Ip-up and ip-down scripts with ipset for Accel-ppp

I’ll give an example of the scripts I used earlier: IP addresses that were allowed Internet access were added to the allowip set, and those in the denyip set were redirected to an HTTP page with information about a negative balance.


ABillS + FreeRADIUS + Accel-PPP only issue one DNS

Once, after installing ABillS + FreeRADIUS2 + Accel-PPP (ipoe), I noticed that DHCP clients were receiving only one DNS server.
The Access-Accept from FreeRADIUS looked like this:

Sending Access-Accept of id 1 to 127.0.0.1 port 57481
        Session-Timeout = 604800
        PPPD-Downstream-Speed-Limit = 51200
        Framed-IP-Netmask += 255.255.255.0
        Framed-IP-Netmask += 255.255.255.0
        Acct-Interim-Interval = 600
        DHCP-Domain-Name-Server += 8.8.8.8
        DHCP-Domain-Name-Server += 8.8.4.4
        PPPD-Upstream-Speed-Limit = 51200
        Framed-IP-Address = 172.20.20.20
Finished request 40.

Reason for messages “HTB: quantum of class 10001 is big. Consider r2q change”

Once, on an access server running Ubuntu Server 16.04 and Accel-ppp, I noticed the following messages in the /var/log/kern.log file:

kernel: [365970.550498] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365970.550547] HTB: quantum of class 10A49 is big. Consider r2q change.
kernel: [365979.545580] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365979.545621] HTB: quantum of class 10BD6 is big. Consider r2q change.
kernel: [365995.601973] HTB: quantum of class 10001 is big. Consider r2q change.
kernel: [365995.602031] HTB: quantum of class 11705 is big. Consider r2q change.

First I tried to find out which interfaces were being brought up at that moment:

tail -f /var/log/kern.log | grep "quantum of class 10001 is big"
tail -f /var/log/accel-ppp/accel-ppp.log | grep "create interface"


How to disconnect SSH user

Let’s say that several users are connected through SSH.

First look at the list of online users:

w

Suppose the following information is displayed (where test is the user’s login):

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
test     tty1                      11:20    1:07   0.03s  0.03s -bash
test     pts/0    192.168.1.5      11:21   13.00s  0.02s  0.02s -bash
test     pts/1    192.168.1.3      11:21    0.00s  0.02s  0.00s w

tty1 – a client logged in locally, that is, someone sitting at the machine itself.
pts/1 – judging by the IP address and the WHAT column, this is our own session; accordingly, pts/0 is the client we want to disconnect.

See the list of processes and their PID:

ps faux |grep sshd

In my case the output was:

root       946  0.0  0.5  65508  5368 ?        Ss   12:00   0:00 /usr/sbin/sshd -D
root      1147  0.0  0.6  92828  6920 ?        Ss   12:01   0:00  \_ sshd: test [priv]
test      1178  0.0  0.3  92828  3384 ?        S    12:01   0:00  |   \_ sshd: test@pts/0
root      1192  0.0  0.6  92828  6592 ?        Ss   12:02   0:00  \_ sshd: test [priv]
test      1223  0.0  0.3  92828  3532 ?        S    12:02   0:00      \_ sshd: test@pts/1
test      1248  0.0  0.0  15468   956 pts/1    S+   12:25   0:00              \_ grep --color=auto sshd

We find test@pts/0; accordingly, 1178 is the PID we need.

We terminate the process by specifying its ID, after which the user will immediately disconnect:

sudo kill -9 1178
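The three steps above (list sessions, find the sshd process for the right terminal, signal it) can be wrapped in a small POSIX shell helper. The following is an added example, not a script from this article: it assumes `ps -eo pid,user,args` output in which the per-session sshd process is titled `sshd: USER@TTY` (as in the listing above), and it refuses to act on the terminal it is itself running on, so that a typo in the tty does not cut off the administrator. The sample `ps` output embedded below is constructed to match the article's listing.

```shell
#!/bin/sh
# Added example (not the article's commands): locate the sshd session process
# for a given user and pseudo-terminal and terminate it.

# Constructed sample in the format of `ps -eo pid,user,args` without the
# header line, matching the article's listing.
SAMPLE_PS='  946 root /usr/sbin/sshd -D
 1147 root sshd: test [priv]
 1178 test sshd: test@pts/0
 1192 root sshd: test [priv]
 1223 test sshd: test@pts/1'

# find_session_pid USER TTY   (reads ps output on stdin)
# Prints the PID whose command is exactly "sshd: USER@TTY"; prints nothing
# if no such session exists. Matching the full title avoids hitting the
# "[priv]" parent process or an unrelated user's session.
find_session_pid() {
    awk -v want="sshd: $1@$2" '($3 " " $4) == want { print $1; exit }'
}

# own_tty: the pseudo-terminal this shell runs on, e.g. "pts/1"
own_tty() {
    tty 2>/dev/null | sed 's#^/dev/##'
}

# disconnect_session USER TTY [SIGNAL]
# Sends SIGNAL (default TERM, which lets sshd close the channel cleanly;
# KILL, as in the article, if the session refuses to go away) to the
# matching sshd process. Needs root or ownership of the target process.
disconnect_session() {
    user="$1"; tty="$2"; sig="${3:-TERM}"
    if [ "$tty" = "$(own_tty)" ]; then
        echo "refusing to disconnect our own session on $tty" >&2
        return 2
    fi
    pid=$(ps -eo pid,user,args | find_session_pid "$user" "$tty")
    if [ -z "$pid" ]; then
        echo "no sshd session for $user on $tty" >&2
        return 1
    fi
    kill -"$sig" "$pid"
}

# Usage on a live system:
#   disconnect_session test pts/0
# Dry run against the constructed sample (prints 1178):
#   printf '%s\n' "$SAMPLE_PS" | find_session_pid test pts/0
```

Because the lookup keys on the exact `sshd: user@tty` title, it picks the session process and not the privileged `sshd: test [priv]` parent, which is the same process the article's `ps faux` listing points to.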

See also my articles:
Configuring SSH session timeout
Installing and Configuring SSH

The script for adding IP addresses from a file to ipset

Once I needed to write a script that adds to ipset all the IP addresses that had a session started on the access server. ABillS billing was in use, so I decided to take the IP addresses from the billing’s MySQL table.

The first step is to create a test ipset:

ipset create test iphash


The solution to the error “Another app is currently holding the xtables lock”

I recently noticed on a server running the ABillS billing system that when the /etc/ppp/ip-up script is executed many times at once, the following error occurs:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Looking at the script code, I found two iptables commands that can slow things down, namely the search for ipoe interfaces among the existing rules:

IPTABLES="/sbin/iptables"
EXIST=`${IPTABLES} -t nat -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} -L -v | grep DROP | grep "${IFNAME} "`

Bringing up 3000 sessions took more than 30 minutes, and some rules could not be added or deleted by the script at all.
By default, when the -L option is used, iptables resolves IP addresses and tries to display DNS names instead of them, which takes a long time; to prevent this, the -n option must be added. Just in case, I also added the -w 20 switch, which makes iptables wait up to 20 seconds for the lock if another iptables command is already running instead of failing immediately:

IPTABLES="/sbin/iptables"
IPTABLES_WAIT="-w 20"
EXIST=`${IPTABLES} $IPTABLES_WAIT -t nat -n -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} $IPTABLES_WAIT -n -L -v | grep DROP | grep "${IFNAME} "`

After that, the script with the iptables rules began to complete instantly.
Since not all of the old rules had been applied, I checked this by counting some of them with the command:

iptables -n -L -t nat -v | grep DNAT | wc -l

I compared the count with the number of sessions: there were clearly fewer rules than sessions, so I had to clear all the rules and restart the sessions so that the /etc/ppp/ip-up script ran correctly; this time, with 3000 sessions, it finished in less than a minute.
Note that in the /etc/ppp/ scripts it is better not to use iptables rules at all.
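The two fixes above (`-n` so that listing does not stall on reverse DNS, `-w` so that a concurrent ip-up waits for the xtables lock instead of failing) can be combined with a more precise existence check. The following is an added example, not the article's ip-up script: it uses `iptables -C`, which exits 0 when an identical rule exists and 1 when it does not, so the check needs no `-L` output and no `grep` at all, and the same argument list is reused for `-A`, so the check and the insert cannot drift apart. The `IPTABLES` variable is kept overridable so the helper can be exercised against a stand-in binary; the rules in `ip_up_main` are placeholders, not the billing system's real rules.

```shell
#!/bin/sh
# Added example (not the article's /etc/ppp/ip-up): per-interface rule
# management that tolerates concurrent ip-up invocations.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # overridable for testing
IPTABLES_WAIT="-w 20"                    # wait up to 20 s for the xtables lock
IFNAME="${IFNAME:-ipoe0}"                # accel-ppp passes the interface name to ip-up

# rule_exists TABLE RULE-SPEC...
# Uses `iptables -C`: exit status 0 if an identical rule is present, 1 if not.
# No listing is produced, so there is nothing to resolve or grep.
rule_exists() {
    table="$1"; shift
    "$IPTABLES" $IPTABLES_WAIT -t "$table" -C "$@" >/dev/null 2>&1
}

# ensure_rule TABLE RULE-SPEC...
# Appends the rule only if it is not already there, so repeated ip-up runs
# for the same interface never produce duplicate rules.
ensure_rule() {
    table="$1"; shift
    if rule_exists "$table" "$@"; then
        return 0
    fi
    "$IPTABLES" $IPTABLES_WAIT -t "$table" -A "$@"
}

# count_dnat_rules: the article's consistency check, with -n so that listing
# does not stall on DNS lookups and -w so it does not fail under the lock.
count_dnat_rules() {
    "$IPTABLES" $IPTABLES_WAIT -t nat -n -L PREROUTING -v | grep DNAT | grep -c "$IFNAME "
}

# Placeholder rules standing in for the billing script's real ones.
ip_up_main() {
    ensure_rule filter FORWARD -i "$IFNAME" -j DROP
    ensure_rule nat PREROUTING -i "$IFNAME" -p tcp --dport 80 \
        -j DNAT --to-destination 192.0.2.1:80
}

# Usage from ip-up: IFNAME="$1" ip_up_main
```

The `-w` option requires iptables 1.4.20 or newer; on older builds the flag is rejected, which is worth checking once with `iptables -w 1 -L -n` before relying on it in a script that runs thousands of times.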