Archive for November, 2008

FTP port forwarding using Linux router


Well, let’s imagine a rather trivial situation: you have a Linux router connected to the Internet via, say, an ADSL modem, and a local network of several computers and servers connected to that router via switches and/or Wi-Fi access points.

Done? Ok.

There is one public IP assigned to the WAN interface of the router, while the FTP server (of course also running Linux) has a private address like 192.168.123.14, 172.16.x.x or 10.x.x.x. You also want people to reach your FTP server from every corner of the Internet. There are several ways to do this, but let’s talk about the port forwarding feature found in any router’s feature list.

So, let’s say we have the following configuration:

Internet <-> [a] router [b] <-> [c] FTP server

[a] is the WAN interface with 212.213.214.215 (just an example) assigned to it, [b] is the router’s LAN NIC with 192.168.0.1 and [c] is the server’s interface with IP 192.168.0.2. All we need is that users on the Internet can reach the FTP server via 212.213.214.215 on the default TCP port 21.

One of the main problems is that in passive mode the FTP server opens the data connection on a port of its own choosing anywhere in the range 1024 to 65535, so forwarding only ports 21 and 20 to the FTP server is not enough. (Port 20 only matters for active mode, where the server opens the data connection outbound from that port; plain NAT on the router handles that without any forwarding rule.) The fix is to pin the passive range down on the server. Open the configuration file of your FTP service, whether vsftpd, proftpd or whatever you run; with vsftpd, add the following lines to /etc/vsftpd.conf:

pasv_min_port=12000
pasv_max_port=13000

Save the file and restart vsftpd. If clients can log in but directory listings hang, the server is most likely announcing its private 192.168.0.2 address in PASV replies; either tell vsftpd to announce the public address instead, or load the FTP connection-tracking helper on the router so netfilter rewrites the reply on its way out.

Now access the router’s CLI and type the following:

iptables -t nat -I PREROUTING -d 212.213.214.215 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.2
iptables -t nat -I PREROUTING -d 212.213.214.215 -p tcp -m tcp --dport 12000:13000 -j DNAT --to-destination 192.168.0.2

These netfilter rules rewrite the destination of traffic arriving at the router’s public IP on TCP port 21, and on the passive range 12000-13000, to the FTP server’s address 192.168.0.2. Note that the target is the server [c], not the router’s own LAN address 192.168.0.1; pointing DNAT at 192.168.0.1 would just deliver the packets to the router itself. The rules also assume that IP forwarding is enabled on the router and that its FORWARD chain lets the translated packets through; if your FORWARD policy is DROP, add ACCEPT rules for the same ports.
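To tie the server-side and router-side steps together, here is an added helper script, not part of the original post, that prints the vsftpd lines and the iptables commands for the addresses used above and checks that an existing vsftpd.conf really uses the same passive range the router forwards. It assumes a current iptables with the conntrack match and a kernel that has the nf_conntrack_ftp helper; nothing is applied until you pipe the output into sh yourself.

```shell
#!/bin/sh
# Added example (not from the original article): generate the vsftpd passive-range
# fragment and the matching netfilter rules for the topology above, and check that a
# given vsftpd.conf really uses the range the router forwards. Addresses are the
# article's; nothing is applied unless you explicitly pipe the output to sh.

WAN_IP=212.213.214.215      # [a] router's public address
FTP_SERVER=192.168.0.2      # [c] the FTP server itself, NOT the router's LAN side [b]
PASV_MIN=12000
PASV_MAX=13000

# Lines to put in /etc/vsftpd.conf. pasv_address makes vsftpd announce the public IP
# in PASV replies instead of 192.168.0.2, which Internet clients cannot reach.
vsftpd_fragment() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\npasv_address=%s\n' \
        "$PASV_MIN" "$PASV_MAX" "$WAN_IP"
}

# Extract pasv_min_port/pasv_max_port from a vsftpd.conf and compare with the range
# the router forwards. Prints "ok" on a match; prints the mismatch and returns 1 otherwise.
check_pasv_range() {
    conf=$1
    min=$(sed -n 's/^[[:space:]]*pasv_min_port=\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    max=$(sed -n 's/^[[:space:]]*pasv_max_port=\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    if [ "$min" = "$PASV_MIN" ] && [ "$max" = "$PASV_MAX" ]; then
        echo ok
        return 0
    fi
    echo "mismatch: vsftpd uses ${min:-unset}-${max:-unset}, router forwards ${PASV_MIN}-${PASV_MAX}"
    return 1
}

# Netfilter commands for the router. DNAT alone is not enough: forwarding must be on and
# the FORWARD chain must accept the translated packets. nf_conntrack_ftp lets the kernel
# follow PASV replies and rewrite the private address if pasv_address is not set.
ftp_forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
modprobe nf_conntrack_ftp
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport $PASV_MIN:$PASV_MAX -j DNAT --to-destination $FTP_SERVER
iptables -A FORWARD -d $FTP_SERVER -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d $FTP_SERVER -p tcp --dport $PASV_MIN:$PASV_MAX -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $FTP_SERVER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage:  sh ftp-forward.sh show                 # print the router rules for review
#         sh ftp-forward.sh vsftpd               # print the vsftpd.conf lines
#         sh ftp-forward.sh check /etc/vsftpd.conf
#         sh ftp-forward.sh show | sudo sh -e    # apply on the router
case "${1:-show}" in
    show)   ftp_forward_rules ;;
    vsftpd) vsftpd_fragment ;;
    check)  check_pasv_range "${2:-/etc/vsftpd.conf}" ;;
esac
```

The check mode is the part worth keeping around: the usual way this setup rots is that someone widens the passive range on the server months later and the router keeps forwarding the old one, so logins work but listings hang.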

Voilà, that’s it.

FAQ: How to change Duplex and/or Auto-Negotiation NIC settings in Linux?

Q: How to disable auto-negotiation option of my network interface card and set up half/full duplex mode manually from Linux command line (CLI)? By the way, how to see current settings?
A: There are several Linux utilities that ship with almost any distribution, including Debian, Ubuntu, Fedora, RedHat, Mandriva and CentOS. See details below.

ethtool

This rather powerful utility can display and change the settings of an Ethernet network interface card. You can easily disable or enable auto-negotiation for your NIC, set the duplex mode and speed by hand and configure wake-on-LAN options. Look through the full ethtool manual page for the rest. Here are several ethtool usage examples:

ethtool eth0 - shows the current NIC settings:

Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: No
        Speed: 10Mb/s
        Duplex: Half
        Port: MII
        PHYAD: 32
        Transceiver: internal
        Auto-negotiation: off
        Supports Wake-on: pumbg
        Wake-on: d
        Current message level: 0x00000007 (7)
        Link detected: yes

ethtool -s eth0 duplex half autoneg off - disables auto-negotiation and forces half duplex (give speed explicitly too; otherwise it stays at whatever was negotiated last).
ethtool -s eth1 duplex full speed 1000 autoneg off - disables auto-negotiation, forces full duplex and sets the speed to 1000 Mb/s.

Two caveats before forcing anything. If you disable auto-negotiation on one end only, the other end can no longer learn your duplex setting and falls back to half duplex, which gives the classic duplex mismatch (late collisions, CRC errors, miserable throughput); force both ends or neither. And 1000BASE-T over copper requires auto-negotiation by the standard (it is how the two ends agree on master/slave clocking), so the second command is refused by many drivers or leaves the link down; forcing speed and duplex is realistically a 10/100 option.
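Since the interesting question on a real box is usually “which of my links are at half duplex or have auto-negotiation forced off”, here is an added script, not from the original FAQ, that parses ethtool output and flags exactly those links. The embedded sample is the eth0 output shown above, so the script runs offline; the audit mode assumes ethtool is installed and that you run it as root.

```shell
#!/bin/sh
# Added example (not from the original article): parse `ethtool <if>` output and flag
# links that are half duplex or have auto-negotiation forced off, which is what a
# duplex-mismatch hunt across a fleet of boxes boils down to. The sample below is
# the article's own eth0 output, embedded here so the script runs offline.

SAMPLE_ETHTOOL_OUTPUT='Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: No
        Speed: 10Mb/s
        Duplex: Half
        Port: MII
        Auto-negotiation: off
        Link detected: yes'

# Reduce ethtool output on stdin to one line: "<speed> <duplex> autoneg=<on|off> link=<yes|no>".
# The anchored, case-sensitive patterns skip the "Supports/Advertised auto-negotiation" lines.
link_summary() {
    awk -F': *' '
        /^[ \t]*Speed:/            { speed = $2 }
        /^[ \t]*Duplex:/           { duplex = $2 }
        /^[ \t]*Auto-negotiation:/ { autoneg = $2 }
        /^[ \t]*Link detected:/    { link = $2 }
        END { printf "%s %s autoneg=%s link=%s\n", speed, duplex, autoneg, link }'
}

# Succeeds (exit 0) only for a full-duplex link with auto-negotiation on. Anything else
# deserves a look: a half-duplex or forced link on this end usually means the other end
# is still negotiating on its own and has fallen back to half duplex.
link_is_healthy() {
    case "$(link_summary)" in
        *" Full autoneg=on "*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Walk every interface except lo and print its summary (needs ethtool and usually root).
audit_all_nics() {
    for dev in /sys/class/net/*; do
        ifname=${dev##*/}
        [ "$ifname" = lo ] && continue
        printf '%s: ' "$ifname"
        ethtool "$ifname" 2>/dev/null | link_summary
    done
}

# Usage: sh nic-audit.sh          # summarize the embedded sample
#        sh nic-audit.sh audit    # summarize every NIC on this host
if [ "${1:-}" = audit ]; then
    audit_all_nics
else
    printf 'sample eth0: %s\n' "$(printf '%s\n' "$SAMPLE_ETHTOOL_OUTPUT" | link_summary)"
fi
```

Run it in audit mode from cron or your config-management tool and alert on anything for which link_is_healthy fails; the sample eth0 above (10 Mb/s, half duplex, auto-negotiation off) is precisely the kind of link it is meant to surface.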

mii-tool

According to its manual page, mii-tool views and manipulates the status of a NIC’s media-independent interface (MII). It is older than ethtool and its man page marks it as obsolete, but it is still handy on older hardware. Let’s see examples:

bash-3.1# mii-tool eth0
eth0: negotiated 100baseTx-FD, link ok
- shows a 100 Mb/s, full-duplex link with auto-negotiation on (“negotiated”).
bash-3.1# mii-tool eth0 -F 10baseT-HD - forces a 10 Mb/s half-duplex link (-F switches auto-negotiation off).

FAQ: How to scrollback in GNU SCREEN?

Q: I was compiling a kernel inside GNU Screen, something went wrong during the compilation and I want to see the full error output, but I can’t just scroll back with Ctrl+PageUp. How do I scroll back in GNU Screen?

A: In GNU Screen press Ctrl-a then [ to enter copy mode, then scroll with k (up) and j (down). Below are some other navigation keys:

h -    Move the cursor left by one character
j -    Move the cursor down by one line
k -    Move the cursor up by one line
l -    Move the cursor right by one character
0 -    Move to the beginning of the current line
$ -    Move to the end of the current line.
G -    Moves to the specified line
       (defaults to the end of the buffer).
C-u -  Scrolls a half page up.
C-b -  Scrolls a full page up.
C-d -  Scrolls a half page down.
C-f -  Scrolls the full page down.

By the way, to set the scrollback buffer size, start screen with the following option (5000 lines in this example), or put the equivalent defscrollback 5000 line in your ~/.screenrc to make it permanent:

screen -h 5000

Quick info about GNU Screen: it is a Unix tool that lets you run multiple applications in several “virtual” windows inside one terminal. It is very useful when you need, say, to watch the hardware resources consumed by an application from a second console. GNU Screen is also a good way to run applications remotely over ssh: start the application inside screen, log off until it is finished, then “pick up” the screen session again and look at the application’s output.

Update: you can also enter copy mode with Ctrl-a then Esc, which some find handier than Ctrl-a [ (thanks to Yu-Jie Lin for this tip).

WPA Wi-Fi encryption is now cracked

Security researcher Erik Tews has found a way to break TKIP (Temporal Key Integrity Protocol), the cipher used by WPA, far enough to read some of the data sent from the router to a Wi-Fi laptop or PC. According to the organizers of the PacSec conference, where Erik will demonstrate the procedure, it takes 12 to 15 minutes. Mind the limits, though: the attack recovers the MIC key and the keystream of individual short packets (typically ARP), which also lets the attacker inject a handful of forged frames toward the client, and it needs QoS (WMM) to be enabled on the network. It does not recover the pairwise key, does not expose bulk traffic, and does not affect WPA2 with AES-CCMP.

The PacSec 2008 Conference will be held on November 12-13, 2008, at Aoyama Diamond Hall in Tokyo, Japan. The talk is listed as “Gone in 900 Seconds, Some Crypto Issues with WPA - Erik Tews”.

WPA (Wi-Fi Protected Access) is widely used to protect corporate and personal wireless networks. It implements a subset of the IEEE 802.11i standard (the full standard became WPA2) and was the successor to WEP, which was cracked in 2001.

Read more here: Once thought safe, WPA Wi-Fi encryption is cracked.





Who is behind Linux Screw?
My name is Artem Nosulchik (artiomix AT gmail DOT com) and I’m a Linux/Unix and Cisco systems engineer. The main idea of Linux Screw is to share relevant knowledge, skills and observations over the Web. Here you can find a lot of information related to different Linux distributions, FreeBSD, IOS and other Open Source stuff. Read more ››