Iodine

Since I didn’t want to get charged $27.50 for 100MB of data on ReiverNet at the Oaks Auroa hotel (amazing place), I looked for some ways around the system. Before leaving I read up about ICMPTX (IP over ICMP, i.e. ping packets) and NSTX (IP over DNS). ICMP didn’t seem to work, but hostnames were resolvable, so I did some more reading on NSTX.

Turns out that some software called iodine has taken over the role of NSTX. I was able to convince another user to compile iodine for Snow Leopard because I forgot to install xtools before I left, and followed this tutorial on installing on FreeBSD and this. In no time I had free internet at the cost of their name server. If they charged a decent rate, I wouldn’t have worried.

The tunnel is OK for low-bandwidth uses like HTML, but other content slows the pipe down quickly.

Find which ports are unused over a period of time.

Below is a simple bash script which uses snmpwalk to find out which ports on a Cisco switch (it should work on others as well) aren’t being used over a period of time. It works by checking whether each port is up or down; if it’s up, the port is removed from the list of candidate ports. For best results, run the script from a crontab every 5 to 15 minutes, then come back in a few weeks to see which ports were never active.

#!/bin/bash
# Poll a list of switches over SNMP and drop every interface that is seen
# "up" from its index file. Whatever is left after a few weeks of cron runs
# has never been up during that time.
date
WORKDIR=/root/
COMMUNITY=snmpass                   # read-only SNMP community string
IPs=( 10.0.0.1 10.0.0.2 )           # IP addresses separated by spaces

for IP in "${IPs[@]}"               # Loop through the list of IPs
do
        INDEX="$WORKDIR$IP.index"
        if [ ! -f "$INDEX" ]        # If the ip.index file doesn't exist yet, create it
        then
                # Walk ifDescr to get the interface indexes and names, so
                # they are easy to find on the switch later
                snmpwalk -v1 -c "$COMMUNITY" "$IP" 1.3.6.1.2.1.2.2.1.2 > "$INDEX"
        fi
        # Get the list of interface indexes from the index file
        INTERFACES=$(sed -e 's/IF-MIB::ifDescr\.//' -e 's/ = STRING.*//' "$INDEX")

        for INTERFACE in $INTERFACES    # Loop through each interface index
        do
                # Walk ifOperStatus for this index and strip the output down
                # to the state name (up, down, ...)
                STATE=$(snmpwalk -v1 -c "$COMMUNITY" "$IP" 1.3.6.1.2.1.2.2.1.8."$INTERFACE" | \
                        sed -e 's/IF-MIB::ifOperStatus\.[0-9]* = INTEGER: //' -e 's/([0-9]*)//')
                if [ "$STATE" == "up" ]
                then
                        echo "Success $IP / $INTERFACE is UP - Removing from list"
                        # We need a temp file since we can't read and write the
                        # same file in one pipe
                        mv "$INDEX" "$INDEX.tmp"
                        # Delete exactly this interface's line (anchored on the
                        # full index, so removing 1 doesn't also hit 10, 11, ...)
                        sed "/^IF-MIB::ifDescr\.$INTERFACE = /d" "$INDEX.tmp" > "$INDEX"
                        rm "$INDEX.tmp"     # remove the temp index file
                fi
        done
done

# Quick clean up in case we left some temp files behind. Usually there are
# none, so the error from rm is silenced.
rm "$WORKDIR"*.index.tmp >/dev/null 2>&1
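The same pruning logic, written as an added Python example rather than the post's own script. It parses snmpwalk output for ifDescr and ifOperStatus (the two OIDs the script walks), keys everything on the exact ifIndex so index 1 can never be confused with 10 or 11, and applies each polling pass to the candidate list. The snmpwalk output below is constructed sample text, and the switch addresses and interface names in it are made up.

```python
"""Added example (not the post's script): parse snmpwalk output to
track which switch ports have never been seen 'up' across polls."""
import re
import subprocess

# Constructed sample output in the form snmpwalk -v1 prints for
# IF-MIB::ifDescr (1.3.6.1.2.1.2.2.1.2) and ifOperStatus (1.3.6.1.2.1.2.2.1.8).
SAMPLE_IFDESCR = """\
IF-MIB::ifDescr.1 = STRING: FastEthernet0/1
IF-MIB::ifDescr.2 = STRING: FastEthernet0/2
IF-MIB::ifDescr.10 = STRING: FastEthernet0/10
IF-MIB::ifDescr.11 = STRING: GigabitEthernet0/1
"""
SAMPLE_STATUS_RUN1 = """\
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.10 = INTEGER: down(2)
IF-MIB::ifOperStatus.11 = INTEGER: down(2)
"""
SAMPLE_STATUS_RUN2 = """\
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.10 = INTEGER: up(1)
IF-MIB::ifOperStatus.11 = INTEGER: down(2)
"""

DESCR_RE = re.compile(r"^IF-MIB::ifDescr\.(\d+) = STRING: (.*)$")
STATUS_RE = re.compile(r"^IF-MIB::ifOperStatus\.(\d+) = INTEGER: (\w+)\(\d+\)$")


def snmpwalk_text(ip, community, oid):
    """Run the real snmpwalk (hypothetical helper; needs net-snmp installed)."""
    return subprocess.run(["snmpwalk", "-v1", "-c", community, ip, oid],
                          capture_output=True, text=True, check=True).stdout


def parse_ifdescr(text):
    """Map ifIndex (as a string) -> interface name."""
    out = {}
    for line in text.splitlines():
        m = DESCR_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_ifoperstatus(text):
    """Map ifIndex -> state name ('up', 'down', 'notPresent', ...)."""
    out = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def prune_candidates(candidates, status_text):
    """One polling pass: drop every interface that is up right now.
    `candidates` is the dict left over from previous passes (the index file)."""
    status = parse_ifoperstatus(status_text)
    return {idx: name for idx, name in candidates.items()
            if status.get(idx) != "up"}


def unused_after_runs(ifdescr_text, status_runs):
    """Start from the full interface list and apply every poll in order.
    What survives was never up during the observation window."""
    candidates = parse_ifdescr(ifdescr_text)
    for run in status_runs:
        candidates = prune_candidates(candidates, run)
    return candidates


if __name__ == "__main__":
    left = unused_after_runs(SAMPLE_IFDESCR, [SAMPLE_STATUS_RUN1, SAMPLE_STATUS_RUN2])
    for idx, name in sorted(left.items(), key=lambda kv: int(kv[0])):
        print(f"never up: ifIndex {idx} ({name})")
```

On a real switch you would feed `snmpwalk_text()` output into `parse_ifdescr()` once and into `prune_candidates()` on every cron run, persisting the surviving dict between runs the way the script persists its index file.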

Australian IPv6 Tunnel Broker

Redhatter from ##australia on Freenode was kind enough to walk me through the steps of setting up an AARNet IPv6 tunnel for my Linux router. I have been using the Hurricane Electric tunnel service for a while, and have been quite pleased with its speed. Basically all you have to do to set this up on Linux is head over to http://broker.aarnet.net.au/, make an account and register for a tunnel (it might throw an error about not being able to create a tunnel, just ignore this…

Prefix publishing interface is the interface you will be creating for IPv6. I set mine to sit0.
Local endpoint IPv4 address is your global (public) IP.
Local endpoint tunnel interface is the interface you use to connect to the internet. I used ppp0.

Download gw6c, compile and install it. Also make sure your kernel has all the right options; those are listed in the gw6c documentation.

Below is my configuration. The values specific to my setup (user, password, interfaces and IP address) will need to be changed.

userid=mwheeler
passwd=password
server=broker.aarnet.net.au
auth_method=any
host_type=router
prefixlen=56
if_prefix=vlan2 # This is the interface you will be sharing your IPv6 prefix on, e.g. eth1
dns_server=ns1.theskorm.net:ns2.theskorm.net
gw6_dir=/opt/ #This has to be where you installed the gw6c client.
auto_retry_connect=yes
retry_delay=30
retry_delay_max=300
keepalive=yes
keepalive_interval=30
tunnel_mode=v6anyv4
if_tunnel_v6v4=sit1
if_tunnel_v6udpv4=tun
if_tunnel_v4v6=sit0
client_v4=218.214.124.179 #The same IP you put in when you registered for the tunnel
client_v6=auto
template=linux
proxy_client=no
broker_list=tsp-broker-list.txt
last_server=tsp-last-server.txt
always_use_same_server=no
log_console=0
log_stderr=0
log_file=0
log_syslog=2
log_filename=gw6c.log
log_rotation_size=32
log_rotation_delete=no
syslog_facility=USER

Make sure you read through the config and understand it. The sample config shipped with gw6c has comments for most options.

Once you have it configured, you can start the client. It shouldn’t print anything and will sit in the background. Have a look at ifconfig to see whether an interface was created, and check netstat -r. If that all looks good, try ping6 www.kame.net or ipv6.google.com. You should now have IPv6. Now try your other computers: see if they got a proper address and whether they can ping.

If you have any problems (I didn’t :) ) check the logs, or maybe try out Wireshark.

Cisco Switch IOS SSH and Line Logging

Cisco log messages can be annoying when you are working on a switch that logs ACL hits, so something I’ve found quite useful is editing the line configuration so that the command you are typing on the switch is re-printed below the log message.

It’s pretty simple to use; all you need to do is this, in “configure terminal”:

line con 0
logging synchronous
line vty 0 4
logging synchronous
line vty 5 15
logging synchronous

Another handy tip is enabling SSH. SSH is secure, unlike telnet, meaning passwords or other important information can’t be read if an attacker is able to capture packets.

SSH is fairly easy to enable: first make sure you have a username configured (or RADIUS), enable the ssh transport under the lines, set a domain-name and then generate some keys.

line vty 0 15
login local
transport input telnet ssh
!
username admin password god
ip domain-name internaluse.net
! out of config mode run
crypto key generate rsa

Make sure you enter 1024 for the RSA key size, otherwise most SSH clients will turn you down.
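To check a running-config for the points this section raises, here is an added Python example (not from the post, not a Cisco tool). It parses an IOS config into sections and flags three things a reviewer would look for on the snippet above: a `username ... password` line (stored reversibly, where `secret` stores a hash), a vty `transport input` that still lists telnet next to ssh, and the absence of `ip ssh version 2`, which pins the switch to SSHv2. The two configs embedded below are constructed samples; the `secret` value in the hardened one is a placeholder, not a real hash.

```python
"""Added example, not from the post: a small lint pass over an IOS
line/user config for the points raised in this section."""
import re

# Constructed sample: the post's snippet as 'show running-config' prints it
# (lines under 'line vty' are indented one space).
SAMPLE_CONFIG = """\
ip domain-name internaluse.net
username admin password god
!
line con 0
 logging synchronous
line vty 0 15
 login local
 transport input telnet ssh
 logging synchronous
"""

# The same config hardened. The secret is a placeholder, not a real hash.
HARDENED_CONFIG = """\
ip domain-name internaluse.net
ip ssh version 2
username admin secret PLACEHOLDER-change-me
!
line vty 0 15
 login local
 transport input ssh
 logging synchronous
"""


def parse_sections(config):
    """Group a running-config into (header, [indented sub-lines]) pairs."""
    sections = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and '!' separators
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def check_config(config):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    # Without 'ip ssh version 2' the switch may still negotiate SSHv1.
    if "ip ssh version 2" not in headers:
        findings.append("ssh: 'ip ssh version 2' not set")
    for header, body in sections:
        toks = header.split()
        # 'username X password Y' is stored reversibly (type 0 or 7);
        # 'username X secret Y' is stored as a one-way hash.
        if toks[:1] == ["username"] and "password" in toks:
            findings.append(f"user {toks[1]}: uses 'password', prefer 'secret'")
        if header.startswith("line vty"):
            for line in body:
                m = re.match(r"transport input (.+)", line)
                if m:
                    allowed = m.group(1).split()
                    if "telnet" in allowed or "all" in allowed:
                        findings.append(f"{header}: telnet still allowed ('{line}')")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_config(cfg) or "OK")
```

Feed it the text of `show running-config` to run it against a real switch; the parser only relies on IOS indenting sub-commands by one space under their parent line.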

TCP, UDP and their place in the world…

When setting up servers and services I used to wonder why people would use UDP. It’s annoying to set up and test with firewalls; however, lately while doing my CCNA study I have learned the important uses of UDP and TCP.

TCP has lots of features, like error recovery and acknowledgement, which UDP doesn’t support. Both use “ports” and both have error detection. So why use UDP?

I’ve linked to a flickr scan of a TCP header. As you can see, a TCP header is 20 Bytes long without its payload, whereas a UDP header is only 8 Bits long. UDP already has the advantage of being smaller, but what really makes UDP useful is its lack of error recovery.

In services like VoIP, video conferencing and gaming, by the time TCP has detected an error, sent a request for the missing packet and continued on its way, it has already interrupted the call, making TCP a bad choice. Since UDP doesn’t do error recovery, it doesn’t matter if a packet was lost or damaged: UDP won’t request (or check for) the missing packet and will continue on its merry way, keeping the call at low latency.
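An added example (not from the post) that makes the two header sizes and the “both have error detection” point concrete: it builds a UDP header and a TCP header with `struct`, so the lengths come out of the packing formats (8 bytes for UDP, 20 bytes for a TCP header without options), computes the Internet checksum that both protocols carry over an IPv4 pseudo-header, and shows the receiver-side check failing after a single bit of the payload is flipped. The addresses, ports and payload are constructed values.

```python
"""Added example, not from the post: UDP and TCP headers built with struct,
with the Internet checksum both carry, and a receiver-side check."""
import struct

UDP_PROTO, TCP_PROTO = 17, 6
UDP_HEADER_LEN, TCP_HEADER_LEN = 8, 20


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd lengths
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: bytes, dst_ip: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that both the UDP and TCP checksums cover."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, proto, length)


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """8-byte header: source port, dest port, length, checksum."""
    length = UDP_HEADER_LEN + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, UDP_PROTO, length) + header + payload)
    if csum == 0:                            # 0 means "no checksum" in UDP over IPv4
        csum = 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload: bytes) -> bytes:
    """20-byte header (no options): ports, seq, ack, offset/flags, window, checksum, urgent."""
    data_offset = TCP_HEADER_LEN // 4        # header length in 32-bit words
    fmt = "!HHIIBBHHH"
    header = struct.pack(fmt, sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    tcp_len = len(header) + len(payload)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, TCP_PROTO, tcp_len) + header + payload)
    header = struct.pack(fmt, sport, dport, seq, ack, data_offset << 4, flags, window, csum, 0)
    return header + payload


def checksum_ok(src_ip, dst_ip, proto, segment: bytes) -> bool:
    """Receiver side: summing the segment with its checksum in place must give 0."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + segment) == 0


def demo():
    """Build one UDP datagram and one TCP SYN on constructed addresses."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"\x80" * 12 + b"voice-sample"            # constructed RTP-like payload
    datagram = build_udp(src, dst, 16384, 16384, payload)
    syn = build_tcp(src, dst, 40000, 5060, 1000, 0, 0x02, 65535, b"")  # 0x02 = SYN
    damaged = bytearray(datagram)
    damaged[-1] ^= 0x01                                   # one payload bit flipped in transit
    return {
        "udp_header_len": len(datagram) - len(payload),
        "tcp_header_len": len(syn),
        "udp_ok": checksum_ok(src, dst, UDP_PROTO, datagram),
        "udp_damaged_ok": checksum_ok(src, dst, UDP_PROTO, bytes(damaged)),
        "tcp_ok": checksum_ok(src, dst, TCP_PROTO, syn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The checksum is what “error detection” means for both protocols: a damaged UDP datagram is simply discarded, and the application (say, a VoIP codec) conceals the gap, while TCP would additionally trigger retransmission. Note the UDP checksum is optional over IPv4 (a zero field means it was not computed) but mandatory over IPv6.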

Ps. Now that I have gotten half way through the first Cisco CCNA book I might share a few other network tips, tricks or info.

QOS

When configured correctly in a network, QOS can be a wonderful thing. The ability to prioritize network traffic by its importance is crucial in most places that use VoIP systems, to ensure that normal network traffic doesn’t kill off telephone calls. QOS can be either difficult or simple to configure depending on what systems you use, and it is used in industry around the world.

With VoIP moving to home users, problems now occur with keeping calls going while other users in the home are downloading or the like. Newer modems support QOS but still suffer from a simple flaw which limits its usefulness: these modems can only apply QOS to outgoing packets (uploads) and not incoming ones, because that QOS would need to be done on the ISP’s switches/routers. This flaw means that if someone packet floods your connection, QOS won’t be able to help your VoIP system.

There isn’t really a simple fix to this, however it would be nice if ISPs had a configuration page or the like to allow you to make simple QOS rules. Some people will want QOS on VoIP IPs/ports and others will want it on other services.

Ekiga

Last week I have been messing around with Ekiga 2.8 (or something), calling and video calling people. It was loads of fun and it ran well. The interface however was lacking awesomeness for its day, and I was really surprised to see a wicked looking GUI on the Ekiga website. This is where my adventure began.

I first tried the released beta, and after figuring out how to compile it (which was clearly stated on the wiki, however the documentation included within the package said the opposite) I attempted to compile, which failed. I then tried the latest snapshots, which also failed. I ended up getting a combination of the 15th and 17th snapshots compiled, however it would segfault straight away. I also found out the hard way that their configuration scripts are dumb, that all previous signs of old libraries must be burnt in a fire, and that make clean doesn’t actually work.

I then got some other snapshots to compile, although video support would not work, and it was only today when they released the 3.0.1 beta was I able to get video support working.

I’ve included a screenshot of me talking to Hamzah, although his cam wasn’t included in the screenshot due to SDL (from what I gather). Ekiga 3.0.1 seems more stable and nice to use, and feels more Skype-like. It also ties into libnotify or libsexy (I can’t remember which is which) and does a good job when people are calling you.

Really really nice, and for all of you wondering, my SIP address is sip:TheSkorm@ekiga.net . ekiga.net provides the best steaks in town, erm, I mean they provide the best STUN service around.

I'm Pretty Sure I'm Unauthorized

zzap has posted a very in-depth article on why the proposed internet censorship sucks. I agree with zzap’s post completely, and here are my issues and thoughts with the internet filtering.

ISPs should provide filtering by law to all customers; however, it should be opt-in, not opt-out. Filtering customers destroys privacy, impacts security and speed, and doesn’t work.

Filtering cannot stop porn sites from being accessed, and filtering can also trigger false positives.

Filtering provides another place for man-in-the-middle attacks, allowing hackers to learn where you go, and your passwords and usernames, by sniffing.

Filtering doesn’t work over encrypted connections, making it even more useless.

Filtering all of Australia’s internet, which is already horribly slow, will make it even slower. This is no way to create a “world class broadband network”.

I love my ISP at the moment, because I know that my data gets from one place to another without being Fold, Bended, Mutilated or Spindled. Packets get from one place to another without going through http proxies or the like.

I can see this ISP level filtering masking my IP and most likely will cause problems with shared sites, that block by IP.

I would like to apologise for this shittyness of this post. It’s taken me 30 minutes to write this, and I can’t seem to stay focused.

This also goes against the ideas of the Internet. It wasn’t designed to be destroyed like this.

National Broadband Network

“As a key element of its plan for the future, the Australian Government has committed to provide up to $4.7 billion and to consider necessary regulatory changes to facilitate the roll-out of a new open access, high-speed, fibre-based broadband network, providing downlink speeds of at least 12 megabits per second to 98 per cent of Australian homes and businesses.”

I’m all for Australia having a good broadband network, but I have two problems at the moment: who will own this network, and what about international links?

At the moment I can see Telstra being paid by the government to set up this network, and being given the rights to charge huge amounts of cash for other companies to use it. It’s currently $80 for 25GB on 1.5MBit, which to me seems way too much money, considering the internet isn’t owned or run by them. They are making profit out of others’ work, correct? (And for your information it costs $150 a gigabyte after you go over your limit.)

It’s all great giving every household a 12mbit downlink, until you realize that every household with 12mbit will wanna access and download from places offshore. Currently we struggle to provide internet over these links as it is, and giving people more bandwidth to use than you actually have is just bad practice.

There have been many cases where a single fibre break offshore has caused our whole national network to run at 5kbs, with epic lag. This problem needs to be fixed.

That is all.