Glass Panes That Separate

transparent barriers to communication

Tag: tech

  • forwarding

    This is about using webmin to administer a firewall/router on Ubuntu Server 9.10. If you’ve already done everything in Wall, then there are two parts to forwarding any port to a machine behind your router. We are operating under the assumption that eth1 is your external interface, and eth0 is your internal one.

    First, you need to make a rule under the ‘filter’ IPtable in the INPUT section to allow the traffic in, since it isn’t established or related to any current connections.

    The rule should look something like this if you only have one IP address attached to your router’s external interface (see Static, but Not for a little more information on using IP aliases on your external interface):

    Accept if protocol is TCP and input interface is eth1 and destination port is 80

    Then go to the ‘nat’ IPtable, and add a corresponding rule that will look like this in the PREROUTING section:

    Destination NAT if protocol is TCP and input interface is eth1 and destination port is 80

    If you have multiple IP addresses on your external interface, simply add a condition for destination address that contains your external IP (in both the ‘filter’ rule, and the ‘nat’ rule). Destination NAT (or DNAT) rules are a little tricky (at least for me they were), so here’s a bit more guidance on that:

    Action to take = Destination NAT

    Under IPs and ports for DNAT, set IP range to the internal/private address of the machine that should receive the traffic you are forwarding (leave the ‘to’ field blank)

    Destination address = the external IP address being forwarded

    Incoming interface = your external interface (eth1 for me)

    Network protocol in our example was TCP

    Destination TCP or UDP port = 80

    If you have all those set, you can create the rule, and Apply Configuration. Repeat, and rinse. If the whole destination/source port thing confuses you, see Direction.

  • wall

    Ever wondered how to setup a firewall using Ubuntu Server edition? No? Then you’ll be pretty bored, so I suggest you stop reading now.

    If you answered yes, keep going. For my purposes, I’ve used the webmin firewall section, mostly to avoid learning iptables, or even something like shorewall. This was written using version 9.10, although the process should be quite similar to other versions of Ubuntu.

    The exact setup I’m going for here is a device that does NAT, and blocks all incoming connections that aren’t established or related. In another post, I’ll talk a bit about port forwarding, and some things to be aware of there. Both of the machines I’m using have eth1 as the outgoing interface, and eth0 as the internal connection (going to a switch, or a WAP, or another computer with a private network address).

    You should already have your external and internal interfaces connected and configured, and the box you are setting up as the ‘router’ should be able to ping google.com, and any internal networked devices/computers.

    The first thing that needs to happen, is that we need to enable ipv4 forwarding.

    Login on the command line and edit the file /etc/sysctl.conf. Find where it says ‘to enable packet forwarding for IPv4’, and uncomment the line below it. Also enable the one for IPv6 if you need it. Save the file, then run this:

    sysctl -p

    Now we’re ready to install webmin from here. I usually use wget, dpkg, and then aptitude like so:

    wget http://prdownloads.sourceforge.net/webadmin/webmin_1.490_all.deb
    aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
    dpkg -i webmin_1.490_all.deb

    You can then connect to webmin via https://yourserver:10000. Login with root, or an account that can sudo (like the one you created during the Ubuntu setup process).

    Navigate to Networking->Linux Firewall

    The first time, it will ask you to set the base rules, choose ‘Allow all traffic’ and Activate at Boot, then Setup Firewall. Then Apply Configuration on the next page. Don’t worry, we’ll lock it down a bit shortly.

    Where it says Showing IPtable, there should be three options, the first one we are concerned with is  Network Address Translation (nat).

    We need one rule here, and it belongs under POSTROUTING. It should be set to Masquerade if output interface is eth1 (your external nic).

    Apply the Configuration, and you should now be able to ping google.com from a computer behind the Ubuntu router.

    If you’re still with me, now we’re going to lock things down a bit. Go back to the Packet filtering IPtable, and create these rules under INPUT:

    Accept if input interface is eth0 (your internal nic)

    Accept if input interface is lo (local interface)

    Accept if input interface is eth1 (external) and state of connection is ESTABLISHED or RELATED

    Be absolutely sure you have your internal and external interface straight before this next step. As a safety net, be sure you can either access the console directly, or have an ssh session already established, just in case. Then set Drop as the default action for INPUT, and press Apply Configuration.

    If you did it right, you can still ping google.com from anywhere on your network and you’re done. If you did it wrong and can’t access the router anymore, hopefully you have that ssh session still open. Open /etc/iptables.up.rules with nano or vim and change :INPUT DROP [0:0] to :INPUT ACCEPT [0:0] under the *filter section. Then run this: iptables-apply /etc/iptables.up.rules and go back and figure out what you did wrong above. If you would like to continue and do port fowarding, see Forwarding.

  • spatents

    I’m sure I’ve probably ranted about software patents before, but this is just blatantly ridiculous. Microsoft has patented a method to elevate a user’s privileges. Now, I know the exact dialog box they are trying to protect, and I realize it functions just a tiny bit different than a normal ‘sudo’ command on Linux or Mac. However, the end result is the same: an unprivileged user is allowed, by user interaction, to run programs at a higher privilege level. There could be a technical difference here though. ‘Sudo’ allows a user in a specific list to gain the privileges of a higher user. If you’re not in the list, too bad. Microsoft’s implementation requires that you actually authenticate as an administrative user. So let’s go one better: the ‘su’ command in Linux (probably exists on a Mac too). The ‘su’ command does exactly what MS is doing (and then some); it allows a totally unprivileged user to become the root user, (or any other user), if they know that user’s password. And don’t forget that a patent must not be ‘obvious’ in nature. Not sure how this one gets around that. This also isn’t just a patent application at this point, they have already been awarded the patent…

    More info at http://www.groklaw.net/article.php?story=20091111094923390

  • noisetrade

    I was listening to the latest Relevant Podcast the other day, and they had an interview with Derek Webb that was very thought provoking and in the process he mentioned Noise Trade. I had heard about Noise Trade before, and even downloaded a couple albums. The idea is really cool: You can pay anything you want for an album, or you can tell five friends about it and get the album free. The albums I downloaded at the time seemed to be a bit lacking, but I visited it again today, and the selection has grown tremendously, and there seems to be some real quality music on there now (Derek Webb, for starters, although I’ve only heard a few of his songs).

    Going back to the core issue that he touched on though. Music is going, no, scratch that. Music has already gone digital. This makes it an infinitely reproducible commodity as one commenter said. Based on the laws of supply and demand, that makes it free (or close to free, since there are still distribution costs). Realistically, there has to be some way to make money from that, but you’re a bit at the mercy of the consumer now, since you can’t cut the supply (you could, but why?). I think a lot of artists are starting to get it, and doing some really cool experiments with pricing and marketing in the digital realm. The labels, however, seem to be drowning, gasping for breath, when the shore is mere feet away. If they would only look to the side, instead of the same way they’ve always been going.

  • unthawed

    This how-to assumes you’ve already read and followed most of Frozen. As mentioned in the previous article, this how-to is for Ubuntu 9.04. Once you have icecast and liveice working, you may want to use mp3’s as your source instead of live audio from your soundcard.

    The relevant bits are in liveice.cfg:

    SERVER hostnameofserver
    PORT 8000
    PASSWORD yourpasswordforicecast
    USE_LAME3 /usr/bin/lame
    NO_SOUNDCARD
    HALF_DUPLEX
    SAMPLE_RATE 22050
    BITRATE 32000
    MONO
    ENCODING QUALITY 30
    HTTP_LOGIN
    MOUNTPOINT live
    NAME, GENRE, PUBLIC, URL, and DESCRIPTION are all up to you
    PASSWORD your icecast password again
    MIXER
    PLAYLIST /home/user/someplaylistfile
    DECODER_COMMAND /usr/bin/mpg123
    UPDATE_DELAY 1
    MIX_CONTROL_AUTO

    The playlist file is simply plaintext, with one file per line, listed as the full path. Example:

    /home/user/music/song1.mp3
    /home/user/music/song2.mp3
    /home/user/music/song3.mp3

    Fire it up as before with:

    ./liveice -@ 2 -F liveice.cfg

    Skip the ‘-@ 2’ switch if you’re having trouble, and increase VERBOSE to 10 in liveice.cfg if necessary.