peterh - Linux - Blog - dnstunnel with iodine and bind9

dnstunnel with iodine and bind9

Tuesday, November 10, 2009, 15:56 - Network
Posted by Administrator

Iodine server with public IP:

#> apt-get install iodine

For "good" connection i used a mtu of 256 through my provider DNS.
On local network no mtu change was necessary.

/etc/default/iodine

START_IODINED="true"
IODINED_ARGS="-m 256 -l IODINE_SERVER_IP 10.0.0.1 tunnel.DOMAIN"
IODINED_PASSWORD="mypassword"

#> sysctl -e net.ipv4.ip_forward=1
#> iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j MASQUERADE

Bind9 server:

zonesfile:

zone "DOMAIN" in {
    type master;
    file "/etc/bind/zones/DOMAIN";
    allow-query { any; };
};

zone "tunnel.DOMAIN" in {
    type forward;
    forward only;
    forwarders {
        IODINE_SERVER_IP;
    };
};

zonefile:

tunnel      1D   IN   NS    tunnelhost
tunnelhost  1D   IN    A    IODINE_SERVER_IP

Client:

#> apt-get install iodine
#> iodine -m 256 -P mypassword tunnel.DOMAIN
#> route add default gw 10.0.0.1

Well it seams that my provider drop's packets with some payload in it:

#> ping -c1 -s 109 10.0.0.1 fails

but

#> ping -c1 -s 109 -p ff 10.0.0.1 succeeds

[ view entry ] ( 1407 views ) | print article

chrooted sftp only

Wednesday, August 5, 2009, 13:01 - Network, Security
Posted by Administrator

useradd -s /bin/false -m SFTPUSER
mkdir /home/SFTPUSER/.ssh
ssh-keygen -t rsa -b 2048 -N '' -f /home/SFTPUSER/.ssh/id_rsa
chown -R SFTPUSER:SFTPUSER /home/SFTPUSER/.ssh
chmod 600 /home/SFTPUSER/.ssh/id_rsa

/etc/ssh/sshd_config:

Subsystem       sftp    internal-sftp

Match user SFTPUSER
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
    ChrootDirectory /chroot

chown root:root /chroot
mkdir /chroot/SFTPUSERDIR
chown SFTPUSER:SFTPUSER /chroot/SFTPUSERDIR

echo "put FILENAME" | \
sftp -oIdentityFile=/home/SFTPUSER/.ssh/id_rsa \
     -oTCPKeepAlive=no -oServerAliveInterval=15 \
     SFTPUSER@localhost:SFTPUSERDIR

[ view entry ] ( 2426 views ) | print article

secure rsync to only one directory

Thursday, July 2, 2009, 12:03 - Network, Security
Posted by Administrator

I want to rsync to a remote host to a given directory.

local-host:

ssh-keygen -t rsa

keyfilename: ~/.ssh/rsync
ssh-copy-id -i .ssh/rsync rsyncuser@remote-host

rsync files with ssh:

rsync -vaHxr --delete \
      -e "ssh -i ~/.ssh/rsync -c arcfour -o Compression=no -x" \
      LOCALDIR rsyncuser@remote-host:

remote-host

/home/rsyncuser/.ssh/authorized_keys:

from="192.168.0.2,",command="/home/rsyncuser/validate-rsync.sh",
 no-pty,no-agent-forwarding,no-port-forwarding
 ssh-dss 012345678...

limit access with from (optional).
On sucessfully ssh login command is executed.
Read More...

[ view entry ] ( 2445 views ) | print article

ip crossover: send packets on eth0 out and receive them via eth1

Wednesday, April 15, 2009, 14:32 - Network
Posted by Administrator

For testing my intellon driver on one pc i need to send packets on eth0 (intellon usb) out and receive them via eth1 (intellon ethernet).

The only solution i found was a not anymore supported module for netfilter from Rusty Russell.

I tried to fix the compiler errors/warnings and finally it worked.

Usage:

ifconfig eth0 192.168.1.1
ifconfig eth1 192.168.2.1
arp -s 192.168.1.2 <hardware address of eth1> -i eth0
arp -s 192.168.2.2 <hardware address of eth0> -i eth1
modprobe ip_crossover dev1=eth0 dev2=eth1

Then doing ping 192.168.1.2, ICMP ping goes out eth0 and comes back in eth1.

ip_crossover.tar.bz2

for testing packets with differenz sizes i did:

for i in $(seq 0 1472); do ping -q -c1 -s$i 192.168.2.2 >/dev/null || echo fail $i; done

for i in $(seq 0 1472); do ping -q -c1 -s$i 192.168.1.2 >/dev/null || echo fail $i; done

[ view entry ] ( 1487 views ) | print article

Intellon int51x1 PLC usb net driver for devolo dlan duo

Wednesday, April 15, 2009, 09:34 - Network, Patches
Posted by Administrator

Here is how i made the patch for inclusion:

git config --global user.name "Peter Holik"
git config --global user.email "peter AT holik.at"

check kernel out with git

git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git

first i had to export usbnet_get_ethernet_addr from usbnet.c
and to fix cdc_ether.c

git commit -am "export get_ethernet_addr from cdc.ether.c in usbnet"

then copy my new driver int51x1.c to /usr/src/linux-2.6/drivers/net/usb/ and modify /usr/src/linux-2.6/drivers/net/usb/Kconfig and /usr/src/linux-2.6/drivers/net/usb/Makefile

git add /usr/src/linux-2.6/drivers/net/usb/int51x1.c

git commit -am "usb driver for intellon int51x1 based PLC like devolo dlan duo"

git format-patch -s origin/master

Then mail the created file to linux kernel mailinglist:

cat 0001-export-usbnet_get_ethernet_addr-from-usbnet-and-fixe.patch | \
mail linux-kernel@vger.kernel.org

cat 0002-usb-driver-for-intellon-int51x1-based-PLC-like-devol.patch | \
mail linux-kernel@vger.kernel.org

Many thanks to the guys at linux-kernel@vger.kernel.org for suggestions and improvements.

Undo last commit with git reset --soft HEAD^

My driver will be part of linux kernel 2.6.31

git quick reference

[ view entry ] ( 1119 views ) | print article

<<First <Back | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | Next> Last>>