December 14th, 2011
A snippet from squid.conf allowing LDAP-authenticated access during Mon-Fri business hours. Done on Ubuntu 10.04.2 (lucid) and Squid 2.7.STABLE7.
# Configure LDAP auth helper
auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b "ou=Int,ou=People,dc=domain,dc=org" -u "uid" -h ldaps.domain.org
# The ACL the http_access lines refer to: the client must authenticate via the helper above
acl ldapauth proxy_auth REQUIRED
acl int-lan src 192.168.11.0/24
acl daytime time M T W H F 08:30-12:30
acl evening time M T W H F 13:30-17:30
# ACLs listed on one http_access line are ANDed, so the two time windows
# need one line each (a single "daytime evening" line could never match).
# The default config's final "http_access deny all" should follow these.
http_access allow ldapauth int-lan daytime
http_access allow ldapauth int-lan evening
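Two Squid rules decide how that snippet behaves: ACL names on one http_access line are ANDed, and lines are tried top to bottom with the first match winning. The following is an added example, not code from the post and not Squid's own code: a toy Python evaluator for just the ACL types used above (time, src, proxy_auth), run against two constructed configs, one with both time windows on a single http_access line and one with a line per window. The `acl all` definition and the sample dates and client address are constructed, and an unauthenticated request is modelled as a plain non-match (real Squid would send a 407 challenge).

```python
"""Toy evaluator for the squid.conf ACL subset used in the snippet above.

Added example, not code from the post and not Squid's own code. It models
only `acl ... time|src|proxy_auth` and `http_access allow|deny`, with the
two evaluation rules that matter here: ACL names on one http_access line
are ANDed, and lines are tried top to bottom with the first match winning.
"""
import ipaddress
from datetime import datetime, time

# Squid day letters (S M T W H F A) mapped to datetime.weekday() (Monday == 0)
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def _hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def _matcher(kind, args):
    """Build a callable(request) -> bool for one acl line."""
    if kind == "time":
        days = {DAY_CODES[c] for a in args if ":" not in a for c in a}
        ranges = [tuple(_hhmm(p) for p in a.split("-")) for a in args if ":" in a]
        return lambda req: ((not days or req["when"].weekday() in days)
                            and (not ranges or any(lo <= req["when"].time() <= hi
                                                   for lo, hi in ranges)))
    if kind == "src":
        nets = [ipaddress.ip_network(a, strict=False) for a in args]
        return lambda req: any(ipaddress.ip_address(req["src"]) in n for n in nets)
    if kind == "proxy_auth":
        # Real Squid answers an unauthenticated request with a 407 challenge;
        # the toy simply treats it as a non-match.
        return lambda req: req["authenticated"]
    raise ValueError("unsupported acl type: " + kind)


def parse_config(text):
    """Return (acls, rules). acls maps a name to its matchers (several acl
    lines with the same name are ORed); rules lists http_access lines in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], []).append(_matcher(words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def decide(config_text, when, src, authenticated=True):
    """Return 'allow' or 'deny' for one request; `when` is a datetime or an
    ISO string such as '2011-12-12T10:00'."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    acls, rules = parse_config(config_text)
    req = {"when": when, "src": src, "authenticated": authenticated}
    for action, names in rules:
        # every ACL on the line must match; an undefined name is a config error
        if all(any(m(req) for m in acls[name]) for name in names):
            return action
    # Squid's default when no line matches: the opposite of the last action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


# Constructed configs: shared ACL definitions, then the post's single
# http_access line versus one http_access line per time window.
ACLS = """
acl all src 0.0.0.0/0
acl ldapauth proxy_auth REQUIRED
acl int-lan src 192.168.11.0/24
acl daytime time MTWHF 08:30-12:30
acl evening time MTWHF 13:30-17:30
"""
ONE_LINE = ACLS + ("http_access allow ldapauth int-lan daytime evening\n"
                   "http_access deny all\n")
TWO_LINES = ACLS + ("http_access allow ldapauth int-lan daytime\n"
                    "http_access allow ldapauth int-lan evening\n"
                    "http_access deny all\n")

if __name__ == "__main__":
    # 2011-12-12 is a Monday, 2011-12-17 a Saturday (constructed sample requests)
    for label, cfg in (("one line", ONE_LINE), ("two lines", TWO_LINES)):
        for when in ("2011-12-12T10:00", "2011-12-12T15:00", "2011-12-17T10:00"):
            print(label, when, decide(cfg, when, "192.168.11.5"))
```

Running the script shows the single-line variant denying even a Monday-morning request from the LAN, while the two-line variant allows both windows and still denies Saturday, out-of-window and unauthenticated requests.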
Tags: apache, apache22, ldap, security, squid, ubuntu
Posted in ldap, tech, ubuntu | No Comments »
August 30th, 2011
We’re using fprobe to collect NetFlow data and send it to our NetFlow collector in HQ. The collector is configured with its private IP (192.168.11.252), and the NetFlow traffic is supposed to be sent via the IPsec tunnel.
Here is the issue: once the remote site is restarted, no flows are received anymore. The IPsec tunnel is up and we can access the remote server without any issues. The fprobe daemon is up and running as well, and we can ping the IP of the NetFlow collector. Everything looks normal, yet no flows are received.
netstat -an | grep 5067
udp 0 0 10.8.81.1:53264 192.168.11.252:5067 ESTABLISHED
There is one thing worth mentioning: once the remote server is up and I restart the fprobe daemon, we start getting flows alright until the next system restart. So that led me to the question of service boot order in Ubuntu. fprobe is obviously started prior to ipsec — what if this is the cause? It turned out that it was indeed related to the boot order, and moving fprobe to be started as the last service fixed the whole thing! Here is how you change the service boot order in Ubuntu:
update-rc.d -f fprobe remove
update-rc.d fprobe defaults 99
This modifies all runlevels so that fprobe is executed (started/stopped) with the lowest priority (99).
I think changing fprobe to start after ipsec would probably be enough; however, to be on the safe side, I start fprobe as the last service.
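To confirm that the new sequence number really puts fprobe behind ipsec, look at the S links in the runlevel directory (/etc/rc2.d on Ubuntu 10.04): /etc/init.d/rc runs them in S<NN><name> order. The script below is an added example, not part of the post: it reads those link names and compares start positions. In place of the real /etc/rc2.d it builds a constructed temporary directory whose entry names (S20ipsec, S20rsyslog, S99rc.local and S<NN>fprobe) are assumptions; on a real box you would call `starts_after("/etc/rc2.d", "fprobe", "ipsec")`.

```python
"""Check SysV start order in an rc directory such as /etc/rc2.d.

Added example, not part of the original post. It reads the S<NN><name>
link names that update-rc.d creates and reports whether one service is
started after another, which is the check to run after
`update-rc.d fprobe defaults 99`.
"""
import os
import re
import tempfile

LINK_RE = re.compile(r"^([SK])(\d{2})(.+)$")


def start_sequence(rcdir):
    """Return [(seq, name), ...] for the S links in rcdir, in the order
    /etc/init.d/rc starts them: numeric sequence first, then name."""
    entries = []
    for entry in os.listdir(rcdir):
        m = LINK_RE.match(entry)
        if m and m.group(1) == "S":
            entries.append((int(m.group(2)), m.group(3)))
    return sorted(entries)


def starts_after(rcdir, service, dependency):
    """True when `service` is started strictly after `dependency` in rcdir."""
    order = {name: (seq, name) for seq, name in start_sequence(rcdir)}
    if service not in order or dependency not in order:
        raise LookupError("both services must have an S link in " + rcdir)
    return order[service] > order[dependency]


def make_sample_rcdir(fprobe_seq):
    """Constructed stand-in for /etc/rc2.d: a temp dir with empty files named
    like the symlinks (only the names matter to the functions above). The
    sequence numbers of the other services are assumptions, not Ubuntu's."""
    rcdir = tempfile.mkdtemp(prefix="rc2.d-")
    for name in ("S20ipsec", "S20rsyslog", "S99rc.local", "S%02dfprobe" % fprobe_seq):
        open(os.path.join(rcdir, name), "w").close()
    return rcdir


if __name__ == "__main__":
    for seq in (20, 99):
        rcdir = make_sample_rcdir(seq)
        print("S%02dfprobe:" % seq, start_sequence(rcdir),
              "fprobe after ipsec:", starts_after(rcdir, "fprobe", "ipsec"))
```

With fprobe at the same sequence number as ipsec the tie is broken alphabetically, so fprobe would still start first; at 99 it sorts after every other S link in the directory.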
Tags: fprobe, ipsec, ubuntu
Posted in ipsec, tech, ubuntu | No Comments »
August 7th, 2011
In this article I’ll show an iptables rule to forward outgoing HTTP requests from one server to another. Both servers are single-connected (one interface each), in the same subnet and running Ubuntu with iptables. In my case I needed to forward, or reroute, outgoing HTTP requests from one server to a server running Squid.
On the net you’ll find a lot of articles for dual-connected servers (read: gateways) on how to forward incoming traffic to internal servers, how to do port rewriting (forwarding a local port to another local port on the same server), how to do transparent proxying and so on. My case is trivial: all outgoing HTTP requests should be forwarded to the server running Squid in transparent mode. Nothing needs to be rewritten or changed in terms of source/destination/port.
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 1.2.3.4:3128
where 1.2.3.4 is the server running Squid and 3128 is the port it’s listening on.
On the server running Squid make sure that it’s in transparent mode:
# cat /etc/squid/squid.conf | grep transparent
http_port 3128 transparent
I didn’t realize OUTPUT could be used with DNAT, but guess what — it works!
Tags: iptables, squid, ubuntu
Posted in iptables, tech, ubuntu | No Comments »
January 10th, 2011
A snippet from httpd.conf allowing LDAP authentication. Done on Ubuntu.
# Needs mod_ldap and mod_authnz_ldap enabled (a2enmod ldap authnz_ldap)
AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP Secure Area"
Require valid-user
AuthLDAPBindDN "cn=username,ou=People,dc=domain,dc=org"
AuthLDAPBindPassword XXXXXXXX
AuthzLDAPAuthoritative off
AuthLDAPCompareDNOnServer On
AuthLDAPURL ldaps://ldaps.domain.org/ou=Internal,ou=People,dc=domain,dc=org?uid
Tags: apache, apache22, ldap, security, ubuntu
Posted in ldap, tech, ubuntu | No Comments »
January 6th, 2011
Here is a quick note on how to exclude one particular network from NAT while the rest remains NATed. Done on Ubuntu with iptables running.
iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE
In case you need one more network to be excluded:
# Order matters: the RETURN must be appended before the MASQUERADE rule, otherwise it is never reached
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j RETURN
iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE
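Both iptables posts on this page (the OUTPUT DNAT to Squid above and the RETURN-based NAT exclusion here) rely on the same mechanics: a packet walks the chain in rule order, a rule's match options are ANDed with `!` inverting one of them, and the first terminating target decides, RETURN meaning "no NAT for this packet". The following added example, which is not from the posts and not iptables itself, parses those exact command lines into a small chain model and evaluates constructed sample packets against them; it understands only the options the posts use and assumes every rule was appended with -A, so list order is chain order. It also shows what happens if the two POSTROUTING rules are appended in the other order.

```python
"""Walk an iptables nat chain the way the kernel does, for the rules in the
two iptables posts above (DNAT in OUTPUT, and excluding networks from
MASQUERADE with RETURN).

Added example, not part of the original posts and not iptables itself. It
understands only the options those rules use (-A, -o, -d, ! -d, -p,
--dport, -j, --to-destination) and assumes every rule was added with -A,
so list order is chain order.
"""
import ipaddress
import shlex


def parse_rule(cmd):
    """Turn one `iptables -t nat -A CHAIN ...` command line into a dict.
    Match options are stored as (value, negated)."""
    toks = shlex.split(cmd)
    rule, negated, i = {}, False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negated = True          # applies to the next match option only
            i += 1
            continue
        if t in ("-A", "-I"):
            rule["chain"] = toks[i + 1]
        elif t == "-o":
            rule["out"] = (toks[i + 1], negated)
        elif t == "-d":
            rule["dst"] = (ipaddress.ip_network(toks[i + 1], strict=False), negated)
        elif t == "-p":
            rule["proto"] = (toks[i + 1], negated)
        elif t == "--dport":
            rule["dport"] = (int(toks[i + 1]), negated)
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t == "--to-destination":
            rule["to"] = toks[i + 1]
        elif t in ("iptables", "-t"):
            pass                    # the command name and the nat table
        else:
            raise ValueError("unsupported option: " + t)
        i += 1 if t == "iptables" else 2
        negated = False
    return rule


def _ok(rule, key, pred):
    """A missing option matches everything; `!` inverts the predicate."""
    if key not in rule:
        return True
    value, negated = rule[key]
    return pred(value) != negated


def matches(rule, pkt):
    return (_ok(rule, "out", lambda v: pkt.get("out") == v)
            and _ok(rule, "dst", lambda v: ipaddress.ip_address(pkt["dst"]) in v)
            and _ok(rule, "proto", lambda v: pkt.get("proto") == v)
            and _ok(rule, "dport", lambda v: pkt.get("dport") == v))


def nat_action(cmds, chain, **pkt):
    """First matching rule with a terminating target decides. RETURN, or
    reaching the end of the chain, means the built-in policy: no rewrite."""
    for rule in (parse_rule(c) for c in cmds):
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["target"] == "RETURN":
            return None
        if rule["target"] == "DNAT":
            return ("DNAT", rule["to"])
        if rule["target"] == "MASQUERADE":
            return ("MASQUERADE",)
    return None


# Rule sets copied from the posts above (constructed lists, not a live ruleset)
FORWARD_HTTP = [
    "iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 1.2.3.4:3128",
]
NAT_EXCLUDE = [
    "iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j RETURN",
    "iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE",
]
# The same two rules appended in the other order: the RETURN is never reached
NAT_EXCLUDE_WRONG_ORDER = NAT_EXCLUDE[::-1]

if __name__ == "__main__":
    print(nat_action(FORWARD_HTTP, "OUTPUT", dst="198.51.100.10", proto="tcp", dport=80))
    for dst in ("10.1.2.3", "192.168.5.5", "198.51.100.10"):
        print(dst, nat_action(NAT_EXCLUDE, "POSTROUTING", out="eth0", dst=dst),
              nat_action(NAT_EXCLUDE_WRONG_ORDER, "POSTROUTING", out="eth0", dst=dst))
```

Two caveats the model makes visible: the OUTPUT rule only sees locally generated traffic and rewrites every outgoing TCP port 80 connection, including those to hosts on the same subnet, so an earlier `! -d` or RETURN rule is needed if some destinations must stay untouched; and in POSTROUTING the RETURN for 192.168.0.0/16 has to precede the MASQUERADE, because `! -d 10.0.0.0/8` already matches 192.168.x.x. On a live box `iptables -t nat -L POSTROUTING -n -v --line-numbers` shows the actual order together with per-rule packet counters.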
Tags: iptables, linux, nat, security, ubuntu
Posted in iptables, tech, ubuntu | No Comments »
January 5th, 2011
We have a number of IPSec tunnels running on Linux Ubuntu with Openswan installed. Here is the typical configuration for a site:
Tags: ipsec, linux, openswan, security, ubuntu
Posted in ipsec, tech, ubuntu | No Comments »
January 4th, 2011
My blog is finally back. There were a lot of things happening during these two years — from now on I will try to keep it updated on a regular basis. And yes, I moved to godaddy hosting; let me know whether you noticed a difference.
Tags: misc
Posted in personal | No Comments »
January 3rd, 2009
In this post I’ll write about implementing policy routing with IP Filter on FreeBSD. Policy routing is the process of forcing packets to follow a particular route, not necessarily through the default gateway. This is very useful in a multihomed environment where your FreeBSD server acts as a router and you want different networks to be routed differently based on the source network or interface.
Tags: freebsd, ipf, routing
Posted in freebsd, networking, tech | No Comments »
October 8th, 2008
Got an odt file and don’t want to install OpenOffice just to open it? Here is a nice piece of software that lets you open, view and print odt files (and many more!). It’s called TextMaker Viewer and it’s free. Here is the current list of supported file formats:
.doc (Microsoft Word 6.0 up to Word 2007), .rtf (Rich Text Format), .dot (Microsoft Word templates 6.0 up to 2007), .psw (Pocket Word (Pocket PC)), .tmd (TextMaker 6.0 up to 2008), .pwd (Pocket Word (Handheld PC)), .odt (OpenDocument Text), .htm/html (HTML documents), .sxw (OpenOffice.org/StarOffice Text), .txt (Text files (DOS, Windows, Unicode, UTF-8)).
Niiiice!
Tags: office, routine, tired
Posted in m$, software, tech | No Comments »
September 16th, 2008
Upgrade from 7.0-RELEASE to 7.1-PRERELEASE
Brand: N/A
Motherboard: Asus P5KPL-VM
Processor: Intel Core 2 Duo E6550 2.33Ghz
Memory: 2GB DDR2 800
HDD: 250GB 7200rpm SATA150
Softupdates: ON
SMP: ON
CPU: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz (2331.01-MHz 686-class CPU)
real memory = 2147090432 (2047 MB)
avail memory = 2091548672 (1994 MB)
ad4: 238475MB <MAXTOR STM3250310AS 3.AAC> at ata2-master SATA150
make -j4 buildworld: 17mm 55ss
make -j4 buildkernel: 07mm 56ss
make installkernel: 12ss
make installworld: 01mm 39ss
Tags: asus, benchmarking, buildworld, env, freebsd, make
Posted in benchmarking, freebsd, tech | No Comments »