http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2054008
NZ Tik
My day-job notes
25 July 2014
12 March 2014
Setup net-snmp on Ubuntu 12.04
This is the bare minimum needed to set up SNMP on Ubuntu so that Cacti or a similar tool can monitor the host.
apt-get update
apt-get install snmpd snmp-mibs-downloader
snmpconf
- Choose /etc/snmp/snmpd.conf
- Choose snmpd.conf
- Choose 3 for 'Access Control'
- Choose 3 for RO community
- Type community name
- Press enter to accept any source host, or type the allowed network/host
- Press enter to allow all OID
mv snmpd.conf /etc/snmp/
service snmpd restart
19 February 2014
IPTables example
Allow tcp port 80 from source network 192.168.1.0/24
iptables -A INPUT -i 10 -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
Drop tcp port 80 from range of addresses
iptables -A INPUT -i 10 -p tcp --dport 80 -m iprange --src-range 192.168.1.1-192.168.1.254 -j DROP
List chain with rule numbers
iptables -nL INPUT -v --line-numbers
Delete particular rule
iptables -D INPUT 10
18 December 2013
DHCP option 121
http://tools.ietf.org/html/rfc3442
This is used to push a classless static route to DHCP clients.
To add option 121 to a Mikrotik DHCP server, its value is specified in hex, in the following format:
0xnnddddddddgggggggg
where nn = mask (prefix length), dddddddd = destination network, gggggggg = gateway.
To convert an IP address to hex, convert each octet separately, so 192 = C0, 168 = A8, 55 = 37, 1 = 01.
You can use a tool such as http://www.miniwebtool.com/ip-address-to-hex-converter/?ip=192.168.55.1
Example:
To add a route to the destination network 192.168.55.0/24 via gateway 172.16.10.1:
/ip dhcp-server option add name=classlessroutes code=121 value=0x18C0A837AC100A01
where 18 is 24 (the /24 prefix length) in hex.
*note: depending on the subnet mask, you may only need to specify 0-4 destination octets; only the network portion of the subnet is sent. Here is the table from the RFC.
Subnet mask width    Number of destination octets
0                    0
1-8                  1
9-16                 2
17-24                3
25-32                4
So for the /24 subnet in the example above, only 3 destination octets were needed: C0A837.
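A small encoder and decoder for the option 121 value described above, added here as an example (it is not from the post or from RouterOS). It uses only Python's standard ipaddress module, reproduces the example value, and also handles the /0 and multi-route cases the table implies; the decoder refuses truncated or malformed values rather than reading past the end.

```python
import ipaddress


def encode_classless_routes(routes):
    """Build the RFC 3442 option-121 payload for a list of
    (destination_prefix, gateway) pairs and return it as the 0x-prefixed
    hex string used in the RouterOS 'value=' field above."""
    out = bytearray()
    for prefix, gateway in routes:
        net = ipaddress.IPv4Network(prefix, strict=True)
        width = net.prefixlen
        # RFC 3442: only the significant destination octets are sent,
        # ceil(width / 8) of them, so /24 -> 3 octets and /0 -> none.
        n_octets = (width + 7) // 8
        out.append(width)
        out += net.network_address.packed[:n_octets]
        out += ipaddress.IPv4Address(gateway).packed
    return "0x" + out.hex().upper()


def decode_classless_routes(value):
    """Parse an option-121 hex value back into (destination_prefix, gateway)
    pairs, rejecting prefix lengths over 32 and truncated payloads."""
    hexstr = value[2:] if value.lower().startswith("0x") else value
    data = bytes.fromhex(hexstr)
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i}")
        n_octets = (width + 7) // 8
        end = i + 1 + n_octets + 4
        if end > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        # Pad the shortened destination back out to four octets.
        dest = data[i + 1:i + 1 + n_octets] + bytes(4 - n_octets)
        gw = data[i + 1 + n_octets:end]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{width}",
                       str(ipaddress.IPv4Address(gw))))
        i = end
    return routes


if __name__ == "__main__":
    # Constructed input matching the example in the post.
    value = encode_classless_routes([("192.168.55.0/24", "172.16.10.1")])
    print(value)  # 0x18C0A837AC100A01
    print(decode_classless_routes(value))
```

Per RFC 3442 a client that receives option 121 ignores the Router option (3), so if clients still need a default gateway, include a 0.0.0.0/0 entry in the list.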
02 November 2013
Mikrotik Bridge Horizon
To achieve functionality similar to Cisco's private VLANs, where all ports are on the same L2 segment but cannot exchange packets, you can use Mikrotik's Bridge Horizon feature.
Basically, every port in a bridge is assigned a horizon value, and RouterOS will only forward frames to other interfaces in the bridge that have a different horizon value.
This means you assign the same horizon value to the interfaces that you don't want to be able to communicate with each other.
For example, you want to bridge all your customers and use a single /24 subnet and the same gateway. Typically this is bad and poses a huge security risk, not to mention performance issues. If you assign the same horizon value to the customer interfaces, then the router will not forward traffic between customers. Customer A will not be able to ping Customer B.
If you had a server, such as an IP-PBX that all customers needed to access, and you were lazy and added it to the bridge, then you would assign a different horizon value to that port.
21 October 2013
mysql timezones
Load the time zone names into MySQL's time zone tables, then convert with CONVERT_TZ:
root@db1:~# mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root
mysql> CONVERT_TZ( 'datetime', 'from_timezone', 'to_timezone')
26 September 2013
Mikrotik NAT, access services via external IP from inside the network
The laptop at 192.168.1.160 wants to communicate with the web server on 192.168.1.10 via the external IP address of the Mikrotik router at 1.1.1.1.
Say you have a service such as webmail, which has a NAT rule to allow access from the external network...
/ip firewall nat add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=888 to-port=80 to-address=192.168.1.10
This works fine of course, so users set up a shortcut to http://1.1.1.1:888
The problem is that when they are on the internal network it doesn't work, because the Mikrotik router won't send the reply data back out the same interface. A work-around is to create a src-nat rule directly below the dst-nat rule, like this:
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.10
The packet flow goes something like this:
1. Client initiates http request to 1.1.1.1:888
2. MT receives and translates destination to 192.168.1.10 as per 1st rule
3. MT then translates the src address from 192.168.1.160 to 192.168.1.1 as per 2nd rule
4. Now communication appears to be between 192.168.1.160 and 192.168.1.1
Happy days.