Posts Tagged ‘linux’

One Linux Box replacing Many SOHO Routers (iptables, iproute2, netfilter)

Saturday, October 18th, 2008

It’s easy to use Linux to replace one SOHO router. It can be summed up in 6 commands:

dhclient3 … $WANIF                                      # Get the IP on the WAN side
ip addr add 192.168.0.1/24 broadcast + dev $LANIF        # Set the IP on the LAN side
dhcpd3 … $LANIF                                         # Enable DHCPD on the LAN side
sysctl -w net.ipv4.ip_forward=1                          # Enable forwarding
iptables -t nat -A POSTROUTING -o $WANIF -j MASQUERADE   # Enable SNAT
dnsmasq                                                  # Enable the DNS proxy

GOAL: Use one Linux box to replace N SOHO routers, i.e. this box would run multiple isolated NATs, each on what looks like the same private IP range but is actually a different one.

One router taking 5 commands doesn’t mean 2 routers take 10 commands; the problems are:

  1. How to get more than one IP on the WAN interfaces?
  2. How to MASQUERADE to a different WAN IP for each router?
  3. The N routers’ subnets will all be defined as 192.168.0.0/24, but just like a real router setup, THIS 192.168.0.0/24 is not THAT 192.168.0.0/24. Attaching 192.168.0.1/24 to $LANIF[1..n] confuses the kernel, or the routing table to be exact; what can be done?
  4. How does the LAN side reach the router box itself?
  5. How about DMZ and port forwarding?
  6. Can one NAT subnet reach another NAT subnet?
  7. How about the router reaching the client side?

(more…)

Setting up Linux/Apache Single Sign On (Active Directory, mod_auth_kerb, Kerberos)

Tuesday, October 14th, 2008

Goal: In a Windows Domain environment, an Intranet user can authenticate to a website hosted on Linux/Apache without a password prompt when browsing with IE or Firefox, hence Single Sign On (SSO). During the setup, the Linux box will join the Domain and have a Computer Account created.

Non-goal: enabling domain logon for Linux in general. Authorization is also not discussed.

Introduction

If the target is only to accept the domain’s credentials, the problem is actually much easier. KB555092 is one way to achieve that, but it basically means the credentials are transmitted in clear text to the web server, which then tests them against the domain controller. If such a website is browsed with IE, the prompt states this problem plainly, and it won’t do SSO either. To the client this is very insecure: even with SSL enabled, it means the web server has control of the credentials. All in all, KB555092 is not what I want. I think there are other solutions, such as LDAP, that could achieve a similar result.

The key in KB555092 is that KrbMethodNegotiate is Off, which prevents SSO from happening. However, turning it on is not as simple as flipping the flag; quite a few steps need to be done in the background first.
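The following is an added example, not the post’s configuration. It emits the mod_auth_kerb section that the paragraph above argues for (KrbMethodNegotiate On so the browser does SPNEGO with its existing ticket, and KrbMethodK5Passwd Off so the server can never fall back to prompting for, and receiving, the domain password), and pairs it with a small audit function that flags the weak settings in an existing config. The realm EXAMPLE.LOCAL, the keytab path, the /intranet location and the function names are placeholders; the directives themselves are mod_auth_kerb’s.

```shell
#!/bin/sh
# Added example (not the post's own code): hardened mod_auth_kerb config plus an audit
# of the two settings that would let a site fall back to cleartext password auth.
# Assumptions: realm EXAMPLE.LOCAL and keytab /etc/apache2/http.keytab are placeholders.

# hardened_kerb_config [REALM] [KEYTAB]: print a <Location> block that only does SPNEGO.
hardened_kerb_config() {
    realm="${1:-EXAMPLE.LOCAL}"               # placeholder: your AD realm, upper case
    keytab="${2:-/etc/apache2/http.keytab}"   # placeholder: keytab holding HTTP/<host> key
    cat <<EOF
<Location /intranet>
    AuthType Kerberos
    AuthName "Intranet SSO"
    KrbAuthRealms $realm
    KrbServiceName HTTP
    Krb5Keytab $keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbSaveCredentials Off
    Require valid-user
</Location>
EOF
}

# audit_kerb_config FILE: print one finding per weak directive; exit 0 only when the
# config can neither disable SPNEGO nor prompt the browser for the domain password.
audit_kerb_config() {
    findings=0
    if grep -qiE '^[[:space:]]*KrbMethodNegotiate[[:space:]]+Off' "$1"; then
        echo "KrbMethodNegotiate Off: SPNEGO disabled, so no SSO is possible"
        findings=$((findings + 1))
    fi
    if grep -qiE '^[[:space:]]*KrbMethodK5Passwd[[:space:]]+On' "$1"; then
        echo "KrbMethodK5Passwd On: browser can be prompted for the domain password (Basic auth)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

hardened_kerb_config "$@"
```

Usage: `sh kerb-sso.sh CORP.EXAMPLE /etc/apache2/http.keytab > /etc/apache2/conf.d/intranet-sso.conf`, then `audit_kerb_config` against any existing vhost file before enabling it; note that mod_auth_kerb defaults KrbMethodK5Passwd to On, so an explicit Off is what closes the cleartext path.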

(more…)

The Great Firewall

Tuesday, March 6th, 2007

The Great Firewall counts as one of the great network constructions, famous at home and abroad: a super-large network firewall covering all of mainland China, and what it guards against is, presumably, foreign ideas invading mainland China?

Intercepting an astronomical volume of network traffic is no easy task, but with the mainland government pushing hard, quite a few network equipment vendors developed a whole line of matching products and solutions and raked in a lot of business.

The result is that many very useful websites are blocked. Newspaper sites like Apple Daily are out of the question, of course; even google.com is sometimes forcibly redirected to an unrelated mainland Chinese search engine, and being unable to reach wikipedia is to be expected. Even sites that are not blocked may, when some sensitive words show up, be detected and temporarily blocked with TCP RST for ten-odd minutes.

Fortunately there is a server at home in Hong Kong, so the problem can be solved readily.

  1. First use openvpn to set up a UDP VPN tunnel. The advantage of UDP is low overhead and no redundant congestion control, and it cannot be TCP RST’ed. With TCP, the traffic going through the VPN would end up as TCP over IP over TCP over IP, i.e. double congestion control. Since the Great Firewall relies on TCP RST to cut connections rather than sitting in the middle of the connection like an ordinary firewall, UDP should also get around its restrictions. Set the Hong Kong side up as the server and the mainland side as the client.
    The IPs on both sides are simply picked from a private IP range. Below I assume the server uses 192.168.100.1/24.
    # apt-get install openvpn
    Then just follow the online HOWTO, using IP (tun) mode rather than bridge mode. Finally check with ifconfig -a; there should be a tun0 interface, which on the client looks like this:
    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:192.168.110.6 P-t-P:192.168.110.5 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:258555 errors:0 dropped:0 overruns:0 frame:0
    TX packets:395634 errors:0 dropped:14602 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:93446120 (89.1 MiB) TX bytes:62463470 (59.5 MiB)
    With no firewall in the way, the server should be able to ping the IP address shown as inet addr, and the client should be able to ping 192.168.110.1.
  2. Install ipmasq on both sides; it is a quick and handy tool that sets up iptables for you.
    # apt-get install ipmasq
  3. On both server and client, tweak /etc/ipmasq/rules/A01precompute.def; the point is to make ipmasq pick up the correct netmask of the VPN interface.
  4. Also, on the client, hardcode the in/out interfaces in /etc/ipmasq/rules/A01interface.rul. Note that the file ends in .rul so that it overrides the .def settings.
    INTERNAL="eth1"
    EXTERNAL_OUT="eth0 tun0"
    EXTERNAL_IN=$EXTERNAL_OUT
    This of course assumes eth0 is the Internet connection interface, eth1 is the LAN interface, and tun0 is the interface created by openvpn.
    The server does not need this, because tun0 is automatically recognised as an internal interface.
  5. Restart ipmasq, then look at the nat part of iptables on both sides.
    # /etc/init.d/ipmasq restart
    # iptables -vnL -t nat
    On the server:

    Chain POSTROUTING (policy ACCEPT 9530 packets, 876K bytes)
    pkts bytes target prot opt in out source destination
    3188 153K MASQUERADE all -- * eth0 192.168.100.0/24 0.0.0.0/0

    This means 192.168.100.0/24, our VPN, gets rewritten to eth0’s IP address, exactly what I want. And on the client:

    Chain POSTROUTING (policy ACCEPT 14 packets, 749 bytes)
    pkts bytes target prot opt in out source destination
    32 2032 MASQUERADE all -- * eth0 192.168.1.0/24 0.0.0.0/0
    2 96 MASQUERADE all -- * tun0 192.168.1.0/24 0.0.0.0/0

    This means 192.168.1.0/24, the network address of my eth1 LAN card, also gets rewritten when going out via eth0 or tun0. Good.
  6. Having got this far, all that is left is to use 192.168.100.1 as the gateway for the sites you want to detour. For example, if I want to view en.wikipedia.org (66.230.200.100):
    route add -host 66.230.200.100 gw 192.168.100.1

That solves half of the problem.

The temporary TCP RST blocking still has to be dealt with; otherwise it’s real trouble as soon as a sensitive word shows up in google’s search results. This can be sorted out easily with iptables and perl, though.

  1. First create a new ipmasq rule, P10gfw.rul; the key line is
    iptables -t mangle -I PREROUTING -i eth0 -p tcp --sport 80 --tcp-flags RST RST -j LOG --log-prefix GREAT_FIREWALL
    which logs every TCP RST packet coming from port 80.
  2. Edit /etc/syslog.conf to send part of the log to a FIFO file. The main thing is to add this line anywhere:
    kern.info |/var/log/gfw.fifo
    then create the FIFO file by hand
    # mkfifo /var/log/gfw.fifo
    # chmod 600 /var/log/gfw.fifo
    and of course restart sysklogd
    # /etc/init.d/sysklogd restart
  3. Put the perl script that receives the FIFO messages in place: /etc/ipmasq/gfw.pl. A few places need customising.
    Under sub add_dst there are two blacklisted IP addresses; change them to the IP addresses of the Internet gateway and the VPN server respectively, so that they never get re-routed into the VPN channel, otherwise your whole Internet connection will break.
    gfw.pl reads the GREAT_FIREWALL messages that travel from iptables through sysklogd to gfw.fifo, and re-routes every site that has been RST’ed onto the VPN channel. So whenever a TCP RST is hit while browsing, gfw.pl re-routes that IP onto the VPN, and reloading the page should then go through fine.
  4. Also create a file /etc/ipmasq/gfw.list, a static re-route list; gfw.pl checks it every 5 seconds for additions and removals. My list contains:
    google.com
    www.google.com
    hk.google.com
    en.google.com
    wikipedia.org
    ja.wikipedia.org
    en.wikipedia.org
    www.wikipedia.org
    Any other sites you want to route around can be added to this list.
  5. Finally run /etc/init.d/gfw.pl; if all goes well, put it into the init sequence
    # cd /etc/rcS.d
    # ln -s ../init.d/gfw S80gfw
    and finally start it by hand
    # /etc/init.d/gfw start
  6. Done.

Lastly, I have tar-gzipped some of the files mentioned above.
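The following is an added example, not the post’s gfw.pl (which is not reproduced on this page). It shows the core of what step 3 describes: reading the GREAT_FIREWALL lines that the mangle rule in step 1 writes through sysklogd, extracting each distinct SRC= host that sent a TCP RST from port 80, dropping the two blacklisted addresses (Internet gateway and VPN server, the add_dst caveat), and turning the rest into the same route command as step 6. The log lines are constructed samples in the kernel LOG format; the gateway and VPN server addresses, the function names and the dry-run output are assumptions. Note that the post’s --log-prefix has no trailing space, so the prefix fuses with IN= in real lines (the second sample shows this); the match below tolerates both forms.

```shell
#!/bin/sh
# Added example (not the post's gfw.pl): turn GREAT_FIREWALL LOG lines into the
# per-host route commands of step 6, skipping the blacklisted addresses.
# Assumptions: the three addresses below are placeholders for your own setup.
GATEWAY="${GATEWAY:-192.168.1.254}"        # assumption: Internet gateway, must never be re-routed
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # assumption: public address of the openvpn server
VPN_GW="${VPN_GW:-192.168.100.1}"          # tunnel address of the server, as in the post

# rst_sources: read LOG lines on stdin; print each distinct SRC= host that sent a
# TCP RST from port 80, leaving out the blacklisted gateway and VPN server.
rst_sources() {
    awk -v gw="$GATEWAY" -v vpn="$VPN_SERVER" '
        /GREAT_FIREWALL/ && /PROTO=TCP/ && / SPT=80 / && / RST / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == gw || src == vpn) next          # never detour the path to the VPN itself
            if (!(src in seen)) { seen[src] = 1; print src }
        }'
}

# route_cmds: print one route command per RST source (dry run; pipe to sh as root to apply,
# or feed this function from the FIFO instead of a sample string to run it continuously).
route_cmds() {
    rst_sources | while read -r ip; do
        printf 'route add -host %s gw %s\n' "$ip" "$VPN_GW"
    done
}

# Constructed sample log lines: two RSTs from one host, one from the gateway (blacklisted),
# and one unrelated line that lacks the prefix. The second line shows the fused prefix.
SAMPLE_LOG='Mar  6 12:00:01 client kernel: GREAT_FIREWALL IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=66.230.200.100 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=40123 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 12:00:01 client kernel: GREAT_FIREWALLIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=66.230.200.100 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=40124 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 12:00:02 client kernel: GREAT_FIREWALL IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.254 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=40125 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 12:00:03 client kernel: other: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=80 DPT=40126 ACK URGP=0'

printf '%s\n' "$SAMPLE_LOG" | route_cmds
```

Run stand-alone it prints a single `route add -host 66.230.200.100 gw 192.168.100.1`; the gateway’s own RST and the unprefixed line are ignored. A long-running version would replace the sample with `route_cmds < /var/log/gfw.fifo`, which blocks until sysklogd writes the next line.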