# htpdate -d www.wenzk.com
burst: 1 try: 1 when: 500000
www.wenzk.com             02 Sep 2010 06:13:47 GMT (0.491) => 0
#: 1 mean: 0 average: 0.000
Timezone: GMT+8 (CST,CDT)
No time correction needed

只要能看网页（通过代理也行），就可以与相应的服务器同步时间，建议选择大网站作为同步源，小网站服务器本身的时间未必是准确的。程序相关信息：

htpdate.i386 : HTTP based time synchronization tool
Repo        : rpmforge
Matched from:
Description : The HTTP Time Protocol (HTP) is used to synchronize a computer’s
: time with web servers as reference time source. Htpdate will
: synchronize your computer’s time by extracting timestamps from
: HTTP headers found in web servers responses. Htpdate can be
: used as a daemon, to keep your computer synchronized.
:
: Accuracy of htpdate is usually better than 0.5 seconds (even
: better with multiple servers). If this is not good enough for you,
: try the ntpd package.

相关文章

• CentOS+GPS+Gpsd+ntpd架设时间服务器 (0)
• Google拼音输入法无法同步用户词典和设置，提示：网络错误 (0)

GPS: Gstar RS-232接口USB供电。

1、GPS连接COM1口。

2、从http://gpsd.berlios.de/下载gpsd安装，如果系统没有ncurses-devel包，系统将无法编译gpsmon程序。

3、启动gpsd程序，在/etc/rc.local增加

/bin/chmod o+rw /dev/ttyS0
/usr/local/sbin/gpsd -n /dev/ttyS0

4、/etc/ntp.conf文件增加

server 127.127.28.0 minpoll 4 maxpoll 4
fudge 127.127.28.0 time1 0.420 refid GPS

server 127.127.28.1 minpoll 4 maxpoll 4 prefer
fudge 127.127.28.1 refid GPS1

注意：在某些机器不使用/bin/chmod o+rw /dev/ttyS0修改ttS0的权限，ntpd也能读取掉相应的时间信息，但是在某些机器，死活也不好使。

相关文章

• htpdate能浏览网页就能同步时间 (0)
• gpsd-2.95的bug(gpsd.php json_decode error) (0)
• Google地图的WIFI定位技术 (1)

开始以为是php-json的问题，同事写了个简单的测试脚本，一切正常，最后观察返回的json数据，发现最后多了“]}”字符导致的。

在gpsd-2.95版本出现的bug，别的版本是否存在没有去研究过。

diff -u gpsd.c_old gpsd.c
--- gpsd.c_old  2010-08-29 00:57:24.000000000 +0800
+++ gpsd.c      2010-08-29 00:57:39.000000000 +0800
@@ -1185,7 +1185,7 @@
 }
 if (reply[strlen(reply) - 1] == ',')
 reply[strlen(reply) - 1] = '\0';    /* trim trailing comma */
-       (void)strlcat(reply, "]}]}\r\n", replylen);
+       (void)strlcat(reply, "]}\r\n", replylen);
 } else if (strncmp(buf, "VERSION;", 8) == 0) {
 buf += 8;
 json_version_dump(reply, replylen);

相关文章

• CentOS+GPS+Gpsd+ntpd架设时间服务器 (0)
• Google地图的WIFI定位技术 (1)
• 注册天涯社区的小bug (0)
• 服务器再次故障，仍然是sky2驱动问题 (2)
• Google Gears GeolocationAPI (0)

From: http://www.hackhy.com/Article/3/32/html/6839.html

相关文章

• 单网卡多次PPPoE拨号问题 (0)
• CentOS 5.4 sky2驱动出错解决办法 (0)
• CentOS Mirroring HowTo (0)
• Balancing Connections Over Multiple Links (0)
• Linux Console下如何调节声卡音量大小 (0)

URPF 处理流程
URPF 检查有严格（strict）型和松散（loose）型两种。此外，还可以支持ACL 与缺省路由的检查。
URPF 的处理流程如下：
(1) 如果报文的源地址在路由器的FIB 表中存在对于strict 型检查，反向查找报文出接口，若其中至少有一个出接口和报文的入接口相匹配，则报文通过检查；否则报文将被拒绝。（反向查找是指查找以该报文源IP 地址为目的IP 地址的报文的出接口）对于loose 型检查，报文进行正常的转发。
(2) 如果报文的源地址在路由器的FIB 表中不存在，则检查缺省路由及URPF 的allow-default-route 参数。
对于配置了缺省路由，但没有配置参数allow-default-route 的情况，不管是strict型检查还是loose 型检查，只要报文的源地址在路由器的FIB 表中不存在，该
报文都将被拒绝；
对于配置了缺省路由，同时又配置了参数allow-default-route 的情况下，如果是strict 型检查，只要缺省路由的出接口与报文的入接口一致，则报文将通过
URPF 的检查，进行正常的转发；如果缺省路由的出接口和报文的入接口不一致，则报文将拒绝。如果是loose 型检查，报文都将通过URPF 的检查，进行
正常的转发。
(3) 当且仅当报文被拒绝后，才去匹配ACL。如果被ACL 允许通过，则报文继续进行正常的转发；如果被ACL 拒绝，则报文被丢弃。

以下文字来自CISCO官方网站：http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
Introduction
Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF mode. Note that not all network devices support all three modes of operation. Unicast RPF in VRF mode will not be covered in this document.

When administrators use Unicast RPF in strict mode, the packet must be received on the interface that the router would use to forward the return packet. Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router’s choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network.

When administrators use Unicast RPF in loose mode, the source address must appear in the routing table. Administrators can change this behavior using the allow-default option, which allows the use of the default route in the source verification process. Additionally, a packet that contains a source address for which the return route points to the Null 0 interface will be dropped. An access list may also be specified that permits or denies certain source addresses in Unicast RPF loose mode.

Care must be taken to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic. Although asymmetric traffic flows may be of concern when deploying this feature, Unicast RPF loose mode is a scalable option for networks that contain asymmetric routing paths.
Unicast RPF in an Enterprise Network
In many enterprise environments, it is necessary to use a combination of strict mode and loose mode Unicast RPF. The choice of the Unicast RPF mode that will be used will depend on the design of the network segment connected to the interface on which Unicast RPF is deployed.

Administrators should use Unicast RPF in strict mode on network interfaces for which all packets received on an interface are guaranteed to originate from the subnet assigned to the interface. A subnet composed of end stations or network resources fulfills this requirement. Such a design would be in place for an access layer network or a branch office where there is only one path into and out of the branch network. No other traffic originating from the subnet is allowed and no other routes are available past the subnet.

Unicast RPF loose mode can be used on an uplink network interface that has a default route associated with it.
Unicast RPF Examples
Cisco IOS Devices
An important consideration for deployment is that Cisco Express Forwarding switching must be enabled for Unicast RPF to function. This command has been enabled by default as of IOS version 12.2. If it is not enabled, administrators can enable it with the following global configuration command: ip cef

Unicast RPF is enabled on a per-interface basis. The ip verify unicast source reachable-via rx command enables Unicast RPF in strict mode. To enable loose mode, administrators can use the any option to enforce the requirement that the source IP address for a packet must appear in the routing table. The allow-default option may be used with either the rx or any option to include IP addresses not specifically contained in the routing table. The allow-self-ping option should not be used because it could create a denial of service condition. An access list such as the one that follows may also be configured to specifically permit or deny a list of addresses through Unicast RPF:

interface FastEthernet 0/0
ip verify unicast source reachable-via {rx | any} [allow-default]
[allow-self-ping] [list]

Addresses that should never appear on a network can be dropped by entering a route to a null interface. The following command will cause all traffic received from the 10.0.0.0/8 network to be dropped even if Unicast RPF is enabled in loose mode with the allow-default option: ip route 10.0.0.0 255.0.0.0 Null0

从以上文字可以看出，CISCO在实现uRPF的时候考虑得比H3C稍微多了一点点，起码思科考虑到了路由表中下一跳地址为Null0接口的处理。

相关文章

• 最近那些事 (2)
• 两个开源的Netflow Collector (0)
• 关于Cisco 6509/7609 交换机Netflow的配置[转载] (0)

方法一：虚拟机

这个方法也是最容易想到的，在网上也可以查到一堆资料。

如上图所示，在物理机器上安装虚拟机软件（如：VMware、Xen、Virtualbox等），在虚拟机中增加多块网卡，并且将虚拟网卡与物理网卡（eth0）进行“桥接”（注：这里的桥接不是Linux系统里面的桥接，而是虚拟机软件中配置虚拟网卡与物理网卡之间的关系）。在虚拟机安装Linux系统，即可以通过eth0、eth1、ethX来建立多个PPPoE连接了。

方法二：VLAN

这个方法通过VLAN来实现，不知道在网上是否有相关的资料，反正到目前为止我还没有搜索到相关的资料，应该属于自创吧，呵呵。

具体如下如：

如上如所示，做如下操作：

1、用交叉线（新的网卡已经不用交叉线了）把eth1和eth2连接起来。

2、在eth1和eth2上启动VLAN，在eth1上创建相应的vlan接口（eth1.10、eth1.11、eth1.12 …)，同样在eth2接口上也创建相应的vlan接口（eth2.10、eth2.11、eth2.12 …)。

3、把eth1.10、eth1.11、eth1.12…eth1.X与物理网卡eth0桥接。（注意，这里使用的是Linux系统自带的桥接功能）。

4、修改eth2.10、eth2.11、eth2.12 …eth2.X的MAC地址。（建议修改，MAC地址相同也能用）。

5、分别用eth2.10、eth2.11、eth2.12 …eth2.X进行PPPoE连接。

方法三：与方法二一致，只是eth1、eth2和中间的双绞线通过软件来实现（经试验OpenVPN是可行的），具体方法这里不详述。

方法四：X-router（Windows下的软件），详见：http://www.yitsoftware.com/XRouter/index.htm

相关文章

• 单网卡多次PPPoE拨号问题 (0)
• ADSL改成小区宽带接入啦 (0)
• 使用freebsd构建pppoe server服务器 (0)
• 基于freebsd建立内核模式的pppoe服务器 (0)
• Guide: OpenVPN with Windows 7 (0)

Say you have access to multiple links to the Internet, such as several wireless networks in range. Wouldn’t it be nice to combine all that bandwidth into one big fat pipe?

Unfortunately it’s not so easy. You can’t just trunk them together because they each have a different public IP address, gateway, etc.

What you can do however, thanks to some nifty Linux NetFilter extensions, is assign outgoing connections to different interfaces. This will allow protocols such as BitTorrent to utilize bandwidth from each of the links.

This document focuses on Linux iptables/NetFilter. You can achieve pretty much the same result with Linux Advanced Routing techniques. One small difference, as the link mentions, is that routes are cached, so connections to frequently used sites will always go over the same link. This may or may not be the behaviour you desire.

You need a recent Linux kernel patched with support for the ROUTE target and either the “nth” or “random” match module. These patches are available in NetFilter’s “patch-o-matic-ng” subversion module. I won’t go into how to apply the patches, as more than sufficient documentation is included with them.

Testing I did was on Linux 2.6.14.2 patched with a copy of patch-o-matic-ng checked out with svn on 2005-11-18.

In the following examples, I use three interfaces:

• eth0: Wired connection, 192.168.1.0/24, gateway 192.168.1.1, default route.
• eth1: Wireless connetion 1, 172.16.0.0/16, gateway 172.16.0.1
• rausb0: Wireless connetion 2, 192.168.0.0/24, gateway 192.168.0.1

I use the connmark match/target to assign each connection to an interface, and make sure all the packets for the connection go over that one interface. Balancing the connections over the interfaces can be done with either “random” or “nth” match module. I will give you both examples, choose which ever one you prefer. The following commands are common to both methods.

Common commands:

# prevent incoming packets on masqueraded connections from being dropped
# as "martians" due to the destination address being translated before the
# rp_filter check is performed
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/rausb0/rp_filter

# Load protocol-specific connection tracking modules so that new connections
# associated with existing connections have state "RELATED" and inherit the
# same connmark.
modprobe ip_conntrack_ftp

# masquerade outgoing connections on secondary interfaces
iptables -t nat -A POSTROUTING -o eth1   -s ! 172.16.0.0/16  -m state --state NEW,RELATED -j MASQUERADE
iptables -t nat -A POSTROUTING -o rausb0 -s ! 192.168.0.0/24 -m state --state NEW,RELATED -j MASQUERADE

# create a chain for processing new outgoing connetions
iptables -t mangle -N NEW_OUT_CONN

# Skip connections we want to always go out wired interface
iptables -t mangle -A NEW_OUT_CONN -d 192.168.1.0/24 -j RETURN
iptables -t mangle -A NEW_OUT_CONN -p tcp -m multiport --destination-ports 21,22,80,443,6667 -j RETURN
iptables -t mangle -A NEW_OUT_CONN -p udp --dport 53 -j RETURN

# have new outgoing connections pass through the above chain
iptables -t mangle -A OUTPUT -o eth0 -m state --state NEW -j NEW_OUT_CONN

# send packets out chosen interface
iptables -t mangle -A OUTPUT -m connmark --mark 2 -j ROUTE --gw 172.16.0.1 --continue
iptables -t mangle -A OUTPUT -m connmark --mark 3 -j ROUTE --gw 192.168.0.1 --continue

The “random” method:

# 34% of the time go out the default interface
iptables -t mangle -A NEW_OUT_CONN -j CONNMARK --set-mark 0
iptables -t mangle -A NEW_OUT_CONN -m random --average 34 -j RETURN

# 33% of the time go out eth1 (50% of the remaining probability)
iptables -t mangle -A NEW_OUT_CONN -j CONNMARK --set-mark 2
iptables -t mangle -A NEW_OUT_CONN -m random --average 50 -j RETURN

# else (hopefully 33% of the time) go out rausb0
iptables -t mangle -A NEW_OUT_CONN -j CONNMARK --set-mark 3

The “nth” method:

# 1st of every 3 connections goes out the default interface
iptables -t mangle -A NEW_OUT_CONN -j CONNMARK --set-mark 0
iptables -t mangle -A NEW_OUT_CONN -m nth --counter 1 --every 3 --packet 0 -j RETURN

# 2nd of every 3 connections goes out eth1
iptables -t mangle -A NEW_OUT_CONN -j CONNMARK --set-mark 2
iptables -t mangle -A NEW_OUT_CONN -m nth --counter 1 --every 3 --packet 1 -j RETURN

# 3rd of every 3 connections goes out rausb0
iptables -t mangle -A NEW_OUT_CONN -j CONNMARK --set-mark 3
iptables -t mangle -A NEW_OUT_CONN -m nth --counter 1 --every 3 --packet 2 -j RETURN

Handling when an interface goes down:

This script will make sure no packets get routed over a secondary interface that has gone down. Put it in your /etc/network/if-down.d/ (Debian), or equivalent, directory and chmod +x it.

#!/bin/sh

if [ "$IFACE" = "eth1" ]; then
  iptables -t mangle -D OUTPUT -m connmark --mark 2 -j ROUTE --gw 172.16.0.1 --continue 2>/dev/null
fi

if [ "$IFACE" = "rausb0" ]; then
  iptables -t mangle -D OUTPUT -m connmark --mark 3 -j ROUTE --gw 192.168.0.1 --continue 2>/dev/null
fi

exit 0

Handling when an interface comes back up:

This script will allow an interface to be used again when it comes back up. Put it in your /etc/network/if-up.d/ (Debian), or equivalent, directory and chmod +x it.

#!/bin/sh

if [ "$IFACE" = "eth1" ]; then
  iptables -t mangle -A OUTPUT -m connmark --mark 2 -j ROUTE --gw 172.16.0.1 --continue 2>/dev/null
fi

if [ "$IFACE" = "rausb0" ]; then
  iptables -t mangle -A OUTPUT -m connmark --mark 3 -j ROUTE --gw 192.168.0.1 --continue 2>/dev/null
fi

exit 0

Not too shaby I think. Normally with my single DSL connection alone I get somewhere around 150 KB/s. Maybe if there’s a smarter way to distribute connections this could be improved upon. Optimally my 3 test links combined would add up to 450 KB/s.

• Write scripts to make setting all this up a snap.
• Figure out a way to translate outgoing FTP ‘PORT’ commands for all links.

Mon Jan 2 05:43:47 PST 2006
Michael Heimpold pointed out that –average 33 was wrong for the second -m random rule.

Fri Jan 13 09:37:12 PST 2006
Michael Heimpold figured out that RELATED connections (set as such by modules like ip_conntrack_ftp) inherit the same connmark. Changed the masquerading rules to also match RELATED packets. Now passive FTP works reliably.

From: http://tetro.net/misc/multilink.html

相关文章

• Links Load balancing (0)
• Netfilter Connmark (0)
• 通过iptables的recent模块保护某些私有服务 (2)
• 其实Recent还可以这么用 (0)
• 巧用Recent模块加固Linux安全 (0)

下载地址：http://www.2600hz.org/downloads/

相关文章

• 为何我的LinkSys SPA1001无法注册 (0)
• Asterisk/Freeiris使用过程中碰到的一些问题及注意事项 (0)
• 连接两台asterisk服务器 (0)
• Linksys SIP网关NAT问题 (0)
• ASTERISK之SIP对接及注册设置 (0)

在CentOS5下安装上mplayer和vlc播放器后，播放mp3，接上耳机结果没声音，通过lsmod查看声卡驱动应该是没问题的，相应的模块都加载进来了。应该是混音器的问题，于是找寻Linux下Console混音器软件alsa-utils。

[wzk@ELM_HR ~]$ yum -v search alsa-utils
Loading "fastestmirror" plugin
Loading "kmod" plugin
Config time: 0.226
Loading Fedora Extras kernel module support.
Yum Version: 3.2.22
Setting up Package Sacks
pkgsack time: 0.099
rpmdb time: 0.000
================================ Matched: alsa-utils =================================
alsa-utils.i386 : Advanced Linux Sound Architecture (ALSA) utilities
Repo        : base
Matched from:

从上面可以看到，alsa-utils可以直接通过yum install来安装，安装后运行alsamixer，可以看到如下界面：

注意：“MM”表示被禁音了，按m即可取消，Master和PCM不能被禁音，按Esc退出。

相关文章

• 如何免费搭建自己的vps服务器？ (0)
• Balancing Connections Over Multiple Links (0)
• Links Load balancing (0)
• Netfilter Connmark (0)
• 单网卡多次PPPoE拨号问题 (0)

现象：服务器启动后（iptables也启动了），后打开Linksys SPA1001无法注册（在此之前SPA1001曾经注册到服务器上），相同的帐号，用X-lite可以注册。

解决办法：

1、SPA1001启动后，停止iptables，等待一段时间后重新启动iptables即可。

2、Linux的iptables启动的时候，不加载“ip_nat_sip”模块，有可能“ip_conntrack_sip”也不要加载。

3、启动Asterisk之前删除“/var/lib/asterisk/astdb”文件。

以上方法任选其一即可。

经过分析发现，其实就是被Asterisk、SPA1001、ip_nat_sip和UDP给愚弄了。

主要问题：

SPA 1001：该死的SPA1001去连接SIP服务器的时候，居然是用5060这个源端口。

Asterisk：会产生/var/lib/asterisk/astdb文件，用于记录所有SIP client的IP地址和端口号，下次重新启动后，会主动对端口为5060的IP地址发送一个OPTIONS…的报文。

UDP：UDP报文是面向无连接的，所以ip_nat_sip去检查连接状态的时候，就会通过源、目的IP地址和端口来确定是否同一个连接。

/var/lib/asterisk/astdb文件的内容：

# strings astdb
/SIP/Registry/8001
192.168.1.1:5060:300:8001:sip:8001@192.168.1.1:5060

Asterisk启动后，SPA1001尚未启动前/proc/net/ip_conntrack里面的相关内容：

udp      17 3590 src=192.168.1.254 dst=192.168.1.1 sport=5060 dport=5060 packets=25 bytes=14500 [UNREPLIED] src=192.168.1.1 dst=192.168.1.254 sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=1

给SPA1001加电后/proc/net/ip_conntrack里面的相关内容：

udp      17 3596 src=192.168.1.254 dst=192.168.1.1 sport=5060 dport=5060 packets=31 bytes=17980 src=192.168.1.1 dst=192.168.1.254 sport=5060 dport=5060 packets=5 bytes=2477 [ASSURED] mark=0 secmark=0 use=1

系统居然把SPA1001注册的报文与之前Asterisk发送的那个OPTIONS报文给关联上了，导致Asterisk一直无法收到注册请求。

相关文章

• Asterisk/Freeiris使用过程中碰到的一些问题及注意事项 (0)
• How do I change my default Maint password? (0)
• 连接两台asterisk服务器 (0)
• ASTERISK之SIP对接及注册设置 (0)
• Trixbox的SIP Trunk配置 (0)