Viewing 10 posts tagged with 'tips' (Oldest First :: Newest First) Show related: del.icio.us links, tags

Monday, June 05 2006, 3:59 AM

Back when I had roomates, I came across a networking problem that, at the time, I didn't know how to solve. I've had a VPN set up on my gateway machine for quite some time, and I shared my internet connection with the roomates. The problem was that while the roomies were paying their share of the internet and should have full access to it, they shouldn't have routed through the VPN interface to IP ranges that I routed through. In terms of the VPN interface, my computers should be treated as trusted, and all others should be considered untrusted, and barred from access.

That's not really an issue anymore since I live alone now, and my wireless network is protected by X509-authenticated IPSec in addition to 128-bit WEP and MAC address filtering. However, I had some free time tonight, and wanted to see how it's done nonetheless. First off, here's the basics of my setup, in reference to the gateway.

What I was looking to accomplish is this. Any traffic originating from the networks connected to eth0 or eth1 should be able to route out eth3 or ppp0, with the routing choice made by the routing tables. However, any traffic originating from eth2 should not be allowed to travel out ppp0, and all traffic destined for the outside world should be sent out eth3. My current routing tables have specific subnets sent through ppp0, and the rest heading out ex3 as the default gateway.

I accomplished my solution using the ip command. It allows for very powerful routing configuration. First off, I added the following lines to /etc/iproute2/rt_tables.

This just provides names that associate with routing table numbers. They're not necessary, but helpful in keeping tabs on things. Next, I created a routing rule that sends any traffic originating from eth2 to the UntrustWls routing table.

After that, I stuck a rule in to set up the default route. I'll use 10.10.10.10 as my default gateway in the example.

I also had to add the following route, because things weren't working quite right. I think it was because arp traffic wasn't being sent out properly from the gateway box without this route.

That's all! As another supplimental exercise, I figured out how to prevent the untrusted network from sending traffic to the trusted networks using these two rules.

My next related project is traffic shaping. While I don't do a whole lot of downloading/uploading of large amounts of data, it would be really sweet to allow certain types of traffic to take precidence over others. This concept is a little more advanced, and who knows when I'll get to it. We'll see I guess.

firewall linux networking routing tips

Saturday, May 13 2006, 4:09 PM

Firefox is awesome. Firefox combined with cool extensions is even better. I've been using the Adblock Plus extension for a while, and I certainly dig it. It allows you to filter out advertisements (or other content, if you wish) using regular expressions, or just simple filters. Generally ads don't bother me that much. I've just learned to look around them.

The ones that really bother me are the ones that interrupt the content I'm reading. There are two schemes that drive me bonkers. The first is Google Adwords. People seem to have zero reservation about placing the adword boxes right in the middle of their content, with the exact same styling as the content they're surrounded by. How annoying. The second just appeared recently, and uses a piece of JavaScript to edit the document client-side so that certain keywords appear as links, but are really just advertisements that pop up on your screen as soon as you mouse over them. Since my sight is somewhat impaired, I do the "highlight a line so I know where I'm reading" trick quite a bit, and clicking on one of those keywords is a really quick way to piss me off.

Adblock Plus has given me an avenue to get rid of these annoyances. The following two rules seem to block all of the crap I mentioned above. I wouldn't call them perfect yet, since I've only tested them on a few sites.

The first blocks the Google Ads, and the second blocks the faux-link pop-up ads. Enjoy.

adblockplus annoyances firefox google tips

Wednesday, May 03 2006, 3:25 AM

I came across this one at work the other day, and I didn't find crap about it anywhere, so I figure I'll post the fix here. I was having a lot of trouble configuring multiple VLAN interfaces on a customer box using the 8021q kernel module. I had never had any issues with it before, so I was pretty stumped. Packets were routing out of the box fine, and seemed to be making it back to the box fine as well. Packet and byte counters were updating fine at the interface level, but nothing was making it any higher in the stack than that. It almost seemed like iptables was blocking the traffic, but that wasn't the case either. After many hours of pulling on my imaginary hair, I came across a setting in /etc/sysctl.conf that caused the problem. When the following setting was present, the added VLAN interfaces didn't work...

When it was set to zero (along with a reboot), everything worked fine. From what I can tell, that setting controls whether the kernel will accept packets into an interface that it feels should be entering the machine from a different interface, based on its routing tables. My problems might have been solved by changing around the routing tables a bit, but this worked as well.

linux networking tips vlan

Wednesday, November 02 2005, 12:41 AM

This has probably been done before, but I decided to set up a bash script tonight that would overload the ssh command and manage ssh connections using screen. I set it up so that when a detached screen to the host you're connecting to is present, it would reattach that screen session instead of making a new one. If there weren't any detached sessions, it starts up a new screen session by connecting to the host. I also made it name the screens in a somewhat intelligent manner. If the host you're connecting to is specified by an IP address, it'll attempt a reverse lookup to provide a more beneficial name than the IP. If the reverse lookup fails, it'll just use the IP. If you're connecting to a host based on a full or partial hostname, it'll just use that as the screen name. I also made another command to shortcut searching for screens - lsscr. If it's run with no parameters, it lists all screen sessions. If it is run with a parameter, it'll take that parameter as a search string and show screen sessions matching that search string. And since I dig open source, I post my work here for all to pilfer.

[EDITx2] I've updated the functions a few times, and instead of reformatting HTML each time, I'm just going to post it in the wiki. Enjoy. [/EDITx2]

This code should be placed in your user's .bashrc file (or the server-wide copy, if you prefer) for this to work right.

bash linux screen ssh tips wiki

Sunday, March 13 2005, 8:56 PM

Since I don't post enough of these little tips and tricks (and because I looked for this one for like an hour last night on some customer's site I had done this for), I'm going to start posting more nifty tips. This is a mod_rewrite rule for Apache that will take any request on normal http and redirect it to the corresponding https page. Pretty handy for stuff like online shopping carts.

apache mod_rewrite tips

Friday, January 07 2005, 11:04 PM

Spam is really annoying, but when I read some of it, it totally cracks me up. Most of the small amount of spam I get automatically gets picked off by SpamAssassin, and stuck into a seperate folder that I clean out now and again. Since I actually use a decent mail client running on linux, I don't really have much worry with getting infected with all the malicious crap floating around. You can tell most of these things are directed at the computer unsavvy, because anyone with half a clue on how the internet or computers work would just look at the email and laugh... like I'm doing! Let's start the show! Actually, now that I think about it, these are all virus emails, but some of the spam stuff is really funny. Anyway, here goes.

I got this first one at work the other night, and looking at the message TOTALLY made me want to open the attachment!

The total machine-language garble look always makes me want to read on! The next one cracked me up because it was trying to make it look like it was an offcial notice from my WEBMAIL SYSTEM at www.neir.org.

Well, there is no webmail system. And the link links to something in the attachment, which happens to be a nice .scr file, probably designed to do nasty things. The third might be the best though.

OMG! ON THE LAST FRONTIER OF FREEDOM YOU HAVE VISITED ILLEGAL WEBSITES!! I HAVE THE LIST AND UNCLE SAM WILL CHECK IT TWICE! I love the from email address... "abuse@gov.us". Classic.

These screenshots were brought to you by the following tip I found while searching for some documentation on Fluxbox shortcut keys. You'll need ImageMagick isntalled to use it, but this will give you the ability to take a screenshot in Fluxbox without needing to load anything else. This will make a nice png screenshot in the directory you specified, complete with a timestamp of when it was taken. Nifty stuff. Just put the following in your keys file and edit to your tastes, and you'll be set.

humor linux spam tips

Saturday, May 15 2004, 4:37 PM

In my continuing project to segregate my wired and wireless LANs, I came across an error when connecting a windows box on the wireless subnet to my samba box on the wired subnet... Windows and samba were talking, but not agreeing... The following netbios error showed up in ethereal, which didn't help much at first: "not listening for called name". I poked around, and found nothing, and then remembered that I had my samba configuration set to only allow access from 192.168.0.x, my wired lan. Changing that access list fixed the problem, so there ya go.

linux samba tips windows

Thursday, May 13 2004, 11:37 PM

There's definitely some computer dork stuff happening here... first is the current uptime on my webserver.... pretty interesting that I happened to catch it at just the right moment...

The second thing is that I think I've got a good setup going for securing my wireless network much more than it currently is... I'm in the process of setting up each legitimate wireless client to use IPsec tunnels to encrypt all of their traffic to the internet or my wired LAN... I hit a few hurdles, but I'm getting there... Everything's working right on my laptop in linux, but I've yet to try to make it work in windows... I think I need to make a different kind of cert for that. We'll see when I get there.

I hit two main snags, the first being that I forgot to modify my IPsec ruleset beyond my model ruleset (from the VPN at work), so it was only encrypting traffic directly between the laptop and the gateway box. Once I figured that I was being too restrictive, a.k.a. not encrypting everything except the traffic destined to stay on the wireless subnet, I fixed the rules and things started working right. The second part I was having trouble with was the fact that my decrypted traffic was essentially hitting the firewall twice... it would pass through successfully as ESP packets, as intended, but when they were decrypted, they were sent back through the firewall again, and filtered because they weren't IPsec or DHCP related. After a couple hours of searching all over Google, I came across the magic newsgroup post... It mentioned that you could use the MARK target in iptables to mark the ESP packets coming in with a particular mark value, and also noted that each decrypted packet also carried that mark value. So, if you allow the regular packets carrying that mark value, the problem is solved! I was really pulling my hair out over that one...

Now that I've got it working as intended, I'm going to test it for a while to make sure it's stable, and then hopefully, I'll whip up some certs and get Joe's laptop on the encryption, and everything will be cool like the other side of the pillow. I could probably even open up the wireless LAN as a honeypot, and then mess with people that enter... Heheh...

encryption google ipsec linux projects security tips

Thursday, February 05 2004, 10:09 PM

Hmm... work has been quite busy the past few days... It's definitely becoming a trend. We're getting a lot of new customers as of late, and it seems as though the support load has gone up a lot. Combine that with the addition of live chat to our duties, it makes for a recipe of not being able to get a lot done. I actually had a somewhat productive day thinking-wise... I spent a couple hours trying to help a guy integrate procmail into his mailing system so that he could have more control over the way his mail is delivered. Smart guy. I love helping people who are smart and are willing to get their hands dirty to get something working that will aid them greatly in the future. I am much less likely to enjoy helping someone that is like "It's not working how I want it to work, fix it." When it's working as intended, there's nothing to fix, only their expectations. Oh well.

I also spent some time today getting SMTP authentication working in postfix on my mail server instead of just using IP based authentication. That basically means that I can authenticate and send mail through my mail server without having to log in through a shell and give myself explicit permission to send through my server each time I go somewhere else. Cool stuff. There were a couple posts in the Gentoo forums that helped, but the pimp daddy was here. I spent an few hours pulling my hair out, but it seems to be working now. Everything seemed to work much better after I removed the smtpd.conf file from the /var/lib/sasl2 directory... One of the Gentoo forum howtos told me to put it there, but the howto I linked above didn't mention it. So I tried deleting it, and stuff started working. Yay!

linux postfix projects ramblings tips work

Wednesday, February 04 2004, 6:18 PM

I just started playing around with aterm a bit, and I noticed I kept getting nastiness when I used vi on a remote system... lots of ^? characters when I pressed the backspace key. I found a workaround that seems to take care of it... Just add the following to your ~/Xdefaults file:

That should take care of it, but your mileage may vary.

aterm linux tips

Related Tags