arfon

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 17 total)
  • in reply to: 3.9.0 experience – http failures #64285

    arfon
    Participant

    Having the same problem. Random pages fail to load but reload on a refresh.

    in reply to: Default gateway? Can no longer set by interface? #64279

    arfon
    Participant

    The answer is to enable Net Balancer and set the DGW there.

    in reply to: ZS 3.4.0 – HTTP connection resets… Anyone else? #53956

    arfon
    Participant

    No one?

    in reply to: SOLVED: Getting the USB img onto a USB drive? #53916

    arfon
    Participant

    Eh, I was hoping for a Linux solution, but your method worked like a charm… Any port in a storm. Thanks.

    in reply to: Multiple WAN interfaces and Dynamic DNS #50513

    arfon
    Participant

    I’m sorry but I do not understand… How do you modify the kerby script using a pre-boot or a post-boot script?

    And would the modification be pre or post boot?

    in reply to: Multiple WAN interfaces and Dynamic DNS #50511

    arfon
    Participant

    Okay dumb question…

    aviegas, if our zeroshell (beta 13) is running off of a USB flash drive, what is the correct way to add your modifications so they are there on reboots?

    in reply to: Adding custom scripts? #50374

    arfon
    Participant

    Nice. Thanks A

    in reply to: Date of a new release #50029

    arfon
    Participant

    will the new release include SMTP Server?

    No offense but why would you want a mail server built into a router? That sounds very insecure.

    There should be a new release with my fixes “real soon now”.

    Waiting with antici-pation! [Rocky Horror reference]

    in reply to: Date of a new release #50026

    arfon
    Participant

    Atheling, either I didn’t install your patches correctly or they aren’t working.

    I saved your patch (the second sticky one) as one big file named patch01 in /Database/custom.

    I added:

    modprobe nf_nat_sip
    # copy everything saved under /Database/custom over the live kerbynet scripts
    for file in /Database/custom/*
    do
        cp "${file}" /root/kerbynet.cgi/scripts/
    done

    …to the pre-boot scripts and enabled them… SSH (into the network) is still real laggy and I still can’t post to this board without turning off load-balancing…

    How EXACTLY do you install your patches and verify that they have loaded correctly?
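Added example, written for this page and not Zeroshell's own code nor part of Atheling's patch: a small POSIX sh checker for the install-on-boot procedure described in the post above. It assumes the custom directory and the live scripts directory are passed as parameters (so it can be run against a scratch copy), that a custom file is either a whole script or a unified diff, and that the patch leaves recognisable markers in the installed scripts (`-N QoS` in fw_start and `CH=QoS` in fw_initrules, both taken from the diff quoted on this page). The function names are mine.

```shell
#!/bin/sh
# Added example, not Zeroshell code: sanity-check the "copy /Database/custom into
# the kerbynet scripts directory at boot" procedure. Directories are parameters
# so the checks can be exercised on a scratch copy; function names are mine.

# Classify one file: "patch" for a unified diff, "script" for a shebang file,
# "other" for anything else. Only the first line is inspected.
classify_file() {
    case "$(head -n 1 "$1")" in
        "Index: "*|"--- "*|"diff "*) echo patch ;;
        "#!"*)                      echo script ;;
        *)                          echo other ;;
    esac
}

# Compare every file in the custom dir ($1) with its installed copy in $2.
# A diff dropped into the custom dir is flagged: copying it next to the scripts
# does not apply it. Returns 1 if anything needs attention.
check_custom_install() {
    ci_rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$(classify_file "$f")" in
            patch)
                echo "WARN: $name is a unified diff; it must be applied with patch -p0, not copied" >&2
                ci_rc=1 ;;
            script)
                if ! cmp -s "$f" "$2/$name"; then
                    echo "FAIL: $2/$name missing or differs from $f (pre-boot copy did not run?)" >&2
                    ci_rc=1
                elif [ ! -x "$2/$name" ]; then
                    echo "FAIL: $2/$name is not executable" >&2
                    ci_rc=1
                fi ;;
            *)
                echo "WARN: $name is neither a script nor a diff, skipped" >&2 ;;
        esac
    done
    return $ci_rc
}

# Look for the markers the patch is expected to leave in the installed scripts
# ($1): the QoS chain created in fw_start and used in fw_initrules.
check_patch_markers() {
    pm_rc=0
    grep -q -- '-N QoS' "$1/fw_start" 2>/dev/null ||
        { echo "FAIL: fw_start does not create the QoS chain" >&2; pm_rc=1; }
    grep -q 'CH=QoS' "$1/fw_initrules" 2>/dev/null ||
        { echo "FAIL: fw_initrules still sends QoS rules to FORWARD" >&2; pm_rc=1; }
    return $pm_rc
}

# Runtime check, meaningful only on the router: the QoS chain must exist in the
# mangle table once the patched fw_start has run.
check_runtime() {
    command -v iptables >/dev/null 2>&1 || { echo "SKIP: no iptables here" >&2; return 0; }
    iptables -t mangle -L QoS -n >/dev/null 2>&1 ||
        { echo "FAIL: mangle table has no QoS chain" >&2; return 1; }
}

# Usage: sh check_install.sh /Database/custom /root/kerbynet.cgi/scripts
if [ $# -eq 2 ]; then
    status=0
    check_custom_install "$1" "$2" || status=1
    check_patch_markers "$2"       || status=1
    check_runtime                  || status=1
    exit $status
fi
```

Run it on the router after boot with the two directory paths from the post; a non-zero exit means something to fix, and the messages say what. The WARN for a diff is the point of the check: a saved unified diff whose `Index:` lines read `kerbynet.cgi/scripts/...` has to be applied with `patch -p0` from the directory that contains kerbynet.cgi, not copied into the scripts directory.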


    arfon
    Participant

    For ssh on port 10, couldn’t I just change it to:

    Index: kerbynet.cgi/scripts/fw_initrules
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_initrules,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 fw_initrules
    --- kerbynet.cgi/scripts/fw_initrules 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/fw_initrules 1 Dec 2009 03:51:40 -0000
    @@ -2,13 +2,13 @@
    . /etc/kerbynet.conf
    CHAIN="$1"
    [ -z "$CHAIN" ] && exit 1
    CONFIG="$REGISTER/system/net/FW/"
    if [ "$CHAIN" == QoS ] ; then
    TABLE="-t mangle"
    - CH=FORWARD
    + CH=QoS
    else
    if [ "$CHAIN" == NetBalancer ] ; then
    TABLE="-t mangle"
    CH=NetBalancer
    else
    TABLE=""
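Review bot: the QoS branch now targets a user-defined chain instead of the built-in FORWARD, so this script depends on `iptables -t mangle -N QoS` having already run (fw_start in this same patch); if fw_initrules is invoked on its own for the QoS chain, `-A QoS` fails with "No chain/target/match by that name". Consider creating the chain here as well (`iptables -t mangle -N QoS 2>/dev/null` before the first append) so the script is safe stand-alone.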
    @@ -23,12 +23,16 @@
    iptables -A INPUT -j SYS_INPUT
    iptables -A INPUT -p tcp --dport 80 -j SYS_HTTPS
    iptables -A INPUT -p tcp --dport 443 -j SYS_HTTPS
    iptables -A INPUT -p tcp --dport 10 -j SYS_SSH
    fi
    [ "$CHAIN" == OUTPUT ] && iptables -A OUTPUT -j SYS_OUTPUT
    + # If we are doing the QoS chain, thenlear any marks left over from
    + # Netbalancing/failover routing. The QoS chain is applied after
    + # routing so there is no conflict.
    + [ "$CHAIN" == "QoS" ] && iptables $TABLE -A $CH -j MARK --set-mark 0x0
    if [ -d $CONFIG/Chains/$CHAIN/Rules ] ; then
    cd $CONFIG/Chains/$CHAIN/Rules
    RULES=`ls`
    for RULE in $RULES ; do
    ENABLED="`cat $RULE/Enabled 2>/dev/null`"
    if [ "$ENABLED" == yes ] ; then
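Review bot: `iptables -A INPUT -p tcp --dport 10 -j SYS_SSH` appears here as unchanged context, so if the stock fw_initrules still has `--dport 22` this hunk will be rejected on a context mismatch; to move sshd to port 10 it has to be carried as a `-`/`+` pair, not edited into the context. The added `--set-mark 0x0` at the top of the QoS chain is what makes the per-rule `-m mark ! --mark 0 -j ACCEPT` safe now that the chain runs after NetBalancer, so that is worth saying in the comment, and the comment has a typo: "thenlear" should read "then clear".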
    Index: kerbynet.cgi/scripts/fw_makerule
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_makerule,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 fw_makerule
    --- kerbynet.cgi/scripts/fw_makerule 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/fw_makerule 1 Dec 2009 03:32:42 -0000
    @@ -4,13 +4,13 @@
    RULE="$2"
    OPT="$3"
    [ -z "$CHAIN" -a -z "$RULE" ] && exit 1
    CONFIG="$REGISTER/system/net/FW"
    if [ "$CHAIN" = QoS ] ; then
    TABLE="-t mangle"
    - CH=FORWARD
    + CH=QoS
    else
    if [ "$CHAIN" = NetBalancer ] ; then
    TABLE="-t mangle"
    CH=NetBalancer
    else
    TABLE=""
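Review bot: this chain-to-table mapping is now duplicated verbatim in fw_initrules and fw_makerule, with a third variant in fw_viewchain, so a future rename of the QoS chain has to be made in three places; suggest moving it into a shared function sourced from /etc/kerbynet.conf. Also this file tests `[ "$CHAIN" = QoS ]` while fw_initrules uses `==`; harmless under bash, but worth making consistent.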
    @@ -411,13 +411,13 @@
    iptables $TABLE $IPT $TGT
    if [ "$CHAIN" == QoS ] ; then
    TGTDSCP=`cat $REGISTER/system/net/QoS/Class/$TARGET/DSCP 2>/dev/null`
    if [ -n "$TGTDSCP" ] ; then
    iptables $TABLE $IPT -j DSCP --set-dscp $TGTDSCP
    fi
    - iptables -t mangle -A FORWARD -m mark ! --mark 0 -j ACCEPT
    + iptables -t mangle -A QoS -m mark ! --mark 0 -j ACCEPT
    fi
    if [ "$CHAIN" == NetBalancer ] ; then
    [ "$TARGET" != Auto ] && iptables -t mangle -A NetBalancer -m mark ! --mark 0 -j ACCEPT
    fi
    fi
    fi
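Review bot: `iptables -t mangle -A QoS -m mark ! --mark 0 -j ACCEPT` is appended after every QoS rule, so the chain carries one such rule per rule and ACCEPT in a user chain ends mangle traversal for the packet; that matches what the FORWARD-based version did, but it only works because the chain now starts with `--set-mark 0x0` (fw_initrules hunk). Without that reset a routing mark left by NetBalancer would match `! --mark 0` and skip every QoS rule, so add a comment here naming that dependency.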
    Index: kerbynet.cgi/scripts/fw_start
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_start,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 fw_start
    --- kerbynet.cgi/scripts/fw_start 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/fw_start 30 Nov 2009 22:10:47 -0000
    @@ -10,12 +10,18 @@
    iptables -t mangle -F NetBalancer 2>/dev/null
    iptables -t mangle -X NetBalancer 2>/dev/null
    iptables -t mangle -N NetBalancer 2>/dev/null
    iptables -t mangle -F OpenVPN 2>/dev/null
    iptables -t mangle -X OpenVPN 2>/dev/null
    iptables -t mangle -N OpenVPN 2>/dev/null
    +iptables -t mangle -F QoS 2>/dev/null
    +iptables -t mangle -X QoS 2>/dev/null
    +iptables -t mangle -N QoS 2>/dev/null
    +iptables -t mangle -F NB_CT_PRE 2>/dev/null
    +iptables -t mangle -X NB_CT_PRE 2>/dev/null
    +iptables -t mangle -N NB_CT_PRE 2>/dev/null
    [ "$CPGW" == yes ] && iptables -N CapPort
    $SCRIPTS/fw_https_chain
    $SCRIPTS/fw_ssh_chain
    $SCRIPTS/fw_sys_chain
    CHAINS=`ls`
    for C in $CHAINS ; do
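Review bot: `iptables -t mangle -X QoS` fails silently (given `2>/dev/null`) whenever the `-j QoS` jump that nb_fw inserts into POSTROUTING still exists from a previous run, because a referenced chain cannot be deleted; the preceding `-F` still empties it so the result is correct, but the `-X`/`-N` pair is then a no-op and the error is hidden. Either delete the POSTROUTING jump here before `-X`, or drop `-X`/`-N` and rely on `-F`; the existing NetBalancer and OpenVPN lines have the same property.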
    Index: kerbynet.cgi/scripts/fw_viewchain
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_viewchain,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 fw_viewchain
    --- kerbynet.cgi/scripts/fw_viewchain 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/fw_viewchain 30 Nov 2009 19:30:43 -0000
    @@ -1,7 +1,7 @@
    #!/bin/sh
    . /etc/kerbynet.conf
    CHAIN="$1"
    [ -z "$CHAIN" ] && exit 1
    -[ "$CHAIN" == QoS ] && CHAIN="FORWARD -t mangle"
    +[ "$CHAIN" == QoS ] && CHAIN="QoS -t mangle"
    [ "$CHAIN" == NetBalancer ] && CHAIN="NetBalancer -t mangle"
    iptables -n -v -L $CHAIN
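Review bot: `CHAIN="QoS -t mangle"` relies on the unquoted `$CHAIN` in `iptables -n -v -L $CHAIN` being word-split into two arguments; it works, but a separate `TABLE` variable (as fw_initrules uses) would be clearer and would survive someone later quoting `$CHAIN`. The second test `[ "$CHAIN" == NetBalancer ]` runs after CHAIN may already have been rewritten; harmless now, but an `elif` would make the intent explicit.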
    Index: kerbynet.cgi/scripts/nb_fw
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/nb_fw,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 nb_fw
    --- kerbynet.cgi/scripts/nb_fw 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/nb_fw 10 Apr 2010 13:44:21 -0000
    @@ -1,23 +1,35 @@
    #!/bin/sh
    . /etc/kerbynet.conf
    iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark 2>/dev/null
    +iptables -t mangle -D PREROUTING -m state --state NEW -j NB_CT_PRE 2>/dev/null
    iptables -t mangle -D PREROUTING -j NetBalancer 2>/dev/null
    +iptables -t mangle -D INPUT -m state --state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -D INPUT -j NetBalancer 2>/dev/null
    +iptables -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null
    iptables -t mangle -D OUTPUT -j NetBalancer 2>/dev/null
    iptables -t mangle -D OUTPUT -j OpenVPN 2>/dev/null
    iptables -t mangle -D POSTROUTING -m state --state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -D POSTROUTING -j NB_STAT 2>/dev/null
    +# Need QoS to be done in mangle POSTROUTING. Note that if NetBalance
    +# is enabled then we will insert those rules/chains first. So any
    +# routing marks will be handled before we blow them away with QoS
    +# marks.
    +iptables -t mangle -D POSTROUTING -j QoS 2>/dev/null
    +iptables -t mangle -I POSTROUTING 1 -j QoS 2>/dev/null
    if [ "`cat $REGISTER/system/net/nb/Enabled 2>/dev/null`" = yes ] ; then
    iptables -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark
    - iptables -t mangle -I PREROUTING 2 -j NetBalancer
    + iptables -t mangle -I PREROUTING 2 -m state --state NEW -j NB_CT_PRE 2>/dev/null
    + iptables -t mangle -I PREROUTING 3 -j NetBalancer
    + iptables -t mangle -I INPUT 1 -m state --state NEW -j NB_CT_POST 2>/dev/null
    + iptables -t mangle -I INPUT 2 -j NetBalancer
    + iptables -t mangle -I OUTPUT 1 -j CONNMARK --restore-mark
    + iptables -t mangle -I OUTPUT 2 -j NetBalancer
    + iptables -t mangle -I OUTPUT 3 -j OpenVPN
    iptables -t mangle -I POSTROUTING 1 -m state --state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -I POSTROUTING 2 -j NB_STAT 2>/dev/null
    - iptables -t mangle -I INPUT 1 -j NetBalancer
    - iptables -t mangle -I OUTPUT 1 -j NetBalancer
    - iptables -t mangle -I OUTPUT 2 -j OpenVPN
    fi
    $SCRIPTS/nb_vpn 2> /dev/null
    $SCRIPTS/nb_setautomarking 2>/dev/null
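Review bot: the new comment says the NetBalancer rules are inserted "first", but the code inserts `-j QoS` at POSTROUTING position 1 unconditionally and then, when NetBalancer is enabled, inserts NB_CT_POST and NB_STAT at positions 1 and 2 afterwards; the resulting order (NB_CT_POST, NB_STAT, QoS) is the one wanted, since QoS zeroes the marks, but the comment describes insertion order rather than resulting order, so reword it to say the NetBalancer jumps are inserted above QoS. Also `-I POSTROUTING 1 -j QoS 2>/dev/null` hides the case where the QoS chain does not exist yet (fw_start not run); drop the redirect on the insert so that failure shows in the boot log.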

    Index: kerbynet.cgi/scripts/nb_setautomarking
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/nb_setautomarking,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 nb_setautomarking
    --- kerbynet.cgi/scripts/nb_setautomarking 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/nb_setautomarking 4 Dec 2009 03:41:47 -0000
    @@ -3,27 +3,56 @@
    CONFIG=$REGISTER/system/net/nb/Gateways
    cd $CONFIG
    function set_gwmark {
    xGW="$1"
    INTERFACE=`cat $xGW/Interface 2>/dev/null`
    IP=`cat $xGW/IP 2>/dev/null`
    + # Set up the pre-routing chain for new connections from this Gateway. We want
    + # to mark all traffic originating from this gateway to be routed back out to the
    + #same gateway.
    +
    + # If this Gateway has no interface device defined for it, see if we can get
    + # one based on the next hop IP address
    + if [ "$INTERFACE" == "" ] ; then
    + if [ "$IP" != "" ] ; then
    + INTERFACE=`ip route get $IP | grep -o "dev w*" | awk 'BEGIN {FS=" "}{print $2}'`
    + fi
    + fi
    + # If we have found the interface, then mark all traffic coming in on it to use
    + # it for outbound responses
    + if [ "$INTERFACE" != "" ] ; then
    + if ! iptables -t mangle -L NB_CT_PRE -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
    + [ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_CT_PRE 1 -i $INTERFACE -j MARK --set-mark 1$xGW
    + else
    + [ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_CT_PRE -i $INTERFACE -j MARK --set-mark 1$xGW
    + fi
    + fi
    +
    + # In the post routing phase, we want to get the the routing realm used for new
    + # connections and save it in the connection. First setp here is to get the mark
    + # and put it on the packet. Our caller will emit the code to save the marks to
    + # the connection.
    if ! iptables -t mangle -L NB_CT_POST -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
    [ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_CT_POST 1 -m realm --realm 1$xGW -j MARK --set-mark 1$xGW
    else
    [ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_CT_POST -m realm --realm 1$xGW -j MARK --set-mark 1$xGW
    fi
    +
    + # Make the entry in the statistics chain so we can track how much traffic went
    + # over each gateway
    if ! iptables -t mangle -L NB_STAT -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
    [ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_STAT 1 -m mark --mark 1$xGW
    else
    [ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_STAT -m mark --mark 1$xGW
    fi
    }
    GW="$1"
    if [ -z "$GW" ] ; then
    GW=`ls -d ?? 2>/dev/null`
    iptables -t mangle -F NB_CT_POST
    + iptables -t mangle -F NB_CT_PRE
    iptables -t mangle -F NB_STAT
    for G in $GW ; do
    set_gwmark $G
    done
    iptables -t mangle -D NB_CT_POST -j CONNMARK --save-mark 2> /dev/null
    iptables -t mangle -A NB_CT_POST -j CONNMARK --save-mark
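Review bot: `grep -o "dev w*"` does not extract the device name: the pattern matches the literal text `dev ` followed by zero or more `w` characters, so for `ip route get` output containing `dev ppp0` it yields `dev ` and `awk '{print $2}'` prints nothing, leaving INTERFACE empty and the NB_CT_PRE rule never installed for a gateway without an explicit Interface. If the original read `\w*` the backslash was lost in posting; either way use `grep -o "dev [^ ]*"`, which is also portable to greps without `\w`. Smaller points in the same hunk: `[ "$INTERFACE" == "" ]` reads better as `[ -z "$INTERFACE" ]`, and the added comments have typos ("the the routing realm", "First setp").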

    arfon
    Participant

    iptables -t mangle -L -vn:
    pkts  bytes target prot opt in   out source    destination
    521K  632M  MARK   tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0   state NEW,RELATED,ESTABLISHED tcp spt:80 MARK set 0x65
    5535K 3429M ACCEPT all  --  *    *   0.0.0.0/0 0.0.0.0/0   MARK match !0x0
    76    18051 MARK   tcp  --  ppp1 *   0.0.0.0/0 0.0.0.0/0   state NEW,RELATED,ESTABLISHED tcp spt:80 MARK set 0x66
    76    18051 ACCEPT all  --  *    *   0.0.0.0/0 0.0.0.0/0   MARK match !0x0
    0     0     MARK   tcp  --  ppp1 *   0.0.0.0/0 0.0.0.0/0   tcp spt:10 MARK set 0x66
    0     0     ACCEPT all  --  *    *   0.0.0.0/0 0.0.0.0/0   MARK match !0x0

    Which version of Zeroshell are you running?
    Release 1.0.beta12

    Are you running any patches to that?
    I haven’t applied any. Maybe update has…

    And let me point out that I’m actually running sshd on port 10, not 22.

    in reply to: Firewall logs??? How to identify a protocol??? #49334

    arfon
    Participant

    DNS = my provider’s DNS

    I don’t see a place to put the port information in the Rule Config page. How do I add port info?

    in reply to: Firewall logs??? How to identify a protocol??? #49332

    arfon
    Participant

    Sorry, here’s the firewall rules you asked for-

    in reply to: Firewall logs??? How to identify a protocol??? #49331

    arfon
    Participant

    Here’s my setup: PPP0 & PPP1 are WAN (weighted). ETH00 is the LAN.

    192.168.1.10 is my ‘non-blocked machine’.

    192.168.1.12 is my DNS & HTTP only machine.

    Web page URLs resolve but they don’t load on 192.168.1.12

    The firewall is set up like this:

    Here are the logs:

    What I note is that only the data that is being forwarded to 192.168.1.10 is showing up in the logs and NONE of 192.168.1.12’s traffic is showing (even the DNS which is working).

    in reply to: Weird port forwarding problem… #49306

    arfon
    Participant

    I couldn’t post the above message because every time I hit the SUBMIT button, I would go back to the login screen.

    So, I disabled one of the DSLs and that allowed me to post to this forum… I then tried SSH again and the speed was normal, so apparently the weighted routing is messing up cookie’d websites and sending half of the SSH data off into never-never land.

    TightVNC STILL didn’t work.

    Anyone have an idea what I need to look at to solve this data-splitting problem for cookie’d websites?
