Re: Services in a multihomed machine
hello,

I think it should be no problem (at least with smtp) to mangle packets by destination port:

iptables -t nat -I POSTROUTING -p tcp --destination-port 25 -j SNAT --to-source x.x.x.x

or use this in postfix main.cf (but I cannot verify this because I am using qmail):

# listening ip
inet_interfaces = x.x.x.x
# outgoing ip
smtp_bind_address = x.x.x.x

:wq
buz

On Wed, Oct 01, 2003 at 08:54:21PM +0200, Roman Medina wrote:
>
> Hello,
>
> Let's suppose a server using ip-aliasing, with two public IPs (on the
> same subnet): ip1 and ip2. The server runs two services:
> - MTA (postfix) on ip1
> - WWW (apache) on ip2
> (I mean, each service is bound to only one ip, not 0.0.0.0).
>
> According to the routing table, the default gateway is reached through
> ip2. This means that when the server acts as a client machine it will
> always use ip2.
>
> Now let's suppose that somebody is using your MTA to send an email.
> The server reads the email through ip1, and then will initiate a new
> connection to a second MTA (for delivery purposes), according to the
> MX record of the destination domain. Well, the problem is that this
> new connection is originated from ip2 (the one used for client
> purposes as well as the WWW server).
>
> I'd like all MTA related tasks to be launched always from ip1. Do
> you know any way of getting this to work?
>
> I haven't tried it yet but if I'm not wrong there is a way to
> create iptables rules based on system processes. So I had thought of
> creating such a rule to mangle packets with ip2 (wrong ip) when they
> are generated from postfix. Do you think it is a good idea? Would it
> cause an overload in CPU time?
>
> Which other solutions do you know to solve the problem?
>
> Saludos,
> --Roman
>
> --
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

--
There he goes. One of God's own prototypes. Some kind of high powered mutant never even considered for mass production. Too weird to live, and too rare to die.
-- Hunter S. Thompson

GnuPG Fingerprint: 2FFF FC48 C7DF 1EA0 00A0 FD53 8C35 FD2E 6908 7B82
Re: Root-like filesystem permissions.
hello,

On Fri, Aug 01, 2003 at 10:00:27AM +0900, Nathan Ollerenshaw wrote:
> The apache daemon runs as a "www" user and group, and every domain
> has a unique userid and groupid assigned to it. The apache daemon runs
> in a chroot. (Therefore, the /etc/passwd and /etc/group entries for
> user sites only exist in the chroot - so that CGIs will work correctly).
>
> This works fine, however it has some flaws.
>
> Currently, permissions on the customer directories need to be lax
> enough for the apache daemon to read the files. This means at least 771
> for the docroot (which disables multi).
>
> What I would LIKE is to have all permissions on customer files and
> directories be 700 or 600 respectively (except for executable CGIs
> of course).

I have a similar setup on my servers and I use POSIX ACLs (http://acl.bestbits.at/) to get finer filesystem permissions. the permissions for customer files are 700/600. then I manipulate the acl to grant www-data read access to the files.

[EMAIL PROTECTED]:/sites/domainuid# setfacl -m u:www-data:r-x htdocs
[EMAIL PROTECTED]:/sites/domainuid# getfacl htdocs/
# file: htdocs
# owner: domainuid
# group: domaingid
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---

you can also have default acls, so all new files below this directory will inherit these permissions.

but the best thing for this case would be to migrate to apache2-mpm-perchild, if it ever becomes stable :-)

regards
buz

--
This is a free country. You have a right to send me email, and I have a right not to read them!

GnuPG Fingerprint: 2FFF FC48 C7DF 1EA0 00A0 FD53 8C35 FD2E 6908 7B82
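The ACL approach above, written out as a script. This is an added example, not code from the original post: the docroot path and the web server user are constructed placeholders, and it also shows the ordering caveat that chmod after setfacl shrinks the ACL mask.

```shell
#!/bin/sh
# Added example, not from the original post: keep a customer docroot at
# 700/600 for its owner and grant only the web server user read access via
# POSIX ACLs (setfacl), with a default ACL so new files inherit it.
# Paths and the web user are constructed placeholders; run as root, or with
# DRY_RUN=1 to only print the commands.
WEB_USER=${WEB_USER:-www-data}

# run CMD...: echo the command under DRY_RUN, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# grant_web_read DOCROOT: owner keeps full control, group and other get
# nothing, $WEB_USER may traverse directories and read files (never write).
grant_web_read() {
    docroot=$1
    # Base mode 700 for directories and 600 for files (X = dirs only).
    # This must come first: chmod on a file that already has an ACL rewrites
    # the mask entry from the group bits and would silently revoke the
    # rights granted below.
    run chmod -R u=rwX,go= "$docroot"
    # Access ACL on what exists already: x is needed to enter directories,
    # r is enough for files. setfacl recalculates the mask to fit.
    run find "$docroot" -type d -exec setfacl -m "u:$WEB_USER:r-x" {} +
    run find "$docroot" -type f -exec setfacl -m "u:$WEB_USER:r--" {} +
    # Default ACL on every directory: files and subdirectories created later
    # inherit the entry, so uploads by the customer stay readable by the
    # web server without a cron job re-running setfacl.
    run find "$docroot" -type d -exec setfacl -d -m "u:$WEB_USER:r-x" {} +
}

# Only act when invoked explicitly with a docroot argument.
if [ -n "${1:-}" ]; then
    grant_web_read "$1"
fi
```

Check the result afterwards with getfacl on a directory and on a file; the effective rights are the ACL entry ANDed with the mask line.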
Re: Visitor based networking
one way would be to first redirect all outgoing traffic via iptables to a webserver with an auth-cgi. after authentication new iptables/tc rules are inserted for the current user-ip. i don't know if there is already such a script, but i think it would be no big problem. perhaps pam_iptables is also possible with pam_auth in squid...

buz

On Tue, 2003-06-10 at 19:53, Stefan Neufeind wrote:
> But what if you need an "open" system? Not logging into the domain but
> logging in via webinterface? E.g. when they try to surf the net they
> get redirected to "authenticate here first".
>
> On 10 Jun 2003 at 9:06, Bastian Winkler wrote:
>
> > perhaps the following could fit your needs:
> > http://linux-rep.fnal.gov/howtos/Authentication-Gateway-HOWTO/
> > personally i use pam_iptables in combination with a samba PDC to
> > control network access with iptables+htb for windoze-clients on domain
> > logon. its a nice way to control some special kazaa users whatever
> > machine they use ;-)
> >
> > buz
> >
> > On Mon, 2003-06-09 at 22:36, Alex (LEX) Borges wrote:
> > > I know this is doable by hand, but I'm wondering if anyone knows of a
> > > cool set of scripts or something for visitor based networking
> > > (something like dhcp+cbq+iptables to control who's accessing what and
> > > to allow access to a network where you should on a time basis...etc.
> > > Think hotels with eth access or airports with wifi)
>
Re: Visitor based networking
hi,

perhaps the following could fit your needs:
http://linux-rep.fnal.gov/howtos/Authentication-Gateway-HOWTO/

personally i use pam_iptables in combination with a samba PDC to control network access with iptables+htb for windoze-clients on domain logon. its a nice way to control some special kazaa users whatever machine they use ;-)

buz

On Mon, 2003-06-09 at 22:36, Alex (LEX) Borges wrote:
> I know this is doable by hand, but I'm wondering if anyone knows of a
> cool set of scripts or something for visitor based networking
> (something like dhcp+cbq+iptables to control who's accessing what and to
> allow access to a network where you should on a time basis...etc. Think
> hotels with eth access or airports with wifi)
>
Re: HELP Need to setup bandwidth shaping box ...Got tough boss.
try this: http://lartc.org/howto/

buz

On Mon, 2003-06-09 at 12:02, Gregory Machin wrote:
> Need to set up a bandwidth shaping box (need to control down to ports on ip
> address), BUT it needs to have a user interface so the non-linux user can alter
> settings, and it needs to generate (detailed) stats.
>
> Please help ..
> Many thanks
> Gregory Machin
>
Re: Samba & LDAP
On Wed, Jun 04, 2003 at 11:48:13AM +0200, Hirling Endre wrote:
> On Mon, 2003-06-02 at 16:35, Bastian Winkler wrote:
> > if you are using samba with "--with-ldapsam", samba is looking for the
> > lmPassword and ntPassword attributes in ldap. it is no problem to keep
> > this password in sync with a small script and samba set "unix password
> > sync = yes" in your smb.conf. if you really want to use the
> > unix-passwords with samba you must not use encrypted passwords :-(
> > read ENCRYPTION.html in the samba-doc package for this problem.
>
> FYI samba can do 'ldap passwd sync' when it modifies the LDAP password
> directly with a modify_password LDAP operation. No need for scripts,
> passwd chat, etc. This works with the samba package in sid, it has to be
> patched, though, because the password change operation is no longer
> experimental in slapd v2.1 which is also in sid.

i know, this option has been in samba since 3.0-alpha20. it works really great, but in my case samba-3.0-alpha was not stable enough for production use. does this option also work with kpasswd in openldap? i store my passwords in kerberos, its no problem to keep this in sync with "passwd chat"

:wq
buz
Re: Samba & LDAP
hi,

On Mon, Jun 02, 2003 at 03:33:50PM +0200, Ghe Rivero wrote:
> Hi!
> I need a PDC for a win2k & linux network and i have a couple of
> questions...
>
> 1.- Why do i need packages to manage samba & ldap passwords at the same
> time? I thought that the ldap directives in the smb.conf file were
> enough.

if you are using samba with "--with-ldapsam", samba is looking for the lmPassword and ntPassword attributes in ldap. it is no problem to keep this password in sync with a small script and samba set "unix password sync = yes" in your smb.conf. if you really want to use the unix-passwords with samba you must not use encrypted passwords :-( read ENCRYPTION.html in the samba-doc package for this problem.

>
> 2.- In the linux clients... how do i manage to authenticate against
> the smb server and to mount the home directory of the user
> automatically? Or is it better to authenticate against the ldap server?

there is a way to authenticate windows-clients against the ldap server, but this is much client-work. simply use the samba-ldap installation as PDC and let the workstations join the domain. see Samba-LDAP-HOWTO.html in samba-doc or http://www.unav.es/cti/ldap-smb-howto.html

buz
Re: Selecting source ip
hi,

you could use iptables with SNAT to change your source ip. in combination with the owner match module you could e.g. match packets generated by a specific pid or uid.

OWNER match v1.2.7a options:
[!] --uid-owner userid       Match local uid
[!] --gid-owner groupid      Match local gid
[!] --pid-owner processid    Match local pid
[!] --sid-owner sessionid    Match local sid
[!] --cmd-owner name         Match local command name

should work for a ping:

iptables -t nat -A POSTROUTING -m owner --cmd-owner ping -j SNAT --to-source a.b.c.d

buz

On Wed, 2003-05-28 at 23:02, Stefan Neufeind wrote:
> Hi,
>
> when I request a file from a linux box using lynx the source ip of my
> request is the ip of eth0. But how can I change the source ip to
> other ips which are also bound to eth0 (via eth0:0 etc.)? Do I need
> to change the default gateway from eth0 to eth0:0 for example? Isn't
> there a way to just change the source ip for all programs I will
> execute in my current environment / bash without affecting other
> programs / tasks?
>
> Yours sincerely,
> Stefan
>
Re: VPN gateway
hello,

i think you are using the ipsec.exe from http://vpn.ebootis.de on the win2k/xp side to generate the policies. in this case you should also take a look at http://vpn.ebootis.de/ipsec-conf.htm for the windoze ipsec.conf

buz

On Sun, 2003-05-25 at 17:53, Craig wrote:
> Hi Guys
>
> Having a few problems with setting up a VPN gateway on Linux,
> specifically a debian firewall box and having windows 2000
> boxes authenticate using certs.
>
> I have generated a cert for the gateway machine using the openssl packages
> and installed it. I have also configured freeswan to the best of my
> knowledge and then generated a cert for a test windows 2000 machine and
> afaik they are not authenticating.
>
> Here is a copy of the freeswan config file on the VPN gateway:
>
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>
> # basic configuration
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
>
> # defaults for subsequent connection descriptions
> # (mostly to fix internal defaults which, in retrospect, were badly chosen)
> conn %default
>         keyingtries=2
>         compress=yes
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>
> conn roadwarrior-net
>         leftsubnet=10.3.0.0/23
>         also=roadwarrior
>
> conn roadwarrior
>         right=%any
>         left=%defaultroute
>         leftcert=gateway.pem
>         auto=add
>         pfs=yes
>
> And here is a copy of the ipsec.conf file on the windows 2000 box:
>
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>
> # basic configuration
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
>
> # defaults for subsequent connection descriptions
> # (mostly to fix internal defaults which, in retrospect, were badly chosen)
> conn %default
>         keyingtries=2
>         compress=yes
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>
> conn roadwarrior-net
>         leftsubnet=10.3.0.0/23
>         also=roadwarrior
>
> conn roadwarrior
>         right=%any
>         left=%defaultroute
>         leftcert=gw.frame.co.za.pem
>         auto=add
>         pfs=yes
>
> Any help would be appreciated.
>
> ..c
>
Re: Multiple ISP's and traffic shaping
hi,

it should work if you use iproute and iptables.

add ISP0 and ISP1 to /etc/iproute2/rt_tables

make a default route for each table:

ip route add default via $ISP0 table ISP0
ip route add default via $ISP1 table ISP1

then let your linux-box know when to use the tables:

ip rule add fwmark 1 table ISP0
ip rule add fwmark 2 table ISP1

now it should route packets marked with '1' through ISP0 and packets marked with '2' through ISP1. you can mark packets with iptables now, e.g.

iptables -t mangle -A PREROUTING -s $DMZ -j MARK --set-mark 2

note: in some cases i had to use additional SNAT with iptables to send the packets with the correct source ip.

iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $ISP1_IP

perhaps it helps for you.

buz

On Thu, 2003-05-22 at 15:48, mslucas wrote:
> Hi,
>
> What do I have to install to get the following situation working?
> Except iptables as the firewall.
> I tried it with iptables and then NATing and with "ip route" but it isn't
> working
>
> Caution a lot of "is allowed" and "is not allowed" detected
>
>     Internet                 Internet
>      ISP 0                    ISP 1
>        |                        |
>        v                        v
> Private LAN <-> this server <-> Office LAN
>                      ^
>                      |
>                     DMZ
>
> Traffic from my private LAN must go to ISP0, and is allowed to go to ISP1
> only if ISP0 is down (bandwidth must be limited)
>
> Traffic from my Office LAN must go to ISP1, and is allowed to go to ISP0 if
> ISP1 is down or if there is more traffic than ISP1 can accept.
>
> Traffic from my DMZ must go to ISP1, and is allowed to go to ISP0 only if
> ISP1 is down..
>
> Traffic from my private LAN is not allowed to go to my Office LAN but
> traffic from Office to private is allowed.
>
> Can somebody give me a hint which program is able to make my situation work.
>
> Thanks in advance,
>
> Maurice Lucas
> TAOS-IT
>
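The fwmark routing recipe above as one script, mapping the three networks from the question onto the two ISPs. This is an added example, not code from the original post: all gateway addresses and networks are constructed placeholders, and it adds the step the recipe leaves out, namely keeping traffic between the local networks unmarked so it is not sent out through an ISP table that only holds a default route.

```shell
#!/bin/sh
# Added example, not from the original post: two fwmark-selected routing
# tables (ISP0, ISP1), marks by source network (private LAN -> ISP0, office
# LAN and DMZ -> ISP1) and SNAT so marked packets leave with the address of
# the uplink they were routed over. Addresses are constructed placeholders;
# run "apply" as root to install, or set DRY_RUN=1 to only print commands.
ISP0_GW=${ISP0_GW:-198.51.100.1}    # next hop on the ISP0 link
ISP1_GW=${ISP1_GW:-203.0.113.1}     # next hop on the ISP1 link
ISP0_IP=${ISP0_IP:-198.51.100.10}   # our own address on the ISP0 link
ISP1_IP=${ISP1_IP:-203.0.113.10}    # our own address on the ISP1 link
PRIVATE_LAN=${PRIVATE_LAN:-10.1.0.0/24}
OFFICE_LAN=${OFFICE_LAN:-10.2.0.0/24}
DMZ=${DMZ:-10.3.0.0/24}

# run CMD...: echo the command under DRY_RUN, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Register the table names once; 100 and 101 are arbitrary unused ids.
add_rt_tables() {
    for entry in "100 ISP0" "101 ISP1"; do
        if ! grep -qs "^$entry\$" /etc/iproute2/rt_tables; then
            run sh -c "echo '$entry' >> /etc/iproute2/rt_tables"
        fi
    done
}

setup_policy_routing() {
    add_rt_tables
    # One default route per table.
    run ip route add default via "$ISP0_GW" table ISP0
    run ip route add default via "$ISP1_GW" table ISP1
    # Packets carrying mark 1 are looked up in ISP0, mark 2 in ISP1. These
    # rules are consulted before the main table.
    run ip rule add fwmark 1 table ISP0
    run ip rule add fwmark 2 table ISP1
    # Traffic between our own networks must stay unmarked and use the main
    # table; the ISP tables know nothing about the local subnets.
    for net in "$PRIVATE_LAN" "$OFFICE_LAN" "$DMZ"; do
        run iptables -t mangle -A PREROUTING -d "$net" -j RETURN
    done
    # Everything else is marked by the network it came from.
    run iptables -t mangle -A PREROUTING -s "$PRIVATE_LAN" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -s "$OFFICE_LAN" -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -s "$DMZ" -j MARK --set-mark 2
    # Rewrite the source address to match the uplink, so replies come back
    # over the same ISP instead of the one holding the main default route.
    run iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source "$ISP0_IP"
    run iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source "$ISP1_IP"
    # Drop cached routing decisions so existing flows pick up the new rules.
    run ip route flush cache
}

case "${1:-}" in
    apply) setup_policy_routing ;;
esac
```

Failover between the ISPs (the "only if ISP0 is down" part of the question) is not covered here; that needs link monitoring that swaps the marks or the table contents when a gateway stops answering.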