Linux self-service firewall with Apache, Perl, IPtables, and UFW

I was recently in a situation where I was offering DNS service to some people. There just happened to be some records that were different from their ISP's DNS servers, so I set up the server on my public IP address. I did not want to offer DNS to the world because the last time I tried that, I got queries from all kinds of places for all kinds of records. Initially I was opening up iptables by hand whenever people asked for the service and gave me their IP address. After getting about 10 texts, I quickly got tired of collecting the IP addresses, so I made a web page with a Perl script to write them to a list. With that, I have a cron job go through the list and use UFW to update iptables to allow them access.

Here are the files inside the directory where I'm creating the list:
dnsauth.tar

There’s a simple index.html file in the directory. It’s basically a form that asks for:
Name – who the person is. duh!
IP address – I want them to enter the IP address they want to authorize just in case they’re submitting someone else’s IP address.
Password – I don’t want just anyone to come in and get access to my DNS server.

The addip.cgi basically just writes all of those inputs, plus the IP address they're coming in from, into /tmp/iplist.txt in CSV format. I record the IP address they're coming in from ($ENV{'REMOTE_ADDR'}) just in case I get abuse or something.

The root user then has a cron job that runs through the iplist.txt file every 10 minutes. Here’s my file:

#!/bin/sh
# Runs from root's crontab every 10 minutes and processes the list written by addip.cgi
if [ -f /tmp/iplist.txt ]; then
    DATE=$(date +%Y%m%d)
    # keep a dated copy of every batch
    cp /tmp/iplist.txt /home/alton/dnsservice/iplist.txt.$DATE
    # field 1 is the IP; every line containing the password ("rice") is allowed DNS over UDP
    for i in $(grep rice /tmp/iplist.txt | cut -f1 -d','); do
        /usr/sbin/ufw insert 1 allow proto udp from "$i" to any port 53
    done
    grep rice /tmp/iplist.txt >> /home/alton/dnsservice/authorized_dns_ips.txt
    grep -v rice /tmp/iplist.txt >> /home/alton/dnsservice/cheaters.txt
    rm -f /tmp/iplist.txt
    sync
fi

Obviously, rice was my password. I just looped through the file and authorized anyone that used the right password. I also logged anyone that used the wrong password in /home/alton/dnsservice/cheaters.txt.
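A hardened version of that cron job, added here as an example and not the post's own script. It assumes the CSV columns are ip,name,password,remote_addr (the post only shows that the IP is column 1) and reads the password from DNSAUTH_SECRET instead of hard-coding it:

```shell
#!/bin/sh
# Hardened replacement for the cron job above (added example, not the post's
# script). Assumed CSV layout from addip.cgi: ip,name,password,remote_addr
# (field 1 = IP, as the original cut -f1 implies). The password is compared as
# a whole field instead of "grep rice" (which also matches a name like
# "maurice"), and the IP is validated before it reaches ufw.
SECRET="${DNSAUTH_SECRET:-rice}"        # the post's hard-coded password
UFW="${UFW:-echo /usr/sbin/ufw}"        # dry run; set UFW=/usr/sbin/ufw to apply

# valid_ipv4 ADDR: exactly four dot-separated decimal octets, each 0-255
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# process_iplist FILE AUTHORIZED CHEATERS: authorize valid lines, log the rest
process_iplist() {
    file=$1; good=$2; bad=$3
    while IFS=, read -r ip name pw remote || [ -n "$ip" ]; do
        [ -n "$ip$name$pw" ] || continue            # skip blank lines
        if [ "$pw" = "$SECRET" ] && valid_ipv4 "$ip"; then
            $UFW insert 1 allow proto udp from "$ip" to any port 53
            printf '%s,%s,%s,%s\n' "$ip" "$name" "$pw" "$remote" >> "$good"
        else
            printf '%s,%s,%s,%s\n' "$ip" "$name" "$pw" "$remote" >> "$bad"
        fi
    done < "$file"
}

# Constructed sample submissions (not real data): a good entry, an "IP" padded
# with extra words that the original loop would have handed to ufw as-is, and
# a wrong password whose name would still have matched "grep rice".
SAMPLE='203.0.113.5,alice,rice,203.0.113.5
203.0.113.7 to any,bob,rice,198.51.100.20
203.0.113.9,maurice,wrong,203.0.113.9'

# demo: run the sample from a scratch directory and print what ufw would get
demo() {
    dir=$(mktemp -d); printf '%s\n' "$SAMPLE" > "$dir/iplist.txt"
    process_iplist "$dir/iplist.txt" "$dir/authorized" "$dir/cheaters"; rm -r "$dir"
}
```

Running `demo` prints a single ufw command for 203.0.113.5; the other two lines end up in the cheaters file.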

Hope this was useful! I welcome any comments. Obviously, this was quick and dirty. I’m sure there is a more secure way of doing this, but this is what came easy to me. Would love to hear your thoughts!

How to find and online all of your SteelFusion Core LUNs on a NetApp filer

Recently, I offlined a bunch of LUNs that had belonged to a SteelFusion Core in the lab that I had forgotten about. Needless to say, I had some unhappy users. The good news though is that I was able to get the LUNs back up and connected to the Core within minutes. This is how I did it.

The first thing I needed to do was find out which LUNs the Core was using. I did this by logging into the Core via SSH and running the following commands:

enable
conf t
terminal length 0
show storage luns iscsi

I output this to a file /tmp/core30luns.txt. An entry looks like this:

Total LUNs: 9
Locally Assigned Serial: P3PdB/-GFigd
Configuration status : Ready
Alias : avamar_restore
LUN Size : 150.00 GB
LUN Type : iscsi
Online : yes
IOPs acceleration : Enabled
Failover Enabled : yes
Prefetch : Enabled
Edge mapping : pod3-3100b
Target mapping : iqn.2003-10.com.riverbed:oh1mt0017065c.000
Origin portal : 10.33.192.174, 10.33.192.175
Origin target : iqn.1992-08.com.netapp:sn.135037602
Backend session status : Connected
Use iSCSI Reservation : Yes
LUN Edge data session : Connected
Client type : other
Original LUN vendor : NetApp
Original LUN serial : P3PdB/-GFigd
Pinned : no
Prepop : Disabled
Smart prepop : Enabled
Prepop status : N/A
MPIO policy : roundrobin
iSCSI Reservation status : LUN reserved

Prepop schedules:
Mapped igroups:
all

Mapped initiators:

The next thing was to find out what LUNs are on the NetApp to do some matching. You can do that by running this command:

lun show -v

I output this to a file /tmp/netapp_luns.txt. An entry looks like this:

/vol/NewYork_rvbd_d_e7cc5c29_f400_4c52_b1d4_f87da1b62652_1451278801/lun_RDM 10g (10737418240) (r/w, offline)
Serial#: P3PdB/9ytT31
Share: none
Space Reservation: disabled
Multiprotocol Type: vmware

Now, with the two files, I could do some matching. I first want to extract the serial numbers from the Core's LUNs. I do this by running the following (grep is case-sensitive, so "serial" matches only the "Original LUN serial" line, not "Locally Assigned Serial"):

grep serial /tmp/core30luns.txt | cut -f2 -d: > /tmp/core30lunlist.txt

From that, I would just get a list of serial numbers like this:

P3PdB/-GFigd

Next, I will loop through my list of LUNs to find the volumes I will need to put back online. I do this by running:

while read -r i; do grep -2 -e "$i" /tmp/netapp_luns.txt >> /tmp/netappvolumes.txt; done < /tmp/core30lunlist.txt

This would give me a list like this:

/vol/NewYork_rvbd_d_8f3a7b69_05f7_4be8_b3a6_14a689c2b3b0_1452834001/lunC11 60.0g (64445480960) (r/w, offline)
Comment: “Cdrive”
Serial#: P3PdB/-KWreM
Share: none
Space Reservation: disabled

With that list, I can cut the volumes out with the following command:

grep -v : /tmp/netappvolumes.txt | cut -f1 -d' ' > /tmp/volumes.txt

This would give me a list like this:

/vol/NewYork_rvbd_d_8f3a7b69_05f7_4be8_b3a6_14a689c2b3b0_1452834001/lunC11

Now that I have a list of volume names from the NetApp, I can just put them all online with a loop:

while read -r i; do echo "lun online $i" >> /tmp/online_vols.txt; done < /tmp/volumes.txt

You can now take the /tmp/online_vols.txt file and paste it into your NetApp SSH session, and you'll have all of your LUNs online again.
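The same matching folded into one pass, added here as an example and not the author's commands. It takes the two saved files, picks the NetApp LUNs whose Serial# matches a Core serial, and skips LUNs that are already online (the sample excerpts are constructed in the formats shown above):

```shell
#!/bin/sh
# Added example (not the author's commands): the grep/cut/loop steps above in
# one awk pass. File 1 is the Core "show storage luns iscsi" output, file 2 the
# NetApp "lun show -v" output. It prints "lun online <path>" for each NetApp LUN
# whose Serial# matches a Core "Original LUN serial" and that is still offline.
lun_online_cmds() {
    awk '
        FNR == NR {                       # first file: collect the Core serials
            if ($0 ~ /^Original LUN serial/) {
                sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); want[$0] = 1
            }
            next
        }
        /^\/vol\// { path = $1; offline = ($0 ~ /offline/) }    # NetApp LUN header line
        /^Serial#:/ {
            sub(/^Serial#:[ \t]*/, ""); sub(/[ \t]+$/, "")
            if (($0 in want) && offline) print "lun online " path
        }
    ' "$1" "$2"
}

# Constructed excerpts in the two formats shown above (serials from the post,
# volume names shortened). The third NetApp LUN is already online.
CORE_SAMPLE='Total LUNs: 2
Locally Assigned Serial: P3PdB/-GFigd
Original LUN serial : P3PdB/-GFigd

Locally Assigned Serial: P3PdB/-KWreM
Original LUN serial : P3PdB/-KWreM'

NETAPP_SAMPLE='/vol/NewYork_rvbd_d_e7cc5c29_1451278801/lun_RDM 10g (10737418240) (r/w, offline)
Serial#: P3PdB/9ytT31
Share: none
/vol/NewYork_rvbd_d_8f3a7b69_1452834001/lunC11 60.0g (64445480960) (r/w, offline)
Comment: "Cdrive"
Serial#: P3PdB/-KWreM
Share: none
/vol/lab/lun0 5g (5368709120) (r/w, online)
Serial#: P3PdB/-GFigd
Share: none'

# demo: write the samples to a scratch directory and print the resulting commands
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$CORE_SAMPLE" > "$dir/core30luns.txt"
    printf '%s\n' "$NETAPP_SAMPLE" > "$dir/netapp_luns.txt"
    lun_online_cmds "$dir/core30luns.txt" "$dir/netapp_luns.txt"
    rm -r "$dir"
}
```

With the real files: `lun_online_cmds /tmp/core30luns.txt /tmp/netapp_luns.txt > /tmp/online_vols.txt`.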


How to backup your iPhoto pictures and videos to a NAS w/ rsync

This is how I backup my iPhoto stuff. I know that Apple has tools to do this, but I don’t use TimeMachine and keep most of my backups on my NAS.

I also keep my iPhoto Library on an external drive (to save space on my local SSD drive).

This is the simple script that I run in the Terminal:

#!/bin/bash
# Back up the iPhoto library on the external drive "Fujin" to the NAS share "Monster"
if [ -d /Volumes/Monster/Private/iphoto_pictures ]; then   # NAS mounted?
    if [ -f lock ]; then                                   # a previous run is still going
        exit 1
    fi
    touch lock                      # lock file lives in the cron job's working directory
    trap 'rm -f lock' EXIT          # remove it even if rsync is interrupted
    rsync -av "/Volumes/Fujin/iPhoto Library.photolibrary/" "/Volumes/Monster/Private/iphoto_pictures/iPhoto Library"
fi

What I'm doing here is, first off, checking to see if the NAS is mounted. In my case, my mount name is "Monster" and the directory where I put my pictures is /Private/iphoto_pictures, so I check to see if the directory exists. If it does, I proceed to check if a lock exists. The reason I create a lock is so that I don't have more than one backup job running at once. I keep this script running in my crontab, so that if the NAS is mounted and there is no lock, it will call rsync to copy all of the files in my iPhoto library into the one on the NAS.

I've had no issues with restoring so far. To restore, you just need to rsync the other way.

Hope this helps.

Wait … before you move to Tomato from DD-WRT!

If you’re reading this, it’s probably too late. You’re probably already running into this issue:

401

and it’s probably driving you nuts!

If you haven’t done the move yet, good. Telnet into the router and run:

nvram get http_username

and

nvram get http_passwd

The way that Tomato and DD-WRT store usernames and passwords is different: DD-WRT stores them encrypted whereas Tomato doesn't, so you can use these values to log into Tomato after you've done the move. I call it a move and would hate to call it an upgrade, because some hardcore DD-WRT users might be offended.

Now, if you haven't done this already and are seeing the error, this will be interesting. With the ASUS router, I think I was able to just do a 30-30-30 reset and it took care of it. Unfortunately, Shibby's implementation of Tomato doesn't implement the reset button, so you can press the reset button until you're blue in the face and it won't do a thing. On other routers, you may need to press the SES/AOSS button. On the Netgear Nighthawk, it's the WiFi on/off button: if you hold it down for 20+ seconds, it will start a password-less telnet daemon on port 223. So, when you're booted into Tomato (the web login will still say DD-WRT) and you can't log in, hold the button down for 20+ seconds and then go to the command prompt and run:

telnet <router IP> 223

There, you should be able to run the two 'nvram get' commands and use that info to log into the router and do a reset from there.

Hope this helps!

Why I choose TomatoUSB over DD-WRT

I recently bought a Netgear Nighthawk R7000 for my home router. I figured it would be a good time to get a new router, so I was debating between this one and the ASUS (RT-AC68U). I chose the Nighthawk purely based on price. It was 10% off at Target. 🙂 When I shop for a router, I normally try to get one that runs open-source firmware. The reason for this is so that I can hack it, as I enjoy doing things like that and I like to use features that were not designed into the original product. Why companies build routers and put their own firmware on them is beyond me. I really wonder why they don't just use the open-source stuff, since it's so good. If you look at my blog, you'll see that I have run DD-WRT on my older routers as well.

The reason I decided to go with Tomato instead of DD-WRT is a couple of features that I like in Tomato. The first feature is the QoS transfer rates view.

Screen Shot 2014-06-11 at 10.59.05 PM

I haven’t found where I can easily do this in DD-WRT. The reason I like this feature is because I can instantly know who is using up my bandwidth.

Another feature I like, which unfortunately does not work on this router yet, is one where I can see all of the URLs I've visited and searches I've done. I hope that Shibby fixes this in the 121 build.

Screen Shot 2014-06-11 at 11.01.41 PM

These are the two major reasons why I decided to use Tomato over DD-WRT. I’ve also run into issues with using the wireless bridge feature in DD-WRT where Tomato worked very easily.

I would love for some DD-WRT hardcore fans to debate with me. I’ve used DD-WRT firmware for a long time and just switched to Tomato very recently. The main reason I switched to Tomato was back in the days when I had the ASUS RT-N16 router. DD-WRT had Wi-Fi that kept dropping off almost daily and I had to find something better and Tomato was the answer at the time.

Please post your comments! Thanks!


NFS is better than CIFS (at least for streaming video) or How and why to use NFS instead of CIFS on Mac OS X

For the longest time, I thought that my WiFi connection was just too slow. Trying to play a movie with VLC was just painful! I was trying to play movies and it would buffer for a long time and, while it was playing, would stop for a little while, pixelate, and play again. I just gave up on it for a long time. I bought a new router, a Netgear Nighthawk 802.11ac router that was supposed to be much faster. Unfortunately, I didn't look at my MacBook Pro specs and see that the wireless on the laptop didn't support 802.11ac! No problem though, I'm still keeping the router. The range on the router is much better than my old Belkin Play N600.

Just for the heck of it yesterday I decided that maybe NFS would be better than CIFS. I worked at Sun Microsystems for 4 1/2 years. I should’ve known this!

I think I tried using NFS on Mac a while back and it didn’t work and I just gave up. The error I got was this one:

Screen Shot 2014-06-09 at 12.35.19 PM


I'm glad I revisited this. Because of this error, I just figured that Finder didn't mount NFS. Since Mac OS X does include showmount, however, I thought maybe it does it via the command line.

Doing a quick Google search, I found that to mount NFS from the command line you need the "-o resvport" option: the Linux NFS server by default only accepts clients that connect from a privileged source port (<1024), while the Mac OS X client uses a port above 1024 unless told otherwise.

sudo mount -t nfs -o resvport 192.168.0.11:/home/Monster /s

You don't need to do it that way, though. Finder works just fine. All you need to do is, on the server side, add insecure as an option in /etc/exports like this:

/home/Monster *(rw,sync,no_subtree_check,insecure)

Then in Finder, you can use the familiar ⌘K and give:

nfs://192.168.0.11/home/Monster

Then, your network share should be mounted and you should have access to it. That said, you now are subject to POSIX file permissions.
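One caveat on the exports line above, added here as an example and not from the original post: the `*` exports /home/Monster to every host that can reach the server, and `insecure` additionally accepts unprivileged client ports. Limiting the export to the LAN (assumed here to be 192.168.0.0/24, the subnet of 192.168.0.11) keeps that combination from reaching beyond the local network:

```conf
# /etc/exports (added example, not the post's own file)
# before (as above): any host that can reach the server may mount the share
#/home/Monster *(rw,sync,no_subtree_check,insecure)
# after: LAN hosts only; insecure still lets the Mac mount from a port above 1024
/home/Monster 192.168.0.0/24(rw,sync,no_subtree_check,insecure)
```

After editing, run exportfs -ra on the server and showmount -e 192.168.0.11 from the Mac to confirm the export list shows the narrowed client.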

Hope this helps!

Postfix queue management

I haven't touched Postfix in a long time, since I do very little administration work anymore, but I recently found a server that had a ton of mail queued up.

The way I used to manage it was with qvmenu.pl. You can find it here – http://taz.net.au/postfix/scripts/qvmenu.pl – it shows a curses-based user interface that lets you select messages, read them, delete them, etc.

What if I wanted to really delete a ton of messages though? I did a quick search and found http://www.howtoforge.com/delete-mails-to-or-from-a-specific-email-address-from-postfix-mail-queue and modified the command to work for me. I decided to run these commands:
# delete the bounce and double-bounce messages (sender MAILER-DAEMON)
mailq | tail -n +2 | awk 'BEGIN { RS = "" } / MAILER-DAEMON*/ { print $1 }' | tr -d '*!' | postsuper -d -
# delete the messages from root on my host
mailq | tail -n +2 | awk 'BEGIN { RS = "" } / [email protected]\.shocknetwork\.com$/ { print $1 }' | tr -d '*!' | postsuper -d -

This way, I’m getting rid of all of the bounce and double bounce messages and also the ones from root that probably aren’t important.
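The same queue filter as a reviewable step, added here as an example and not the author's commands. It matches only the sender column of each mailq record rather than the whole record (the recipients and deferral reasons are part of the same record, so the pattern above could also match those) and stops before postsuper so the queue IDs can be checked first. The mailq output is constructed:

```shell
#!/bin/sh
# Added example (not the author's commands): the same record-per-message awk
# pass as above, but matching only the sender (field 7 of the first line of
# each queue record) and stopping before postsuper, so the list of queue IDs
# can be reviewed before anything is deleted.
# usage: mailq | queue_ids_from '^MAILER-DAEMON$'              (list only)
#        mailq | queue_ids_from '^root@' | postsuper -d -        (then delete)
queue_ids_from() {
    # the pattern goes in through the environment so backslashes survive intact
    tail -n +2 | PAT="$1" awk 'BEGIN { RS = ""; pat = ENVIRON["PAT"] } $7 ~ pat { print $1 }' | tr -d '*!'
}

# Constructed mailq output (not from the author's server): one bounce, one
# deferred message from root, one ordinary message, then the summary line.
MAILQ_SAMPLE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3B2C4A1F9E*    4521 Tue Mar  4 10:12:01  MAILER-DAEMON
                                         user@example.com

7D1E8B0C22!    2210 Tue Mar  4 10:15:44  root@mail.example.com
(connect to mx.example.net[203.0.113.25]:25: Connection timed out)
                                         admin@example.net

9F0A3C5D17     3100 Tue Mar  4 10:20:09  alice@example.com
                                         bob@example.net

-- 9 Kbytes in 3 Requests.'

# demo PATTERN: run the sample queue through queue_ids_from
demo() { printf '%s\n' "$MAILQ_SAMPLE" | queue_ids_from "$1"; }
```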