Ip-up and ip-down scripts with ipset for Accel-ppp

I’ll give an example of the scripts I used before, in the allowip list IP addresses were added to which the Internet is allowed, and in denyip those were redirected to the http page with information about the negative deposit.

Continue reading “Ip-up and ip-down scripts with ipset for Accel-ppp”

ABillS + FreeRADIUS + Accel-PPP only issue one DNS

Once after installation ABillS + FreeRADIUS2 + Accel-PPP (ipoe) noticed that for DHCP clients receive only one DNS server.
Access-Accept from FreeRADIUS was this:

Sending Access-Accept of id 1 to 127.0.0.1 port 57481
        Session-Timeout = 604800
        PPPD-Downstream-Speed-Limit = 51200
        Framed-IP-Netmask += 255.255.255.0
        Framed-IP-Netmask += 255.255.255.0
        Acct-Interim-Interval = 600
        DHCP-Domain-Name-Server += 8.8.8.8
        DHCP-Domain-Name-Server += 8.8.4.4
        PPPD-Upstream-Speed-Limit = 51200
        Framed-IP-Address = 172.20.20.20
Finished request 40.
Continue reading “ABillS + FreeRADIUS + Accel-PPP only issue one DNS”

Reason for messages “HTB: quantum of class 10001 is big. Consider r2q change”

Once on the access server, Ubuntu Server 16.04 and Accel-ppp noticed the following messages in the /var/log/kern.log file:

kernel: [365970.550498] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365970.550547] HTB: quantum of class 10A49 is big. Consider r2q change.
kernel: [365979.545580] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365979.545621] HTB: quantum of class 10BD6 is big. Consider r2q change.
kernel: [365995.601973] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365995.602031] HTB: quantum of class 11705 is big. Consider r2q change.

First I tried to track which interfaces are being raised at this moment:

tail -f /var/log/kern.log | grep "quantum of class 10001 is big"
tail -f /var/log/accel-ppp/accel-ppp.log | grep "create interface"

Continue reading “Reason for messages “HTB: quantum of class 10001 is big. Consider r2q change””

The script for adding IP addresses from a file to ipset

It took one day to write a script to add to ipset all the IP for which the session was started on the access server, Abills billing was used, so I decided to take IP addresses from the MySQL billing table.

The first step is to create a test ipset:

ipset create test iphash

Continue reading “The script for adding IP addresses from a file to ipset”

The solution to the error “Another app is currently holding the xtables lock”

Recently noticed on one server with the billing system ABillS, that when the script /etc/ppp/ip-up is executed in bulk, an error occurs:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Having looked at the script code, I found that there are two rules among the iptables rules that can slow down the work, namely, the search for ipoe interfaces by two commands:

IPTABLES="/sbin/iptables"
EXIST=`${IPTABLES} -t nat -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} -L -v | grep DROP | grep "${IFNAME} "`

To raise 3000 sessions, it took more than 30 minutes and some rules could not be added at all or deleted by the script.
By default, if the -L option is used, iptables resolves the IP addresses and tries to display DNS names instead of them, which takes a long time, and so that this does not happen, you need to add the -n option, and just in case I added the -w 20 switch, which will cause the new rules to be postponed until 20 seconds if iptables is already busy executing another command:

IPTABLES="/sbin/iptables"
IPTABLES_WAIT="-w 20"
EXIST=`${IPTABLES} $IPTABLES_WAIT -t nat -n -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} $IPTABLES_WAIT -n -L -v | grep DROP | grep "${IFNAME} "`

After that, the script with iptables rules began to work out instantly.
Since the old rules are not all fulfilled, I checked this by counting some by the team:

iptables -n -L -t nat -v | grep DNAT | wc -l

And I checked with the number of sessions, the rules were obviously smaller, so I had to clear all rules and restart the session so that the /etc/ppp/ip-up script worked correctly, this time at 3000 sessions it did its job in less than a minute.
Note that in the / etc / ppp / scripts, it’s better not to use iptables rules.

Installing the Netlist for ABillS

On the test, I install the Netlist module for ABillS in Ubuntu Server.

We import the tables into the database:

mysql -D abills --default-character-set=utf8 < /usr/abills/db/Netlist.sql

Open the billing configuration file:

nano /usr/abills/libexec/config.pl

Make sure that the module is activated:

@MODULES = (
          'Netlist'
          );

Install nmap and Perl module for it:

sudo apt-get install nmap
sudo cpanm Nmap::Parser

Let’s see where nmap is located:

which nmap

Open the billing configuration file again:

sudo nano /usr/abills/libexec/config.pl

Let’s specify the path to nmap:

$conf{'NMAP_LOCATION'}="/usr/bin/nmap";

Add to sudoers:

echo 'www-data ALL=(ALL) NOPASSWD: /usr/bin/nmap' >> /etc/sudoers.d/abills_sudoers

After installation, the module will be available in the menu /Settings/Netlist

Configuring FreeRADIUS DHCP for ABillS

Suppose you installed FreeRADIUS 2 as written in this article – Installation and configuration of the ABillS billing system
Now copy the dhcp.conf file into the FreeRADIUS configuration:

sudo cp /usr/abills/misc/freeradius/v2/dhcp.conf /usr/local/freeradius/etc/raddb/sites-enabled/

Continue reading “Configuring FreeRADIUS DHCP for ABillS”