
OpenVZ in Proxmox, margin notes


Perhaps this does not quite qualify as a full-fledged article, but I have tried to collect here all the unusual moments I ran into while working with OpenVZ containers and the Proxmox hypervisor, and to give ready-made recipes with examples; maybe it will save someone time looking for solutions. There will be little text and many examples, and no cat pictures.


So, let's go:

1. Forwarding various features and devices from the hypervisor to the OpenVZ container


1.1. Forwarding fuse

On the hypervisor:
Stop the OpenVZ container
 vzctl stop [VEID] 

Run
 vzctl set [VEID] --devices c:10:229:rw --save 
 vzctl exec [VEID] mknod /dev/fuse c 10 229 

Start the container
 vzctl start [VEID] 

where [VEID] is the container number; after this, fuse mounts work inside the container.

1.2. Forwarding NFS

On the hypervisor:
Install nfs server
 aptitude install nfs-kernel-server 

edit the nfs config
 nano /etc/exports 

for example, export /var/lib/vz to 10.1.1.2
 /var/lib/vz 10.1.1.2(rw,sync,fsid=root,no_root_squash,crossmnt,no_subtree_check) 

(no_root_squash lets root inside the client write to /var/lib/vz as root on the hypervisor, so keep the export limited to that one address)

restart nfs server
 /etc/init.d/nfs-kernel-server restart 

Add nfs support to the container
 vzctl set [VEID] --features "nfs:on" --save 

Inside the container:
 aptitude install nfs-common 

Mount example
 mount -t nfs 10.1.1.1:/var/lib/vz/ /vz 

1.3. Forwarding USB devices

In all cases of device forwarding, if there is more than one device it is better to edit the container configuration directly rather than use vzctl: if you did not list all the necessary devices on one line at once, vzctl erases all previous forwardings and keeps only the last one.

In general:
 vzctl set [VEID] --devices b|c:major:minor|all:[r|w|rw|none] 

where b is a block device and c is a character device; the major:minor numbers of a specific device are looked up under /dev/bus/usb.
Forwarding by name
 vzctl set [VEID] --devnodes ttyUSB0:rw --save 

Forwarding by device number
 vzctl set [VEID] --devices c:189:all:rw --save 

Or by editing the config (name-based entries go into DEVNODES=, major:minor entries into DEVICES=):
 nano /etc/pve/openvz/[VEID].conf 
 DEVNODES="ttyUSB1:rw " 
 DEVICES="c:189:all:rw " 

To forward a USB device into an already running container, bind-mount it from the host into the container:
 mount -o bind /dev/<DEVNAME> $VE_ROOT/dev/<DEVNAME> 

1.4. Forwarding a sound card (both built-in and usb)

In many ways this is similar to a regular usb device, but with some differences.
On the hypervisor:
Load the kernel modules for sound
 modprobe snd_dummy 
 echo "snd_dummy" >> /etc/modules 

If the sound card is USB, additionally
 modprobe snd_usb_audio 
 echo "snd_usb_audio" >> /etc/modules 

Make sure the modules are loaded.
 lsmod | grep snd 

A list of all loaded audio modules should be displayed.
Add the devices to the container config
 vzctl set [VEID] --devices c:116:all:rw --devices c:4:all:rw --save 

If this is not the first forwarded device, the command will overwrite the previous ones; in that case edit the file
 /etc/pve/openvz/[VEID].conf 

and add the line to it
 DEVICES="c:116:all:rw c:4:all:rw " 
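The overwrite caveat from 1.3 and 1.4 is the reason to edit the conf directly. As an added example, not code from the original article, the shell functions below merge new entries into the DEVICES= or DEVNODES= line of a container config without losing the ones already there; the config path and the two key names are the ones shown above, everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): add device entries to the
# DEVICES= / DEVNODES= line of an OpenVZ container config without clobbering
# the entries already present. vzctl set --devices/--devnodes replaces the
# whole list, so with several forwarded devices the conf is edited instead.
# Assumed path: /etc/pve/openvz/[VEID].conf; the functions take the path as
# an argument so they can be tried on a scratch copy first.

# vz_get_dev CONF KEY -> prints the current value of KEY (quotes stripped)
vz_get_dev() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# vz_add_dev CONF KEY ENTRY...
#   CONF  - path to the container config
#   KEY   - DEVICES or DEVNODES
#   ENTRY - entries such as c:116:all:rw (DEVICES) or ttyUSB0:rw (DEVNODES)
vz_add_dev() {
    conf=$1; key=$2; shift 2
    # current value, empty if the line does not exist yet
    new=$(vz_get_dev "$conf" "$key")
    for e in "$@"; do
        # skip entries that are already listed (exact token match)
        case " $new " in
            *" $e "*) continue ;;
        esac
        new="$new $e"
    done
    # normalise to single spaces with no leading/trailing space
    new=$(printf '%s\n' "$new" | tr -s ' ' | sed 's/^ //; s/ $//')
    tmp="$conf.tmp.$$"
    # drop the old KEY= line(s), append the merged one, write back in place
    grep -v "^${key}=" "$conf" > "$tmp" || true
    printf '%s="%s"\n' "$key" "$new" >> "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}
```

A typical call on the hypervisor would be `vz_add_dev /etc/pve/openvz/101.conf DEVICES c:116:all:rw c:4:all:rw`, followed by a container restart so vzctl picks the new list up.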

List all snd devices
 ls -la /dev/snd 

 crw-rw---T 1 root audio 116, 6 Jan 25 19:19 controlC0 
 crw-rw---T 1 root audio 116, 9 Jan 27 09:52 controlC1 
 crw-rw---T 1 root audio 116, 5 Jan 25 19:19 pcmC0D0c 
 crw-rw---T 1 root audio 116, 4 Jan 25 19:20 pcmC0D0p 
 crw-rw---T 1 root audio 116, 8 Jan 27 09:52 pcmC1D0c 
 crw-rw---T 1 root audio 116, 7 Jan 27 09:52 pcmC1D0p 
 crw-rw---T 1 root audio 116, 3 Jan 25 17:47 seq 
 crw-rw---T 1 root audio 116, 2 Jan 25 17:47 timer 

Enter the container
 vzctl enter [VEID] 

Run
 rm -r /dev/snd 
 mkdir /dev/snd 
 mknod /dev/snd/controlC0 c 116 6 
 mknod /dev/snd/controlC1 c 116 9 
 mknod /dev/snd/pcmC0D0c c 116 5 
 mknod /dev/snd/pcmC0D0p c 116 4 
 mknod /dev/snd/pcmC1D0c c 116 8 
 mknod /dev/snd/pcmC1D0p c 116 7 
 mknod /dev/snd/seq c 116 3 
 mknod /dev/snd/timer c 116 2 
 chmod 660 /dev/snd/* 
 chown :audio /dev/snd/* 

(Note that the device numbers and names must match those on the hypervisor.)
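Typing the mknod lines by hand is where the numbers drift from the hypervisor's. As an added example, not from the original article, the helpers below read an `ls -l /dev/snd` listing in the format shown above, generate the mknod/chmod/chown commands from it, and compare a hypervisor listing with a container listing to catch a mismatch; the embedded listing is constructed sample data copied from the section above.

```shell
#!/bin/sh
# Added example, not from the original article: mirror the hypervisor's
# /dev/snd into a container from an `ls -l` listing, and check the result.
# Everything here is assumed; only the listing format comes from the article.

# snd_nodes < ls-l-output -> sorted "name type major minor" lines, one per node
snd_nodes() {
    awk '$1 ~ /^[bc]/ {
        # ls -l: "crw-rw---T 1 root audio 116, 6 Jan 25 19:19 controlC0"
        # field 1 = type+perms, 5 = major (with comma), 6 = minor, last = name
        maj = $5; sub(/,$/, "", maj)
        print $NF, substr($1, 1, 1), maj, $6
    }' | sort
}

# snd_mknod_script DIR < ls-l-output -> the mknod/chmod/chown commands for DIR
snd_mknod_script() {
    snd_nodes | awk -v d="$1" '
        { printf "mknod %s/%s %s %s %s\n", d, $1, $2, $3, $4 }
        END { if (NR > 0) printf "chmod 660 %s/*\nchown :audio %s/*\n", d, d }'
}

# snd_check HOST_LISTING CT_LISTING -> 0 if the nodes match, 1 otherwise;
# the differing lines are printed (names and numbers must match, see above)
snd_check() {
    h=$(mktemp) || return 2
    c=$(mktemp) || { rm -f "$h"; return 2; }
    snd_nodes < "$1" > "$h"
    snd_nodes < "$2" > "$c"
    if diff "$h" "$c"; then rc=0; else rc=1; fi
    rm -f "$h" "$c"
    return $rc
}

# constructed sample: the hypervisor listing from the section above
SND_HOST_LISTING='crw-rw---T 1 root audio 116, 6 Jan 25 19:19 controlC0
crw-rw---T 1 root audio 116, 9 Jan 27 09:52 controlC1
crw-rw---T 1 root audio 116, 5 Jan 25 19:19 pcmC0D0c
crw-rw---T 1 root audio 116, 4 Jan 25 19:20 pcmC0D0p
crw-rw---T 1 root audio 116, 8 Jan 27 09:52 pcmC1D0c
crw-rw---T 1 root audio 116, 7 Jan 27 09:52 pcmC1D0p
crw-rw---T 1 root audio 116, 3 Jan 25 17:47 seq
crw-rw---T 1 root audio 116, 2 Jan 25 17:47 timer'

# typical use on the hypervisor:
#   ls -l /dev/snd | snd_mknod_script /dev/snd > mk_snd.sh
# then run mk_snd.sh inside the container and compare the two listings:
#   snd_check host_snd.txt ct_snd.txt
```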

Install alsa
 aptitude install alsa alsa-lib alsa-base alsa-util libdssialsacompat0 

Now add the required container users to the audio group.
 adduser skype audio 

1.5. Forwarding X

Enter the container via vzctl (not SSH)
make a symlink
 rm /dev/tty0 
 ln -s /dev/tty1 /dev/tty0 

Remove nscd if it is installed
 aptitude remove nscd 

Install the necessary packages
 aptitude -R install xorg xserver-xorg-video-dummy xserver-xorg-input-kbd xserver-xorg-input-mouse alsa-base linux-sound-base libaudiofile0 dbus udev 

Bring /etc/X11/xorg.conf to the following form
 Section "InputDevice" 
     Identifier "Dummy Input" 
     Driver "void" 
 EndSection 
 Section "Device" 
     Identifier "Dummy Video" 
     Driver "dummy" 
 EndSection 
 Section "Monitor" 
     Identifier "Configured Monitor" 
 EndSection 
 Section "Screen" 
     Identifier "Default Screen" 
     Monitor "Configured Monitor" 
     Device "Dummy Video" 
 EndSection 
 Section "ServerLayout" 
     Identifier "Default Layout" 
     Screen "Default Screen" 
     InputDevice "Dummy Input" 
 EndSection 

Start X
 /usr/bin/X :<DISPLAY#> 

where <DISPLAY#> is the display number (the Skype command below uses display :1).

For example, Skype (for Skypiax) run under the UID "skype":
 su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &" 

(secret:password is a placeholder; note that the whole -c string, credentials included, is visible in the process list while the shell that runs it is alive)

1.6. Forwarding a disk partition

For example, sda4
 vzctl set [VEID] --devnodes sda4:rw --save 

1.7. Forwarding tun/tap

Needed, for example, for a VPN inside the container.
On the hypervisor, check whether the tun module is loaded
 lsmod | grep tun 

if it is not, load it and add it to the autoload list
 modprobe tun 
 echo "tun" >> /etc/modules 

then forward the device to the container and give it the net_admin capability
 vzctl stop [VEID] 
 vzctl set [VEID] --devices c:10:200:rw --save 
 vzctl set [VEID] --capability net_admin:on --save 
 vzctl start [VEID] 


2. iptables

Allow the containers the iptables modules they need in the VZ config
 nano /etc/vz/vz.conf 

set the IPTABLES variable
 IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp" 

and restart VZ
 /etc/init.d/vz restart 

On the hypervisor itself, add the modules to the autoload list (one per line)
 nano /etc/modules 
 ipt_MASQUERADE 
 ipt_helper 
 ipt_REDIRECT 
 ipt_state 
 ipt_TCPMSS 
 ipt_LOG 
 ipt_TOS 
 iptable_nat 
 ipt_length 
 ipt_tcpmss 
 iptable_mangle 
 ipt_limit 
 ipt_tos 
 iptable_filter 
 ipt_ttl 
 ipt_REJECT 
 loop 

The hypervisor firewall as an init script:

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# TCP stack tuning: fewer SYN-ACK retries, larger SYN backlog, SYN cookies,
# short FIN timeout, aggressive keepalives, reverse-path filtering
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

# default policies: drop incoming, allow forwarded (container) and outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# replies to connections the host initiated
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# loopback
$IPT -A INPUT -i lo -j ACCEPT

# fully trusted internal interfaces
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Proxmox cluster traffic: multicast and corosync ports 5404,5405
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# drop new TCP connections that do not start with SYN (inserted at the top of INPUT)
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# SSH brute-force protection: record each new connection per source address and
# drop a source that opens 4 or more in 60 seconds. The --set and --update rules
# must come before the ACCEPT below, otherwise the DROP is never reached.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# open services
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request and time exceeded
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

# packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP replies to the host's own client
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# xmas and null scans
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# other invalid flag combinations, then SYN rate limiting
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

# flush all rules and chains and open everything
$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

Set the time zone (Europe/Simferopol in this example)
 mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date 

Hide the subscription notice in the web interface: in the file
 /usr/share/pve-manager/ext4/pvemanagerlib.js 
replace
 if (data.status !== 'Active') { 
with
 if (data.status == 'Active') { 
(the file belongs to the pve-manager package, so the edit is lost on upgrade and has to be repeated)

Proxmox: 'exit code 60' – corrupt quota file. Turn the container's quota off and on again; the two vzquota : lines are the output of the first command and are expected:
 vzquota off [VEID] 
 vzquota : (error) Quota is not running for id [VEID] 
 vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] 
 vzquota on [VEID] 

On the error (cluster not ready - no quorum), set the expected number of votes
 pvecm e 
(short for pvecm expected; the argument is the number of votes to expect)
Basic OpenVZ commands, where [VEID] is the container number:
 vzctl start [VEID] 

 vzctl enter [VEID] 

 vzctl stop [VEID] 

 vzctl restart [VEID] 

 vzctl destroy [VEID] 

 vzlist -a 

UPD-1: vlan

Example for VLANs 151, 152 and 666 on eth0, each with its own bridge:
 /etc/network/interfaces 
 auto vlan151 
 iface vlan151 inet manual 
     vlan_raw_device eth0 

 auto vlan152 
 iface vlan152 inet manual 
     vlan_raw_device eth0 

 auto vlan666 
 iface vlan666 inet manual 
     vlan_raw_device eth0 

 auto vmbr151 
 iface vmbr151 inet static 
     address 0.0.0.0 
     netmask 255.255.255.255 
     bridge_ports vlan151 
     bridge_stp off 
     bridge_fd 0 

 auto vmbr152 
 iface vmbr152 inet static 
     address 0.0.0.0 
     netmask 255.255.255.255 
     bridge_ports vlan152 
     bridge_stp off 
     bridge_fd 0 

 auto vmbr666 
 iface vmbr666 inet static 
     address 0.0.0.0 
     netmask 255.255.255.255 
     bridge_ports vlan666 
     bridge_stp off 
     bridge_fd 0 

 apt-get install vlan 

 ifup vlan151 
 ifup vlan152 
 ifup vlan666 
 ifconfig 

The bridges vmbr151, vmbr152 and vmbr666 can then be used as container network (network) interfaces.


Additional interfaces (here eth1 with a static address, on debian) are kept in a separate file:
 /etc/network/interfaces.tail 
 auto eth1 
 iface eth1 inet static 
     address 10.7.10.5 
     netmask 255.255.255.0 

 cat /etc/network/interfaces.tail >> /etc/network/interfaces 

The contents of *.tail are appended again when the web interface regenerates the network config, so interfaces added this way are not lost.


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# kernel TCP tuning: fewer SYN-ACK retries, SYN cookies, short FIN/keepalive timers, reverse-path filtering
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

# default policies: drop all inbound, allow forwarding (container traffic) and outbound
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# replies to connections opened from this host
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# loopback
$IPT -A INPUT -i lo -j ACCEPT

# trusted internal interfaces: second NIC and the container bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Proxmox cluster traffic: multicast and corosync on UDP 5404/5405
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# new TCP connections must begin with SYN (inserted at the top of the chain)
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# SSH brute-force limit: the "recent" list must be filled (--set) and checked (--update)
# before the ACCEPT rule for port 22, otherwise the DROP never sees a packet;
# more than 4 new connections within 60 s from one address are dropped
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# management services (open to any source here; add -s <admin network> where possible)
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# netbios noise
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request and time exceeded
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

# packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP replies (server port 67 to client port 68) through iptables
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# XMAS and NULL scans: all flags set or none set
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# other impossible flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood: new connections limited to 2/s with a burst of 6, the rest dropped
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

# flush all rules, delete user chains, open the policies
$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0
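Rule order decides whether the SSH limiter in the script above does anything: an ACCEPT for port 22 placed before the "recent --update ... -j DROP" rule makes the limiter dead code. The following is an added example, not part of the article: a POSIX sh/awk check that reads an init script of this shape on stdin and reports every port whose "-A INPUT" ACCEPT precedes a "recent --update" DROP. Rules added with -I go to the top of the chain and are deliberately not considered; the sample rule lines in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the article: lint an iptables init script for a
# "recent" brute-force limiter that can never fire because an ACCEPT for the
# same port appears earlier in the INPUT chain. The script text comes on stdin.
set -eu

# dead_recent_rules < script
# prints "port N: ACCEPT at line A precedes recent DROP at line B" per affected
# port; exit status 1 if anything was found, 0 if the order is fine
dead_recent_rules() {
    awk '
    # only appended INPUT rules with a single --dport are examined;
    # -I rules are inserted at the top and are out of scope here
    /\$IPT -A INPUT/ && /--dport [0-9]+/ {
        port = $0
        sub(/.*--dport /, "", port)
        sub(/ .*/, "", port)
        if ($0 ~ /-j ACCEPT/ && !(port in accept_line))
            accept_line[port] = NR
        if ($0 ~ /-m recent --update/ && $0 ~ /-j DROP/ && (port in accept_line)) {
            printf "port %s: ACCEPT at line %d precedes recent DROP at line %d\n",
                   port, accept_line[port], NR
            dead = 1
        }
    }
    END { exit (dead ? 1 : 0) }'
}

# usage (constructed sample): dead_recent_rules < /etc/init.d/iptables
```

A clean result means only that the limiter is reachable; it does not check that a matching "--set" rule exists, so the two rules should still be reviewed together.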

3.

Set the hypervisor time zone (Europe/Simferopol here):
 mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date

Patching the web panel: in the file
 /usr/share/pve-manager/ext4/pvemanagerlib.js
replace
 if (data.status !== 'Active') {
with
 if (data.status == 'Active') {

Proxmox: 'exit code 60' – corrupt quota file
Reset the container's quota (the messages shown are what vzquota prints):
 vzquota off [VEID]
 vzquota : (error) Quota is not running for id [VEID]
 vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
 vzquota on [VEID]

When the cluster reports (cluster not ready - no quorum), set the expected number of votes with pvecm e (short for pvecm expected), followed by the vote count:
 pvecm e

Basic OpenVZ commands, where [VEID] is the container number:
 vzctl start [VEID]
start the container

 vzctl enter [VEID]
open a shell inside the container

 vzctl stop [VEID]
stop the container

 vzctl restart [VEID]
restart the container

 vzctl destroy [VEID]
delete the container and its private area

 vzlist -a
list all containers, running or not

UPD-1: vlan

Example with VLANs 151, 152 and 666, each tagged on eth0 and given its own bridge for containers:
 /etc/network/interfaces
 auto vlan151
 iface vlan151 inet manual
  vlan_raw_device eth0

 auto vlan152
 iface vlan152 inet manual
  vlan_raw_device eth0

 auto vlan666
 iface vlan666 inet manual
  vlan_raw_device eth0

 auto vmbr151
 iface vmbr151 inet static
  address 0.0.0.0
  netmask 255.255.255.255
  bridge_ports vlan151
  bridge_stp off
  bridge_fd 0

 auto vmbr152
 iface vmbr152 inet static
  address 0.0.0.0
  netmask 255.255.255.255
  bridge_ports vlan152
  bridge_stp off
  bridge_fd 0

 auto vmbr666
 iface vmbr666 inet static
  address 0.0.0.0
  netmask 255.255.255.255
  bridge_ports vlan666
  bridge_stp off
  bridge_fd 0

Install the vlan package and bring the interfaces up:
 apt-get install vlan

 ifup vlan151
 ifup vlan152
 ifup vlan666
 ifconfig
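The three VLAN stanzas above differ only in the VLAN ID, so they lend themselves to generation. The following is an added example, not part of the article: a POSIX sh generator that emits the vlanNNN and vmbrNNN stanzas in the article's layout for any list of VLAN IDs on a given raw device, after checking that each ID is numeric and within 1..4094. The raw device name and the VLAN IDs are the caller's input; the ones shown in the usage are the article's own.

```shell
#!/bin/sh
# Added example, not from the article: generate the vlanNNN + vmbrNNN stanzas
# of the UPD-1 section for any list of VLAN IDs instead of copying them by hand.
set -eu

# vlan_stanza RAWDEV ID -> the 802.1q sub-interface ID on RAWDEV
vlan_stanza() {
    printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' "$2" "$2" "$1"
}

# bridge_stanza ID -> a bridge on vlanID with no address of its own
# (0.0.0.0/32 as in the article), so only the containers attached to the
# bridge are reachable on that VLAN, not the hypervisor
bridge_stanza() {
    printf 'auto vmbr%s\niface vmbr%s inet static\n' "$1" "$1"
    printf '\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n'
    printf '\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' "$1"
}

# gen_vlan_bridges RAWDEV ID... -> validates every ID, then prints all VLAN
# stanzas followed by all bridge stanzas; returns 1 and prints nothing on a bad ID
gen_vlan_bridges() {
    raw=$1; shift
    for id in "$@"; do
        case $id in
            ''|*[!0-9]*) echo "gen_vlan_bridges: VLAN id '$id' is not numeric" >&2; return 1 ;;
        esac
        if [ "$id" -lt 1 ] || [ "$id" -gt 4094 ]; then
            echo "gen_vlan_bridges: VLAN id $id out of range 1..4094" >&2
            return 1
        fi
    done
    for id in "$@"; do vlan_stanza "$raw" "$id"; done
    for id in "$@"; do bridge_stanza "$id"; done
}

# usage (the article's VLANs): write the stanzas to a .tail file and append it
#   gen_vlan_bridges eth0 151 152 666 > /etc/network/interfaces.tail
#   cat /etc/network/interfaces.tail >> /etc/network/interfaces
```

Writing the output to a separate file and appending it, rather than editing /etc/network/interfaces in place, keeps the generated part easy to re-apply.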


The interfaces.tail trick on debian:
 /etc/network/interfaces.tail
 auto eth1
 iface eth1 inet static
  address 10.7.10.5
  netmask 255.255.255.0

Append it to the main config:
 cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file itself is not touched when the web panel rewrites /etc/network/interfaces, so the settings kept there can be appended again.


Running X applications inside a container. Example: Skype (for Skypiax) started under the UID "skype", with the display given in the environment:
 su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
The login and password passed this way appear in the process list and the shell history, so the account used should have no other rights.


1.6. Forwarding a disk partition
For a block device, for example sda4:
 vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

Example with VLANs 151, 152 and 666 on eth0. Each VLAN gets a tagged sub-interface and its own bridge for containers.
/etc/network/interfaces:
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0

auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0

auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0

apt-get install vlan

ifup vlan151
ifup vlan152
ifup vlan666
ifconfig

After that the bridges are visible in the web interface (network) and can be assigned to containers.
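The three VLAN/bridge stanzas above follow one template; the helper below is an added example (not from the original article) that generates them for any list of VLAN IDs on a given raw device and refuses IDs outside 1..4094. The function name gen_vlan_bridges is chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article: generate the
# /etc/network/interfaces stanzas for tagged VLANs on one raw device,
# each paired with its own vmbrNNN bridge, in the shape used above.
# gen_vlan_bridges is a name chosen for this example.
# Usage: gen_vlan_bridges <raw_device> <vlan_id>...   e.g. eth0 151 152 666
gen_vlan_bridges() {
    raw="$1"
    shift
    if [ -z "$raw" ] || [ "$#" -eq 0 ]; then
        echo "usage: gen_vlan_bridges <raw_device> <vlan_id>..." >&2
        return 1
    fi
    for id in "$@"; do
        # Only 802.1Q IDs 1..4094 are valid; refuse anything else before
        # writing a config that ifup would reject.
        case "$id" in
            ''|*[!0-9]*) echo "invalid vlan id: $id" >&2; return 1 ;;
        esac
        if [ "$id" -lt 1 ] || [ "$id" -gt 4094 ]; then
            echo "vlan id out of range: $id" >&2
            return 1
        fi
        # tagged sub-interface on the raw device, no IP of its own
        printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' \
            "$id" "$id" "$raw"
        # bridge for the containers: no host address (0.0.0.0/32),
        # STP off, no forwarding delay
        printf 'auto vmbr%s\niface vmbr%s inet static\n\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' \
            "$id" "$id" "$id"
    done
}

# Print the configuration for the three VLANs from the section above
gen_vlan_bridges eth0 151 152 666
```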


Note: as in Debian, additional interfaces can be kept in /etc/network/interfaces.tail:
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0

and appended to the main file:
cat /etc/network/interfaces.tail >> /etc/network/interfaces

The *.tail file is kept separately from the part of the configuration that the web interface manages.


Skype (via Skypiax) is started under the "skype" UID:
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"


1.6. Forwarding a disk partition, for example sda4:
vzctl set [VEID] --devnodes sda4:rw --save

1.7. tun/tap
Needed for a VPN inside the container.

Check that the tun module is loaded on the hypervisor:
lsmod | grep tun

If it is not, load it and make it load at boot:
modprobe tun
echo "tun" >> /etc/modules

Then grant the container access to the device (character device 10:200) and the net_admin capability:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]

As with fuse in 1.1, the device node itself (/dev/net/tun, c 10 200) must exist inside the container.


To make iptables work inside containers, list the modules the containers may use in the IPTABLES variable of /etc/vz/vz.conf:
nano /etc/vz/vz.conf
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
and restart VZ:
/etc/init.d/vz restart

The modules themselves are loaded on the hypervisor at boot through /etc/modules (for example):
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

The hypervisor firewall init script (/etc/init.d/iptables):
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# Kernel TCP hardening: fewer SYN-ACK retries, larger SYN backlog, short FIN
# timeout, SYN cookies, aggressive keepalives, reverse-path filtering
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

# Start from an empty rule set, so that a repeated "start" does not append
# every rule a second time
$IPT -F
$IPT -X

# Default policies: inbound traffic is dropped unless explicitly allowed
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Replies to connections we opened ourselves, and related traffic
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback
$IPT -A INPUT -i lo -j ACCEPT

# Trusted internal interfaces: everything is allowed
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT

# Packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP

# Nonsensical TCP flag combinations (XMAS / NULL scan packets and friends)
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# New TCP connections must start with SYN
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# SYN flood protection: rate-limit new SYNs. This has to come before the
# per-port ACCEPT rules, otherwise accepted SYNs never reach this chain.
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

# Proxmox cluster traffic: multicast and corosync (udp 5404, 5405)
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# SSH brute-force protection: from the 4th new connection within 60 s the
# source is dropped. The --set rule fills the "SSH" list; the --update rule
# must sit before the SSH ACCEPT, otherwise it is never reached.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Open ports
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# NetBIOS noise
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request (ping) and time exceeded (traceroute)
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

# DHCP client replies (server port 67 -> client port 68)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

;;
stop)
echo "Stopping iptables"

# Flush all rules, delete user chains and open everything up again
$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0
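To check that a running hypervisor actually enforces what this script intends, here is an added audit helper (not part of the original article) that reads an iptables-save dump of the filter table and reports deviations: a missing DROP policy on INPUT, missing ACCEPTs for the Proxmox panel and corosync, and an SSH rate-limit rule that can never fire because it has no --set rule or sits after the SSH ACCEPT. The function and sample names, and both sample dumps, are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit an `iptables-save`
# dump of the filter table against what the firewall script above intends.
# Reads the dump on stdin, prints one FINDING line per deviation and returns
# the number of findings (0 = the ruleset matches the intended policy).
# Live use: iptables-save | audit_filter_dump
# Function and sample names are chosen for this example.
audit_filter_dump() {
    awk '
    BEGIN { findings = 0; n = 0 }
    /^\*/ { table = substr($0, 2) }                 # *filter, *nat, ...
    table != "filter" { next }                      # only the filter table
    /^:INPUT / { policy = $2 }                      # ":INPUT DROP [0:0]"
    /^-A INPUT / { n++; rule[n] = $0 }              # keep INPUT rules in order
    END {
        if (policy != "DROP")
            finding("INPUT policy is " (policy == "" ? "missing" : policy) ", expected DROP")
        if (!has("-p tcp .*--dport 8006 .*-j ACCEPT"))
            finding("no ACCEPT for the Proxmox panel (tcp/8006)")
        if (!has("-p udp .*--dports 5404,5405 .*-j ACCEPT"))
            finding("no ACCEPT for corosync (udp/5404,5405)")
        # SSH brute-force limiter: needs a --set rule to fill the list, and
        # its --update ... DROP rule must come before the rule that ACCEPTs ssh
        acc = first("--dport 22 .*-j ACCEPT")
        upd = first("--dport 22 .*-m recent --update .*-j DROP")
        set = first("--dport 22 .*-m recent --set")
        if (upd && !set)
            finding("ssh limiter has --update but no --set rule: the list never fills")
        if (upd && acc && upd > acc)
            finding("ssh limiter DROP (rule " upd ") sits after ssh ACCEPT (rule " acc "): unreachable")
        exit findings
    }
    function finding(msg) { findings++; print "FINDING: " msg }
    function has(re,   i) { for (i = 1; i <= n; i++) if (rule[i] ~ re) return 1; return 0 }
    function first(re,   i) { for (i = 1; i <= n; i++) if (rule[i] ~ re) return i; return 0 }
    '
}

# Constructed sample: the filter table roughly as the script, taken literally
# with the limiter after the ACCEPT and no --set rule, would be saved.
sample_as_written() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
COMMIT
EOF
}

# Constructed sample with the limiter fixed: --set, then --update/DROP, then ACCEPT.
sample_fixed() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: the as-written sample yields two findings, the fixed one none
sample_as_written | audit_filter_dump || echo "findings: $?"
sample_fixed | audit_filter_dump && echo "fixed sample: ok"
```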

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .

, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .

, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# kernel TCP settings: short SYN-ACK retry, SYN cookies, aggressive keepalive
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

# start from an empty filter table, otherwise running "start" twice
# duplicates every rule and fails on the already existing SYN_FLOOD chain
$IPT -F
$IPT -X

# default policies: inbound traffic is dropped unless explicitly allowed
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# replies to connections the host initiated
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# loopback
$IPT -A INPUT -i lo -j ACCEPT

# trusted internal interfaces
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT

# Proxmox cluster traffic (multicast, corosync UDP 5404/5405)
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# new TCP connections must start with SYN (inserted at the top of INPUT)
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# SSH brute-force limit: more than 4 new connections from one address
# within 60 s are dropped. The --set and --update rules must come before
# the ACCEPT for port 22, otherwise the ACCEPT matches first and the
# limit never applies.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# services reachable from outside
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# netbios noise
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request and time exceeded
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# packets in an invalid connection-tracking state
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP client replies (server port 67 to client port 68)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# XMAS and NULL scan packets
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# other impossible flag combinations, then SYN flood rate limiting
# (placed after the ACCEPT rules, so it only sees SYNs that were not
# already accepted above)
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

# flush all rules, delete user chains and open everything
$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0
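The SSH limit in the script depends on rule order: the "-m recent --update ... -j DROP" rule only fires if a "--set" rule has recorded the client address, and both have to come before the ACCEPT for port 22. The following check is an added example and not part of the original script: it reads a rule listing (the script above or iptables-save output) and reports whether the three rules are in a working order. The two rule listings inside it are constructed samples, one in the order the script originally had and one in the corrected order.

```shell
#!/bin/sh
# check_ssh_limit_order: read iptables rules on stdin and verify that the
# "-m recent" SSH brute-force limit can take effect, i.e.
#   1. a "-m recent --set" rule exists (it records the client address),
#   2. a "-m recent --update ... -j DROP" rule exists,
#   3. both come before the "--dport 22 ... -j ACCEPT" rule.
# Exit status: 0 = order is correct, 1 = limit is ineffective, 2 = no SSH rule.
check_ssh_limit_order() {
    awk '
        /--dport 22/ && /-j ACCEPT/             && !accept { accept = NR }
        /-m recent/  && /--set/                 && !set    { set    = NR }
        /-m recent/  && /--update/ && /-j DROP/ && !drop   { drop   = NR }
        END {
            if (!accept) { print "no SSH ACCEPT rule found"; exit 2 }
            if (!set)    { print "FAIL: no \"-m recent --set\" rule, the hit counter never fills"; exit 1 }
            if (!drop)   { print "FAIL: no \"-m recent --update ... -j DROP\" rule"; exit 1 }
            if (set > accept || drop > accept) {
                print "FAIL: ACCEPT on line " accept " precedes the recent rules (set " set ", drop " drop "), the limit never applies"
                exit 1
            }
            print "OK: set (line " set ") and drop (line " drop ") precede ACCEPT (line " accept ")"
            exit 0
        }'
}

# Constructed sample 1: the order the original script used (ACCEPT first, no --set).
rules_original() {
    cat <<'EOF'
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
EOF
}

# Constructed sample 2: the corrected order.
rules_fixed() {
    cat <<'EOF'
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
EOF
}

# Demo: sh check.sh original | fixed | live  (live reads the running ruleset)
if [ $# -gt 0 ]; then
    case $1 in
        original) rules_original | check_ssh_limit_order ;;
        fixed)    rules_fixed    | check_ssh_limit_order ;;
        live)     iptables-save  | check_ssh_limit_order ;;
        *)        echo "usage: $0 original|fixed|live" >&2; exit 2 ;;
    esac
fi
```

Running it with "live" against the host after the init script has started is a quick way to confirm that the limit is actually in place rather than shadowed by an earlier ACCEPT.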

3.

Change the hypervisor time zone (Europe/Simferopol here), keeping the old file, and check the result:
 mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Web interface: in /usr/share/pve-manager/ext4/pvemanagerlib.js the subscription status check
 if (data.status !== 'Active') {
is changed to
 if (data.status == 'Active') {
(the file belongs to the pve-manager package and is overwritten when the package is upgraded, so the edit has to be repeated after an upgrade).
When Proxmox reports 'exit code 60' – corrupt quota file, reset the quota for the container:
 vzquota off [VEID]
 vzquota : (error) Quota is not running for id [VEID]
 vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
 vzquota on [VEID]
The two vzquota : lines are the output of vzquota off; the warning shows the stale state being repaired.
When the cluster reports (cluster not ready - no quorum), for instance while the other nodes are down, adjust the number of expected votes:
 pvecm e
(pvecm e is short for pvecm expected; its argument is the number of votes needed for quorum).
Basic OpenVZ container commands, where [VEID] is the container number:
 vzctl start [VEID]     start the container
 vzctl enter [VEID]     open a shell inside the running container
 vzctl stop [VEID]      stop it
 vzctl restart [VEID]   restart it
 vzctl destroy [VEID]   delete it together with its private area (the container must be stopped first)
 vzlist -a              list all containers, running or not

UPD-1: vlan

Example for VLANs 151, 152 and 666 on eth0, each with its own bridge, in /etc/network/interfaces:
 auto vlan151
 iface vlan151 inet manual
     vlan_raw_device eth0

 auto vlan152
 iface vlan152 inet manual
     vlan_raw_device eth0

 auto vlan666
 iface vlan666 inet manual
     vlan_raw_device eth0

 auto vmbr151
 iface vmbr151 inet static
     address 0.0.0.0
     netmask 255.255.255.255
     bridge_ports vlan151
     bridge_stp off
     bridge_fd 0

 auto vmbr152
 iface vmbr152 inet static
     address 0.0.0.0
     netmask 255.255.255.255
     bridge_ports vlan152
     bridge_stp off
     bridge_fd 0

 auto vmbr666
 iface vmbr666 inet static
     address 0.0.0.0
     netmask 255.255.255.255
     bridge_ports vlan666
     bridge_stp off
     bridge_fd 0

Install the vlan package:
 apt-get install vlan

Bring the VLAN interfaces up and check them:
 ifup vlan151
 ifup vlan152
 ifup vlan666
 ifconfig

After that the bridges are visible in the web interface (network section).
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
Basic OpenVZ container commands, where [VEID] is the container number:
vzctl start [VEID]     start the container

vzctl enter [VEID]     get a root shell inside the running container

vzctl stop [VEID]      stop the container

vzctl restart [VEID]   restart the container

vzctl destroy [VEID]   delete the container together with its private area (the container must be stopped)

vzlist -a              list all containers, running and stopped, with their status, IP address and hostname

UPD-1: VLANs

Example: VLANs 151, 152 and 666 on top of eth0, each with its own bridge for containers.
Add to /etc/network/interfaces:
auto vlan151
iface vlan151 inet manual
	vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
	vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
	vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
	address 0.0.0.0
	netmask 255.255.255.255
	bridge_ports vlan151
	bridge_stp off
	bridge_fd 0

auto vmbr152
iface vmbr152 inet static
	address 0.0.0.0
	netmask 255.255.255.255
	bridge_ports vlan152
	bridge_stp off
	bridge_fd 0

auto vmbr666
iface vmbr666 inet static
	address 0.0.0.0
	netmask 255.255.255.255
	bridge_ports vlan666
	bridge_stp off
	bridge_fd 0

Install VLAN support and bring the interfaces up:
apt-get install vlan

ifup vlan151
ifup vlan152
ifup vlan666
ifconfig

After that the bridges vmbr151, vmbr152 and vmbr666 are visible in the web interface (Network) and can be used for containers.


Note:
the network is configured, as usual in Debian, in /etc/network/interfaces; settings that the web interface must not rewrite go into
/etc/network/interfaces.tail
for example:
auto eth1
iface eth1 inet static
	address 10.7.10.5
	netmask 255.255.255.0

and are appended to the main config:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The contents of *.tail are appended automatically every time the web interface rewrites /etc/network/interfaces, so these settings survive.


Some programs need an X server to run even when nobody will look at their window. In that case an X server is started inside the container on a separate display (:1 below) and the program is launched under its own user.

For example, Skype (for Skypiax) is started under the "skype" UID, logging in through a pipe and sending errors to a log file:
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
Keep in mind that the login and password passed this way are visible in the process list (the whole su argument) and in the shell history while the command runs.


1.6. Forwarding a disk partition
For example, to give the container read/write access to the partition sda4:
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
Needed to run a VPN inside the container.

Check that the tun module is loaded on the hypervisor:
lsmod | grep tun

If it is not, load it and make it load at boot:
modprobe tun
echo "tun" >> /etc/modules

Forward the device into the container and give the container the NET_ADMIN capability:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]

After that the tun device is available inside the container.
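Because `vzctl set --devices` replaces the whole DEVICES list (see the note in 1.3), a later device change for the same container, say forwarding fuse, silently removes the tun entry. The check below is an added example and not code from the article: it reads a container config file and reports whether the tun device and the NET_ADMIN capability are still present. The two config files are constructed samples; DEVICES and CAPABILITY are the keys vzctl writes, the exact spacing of their values is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a container
# config still carries everything the tun/tap recipe needs. The config files
# below are constructed samples; DEVICES and CAPABILITY are the keys vzctl
# writes, the exact formatting of their values is assumed.

# conf_value FILE KEY  -> prints the value of KEY="..." (last occurrence wins)
conf_value() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# ct_tun_ready CONF
# Returns 0 when CONF grants the tun device (c:10:200, rw) and the NET_ADMIN
# capability; prints what is missing and returns 1 otherwise.
ct_tun_ready() {
    conf="$1"
    ok=0
    devices=$(conf_value "$conf" DEVICES)
    caps=$(conf_value "$conf" CAPABILITY)

    # DEVICES is a space-separated list of type:major:minor:mode entries
    if ! printf '%s\n' "$devices" | tr ' ' '\n' | grep -qx 'c:10:200:rw'; then
        echo "tun device c:10:200:rw not in DEVICES (current: '$devices')"
        ok=1
    fi
    # CAPABILITY entries look like NAME:on / NAME:off; compare case-insensitively
    if ! printf '%s\n' "$caps" | tr ' ' '\n' | grep -qix 'net_admin:on'; then
        echo "NET_ADMIN capability not enabled (current: '$caps')"
        ok=1
    fi
    return $ok
}

CT_OK=$(mktemp)
CT_BROKEN=$(mktemp)

# Constructed: both settings present, as right after the commands in 1.7
cat > "$CT_OK" <<'EOF'
ONBOOT="yes"
DEVICES="c:10:200:rw "
CAPABILITY="NET_ADMIN:on "
EOF

# Constructed: a later "vzctl set [VEID] --devices c:10:229:rw --save" (fuse)
# replaced the DEVICES list and dropped the tun entry
cat > "$CT_BROKEN" <<'EOF'
ONBOOT="yes"
DEVICES="c:10:229:rw "
CAPABILITY="NET_ADMIN:on "
EOF

for f in "$CT_OK" "$CT_BROKEN"; do
    if ct_tun_ready "$f"; then echo "$f: tun/tap ready"; fi
done
```

On a real node the function is run against /etc/vz/conf/[VEID].conf after every `vzctl set --devices`; if it reports the tun entry missing, the fix is to pass all devices in one `--devices` line, as 1.3 describes.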


Allowing iptables inside containers.
On the hypervisor, in /etc/vz/vz.conf, set the IPTABLES variable (the list of netfilter modules containers are allowed to use):
nano /etc/vz/vz.conf
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Restart VZ:
/etc/init.d/vz restart
After that iptables works inside the containers.

Also, if the modules are not loaded yet, add them to /etc/modules on the hypervisor (one per line) so they are loaded at boot:
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
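The two lists above are not the same: ipt_owner, ipt_recent, ipt_multiport and the conntrack/NAT helper modules appear in vz.conf but not in /etc/modules. The script below is an added example, not code from the article: it extracts the IPTABLES list from a vz.conf and prints every module name that a given /etc/modules does not list, so the two files can be kept in step. Both input files are constructed samples built from the lists quoted above.

```shell
#!/bin/sh
# Added example: compare the netfilter modules that /etc/vz/vz.conf lets
# containers use (IPTABLES="...") with the modules /etc/modules loads at boot.
# Not part of the original article; the two sample files are constructed from
# the lists quoted in the text.

# modules_missing_from_boot VZ_CONF MODULES_FILE
# Prints every module named in IPTABLES= that MODULES_FILE does not list
# (literal name comparison) and returns 0 only when nothing is missing.
modules_missing_from_boot() {
    vzconf="$1"; modfile="$2"
    wanted=$(sed -n 's/^IPTABLES="\(.*\)"/\1/p' "$vzconf" | tr ' ' '\n' | grep -v '^$' | sort -u)
    # /etc/modules: one module per line, "#" comments, optional parameters after the name
    loaded=$(grep -v '^[[:space:]]*#' "$modfile" | awk 'NF { print $1 }' | sort -u)
    missing=""
    for m in $wanted; do
        if ! printf '%s\n' "$loaded" | grep -qxF -e "$m"; then
            missing="${missing}${m}
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

VZ_CONF_SAMPLE=$(mktemp)
MODULES_SAMPLE=$(mktemp)

# Constructed vz.conf fragment: only the IPTABLES line matters here
cat > "$VZ_CONF_SAMPLE" <<'EOF'
## constructed sample of /etc/vz/vz.conf
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
EOF

# Constructed /etc/modules with the list from the text, one module per line
cat > "$MODULES_SAMPLE" <<'EOF'
# /etc/modules: kernel modules to load at boot time (constructed sample)
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
EOF

echo "Allowed in vz.conf but absent from /etc/modules:"
modules_missing_from_boot "$VZ_CONF_SAMPLE" "$MODULES_SAMPLE" || true
```

Run against the real files (`modules_missing_from_boot /etc/vz/vz.conf /etc/modules`) it reads only; the names it prints are the candidates to append to /etc/modules. The comparison is by literal name, so a module that the kernel provides under an alias will still be listed.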

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# TCP stack hardening: fewer SYN-ACK retries, larger SYN backlog, SYN cookies,
# short FIN timeout, frequent keepalives, reverse-path filtering
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

# Default policies: drop everything inbound that is not explicitly allowed
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Replies to connections initiated from the host
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback
$IPT -A INPUT -i lo -j ACCEPT

# Accept everything arriving on the internal interface eth1 and the bridge vmbr1
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Multicast and the corosync ports (5404, 5405) used by the Proxmox cluster
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# Drop new TCP connections that do not start with a SYN (inserted at the top of INPUT)
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# Management access. SSH brute-force protection: every new connection is
# recorded in the "SSH" list, an address that opens 4 new connections within
# 60 seconds has the 4th and following dropped, and only then comes the ACCEPT
# (the --set and the DROP have to precede the ACCEPT, otherwise they never match)
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# Block NetBIOS
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request (8) and time exceeded (11)
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# Drop packets that conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP client: replies from the DHCP server (remove if the host address is static)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# Malformed TCP: all flags set or no flags set
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# Other invalid flag combinations, then SYN flood limiting (2 SYN/s, burst of 6)
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: VLAN

Example: VLANs 151, 152 and 666 arrive tagged on eth0 (the switch port must be a trunk carrying them), and each one gets its own bridge, vmbr151, vmbr152 and vmbr666, for containers and VMs to attach to. The bridges carry no usable address (0.0.0.0/32), so the node itself is not reachable on those VLANs.

/etc/network/interfaces:

auto vlan151
iface vlan151 inet manual
	vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
	vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
	vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
	address 0.0.0.0
	netmask 255.255.255.255
	bridge_ports vlan151
	bridge_stp off
	bridge_fd 0

auto vmbr152
iface vmbr152 inet static
	address 0.0.0.0
	netmask 255.255.255.255
	bridge_ports vlan152
	bridge_stp off
	bridge_fd 0

auto vmbr666
iface vmbr666 inet static
	address 0.0.0.0
	netmask 255.255.255.255
	bridge_ports vlan666
	bridge_stp off
	bridge_fd 0

Install the VLAN support package (it brings the 8021q module and the ifupdown hook that understands vlan_raw_device):

apt-get install vlan

Bring the VLAN interfaces up (or restart networking so that the bridges come up as well) and check the result:

ifup vlan151
ifup vlan152
ifup vlan666
ifconfig

A container attached to vmbr666 then sees VLAN 666 untagged and nothing else.


Keeping hand-written interface config:

Proxmox (Debian underneath) rewrites /etc/network/interfaces when network settings are changed in the web UI, so stanzas added by hand (here a second NIC, eth1) can disappear. Keep them in a separate file:

/etc/network/interfaces.tail

auto eth1
iface eth1 inet static
	address 10.7.10.5
	netmask 255.255.255.0

and append it again after the web UI has regenerated the main file:

cat /etc/network/interfaces.tail >> /etc/network/interfaces

Appending blindly produces duplicate stanzas, so check that the eth1 stanza is not already in the main file before running the cat.
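An added example (not from the original article) that covers both steps above: it generates the VLAN and bridge stanzas for any list of VLAN IDs in the shape used in the UPD-1 config, checks an interfaces file for bridges whose vlanNNN ports have no stanza, and appends an interfaces.tail file only once. The names gen_vlan_stanzas, check_bridges and append_once and the marker comment are this example's own; the stanza syntax is the Debian ifupdown one the article uses.

```shell
#!/bin/sh
# Added example, not from the article. Assumes Debian ifupdown syntax with the
# vlan package (vlan_raw_device) and bridge-utils (bridge_ports) as above.

# gen_vlan_stanzas RAWDEV VID... : print a vlanNNN + vmbrNNN pair per VLAN id,
# i.e. an address-less bridge on top of a tagged sub-interface of RAWDEV.
gen_vlan_stanzas() {
    raw=$1; shift
    for vid in "$@"; do
        case $vid in
            ''|*[!0-9]*) echo "bad VLAN id: $vid" >&2; return 1 ;;
        esac
        # 802.1Q VIDs run 1..4094; 0 and 4095 are reserved
        if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
            echo "VLAN id out of range: $vid" >&2; return 1
        fi
        printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' \
            "$vid" "$vid" "$raw"
        printf 'auto vmbr%s\niface vmbr%s inet static\n\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' \
            "$vid" "$vid" "$vid"
    done
}

# check_bridges FILE : report every bridge whose bridge_ports names a vlanNNN
# interface that has no iface stanza or no vlan_raw_device. Exit 1 if any.
check_bridges() {
    awk '
        $1 == "iface"           { cur = $2; defined[cur] = 1 }
        $1 == "vlan_raw_device" { hasraw[cur] = 1 }
        $1 == "bridge_ports"    { for (i = 2; i <= NF; i++)
                                      if ($i ~ /^vlan[0-9]+$/) want[$i] = cur }
        END {
            bad = 0
            for (v in want) {
                if (!(v in defined)) {
                    print want[v] ": port " v " has no iface stanza"; bad = 1
                } else if (!(v in hasraw)) {
                    print want[v] ": port " v " lacks vlan_raw_device"; bad = 1
                }
            }
            exit bad
        }' "$1"
}

# append_once TAIL TARGET : append TAIL to TARGET unless a marker line shows it
# was appended already, so the step can be repeated after the web UI has
# rewritten TARGET without producing duplicate stanzas. (Marker is assumed.)
append_once() {
    marker='# --- appended from interfaces.tail ---'
    if grep -qF -- "$marker" "$2"; then
        return 0
    fi
    { echo "$marker"; cat "$1"; } >> "$2"
}
```

Typical use on a node: gen_vlan_stanzas eth0 151 152 666 >> /etc/network/interfaces, then check_bridges /etc/network/interfaces before ifup, and append_once /etc/network/interfaces.tail /etc/network/interfaces instead of the bare cat.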


Running Skype inside a container (for Skypiax, for instance) needs an X display the container can reach, DISPLAY=:1 in the example, and should be done under its own unprivileged UID "skype":

su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"

--pipelogin reads the login pair from stdin instead of the command line, but the echo is part of the string handed to su -c, so the password is still visible in the process list while su runs and ends up in the shell history. Keep the credentials in a file readable only by the skype user and pipe that in instead.


1.6. Forwarding a disk partition

Give a container direct access to a block device, e.g. sda4:

vzctl set [VEID] --devnodes sda4:rw --save

Root in the container then reads and writes the raw partition, bypassing any host-side permissions, so only hand out partitions that hold nothing but that container's data, and never one that is also mounted on the hypervisor.
1.7. Forwarding tun/tap

Needed for a VPN (OpenVPN and the like) running inside the container. On the hypervisor, check whether the tun module is loaded:

lsmod | grep tun

If it is not, load it and add it to the modules loaded at boot:

modprobe tun
echo "tun" >> /etc/modules

Then give the container the tun device (character device 10:200) and the NET_ADMIN capability it needs to configure the tunnel interface:

vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]

Note that --devices replaces the container's whole device list rather than adding to it, so when the container already has other devices forwarded, list all of them in the same call or edit the container config directly.
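Because vzctl set --devices (and likewise --devnodes and --capability) replaces the whole list each time, the safer route with several devices is to edit the container's config, /etc/vz/conf/[VEID].conf, directly. The following is an added example serving both 1.6 and 1.7 above; it is not the article's or vzctl's code. It merges one entry into such a list variable without touching the other entries and refuses to silently change the mode of a device that is already listed. DEVICES=, DEVNODES= and CAPABILITY= are the real config keys; the function name conf_add_item and the sample config are this example's own.

```shell
#!/bin/sh
# Added example, not part of the article or of vzctl. Edits a container
# config such as /etc/vz/conf/101.conf, whose list variables look like
#   DEVICES="c:10:229:rw c:10:200:rw"   DEVNODES="sda4:rw"   CAPABILITY="NET_ADMIN:on"
# conf_add_item is this example's own name.

# conf_add_item CONF KEY ITEM
#   - KEY line absent          -> appended as KEY="ITEM"
#   - ITEM already listed      -> file left as is, returns 0
#   - same device, other mode  -> file left as is, returns 2 (e.g. c:10:200:r
#                                 when c:10:200:rw is already there)
#   - otherwise                -> ITEM appended to the existing list
conf_add_item() {
    conf=$1 key=$2 item=$3
    tmp=$(mktemp) || return 1
    rc=0
    awk -v key="$key" -v item="$item" '
        # device id = everything before the last ":" (the entry without its mode)
        function devid(s) { sub(/:[^:]*$/, "", s); return s }
        BEGIN { done = 0; rc = 0 }
        $0 ~ "^" key "=" {
            line = $0
            sub("^" key "=\"?", "", line); sub("\"$", "", line)
            n = split(line, items, " ")
            out = ""
            for (i = 1; i <= n; i++) {
                if (items[i] == "") continue
                if (items[i] == item) done = 1
                else if (devid(items[i]) == devid(item)) rc = 2
                out = out (out == "" ? "" : " ") items[i]
            }
            if (rc == 0 && !done) { out = out (out == "" ? "" : " ") item; done = 1 }
            print key "=\"" out "\""
            next
        }
        { print }
        END {
            if (rc == 2) print key ": " item " conflicts with an existing entry" > "/dev/stderr"
            else if (!done) print key "=\"" item "\""
            exit rc
        }' "$conf" > "$tmp" || rc=$?
    # Only replace the config when awk succeeded, so a conflict changes nothing.
    if [ "$rc" -eq 0 ]; then
        cat "$tmp" > "$conf"
    fi
    rm -f "$tmp"
    return "$rc"
}

# Remaining manual step for tun after the config edit: restart the container
# and create the node inside it, e.g.
#   vzctl exec [VEID] sh -c 'mkdir -p /dev/net && mknod /dev/net/tun c 10 200 && chmod 600 /dev/net/tun'
```

Usage on the node: conf_add_item /etc/vz/conf/101.conf DEVICES c:10:200:rw, then conf_add_item /etc/vz/conf/101.conf CAPABILITY NET_ADMIN:on, then vzctl restart 101. A non-zero return means the file was not touched.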


2. iptables

Inside containers, iptables only works with the netfilter modules the hypervisor lets them use. That set is the IPTABLES variable in /etc/vz/vz.conf, the default for every container (a single container can be given its own list with vzctl set [VEID] --iptables ... --save):

nano /etc/vz/vz.conf

IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"

Restart the vz service for the change to apply (this restarts every container):

/etc/init.d/vz restart

This list has iptable_nat but not ipt_MASQUERADE, so a container that is itself supposed to NAT (a VPN gateway, for example) needs ipt_MASQUERADE added as well.

The modules are also loaded on the hypervisor itself at boot through /etc/modules, one per line (loop at the end is unrelated to netfilter and simply lives in the same file):

nano /etc/modules

ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop

The firewall for the hypervisor as an init script, saved as /etc/init.d/iptables (make it executable and register it with update-rc.d so it runs at boot). Sanity-check rules come before any ACCEPT, otherwise packets accepted by interface never reach them, and the SSH throttle needs its two "recent" rules in front of the SSH ACCEPT or it never matches.

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# TCP stack tuning: one SYN-ACK retry, a larger SYN backlog and SYN cookies
# make SYN floods cheaper to survive; short keepalive timers drop dead peers.
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
# Reverse-path filtering: drop packets whose source address would not be
# routed back out the interface they came in on (anti-spoofing).
sysctl -w net.ipv4.conf.default.rp_filter=1
# Leave forwarding alone: venet containers need ip_forward=1 on the node.
#sysctl -w net.ipv4.ip_forward=0

# Start from empty tables so that re-running "start" does not duplicate rules.
$IPT -F
$IPT -X

# Default policies: drop inbound to the node, let container traffic through,
# allow everything outbound.
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Malformed and spoofed TCP first, before anything is accepted: new
# connections must start with SYN, and invalid or nonsense flag combinations
# (XMAS, NULL, SYN+RST, SYN+FIN) are dropped.
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN rate limit: 2 new connections per second with a burst of 6, the rest
# dropped. The limit is global, not per source; use -m hashlimit for per-source.
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

# Replies to connections the node itself opened
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback
$IPT -A INPUT -i lo -j ACCEPT

# Trusted interfaces: the second NIC and the internal bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT

# Proxmox cluster: corosync multicast on UDP 5404/5405
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# SSH with brute-force throttling: every new connection is recorded, and the
# 4th and later attempt from the same source within 60 s is dropped.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH

# Management services. The VNC console range and the Proxmox web UI are open
# to the world here; on a node with a public address add -s <admin network>.
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# NetBIOS noise: drop silently
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request and time exceeded (ping and traceroute)
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# DHCP replies to the node's own client, only needed if it gets its address by DHCP
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0
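The script above opens the VNC console range and the web UI port to any source. An added example (not part of the article) of the check a practitioner would run after loading such a rule set: scan the output of iptables-save for INPUT rules that ACCEPT a management port without a -s restriction. The sample dump is constructed for this example and is not from a real node; audit_mgmt_ports and MGMT_PORTS are the example's own names.

```shell
#!/bin/sh
# Added example, not part of the article: check a saved rule set (the output
# of iptables-save) for INPUT rules that ACCEPT the node's management ports
# from any source. Sample dump and names are this example's own.

# Ports the firewall above opens for administration: ssh, the Proxmox web UI,
# the VNC console range.
MGMT_PORTS="22 8006 5900:5999"

# audit_mgmt_ports FILE : print one "exposed:" line per ACCEPT rule that
# matches a management port with no -s restriction; return 1 if any.
# Rules that accept a whole interface (-i eth1 -j ACCEPT) carry no port and
# are not examined here.
audit_mgmt_ports() {
    awk -v ports="$MGMT_PORTS" '
        BEGIN { bad = 0; n = split(ports, p, " "); for (i = 1; i <= n; i++) mgmt[p[i]] = 1 }
        /^-A INPUT / && / -j ACCEPT$/ {
            dport = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (dport == "") next
            m = split(dport, dl, ",")
            for (k = 1; k <= m; k++)
                if ((dl[k] in mgmt) && (src == "" || src == "0.0.0.0/0")) {
                    print "exposed: port " dl[k] " accepted from any source: " $0
                    bad = 1
                }
        }
        END { exit bad }' "$1"
}

# Constructed sample in iptables-save format (not a dump from a real node):
# ssh is restricted to the admin network, VNC and the web UI are not.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.7.10.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -p udp -m multiport --dports 5404,5405 -j ACCEPT
COMMIT
EOF
}
```

On the node: iptables-save > /tmp/rules && audit_mgmt_ports /tmp/rules. With the sample above it reports the VNC range and port 8006 and exits 1; the ssh rule passes because of its -s.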

3. Miscellaneous

Set the hypervisor's time zone (Europe/Simferopol here) and verify with date:

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/Europe/Simferopol /etc/localtime && date
Removing the "No valid subscription" notice from the web UI: in

/usr/share/pve-manager/ext4/pvemanagerlib.js

replace

if (data.status !== 'Active') {

with

if (data.status == 'Active') {

The file belongs to the pve-manager package, so every upgrade of that package restores the original and the edit has to be repeated; a browser reload is enough to pick it up.
Proxmox reports 'exit code 60' (corrupt quota file) when starting a container: reset the container's disk quota on the hypervisor. The error and the warning printed by the first command are expected.

vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
When the cluster has lost quorum (cluster not ready - no quorum, typically because only one node is up) and containers still have to be managed on the surviving node, lower the number of votes that node expects:

pvecm expected 1

(the original writes it as pvecm e). This switches off the split-brain protection that quorum provides, so use it only on a node you are sure is the only one running, and set it back to the real node count as soon as the others return.
Basic OpenVZ commands, where [VEID] is the container ID:

vzctl start [VEID]

vzctl enter [VEID]   (root shell inside the container, no password asked)

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]   (deletes the container's private area; not reversible)

vzlist -a   (all containers, stopped ones included)

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# Kernel TCP hardening: give up on half-open connections quickly, enlarge the
# SYN backlog, enable SYN cookies, tighten keepalives, and drop packets that
# arrive on an interface through which their source is not reachable
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

# Start from an empty ruleset so that running "start" twice does not
# duplicate rules or fail on the already existing SYN_FLOOD chain
$IPT -F
$IPT -X

# Default policies: drop inbound, allow forwarded and outbound traffic
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Established connections and traffic related to them
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback
$IPT -A INPUT -i lo -j ACCEPT

# Trusted internal interfaces: second NIC and the internal bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Multicast and the cluster (corosync) ports
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# A new TCP connection must begin with a SYN packet
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# SSH brute-force protection: the 4th new connection from one address within
# 60 seconds is dropped. Both "recent" rules have to come before the ACCEPT
# for port 22, otherwise the ACCEPT matches first and the list is never filled
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Allowed services
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# NetBIOS
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request (ping) and time exceeded (traceroute)
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# Packets that conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP replies to this host, which the rules above would otherwise drop
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# Nonsense flag combinations used by port scanners
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# Other malformed TCP flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood protection: rate-limit new connection attempts
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3. Miscellaneous

Changing the time zone of the hypervisor (Europe/Simferopol in this example):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date

Patching the web interface. In
/usr/share/pve-manager/ext4/pvemanagerlib.js
replace the line
if (data.status !== 'Active') {
with
if (data.status == 'Active') {

If a container refuses to start with the error "Proxmox: 'exit code 60' – corrupt quota file", reset its quota:
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
The two vzquota lines between the commands are the output of "vzquota off"; the repair warning is expected.

If the node reports (cluster not ready - no quorum), which happens when the other cluster nodes are unavailable, lower the number of votes the cluster expects with
pvecm e
(e is short for expected; the command takes the number of expected votes as its argument)
Basic OpenVZ commands
where [VEID] is the container number:

start a container
vzctl start [VEID]

get a shell inside a running container
vzctl enter [VEID]

stop a container
vzctl stop [VEID]

restart a container
vzctl restart [VEID]

delete a container together with its private area
vzctl destroy [VEID]

list all containers, running and stopped
vzlist -a

UPD-1: VLANs

Example with three VLANs (151, 152 and 666) on eth0, each one bridged into its own vmbr so that containers can be attached to it.
Add to /etc/network/interfaces:
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0

auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0

auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0

Install the vlan package and bring the VLAN interfaces up:
apt-get install vlan

ifup vlan151
ifup vlan152
ifup vlan666
Check the result with
ifconfig

After that the bridges vmbr151, vmbr152 and vmbr666 are visible in the web interface (network) and can be used for containers.


Interfaces that the web interface does not manage:
The web interface rewrites /etc/network/interfaces when network settings are changed, so, as is customary on Debian, keep the extra stanzas in a separate file,
/etc/network/interfaces.tail
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0

and append it to the main file:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file itself is not touched by the web interface, so the same stanzas can be appended again after the main file has been regenerated.
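The three identical VLAN blocks and the interfaces.tail append above, generalised into two small shell functions. This is an added example, not code from the article: vlan_bridge_stanza prints the vlanNNN/vmbrNNN pair for any VLAN ID (rejecting IDs outside 1-4094), and append_tail_once appends a tail file only when its marker line is not already present, so re-running the step after the web interface has rewritten the file does not pile up duplicate stanzas. The parent NIC name and the file paths are passed as arguments and are assumptions; nothing under /etc is touched unless you pass those paths yourself.

```shell
# Added example, not part of the original article.

# Print the vlanNNN sub-interface and its vmbrNNN bridge for one VLAN ID.
# Usage: vlan_bridge_stanza <vlan-id> [raw-device]   (raw-device defaults to eth0)
vlan_bridge_stanza() {
    vid=$1
    raw=${2:-eth0}
    # Reject anything that is not a number in the valid 802.1Q range
    case "$vid" in
        ''|*[!0-9]*) echo "vlan_bridge_stanza: bad VLAN id '$vid'" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "vlan_bridge_stanza: VLAN id $vid outside 1-4094" >&2
        return 1
    fi
    printf 'auto vlan%s\niface vlan%s inet manual\n' "$vid" "$vid"
    printf '\tvlan_raw_device %s\n\n' "$raw"
    printf 'auto vmbr%s\niface vmbr%s inet static\n' "$vid" "$vid"
    printf '\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n'
    printf '\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' "$vid"
}

# Generate stanzas for a whole list of VLAN IDs, stopping at the first bad one.
# Usage: vlan_bridge_stanzas <raw-device> <id>...
vlan_bridge_stanzas() {
    raw=$1
    shift
    for vid in "$@"; do
        vlan_bridge_stanza "$vid" "$raw" || return 1
    done
}

# Append a tail file to an interfaces file exactly once, using a marker line
# so that a second run (for example after the web interface regenerated the
# main file and the marker is gone) appends again, but a run against a file
# that already carries the marker is a no-op.
# Usage: append_tail_once <tail-file> <interfaces-file>
append_tail_once() {
    tail_file=$1
    ifaces=$2
    marker="# --- appended from $(basename "$tail_file") ---"
    if [ -f "$ifaces" ] && grep -qxF -- "$marker" "$ifaces"; then
        return 0        # already appended: nothing to do
    fi
    { echo "$marker"; cat "$tail_file"; } >> "$ifaces"
}
```

For the article's setup the calls would be `vlan_bridge_stanzas eth0 151 152 666 >> /etc/network/interfaces` and `append_tail_once /etc/network/interfaces.tail /etc/network/interfaces`.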


Running X applications inside a container.
The application needs an X display to attach to (:1 in the example below) and is best started under its own unprivileged user rather than root.

For example, Skype (used with Skypiax) is started under the user "skype", with the login passed through a pipe:
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"


1.6. Forwarding a disk partition
To give a container direct access to a partition of the hypervisor, here sda4:
vzctl set [VEID] --devnodes sda4:rw --save
Caveat: with rw access to the raw block device the container can read and rewrite every byte of that partition, bypassing the filesystem, the quota and the container's own file tree. Forward only a partition that is dedicated to that container, never one that carries the hypervisor or other containers.

1.7. tun/tap
Needed for a VPN (OpenVPN and the like) inside a container.
Check whether the tun module is loaded on the hypervisor:
lsmod | grep tun
If it is not, load it and make it load at boot:
modprobe tun
echo "tun" >> /etc/modules
Then give the container the device and the capability to configure its network:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]
The device node /dev/net/tun (character device 10:200) also has to exist inside the container; if the template does not ship it, create it with mknod the same way /dev/fuse is created in 1.1. net_admin lets the container change the addresses, routes and firewall rules of its own network stack, which a VPN needs but an ordinary application container does not, so grant it only where a VPN actually runs.
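As an added example (not from the original article), a small audit script that reads an OpenVZ container configuration, the /etc/vz/conf/[VEID].conf that vzctl set ... --save writes, and lists the grants from 1.3, 1.6 and 1.7 that give a container reach into the hypervisor: block devices and raw partitions via DEVICES/DEVNODES, and capabilities such as net_admin or sys_admin. The configuration keys are the ones vzctl uses; which entries count as findings, the sample configuration and the function names are this example's own.

```shell
#!/bin/sh
# Audit OpenVZ container configs for grants that widen the container's reach
# into the hypervisor. Added example: DEVICES/DEVNODES/CAPABILITY are the keys
# vzctl writes; what is flagged and the sample config are this example's choice.

# conf_value FILE KEY -> the value of KEY="..." in FILE (empty if absent)
conf_value() {
    sed -n "s/^$2=\"\\(.*\\)\"/\\1/p" "$1"
}

# vz_audit_conf FILE -> one finding per line on stdout
vz_audit_conf() {
    conf="$1"
    # DEVICES="c:10:200:rw b:8:4:rw": every block device (b:...) entry, because a
    # raw block device bypasses the filesystem, the quota and the file tree limits
    for d in $(conf_value "$conf" DEVICES); do
        case "$d" in
            b:*) echo "$conf: block device granted via --devices: $d" ;;
        esac
    done
    # DEVNODES="sda4:rw net/tun:rw": names that are whole disks or partitions
    for d in $(conf_value "$conf" DEVNODES); do
        case "$d" in
            sd*|hd*|vd*|xvd*|md*|dm-*|nvme*)
                echo "$conf: raw disk/partition granted via --devnodes: $d" ;;
        esac
    done
    # CAPABILITY="net_admin:on sys_admin:on": capabilities that act outside the
    # container's own file tree (module loading, raw I/O, mknod, network stack)
    for c in $(conf_value "$conf" CAPABILITY); do
        case "$c" in
            sys_admin:on|sys_module:on|sys_rawio:on|mknod:on|net_admin:on)
                echo "$conf: capability enabled: $c" ;;
        esac
    done
}

# vz_audit_count FILE -> number of findings (0 when the config is clean)
vz_audit_count() {
    vz_audit_conf "$1" | awk 'END { print NR }'
}

# Writes a constructed container config (not a real one) to FILE for a demo run
vz_write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed /etc/vz/conf/101.conf for the example
ONBOOT="yes"
HOSTNAME="vpn.example"
DEVICES="c:10:200:rw b:8:4:rw"
DEVNODES="sda4:rw net/tun:rw"
CAPABILITY="net_admin:on sys_admin:on"
FEATURES="nfs:on"
EOF
}

# On a hypervisor: for f in /etc/vz/conf/*.conf; do vz_audit_conf "$f"; done
```

The sample above yields four findings (the b:8:4 block device, sda4, net_admin and sys_admin); c:10:200 and net/tun are left alone because a tun device gives no access to host storage. Run the loop from the last comment from cron and diff its output against the previous run to catch grants that appear without a change ticket.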


iptables inside containers. The list of iptables modules a container may use is set on the hypervisor in
nano /etc/vz/vz.conf
with the IPTABLES variable, for example:
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Restart the VZ service so that the new default applies to containers started from now on:
/etc/init.d/vz restart
The list is a whitelist: a container can only use what is named in it. A container that needs more or less than the default gets its own list with the --iptables option of vzctl set, which overrides vz.conf for that container. The NAT modules (iptable_nat, ip_nat_ftp, ipt_MASQUERADE) let a container rewrite addresses, so hand them only to containers that are meant to route.

The modules also have to be loaded on the hypervisor, because a container cannot load kernel modules itself (that is the point of the restriction). Make them load at boot by listing them in
nano /etc/modules
one per line:
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
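Added example (not part of the original article): a check that the modules named in IPTABLES are actually loaded on the hypervisor, which is what decides whether a rule inside a container works or fails with "No chain/target/match by that name". A naive comparison against lsmod gives false alarms, because on the 2.6.32-era kernels the ipt_* names in this list are module aliases: ipt_state is provided by xt_state, ip_conntrack by nf_conntrack_ipv4, ipt_tos by xt_dscp, and so on. The alias table below is this example's assumption, taken from the MODULE_ALIAS entries of those kernels; verify it on the real kernel with modprobe -n -v <name>, which prints the module file that would be loaded. Function names and the lsmod sample are constructed.

```shell
#!/bin/sh
# Check that every iptables module a container is allowed to use (the IPTABLES
# list from /etc/vz/vz.conf or a container config) is loaded on the hypervisor.
# Added example: alias table and sample lsmod output are assumptions, see text.

# ipt_alias NAME -> the module that provides NAME on a 2.6.32-era kernel
# (MODULE_ALIAS entries; verify with: modprobe -n -v NAME)
ipt_alias() {
    case "$1" in
        ip_conntrack)     echo nf_conntrack_ipv4 ;;
        ip_conntrack_ftp) echo nf_conntrack_ftp ;;
        ip_nat_ftp)       echo nf_nat_ftp ;;
        ipt_tos)          echo xt_dscp ;;
        ipt_TOS)          echo xt_DSCP ;;
        ipt_ttl)          echo xt_hl ;;
        ipt_*)            echo "xt_${1#ipt_}" ;;   # most ipt_ matches moved to xt_
        *)                echo "$1" ;;
    esac
}

# loaded_modules LSMOD_TEXT -> module names, one per line (header dropped)
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }'
}

# ipt_missing_modules "MOD1 MOD2 ..." LSMOD_TEXT
# prints every module from the list that is loaded neither under its own
# name nor under its alias; returns 0 if nothing is missing, 1 otherwise
ipt_missing_modules() {
    list="$1"
    loaded=$(loaded_modules "$2")
    status=0
    for m in $list; do
        alt=$(ipt_alias "$m")
        if printf '%s\n' "$loaded" | grep -qxF -e "$m" -e "$alt"; then
            continue
        fi
        echo "$m"
        status=1
    done
    return $status
}

# Constructed lsmod output for a demo run (sizes and use counts are made up)
IPT_SAMPLE_LSMOD='Module                  Size  Used by
xt_state                1312  4
xt_limit                1840  2
nf_conntrack_ipv4      10200  4
nf_conntrack           63836  2 xt_state,nf_conntrack_ipv4
iptable_filter          2258  1
ip_tables              17831  1 iptable_filter
ipt_REJECT              2273  0'

# On a hypervisor, against the real vz.conf and the real module list:
#   ipt_missing_modules "$(sed -n 's/^IPTABLES="\(.*\)"/\1/p' /etc/vz/vz.conf)" "$(lsmod)"
```

With the sample, the list "ipt_state ipt_limit ip_conntrack iptable_filter ip_tables ipt_REJECT iptable_nat ipt_MASQUERADE ipt_tos" reports iptable_nat, ipt_MASQUERADE and ipt_tos as missing: the first three are satisfied through their xt_/nf_ aliases, the last three are neither loaded under their own name nor under the alias.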

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# TCP stack hardening: fewer SYN-ACK retries, bigger SYN backlog, SYN cookies,
# short FIN timeout, quick keepalive detection, reverse-path filtering
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
# forwarding stays on: the containers' traffic is routed through the hypervisor
#sysctl -w net.ipv4.ip_forward=0

# Start from an empty ruleset, so that a second "start" neither duplicates
# the rules nor fails on the SYN_FLOOD chain that already exists
$IPT -F
$IPT -X

# Default policies: nothing comes in unless allowed below; forwarding for
# the containers and our own outgoing traffic are not filtered
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Replies to connections opened from here
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback
$IPT -A INPUT -i lo -j ACCEPT

# Trusted internal interfaces: the second NIC and the internal bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT

# Proxmox cluster traffic (corosync): multicast plus UDP 5404 and 5405
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# A new TCP connection has to start with a SYN (inserted at the top of INPUT)
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# SSH with a brake on brute force: every new connection is recorded, a source
# that opened 4 or more within 60 seconds is dropped, the rest are accepted.
# The order matters: --set first, the DROP second, the ACCEPT last. With the
# ACCEPT first (as originally written) the DROP is never reached.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH

# Management services; both are open to any source here. If the hypervisor
# has a public address, add -s <admin network> to these two rules.
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC consoles
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# NetBIOS noise from the LAN, dropped silently
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request and time exceeded (ping and traceroute)
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

# Packets conntrack cannot place in any connection
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP answers to our own client (only matters if the hypervisor uses DHCP)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# Note: everything from here on sits after the ACCEPT rules above, so it only
# sees packets those rules did not take, i.e. traffic to closed ports. To have
# the scan and flood brakes protect the open services, move this part above
# the service rules (and then raise the SYN limit, or the panel gets throttled).

# Port-scan patterns: all flags set (XMAS) or none set (NULL)
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# Other impossible flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood brake: at most 2 new connections per second with a burst of 6,
# everything above that is dropped
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

# Flush everything and open up: the hypervisor is unprotected after "stop"
$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0


apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


To run X applications from a container, the container needs to reach a running X display; the command below assumes one is available as DISPLAY=:1. For example, starting Skype (for Skypiax) under a dedicated UID "skype":
 su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"

Do not put the real password on the command line as in this example: it ends up in the shell history and is visible in the process list while the command starts. --pipelogin reads "user:password" from stdin, so feed it from a root-only file redirected to the command's stdin instead.


1.6. Forwarding a disk partition

For example, to give the container the partition sda4 (vzctl creates the node /dev/sda4 inside the container):
 vzctl set [VEID] --devnodes sda4:rw --save

Read-write access to a raw partition lets the container write arbitrary bytes to it, so never hand the same partition to two containers or leave it mounted on the hypervisor at the same time, and use :r when the container only needs to read it.
1.7. Forwarding tun/tap

Needed when a VPN (OpenVPN and the like) has to run inside the container.

On the hypervisor, check that the tun module is loaded:
 lsmod | grep tun

If it is not, load it and add it to the autoload list:
 modprobe tun
 echo "tun" >> /etc/modules

Then give the container the device (character device 10:200) and the net_admin capability it needs to configure the tunnel interface:
 vzctl stop [VEID]
 vzctl set [VEID] --devices c:10:200:rw --save
 vzctl set [VEID] --capability net_admin:on --save
 vzctl start [VEID]

net_admin also lets root in the container change addresses, routes and firewall rules of the container's own network stack, so grant it only to containers whose root you trust.
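Section 1.3 warns that vzctl set --devices replaces the whole DEVICES list, so a container that already has /dev/fuse loses it when tun is added in a second invocation. The helper below is an added example, not code from the article: it merges the new grant into the grants already stored in the container config and passes all of them in one vzctl call, and it creates the /dev/net/tun node inside the container, which --devices does not do (the mknod step is the one the OpenVZ wiki describes for tun, not something the article shows). It assumes the Proxmox 2/3 layout, where the config is /etc/vz/conf/[VEID].conf and grants are kept on one space-separated DEVICES="..." line; the container number 101 and the config contents in the comments are constructed.

```shell
#!/bin/sh
# Added example: merge a device grant into an OpenVZ container config instead of replacing
# the list.  Assumes /etc/vz/conf/<VEID>.conf with a line such as
#   DEVICES="c:10:229:rw c:189:all:rw"
# (space separated, one b|c:major:minor:perm spec per grant) and vzctl in PATH.
VZ_CONF_DIR=${VZ_CONF_DIR:-/etc/vz/conf}

# current_devices CONF -> the grants already stored in CONF, empty when there is no DEVICES line
current_devices() {
    sed -n 's/^DEVICES="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# merge_devices "GRANTS" SPEC -> GRANTS plus SPEC; an older grant for the same device
# (same b|c:major:minor prefix) is replaced, so the permission given last wins
merge_devices() {
    new_key=${2%:*}                # c:10:200:rw -> c:10:200
    merged=""
    for grant in $1; do
        [ "${grant%:*}" = "$new_key" ] && continue
        merged="$merged $grant"
    done
    merged="$merged $2"
    printf '%s\n' "${merged# }"
}

# devices_args "GRANTS" -> one --devices option per grant, for a single vzctl invocation
devices_args() {
    for grant in $1; do
        printf '%s %s ' --devices "$grant"
    done
}

# grant_device VEID SPEC -> the stop / set / start sequence from the article, with every
# earlier grant repeated so that none of them is lost
grant_device() {
    conf="$VZ_CONF_DIR/$1.conf"
    all=$(merge_devices "$(current_devices "$conf")" "$2")
    vzctl stop "$1"
    # shellcheck disable=SC2046  # word splitting into several --devices options is intended
    vzctl set "$1" $(devices_args "$all") --save
    vzctl start "$1"
}

# grant_tun VEID -> everything the tun/tap step needs: the module on the hypervisor, the
# device, the capability and the /dev/net/tun node inside the container (mknod as in the
# OpenVZ wiki; the article itself does not show this step)
grant_tun() {
    modprobe tun
    grant_device "$1" c:10:200:rw
    vzctl set "$1" --capability net_admin:on --save
    vzctl exec "$1" 'mkdir -p /dev/net; [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200; chmod 600 /dev/net/tun'
}

# Usage on the hypervisor:  grant_tun 101
# With DEVICES="c:10:229:rw" already in 101.conf the resulting vzctl call is
#   vzctl set 101 --devices c:10:229:rw --devices c:10:200:rw --save
```

The same helper serves section 1.6: grant_device 101 b:8:4:rw keeps the fuse and tun grants while adding the partition (major:minor taken from ls -l /dev/sda4).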


2. iptables inside a container

A container can only use the netfilter modules the hypervisor allows it. The list is set globally in /etc/vz/vz.conf (a container-specific list can be stored in the container's own config with vzctl set [VEID] --iptables "..." --save):
 nano /etc/vz/vz.conf

Find the IPTABLES variable and list the modules the containers need, for example:
 IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"

Restart the VZ service so that the new list is applied:
 /etc/init.d/vz restart

If the modules are still not loaded on the hypervisor, add them to its autoload list as well, one module per line (adjust the list to your needs):
 nano /etc/modules
 ipt_MASQUERADE
 ipt_helper
 ipt_REDIRECT
 ipt_state
 ipt_TCPMSS
 ipt_LOG
 ipt_TOS
 iptable_nat
 ipt_length
 ipt_tcpmss
 iptable_mangle
 ipt_limit
 ipt_tos
 iptable_filter
 ipt_ttl
 ipt_REJECT
 loop

An init script for the hypervisor's own firewall, /etc/init.d/iptables (register it with update-rc.d). Compared with the first version of this script, the SSH rate-limit rules now come before the SSH ACCEPT rule (placed after it, they never matched a packet, and the --set rule that records the source address was missing), the SYN_FLOOD jump comes before the service ACCEPT rules (appended last it only ever saw packets the DROP policy would discard anyway), "start" flushes the tables first so it can be run repeatedly, and a "restart" action was added.

#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: My firewall
# Description:       Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
# Note: $all starts the firewall after every other service, so the services are
# reachable unfiltered for a few seconds at boot; use $network if that matters.

IPT=/sbin/iptables

# Empty all tables and delete user chains; "start" needs this to be repeatable
# (a second run would otherwise fail at "-N SYN_FLOOD": chain already exists).
flush_all() {
    for table in filter nat mangle; do
        $IPT -t $table -F
        $IPT -t $table -X
    done
}

fw_start() {
    echo "Starting iptables"

    # TCP stack hardening: fewer SYN-ACK retries, larger SYN backlog, syncookies against
    # SYN floods, short FIN timeout, aggressive keepalives, reverse-path filtering
    sysctl -w net.ipv4.tcp_synack_retries=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    sysctl -w net.ipv4.tcp_fin_timeout=10
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_keepalive_intvl=10
    sysctl -w net.ipv4.tcp_keepalive_probes=5
    sysctl -w net.ipv4.tcp_keepalive_time=60
    sysctl -w net.ipv4.conf.default.rp_filter=1
    sysctl -w net.ipv4.conf.all.rp_filter=1      # "default" only covers interfaces created later
    #sysctl -w net.ipv4.ip_forward=0             # forwarding stays on: the containers need it

    flush_all

    # Policies: nothing reaches the hypervisor unless allowed below;
    # traffic forwarded to and from the containers is not filtered here
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    # New TCP connections must start with SYN (first rule, so it sees every packet)
    $IPT -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

    # Replies to connections initiated by the hypervisor itself
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Loopback
    $IPT -A INPUT -i lo -j ACCEPT

    # Trusted interfaces: the internal NIC and the container bridge
    $IPT -A INPUT -i eth1 -j ACCEPT
    $IPT -A INPUT -i vmbr1 -j ACCEPT

    # Proxmox cluster traffic (corosync): multicast plus UDP 5404/5405
    $IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
    $IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

    # SYN flood limiter for everything not accepted above: a burst of 6, then 2 new
    # connections per second; has to come before the service ACCEPT rules to cover them
    $IPT -N SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    $IPT -A INPUT -p tcp --syn -j SYN_FLOOD

    # SSH brute-force limit: an address that opens more than 4 connections within 60 s is
    # dropped. Both rules must precede the SSH ACCEPT, otherwise they are never reached.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

    # Services reachable from outside; add "-s <admin network>" to VNC and the panel where you can
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
    $IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
    $IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

    # NetBIOS noise
    $IPT -A INPUT -p tcp --dport 137:139 -j DROP
    $IPT -A INPUT -p udp --dport 137:139 -j DROP

    # ICMP: echo request (ping) and time exceeded (traceroute)
    $IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

    # Packets conntrack cannot classify
    $IPT -A INPUT -m state --state INVALID -j DROP

    # DHCP replies to the hypervisor's own client
    $IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

    # Port-scan signatures: XMAS, NULL and other impossible flag combinations
    $IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
}

fw_stop() {
    echo "Stopping iptables"
    flush_all
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

case "$1" in
start)
    fw_start
    ;;
stop)
    fw_stop
    ;;
restart)
    fw_stop
    fw_start
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop|restart}"
    exit 1
    ;;
esac

exit 0
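The dead SSH rule is easy to reintroduce the next time rules are reordered, so here is a check that can be run against the live rule set. It is an added example, not part of the article or of Proxmox: it numbers the rules of a chain in the order iptables-save prints them and verifies that the "-m recent --update ... -j DROP" rule for port 22 comes before the port-22 ACCEPT, and that the jump into SYN_FLOOD comes before the first service ACCEPT (otherwise the limiter only sees packets the DROP policy would discard anyway). It assumes iptables-save output and a chain named INPUT; the two rule sets embedded in the block are constructed, the first with the ordering of the original version of the script above and the second with the corrected one.

```shell
#!/bin/sh
# Added example: ordering lint for an INPUT chain in iptables-save format.
# Usage on the hypervisor:  iptables-save | check_input_order
# Exit status 0 means both checks passed; the report goes to stdout.

# rule_index CHAIN REGEX  <iptables-save  -> 1-based position of the first rule appended to
# CHAIN whose text matches the extended regex, or 0 when no rule matches
rule_index() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain { n++; if (!found && $0 ~ pat) found = n }
        END { print found + 0 }'
}

# precedes RULES CHAIN REGEX_A REGEX_B -> true when both rules exist and A comes before B
precedes() {
    a=$(printf '%s\n' "$1" | rule_index "$2" "$3")
    b=$(printf '%s\n' "$1" | rule_index "$2" "$4")
    [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -lt "$b" ]
}

# ssh_limit_effective RULES -> true when the brute-force DROP precedes the SSH ACCEPT
ssh_limit_effective() {
    precedes "$1" INPUT '--dport 22 .*-m recent --update .*-j DROP$' '--dport 22 .*-j ACCEPT$'
}

# syn_flood_covers_services RULES -> true when the SYN_FLOOD jump precedes every port ACCEPT
syn_flood_covers_services() {
    precedes "$1" INPUT '-j SYN_FLOOD$' '--dport .*-j ACCEPT$'
}

# check_input_order <iptables-save -> one report line per check; exit 1 if any check failed
check_input_order() {
    rules=$(cat)
    rc=0
    if ssh_limit_effective "$rules"; then
        echo "ok: SSH rate limit is reached before the SSH ACCEPT"
    else
        echo "FAIL: SSH rate-limit DROP comes after the SSH ACCEPT (or is missing)"; rc=1
    fi
    if syn_flood_covers_services "$rules"; then
        echo "ok: SYN_FLOOD jump precedes the service ACCEPTs"
    else
        echo "FAIL: SYN_FLOOD jump comes after the service ACCEPTs (or is missing)"; rc=1
    fi
    return $rc
}

# Constructed samples (not captured from a real host): the ordering of the first version of
# the script, and the corrected ordering.
sample_original() {
    cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
-A SYN_FLOOD -j DROP
EOF
}

sample_fixed() {
    cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
-A SYN_FLOOD -j DROP
EOF
}
```

Running sample_original | check_input_order reports both FAIL lines; sample_fixed | check_input_order reports two ok lines and exits 0, as does the corrected script above.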

3. Miscellaneous

Setting the time zone on the hypervisor (the same works inside a container):
 mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date

Removing the subscription notice from the web interface: in
 /usr/share/pve-manager/ext4/pvemanagerlib.js
replace
 if (data.status !== 'Active') {
with
 if (data.status == 'Active') {
The file belongs to the pve-manager package and is overwritten on every upgrade, so the edit has to be repeated afterwards.

Proxmox: 'exit code 60' – corrupt quota file. The container's quota is marked as running although it is not; switching it off and on again repairs it:
 vzquota off [VEID]
 vzquota : (error) Quota is not running for id [VEID]
 vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
 vzquota on [VEID]

If a node refuses to start containers with "cluster not ready - no quorum" (for example, the other node of a two-node cluster is down), tell it how many votes to expect:
 pvecm e [votes]
"e" is short for "expected"; the argument is the number of votes, 1 for a single surviving node. This overrides the quorum protection: use it only when the other nodes are really down, not merely unreachable, otherwise two halves of the cluster may both consider themselves quorate.

Basic OpenVZ commands, where [VEID] is the container number:
 vzctl start [VEID]      start the container
 vzctl enter [VEID]      open a shell inside the container
 vzctl stop [VEID]       stop the container
 vzctl restart [VEID]    restart the container
 vzctl destroy [VEID]    delete a stopped container together with its private area (irreversible)
 vzlist -a               list all containers, running and stopped

UPD-1: VLANs

Example with three VLANs, 151, 152 and 666, carried on eth0: each VLAN gets its own sub-interface and its own bridge for the containers. The bridges are given the address 0.0.0.0/32, so the hypervisor itself has no IP address in the guest VLANs and is not reachable from them.
/etc/network/interfaces
 auto vlan151
 iface vlan151 inet manual
     vlan_raw_device eth0

 auto vlan152
 iface vlan152 inet manual
     vlan_raw_device eth0

 auto vlan666
 iface vlan666 inet manual
     vlan_raw_device eth0

 auto vmbr151
 iface vmbr151 inet static
     address 0.0.0.0
     netmask 255.255.255.255
     bridge_ports vlan151
     bridge_stp off
     bridge_fd 0

 auto vmbr152
 iface vmbr152 inet static
     address 0.0.0.0
     netmask 255.255.255.255
     bridge_ports vlan152
     bridge_stp off
     bridge_fd 0

 auto vmbr666
 iface vmbr666 inet static
     address 0.0.0.0
     netmask 255.255.255.255
     bridge_ports vlan666
     bridge_stp off
     bridge_fd 0

The vlan package provides the 802.1Q support:
 apt-get install vlan

Bring the VLAN interfaces up (the bridges the same way, or reboot) and check the result:
 ifup vlan151
 ifup vlan152
 ifup vlan666
 ifconfig

After that the bridges vmbr151, vmbr152 and vmbr666 appear in the web interface (the node's Network tab) and can be assigned to containers.


Adding interfaces by hand:
/etc/network/interfaces is regenerated when the network is changed in the web interface, and stanzas added by hand can be lost with it. Keep them in a separate .tail file, a convention some Debian installations use:
/etc/network/interfaces.tail
 auto eth1
 iface eth1 inet static
     address 10.7.10.5
     netmask 255.255.255.0

and append it:
 cat /etc/network/interfaces.tail >> /etc/network/interfaces

The .tail file is not touched by the web interface, so after a change made there the stanzas have to be appended again. Note that the command appends unconditionally: running it twice produces duplicate stanzas.
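The append is not idempotent: every run adds the stanzas again, and duplicate "iface eth1" stanzas in /etc/network/interfaces are a recurring source of confusion. The helper below is an added example (not from the article): it appends the tail only when the interface it declares is not yet configured, so it can be run after every change made in the web interface without checking first. The paths are parameters, so it can be tried on copies; the file contents it creates are constructed from the example above.

```shell
#!/bin/sh
# Added example: append interfaces.tail to /etc/network/interfaces only when the interface
# it declares is not configured there yet, so re-running never duplicates stanzas.

# tail_iface TAIL -> the name from the first "iface NAME ..." stanza of TAIL (empty if none)
tail_iface() {
    sed -n 's/^iface[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# has_iface INTERFACES NAME -> true when INTERFACES already has an "iface NAME" stanza
has_iface() {
    grep -Eq "^iface[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# append_tail INTERFACES TAIL -> prints "appended" or "present"; exit 1 if TAIL has no iface
append_tail() {
    name=$(tail_iface "$2")
    [ -n "$name" ] || { echo "no iface stanza in $2" >&2; return 1; }
    if has_iface "$1" "$name"; then
        echo present
        return 0
    fi
    { echo; cat "$2"; } >> "$1"
    echo appended
}

# make_samples DIR -> constructed copies of both files, so the helper can be exercised
# without touching the real configuration
make_samples() {
    cat > "$1/interfaces" <<'EOF'
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 10.1.1.1
    netmask 255.255.255.0
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
EOF
    cat > "$1/interfaces.tail" <<'EOF'
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
EOF
}

# Usage on the hypervisor:  append_tail /etc/network/interfaces /etc/network/interfaces.tail
```

The check keys on the iface name rather than on the whole stanza, so an address changed in the .tail file is not appended a second time either; edit the existing stanza in that case.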


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: VLANs

Example: three VLANs (151, 152 and 666) tagged on eth0, each attached to its own bridge so that containers and virtual machines can be put on it. In /etc/network/interfaces:

auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0

auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0

auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0

address 0.0.0.0 with netmask 255.255.255.255 is the old ifupdown idiom for "bring the bridge up without giving the hypervisor an address in that VLAN"; on newer Debian releases iface vmbrNNN inet manual does the same. Leaving the bridges without an address is also what keeps the hypervisor itself unreachable from the tenant VLANs.

Install the 802.1Q tools and bring the VLAN interfaces up:
apt-get install vlan

ifup vlan151
ifup vlan152
ifup vlan666
ifconfig

After that the new bridges appear in the web interface (Network) and can be selected for containers and virtual machines.


Proxmox rewrites /etc/network/interfaces whenever the network is changed from the web interface, so stanzas added by hand (on Debian, a second NIC for example) can disappear. Keep such stanzas in a separate file:
/etc/network/interfaces.tail
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0

and append it again after the web interface has regenerated the config:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file itself is not managed by the web interface, so it survives; check for duplicate stanzas before appending it a second time.


Programs that need an X display (a headless Skype for Skypiax, for example) can be run inside a container against an X server started on a display such as :1.

Starting Skype (for Skypiax) under the UID "skype", with the login fed through --pipelogin and errors logged:
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
Note that a user name and password written into the command line this way are visible to every user of the container in ps and in the shell history; keep them in a file readable only by the skype user and pipe it from there instead of echoing them.


1.6. Forwarding a disk partition
To give a container a whole partition, e.g. sda4:
vzctl set [VEID] --devnodes sda4:rw --save
This creates /dev/sda4 inside the container and grants raw read/write access to it, which amounts to root access to whatever filesystem lives on that partition: use it only for a partition dedicated to that container, never for one the hypervisor or other containers use.

1.7. Forwarding tun/tap
Needed for a VPN inside a container.

On the hypervisor, check that the tun module is loaded:
lsmod | grep tun

If it is not, load it and make it load at boot:
modprobe tun
echo "tun" >> /etc/modules

Then give the container the device and the capability to manage its own network stack, restarting it to apply:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]

Unlike --devnodes, --devices only grants access: the node /dev/net/tun (character device 10:200) must also exist inside the container, the same way /dev/fuse was created in 1.1. net_admin lets the container change its own interfaces, routes and firewall, so grant it only to a container you trust to that extent. Remember the warning from 1.3 as well: each --devices call replaces the whole DEVICES list, so list every device the container needs in one go.
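The procedure above as an added example script that is not from the original article: it makes sure tun is available on the hypervisor, merges the new device grant into the container's existing DEVICES= line instead of replacing it (the caveat from 1.3), sets the capability and creates the node inside the container. It assumes the standard OpenVZ layout, container configs in /etc/vz/conf/<VEID>.conf (overridable through VZ_CONF_DIR) in vzctl's own DEVICES="c:major:minor:perm ..." format, and that vzctl exec hands its command string to a shell inside the container; the function names are mine.

```bash
#!/bin/sh
# Added example (not from the original article): grant a container tun/tap
# access without losing the device grants it already has.
# Assumptions: OpenVZ container configs live in $VZ_CONF_DIR/<VEID>.conf and
# hold a DEVICES="c:maj:min:perm ..." line (vzctl's own format); the container
# is stopped/started with vzctl as in section 1.7.

VZ_CONF_DIR=${VZ_CONF_DIR:-/etc/vz/conf}

# Print the current DEVICES value of a container config (empty if none).
current_devices() {
    conf=$1
    [ -r "$conf" ] || return 0
    sed -n 's/^DEVICES="\(.*\)"$/\1/p' "$conf" | tail -n 1
}

# Print the list with the new spec added, unless it is already present.
# A plain "vzctl set --devices X" replaces the whole list and would drop,
# for example, the fuse grant from 1.1; merging keeps it.
merge_devices() {
    existing=$1
    new=$2
    for dev in $existing; do
        if [ "$dev" = "$new" ]; then
            echo "$existing"
            return 0
        fi
    done
    if [ -n "$existing" ]; then
        echo "$existing $new"
    else
        echo "$new"
    fi
}

# Rewrite (or add) the DEVICES= line in a container config.
set_devices_line() {
    conf=$1
    list=$2
    if grep -q '^DEVICES=' "$conf"; then
        sed -i "s|^DEVICES=.*|DEVICES=\"$list\"|" "$conf"
    else
        printf 'DEVICES="%s"\n' "$list" >> "$conf"
    fi
}

# Full procedure for one container; VEID must be numeric and its config exist.
grant_tun() {
    veid=$1
    case "$veid" in
        ''|*[!0-9]*) echo "usage: grant_tun VEID" >&2; return 1 ;;
    esac
    conf="$VZ_CONF_DIR/$veid.conf"
    [ -f "$conf" ] || { echo "no container config $conf" >&2; return 1; }

    # tun on the hypervisor, now and at boot (built-in tun has the node too)
    [ -c /dev/net/tun ] || modprobe tun
    grep -qx tun /etc/modules || echo tun >> /etc/modules

    merged=$(merge_devices "$(current_devices "$conf")" "c:10:200:rw")
    vzctl stop "$veid"
    set_devices_line "$conf" "$merged"          # read by vzctl at start
    vzctl set "$veid" --capability net_admin:on --save
    vzctl start "$veid"
    # --devices only grants access; the node has to exist in the container.
    vzctl exec "$veid" 'mkdir -p /dev/net; [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200; chmod 600 /dev/net/tun'
}

# Only act when asked explicitly, e.g.:  sh grant_tun.sh --apply 101
if [ "${1:-}" = "--apply" ]; then
    grant_tun "$2"
fi
```

Without --apply the script only defines the functions, so merge_devices and set_devices_line can be tried against a scratch copy of a container config before touching a live one.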


2. iptables inside containers

For iptables to work inside a container, the hypervisor has to make the netfilter modules available to containers. In /etc/vz/vz.conf set the IPTABLES variable:
nano /etc/vz/vz.conf
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
and restart the vz service (this stops and starts all containers):
/etc/init.d/vz restart
The more of conntrack and nat you expose to containers, the more kernel state an untrusted container can drive; give only what the container actually needs.

The same modules (plus loop, if containers mount images) must be loaded on the hypervisor itself; list them in /etc/modules, one per line, so they come up at boot:
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop

Firewall on the hypervisor, as an init script /etc/init.d/iptables. Only INPUT is filtered, i.e. the host's own services. Note the Required-Start: $all header: the script runs last in the boot order, so the host is unfiltered for a short time during boot; change the dependency to $network, or load the rules with iptables-restore, if that window matters.

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# Kernel-side TCP hardening: fewer SYN-ACK retries and a larger SYN backlog
# with SYN cookies against SYN floods, a short FIN timeout, aggressive
# keepalives to drop dead peers, and reverse-path filtering so packets with
# spoofed source addresses are discarded.
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
# "default" only applies to interfaces created later; "all" covers existing ones
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.conf.all.rp_filter=1
# Forwarding is left untouched: containers on venet need it enabled
#sysctl -w net.ipv4.ip_forward=0

# Default policies: drop everything addressed to the host unless allowed
# below; forwarded (container) and outgoing traffic is not filtered here
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Replies to connections the host opened itself
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback
$IPT -A INPUT -i lo -j ACCEPT

# Trusted internal interfaces: the second NIC and the internal bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT

# Proxmox cluster traffic (corosync: multicast and UDP 5404/5405)
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# New TCP connections must begin with a SYN; -I puts this at the top of INPUT
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# Packet sanity. These drops and the SYN limiter below have to precede the
# service ACCEPT rules, otherwise accepted traffic never reaches them.
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN rate limit as basic SYN-flood damping. The limit is global, not per
# source: 2/s with a burst of 6 can throttle the web panel, which opens
# several connections per page, so raise it if the panel feels sluggish.
$IPT -N SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD

# SSH with brute-force protection: every new connection is recorded, and
# from the fourth one within 60 seconds the source is dropped. The recent
# rules must come before the ACCEPT, otherwise the limit is never reached.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH

# Management services, open to the world here; if the host has a public
# address, restrict them to the management network with -s <net/mask>
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC consoles
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# NetBIOS noise
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request (ping) and time exceeded (traceroute)
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# DHCP client replies (only needed if the host gets its address by DHCP)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

;;
stop)
echo "Stopping iptables"

# Flush all rules, delete the user-defined chains and open the policies
$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0
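A check for the SSH rule-order problem, as an added example that is not part of the original script: it reads iptables-save output and reports whether the recent --update DROP for port 22 sits in front of the port-22 ACCEPT, which is the only order in which the brute-force limit can fire. The two embedded rulesets are constructed samples in iptables-save format, one with the order the original script produced and one with the corrected order; the function names are mine.

```bash
#!/bin/sh
# Added example (not from the original article): detect the ordering mistake
# where the ACCEPT for port 22 precedes the "recent --update ... DROP" rule,
# making the rate limit unreachable. Reads iptables-save output on stdin.
# Assumptions: iptables-save formatting ("-A INPUT ... -m tcp --dport 22");
# the two sample rulesets below are constructed for the demonstration.

# Exit status: 0 = limit precedes the ACCEPT (effective),
#              1 = ACCEPT comes first (limit unreachable),
#              2 = one of the two rules is missing.
check_ssh_ratelimit_order() {
    awk '
        /^-A INPUT / && /--dport 22( |$)/ && /-j ACCEPT/ && !accept { accept = NR }
        /^-A INPUT / && /--dport 22( |$)/ && /-m recent/ && /--update/ && /-j DROP/ && !drop { drop = NR }
        END {
            if (!accept || !drop) exit 2
            if (drop < accept) exit 0
            exit 1
        }'
}

# Constructed sample: the order the original script produced (ACCEPT first).
broken_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
COMMIT
EOF
}

# Constructed sample: corrected order (set, update/DROP, then ACCEPT).
fixed_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
COMMIT
EOF
}

# Human-readable wrapper: label and the name of a function that prints rules.
# Prints a verdict and returns the check's exit status.
report() {
    label=$1
    if "$2" | check_ssh_ratelimit_order; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$label: ok, rate limit precedes the SSH ACCEPT" ;;
        1) echo "$label: BUG, SSH ACCEPT precedes the rate limit" ;;
        *) echo "$label: incomplete, update/DROP or ACCEPT rule for port 22 missing" ;;
    esac
    return $rc
}

# Stand-alone demo on the two samples:  sh check_ssh_order.sh --demo
# On a host:  iptables-save | check_ssh_ratelimit_order  (status 1 = bug)
if [ "${1:-}" = "--demo" ]; then
    report "original order" broken_rules || true
    report "corrected order" fixed_rules || true
fi
```

Run it against the live ruleset after every change to the script; a status of 1 means an address can hammer SSH freely despite the recent rules being present.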

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
, ( ). , X- .

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# lo
$IPT -A INPUT -i lo -j ACCEPT

#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT

#
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {

if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a

- , , .

UPD-1: vlan

2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0

apt-get install vlan

ifup vlan151 ifup vlan152 ifup vlan666
ifconfig

, (network), ,

.


:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .


, , - - , .
   ,    ( ).  ,  X-       . 

, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»


1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .


lsmod | grep tun

modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.


, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.

, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

# TCP stack settings: SYN cookies, short FIN/keepalive timers, reverse-path filter
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

# default policies: drop inbound, allow forwarding (containers) and outbound
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# replies to connections the host initiated
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# loopback
$IPT -A INPUT -i lo -j ACCEPT

# trusted internal interfaces: the LAN NIC and the container bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Proxmox cluster traffic (corosync multicast, UDP 5404/5405)
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# new TCP connections must start with SYN
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# SSH: at most 4 new connections per 60 s from one source (recent match).
# The DROP rule has to come before the ACCEPT, and every accepted attempt is
# recorded with --set, otherwise the limit never triggers.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT ## SSH

# management services
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# ICMP: echo request and time exceeded only
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP

# DHCP client replies; without this rule iptables blocks lease renewal
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# malformed TCP flag combinations (all flags set / no flags set)
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# other invalid flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN rate limit: 2 SYN/s with a burst of 6, the rest are dropped
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

;;
stop)
echo "Stopping iptables"

# flush all rules, delete user chains and open the policies again
$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0

3.

Setting the time zone (Europe/Simferopol as an example):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date

Web interface: in /usr/share/pve-manager/ext4/pvemanagerlib.js replace
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
Proxmox: 'exit code 60' – corrupt quota file. Turn the container's quota off and back on (the first command repairs the quota state on its own):
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
If the cluster reports "cluster not ready - no quorum", set the expected number of votes (pvecm expected):
pvecm e
Basic OpenVZ commands, where [VEID] is the container number:
vzctl start [VEID]

vzctl enter [VEID]

vzctl stop [VEID]

vzctl restart [VEID]

vzctl destroy [VEID]

vzlist -a


UPD-1: vlan

Example with VLANs 151, 152 and 666:
/etc/network/interfaces
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0

auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0

auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0

apt-get install vlan

ifup vlan151
ifup vlan152
ifup vlan666
ifconfig
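The VLAN stanzas above differ only in the id. As an added example (not from the article), the function below generates the vlanN/vmbrN pairs for any list of ids, with a range check, in the form used above (0.0.0.0/32 on the bridge so the hypervisor has no address in that VLAN); the function name is mine.

```sh
#!/bin/sh
# Added example: generate /etc/network/interfaces stanzas for tagged VLAN
# bridges, one vlanN interface plus one vmbrN bridge per id.

# gen_vlan_bridges RAWDEV VLANID...: print the stanzas to stdout; returns 1
# on a non-numeric or out-of-range id (valid 802.1Q ids are 1-4094).
gen_vlan_bridges() {
    raw=$1
    shift
    [ -n "$raw" ] || { echo "gen_vlan_bridges: missing raw device" >&2; return 1; }
    for id in "$@"; do
        case $id in
            ''|*[!0-9]*) echo "gen_vlan_bridges: bad VLAN id '$id'" >&2; return 1 ;;
        esac
        if [ "$id" -lt 1 ] || [ "$id" -gt 4094 ]; then
            echo "gen_vlan_bridges: VLAN id $id out of range 1-4094" >&2
            return 1
        fi
        # tagged sub-interface on the physical NIC
        printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' "$id" "$id" "$raw"
        # bridge for containers/VMs in that VLAN; dummy /32 so the host has no IP there
        printf 'auto vmbr%s\niface vmbr%s inet static\n' "$id" "$id"
        printf '\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n'
        printf '\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' "$id"
    done
}

# Usage (not run here): gen_vlan_bridges eth0 151 152 666 >> /etc/network/interfaces
```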



Additional interfaces, Debian style, kept in /etc/network/interfaces.tail:
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0

cat /etc/network/interfaces.tail >> /etc/network/interfaces
Source: https://habr.com/ru/post/210460/

