Author Archives: manu

Cisco SNMP v3

Configure snmp v3:

snmp-server group GROUP v3 priv
snmp-server user USER GROUP v3 auth sha PUBPASSWORD priv aes 128 PRIVPASSWORD
snmp-server contact JohnDoe
snmp-server location Danlq

Change GROUP, USER, PUBPASSWORD and PRIVPASSWORD according to your needs.

Get the engineID of the device:

sh snmp engineID

You get, for example:

Local SNMP engineID: 300000090C009C4E90AFB1M3
Remote Engine ID          IP-addr    Port
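The engineID shown above is not just informational: in SNMPv3 (RFC 3414) the USM auth and priv keys that a manager derives from PUBPASSWORD and PRIVPASSWORD are "localized" with the agent's engineID, so the same password yields a different key on every device. The following added example (not code from the original post) implements that derivation with Python's standard hashlib; it uses the RFC 3414 appendix test vector (password "maplesyrup", engineID 000000000000000000000002) and a second, constructed engineID to show the difference. For Cisco's `auth sha` the hash is SHA-1; for `priv aes 128` the first 16 bytes of the localized key are used (RFC 3826).

```python
import hashlib

# Added example, not from the original post. Implements the RFC 3414
# password-to-key (appendix A.2) and key localization (section 2.6) steps
# that an SNMPv3 manager performs; the engineID from "sh snmp engineID"
# is an input to the derivation.

ONE_MIB = 1048576  # A.2 hashes exactly 1,048,576 bytes of the repeated password


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku: hash of the password repeated cyclically to fill 1 MiB (RFC 3414 A.2)."""
    if not password:
        raise ValueError("password must not be empty")
    repeated = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key bound to one engine (RFC 3414 2.6)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """Password and hex engineID in, hex localized key out."""
    ku = password_to_key(password.encode("utf-8"), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


def aes128_priv_key_hex(priv_password: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """AES-128 privacy key: first 16 bytes of the localized key derived with the auth hash (RFC 3826)."""
    return localized_key_hex(priv_password, engine_id_hex, algo)[:32]


if __name__ == "__main__":
    # Test vector from RFC 3414 A.3.2: password "maplesyrup", engineID 00..02.
    rfc_engine = "000000000000000000000002"
    print("SHA-1 Kul on RFC engine :", localized_key_hex("maplesyrup", rfc_engine))
    # Constructed engineID (not a real device): same password, different key.
    other_engine = "800000090300aabbccddeeff"
    print("SHA-1 Kul on other engine:", localized_key_hex("maplesyrup", other_engine))
    print("AES-128 priv key         :", aes128_priv_key_hex("maplesyrup", rfc_engine))
```

Because the localized key depends on the engineID, a captured key for one device is useless against another, and changing a device's engineID invalidates every manager's stored keys for it, which is why the post collects it right after configuring the user.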

Debian java 8 setup

Java 8 setup (for ELK for example):

echo "deb trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp:// --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer

Activate this java version:

# show all installed java versions
update-java-alternatives -l
# set one of the installations as the default:
update-java-alternatives -s java-8-oracle

iptables INVALID use case

This article describes a use case of the iptables INVALID state.

The LAN is connected to the gateway's eth1.
The VPN server offers VPN services on the network, for example a client will have the address
The VPN server has two interfaces, and forwarding is enabled.
All routes are maintained ONLY on the gateway.

When a VPN client wants to reach a server located on the LAN, for example, it does not work!

Let's have a look at the routes.
Way to go:
the VPN client wants to reach the LAN server;
first the packet goes to the client's gateway,
then it reaches the gateway, which still holds the route,
and the destination is on a connected interface, so it reaches the server.
Way back:
the server has a default gateway,
and then nothing happens: packets are stopped on the gateway, meaning they are not sent back, so it does not work.

Why?
This is because the LAN server sends the return packets to its default gateway instead of to the VPN server.
The default gateway does not accept this: the packets are neither NEW nor ESTABLISHED. This is asymmetric routing.

In order to make this work there are two solutions:
– add on every LAN server a route like via, but I do not want this solution since I only maintain routes on the gateway;
– the other solution is to make the gateway accept packets that are neither NEW nor ESTABLISHED:

$I -A FORWARD -i eth1 -o eth1 -s -d -m state --state INVALID -j ACCEPT

This rule says that packets coming in from the LAN on eth1 and exiting on eth1, from the LAN network to the VPN network, are accepted even though they do not have a normal conntrack state (INVALID).
You are accepting asymmetric routing on your network, and now it works: VPN clients have access to all LAN servers.

And do not forget the legitimate traffic:

$I -A FORWARD -i eth1 -o eth1 -s -d -m state --state NEW,ESTABLISHED -j ACCEPT
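The point of the `-i eth1 -o eth1 -s ... -d ...` matches on the INVALID rule is to confine the exception to exactly the LAN-to-VPN hairpin; an INVALID ACCEPT without them lets every out-of-state packet through the FORWARD chain. The following added audit helper (not code from the original post) parses iptables-save style lines and reports each rule that ACCEPTs INVALID packets together with whichever of those four scoping matches it lacks. The sample rules are constructed; 192.168.1.0/24 (LAN) and 10.8.0.0/24 (VPN clients) are placeholders standing in for the post's elided networks.

```python
import shlex

# Added example, not from the original post. Audits iptables-save style
# rules for ACCEPT targets that match state INVALID and reports which of
# the scoping matches (-i, -o, -s, -d) are missing on each such rule.
# Constructed sample: LAN 192.168.1.0/24 on eth1, VPN clients 10.8.0.0/24.
SAMPLE_RULES = """\
-A FORWARD -i eth1 -o eth1 -s 192.168.1.0/24 -d 10.8.0.0/24 -m state --state INVALID -j ACCEPT
-A FORWARD -i eth1 -o eth1 -s 192.168.1.0/24 -d 10.8.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j ACCEPT
"""

SCOPE_FLAGS = {
    "-i": "in", "--in-interface": "in",
    "-o": "out", "--out-interface": "out",
    "-s": "src", "--source": "src", "--src": "src",
    "-d": "dst", "--destination": "dst", "--dst": "dst",
}


def parse_rule(line: str) -> dict:
    """Extract chain, scoping matches, state set and target from one -A line."""
    toks = shlex.split(line)
    rule = {"raw": line, "chain": None, "in": None, "out": None,
            "src": None, "dst": None, "states": set(), "target": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule["chain"] = nxt
            i += 2
        elif tok in SCOPE_FLAGS:
            # A negated match ("! -s ...") does not narrow the rule, so treat it as absent.
            negated = i > 0 and toks[i - 1] == "!"
            rule[SCOPE_FLAGS[tok]] = None if negated else nxt
            i += 2
        elif tok in ("--state", "--ctstate"):
            rule["states"] = {s.upper() for s in nxt.split(",")}
            i += 2
        elif tok in ("-j", "--jump"):
            rule["target"] = nxt
            i += 2
        else:
            i += 1  # -m state, -m conntrack, -p, etc. are not needed here
    return rule


def invalid_accepts(rules_text: str) -> list:
    """Return (rule_line, missing_scope_fields) for every ACCEPT of INVALID packets."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A"):
            continue
        rule = parse_rule(line)
        if rule["target"] == "ACCEPT" and "INVALID" in rule["states"]:
            missing = [f for f in ("in", "out", "src", "dst") if rule[f] is None]
            findings.append((line, missing))
    return findings


def unscoped_invalid_accepts(rules_text: str) -> list:
    """Only the risky rules: INVALID accepted without full interface and address scoping."""
    return [line for line, missing in invalid_accepts(rules_text) if missing]


if __name__ == "__main__":
    for line, missing in invalid_accepts(SAMPLE_RULES):
        status = "scoped" if not missing else "UNSCOPED (missing %s)" % ", ".join(missing)
        print(status, "::", line)
```

Run it against the output of `iptables-save` on the gateway to confirm that the only INVALID ACCEPT present is the fully scoped hairpin rule from this post; anything the helper reports as UNSCOPED deserves a second look, since such a rule undoes the protection the stateful firewall was giving on that chain.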