Monday, September 16, 2013

Cisco password recovery

Cisco password recovery, SOHO series and similar IOS routers

Step-by-Step Procedure

Follow these steps in order to recover your password. Keep in mind what the procedure demonstrates: anyone with physical access to the console port and the power switch can bypass every password on the router, so access to the console must be controlled like administrative access. IOS can disable this path with no service password-recovery, at the price that a locked-out administrator can then regain access only by erasing the configuration.
  1. Attach a terminal or PC with terminal emulation to the console port of the router.
    Use these terminal settings:
    • 9600 baud rate
    • No parity
    • 8 data bits
    • 1 stop bit
    • No flow control
    Refer to Cisco's cabling documentation for information on how to cable and connect a terminal to the console port or the AUX port.
  2. If you can access the router, type show version at the prompt, and record the configuration register setting. See the Example of Password Recovery Procedure below for the output of a show version command.
    Note: The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router (because of a lost login or TACACS password), you can safely assume that your configuration register is set to 0x2102.
  3. Use the power switch in order to turn off the router, and then turn the router back on.
    Important Notes:
    • In order to simulate this step on a Cisco 6400, pull out and then plug in the Node Route Processor (NRP) or Node Switch Processor (NSP) card.
    • In order to simulate this step on a Cisco 6x00 with NI-2, pull out and then plug in the NI-2 card.
  4. Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON.
    If the break sequence does not work, refer to Standard Break Key Sequence Combinations During Password Recovery for other key combinations.
  5. Type confreg 0x2142 at the rommon 1> prompt in order to boot from Flash.
    This step bypasses the startup configuration where the passwords are stored.
  6. Type reset at the rommon 2> prompt.
    The router reboots, but ignores the saved configuration.
  7. Type no after each setup question, or press Ctrl-C in order to skip the initial setup procedure.
  8. Type enable at the Router> prompt.
    You are in enable mode and should see the Router# prompt.
  9. Type configure memory or copy startup-config running-config in order to copy the nonvolatile RAM (NVRAM) into memory.
    Important: Do not type copy running-config startup-config or write. These commands erase your startup configuration.
  10. Type show running-config.
    The show running-config command shows the configuration of the router. In this configuration, the shutdown command appears under all interfaces, which indicates that all interfaces are currently shut down. In addition, the passwords (enable password, enable secret, vty and console passwords) are stored either in cleartext (type 0) or in an obscured form. Cleartext passwords can be reused. Of the obscured forms, the type 7 encoding produced by service password-encryption is reversible, not a hash, so anyone who has seen the configuration can recover those passwords; the type 5 enable secret is a salted MD5 hash that cannot be read back. Set a new value for every password you cannot read back, and change the type 7 passwords as well, since they must be treated as exposed.
  11. Type configure terminal.
    The hostname(config)# prompt appears.
  12. Type enable secret <password> in order to change the enable secret password. For example:
    hostname(config)#enable secret cisco
  13. Issue the no shutdown command on every interface that you use.
    If you issue a show ip interface brief command, every interface that you want to use should display up up.
  14. Type config-register <configuration_register_setting>, where configuration_register_setting is either the value you recorded in step 2 or 0x2102. For example:
    hostname(config)#config-register 0x2102
  15. Press Ctrl-z or end in order to leave the configuration mode.
    The hostname# prompt appears.
  16. Type write memory or copy running-config startup-config in order to commit the changes.
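An added example, not part of Cisco's document, in POSIX shell: it reads a running-config of the kind step 10 shows, lists the interfaces that step 13 has to bring back up, and tells the stored passwords apart. The sample configuration is constructed for this example (its enable secret hash is a placeholder, not a real digest); the type 7 decoder implements the publicly documented XOR-against-a-fixed-key scheme that service password-encryption uses, which is why type 7 passwords have to be treated as readable by anyone who has seen the configuration.

```shell
#!/bin/sh
# Added example (not from Cisco's document): review a recovered running-config
# before re-enabling the router. Lists administratively shut interfaces (step 13
# must bring each back with "no shutdown") and sorts the password lines by how
# they are stored. decode_type7 shows that type 7 is obfuscation, not encryption.

# Constructed sample configuration; the enable secret hash is a placeholder.
SAMPLE_CONFIG='hostname Router
enable secret 5 $1$salt$placeholder.not.a.real.hash
enable password 7 0822455D0A16
username admin password 0 Plaintext123
interface Ethernet0/0
 ip address 10.200.40.37 255.255.255.0
 shutdown
interface Serial0/0
 shutdown
interface Loopback0
 ip address 193.251.121.157 255.255.255.255
line vty 0 4
 password 7 104D000A0618
 login'

# Fixed key IOS uses for type 7 passwords (publicly known).
TYPE7_KEY='dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87'

# decode_type7 HEXSTRING: the first two digits are the key offset; each following
# hex pair is one character XORed with the key byte at the rotating offset.
decode_type7() {
  enc=$1
  seed=$(printf '%s' "$enc" | cut -c1-2)
  seed=$(( ${seed#0} + 0 ))            # drop a leading zero so "08" is not read as octal
  body=$(printf '%s' "$enc" | cut -c3-)
  keylen=${#TYPE7_KEY}
  out=''
  i=0
  while [ -n "$body" ]; do
    hex=$(printf '%s' "$body" | cut -c1-2)
    body=$(printf '%s' "$body" | cut -c3-)
    pos=$(( (seed + i) % keylen + 1 ))   # cut counts characters from 1
    keychar=$(printf '%s' "$TYPE7_KEY" | cut -c"$pos")
    keycode=$(printf '%d' "'$keychar")
    code=$(( 0x$hex ^ $keycode ))
    out=$out$(printf "\\$(printf '%03o' "$code")")
    i=$(( i + 1 ))
  done
  printf '%s\n' "$out"
}

# shutdown_interfaces CONFIG: print each interface that carries a bare "shutdown".
shutdown_interfaces() {
  printf '%s\n' "$1" | awk '
    /^interface /                  { iface = $2 }
    /^ *shutdown *$/ && iface != "" { print iface }'
}

# no_shutdown_commands CONFIG: emit the config-mode commands for step 13.
no_shutdown_commands() {
  shutdown_interfaces "$1" | while IFS= read -r iface; do
    printf 'interface %s\n no shutdown\n' "$iface"
  done
}

# classify_passwords CONFIG: for every stored credential, say whether it can be
# reused as-is, recovered from the configuration, or only replaced.
classify_passwords() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case $line in
      *' secret 5 '*)
        printf 'type 5 (MD5 hash, must be replaced): %s\n' "$line" ;;
      *' password 7 '*)
        printf 'type 7 (reversible, decodes to "%s"): %s\n' \
          "$(decode_type7 "${line##* }")" "$line" ;;
      *' password 0 '*)
        printf 'type 0 (cleartext, reusable): %s\n' "$line" ;;
    esac
  done
}

echo '== interfaces to bring back up =='
no_shutdown_commands "$SAMPLE_CONFIG"
echo '== stored credentials =='
classify_passwords "$SAMPLE_CONFIG"
```

On a real router, paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) and feed the no_shutdown_commands output back in configuration mode.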

Example of Password Recovery Procedure

This section provides an example of the password recovery procedure. This example was created with a Cisco 2600 Series Router. Even if you do not use a Cisco 2600 Series Router, this output provides an example of what you should experience on your product.
Router>enable
Password:
Password:
Password:
% Bad secrets

Router>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

Router uptime is 3 minutes
System returned to ROM by abort at PC 0x802D0B60
System image file is "flash:c2600-is-mz.120-7.T"

cisco 2611 (MPC860) processor (revision 0x202) with 26624K/6144K bytes of memory.
Processor board ID JAB031202NK (3878188963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)

Configuration register is 0x2102

Router>



!--- The router was just powercycled, and during bootup a
!--- break sequence was sent to the router.


!

*** System received an abort due to Break Key ***

signal= 0x3, code= 0x500, context= 0x813ac158
PC = 0x802d0b60, Vector = 0x500, SP = 0x80006030
rommon 1 > confreg 0x2142

You must reset or power cycle for new config to take effect

rommon 2 > reset

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 32768 Kbytes of main memory


program load complete, entry point: 0x80008000, size: 0x6fdb4c

Self decompressing the image : ###############################
##############################################################
##############################################################
##############################################################
############################### [OK]


 Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

 cisco Systems, Inc.
 170 West Tasman Drive
 San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8

cisco 2611 (MPC860) processor (revision 0x202) with 26624K/6144K bytes of memory.
Processor board ID JAB031202NK (3878188963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)


 --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n

Press RETURN to get started!

00:00:19: %LINK-3-UPDOWN: Interface BRI0/0, changed state to up
00:00:19: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:00:19: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
00:00:19: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:00:19: %LINK-3-UPDOWN: Interface Serial0/1, changed state to down
00:00:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0, 
changed state to down
00:00:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0,
 changed state to up
Router>
00:00:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, 
changed state to up
00:00:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, 
changed state to down
00:00:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, 
changed state to down
00:00:50: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
00:00:50: %LINK-5-CHANGED: Interface BRI0/0, 
changed state to administratively down
00:00:52: %LINK-5-CHANGED: Interface Ethernet0/0, 
changed state to administratively down
00:00:52: %LINK-5-CHANGED: Interface Serial0/0, 
changed state to administratively down
00:00:52: %LINK-5-CHANGED: Interface Ethernet0/1, 
changed state to administratively down
00:00:52: %LINK-5-CHANGED: Interface Serial0/1, 
changed state to administratively down
00:00:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, 
changed state to down
00:00:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, 
changed state to down
Router>
Router>enable
Router#copy startup-config running-config
Destination filename [running-config]?
1324 bytes copied in 2.35 secs (662 bytes/sec)
Router#
00:01:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, 
changed state to down
00:01:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:2, 
changed state to down
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret < password >
Router(config)#^Z
00:01:54: %SYS-5-CONFIG_I: Configured from console by console
Router#show ip interface brief

Interface   IP-Address        OK?  Method     Status                   Protocol
Ethernet0/0 10.200.40.37      YES  TFTP       administratively down    down
Serial0/0   unassigned        YES  TFTP       administratively down    down
BRI0/0      193.251.121.157   YES  unset      administratively down    down
BRI0/0:1    unassigned        YES  unset      administratively down    down
BRI0/0:2    unassigned        YES  unset      administratively down    down
Ethernet0/1 unassigned        YES  TFTP       administratively down    down
Serial0/1   unassigned        YES  TFTP       administratively down    down
Loopback0   193.251.121.157   YES  TFTP       up                       up
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface Ethernet0/0
Router(config-if)#no shutdown
Router(config-if)#
00:02:14: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:02:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, 
changed state to up
Router(config-if)#interface BRI0/0
Router(config-if)#no shutdown
Router(config-if)#
00:02:26: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
00:02:26: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to down
00:02:26: %LINK-3-UPDOWN: Interface BRI0/0, changed state to up
00:02:115964116991: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, 
TEI 68 changed to up
Router(config-if)#^Z
Router#
00:02:35: %SYS-5-CONFIG_I: Configured from console by console
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

Router uptime is 3 minutes
System returned to ROM by abort at PC 0x802D0B60
System image file is "flash:c2600-is-mz.120-7.T"

cisco 2611 (MPC860) processor (revision 0x202) 
with 26624K/6144K bytes of memory.
Processor board ID JAB031202NK (3878188963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)

Configuration register is 0x2142

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config-register 0x2102
Router(config)#^Z
00:03:20: %SYS-5-CONFIG_I: Configured from console by console

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

Router uptime is 3 minutes
System returned to ROM by abort at PC 0x802D0B60
System image file is "flash:c2600-is-mz.120-7.T"

cisco 2611 (MPC860) processor (revision 0x202) 
with 26624K/6144K bytes of memory.
Processor board ID JAB031202NK (3878188963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.

2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)

Configuration register is 0x2142 (will be 0x2102 at next reload)

Router#

Friday, September 6, 2013

Install a CPAN module

Install CPAN

yum -y install perl-CPAN

Enter the CPAN shell

cpan

Install the CPAN module you need
 
cpan> install DateTime::TimeZone 

Done
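An added example, not part of the original post, in POSIX shell: the same installation done so that it can be re-run safely. It checks whether Perl can already load the module, prefers the distribution package (signed and updated with the rest of the system) over pulling source from a CPAN mirror, falls back to a non-interactive cpan install, and verifies the result afterwards instead of trusting the installer's output. The perl-Foo-Bar package naming is the Fedora/RHEL convention and is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent Perl module install
# with verification. Assumes Fedora/RHEL-style package names (perl-Foo-Bar).

# perl_module_version MODULE: print the installed version and return 0, or
# return non-zero if Perl cannot load the module at all.
perl_module_version() {
  mod=$1
  perl -M"$mod" -e "print \$${mod}::VERSION" 2>/dev/null
}

# module_to_package MODULE: DateTime::TimeZone -> perl-DateTime-TimeZone
module_to_package() {
  printf 'perl-%s\n' "$(printf '%s' "$1" | sed 's/::/-/g')"
}

# ensure_perl_module MODULE [PACKAGE]: install MODULE only if it is missing.
# Try the distribution package first, then fall back to CPAN; re-check at the end.
ensure_perl_module() {
  mod=$1
  pkg=${2:-$(module_to_package "$mod")}
  if ver=$(perl_module_version "$mod"); then
    echo "$mod already installed (version ${ver:-unknown})"
    return 0
  fi
  yum -y install "$pkg" >/dev/null 2>&1 || cpan -i "$mod" || return 1
  ver=$(perl_module_version "$mod") || return 1
  echo "$mod installed (version ${ver:-unknown})"
}

# Run as root on the target host:
# ensure_perl_module DateTime::TimeZone
```

Whatever route installs the module, the final perl_module_version call is the check that matters: a cpan run can report success for a dependency while the module you asked for is still not loadable.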

Sunday, September 1, 2013

Firewall on Linux

Static Firewall (system-config-firewall/lokkit) 

The existing static firewall model with system-config-firewall and lokkit is still available and usable, but not while the firewall daemon is running. The user or admin decides which firewall solution to use by enabling the corresponding services.
A selector for the firewall solution, offered at install time or on first boot, is planned. The configuration of the other solution stays intact and can be enabled simply by switching to the other model.
The firewall daemon is independent of system-config-firewall, but the two should not be used at the same time.

Using static firewall rules with the iptables and ip6tables services

If you want to use your own static firewall rules with the iptables and ip6tables services, install iptables-services, mask firewalld, and enable the iptables and ip6tables services:
yum install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
Use /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for your static firewall rules.
Note: The iptables and iptables-services packages do not ship firewall rules for use with the services. The services exist for compatibility and for people who want to use their own rules. You can still install and use system-config-firewall to create rules for the services; to use system-config-firewall, you have to stop firewalld first.
After creating rules for the services, stop firewalld and start the iptables and ip6tables services:
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service
 
 

What is a zone?

A network zone defines the level of trust for network connections. This is a one-to-many relation: a connection can be part of only one zone, but a zone can be used for many network connections.
Most zones are mutable, but there are also immutable zones. Immutable zones are not customizable and there is no way to override them.

Predefined services

A service is a combination of port and/or protocol entries. Optionally, netfilter helper modules and an IPv4 and IPv6 destination address can be added.

Ports and protocols

Definition of tcp or udp ports, where ports can be a single port or a port range.

ICMP blocks

Selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests or created as a reply to information requests or in error conditions.

Masquerading

The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation.

Forward ports

A port is either mapped to another port and/or to another host.

Which zones are available?

These are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:

drop (immutable)

Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.

block (immutable)

Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.

public

For use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

external

For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

dmz

For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

work

For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

home

For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

internal

For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

trusted (immutable)

All network connections are accepted.

Which zone should be used?

A public Wi-Fi network connection, for example, should be mostly untrusted; a wired home network connection should be fairly trusted. Select the zone that best matches the network you are using.

How to configure or add zones?

To configure or add zones, you can either use one of the firewalld interfaces to handle and change the configuration (the graphical configuration tool firewall-config, the command line tool firewall-cmd, or the D-BUS interface), or create or copy a zone file in one of the configuration directories. /usr/lib/firewalld/zones is used for the default and fallback configuration and /etc/firewalld/zones for user-created and customized configuration files; a file in /etc/firewalld/zones overrides the default of the same name.

How to set or change a zone for a connection

The zone is stored in the ifcfg file of the connection with the ZONE= option. If the option is missing or empty, the default zone set in firewalld is used.
If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.

Network connections handled by NetworkManager

The firewall cannot handle network connections by the name NetworkManager shows; it can only handle network interfaces. Therefore NetworkManager tells firewalld to put the network interfaces related to a connection into the zone defined in the connection's config file (ifcfg) before the connection comes up. If no zone is set in the config file, the interfaces are put into the default zone set by firewalld. If a connection has more than one interface, all of them are supplied to firewalld. Changes in the names of interfaces are also handled by NetworkManager and supplied to firewalld.
For simplicity, the rest of this text speaks of connections, rather than interfaces, as belonging to zones.
NetworkManager also tells firewalld to remove connections from zones again when the connection goes down.
If firewalld is started or restarted by systemd or init scripts, firewalld notifies NetworkManager and the connections are added to the zones again.

Network connections handled by network scripts

For connections handled by network scripts there are limitations: there is no daemon that can tell firewalld to add connections to zones. This is done in the ifcfg-post script only, so interface name changes after that point cannot be supplied to firewalld. Starting or restarting firewalld while the connections are already active also loses the relation. There are ideas to fix this; the simplest is to push all connections that are not set otherwise into the default zone.
The zone defines which of the firewall features described above (services, ports and protocols, ICMP blocks, masquerading, forward ports) are enabled for the connections in it.

Working with firewalld

To enable or disable firewall features for example in zones, you can either use the graphical configuration tool firewall-config or the command line client firewall-cmd

Using firewall-cmd

The command line client firewall-cmd supports all firewall features. For the status and query modes there is no output; the result is returned as the command's exit status (0 means running or enabled, 1 otherwise), which is what makes the && / || constructs below work.

Generic use

  • Get the status of firewalld
firewall-cmd --state
This returns the status of firewalld as the exit status; there is no output. To get a visible state use:
firewall-cmd --state && echo "Running" || echo "Not running"
As of Fedora 19, the status is printed as well:
# rpm -qf $( which firewall-cmd )
firewalld-0.3.3-2.fc19.noarch
# firewall-cmd --state
not running
  • Reload the firewall without losing state information:
firewall-cmd --reload
If you use --complete-reload instead, the state information is lost. Use this option only in case of severe firewall problems, for example when connection-state information is broken so that no connection can be established although the firewall rules are correct.
  • Get a list of all supported zones
firewall-cmd --get-zones
This command prints a space-separated list.
  • Get a list of all supported services
firewall-cmd --get-services
This command prints a space-separated list.
  • Get a list of all supported icmptypes
firewall-cmd --get-icmptypes
This command prints a space-separated list.
  • List all zones with the enabled features.
firewall-cmd --list-all-zones
The output format is:
<zone>
  interfaces: ..
  services: ..
  ports: ..
  forward-ports: ..
  icmp-blocks: ..
..
  • Print a zone with its enabled features. If the zone is omitted, the default zone is used.
firewall-cmd [--zone=<zone>] --list-all
  • Get the default zone set for network connections
firewall-cmd --get-default-zone
  • Set the default zone
firewall-cmd --set-default-zone=<zone>
All interfaces located in the old default zone are moved to the new default zone, which then defines the limits for new externally initiated connection attempts. Active connections are not affected.
  • Get active zones
firewall-cmd --get-active-zones
The command prints the interfaces that are part of each zone in this form:
<zone1>: <interface1> <interface2> ..
<zone2>: <interface3> ..
  • Get the zone an interface belongs to
firewall-cmd --get-zone-of-interface=<interface>
This prints the zone name if the interface is part of a zone.
  • Add an interface to a zone
firewall-cmd [--zone=<zone>] --add-interface=<interface>
Adds an interface to a zone if it was not in a zone before. If the zone option is omitted, the default zone is used. The interfaces are reapplied after reloads.
  • Change the zone an interface belongs to
firewall-cmd [--zone=<zone>] --change-interface=<interface>
This is similar to --add-interface, but moves the interface into the new zone even if it was in another zone before.
  • Remove an interface from a zone
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
  • Query if an interface is in a zone
firewall-cmd [--zone=<zone>] --query-interface=<interface>
Returns exit status 0 if the interface is in the zone, 1 otherwise. There is no output.
  • List the enabled services in a zone
firewall-cmd [--zone=<zone>] --list-services
  • Enable panic mode to block all network traffic in case of emergency
firewall-cmd --enable-panic
  • Disable panic mode
firewall-cmd --disable-panic
  • Query panic mode
firewall-cmd --query-panic
This returns the state of panic mode as the exit status; there is no output. To get a visible state use:
firewall-cmd --query-panic && echo "On" || echo "Off"

Runtime zone handling

In the runtime mode the changes to zones are not permanent. The changes will be gone after reload or restart.
  • Enable a service in a zone
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
This enables a service in a zone. If the zone is not set, the default zone is used. If a timeout is set, the service is enabled in the zone only for that number of seconds. If the service is already active, there is no warning message.
  • Example: Enable the ipp-client service for 60 seconds in the home zone:
firewall-cmd --zone=home --add-service=ipp-client --timeout=60
  • Example: Enable the http service in the default zone:
firewall-cmd --add-service=http
  • Disable a service in a zone
firewall-cmd [--zone=<zone>] --remove-service=<service>
This disables a service in a zone. If the zone is not set, the default zone is used.
  • Example: Disable the http service in the home zone:
firewall-cmd --zone=home --remove-service=http
The service is disabled in the zone. If the service is not enabled in the zone, there is a warning message.
  • Query if a service is enabled in a zone
firewall-cmd [--zone=<zone>] --query-service=<service>
This returns exit status 0 if the service is enabled in the zone, 1 otherwise. There is no output.
  • Enable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
This enables a port and protocol combination. The port can be a single port or a port range <port>-<port>. The protocol can be either tcp or udp.
  • Disable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
  • Query if a port and protocol combination is enabled in a zone
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
This command returns exit status 0 if it is enabled, 1 otherwise; there is no output.
  • Enable masquerading in a zone
firewall-cmd [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and is mostly used on routers. Masquerading is IPv4 only because of kernel limitations.
  • Disable masquerading in a zone
firewall-cmd [--zone=<zone>] --remove-masquerade
  • Query masquerading in a zone
firewall-cmd [--zone=<zone>] --query-masquerade
This command returns exit status 0 if it is enabled, 1 otherwise; there is no output.
  • Enable an ICMP block in a zone
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
This blocks the selected Internet Control Message Protocol (ICMP) message type. ICMP messages are either information requests or created as a reply to information requests or in error conditions.
  • Disable an ICMP block in a zone
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
  • Query an ICMP block in a zone
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
This command returns exit status 0 if it is enabled, 1 otherwise; there is no output.
  • Example: Block echo-reply messages in the public zone:
firewall-cmd --zone=public --add-icmp-block=echo-reply
  • Enable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
The port is either mapped to the same port on another host, to another port on the same host, or to another port on another host. The port can be a single port or a port range <port>-<port>. The protocol is either tcp or udp. toport is either a port or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.
  • Disable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
  • Query port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
This command returns exit status 0 if it is enabled, 1 otherwise; there is no output.
  • Example: Forward ssh to host 127.0.0.2 in the home zone
firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Permanent zone handling

The permanent options are not affecting runtime directly. These options are only available after a reload or restart. To have runtime and permanent setting, you need to supply both. The --permanent option needs to be the first option for all permanent calls.
  • Get a list of supported permanent services
firewall-cmd --permanent --get-services
  • Get a list of supported permanent icmptypes
firewall-cmd --permanent --get-icmptypes
  • Get a list of supported permanent zones
firewall-cmd --permanent --get-zones
  • Enable a service in a zone
firewall-cmd --permanent [--zone=] --add-service= This enables the service in the zone permanently. If the zone option is omitted, the default zone is used.
  • Disable a service in a zone
firewall-cmd --permanent [--zone=] --remove-service=
  • Query if a service is enabled in a zone
firewall-cmd --permanent [--zone=] --query-service= This command returns if it is enabled, there is no output.
  • Example: Enable service ipp-client permanently in the home zone
firewall-cmd --permanent --zone=home --add-service=ipp-client
  • Enable a port and protocol combination permanently in a zone
firewall-cmd --permanent [--zone=] --add-port=[-]/
  • Disable a port and protocol combination permanently in a zone
firewall-cmd --permanent [--zone=] --remove-port=[-]/
  • Query if a port and protocol combination is enabled permanently in a zone
firewall-cmd --permanent [--zone=] --query-port=[-]/ This command returns if it is enabled, there is no output.
  • Example: Enable port 443/tcp for https permanently in the home zone
firewall-cmd --permanent --zone=home --add-port=443/tcp
  • Enable masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and is mostly used in routers. Masquerading is IPv4 only because of kernel limitations.
  • Disable masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
  • Query masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-masquerade
This command returns 0 if masquerading is enabled and 1 otherwise; there is no output.
  • Enable ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>
This enables blocking of the selected Internet Control Message Protocol (ICMP) message type. ICMP messages are either information requests, replies to information requests, or reports of error conditions.
  • Disable ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
  • Query ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>
This command returns 0 if the block is enabled and 1 otherwise; there is no output.
  • Example: Block echo-reply messages in the public zone:
firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
  • Enable port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<portid>[-<portid>]:proto=<protocol> { :toport=<portid>[-<portid>] | :toaddr=<address> | :toport=<portid>[-<portid>]:toaddr=<address> }
The port is mapped either to the same port on another host, to another port on the same host, or to another port on another host. The port can be a single port or a port range <portid>-<portid>. The protocol is either tcp or udp. toport is either a port or a port range <portid>-<portid>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.
  • Disable port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol> { :toport=<portid>[-<portid>] | :toaddr=<address> | :toport=<portid>[-<portid>]:toaddr=<address> }
  • Query port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<portid>[-<portid>]:proto=<protocol> { :toport=<portid>[-<portid>] | :toaddr=<address> | :toport=<portid>[-<portid>]:toaddr=<address> }
This command returns 0 if the forward is enabled and 1 otherwise; there is no output.
  • Example: Forward ssh to host 127.0.0.2 in the home zone
firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
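One way to build the --add-forward-port value described above and validate its parts before handing it to firewall-cmd, as an added example that is not part of firewalld or its documentation. It assumes only what the synopsis above states (port and toport are a port or a range, proto is tcp or udp, toaddr is IPv4, and a --query-* option exits 0 when the setting exists); it produces argv lists rather than running anything, so it can be reviewed or tested offline.

```python
"""Build and validate a firewall-cmd --add-forward-port argument.

Added example, not code from the firewalld project or its documentation.
Validation follows the synopsis above: port/toport are a single port or a
range <portid>-<portid> within 1-65535, proto is tcp or udp, toaddr is an
IPv4 address (port forwarding is IPv4 only), and at least one of
toport/toaddr must be given.
"""
import ipaddress
import re
import shlex

_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def _check_port_spec(spec, what):
    """Accept '22' or '6000-6010'; reject values outside 1-65535 and inverted ranges."""
    m = _RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"{what}: '{spec}' is not a port or port range")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"{what}: '{spec}' is outside 1-65535 or inverted")
    return spec


def forward_port_arg(port, proto, toport=None, toaddr=None):
    """Return the option value, e.g. 'port=22:proto=tcp:toaddr=127.0.0.2'."""
    if proto not in ("tcp", "udp"):
        raise ValueError(f"proto must be tcp or udp, got '{proto}'")
    if toport is None and toaddr is None:
        raise ValueError("at least one of toport or toaddr is required")
    parts = [f"port={_check_port_spec(str(port), 'port')}", f"proto={proto}"]
    if toport is not None:
        parts.append(f"toport={_check_port_spec(str(toport), 'toport')}")
    if toaddr is not None:
        addr = ipaddress.ip_address(toaddr)      # raises ValueError on garbage
        if addr.version != 4:
            raise ValueError("toaddr must be IPv4: port forwarding is IPv4 only")
        parts.append(f"toaddr={addr}")
    return ":".join(parts)


def is_valid_forward_port(port, proto, toport=None, toaddr=None):
    """Boolean form of the validation for callers that only want yes/no."""
    try:
        forward_port_arg(port, proto, toport, toaddr)
        return True
    except ValueError:
        return False


def forward_port_commands(zone, port, proto, toport=None, toaddr=None, permanent=True):
    """Return (add_argv, query_argv) for the zone.

    The query command is the check to run afterwards: per the --query-*
    descriptions above, exit status 0 means the forward is present.
    """
    base = ["firewall-cmd"] + (["--permanent"] if permanent else []) + [f"--zone={zone}"]
    value = forward_port_arg(port, proto, toport, toaddr)
    return (base + [f"--add-forward-port={value}"],
            base + [f"--query-forward-port={value}"])


if __name__ == "__main__":
    # Reproduces the ssh example above for the home zone.
    add, query = forward_port_commands("home", 22, "tcp", toaddr="127.0.0.2")
    print(" ".join(shlex.quote(a) for a in add))
    print(" ".join(shlex.quote(a) for a in query))
```

The point of separating the builder from execution is that a malformed or IPv6 target is rejected before any rule is written; a deployment script would run the add command, then the query command, and treat a non-zero exit from the query as a failed change.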

Direct options

The direct options are mostly for services and applications to be able to add custom rules. The rules are not saved and have to be resubmitted after a reload or restart. The arguments of the passthrough option are the same as the corresponding iptables, ip6tables and ebtables arguments.
The --direct option needs to be the first option for all direct options.
  • Pass a command through to the firewall. <args> can be all iptables, ip6tables and ebtables command line arguments.
firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>
  • Add a new chain with name <chain> to table <table>.
firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>
  • Remove the chain with name <chain> from table <table>.
firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>
  • Query whether a chain with name <chain> exists in table <table>. Returns 0 if true, 1 otherwise; there is no output.
firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>
  • Get all chains added to table <table> as a space separated list.
firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb } <table>
  • Add a rule with the arguments <args> to chain <chain> in table <table> with priority <priority>.
firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
  • Remove the rule with the arguments <args> from chain <chain> in table <table>.
firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
  • Query whether a rule with the arguments <args> exists in chain <chain> in table <table>. Returns 0 if true, 1 otherwise; there is no output.
firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
  • Get all rules added to chain <chain> in table <table> as a newline separated list of arguments.
firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>

The current firewalld features

D-BUS Interface

The D-BUS interface gives information about the firewall state and makes it possible to enable, disable and query firewall settings.

Zones

A network or firewall zone defines the trust level of the interface used for a connection. There are several pre-defined zones provided by firewalld. Zone configuration options and generic file information are described in the firewalld.zone(5) man page.

Services

A service can be a list of local ports and destinations and additionally also a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Service configuration options and generic file information are described in the firewalld.service(5) man page.

ICMP types

The Internet Control Message Protocol (ICMP) is used to exchange information and also error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages. ICMP type configuration options and generic file information are described in the firewalld.icmptype(5) man page.

Direct interface

The direct interface is mainly used by services or applications to add specific firewall rules. The rules are not permanent and need to get applied after receiving the start, restart or reload message from firewalld using D-BUS.

Runtime configuration

The runtime configuration is not permanent and will only be restored for a reload. After restart or stop of the service or a system reboot, these options will be gone.

Permanent configuration

The permanent configuration is stored in config files and will be restored with every machine boot or service reload or restart.

Tray Applet

The tray applet firewall-applet visualizes the firewall state and also problems with the firewall for the user. It can also be used to configure settings by calling firewall-config.

Graphical Configuration Tool

The configuration tool firewall-config is the main configuration tool for the firewall daemon. It supports all features of the firewall except the direct interface, which is handled by the service or application that added the rules.

Command Line client

firewall-cmd provides (most of) the configuration features of the graphical tool for the command line.

Support for ebtables

ebtables support is needed to fulfill all needs of the libvirt daemon and to prevent access problems between ip*tables and ebtables at the kernel netfilter level. All these commands access the same structures and therefore should not be used at the same time.

Default/Fallback configuration in /usr/lib/firewalld

This directory contains the default and fallback configuration provided by firewalld for icmptypes, services and zones. The files provided with the firewalld package should not be changed; such changes are lost when the firewalld package is updated. Additional icmptypes, services and zones can be provided by packages or by creating files.

System configuration settings in /etc/firewalld

The system or user configuration stored here is created by the system administrator, either by customization through the configuration interface of firewalld or by hand. These files override the default configuration files.
To manually change settings of pre-defined icmptypes, zones or services, copy the file from the default configuration directory to the corresponding directory in the system configuration directory and change it accordingly.
It is not possible to override immutable zones, because these may not be changed. If you load the defaults for a zone that has a default or fallback file, the file in /etc/firewalld is renamed with a .old suffix and the fallback is used again.

Work in Progress Features

Rich Language

The rich language provides a high level language for expressing more complex firewall rules for IPv4 and IPv6 without knowledge of iptables syntax.
Fedora 19 provides milestone 2 of the rich language, with D-Bus and command line client support. Milestone 3 will also provide support within firewall-config, the graphical configuration program.
For more information on this, please have a look at: firewalld Rich Language

Lockdown

Lockdown adds a simple configuration setting to firewalld that locks down configuration changes from local applications or services. It is a very light version of application policies.
Fedora 19 provides milestone 2 of the lockdown feature, with D-Bus and command line client support. Milestone 3 will also provide support within firewall-config, the graphical configuration program.
For more information on this, please have a look at: firewalld Lockdown

Permanent Direct Rules

This feature is in an early state. It provides the ability to permanently save direct rules and chains. Passthrough rules are not part of this. See Direct options for more information on direct rules.

Migration from ip*tables and ebtables services

This feature is in a very early state. It will provide a conversion script that creates permanent direct rules from the iptables, ip6tables and ebtables service configurations as far as possible. A limitation here might be the integration into the direct chains firewalld provides.
This needs a lot of testing, ideally also with more complex firewall configurations.

Planned and Proposed Features

 

Thursday, August 29, 2013

Linux Bandwidth Management

1. Using HTB

HTB example

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 11

tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbps ceil 100kbps
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 2kbps ceil 2kbps
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 50kbps ceil 50kbps

tc filter replace dev eth0 \
 protocol ip parent 1: prio 1 handle 0x19 fw flowid 1:12

iptables -t mangle -F
iptables -t mangle -A POSTROUTING -d 195.47.235.3 -j MARK --set-mark 0x19
 
 
To capture cache-hit traffic coming from a remote proxy machine, which carries TOS 0x30 or DSCP 12, there are two ways to do traffic control on Linux (note: eth0 is the LAN device):
  1. Create a class to capture the cache-hit traffic and set a filter like the one below:
    tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip protocol 0x6 \
        0xff match ip tos 0x30 0xff flowid 1:68
    
  2. Create an iptables mangle rule and set a mark for the cache-hit traffic like the one below:
    iptables -A FORWARD -t mangle -p tcp -m dscp --dscp 12 -j MARK --set-mark 0x212
    
Now compare the results of the two commands below:
  1. tc -s -d class show dev eth0
    ...
    class htb 1:68 parent 1:66 leaf 68: prio 0 quantum 60000 rate 100000Kbit ceil 100000Kbit burst 126575b/8 mpu 0b overhead 0b cburst 126575b/8 mpu 0b overhead 0b level 0 
    Sent 679063 bytes 665 pkts (dropped 0, overlimits 0)
     rate 136bit
     lended: 665 borrowed: 0 giants: 0
     tokens: 8265 ctokens: 8265
    
  2. iptables -L FORWARD -t mangle -nv
    Chain FORWARD (policy ACCEPT 255K packets, 127M bytes)
     pkts bytes target   prot opt in   out   source      destination         
      665  670K MARK     tcp  --  *    *     0.0.0.0/0   0.0.0.0/0     DSCP match 0x0c MARK set 0x1
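The comparison above is done by eye: the htb class and the MARK rule should have counted the same packets. As an added example (not from the original post), this script parses the two outputs and reports whether the counters agree. The embedded outputs are constructed copies shaped like the ones above, with the MARK rule shown setting 0x212; it assumes that every packet the class receives was marked by that one rule, and that iptables -nv prints rounded counters (670K) while tc prints exact ones (679063), which is why bytes are compared with a tolerance and packets exactly.

```python
"""Cross-check tc class counters against iptables MARK counters.

Added example; not from the original post. Parses `tc -s -d class show`
and `iptables -L FORWARD -t mangle -nv` output (constructed samples below)
and compares the packet and byte counts of the class with those of the
MARK rule that feeds it.
"""
import re

# Constructed sample, shaped like the tc output above.
TC_OUTPUT = """\
class htb 1:68 parent 1:66 leaf 68: prio 0 quantum 60000 rate 100000Kbit ceil 100000Kbit burst 126575b/8 mpu 0b overhead 0b cburst 126575b/8 mpu 0b overhead 0b level 0
 Sent 679063 bytes 665 pkts (dropped 0, overlimits 0)
 rate 136bit
 lended: 665 borrowed: 0 giants: 0
 tokens: 8265 ctokens: 8265
"""

# Constructed sample, shaped like the iptables output above.
IPTABLES_OUTPUT = """\
Chain FORWARD (policy ACCEPT 255K packets, 127M bytes)
 pkts bytes target   prot opt in   out   source      destination
  665  670K MARK     tcp  --  *    *     0.0.0.0/0   0.0.0.0/0     DSCP match 0x0c MARK set 0x212
"""

# iptables -nv abbreviates counters in powers of 1000 (use -x for exact values).
_SUFFIX = {"": 1, "K": 1000, "M": 1_000_000, "G": 1_000_000_000}


def parse_tc_class(output, classid):
    """Return (bytes, pkts) from the 'Sent' line of the given htb class."""
    m = re.search(rf"^class htb {re.escape(classid)} .*?\n\s*Sent (\d+) bytes (\d+) pkts",
                  output, re.M | re.S)
    if not m:
        raise ValueError(f"class {classid} not found")
    return int(m.group(1)), int(m.group(2))


def iptables_count(text):
    """Convert an iptables -nv counter such as '670K' to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_mark_rule(output, mark):
    """Return (pkts, bytes) of the MARK rule that sets the given mark."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[2] == "MARK" and line.rstrip().endswith(f"MARK set {mark}"):
            return iptables_count(fields[0]), iptables_count(fields[1])
    raise ValueError(f"no MARK rule setting {mark}")


def counters_agree(tc_output, ipt_output, classid, mark, byte_tolerance=0.05):
    """True when packet counts match exactly and byte counts agree within the tolerance.

    A packet mismatch means marked traffic is not landing in the class (or
    unmarked traffic is), i.e. the filter and the mangle rule disagree.
    """
    tc_bytes, tc_pkts = parse_tc_class(tc_output, classid)
    ipt_pkts, ipt_bytes = parse_mark_rule(ipt_output, mark)
    if tc_pkts != ipt_pkts:
        return False
    return abs(tc_bytes - ipt_bytes) <= byte_tolerance * max(tc_bytes, ipt_bytes)


if __name__ == "__main__":
    print("counters agree:", counters_agree(TC_OUTPUT, IPTABLES_OUTPUT, "1:68", "0x212"))
```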
    

 
 

Wednesday, August 28, 2013

Installing SNMP on Linux

  Installing Net-SNMP

Packages to install:
Package | Provides
net-snmp | The SNMP Agent Daemon and documentation. This package is required for exporting performance data.
net-snmp-libs | The netsnmp library and the bundled management information bases (MIBs). This package is required for exporting performance data.
net-snmp-utils | SNMP clients such as snmpget and snmpwalk. This package is required in order to query a system's performance data over SNMP.
net-snmp-perl | The mib2c utility and the NetSNMP Perl module.
net-snmp-python | An SNMP client library for Python.

~]# yum install net-snmp net-snmp-libs net-snmp-utils


Running the Net-SNMP Daemon

Starting the Service

Start the snmpd service:
systemctl start snmpd.service
Start it automatically at boot:
systemctl enable snmpd.service

Stopping the Service

To stop the snmpd service, use the command:
systemctl stop snmpd.service
To keep the service from starting at boot:
systemctl disable snmpd.service

Restarting the Service

To restart:
systemctl restart snmpd.service
To re-read the configuration without restarting:
systemctl reload snmpd.service

Configuring Net-SNMP

To change the configuration, edit the file /etc/snmp/snmpd.conf.
The snmpconf utility can be used to configure the net-snmp package.
The net-snmp-utils package must be installed in order to use the snmpwalk command.

16.5.3.1. Setting System Information

Net-SNMP provides some rudimentary system information via the system tree. For example, the following snmpwalk command shows the system tree with a default agent configuration.
~]# snmpwalk -v2c -c public localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (99554) 0:16:35.54
SNMPv2-MIB::sysContact.0 = STRING: Root  (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: localhost.localdomain
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
By default, the sysName object is set to the hostname. The sysLocation and sysContact objects can be configured in the /etc/snmp/snmpd.conf file by changing the value of the syslocation and syscontact directives, for example:
syslocation Datacenter, Row 3, Rack 2
syscontact UNIX Admin 
After making changes to the configuration file, reload the configuration and test it by running the snmpwalk command again:
~]# systemctl reload snmpd.service
~]# snmpwalk -v2c -c public localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (158357) 0:26:23.57
SNMPv2-MIB::sysContact.0 = STRING: UNIX Admin 
SNMPv2-MIB::sysName.0 = STRING: localhost.localdomain
SNMPv2-MIB::sysLocation.0 = STRING: Datacenter, Row 3, Rack 2

16.5.3.2. Configuring Authentication

The Net-SNMP Agent Daemon supports all three versions of the SNMP protocol. The first two versions (1 and 2c) provide for simple authentication using a community string. This string is a shared secret between the agent and any client utilities. The string is passed in clear text over the network however and is not considered secure. Version 3 of the SNMP protocol supports user authentication and message encryption using a variety of protocols. The Net-SNMP agent also supports tunneling over SSH, TLS authentication with X.509 certificates, and Kerberos authentication.
Configuring SNMP Version 2c Community
To configure an SNMP version 2c community, use either the rocommunity or rwcommunity directive in the /etc/snmp/snmpd.conf configuration file. The format of the directives is the following:
directive community [source [OID]]
… where community is the community string to use, source is an IP address or subnet, and OID is the SNMP tree to provide access to. For example, the following directive provides read-only access to the system tree to a client using the community string redhat on the local machine:
rocommunity redhat 127.0.0.1 .1.3.6.1.2.1.1
To test the configuration, use the snmpwalk command with the -v and -c options.
~]# snmpwalk -v2c -c redhat localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (158357) 0:26:23.57
SNMPv2-MIB::sysContact.0 = STRING: UNIX Admin 
SNMPv2-MIB::sysName.0 = STRING: localhost.localdomain
SNMPv2-MIB::sysLocation.0 = STRING: Datacenter, Row 3, Rack 2
Configuring SNMP Version 3 User
To configure an SNMP version 3 user, use the net-snmp-create-v3-user command. This command adds entries to the /var/lib/net-snmp/snmpd.conf and /etc/snmp/snmpd.conf files which create the user and grant access to the user. Note that the net-snmp-create-v3-user command may only be run when the agent is not running. The following example creates the admin user with the password redhatsnmp:
~]# systemctl stop snmpd.service
~]# net-snmp-create-v3-user
Enter a SNMPv3 user name to create:
admin
Enter authentication pass-phrase:
redhatsnmp
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]

adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser admin MD5 "redhatsnmp" DES
adding the following line to /etc/snmp/snmpd.conf:
   rwuser admin
~]# systemctl start snmpd.service
The rwuser directive (or rouser when the -ro command line option is supplied) that net-snmp-create-v3-user adds to /etc/snmp/snmpd.conf has a similar format to the rwcommunity and rocommunity directives:
directive user [noauth|auth|priv] [OID]
… where user is a username and OID is the SNMP tree to provide access to. By default, the Net-SNMP Agent Daemon allows only authenticated requests (the auth option). The noauth option allows you to permit unauthenticated requests, and the priv option enforces the use of encryption. The authpriv option specifies that requests must be authenticated and replies should be encrypted.
For example, the following line grants the user admin read-write access to the entire tree:
rwuser admin authpriv .1
To test the configuration, create a .snmp directory in your user's home directory and a configuration file named snmp.conf in that directory (~/.snmp/snmp.conf) with the following lines:
defVersion 3
defSecurityLevel authPriv
defSecurityName admin
defPassphrase redhatsnmp
The snmpwalk command will now use these authentication settings when querying the agent:
~]$ snmpwalk -v3 localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64
[output truncated]
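The directives introduced in this section are where SNMP exposure is usually decided, so a small audit script is a useful companion to the examples. The following is an added example, not Net-SNMP code and not from the documentation above. It parses the rocommunity/rwcommunity, rouser/rwuser and createUser formats exactly as described above; the severity rules are this script's own assumptions: a well-known community string such as public, a community with no source restriction, any read-write community (the secret travels in clear text in v1/2c), a v3 user permitted with noauth or without encryption, and MD5/DES as the v3 algorithms (the defaults net-snmp-create-v3-user wrote in the transcript above; SHA and AES are the stronger choices). The embedded configuration is a constructed sample.

```python
"""Audit snmpd.conf access directives for weak settings.

Added example; not part of Net-SNMP or its documentation. Directive formats
follow the section above:
  rocommunity|rwcommunity <community> [source [OID]]
  rouser|rwuser <user> [noauth|auth|priv|authpriv] [OID]
  createUser <user> <authproto> "<pass>" <privproto>
The severity assignments are this script's assumptions, not Net-SNMP's.
"""
import shlex

WELL_KNOWN_COMMUNITIES = {"public", "private"}   # the strings every scanner tries first
WEAK_AUTH = {"MD5"}                              # prefer SHA
WEAK_PRIV = {"DES"}                              # prefer AES

# Constructed sample: a distribution default plus the lines from the transcript above.
SAMPLE_CONF = """\
# default from many distributions
rocommunity public
rocommunity redhat 127.0.0.1 .1.3.6.1.2.1.1
rwuser admin authpriv .1
createUser admin MD5 "redhatsnmp" DES
"""


def audit_snmpd_conf(text):
    """Return a list of (severity, line, message) findings for the config text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        try:
            tokens = shlex.split(line)           # handles the quoted pass-phrase
        except ValueError:
            findings.append(("warn", line, "could not parse line"))
            continue
        directive, args = tokens[0], tokens[1:]

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(("high", line, f"well-known community string '{community}'"))
            if source == "default":
                findings.append(("high", line, "no source restriction: any host may use this community"))
            if directive.startswith("rw"):
                findings.append(("high", line, "read-write community: v1/2c sends the secret in clear text"))
            else:
                findings.append(("info", line, "v1/2c community: secret travels in clear text"))

        elif directive in ("rouser", "rwuser"):
            level = args[1] if len(args) > 1 else "auth"   # agent default is auth (see above)
            if level == "noauth":
                findings.append(("high", line, "v3 user permitted without authentication"))
            elif level == "auth":
                findings.append(("medium", line, "v3 user without encryption: use priv/authpriv"))
            if directive == "rwuser" and (len(args) < 3 or args[2] == ".1"):
                findings.append(("medium", line, "read-write access to the whole tree"))

        elif directive == "createUser" and len(args) >= 4:
            user, authproto, privproto = args[0], args[1], args[3]
            if authproto.upper() in WEAK_AUTH:
                findings.append(("medium", line, f"user {user}: {authproto} authentication; prefer SHA"))
            if privproto.upper() in WEAK_PRIV:
                findings.append(("medium", line, f"user {user}: {privproto} encryption; prefer AES"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the config raised no findings."""
    order = {"info": 0, "warn": 1, "medium": 1, "high": 2}
    return max((f[0] for f in findings), key=lambda s: order[s], default=None)


if __name__ == "__main__":
    for severity, line, message in audit_snmpd_conf(SAMPLE_CONF):
        print(f"[{severity}] {line}: {message}")
```

Run it against both /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf, since createUser lines live in the latter; the rwuser line the documentation itself uses is reported as whole-tree read-write, which is the intended behaviour of the check rather than an error.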
 
 

 Retrieving Performance Data over SNMP

The Net-SNMP Agent in Fedora provides a wide variety of performance information over the SNMP protocol. In addition, the agent can be queried for a listing of the installed RPM packages on the system, a listing of currently running processes on the system, or the network configuration of the system.
This section provides an overview of OIDs related to performance tuning available over SNMP. It assumes that the net-snmp-utils package is installed and that the user is granted access to the SNMP tree as described in Section 16.5.3.2, “Configuring Authentication”.

16.5.4.1. Hardware Configuration

The Host Resources MIB included with Net-SNMP presents information about the current hardware and software configuration of a host to a client utility. Table 16.3, “Available OIDs” summarizes the different OIDs available under that MIB.
Table 16.3. Available OIDs
OID Description
HOST-RESOURCES-MIB::hrSystem Contains general system information such as uptime, number of users, and number of running processes.
HOST-RESOURCES-MIB::hrStorage Contains data on memory and file system usage.
HOST-RESOURCES-MIB::hrDevices Contains a listing of all processors, network devices, and file systems.
HOST-RESOURCES-MIB::hrSWRun Contains a listing of all running processes.
HOST-RESOURCES-MIB::hrSWRunPerf Contains memory and CPU statistics on the process table from HOST-RESOURCES-MIB::hrSWRun.
HOST-RESOURCES-MIB::hrSWInstalled Contains a listing of the RPM database.

There are also a number of SNMP tables available in the Host Resources MIB which can be used to retrieve a summary of the available information. The following example displays HOST-RESOURCES-MIB::hrFSTable:
~]$ snmptable -Cb localhost HOST-RESOURCES-MIB::hrFSTable
SNMP table: HOST-RESOURCES-MIB::hrFSTable

 Index MountPoint RemoteMountPoint                                Type
    Access Bootable StorageIndex LastFullBackupDate LastPartialBackupDate
     1        "/"               "" HOST-RESOURCES-TYPES::hrFSLinuxExt2
 readWrite     true           31      0-1-1,0:0:0.0         0-1-1,0:0:0.0
     5 "/dev/shm"               ""     HOST-RESOURCES-TYPES::hrFSOther
 readWrite    false           35      0-1-1,0:0:0.0         0-1-1,0:0:0.0
     6    "/boot"               "" HOST-RESOURCES-TYPES::hrFSLinuxExt2
 readWrite    false           36      0-1-1,0:0:0.0         0-1-1,0:0:0.0
For more information about HOST-RESOURCES-MIB, see the /usr/share/snmp/mibs/HOST-RESOURCES-MIB.txt file.

16.5.4.2. CPU and Memory Information

Most system performance data is available in the UCD SNMP MIB. The systemStats OID provides a number of counters around processor usage:
~]$ snmpwalk localhost UCD-SNMP-MIB::systemStats
UCD-SNMP-MIB::ssIndex.0 = INTEGER: 1
UCD-SNMP-MIB::ssErrorName.0 = STRING: systemStats
UCD-SNMP-MIB::ssSwapIn.0 = INTEGER: 0 kB
UCD-SNMP-MIB::ssSwapOut.0 = INTEGER: 0 kB
UCD-SNMP-MIB::ssIOSent.0 = INTEGER: 0 blocks/s
UCD-SNMP-MIB::ssIOReceive.0 = INTEGER: 0 blocks/s
UCD-SNMP-MIB::ssSysInterrupts.0 = INTEGER: 29 interrupts/s
UCD-SNMP-MIB::ssSysContext.0 = INTEGER: 18 switches/s
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 99
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 2278
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 1395
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 6826
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 3383736
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 7629
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 434
UCD-SNMP-MIB::ssIORawSent.0 = Counter32: 266770
UCD-SNMP-MIB::ssIORawReceived.0 = Counter32: 427302
UCD-SNMP-MIB::ssRawInterrupts.0 = Counter32: 743442
UCD-SNMP-MIB::ssRawContexts.0 = Counter32: 718557
UCD-SNMP-MIB::ssCpuRawSoftIRQ.0 = Counter32: 128
UCD-SNMP-MIB::ssRawSwapIn.0 = Counter32: 0
UCD-SNMP-MIB::ssRawSwapOut.0 = Counter32: 0
In particular, the ssCpuRawUser, ssCpuRawSystem, ssCpuRawWait, and ssCpuRawIdle OIDs provide counters which are helpful when determining whether a system is spending most of its processor time in kernel space, user space, or I/O. ssRawSwapIn and ssRawSwapOut can be helpful when determining whether a system is suffering from memory exhaustion.
More memory information is available under the UCD-SNMP-MIB::memory OID, which provides similar data to the free command:
~]$ snmpwalk localhost UCD-SNMP-MIB::memory
UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
UCD-SNMP-MIB::memErrorName.0 = STRING: swap
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 1023992 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 1023992 kB
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 1021588 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 634260 kB
UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 1658252 kB
UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000 kB
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 30760 kB
UCD-SNMP-MIB::memCached.0 = INTEGER: 216200 kB
UCD-SNMP-MIB::memSwapError.0 = INTEGER: noError(0)
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING:
Load averages are also available in the UCD SNMP MIB. The SNMP table UCD-SNMP-MIB::laTable has a listing of the 1, 5, and 15 minute load averages:
~]$ snmptable localhost UCD-SNMP-MIB::laTable
SNMP table: UCD-SNMP-MIB::laTable

 laIndex laNames laLoad laConfig laLoadInt laLoadFloat laErrorFlag laErrMessage
       1  Load-1   0.00    12.00         0    0.000000     noError
       2  Load-5   0.00    12.00         0    0.000000     noError
       3 Load-15   0.00    12.00         0    0.000000     noError

16.5.4.3. File System and Disk Information

The Host Resources MIB provides information on file system size and usage. Each file system (and also each memory pool) has an entry in the HOST-RESOURCES-MIB::hrStorageTable table:
~]$ snmptable -Cb localhost HOST-RESOURCES-MIB::hrStorageTable
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

 Index                                         Type           Descr
AllocationUnits    Size   Used AllocationFailures
     1           HOST-RESOURCES-TYPES::hrStorageRam Physical memory
1024 Bytes 1021588 388064                  ?
     3 HOST-RESOURCES-TYPES::hrStorageVirtualMemory  Virtual memory
1024 Bytes 2045580 388064                  ?
     6         HOST-RESOURCES-TYPES::hrStorageOther  Memory buffers
1024 Bytes 1021588  31048                  ?
     7         HOST-RESOURCES-TYPES::hrStorageOther   Cached memory
1024 Bytes  216604 216604                  ?
    10 HOST-RESOURCES-TYPES::hrStorageVirtualMemory      Swap space
1024 Bytes 1023992      0                  ?
    31     HOST-RESOURCES-TYPES::hrStorageFixedDisk               /
4096 Bytes 2277614 250391                  ?
    35     HOST-RESOURCES-TYPES::hrStorageFixedDisk        /dev/shm
4096 Bytes  127698      0                  ?
    36     HOST-RESOURCES-TYPES::hrStorageFixedDisk           /boot
1024 Bytes  198337  26694                  ?
The OIDs under HOST-RESOURCES-MIB::hrStorageSize and HOST-RESOURCES-MIB::hrStorageUsed can be used to calculate the remaining capacity of each mounted file system.
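As an added example (not Net-SNMP code, and not from the documentation above), the following script turns the hrStorageTable dump shown above into remaining capacity per entry. The detail it exists to show is hrStorageAllocationUnits: hrStorageSize and hrStorageUsed are counted in allocation units, not bytes, and the unit differs per row (1024 for the memory entries and 1024 or 4096 for the file systems above), so free space must be multiplied out per entry. The embedded table is a constructed copy of a few rows from the output above, in the same wrapped snmptable -Cb layout.

```python
"""Remaining capacity from an hrStorageTable dump.

Added example; not from Net-SNMP or the documentation above. Parses the
wrapped `snmptable -Cb` layout (constructed sample below) and applies
hrStorageAllocationUnits, which is the step that is easy to get wrong.
"""
import re
from dataclasses import dataclass

# Constructed sample in the wrapped layout snmptable produced above.
SAMPLE_TABLE = """\
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

 Index                                         Type           Descr
AllocationUnits    Size   Used AllocationFailures
     1           HOST-RESOURCES-TYPES::hrStorageRam Physical memory
1024 Bytes 1021588 388064                  ?
    31     HOST-RESOURCES-TYPES::hrStorageFixedDisk               /
4096 Bytes 2277614 250391                  ?
    35     HOST-RESOURCES-TYPES::hrStorageFixedDisk        /dev/shm
4096 Bytes  127698      0                  ?
    36     HOST-RESOURCES-TYPES::hrStorageFixedDisk           /boot
1024 Bytes  198337  26694                  ?
"""

# One row after the wrapped lines are joined: index, type, descr, unit, size, used, failures.
_ROW_RE = re.compile(
    r"(\d+)\s+HOST-RESOURCES-TYPES::(hrStorage\w+)\s+(.+?)\s+(\d+)\s+Bytes\s+(\d+)\s+(\d+)\s+\S+"
)


@dataclass
class Storage:
    index: int
    kind: str      # hrStorageRam, hrStorageFixedDisk, ...
    descr: str     # mount point or memory pool name
    unit: int      # hrStorageAllocationUnits in bytes
    size: int      # hrStorageSize, in allocation units
    used: int      # hrStorageUsed, in allocation units

    @property
    def free_bytes(self):
        return (self.size - self.used) * self.unit

    @property
    def used_pct(self):
        return 100.0 * self.used / self.size if self.size else 0.0


def parse_hr_storage(text):
    """Join the wrapped rows into one line and extract one Storage per entry."""
    flat = " ".join(text.split())
    return [Storage(int(i), kind, descr, int(unit), int(size), int(used))
            for i, kind, descr, unit, size, used in _ROW_RE.findall(flat)]


def filesystems_over(entries, threshold_pct):
    """Mount points of hrStorageFixedDisk entries at or above the usage threshold."""
    return [e.descr for e in entries
            if e.kind == "hrStorageFixedDisk" and e.used_pct >= threshold_pct]


if __name__ == "__main__":
    for e in parse_hr_storage(SAMPLE_TABLE):
        print(f"{e.descr:16} {e.used_pct:6.2f}% used, {e.free_bytes:>14,} bytes free")
    print("over 10%:", filesystems_over(parse_hr_storage(SAMPLE_TABLE), 10))
```

In a monitoring job the same parser would be fed the live snmptable output; the threshold function is the piece that becomes an alert.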
I/O data is available both in UCD-SNMP-MIB::systemStats (ssIORawSent.0 and ssIORawReceived.0) and in UCD-DISKIO-MIB::diskIOTable. The latter provides much more granular data. Under this table are OIDs for diskIONReadX and diskIONWrittenX, which provide counters for the number of bytes read from and written to the block device in question since the system boot:
~]$ snmptable -Cb localhost UCD-DISKIO-MIB::diskIOTable
SNMP table: UCD-DISKIO-MIB::diskIOTable

 Index Device     NRead  NWritten Reads Writes LA1 LA5 LA15    NReadX NWrittenX
...
    25    sda 216886272 139109376 16409   4894   ?   ?    ? 216886272 139109376
    26   sda1   2455552      5120   613      2   ?   ?    ?   2455552      5120
    27   sda2   1486848         0   332      0   ?   ?    ?   1486848         0
    28   sda3 212321280 139104256 15312   4871   ?   ?    ? 212321280 139104256

16.5.4.4. Network Information

Information on network devices is provided by the Interfaces MIB. IF-MIB::ifTable provides an SNMP table with an entry for each interface on the system, the configuration of the interface, and various packet counters for the interface. The following example shows the first few columns of ifTable on a system with two physical network interfaces:
~]$ snmptable -Cb localhost IF-MIB::ifTable
SNMP table: IF-MIB::ifTable

 Index Descr             Type   Mtu    Speed      PhysAddress AdminStatus
     1    lo softwareLoopback 16436 10000000                           up
     2  eth0   ethernetCsmacd  1500        0 52:54:0:c7:69:58          up
     3  eth1   ethernetCsmacd  1500        0 52:54:0:a7:a3:24        down
Network traffic is available under the OIDs IF-MIB::ifOutOctets and IF-MIB::ifInOctets. The following SNMP queries will retrieve network traffic for each of the interfaces on this system:
~]$ snmpwalk localhost IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
~]$ snmpwalk localhost IF-MIB::ifOutOctets
IF-MIB::ifOutOctets.1 = Counter32: 10060699
IF-MIB::ifOutOctets.2 = Counter32: 650
IF-MIB::ifOutOctets.3 = Counter32: 0
~]$ snmpwalk localhost IF-MIB::ifInOctets
IF-MIB::ifInOctets.1 = Counter32: 10060699
IF-MIB::ifInOctets.2 = Counter32: 78650
IF-MIB::ifInOctets.3 = Counter32: 0
 

Changing the runlevel with systemctl

How to change the runlevel

With systemd the inittab file is no longer used.
Runlevel 3 is the multi-user runlevel.
Runlevel 5 is the graphical runlevel.
Switch to 'runlevel 3' by running the command
 systemctl isolate multi-user.target (or) systemctl isolate runlevel3.target 
Switch to 'runlevel 5' with the command
 systemctl isolate graphical.target (or) systemctl isolate runlevel5.target 

Changing the default runlevel

First remove the default runlevel symlink
 rm /etc/systemd/system/default.target 
Switch to runlevel 3 as the default
 ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target 
Switch to runlevel 5 as the default
 ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target 

Finding the active runlevel


 systemctl list-units --type=target 




Done

Tuesday, August 27, 2013

Creating a bridge on Linux


How to create a bridge on Linux

Download brctl-utils
Use the following commands:
/usr/sbin/brctl addbr br0
/usr/sbin/brctl stp br0 on
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/sbin/ifconfig eth0 down
/sbin/ifconfig eth1 down
/sbin/ifconfig eth0 0.0.0.0 up
/sbin/ifconfig eth1 0.0.0.0 up
/sbin/ifconfig br0 172.16.240.4 netmask 255.255.255.224 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/bridge/bridge-nf-call-arptables
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 524288 > /proc/sys/net/ipv4/route/max_size
/sbin/route add default gw 172.16.240.1

Running a script automatically on Linux

How to run a script automatically at boot on Linux

Create the file /etc/rc.local
chmod +x /etc/rc.local
Edit the file /etc/rc.local
and add
#!/bin/bash

Then run the command
  systemctl enable rc-local.service
Then check its status with the command:
  systemctl status rc-local.service  


 Done 

Viewing and Adding Services on Linux

Viewing and adding services on Fedora Linux:

The command used is: systemctl 

Starting and stopping services

systemctl start sshd.service
systemctl stop sshd.service
systemctl restart sshd.service

Running a service automatically

systemctl enable sshd.service 
systemctl disable sshd.service

Killing and masking services

Example: kill a service and its child processes

  systemctl kill sshd.service
 
Send a Unix signal to a running service
 
  systemctl kill -s USR1 daemon.service
 
 
Freeze a service so that it cannot be started
 
  systemctl mask sshd.service
In this example, systemctl creates a symlink from /etc/systemd/system/sshd.service to /dev/null.
Since units in /etc/systemd take precedence over those in /lib/systemd, systemd will not start the service.
 

Other systemd commands:

sysVinit command | systemd command | Notes
service sshd start | systemctl start sshd.service | Used to start a service (not reboot persistent).
service sshd stop | systemctl stop sshd.service | Used to stop a service (not reboot persistent).
service sshd restart | systemctl restart sshd.service | Used to stop and then start a service.
service sshd reload | systemctl reload sshd.service | When supported, reloads the config file without interrupting pending operations.
service sshd condrestart | systemctl condrestart sshd.service | Restarts if the service is already running.
service sshd status | systemctl status sshd.service | Tells whether a service is currently running.
ls /etc/rc.d/init.d/ | systemctl list-unit-files --type=service | Lists all available services.
chkconfig sshd on | systemctl enable sshd.service | Always run the service at this target (runlevel).
chkconfig sshd off | systemctl disable sshd.service | Do not automatically run the service at this target (runlevel).
chkconfig --list | systemctl list-units -t service --all | Print a table of available services and their status.
chkconfig sshd --list | ls /etc/systemd/system/*.wants/sshd.service | Lists the targets that will include the service.
chkconfig sshd --add | systemctl daemon-reload | Used when you create a service file or modify any configuration.
telinit 3 | systemctl isolate multi-user.target | Move the system into another target (change runlevels).
[no comparable command] | systemctl show -p "Wants" multi-user.target | Lists units pulled in by a given target.
[no comparable command] | systemctl show -p "After" sshd.service | Shows dependent services and other targets.
[no comparable command] | systemd --test --system --unit=multi-user.target | Simulates booting the system to a given target.
[no comparable command] | systemd-analyze plot > boot.svg | Generates a diagnostically useful graphical representation of the boot process.
ps xawf -eo pid,user,cgroup,args | systemd-cgls | Display the control group process tree.



Monday, August 26, 2013

Renaming a network card on Fedora 19



Renaming a network connection

Method 1
Edit /etc/udev/rules.d: edit the file 70-persistent-net.rules, change the line NAME="p4p1" to NAME="eth0", then reboot your Linux system.

Method 2
Edit the file /etc/default/grub and add "biosdevname=0" to the GRUB_CMDLINE_LINUX line, then rebuild the grub.cfg file with the command:

"grub2-mkconfig -o /boot/grub2/grub.cfg" followed by a reboot.

Method 3
Check the device names

 $ ls /sys/class/net
lo eth0 eth1 firewire0

Disable dynamic naming on Linux with the command:

 # ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules

Set the network card device names by editing a file in /etc/udev/rules.d/

/etc/udev/rules.d/10-network.rules

Example:

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="aa:bb:cc:dd:ee:ff", NAME="net1"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="ff:ee:dd:cc:bb:aa", NAME="net0"

Set the device MTU and queue length in /etc/udev/rules.d/10-network.rules

ACTION=="add", SUBSYSTEM=="net", KERNEL=="wl*", ATTR{mtu}="1480", ATTR{tx_queue_len}="2000"
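A generator for the 10-network.rules lines above, as an added example that is not from the original post. It assumes that udev compares ATTR{address} literally against the value the kernel reports, which is lower-case colon-separated hex, so a MAC copied from a vendor label in upper case or with dashes is normalised before it is written; it also rejects malformed MACs, duplicate MACs and duplicate names, which are the usual reasons a rule silently never matches. The MAC addresses in the test are the placeholder values from the example above.

```python
"""Generate /etc/udev/rules.d/10-network.rules lines from a MAC-to-name map.

Added example; not from the original post. Assumptions: udev matches
ATTR{address} literally and the kernel exposes MACs as lower-case
colon-separated hex, so input MACs are normalised to that form.
"""
import re

# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff, one separator style only.
_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?P<sep>[:-]?)(?:[0-9a-fA-F]{2}(?P=sep)){4}[0-9a-fA-F]{2}$")
# Conservative interface name: letter first, at most 15 characters (IFNAMSIZ is 16 incl. NUL).
_NAME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9_-]{0,14}$")


def normalize_mac(mac):
    """Return the MAC in the aa:bb:cc:dd:ee:ff form the kernel reports."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = re.sub(r"[:-]", "", mac).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_rules(mapping, mtu=None, tx_queue_len=None):
    """Return the rule lines for {mac: name}; optional mtu/tx_queue_len apply to every line."""
    lines, seen = [], {}
    for mac, name in mapping.items():
        if not _NAME_RE.match(name):
            raise ValueError(f"bad interface name: {name!r}")
        norm = normalize_mac(mac)
        if norm in seen:
            raise ValueError(f"duplicate MAC address {norm}")
        if name in seen.values():
            raise ValueError(f"duplicate interface name {name}")
        seen[norm] = name
        extra = ""
        if mtu is not None:
            extra += f', ATTR{{mtu}}="{int(mtu)}"'
        if tx_queue_len is not None:
            extra += f', ATTR{{tx_queue_len}}="{int(tx_queue_len)}"'
        lines.append(f'SUBSYSTEM=="net", ACTION=="add", ATTR{{address}}=="{norm}", NAME="{name}"{extra}')
    return lines


def is_valid_mapping(mapping):
    """Boolean wrapper around build_rules for quick checks."""
    try:
        build_rules(mapping)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Placeholder MACs from the example above; replace with the values from /sys/class/net/*/address.
    for line in build_rules({"AA-BB-CC-DD-EE-FF": "net1", "ff:ee:dd:cc:bb:aa": "net0"}):
        print(line)
```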

Check the device names again

[root]# ls /sys/class/net
eth0 eth1 lo




Hopefully this is useful

Sunday, January 27, 2013

1 Cisco Router with 2 ISP

dual internet links NATing with PBR and IP SLA

VERSION 6  Click to view document history
Introduction
Network Address Translation is a very common feature used to address some issues and also to meet some networks' requirements such as, overlapped networks and Internet links.
In this small document we will discuss a business requirement example, and the main idea behind this example is to demonstrate how to implement and configure NATign with dual homed Internet edge Router  in conjunction with other Cisco IOS advanced features (Policy Based routing PBR and IPSLA ).
Also we will see how all of the above mentioned features work together and how IP SLA will work like a gear to this implementation in term of controlling the exit path of the traffic by controlling the default route in the routing table and PBR decision.

Requirements:
Company XYZ.com has bought a second Internet connection of 1 Mbps in addition to the existing 512 Kbps one.
The requirement is to load share the traffic over those two links:
web traffic and telnet traffic must use the new ISP link (ISP2), and all other traffic must go through the old ISP link (ISP1);
if either link goes down, all traffic must use the remaining link.

Note:
This example was configured in a lab environment; all the private IP addresses used in this document are for the purpose of this example only.

(Figure: NAT.jpg)

Proposed solution:
According to the above requirements we will use Policy Based Routing to control which path LAN traffic going to the Internet takes:
all traffic from the LAN subnet 10.1.1.0/24 destined to TCP ports 23, 80 and 443 must be routed to the ISP2 link with next hop 172.16.1.2;
all other traffic will go through ISP1 with next hop 192.168.1.2.

As we do not have any public subnet or IP range of our own to use on the Internet, we have to use NAT with the overload option (PAT), translating to the IP address of the Internet interface of each ISP link:
traffic going through ISP1 will be seen by ISP1 and the Internet as sourced from 192.168.1.1;
traffic going through ISP2 will be seen as sourced from 172.16.1.1.

If one of the links goes down, all traffic must use the remaining link.
This is achieved with IP SLA ICMP echo probes sent to each ISP's next-hop address, 192.168.1.2 and 172.16.1.2 in our example,
every 1 second with a timeout of 500 ms.

If no ICMP reply is heard from a next hop within the timeout, the corresponding track object goes down, the default route on the Internet router pointing to that next hop is withdrawn from the routing table,
and the PBR decision changes with it.

One caveat before relying on this: probing the directly connected ISP router only detects a failure of the link or of that router. If the ISP loses its upstream connectivity while its customer-facing interface keeps answering pings, the track stays up and traffic is still sent into a black hole. Probing an address further into the ISP or on the Internet, with a static host route for the probe target via that ISP so the probe cannot leak out the other link, gives a more meaningful reachability test.

Configurations:

interface FastEthernet1/0
description LAN interface
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip policy route-map PBR    ---- this is for policy based routing

interface FastEthernet1/1
description To ISP 1
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
interface FastEthernet2/0
description To ISP 2
ip address 172.16.1.1 255.255.255.0
ip nat outside
As shown above, the LAN interface is configured as the NAT inside interface and has the policy route-map named PBR applied to it; the configuration of this route-map is described later.
Both ISP links are configured as NAT outside interfaces.

IP SLA configurations:

ip sla 1
icmp-echo 192.168.1.2
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 172.16.1.2
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now

IP SLA 1 sends an ICMP echo to the ISP1 next-hop address every 1 second and IP SLA 2 does the same for ISP2; with timeout 500, a reply must arrive within 500 ms for the probe to succeed.

track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
!

If IP SLA 1 does not get an ICMP reply within the timeout, track 10 (ISP1) goes down; the delay down 1 up 1 line makes the track wait 1 second before reporting each state change, which damps brief flaps.
Track 20 works the same way for ISP2.

ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10
ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20

We have two static default routes, each pointing to one ISP's next-hop address and each tied to the corresponding track object created above.
If the ISP1 link is down, the first default route disappears from the routing table (we will see this through the verification commands later in this document).


access-list 10 permit 10.1.1.0 0.0.0.255
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit ip any any

ACL 10 defines the LAN subnet for NAT; ACLs 100 and 101 classify traffic for PBR.

route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 172.16.1.2 1 track 20
!
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 192.168.1.2 2 track 10
!
The route-map PBR above applies several checks to traffic coming from the LAN interface towards the Internet.

The first check is at the ACL level:
if the traffic is sourced from our LAN subnet 10.1.1.0/24 and going to any destination on TCP 23, 80 or 443, it is matched by ACL 100;
anything else is matched by ACL 101.

Telnet traffic (TCP 23), for example, is matched by ACL 100 and therefore by route-map sequence 10.
Before the traffic is sent to the next hop 172.16.1.2, the verify-availability keyword checks that this next hop is up and reachable according to track 20 (driven by IP SLA 2). If the track is up, the traffic is policy routed through ISP2 with next hop 172.16.1.2.
If track 20 is down, the set clause is ignored and, since the static default route pointing to ISP2 has also been withdrawn from the routing table, traffic matched by ACL 100 under sequence 10 is forwarded according to the normal routing table, which at that point holds only the default route through ISP1. Any other traffic, not matched by ACL 100, uses route-map sequence 30 with the same logic (next hop 192.168.1.2, verified by track 10).

This is how IP SLA controls both the routing table and the PBR choice.


route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
!
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet1/1

These two route-maps are used by the NAT commands. Each contains a match interface clause naming the exit interface of that NAT statement.
This clause is important: without it both route-maps match only ACL 10, so the router always uses the first NAT statement and all our traffic is translated to 192.168.1.1 in our example, regardless of the link it actually leaves on.
We will see the effect of removing match interface from the route-maps later in this document.

ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload

These are simply our NAT commands, each with its corresponding exit interface and route-map.
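To make the interaction of the pieces above concrete, here is an added Python model of the forwarding decision this configuration produces. It is a simulation written for this page, not Cisco IOS code and not part of the original document. It encodes ACL 100, the two PBR sequences with their tracked next hops, the two tracked default routes and the two ordered NAT statements, and lets you flip the track objects to see where a packet exits and which address it is translated to; the match_interface flag reproduces what happens when match interface is removed from the NAT route-maps. Interface names and addresses are the ones in the configuration above; the packets and track states are constructed.

```python
"""Model of the dual-ISP PBR + IP SLA + NAT decision from the configuration above.
Added example for this page; a simulation, not Cisco IOS behaviour verbatim."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.1.0/24")   # access-list 10 (NAT) and the source in ACL 100
PBR_PORTS = {23, 80, 443}         # access-list 100: telnet, www, 443

# 'ip route 0.0.0.0 0.0.0.0 <next hop> track <n>', in configuration order
DEFAULT_ROUTES = [
    ("192.168.1.2", 10, "FastEthernet1/1"),   # ISP1, track 10
    ("172.16.1.2", 20, "FastEthernet2/0"),    # ISP2, track 20
]
# route-map PBR set clauses: (next hop, track, exit interface)
PBR_SEQ10 = ("172.16.1.2", 20, "FastEthernet2/0")   # ACL 100 -> ISP2
PBR_SEQ30 = ("192.168.1.2", 10, "FastEthernet1/1")  # ACL 101 -> ISP1
# 'ip nat inside source route-map ISPx interface ... overload', in configuration order
NAT_RULES = [
    ("ISP1", "FastEthernet1/1", "192.168.1.1"),
    ("ISP2", "FastEthernet2/0", "172.16.1.1"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0


def matches_acl_100(p: Packet) -> bool:
    """access-list 100: tcp from 10.1.1.0/24 to any eq telnet/www/443."""
    return p.proto == "tcp" and ip_address(p.src) in LAN and p.dport in PBR_PORTS


def routing_table(tracks: dict) -> list:
    """Default routes whose track is up, i.e. what 'show ip route 0.0.0.0' lists."""
    return [(nh, iface) for nh, track, iface in DEFAULT_ROUTES if tracks.get(track)]


def pbr_next_hop(p: Packet, tracks: dict):
    """Apply route-map PBR. Returns (next_hop, exit_iface, reason);
    next_hop is None when no default route is left (both tracks down)."""
    if matches_acl_100(p):
        seq, (nh, track, iface) = 10, PBR_SEQ10
    else:
        seq, (nh, track, iface) = 30, PBR_SEQ30
    if tracks.get(track):
        return nh, iface, f"seq {seq}: next-hop {nh} verified by track {track}"
    table = routing_table(tracks)          # set clause ignored, fall back to the RIB
    if not table:
        return None, None, f"seq {seq}: track {track} down and no default route left, dropped"
    nh, iface = table[0]
    return nh, iface, f"seq {seq}: track {track} down, routed by the routing table via {nh}"


def nat_source(p: Packet, exit_iface: str, match_interface: bool = True):
    """Pick the inside-global address the way the ordered 'ip nat inside source
    route-map' statements do. Both NAT route-maps match ACL 10; with
    match_interface=True they also require the packet's exit interface, which is
    what keeps the first statement (ISP1) from claiming every LAN packet."""
    if ip_address(p.src) not in LAN:
        return None                        # ACL 10 does not match: no translation
    for _name, iface, global_addr in NAT_RULES:
        if match_interface and iface != exit_iface:
            continue
        return global_addr                 # first matching statement wins
    return None


def forward(p: Packet, tracks: dict, match_interface: bool = True) -> dict:
    """One LAN packet through PBR, the routing table and NAT."""
    nh, iface, reason = pbr_next_hop(p, tracks)
    src = nat_source(p, iface, match_interface) if nh else None
    return {"next_hop": nh, "exit": iface, "nat_src": src, "reason": reason}


if __name__ == "__main__":
    both_up = {10: True, 20: True}
    isp1_down = {10: False, 20: True}
    ping = Packet("10.1.1.10", "100.100.100.100", "icmp")
    telnet = Packet("10.1.1.10", "100.100.100.100", "tcp", 23)
    for label, pkt, tr, mi in [("ping, both up", ping, both_up, True),
                               ("telnet, both up", telnet, both_up, True),
                               ("ping, ISP1 down", ping, isp1_down, True),
                               ("telnet, no match interface", telnet, both_up, False)]:
        print(f"{label:28} -> {forward(pkt, tr, mi)}")
```

The four cases printed by the block correspond to the verification steps that follow: ping and telnet with both tracks up, ping after track 10 goes down, and telnet after match interface is removed from the NAT route-maps.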


verifications:

For verification we use a loopback interface created on both ISP routers in our example to represent a destination on the Internet,
100.100.100.100/32.

show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
    192.168.1.2      Route metric is 0, traffic share count is 1
  * 172.16.1.2      Route metric is 0, traffic share count is 1

We have two default routes in our routing table, which means both ISP next-hop addresses are reachable by the IP SLA ICMP echo probes.

show route-map PBR
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop verify-availability 172.16.1.2 1 track 20  [up]
  Policy routing matches: 24 packets, 1446 bytes
route-map PBR, permit, sequence 30
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop verify-availability 192.168.1.2 2 track 10  [up]
  Policy routing matches: 60 packets, 6840 bytes

Both SLA tracks, 10 and 20, show as [up] in the route-map output.

Now let us ping 100.100.100.100 from an internal host in subnet 10.1.1.0/24 with NAT debugging enabled on the Internet edge router to see the translated traffic:

ping 100.100.100.100


*Dec 19 20:24:44.103: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [80]
*Dec 19 20:24:44.371: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [80]

This shows the ICMP traffic translated to source 192.168.1.1:

it was matched by ACL 101 and, because track 10 is up, policy routed to next hop 192.168.1.2 out FastEthernet1/1, where the ISP1 NAT statement translates it.
The PBR debug output for the same ping:

*Dec 19 20:25:12.247: IP: s=10.1.1.10 (FastEthernet1/0), d=100.100.100.100, len 100, FIB policy match
*Dec 19 20:25:12.251: IP: s=10.1.1.10 (FastEthernet1/0), d=100.100.100.100, g=192.168.1.2, len 100, FIB policy routed
*Dec 19 20:25:12.259: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [81]
*Dec 19 20:25:12.623: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [81]

Now let us see the result of a telnet session from the internal network:
telnet 100.100.100.100



*Dec 19 20:26:00.375: IP: s=10.1.1.10 (FastEthernet1/0), d=100.100.100.100, len 44, FIB policy match
*Dec 19 20:26:00.375: IP: s=10.1.1.10 (FastEthernet1/0), d=100.100.100.100, g=172.16.1.2, len 44, FIB policy routed
*Dec 19 20:26:00.383: NAT*: s=10.1.1.10->172.16.1.1, d=100.100.100.100 [57504]    --- the traffic used 172.16.1.1 link -----
*Dec 19 20:26:01.159: NAT*: s=100.100.100.100, d=172.16.1.1->10.1.1.10 [25782]


Let us shut down the ISP1 link to simulate a link failure and see how IP SLA behaves:

ping 100.100.100.100

*Dec 19 20:27:54.139: %TRACKING-5-STATE: 10 rtr 1 reachability Up->Down
*Dec 19 20:27:57.895: NAT*: s=10.1.1.10->172.16.1.1, d=100.100.100.100 [82]
*Dec 19 20:27:58.099: NAT*: s=100.100.100.100, d=172.16.1.1->10.1.1.10 [82]

Now the ICMP traffic matched by ACL 101 is using the ISP2 link, with 172.16.1.1 as the source IP.

We can see below that the interface connected to ISP1 is still up/up, but because the next hop is not reachable via ICMP, IP SLA track 10 removed the default route through the ISP1 next hop from the routing table:

FastEthernet1/0            10.1.1.1        YES NVRAM  up                    up
FastEthernet1/1            192.168.1.1     YES NVRAM  up                    up
FastEthernet2/0            172.16.1.1      YES manual up                    up

show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 172.16.1.2      Route metric is 0, traffic share count is 1

Now let us bring it back up:

*Dec 19 20:31:29.143: %TRACKING-5-STATE: 10 rtr 1 reachability Down->Up

Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 192.168.1.2      Route metric is 0, traffic share count is 1
    172.16.1.2      Route metric is 0, traffic share count is 1



ping 100.100.100.100

*Dec 19 20:32:15.559: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [183]
*Dec 19 20:32:16.071: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [183]


Now let us remove the match interface clause from each of the NAT route-maps and see the result:

(config)#route-map ISP1
(config-route-map)#no match interface fa1/1
(config-route-map)#route-map ISP2
(config-route-map)#no match int fa2/0

#clear ip nat translation *

When we ping and telnet again, all the traffic is translated to 192.168.1.1 regardless of which exit it is using:


ping 100.100.100.100
*Dec 19 20:33:47.615: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [184]
*Dec 19 20:33:48.067: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [184]

*Dec 19 20:34:51.675: NAT*: i: tcp (10.1.1.10, 21603) -> (100.100.100.100, 23) [64704]
*Dec 19 20:34:51.679: NAT*: i: tcp (10.1.1.10, 21603) -> (100.100.100.100, 23) [64704]
*Dec 19 20:34:51.683: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [64704]
*Dec 19 20:34:51.847: NAT*: o: tcp (100.100.100.100, 23) -> (192.168.1.1, 21603) [52374]
*Dec 19 20:34:51.847: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [52374]
*Dec 19 20:34:52.123: NAT*: i: tcp (10.1.1.10, 21603) -> (100.100.100.100, 23) [64705]

Let us put match interface back into the NAT route-maps. The ping is translated to 192.168.1.1 again:

ping 100.100.100.100
*Dec 19 20:36:23.379: NAT*: i: icmp (10.1.1.10, 16) -> (100.100.100.100, 16) [185]
*Dec 19 20:36:23.383: NAT*: i: icmp (10.1.1.10, 16) -> (100.100.100.100, 16) [185]
*Dec 19 20:36:23.387: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [185]
*Dec 19 20:36:23.827: NAT*: o: icmp (100.100.100.100, 16) -> (192.168.1.1, 16) [185]
*Dec 19 20:36:23.827: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [185]

and the telnet session goes out via ISP2, translated to 172.16.1.1:

telnet 100.100.100.100
*Dec 19 20:36:52.099: NAT*: i: tcp (10.1.1.10, 16305) -> (100.100.100.100, 23) [46655]
*Dec 19 20:36:52.099: NAT*: i: tcp (10.1.1.10, 16305) -> (100.100.100.100, 23) [46655]
*Dec 19 20:36:52.103: NAT*: s=10.1.1.10->172.16.1.1, d=100.100.100.100 [46655]
*Dec 19 20:36:52.259: NAT*: o: tcp (100.100.100.100, 23) -> (172.16.1.1, 16305) [41145]
*Dec 19 20:36:52.259: NAT*: s=100.100.100.100, d=172.16.1.1->10.1.1.10 [41145]
*Dec 19 20:36:52.355: NAT*: i: tcp (10.1.1.10, 16305) -> (100.100.100.100, 23) [46656]
*Dec 19 20:36:52.359: NAT*: s=10.1.1.10->172.16.1.1, d=100.100.100.100 [46656]
*Dec 19 20:36:52.375: NAT*: i: tcp (10.1.1.10, 16305) -> (100.100.100.100, 23) [46657]


Conclusion:
To conclude the above configuration example: by combining NAT with other Cisco IOS features, in particular IP SLA, the network becomes more automated and reliable. We can track next-hop reachability, and we may use other IP SLA operations such as jitter measurement if we carry VoIP traffic. By using PBR we were able to classify our traffic and send it over the two links according to the requirements, rather than congesting one link and leaving the other as a passive backup only.