Wetu/Log: Unterschied zwischen den Versionen

(raid)
(Was noch gemacht werden soll?)
 
(12 dazwischenliegende Versionen von 4 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
 
== Wo hängts? ==
 
== Wo hängts? ==
 
* einmal ueber die cfgs schauen
 
* einmal ueber die cfgs schauen
* neue Container
 
** jabber
 
** dn42
 
 
* Motivation der Admins
 
* Motivation der Admins
  
 
== Was noch gemacht werden soll? ==
 
== Was noch gemacht werden soll? ==
* neue Container
 
** jabber
 
** dn42
 
* cloudybay
 
** LX Container von [[Klaud|klaud]] nach [[Wetu|wetu]] portieren
 
 
* smokeping
 
* smokeping
 
** einrichten
 
** einrichten
 
** testen
 
** testen
 +
* mta
 +
** exim durch nullmailer ersetzten ??
 +
** ggf. eximm config anpassen
 +
** Problem:
 +
*** exim verschickt keine nachrichten, zumindest nicht wie gewollt
  
 
== Was gemacht wurde? ==
 
== Was gemacht wurde? ==
Zeile 41: Zeile 38:
 
* ccze
 
* ccze
 
* munin-node
 
* munin-node
 +
 +
=== lxc upgrade auf 0.9.0 aus jessie ===
 +
 +
lxc-debconf hatte einen Bug in Zeile 381
 +
:-- [[Benutzer:Astro|Astro]] ([[Benutzer Diskussion:Astro|Diskussion]]) 03:10, 24. Jul 2013 (CEST)
  
 
=== update ===
 
=== update ===
Zeile 48: Zeile 50:
 
=== apticron ===
 
=== apticron ===
 
* apticron installiert: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
 
* apticron installiert: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
* erstmal morphium & blotter eingetragen fuer updates - wer noch will: /etc/apticron/apticron.conf
+
* erstmal [[user:morphium|morphium]] & [[user:blotter|blotter]] eingetragen fuer updates - wer noch will: /etc/apticron/apticron.conf
  
 
=== sudo ===
 
=== sudo ===
* rechte für blottre, john, astro, morphium
+
* rechte für [[user:blotter|blotter]], [[user:john|john]], [[user:astro|astro]], [[user:morphium|morphium]]
** adduser blotter sudo
+
*: <code>adduser ''blotter'' sudo</code>
 
* ohne passwort
 
* ohne passwort
 
** visudo NOPASSWD entry
 
** visudo NOPASSWD entry
Zeile 58: Zeile 60:
 
=== ssh ===
 
=== ssh ===
 
* key based login über ssh
 
* key based login über ssh
<code>
+
<pre>
+
PasswordAuthentication no
+
PasswordAuthentication no
+
UsePAM no
+
UsePAM no
+
</code>
+
</pre>
 
* prompt für root geändert (root=rot fällt auf!!)
 
* prompt für root geändert (root=rot fällt auf!!)
<code>
+
*: <code>export PS1='\n \[\e[1;37m\]\! ${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;32m\]\h:\[\033[00m\]\w\$ '</code>
export PS1='\n \[\e[1;37m\]\! ${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;32m\]\h:\[\033[00m\]\w\$ '
+
*: <code>PROMPT_COMMAND='history -a'</code>
PROMPT_COMMAND='history -a'
 
</code>
 
 
* aliase für root in ~root/.bashrc gesetzt
 
* aliase für root in ~root/.bashrc gesetzt
<code>
+
<pre>
#===============================================================
+
#===============================================================
#
+
#
# ALIASES AND FUNCTIONS
+
# ALIASES AND FUNCTIONS
#
+
#
#===============================================================
+
#===============================================================
+
 
 
  #-------------------
 
  #-------------------
# Personnal Aliases
+
# Personnal Aliases
#-------------------
+
#-------------------
alias grep='grep --colour=auto'
+
alias grep='grep --colour=auto'
#alias ff='grep -irl'
+
#alias ff='grep -irl'
alias rm='rm -i'
+
alias rm='rm -i'
alias mv='mv -i'
+
alias mv='mv -i'
alias cp='cp -i'
+
alias cp='cp -i'
alias ..='cd ..'
+
alias ..='cd ..'
alias mkdir='mkdir -p'
+
alias mkdir='mkdir -p'
alias du='du -kh'      # Makes a more readable output.
+
alias du='du -kh'      # Makes a more readable output.
alias df='df -kTh'
+
alias df='df -kTh'
alias ping='ping -c 10'
+
alias ping='ping -c 10'
alias da='date "+%A - %m. %B %Y - %T %Z"'
+
alias da='date "+%A - %d. %B %Y - %T %Z"'
alias mx='chmod a+x'
+
alias mx='chmod a+x'
alias 000='chmod 000'
+
alias 000='chmod 000'
alias 644='chmod 644'
+
alias 644='chmod 644'
alias 755='chmod 755'
+
alias 755='chmod 755'
+
 
 
  #-------------------------------------------------------------
 
  #-------------------------------------------------------------
# The 'ls' family (this assumes you use a recent GNU ls)
+
# The 'ls' family (this assumes you use a recent GNU ls)
 +
#-------------------------------------------------------------
 +
alias ls='ls -hF --color'  # add colors for filetype recognition
 +
alias ll="ls -l --group-directories-first"
 +
alias la='ls -Al'          # show hidden files
 +
alias lx='ls -lXB'        # sort by extension
 +
alias lk='ls -lSr'        # sort by size, biggest last
 +
alias lc='ls -ltcr'        # sort by and show change time, most recent last
 +
alias lu='ls -ltur'        # sort by and show access time, most recent last
 +
alias lt='ls -ltr'        # sort by date, most recent last
 +
alias lm='ls -al |more'    # pipe through 'more'
 +
alias lr='ls -lR'          # recursive ls
 +
alias tree='tree -Csu'    # nice alternative to 'recursive ls'
 +
# You may uncomment the following lines if you want `ls' to be colorized:
 +
export LS_OPTIONS='--color=auto'
 +
alias l='ls $LS_OPTIONS -la'
 +
 
 
  #-------------------------------------------------------------
 
  #-------------------------------------------------------------
alias ls='ls -hF --color'  # add colors for filetype recognition
+
# spelling typos - highly personnal and keyboard-dependent :-)
alias ll="ls -l --group-directories-first"
+
#-------------------------------------------------------------
alias la='ls -Al'          # show hidden files
+
alias xs='cd'
alias lx='ls -lXB'        # sort by extension
+
alias vf='cd'
alias lk='ls -lSr'        # sort by size, biggest last
+
alias moer='more'   
alias lc='ls -ltcr'        # sort by and show change time, most recent last
+
alias moew='more'   
alias lu='ls -ltur'        # sort by and show access time, most recent last
+
alias kk='ll'
alias lt='ls -ltr'        # sort by date, most recent last
+
</pre>
alias lm='ls -al |more'    # pipe through 'more'
 
alias lr='ls -lR'          # recursive ls
 
alias tree='tree -Csu'    # nice alternative to 'recursive ls'
 
# You may uncomment the following lines if you want `ls' to be colorized:
 
export LS_OPTIONS='--color=auto'
 
alias l='ls $LS_OPTIONS -la'
 
 
#-------------------------------------------------------------
 
# spelling typos - highly personnal and keyboard-dependent :-)
 
#-------------------------------------------------------------
 
alias xs='cd'
 
alias vf='cd'
 
alias moer='more'   
 
alias moew='more'   
 
alias kk='ll'
 
</code>
 
  
 
=== fail2ban ===
 
=== fail2ban ===
 
* enable ssh
 
* enable ssh
** 4 treffer -> 10 min iptables drop
+
** 4 Treffer -> 10 min iptables drop
  
 
=== parted ===
 
=== parted ===
Zeile 144: Zeile 144:
 
=== raid ===
 
=== raid ===
 
* /dev/md2 -> /dev/sda5 /dev/sdb5
 
* /dev/md2 -> /dev/sda5 /dev/sdb5
<code>
+
*: <code>mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5</code>
mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5
 
</code>
 
 
* raid sync
 
* raid sync
<code>
+
*: <code>mdadm --readwrite /dev/md0</code>
mdadm --readwrite /dev/md0
+
*: <code>mdadm --readwrite /dev/md2</code>
mdadm --readwrite /dev/md2
 
</code>
 
 
* mdadm.conf
 
* mdadm.conf
<code>
+
*: <code>mdadm -Es o. mdadm --detail --scan >> /etc/mdadm/mdadm.conf</code>
mdadm -Es o. mdadm --detail --scan >> /etc/mdadm/mdadm.conf
 
</code>
 
  
 
=== lvm ===
 
=== lvm ===
* apt-get install lvm2
+
* <code>apt-get install lvm2</code>
 
* /dev/md2 -> vg
 
* /dev/md2 -> vg
** pvcreate /dev/md2
+
*: <code>pvcreate /dev/md2</code>
** vgcreate vg /dev/md2
+
*: <code>vgcreate vg /dev/md2</code>
 
* lv
 
* lv
** lvcreate -L6G -nmail vg  
+
*: <code>lvcreate -L6G -nmail vg</code>
** lvcreate -L6G -njabber vg  
+
*: <code>lvcreate -L6G -njabber vg</code>
** lvcreate -L10G -nwiki vg
+
*: <code>lvcreate -L10G -nwiki vg</code>
** lvcreate -L2G -nweb vg
+
*: <code>lvcreate -L2G -nweb vg</code>
** lvcreate -L4G -nwebbuild vg
+
*: <code>lvcreate -L4G -nwebbuild vg</code>
** lvcreate -L4G -npentamedia vg
+
*: <code>lvcreate -L4G -npentamedia vg</code>
** lvcreate -L11G -nbackup-cthulhu vg
+
*: <code>lvcreate -L11G -nbackup-cthulhu vg</code>
** lvcreate -L4G -ndb vg
+
*: <code>lvcreate -L4G -ndb vg</code>
** lvcreate -L3G -nbind vg
+
*: <code>lvcreate -L3G -nbind vg</code>
** lvcreate -L5G -ncloudybay vg
+
*: <code>lvcreate -L5G -ncloudybay vg</code>
  
 
=== lxc ===
 
=== lxc ===
Zeile 192: Zeile 186:
 
=== etckeeper ===
 
=== etckeeper ===
 
* ist ein git fuer /etc
 
* ist ein git fuer /etc
** pakete die mit apt installieren in /etc autocommiten ihre eintraege
+
** pakete die mit apt installieren in /etc autocommiten ihre eintragen
 
** handaenderungen bitte per hand adden und commiten
 
** handaenderungen bitte per hand adden und commiten
 
** zless  /usr/share/doc/etckeeper/README.gz
 
** zless  /usr/share/doc/etckeeper/README.gz
 
  
 
=== Netzwerk ===
 
=== Netzwerk ===
Zeile 219: Zeile 212:
 
=== sysctl ===
 
=== sysctl ===
 
* /etc/sysctl.d/local.conf
 
* /etc/sysctl.d/local.conf
** # Enables packet forwarding
+
<pre>
** net.ipv4.ip_forward = 1
+
# Enables packet forwarding
** # Enables source route verification
+
net.ipv4.ip_forward = 1
** net.ipv4.conf.default.rp_filter = 1
+
# Enables source route verification
** # Enables reverse path
+
net.ipv4.conf.default.rp_filter = 1
** net.ipv4.conf.all.rp_filter = 1
+
# Enables reverse path
** # Ignorieren von broadcast pings
+
net.ipv4.conf.all.rp_filter = 1
** net.ipv4.icmp_echo_ignore_broadcasts = 1
+
# Ignorieren von broadcast pings
** # Sperren von quellbasierendem Paket-Routing
+
net.ipv4.icmp_echo_ignore_broadcasts = 1
** net.ipv4.conf.all.accept_source_route = 0
+
# Sperren von quellbasierendem Paket-Routing
** # Annahme von Umleitungen verweigern
+
net.ipv4.conf.all.accept_source_route = 0
** net.ipv4.conf.all.accept_redirects = 0
+
# Annahme von Umleitungen verweigern
** # Schutz gegen falsche Fehlermeldungen
+
net.ipv4.conf.all.accept_redirects = 0
** net.ipv4.icmp_ignore_bogus_error_responses = 1
+
# Schutz gegen falsche Fehlermeldungen
** # Protokollieren aller Pakete die gespoofed sind, quellbasierendes Routing haben oder umleiten
+
net.ipv4.icmp_ignore_bogus_error_responses = 1
** net.ipv4.conf.all.log_martians = 1
+
# Protokollieren aller Pakete die gespoofed sind, quellbasierendes Routing haben oder umleiten
** # kernel:_Neighbour_table_overflow
+
net.ipv4.conf.all.log_martians = 1
** net.ipv6.neigh.default.gc_thresh1 = 512
+
# kernel:_Neighbour_table_overflow
** # 2 * gc_thresh1
+
net.ipv6.neigh.default.gc_thresh1 = 512
** net.ipv6.neigh.default.gc_thresh2 = 2048
+
# 2 * gc_thresh1
** # 2 * gc_thresh2
+
net.ipv6.neigh.default.gc_thresh2 = 2048
** net.ipv6.neigh.default.gc_thresh3 = 4096
+
# 2 * gc_thresh2
** # disable iptables traffic in the bridge
+
net.ipv6.neigh.default.gc_thresh3 = 4096
** net.bridge.bridge-nf-call-ip6tables = 0
+
# disable iptables traffic in the bridge
** net.bridge.bridge-nf-call-iptables = 0
+
net.bridge.bridge-nf-call-ip6tables = 0
 +
net.bridge.bridge-nf-call-iptables = 0
 +
</pre>
  
 
=== iptables ===
 
=== iptables ===
 
* MASQUERADE fehlt
 
* MASQUERADE fehlt
 
** fixed ab kernelbuild 4
 
** fixed ab kernelbuild 4
 +
* iptables-save
 +
<pre>
 +
# iptables-save
 +
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
 +
*nat
 +
:PREROUTING ACCEPT [9147034:952216199]
 +
:INPUT ACCEPT [172968:32162862]
 +
:OUTPUT ACCEPT [11134:708084]
 +
:POSTROUTING ACCEPT [28:1640]
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 203 -j DNAT --to-destination 172.22.98.3:22
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 204 -j DNAT --to-destination 172.22.98.4:22
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.5:22
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 206 -j DNAT --to-destination 172.22.98.6:22
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 207 -j DNAT --to-destination 172.22.98.7:22
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 208 -j DNAT --to-destination 172.22.98.8:22
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 209 -j DNAT --to-destination 172.22.98.9:22
 +
-A PREROUTING -i br0 -p tcp -m tcp --dport 210 -j DNAT --to-destination 172.22.98.10:22
 +
-A POSTROUTING -o br0 -j MASQUERADE
 +
COMMIT
 +
# Completed on Tue Apr 23 01:46:26 2013
 +
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
 +
*filter
 +
:INPUT ACCEPT [614:41574]
 +
:FORWARD ACCEPT [14:1064]
 +
:OUTPUT ACCEPT [430:132969]
 +
:ACCT_IPVER - [0:0]
 +
:fail2ban-ssh - [0:0]
 +
:fail2ban-ssh-ddos - [0:0]
 +
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
 +
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
 +
-A FORWARD -j ACCT_IPVER
 +
-A ACCT_IPVER
 +
-A fail2ban-ssh -j RETURN
 +
-A fail2ban-ssh-ddos -j RETURN
 +
COMMIT
 +
# Completed on Tue Apr 23 01:46:26 2013
 +
</pre>
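Review bot: The sshd settings added in the Zeile 58 hunk (`PasswordAuthentication no`, `UsePAM no`) switch off more than password login: with `UsePAM no` sshd also skips PAM's account and session stack, so anything enforced there (pam_access, pam_limits and similar) no longer applies to SSH logins. Combined with the `visudo NOPASSWD entry` in the sudo section, an admin's SSH private key is the only credential between the network and a root shell; that trade-off should be stated next to the config, e.g. `# UsePAM no: PAM account/session modules are bypassed; key passphrases are mandatory`. In the iptables-save dump of the Zeile 219 hunk the filter table runs with INPUT and FORWARD policy ACCEPT and contains only the fail2ban jumps and an empty ACCT_IPVER chain, so the DNAT'd container SSH ports 202–210 and all other host services are reachable without any host-side filtering, unless that is done upstream. A line recording where filtering is meant to happen would make the log self-explaining.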

Aktuelle Version vom 19. Januar 2014, 11:27 Uhr

Wo hängts?

  • einmal ueber die cfgs schauen
  • Motivation der Admins

Was noch gemacht werden soll?

  • smokeping
    • einrichten
    • testen
  • mta
    • exim durch nullmailer ersetzen ??
    • ggf. exim config anpassen
    • Problem:
      • exim verschickt keine nachrichten, zumindest nicht wie gewollt

Was gemacht wurde?

installiert

  • screen
  • sudo
  • tcpdump
  • whois
  • vim
  • lvm2
  • mc
  • lsof
  • htop
  • iotop
  • iptables
  • lxc
  • etckeeper
  • zsh
  • pydf
  • apticron
  • fail2ban
  • nmap
  • telnet
  • chkconfig
  • ccze
  • munin-node

lxc upgrade auf 0.9.0 aus jessie

lxc-debconf hatte einen Bug in Zeile 381

-- Astro (Diskussion) 03:10, 24. Jul 2013 (CEST)

update

  • by morphium am 13.3.13:
    • updates: The following packages will be upgraded: aptitude base-files debian-archive-keyring dpkg firmware-linux-free gnupg gpgv grub-common gzip initscripts libfreetype6 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libpam-modules libpam-runtime libpam0g libssl0.9.8 linux-base linux-image-2.6.32-5-amd64 locales module-init-tools openssh-client openssh-server procps sysv-rc sysvinit sysvinit-utils tzdata

apticron

  • apticron installiert: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
  • erstmal morphium & blotter eingetragen fuer updates - wer noch will: /etc/apticron/apticron.conf

sudo

ssh

  • key based login über ssh
…
PasswordAuthentication no
…
UsePAM no
…
  • prompt für root geändert (root=rot fällt auf!!)
    # Root prompt: bold white history number (\!), optional chroot tag, user (\u) in
    # bold red so a root shell stands out, '@' in bold blue, host (\h) in bold green,
    # then the working directory (\w) in the default colour.
    export PS1='\n \[\e[1;37m\]\! ${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;32m\]\h:\[\033[00m\]\w\$ '
    # Append new history lines to the history file after every command, so the
    # root command history survives a session that is killed instead of exited.
    PROMPT_COMMAND='history -a'
  • aliase für root in ~root/.bashrc gesetzt
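#===============================================================
#
# ALIASES AND FUNCTIONS
#
# Appended to ~root/.bashrc on wetu (see the log entry above).
# Only alias definitions plus one environment export; the aliases
# take effect in interactive shells once this file is sourced.
#===============================================================

#-------------------
# Personal Aliases
#-------------------
alias grep='grep --colour=auto'
#alias ff='grep -irl'
alias rm='rm -i'        # ask before deleting/overwriting — this is root's shell
alias mv='mv -i'
alias cp='cp -i'
alias ..='cd ..'
alias mkdir='mkdir -p'
alias du='du -kh'       # Makes a more readable output.
alias df='df -kTh'
alias ping='ping -c 10' # bounded: stop after 10 packets instead of running forever
alias da='date "+%A - %d. %B %Y - %T %Z"'
alias mx='chmod a+x'
alias 000='chmod 000'
alias 644='chmod 644'
alias 755='chmod 755'

#-------------------------------------------------------------
# The 'ls' family (this assumes you use a recent GNU ls)
#-------------------------------------------------------------
# --color=auto rather than bare --color (which means "always"): keeps
# escape codes out of pipes and redirections, e.g. the 'lm' alias below,
# and matches the --colour=auto used for grep and LS_OPTIONS.
alias ls='ls -hF --color=auto'  # add colors for filetype recognition
alias ll="ls -l --group-directories-first"
alias la='ls -Al'          # show hidden files
alias lx='ls -lXB'         # sort by extension
alias lk='ls -lSr'         # sort by size, biggest last
alias lc='ls -ltcr'        # sort by and show change time, most recent last
alias lu='ls -ltur'        # sort by and show access time, most recent last
alias lt='ls -ltr'         # sort by date, most recent last
alias lm='ls -al |more'    # pipe through 'more'
alias lr='ls -lR'          # recursive ls
alias tree='tree -Csu'     # nice alternative to 'recursive ls'
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
alias l='ls $LS_OPTIONS -la'   # single quotes: LS_OPTIONS is expanded at use time

#-------------------------------------------------------------
# spelling typos - highly personal and keyboard-dependent :-)
#-------------------------------------------------------------
alias xs='cd'
alias vf='cd'
alias moer='more'
alias moew='more'
alias kk='ll'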

fail2ban

  • enable ssh
    • 4 Treffer -> 10 min iptables drop

parted

  • parted -slm -> Error: /dev/md2: unrecognised disk label

kernel

  • bootet wohl
    • bauen als rewt (sudo -s ; su rewt; cd ~/linux/linux-stable)
    • config ist angepasst auf wetu
    • aktueller configstand fuer 3.8.2 kernel
  • bauen mit
    • fakeroot make deb-pkg -j2
    • danach alle resultierenden pakete installieren (als root...)
    • siehe dazu /home/rewt/linux/installfresh4.sh

raid

  • /dev/md2 -> /dev/sda5 /dev/sdb5
    mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5
  • raid sync
    mdadm --readwrite /dev/md0
    mdadm --readwrite /dev/md2
  • mdadm.conf
    mdadm -Es o. mdadm --detail --scan >> /etc/mdadm/mdadm.conf

lvm

  • apt-get install lvm2
  • /dev/md2 -> vg
    pvcreate /dev/md2
    vgcreate vg /dev/md2
  • lv
    lvcreate -L6G -nmail vg
    lvcreate -L6G -njabber vg
    lvcreate -L10G -nwiki vg
    lvcreate -L2G -nweb vg
    lvcreate -L4G -nwebbuild vg
    lvcreate -L4G -npentamedia vg
    lvcreate -L11G -nbackup-cthulhu vg
    lvcreate -L4G -ndb vg
    lvcreate -L3G -nbind vg
    lvcreate -L5G -ncloudybay vg

lxc

  • kopiert
    • jabber
    • mail
    • pentamedia
    • template
    • web
    • webbuild
    • wiki
  • neu erstellt
    • db
    • bind
    • cloudybay
  • getestet
    • alle

etckeeper

  • ist ein git fuer /etc
    • pakete, die mit apt installiert werden, autocommiten ihre eintraege in /etc
    • handaenderungen bitte per hand adden und commiten
    • zless /usr/share/doc/etckeeper/README.gz

Netzwerk

  • /etc/network/interfaces
    • br0 -> 89.238.64.140/32 89.238.79.216/29 -> externe bridge
    • br1 -> 172.22.98.0/26 -> interne bridge
    • 172.22.98.0/24
      • -> br1
      • -> in der vm eth1
    • 89.238.79.216/29
      • -> br0
      • -> in der vm eth0
  • v6
    • /48 oder /56 beantragt
    • 2a00:1828:2000:655::/64 fertig zum verteilen
    • 2a00:1828:a008::/48 fertig zum verteilen
    • 2a00:1828:a008::/48
      • -> br0
      • -> in der vm auf eth0
      • -> jede vm bekommt /64
        • 2a00:1828:a008:100+n::/64 n = letzte stelle ip im dn42

sysctl

  • /etc/sysctl.d/local.conf
# /etc/sysctl.d/local.conf on wetu (see the log entry above)
# Enables packet forwarding (presumably so the host can route between br0 and br1 — see the Netzwerk section)
net.ipv4.ip_forward = 1
# Enables source address verification (reverse path filter) for newly created interfaces
net.ipv4.conf.default.rp_filter = 1
# Enables reverse path filtering on all existing interfaces
net.ipv4.conf.all.rp_filter = 1
# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
# Do not accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Ignore bogus ICMP error responses (protection against faked error messages)
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log martians: packets that are spoofed, source-routed or redirected
net.ipv4.conf.all.log_martians = 1
# Raised IPv6 neighbour-cache thresholds, presumably in response to "kernel: Neighbour table overflow" messages
net.ipv6.neigh.default.gc_thresh1 = 512
# 4 * gc_thresh1 (earlier note said 2x, but the configured value is 2048 = 4 * 512)
net.ipv6.neigh.default.gc_thresh2 = 2048
# 2 * gc_thresh2
net.ipv6.neigh.default.gc_thresh3 = 4096
# Bridged frames are not passed through ip6tables/iptables; the host's FORWARD
# chain therefore does not see traffic switched within a bridge (only routed traffic)
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0

iptables

  • MASQUERADE fehlt
    • fixed ab kernelbuild 4
  • iptables-save
# iptables-save 
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*nat
:PREROUTING ACCEPT [9147034:952216199]
:INPUT ACCEPT [172968:32162862]
:OUTPUT ACCEPT [11134:708084]
:POSTROUTING ACCEPT [28:1640]
-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 203 -j DNAT --to-destination 172.22.98.3:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 204 -j DNAT --to-destination 172.22.98.4:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.5:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 206 -j DNAT --to-destination 172.22.98.6:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 207 -j DNAT --to-destination 172.22.98.7:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 208 -j DNAT --to-destination 172.22.98.8:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 209 -j DNAT --to-destination 172.22.98.9:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 210 -j DNAT --to-destination 172.22.98.10:22 
-A POSTROUTING -o br0 -j MASQUERADE 
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*filter
:INPUT ACCEPT [614:41574]
:FORWARD ACCEPT [14:1064]
:OUTPUT ACCEPT [430:132969]
:ACCT_IPVER - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh 
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos 
-A FORWARD -j ACCT_IPVER 
-A ACCT_IPVER 
-A fail2ban-ssh -j RETURN 
-A fail2ban-ssh-ddos -j RETURN 
COMMIT
# Completed on Tue Apr 23 01:46:26 2013