Archive for December, 2006

29 Dec

Server upgrade

Today the administration :) finally answered the pleas of the technical staff, and another 512MB of RAM was added to the server. We now have a whole 1GB. :) Anyway, this should mean the end of the problems with server availability and slow response times. Yoohoo! =|:)

26 Dec

Linux NAT with one network interface?

This morning I ran into a problem trying to set up IP masquerading on my ASUS notebook. The notebook has only one network interface, and it is connected to my cable modem. No problem, I thought: I will connect my notebook, the cable modem and my wife's notebook to a small switch I have, then create an interface alias on my primary network interface and set up simple IP masquerading so that both notebooks have internet access. Simple as that. The network would look like this:

[Diagram: Home LAN]

First, I added an interface alias so that I could talk to the other notebook:

# ifconfig eth0:1 192.168.0.1 netmask 255.255.255.0
# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=128 time=0.177 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=128 time=0.159 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=128 time=0.148 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=128 time=0.198 ms
--- 192.168.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.148/0.170/0.198/0.023 ms

That seems to work. On to the next step: we have to set up NAT between those two computers. For my configuration, the exact process should be:

# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -A FORWARD -i eth0 -o eth0:1 -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i eth0:1 -o eth0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

So let's do it:

# echo "1" > /proc/sys/net/ipv4/ip_forward

No error so far. Next:

# iptables -A FORWARD -i eth0 -o eth0:1 -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
Warning: wierd character in interface `eth0:1'
(No aliases, :, ! or *).

What was that?! "Warning: wierd character in interface `eth0:1' (No aliases, :, ! or *)." Hmm... maybe I made a typo? I don't think so (although there is a typo in the error message; weird is not spelled like that :)). It seems that netfilter is not able to do NAT with only one interface, at least not by naming an alias: eth0:1 is just a second address on eth0, not a real interface, so iptables rejects it in -i/-o. Which is pretty reasonable. But, cheap as I am, I had no intention of buying a new PCMCIA network card, so I had to find a way of doing this with only one interface.

After an hour spent searching Google for an answer, I started getting some ideas. If we cannot use the interface alias, maybe we can use the IP address of the other node in the network instead of it. It seemed like a wild guess, but I was getting pretty desperate. :)

# iptables -A FORWARD -i eth0 -d 192.168.0.2 -m state \
> --state ESTABLISHED,RELATED -j ACCEPT

No error. That's a good sign. So, let's try the rest.

# iptables -A FORWARD -s 192.168.0.2 -o eth0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Again, no error. Let's test it from the other node.

# ping google.com
PING google.com (72.14.207.99) 56(84) bytes of data.
64 bytes from 72.14.207.99: icmp_seq=1 ttl=241 time=142 ms
64 bytes from 72.14.207.99: icmp_seq=2 ttl=241 time=141 ms
64 bytes from 72.14.207.99: icmp_seq=3 ttl=241 time=143 ms
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 141.888/142.763/143.515/0.669 ms
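The rules that worked, collected into one script as an added example (not the post's own commands), with two things I would add before leaving it running: a default-deny FORWARD policy, without which the ESTABLISHED,RELATED rule accepts nothing that would not be accepted anyway, and an up-front check that mirrors the alias error iptables printed above. Interface name, peer address and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): single-interface
# masquerading for one LAN host. With DRY_RUN=1 (the default) the
# commands are only printed; run as root with DRY_RUN=0 to apply them.
WAN_IF="eth0"           # the only physical interface (assumed name)
LAN_HOST="192.168.0.2"  # the other notebook behind the NAT
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iptables -i/-o take real device names only; an alias such as eth0:1
# is rejected ("No aliases, :, ! or *"), so catch it before touching rules.
valid_ifname() {
  case "$1" in
    ''|*:*|*'!'*|*'*'*) return 1 ;;
  esac
  return 0
}

nat_rules() {
  valid_ifname "$WAN_IF" || {
    echo "refusing interface name '$WAN_IF' (aliases are not interfaces)" >&2
    return 1
  }
  run sysctl -w net.ipv4.ip_forward=1
  # Default-deny FORWARD: otherwise the state rule below is decorative,
  # because everything not matched is accepted anyway.
  run iptables -P FORWARD DROP
  # Replies to the LAN host arrive on eth0 and leave on eth0 again.
  run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -d "$LAN_HOST" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Outbound traffic is matched by source address instead of by alias.
  run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -s "$LAN_HOST" -j ACCEPT
  # Masquerade only the LAN host, not every packet that leaves eth0.
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_HOST" -j MASQUERADE
}

nat_rules
```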

Wow, it works. :) Sometimes being cheap pays off. :) So, one problem down. What about port forwarding? My wife is a huge eMule fan, and if her incoming eMule port is blocked she gets a LowID, which makes downloading painful. Again, I first tried iptables.

# iptables -t nat -A PREROUTING -p tcp -i eth0 \
> -d 87.103.21.41 --dport 34567 -j DNAT --to 192.168.0.2:34567
# iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 \
> --dport 34567 -j ACCEPT

And for some reason this was not working. At this point I gave up and tried something else. Something that works. :-p

I'm sure most of you know that one of the features of SSH is port forwarding.

# ssh -g -N -L 34567:192.168.0.2:34567 localhost
root@localhost's password:

And that's it. With this we have forwarded port 34567 on localhost to port 34567 on the other notebook, with address 192.168.0.2. But there is still one problem. Done this way, the port forwarding cannot be started at system boot, since it demands user interaction (ssh asks for a password when started). That problem is also easy to solve. We need to generate a key that we will use instead of the password.

# ssh-keygen -t dsa -b 1024 -f /root/ssh_key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/ssh_key.
Your public key has been saved in /root/ssh_key.pub.
The key fingerprint is:
c7:05:e7:e6:38:77:82:79:a1:d9:b5:ab:2f:3a:84:02 root@localhost

Now all we need to do is copy /root/ssh_key.pub into /root/.ssh/authorized_keys, and the next time we log in using this key we will not be asked for a password.

# cat /root/ssh_key.pub >>/root/.ssh/authorized_keys

For the sake of security we can restrict login with this key to localhost only, so our /root/.ssh/authorized_keys will look like:

from="127.0.0.1" ssh-dss AAAAB3NzaC1kc3MAAACBAKtVMMBIqjAmXKkk…

We can test it to see if it works.

# telnet 87.103.21.41 34567
Trying 87.103.21.41...
telnet: connect to address 87.103.21.41: Connection refused
telnet: Unable to connect to remote host: Connection refused
# ssh -g -N -L 34567:192.168.0.2:34567 87.103.21.41 \
> -i /root/ssh_key
root@87.103.21.41's password: ^C
# ssh -g -N -L 34567:192.168.0.2:34567 localhost \
> -i /root/ssh_key
# telnet 87.103.21.41 34567
Trying 87.103.21.41...
Connected to 87.103.21.41 (87.103.21.41).
Escape character is '^]'.
Connection closed by foreign host.
#
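The key-only tunnel above is what a boot script would start, so here is an added example (not from the original post) of the two pieces I would write for that: the ssh command with the options that make it fail cleanly instead of hanging when the key does not work, and the authorized_keys line with the `from="127.0.0.1"` restriction extended so the key can do nothing except open this one forward. The key path, port and LAN address are taken from the post; the public key material is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): a boot-safe version of the
# ssh port forward and a least-privilege authorized_keys entry for its key.
KEY="/root/ssh_key"      # key generated with ssh-keygen in the post
LAN_HOST="192.168.0.2"   # the other notebook
PORT="34567"             # the eMule port being forwarded

# Command for an init script. BatchMode=yes never prompts for a password
# (ssh fails instead, which is what you want with nobody at the keyboard);
# ExitOnForwardFailure=yes makes ssh exit if port 34567 cannot be bound,
# so a supervisor notices instead of keeping a useless session alive.
tunnel_cmd() {
  printf '%s\n' "ssh -g -N -o BatchMode=yes -o ExitOnForwardFailure=yes -i $KEY -L ${PORT}:${LAN_HOST}:${PORT} localhost"
}

# Prefix a public key line (as written by ssh-keygen) with options that
# limit the key to this job: log in from 127.0.0.1 only, permit only the
# one forward target, force a no-op command so the key yields no shell,
# and disallow pty, agent and X11 forwarding. With -N the forced command
# is never run; the tunnel still works.
restricted_key_line() {
  pubkey="$1"
  case "$pubkey" in
    ssh-dss\ *|ssh-rsa\ *) ;;
    *) echo "not a public key line: $pubkey" >&2; return 1 ;;
  esac
  printf '%s\n' "from=\"127.0.0.1\",permitopen=\"${LAN_HOST}:${PORT}\",command=\"/bin/false\",no-pty,no-agent-forwarding,no-X11-forwarding $pubkey"
}

# Constructed sample key line for demonstration; not real key material.
SAMPLE_PUB="ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEYMATERIAL root@localhost"

tunnel_cmd
restricted_key_line "$SAMPLE_PUB"
```

Append the output of restricted_key_line to /root/.ssh/authorized_keys in place of the plain key line from the post; the tunnel then works only from the notebook itself and only towards 192.168.0.2:34567.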

That's all, folks. :)

21 Dec

Zdarma

Since I always have trouble coming up with a title for a new post, I have decided to use it as a reminder of various Czech words and expressions. It comes in handy for readers learning new words, and for me as a reminder when I forget (which is always :)). So, today we have one very important word that is very useful to know:

zdarma – free of charge, gratis

Example: It is always a nice feeling to thwart shopkeepers who try not to give you something you are entitled to 'zdarma', isn't it? :)

[Photo: Oskar]

Today I was thinking about what I miss most from Serbia. Of course, in first place are the dog, family and friends; there is no point even discussing that. But you will never guess what comes second. No, it is not the Serbian language. And no, it is not yogurt (they have nicer yogurt here :) although tastes differ :)). It is not burek either. (mmm, burek :)) So, the thing I miss more than all of that is SBB's DC hub. I was simply speechless when my darkest fears came true, when I got here and saw that I could not connect. To hell with you, heartless SBB administrators!! (all except Džoni :)) (dramatic pause) It is logical that they do not let users of other providers use it, but damn it, they could make an exception for us expats who miss the homeland so much. :) What I will do now without my main source of music and films I still have not figured out, but it will be hard to find a replacement. sniff sniff

Oh yes, we haven't bragged yet. Marica got a job offer from Honeywell. What exactly it is you will be able to read on her blog, because unfortunately mechanical engineering is not my strong suit, so I did not understand a thing :)

As for my news, a couple of weeks ago I finally started doing real work, I went through the H5875S course for HP-UX, and I started learning C. And so, nothing particularly new. :) For New Year's we are definitely not going to Prague. Not because we want to save money (God forbid :)), but because we concluded it will be far too crowded. So we will most likely spend the next (Christmas) weekend there. But that is a matter for later. :)

And to close this post, so as not to break the blog's multimedia tradition, here is a nice song (downloaded, of course, from the SBB hub sniff :'( ): Pero Defformero – Srca Tvoga Plam.

04 Dec

Bella ciao

Wow, how time flies. I did not even notice that I had not written anything for 20 days. Mainly the reason was that nothing interesting was happening, and among other things I was busy studying a pile of procedures that I have to learn before I can do anything at all. For every action there is a procedure that defines how, what and in which way it is done. And for everything you have to ask permission from the people/groups the action might affect, however trivial it may be. All this seems very complicated and sometimes unnecessary, but considering that there are clients for whom an hour of unavailability of some service/server costs a couple of million euros, it is all very justified. If nothing else, by following the procedures you protect yourself in case something goes wrong. And everyone in this line of work knows that this happens far too often, and always when you least expect it (Murphy is a wonder :)).

All of this is completely different from the way of working I am used to, so I will need a little time to adjust. Whereas here you have to announce a restart of some service at least five days in advance and get approval from 4-9 user groups, and only after 2 rounds of checks on test servers (which also requires an announcement and approval from the same users), I am used to everything being done right here and now, on live production servers. Hardly anyone thinks about testing and test servers (nobody except maybe Joca :)). I am joking of course, but as always the truth is not far from the joke. :)

And so, while a (slightly) clearer picture finally crystallizes in my head out of the whole (primeval) forest of information, I spend my time listening to punk covers of various revolutionary songs (Boikot – Bella Ciao/No Pasaran (lyrics)) and thinking about whether to spend New Year's in Prague or to finally get serious and start saving money. I think we are currently closer to the first option. After all, you only live once, right? ;)
