Diffstat (limited to 'content/posts')
-rw-r--r-- content/posts/archlinux-and-bridged-libvirt-plus-ufw.rst | 68
-rw-r--r-- content/posts/scripting-forti.rst                         | 55
2 files changed, 123 insertions, 0 deletions
diff --git a/content/posts/archlinux-and-bridged-libvirt-plus-ufw.rst b/content/posts/archlinux-and-bridged-libvirt-plus-ufw.rst new file mode 100644 index 0000000..cb4850d --- /dev/null +++ b/content/posts/archlinux-and-bridged-libvirt-plus-ufw.rst @@ -0,0 +1,68 @@ +Arch+libvirt+bridges+ufw +######################## +:date: 2014-07-03 14:48 +:tags: archlinux,libvirt,network-bridge,ufw,netctl + +I never thought getting bridged network for libvirt +clients to work under archlinux. Here is the digest. + +Adding Bridge Network with netctl +--------------------------------- +eth0 needs to be up in order to get the bridge working + + +**/etc/netctl/bridge** + +.. code-block:: bash + + Description='bridge' + Interface=br0 + Connection=bridge + BindsToInterface=(eth0) + IP=static # or dhcp + Address=('1.2.3.4/24') + Gateway='1.2.3.1' + DNS=('1.2.3.3') + ExecUpPost="brctl stp $Interface on||:" + +**/etc/netctl/eth_bridged** + +.. code-block:: bash + + Description='eth0 without ip' + Interface=eth0 + Connection=ethernet + IP=no + IP6=no + +**enable the bridge** + +.. code-block:: bash + + systemctl disable dhcpcd@eth0 # if applicable + netctl enable bridge + netctl enable eth_bridged + +After a reboot the interface should be available and libvirt should be able to use the bridge for libvirt clients. +If you have ufw in place, add this line to **/etc/ufw/before{,6}.rules** between \*filter and COMMIT : + +.. code-block:: bash + + -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT + +maybe you also need the following lines in **/etc/sysctl.d/bridge.conf**: + +.. code-block:: bash + + net.bridge.bridge-nf-call-ip6tables = 0 + net.bridge.bridge-nf-call-iptables = 0 + net.bridge.bridge-nf-call-arptables = 0 + +enable security changes + +.. code-block:: bash + + ufw disable + ufw enable + sysctl -p /etc/sysctl.d/bridge.conf + diff --git a/content/posts/scripting-forti.rst b/content/posts/scripting-forti.rst new file mode 100644 index 0000000..7ee3a23 --- /dev/null 
+++ b/content/posts/scripting-forti.rst @@ -0,0 +1,55 @@ +Scripting the Fortigate VPN Client +################################## +:date: 2014-09-12 13:37 +:tags: expect, fortigate + +Again there was a need to fix frickelsoftware. In that case i needed a permanent vpn connection via the fortigate vpn client . +Problem is, that the tunnel disconnects after some time but the client does not exists and that input cannot simply piped into the executable. + +I wrote an Expect script which works work around both issues: + +.. code-block:: tcl + + #!/usr/bin/expect -f + # cd into the 64 bit folder of the client + # usage: efort.exp + + spawn ./forticlientsslvpn_cli --server <VPNIP>:<VPNPORT> --vpnuser <VPNUSER> 2>&1 + log_user 0 + send_user "Logging in\n" + expect "Password for VPN:" + send "<VPNPASSWORD>\n" + + # i needed ths for 'certificate error' + expect "Would you like to connect to this server" + send "Y\n" + send_user "Beginning to connect\n" + expect "STATUS::Tunnel running" + send_user "Tunnel running!\n" + + # this is how long the next expect waits for pattern match, in seconds + set timeout 90001 + expect "STATUS::Tunnel closed" + send_user "Tunnel closed!\n" + send_user "Dying\n" + close + exit + + +At the end, enterprise-loop the script and we are done! + +.. code-block:: bash + + #!/bin/sh + cd "$(dirname "$(readlink -f "$0")")" + while sleep 1;do + expect efort.exp + echo "Restarting forticlient !" + done + + +Fyi: It seems it is not that easy to find the fortigate client for linux, if you are lucky you can get it from the `official FTP server`_ or have a look at the current `fortclientsslvpn AUR package`_. + + +.. _official FTP server: ftp://pftpintl:sgn89IOngs@support.fortinet.com/FortiGate/v5.00/5.2/5.2.0/VPN/SSLVPNTools/forticlientsslvpn_linux_4.4.2303.tar.gz +.. _fortclientsslvpn AUR package: https://aur.archlinux.org/packages/forticlientsslvpn/ |
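Review bot: in archlinux-and-bridged-libvirt-plus-ufw.rst the sysctl block for /etc/sysctl.d/bridge.conf and the ufw rule for before{,6}.rules contradict each other, and the post should say which one is intended. `net.bridge.bridge-nf-call-iptables = 0` stops bridged frames from traversing iptables at all, so the `-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT` rule can never match once that setting is applied; conversely, with the sysctl left at 1 the physdev rule accepts every bridged frame unconditionally. Either way guest traffic crossing br0 is no longer filtered by ufw, which is a deliberate trade-off that deserves a plain sentence rather than "maybe you also need the following lines". Suggest keeping bridge-nf-call-iptables at 1 and using only the physdev rule (narrowed with `--physdev-in`/`--physdev-out` to the bridge ports if you want anything less than blanket accept) so ufw still sees and can log the traffic, or, if the sysctl route is taken, dropping the rule and stating that the host firewall does not apply to bridged guests. Two smaller points: on kernels where bridge netfilter is a separate module (br_netfilter) the net.bridge.* keys only exist once that module is loaded, so `sysctl -p /etc/sysctl.d/bridge.conf` fails otherwise; and the opening sentence is missing its verb ("I never thought getting bridged network for libvirt clients to work").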
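Review bot: the `official FTP server` target at the bottom of scripting-forti.rst embeds a username and password in the URL (`ftp://pftpintl:sgn89IOngs@support.fortinet.com/...`); credentials should not be committed to public blog source even when they are vendor download credentials, so strip them from the URL or keep only the AUR link. In the expect script in the same hunk, `spawn ./forticlientsslvpn_cli --server <VPNIP>:<VPNPORT> --vpnuser <VPNUSER> 2>&1` does not go through a shell, so `2>&1` is passed to the client as a literal argument rather than merging stderr; drop it (spawn already sees both streams on the pty) or spawn via `sh -c`. `send "Y\n"` in answer to "Would you like to connect to this server" auto-accepts a certificate the client could not verify, which leaves the tunnel open to an MITM on every reconnect; the comment should say that, and the proper fix is to install the CA the gateway uses rather than script past the warning. `set timeout 90001` also means expect stops waiting after about 25 hours even though the tunnel is still up, and `close` then tears it down; `set timeout -1` waits indefinitely for `STATUS::Tunnel closed`. With `<VPNPASSWORD>` stored in cleartext inside the script, the file needs restrictive permissions at minimum.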