Monthly Archives: September 2012

Translate Domain Name via VPN

Posted on by
Reply

Server Side:

1. Install dnsmasq

2. setup tcp tunnel of openvpn

3. iptables -t nat -I POSTROUTING -s 10.x.x.x/24 -j SNAT –to x.x.x.x

Client Side:

1. Add DNSMASQ_OPTS=”–clear-on-reload” to /etc/default/dnsmasq

2. setup tcp tunnel client of openvpn

3. Add 0 5 * * * lynx -source https://smarthosts.googlecode.com/svn/trunk/dnsmasq.conf | grep address | awk -F / {‘print “server=/”$2″/10.9.0.1″‘} > /etc/dnsmasq.d/smart_host_domain;; /etc/init.d/dnsmasq restart to crontab

4. Modify /etc/resolv.conf to use “nameserver 127.0.0.1” only

Route https packets to VPN 2

Posted on by
Reply

ip route add default dev tun0 table 200
ip rule add fwmark 0x45 table 200
iptables -A INPUT -i tun0 -j ACCEPT

iptables -t nat -I POSTROUTING -o tun0 -j SNAT –to 10.8.0.6
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

# Add the marked packets
iptables -t mangle -I PREROUTING -p tcp –dport 443 -j MARK –set-mark 0x45
iptables -t mangle -I OUTPUT -s 10.8.0.6 -j MARK –set-mark 0x45

# Delete the marked packets

iptables -t mangle -D OUTPUT -p tcp –dport 443 -j MARK –set-mark 0x45
iptables -t mangle -D OUTPUT -s 10.8.0.6 -j MARK –set-mark 0x45

# re-enable ALL source-address verification filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i; done

Redirect 443 packets to VPN channel

Posted on by
Reply
  1. #!/sbin/runscript
  2. # Distributed under the terms of the GNU General Public License v2
  5. IFACE=$(netstat -rn | grep UG | awk ‘NR==1{print($8)}’)
  6. ITUN=”tun0″
  7. TBL=”VPN1″
  9. depend() {
  10.         use dnsmasq
  11. }
  13. start() {
  14.         # starting openVPN
  15.         /etc/init.d/openvpn.vpn1 start
  17.         # wait until VPN is fully operationnal [ route is built ]
  18.         while [ -z “$(route -n | awk ‘/'”$ITUN”‘/&&/255/ {print($1)}’)” ]; do sleep .25; done
  20.         # getting our VPN IP, range & mask
  21.         ITUNADDR=$(ifconfig $ITUN | awk ‘/dr:/ { gsub(/.*:/,””,$2); print($2); }’)
  22.         TUNRANGE=$(route -n | awk ‘/tun0/ && /255/ {print($1)}’)
  23.         TUNMASK=$(route -n | awk ‘/tun0/ && /255/ {print($3)}’)
  25.         # adding $TBL table if necessary
  26.         if [ ! -n “$(grep “200 $TBL” /etc/iproute2/rt_tables)” ]; then
  27.                 echo “200 $TBL” >> /etc/iproute2/rt_tables
  28.         fi
  30.         # re-add standard nameserver
  31.         echo “nameserver 127.0.0.1” > /etc/resolv.conf
  33.         # making route to VPN
  34.         ip route add default dev $ITUN table $TBL
  36.         # marked packets follows VPN route
  37.         ip rule add fwmark 0x45 table $TBL
  39.         # accept packets from VPN
  40.         iptables -A INPUT -i $ITUN -j ACCEPT
  42.         # some services are marked to follow the route
  43.         iptables -t mangle -A OUTPUT -p udp –dport 53 -j MARK –set-mark 0x45
  44.         iptables -t mangle -A OUTPUT -p tcp –dport 443 -j MARK –set-mark 0x45
  45.         iptables -t mangle -A OUTPUT -p tcp –dport 8080 -j MARK –set-mark 0x45
  47.         # binding tun’s ip to tun’s interface
  48.         iptables -t nat -A POSTROUTING -o $ITUN -j SNAT –to $ITUNADDR
  50.         # force output packets (from VPN) to go out through VPN too
  51.         iptables -t mangle -A OUTPUT -s $ITUNADDR -j MARK –set-mark 0x45
  53.         # disable ALL source-address verification filtering
  54.         for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i; done
  55. }
  57. stop() {
  58.         # getting our VPN IP, range & mask
  59.         #ITUNADDR=$(ifconfig $ITUN | awk ‘NR==2{print $2}’ | sed ‘s/adr://g’)
  60.         ITUNADDR=$(ifconfig $ITUN | awk ‘/dr:/ { gsub(/.*:/,””,$2); print($2); }’)
  61.         TUNRANGE=$(route -n | awk ‘/tun0/ && /255/ {print($1)}’)
  62.         TUNMASK=$(route -n | awk ‘/tun0/ && /255/ {print($3)}’)
  64.         # stoping openVPN
  65.         /etc/init.d/openvpn.vpn1 stop
  67.         # removing VPN route if is present
  68.         if [ ! -z “$(route -n | awk ‘/'”$ITUN”‘/&&/255/ {print($1)}’)” ]; then
  69.                 ip route del default dev $ITUN table $TBL
  70.         fi
  72.         # remove route for marked packets
  73.         ip rule del fwmark 0x45 table $TBL
  75.         # remove accept packets from VPN
  76.         iptables -D INPUT -i $ITUN -j ACCEPT
  78.         # remove iptables packet marking
  79.         iptables -t mangle -D OUTPUT -p udp –dport 53 -j MARK –set-mark 0x45
  80.         iptables -t mangle -D OUTPUT -p tcp –dport 443 -j MARK –set-mark 0x45
  81.         iptables -t mangle -D OUTPUT -p tcp –dport 8080 -j MARK –set-mark 0x45
  83.         # removing binding
  84.         iptables -t nat -D POSTROUTING -o $ITUN -j SNAT –to $ITUNADDR
  86.         # remove output packets to go out throuth VPN
  87.         iptables -t mangle -D OUTPUT -s $ITUNADDR -j MARK –set-mark 0x45
  89.         # re-enable ALL source-address verification filtering
  90.         for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $i; done
  91.         #echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  92. }

Redirect traffic from one interface to another

Posted on by
Reply

VPS (10.8.0.0/24) <——> (tun0) Server (ppp1) <——> iPhone (172.16.31.0/24)

iptables -A INPUT -p tcp –dport 109 -j ACCEPT

iptables -A INPUT -i ppp1 -j ACCEPT
iptables -A FORWARD -i ppp1 -j ACCEPT
iptables -A FORWARD -o ppp1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 172.16.31.0/24 -o ppp0 -j MASQUERADE
ip route add default dev tun0 table 200
ip rule add priority 100 from 172.16.31.0/24 table 200

iptables -t nat -I POSTROUTING -o tun0 -j SNAT –to 10.8.0.6

Reference: http://forums.gentoo.org/viewtopic-t-843591.html

Execute Perl scripts as root (Method 2)

Posted on by
Reply

1. Download exec-wrapper at http://code.google.com/p/exec-wrapper/downloads/detail?name=exec-wrapper-1.0.1.tar.bz2 or  http://hkvms.com/~alfred/exec-wrapper.tar.xz

Then you need to tweak the Perl scripts a little to avaoid warnings. If you are using the suidperl program you should replace #!/usr/bin/perl with the suidperl program (i.e. #!/usr/bin/suidperl) and use -U tag to execute unsafe commands.

#!/usr/bin/perl -wU

system(“/sbin/iptables”, “-L”);

And finally, you need to set the suid bit and change permissions of commands such as poff, pon, squid and cp to allow the CGI script to be executed as root.

# chown root:root <command name>
# chmod ug+s <command name>
# chmod a+x <command name>

Setting up a Rails Email Server

Posted on by
Reply

1. Download rvm.tar.xz from http://hkvms.com/~alfred/rvm.tar.xz

2. Download hkuso.tar.xz from http://hkvms.com/~alfred/hkuso.tar.xz

2. cd /usr/local

3. tar Jxvf /tmp/rvm.tar.xz

4. unzip hkuso.tar.xz to /home

5. gem uninstall rails “>3.2”

6. apt-get install libmysqlclient-dev

7. apt-get install postfix

8. source /usr/local/rvm/scripts/rvm and add source /usr/local/rvm/scripts/rvm ~/.bashrc

9. rvm requirements

/usr/bin/apt-get install build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev automake libtool bison subversion pkg-config

10. rvm reinstall 1.9.3

11. apt-get install vrfy

12. modify from email in /home/hkuso/mail3/app/models/mailer1.rb

13. add info: root into /etc/aliases

14. add LANG=”en_US.UTF-8″ into /etc/default/locale

15. locale-gen en_US.UTF-8

16. type command vigr and then add rvm:x:1000:

17. type command vigr -s and then add rvm:!::