Monday, May 26, 2008

What is FXO and FXS ?

FXO and FXS are the two kinds of port used by analog telephony, also known as POTS ( Plain Old Telephone Service ).

FXS, the Foreign Exchange Subscriber interface, is the port that actually provides the analog line to the subscriber. It is the "socket on the wall" that delivers dial tone, battery current and ring voltage.

FXO, the Foreign Exchange Office interface, is the port that receives the analog line: the line socket on your telephone, fax machine or modem. It draws loop current from the FXS side and signals on-hook/off-hook by opening or closing the loop ( loop closure ).

How does it work, technically ?

FXO and FXS always work as a pair: an FXO port is always connected to an FXS port, and vice versa.

Technically, when you make an outbound call :

  1. You lift the handset of the FXO device ( the phone ). The FXS port detects the loop closure, i.e. OFF-HOOK, and returns dial tone.
  2. When you dial a number, the DTMF ( Dual-Tone Multi-Frequency ) digits are sent down the line to the FXS port.

When there is an inbound call :

  1. When the FXS side has an incoming call, it applies ring voltage ( an AC signal superimposed on the DC line feed ) to the FXO device.
  2. The FXO device ( phone ) rings.
  3. You pick up the phone; the FXS port sees the loop close and the call is connected.

Note: The FXS port feeds roughly 48 volts DC ( the line "battery" ) down the line to the FXO device, and ring voltage is higher still. That is why you feel a faint 'shock' when you touch a connected phone line, and it is why an analog phone keeps working in a power cut: it is powered from the exchange, not from the premises.

Type of connections

Without PBX system ( i.e. home land line )


A phone is connected directly to the FXS port ( the wall jack ) provided by your landline company.

With PBX system


If you have a PBX, then you connect the lines provided by the landline company to the PBX and then the phones to the PBX. Therefore, the PBX must have both FXO ports (to connect to the FXS ports provided by the telephone company) and FXS ports (to connect the phone or fax devices to).

With FXO Gateway


To connect analog phone lines to an IP phone system, you need an FXO gateway. You connect the telephone company's FXS port ( the wall jack ) to the FXO port of the gateway, which then translates the analog line into a VoIP call.

With FXS Gateway


An FXS gateway is used to connect one or more lines of a traditional PBX to a VoIP phone system or provider. You need an FXS gateway because you want to connect the PBX's FXO ports ( which would normally be connected to the telephone company ) to the Internet or a VoIP system.

With ATA adaptor ( FXS adaptor )

An FXS adapter ( ATA ) is used to connect an analog phone or fax machine to a VoIP phone system or VoIP provider. You need it because the phone/fax machine has an FXO port, which must plug into an FXS port: the adapter provides that FXS port and converts the call to VoIP.

Source from 3CX

Sunday, May 25, 2008

AAA Server and Concept

An AAA server, i.e. an Authentication, Authorization and Accounting server, is used for access control. Authentication identifies the user. Authorization implements the policies that determine which resources and services an authenticated user may access. Accounting keeps track of the time and data resources used, for billing and analysis.

Authentication

This is the process of establishing a digital identity between two entities, here a client and a server. Authentication is done by presenting an identity ( i.e. a login user name ) together with credentials ( i.e. a password, a digital certificate, a one-time token etc. ).

Authorization

This is the process by which the server grants ( or denies ) privileges to a client after authentication, based on the privilege requested and the current system state. Authorization decisions can be based on :

  1. Time-of-day restrictions.
  2. Physical location restrictions.
  3. Restrictions against multiple simultaneous logins by the same user.
  4. Whether a particular service may be used, and with which attributes :
    • IP address and TCP/IP settings.
    • Routing information
    • QoS
    • Bandwidth allocated.
    • Encryption and tunnelling
    • and so on.

Accounting

This process collects information on a user's consumption of resources for network management, capacity planning, billing etc. Typical data gathered are the identity of the user, the nature of the service delivered and the period during which the service was used.

Types of AAA protocol

There are a few common AAA protocols, which are :

  • RADIUS
  • Diameter
  • TACACS
  • TACACS+

These are commonly used together with other protocols that carry the credentials or back the user database, for example :

  • PPP
  • EAP
  • PEAP
  • LDAP ( as the directory behind the AAA server ) etc.

Refers : The webpage of the Authentication, Authorization and Accounting IETF working group

I will continue with the RADIUS and Diameter AAA protocols in the following posts, remember to come back ya...~

What is DHCP server?

Dynamic Host Configuration Protocol, also known as DHCP, is a network protocol that lets a DHCP server assign an IP address to networked devices ( clients ) and hand them the other parameters they need to join an Internet Protocol (IP) network.

How does DHCP work ?


  1. The client device boots with a DHCP client enabled.
  2. The client broadcasts a DHCPDISCOVER packet on the local network to find a DHCP server.
  3. If the DHCP server is on another subnet, a router running a DHCP relay agent forwards the DISCOVER to it ( routers do not forward broadcasts by themselves ).
  4. Once the DHCP server receives the DISCOVER, it consults its configured policies and address availability and determines the IP settings to assign to the client.
  5. The DHCP server sends a DHCPOFFER to the client, identified by its MAC address ( client identifier ), carrying the proposed parameters ( i.e. IP address, gateway, DNS, WINS etc. ).
  6. The client sends a DHCPREQUEST back, telling the server it intends to use the offered configuration.
  7. The server replies with a DHCPACK, confirming that the client may use the information for the configured period ( the lease time ).

Note that DHCP has no authentication: any host on the broadcast domain can answer a DISCOVER, so a rogue server can hand out a malicious gateway or DNS server. On managed switches, DHCP snooping limits which ports are allowed to send server replies.

 More information on DHCP at Wikipedia

Friday, May 16, 2008

Linux Policy Routing : ip rule

Policy-based routing means choosing a route by criteria other than the destination address alone ( source address, firewall mark, incoming interface ). On Linux this is done by keeping multiple routing tables on one machine and selecting between them with rules. It is normally used when different traffic must leave via different routes or gateways.

Your kernel must be compiled with IP: advanced router and IP: policy routing ( multiple routing tables ) support in order to use this feature.

To show the ip rule

# /sbin/ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

To show the main routing table

# /sbin/ip route list table main

203.158.11.16/29 dev eth2  proto kernel  scope link  src 203.158.11.17
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.254
10.100.100.0/24 dev eth1  proto kernel  scope link  src 10.100.100.2
default via 203.158.11.22 dev eth2

As shown above, the main table is what you see when you type /sbin/ip route, whereas the local and default tables are separate tables consulted before and after it.

You can add rules that point to other tables ( i.e. a table xyz ), which lets you override the system-wide routing for selected traffic.

The first rule says that every packet is first matched against the local routing table. The local table holds the addresses hosted on this machine and the broadcast addresses of its links.

When a packet is bound for IP address x.x.x.x :

  1. The lookup for x.x.x.x first goes through the local routing table.
  2. If x.x.x.x is not a locally hosted address, the main routing table is consulted to select a route.
  3. If neither a host nor a network route matches, the packet takes the default route in the main routing table.

To add routes to a new table ( the table is created on first use )

# /sbin/ip route add 192.168.1.0/24 via 192.168.0.254 table 200

# /sbin/ip route add default via 10.100.100.1 table 200

To apply a rule that sends traffic to the newly added table 200

This means all traffic from 192.168.0.0/26 is routed via routing table 200 :

# /sbin/ip rule add from 192.168.0.0/26 table 200

# /sbin/ip route flush cache

*** Remember to flush the routing cache ***

Therefore, you should see the following when you show your ip rules :

# /sbin/ip rule show
0:      from all lookup local
32765:  from 192.168.0.0/26 lookup 200
32766:  from all lookup main
32767:  from all lookup default

To delete an ip rule

# /sbin/ip rule del from 192.168.0.0/26 table 200

# /sbin/ip route flush cache

*** Remember to flush the routing cache ***

It is quite troublesome to type so many lines every time the system boots, so you can put them in a script. Below is a sample script :

#!/bin/sh
# Rebuild table 200 from scratch on every run
/sbin/ip route flush table 200
# Copy the main routing table into table 200 ...
/sbin/ip route list table main | while read ROUTE ; do /sbin/ip route add table 200 $ROUTE ; done
# ... then override its default route
/sbin/ip route replace default via 10.100.100.1 table 200
# Remove any stale copy of the rule first, so repeated runs do not stack duplicates
/sbin/ip rule del from 192.168.0.0/26 table 200 2>/dev/null
/sbin/ip rule add from 192.168.0.0/26 table 200
/sbin/ip route flush cache

Some other useful ip rule commands :

To set the preference ( priority ) of a rule

# /sbin/ip rule add from 192.168.0.0/26 pref 3500 table 200

0:      from all lookup local
3500:   from 192.168.0.0/26 lookup 200
32766:  from all lookup main
32767:  from all lookup default

To create a stateless NAT rule with ip rule ( 2.2/2.4 kernels only: the 2.6 kernel dropped this feature, so ip still lists the rule but the kernel does not translate anything. On 2.6 use iptables -t nat instead, as in the Linux Firewall : iptables - NAT post. )

# /sbin/ip rule add nat 203.158.11.20 from 192.168.0.188


0:      from all lookup local
3500:   from 192.168.0.0/26 lookup 200
32765:  from 192.168.0.188 lookup main map-to 203.158.11.20
32766:  from all lookup main
32767:  from all lookup default


Usage: ip rule [ list | add | del | flush ] SELECTOR ACTION
SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK ]
            [ dev STRING ] [ pref NUMBER ] [ prio NUMBER ]
ACTION := [ table TABLE_ID ]
          [ prohibit | reject | unreachable ]
          [ realms [SRCREALM/]DSTREALM ]
TABLE_ID := [ local | main | default | NUMBER ]

Thursday, May 15, 2008

How to use minicom as a serial console in Linux ?

Firstly, get the following ready :

  1. RS232 Console Serial Cable
  2. USB to RS232 serial converter cable


Then you will need to install the minicom package on your Linux. Debian users can install it using aptitude or apt.

# apt-get install minicom

Then plug your USB to RS232 serial converter into a USB port. Type # dmesg and you should see text like the following at the bottom.

usb 5-1: new full speed USB device using uhci_hcd and address 2
usb 5-1: configuration #1 chosen from 1 choice
usbcore: registered new interface driver usbserial
/build/buildd/linux-source-2.6.22-2.6.22/drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
/build/buildd/linux-source-2.6.22-2.6.22/drivers/usb/serial/usb-serial.c: USB Serial Driver core
/build/buildd/linux-source-2.6.22-2.6.22/drivers/usb/serial/usb-serial.c: USB Serial support registered for pl2303
pl2303 5-1:1.0: pl2303 converter detected
usb 5-1: pl2303 converter now attached to ttyUSB0
usbcore: registered new interface driver pl2303
/build/buildd/linux-source-2.6.22-2.6.22/drivers/usb/serial/pl2303.c: Prolific PL2303 USB to serial adaptor driver

Identify which device your USB converter is attached to. In the example above it is /dev/ttyUSB0 ( remember it, as you will need it later ).

Now configure minicom with root privileges ( minicom needs write access to the serial device node; alternatively add your user to the group that owns /dev/ttyUSB0, usually dialout ) :

# sudo minicom -s

Then select Serial port setup.


Change the Serial Device to /dev/ttyUSB0 ( or whichever device dmesg showed just now ) and also change item E, Bps/Par/Bits, to suit your device ( 9600 8N1 is the usual default for network equipment consoles ). You may need to change other settings as per your requirements. Press ENTER when done.

Then select Save setup as dfl and exit.

Now you can start your serial console session by issuing the following command :

# minicom


Done!

Tuesday, May 13, 2008

VLAN for linux

What is VLAN ?

A VLAN, Virtual Local Area Network, lets several virtual networks co-exist on the same switch port or interface, separated by software configuration rather than by separate hardware interfaces.

Normally all workstations connected to the same L2 switch in LAN X can communicate with each other. If a workstation in LAN X wishes to communicate with LAN Y, a router is needed.

A VLAN divides the communication between several different networks virtually, using a single switch. A single port of a VLAN-capable switch can carry packets from multiple virtual LANs, and Linux understands the format of these tagged Ethernet frames.

VLAN tagging is standardised as IEEE 802.1Q. More info on Wikipedia.

What are the advantages of using VLANs ?

  • Performance
  • Easy to manage
  • Security ( traffic separation at layer 2; note that a VLAN is a separation mechanism, not a hard security boundary: a misconfigured trunk or native VLAN lets frames hop between VLANs )
  • Trunks
  • Saves the 'hardware reconfiguration' work whenever a device changes physical location.

How to configure VLAN ?

802.1Q support has been part of the mainline kernel since 2.4. On anything earlier, you must download the patch and recompile the kernel before proceeding.

First of all, you must load the module :

# modprobe 8021q

Then you should make sure the interface where you want to add the VLAN is UP and RUNNING.

For example,

2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:44:73:ed:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::202:44ff:fe73:ed64/64 scope link
       valid_lft forever preferred_lft forever

To bring up the interface

# ifconfig eth0 up

# ip link set eth0 up

To bring down the interface

# ifconfig eth0 down

# ip link set eth0 down

Case 1 : You want to add VLAN 8 to interface eth0 and configure 10.10.10.10/25 on the VLAN interface, then remove it.

To add a new VLAN ( vconfig comes with the vlan package; newer iproute2 can do the same with ip link )

# vconfig add eth0 8

To bring up the VLAN interface and configure IP

# ifconfig eth0.8 up

# ifconfig eth0.8 10.10.10.10 netmask 255.255.255.128 broadcast 10.10.10.127

To remove the VLAN interface

# vconfig rem eth0.8

Friday, May 9, 2008

How to dial PPPoE in Linux

There are a few simple steps to make a PPPoE connection in Linux.

** The following commands are based on the Kubuntu distribution

First, configure PPPoE for the first time with the following command, using root privileges.

# pppoeconf

A text-based menu will be shown; follow the instructions below :

  1. Confirm which Ethernet card is connected to the ADSL modem.
  2. Enter your username ( i.e. justk2@streamx )
  3. Enter your password.
  4. If you have configured it before, you will be asked if it may be modified.
  5. Popular options: you are asked if you want the “noauth” and “defaultroute” options and to remove “nodetach” - choose Yes.
  6. Use peer DNS - choose Yes.
  7. Limited MSS problem - choose Yes.
  8. Then you are asked if you want to connect at start up.
  9. Finally you are asked if you want to establish the connection immediately.
  10. Once you have finished these steps, your connection should be working.

Next time, you can use the following commands

To start the ADSL dial-up

# pon dsl-provider

To stop the ADSL dial-up

# poff dsl-provider

Thursday, May 8, 2008

Linux Firewall : iptables - NAT

What is NAT ?

NAT, Network Address Translation, also known as network masquerading or IP masquerading, is a method of rewriting the source or destination IP address of traffic as it passes through a router. It may also rewrite the TCP or UDP port of the packet.

Most of the time it is used to give multiple LAN hosts Internet access through a single public IP.


What you must know ?

MASQUERADING

Masquerading translates the source address of every outgoing packet to the address the outgoing interface currently has; it is a form of SNAT. Connection tracking records each translated connection so that reply packets are translated back to the internal host.

Masquerading is tied to the specified outgoing interface: when that interface goes down ( e.g. a PPP link ), its tracked connections are forgotten.

Source NAT ( SNAT )

SNAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.

With a dynamic public IP, the address ( and the source ports chosen for the translation ) can change whenever the link comes up, so it is easier to MASQUERADE all outgoing packets on that interface than to hard-code an address with SNAT. Also bear in mind that SNAT implies the reverse translation for the replies: connection tracking rewrites the destination of the return packets automatically, you do not add a DNAT rule for them.

Destination NAT ( DNAT )

DNAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

What is important ?

The most important option here is the table selection option, `-t'. For all NAT operations, you will want to use `-t nat' for the NAT table.

You may need to specify the source ( `-s' or `--source' ) and destination ( `-d' or `--destination' ) of the packets you want to NAT. These options can be followed by a single IP address ( e.g. 192.168.1.1 ), a domain name ( e.g. www.justk2.com ), or a network address ( e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0 ).

Lastly, you also need to specify the incoming ( `-i'  ) or outgoing ( `-o' ) interface to match, but which you can specify depends on which chain you are putting the rule into: at PREROUTING you can only select incoming interface, and at POSTROUTING you can only select outgoing interface.

**If you use the wrong one, iptables will give an error.

Chains in NAT table

There are three (3) chains in the NAT table: PREROUTING, POSTROUTING and OUTPUT.

PREROUTING Chain

It is for Destination NAT, applied as packets first come in.

Destination NAT is specified using " -j DNAT ", and the " --to-destination " option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

Case 1 :

To DNAT all incoming packets for 203.158.26.29 on eth2 to the single LAN station 192.168.10.22.

# /sbin/iptables -t nat -A PREROUTING -i eth2 -d 203.158.26.29 -j DNAT --to-destination 192.168.10.22

Case 2 :

To DNAT incoming port 8080 on 203.158.26.29 at eth2 to the DMZ web server 192.168.10.188 ( port 80 )

# /sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp -d 203.158.26.29 --dport 8080 -j DNAT --to-destination 192.168.10.188:80

** This is known as port forwarding. Remember that the FORWARD chain sees the packet after DNAT, so the FORWARD rule must allow traffic to 192.168.10.188 port 80, not to the public address and port 8080.

POSTROUTING Chain

It is for Source NAT, applied as packets leave.

Source NAT is using " -j SNAT " and " --to-source " option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

Case 1 :

To SNAT the LAN station ( 192.168.92.62 ) on eth0 to a static public ( WAN ) IP ( 203.158.26.29 ) on eth2

# /sbin/iptables -t nat -A POSTROUTING -o eth2 -s 192.168.92.62 -j SNAT --to-source 203.158.26.29

Case 2 :

To SNAT the entire LAN network ( 10.10.10.0/24 ) on eth1 to a range of WAN IPs ( 203.158.26.29 ~ 203.158.26.32 ) on eth2

# /sbin/iptables -t nat -A POSTROUTING -o eth2 -s 10.10.10.0/24 -j SNAT --to-source 203.158.26.29-203.158.26.32

Case 3 :

To NAT the LAN network to a dynamic WAN IP, i.e. a PPP connection.

# /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

OUTPUT Chain

It is for Destination NAT of packets generated by the firewall or router itself ( locally generated traffic does not pass through PREROUTING ).


Steps to make your NAT work

Forward the traffic

If you are using Linux kernel 2.6 or later, the following commands should work.

Firstly, allow traffic to be forwarded ( to pass ) through your firewall/router. By default the value is 0, i.e. disabled.

# echo 1 > /proc/sys/net/ipv4/ip_forward

To make this persistent, edit /etc/sysctl.conf and change the line net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. This tells your kernel to do step one at boot.

** Also remember to accept the traffic in your FORWARD chain ( more info in my earlier post ). Here eth0 is the WAN side and eth1 the LAN side:

# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Post-route the traffic ( masquerade it out of the WAN interface )

# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
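The cases above assembled into one reviewable NAT router script, added here as an example and not part of the original post. The interface names and addresses are assumptions taken from the post's cases ( eth2 = WAN holding 203.158.26.29, eth1 = LAN 10.10.10.0/24, DMZ web server 192.168.10.188 reachable via eth1 ). The script only prints the commands unless APPLY=1 is set, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): NAT router rule set.
# Assumed layout: eth2 = WAN (203.158.26.29), eth1 = LAN 10.10.10.0/24,
# DMZ web server 192.168.10.188 behind eth1.
# Commands are printed unless APPLY=1; run "APPLY=1 sh nat.sh" as root to load.

WAN_IF=eth2
WAN_IP=203.158.26.29
LAN_IF=eth1
LAN_NET=10.10.10.0/24
DMZ_WEB=192.168.10.188

# Execute the command when APPLY=1, otherwise print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

enable_forwarding() {
    # Step one of the post: the kernel must be willing to forward at all.
    run sysctl -w net.ipv4.ip_forward=1
}

nat_rules() {
    # Known starting state: empty nat table, empty FORWARD chain and a
    # default-deny FORWARD policy, so only the traffic listed below crosses.
    run iptables -t nat -F
    run iptables -F FORWARD
    run iptables -P FORWARD DROP

    # Replies to already-tracked connections, in either direction, first.
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # LAN hosts may open new connections towards the WAN...
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # ...and leave with the static public address (SNAT in POSTROUTING).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$WAN_IP"

    # Port forward: WAN tcp/8080 -> DMZ web server tcp/80. DNAT happens in
    # PREROUTING, so the match is on the PUBLIC address and port...
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 8080 \
        -j DNAT --to-destination "$DMZ_WEB:80"
    # ...but FORWARD runs after DNAT, so it must permit the PRIVATE address
    # and the real service port. Without this rule the port forward is
    # silently dropped by the default-deny policy above.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$DMZ_WEB" --dport 80 \
        -m state --state NEW -j ACCEPT
}

enable_forwarding
nat_rules
```

Review the printed rules first; only then run it with APPLY=1. Note the order inside nat_rules: the RELATED,ESTABLISHED rule comes before the NEW rules, and the FORWARD rule for the port forward matches the private address, because FORWARD sees the packet after DNAT has rewritten it.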

Thursday, May 1, 2008

Linux Firewall : iptables - FILTER table

Further to the basic understanding of iptables in my earlier post ( Linux Firewall : iptables - Basic ), let me continue with some example commands for the FILTER table :

To list the iptables table/chain

#iptables -L

#iptables -t <table> -L

( lists the specified table instead of the default FILTER table )

#iptables -t <table> -L -vnx

( verbose, numeric output, and expanded counters )

To insert a rule at the top of a chain

#iptables -I <chain> -j [ACCEPT|DROP|REJECT|other]

e.g. # iptables -I FORWARD -j ACCEPT

To append a rule at the bottom of a chain

#iptables -A <chain> -j [ACCEPT|DROP|REJECT|other]

e.g. # iptables -A INPUT -j DROP

To delete a rule in a chain

#iptables -D <chain> <rule number within the chain, counting from 1>

e.g. # iptables -D FORWARD 2

To create a new chain

#iptables -N <chain>

e.g. # iptables -N CUSTOMFORWARD

To change the default policy of a built-in chain ( only ACCEPT or DROP are valid policies; a user-defined chain such as CUSTOMFORWARD has no policy, and packets that reach its end return to the chain that called it )

#iptables -P <chain> [ACCEPT|DROP]

e.g. # iptables -P FORWARD DROP

To flush all rules in the FILTER table

#iptables -F

To flush a specified TABLE

#iptables -t <table> -F

To delete a user-defined CHAIN ( it must be empty and not referenced by any rule )

#iptables -X <chain>

So, have you warmed up? Now let's go into more commands; try to understand them and apply them wisely. :P

Case 1

To allow ssh from 192.168.0.0/24 to the firewall itself, 10.133.0.1

# iptables -I INPUT -p tcp --dport 22 -s 192.168.0.0/24 -d 10.133.0.1 -j ACCEPT

-I = insert this rule at the top of the INPUT chain.

-p = protocol, here TCP.

--dport = destination port, here the SSH port ( port 22 ).

-s = the source address, i.e. where the traffic comes from, 192.168.0.0/24 for this rule.

-d = the destination address, here the firewall itself, since this is the INPUT chain.

-j = jump to target. Here the traffic is accepted.

Case 2

To drop all traffic from 192.168.0.0/24 passing through the firewall, and allow only 192.168.0.188 through.

# iptables -P FORWARD DROP

# iptables -I FORWARD -s 192.168.0.188 -j ACCEPT

# iptables -I FORWARD -d 192.168.0.188 -j ACCEPT

First, we set FORWARD to a default DROP policy ( drop everything! ). Then we insert the two rules at the top of the FORWARD chain. For the traffic to pass, both directions must be allowed, so two rules are created, matching the source and the destination address respectively.

General Network Traffic rules

Next, we want some standard rules for general network traffic. This goes a bit beyond the basics: iptables connection tracking can determine the 'state' a packet is in relative to the connections the firewall has already seen. Take the TCP 3-way handshake between two hosts as the example :

  • NEW => Server1 sends a SYN (Synchronize) packet to Server2. This is the first packet of a connection the firewall has not seen before.
  • ESTABLISHED => Server2 replies with a SYN-ACK (Synchronize Acknowledgment). Once the firewall has seen traffic in both directions the connection is ESTABLISHED, and so is Server1's final ACK (Acknowledgment) and everything that follows.
  • RELATED => a new connection that belongs to an existing one, e.g. an ICMP error message about it, or the FTP data connection opened after the control connection.

These are connection-tracking states, not TCP flags: NEW also covers the first packet of a UDP or ICMP exchange. In order for this type of communication to work, rules similar to these three are necessary:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

The last rule allows any traffic to leave the server.

The result of these three rules together with the commands in Case 1 and Case 2 above is as follows :

Chain INPUT (policy ACCEPT)
target     prot  in     out    source              destination
ACCEPT     tcp   *      *      192.168.0.0/24      10.133.0.1          tcp dpt:ssh
ACCEPT     all   *      *      0.0.0.0/0           0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot  in     out    source              destination
ACCEPT     all   *      *      0.0.0.0/0           192.168.0.188
ACCEPT     all   *      *      192.168.0.188       0.0.0.0/0
ACCEPT     all   eth0   *      0.0.0.0/0           0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot  in     out    source              destination
ACCEPT     all   *      *      0.0.0.0/0           0.0.0.0/0           state NEW,RELATED,ESTABLISHED

From here you can add whatever rules you like depending on your server requirements :

To block some BAD source IP address

#iptables -A INPUT -s 10.10.132.2 -j DROP

To drop spam from a source IP address ( if you are using a default ACCEPT policy or have accepted the SMTP port in another rule )

#iptables -A FORWARD -p tcp --dport 25 -s 192.168.0.111 -j DROP

To allow the LAN (eth0) to access your web server while blocking all external access from the WAN (eth1)

#iptables -I INPUT -p tcp --dport 80 -j DROP

#iptables -I INPUT -p tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT

The first rule must be executed before the second because -I inserts at the top: the ACCEPT inserted second ends up above the DROP, so LAN traffic matches it first.

To drop all ICMP/ping packets to the firewall

#iptables -A INPUT -p icmp -j DROP

If you use a default ACCEPT policy, you must DROP ( or REJECT ) everything else with a final catch-all rule. In our case the FORWARD chain already has a default DROP policy, but the INPUT chain still needs one, so reject everything that was not accepted above :

# iptables -A INPUT -j REJECT
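The FILTER rules of Case 1, Case 2 and the general traffic section assembled into one script, in the order that makes them work. This is an added example and not code from the original post. The addresses and interface names are the post's ( firewall 10.133.0.1, LAN 192.168.0.0/24 behind eth0, WAN on eth1 ) and the blocked hosts are the post's sample values; the commands are printed unless APPLY=1 is set, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): ordered FILTER table rule set.
# Assumed layout: firewall 10.133.0.1, LAN 192.168.0.0/24 on eth0, WAN on eth1.
# Commands are printed unless APPLY=1; run "APPLY=1 sh filter.sh" as root to load.

FW_IP=10.133.0.1
LAN_IF=eth0
LAN_NET=192.168.0.0/24
FORWARD_OK=192.168.0.188
BAD_HOST=10.10.132.2
SPAMMER=192.168.0.111

# Execute the command when APPLY=1, otherwise print it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

filter_rules() {
    # Clean slate, then default-deny for everything arriving at or crossing
    # the firewall. OUTPUT stays ACCEPT, as in the post.
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback and tracked connections first: they are the bulk of the
    # traffic, and nothing below must be able to break replies.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Explicit blocks go BEFORE the allows, so a blocked host cannot slip
    # through a broader ACCEPT further down the chain.
    run iptables -A INPUT -s "$BAD_HOST" -j DROP
    run iptables -A FORWARD -p tcp --dport 25 -s "$SPAMMER" -j DROP

    # Services the firewall offers to the LAN only: ssh (Case 1) and http.
    # Matching the incoming interface as well as the source prefix stops a
    # WAN host from getting in by spoofing a LAN source address.
    run iptables -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$FW_IP" --dport 22 \
        -m state --state NEW -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 80 \
        -m state --state NEW -j ACCEPT
    # The post drops ping to the firewall.
    run iptables -A INPUT -p icmp -j DROP

    # Case 2: only one LAN host may open connections through the firewall;
    # the RELATED,ESTABLISHED rule above already admits the replies.
    run iptables -A FORWARD -i "$LAN_IF" -s "$FORWARD_OK" -m state --state NEW -j ACCEPT

    # Catch-all: log a rate-limited sample, then REJECT so legitimate
    # clients fail fast instead of waiting for a timeout.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-REJECT: "
    run iptables -A INPUT -j REJECT
}

filter_rules
```

Because the script is built around -A with an explicit order, re-running it is safe: it flushes first, then appends everything in the order it is listed, so you never depend on which -I was typed last.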

There is more to explore beyond the examples shown above. But bear in mind, ***NEVER TRY THIS ON A LIVE SYSTEM!!***

In the next post, I will proceed to NAT table.