Posts Tagged ‘Networking’

Hi all,

finally, after two weeks of debugging, here is the first release of my munin plugins, nginx version.

Changelog

  • various parsing fixes
  • locking on cache files
  • sensor for monit downtime
  • bots moved from a single sensor to multiple sensors (one per file)

Requirements

Python 2.7 at least. Be sure python2.7 is in the system path for every user.

Install

Take a look at the INSTALL file.

Cheers.


Hi All,

from FOSDEM, I returned with a checklist of things to see and study. Today was the day dedicated to CAcert.

I never spent much time on CAs, because it is easy to find a howto for creating a self-signed certificate. I saw a CA as a way to make money without selling anything, so I ignored it without too many problems.

The problem was born when I changed my default browser from iceweasel to chromium. The second one seems to enjoy reminding me that my cert is not so valid, because the identity of my server cannot be validated. This annoyance made me think about a way to solve it, possibly without spending money.

FOSDEM gave me the solution: CAcert.

As they explain, by joining the community you can get a CA-signed certificate for free. Obviously, you need to be the owner of the domain and the one who receives the email stored in the whois db, but this shouldn't be a problem.

The procedure is very easy: first of all, you have to register yourself with the community. I suggest getting the client certificate to avoid all the login operations. To do that, use "Client Certification" and follow these instructions:

wget -O cacert-root.crt "http://www.cacert.org/certs/root.crt"
wget -O cacert-class3.crt "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "MyCert" -i mycert.crt

MyCert and mycert.crt are placeholders :). The .crt file is taken from the CAcert site.

Now we can start with the server certificate: first of all you have to create your key and certificate signing request.

openssl req -newkey rsa:2048 -subj /CN=my.test.com -nodes -keyout mytest_key.pem -out mytest_csr.pem

After that, you've got two files: mytest_key.pem and mytest_csr.pem. The first is strictly private, so store it in a folder readable only by the apache user (the one who runs the apache daemon). Usually that folder is /etc/ssl/private.

mytest_csr.pem has to be signed, so go to Server Certificates on the CAcert site and paste the content of the file into the box (all bytes, do not forget header and footer).

Post the form and store the result in a file, called for example mytest_cert.pem. This is the signed certificate!!

Store it in the well-known folder (on debian) /etc/ssl/certs.

Configuring apache is the last step. Before proceeding, take a look at the apache documentation for mod_ssl.

The following is a dummy example:

<VirtualHost *:443>
ServerName my.test.com
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/ssl/certs/mytest_cert.pem
SSLCertificateKeyFile /etc/ssl/private/mytest_key.pem
SSLCertificateChainFile /etc/ssl/certs/cacert-class3.crt
...
</VirtualHost>

The last file (cacert-class3.crt) is the file you got before; it is enough to copy it into the correct folder.

Check apache with

apache2ctl -t

and then restart.
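As an added example (not from the post), here is the vhost above beside a hardened version, plus a small POSIX sh audit that flags the weak settings in the original: SSLProtocol all still allows SSLv3, HIGH:MEDIUM admits medium-strength and anonymous suites, and without SSLHonorCipherOrder the client picks the cipher. The hardened directives assume Apache 2.4 mod_ssl keywords; both config texts are constructed inline and the function name audit_vhost is mine.

```shell
#!/bin/sh
# Constructed sample: the vhost exactly as in the post (weak settings kept).
WEAK_VHOST='<VirtualHost *:443>
ServerName my.test.com
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/ssl/certs/mytest_cert.pem
SSLCertificateKeyFile /etc/ssl/private/mytest_key.pem
SSLCertificateChainFile /etc/ssl/certs/cacert-class3.crt
</VirtualHost>'

# Constructed sample: same vhost, hardened (Apache 2.4 mod_ssl keywords):
# SSLv3 and TLS 1.0/1.1 off, no MEDIUM/anonymous/RC4 suites, server picks.
HARDENED_VHOST='<VirtualHost *:443>
ServerName my.test.com
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/mytest_cert.pem
SSLCertificateKeyFile /etc/ssl/private/mytest_key.pem
SSLCertificateChainFile /etc/ssl/certs/cacert-class3.crt
</VirtualHost>'

# audit_vhost CONFIG_TEXT
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_vhost() {
    _cfg=$1
    _findings=0
    _honor=no
    set -f                      # no globbing while splitting config lines
    while IFS= read -r _line; do
        set -- $_line           # directive, then its arguments
        [ $# -gt 0 ] || continue
        _directive=$1; shift
        _args=$*
        case "$_directive" in
        SSLProtocol)
            # clean only if SSLv3 is removed or the list is built up from -all
            case " $_args " in
            *' -SSLv3 '*|' -all '*) ;;
            *) echo "SSLProtocol leaves SSLv3 enabled: $_args"
               _findings=$((_findings + 1)) ;;
            esac ;;
        SSLCipherSuite)
            # walk the colon-separated cipher string token by token
            _weak=""; _anull=no
            _old_ifs=$IFS; IFS=:
            for _tok in $_args; do
                case "$_tok" in
                MEDIUM|LOW|EXP|EXPORT|RC4|DES|NULL|aNULL) _weak="$_weak $_tok" ;;
                '!aNULL') _anull=yes ;;
                esac
            done
            IFS=$_old_ifs
            [ -z "$_weak" ] || { echo "SSLCipherSuite permits weak families:$_weak"; _findings=$((_findings + 1)); }
            [ "$_anull" = yes ] || { echo "SSLCipherSuite does not exclude anonymous suites (!aNULL): $_args"; _findings=$((_findings + 1)); }
            ;;
        SSLHonorCipherOrder)
            [ "$_args" = on ] && _honor=yes ;;
        esac
    done <<EOF
$_cfg
EOF
    set +f
    [ "$_honor" = yes ] || { echo "SSLHonorCipherOrder on is missing: the client chooses the cipher"; _findings=$((_findings + 1)); }
    [ "$_findings" -eq 0 ]
}

# Demo run: both outcomes are expected, so neither aborts the script.
echo "== vhost from the post =="
audit_vhost "$WEAK_VHOST" || echo "-> needs hardening"
echo "== hardened vhost =="
audit_vhost "$HARDENED_VHOST" && echo "-> clean"
```

Run it after apache2ctl -t: the syntax check only proves the directives parse, not that they are safe, which is what the audit adds.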
Enjoy.

Hi all,
remember the previous post about an easy way to turn a netbook into a router for HSDPA connections? Well, I decided to make a new version of the script I proposed in that post.
The new version is a little bit wider. I mean, on the netbook I have four network interfaces: ethernet, wireless, pan and dun. Sometimes I use a bridge, a tap, etc. In this situation that script needed to be edited every time, changing the internal and external interface... very boring, I know.

So this is the rule: the script is called with a list of interfaces; the first is the gateway and the others are the sources. Simple, isn't it?

#!/bin/sh
# Usage: nat.sh extif intif [intif...]
# The first interface is the gateway (external); every other one is a
# source (internal) that gets forwarded and masqueraded through it.
# printf is used instead of "echo -e": under /bin/sh (dash on debian)
# echo -e prints a literal "-e".
printf '\n Configuring NAT:\n'
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
if [ -z "$2" ]; then
  res=65 #bad arguments
  msg="Usage: $(basename "$0") extif intif[s]"
else
  msg="done."
  res=0
  printf ' - loading modules: '
  # legacy module names; on current kernels they are nf_conntrack,
  # nf_conntrack_ftp, nf_conntrack_irc and nf_nat_ftp
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc iptable_nat ip_nat_ftp; do
    printf '%s, ' "$mod"
    $MODPROBE "$mod"
  done
  echo ""
  echo " - Enabling forwarding "
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo " - Enabling DynamicAddr"
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr
  echo " - Clearing any existing rules and setting default policy"
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -F INPUT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -F OUTPUT
  $IPTABLES -P FORWARD DROP
  $IPTABLES -F FORWARD
  $IPTABLES -t nat -F
  EXTIF=$1
  printf ' - Forwarding: '
  for int in "$@"; do
    if [ "$int" != "$EXTIF" ]; then
      printf '%s, ' "$int"
      # replies coming back through the gateway, new connections going out
      $IPTABLES -A FORWARD -i "$EXTIF" -o "$int" -m state --state ESTABLISHED,RELATED -j ACCEPT
      $IPTABLES -A FORWARD -i "$int" -o "$EXTIF" -j ACCEPT
    fi
  done
  # anything not accepted above is logged, then dropped by the FORWARD policy
  $IPTABLES -A FORWARD -j LOG
  echo ""
  echo " - Masquerade: $EXTIF"
  $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
fi
if [ -n "$msg" ]; then
  printf '%s\n' "$msg"
fi
exit $res

Actually, I use this script to manage virtualbox LAN connections, but that is another story.
Cheers to all.

Hi all,

today I want to talk about an interesting feature of an X server. Using linux (or bsd, etc.) we discovered how powerful it is to use ssh to work on another server. A command line shell (bash for me) is the program a system administrator uses the most, and it has a big suite of tools and programs that avoid any need for graphics.

But some cases may require a program that needs X to run. In those cases we have two choices: set up X on the server and use a remote/shared desktop program, or use X through the network.

It is very simple: first of all, you need a pc with xorg (or xfree) listening on tcp.

$ ps aux | grep X

shows you the situation.

root      3001  2.9  6.2 211968 129320 tty7    Ss+  08:36   0:55 /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-5QdGTF

In my case, I see X is running without listening on its tcp port, so we have to find where the X options are stored.

– Step one:

$ cd /etc

$ grep 'listen' -r *

is a way to find it. For me it is in /etc/kde4/kdm/kdmrc. Then open the file and remove the option '-nolisten tcp'.

Now we have to restart the X server: log out, switch to a tty, restart our login manager, and come back from the tty. Before proceeding, we check whether X is running correctly, as at the beginning:

$ ps aux |grep X

root      3001  2.9  6.2 211968 129320 tty7    Ss+  08:40   0:55 /usr/bin/X -br :0 vt7 -auth /var/run/xauth/A:0-5QdGTF

The result may be something like this. Using netstat we can see the port of the X server:

$ netstat -nptl | grep 6000

tcp     0   0   0.0.0.0:6000        0.0.0.0:*      LISTEN    1535/X

Well, if that is what we get, the first step is finished.

REMEMBER: the next steps need to be repeated every time, but they are very simple, do not fear.

– Step two:

On our pc, the one with the X server listening, we have to allow other servers to connect to our X server.

Some use the following command:

$ xhost +

This one enables everyone to connect to our pc.... maybe not a good idea.

$ xhost + 192.168.2.106

In this way, we enable only the server with IP 192.168.2.106... the right way to do it.

– Step three:

We have to connect through ssh to the server, in the example 192.168.2.106.

$ ssh 192.168.2.106

user@192.168.2.106# export DISPLAY=192.168.2.108:0.0

The second row is run on the server. We have to tell it which pc has the X server; in the example it is 192.168.2.108.

Now you can start your graphical program on the server, with its display on your pc.

For example:

user@192.168.2.106# kwrite notsobad.txt

I hope you enjoy it.

Cheers.
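To see in one place what steps one and two expose, here is an added example (not from the post) in POSIX sh that reads the kind of ps, netstat and xhost output shown above and reports whether X accepts TCP connections and who may connect. The sample lines are constructed from the post's own output, and the function names (x_tcp_listeners, xhost_allowed, x_exposure) are mine. Two facts the checks rely on: since xorg-server 1.17 X does not listen on TCP unless started with -listen tcp, and X over plain TCP is unencrypted, so every host allowed by xhost talks to the display in the clear.

```shell
#!/bin/sh
# Constructed samples: the ps/netstat lines from the post, plus two
# possible outputs of a bare `xhost` command.
PS_NOLISTEN='root      3001  2.9  6.2 211968 129320 tty7    Ss+  08:36   0:55 /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-5QdGTF'
PS_LISTEN='root      3001  2.9  6.2 211968 129320 tty7    Ss+  08:40   0:55 /usr/bin/X -br :0 vt7 -auth /var/run/xauth/A:0-5QdGTF'
NETSTAT_OPEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp     0   0   0.0.0.0:6000        0.0.0.0:*      LISTEN    1535/X'
XHOST_ANY='access control disabled, clients can connect from any host'
XHOST_ONE='access control enabled, only authorized clients can connect
INET:192.168.2.106'

# x_tcp_listeners NETSTAT_TEXT
# Prints the local address of every X display socket (ports 6000-6063)
# bound to something other than loopback.
x_tcp_listeners() {
    printf '%s\n' "$1" | while IFS= read -r _l; do
        set -f; set -- $_l; set +f           # split the netstat columns
        { [ "$1" = tcp ] || [ "$1" = tcp6 ]; } || continue
        _local=$4
        _port=${_local##*:}
        case "$_port" in 60[0-5][0-9]|606[0-3]) ;; *) continue ;; esac
        case "$_local" in 127.*|::1:*) continue ;; esac
        echo "$_local"
    done
}

# xhost_allowed XHOST_TEXT: prints the hosts explicitly allowed with "xhost + host"
xhost_allowed() {
    printf '%s\n' "$1" | sed -n 's/^INET6*://p'
}

# x_exposure PS_LINE NETSTAT_TEXT XHOST_TEXT
# Prints one finding per line and returns the number of findings.
x_exposure() {
    _n=0
    case "$1" in
    *'-nolisten tcp'*) ;;
    *'-listen tcp'*)
        echo "X started with -listen tcp"; _n=$((_n + 1)) ;;
    *)
        # before xorg-server 1.17 the default was to listen on TCP
        echo "X started without -nolisten tcp (listens by default on xorg-server < 1.17)"
        _n=$((_n + 1)) ;;
    esac
    _listeners=$(x_tcp_listeners "$2")
    if [ -n "$_listeners" ]; then
        echo "X display socket reachable from the network: $_listeners"; _n=$((_n + 1))
    fi
    case "$3" in
    *'access control disabled'*)
        echo "xhost + is in effect: any host may connect to the display"; _n=$((_n + 1)) ;;
    esac
    _hosts=$(xhost_allowed "$3")
    [ -z "$_hosts" ] || echo "hosts allowed by xhost:" $_hosts
    return $_n
}

# Demo: the situation before step one, then after step one with "xhost +".
echo "== before step one =="
x_exposure "$PS_NOLISTEN" "" "$XHOST_ONE" || echo "-> exposed"
echo "== after step one, xhost + =="
x_exposure "$PS_LISTEN" "$NETSTAT_OPEN" "$XHOST_ANY" || echo "-> exposed"
```

On a live box feed it the real output: x_exposure "$(ps aux | grep '[/]X')" "$(netstat -nptl)" "$(xhost)".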

Today is a good day to die. This was in the mind of all the routers of our provider, because today they decided to commit suicide, leaving us without a way to reach the Internet.

Today I had planned to make our customer's server live, with an effort of 2 hours. But Murphy's law is all around us, and so the DSL link of our offices went down.

Well, there were two choices: a party or my HSDPA cellphone.... I chose the second one :(. So I decided to use the netbook as the gateway for LAN traffic, connecting it to my pc with an ethernet cable.

What is interesting is how versatile iptables is, allowing me to configure my netbook as a router, and my pc as a gateway for the other computers in the office.

These are the four miracle rows (on the netbook):

iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

and these are the four for the pc:

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Obviously I made a LAN between my pc and the netbook, configured by hand using ifconfig, and I changed the routing using the route command.

This is a link to a full script that uses iptables to turn a pc into a router.
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/examples/rc.firewall-iptables

I know iptables is a little bit hard to use, but there are higher-level solutions like shorewall, which manage iptables and let you know only what you really need to know.

Enjoy.
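The four rows above and the script from the netbook-as-router post are the same pattern with the interface names swapped. As an added example (not from either post) here is a POSIX sh generator for that rule set: nat_rules ppp0 eth0 gives the netbook's rules, nat_rules eth0 eth1 the pc's. It validates the interface names, uses the conntrack match in place of the older state match, and, unlike the script, stops the router itself from accepting every packet that arrives on the external interface. The function names are mine; IPTABLES and SYSCTL default to echo so the block prints what it would do, and you set them to /sbin/iptables and /sbin/sysctl as root to apply it.

```shell
#!/bin/sh
# Dry run by default: prints the commands instead of applying them.
: "${IPTABLES:=echo iptables}"
: "${SYSCTL:=echo sysctl}"

# valid_ifname NAME: 0 if NAME looks like a Linux interface name
# (1-15 chars from [A-Za-z0-9._-]), 1 otherwise. This rejects anything that
# could smuggle extra iptables arguments in through the interface list.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# nat_rules EXTIF INTIF [INTIF...]
# Same contract as the post's script (first interface is the gateway, the
# rest are the sources). Returns 65 on bad arguments, like the script.
nat_rules() {
    if [ $# -lt 2 ]; then
        echo "usage: nat_rules extif intif [intif...]" >&2
        return 65
    fi
    _ext=$1; shift
    valid_ifname "$_ext" || { echo "bad external interface: $_ext" >&2; return 65; }
    _seen=" "
    for _int in "$@"; do
        valid_ifname "$_int" || { echo "bad internal interface: $_int" >&2; return 65; }
        [ "$_int" != "$_ext" ] || { echo "$_int is both external and internal" >&2; return 65; }
        case "$_seen" in *" $_int "*) echo "duplicate interface: $_int" >&2; return 65 ;; esac
        _seen="$_seen$_int "
    done

    $SYSCTL -w net.ipv4.ip_forward=1
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F POSTROUTING
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP

    # The router itself: loopback, replies to its own connections, and new
    # connections only from the internal side. Everything else on EXTIF is
    # logged (rate limited) and then dropped by the policy set last.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for _int in "$@"; do
        $IPTABLES -A INPUT -i "$_int" -j ACCEPT
    done
    $IPTABLES -A INPUT -i "$_ext" -m limit --limit 5/min -j LOG --log-prefix "nat-in-drop: "

    # Forwarding: replies in either direction, new flows only internal -> EXTIF.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for _int in "$@"; do
        $IPTABLES -A FORWARD -i "$_int" -o "$_ext" -j ACCEPT
    done
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "nat-fwd-drop: "
    $IPTABLES -t nat -A POSTROUTING -o "$_ext" -j MASQUERADE

    # Policy goes last so an ssh session used to run this is not cut off
    # between the flush and the ESTABLISHED rule.
    $IPTABLES -P INPUT DROP
}

# Demo: the netbook of the post (HSDPA on ppp0, the office pc on eth0).
nat_rules ppp0 eth0
```

The pc of the post is nat_rules eth0 eth1; the script's "one gateway, many sources" form is nat_rules ppp0 eth0 wlan0 pan0.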