Creation

Saturday, December 29th, 2007 Chinese Cantonese

Sometimes I do some random creation when I simply have too much time to kill. This section holds that kind of stuff, which does not really fit on the time scale.

These days I will be forward-porting the old material I already published on my old website.

List of Creations

Please refer to the navigation tree on the right-hand side.

Related Posts for the ‘Creation’ Feed

One Linux Box replacing Many SOHO Routers (iptables, iproute2, netfilter)

Saturday, October 18th, 2008 Chinese Cantonese

It’s easy to use Linux to replace one SOHO router. It can be summed up in 6 commands:

dhclient3 … $WANIF                                       # Get the IP on the WAN side (DHCP from the ISP)
ip addr add 192.168.0.1/24 broadcast + dev $LANIF        # Set the router's own IP on the LAN side
dhcpd3 … $LANIF                                          # Enable the DHCP server on the LAN side
sysctl -w net.ipv4.ip_forward=1                          # Enable IP forwarding in the kernel
iptables -t nat -A POSTROUTING -o $WANIF -j MASQUERADE   # Enable SNAT to the WAN address
dnsmasq                                                  # Enable the DNS proxy for LAN clients

GOAL: use one Linux box to replace N SOHO routers, i.e. the box would run multiple isolated NATs, each on the same (but actually distinct) private IP range.

That one router takes 5 commands doesn’t mean 2 routers take 10 commands; the problems are:

  1. How to get more than one IP for the WAN interfaces?
  2. How to MASQUERADE to a different WAN IP for each router?
  3. Every router’s subnet will be defined as 192.168.0.0/24, but just like a real router setup, THIS 192.168.0.0/24 is not THAT 192.168.0.0/24. Attaching 192.168.0.1/24 to $LANIF[1..n] confuses the kernel, or the routing table to be exact; what can be done?
  4. How do clients on the LAN side reach the router box itself?
  5. What about DMZ and port forwarding?
  6. Can one NAT subnet reach another NAT subnet?
  7. What about the router reaching the client side?

(more…)
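As an added example (not the post’s own script), here is one way to attack questions 1 to 3 above: give every router its own network namespace, so each namespace keeps a private routing table and N copies of 192.168.0.0/24 never collide on the host. It assumes, beyond what the post states, a kernel and iproute2 with network-namespace support, iptables, dnsmasq and dhclient installed, and an upstream on $WANIF that hands out one DHCP lease per MAC address (otherwise question 1 has no answer at this layer). Interface names, the wanN/routerN naming and the dnsmasq DHCP range are constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's code. One isolated SOHO router per
# network namespace; the LAN range is the same in every namespace.
# Assumptions: "ip netns", iptables, dnsmasq, dhclient available; the ISP on
# $WANIF gives a separate DHCP lease to each MAC address.
# Run as root:  WANIF=eth0 ./multirouter.sh eth1 eth2   (one LAN NIC per router)
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu
DRY_RUN="${DRY_RUN:-0}"
LAN_GW=192.168.0.1/24   # same router address inside every namespace

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup_router() {   # $1 = router index, $2 = LAN interface, $3 = physical WAN interface
  idx=$1; lan=$2; wan=$3
  ns="router$idx"; wleg="wan$idx"
  run ip netns add "$ns"
  # Question 1: a macvlan child of the physical WAN NIC has its own MAC, so once
  # moved into the namespace it is one more DHCP client from the ISP's view.
  run ip link add link "$wan" name "$wleg" type macvlan mode bridge
  run ip link set "$wleg" netns "$ns"
  run ip link set "$lan" netns "$ns"
  run ip netns exec "$ns" ip link set lo up
  run ip netns exec "$ns" ip link set "$wleg" up
  run ip netns exec "$ns" dhclient -pf "/run/dhclient-$ns.pid" "$wleg"
  # Question 3: the same private range in every namespace; each namespace has
  # its own routing table, so the kernel never sees two 192.168.0.0/24 routes.
  run ip netns exec "$ns" ip addr add "$LAN_GW" broadcast + dev "$lan"
  run ip netns exec "$ns" ip link set "$lan" up
  run ip netns exec "$ns" sysctl -w net.ipv4.ip_forward=1
  # Question 2: MASQUERADE on this namespace's WAN leg uses that leg's address,
  # so every router SNATs to its own WAN IP.
  run ip netns exec "$ns" iptables -t nat -A POSTROUTING -o "$wleg" -j MASQUERADE
  # MASQUERADE alone leaves FORWARD wide open: only the LAN may open connections,
  # and only their replies may come back in from the WAN side.
  run ip netns exec "$ns" iptables -P FORWARD DROP
  run ip netns exec "$ns" iptables -A FORWARD -i "$lan" -o "$wleg" -j ACCEPT
  run ip netns exec "$ns" iptables -A FORWARD -i "$wleg" -o "$lan" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # DHCP server plus DNS proxy for this LAN only. Upstream resolvers come from
  # /etc/netns/$ns/resolv.conf, which iproute2 bind-mounts over /etc/resolv.conf
  # inside the namespace.
  run ip netns exec "$ns" dnsmasq --bind-interfaces --interface="$lan" \
      --pid-file="/run/dnsmasq-$ns.pid" \
      --dhcp-range=192.168.0.100,192.168.0.200,12h
}

main() {
  i=1
  for lan in "$@"; do
    setup_router "$i" "$lan" "${WANIF:-eth0}"
    i=$((i + 1))
  done
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Questions 4 to 7 are left untouched here: inside a namespace the router answers on 192.168.0.1 as usual, while anything crossing between namespaces (port forwarding, DMZ, subnet-to-subnet traffic) needs explicit veth links and rules, which is exactly the isolation the goal asks for.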

Setting up Linux/Apache Single Sign On (Active Directory, mod_auth_kerb, Kerberos)

Tuesday, October 14th, 2008 Chinese Cantonese

Goal: in a Windows Domain environment, an intranet user can authenticate to a website hosted on Linux/Apache without a password prompt when browsing with IE or Firefox, hence Single Sign On (SSO). During the setup, the Linux box will join the domain and have a Computer Account created.

Non-goal: enabling domain logon for Linux in general. Authorization is also not discussed.

Introduction

If the target is merely to accept the domain’s credentials, the question is actually much easier. KB555092 is one way to achieve that, but it basically means the credentials are transmitted in clear text to the web server, which then tests them against the domain controller. If such a website is browsed with IE, the prompt states that problem clearly, and it won’t do SSO either. To the client this is very insecure: even with SSL enabled, the web server ends up holding the credentials. All in all, KB555092 is not what I want. I think other solutions like LDAP could achieve a similar result.

The key in KB555092 is that KrbMethodNegotiate is Off, which prevents SSO from happening. However, turning it on is not as simple as flagging it On; there are quite a few steps that need to be done in the background.

(more…)
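To make the difference between the two setups concrete, here is an added example (not from the post) that audits a mod_auth_kerb vhost snippet: it flags the KB555092 style, where KrbMethodNegotiate is Off and KrbMethodK5Passwd lets the browser send the domain password to Apache, and passes the Negotiate-only form where the browser presents a Kerberos ticket instead. The directive names are mod_auth_kerb’s own; the two sample configs, the EXAMPLE.COM realm and the keytab path are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not the original post's code: audit a mod_auth_kerb snippet for
# the password-prompt configuration versus the Negotiate/SSO one.
# Sample configs below are constructed; realm and keytab path are placeholders.
set -eu

# Effective value of an Apache directive in a file, lowercased (Apache treats
# directive names and On/Off values case-insensitively; the last occurrence wins).
# Prints "unset" when the directive never appears.
kerb_directive() {   # $1 = config file, $2 = directive name
  awk -v d="$2" 'tolower($1) == tolower(d) { v = tolower($2) }
                 END { print (v == "" ? "unset" : v) }' "$1"
}

# Returns 0 when the config offers Negotiate (so IE/Firefox can use the domain
# ticket for SSO) and refuses password fallback (so the server never receives
# the user's domain password). Returns 1 and prints each finding otherwise.
# Unset directives are reported as findings too, so defaults are never relied on.
audit_kerb_conf() {   # $1 = config file
  neg=$(kerb_directive "$1" KrbMethodNegotiate)
  pw=$(kerb_directive "$1" KrbMethodK5Passwd)
  ok=0
  if [ "$neg" != "on" ]; then
    echo "KrbMethodNegotiate is $neg: browsers get a password prompt instead of SSO"
    ok=1
  fi
  if [ "$pw" != "off" ]; then
    echo "KrbMethodK5Passwd is $pw: the web server accepts, and therefore sees, the domain password"
    ok=1
  fi
  return $ok
}

# Constructed sample 1: the KB555092 style. The browser prompts for a password
# and hands it to Apache in the clear (inside TLS at best).
sample_kb555092_conf() {
  cat <<'EOF'
<Location /intranet>
    AuthType Kerberos
    AuthName "Intranet"
    KrbAuthRealms EXAMPLE.COM
    KrbMethodNegotiate Off
    KrbMethodK5Passwd On
    Require valid-user
</Location>
EOF
}

# Constructed sample 2: Negotiate only. The keytab holds the HTTP/<host> key the
# Linux box obtained when it joined the domain; the browser sends a ticket,
# never a password.
sample_sso_conf() {
  cat <<'EOF'
<Location /intranet>
    AuthType Kerberos
    AuthName "Intranet"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    Require valid-user
</Location>
EOF
}

# Run both samples through the audit:  ./kerb_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  for s in sample_kb555092_conf sample_sso_conf; do
    f=$(mktemp); "$s" > "$f"
    echo "== $s"; audit_kerb_conf "$f" && echo "OK: Negotiate-only SSO"
    rm -f "$f"
  done
fi
```

The audit only looks at the two directives the post singles out; a real deployment still needs the keytab, the service principal and the browsers’ trusted-site settings before Negotiate actually succeeds, which is the background work the post refers to.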

Hey old man, what’s your keyboard?

Sunday, January 20th, 2008 Cantonese Chinese

What kind of gadget has stood for more than a hundred years without any sign of fading out? Analog phones are being replaced by VoIP; the US, EU and Australia have passed laws to ban incandescent light bulbs within a few years; low-power wired transformers are replaced by their IC-based brothers; keys are replaced by smartcards at many access control points; broadcasting is going digital; and the list just goes on and on… But most people in the world are still typing on a QWERTY-based keyboard!

Did anyone tell you that it’s not the only option? Just as the general public once didn’t know that IE is not the only browser, does Dvorak sound to you like Firefox did to them?