARK and a packet scheduler it can be used for
accounting or shaping of P2P traffic.

Examples:
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP




pknock - netfilter match for Port Knocking and SPA
Author: J. Federico Hernandez Scarso <fede.hernandez@gmail.com>; Luis A. Floreani <luis.floreani@gmail.com> 
Status: Stable


This patch allows you to implement Port Knocking and SPA (Simple Packet
Authentication) in kernel space.

pknock options:

   --knockports port[,port,port,...]   Matches destination port(s).
   --time seconds
   --t seconds            Time between port match.
   --opensecret [secret]         hmac must be in the packets.
   --closesecret [secret]
   --strict            Knocks sequence must be exact.
   --name [rule_name]         Rule name.
   --checkip            Matches if the source ip is in the list.
   --chkip


Example:

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW             \
   -m pknock --knockports 3000,2000,5000 --time 10 --name SSH    \
   -m tcp --dport 22 -j ACCEPT

For more information go to http://portknocko.berlios.de/




time - iptables ``time'' match
Author: Fabrice MARIE <fabrice@netfilter.org> 
Status: Works within its limitations


This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).

Supported options are:
[ --timestart value ]
    Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).

[ --timestop  value ]
    Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).

[ --days listofdays ]
    Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)

[ --datestart date ]
    Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    h,m,s start from 0 ; default to 1970)

[ --datestop date ]
    Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
    h,m,s start from 0 ; default to 2037)

Example:
  -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
  will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
  to Friday.

  -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon --datestop 2010
  will match the packets (locally generated) that have a departure timestamp
  in the range 8:00->18:00 on Monday only, until 2010

NOTE: the time match does not track changes in daylight savings time
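The IPMARK arithmetic quoted in the post above (address in "human" byte order, `and` first, then `or`), worked through as an added example that is not part of the original post or of the netfilter project. The function names and the sample addresses are assumptions made for illustration; the check for colliding marks goes beyond the quoted text and shows when two users would land in the same queue.

```python
import ipaddress
from collections import defaultdict


def ipmark(ip, and_mask, or_mask):
    """Mark computed as the quoted IPMARK text describes: the address as a
    32-bit number (192.168.0.1 -> 0xc0a80001), AND first, then OR."""
    return (int(ipaddress.IPv4Address(ip)) & and_mask) | or_mask


def fw_classid(mark):
    """Queue the mark corresponds to in the quoted example (0x10502 -> 1:0502):
    high 16 bits are the major number, low 16 bits the minor, both in hex."""
    return f"{mark >> 16:x}:{mark & 0xffff:04x}"


def colliding_marks(addresses, and_mask, or_mask):
    """Group addresses by resulting mark and return only the marks that more
    than one address maps to (those users would share one queue)."""
    by_mark = defaultdict(list)
    for ip in addresses:
        by_mark[ipmark(ip, and_mask, or_mask)].append(ip)
    return {mark: ips for mark, ips in by_mark.items() if len(ips) > 1}


# Constructed sample addresses; 10.0.5.2 has the same low 16 bits as
# 192.168.5.2, so --and-mask=0xffff cannot tell the two apart.
SAMPLE = ["192.168.5.2", "192.168.5.12", "192.168.6.2", "10.0.5.2"]

if __name__ == "__main__":
    for ip in SAMPLE:
        mark = ipmark(ip, 0xFFFF, 0x10000)
        print(f"{ip:15} mark={mark:#x} class={fw_classid(mark)}")
    for mark, ips in colliding_marks(SAMPLE, 0xFFFF, 0x10000).items():
        print(f"collision on {mark:#x}: {', '.join(ips)}")
```
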
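A simplified model of the connlimit rules quoted in the post above, added here as an example and not taken from the original post or from the netfilter code. The class, the function names and the event list are assumptions; conntrack timeouts are not modelled. It shows what `--connlimit-mask 24` changes: every client in the same /24 shares one connection budget.

```python
import ipaddress


class ConnLimit:
    """Simplified model of `-m connlimit --connlimit-above N --connlimit-mask M`
    in front of `-j REJECT`. Conntrack timeouts are not modelled (assumption)."""

    def __init__(self, above, mask=32):
        self.above = above
        self.mask = mask
        self.open = {}  # masked source network -> set of (src_ip, src_port)

    def _bucket(self, src_ip):
        net = ipaddress.ip_network(f"{src_ip}/{self.mask}", strict=False)
        return self.open.setdefault(net, set())

    def syn(self, src_ip, src_port):
        """Verdict for a new SYN. The new connection is counted together with
        the ones already open, so exactly `above` connections are allowed."""
        conns = self._bucket(src_ip)
        if len(conns) + 1 > self.above:
            return "REJECT"
        conns.add((src_ip, src_port))
        return "ACCEPT"

    def close(self, src_ip, src_port):
        self._bucket(src_ip).discard((src_ip, src_port))


def replay(events, above, mask=32):
    """Run (action, src_ip, src_port) events; return the verdict of each SYN."""
    limiter = ConnLimit(above, mask)
    verdicts = []
    for action, ip, port in events:
        if action == "syn":
            verdicts.append((ip, limiter.syn(ip, port)))
        else:
            limiter.close(ip, port)
    return verdicts


# Constructed events: two clients in 192.168.5.0/24 connecting to one service.
EVENTS = [
    ("syn", "192.168.5.2", 40001),
    ("syn", "192.168.5.2", 40002),
    ("syn", "192.168.5.2", 40003),   # third parallel connection from .2
    ("syn", "192.168.5.12", 40001),  # neighbour in the same /24
    ("close", "192.168.5.2", 40001),
    ("syn", "192.168.5.12", 40002),
]

if __name__ == "__main__":
    print("per host:", replay(EVENTS, above=2))
    print("per /24 :", replay(EVENTS, above=2, mask=24))
```

With the per-host rule only the third connection from 192.168.5.2 is rejected; with the /24 mask the neighbour's first connection is rejected as well, until one of the open connections closes.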