
Monday, October 8, 2012

IPv6 Multicast and Anycast Address


Multicast Address:

A multicast address is a logical address for a group of hosts, within one network or beyond it. A packet destined to a multicast address is delivered to all the interfaces identified by that address. IPv6 has no broadcast address; multicast takes its place. For the jobs broadcast used to do, IPv6 introduces a new type of multicast address, the Solicited-Node multicast address. IPv6 multicast is routable, but routers will not forward a multicast packet unless there are members of that multicast group to forward it to.

The multicast address prefix is FF00::/8. Some multicast addresses are already reserved for specific services.

A picture of Multicast packet flow from WIKI.

There are also several types of multicast address. I will discuss those here.

I will discuss the Solicited Node Multicast address in my next post.


Anycast Address:

An anycast address is a single address assigned to multiple nodes. The difference from multicast is that it does not deliver packets to all the nodes sharing the address: a packet destined to an anycast address is delivered to the nearest / first available node only.

A very useful application of anycast addresses is DNS. If you have a large network with several zones in several cities, you can configure your DNS / other applications with an anycast address. As a result the service will be served by the nearest DNS / application server.

Here is a picture from WIKI.


Wednesday, September 19, 2012

IPv6 Unicast Address


Let’s talk about IPv6 Unicast address.

There are mainly 4 types of unicast addresses.
                Global Unicast
                Link-local Unicast
                Site-local / Unique-local Unicast
                Special Addresses

Global Unicast:
Global unicast addresses are global addresses, i.e. public IP addresses, and they are globally unique. They start with the binary prefix 001 (2 in decimal), so global unicast addresses start with 2000::/3.

They are globally routable and reachable on the Internet. IANA assigns /12 blocks to the five regional Internet registries, i.e. APNIC, AFRINIC, RIPE, ARIN and LACNIC. They in turn give a /32 to each service provider and a /48 to each enterprise.

Keep in mind that prefixes of /64 or longer are not routable on the Internet. It is even suggested not to route any prefix of /48 or longer (preferably nothing longer than /32) on the Internet, to keep the global routing table small.

I think no more explanation is needed for global unicast. It's just the public IP address, and we all know what public IPs are for.



Link-Local Unicast:
It's like the private IP of IPv4, but it is mandatory for every interface running IPv6, i.e. every interface running IPv6 must have a link-local unicast address. Pretty interesting huh!!!

This address is used to communicate with local hosts, for neighbor discovery and for routing protocol updates. It is assigned automatically and always starts with FE80. So a link-local address could be in FE80::/64, though the reserved block is FE80::/10.

Routers don’t forward any packets with link-local addresses.



Site-local / Unique-local unicast address:
This kind of address is used within local sites; it is also a kind of private IP address, so routers will not forward site-local packets onto the Internet. Unlike a link-local address it is not created automatically on an interface; it must be assigned if needed. It is generally used for site-to-site communication within a company / enterprise.

An interesting property of unique-local addresses is that they are globally unique but used only within sites or a limited area. So if sites are combined / merged with one another, there will be no conflict / duplicate address issues, and re-numbering will not be required.

The prefix for unique-local addresses is FC00::/7.



Special Addresses:
There are several IPv6 special addresses.

Loopback address: ::1/128

Unspecified address: ::/128

IPv4-mapped address: ::FFFF:0:0/96 (not routable on the Internet)

IPv4-compatible address: ::<ipv4-address>/96 (not routable on the Internet)



I have tried to give an idea of the types of IPv6 unicast addresses. For detailed information you can take help from Google.


Tuesday, September 18, 2012

IPv6 Address Types


It takes a long time to understand IPv6. Anyway, I will try to make it clear in easy words. Hope you will enjoy.
So, in my last posts I only introduced IPv6. Let's see the types....

There are mainly 3 types of IPv6 address. They are
                Unicast
                Multicast
                Anycast


Unicast: This is an identifier for a single interface. A packet sent to a unicast address is delivered to the interface that owns the destination address. Like one-to-one delivery.



Multicast: It is generally an identifier for a set of interfaces. Better said, it's a group address. So a packet sent to a multicast address is delivered to all the nodes belonging to that multicast group.



Anycast: It is also an identifier for a set of interfaces. The difference between multicast and anycast is that a packet for an anycast address is delivered to only one of the interfaces (the nearest one) belonging to that group.
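The three IPv6 posts above (address types, the unicast prefixes, and multicast / solicited-node) can be turned into a small classifier. This is an added example written for this page, not code from the original posts; the prefix table only contains the blocks the posts name, and the sample addresses at the bottom are constructed.

```python
import ipaddress

# Prefix table built from the address types the posts describe. Order matters:
# the exact loopback / unspecified matches and the two IPv4-embedding prefixes
# are tested before the broad blocks, because ::/96 would otherwise swallow
# ::1 and :: as well.
PREFIXES = [
    ("loopback", "::1/128"),
    ("unspecified", "::/128"),
    ("IPv4-mapped (not routable on the Internet)", "::ffff:0:0/96"),
    ("IPv4-compatible (not routable on the Internet)", "::/96"),
    ("multicast", "ff00::/8"),
    ("link-local unicast", "fe80::/10"),
    ("unique-local unicast", "fc00::/7"),
    ("global unicast", "2000::/3"),
]


def classify(addr):
    """Return the address type name for a textual IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    for name, prefix in PREFIXES:
        if ip in ipaddress.IPv6Network(prefix):
            return name
    return "other / unassigned"


def is_internet_routable(addr):
    """Only global unicast should appear as source or destination on the public
    Internet; every other type in the table stays local to a link or a site."""
    return classify(addr) == "global unicast"


def solicited_node(addr):
    """Solicited-node multicast address for a unicast address: the well-known
    prefix ff02::1:ff00:0/104 followed by the low 24 bits of the unicast
    address. Neighbor discovery uses this instead of an IPv4-style broadcast."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def unexpected_from_internet(addrs):
    """Filter helper for a defender: which of these (constructed) source
    addresses seen on a WAN-facing interface should never have arrived there."""
    return [a for a in addrs if not is_internet_routable(a)]


if __name__ == "__main__":
    # Constructed samples, one per type covered by the posts.
    samples = ["2001:db8::1", "fe80::1", "fd00::1", "ff02::1",
               "::1", "::", "::ffff:192.0.2.1", "::192.0.2.1"]
    for sample in samples:
        print(f"{sample:20} {classify(sample)}")
    print("solicited-node of 2001:db8::1 ->", solicited_node("2001:db8::1"))
    print("not expected from the Internet:", unexpected_from_internet(samples))
```

The module uses only the standard-library `ipaddress` module; `solicited_node` shows the relation the multicast post hints at (the solicited-node group is derived from the last 24 bits of the unicast address), and `unexpected_from_internet` is the kind of check you would run over a packet capture or log on a border router.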


I will go for more details of each type in my upcoming posts... keep in touch.... :)

Sunday, June 10, 2012

Block a specific email address in postfix

Sometimes we need to block a specific email address in postfix. Here is how to do that.

Add the following line in main.cf

smtpd_sender_restrictions = reject_unknown_sender_domain,check_sender_access hash:/etc/postfix/access


Now add the address you want to block to the access file, like the following.

noreply@test.com          REJECT

After adding the address, run postmap on the access file.

postmap /etc/postfix/access


Now your MX will not accept any mail from the address "noreply@test.com".




Monday, June 4, 2012

Linux SSL VPN (Open VPN)


Network Definitions:


192.168.21.0/24 [Server LAN Network]


192.168.23.0/24 [Client LAN Network]


10.10.10.0/24 [VPN Network]


Make sure the date and time on both ends are identical.


Server End:
apt-get install openvpn [on both servers]


cd /etc/openvpn [Server End]


Edit / create server.conf


## Server.conf
port 2746
proto udp
ifconfig 10.10.10.1 255.255.255.252
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.10.10.0 255.255.255.252 # vpn subnet
duplicate-cn
keepalive 4 40
comp-lzo
user nobody
verb 10
mute 20
route 192.168.23.0 255.255.255.0 10.10.10.2




The next steps are performed with the preset configuration scripts that are part of the OpenVPN installation, located in the /usr/share/doc/openvpn/examples/easy-rsa directory.




cd  /usr/share/doc/openvpn/examples/easy-rsa
. ./vars
./clean-all
./build-ca




### Information given when the certificate was created.
Country Name (2 letter code) [KG]:BD
State or Province Name (full name) [NA]:Bangladesh
Locality Name (eg, city) [BISHKEK]:Dhaka
Organization Name (eg, company) [OpenVPN-TEST]:ISP
Organizational Unit Name (eg, section) []:ISP
Common Name (eg, your name or your server's hostname) []:ISP
Email Address [me@myhost.mydomain]: admin@test.com


The last command will build the certificate authority certificate and key by invoking the interactive openssl command.




Generate certificates & keys for server:
./build-key server


Generate certificates & keys for client:
./build-key client


Generate Diffie Hellman parameters
./build-dh




Copy the following files from /usr/share/doc/openvpn/examples/easy-rsa/keys to the /etc/openvpn directory on the server:


ca.crt
server.crt
dh1024.pem
server.key




Client End:
cd /etc/openvpn [Client End]


Edit / create client.conf


###client.conf
remote 122.144.12.232 2746
client
dev tap
proto udp
;resolv-retry infinite # this is necessary for DynDNS
nobind
user nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
dh dh1024.pem
comp-lzo
verb 10
mute 20
route 192.168.21.0 255.255.255.0




Copy the following files from the server to /etc/openvpn/ on the client machine (these are the files "./build-key client" produced, and the names client.conf refers to):


ca.crt
client.crt
client.key




Now start the service on both ends.
/etc/init.d/openvpn start


Now you will see a tunnel interface on both servers along with your existing interfaces, and each end's local network will be reachable from the other end.


For troubleshooting you can check the logs in /var/log/syslog.
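Before starting the service on both ends, it pays to cross-check the two config files against each other, since most "tunnel never comes up" cases are a port / proto / dev mismatch, and a couple of the settings above interact badly on restart. The linter below is an added example for this page, not part of OpenVPN or of the original post; the two config strings are copies of the server.conf and client.conf shown above, and the checks encode the OpenVPN option semantics (user without persist-key/persist-tun, dh on the client, server plus ifconfig, verb above 4).

```python
# Copies of the two config files from the post, embedded so the check runs offline.
SERVER_CONF = """\
port 2746
proto udp
ifconfig 10.10.10.1 255.255.255.252
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.10.10.0 255.255.255.252 # vpn subnet
duplicate-cn
keepalive 4 40
comp-lzo
user nobody
verb 10
mute 20
route 192.168.23.0 255.255.255.0 10.10.10.2
"""

CLIENT_CONF = """\
remote 122.144.12.232 2746
client
dev tap
proto udp
;resolv-retry infinite # this is necessary for DynDNS
nobind
user nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
dh dh1024.pem
comp-lzo
verb 10
mute 20
route 192.168.21.0 255.255.255.0
"""


def parse_conf(text):
    """Parse an OpenVPN config into {option: [args...]}.
    '#' starts a trailing comment and ';' comments out a whole line."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        opts[name] = args  # last occurrence wins; fine for a lint pass
    return opts


def check_pair(server, client):
    """Return a list of findings for a server/client config pair."""
    findings = []
    # Transport parameters must agree or the handshake never happens.
    server_port = server.get("port", ["1194"])[0]
    remote = client.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"
    if client_port != server_port:
        findings.append(f"port mismatch: server {server_port}, client remote {client_port}")
    for opt in ("proto", "dev"):
        if server.get(opt) != client.get(opt):
            findings.append(f"{opt} mismatch: server {server.get(opt)}, client {client.get(opt)}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo is set on only one side")
    for side, conf in (("server", server), ("client", client)):
        # After dropping to 'user nobody' the daemon cannot re-read the key or
        # reopen the tap/tun device on SIGUSR1 restart unless both persist options are set.
        if "user" in conf and not ("persist-key" in conf and "persist-tun" in conf):
            findings.append(f"{side}: 'user' set without persist-key/persist-tun")
        verb = int(conf.get("verb", ["1"])[0])
        if verb > 4:
            findings.append(f"{side}: verb {verb} is debug-level logging; 3 or 4 is enough for normal operation")
    if "dh" in client:
        findings.append("client: 'dh' has no effect on the client; Diffie-Hellman parameters are server-only")
    if "server" in server and "ifconfig" in server:
        findings.append("server: 'ifconfig' overlaps with 'server', which already assigns the interface address; keep one")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)):
        print("-", finding)
```

Run against the two files from the post the checker is quiet about port, proto, dev and comp-lzo (they match) and reports the restart and verbosity issues; change one side's proto to tcp and the mismatch shows up first.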

Tuesday, April 10, 2012

Sender Domain Restriction for Postfix Users

Sometimes we are flooded with huge volumes of spam that keep changing the sender address. So it is very important for an administrator to close that option for local users. Through the following process we will accept mail whose From address domain is one of the allowed domain names.



Step 1:
Add the following line in "main.cf"
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/mydomains, reject_unauth_destination

Save and exit.


Step 2: 
Create a file in the postfix directory.
vim /etc/postfix/mydomains 

mydomain1.com       OK 
mydomain2.com       OK

Save and exit.


Step 3:

Run postmap on the file.

postmap /etc/postfix/mydomains


Step 4:

Restart the service.

/etc/init.d/postfix restart


Now users@mydomain1.com / users@mydomain2.com can send mail through this MX.
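Both postfix posts (blocking one sender address, and the sender-domain restriction just above) rely on how check_sender_access looks up an access table and how an smtpd_sender_restrictions list is walked. The simulator below is an added example written for this page, not postfix code: the two tables are constructed copies of the posts' hash files, DNS and the MX's own domains are replaced by constructed sets, and it assumes the default parent_domain_matches_subdomains (parent domains match) and the default smtpd_delay_reject=yes (the list runs at RCPT TO, so the recipient is known).

```python
# Constructed access tables that mirror the two posts' hash files.
ACCESS_BLOCKLIST = {"noreply@test.com": "REJECT"}                        # /etc/postfix/access
ALLOWED_SENDER_DOMAINS = {"mydomain1.com": "OK", "mydomain2.com": "OK"}  # /etc/postfix/mydomains

# Constructed stand-ins for DNS and for this MX's own domains (mydestination).
RESOLVABLE_DOMAINS = {"test.com", "mydomain1.com", "mydomain2.com", "example.org"}
LOCAL_DOMAINS = {"mydomain1.com", "mydomain2.com"}


def domain_of(address):
    return address.rpartition("@")[2].lower()


def access_lookup_keys(sender):
    """Keys postfix probes an access(5) table with for an email address, in
    order: user@domain, the domain, each parent domain (smtpd_access_maps is in
    parent_domain_matches_subdomains by default), and finally user@."""
    user, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    return [f"{user}@{domain}", *parents, f"{user}@"]


def check_sender_access(table):
    """check_sender_access hash:<table>: the table's OK / REJECT, else DUNNO."""
    def restriction(sender, recipient):
        for key in access_lookup_keys(sender):
            if key in table:
                return table[key]
        return "DUNNO"
    return restriction


def reject_unknown_sender_domain(sender, recipient):
    """Real postfix does MX/A DNS lookups here; the constructed set stands in."""
    return "DUNNO" if domain_of(sender) in RESOLVABLE_DOMAINS else "REJECT"


def reject_unauth_destination(sender, recipient):
    """Refuse to relay: the recipient domain must be one this MX is responsible for."""
    return "DUNNO" if domain_of(recipient) in LOCAL_DOMAINS else "REJECT"


def evaluate(restrictions, sender, recipient):
    """Walk an smtpd_sender_restrictions list as postfix does: the first
    restriction answering OK or REJECT decides, DUNNO falls through to the next
    one, and a list that ends without a decision permits the mail."""
    for restriction in restrictions:
        verdict = restriction(sender, recipient)
        if verdict in ("OK", "REJECT"):
            return verdict
    return "PERMIT"


# Post 1: smtpd_sender_restrictions = reject_unknown_sender_domain,check_sender_access hash:/etc/postfix/access
BLOCK_ADDRESS = [reject_unknown_sender_domain, check_sender_access(ACCESS_BLOCKLIST)]
# Post 2: smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/mydomains, reject_unauth_destination
RESTRICT_SENDER_DOMAINS = [check_sender_access(ALLOWED_SENDER_DOMAINS), reject_unauth_destination]


if __name__ == "__main__":
    cases = [  # (restriction list, MAIL FROM, RCPT TO), all constructed
        (BLOCK_ADDRESS, "noreply@test.com", "alice@mydomain1.com"),
        (BLOCK_ADDRESS, "someone@test.com", "alice@mydomain1.com"),
        (RESTRICT_SENDER_DOMAINS, "bob@mydomain1.com", "friend@example.org"),
        (RESTRICT_SENDER_DOMAINS, "eve@evil.example", "friend@example.org"),
        (RESTRICT_SENDER_DOMAINS, "eve@evil.example", "alice@mydomain1.com"),
    ]
    for restrictions, sender, recipient in cases:
        print(f"{sender:>20} -> {recipient:<20} {evaluate(restrictions, sender, recipient)}")
```

The walk makes the mechanism of the second post visible: an OK from the mydomains table ends evaluation, so a listed sender domain never reaches reject_unauth_destination and may relay, while any other sender can still deliver to the MX's own domains but is refused relay. The sender address is whatever the connecting client puts in MAIL FROM, so this is a policy switch on a client-supplied value rather than authentication; keep that in mind when reading the mail.log for who was allowed through.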

Tuesday, February 14, 2012

VI editor (move, delete, copy, paste)


Moving between characters:

If we are writing something and missed a word, pressing backspace will erase the characters we typed. Instead we can use the following in command mode.

The h key, moves the cursor one character left.
The j key, moves the cursor one character down.
The k key, moves the cursor one character up.
The l key, moves the cursor one character right.
The ( key, moves backward by sentence.
The ) key, moves forward by sentence.


Delete:
To delete something we can do the following in command mode.

x key, deletes one character. To delete 10 characters at once, type: 10x
dw, deletes one word. To delete 10 words at once, type: 10dw
dd, deletes one line. To delete 10 lines at once, type: 10dd


Copy & Paste:

Press yy to copy / yank a line in command mode and use p to paste it at the desired position.

Linux VI editor


The most powerful and most used editor in Linux/Unix is vi. In a Unix-like operating system you can start it with vi <filename>
example: vi test
It will create a file named test.

To save the file:
Press the Esc key and type :wq
It will create an empty file in Linux (:q alone quits without writing anything).

Keep in mind that vi editor has two modes: command mode and insert mode.

To edit a file:
vi test (enters command mode)
Press i or the Insert key (insert mode) and start typing.

After editing, save the changes:
Press Esc and then
:wq (write and quit)   or
:x      or
:wq!     or
:x!       or
ZZ (typed in command mode, without a colon)

Now check the file in current directory "ls test". You can check the contents through "cat test" or "more test".

Linux Beginner Part-7 (Piping and Redirection)

Piping:

The pipe character, “|”, is used to chain two or more commands together. The output of the first command is “piped” into the next program, and if there is a second pipe, the output is sent to the third program, etc.  For example:

ls -la /usr/bin | less

In this example, we run the command “ls -la /usr/bin”, which gives us a long listing of all of the files in /usr/bin. Because the output of this command is typically very long, we pipe the output to a program called “less”, which displays the output for us one screen at a time.


Redirection:

Redirection is used for different purposes. Sometimes we want to put something in a file without editing it with an editor. Example:

echo "this is a test" > test

It writes the text "this is a test" into the file named test.

Sometimes we need to save the output of a command to a file without showing it on the display. Example:
grep "status=sent" /var/log/mail.log > /tmp/log
It saves the output of the command in the file named /tmp/log.

Monday, February 13, 2012

Linux Beginner Part-6 (Informational Commands)


Linux Informational Commands

ps                  Lists currently running processes (programs).

w                  Shows who is logged on and what they are doing.

df                  Reports filesystem disk space usage ("Disk Free" is how I remember it).
Example: df -h

du                  Disk usage in a particular directory. "du -s" provides a summary for the current directory. Example: du -m

top                  Displays CPU processes in a full-screen view. A great way to see the activity on your computer in real time. Type "q" to quit.

free         Displays the amount of free and used memory in the system. Example: free -m

cat /proc/cpuinfo Displays information about your CPU.

cat /proc/meminfo Displays lots of information about current memory usage.

uname -a         Prints system information to the screen (kernel version, machine type, etc.)

Linux Beginner Part-5 (Finding Tools)


Finding things in Linux:

which Shows the full path of shell commands found in your path. For example, if you want to know exactly where the “grep” command is located on the file system, you can type “which grep”. The output should be something like: /bin/grep


whereis        Locates the program, source code, and manual page for a command (if all information is available). For example, to find out where "ls" and its man page are, type: "whereis ls". The output will look something like:

ls: /bin/ls /usr/share/man/man1/ls.1.gz


locate A quick way to search for files anywhere on the filesystem. For example, you can find all files and directories that contain the name “mozilla” by typing:

locate mozilla
If you get a "command not found" message on Debian, install locate as follows: "apt-get install locate", then run "updatedb".

find        A very powerful command, but sometimes tricky to use. It can be used to search for files matching certain patterns, as well as many other types of searches.  A simple example is:

find . -name \*mp3

This example starts searching in the current directory “.” and all sub-directories, looking for files with “mp3” at the end of their names.

Sunday, February 12, 2012

Linux Beginner Part-4 (Basic Commands)


Basic Linux Commands Description

pwd   “Print Working Directory”. Shows the current location in the directory tree.

cd           “Change Directory”. When typed all by itself, it returns you to your home directory.
Example: cd /home/

cd ~ “~” is an alias for your home directory. It can be used as a shortcut to your “home”, or other directories relative to your home.

cd .. Move up one directory. For example, if you are in /home/vic and you type “cd ..”, you will end up in /home.
Example: If you are in /etc/init.d/, after giving the following command "cd .." you will be in "/etc"

cd - Return to previous directory. An easy way to get back to your previous location!

ls         List all files in the current directory, in column format.

ls -l   List files in “long” format, one file per line. This also shows you additional info about the file, such as ownership, permissions, date, and size.

ls -a   List all files, including “hidden” files. Hidden files are those files that begin with a “.”, e.g. The .bash_history file in your home directory. You can use more options like ls -lah, ls -ld for different types of output.

cat          Display the contents of a text file on the screen. For example: cat <file-name> would display the file we created in the previous section.

head        Display the first few lines of a text file. Example: head /etc/services

tail        Display the last few lines of a text file. Example:  tail /etc/services

tail -f        Display the last few lines of a text file, and then output appended data as the file grows (very useful for following log files!). Example:  tail -f /var/log/messages

cp         Copies a file from one location to another. Example:  cp <file-name> /tmp (copies the file-name file to the /tmp directory)

mv       Moves a file to a new location, or renames it. For example:  mv <file-name> /tmp (copies the file to /tmp, and deletes it from the original location)

touch    Used to create empty files in Linux. Example: touch file1 file2 It will create two empty files named file1 & file2.

rm       Delete a file.  Example:  rm /tmp/<file-name>

mkdir       Make Directory.  Example: mkdir /tmp/myfiles/

rmdir       Remove Directory.  Example: rmdir /tmp/myfiles/

To be continued.....

Linux Beginner Part-3 (Directory Layout)


The Linux Directory Layout

/            The nameless base of the filesystem. All other directories, files, drives, and devices are attached to this root. Commonly (but incorrectly) referred to as the “slash” or “/” directory. The “/” is just a directory separator, not a directory itself.

/bin Essential command binaries (programs) are stored here (bash, ls, mount, tar, etc.)

/boot Static files of the boot loader.

/dev Device files. In Linux, hardware devices are accessed just like other files, and they are kept under this directory.

/etc Host-specific system configuration files.

/home Location of users' personal home directories (e.g. /home/susan).

/lib Essential shared libraries and kernel modules.

/proc Process information pseudo-filesystem.  An interface to kernel data structures.

/root The root (superuser) home directory.

/sbin Essential system binaries (fdisk, fsck, init, etc).

/tmp Temporary files.  All users have permission to place temporary files here.

/usr The base directory for most shareable, read-only data (programs, libraries, documentation, and much more).

/usr/bin Most user programs are kept here (cc, find, du, etc.).

/usr/lib Libraries for most binary programs.

/usr/local "Locally" installed files. This directory only really matters in environments where files are stored on the network. Locally-installed files go in /usr/local/bin, /usr/local/lib, etc. Also often used for software packages installed from source, or software not officially shipped with the distribution.

/usr/sbin Non-vital system binaries (lpd, useradd, etc.)

/usr/share Architecture-independent data (icons, backgrounds, documentation, terminfo, man pages, etc.).

/usr/src Program source code.  E.g. The Linux Kernel, source RPMs, etc.

/var Variable data: mail and printer spools, log files, lock files, etc.

Linux Beginner Part-2 (Special Characters)


Special Characters
Before we continue to learn about Linux shell commands, it is important to know that there are many symbols and characters that the shell interprets in special ways.


Character Description

/     Directory separator, used to separate a string of directory names.
Example: /usr/src/linux

.    Current directory.  Can also “hide” files when it is the first character in a filename.

..   Parent directory

~   User's home directory

*   Represents 0 or more characters in a filename, or by itself, all files in a directory.
Example: pic*2002 can represent the files pic2002, picJanuary2002, picFeb292002, etc.

?   Represents a single character in a filename.
Example: hello?.txt can represent hello1.txt, helloz.txt, but not hello22.txt

|   “Pipe”.  Redirect the output of one command into another command.
Example: ls | more 

>   Redirect output of a command into a new file.  If the file already exists, over-write it.
Example: ls > myfiles.txt 

>>  Redirect the output of a command onto the end of an existing file.
Example: echo “Mary 555-1234” >> phonenumbers.txt 

<   Redirect a file as input to a program.
Example: more < phonenumbers.txt 

;   Command separator.  Allows you to execute multiple commands on a single line.
Example: cd /var/log ; less messages

&&  Command separator as above, but only runs the second command if the first one finished without errors.
Example: cd /var/log && less messages


&   Execute a command in the background, and immediately get your shell back.
Example: find / -name core > /tmp/corefiles.txt & 

Linux Beginner Part -1 (Shell)


What is a command shell?
Answer:
A program that interprets commands.
It allows a user to execute commands by typing them manually at a terminal, or automatically in programs called shell scripts.




What is BASH?
Answer:
Bourne Again SHell.
A shell written as a free replacement for the standard Bourne Shell (/bin/sh), which was originally written by Steve Bourne for UNIX systems.
It has all of the features of the original Bourne Shell, plus additions that make it easier to program with and use from the command line.
Since it is Free Software, it has been adopted as the default shell on most Linux systems.



Tuesday, January 24, 2012

Mikrotik Beginner's Lesson

After finishing the installation, a beginner like me might be confused about how to log in to a Mikrotik router. :(

User: admin
Password: <none/ blank>

Anyways, I am going to share some very basic commands of Mikrotik CLI.


Add an IP address to an interface:

>ip address add address=10.0.0.1/24 interface=ether1

Check the IP:
>ip address print

Add a default gateway for Mikrotik:

>ip route add gateway=192.168.200.1

Check the Route:

>ip route print

Masquerade / NAT implementation through WAN interface:

>ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

Check NAT:

>ip firewall nat print

Forward requests arriving on your external interface to an internal IP:

>ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat to-addresses=192.168.0.109 ### 10.5.8.200 (External), 192.168.0.109 (Internal)


Port Forward / Mapping from External to Internal:

>ip firewall nat add chain=dstnat protocol=tcp dst-port=1234 action=dst-nat to-addresses=192.168.1.1 to-ports=1234 ### port forward/ mapping (the RouterOS parameters are to-addresses and to-ports)