Thu, 09 May 2013
Simple ip6tables (firewall) script for 6in4 tunnel
My current DSL provider has a 6in4 tunnel, which I have been using, and I wanted to have a simple script to create a firewall on IPv6. I searched quite a bit on the internet but could not readily find scripts which would work in 6in4 tunnel mode until I found the link http://www.tunnelbroker.net/forums/index.php?PHPSESSID=702ecd4f548eb60461a09b7187922d0d&topic=1488.0
I modified the script at the above link so that I could use it for my setup, where I have only one machine, my laptop, on which the 6in4 tunnel is set up. Hope this helps someone.
#!/bin/bash
# Tunnel Interface
TUNIF=sit1
# DMZ interface (Where servers live)
DMZIF=eth1
# Private interface ( machine and interface on which you are running the tunnel)
PRIVIF=wlan0
# Clean Start
ip6tables -F
# Default Policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Input to the router
# Allow all loopback traffic
ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access on private network
ip6tables -A INPUT -i $PRIVIF -j ACCEPT
# Allow restricted incoming connections
ip6tables -A INPUT -i $TUNIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow icmp, but throttle it.
ip6tables -A INPUT -j ACCEPT -p ipv6-icmp --match limit --limit 50/minute
# Allow SSH on port x (disabled in this example)
#ip6tables -A INPUT -i $TUNIF -p tcp --dport x -j ACCEPT
# IPV6 FORWARDING RULES
ip6tables -A FORWARD -i $PRIVIF -o $TUNIF -j ACCEPT
ip6tables -A FORWARD -i $TUNIF -o $PRIVIF -p ipv6-icmp --match limit --limit 50/minute -j ACCEPT
ip6tables -A FORWARD -i $TUNIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
#ip6tables -A FORWARD -i $DMZIF -o $PRIVIF -p ipv6-icmp --match limit --limit 50/minute -j ACCEPT
#ip6tables -A FORWARD -i $DMZIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
#ip6tables -A FORWARD -i $PRIVIF -o $DMZIF -j ACCEPT
#ip6tables -A FORWARD -i $TUNIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT
#ip6tables -A FORWARD -i $DMZIF -o $TUNIF -j ACCEPT
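
One way to review what a ruleset like the one above exposes on the tunnel side, as an added example that is not part of the original post: the function reads rules in "ip6tables -S" format and lists every ACCEPT rule a packet from the tunnel can reach that is neither a reply to an established connection nor rate-limited ICMPv6. The names audit_tunnel_rules and sample_rules are hypothetical, and the sample rules are constructed from the script with the SSH rule enabled on port 22 as an assumed value.

```shell
# Added example, not part of the original post.
# Live use (as root): ip6tables -S | audit_tunnel_rules sit1
# Prints one line per finding; returns 1 if there was any finding.
audit_tunnel_rules() {
    awk -v tun="$1" '
    # Inbound chains must default to DROP.
    $1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 != "DROP" {
        print "policy: " $2 " defaults to " $3; found = 1; next
    }
    $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") {
        inif = ""; target = ""; proto = ""; state = ""; limited = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") inif = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            if ($i == "--limit") limited = 1
        }
        if (target != "ACCEPT") next
        # Only rules a packet from the tunnel can hit: -i TUNIF or no -i.
        if (inif != "" && inif != tun) next
        # Replies to connections opened from inside are expected.
        if (state ~ /^(RELATED|ESTABLISHED)(,(RELATED|ESTABLISHED))*$/) next
        # Rate-limited ICMPv6 is expected.
        if ((proto == "ipv6-icmp" || proto == "icmpv6") && limited) next
        print "open: " $0; found = 1
    }
    END { exit found + 0 }
    '
}

# Constructed sample: the script rules in -S format plus SSH on port 22 (assumed).
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 50/min -j ACCEPT
-A INPUT -i sit1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i wlan0 -o sit1 -j ACCEPT
-A FORWARD -i sit1 -o wlan0 -p ipv6-icmp -m limit --limit 50/min -j ACCEPT
-A FORWARD -i sit1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}
sample_rules | audit_tunnel_rules sit1 || echo "review the rules listed above"
```

With the SSH rule left commented out, as in the script, the audit prints nothing and returns 0.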
posted at: 19:15 | category: /linux
Wed, 06 Feb 2013
Setting up apt-cacher for local proxy
So I installed apt-cacher by following the instructions at http://lgallardo.com/en/2009/11/10/mirror-interno-con-apt-cacher/
Now the problem is that I ran into this weird error "Unable to create libcurl socket" and it just wouldn't work.
In any case, after re-reading the above article multiple times, I figured out that I had not set the path_map in my apt-cacher.conf file.
Essentially, the path_map parameter substitutes the value of the URL during its own run-time so that it knows where to fetch the packages which it does not have in its own cache.
In any case, a better error message would have potentially helped debug this.
posted at: 06:37 | category: /linux
Mon, 17 Sep 2012
Knoppix 7.0.4 simultaneously (chroot env) with my Debian Squeeze
These instructions are fairly generic and should be applicable for Ubuntu or any other GNU/Linux distribution.
You will need approximately 15GB of free space apart from the ISO image which will take about 4GB.
On my Debian Squeeze machine I had to install cloop-utils
aptitude install cloop-utils
I tried to build the cloop module in Debian Squeeze but could not, due to a potential defect.
So then I thought about just getting the Knoppix environment into SquashFS.
I mounted the KNOPPIX_V7.0.4DVD-2012-08-20-EN.iso using
mount -t auto -o loop KNOPPIX_V7.0.4DVD-2012-08-20-EN.iso /mnt/iso
Then go to folder /mnt/iso/KNOPPIX; there you will find a huge ~3.8GB file called KNOPPIX.
The command documented @ knoppix did not work for me; it seemed like it was just some error in passing arguments, and it would not even process the command.
So I used the following command
extract_compressed_fs /mnt/iso/KNOPPIX/KNOPPIX - > knoppixcloop
File knoppixcloop was about 9 GB, so make sure that the place where you redirect this file has enough space. I don't know if this entire step is needed or not.
Now reboot into Knoppix so that we can convert the above cloop-based file into squashfs.
Downloaded the deb package for squashfs-tools, as Knoppix does not carry it
dpkg -i squashfs-tools_4.2-5_i386.deb
Mounted using the cloop instructions on the Knoppix wiki, especially the 2nd part, where it is documented to use "if you boot from the LiveDVD".
Say the mount is /mnt/cloop, which holds your clooped image knoppixcloop.
Ensure that you can see the entire filesystem of Knoppix, like /proc, /tmp, /etc, inside /mnt/cloop.
Converted that to squashfs, down to 3.8 GB, by following the instructions
mksquashfs /mnt/cloop /knoppixsquashed
Mount the squashfs file on /mnt/squashfs using the command
mount /knoppixsquashed /mnt/squashfs -t squashfs -o loop
mkdir a directory in /tmp called fuse. In my case /tmp is in memory, so it gets wiped out every time.
unionfs-fuse -o cow /tmp/fuse/=RW:/mnt/squashfs/=RO /mnt/knoppix/
Executed the following commands as root
mount -o bind /proc /mnt/knoppix/proc
mount -o bind /dev /mnt/knoppix/dev
mount -o bind /dev/pts /mnt/knoppix/dev/pts
mount -o bind /sys /mnt/knoppix/sys
mount --bind /tmp /mnt/knoppix/tmp
cp /etc/resolv.conf /mnt/knoppix/etc/resolv.conf
chroot /mnt/knoppix/ /bin/bash
If all goes well your Knoppix chroot environment should be up and running. You can try out a few simple commands like xclock etc.
In the chroot environment you need to run the following commands, without which most KDE apps don't work
dbus-launch
export $(dbus-launch)
You can also launch lxpanel in case you want to see what applications are installed. It might overlap with your existing panel if it is at the bottom, but once you do a Ctrl-C your panel will be shown.
Post comments Knoppix Forums
References
http://basictheprogram.blogspot.com/2011/02/how-to-chroot-simple-and-fast-archive.html
TODO
Try compressing more for squashfs as default is very low compression
See if the step of extract_compressed_fs can be eliminated by loading the cloop directly and then making a squashfs
posted at: 01:09 | category: /linux
Mon, 03 Sep 2012
Making XFCE Clock settings permanent
So I searched quite a bit to change this to be more of AM/PM format and found this link. However, the problem is that once I would use any custom formatting, on my next reboot it would still revert back to the original 24-hour clock.
In order to make your formatting changes permanent, edit the file ~/.config/xfce4/panel/clock-14.rc and change the format there.
posted at: 19:14 | category: /linux
Sat, 18 Aug 2012
Debugging Juniper VPN Client connectivity issues on Debian Squeeze/Ubuntu
My company uses an RSA key fob with login to authenticate users on the Juniper network. My company also runs host checker to ensure our company's minimum standards are met.
In any case, here are the rough steps for debugging. Hope it helps someone, as I spent a good amount of time trying various things to get my VPN working.
- On a 64-bit system ensure that you have both 32-bit & 64-bit java from Sun. As of this writing, based on my findings on the internet, it is not possible to run any java with the Juniper VPN client other than the one from Oracle/Sun. On a 64-bit machine you have to have 32-bit java, otherwise it will not work.
- Verify in your Firefox (on Debian it is called Iceweasel) that your java plugin is loading, by going to the location about:plugins in your location bar. Here 32-bit or 64-bit java plugin does not matter.
- Log in to your company's VPN portal; it will be something like https://www.<your company portal>.com
- You might be asked to "Allow to install software", that is, the Juniper client etc. Go ahead and click OK.
- Now navigate to your home directory and see that a folder by the name .juniper_networks gets created. If this folder is not created nothing will work, and most likely your java plugin is not working. It has to be fixed, else it just won't work.
- Now navigate to the folder $HOME/.juniper_networks/network_connect, and you might be able to see a file named ncsvc.log. In my case I was never able to see this file; the reason was that the Juniper client was trying to launch 64-bit java, and fails silently (no errors anywhere) because it has one file which is 32-bit, and the file is libncui.so. Here is the output of the file command:
file libncui.so
libncui.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
- Also in my case, even though the 64-bit java client was dying silently, the Juniper screen which you see in your browser when you log in was saying you have full access to your company network. However, nothing happened.
- If you don't see the Network Connect GUI, that means you are not connected to your VPN, in spite of the VPN connectivity page showing in green that you are connected to the VPN. You can verify that by checking your IP address, and it will not be in your company's range. You can also run the command ./ncdiag -a in the folder $HOME/.juniper_networks/network_connect and you will see it says network client not installed. If that happens then you are not on the VPN.
- Follow the good instructions @ this forum thread to modify your java to launch 32-bit if the invoking program is the Juniper client. This simple bash script does the trick.
- Now again navigate to your company's VPN portal.
- If everything goes well you will see a Network Connect UI window pop up, and it will tell you your IP address, how long you have been connected and so on.
http://www.rz.uni-karlsruhe.de/~iwr91/juniper/
http://pthreads.blogspot.com/2010/11/connecting-to-juniper-vpn-from-linux.html
posted at: 13:11 | category: /linux
Thu, 02 Aug 2012
Using Partimage with filesystem images made by dd using loop device
Recently I had a need to convert my dd-based image, which had my ext3 filesystem, so that I could convert it to an actual ext3 partition using partimage. Now the problem is that partimage works only on devices and cannot read a partition from a dd-based image, or for that matter any file-based image/filesystem etc.
The loop device comes as a saviour in this situation.
So what I did was load my dd-based image as a loop device using the command below, essentially fooling partimage into treating the filesystem in my file as an actual physical partition.
losetup /dev/loop0 /mnt/myDDimage.img
Now when you start partimage, you can see that /dev/loop0 is shown as a filesystem and you can do the conversion.
posted at: 03:12 | category: /linux
Wed, 22 Jun 2011
Using Microsoft Live Meeting on Linux
In any case, to make it work with java 1.6, please follow the steps on this page.
posted at: 05:33 | category: /linux
Sun, 15 Nov 2009
CS50-USB/CS60-USB Wireless Office Headset System on Debian Linux
And obviously I wanted to use it with my Linux machines.
My main goal was to use it with Ekiga for making VoIP calls with Gizmo5 (I will soon move away from Gizmo5 because it was acquired last week by Google, and I prefer not to use another monopoly named Google).
So while Ekiga was running I connected the USB headset, and Ekiga was smart enough to detect that a new headset was connected and ask whether I wanted to use that as my default device. I selected yes.
Then I tried to make a call and got error messages from Ekiga that it could not open the device "Plantronics CS50/CS60-USB Headset (PTLIB/ALSA)", and it suggested that there might be a permission issue opening the device or I might have to plug/unplug again.
To rule out all those possibilities I used root to launch Ekiga and also reconnected the headset, but I continued to get the same error message from Ekiga.
So after playing with it for a few hours I finally figured out what the problem was.
So the issue is that Ekiga detects and uses the following parameters under Edit->Preferences->Audio->Devices
Output Device : Plantronics CS50/CS60-USB Headset (PTLIB/ALSA)
Input Device : Plantronics CS50/CS60-USB Headset (PTLIB/ALSA)
But with those devices I could never make it work.
So I changed the above devices to the following and voila everything was working perfectly.
Output Device : CS50/CS60-USB Headset (PTLIB/ALSA)
Input Device : CS50/CS60-USB Headset (PTLIB/ALSA)
posted at: 16:38 | category: /linux
Resizing sidux-rw file of sidux for Persistent filesystem
Disclaimer: Please have backups of everything. I cannot be held responsible for any data loss. Use this information at your own risk.
The sidux-rw file is located on your USB drive or any other medium in the following folder: <USB drive>/sidux/sidux-rw
The file itself is really a sparse file which contains an ext2 partition in it.
So essentially what we will do is resize the ext2 partition. Typically you would need to increase the size of the container partition, but in this case there is no parent partition because this is a sparse file; all we need to do is just resize the ext2 partition by using a few tools.
So you will need to boot into any Linux distro like sidux. But please ensure that the file sidux-rw is not mounted, as the resize will fail and you might end up losing data.
Now we need to ensure the filesystem itself is healthy. We need to check that, without which resize2fs will not work.
Navigate to the folder which has the sidux-rw file and issue the following command as root
# e2fsck -f sidux-rw
You will need to fix all the recommendations by e2fsck.
After doing that you will be ready to resize your filesystem.
So now issue the following command as root to resize your sidux-rw file to, say for example, 512M
# resize2fs sidux-rw 512M
Please note that these instructions are for increasing the size only. I have not tried reducing the size of the file. Also note that the filesystem has to be ext2.
posted at: 16:18 | category: /linux
Sun, 17 May 2009
Making Linux speak
Once you have espeak installed you can issue the following command
echo "hello" | espeak
If everything goes well you will hear Hello from the speakers.
You can read more about espeak @ http://espeak.sourceforge.net
posted at: 21:48 | category: /linux


