• iptables -t nat -A PREROUTING -i eth3 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.150.8:80
  • iptables -t nat -A POSTROUTING -s 192.168.150.0/24 -o eth3 -j MASQUERADE
  • iptables -t nat -A PREROUTING -d 211.72.17.18/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.150.8:80
  • iptables -t nat -A POSTROUTING -s 192.168.150.0/24 -d 192.168.150.8/32 -p tcp --dport 80 -j MASQUERADE

Reference





makefile

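# Build variables — override from the environment or the command line
# (e.g. `make CROSS_COMPILE=/path/to/arm-linux-`).
#
# CROSS_COMPILE: toolchain prefix; every tool name used by the configure
# step (ar, gcc, g++, nm, objcopy, ranlib, strip) is derived from it.
CROSS_COMPILE ?= /opt/buildroot-gcc483_arm/usr/bin/arm-linux-
# ROMFSDIR: absolute path of the target root-filesystem staging directory.
# `?=` creates a *recursive* variable, so the original re-ran `readlink`
# on every expansion; resolve it once with `:=` instead. The origin test
# keeps the "only if not already set" semantics of `?=`.
ifeq ($(origin ROMFSDIR),undefined)
ROMFSDIR := $(shell readlink -f ../../romfs)
endif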
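.PHONY: all
# Default goal: make sure the configure-generated ./Makefile exists, then
# delegate the real build to it.
# The prerequisite must be `Makefile` (capital M), the file produced by the
# `Makefile:` rule. The original named `makefile`, i.e. this wrapper itself,
# so configure was never triggered and `make -f Makefile` failed on a clean
# tree. $(MAKE) (not a literal `make`) propagates -j/-n to the sub-make.
all: Makefile
	$(MAKE) -f Makefile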
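# Discard a partially written target when its recipe fails (file-wide).
.DELETE_ON_ERROR:

# Generate ./Makefile by running OpenSSH's configure for the ARM target.
# Make only runs this recipe when ./Makefile is missing, so no existence
# check is needed inside it; the original `ifneq ("", "$(wildcard $@)")`
# was evaluated at parse time, where $@ is empty, and therefore always took
# the configure branch anyway.
#
# LD is deliberately empty: arm-linux-ld rejects the `-Wl,...` options the
# build passes (those are gcc-driver syntax), so linking goes through gcc.
# OBJCOPY previously pointed at objdump — a different tool; fixed to objcopy.
# --without-shadow: the SDK's C library has no getspnam().
# NOTE(review): openssl-1.0.1f and zlib-1.2.3 are old, unmaintained releases
# with published vulnerabilities; the paths are kept as given here, but the
# vendored copies should be upgraded before shipping an image built this way.
Makefile:
	AR=$(CROSS_COMPILE)ar CC=$(CROSS_COMPILE)gcc CXX=$(CROSS_COMPILE)g++ \
	LD= NM=$(CROSS_COMPILE)nm OBJCOPY=$(CROSS_COMPILE)objcopy \
	RANLIB=$(CROSS_COMPILE)ranlib STRIP=$(CROSS_COMPILE)strip \
	./configure --host=arm-linux --target=arm-linux --prefix=/usr \
		--without-shadow --disable-etc-default-login \
		--with-zlib=../../lib/zlib-1.2.3 --with-ssl-dir=../openssl-1.0.1f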
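.PHONY: clean
# Remove build products and the generated Makefile.
# The sub-make is only invoked when ./Makefile exists, so `clean` also works
# on a tree that was never configured (the original aborted on the missing
# Makefile before reaching rm). $(RM) is `rm -f`, so a missing Makefile is
# not an error either.
clean:
	if [ -f Makefile ]; then $(MAKE) -f Makefile clean; fi
	$(RM) Makefile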
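.PHONY: romfs
# Files installed into the target root filesystem. Each name is both the
# source (in this directory) and the basename of the destination.
# NOTE(review): ROMFSINST is not defined in this file; it is presumably
# provided by the SDK's top-level build — confirm before running standalone.
romfs_bins := scp sftp sftp-server ssh ssh-add ssh-agent sshd ssh-keygen \
              ssh-keyscan ssh-keysign ssh-pkcs11-helper
romfs_conf := ssh_config sshd_config
romfs_host_keys := ssh_host_rsa_key ssh_host_ecdsa_key ssh_host_ed25519_key

# NOTE(review): the ssh_host_* files are private host keys baked at build
# time into the read-only /etc_ro. Every unit flashed with this image shares
# the same host identity, so a key extracted from one device can impersonate
# all of them to their clients; generating host keys on first boot into
# writable storage (and pointing HostKey there) avoids that.
romfs:
	@$(if $(strip $(ROMFSDIR)),:,$(error ROMFSDIR is empty; refusing to create directories under the host root))
	for f in $(romfs_bins); do $(ROMFSINST) $$f /usr/bin/$$f || exit 1; done
	mkdir -p $(ROMFSDIR)/etc_ro/ssh
	for f in $(romfs_conf) $(romfs_host_keys); do $(ROMFSINST) $$f /etc_ro/ssh/$$f || exit 1; done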

Generate key

  • ssh-keygen -t rsa -f ssh_host_rsa_key -N ""
  • ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -N ""
  • ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""

sshd_config

  • 使用原本的 sshd_config 加上下列修改的地方,其它使用預設值即可。
  • HostKey /etc_ro/ssh/ssh_host_rsa_key
  • HostKey /etc_ro/ssh/ssh_host_ecdsa_key
  • HostKey /etc_ro/ssh/ssh_host_ed25519_key
  • PermitRootLogin yes

Run

  • echo "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin" >> /etc/passwd
  • mkdir -p /var/empty
  • touch /var/log/lastlog
  • /sbin/sshd -E /var/log/sshd.log -f /etc_ro/ssh/sshd_config

.gitignore

Makefile
buildpkg.sh
config.h
-config.h.in
+config.log
config.status
-configure
openbsd-compat/Makefile
openbsd-compat/regress/Makefile
openssh.xml
opensshd.init
survey.sh

Debug

  • /opt/buildroot-gcc483_arm/usr/bin/arm-linux-ld -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o -L. -Lopenbsd-compat/ -L/home/enos/workspace/amr1000/source/user/openssh-7.7p1/../openssl-1.0.1f/lib -L../../lib/zlib-1.2.3 -Wl,--fatal-warnings -L/home/enos/workspace/amr1000/source/uClibc-0.9.33.2/lib -L/home/enos/workspace/amr1000/source/lib/lib -Wl,--fatal-warnings -L/home/enos/workspace/amr1000/source/uClibc-0.9.33.2/lib -L/home/enos/workspace/amr1000/source/lib/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack  -lssh -lopenbsd-compat  -lcrypto -ldl -lutil -lz  -lcrypt 
    /opt/buildroot-gcc483_arm/usr/bin/arm-linux-ld: unrecognized option '-Wl,--fatal-warnings'
    /opt/buildroot-gcc483_arm/usr/bin/arm-linux-ld: use the --help option for usage information
    make[4]: *** [ssh] Error 1
    make[4]: Leaving directory `/home/enos/workspace/amr1000/source/user/openssh-7.7p1'
    make[3]: *** [all] Error 2
    make[3]: Leaving directory `/home/enos/workspace/amr1000/source/user/openssh-7.7p1'
    make[2]: *** [openssh-7.7p1] Error 2
    make[2]: Leaving directory `/home/enos/workspace/amr1000/source/user'
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/home/enos/workspace/amr1000/source/user'
    make: *** [user_only] Error 2
    
    arm-linux-ld 有問題,不知問題在那裏(從錯誤訊息看,-Wl, 是 gcc 驅動程式用來把選項轉交給 ld 的前綴,直接呼叫 ld 時並不認得它),設定 LD=,直接使用 arm-linux-gcc 連結就沒問題了。
  • /opt/buildroot-gcc483_arm/usr/bin/arm-linux-gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth2.o auth-options.o session.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor.o monitor_wrap.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o sandbox-solaris.o -L. -Lopenbsd-compat/ -L/home/enos/workspace/amr1000/source/user/openssh-7.7p1/../openssl-1.0.1f/lib -L../../lib/zlib-1.2.3 -Wl,--fatal-warnings -L/home/enos/workspace/amr1000/source/uClibc-0.9.33.2/lib -L/home/enos/workspace/amr1000/source/lib/lib -Wl,--fatal-warnings -L/home/enos/workspace/amr1000/source/uClibc-0.9.33.2/lib -L/home/enos/workspace/amr1000/source/lib/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack  -lssh -lopenbsd-compat  -lcrypto -ldl -lutil -lz  -lcrypt  
    auth.o: In function `allowed_user':
    auth.c:(.text+0xd18): undefined reference to `getspnam'
    auth-shadow.o: In function `auth_shadow_pwexpired':
    auth-shadow.c:(.text+0x138): undefined reference to `getspnam'
    openbsd-compat//libopenbsd-compat.a(xcrypt.o): In function `xcrypt':
    xcrypt.c:(.text+0x58): undefined reference to `getspnam'
    openbsd-compat//libopenbsd-compat.a(xcrypt.o): In function `shadow_pw':
    xcrypt.c:(.text+0xd8): undefined reference to `getspnam'
    collect2: error: ld returned 1 exit status
    make[4]: *** [sshd] Error 1
    make[4]: Leaving directory `/home/enos/workspace/amr1000/source/user/openssh-7.7p1'
    make[3]: *** [all] Error 2
    make[3]: Leaving directory `/home/enos/workspace/amr1000/source/user/openssh-7.7p1'
    make[2]: *** [openssh-7.7p1] Error 2
    make[2]: Leaving directory `/home/enos/workspace/amr1000/source/user'
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/home/enos/workspace/amr1000/source/user'
    make: *** [user_only] Error 2
    
    SDK 沒有支援 shadow password,設定 --without-shadow 就可以了。
  • # ssh manager@127.0.0.1
    manager@127.0.0.1's password:
    Permission denied, please try again.
    manager@127.0.0.1's password:
    Permission denied, please try again.
    manager@127.0.0.1's password:
    manager@127.0.0.1: Permission denied (publickey,password,keyboard-interactive).
    
    這是因為 root group 權限沒開,在 sshd_config 加上 PermitRootLogin yes 即可。
  • /opt/buildroot-gcc483_arm/usr/bin/arm-linux-gcc -O2 -fomit-frame-pointer -pipe  -Dlinux -D__linux__ -Dunix -DEMBED -I/home/enos/workspace/amr1000/source/uClibc-0.9.33.2/app_headers/include -I/home/enos/workspace/amr1000/source/lib/include -DCONFIG_UCLIBC_0_9_33_2 -mcpu=cortex-a7 -I/home/enos/workspace/amr1000/source  -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset   -I. -I.. -I. -I./.. -I/home/enos/workspace/amr1000/source/user/openssh-7.7p1/../openssl-1.0.1f/include -I../../lib/zlib-1.2.3  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DHAVE_CONFIG_H -c bsd-nextstep.c
    In file included from /home/enos/workspace/amr1000/source/uClibc-0.9.33.2/app_headers/include/rpc/types.h:61:0,
                     from ../includes.h:115,
                     from bsd-nextstep.c:25:
    /home/enos/workspace/amr1000/source/uClibc-0.9.33.2/app_headers/include/stdlib.h:470:1: warning: ‘rpl_malloc’ attribute directive ignored [-Wattributes]
     extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;
     ^
    /home/enos/workspace/amr1000/source/uClibc-0.9.33.2/app_headers/include/stdlib.h:475:6: warning: ‘rpl_malloc’ attribute directive ignored [-Wattributes]
          __THROW __attribute_malloc__ __wur;
          ^
    In file included from /home/enos/workspace/amr1000/source/uClibc-0.9.33.2/app_headers/include/rpc/types.h:61:0,
                     from ../includes.h:115,
                     from bsd-nextstep.c:25:
    /home/enos/workspace/amr1000/source/uClibc-0.9.33.2/app_headers/include/stdlib.h:503:1: warning: ‘rpl_malloc’ attribute directive ignored [-Wattributes]
     extern void *valloc (size_t __size) __THROW __attribute_malloc__ __wur;
     ^
    In file included from /home/enos/workspace/amr1000/source/uClibc-0.9.33.2/app_headers/include/resolv.h:64:0,
                     from ../openbsd-compat/getrrsetbyname.h:59,
                     from ../openbsd-compat/openbsd-compat.h:44,
                     from ../includes.h:174,
                     from bsd-nextstep.c:25:
    /home/enos/workspace/amr1000/source/uClibc-0.9.33.2/app_headers/include/stdio.h:197:6: warning: ‘rpl_malloc’ attribute directive ignored [-Wattributes]
          __THROW __attribute_malloc__ __wur;
          ^
    
    只要在 configure 前面加上 ac_cv_func_malloc_0_nonnull=yes 即可,但是卻會產生另一個問題 xrecallocarray: out of memory,要修改 channels.c 的 channel_clear_adm_permitted_opens 及 channel_clear_permitted_opens。所以就不要理它了。

Reference



  • GetRedirectMacAndUrl() 使用 RemoteAddr(client ip) 透過 ioctl(,RDIOGCLBI,) 讀取 struct rdct_client_entry 資料,並使用 hwaddr(mac), url(redirect), ifname(interface)。
  • 回覆內容來完成轉址
    
    
    
    
    
    
    
    • 中間有一段檢查 iphone 的機制,不懂。


Ethernet II 封包(Frame)

Preamble(7) SFD(1) DA(6) SA(6) Ether type(2) Payload PAD FCS(4)
  • Preamble:一連串的1010…10,用來同步
  • SFD(start of frame delimiter):為10101011,用來表示經同步之後,資料的起始
  • DA(Destination Address):目標的MAC位址。
  • SA(Source Address):來源的MAC位址。
  • Ether type:長度或是 Ethernet Protocol ID。
    /* EtherType values as defined in the Linux kernel's <linux/if_ether.h>;
     * a subset relevant to this note, not the full list. */
    #define ETH_P_IP              0x0800          /* Internet Protocol packet     */
    #define ETH_P_ARP               0x0806          /* Address Resolution packet    */
    #define ETH_P_ATALK     0x809B          /* Appletalk DDP                */
    #define ETH_P_AARP              0x80F3          /* Appletalk AARP               */
    #define ETH_P_8021Q     0x8100                  /* 802.1Q VLAN Extended Header  */
    #define ETH_P_IPX               0x8137          /* IPX over DIX                 */
    #define ETH_P_IPV6              0x86DD          /* IPv6 over bluebook           */
    #define ETH_P_PPP_DISC  0x8863          /* PPPoE discovery messages     */
    #define ETH_P_PPP_SES   0x8864          /* PPPoE session messages       */
    #define ETH_P_PAE               0x888E          /* Port Access Entity (IEEE 802.1X) */
    
  • Payload: MAC封包所要傳送的資料內容,也就是IP封包或者ARP封包等等。
  • PAD(Padding):Ethernet封包長度介於46~1500bytes之間,因此假設IP封包長度沒有符合就必須做補滿的動作。
  • FCS(Frame check sequence, CRC32):Checksum,用來確認傳送資料是否有錯誤。
  • accept_eth_proto 存放允許的 protocol,在 rdct_default_setting() 存入三組 ETH_P_ARP, ETH_P_IPV6, ETH_P_PAE。

eth_hdr()

struct ethhdr 其實就是直接取得 DA(6) 的指標
