Dnstop – monitoring of requests to the DNS server

The utility is installed in Ubuntu/Debian by the command:

sudo apt-get install dnstop

Start-up example:

dnstop -n google.com eth0

I’ll describe the list of possible startup keys:
-4 (number of IPv4 packets)
-6 (number of IPv6 packets)
-Q (number of requests)
-R (number of answers)
-a (anonymous IP addresses)
-i ADDRESS (ignoring the specified IP address)
-n NAME (number of requests for the specified address only)
-l NUMBER (monitoring up to the specified number of requests)
-f (filter name)

How to convert a list of IP addresses to DNS names

In Linux, you can convert a list of IP addresses into DNS names, for example, by a simple script.

To do this, create an empty file with the extension .sh, make it executable and add the content to it:

#!/bin/sh
while read ip traf ; do
    name=`host $ip|awk '{print $NF}'`
    echo -e "$name\t$ip\t$traf"
done >name_ip_traf.lst <ip_traf.lst

Where ip_traf.lst is a file with a list of IP addresses that need to be converted to DNS names.

You can make it executable by the command:

chmod +rwx file.sh

Run the script in the directory where it is located by the command:

./file.sh

Or run by specifying the full path:

/dir/file.sh

After the startup, you must wait for a while or interrupt the execution by pressing CTRL+C.

How to enable or disable Proxy ARP on Linux

Let’s look at the status of Proxy ARP (1 – enabled, 0 – disabled):

cat /proc/sys/net/ipv4/conf/all/proxy_arp

You can look at a specific network interface (where eth0 is the name of the network interface):

cat /proc/sys/net/ipv4/conf/eth0/proxy_arp

You can enable Proxy ARP as follows:

sudo su
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

Or so:

sudo sysctl net.ipv4.conf.all.proxy_arp=1
sudo sysctl net.ipv4.conf.eth0.proxy_arp=1
sudo sysctl -p

To turn off the Proxy ARP commands are similar, you only need to specify 0 instead of 1.

The above changes will be reset after restarting the system so that this does not happen, open the file /etc/sysctl.conf in any text editor:

sudo nano /etc/sysctl.conf

And specify:

net.ipv4.conf.all.proxy_arp=1
net.ipv4.conf.eth0.proxy_arp=1

If necessary, you can see the incoming ARP packets via tcpdump:

sudo tcpdump -n -i eth0 -e arp

Install and configure accel-ppp (IPoE) for ABillS

On the test, I’ll run accel-ppp in Ubuntu Server 16.04 LTS for ABillS.

If necessary, we create vlan interfaces as I wrote here – Adding vlan to Ubuntu for ABillS

Switch to the root user:

sudo su

Install the necessary components:

apt-get update
cd /usr/src
apt-get install make cmake libcrypto++-dev libssl-dev libpcre3 libpcre3-dev git lua5.1 liblua5.1-0-dev
apt-get install linux-headers-`uname -r`

See what is the latest version of accel-ppp and download it from https://sourceforge.net/projects/accel-ppp/files/
If accel-ppp will not serve a large number of clients, then you can download fresh source code from git in which bugs can occur.

Unpack the downloaded archive:

tar -xvf accel-ppp-1.11.2.tar.bz2

Install accel-ppp (VLAN_MON_DRIVER can not be installed if the server does not use VLAN):

mkdir accel-ppp-build
cd accel-ppp-build
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DKDIR=/usr/src/linux-headers-`uname -r` -DRADIUS=TRUE -DSHAPER=TRUE -DLOG_PGSQL=FALSE -DLUA=TRUE -DBUILD_IPOE_DRIVER=TRUE -DBUILD_VLAN_MON_DRIVER=TRUE ../accel-ppp-1.11.2
make
make install

We connect the module and check:

insmod /usr/src/accel-ppp-build/drivers/ipoe/driver/ipoe.ko
lsmod | grep ipoe

Let’s proceed to manual configuration.
Let’s create an autorun script:

nano /etc/init.d/accel-ppp

Add the following content to it:

#!/bin/sh
# /etc/init.d/accel-ppp: set up the accel-ppp server
### BEGIN INIT INFO
# Provides:          accel-ppp
# Required-Start:    $networking
# Required-Stop:     $networking
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

set -e

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/sbin;
ACCEL_PPTPD=`which accel-pppd`
. /lib/lsb/init-functions

if test -f /etc/default/accel-ppp; then
    . /etc/default/accel-ppp
fi

if [ -z $ACCEL_PPPTD_OPTS ]; then
  ACCEL_PPTPD_OPTS="-c /etc/accel-ppp.conf"
fi

case "$1" in
  start)
        log_daemon_msg "Starting accel-ppp server" "accel-pppd"
        if [ x`lsmod |awk /ipoe/'{print $1}'` = x ]; then
          insmod /usr/src/accel-ppp-build/drivers/ipoe/driver/ipoe.ko
        fi
        if start-stop-daemon --start --quiet --oknodo --exec $ACCEL_PPTPD -- -d -p /var/run/accel-pppd.pid $ACCEL_PPTPD_OPTS; then
            log_end_msg 0
        else
            log_end_msg 1
        fi
  ;;
  restart)
        log_daemon_msg "Restarting accel-ppp server" "accel-pppd"
        if [ x`lsmod |awk /ipoe/'{print $1}'` = x ]; then
          insmod /usr/src/accel-ppp-build/drivers/ipoe/driver/ipoe.ko
        fi
        start-stop-daemon --stop --quiet --oknodo --retry 180 --pidfile /var/run/accel-pppd.pid
        if start-stop-daemon --start --quiet --oknodo --exec $ACCEL_PPTPD -- -d -p /var/run/accel-pppd.pid $ACCEL_PPTPD_OPTS; then
            log_end_msg 0
        else
            log_end_msg 1
        fi
  ;;

  stop)
        log_daemon_msg "Stopping accel-ppp server" "accel-pppd"
        start-stop-daemon --stop --quiet --oknodo --retry 180 --pidfile /var/run/accel-pppd.pid
        log_end_msg 0
  ;;

  status)
    do_status
  ;;
  *)
    log_success_msg "Usage: /etc/init.d/accel-ppp {start|stop|status|restart}"
    exit 1
    ;;
esac

exit 0

Let’s make it executable and add an autorun:

chmod +x /etc/init.d/accel-ppp
update-rc.d accel-ppp defaults

Create the lua file:

nano /etc/accel-ppp.lua

Add to it:

function username(pkt)
return pkt:hdr('chaddr')
end

Create log rotation file:

nano /etc/logrotate.d/accel-ppp

Add to it:

/var/log/accel-ppp/*.log {
      rotate 7
      daily
      size=100M
      compress
      missingok
      sharedscripts
      postrotate
              test -r /var/run/accel-pppd.pid && kill -HUP `cat /var/run/accel-pppd.pid`
      endscript
}

Open the dictionaries in the editor:

nano /usr/local/share/accel-ppp/radius/dictionary
nano /usr/local/freeradius/etc/raddb/dictionary

Add at the end:

ATTRIBUTE DHCP-Router-IP-Address 241 ipaddr
ATTRIBUTE DHCP-Mask              242 integer
ATTRIBUTE L4-Redirect      243 integer
ATTRIBUTE L4-Redirect-ipset      244 string
ATTRIBUTE DHCP-Option82          245 octets

# Limit session traffic
ATTRIBUTE Session-Octets-Limit 227 integer
# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
ATTRIBUTE Octets-Direction 228 integer
# Connection Speed Limit
ATTRIBUTE PPPD-Upstream-Speed-Limit 230 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit 231 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-1 232 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-1 233 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-2 234 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-2 235 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-3 236 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-3 237 integer
ATTRIBUTE Acct-Interim-Interval 85 integer
ATTRIBUTE Acct-Input-Gigawords    52      integer
ATTRIBUTE Acct-Output-Gigawords   53      integer

Open the configuration file accel-ppp:

nano /etc/accel-ppp.conf

And add the content (we will adjust to our needs, change the names of the network interfaces, IP nas, radius secret, for each distributed pool in the ipoe section, the gateway and mask are specified, for example gw-ip-address=10.0.0.1/24, but if attr-dhcp-router-ip and attr-dhcp-mask are passed from radius, then they will be in priority):

#ABillS
[modules]
log_file
radius
ipoe
ippool
shaper
sigchld
#pppd_compat

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=2

[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
#nas-identifier=accel-ipoe
nas-ip-address=192.168.1.1
server=127.0.0.1,radsecret,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
dae-server=192.168.1.1:3799,radsecret
verbose=1
attr-tunnel-type=NAS-Identifier
gw-ip-address=192.168.1.1

[ipoe]
verbose=1
username=lua:username
lua-file=/etc/accel-ppp.lua
lease-time=600
max-lease-time=660
renew-time=300
attr-dhcp-client-ip=Framed-IP-Address
attr-dhcp-router-ip=DHCP-Router-IP-Address
attr-dhcp-mask=Framed-IP-Netmask
gw-ip-address=10.0.0.1/24
proxy-arp=1
shared=1
ifcfg=1
mode=L2
start=dhcpv4
interface=eth0
#agent-remote-id=accel-ppp
attr-dhcp-opt82=DHCP-Option82

#[ip-pool]
#gw-ip-address=192.168.0.1/24
#attr=Framed-Pool
#192.168.0.2-254,name=pool1

[client-ip-range]
#10.0.0.0/8

[dns]
dns1=8.8.8.8
dns2=8.8.4.4

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
color=1
#per-user-dir=per_user
#per-session-dir=per_session
#per-session=1
level=5

[shaper]
attr=Filter-Id
#down-burst-factor=0.1
#up-burst-factor=1.0
#latency=50
#mpu=0
#mtu=0
#r2q=10
quantum=1500
#moderate-quantum=1
#hightspeed shaper
ifb=ifb0
cburst=1534
#up-limiter=htb
down-limiter=htb
#low speed shaper
up-limiter=police
#down-limiter=tbf
#leaf-qdisc=sfq perturb 10
#leaf-qdisc=fq_codel [limit PACKETS] [flows NUMBER] [target TIME] [interval TIME] [quantum BYTES] [[no]ecn]
#rate-multiplier=1
#fwmark=1
attr-down=PPPD-Downstream-Speed-Limit
attr-up=PPPD-Upstream-Speed-Limit
verbose=10

[pppd-compat]
#ip-up=/etc/ppp/ip-up
#ip-down=/etc/ppp/ip-down
#radattr-prefix=/var/run/radattr
verbose=1

[cli]
verbose=100
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001
password=radsecret

[snmp]
master=0
agent-name=accel-ppp

[connlimit]
limit=10/min
burst=3
timeout=60

Run accel-ppp:

sudo /etc/init.d/accel-ppp restart

You can also use the quick setup script:

cd /usr/abills/misc/
./autoconf PROGRAMS=accel_ppp

Check whether accel_ppp is running like this:

/etc/init.d/accel-ppp status
netstat -tulpn | grep accel-ppp
netstat -tulpn | grep :67

It remains to add an access server to ABills (“Settings” – “Access Server”).
For example:

IP: 127.0.0.1
Name (a-zA-Z0-9_): NAME
Type: accel-ipoe Linux accel-ipoe
Alive (sec.): 600
Control
IP: 127.0.0.1
SSH: 2001
POD/COA: 3799
User: admin
Password (PoD,RADIUS Secret,SNMP): secretpass (also specified in /etc/accel-ppp.conf)

If you need additional operations when starting and ending sessions, you can uncomment pppd_compat and write scripts:

sudo nano /etc/ppp/ip-up
sudo nano /etc/ppp/ip-down

If you need the functions of the script shaper_start.sh, then make the file executable and add it to the autorun:

chmod +x /etc/init.d/shaper_start.sh
update-rc.d shaper_start.sh defaults
/etc/init.d/shaper_start.sh status
/etc/init.d/shaper_start.sh start

And write the parameters in the /etc/rc.conf file, for example:

abills_shaper_enable="YES"
#abills_ipn_if="ens2f1"
abills_shaper_if="ens2f1"
abills_nat_enable="172.16.11.11:192.168.2.0/24"
abills_nas_id="1"
abills_ipn_nas_id="1"
...

See also my articles:
Ip-up and ip-down scripts with ipset for Accel-ppp
How to enable or disable Proxy ARP on Linux
Accel-ppp installation

Ip-up and ip-down scripts with ipset for Accel-ppp

I’ll give an example of the scripts I used before, in the allowip list IP addresses were added to which the Internet is allowed, and in denyip those were redirected to the http page with information about the negative deposit.

Ip-up script:

#!/bin/sh
# ip-up
IFNAME=$1
IP=$5
AWK=/usr/bin/awk
DEBUG=0

if [ -f /var/run/radattr.$IFNAME ]; then
  FILTERS=`${AWK}  '/Filter-Id/ {print $2}'  /var/run/radattr.${IFNAME}`
fi;

if [ w${FILTERS} = wNEG_DEPOSIT ] ; then
   /sbin/ipset add denyip $IP -exist
  if [ w${DEBUG} != w ] ; then
    echo "$(date '+%Y/%m/%d %H:%M') --- UP neg filter User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/neg
  fi;
  exit;

else
  if [ "${DEBUG}" != "" ] ; then
    echo "$(date '+%Y/%m/%d %H:%M') --- UP User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/allow
  fi;

  /sbin/ipset add allowip $IP -exist
fi;

Ip-down script:

#!/bin/sh
# ip-down
IFNAME=$1
IP=$5
AWK=/usr/bin/awk
DEBUG=0

if [ -f /var/run/radattr.$IFNAME ]; then
   FILTERS=`${AWK}  '/Filter-Id/ {print $2}'  /var/run/radattr.$IFNAME`
   USER_NAME=`${AWK}  '/User-Name/ {print $2}'  /var/run/radattr.${IFNAME}`
fi;

# Filters
if [ w${FILTERS} = wNEG_DEPOSIT ] ; then
    /sbin/ipset del denyip $IP -exist
   if [ w${DEBUG} != w ] ; then
     echo "$(date '+%Y/%m/%d %H:%M') --- Down neg filter User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/neg
   fi;
   exit;
else
  if [ "${DEBUG}" != "" ] ; then
    echo "$(date '+%Y/%m/%d %H:%M') --- DOWN User: ${USER_NAME} Filter: ${FILTERS} IF: ${IFNAME} IP: $IP" >> /tmp/allow
  fi;

  /sbin/ipset del allowip $IP -exist
fi;

Accordingly, lists should be created:

/sbin/ipset -N allowip iphash
/sbin/ipset -N denyip iphash

And iptables rules.
We allow FORWARD for allowip:

/sbin/iptables -A FORWARD -m set --match-set allowip src -j ACCEPT
/sbin/iptables -A FORWARD -m set --match-set allowip dst -j ACCEPT

NAT:

/sbin/iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 11.11.11.1 --persistent

For denyip, we configure the redirection of all http requests, allow FORWARD to the page on which the redirection is performed and we forbid FORWARD by default for everything else:

/sbin/iptables -t nat -A PREROUTING -p tcp -m multiport --dport 80 -m set --match-set denyip src -j DNAT --to-destination 11.11.11.1:80
/sbin/iptables -A FORWARD -s 11.11.11.1 -j ACCEPT
/sbin/iptables -A FORWARD -d 11.11.11.1 -j ACCEPT
/sbin/iptables -P FORWARD DROP

Before the ipset command, you can also add a check for the existence of the list, but the simpler the scripts, the better the performance:

allownet=`/sbin/ipset -L |grep allowip |sed 's/ //'|awk -F: '{ print $2 }'`
if [ "${allownet}" = "" ]; then
/sbin/ipset -N allowip iphash
fi;

I note that if there are duplicate sessions, IP will disappear from the lists, because there can not be the same addresses in the list, and if for example there are two duplicate sessions and one of them ends, accordingly, IP will be allocated from the list, respectively, if the second session remains online , then no IP in the list.
Therefore, you can opt out of ipset allowip by configuring ip-unnumbered, and in ipset denyip add addresses via L4-redirect and completely abandon these scripts, well, solve the problem with duplicate IP if there is one.

See also my articles:
The script for adding IP addresses from a file to ipset
Accel-ppp installation

Reason for messages “HTB: quantum of class 10001 is big. Consider r2q change”

Once on the access server, Ubuntu Server 16.04 and Accel-ppp noticed the following messages in the /var/log/kern.log file:

kernel: [365970.550498] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365970.550547] HTB: quantum of class 10A49 is big. Consider r2q change.
kernel: [365979.545580] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365979.545621] HTB: quantum of class 10BD6 is big. Consider r2q change.
kernel: [365995.601973] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365995.602031] HTB: quantum of class 11705 is big. Consider r2q change.

First I tried to track which interfaces are being raised at this moment:

tail -f /var/log/kern.log | grep "quantum of class 10001 is big"
tail -f /var/log/accel-ppp/accel-ppp.log | grep "create interface"

Continue reading Reason for messages “HTB: quantum of class 10001 is big. Consider r2q change”

How to disconnect SSH user

Let’s say that several users are connected through SSH.

First look at the list of online users:

w

Suppose the following information is displayed (where test is the user’s login):

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
test     tty1                      11:20    1:07   0.03s  0.03s -bash
test     pts/0    192.168.1.5      11:21   13.00s  0.02s  0.02s -bash
test     pts/1    192.168.1.3      11:21    0.00s  0.02s  0.00s w

tty1 – it is a client logged in locally, that is, it is located near the computer.
pts/1 – judging for example on IP and WHAT, let’s assume that it’s us, accordingly pts/0 is the client of which we want to disconnect.

See the list of processes and their PID:

ps faux |grep sshd

At me it was displayed:

root       946  0.0  0.5  65508  5368 ?        Ss   12:00   0:00 /usr/sbin/sshd -D
root      1147  0.0  0.6  92828  6920 ?        Ss   12:01   0:00  \_ sshd: test [priv]
test      1178  0.0  0.3  92828  3384 ?        S    12:01   0:00  |   \_ sshd: test@pts/0
root      1192  0.0  0.6  92828  6592 ?        Ss   12:02   0:00  \_ sshd: test [priv]
test      1223  0.0  0.3  92828  3532 ?        S    12:02   0:00      \_ sshd: test@pts/1
test      1248  0.0  0.0  15468   956 pts/1    S+   12:25   0:00              \_ grep --color=auto sshd

We find test@pts/0 and accordingly 1178 is the required PID.

We terminate the process by specifying its ID, after which the user will immediately disconnect:

sudo kill -9 1178

See also my articles:
Configuring SSH session timeout
Installing and Configuring SSH

The script for adding IP addresses from a file to ipset

It took one day to write a script to add to ipset all the IP for which the session was started on the access server, Abills billing was used, so I decided to take IP addresses from the MySQL billing table.

The first step is to create a test ipset:

ipset create test iphash

Create a script file:

nano iplist.sh

Add the following content to it:

mysql -u root -e "SELECT INET_NTOA(framed_ip_address) FROM abills.internet_online WHERE (status=1 or status>=3) AND guest=0;" -s -N > iplist.txt
iplist_data=$(cat iplist.txt)
for row_data in $iplist_data; do ipset -exist add test ${row_data}; done
rm iplist.txt

We execute the script and check:

chmod +x iplist.sh
./iplist.sh
ipset list test | wc -l
ipset -L

See also my article – Ip-up and ip-down scripts with ipset for Accel-ppp