
Convenient iptables rules

Here are some convenient iptables rules.

This first list blocks everything coming in, except packets that belong to connections you opened yourself, complicated related traffic like FTP data connections, everything from localhost, ICMP (ping and the like) and SSH. It also sets the default INPUT policy to DROP. This is what you would use on a machine connected directly to the internet.

iptables -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT --match comment --comment "Accept traffic from outgoing connections and stuff like FTP."
iptables -A INPUT -p icmp -j ACCEPT --match comment --comment "Allow ICMP"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT --match comment --comment "Allow SSH"
iptables -A INPUT --in-interface lo -j ACCEPT --match comment --comment "Allow everything on the localhost"
iptables -P INPUT DROP

Here are some rules to allow certain MAC addresses to access everything. Simplifies things on a LAN (even though it’s not attacker-proof, it keeps unwanted people out of my SMB and stuff):
iptables -A INPUT --match mac --mac-source xx:xx:xx:xx:xx:xx --match comment --comment "Allow everything from [computer]" -j ACCEPT

Besides the computers you want to grant full access to, don’t forget to include the MACs of the router and of the machine’s own ethernet interface.

When the machine acts as a masquerading SNAT server, use this to forward ports to LAN hosts (be sure to put the --to after the -j DNAT):

iptables -t nat -A PREROUTING --in-interface eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:22 --match comment --comment "forwards incoming port 80 to port 22 on 10.0.0.1"

To allow everything for a samba server:

iptables -A INPUT -p tcp --dport 139 -m comment --comment "Allow Netbios-ssn" -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -m comment --comment "Allow microsoft-ds" -j ACCEPT
iptables -A INPUT -p udp --dport 137 -m comment --comment "Allow netbios-ns" -j ACCEPT
iptables -A INPUT -p udp --dport 138 -m comment --comment "Allow netbios-dgm" -j ACCEPT
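The rules above are applied one at a time; as an added example (not code from the original post), this script applies the same INPUT ruleset in a lockout-safe order, validates the MAC list before touching the firewall, and binds the MAC and Samba rules to the LAN interface. LAN_IF and the MAC addresses are placeholders; IPT=echo previews the commands instead of running them.

```sh
#!/bin/sh
# Added example, not code from the original post: applies the INPUT rules
# from the post in a lockout-safe order (the policy stays ACCEPT until every
# allow rule is in place) after validating the MAC list. IPT=echo previews.
# Assumptions: LAN_IF and the MACs below are placeholders, not real values.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
# Placeholder MACs; as the post says, include the router's and this host's own NIC
LAN_MACS="${LAN_MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"

valid_mac() {
    # Exactly six colon-separated hex octets
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

apply_input_rules() {
    for mac in $LAN_MACS; do
        valid_mac "$mac" || { echo "refusing to apply: bad MAC '$mac'" >&2; return 1; }
    done
    # Open policy first, so an aborted run cannot cut off the SSH session running it
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -m comment --comment "Allow everything on localhost" -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED \
        -m comment --comment "Replies to outgoing connections and related traffic like FTP" -j ACCEPT
    $IPT -A INPUT -p icmp -m comment --comment "Allow ICMP" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
    for mac in $LAN_MACS; do
        # MAC matching only works on the local segment, so bind it to the LAN interface
        $IPT -A INPUT -i "$LAN_IF" -m mac --mac-source "$mac" \
            -m comment --comment "Allow everything from LAN host $mac" -j ACCEPT
    done
    # Samba, restricted to the LAN side
    $IPT -A INPUT -i "$LAN_IF" -p tcp -m multiport --dports 139,445 \
        -m comment --comment "Allow netbios-ssn and microsoft-ds" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp -m multiport --dports 137,138 \
        -m comment --comment "Allow netbios-ns and netbios-dgm" -j ACCEPT
    # Only now close the door
    $IPT -P INPUT DROP
}
```

Check the result afterwards with iptables-save; the DROP policy must be the last thing applied, and the established/related rule must sit before it.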

My custom Linux environment

On every machine that I install, I need a custom environment. At the very least, I need screen and bash customizations. I will attempt to keep this blog post up-to-date with my most recent config.

/etc/bash.bashrc_halfgaar (naming scheme depends on distro):

# Note: the 'function', 'export' and 'alias' keywords and the && operators were
# lost in the page copy of this file and are restored here.
function prompt_command {
  # Put user@host:cwd in the xterm title bar
  XTERM_TITLE="\e]2;\u@\H:\w\a"

  # Show a job counter only when there are background jobs
  BGJOBS_COLOR="\[\e[1;30m\]"
  BGJOBS=""
  [ "$(jobs | head -c1)" ] && BGJOBS=" $BGJOBS_COLOR(bg:\j)"

  # Green prompt character for normal users, red for root
  DOLLAR_COLOR="\[\e[1;32m\]"
  [[ ${EUID} == 0 ]] && DOLLAR_COLOR="\[\e[1;31m\]"
  DOLLAR="$DOLLAR_COLOR\\\$"

  # Username on a red background when running as root
  USER_COLOR="\[\e[1;32m\]"
  [[ ${EUID} == 0 ]] && USER_COLOR="\[\e[41;1;32m\]"

  PS1="$XTERM_TITLE$USER_COLOR\u\[\e[1;32m\]@\H:\[\e[m\] \[\e[1;34m\]\w\[\e[m\]\n\
$DOLLAR$BGJOBS \[\e[m\]"
}
PROMPT_COMMAND=prompt_command

export EDITOR=vim
alias ls='ls --color=auto' ll='ls -l' lh='ls -lh' grep='grep --color=auto'

Don’t forget to source the file in ~/.bashrc

~/.screenrc:

caption always "%{= kB}%-Lw%{=s kB}%50>%n%f* %t %{-}%+Lw%<"
vbell off
startup_message off
term linux

Pasting in Vim

When you paste into Vim, you want Vim not to auto-indent, because that messes up your code. I used to use :insert, but on some machines it would still indent. I discovered the :set paste command, which works quite well.

Create DVDs from any random movie format on Windows

Ewald wanted to be able to create DVDs from the Quicktime movies exported by his digital camera. As a result of being away from my familiar Linux tools, I had to find something that’d work on Windows XP.

First, I tried MediaCoder, a Windows front-end (done in XUL) for mencoder, ffmpeg and more of these familiar tools. It was flexible enough, but quite awkward from an end-user perspective and also frustrating if you’re used to calling the supporting commands directly from the CLI.

Luckily, I stumbled upon ConvertXtoDVD, a commercial Windows-only program which proved to be very user-friendly and intuitive without requiring the user to understand the ins and outs of each and every supported media format.

At 40 euro it’s a bit expensive if, like me, you’re used to staying at the free software side of things, but I’d daresay it’s actually worth the money if you’re not an obsessive geek with obscene amounts of free time on his hands.

UTP wiring

I’m always confused about which wiring scheme to use for UTP cables. After doing some research, it seems T568B is what you need. Wikipedia says that it doesn’t really matter, but crosstalk can be a problem for T568A in some esoteric situations:

Note that the only difference between T568A and T568B is that pairs 2 and 3 (orange and green) are swapped. Both configurations wire the pins “straight through”, i.e., pins 1 through 8 on one end are connected to pins 1 through 8 on the other end. Also, the same sets of pins are paired in both configurations: pins 1 and 2 form a pair, as do 3 and 6, 4 and 5, and 7 and 8. However the different pairs in an Ethernet cable are identical, so one can use cables wired according to either configuration in the same installation without significant problem; problems involving crosstalk can occur (which is normally minimized by correctly twisting a pair together), but are usually insignificant in all but the most stringent specifications such as Category 6 cable. The primary thing one has to be careful of is not to accidentally wire the ends of the same cable according to different configurations (except if one intends to create an Ethernet crossover cable).

Making Coyote Linux work with KPN ADSL

The Dutch ISP KPN gives you a modem+router to access the internet. The router they give you is a custom version of an Alcatel Speedtouch (model varies) and is extremely limited. I don’t use any VOIP services, so I replaced that router with a Speedtouch 546 (which supports DHCP spoofing) so that I can use my own Coyote Linux based router.

Once the DHCP spoofing was configured everything basically worked, except for the fact that KPN’s default gateway is outside of the current subnet. It is said that only Windows knows how to deal with this. To work around this, you need to add two routes: one to tell on which ethernet port the IP address of the gateway can be found and one to set it up as default gateway.

To do that in Coyote Linux, make this script and name it /etc/rc.d/rc.add-kpn-routes:

# KPN has a router that is outside the subnet, therefore these routes need to be added manually. Only Windows can handle it normally.
# This file is sourced from rc.line_up (see below), so it needs no shebang. The echo and eval
# commands were lost in the page copy of this script and are restored here.

log_file="/var/log/add-kpn-routes"
echo "==========" >> $log_file
echo "Called with param: $1" >> $log_file
echo "Current route:" >> $log_file
route -n >> $log_file
echo "" >> $log_file
# Load the DHCP lease variables (dhcp_router among them) written by the DHCP client
eval `cat /etc/dhcpc/eth1.info`
# First a host route to the gateway via eth1, then the default route through it
echo "route add $dhcp_router dev eth1" >> $log_file
route add $dhcp_router dev eth1
echo "route add default gw $dhcp_router eth1" >> $log_file
route add default gw $dhcp_router eth1
echo "==========" >> $log_file

Then in /etc/rc.d/rc.line_up add:

# Add KPN routes
[ -x /etc/rc.d/rc.add-kpn-routes ] && . /etc/rc.d/rc.add-kpn-routes $1

When Coyote has started, it can take a while for the script to run, but it works eventually.

Don’t forget to add a newline at the end of the last line. The default editor Coyote uses doesn’t do that by default, and I can somewhat remember that bad things happen when that newline is missing.
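The script above always adds both routes. As an added example (not code from the original post), the functions below check with plain POSIX sh arithmetic whether the DHCP-supplied gateway actually lies outside the interface's subnet and print the route commands accordingly; all addresses used are constructed sample values, and eth1 is assumed as the uplink as in the post.

```sh
#!/bin/sh
# Added example, not code from the original post: tells whether a gateway lies
# inside an interface's subnet and prints the route commands the post's
# rc.add-kpn-routes runs, adding the host route only when the gateway really is
# off-subnet. Addresses in the comments are constructed sample values.

# Dotted-quad IPv4 address to a 32-bit integer (POSIX sh arithmetic only)
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gw_in_subnet ADDR NETMASK GATEWAY: true when GATEWAY shares ADDR's network
gw_in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$2") )) -eq $(( $(ip2int "$3") & $(ip2int "$2") )) ]
}

# kpn_routes ADDR NETMASK GATEWAY [DEV]: print the route commands to run.
# An off-subnet gateway (KPN's case) first needs a host route via the device;
# without it the kernel rejects the default route, since the next hop is unreachable.
kpn_routes() {
    addr=$1; mask=$2; gw=$3; dev=${4:-eth1}
    if ! gw_in_subnet "$addr" "$mask" "$gw"; then
        echo "route add $gw dev $dev"
    fi
    echo "route add default gw $gw $dev"
}

# Constructed sample: 82.1.2.3/24 on eth1 with an off-subnet gateway 10.10.10.1
kpn_routes 82.1.2.3 255.255.255.0 10.10.10.1
```

On a current system with iproute2, the same two-step dance collapses into one command, `ip route add default via $gw dev eth1 onlink`, where onlink tells the kernel to treat the next hop as directly attached.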

Creating a DRBD device

This post is no longer up-to-date. See this one.

When you’re clustering machines, a distributed remote block device (DRBD) comes in handy. It’s basically RAID1 over a network. I used Ubuntu Server 9.10 to create a test drbd setup.

First install drbd:

aptitude -P install drbd8-utils

Then put this config, with modifications, on both nodes:

global {
  usage-count no;
}
common {
  protocol C;
 
  handlers {
    split-brain "/usr/lib/drbd/notify-split-brain.sh wiebe@halfgaar.net";
  }
 
  syncer {
    # The default is supposed to be maximum speed, but it was dead slow without this directive
    rate 500k;
    csums-alg md5;
  }
 
  disk {
    on-io-error detach;
  }
 
  net {
    data-integrity-alg md5;
  }
}
resource r0 {
  meta-disk internal;
  disk      /dev/sda2;
  device    /dev/drbd1;
 
  on storage00 {
    address   192.168.1.50:7789;
  }
  on storage01 {
    address   192.168.1.51:7789;
  }
}

Then on both nodes:

  • drbdadm create-md r0
  • drbdadm up r0

Then on the primary node, execute this to start the sync:

drbdadm -- --overwrite-data-of-peer primary r0

Data from the current node will now be used as base.

You can also make a drbd device with data on one of the underlying devices, but I didn’t try that, so go to the drbd website for docs on that.
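After the primary command above, the initial sync runs in the background and the device should not be trusted until it finishes. As an added example (not code from the original post or the DRBD project), these functions parse the drbd 8.3 /proc/drbd layout for one minor (1 for the post's /dev/drbd1) and wait until the resource is Connected and UpToDate on both sides; SAMPLE_PROC_DRBD is a constructed snapshot, not output from a real host.

```sh
#!/bin/sh
# Added example, not code from the original post: parses /proc/drbd (drbd 8.3
# layout) for one minor number and reports whether the resource is connected
# and in sync, so a script can wait for the initial sync started with
# "drbdadm -- --overwrite-data-of-peer primary r0" before using /dev/drbd1.
# SAMPLE_PROC_DRBD is a constructed snapshot, not captured from a real host.
SAMPLE_PROC_DRBD="version: 8.3.7 (api:88/proto:86-91)
 1: cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent C r----
    ns:204800 nr:0 dw:0 dr:204800 al:0 bm:12 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:1843200
    [=>..................] sync'ed:  9.8% (1800/2000)M"

# drbd_field MINOR KEY [TEXT]: value of the cs:/ro:/ds: field for that minor
# (MINOR 1 is /dev/drbd1 as in the post). Reads /proc/drbd unless TEXT is given.
drbd_field() {
    minor=$1; key=$2; text=${3:-$(cat /proc/drbd)}
    printf '%s\n' "$text" | awk -v m="$minor" -v k="$key" '
        $1 == (m ":") {
            for (i = 2; i <= NF; i++)
                if (index($i, k ":") == 1) { print substr($i, length(k) + 2); exit }
        }'
}

# drbd_ready MINOR [TEXT]: true once both sides are connected and UpToDate
drbd_ready() {
    [ "$(drbd_field "$1" cs "$2")" = "Connected" ] &&
    [ "$(drbd_field "$1" ds "$2")" = "UpToDate/UpToDate" ]
}

# Poll until the resource is usable; run on the primary after starting the sync
wait_drbd_ready() {
    until drbd_ready "$1"; do
        echo "drbd$1: cs=$(drbd_field "$1" cs) ds=$(drbd_field "$1" ds), waiting..."
        sleep 10
    done
}
```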

Disabling Zimbra’s spam learning

Zimbra learns ham and spam by sending it to certain mailboxes. For our setup, this doesn’t work (easily), because our server is configured to always send mail to another SMTP server and not do any local delivery. I did that, because our zimbra server is not actually on the domain it thinks.

To disable the learning accounts, I did this:

zmprov mcf zimbraSpamIsSpamAccount ''
zmprov mcf zimbraSpamIsNotSpamAccount ''
zmcontrol stop
zmcontrol start

I didn’t delete the accounts, so I can enable it later.

To enable it, I guess I have to configure these two accounts on our hosting provider’s servers, fetch and deliver them to Zimbra and it works. I’ll do that some time…


© 2025 BigSmoke
