1 post for April 2026
| Notes ping ICMP | 2026/04/03 23:01 | Jean-Baptiste |
Hot-plugging VM disks
See vm_creation_fs_lvm_a_chaud
A few handy commands for dealing with hot changes to SCSI disks under Linux:
The following command rescans a SCSI disk whose size was changed on the fly in the VMware console. The kernel only learns the new capacity after this rescan (compare `lsblk` before and after); you can then grow an existing partition or create a new one on a disk that was full.
# Obsolete? No: this sysfs rescan is still the current way to pick up a resize. <device> is the H:C:T:L address, e.g. 2:0:0:0, as shown by lsscsi.
echo "1" > /sys/class/scsi_device/<device>/device/rescan
The following command hot-adds a disk to a virtual machine. Beware: the device number depends on the disk's position in the chain (here, the 1 means a second disk was added; increment it according to the number of disks already present).
# Obsolete? The /proc/scsi/scsi interface is the legacy one (the kernel needs CONFIG_SCSI_PROC_FS); the sysfs scan below is the current method.
#echo "scsi add-single-device" 0 0 1 0 > /proc/scsi/scsi
#echo "scsi add-single-device" 0 0 3 0 > /proc/scsi/scsi
# "- - -" means any channel, any target, any LUN: one write per SCSI host
echo "- - -" > /sys/class/scsi_host/host0/scan
echo "- - -" > /sys/class/scsi_host/host1/scan
echo "- - -" > /sys/class/scsi_host/host2/scan
# lvmdiskscan |grep sd
  /dev/sda1 [     509.84 MB]
  /dev/sda2 [      19.50 GB] LVM physical volume
  /dev/sdb  [      20.00 GB] LVM physical volume
  /dev/sdc  [      20.00 GB] LVM physical volume
  /dev/sdd  [      20.00 GB] LVM physical volume
  /dev/sde  [      20.00 GB] LVM physical volume
#echo "scsi add-single-device" 0 0 5 0 > /proc/scsi/scsi
#lvmdiskscan |grep sd
  /dev/sda1 [     509.84 MB]
  /dev/sda2 [      19.50 GB] LVM physical volume
  /dev/sdb  [      20.00 GB] LVM physical volume
  /dev/sdc  [      20.00 GB] LVM physical volume
  /dev/sdd  [      20.00 GB] LVM physical volume
  /dev/sde  [      20.00 GB] LVM physical volume
  /dev/sdf  [      40.00 GB]
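The procedure above (rescan every SCSI host, see which block device appeared, rescan a grown device, then pick the disk that is not yet an LVM physical volume) as an added Python example. It is not code from the original page: it wraps the same two sysfs interfaces, takes the sysfs root as a parameter so the logic can be exercised against a constructed fake tree in a temporary directory, and parses a sample of lvmdiskscan output constructed from the listing above. Writing to the real /sys requires root.

```python
"""Hot-add / resize helpers for SCSI disks in a Linux VM (added example)."""
import re
import tempfile
from pathlib import Path

SYSFS = Path("/sys")


def scsi_hosts(sysfs=SYSFS):
    """hostN directories under <sysfs>/class/scsi_host, sorted by name."""
    base = Path(sysfs) / "class" / "scsi_host"
    return sorted((p for p in base.iterdir() if p.name.startswith("host")), key=lambda p: p.name)


def rescan_hosts(sysfs=SYSFS):
    """echo "- - -" > /sys/class/scsi_host/hostN/scan for every host (any channel/target/LUN)."""
    scanned = []
    for host in scsi_hosts(sysfs):
        (host / "scan").write_text("- - -\n")
        scanned.append(host.name)
    return scanned


def rescan_device(hctl, sysfs=SYSFS):
    """echo 1 > /sys/class/scsi_device/H:C:T:L/device/rescan: re-read capacity after a resize."""
    target = Path(sysfs) / "class" / "scsi_device" / hctl / "device" / "rescan"
    target.write_text("1\n")
    return str(target)


def block_devices(sysfs=SYSFS):
    """Snapshot of <sysfs>/class/block, to diff before and after a rescan."""
    return {p.name for p in (Path(sysfs) / "class" / "block").iterdir()}


_LINE = re.compile(r"^\s*(/dev/\S+)\s+\[\s*([\d.]+)\s*(MB|GB|TB)\s*\]\s*(.*)$")


def parse_lvmdiskscan(text):
    """Parse lvmdiskscan output into (device, size_gb, is_pv) tuples."""
    mult = {"MB": 1 / 1024, "GB": 1.0, "TB": 1024.0}
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            dev, size, unit, tail = m.groups()
            out.append((dev, round(float(size) * mult[unit], 2), "LVM physical volume" in tail))
    return out


def free_disks(text):
    """Whole disks that are not yet PVs: candidates for pvcreate/vgextend.
    Naive partition test (trailing digit); nvme whole disks such as nvme0n1 would need care."""
    return [d for d, _, pv in parse_lvmdiskscan(text) if not pv and not re.search(r"\d$", d)]


# Constructed sample, copied from the lvmdiskscan listing on this page.
SAMPLE_LVMDISKSCAN = """\
  /dev/sda1 [     509.84 MB]
  /dev/sda2 [      19.50 GB] LVM physical volume
  /dev/sdb  [      20.00 GB] LVM physical volume
  /dev/sdf  [      40.00 GB]
"""


def demo_on_fake_sysfs():
    """Run the helpers against a constructed sysfs tree (no root, no real hardware)."""
    root = Path(tempfile.mkdtemp())
    for host in ("host0", "host1", "host2"):
        (root / "class" / "scsi_host" / host).mkdir(parents=True)
        (root / "class" / "scsi_host" / host / "scan").touch()
    dev = root / "class" / "scsi_device" / "2:0:0:0" / "device"
    dev.mkdir(parents=True)
    (dev / "rescan").touch()
    blk = root / "class" / "block"
    blk.mkdir(parents=True)
    for name in ("sda", "sda1", "sda2", "sdb"):
        (blk / name).mkdir()
    before = block_devices(root)
    scanned = rescan_hosts(root)
    (blk / "sdf").mkdir()  # simulate the disk the hypervisor just attached showing up
    new = sorted(block_devices(root) - before)
    rescan_device("2:0:0:0", root)
    return {
        "scanned": scanned,
        "scan_written": (root / "class" / "scsi_host" / "host0" / "scan").read_text(),
        "new_devices": new,
        "rescan_written": (dev / "rescan").read_text(),
        "free_disks": free_disks(SAMPLE_LVMDISKSCAN),
    }


if __name__ == "__main__":
    print(demo_on_fake_sysfs())
```

On a real host call `rescan_hosts()` / `rescan_device("2:0:0:0")` without the root argument; the diff of `block_devices()` before and after tells you which /dev/sdX the new disk got, which is more reliable than guessing the next letter.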
See http://www.tldp.org/HOWTO/archived/SCSI-Programming-HOWTO/SCSI-Programming-HOWTO-4.html (the following is quoted from that HOWTO):
Device Mapping
These device files are dynamically mapped to SCSI id/LUNs on your SCSI bus (LUN = logical unit). The mapping allocates devices consecutively for each LUN of each device on each SCSI bus found at time of the SCSI scan, beginning at the lower LUNs/ids/buses. It starts with the first SCSI controller and continues without interruption with all following controllers. This is currently done in the initialisation of the SCSI driver.
For example, assuming you had three SCSI devices hooked up with ids 1, 3, and 5 on the first SCSI bus (each having one LUN), then the following mapping would be in effect:
/dev/sga -> SCSI id 1
/dev/sgb -> SCSI id 3
/dev/sgc -> SCSI id 5
If you now add a new device with id 4, then the mapping (after the next rescan) will be:
/dev/sga -> SCSI id 1
/dev/sgb -> SCSI id 3
/dev/sgc -> SCSI id 4
/dev/sgd -> SCSI id 5
Notice the change for id 5 -- the corresponding device is no longer mapped to /dev/sgc but is now under /dev/sgd.
Luckily newer kernels allow for changing this order.
Dynamically insert and remove SCSI devices
If a newer kernel and the /proc file system is running, a non-busy device can be removed and installed 'on the fly'.
To remove a SCSI device:
echo "scsi remove-single-device a b c d" > /proc/scsi/scsi
and similar, to add a SCSI device, do
echo "scsi add-single-device a b c d" > /proc/scsi/scsi
where
a == hostadapter id (first one being 0)
b == SCSI channel on hostadapter (first one being 0)
c == ID
d == LUN (first one being 0)
So in order to swap the /dev/sgc and /dev/sgd mappings from the previous example, we could do
echo "scsi remove-single-device 0 0 4 0" > /proc/scsi/scsi
echo "scsi remove-single-device 0 0 5 0" > /proc/scsi/scsi
echo "scsi add-single-device 0 0 5 0" > /proc/scsi/scsi
echo "scsi add-single-device 0 0 4 0" > /proc/scsi/scsi
since generic devices are mapped in the order of their insertion.
When adding more devices to the scsi bus keep in mind there are limited spare entries for new devices. The memory has been allocated at boot time and has room for 2 more devices.
Testing UDP network flows
See also remplacer_telnet_nc_sous_linux
telnet is handy, but it only works for TCP.
!! UDP is not a connection-oriented protocol: there is no handshake, so nothing ever "connects". The only negative signal is an ICMP port-unreachable coming back, which is all that `nc -z -u` checks for. A port whose traffic a firewall silently drops therefore looks exactly like an open one (Nmap reports that state as open|filtered); only a port that answers with ICMP unreachable is known to be closed, and a busy target may rate-limit those ICMP errors, so a single silent probe is not conclusive.
Netcat is your friend
$ nc -zvu 127.0.0.1 1-65535
Connection to 127.0.0.1 111 port [udp/*] succeeded!
Connection to 127.0.0.1 161 port [udp/*] succeeded!
Connection to 127.0.0.1 897 port [udp/*] succeeded!
Connection to 127.0.0.1 1900 port [udp/*] succeeded!
Connection to 127.0.0.1 2086 port [udp/*] succeeded!
Connection to 127.0.0.1 5353 port [udp/*] succeeded!
Connection to 127.0.0.1 32964 port [udp/*] succeeded!
Connection to 127.0.0.1 34578 port [udp/*] succeeded!
Connection to 127.0.0.1 37878 port [udp/*] succeeded!
$ nc -uvz serveur 1-162
serveur [172.17.39.87] 162 (snmp-trap) open
serveur [172.17.39.87] 123 (ntp) open
serveur [172.17.39.87] 67 (bootps) open
Otherwise there is Nmap (`nmap -sU`).
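The three outcomes a UDP probe can really have, as an added Python example (not from the original page): the kernel reports an ICMP port-unreachable on a connected UDP socket as ECONNREFUSED, data coming back means a live service, and silence is open|filtered. The fixtures are constructed: one loopback socket that echoes the probe, one that stays silent, and then the silent one's port after it has been closed. Hosts, ports and the probe payload are assumptions.

```python
"""UDP port probe with the three-way verdict nc -zu cannot show (added example)."""
import socket
import threading

CLOSED, OPEN, OPEN_OR_FILTERED = "closed", "open", "open|filtered"


def probe_udp(host, port, payload=b"X", timeout=1.0, retries=2):
    """Send `payload` to host:port and classify what comes back.

    retries resends a couple of times because targets rate-limit ICMP errors
    (Linux: net.ipv4.icmp_ratelimit), so one silent attempt proves little.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # for UDP this sends nothing; it only fixes the peer
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(4096)  # any datagram back: a service answered
                return OPEN
            except ConnectionRefusedError:  # ICMP port unreachable was delivered
                return CLOSED
            except socket.timeout:
                continue  # no answer, no error: a silent service or a drop rule
    return OPEN_OR_FILTERED


def scan_udp(host, ports, **kw):
    """Probe several ports; returns {port: verdict}."""
    return {p: probe_udp(host, p, **kw) for p in ports}


def _udp_listener(echo):
    """Constructed fixture: ephemeral UDP socket on loopback, echoing once if `echo`."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    if echo:
        def serve():
            try:
                data, peer = s.recvfrom(4096)
                s.sendto(data, peer)
            except OSError:
                pass
        threading.Thread(target=serve, daemon=True).start()
    return s


def demo():
    """Echoing service -> open, silent service -> open|filtered, closed port -> closed."""
    echo_srv, silent_srv = _udp_listener(echo=True), _udp_listener(echo=False)
    echo_port = echo_srv.getsockname()[1]
    silent_port = silent_srv.getsockname()[1]
    results = {
        "echoing service": probe_udp("127.0.0.1", echo_port, timeout=0.5),
        "silent service": probe_udp("127.0.0.1", silent_port, timeout=0.2),
    }
    silent_srv.close()
    results["closed port"] = probe_udp("127.0.0.1", silent_port, timeout=0.2)
    echo_srv.close()
    return results


if __name__ == "__main__":
    print(demo())
```

For a real service the payload matters: a DNS resolver or NTP server will only answer a well-formed request, so `scan_udp` with a bare "X" shows it as open|filtered rather than open, exactly as `nc -zu` does.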
Netcat - binding a listener to one NIC
nc -lnp 3306 192.168.200.62
$ ss -tln |grep 3306
LISTEN 0 1 192.168.200.62:3306 0.0.0.0:*
The ss line confirms the socket is bound to 192.168.200.62 only, not to 0.0.0.0.
unixsock - Unix domain sockets
echo -e "GET /containers/omsa82-snmp/stats HTTP/1.0\r\n" | nc -U /var/run/docker.sock
Anyone who can write to /var/run/docker.sock can start a privileged container, so access to that socket is root-equivalent; keep membership of the docker group to a minimum. The stats endpoint streams until the client disconnects unless you append ?stream=false.
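The same request done properly over a Unix socket, as an added Python example that is not from the original page: a small http.client subclass whose transport is an AF_UNIX stream, plus a constructed stand-in for the Docker daemon bound to a temporary socket path so the exchange runs without Docker. The socket path, the container name and the canned JSON are assumptions; against the real daemon pass /var/run/docker.sock and add ?stream=false.

```python
"""HTTP over a Unix domain socket, the way the Docker API is spoken (added example)."""
import http.client
import json
import os
import socket
import socketserver
import tempfile
import threading


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that connects to a Unix socket path instead of host:port."""

    def __init__(self, path, timeout=5):
        super().__init__("localhost", timeout=timeout)  # host only feeds the Host header
        self.unix_path = path

    def connect(self):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.settimeout(self.timeout)
        s.connect(self.unix_path)
        self.sock = s


def get_json(sock_path, url):
    """GET `url` over the socket; returns (status, parsed JSON body or None)."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", url)  # http.client adds Host and Accept-Encoding itself
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)
    finally:
        conn.close()


class _FakeDockerHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for dockerd: answers GET /containers/<name>/stats with canned JSON."""

    def handle(self):
        request_line = self.rfile.readline()
        if not request_line:
            return
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass  # drain request headers
        method, target, _version = request_line.decode().split()
        if method == "GET" and target.startswith("/containers/") and target.endswith("/stats"):
            body = json.dumps({"name": target.split("/")[2], "memory_stats": {"usage": 12345}}).encode()
            status = b"HTTP/1.0 200 OK"
        else:
            body = json.dumps({"message": "page not found"}).encode()
            status = b"HTTP/1.0 404 Not Found"
        self.wfile.write(status + b"\r\nContent-Type: application/json\r\nContent-Length: "
                         + str(len(body)).encode() + b"\r\n\r\n" + body)


def demo():
    """Spin up the fake daemon on a temp socket, query it twice, tear it down."""
    sock_path = os.path.join(tempfile.mkdtemp(), "docker.sock")
    server = socketserver.UnixStreamServer(sock_path, _FakeDockerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        ok = get_json(sock_path, "/containers/omsa82-snmp/stats")
        missing = get_json(sock_path, "/containers/nope/json")
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(sock_path)
    return ok, missing


if __name__ == "__main__":
    print(demo())
```

Using http.client instead of piping into nc gives you the status code and a parsed body, which is what you want when scripting against the socket; the connection object is also what you would hand to a session that needs to reuse the socket.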
Miscellaneous
Bandwidth:
- bwm-ng
- iperf
cat /sys/class/net/eth0/statistics/tx_bytes
/proc/<pid>/net/snmp shows the counters of the network namespace that process lives in (handy for a container); in the Udp: lines the 5th column is OutDatagrams, so the awk prints the header name and then the value:
# awk '/^Udp:/ { print $5}' /proc/1565/net/snmp
OutDatagrams
208064
Info
# cat /sys/class/net/eth0/duplex
full
# cat /sys/class/net/eth0/speed
1000
# cat /sys/class/net/eth0/address
08:00:27:56:10:6a
Backing up a running system with Mondorescue
Installation
/etc/apt/sources.list.d/mondo.list
deb ftp://ftp.mondorescue.org//debian 7 contrib
deb-src ftp://ftp.mondorescue.org//debian 7 contrib
Usage
Command-line backup example (-E excludes paths; -k picks the kernel to put on the rescue media; -s sets the media size):
#mondoarchive -OV -i -N -g -d /var/backup -T /var/tmp -S /var/tmp -E "/var/lib/mysql|/var/backup|/var/webapps" -s 4480m -p $HOSTNAME
mondoarchive -k /boot/vmlinuz-$(uname -r) -OV -i -N -g -d /backup -T /tmp -S /tmp -E "/home|/media|/var/cache|/var/tmp|/run|/mnt" -s 4480m -p $HOSTNAME
Other
i-want-my-lvm (the script mondoarchive generates so that the restore can recreate the LVM layout):
/sbin/lvmdiskscan
/sbin/lvm
i=2
LVM version >= 2.0 found.
Just before you extrapolate mountlist to include RAID partitions,
extrapolate it to include the following LVM drives and partitions:-
>>>>> /dev/sda5
To get started, type:-
(insmod dm-mod)
(insmod dm_mod)
# lvm vgchange -an
# echo y | lvm pvcreate -ff /dev/sda5
# lvm vgscan
Create and activate the VG's (volume groups).
# lvm vgcreate root-vg -l 0 -p 0 -s 4.00m /dev/sda5
# lvm vgchange -a y root-vg
Finally, create the LV's (logical volumes).
# lvm lvcreate -L 4096m -r auto -n lv_root root-vg
# lvm lvcreate -L 1024m -r auto -n lv_swap root-vg
# lvm lvcreate -L 10240m -r auto -n lv_home root-vg
# lvm lvcreate -L 3072m -r auto -n lv_tmp root-vg
# lvm lvcreate -L 6144m -r auto -n lv_usr root-vg
# lvm lvcreate -L 6144m -r auto -n lv_var root-vg
# lvm lvcreate -L 12288m -r auto -n lv_opt root-vg
# lvm vgscan
Now you may format the LV's:-
(mkfs -t foo /dev/root-vg/lv_root or something like that)
(mkfs -t foo /dev/root-vg/lv_swap or something like that)
(mkfs -t foo /dev/root-vg/lv_home or something like that)
(mkfs -t foo /dev/root-vg/lv_tmp or something like that)
(mkfs -t foo /dev/root-vg/lv_usr or something like that)
(mkfs -t foo /dev/root-vg/lv_var or something like that)
(mkfs -t foo /dev/root-vg/lv_opt or something like that)
Finally, to shut down and delete the volumes, do this:-
(lvm lvremove -f /dev/root-vg/lv_root)
(lvm lvremove -f /dev/root-vg/lv_swap)
(lvm lvremove -f /dev/root-vg/lv_home)
(lvm lvremove -f /dev/root-vg/lv_tmp)
(lvm lvremove -f /dev/root-vg/lv_usr)
(lvm lvremove -f /dev/root-vg/lv_var)
(lvm lvremove -f /dev/root-vg/lv_opt)
(lvm vgchange -a n root-vg)
(lvm vgremove root-vg)
(rmmod dm-mod & rmmod dm_mod & )
Ansible AWS - Cloud
See: Why Ansible is not a good choice for building your AWS infrastructure
The three files below hold long-lived IAM keys in plaintext (the values shown are placeholders). Keep them out of any repository; on EC2 prefer an instance profile (IAM role), which the AWS SDKs pick up automatically so that no static key has to sit on disk at all. ~/.boto is only read by the legacy boto library; boto3, which the current Ansible AWS modules use, reads ~/.aws/credentials and ~/.aws/config.
~/.boto
[Credentials]
aws_access_key_id = 01234ABC
aws_secret_access_key = 01234ABC
[Boto]
debug = 0
proxy = 192.168.56.1
proxy_port = 3128
#ec2_region_name = us-east-2
#ec2_region_endpoint = ec2.us-east-2.amazonaws.com
~/.aws/credentials
[default]
aws_access_key_id = 01234ABC
aws_secret_access_key = 01234ABC
~/.aws/config
[default]
#region = us-west-2
region = us-east-2
output = table
pb.yml
#! /usr/bin/env ansible-playbook
---
- name: Configure new server
  hosts: localhost
  vars:
    ansible_python_interpreter: /usr/bin/python3
  roles:
    - aws
roles/aws/tasks/main.yml (with current Ansible the module ships in the amazon.aws collection and is referenced as amazon.aws.ec2_instance)
---
- ec2_instance:
    name: "test-ansible"
    key_name: "jean@vmdeb1"
    #vpc_subnet_id: subnet-5ca1ab1e
    instance_type: t2.micro
    #security_group: default
    security_group: 'sg-018f964b5b82d2361'
    network:
      assign_public_ip: true
    image_id: ami-05829248ffee66250
  register: new_ec2_instance
- name: DEBUG
  debug: var=new_ec2_instance.instances[0].network_interfaces[0].association.public_ip
iptables firewall for OpenWrt, IPv4
Note: iptables has since been replaced by nftables (the iptables-nft shim still accepts this syntax, and `iptables-translate` converts a rule to nft syntax).
See also:
- OPNsense
For ICMP see http://www.oregontechsupport.com/articles/icmp.txt
Two things to keep in mind before reusing the script below. First, its catch-all drops every ICMP type not explicitly accepted: redirect (type 5, which the script also neutralises through sysctl), router advertisement, timestamp, and every destination-unreachable code other than 1, 3 and 4, so 3/0 network-unreachable and 3/13 communication-prohibited never get in. On a kernel with connection tracking, one `-m conntrack --ctstate RELATED -j ACCEPT` rule ahead of the ICMP rules admits the ICMP errors that belong to existing flows, which is the usual modern way to keep path-MTU discovery working without enumerating codes. Second, the `echo ... > /proc/sys/...` settings do not survive a reboot; put them in a sysctl configuration file as well.
TODO: copy to git
#!/bin/sh
#
# rc.icmp   Advanced ICMP Filtering with iptables
#
# Version Hx: $Id: rc.icmp,v 1.00 2003/01/28 09:04:10 david Exp $
#             $Id: rc.icmp,v 1.01 2013/09/07 16:59:38 david Exp $
#
################################################################
# Internet Control Message Protocol (ICMP), documented in RFC
# 792, is a required protocol tightly integrated with IP. ICMP
# messages, delivered in IP packets, are used for out-of-band
# messages related to network operation or misoperation. Since
# ICMP relies on IP, packet delivery is unreliable (as
# opposed to TCP).
#
# ICMP functions typically include:
#   - Announce network errors
#   - Announce network congestion (source quench)
#   - Assist troubleshooting (ping)
#   - Announce timeouts (traceroute)
#
# Be cautious; blocking ICMP can have unpredictable results.
# You may find that your TCP/IP connectivity may break.
#
# A good resource for ICMP filtering can be found at:
#   www.oregontechsupport.com/articles/ICMP_Scanning_v3.0.pdf
#
# Netfilter (iptables) can implement the ICMP Extension by
# name (e.g., "host unreachable"), numeric type (e.g., "3"),
# or a numeric type and code separated by a "/" (e.g., "3/3").
################################################################

################################################################
# ICMP echo-reply (type 0)
#
# Ping scanning is typically used to determine which hosts on
# a network are up. Typically this is done by sending ICMP
# ECHO request packets to the target host.
################################################################
iptables -A OUTPUT  -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT   -p icmp --icmp-type 0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT

################################################################
# ICMP types 1-2 are unassigned
################################################################

################################################################
# ICMP destination-unreachable (type 3)
#
# Filtering "fragmentation-needed" traffic is a BAD idea.
#
# Codes
#    0 network-unreachable
#    1 host-unreachable
#    2 protocol-unreachable
#    3 port-unreachable
#    4 fragmentation-needed
#    5 source-route-failed
#    6 network-unknown
#    7 host-unknown
#    8 Source Host Isolated
#    9 network-prohibited
#   10 host-prohibited
#   11 TOS-network-unreachable
#   12 TOS-host-unreachable
#   13 communication-prohibited [RFC1812]
#   14 host-precedence-violation [RFC1812]
#   15 precedence-cutoff [RFC1812]
################################################################
iptables -A INPUT   -p icmp --icmp-type 3/4 -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type 3/4 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type 3/3 -j ACCEPT
iptables -A INPUT   -p icmp --icmp-type 3/3 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT
iptables -A INPUT   -p icmp --icmp-type 3/1 -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type 3/1 -j ACCEPT

################################################################
# ICMP Source Quench (type 4)
#
# This is detailed in RFC 792. Filtering this type of
# traffic is generally considered a BAD idea.
################################################################
iptables -A INPUT   -p icmp --icmp-type 4 -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type 4 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT

################################################################
# ICMP Redirect (type 5)
#
# Codes
#    0 Redirect Datagram for the Network (or subnet)
#    1 Redirect Datagram for the Host
#    2 Redirect Datagram for the Type of Service and Network
#    3 Redirect Datagram for the Type of Service and Host
################################################################
if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo " Kernel ignores all ICMP redirects"
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

################################################################
# ICMP Alternate Host Address (type 6)
# ICMP Unassigned (type 7)
################################################################

################################################################
# ICMP Echo Request (type 8)
################################################################
iptables -A INPUT   -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
iptables -A INPUT   -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: "
iptables -A INPUT   -p icmp --icmp-type 8 -j DROP
iptables -A OUTPUT  -p icmp --icmp-type 8 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
    echo " Kernel answers ICMP Echo requests"
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi

################################################################
# Prevention: Smurf IP Denial-of-Service Attacks
#
# See http://www.cert.org/advisories/CA-1998-01.html
################################################################
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo " Kernel ignores ICMP Echo requests sent to broadcast/multicast addresses"
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

################################################################
# ICMP Router Advertisement (type 9)
# ICMP Router Solicitation (type 10)
#
# These are described in RFC 1256.
################################################################

################################################################
# ICMP Time Exceeded (type 11)
#
# Codes
#    0 Time to Live exceeded in Transit
#    1 Fragment Reassembly Time Exceeded
################################################################
iptables -A INPUT   -p icmp --icmp-type 11 -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type 11 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT

################################################################
# ICMP Parameter Problem (type 12)
#
# Codes
#    0 Pointer indicates the error
#    1 Missing a Required Option [RFC1108]
#    2 Bad Length
################################################################
iptables -A INPUT   -p icmp --icmp-type 12 -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type 12 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT

################################################################
# ICMP Timestamp (type 13)
# ICMP Timestamp Reply (type 14)
# ICMP Information Request (type 15)
# ICMP Information Reply (type 16)
# ICMP Address Mask Request (type 17)
# ICMP Address Mask Reply (type 18)
# ICMP Reserved (types 19-29)
# ICMP Traceroute (type 30)
# ICMP Datagram Conversion Error (type 31)
################################################################

################################################################
# ICMP bogus error responses
#
# Sometimes you will come across routers that send out invalid
# responses to broadcast frames. This is a violation of RFC
# 1122, "Requirements for Internet Hosts -- Communication
# Layers". As a result, these events are logged by the kernel.
# To avoid filling up your logfile with unnecessary clutter,
# you can tell the kernel not to issue these warnings.
################################################################
if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo " Kernel ignores bogus responses to broadcast frames"
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

################################################################
# ICMP Catch-all
#
# There are many more ICMP types than this, but most aren't
# implemented in large-scale (yet). We can safely say that
# anything not specifically allowed above should be blocked.
################################################################
iptables -A INPUT   -p icmp -m limit -j LOG --log-prefix "ICMP/IN: "
iptables -A OUTPUT  -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: "
iptables -A FORWARD -p icmp -m limit -j LOG --log-prefix "ICMP/FWD: "
iptables -A INPUT   -p icmp -j DROP
iptables -A OUTPUT  -p icmp -j DROP
iptables -A FORWARD -p icmp -j DROP

################################################################
# This document was lovingly handcrafted on a Dell Latitude
# C400 laptop running Slackware Linux 8.1, in case anyone
# asks.
################################################################
# This work is licensed under a Creative
# Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License,
# available at http://creativecommons.org/licenses/by-nc-nd/3.0/
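A model of the script's INPUT chain, added here as a Python example (it is not part of rc.icmp or of the original page). It replays the chain's rules in order for a given ICMP type/code so you can see what the catch-all silently drops, and it models the `-m limit --limit 2/s` rule on echo requests as the token bucket the limit match implements (bucket size = --limit-burst, 5 by default, refilled at the limit rate). The bucket arithmetic is an approximation of the kernel's credit-based implementation; the timestamps fed to it are constructed.

```python
"""Verdict model for the INPUT chain of rc.icmp (added example)."""
ACCEPT, DROP = "ACCEPT", "DROP"


class TokenBucket:
    """iptables `limit` match: starts full, refills at `rate` tokens/s,
    never exceeds `burst`, each matching packet consumes one token."""

    def __init__(self, rate, burst=5):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpInputPolicy:
    """What rc.icmp's INPUT chain does with an inbound ICMP packet."""

    ACCEPT_TYPES = {0, 4, 11, 12}                 # --icmp-type N -j ACCEPT, any code
    ACCEPT_TYPE_CODE = {(3, 1), (3, 3), (3, 4)}   # --icmp-type 3/C -j ACCEPT

    def __init__(self):
        self.echo_limit = TokenBucket(rate=2, burst=5)  # --limit 2/s, default burst

    def verdict(self, icmp_type, code=0, now=0.0):
        if icmp_type in self.ACCEPT_TYPES or (icmp_type, code) in self.ACCEPT_TYPE_CODE:
            return ACCEPT
        if icmp_type == 8:
            # limit rule first; past the limit the packet is logged, then dropped
            return ACCEPT if self.echo_limit.allow(now) else DROP
        return DROP  # catch-all: logged (itself rate limited) and dropped


def dropped_unreachable_codes():
    """Destination-unreachable codes the script drops: every code but 1, 3 and 4."""
    policy = IcmpInputPolicy()
    return [c for c in range(16) if policy.verdict(3, c) == DROP]


def verdict_table():
    """Verdict per ICMP type 0-18 (code 0), echo request excluded since it is rate based."""
    policy = IcmpInputPolicy()
    return {t: policy.verdict(t) for t in range(19) if t != 8}


def echo_timeline(arrival_times):
    """Verdicts for echo requests arriving at the given (monotonic) instants."""
    policy = IcmpInputPolicy()
    return [policy.verdict(8, now=t) for t in arrival_times]


if __name__ == "__main__":
    print("dropped type-3 codes:", dropped_unreachable_codes())
    print("verdicts by type:", verdict_table())
    print("6 pings at t=0 then 3 at t=1s:", echo_timeline([0.0] * 6 + [1.0] * 3))
```

Running it shows the two facts worth knowing before deploying the script: redirects, router advertisements and timestamps are dropped (fine), but so are network-unreachable (3/0) and the RFC 1812 prohibited codes, and a burst of six pings in the same instant loses the sixth even though the average rate is far below 2/s.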
