ejohansson.se » network

Transparent HTTP proxy in python

Erik Johansson — Tue, 06 Mar 2012 09:02:05 +0000

I recently wanted to modify a web resource that a device on my local network loads when starting. To avoid having a static local modified copy of the resource I wrote a simple transparent HTTP proxy in python using the Twisted networking engine (which btw was a joy to use) which does the modification when the resource is loaded. The code is not modular (e.g. the resource modification is hard coded in the processResponse() function) and the logging is very verbose, but if anyone is interested the code is available on github: transparent-proxy.git.

The proxy is now running on my local server which sits behind the real gateway. Besides making the device use the server as gateway and enable NAT on the server this single iptables rule is all that is needed:

iptables -t nat -A PREROUTING -s $CLIENT_IP -p tcp --dport 80 -j REDIRECT --to-port 8080

SFTP only access to server

Erik Johansson — Tue, 29 Nov 2011 10:17:16 +0000

I recently installed a NAS server in my home and wanted to give my family and relatives access to it so that they could use it as a remote backup server for photos and stuff. To keep it as secure as possible I only wanted to give them SFTP access.

(All commands below are executed as root.)

First I created a group to group them together and then added the users to that group. I choose to disable their password as I only allow logins using SSH keys.

addgroup sftponly
# Repeat the line below for each user
adduser --disabled-password --ingroup sftponly ausername

As for the upload directory I wanted them to upload their data to my raid1 volume mounted under /data/pool1. Since OpenSSH has some requirements for the permission on the directories used as chroot I created the following directory layout.

cd /data/pool1
mkdir -m 751 sftp
ln -s . sftp/home
# Repeat the lines below for each user
mkdir -m 700 sftp/ausername
chmod ausername.root sftp/ausername

The home symlink is there to make the initial SFTP directory /ausername and the sftp directory is created with 751 to disallow directory listing in the top directory.

Then, as “all components of the pathname must be root-owned directories that are not writable by any other user or group” and /data/pool1 is not root owned I created a bind mount by adding the following to /etc/fstab.

/data/pool1/sftp  /srv/sftp  bind  bind  0  0

Before the initial mount, the directory must be created.

mkdir /srv/sftp
mount /srv/sftp

Then, the final part was to configure OpenSSH by adding the following lines at the end of /etc/ssh/sshd_config.

Match Group sftponly
  ChrootDirectory /srv/sftp
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Remember to restart the server afterwards.

Wake on LAN with Debian

Erik Johansson — Thu, 31 Dec 2009 13:45:20 +0000

To enable Wake on LAN on a Asus P5E-V motherboard under Debian you can do the following. Since I have a Asus motherboard, that’s the only one I’ve tested, but except from the BIOS (which may differ a bit), the instructions should be the same for all motherboards/NIC that supports Wake on LAN.

In the BIOS, enable “Power on by PCIE device”.

In Linux, first install ethtool and then check that Wake on LAN is supported by running the following command:

root@host$ ethtool eth0
...
        Supports Wake-on: g
        Wake-on: g
...

The output should contain a ‘g’ to indicate that the device can be woken by sending it a “magic packet”.

Enable Wake-on by running:

root@host$ ethtool -s eth0 wol g

Since this command must be run on every boot, add it to /etc/rc.local.

root@host$ cat /etc/rc.local
...
ethtool -s eth0 wol g
exit 0

As the last step we must make sure that halt doesn’t disable the network device. This is done by adding this line to /etc/default/halt:

NETDOWN=no

We also need the MAC address to send the magic packet to.

root@host$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1e:8c:cf:d0:bb  
...

Then shutdown the computer. On an other computer, install e.g. wakeonlan and run:

user@other$ wakeonlan 00:1e:8c:cf:d0:bb

The computer should now start.

Wii and Netgear WNR834B

Erik Johansson — Sat, 20 Dec 2008 17:44:23 +0000

I recently had a lot of problems connecting my Nintendo Wii wireless to my girlfriend’s Netgear router (WNR834B). The router was configured to use WPA-PSK [TKIP] + WPA2-PSK [AES] with a fairly long pass phrase (ASCII characters). It worked very well with my iBook (Mac OS X) and worked most of the time with my girlfriend’s laptop (Windows Vista). But it seemed like Windows used the WPA variant instead of WPA2. It just didn’t connect when forcing it to use WPA2. And the Wii would only connect if we turned encryption off. Not acceptable!

We tried many things to get the Wii to connect, without any success. In a last attempt we tried changing the pass phrase to a 64 characters long hexadecimal pass phrase. That did the trick. Both the Wii and both laptops now connect without any problem. So if you are having problems connecting your Wii to the wireless network, try changing the pass phrase to consist of hexadecimal characters (0-9, A-F) only. For WPA/WPA2 it must be exactly 64 characters long.

Simulate a slow network

Erik Johansson — Fri, 24 Mar 2006 08:47:10 +0000

Kurt Pfeifle has written an interesting article about how to simulate a slow network. I haven’t been able to test it yet since CONFIG_NET_SCH_NETEM wasn’t enabled in my kernel config. But as soon as I have recompiled my kernel, I will.

More information on netem’s homepage.