dbawiki

User Tools

Site Tools

You are here: start » ssh
ssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
ssh [2018/12/06 21:05] – created 91.177.234.129ssh [2026/01/09 15:44] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== SSH ======+  * [[https://docs.github.com/en/authentication/connecting-to-github-with-ssh/using-ssh-agent-forwarding|Using SSH agent forwarding]] 
 +  * [[https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm]] 
 +  * [[https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464|Crossing several proxies (proxy chaining) using ProxyJump]] 
 +ProxyJump, configured in .ssh/config makes connecting to customers' servers childsplay, no more tunneling headaches. 
 +  * [[https://vimeo.com/54505525?cjevent=331dfbdafd4f11e880e4005e0a180514|The Black Magic Of SSH / SSH Can Do That?]]
  
-=====How to set up SSH so I don't have to type a password===== +==== Automaticallt start ssh agent and add keys on login ==== 
-Using an ssh keypair enables us to scp files from machine to machine without needing a password<br /> +Add this to .profile 
-The private key MUST remain private - if anyone gets hold of it, they can also transfer files to the remote machine.<br /> +<code> 
-The private key stays on the local machine, the public key goes out to anyone who wants it!<br /> +SSH_ENV="$HOME/.ssh/environment" 
-Or put another way, private key is on the sending machine, public key is on the receiving machine.<br /> +function start_agent { 
-*Generate a key-pair+    echo "Initialising new SSH agent..." 
 +    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}" 
 +    echo succeeded 
 +    chmod 600 "${SSH_ENV}" 
 +    . "${SSH_ENV}" > /dev/null 
 +    /usr/bin/ssh-add; 
 +
 +# Source SSH settings, if applicable 
 +if [ -f "${SSH_ENV}" ]; then 
 +    . "${SSH_ENV}" > /dev/null 
 +    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || { 
 +        start_agent; 
 +    } 
 +else 
 +    start_agent; 
 +fi 
 +</code> 
 +==== Some common options for ssh-keygen ( OpenSSH) ==== 
 +<code> 
 +-b “Bits” This option specifies the number of bits in the key. The regulations that govern the use case for SSH may require a specific key length to be used. In general, 2048 bits is considered to be sufficient for RSA keys. 
 + 
 +-e “Export” This option allows reformatting of existing keys between the OpenSSH key file format and the format documented in RFC 4716, “SSH Public Key File Format”. 
 + 
 +-p “Change the passphrase” This option allows changing the passphrase of a private key file with [-P old_passphrase] and [-N new_passphrase], [-f keyfile]. 
 + 
 +-t “Type” This option specifies the type of key to be created. Commonly used values are: - rsa for RSA keys - dsa for DSA keys - ecdsa for elliptic curve DSA keys 
 + 
 +-i "Input" When ssh-keygen is required to access an existing key, this option designates the file. 
 + 
 +-f "File" Specifies name of the file in which to store the created key. 
 + 
 +-N "New" Provides a new passphrase for the key. 
 + 
 +-P "Passphrase" Provides the (old) passphrase when reading a key. 
 + 
 +-c "Comment" Changes the comment for a keyfile. 
 + 
 +-p Change the passphrase of a private key file. 
 + 
 +-q Silence ssh-keygen. 
 + 
 +-v Verbose mode. 
 + 
 +-l "Fingerprint" Print the fingerprint of the specified public key. 
 + 
 +-B "Bubble babble" Shows a "bubble babble" (Tectia format) fingerprint of a keyfile. 
 + 
 +-F Search for a specified hostname in a known_hosts file. 
 + 
 +-R Remove all keys belonging to a hostname from a known_hosts file. 
 + 
 +-y Read a private OpenSSH format file and print an OpenSSH public key to stdout. 
 + 
 +This only listed the most commonly used options. For full usage, including the more exotic and special-purpose options, use the man ssh-keygen command. 
 +</code> 
 + 
 +==== (Re)create known_hosts file ==== 
 +If the fingerprints get messed up, regenerate a hosts file by scanning it. 
 +<code> 
 +ssh-keyscan example.com > known_hosts 
 +</code> 
 + 
 +==== Generate a new key pair ==== 
 +First generate a private key 
 +<code> 
 +ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa 
 +</code> 
 +then generate a public key from the private key 
 +<code> 
 +ssh-keygen -y -f ~/.ssh/id_rsa 
 +</code> 
 +==== Copying the Public Key to the Server ==== 
 +In order to access a remote server, the public key needs to be added to the authorized_keys file on that server 
 +<code> 
 +ssh-copy-id -i ~/.ssh/id_rsa.pub username@remoteserver 
 +</code> 
 + 
 +==== Given a private key, check which public key matches it ==== 
 +The -l flag will also show the strength of the key and any comments 
 +<code> 
 +ssh-keygen -l -f ~/.ssh/id_rsa 
 +</code> 
 +do the same thing with openssl (for pem format) 
 +<code> 
 +openssl rsa -in ~/.ssh/id_rsa -pubout -outform pem -check 
 +</code> 
 + 
 +==== Given a private key, regenerate the public key ==== 
 +Sends the public key to stdout so redirect to a file to keep it. This format is suitable to add to ~/.ssh/authorized_keys 
 +<code> 
 +ssh-keygen -y -f ~/.ssh/id_rsa 
 +</code> 
 +==== Use openssl to convert an ssh format private key to pem format (neatly justified and with header and trailer lines) ==== 
 +<code> 
 +openssl rsa -in id_rsa -outform pem > id_rsa.pem 
 +</code> 
 +==== Use openssl to generate a public key in pem format from a pem format private key ==== 
 +<code> 
 +openssl rsa -in id_rsa -pubout -outform pem > id_rsa.pub.pem 
 +</code> 
 + 
 +==== How to set up SSH so I don't have to type a password ==== 
 +Using an ssh keypair enables us to scp files from machine to machine without needing a password\\ 
 +The private key MUST remain private - if anyone gets hold of it, they can also transfer files to the remote machine.\\ 
 +The private key stays on the local machine, the public key goes out to anyone who wants it!\\ 
 +Or put another way, private key is on the sending machine, public key is on the receiving machine.\\ 
 +  * Generate a key-pair
 Run Run
-<code>0@@</code> +<code> 
-to generate an RSA keypair. You now have 2 keys. The public key is stored in ~/.ssh/id_rsa.pub, and your private key is in ~/.ssh/id_rsa.<br /> +ssh-keygen -t rsa 
-*Upload public key to remote machine +</code> 
-<code>1@@</code>+to generate an RSA keypair. You now have 2 keys. The public key is stored in $HOME/.ssh/id_rsa.pub, and your private key is in $HOME/.ssh/id_rsa.\\ 
 +  * Upload public key to remote machine 
 +Either use [[ssh-copy-id]] 
 +<code> 
 +/usr/bin/ssh-copy-id -i $HOME/.ssh/id_rsa remote_user@remote_host 
 +</code> 
 +or 
 +<code> 
 +cat .ssh/id_rsa.pub | ssh remote_user@remote_host 'cat >> ~/.ssh/authorized_keys' 
 +</code> 
 +or 
 +<code> 
 +scp $HOME/.ssh/id_rsa.pub $REMOTE_HOST:/tmp 
 +</code>
 Login to remote machine and Login to remote machine and
-<code>2@@</code> +<code> 
-Check file permissions<br /> +cat /tmp/id_rsa.pub >>$HOME/.ssh/authorized_keys 
-authorized_keys and id_rsa have to be 600<br />+</code> 
 +Check file permissions\\ 
 +authorized_keys and id_rsa have to be 600\\
 id_rsa.pub can be 644 id_rsa.pub can be 644
-<code>3@@</code>+<code> 
 +ls -al ~/.ssh/id_rsa 
 +ls -al ~/.ssh/id_rsa.pub 
 +ls -al ~/.ssh/authorized_keys 
 +</code>
  
-*Load your private key into an agent (optional)+  * Load your private key into an agent (optional)
 If you load your private key into an agent, it will hold the decrypted key in memory. Otherwise, you would have have to enter the key's passphrase (if you used one) every time you connect. If you load your private key into an agent, it will hold the decrypted key in memory. Otherwise, you would have have to enter the key's passphrase (if you used one) every time you connect.
 To load the key, run To load the key, run
-<code>4@@</code> +<code> 
-and enter the key's passphrase. (If your key is not in the default location ~/.ssh/id_rsa, you will need to provide the full path. For example, ssh-add ~/.ssh/id_rsa_my_ssh_key).<br />+ssh-add 
 +</code> 
 +and enter the key's passphrase. (If your key is not in the default location ~/.ssh/id_rsa, you will need to provide the full path. For example, ssh-add ~/.ssh/id_rsa_my_ssh_key).\\
 If ssh-add says "Could not open a connection to your authentication agent.", then you don't have a SSH agent running. Launch one using this command: If ssh-add says "Could not open a connection to your authentication agent.", then you don't have a SSH agent running. Launch one using this command:
-<code>5@@</code>+<code> 
 +eval $(ssh-agent) 
 +</code>
  
-=====scp files to server adding automatically to known_hosts=====+==== scp files to server adding automatically to known_hosts ====
 When copying files to a server for the first time, you are asked if you want to add the servers fingerprint to the known_hosts file. To avoid the question and add automatically, use: When copying files to a server for the first time, you are asked if you want to add the servers fingerprint to the known_hosts file. To avoid the question and add automatically, use:
-<code>6@@</code>+<code> 
 +scp -o Batchmode=yes -o StrictHostKeyChecking=no <files> <server> 
 +</code>
  
-=====Problems?===== +==== Problems? ==== 
-  * Permissions. Check your home directory is writable only by you (eg: 750), the .ssh directory is 700 and the id* and auth* files are 600. +  *  Permissions. Check your home directory is writable only by you (eg: 750), the .ssh directory is 700 and the id* and auth* files are 600. 
-  * From the client (the one with the private key on it), add a -v switch to the scp command. This will show debugging info. -vv gives more. -vvv gives even more! +  *  From the client (the one with the private key on it), add a -v switch to the scp command. This will show debugging info. -vv gives more. -vvv gives even more! 
-  * On the server (remote machine), look at the logs to see if there is any more info in there (try /var/log/messages or /var/log/auth.log or /var/log/authlog or /var/log/secure) +  *  On the server (remote machine), look at the logs to see if there is any more info in there (try /var/log/messages or /var/log/auth.log or /var/log/authlog or /var/log/secure) 
-  * Check the /etc/ssh/sshd_config file on the remote machine for settings like StrictModes. If this is on, the permissions above will be important. +  *  Check the /etc/ssh/sshd_config file on the remote machine for settings like StrictModes. If this is on, the permissions above will be important. 
-  * After all these failed attempts, has your username been locked out? +  *  After all these failed attempts, has your username been locked out? 
-On AIX, look at and reset the unsuccessful login counter:<br /+On AIX, look at and reset the unsuccessful login counter:\\ 
-<code>7@@</code> +<code
-  * Check the server log file: +USERNAME=<username> 
-vi /etc/syslog.conf and see where the auth logs go<br /> +/usr/sbin/lsuser ${USERNAME} 
-On AIX, this is /var/adm/syslogs/auth. This shows:<br /> +/usr/bin/chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s ${USERNAME} 
-Authentication tried for <user> with correct key but not from a permitted host <host><br /> +/usr/bin/chuser account_locked=false ${USERNAME} 
-authorized_keys file on the server will need 'from="<ip addr>,<ip addr>,<ip addr>..."'<br /> +/usr/bin/chuser rlogin=true ${USERNAME} 
-On Redhat Linux, this file is called /var/log/secure<br /> +</code> 
-<br /> +  *  Check the server log file: 
-  * Start up another sshd server for diagnosis+vi /etc/syslog.conf and see where the auth logs go\\ 
 +On AIX, this is /var/adm/syslogs/auth. This shows:\\ 
 +Authentication tried for <user> with correct key but not from a permitted host <host>\\ 
 +authorized_keys file on the server will need 'from="<ip addr>,<ip addr>,<ip addr>..."'\\ 
 +On Redhat Linux, this file is called /var/log/secure\\ 
 + 
 +  *  Start up another sshd server for diagnosis
 Start up a second instance of sshd on an alternative port (on the server machine) Start up a second instance of sshd on an alternative port (on the server machine)
-<code>8@@</code> +<code> 
-Keep that window open, as the debugging information is written to standard output. Then on the client, connect to the alternative port:  +server# $(which sshd) -p 2200 -d 
-<code>9@@</code>+</code> 
 +Keep that window open, as the debugging information is written to standard output. Then on the client, connect to the alternative port: 
 +<code> 
 +client$ ssh -p 2200 username@server 
 +</code>
 If the key is rejected, a reason for the rejection should be revealed on the server. If the key is rejected, a reason for the rejection should be revealed on the server.
  
-=====Client is still asking for password even though keys are setup?=====+==== Client is still asking for password even though keys are setup? ====
 Try forcing the ssh options... (useful if you cannot change the sshd config on the server) Try forcing the ssh options... (useful if you cannot change the sshd config on the server)
-<code>10@@</code>+<code> 
 +ssh -o PubkeyAuthentication=yes -o PasswordAuthentication=no -X user@server 
 +</code>
  
-=====References===== +=== Create a local tunnel === 
-  * [[http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html ssh - authorized_keys HOWTO]] +Create a tunnel to connect to Oracle Enterprise Manager on a remote host 
-  * [[http://sleepyhead.de/howto/?href=ssh http://sleepyhead.de/howto/?href=ssh]] +<code> 
-  * [[http://www.anattatechnologies.com/q/2012/08/chaining-ssh-tunnels/|chaining ssh tunnels]] +ssh -L localhost:17803:hn1627:7803 -Nf oracle@hn1627 
-  * [[http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html|ssh gymnastics]]+</code> 
 +or create several tunnels in one go 
 +<code> 
 +ssh -L localhost:17803:hn1627:7803 localhost:3000:hn1627:3000 -Nf oracle@hn1627 
 +</code> 
 +Go to https://localhost:17803/em/faces/logon/core-uifwk-console-login 
 + 
 +or 
 +<code> 
 +SET TUNNEL_USER=stuart 
 +SET TUNNEL_LUAG=192.168.151.20 
 +SET TUNNEL_TARGET=192.168.161.34:7803 
 +SET TUNNEL_PORT=9999 
 +ssh -L 127.0.0.1:$TUNNEL_PORT:$TUNNEL_TARGET $TUNNEL_USER@$TUNNEL_LUAG 
 +  
 + 
 +You can use https://localhost:9999/em once the tunnel has been started. 
 +</code> 
 + 
 +==== References ===
 +  * [[https://blog.remibergsma.com/2013/05/28/creating-a-multi-hop-ssh-tunnel-by-chaining-ssh-commands-and-using-a-jump-host|chaining ssh tunnels]] 
 +  * [[https://superuser.com/questions/96489/an-ssh-tunnel-via-multiple-hops|An SSH tunnel via multiple hops]]
   * [[http://aix4admins.blogspot.be/2011/08/ssh-secure-shell-etcsshsshdconfig-at.html|aix4admins]]   * [[http://aix4admins.blogspot.be/2011/08/ssh-secure-shell-etcsshsshdconfig-at.html|aix4admins]]
-  * [[https://docs.fedoraproject.org/f27/system-administrators-guide/infrastructure-services/OpenSSH.html|OpenSSH at Fedora]] +  * [[https://docs.fedoraproject.org/en-US/fedora/f27/system-administrators-guide/infrastructure-services/OpenSSH/index.html|OpenSSH at Fedora]] 
-=====Tunneling=====+ 
 +==== Use openssl to encrypt or decrypt a file ==== 
 +References: 
 +  * [[https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm]] 
 +  * [[https://www.czeskis.com/random/openssl-encrypt-file.html]] 
 +  * [[https://www.madboa.com/geek/openssl|OpenSSL Command-Line HOWTO]] 
 +  * [[https://rietta.com/blog/openssl-generating-rsa-key-from-command/]] 
 + 
 +=== Get their public key === 
 +The other person needs to send you their public key in .pem format. If they only have it in one long line (e.g., they use it for ssh), then have them do: 
 +<code> 
 +openssl rsa -in id_rsa -outform pem > id_rsa.pem 
 + 
 +openssl rsa -in id_rsa -pubout -outform pem > id_rsa.pub.pem 
 +</code> 
 +Have them send you id_rsa.pub.pem 
 + 
 +=== Generate a 256 bit (32 byte) random key === 
 + 
 +<code> 
 +openssl rand -base64 32 > key.bin 
 +</code> 
 + 
 +===  Encrypt the key === 
 +<code> 
 +openssl rsautl -encrypt -inkey id_rsa.pub.pem -pubin -in key.bin -out key.bin.enc 
 +</code> 
 + 
 +===  Actually Encrypt our large file === 
 +<code> 
 +openssl enc -aes-256-cbc -salt -in SECRET_FILE -out SECRET_FILE.enc -pass file:./key.bin 
 +</code> 
 + 
 +===  Send/Decrypt the files === 
 +Send the .enc files to the other person and have them do: 
 +<code> 
 +openssl rsautl -decrypt -inkey id_rsa.pem -in key.bin.enc -out key.bin 
 + 
 +openssl enc -d -aes-256-cbc -in SECRET_FILE.enc -out SECRET_FILE -pass file:./key.bin 
 +</code> 
 + 
 + 
 + 
 +==== Start an OpenVPN client manually from the command-line ==== 
 +Reference: [[https://support.nordvpn.com/Connectivity/Router/1047410342/DD-WRT-setup-with-NordVPN.htm|Setup NordVPN on Linksys 3200AC with dd-wrt]] 
 +This is what to run when the GUI doesn't seem to start the client (Status --> VPN in dd-wrt setup). 
 +<code> 
 +openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --route-pre-down /tmp/openvpncl/route-down.sh --daemon 
 +</code> 
 +or 
 +<code> 
 +openvpn --config /tmp/openvpncl/openvpn.conf --daemon 
 +</code> 
 + 
 +==== Connect to a server manually using OpenVPN from the command-line ==== 
 +This example using Surfshark  - https://support.surfshark.com/hc/en-us/articles/360011051133-How-to-set-up-OpenVPN-using-Linux-Terminal 
 +<code> 
 +sudo dnf install openvpn unzip 
 +</code> 
 + 
 +<code> 
 +mkdir -p /etc/openvpn/surfshark 
 +cd /etc/openvpn/surfshark 
 +</code> 
 +Grab a list of configuration files 
 +<code> 
 +sudo wget https://my.surfshark.com/vpn/api/v1/server/configurations 
 +sudo unzip configurations 
 +</code> 
 +Create a file containing username and password. This has to be done like this if starting openvpn from the command-line in the background. 
 +<code> 
 +sudo vi credentials 
 +[username] 
 +[password] 
 +</code> 
 +Example of config file  
 +<code> 
 +
 +# Surfshark OpenVPN client connection 
 +
 + 
 +# Specify that we are a client and that we 
 +# will be pulling certain config file directives 
 +# from the server. 
 +client 
 + 
 +# Use the same setting as you are using on 
 +# the server. 
 +# On most systems, the VPN will not function 
 +# unless you partially or fully disable 
 +# the firewall for the TUN/TAP interface. 
 +;dev tap 
 +dev tun 
 + 
 +# Windows needs the TAP-Win32 adapter name 
 +# from the Network Connections panel 
 +# if you have more than one.  On XP SP2, 
 +# you may need to disable the firewall 
 +# for the TAP adapter. 
 +;dev-node MyTap 
 + 
 +# Are we connecting to a TCP or 
 +# UDP server?  Use the same setting as 
 +# on the server. 
 +proto tcp 
 +;proto udp 
 + 
 +# The hostname/IP and port of the server. 
 +# You can have multiple remote entries 
 +# to load balance between the servers. 
 +remote uk-man.prod.surfshark.com 1443 
 +remote uk-lon.prod.surfshark.com 1443 
 +remote uk-gla.prod.surfshark.com 1443 
 + 
 +# Choose a random host from the remote 
 +# list for load-balancing.  Otherwise 
 +# try hosts in the order specified. 
 +remote-random 
 + 
 +# Keep trying indefinitely to resolve the 
 +# host name of the OpenVPN server.  Very useful 
 +# on machines which are not permanently connected 
 +# to the internet such as laptops. 
 +resolv-retry infinite 
 + 
 +# Most clients don't need to bind to 
 +# a specific local port number. 
 +nobind 
 + 
 +# Downgrade privileges after initialisation (non-Windows only) 
 +;user nobody 
 +;group nobody 
 + 
 +tun-mtu 1500 
 +tun-mtu-extra 32 
 +mssfix 1450 
 + 
 +# Try to preserve some state across restarts. 
 +persist-key 
 +persist-tun 
 + 
 +# If you are connecting through an 
 +# HTTP proxy to reach the actual OpenVPN 
 +# server, put the proxy server/IP and 
 +# port number here.  See the man page 
 +# if your proxy server requires 
 +# authentication. 
 +;http-proxy-retry # retry on connection failures 
 +;http-proxy [proxy server] [proxy port #] 
 + 
 +# Wireless networks often produce a lot 
 +# of duplicate packets.  Set this flag 
 +# to silence duplicate packet warnings. 
 +;mute-replay-warnings 
 + 
 +ping 15 
 +ping-restart 0 
 +ping-timer-rem 
 +reneg-sec 0 
 + 
 +remote-cert-tls server 
 + 
 +auth-user-pass /etc/openvpn/surfshark/credentials 
 + 
 +pull 
 +fast-io 
 + 
 +# SSL/TLS parms. 
 +# See the server config file for more 
 +# description.  It's best to use 
 +# a separate .crt/.key file pair 
 +# for each client.  A single ca 
 +# file can be used for all clients. 
 +;ca /etc/openvpn/surfshark/ca.crt 
 +<ca> 
 +-----BEGIN CERTIFICATE----- 
 +MIIFTTCCAzWgAwIBAgIJAMs9S3fqwv+mMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV 
 +BAYTAlZHMRIwEAYDVQQKDAlTdXJmc2hhcmsxGjAYBgNVBAMMEVN1cmZzaGFyayBS 
 +b290IENBMB4XDTE4MDMxNDA4NTkyM1oXDTI4MDMxMTA4NTkyM1owPTELMAkGA1UE 
 +BhMCVkcxEjAQBgNVBAoMCVN1cmZzaGFyazEaMBgGA1UEAwwRU3VyZnNoYXJrIFJv 
 +... 
 +X6IoIHlZCoLlv39wFW9QNxelcAOCVbD+19MZ0ZXt7LitjIqe7yF5WxDQN4xru087 
 +FzQ4Hfj7eH1SNLLyKZkA1eecjmRoi/OoqAt7afSnwtQLtMUc2bQDg6rHt5C0e4dC 
 +LqP/9PGZTSJiwmtRHJ/N5qYWIh9ju83APvLm/AGBTR2pXmj9G3KdVOkpIC7L35dI 
 +623cSEC3Q3UZutsEm/UplsM= 
 +-----END CERTIFICATE----- 
 +</ca> 
 + 
 +;cert /etc/openvpn/surfshark/client.crt 
 +;key /etc/openvpn/surfshark/client.key 
 + 
 +# Verify server certificate by checking 
 +# that the certicate has the nsCertType 
 +# field set to "server" This is an 
 +# important precaution to protect against 
 +# a potential attack discussed here: 
 +#  http://openvpn.net/howto.html#mitm 
 +
 +# To use this feature, you will need to generate 
 +# your server certificates with the nsCertType 
 +# field set to "server" The build-key-server 
 +# script in the easy-rsa folder will do this. 
 +;ns-cert-type server 
 + 
 +auth SHA512 
 + 
 +# If a tls-auth key is used on the server 
 +# then every client must also have the key. 
 +;tls-auth /etc/openvpn/surfshark/ta.key 1 
 +<tls-auth> 
 +-----BEGIN OpenVPN Static key V1----- 
 +b02cb1d7c6fee5d4f89b8de72b51a8d0 
 +c7b282631d6fc19be1df6ebae9e2779e 
 +... 
 +b260f4b45dec3285875589c97d3087c9 
 +134d3a3aa2f904512e85aa2dc2202498 
 +-----END OpenVPN Static key V1----- 
 +</tls-auth> 
 + 
 + 
 +# Select a cryptographic cipher. 
 +# If the cipher option is used on the server 
 +# then you must also specify it here. 
 +cipher AES-256-CBC 
 + 
 +# Enable compression on the VPN link. 
 +# Don't enable this unless it is also 
 +# enabled in the server config file. 
 +;comp-lzo 
 + 
 +# Set log file verbosity. 
 +verb 3 
 + 
 +# Silence repeating messages 
 +;mute 20 
 + 
 +key-direction 1 
 +</code> 
 +Startup the vpn connection 
 +<code> 
 +sudo --config configurations/openvpn uk-lon-prod.surfshark.com_tcp.ovpn & 
 +</code> 
 +  * The certificates can be placed in files instead of appearing in the config file. They would then be simply referenced from the file with tags "ca [filename]" and "tls-auth [filename] 1" 
 +  * Other reference: https://support.surfshark.com/hc/en-us/articles/360003086114-How-to-set-up-Surfshark-VPN-on-DD-WRT-router- 
 +  * --route-up and --route-pre-down scripts can be added to the openvpn command to add and remove routes before starting and before stopping the tunnel 
 +Example route-up file 
 +<code> 
 +#!/bin/sh 
 +[[ ! -z "$ifconfig_netmask" ]] && vpn_netmask="/$ifconfig_netmask" 
 +cat << EOF > /tmp/openvpncl_fw.sh 
 +#!/bin/sh 
 +iptables -D POSTROUTING -t nat -o $dev -j MASQUERADE 2> /dev/null 
 +iptables -I POSTROUTING -t nat -o $dev -j MASQUERADE 
 +iptables -t raw -D PREROUTING ! -i $dev -d $ifconfig_local$vpn_netmask -j DROP 2> /dev/null 
 +iptables -t raw -I PREROUTING ! -i $dev -d $ifconfig_local$vpn_netmask -j DROP 
 +EOF 
 +chmod +x /tmp/openvpncl_fw.sh 
 +/tmp/openvpncl_fw.sh 
 +cat /tmp/resolv.dnsmasq > /tmp/resolv.dnsmasq_isp 
 +env | grep 'dhcp-option DNS' | awk '{ print "nameserver " $3 }' > /tmp/resolv.dnsmasq 
 +cat /tmp/resolv.dnsmasq_isp >> /tmp/resolv.dnsmasq 
 +nvram set openvpn_get_dns="$(env | grep 'dhcp-option DNS' | awk '{ printf "%s ",$3 }')" 
 +env | grep 'dhcp-option DNS' | awk '{print $NF}' | while read vpn_dns; do grep -q "^dhcp-option DNS $vpn_dns" /tmp/openvpncl/openvpn.conf || ip route add $vpn_dns via $route_vpn_gateway dev $dev 2> /dev/null; done 
 +</code> 
 + 
 +Example route-pre-down file 
 +<code> 
 +#!/bin/sh 
 +iptables -D POSTROUTING -t nat -o $dev -j MASQUERADE 
 +[ -f /tmp/resolv.dnsmasq_isp ] && cp -f /tmp/resolv.dnsmasq_isp /tmp/resolv.dnsmasq && nvram unset openvpn_get_dns 
 +[[ ! -z "$ifconfig_netmask" ]] && vpn_netmask="/$ifconfig_netmask" 
 +iptables -t raw -D PREROUTING ! -i $dev -d $ifconfig_local$vpn_netmask -j DROP 
 +</code> 
 + 
 +==== Tunneling ====
 Building an SSH tunnel can be very useful for working on the other side of firewalls. Building an SSH tunnel can be very useful for working on the other side of firewalls.
-  * [[http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html|ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples]] +  *  [[http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html|ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples]] 
-  * [[http://www.anattatechnologies.com/q/2012/08/chaining-ssh-tunnels/|chaining-ssh-tunnels - anattatechnologies]] +  *  [[http://www.anattatechnologies.com/q/2012/08/chaining-ssh-tunnels/|chaining-ssh-tunnels - anattatechnologies]] 
-  * [[http://www.toadworld.com/products/toad-for-oracle/w/toad_for_oracle_wiki/250.howto-use-toad-over-an-ssh-tunnel.aspx|howto-use-toad-over-an-ssh-tunnel]] +  *  [[http://www.toadworld.com/products/toad-for-oracle/w/toad_for_oracle_wiki/250.howto-use-toad-over-an-ssh-tunnel.aspx|howto-use-toad-over-an-ssh-tunnel]] 
-  * [[http://stackoverflow.com/questions/3653788/how-can-i-connect-to-oracle-database-11g-server-through-ssh-tunnel-chain-double|connect-to-oracle-database-11g-server-through-ssh-tunnel]] +  *  [[http://stackoverflow.com/questions/3653788/how-can-i-connect-to-oracle-database-11g-server-through-ssh-tunnel-chain-double|connect-to-oracle-database-11g-server-through-ssh-tunnel]] 
-====References==== + 
-  * [[http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/|http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/]] +This sets up several tunnels in one command. The first two allow a localhost connection to access the remote Oracle Enterprise Manager programs and the other allows a localhost connection to a remote listener and therefore to all the databases. 
-  * [[http://en.wikipedia.org/wiki/Tunneling_protocol|http://en.wikipedia.org/wiki/Tunneling_protocol]] +<code> 
-  * [[http://www.revsys.com/writings/quicktips/ssh-tunnel.html|http://www.revsys.com/writings/quicktips/ssh-tunnel.html]] + 
-  * [[http://serverfault.com/questions/33283/how-to-setup-ssh-tunnel-to-forward-ssh?rq=1|how-to-setup-ssh-tunnel-to-forward-ssh]] +ssh -L localhost:7803:hn1627.cln.be:7803 -L localhost:7804:hn5100.crelan.be:7803 -L localhost:51127:hn511.cln.be:3527 -Nf oracle@hn1627 
-=====Regenerate a public key from a private key=====+ 
 +</code> 
 + 
 +=== References === 
 +  *  [[http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/|http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/]] 
 +  *  [[http://en.wikipedia.org/wiki/Tunneling_protocol|http://en.wikipedia.org/wiki/Tunneling_protocol]] 
 +  *  [[http://www.revsys.com/writings/quicktips/ssh-tunnel.html|http://www.revsys.com/writings/quicktips/ssh-tunnel.html]] 
 +  *  [[http://serverfault.com/questions/33283/how-to-setup-ssh-tunnel-to-forward-ssh?rq=1|how-to-setup-ssh-tunnel-to-forward-ssh]] 
 +==== Regenerate a public key from a private key ====
 -y option spits out the public key! -y option spits out the public key!
-<code>11@@</code> +<code> 
-=====A small script (seems to originate from Oracle) that sets up ssh keys between 2 accounts===== +ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub 
-<code>12@@</code> +</code> 
-=====A bigger (more elaboratescript that I also found embedded in an Oracle setup===== +==== A small script (seems to originate from Oracle) that sets up ssh keys between 2 machines ==== 
-<code>13@@</code>+<code> 
 +#!/usr/bin/ksh 
 +if [[ $# -lt 1 ]]; then 
 +  echo Usage: $0 username@remotehost 
 +  exit 
 +fi 
 +remote="$1"  # 1st command-line argument is the user@remotehost address 
 +this=`hostname` # $HOST   # name of client host 
 +PATH=/usr/bin/ssh:$PATH 
 +  #  first check if we need to run ssh-keygen for generating 
 +  #  $HOME/.ssh with public and private keys: 
 +if [[ ! -d $HOME/.ssh ]]; then 
 +  echo "just type RETURN for each question:" # no passphrase - unsecure 
 +  # generate RSA1, RSA and DSA keys: 
 +#  echo; echo; echo 
 +#  ssh-keygen -t rsa1 
 +  echo; echo; echo 
 +  ssh-keygen -t rsa 
 +#  echo; echo; echo 
 +#  ssh-keygen -t dsa 
 +else 
 +  # we have $HOME/.ssh, but check that we have all types of 
 +  # keys (RSA1, RSA, DSA): 
 +#  if [[ ! -f $HOME/.ssh/identity ]]; then 
 +#     # generate RSA1 keys: 
 +#     echo "just type RETURN for each question:" # no passphrase - unsecure 
 +#     ssh-keygen -t rsa1 
 +#  fi 
 +  if [[ ! -f $HOME/.ssh/id_rsa ]]; then 
 +     # generate RSA keys: 
 +     echo "just type RETURN for each question:" # no passphrase - unsecure 
 +     ssh-keygen -t rsa 
 +  fi 
 +#  if [[ ! -f $HOME/.ssh/id_dsa ]]; then 
 +#     # generate DSA keys: 
 +#     echo "just type RETURN for each question:" # no passphrase - unsecure 
 +#     ssh-keygen -t dsa 
 +#  fi 
 +fi
  
-=====Add this to /etc/ssh/sshrc to get the magic cookies added automatically===== +cd $HOME/.ssh 
-<code>14@@</code>+ 
 +if [[ ! -f config ]]; then 
 +  # make ssh try ssh -1 (RSA1 keys) first and then ssh -2 (DSA keys) 
 +  echo "Protocol 1,2" > config 
 +fi 
 + 
 +  #  copy public keys (all three types) to the destination host: 
 + 
 +echo; echo; echo 
 +  #  create .ssh on remote host if it's not there: 
 +ssh $remote 'if [[ ! -d .ssh ]]; then mkdir .ssh; fi' 
 +  #  copy RSA1 key: 
 +#scp identity.pub ${remote}:.ssh/${this}_rsa1.pub 
 +  #  copy RSA key: 
 +scp id_rsa.pub ${remote}:.ssh/${this}_rsa.pub 
 +  #  copy DSA key: 
 +#scp id_dsa.pub ${remote}:.ssh/${this}_dsa.pub 
 +  #  make authorized_keys(2) files on remote host: 
 + 
 +echo; echo; echo 
 +  #  this one copies all three keys: 
 +#ssh $remote "cd .ssh; cat ${this}_rsa1.pub >> authorized_keys; cat ${this}_rsa.pub >> authorized_keys2; cat ${this}_dsa.pub >> authorized_keys2;" 
 +  #  this one copies RSA1 and DSA keys: 
 +#ssh $remote "cd .ssh; cat ${this}_rsa1.pub >> authorized_keys; cat ${this}_dsa.pub >> authorized_keys2;" 
 +  #  this one copies RSA keys: 
 +ssh $remote "cd .ssh; cat ${this}_rsa.pub >> authorized_keys2;" 
 + 
 +echo; echo; echo 
 +echo "try an ssh $remote" 
 +</code> 
 +==== A bigger (more elaborate) script that I also found embedded in an Oracle setup ==== 
 +Discovered it as $OMS_HOME/oui/prov/resources/scripts/sshUserSetup.sh 
 +<code> 
 +  # !/bin/sh 
 +  #  Nitin Jerath - Aug 2005 
 +  # Usage sshUserSetup.sh  -user <user name> [[ -hosts \\"<space separated hostlist>\\" | -hostfile <absolute path of cluster configuration file> ]] [[ -advanced ]]  [[ -verify]] [[ -exverify ]] [[ -logfile <desired absolute path of logfile> ]] [[-confirm]] [[-shared]] [[-help]] [[-usePassphrase]] [[-noPromptPassphrase]] 
 +  # eg. sshUserSetup.sh -hosts "host1 host2" -user njerath -advanced 
 +  # This script is used to setup SSH connectivity from the host on which it is 
 +  #  run to the specified remote hosts. After this script is run, the user can use # SSH to run commands on the remote hosts or copy files between the local host 
 +  #  and the remote hosts without being prompted for passwords or confirmations. 
 +  #  The list of remote hosts and the user name on the remote host is specified as 
 +  #  a command line parameter to the script. Note that in case the user on the 
 +  #  remote host has its home directory NFS mounted or shared across the remote 
 +  #  hosts, this script should be used with -shared option. 
 +  # Specifying the -advanced option on the command line would result in SSH 
 +  #  connectivity being setup among the remote hosts which means that SSH can be 
 +  #  used to run commands on one remote host from the other remote host or copy 
 +  #  files between the remote hosts without being prompted for passwords or 
 +  #  confirmations. 
 +  # Please note that the script would remove write permissions on the remote hosts 
 +  # for the user home directory and ~/.ssh directory for "group" and "others". This 
 +  #  is an SSH requirement. The user would be explicitly informed about this by teh script and prompted to continue. In case the user presses no, the script would exit. In case the user does not want to be prompted, he can use -confirm option. 
 +  #  As a part of the setup, the script would use SSH to create files within ~/.ssh 
 +  #  directory of the remote node and to setup the requisite permissions. The 
 +  # script also uses SCP to copy the local host public key to the remote hosts so 
 +  #  that the remote hosts trust the local host for SSH. At the time, the script 
 +  # performs these steps, SSH connectivity has not been completely setup  hence 
 +  #  the script would prompt the user for the remote host password. 
 +  # For each remote host, for remote users with non-shared homes this would be 
 +  #  done once for SSH and  once for SCP. If the number of remote hosts are x, the 
 +  #  user would be prompted  2x times for passwords. For remote users with shared 
 +  #  homes, the user would be prompted only twice, once each for SCP and SSH. 
 +  # For security reasons, the script does not save passwords and reuse it. Also, 
 +  #  for security reasons, the script does not accept passwords redirected from a 
 +  # file. The user has to key in the confirmations and passwords at the prompts. 
 +  # The -verify option means that the user just wants to verify whether SSH has 
 +  # been set up. In this case, the script would not setup SSH but would only check 
 +  #  whether SSH connectivity has been setup from the local host to the remote 
 +  #  hosts. The script would run the date command on each remote host using SSH. In 
 +  #  case the user is prompted for a password or sees a warning message for a 
 +  # particular host, it means SSH connectivity has not been setup correctly for 
 +  #  that host. 
 +  # In case the -verify option is not specified, the script would setup SSH and 
 +  # then do the verification as well. 
 +  # In case the user speciies the -exverify option, an exhaustive verification would be done. In that case, the following would be checked: 
 +  #  1. SSH connectivity from local host to all remote hosts. 
 +  #  2. SSH connectivity from each remote host to itself and other remote hosts. 
 + 
 +  # echo Parsing command line arguments 
 +numargs=$# 
 + 
 +ADVANCED=false 
 +HOSTNAME=`hostname` 
 +CONFIRM=no 
 +SHARED=false 
 +i=1 
 +USR=$USER 
 + 
 +if  test -z "$TEMP" 
 +then 
 +  TEMP=/tmp 
 +fi 
 + 
 +IDENTITY=id_rsa 
 +LOGFILE=$TEMP/sshUserSetup_`date +%F-%H-%M-%S`.log 
 +VERIFY=false 
 +EXHAUSTIVE_VERIFY=false 
 +HELP=false 
 +PASSPHRASE=no 
 +RERUN_SSHKEYGEN=no 
 +NO_PROMPT_PASSPHRASE=no 
 + 
 +while [[ $i -le $numargs ]] 
 +do 
 +  j=$1 
 +  if [[ $j = "-hosts" ]] 
 +  then 
 +     HOSTS=$2 
 +     shift 1 
 +     i=`expr $i + 1` 
 +  fi 
 +  if [[ $j = "-user" ]] 
 +  then 
 +     USR=$2 
 +     shift 1 
 +     i=`expr $i + 1` 
 +   fi 
 +  if [[ $j = "-logfile" ]] 
 +  then 
 +     LOGFILE=$2 
 +     shift 1 
 +     i=`expr $i + 1` 
 +   fi 
 +  if [[ $j = "-confirm" ]] 
 +  then 
 +     CONFIRM=yes 
 +   fi 
 +  if [[ $j = "-hostfile" ]] 
 +  then 
 +     CLUSTER_CONFIGURATION_FILE=$2 
 +     shift 1 
 +     i=`expr $i + 1` 
 +   fi 
 +  if [[ $j = "-usePassphrase" ]] 
 +  then 
 +     PASSPHRASE=yes 
 +   fi 
 +  if [[ $j = "-noPromptPassphrase" ]] 
 +  then 
 +     NO_PROMPT_PASSPHRASE=yes 
 +   fi 
 +  if [[ $j = "-shared" ]] 
 +  then 
 +     SHARED=true 
 +   fi 
 +  if [[ $j = "-exverify" ]] 
 +  then 
 +     EXHAUSTIVE_VERIFY=true 
 +   fi 
 +  if [[ $j = "-verify" ]] 
 +  then 
 +     VERIFY=true 
 +   fi 
 +  if [[ $j = "-advanced" ]] 
 +  then 
 +     ADVANCED=true 
 +   fi 
 +  if [[ $j = "-help" ]] 
 +  then 
 +     HELP=true 
 +   fi 
 +  i=`expr $i + 1` 
 +  shift 1 
 +done 
 + 
 + 
 +if [[ $HELP = "true" ]] 
 +then 
 +  echo "Usage $0 -user <user name> [[ -hosts \\"<space separated hostlist>\\" | -hostfile <absolute path of cluster configuration file> ]] [[ -advanced ]]  [[ -verify]] [[ -exverify ]] [[ -logfile <desired absolute path of logfile> ]] [[-confirm]] [[-shared]] [[-help]] [[-usePassphrase]] [[-noPromptPassphrase]]" 
 +echo "This script is used to setup SSH connectivity from the host on which it is run to the specified remote hosts. After this script is run, the user can use  SSH to run commands on the remote hosts or copy files between the local host and the remote hosts without being prompted for passwords or confirmations.  The list of remote hosts and the user name on the remote host is specified as a command line parameter to the script. " 
 +echo "-user : User on remote hosts. " 
 +echo "-hosts : Space separated remote hosts list. " 
 +echo "-hostfile : The user can specify the host names either through the -hosts option or by specifying the absolute path of a cluster configuration file. A sample host file contents are below: " 
 +echo 
 +echo  "   stacg30 stacg30int 10.1.0.0 stacg30v  -" 
 +echo  "   stacg34 stacg34int 10.1.0.1 stacg34v  -" 
 +echo 
 +echo " The first column in each row of the host file will be used as the host name." 
 +echo 
 +echo "-usePassphrase : The user wants to set up passphrase to encrypt the private key on the local host. " 
 +echo "-noPromptPassphrase : The user does not want to be prompted for passphrase related questions. This is for users who want the default behavior to be followed." 
 +echo "-shared : In case the user on the remote host has its home directory NFS mounted or shared across the remote hosts, this script should be used with -shared option. " 
 +echo "  It is possible for the user to determine whether a user's home directory is shared or non-shared. Let us say we want to determine that user user1's home directory is shared across hosts A, B and C." 
 +echo " Follow the following steps:" 
 +echo "    1. On host A, touch ~user1/checkSharedHome.tmp" 
 +echo "    2. On hosts B and C, ls -al ~user1/checkSharedHome.tmp" 
 +echo "    3. If the file is present on hosts B and C in ~user1 directory and" 
 +echo "       is identical on all hosts A, B, C, it means that the user's home " 
 +echo "       directory is shared." 
 +echo "    4. On host A, rm -f ~user1/checkSharedHome.tmp" 
 +echo " In case the user accidentally passes -shared option for non-shared homes or viceversa,SSH connectivity would only be set up for a subset of the hosts. The user would have to re-run the setyp script with the correct option to rectify this problem." 
 +echo "-advanced :  Specifying the -advanced option on the command line would result in SSH  connectivity being setup among the remote hosts which means that SSH can be used to run commands on one remote host from the other remote host or copy files between the remote hosts without being prompted for passwords or confirmations." 
 +echo "-confirm: The script would remove write permissions on the remote hosts for the user home directory and ~/.ssh directory for "group" and "others". This is an SSH requirement. The user would be explicitly informed about this by the script and prompted to continue. In case the user presses no, the script would exit. In case the user does not want to be prompted, he can use -confirm option." 
 +echo  "As a part of the setup, the script would use SSH to create files within ~/.ssh directory of the remote node and to setup the requisite permissions. The script also uses SCP to copy the local host public key to the remote hosts so that the remote hosts trust the local host for SSH. At the time, the script performs these steps, SSH connectivity has not been completely setup  hence the script would prompt the user for the remote host password. 
 +echo "For each remote host, for remote users with non-shared homes this would be done once for SSH and  once for SCP. If the number of remote hosts are x, the user would be prompted  2x times for passwords. For remote users with shared homes, the user would be prompted only twice, once each for SCP and SSH.  For security reasons, the script does not save passwords and reuse it. Also, for security reasons, the script does not accept passwords redirected from a file. The user has to key in the confirmations and passwords at the prompts. " 
 +echo "-verify : -verify option means that the user just wants to verify whether SSH has been set up. In this case, the script would not setup SSH but would only check whether SSH connectivity has been setup from the local host to the remote hosts. The script would run the date command on each remote host using SSH. In case the user is prompted for a password or sees a warning message for a particular host, it means SSH connectivity has not been setup correctly for that host.  In case the -verify option is not specified, the script would setup SSH and then do the verification as well. " 
 +echo "-exverify : In case the user speciies the -exverify option, an exhaustive verification for all hosts would be done. In that case, the following would be checked: " 
 +echo "   1. SSH connectivity from local host to all remote hosts. " 
 +echo "   2. SSH connectivity from each remote host to itself and other remote hosts. 
 +echo The -exverify option can be used in conjunction with the -verify option as well to do an exhaustive verification once the setup has been done. 
 +echo "Taking some examples: Let us say local host is Z, remote hosts are A,B and C. Local user is njerath. Remote users are racqa(non-shared), aime(shared)." 
 +echo "$0 -user racqa -hosts \\"A B C\\" -advanced -exverify -confirm" 
 +echo "Script would set up connectivity from Z -> A, Z -> B, Z -> C, A -> A, A -> B, A -> C, B -> A, B -> B, B -> C, C -> A, C -> B, C -> C." 
 +echo "Since user has given -exverify option, all these scenario would be verified too." 
 +echo 
 +echo "Now the user runs : $0 -user racqa -hosts \\"A B C\\" -verify" 
 +echo "Since -verify option is given, no SSH setup would be done, only verification of existing setup. Also, since -exverify or -advanced options are not given, script would only verify connectivity from Z -> A, Z -> B, Z -> C" 
 + 
 +echo "Now the user runs : $0 -user racqa -hosts \\"A B C\\" -verify -advanced" 
 +echo "Since -verify option is given, no SSH setup would be done, only verification of existing setup. Also, since  -advanced options is given, script would verify connectivity from Z -> A, Z -> B, Z -> C, A-> A, A->B, A->C, A->D" 
 + 
 +echo "Now the user runs:" 
 +echo "$0 -user aime -hosts \\"A B C\\" -confirm -shared" 
 +echo "Script would set up connectivity between  Z->A, Z->B, Z->C only since advanced option is not given." 
 +echo "All these scenarios would be verified too." 
 + 
 +exit 
 +fi 
 + 
 +if test -z "$HOSTS" 
 +then 
 +   if test -n "$CLUSTER_CONFIGURATION_FILE" && test -f "$CLUSTER_CONFIGURATION_FILE" 
 +   then 
 +      HOSTS=`awk '$1 !~ /^#/ { str = str " " $1 } END { print str }' $CLUSTER_CONFIGURATION_FILE` 
 +   elif ! test -f "$CLUSTER_CONFIGURATION_FILE" 
 +   then 
 +     echo "Please specify a valid and existing cluster configuration file." 
 +   fi 
 +fi 
 + 
 +if  test -z "$HOSTS" || test -z $USR 
 +then 
 +echo "Either user name or host information is missing" 
 +echo "Usage $0 -user <user name> [[ -hosts \\"<space separated hostlist>\\" | -hostfile <absolute path of cluster configuration file> ]] [[ -advanced ]]  [[ -verify]] [[ -exverify ]] [[ -logfile <desired absolute path of logfile> ]] [[-confirm]] [[-shared]] [[-help]] [[-usePassphrase]] [[-noPromptPassphrase]]" 
 +exit 1 
 +fi 
 + 
 +if [[ -d $LOGFILE ]]; then 
 +    echo $LOGFILE is a directory, setting logfile to $LOGFILE/ssh.log 
 +    LOGFILE=$LOGFILE/ssh.log 
 +fi 
 + 
 +echo The output of this script is also logged into $LOGFILE | tee -a $LOGFILE 
 + 
 +if [[ `echo $?` != 0 ]]; then 
 +    echo Error writing to the logfile $LOGFILE, Exiting 
 +    exit 1 
 +fi 
 + 
 +echo Hosts are $HOSTS | tee -a $LOGFILE 
 +echo user is  $USR | tee -a $LOGFILE 
 +SSH="/usr/bin/ssh" 
 +SCP="/usr/bin/scp" 
 +SSH_KEYGEN="/usr/bin/ssh-keygen" 
 +calculateOS() 
 +
 +    platform=`uname -s` 
 +    case "$platform" 
 +    in 
 +       "SunOS" os=solaris;; 
 +       "Linux" os=linux;; 
 +       "HP-UX" os=hpunix;; 
 +         "AIX" os=aix;; 
 +             *)  echo "Sorry, $platform is not currently supported." | tee -a $LOGFILE 
 +                 exit 1;; 
 +    esac 
 + 
 +    echo "Platform:- $platform " | tee -a $LOGFILE 
 +
 +calculateOS 
 +BITS=1024 
 +ENCR="rsa" 
 + 
 +deadhosts="" 
 +alivehosts="" 
 +if [[ $platform = "Linux" ]] 
 +then 
 +    PING="/bin/ping" 
 +else 
 +    PING="/usr/sbin/ping" 
 +fi 
 +  # bug 9044791 
 +if [[ -n "$SSH_PATH" ]]; then 
 +    SSH=$SSH_PATH 
 +fi 
 +if [[ -n "$SCP_PATH" ]]; then 
 +    SCP=$SCP_PATH 
 +fi 
 +if [[ -n "$SSH_KEYGEN_PATH" ]]; then 
 +    SSH_KEYGEN=$SSH_KEYGEN_PATH 
 +fi 
 +if [[ -n "$PING_PATH" ]]; then 
 +    PING=$PING_PATH 
 +fi 
 +PATH_ERROR=0 
 +if test ! -x $SSH ; then 
 +    echo "ssh not found at $SSH. Please set the variable SSH_PATH to the correct location of ssh and retry." 
 +    PATH_ERROR=1 
 +fi 
 +if test ! -x $SCP ; then 
 +    echo "scp not found at $SCP. Please set the variable SCP_PATH to the correct location of scp and retry." 
 +    PATH_ERROR=1 
 +fi 
 +if test ! -x $SSH_KEYGEN ; then 
 +    echo "ssh-keygen not found at $SSH_KEYGEN. Please set the variable SSH_KEYGEN_PATH to the correct location of ssh-keygen and retry." 
 +    PATH_ERROR=1 
 +fi 
 +if test ! -x $PING ; then 
 +    echo "ping not found at $PING. Please set the variable PING_PATH to the correct location of ping and retry." 
 +    PATH_ERROR=1 
 +fi 
 +if [[ $PATH_ERROR = 1 ]]; then 
 +    echo "ERROR: one or more of the required binaries not found, exiting" 
 +    exit 1 
 +fi 
 +  # 9044791 end 
 +echo Checking if the remote hosts are reachable | tee -a $LOGFILE 
 +for host in $HOSTS 
 +do 
 +   if [[ $platform = "SunOS" ]]; then 
 +       $PING -s $host 5 5 
 +   elif [[ $platform = "HP-UX" ]]; then 
 +       $PING $host -n 5 -m 5 
 +   else 
 +       $PING -c 5 -w 5 $host 
 +   fi 
 +  exitcode=`echo $?` 
 +  if [[ $exitcode = 0 ]] 
 +  then 
 +     alivehosts="$alivehosts $host" 
 +  else 
 +     deadhosts="$deadhosts $host" 
 +  fi 
 +done 
 + 
 +if test -z "$deadhosts" 
 +then 
 +   echo Remote host reachability check succeeded.  | tee -a $LOGFILE 
 +   echo The following hosts are reachable: $alivehosts.  | tee -a $LOGFILE 
 +   echo The following hosts are not reachable: $deadhosts.  | tee -a $LOGFILE 
 +   echo All hosts are reachable. Proceeding further...  | tee -a $LOGFILE 
 +else 
 +   echo Remote host reachability check failed.  | tee -a $LOGFILE 
 +   echo The following hosts are reachable: $alivehosts.  | tee -a $LOGFILE 
 +   echo The following hosts are not reachable: $deadhosts.  | tee -a $LOGFILE 
 +   echo Please ensure that all the hosts are up and re-run the script.  | tee -a $LOGFILE 
 +   echo Exiting now...  | tee -a $LOGFILE 
 +   exit 1 
 +fi 
 + 
 +firsthost=`echo $HOSTS | awk '{print $1}; END { }'` 
 +echo firsthost $firsthost 
 +numhosts=`echo $HOSTS | awk '{ }; END {print NF}'
 +echo numhosts $numhosts 
 + 
 +if [[ $VERIFY = "true" ]] 
 +then 
 +   echo Since user has specified -verify option, SSH setup would not be done. Only, existing SSH setup would be verified. | tee -a $LOGFILE 
 +   continue 
 +else 
 +echo The script will setup SSH connectivity from the host //`hostname`// to all  | tee -a $LOGFILE 
 +echo the remote hosts. After the script is executed, the user can use SSH to run  | tee -a $LOGFILE 
 +echo commands on the remote hosts or copy files between this host //`hostname`// | tee -a $LOGFILE 
 +echo and the remote hosts without being prompted for passwords or confirmations. | tee -a $LOGFILE 
 +echo  | tee -a $LOGFILE 
 +echo NOTE 1: | tee -a $LOGFILE 
 +echo As part of the setup procedure, this script will use 'ssh' and 'scp' to copy | tee -a $LOGFILE 
 +echo files between the local host and the remote hosts. Since the script does not  | tee -a $LOGFILE 
 +echo store passwords, you may be prompted for the passwords during the execution of  | tee -a $LOGFILE 
 +echo the script whenever 'ssh' or 'scp' is invoked. | tee -a $LOGFILE 
 +echo  | tee -a $LOGFILE 
 +echo NOTE 2: | tee -a $LOGFILE 
 +echo "AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY" | tee -a $LOGFILE 
 +echo AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE  | tee -a $LOGFILE 
 +echo "directories." | tee -a $LOGFILE 
 +echo  | tee -a $LOGFILE 
 +echo "Do you want to continue and let the script make the above mentioned changes (yes/no)?" | tee -a $LOGFILE 
 + 
 +if [[ "$CONFIRM" = "no" ]] 
 +then 
 +  read CONFIRM 
 +else 
 +  echo "Confirmation provided on the command line" | tee -a $LOGFILE 
 +fi 
 + 
 +echo  | tee -a $LOGFILE 
 +echo The user chose //$CONFIRM// | tee -a $LOGFILE 
 + 
 +if [[ "$CONFIRM" = "no" ]] 
 +then 
 +  echo "SSH setup is not done." | tee -a $LOGFILE 
 +  exit 1 
 +else 
 +  if [[ $NO_PROMPT_PASSPHRASE = "yes" ]] 
 +  then 
 +    echo "User chose to skip passphrase related questions."  | tee -a $LOGFILE 
 +  else 
 +    typeset -i PASSPHRASE_PROMPT 
 +    if [[ $SHARED = "true" ]] 
 +    then 
 +        PASSPHRASE_PROMPT=2*${numhosts}+1 
 +    else 
 +        PASSPHRASE_PROMPT=2*${numhosts} 
 +    fi 
 +    echo "Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. " | tee -a $LOGFILE 
 +    echo "The estimated number of times the user would be prompted for a passphrase is $PASSPHRASE_PROMPT. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion. " | tee -a $LOGFILE 
 +    echo "Enter 'yes' or 'no'." | tee -a $LOGFILE 
 +    if [[ $PASSPHRASE = "no" ]] 
 +    then 
 +      read PASSPHRASE 
 +    else 
 +      echo "Confirmation provided on the command line" | tee -a $LOGFILE 
 +    fi 
 + 
 +    echo  | tee -a $LOGFILE 
 +    echo The user chose //$PASSPHRASE// | tee -a $LOGFILE 
 + 
 +    if [[ "$PASSPHRASE" = "yes" ]] 
 +    then 
 +       RERUN_SSHKEYGEN="yes" 
 +  # Checking for existence of ${IDENTITY} file 
 +       if test -f  $HOME/.ssh/${IDENTITY}.pub && test -f  $HOME/.ssh/${IDENTITY} 
 +       then 
 +           echo "The files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys." | tee -a $LOGFILE 
 +           echo "Press 'yes', 'no' or 'change'" | tee -a $LOGFILE 
 +             read RERUN_SSHKEYGEN 
 +             echo The user chose //$RERUN_SSHKEYGEN// | tee -a $LOGFILE 
 +       fi 
 +     else 
 +       if test -f  $HOME/.ssh/${IDENTITY}.pub && test -f  $HOME/.ssh/${IDENTITY} 
 +       then 
 +         echo "The files containing the client public and private keys already exist on the local host. The current private key may have a passphrase associated with it. In case you find using passphrase inconvenient(although it is more secure), you can change to it empty through this script. Press 'change' if you want the script to change the passphrase for you. Press 'no' if you want to use your old passphrase, if you had one." 
 +         read RERUN_SSHKEYGEN 
 +         echo The user chose //$RERUN_SSHKEYGEN// | tee -a $LOGFILE 
 +       fi 
 +     fi 
 +  fi 
 +  echo Creating .ssh directory on local host, if not present already | tee -a $LOGFILE 
 +  mkdir -p $HOME/.ssh | tee -a $LOGFILE 
 +echo Creating authorized_keys file on local host  | tee -a $LOGFILE 
 +touch $HOME/.ssh/authorized_keys  | tee -a $LOGFILE 
 +echo Changing permissions on authorized_keys to 644 on local host  | tee -a $LOGFILE 
 +chmod 644 $HOME/.ssh/authorized_keys  | tee -a $LOGFILE 
 +mv -f $HOME/.ssh/authorized_keys  $HOME/.ssh/authorized_keys.tmp | tee -a $LOGFILE 
 +echo Creating known_hosts file on local host  | tee -a $LOGFILE 
 +touch $HOME/.ssh/known_hosts  | tee -a $LOGFILE 
 +echo Changing permissions on known_hosts to 644 on local host  | tee -a $LOGFILE 
 +chmod 644 $HOME/.ssh/known_hosts  | tee -a $LOGFILE 
 +mv -f $HOME/.ssh/known_hosts $HOME/.ssh/known_hosts.tmp | tee -a $LOGFILE 
 + 
 + 
 +echo Creating config file on local host | tee -a $LOGFILE 
 +echo If a config file exists already at $HOME/.ssh/config, it would be backed up to $HOME/.ssh/config.backup. 
 +echo "Host *" > $HOME/.ssh/config.tmp | tee -a $LOGFILE 
 +echo "ForwardX11 no" >> $HOME/.ssh/config.tmp | tee -a $LOGFILE 
 + 
 +if test -f $HOME/.ssh/config 
 +then 
 +  cp -f $HOME/.ssh/config $HOME/.ssh/config.backup 
 +fi 
 + 
 +mv -f $HOME/.ssh/config.tmp $HOME/.ssh/config  | tee -a $LOGFILE 
 +chmod 644 $HOME/.ssh/config 
 + 
 +if [[ $RERUN_SSHKEYGEN = "yes" ]] 
 +then 
 +  echo Removing old private/public keys on local host | tee -a $LOGFILE 
 +  rm -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE 
 +  rm -f $HOME/.ssh/${IDENTITY}.pub | tee -a $LOGFILE 
 +  echo Running SSH keygen on local host | tee -a $LOGFILE 
 +  $SSH_KEYGEN -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY}   | tee -a $LOGFILE 
 + 
 +elif [[ $RERUN_SSHKEYGEN = "change" ]] 
 +then 
 +    echo Running SSH Keygen on local host to change the passphrase associated with the existing private key | tee -a $LOGFILE 
 +    $SSH_KEYGEN -p -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE 
 +elif test -f  $HOME/.ssh/${IDENTITY}.pub && test -f  $HOME/.ssh/${IDENTITY} 
 +then 
 +    continue 
 +else 
 +    echo Removing old private/public keys on local host | tee -a $LOGFILE 
 +    rm -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE 
 +    rm -f $HOME/.ssh/${IDENTITY}.pub | tee -a $LOGFILE 
 +    echo Running SSH keygen on local host with empty passphrase | tee -a $LOGFILE 
 +    $SSH_KEYGEN -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY} -N //  | tee -a $LOGFILE 
 +fi 
 + 
 +if [[ $SHARED = "true" ]] 
 +then 
 +  if [[ $USER = $USR ]] 
 +  then 
 +  # No remote operations required 
 +    echo Remote user is same as local user | tee -a $LOGFILE 
 +    REMOTEHOSTS="" 
 +    chmod og-w $HOME $HOME/.ssh | tee -a $LOGFILE 
 +  else 
 +    REMOTEHOSTS="${firsthost}" 
 +  fi 
 +else 
 +  REMOTEHOSTS="$HOSTS" 
 +fi 
 + 
 +for host in $REMOTEHOSTS 
 +do 
 +     echo Creating .ssh directory and setting permissions on remote host $host | tee -a $LOGFILE 
 +     echo "THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR "group" AND "others" ON THE HOME DIRECTORY FOR $USR. THIS IS AN SSH REQUIREMENT." | tee -a $LOGFILE 
 +     echo The script would create ~$USR/.ssh/config file on remote host $host. If a config file exists already at ~$USR/.ssh/config, it would be backed up to ~$USR/.ssh/config.backup. | tee -a $LOGFILE 
 +     echo The user may be prompted for a password here since the script would be running SSH on host $host. | tee -a $LOGFILE 
 +     $SSH -o StrictHostKeyChecking=no -x -l $USR $host "/bin/sh -c \\"  mkdir -p .ssh ; chmod og-w . .ssh;   touch .ssh/authorized_keys .ssh/known_hosts;  chmod 644 .ssh/authorized_keys  .ssh/known_hosts; cp  .ssh/authorized_keys .ssh/authorized_keys.tmp ;  cp .ssh/known_hosts .ssh/known_hosts.tmp; echo \\\\"Host *\\\\" > .ssh/config.tmp; echo \\\\"ForwardX11 no\\\\" >> .ssh/config.tmp; if test -f  .ssh/config ; then cp -f .ssh/config .ssh/config.backup; fi ; mv -f .ssh/config.tmp .ssh/config\\""  | tee -a $LOGFILE 
 +     echo Done with creating .ssh directory and setting permissions on remote host $host. | tee -a $LOGFILE 
 +done 
 + 
 +for host in $REMOTEHOSTS 
 +do 
 +  echo Copying local host public key to the remote host $host | tee -a $LOGFILE 
 +  echo The user may be prompted for a password or passphrase here since the script would be using SCP for host $host. | tee -a $LOGFILE 
 + 
 +  $SCP $HOME/.ssh/${IDENTITY}.pub  $USR@$host:.ssh/authorized_keys | tee -a $LOGFILE 
 +  echo Done copying local host public key to the remote host $host | tee -a $LOGFILE 
 +done 
 + 
 +cat $HOME/.ssh/${IDENTITY}.pub >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE 
 + 
 +for host in $HOSTS 
 +do 
 +  if [[ $ADVANCED = "true" ]] 
 +  then 
 +    echo Creating keys on remote host $host if they do not exist already. This is required to setup SSH on host $host. | tee -a $LOGFILE 
 +    if [[ $SHARED = "true" ]] 
 +    then 
 +      IDENTITY_FILE_NAME=${IDENTITY}_$host 
 +      COALESCE_IDENTITY_FILES_COMMAND="cat .ssh/${IDENTITY_FILE_NAME}.pub >> .ssh/authorized_keys" 
 +    else 
 +      IDENTITY_FILE_NAME=${IDENTITY} 
 +    fi 
 + 
 +   $SSH  -o StrictHostKeyChecking=no -x -l $USR $host " /bin/sh -c \\"if test -f  .ssh/${IDENTITY_FILE_NAME}.pub && test -f  .ssh/${IDENTITY_FILE_NAME}; then echo; else rm -f .ssh/${IDENTITY_FILE_NAME} ;  rm -f .ssh/${IDENTITY_FILE_NAME}.pub ;  $SSH_KEYGEN -t $ENCR -b $BITS -f .ssh/${IDENTITY_FILE_NAME} -N // ; fi; ${COALESCE_IDENTITY_FILES_COMMAND} \\"" | tee -a $LOGFILE 
 +  else 
 +  # At least get the host keys from all hosts for shared case - advanced option not set 
 +    if test  $SHARED = "true" && test $ADVANCED = "false" 
 +    then 
 +      if [[ $PASSPHRASE = "yes" ]] 
 +      then 
 +       echo "The script will fetch the host keys from all hosts. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE 
 +      fi 
 +      $SSH  -o StrictHostKeyChecking=no -x -l $USR $host "/bin/sh -c true" 
 +    fi 
 +  fi 
 +done 
 + 
 +for host in $REMOTEHOSTS 
 +do 
 +  if test $ADVANCED = "true" && test $SHARED = "false" 
 +  then 
 +      $SCP $USR@$host:.ssh/${IDENTITY}.pub $HOME/.ssh/${IDENTITY}.pub.$host | tee -a $LOGFILE 
 +      cat $HOME/.ssh/${IDENTITY}.pub.$host >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE 
 +      rm -f $HOME/.ssh/${IDENTITY}.pub.$host | tee -a $LOGFILE 
 +    fi 
 +done 
 + 
 +for host in $REMOTEHOSTS 
 +do 
 +   if [[ $ADVANCED = "true" ]] 
 +   then 
 +      if [[ $SHARED != "true" ]] 
 +      then 
 +         echo Updating authorized_keys file on remote host $host | tee -a $LOGFILE 
 +         $SCP $HOME/.ssh/authorized_keys  $USR@$host:.ssh/authorized_keys | tee -a $LOGFILE 
 +      fi 
 +     echo Updating known_hosts file on remote host $host | tee -a $LOGFILE 
 +     $SCP $HOME/.ssh/known_hosts $USR@$host:.ssh/known_hosts | tee -a $LOGFILE 
 +   fi 
 +   if [[ $PASSPHRASE = "yes" ]] 
 +   then 
 +       echo "The script will run SSH on the remote machine $host. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE 
 +   fi 
 +     $SSH -x -l $USR $host "/bin/sh -c \\"cat .ssh/authorized_keys.tmp >> .ssh/authorized_keys; cat .ssh/known_hosts.tmp >> .ssh/known_hosts; rm -f  .ssh/known_hosts.tmp  .ssh/authorized_keys.tmp\\"" | tee -a $LOGFILE 
 +done 
 + 
 +cat  $HOME/.ssh/known_hosts.tmp >> $HOME/.ssh/known_hosts | tee -a $LOGFILE 
 +cat  $HOME/.ssh/authorized_keys.tmp >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE 
 +  # Added chmod to fix BUG NO 5238814 
 +chmod 644 $HOME/.ssh/authorized_keys 
 +  # Fix for BUG NO 5157782 
 +chmod 644 $HOME/.ssh/config 
 +rm -f  $HOME/.ssh/known_hosts.tmp $HOME/.ssh/authorized_keys.tmp | tee -a $LOGFILE 
 +echo SSH setup is complete. | tee -a $LOGFILE 
 +fi 
 +fi 
 + 
 +echo                                                                          | tee -a $LOGFILE 
 +echo ------------------------------------------------------------------------ | tee -a $LOGFILE 
 +echo Verifying SSH setup | tee -a $LOGFILE 
 +echo =================== | tee -a $LOGFILE 
 +echo The script will now run the 'date' command on the remote nodes using ssh | tee -a $LOGFILE 
 +echo to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,  | tee -a $LOGFILE 
 +echo THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR | tee -a $LOGFILE 
 +echo PASSWORDS. If you see any output other than date or are prompted for the | tee -a $LOGFILE 
 +echo password, ssh is not setup correctly and you will need to resolve the  | tee -a $LOGFILE 
 +echo issue and set up ssh again. | tee -a $LOGFILE 
 +echo The possible causes for failure could be:  | tee -a $LOGFILE 
 +echo   1. The server settings in /etc/ssh/sshd_config file do not allow ssh | tee -a $LOGFILE 
 +echo      for user $USR. | tee -a $LOGFILE 
 +echo   2. The server may have disabled public key based authentication. 
 +echo   3. The client public key on the server may be outdated. 
 +echo   4. ~$USR or  ~$USR/.ssh on the remote host may not be owned by $USR.  | tee -a $LOGFILE 
 +echo   5. User may not have passed -shared option for shared remote users or | tee -a $LOGFILE 
 +echo     may be passing the -shared option for non-shared remote users.  | tee -a $LOGFILE 
 +echo   6. If there is output in addition to the date, but no password is asked, | tee -a $LOGFILE 
 +echo   it may be a security alert shown as part of company policy. Append the | tee -a $LOGFILE 
 +echo   "additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file." | tee -a $LOGFILE 
 +echo ------------------------------------------------------------------------ | tee -a $LOGFILE 
 +  # read -t 30 dummy 
 +  for host in $HOSTS 
 +  do 
 +    echo --$host:-- | tee -a $LOGFILE 
 + 
 +     echo Running $SSH -x -l $USR $host date to verify SSH connectivity has been setup from local host to $host.  | tee -a $LOGFILE 
 +     echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR." | tee -a $LOGFILE 
 +     if [[ $PASSPHRASE = "yes" ]] 
 +     then 
 +       echo "The script will run SSH on the remote machine $host. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE 
 +     fi 
 +     $SSH -l $USR $host "/bin/sh -c date"  | tee -a $LOGFILE 
 +echo ------------------------------------------------------------------------ | tee -a $LOGFILE 
 +  done 
 + 
 + 
 +if [[ $EXHAUSTIVE_VERIFY = "true" ]] 
 +then 
 +   for clienthost in $HOSTS 
 +   do 
 + 
 +      if [[ $SHARED = "true" ]] 
 +      then 
 +         REMOTESSH="$SSH -i .ssh/${IDENTITY}_${clienthost}" 
 +      else 
 +         REMOTESSH=$SSH 
 +      fi 
 + 
 +      for serverhost in  $HOSTS 
 +      do 
 +         echo ------------------------------------------------------------------------ | tee -a $LOGFILE 
 +         echo Verifying SSH connectivity has been setup from $clienthost to $serverhost  | tee -a $LOGFILE 
 +         echo ------------------------------------------------------------------------ | tee -a $LOGFILE 
 +         echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL."  | tee -a $LOGFILE 
 +         $SSH -l $USR $clienthost "$REMOTESSH $serverhost \\"/bin/sh -c date\\""  | tee -a $LOGFILE 
 +         echo ------------------------------------------------------------------------ | tee -a $LOGFILE 
 +      done 
 +       echo -Verification from $clienthost complete- | tee -a $LOGFILE 
 +   done 
 +else 
 +   if [[ $ADVANCED = "true" ]] 
 +   then 
 +      if [[ $SHARED = "true" ]] 
 +      then 
 +         REMOTESSH="$SSH -i .ssh/${IDENTITY}_${firsthost}" 
 +      else 
 +         REMOTESSH=$SSH 
 +      fi 
 +     for host in $HOSTS 
 +     do 
 +         echo ------------------------------------------------------------------------ | tee -a $LOGFILE 
 +        echo Verifying SSH connectivity has been setup from $firsthost to $host  | tee -a $LOGFILE 
 +        echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL." | tee -a $LOGFILE 
 +       $SSH -l $USR $firsthost "$REMOTESSH $host \\"/bin/sh -c date\\"" | tee -a $LOGFILE 
 +         echo ------------------------------------------------------------------------ | tee -a $LOGFILE 
 +    done 
 +    echo -Verification from $clienthost complete- | tee -a $LOGFILE 
 +  fi 
 +fi 
 +echo "SSH verification complete." | tee -a $LOGFILE 
 +</code> 
 + 
 +==== Add this to /etc/ssh/sshrc to get the magic cookies added automatically ==== 
 +<code> 
 +if read proto cookie && [[ -n "$DISPLAY" ]]; then 
 +    if [[ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]]; then 
 +        # X11UseLocalhost=yes 
 +        echo add unix:`echo $DISPLAY | 
 +        cut -c11-` $proto $cookie 
 +    else 
 +        # X11UseLocalhost=no 
 +        echo add $DISPLAY $proto $cookie 
 +    fi | xauth -q - 
 +fi 
 + 
 +</code>
  
 **Some stuff I did to get tunnels open to an Oracle server - didn't work yet** **Some stuff I did to get tunnels open to an Oracle server - didn't work yet**
-<code>15@@</code>+<code> 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> telnet 207.129.217.26 22 
 +Trying 207.129.217.26... 
 +Connected to 207.129.217.26. 
 +Escape character is '^]]'
 +SSH-2.0-OpenSSH_6.0 
 +^C 
 +Connection closed by foreign host. 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> netstat -an  | grep 207 
 +tcp        0      0 9.36.153.84:32904           9.36.207.26:22              ESTABLISHED 
 +unix  3      [[ ]]         STREAM     CONNECTED     20726525 /home/bey9at77/.pulse/202b121052083db8500c6fc00000001c-runtime/native 
 +unix  3      [[ ]]         STREAM     CONNECTED     20726524 
 +unix  3      [[ ]]         STREAM     CONNECTED     5037207 /home/bey9at77/.pulse/202b121052083db8500c6fc00000001c-runtime/native 
 +</code> 
 + 
 +<code> 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> /sbin/ifconfig 
 +eth1      Link encap:Ethernet  HWaddr 00:21:CC:65:A3:65 
 +          UP BROADCAST MULTICAST  MTU:1500  Metric:1 
 +          RX packets:1250962 errors:0 dropped:0 overruns:0 frame:0 
 +          TX packets:975839 errors:0 dropped:0 overruns:0 carrier:0 
 +          collisions:0 txqueuelen:1000 
 +          RX bytes:823202227 (785.0 MiB)  TX bytes:187253577 (178.5 MiB) 
 +          Interrupt:20 Memory:f2500000-f2520000 
 + 
 +lo        Link encap:Local Loopback 
 +          inet addr:127.0.0.1  Mask:255.0.0.0 
 +          UP LOOPBACK RUNNING  MTU:65536  Metric:1 
 +          RX packets:548763 errors:0 dropped:0 overruns:0 frame:0 
 +          TX packets:548763 errors:0 dropped:0 overruns:0 carrier:0 
 +          collisions:0 txqueuelen:
 +          RX bytes:275281528 (262.5 MiB)  TX bytes:275281528 (262.5 MiB) 
 + 
 +virbr0    Link encap:Ethernet  HWaddr 52:54:00:FD:BE:C9 
 +          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0 
 +          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
 +          RX packets:119495 errors:0 dropped:0 overruns:0 frame:0 
 +          TX packets:173181 errors:0 dropped:0 overruns:0 carrier:0 
 +          collisions:0 txqueuelen:
 +          RX bytes:11358048 (10.8 MiB)  TX bytes:188176715 (179.4 MiB) 
 + 
 +</code> 
 + 
 +<code> 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -L 
 +[[sudo]] password for bey9at77: 
 +Chain INPUT (policy DROP) 
 +target     prot opt source               destination 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 +ACCEPT     all  --  anywhere             anywhere 
 +ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
 +ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
 +REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:cfengine 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vnc-server 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5901 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5656 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpts:avt-profile-1:avt-profile-2 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:avt-profile-1:avt-profile-2 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:20830 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:20830 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:sip:na-localise 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpts:sip:na-localise 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:12080 
 +ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain 
 +ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:21100 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dc 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:wizard 
 +ACCEPT     ah   --  anywhere             anywhere 
 +ACCEPT     esp  --  anywhere             anywhere 
 +ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:isakmp 
 +ACCEPT     254  --  anywhere             anywhere 
 +ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
 +ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
 +ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
 +ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
 +ACCEPT     icmp --  anywhere             anywhere            icmp router-advertisement 
 +ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
 +ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:tproxy 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:virtual-places 
 +ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:52311 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:30000:30005 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:bootps:bootpc 
 +DROP       udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ns 
 +DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm 
 +DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
 +DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ssn 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:tcpmux:ftp-data 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:sunrpc 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:snmp:snmptrap 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:efs 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:6348:6349 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:6345:gnutella-rtr 
 +ACCEPT     tcp  --  anywhere             192.168.122.1       tcp dpt:microsoft-ds 
 +ACCEPT     tcp  --  anywhere             192.168.122.1       tcp dpt:proxima-lm 
 +ACCEPT     tcp  --  anywhere             192.168.123.1       tcp dpt:microsoft-ds 
 +ACCEPT     tcp  --  anywhere             192.168.123.1       tcp dpt:proxima-lm 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:48500 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:48500 
 +LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: ' 
 +LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: ' 
 +DROP       all  --  anywhere             anywhere 
 + 
 +Chain FORWARD (policy DROP) 
 +target     prot opt source               destination 
 +ACCEPT     all  --  anywhere             anywhere 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
 +ACCEPT     all  --  192.168.122.0/24     anywhere 
 +ACCEPT     all  --  anywhere             anywhere 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
 +ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
 +ACCEPT     all  --  192.168.122.0/24     anywhere 
 +ACCEPT     all  --  anywhere             anywhere 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +ACCEPT     all  --  anywhere             192.168.123.0/24    state RELATED,ESTABLISHED 
 +ACCEPT     all  --  192.168.123.0/24     anywhere 
 +ACCEPT     all  --  anywhere             anywhere 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 + 
 +Chain OUTPUT (policy ACCEPT) 
 +target     prot opt source               destination 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:localhost:1521 207.129.217.26 
 +The authenticity of host '207.129.217.26 (207.129.217.26)' can't be established. 
 +RSA key fingerprint is 2d:70:2e:b4:12:48:e9:20:fd:b0:de:b1:b4:67:41:1f. 
 +Are you sure you want to continue connecting (yes/no)? yes 
 +Warning: Permanently added '207.129.217.26' (RSA) to the list of known hosts. 
 +[email protected]'s password: 
 +</code> 
 + 
 +<code> 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:localhost:9099 ehemgtaix -N 
 +The authenticity of host 'ehemgtaix (207.129.107.120)' can't be established. 
 +RSA key fingerprint is 63:0a:a8:27:99:1f:32:73:8e:94:22:cd:80:b3:73:10. 
 +Are you sure you want to continue connecting (yes/no)? yes 
 +Warning: Permanently added 'ehemgtaix,207.129.107.120' (RSA) to the list of known hosts. 
 +bey9at77@ehemgtaix's password: 
 +</code> 
 + 
 +<code> 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:192.168.122.1:9099 exs4bars@ehemgtaix -N 
 +channel 1: open failed: connect failed: A remote host did not respond within the timeout period. 
 +channel 2: open failed: connect failed: A remote host did not respond within the timeout period. 
 +Connection to ehemgtaix closed by remote host. 
 +You have new mail in /var/spool/mail/bey9at77 
 +</code> 
 + 
 +<code> 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh 192.168.122.1 -p 1521 
 +ssh: connect to host 192.168.122.1 port 1521: Connection refused 
 +</code> 
 + 
 +<code> 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -A INPUT -i virbr0 -p tcp --dport 1521 -j ACCEPT 
 +[[sudo]] password for bey9at77: 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh 192.168.122.1 -p 1521 
 +ssh: connect to host 192.168.122.1 port 1521: Connection refused 
 +</code> 
 + 
 +<code> 
 +(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -L 
 +Chain INPUT (policy DROP) 
 +target     prot opt source               destination 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
 +ACCEPT     all  --  anywhere             anywhere 
 +ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
 +ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
 +REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:cfengine 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vnc-server 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5901 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5656 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpts:avt-profile-1:avt-profile-2 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:avt-profile-1:avt-profile-2 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:20830 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:20830 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:sip:na-localise 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpts:sip:na-localise 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:12080 
 +ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain 
 +ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain 
 +ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:21100 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dc 
 +ACCEPT     udp  --  anywhere             anywhere            udp dpt:wizard 
 +ACCEPT     ah   --  anywhere             anywhere 
 +ACCEPT     esp  --  anywhere             anywhere 
 +ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:isakmp 
 +ACCEPT     254  --  anywhere             anywhere 
 +ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
 +ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
 +ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
 +ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
 +ACCEPT     icmp --  anywhere             anywhere            icmp router-advertisement 
 +ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
 +ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:tproxy 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:virtual-places 
 +ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:52311 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:30000:30005 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:bootps:bootpc 
 +DROP       udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ns 
 +DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm 
 +DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
 +DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ssn 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:tcpmux:ftp-data 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:sunrpc 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:snmp:snmptrap 
 +DROP       tcp  --  anywhere             anywhere            tcp dpt:efs 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:6348:6349 
 +DROP       tcp  --  anywhere             anywhere            tcp dpts:6345:gnutella-rtr 
 +ACCEPT     tcp  --  anywhere             192.168.122.1       tcp dpt:microsoft-ds 
 +ACCEPT     tcp  --  anywhere             192.168.122.1       tcp dpt:proxima-lm 
 +ACCEPT     tcp  --  anywhere             192.168.123.1       tcp dpt:microsoft-ds 
 +ACCEPT     tcp  --  anywhere             192.168.123.1       tcp dpt:proxima-lm 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:48500 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:48500 
 +LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: ' 
 +LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: ' 
 +DROP       all  --  anywhere             anywhere 
 +ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ncube-lm
  
-<code>16@@</code>+Chain FORWARD (policy DROP) 
 +target     prot opt source               destination 
 +ACCEPT     all  --  anywhere             anywhere 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
 +ACCEPT     all  --  192.168.122.0/24     anywhere 
 +ACCEPT     all  --  anywhere             anywhere 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
 +ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
 +ACCEPT     all  --  192.168.122.0/24     anywhere 
 +ACCEPT     all  --  anywhere             anywhere 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +ACCEPT     all  --  anywhere             192.168.123.0/24    state RELATED,ESTABLISHED 
 +ACCEPT     all  --  192.168.123.0/24     anywhere 
 +ACCEPT     all  --  anywhere             anywhere 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
 +REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
  
-<code>17@@</code>+Chain OUTPUT (policy ACCEPT) 
 +target     prot opt source               destination 
 +(0)bey9at77@my_PC:/home/bey9at77/scriptsgrep 1521 /etc/services 
 +ncube-lm        1521/tcp                # nCube License Manager 
 +ncube-lm        1521/udp                # nCube License Manager 
 +(0)bey9at77@my_PC:/home/bey9at77/scriptssudo iptables -n -L -v --line-numbers 
 +Chain INPUT (policy DROP 0 packets, 0 bytes) 
 +num   pkts bytes target     prot opt in     out     source               destination 
 +1        0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:53 
 +2        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:53 
 +3        0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:67 
 +4        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:67 
 +5     6665  477K ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:53 
 +6        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:53 
 +7      110 36134 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:67 
 +8        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:67 
 +9        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:445 
 +10           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:139 
 +11           0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:138 
 +12           0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:137 
 +13           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:67 
 +14           0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:67 
 +15           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:53 
 +16           0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:53 
 +17           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:445 
 +18           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:139 
 +19           0 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:138 
 +20           0 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:137 
 +21           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:67 
 +22           0 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:67 
 +23           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:53 
 +24           0 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:53 
 +25    640K  300M ACCEPT     all  --  lo           0.0.0.0/           0.0.0.0/0 
 +26   1526K 1015M ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          state RELATED,ESTABLISHED 
 +27   33099 3880K ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          state RELATED,ESTABLISHED 
 +28           0 REJECT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:113 reject-with icmp-port-unreachable 
 +29           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:5308 
 +30         152 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:22 
 +31           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:5900 
 +32           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:5901 
 +33           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:443 
 +34           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:5656 
 +35           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpts:5004:5005 
 +36           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:5004:5005 
 +37           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:20830 
 +38           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:20830 
 +39           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:5060:5062 
 +40           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpts:5060:5062 
 +41           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:12080 
 +42           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW tcp dpt:53 
 +43           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW udp dpt:53 
 +44           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW tcp dpt:21 
 +45           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:21100 
 +46           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:2001 
 +47           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:2001 
 +48           0 ACCEPT     ah   --  *      *       0.0.0.0/           0.0.0.0/0 
 +49           0 ACCEPT     esp  --  *      *       0.0.0.0/           0.0.0.0/0 
 +50           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW udp dpt:500 
 +51           0 ACCEPT     254  --  ipsec+ *       0.0.0.0/           0.0.0.0/0 
 +52      37  3310 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 3 
 +53           0 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 4 
 +54     912 61240 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 11 
 +55           0 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 12 
 +56           0 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 9 
 +57    3746  225K ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 8 
 +58      93  4400 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 0 
 +59           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:631 
 +60           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:8081 
 +61           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:1533 
 +62     160  8120 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW udp dpt:52311 
 +63           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:30000:30005 
 +64           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:67:68 
 +65    2175  714K DROP       udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpts:67:68 
 +66           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:137 
 +67   71334 5594K DROP       udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:137 
 +68           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:138 
 +69    4358  974K DROP       udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:138 
 +70           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:139 
 +71           0 DROP       udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:139 
 +72           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:1:20 
 +73           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:111 
 +74           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:161:162 
 +75           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:520 
 +76           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:6348:6349 
 +77           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:6345:6347 
 +78           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           192.168.122.1       tcp dpt:445 
 +79           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           192.168.122.1       tcp dpt:1445 
 +80           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           192.168.123.1       tcp dpt:445 
 +81           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           192.168.123.1       tcp dpt:1445 
 +82    1222 63544 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:48500 
 +83           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:48500 
 +84    3878  177K LOG        tcp  --  *      *       0.0.0.0/           0.0.0.0/          limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: ' 
 +85    6981  648K LOG        udp  --  *      *       0.0.0.0/           0.0.0.0/          limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: ' 
 +86   47429 4007K DROP       all  --  *      *       0.0.0.0/           0.0.0.0/0 
 +87           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:1521
  
-<code>18@@</code>+Chain FORWARD (policy DROP 0 packets, 0 bytes) 
 +num   pkts bytes target     prot opt in     out     source               destination 
 +1        0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/           0.0.0.0/0 
 +2        0     0 REJECT     all  --  *      virbr1  0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +3        0     0 REJECT     all  --  virbr1 *       0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +4     116K  183M ACCEPT     all  --  *      virbr0  0.0.0.0/           192.168.122.0/24    state RELATED,ESTABLISHED 
 +5    95393 9448K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/
 +6        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/           0.0.0.0/0 
 +7        0     0 REJECT     all  --  *      virbr0  0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +8        0     0 REJECT     all  --  virbr0 *       0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +9        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
 +10           0 ACCEPT     all  --  *      virbr0  0.0.0.0/           192.168.122.0/24    state RELATED,ESTABLISHED 
 +11           0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/
 +12           0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/           0.0.0.0/0 
 +13           0 REJECT     all  --  *      virbr0  0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +14           0 REJECT     all  --  virbr0 *       0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +15           0 ACCEPT     all  --  *      virbr1  0.0.0.0/           192.168.123.0/24    state RELATED,ESTABLISHED 
 +16           0 ACCEPT     all  --  virbr1 *       192.168.123.0/24     0.0.0.0/
 +17           0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/           0.0.0.0/0 
 +18       0     0 REJECT     all  --  *      virbr1  0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +19           0 REJECT     all  --  virbr1 *       0.0.0.0/           0.0.0.0/0           reject-with icmp-port-unreachable
  
-<code>19@@</code>+Chain OUTPUT (policy ACCEPT 2917 packets, 253K bytes) 
 +num   pkts bytes target     prot opt in     out     source               destination 
 +(0)bey9at77@my_PC:/home/bey9at77/scriptssudo iptables -I INPUT 78 -i virbr0 -p tcp --dport 1521 -j ACCEPT 
 +(0)bey9at77@my_PC:/home/bey9at77/scriptssudo iptables -n -L -v --line-numbers 
 +Chain INPUT (policy DROP 0 packets, 0 bytes) 
 +num   pkts bytes target     prot opt in     out     source               destination 
 +1        0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:53 
 +2        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:53 
 +3        0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:67 
 +4        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:67 
 +5     6670  477K ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:53 
 +6        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:53 
 +7      111 36462 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:67 
 +8        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:67 
 +9        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:445 
 +10           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:139 
 +11           0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:138 
 +12           0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:137 
 +13           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:67 
 +14           0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:67 
 +15           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:53 
 +16           0 ACCEPT     udp  --  virbr1 *       0.0.0.0/           0.0.0.0/          udp dpt:53 
 +17           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:445 
 +18           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:139 
 +19           0 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:138 
 +20           0 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:137 
 +21           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:67 
 +22           0 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:67 
 +23           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:53 
 +24           0 ACCEPT     udp  --  virbr0 *       0.0.0.0/           0.0.0.0/          udp dpt:53 
 +25    642K  300M ACCEPT     all  --  lo           0.0.0.0/           0.0.0.0/0 
 +26   1526K 1015M ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          state RELATED,ESTABLISHED 
 +27   33107 3881K ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          state RELATED,ESTABLISHED 
 +28           0 REJECT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:113 reject-with icmp-port-unreachable 
 +29           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:5308 
 +30         152 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:22 
 +31           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:5900 
 +32           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:5901 
 +33           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:443 
 +34           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:5656 
 +35           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpts:5004:5005 
 +36           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:5004:5005 
 +37           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:20830 
 +38           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:20830 
 +39           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:5060:5062 
 +40           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpts:5060:5062 
 +41           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:12080 
 +42           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW tcp dpt:53 
 +43           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW udp dpt:53 
 +44           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW tcp dpt:21 
 +45           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:21100 
 +46           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:2001 
 +47           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:2001 
 +48           0 ACCEPT     ah   --  *      *       0.0.0.0/           0.0.0.0/0 
 +49           0 ACCEPT     esp  --  *      *       0.0.0.0/           0.0.0.0/0 
 +50           0 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW udp dpt:500 
 +51           0 ACCEPT     254  --  ipsec+ *       0.0.0.0/           0.0.0.0/0 
 +52      37  3310 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 3 
 +53           0 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 4 
 +54     912 61240 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 11 
 +55           0 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 12 
 +56           0 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 9 
 +57    3749  225K ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 8 
 +58      93  4400 ACCEPT     icmp --  *      *       0.0.0.0/           0.0.0.0/          icmp type 0 
 +59           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:631 
 +60           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:8081 
 +61           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:1533 
 +62     160  8120 ACCEPT     udp  --  *      *       0.0.0.0/           0.0.0.0/          state NEW udp dpt:52311 
 +63           0 ACCEPT     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:30000:30005 
 +64           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:67:68 
 +65    2175  714K DROP       udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpts:67:68 
 +66           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:137 
 +67   71334 5594K DROP       udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:137 
 +68           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:138 
 +69    4358  974K DROP       udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:138 
 +70           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:139 
 +71           0 DROP       udp  --  *      *       0.0.0.0/           0.0.0.0/          udp dpt:139 
 +72           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:1:20 
 +73           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:111 
 +74           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:161:162 
 +75           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpt:520 
 +76           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:6348:6349 
 +77           0 DROP       tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp dpts:6345:6347 
 +78           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:1521 
 +79           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           192.168.122.1       tcp dpt:445 
 +80           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           192.168.122.1       tcp dpt:1445 
 +81           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           192.168.123.1       tcp dpt:445 
 +82           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           192.168.123.1       tcp dpt:1445 
 +83    1223 63596 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:48500 
 +84           0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/           0.0.0.0/          tcp dpt:48500 
 +85    3879  177K LOG        tcp  --  *      *       0.0.0.0/           0.0.0.0/          limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: ' 
 +86    6981  648K LOG        udp  --  *      *       0.0.0.0/           0.0.0.0/          limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: ' 
 +87   47430 4007K DROP       all  --  *      *       0.0.0.0/           0.0.0.0/0 
 +88           0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/           0.0.0.0/          tcp dpt:1521
  
-<code>20@@</code>+Chain FORWARD (policy DROP 0 packets, 0 bytes) 
 +num   pkts bytes target     prot opt in     out     source               destination 
 +1        0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0 
 +2        0     0 REJECT     all  --  *      virbr1  0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +3        0     0 REJECT     all  --  virbr1 *       0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +4     116K  183M ACCEPT     all  --  *      virbr0  0.0.0.0/           192.168.122.0/24    state RELATED,ESTABLISHED 
 +5    95444 9455K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/
 +6        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/           0.0.0.0/0 
 +7        0     0 REJECT     all  --  *      virbr0  0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +8        0     0 REJECT     all  --  virbr0 *       0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +9        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/           0.0.0.0/          tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
 +10           0 ACCEPT     all  --  *      virbr0  0.0.0.0/           192.168.122.0/24    state RELATED,ESTABLISHED 
 +11           0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/
 +12           0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/           0.0.0.0/0 
 +13           0 REJECT     all  --  *      virbr0  0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +14           0 REJECT     all  --  virbr0 *       0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +15           0 ACCEPT     all  --  *      virbr1  0.0.0.0/           192.168.123.0/24    state RELATED,ESTABLISHED 
 +16           0 ACCEPT     all  --  virbr1 *       192.168.123.0/24     0.0.0.0/
 +17           0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/           0.0.0.0/0 
 +18           0 REJECT     all  --  *      virbr1  0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable 
 +19           0 REJECT     all  --  virbr1 *       0.0.0.0/           0.0.0.0/          reject-with icmp-port-unreachable
  
-<code>21@@</code>+Chain OUTPUT (policy ACCEPT 73 packets, 5937 bytes) 
 +num   pkts bytes target     prot opt in     out     source               destination 
 +(0)bey9at77@my_PC:/home/bey9at77/scriptsssh 192.168.122.1 -p 1521 
 +ssh: connect to host 192.168.122.1 port 1521: Connection refused 
 +</code>
  
-<code>22@@</code>+<code> 
 +</code>
  
-<code>23@@</code> 
ssh.1544130327.txt.gz · Last modified: 2018/12/06 21:05 by 91.177.234.129
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki