  • Dlink DSL 504 Port forward

    I regularly add port forwards to our adsl router from the CLI, but I never remember how…

    robin@eddie robin $ <strong>telnet 192.168.254.254</strong>
    Trying 192.168.254.254...
    Connected to 192.168.254.254.
    Escape character is '^]'.
    password:
    logged on; type `@close' to close connection.
    192.168.254.254> <strong>nat</strong>
    192.168.254.254 nat> <strong>inbound list</strong>
    #  Interface Port/EndPort/LocalPort/proto  New_IP_Addr    State   Comment  Flags
     1  ppp_device     22/    22/     0/tcp    192.168.254.100  enabled  tcp22
     2  ppp_device   6257/  6257/     0/udp    192.168.254.10   enabled  udp6257
     3  ppp_device   4662/  4662/     0/tcp    192.168.254.10   enabled  udp4662
     4  ppp_device   4672/  4672/     0/udp    192.168.254.10   enabled  tcp4672
     5  ppp_device   3389/  3389/  3389/udp    192.168.254.10   enabled  RDP
     6  ppp_device   9192/  9192/     0/tcp    192.168.254.100  enabled  camserv
     7  ppp_device   4711/  4711/     0/tcp    192.168.254.10   enabled  tcp4711
     8  ppp_device   3389/  3389/     0/tcp    192.168.254.10   enabled  bob
     9  ppp_device     25/    25/    25/tcp    192.168.254.100  enabled  smtp
    10  ppp_device     53/    53/    53/udp    192.168.254.99   enabled  dns
    11  ppp_device   4712/  4712/     0/tcp    192.168.254.10   enabled  tcp4712
    12  ppp_device   6699/  6699/     0/tcp    192.168.254.11   enabled  tcp6699
    13  ppp_device   6698/  6698/     0/udp    192.168.254.11   enabled  udp6698
    14  ppp_device     80/    80/     0/tcp    192.168.254.100  enabled  tcp80
    15  ppp_device   8080/  8080/     0/tcp    192.168.254.12   enabled  tcp8080
    16  ppp_device   3283/  3283/  3283/udp    192.168.254.12   enabled  appleremote
    17  ppp_device     21/    21/     0/tcp    192.168.254.100  enabled  tcp21           (ALG)
    18  ppp_device     20/    20/     0/tcp    192.168.254.100  enabled  tcp20
    19  ppp_device  11809/ 11809/ 11809/tcp    192.168.254.11   enabled  msmsgs (192.168.254.11:11809) 11809 TCP
    20  ppp_device   7997/  7997/  7997/udp    192.168.254.11   enabled  msmsgs (192.168.254.11:7997) 7997 UDP
    21  ppp_device  15503/ 15503/ 15503/udp    192.168.254.10   enabled  msmsgs (192.168.254.10:15503) 15503 UDP
    22  ppp_device   9519/  9519/  9519/tcp    192.168.254.10   enabled  msmsgs (192.168.254.10:9519) 9519 TCP
    
    192.168.254.254 nat> <strong>inbound help add</strong>
    add             <i/f name> <port>/<end_port>/<localport>/<proto> <new IP> <state> <comment>-  add a rule
    
    192.168.254.254 nat> <strong>inbound add ppp_device 3283/3283/3283/tcp 192.168.254.12 enabled appleremotetcp</strong>
    
    192.168.254.254 nat> <strong>inbound list</strong>
    #  Interface Port/EndPort/LocalPort/proto  New_IP_Addr    State   Comment  Flags
     1  ppp_device     22/    22/     0/tcp    192.168.254.100  enabled  tcp22
     2  ppp_device   6257/  6257/     0/udp    192.168.254.10   enabled  udp6257
     3  ppp_device   4662/  4662/     0/tcp    192.168.254.10   enabled  udp4662
     4  ppp_device   4672/  4672/     0/udp    192.168.254.10   enabled  tcp4672
     5  ppp_device   3389/  3389/  3389/udp    192.168.254.10   enabled  RDP
     6  ppp_device   9192/  9192/     0/tcp    192.168.254.100  enabled  camserv
     7  ppp_device   4711/  4711/     0/tcp    192.168.254.10   enabled  tcp4711
     8  ppp_device   3389/  3389/     0/tcp    192.168.254.10   enabled  bob
     9  ppp_device     25/    25/    25/tcp    192.168.254.100  enabled  smtp
    10  ppp_device     53/    53/    53/udp    192.168.254.99   enabled  dns
    11  ppp_device   4712/  4712/     0/tcp    192.168.254.10   enabled  tcp4712
    12  ppp_device   6699/  6699/     0/tcp    192.168.254.11   enabled  tcp6699
    13  ppp_device   6698/  6698/     0/udp    192.168.254.11   enabled  udp6698
    14  ppp_device     80/    80/     0/tcp    192.168.254.100  enabled  tcp80
    15  ppp_device   8080/  8080/     0/tcp    192.168.254.12   enabled  tcp8080
    16  ppp_device   3283/  3283/  3283/udp    192.168.254.12   enabled  appleremote
    17  ppp_device     21/    21/     0/tcp    192.168.254.100  enabled  tcp21           (ALG)
    18  ppp_device     20/    20/     0/tcp    192.168.254.100  enabled  tcp20
    19  ppp_device  11809/ 11809/ 11809/tcp    192.168.254.11   enabled  msmsgs (192.168.254.11:11809) 11809 TCP
    20  ppp_device   7997/  7997/  7997/udp    192.168.254.11   enabled  msmsgs (192.168.254.11:7997) 7997 UDP
    21  ppp_device   8804/  8804/  8804/udp    192.168.254.10   enabled  msmsgs (192.168.254.10:8804) 8804 UDP
    22  ppp_device  14288/ 14288/ 14288/tcp    192.168.254.10   enabled  msmsgs (192.168.254.10:14288) 14288 TCP
    23  ppp_device   3283/  3283/  3283/tcp    192.168.254.12   enabled  appleremotetcp
    192.168.254.254 nat>  <strong>config save</strong>
    Saving configuration...Configuration saved.
    192.168.254.254 nat>  <strong>@close</strong>
    Connection closed by foreign host.
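    The listing above is the only record of what the router exposes to the internet, so it is worth auditing whenever a rule is added. The script below is an added example (not part of the original post, and not a D-Link tool): it reads a pasted `inbound list`, flags rules whose comment names a different protocol than the rule actually uses (rules 3 and 4 above), flags two rules that claim the same external port and protocol, and summarises what each LAN host has exposed. The embedded sample is a constructed subset of the rows above plus an invented rule 24 used only to exercise the duplicate check.

```shell
# Added example (not from the original post): audit a pasted "nat> inbound list"
# listing from the DSL-504. It flags rules whose comment names a different
# protocol than the rule uses, flags two rules claiming the same external
# port/protocol, and summarises what each LAN host has exposed.

# Constructed sample: a subset of the rows shown above, plus rule 24, which is
# invented here to exercise the duplicate check and is NOT on the router.
SAMPLE_LIST='#  Interface Port/EndPort/LocalPort/proto  New_IP_Addr    State   Comment  Flags
 1  ppp_device     22/    22/     0/tcp    192.168.254.100  enabled  tcp22
 3  ppp_device   4662/  4662/     0/tcp    192.168.254.10   enabled  udp4662
 4  ppp_device   4672/  4672/     0/udp    192.168.254.10   enabled  tcp4672
 5  ppp_device   3389/  3389/  3389/udp    192.168.254.10   enabled  RDP
 8  ppp_device   3389/  3389/     0/tcp    192.168.254.10   enabled  bob
 9  ppp_device     25/    25/    25/tcp    192.168.254.100  enabled  smtp
14  ppp_device     80/    80/     0/tcp    192.168.254.100  enabled  tcp80
17  ppp_device     21/    21/     0/tcp    192.168.254.100  enabled  tcp21           (ALG)
23  ppp_device   3283/  3283/  3283/tcp    192.168.254.12   enabled  appleremotetcp
24  ppp_device     80/    80/     0/tcp    192.168.254.12   enabled  tcp80-dup'

# audit_nat_list: reads a listing on stdin, prints MISMATCH / DUPLICATE / EXPOSED lines.
audit_nat_list() {
  # The router pads the Port/EndPort/LocalPort/proto column with spaces after
  # each "/", so collapse those first to get exactly one field per column.
  sed 's#/ *#/#g' | awk '
    $1 ~ /^[0-9]+$/ {
      split($3, f, "/"); port = f[1]; proto = f[4]
      comment = tolower($6)
      if ((comment ~ /^tcp/ && proto != "tcp") || (comment ~ /^udp/ && proto != "udp"))
        print "MISMATCH rule " $1 ": comment \"" $6 "\" but protocol is " proto
      key = port "/" proto
      if (key in seen)
        print "DUPLICATE rule " $1 ": " key " already forwarded by rule " seen[key]
      else
        seen[key] = $1
      exposed[$4] = exposed[$4] " " key
    }
    END { for (host in exposed) print "EXPOSED " host ":" exposed[host] }'
}

printf '%s\n' "$SAMPLE_LIST" | audit_nat_list
```

    Paste the real `inbound list` output into a file and run `audit_nat_list < file`; the EXPOSED lines are the quickest way to see which internal hosts are reachable from the WAN and on which ports.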
    


  • Linux PPTP server

    This week I will be mainly fooling with VPNs. First off is a PPTP server so the Windows 2k and XP laptops can connect. I’ve found this little daemon which seems to work perfectly well for XP and 2K machines and my Mac OS X (10.1.3) PowerBook and iMac.

    The only fiddly bit with installing poptop is that you need a patched version of pppd so that you can support all of the Microsoft extensions and force the link to be encrypted.

    The first step in creating my PPTP server was to install a recent patched version of pppd, which I found here. Installing this is as easy as installing any other RPM and required no post-installation fiddling.

    Next up was to install the MPPE (Microsoft Point-to-Point Encryption) support; this comes as a set of kernel modules from the pptpclient project. Their documentation and download page is here. I used this (Broken link http://pptpclient.sourceforge.net/mppe/kernel-mppe-2.4.20-20.9smp.i686.rpm) rpm, because our RedHat 9 machine had been patched up to the 2.4.20-20.9 kernel and is an SMP box.

    The final bit of software needed to make all this work was the actual poptop binaries. I could not find an RPM for these, so I had to install them from source. Rather than using their current (1.1.4-b4) beta I preferred to use the current stable release (1.1.3), which can be downloaded from here. When I install an application from source I always install it in accordance with the OFA (Optimal Flexible Architecture) standard, more details of which can be found on Danny's (Broken link http://www.alphazed.co.uk/admin/ofa.php) site. Rather than just unpack the source and run ./configure && make && make install as root, I use a couple of simple scripts, so that the compile is repeatable and at a later date I can tell exactly what options were used. Below is my Build script:

    gunzip -c pptpd-1.1.3-20030409.tar.gz | tar xvf -
    cd poptop
    ./configure --prefix=/usr/local/app/poptop-1.1.3
    make
    

    and the Install script:

    cd poptop
    make install
    

    Once poptop was installed I needed to write a couple of simple config files. The options, and how all this fits together, are documented very well on the poptop home page in their Documentation section, so I will not explain all the options here, but I will include my config files for reference:

    /etc/pptpd.conf

    speed 115200
    option /etc/ppp/pptp-options
    debug
    localip 10.1.1.100-199
    remoteip 10.1.2.100-199
    listen 213.52.209.13
    pidfile /var/run/pptpd.pid
    

    /etc/ppp/pptp-options

    debug
    name pptp
    domain install.mydomain
    auth
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe
    ms-dns 172.16.2.11
    

    /etc/ppp/chap-secrets

    myusername   pptp    mypassword   10.1.2.100
    

    The final bit of the puzzle was to sort out a nice RedHat-style start/stop script. I couldn't find an existing one, so I’ve written one, which you can grab here (Broken link ~~http://milliwaysconsulting.net/useful.things/downloads/pptpd.sh~~).

    After the daemon has been started it's a simple matter of configuring your 2k/XP clients to connect. A nice tutorial on how to configure 2K can be found here.

    One last note: if you are connecting to a machine which runs iptables or some similar firewall you will need to allow PPTP into the machine. We run an iptables firewall on our PPTP server; the following rules will allow it through:

    # PPTP control connection (TCP 1723)
    iptables -A INPUT -p tcp --destination-port 1723 -j ACCEPT
    # GRE (IP protocol 47), which carries the tunnelled PPP frames
    iptables -A INPUT -p 47 -j ACCEPT
    

    That is all I needed to do to get my clients connecting. It should be noted that the clients were all behind ADSL routers (Dlink DSL 504, with forward PPTP turned on). More work needs to be done if your clients are behind a Linux NAT box.
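    Two pre-flight checks that are worth running before starting the daemon, as an added example (not part of the original post or of the poptop project): the first confirms that the options file still carries every directive the configuration above relies on to refuse the weaker authentication methods and require MS-CHAPv2 with MPPE, so that a later edit cannot silently weaken the link; the second confirms that chap-secrets is not readable by group or others, which is what the pppd manual page asks for. The file paths and the sample files are constructed here; the password in the sample is a placeholder.

```shell
# Added example (not from the original post): two pre-flight checks for the
# poptop setup above, run before starting pptpd. The directive list is taken
# from the /etc/ppp/pptp-options shown above; the permission expectation for
# chap-secrets follows the pppd man page (the file must not be readable by
# other users).

# Directives the post's pptp-options relies on to force MS-CHAPv2 + MPPE and
# refuse the weaker authentication methods.
REQUIRED_PPP_OPTIONS='auth refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe'

# check_pptp_options FILE: prints each missing directive, returns their count.
check_pptp_options() {
  missing=0
  for directive in $REQUIRED_PPP_OPTIONS; do
    # Anchor to a whole directive, so a longer option with the same prefix
    # (e.g. refuse-mschap-v2 style names) does not count as a match.
    if ! grep -qE "^[[:space:]]*$directive([[:space:]]|$)" "$1"; then
      echo "missing from $1: $directive"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# check_secrets_perms FILE: succeeds only if group and others have no read bit.
check_secrets_perms() {
  [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Demo on constructed files in a temporary directory (paths are assumptions).
demo() {
  tmp=$(mktemp -d)
  # The options file shown in the post, verbatim.
  cat > "$tmp/pptp-options" <<'EOF'
debug
name pptp
domain install.mydomain
auth
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
ms-dns 172.16.2.11
EOF
  # Constructed weakened copy: MPPE no longer required, MS-CHAPv1 still accepted.
  grep -v -e '^require-mppe$' -e '^refuse-mschap$' "$tmp/pptp-options" > "$tmp/weak-options"
  check_pptp_options "$tmp/pptp-options" && echo "pptp-options: ok"
  check_pptp_options "$tmp/weak-options" || echo "weak-options: $? directive(s) missing"
  printf 'myusername   pptp    PLACEHOLDER_PASSWORD   10.1.2.100\n' > "$tmp/chap-secrets"
  chmod 600 "$tmp/chap-secrets"
  check_secrets_perms "$tmp/chap-secrets" && echo "chap-secrets: permissions ok"
  rm -rf "$tmp"
}
demo
```

    On the real server run `check_pptp_options /etc/ppp/pptp-options && check_secrets_perms /etc/ppp/chap-secrets` from the start script before launching pptpd, so a misconfigured daemon never comes up.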


  • Making htpasswd files in windows

    Several of my hosting customers have asked about creating htpasswd files in windows. I’ve found this (Broken link http://help.bnsi.net/htpasswd/htpasswd.php) howto which also links to the htpasswd.exe.


  • ssh2 keys howto

    Found this (Broken link http://www.arches.uga.edu/~pkeck/ssh/) page, which has some useful information wrt single-use keys.


  • DJB Software broken with glibc 2.3.1

    I just tried to compile daemontools (Broken link ~~http://cr.yp.to/daemontools/~~), ucspi-tcp (Broken link http://cr.yp.to/ucspi-tcp/) etc. on RedHat 9 and found that they all error in a similar way, complaining about errno.h.

    Apparently it's caused by RedHat using glibc-2.3.1; some nice fellow has created patches for all the djb tools here (Broken link http://qmail.cbn.net.id/moni.csi.hu/pub/glibc-2.3.1/).

    Read more here (Broken link http://qmail.cbn.net.id/moni.csi.hu/pub/glibc-2.3.1/README)


  • Addressbook export

    I just needed to export a load of contacts from Address Book into some app which doesn't understand vCards. Found this utility:

    http://gwenhiver.net/applications/addressbookexporter/index.php


  • Reading text files in bash

    Reading a text file into bash with a for loop can produce unexpected results if a line in the text file has spaces in it.

    If you had a text file with this line in it:

    d/NON STUDIO/NON STUDIO105/Cavanaugh_M0228867.jpg
    

    And you were to read it with this simple script:

    for i in `cat image.list`
    do
        echo $i
    done
    

    You would get the following output which is probably not what you wanted:

    STUDIO105/Cavanaugh_M0228867.jpg
    d/NON
    

    If you use while instead of for and clear IFS (the Internal Field Separator, set to the empty string) like this:

    # IFS= stops read trimming blanks; -r keeps any backslashes in the line literal
    while IFS= read -r line
    do
        : do whatever with "$line"
    done < FILENAME
    

    You will get the desired output of:

    d/NON STUDIO105/Cavanaugh_M0228867.jpg
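    The two loops side by side, as an added example (not part of the original post), each wrapped in a function so the difference can be measured rather than eyeballed. The sample list is constructed here; it repeats the line with spaces from above and adds a line containing a backslash, which is why the while form uses `read -r`.

```shell
# Added example (not from the original post): the for loop and the while loop
# from the post, each counting the items it sees in the same constructed file.

# make_sample_list FILE: writes the constructed sample (not the author's image.list).
make_sample_list() {
  printf '%s\n' \
    'd/NON STUDIO/NON STUDIO105/Cavanaugh_M0228867.jpg' \
    'e/Plain_0001.jpg' \
    'f/back\slash_0002.jpg' > "$1"
}

# count_for FILE: the post's for loop. The shell word-splits the command
# substitution on IFS and glob-expands each word, so spaces create extra items.
count_for() {
  n=0
  for i in $(cat "$1"); do
    n=$((n + 1))
  done
  echo "$n"
}

# count_while FILE: the post's while loop. IFS= stops read from trimming
# blanks and -r stops it from eating backslashes: exactly one item per line.
count_while() {
  n=0
  while IFS= read -r line; do
    n=$((n + 1))
  done < "$1"
  echo "$n"
}

# nth_line FILE N: returns line N exactly as stored, using the while form.
nth_line() {
  i=0
  while IFS= read -r line; do
    i=$((i + 1))
    if [ "$i" -eq "$2" ]; then
      printf '%s\n' "$line"
      return 0
    fi
  done < "$1"
  return 1
}

list=$(mktemp)
make_sample_list "$list"
echo "for loop items:   $(count_for "$list")"    # 5: the first line splits into three words
echo "while loop items: $(count_while "$list")"  # 3: one per line
rm -f "$list"
```

    The for form also glob-expands each word, so a line containing `*` or `?` would be replaced by matching file names; the while form passes such characters through untouched.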
    


  • CSS Float Tutorials

    I can never get css right first time, hopefully reading this might help me


  • Things I have learnt this weekend about LDAP authentication and samba

    I have just spent a weekend setting up a samba 3.0.0 / ldap domain. It had moments of extreme pain - mostly related to the following…

    1. the samba ldap tools do not create full accounts for use with nss_ldap and pam_ldap - nice of them to tell us
    2. the documentation and error messages are Not Good - and there isn’t full, obvious documentation that states what nss_ldap and pam_ldap require as objectTypes.
    3. different versions of pam_ldap / nss_ldap require different objectTypes
    4. gentoo’s version is happy with a group just being a posixGroup
    5. RedHat 8.0’s version requires top to be an objectType in a group otherwise it just won’t work
    6. a user must have objectType account as well as posixAccount
    7. openldap on gentoo/pam_ldap does not support md5 passwords - use crypt (even plain doesn’t work out of the box)
    8. pam_ldap on gentoo (possibly others) does not react well to the ldap server being changed under it (/etc/ldap.conf) and the only way I could get it to respond to the new server was by rebooting the machine :-/
    9. For some reason the samba add machine to domain failed to produce a correct ldap entry for one of the machines (not known why yet) and this then buggered up the entry of further machines. Got errors to do with repeated sambaSid values and machines refused to join domains due to the user not being an administrator (this was patently not correct). Sometimes the machines would add to the domain, but it was intermittent. The only solution was to delete back to and including the entry which had the faulty entry. The entry was faulty because there was no uid number created with it, so the sambaSid was not created correctly. This took the better part of two days to sort out. This means I had to be in work over the weekend
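    Because the entries that caused the pain above were missing the objectTypes nss_ldap/pam_ldap wanted, or a uidNumber (item 9), a cheap check is to lint the LDIF before handing it to ldapadd. The script below is an added example, not part of the original post or of samba's ldap tools: it reads LDIF on stdin and reports every posixAccount that lacks objectClass account or a uidNumber, and every posixGroup that lacks objectClass top (items 5 and 6 above). The DNs, names and the `{CRYPT}` placeholder in the embedded sample are constructed.

```shell
# Added example (not from the original post): a pre-flight lint for LDIF before
# ldapadd. It checks the objectClass combinations the post found nss_ldap and
# pam_ldap to need (account + posixAccount for users, top on groups) and that
# every posixAccount carries a uidNumber, the omission behind the broken
# sambaSid in item 9. All entries below are constructed.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: alice
cn: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {CRYPT}PLACEHOLDER_CRYPT_HASH

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
cn: bob
gidNumber: 1001
homeDirectory: /home/bob

dn: cn=staff,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 1001
memberUid: alice'

# lint_ldif: reads LDIF on stdin, prints one PROBLEM line per finding.
lint_ldif() {
  awk 'BEGIN { RS = ""; FS = "\n" }   # one record per blank-line-separated entry
  {
    split("", oc); split("", attr); dn = "?"
    for (i = 1; i <= NF; i++) {
      sep = index($i, ": ")
      if (sep == 0) continue
      name = substr($i, 1, sep - 1); value = substr($i, sep + 2)
      if (name == "dn") dn = value
      else if (name == "objectClass") oc[value] = 1
      else attr[name] = 1
    }
    if ("posixAccount" in oc) {
      if (!("account" in oc))
        print "PROBLEM " dn ": posixAccount needs objectClass account as well"
      if (!("uidNumber" in attr))
        print "PROBLEM " dn ": no uidNumber, so no usable sambaSid"
    }
    if ("posixGroup" in oc && !("top" in oc))
      print "PROBLEM " dn ": posixGroup without objectClass top (RedHat 8.0 pam_ldap/nss_ldap)"
  }'
}

printf '%s\n' "$SAMPLE_LDIF" | lint_ldif
```

    Run it as `lint_ldif < new-entries.ldif` and only call ldapadd when it prints nothing; catching the missing uidNumber here is far cheaper than deleting back through the directory afterwards.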


  • Tool to test SMTP software

    swaks is a fantastic Perl script: you can do things like

    swaks -t jsmith@uk.company.com -s mailserver -q RCPT -f jsmith@uk.company.com
    

    …and it logs the IO on screen.

    There is a changelog for it here.