Category Archives: Linux

Apache Proxy to Thin (ROR app server)

Posted on by
Reply

1. sudo a2enmod proxy
2. sudo a2enmod proxy_balancer
3. sudo a2enmod proxy_http
4. sudo a2enmod rewrite

5. sudo /etc/init.d/apache2 force-reload

6. sudo nano /etc/apache2/sites-available/domain.com

<VirtualHost *:80>
ServerName domain.com
ServerAlias www.domain.com

DocumentRoot /home/demo/public_html/railsapp/public

RewriteEngine On

<Proxy balancer://thinservers>
BalancerMember http://127.0.0.1:5000
BalancerMember http://127.0.0.1:5001
BalancerMember http://127.0.0.1:5002
</Proxy>

# Redirect all non-static requests to thin
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f

RewriteRule ^/http-bind(.*) http://127.0.0.1:5280%{REQUEST_URI} [P,QSA,L]
RewriteRule ^/(.*)$ balancer://thinservers%{REQUEST_URI} [P,QSA,L]

#ProxyPass / balancer://thinservers/
#ProxyPassReverse / balancer://thinservers/
#ProxyPreserveHost on

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

# Custom log file locations
ErrorLog /home/demo/public_html/railsapp/log/error.log
CustomLog /home/demo/public_html/railsapp/log/access.log combined

</VirtualHost>

Start ROR

Posted on by
Reply

source .bash_profile
rvm use 1.9.2 –default

sudo /etc/init.d/kannel stop
sudo -s
bearerbox -v 0
smsbox -v 0 &

rails runner script/send_sms.rb

rails runner script/xmpp4r_forwarder.rb
rails runner script/notifier.rb
bundle exec thin start –server 3

Translate Domain Name via VPN

Posted on by
Reply

Server Side:

1. Install dnsmasq

2. setup tcp tunnel of openvpn

3. iptables -t nat -I POSTROUTING -s 10.x.x.x/24 -j SNAT –to x.x.x.x

Client Side:

1. Add DNSMASQ_OPTS=”–clear-on-reload” to /etc/default/dnsmasq

2. setup tcp tunnel client of openvpn

3. Add 0 5 * * * lynx -source https://smarthosts.googlecode.com/svn/trunk/dnsmasq.conf | grep address | awk -F / {‘print “server=/”$2″/10.9.0.1″‘} > /etc/dnsmasq.d/smart_host_domain;; /etc/init.d/dnsmasq restart to crontab

4. Modify /etc/resolv.conf to use “nameserver 127.0.0.1” only

Route https packets to VPN 2

Posted on by
Reply

ip route add default dev tun0 table 200
ip rule add fwmark 0x45 table 200
iptables -A INPUT -i tun0 -j ACCEPT

iptables -t nat -I POSTROUTING -o tun0 -j SNAT –to 10.8.0.6
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

# Add the marked packets
iptables -t mangle -I PREROUTING -p tcp –dport 443 -j MARK –set-mark 0x45
iptables -t mangle -I OUTPUT -s 10.8.0.6 -j MARK –set-mark 0x45

# Delete the marked packets

iptables -t mangle -D OUTPUT -p tcp –dport 443 -j MARK –set-mark 0x45
iptables -t mangle -D OUTPUT -s 10.8.0.6 -j MARK –set-mark 0x45

# re-enable ALL source-address verification filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i; done

Redirect 443 packets to VPN channel

Posted on by
Reply
  1. #!/sbin/runscript
  2. # Distributed under the terms of the GNU General Public License v2
  5. IFACE=$(netstat -rn | grep UG | awk ‘NR==1{print($8)}’)
  6. ITUN=”tun0″
  7. TBL=”VPN1″
  9. depend() {
  10.         use dnsmasq
  11. }
  13. start() {
  14.         # starting openVPN
  15.         /etc/init.d/openvpn.vpn1 start
  17.         # wait until VPN is fully operationnal [ route is built ]
  18.         while [ -z “$(route -n | awk ‘/'”$ITUN”‘/&&/255/ {print($1)}’)” ]; do sleep .25; done
  20.         # getting our VPN IP, range & mask
  21.         ITUNADDR=$(ifconfig $ITUN | awk ‘/dr:/ { gsub(/.*:/,””,$2); print($2); }’)
  22.         TUNRANGE=$(route -n | awk ‘/tun0/ && /255/ {print($1)}’)
  23.         TUNMASK=$(route -n | awk ‘/tun0/ && /255/ {print($3)}’)
  25.         # adding $TBL table if necessary
  26.         if [ ! -n “$(grep “200 $TBL” /etc/iproute2/rt_tables)” ]; then
  27.                 echo “200 $TBL” >> /etc/iproute2/rt_tables
  28.         fi
  30.         # re-add standard nameserver
  31.         echo “nameserver 127.0.0.1” > /etc/resolv.conf
  33.         # making route to VPN
  34.         ip route add default dev $ITUN table $TBL
  36.         # marked packets follows VPN route
  37.         ip rule add fwmark 0x45 table $TBL
  39.         # accept packets from VPN
  40.         iptables -A INPUT -i $ITUN -j ACCEPT
  42.         # some services are marked to follow the route
  43.         iptables -t mangle -A OUTPUT -p udp –dport 53 -j MARK –set-mark 0x45
  44.         iptables -t mangle -A OUTPUT -p tcp –dport 443 -j MARK –set-mark 0x45
  45.         iptables -t mangle -A OUTPUT -p tcp –dport 8080 -j MARK –set-mark 0x45
  47.         # binding tun’s ip to tun’s interface
  48.         iptables -t nat -A POSTROUTING -o $ITUN -j SNAT –to $ITUNADDR
  50.         # force output packets (from VPN) to go out through VPN too
  51.         iptables -t mangle -A OUTPUT -s $ITUNADDR -j MARK –set-mark 0x45
  53.         # disable ALL source-address verification filtering
  54.         for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i; done
  55. }
  57. stop() {
  58.         # getting our VPN IP, range & mask
  59.         #ITUNADDR=$(ifconfig $ITUN | awk ‘NR==2{print $2}’ | sed ‘s/adr://g’)
  60.         ITUNADDR=$(ifconfig $ITUN | awk ‘/dr:/ { gsub(/.*:/,””,$2); print($2); }’)
  61.         TUNRANGE=$(route -n | awk ‘/tun0/ && /255/ {print($1)}’)
  62.         TUNMASK=$(route -n | awk ‘/tun0/ && /255/ {print($3)}’)
  64.         # stoping openVPN
  65.         /etc/init.d/openvpn.vpn1 stop
  67.         # removing VPN route if is present
  68.         if [ ! -z “$(route -n | awk ‘/'”$ITUN”‘/&&/255/ {print($1)}’)” ]; then
  69.                 ip route del default dev $ITUN table $TBL
  70.         fi
  72.         # remove route for marked packets
  73.         ip rule del fwmark 0x45 table $TBL
  75.         # remove accept packets from VPN
  76.         iptables -D INPUT -i $ITUN -j ACCEPT
  78.         # remove iptables packet marking
  79.         iptables -t mangle -D OUTPUT -p udp –dport 53 -j MARK –set-mark 0x45
  80.         iptables -t mangle -D OUTPUT -p tcp –dport 443 -j MARK –set-mark 0x45
  81.         iptables -t mangle -D OUTPUT -p tcp –dport 8080 -j MARK –set-mark 0x45
  83.         # removing binding
  84.         iptables -t nat -D POSTROUTING -o $ITUN -j SNAT –to $ITUNADDR
  86.         # remove output packets to go out throuth VPN
  87.         iptables -t mangle -D OUTPUT -s $ITUNADDR -j MARK –set-mark 0x45
  89.         # re-enable ALL source-address verification filtering
  90.         for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $i; done
  91.         #echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  92. }

Redirect traffic from one interface to another

Posted on by
Reply

VPS (10.8.0.0/24) <——> (tun0) Server (ppp1) <——> iPhone (172.16.31.0/24)

iptables -A INPUT -p tcp –dport 109 -j ACCEPT

iptables -A INPUT -i ppp1 -j ACCEPT
iptables -A FORWARD -i ppp1 -j ACCEPT
iptables -A FORWARD -o ppp1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 172.16.31.0/24 -o ppp0 -j MASQUERADE
ip route add default dev tun0 table 200
ip rule add priority 100 from 172.16.31.0/24 table 200

iptables -t nat -I POSTROUTING -o tun0 -j SNAT –to 10.8.0.6

Reference: http://forums.gentoo.org/viewtopic-t-843591.html

Execute Perl scripts as root (Method 2)

Posted on by
Reply

1. Download exec-wrapper at http://code.google.com/p/exec-wrapper/downloads/detail?name=exec-wrapper-1.0.1.tar.bz2 or  http://hkvms.com/~alfred/exec-wrapper.tar.xz

Then you need to tweak the Perl scripts a little to avaoid warnings. If you are using the suidperl program you should replace #!/usr/bin/perl with the suidperl program (i.e. #!/usr/bin/suidperl) and use -U tag to execute unsafe commands.

#!/usr/bin/perl -wU

system(“/sbin/iptables”, “-L”);

And finally, you need to set the suid bit and change permissions of commands such as poff, pon, squid and cp to allow the CGI script to be executed as root.

# chown root:root <command name>
# chmod ug+s <command name>
# chmod a+x <command name>