Tag Archives: Linux

building tmux 1.9a statically

At work, I use tmux on a daily basis. Unfortunately, the version shipped in EPEL (Extra Packages for Enterprise Linux) is slightly dated, v1.6. I didn’t want to update tmux system-wide as this would impact other users. A single statically linked binary that I could store in my home area would be perfect.

I discovered the build process was a bit of a challenge. Although I found answers to my problems, they were not centrally located. Therefore, I am documenting my steps below.

These steps allowed me to build tmux 1.9a. The same steps should work for newer versions; however, at some point they may break. Additionally, these steps were performed on RHEL6, but they should apply to nearly any distro.

  1. Install glibc-static:
    $ yum install glibc-static
  2. Download libevent-2.0.21-stable
    $ ./configure --prefix=/tmp/local --disable-shared
    $ make
    $ make install
  3. Download ncurses 5.9
    $ ./configure --prefix=/tmp/local --with-default-terminfo-dir=/usr/share/terminfo  --with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo"
    $ make
    $ make install
  4. Download Tmux Source
    $ ./configure --enable-static CFLAGS="-I/tmp/local/include -I/tmp/local/include/ncurses" LDFLAGS="-L/tmp/local/lib -L/tmp/local/include -L/tmp/local/include/ncurses" LIBEVENT_CFLAGS="-I/tmp/local/include" LIBEVENT_LIBS="-L/tmp/local/lib -levent"
    $ make -j5
    $ cp tmux /home/$USER/bin
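The four steps above as one script, with a check that the result really is static before it is copied into ~/bin. This is an added example, not the tmux project's build script: it assumes the three source tarballs have already been downloaded into a directory passed as $SRC (the post gives no download URLs, so none are assumed here), keeps the post's prefix and version numbers as overridable defaults, and trims LDFLAGS to the lib directory since the include paths do no work there.

```shell
#!/bin/sh
# Added example: scripted static tmux build plus a "is it really static?"
# check. Assumes libevent-$LIBEVENT_VER.tar.gz, ncurses-$NCURSES_VER.tar.gz
# and tmux-$TMUX_VER.tar.gz already sit in $SRC.
set -eu

PREFIX="${PREFIX:-/tmp/local}"
TMUX_VER="${TMUX_VER:-1.9a}"
LIBEVENT_VER="${LIBEVENT_VER:-2.0.21-stable}"
NCURSES_VER="${NCURSES_VER:-5.9}"

# Return 0 if $1 is an ELF binary with no dynamic dependencies, 1 if it is
# ELF but dynamically linked, 2 if it is not an ELF file at all. ldd alone is
# not enough: it also says "not a dynamic executable" for a shell script,
# so the ELF magic (7f 45 4c 46) is checked first.
check_static() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 2
    # glibc's ldd prints "not a dynamic executable", musl's "Not a valid
    # dynamic program"; either means there is no dynamic loader reference.
    if ldd "$1" 2>&1 | grep -qi 'not a.*dynamic'; then
        return 0
    fi
    return 1
}

# Unpack tarball $1 from $SRC into $WORK and cd into the source tree.
unpack() {
    tar xzf "$SRC/$1.tar.gz" -C "$WORK"
    cd "$WORK/$1"
}

build_tmux() {
    SRC="${1:-$PWD}"
    WORK=$(mktemp -d)

    # 1. libevent: static archive only, installed under $PREFIX
    ( unpack "libevent-$LIBEVENT_VER"
      ./configure --prefix="$PREFIX" --disable-shared
      make && make install )

    # 2. ncurses: same terminfo search path as the post, so the static tmux
    #    still finds the system terminfo database at run time
    ( unpack "ncurses-$NCURSES_VER"
      ./configure --prefix="$PREFIX" \
          --with-default-terminfo-dir=/usr/share/terminfo \
          --with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo"
      make && make install )

    # 3. tmux: point compiler and linker at $PREFIX and link statically
    ( unpack "tmux-$TMUX_VER"
      ./configure --enable-static \
          CFLAGS="-I$PREFIX/include -I$PREFIX/include/ncurses" \
          LDFLAGS="-L$PREFIX/lib" \
          LIBEVENT_CFLAGS="-I$PREFIX/include" \
          LIBEVENT_LIBS="-L$PREFIX/lib -levent"
      make -j5
      # Refuse to install a binary that still depends on shared libraries
      check_static tmux || { echo "tmux is not statically linked" >&2; exit 1; }
      mkdir -p "$HOME/bin"
      install -m 0755 tmux "$HOME/bin/tmux" )

    rm -rf "$WORK"
}

# Usage: build_tmux /path/to/downloaded/tarballs
```

check_static is the part worth keeping around on its own: run it against the copied binary after any future rebuild, since a configure run that silently drops --enable-static produces a tmux that works on the build host and fails on the next machine with a different glibc.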


Troubleshooting / Build Issues:

Configuring a Router with Comcast Business Class

For the last two months, I have used NAT to make use of my 5 static IPs. I wanted to do away with NAT and create another network for the public IP space. My goal was simple: a router attached to two networks, an RFC1918 LAN and a LAN for my public IP block. However, this would not be an easy task.

Desired Network Topology:

                       /-------------------\          ____Host A_____
                       +        LAN1       + ------> | 23.31.174.84 |
                       +  23.31.174.80/29  +         ----------------
                       \-------------------/
                                 ^
                                 |
                                eth1
+-----------------+          +--------+          /--------------------\
|      modem      | --> eth0 | router | eth2 --> + LAN2 (192.168.1.1) +
| 10.1.10.1/24    |          +--------+          \--------------------/
| 23.31.174.86/29 |
+-----------------+ 

router:
eth0: 10.1.10.2
eth1: 23.31.174.81
eth2: 192.168.1.1

Ideally, the modem would be configured as a bridge, with a default route via eth0 to Comcast’s gateway. The routing should be simple. Sadly, Comcast made this way more difficult.

The modem, an SMCD3G (cable gateway), is a switch and router with modem functionality. In theory, it should be possible to disable the router/switch functionality and turn it into a bridge; however, Comcast refuses to provision the modems in this manner.

The modem has two interfaces, a coax interface and a switched virtual interface (SVI). The coax interface is provisioned automatically and is used to communicate with Comcast’s gateway. The SVI is configured with two network blocks: 10.1.10.1/24 (RFC1918) and 23.31.174.86/29 (static IP block). Unfortunately, it is not possible to see how the modem is configured, so the above is an educated guess based on the network traffic I saw from the modem.

The modem’s configuration posed a slight problem. The modem was configured with 23.31.174.86/29, but I wanted to assign 23.31.174.81/29 to the router. After some trial and error, I figured out how to make this configuration work. The secret: proxy ARP.

General Configuration / Theory

Disable the firewall/router functionality on the modem. The modem configuration can be accessed via 10.1.10.1; the username is ‘cusadmin’ and the password is ‘highspeed’. Comcast follows similar steps when you request them to bridge your modem.
Note: this configuration will not disable the routing and switching functionality of the modem.

Under …

Firewall -> Firewall Options
  * [checked] Disable Firewall for True Static IP Subnet Only
  * [checked] Disable Gateway Smart Packet Detection
  * [unchecked] Disable Ping on WAN Interface

Firewall -> Port Configuration
  * [checked]  Disable all Port Forwarding rules

Firewall -> 1-to-1 Network Address Translation
  * [checked] Disable all

LAN -> IP Setup
  * [unchecked] Enable LAN DHCP

Ensure there are no static routes configured on the modem, that filtering is disabled, that a DMZ has not been configured, and that website blocking is disabled.

Assign 23.31.174.81/29 to router:eth1 (LAN1) and 192.168.1.1/24 to router:eth2 (LAN2).

To get traffic between the modem and router, router:eth0 needs to be configured. Assign 10.1.10.2/24 to router:eth0 and set the default gateway to 10.1.10.1 (the modem’s LAN IP).

At this point, it should be possible to access the internet from the router. The source IP of packets going out eth0 will be 10.1.10.2. Since 10.1.10.0/24 is not routable on the internet, the modem will SNAT 10.1.10.2 to 23.31.174.86. To fix this, we need to set the source IP of the default route to match the IP configured on router:eth1 (23.31.174.81).

Example: ip route add default via 10.1.10.1 src 23.31.174.81

A tool such as ifconfig.me will show the external src ip of the host.
From your host run: curl http://ifconfig.me

23.31.174.86/29 lives on the modem, outside of LAN1, so a static route to 23.31.174.86 via 10.1.10.1 (the modem) should be configured:
ip route add 23.31.174.86/32 via 10.1.10.1
Note: overlapping network space is poor configuration practice and should be avoided. In this case, it is the only way to configure the network.

The problem

Host A (23.31.174.84) tries to ping 8.8.8.8. Echo requests go out, but Host A never receives echo replies. A tcpdump on router:eth0 verifies the ICMP traffic is leaving the router with the correct src/dst IPs, but does not show any return/inbound traffic except from the modem. In the tcpdump, one will see the modem sending the following ARP requests:

ARP, Request who-has 10.1.10.2 tell 10.1.10.1, length 28
ARP, Reply 10.1.10.1 is-at c4:39:3a:02:02:02 (oui Unknown), length 46
ARP, Request who-has 23.31.174.81 (Broadcast) tell 23.31.174.86, length 46
ARP, Request who-has 23.31.174.83 (Broadcast) tell 23.31.174.86, length 46
ARP, Request who-has 23.31.174.82 (Broadcast) tell 23.31.174.86, length 46
ARP, Request who-has 23.31.174.85 (Broadcast) tell 23.31.174.86, length 46
ARP, Request who-has 23.31.174.84 (Broadcast) tell 23.31.174.86, length 46

The router can reply to the requests for 23.31.174.81 and 10.1.10.2. It cannot reply for addresses it does not have configured, and no other device will respond to these ARP requests, because the router and modem are the only devices on the layer 2 segment. Why does this happen? The modem’s SVI has an IP address of 23.31.174.86/29, so from the modem’s point of view the 23.31.174.80/29 network is directly attached: instead of forwarding replies for Host A to the router at 23.31.174.81, it ARPs for the final destination (23.31.174.84) itself on the segment shared with router:eth0. Luckily, we can make use of proxy ARP. With proxy ARP enabled on eth0, the router answers ARP requests for any address it can route out another interface, which covers every host in LAN1 behind eth1.

Enable proxy arp on router:eth0.

Now, when Host A (23.31.174.84) pings 8.8.8.8, ICMP echo requests are sent and echo replies are received.

SNAT needs to be configured so hosts in LAN2 (192.168.1.0/24) can communicate on the internet. Keep in mind, the address used for SNAT can’t be the router gateway (23.31.174.81), the modem gateway (23.31.174.86), or any host address in LAN1.

Applying the above configuration to a Linux router

Make sure the modem has been configured appropriately (see above).

Router Configuration

# set ip addresses
router$ ip addr add 10.1.10.2/24 dev eth0
router$ ip addr add 23.31.174.81/29 dev eth1
router$ ip addr add 192.168.1.1/24 dev eth2

# bring up interfaces
router$ ip link set eth0 up
router$ ip link set eth1 up
router$ ip link set eth2 up

# add routes
router$ ip route add default via 10.1.10.1 src 23.31.174.81 # change src to the ip on eth1
router$ ip route add 23.31.174.86/32 via 10.1.10.1 # route to the modem's IP

# forward packets between interfaces (off by default; without it this is a host, not a router)
router$ sysctl -w net.ipv4.ip_forward=1

# enable proxy arp on eth0
router$ sysctl -w net.ipv4.conf.eth0.proxy_arp=1

# NAT (the POSTROUTING chain lives in the nat table)
router$ iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 23.31.174.85
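The same configuration as a re-runnable script. This is an added example, not the post's own script: addresses and interface names are taken from the diagram above (Host A is the only LAN1 host the post lists), while the DRY_RUN switch, the check on the SNAT address from the paragraph above, and the default-deny FORWARD rules at the end are my additions.

```shell
#!/bin/sh
# Added example: the Linux router configuration from the post as a script.
# Values below are the post's; DRY_RUN and the FORWARD policy are additions.
set -eu

MODEM_IP=10.1.10.1
ETH0_ADDR=10.1.10.2/24
ROUTER_PUBLIC=23.31.174.81      # eth1 address and src for the default route
LAN1_ADDR=$ROUTER_PUBLIC/29
MODEM_PUBLIC=23.31.174.86       # the modem's address inside the same /29
LAN2_ADDR=192.168.1.1/24
LAN2_NET=192.168.1.0/24
SNAT_IP=23.31.174.85
LAN1_HOSTS="23.31.174.84"       # Host A from the diagram

# Print the command instead of running it when DRY_RUN is set, so the
# generated configuration can be reviewed without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The SNAT address must not be the router's public address, the modem's
# address or any LAN1 host: return traffic for that address would then be
# claimed by the NAT instead of reaching its real owner. 0 means safe.
validate_snat_address() {
    [ "$1" != "$ROUTER_PUBLIC" ] || return 1
    [ "$1" != "$MODEM_PUBLIC" ] || return 1
    for h in $LAN1_HOSTS; do
        [ "$1" != "$h" ] || return 1
    done
    return 0
}

configure_router() {
    validate_snat_address "$SNAT_IP" || {
        echo "SNAT address $SNAT_IP collides with a gateway or LAN1 host" >&2
        return 1
    }

    # "replace" rather than "add" so running the script twice is harmless
    run ip addr replace "$ETH0_ADDR" dev eth0
    run ip addr replace "$LAN1_ADDR" dev eth1
    run ip addr replace "$LAN2_ADDR" dev eth2
    for dev in eth0 eth1 eth2; do
        run ip link set "$dev" up
    done

    # Locally generated traffic must leave with the public address as source,
    # otherwise the modem SNATs it to 23.31.174.86.
    run ip route replace default via "$MODEM_IP" src "$ROUTER_PUBLIC"
    run ip route replace "$MODEM_PUBLIC/32" via "$MODEM_IP"

    # Forward between interfaces, and answer the modem's ARP requests for
    # LAN1 hosts on eth0 (the modem treats the /29 as directly attached).
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.eth0.proxy_arp=1

    # SNAT for LAN2 only. Delete any earlier copy of the rule first, since
    # iptables -A happily appends duplicates.
    run iptables -t nat -D POSTROUTING -s "$LAN2_NET" -o eth0 -j SNAT --to-source "$SNAT_IP" 2>/dev/null || true
    run iptables -t nat -A POSTROUTING -s "$LAN2_NET" -o eth0 -j SNAT --to-source "$SNAT_IP"

    # Default-deny forwarding: LAN2 may initiate, the internet may only reply.
    # LAN1 hosts carry public addresses and are forwarded unfiltered, as in
    # the post; add their filtering here if they need it.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i eth2 -s "$LAN2_NET" -j ACCEPT
    run iptables -A FORWARD -i eth1 -j ACCEPT
    run iptables -A FORWARD -o eth1 -j ACCEPT
}

# Usage: DRY_RUN=1 ./router.sh apply   (review)   ./router.sh apply   (as root)
if [ "${1:-}" = apply ]; then
    configure_router
fi
```

Run it once with DRY_RUN=1 and diff the output against what the post lists by hand; the only lines that should differ are the ip_forward sysctl, the "-t nat" on the SNAT rule and the FORWARD block.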

nxt2004 firmware

I needed to obtain the firmware for my KWorld ATSC 115, which uses the nxt2004 demodulator. The kernel module saa7134 requires the nxt2004 firmware to operate correctly. In the past the process to obtain the firmware was easy, but now that avermedia-usa no longer makes the driver available, it was much harder to track down the needed firmware file.

The problem:

m2n:~ $ /tmp/get_dvb_firmware nxt2004
--2012-07-06 22:51:22--  http://www.avermedia-usa.com/support/Drivers/AVerTVHD_MCE_A180_Drv_v1.2.2.16.zip
Resolving www.avermedia-usa.com... 66.85.153.58
Connecting to www.avermedia-usa.com|66.85.153.58|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2012-07-06 22:51:22 ERROR 404: Not Found.

wget failed - unable to download firmware at /tmp/get_dvb_firmware line 662.

I figured I could just search for AVerTVHD_MCE_A180_Drv_v1.2.2.16.zip or dvb-fe-nxt2004.fw and be in business. Unfortunately, it was not that easy; it took me over an hour to find the file.

I came across linux-firmware-nonfree_1.11_all.deb, which contained nxt2004.fw.

Since it was so hard to find the firmware file I decided to mirror it along with the original deb package that I got it from.

Files:

To Install:

  1. wget http://pyther.net/files/firmware/nxt2004/dvb-fe-nxt2004.fw
  2. cp dvb-fe-nxt2004.fw /lib/firmware
  3. reload appropriate module or reboot
  4. check out dmesg to confirm firmware was loaded

Hope this has helped someone…

Password Manager

Best practice states that passwords should contain letters (mixed case), numbers, and symbols, should be at least 8 characters in length, and should never be reused. However, this isn’t very practical! How are you supposed to remember a different password for each site you have an account with?

I have been using 4 different passwords for my various accounts. This method has been working moderately well, but from a security standpoint it’s suicide. I wanted to use a random password for each of my accounts. But how would I ever remember all my passwords? A password manager, of course!

What I needed:

  • Passwords stored in an encrypted file
  • Master password to unlock the encrypted file
  • View passwords from the cli/ssh
  • Include additional information such as Security Questions and Answers
  • Integrated support for Firefox

What I used…

Vim Outliner

Vim Outliner is an outline processor. A screenshot is worth a thousand words.

Encryption

By default, when you save the file it will be a simple tab-delimited text file. Vim, however, supports encryption. First, set the encryption method by typing :setlocal cm=blowfish. If you want Blowfish to be the default encryption method for Vim, add the setlocal command to ~/.vimrc. Next, to encrypt the file, type :X. You will be prompted to set a password. Finally, save the file. When you open the file, you will be prompted for the password. If you fail to enter the right password you will see garbage characters.
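A check worth running on a password file kept this way: which of Vim's encryption methods it was actually saved with. Vim prefixes an encrypted file with a 12-byte header (VimCrypt~01! for zip, VimCrypt~02! for blowfish, VimCrypt~03! for blowfish2, per :help encryption), and a file saved after the key was cleared has no header at all yet looks the same in the editor. This added example is not from the post; it reports the method and treats only blowfish2 as acceptable, because Vim's own documentation marks zip as weak and blowfish (the cm=blowfish used above) as having an implementation flaw that blowfish2 was added to fix.

```shell
#!/bin/sh
# Added example: report the Vim cryptmethod of a file from its header.
set -eu

# Print zip | blowfish | blowfish2 | plaintext for file $1. Return 0 only for
# blowfish2; anything else means the password store should be re-saved with
# :setlocal cm=blowfish2 (then :X and :w) before relying on it.
vim_crypt_method() {
    # First 12 bytes; for an encrypted file this is the ASCII header
    hdr=$(dd if="$1" bs=12 count=1 2>/dev/null)
    case "$hdr" in
        'VimCrypt~01!') echo zip;       return 1 ;;
        'VimCrypt~02!') echo blowfish;  return 1 ;;
        'VimCrypt~03!') echo blowfish2; return 0 ;;
        *)              echo plaintext; return 1 ;;
    esac
}

# Usage: vim_crypt_method ~/passwords.otl || echo "weak or missing encryption"
```

The function reads only the header, so it is safe to run over a directory of files without ever decrypting anything; "plaintext" here means "no Vim crypt header", which is exactly the case the :X workflow above can leave behind when the password file is copied or saved from another editor.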

Firefox Integration (Mozilla-gnome-keyring)

Mozilla-gnome-keyring allows Firefox to store passwords and form logins in gnome-keyring. Gnome-keyring is much more secure than the default password manager in Firefox. The mozilla keyring must be unlocked to add / retrieve passwords. You can define how long the keyring should remain unlocked for (never, 15 minutes, 60 minutes, etc…). On my desktop I unlock the keyring for 60 minutes, but on my laptop I only unlock it for 10. When logging into a site, Firefox still prompts to “Remember the Password”. If you let Firefox remember the password, the password automatically gets recorded in the keyring.

Conclusion

I have been using this solution for about a month and it has fit my needs perfectly. I updated most of my accounts so they each have a unique password such as Dmqngi8ZoPyO or XGVoBOmd7Gar. Passwords are stored twice: in the password file and in gnome-keyring. Since mozilla-gnome-keyring takes care of adding the passwords into gnome-keyring when I log in to a site, I only have to record/update my passwords in the encrypted text file. In the rare case that I’m not at my computer and I need a password, I simply ssh into my server and open the password file in vim.

Although the password file and keyring are encrypted, they are still subject to brute-force attack. Make sure to use a strong master password; the longer the better. I would suggest at least 20 characters. In 2009, it would take a supercomputer 1.5 hours to crack an 8-character (alpha only, lower-case) password, but 631 billion years to crack a 20-character (alpha only, lower-case) password. Remember, as computers advance these times will decrease. And of course, a keylogger could compromise the master password nearly instantly.

http://www.lockdown.co.uk/?pg=combi&s=articles

Make Windows 7 USB installer in Linux

So, for whatever reason, you need to install Windows 7 from a flash drive? That’s not a problem!

In Linux:

  1. Format the flash drive’s first partition: mkfs.vfat -F 32 /dev/sdx1
  2. Set Label: mlabel -i /dev/sdx1 ::WIN7x64 (optional)
  3. Download Grub4Dos – http://download.gna.org/grub4dos/
  4. unzip grub4dos-0.4.4.zip
  5. Run ./bootlace.com /dev/sdx (writes the grub4dos boot code to the drive’s MBR)
  6. Copy grldr and menu.lst to the root of the flash drive
  7. Add to menu.lst:
    title Install Windows 7
    root (hd0,0)
    chainloader (hd0,0)/bootmgr
  8. Copy Win 7 Install files to root of USB flash drive.
  9. Boot Flash Drive – Select Install Windows 7

TIP: To install any version of Windows 7 (Home Premium, Professional, Ultimate) remove ei.cfg from the sources directory. However, you still need a product key for the appropriate version.

In Windows:

  1. Format Drive as Fat32
  2. Copy Files from Install DVD to Flash drive

That’s it; boot from the flash drive and you are all good.

Note: The Windows disk formatter writes boot code to the MBR and VBR. This obviously doesn’t happen in Linux, therefore we need to use grub4dos as our bootloader.

DNS Conditional Forwarding – dnsmasq

Why would I want to use Conditional Forwarding?

In my case, my local DNS server has entries for local hostnames such as m2n.ion.lan, mongo.ion.lan, and tux.ion.lan. If I were using the VPN DNS, these lookups would fail. By using conditional forwarding I can do all lookups locally, except for names that match the remote top-level domain (example.local). Anything that matches example.local is forwarded to the remote DNS server.

Problem:

  1. Connect to remote vpn server and use local DNS server
  2. Ping server.remote.local (remote FQDN) – fail
  3. Ping server.ion.lan (local FQDN) – success

Of course the remote ping fails because the local DNS server knows nothing about the remote domain. If I were to configure my machine to use the remote DNS server, the opposite would happen: I would be able to ping server.remote.local, but a ping to server.ion.lan would fail.

Solution: use dnsmasq with conditional forwarding to forward *.remote.local requests to the remote DNS server.

1. Install dnsmasq using your local package manager

2. Edit /etc/dnsmasq.conf

# Tells dnsmasq to forward anything with the domain of remote.local to dns server 10.25.11.2
server=/remote.local/10.25.11.2

# Listen to requests only coming from the local machine
listen-address=127.0.0.1

# Do not cache anything
# A decent dns server will already cache for your local network
cache-size=0

3. Edit /etc/resolv.conf

# Local LAN Domain
domain ion.lan

# local dnsmasq server
nameserver 127.0.0.1

# Your main dns server (dnsmasq will forward all requests to this server)
nameserver 10.20.1.1

4. Start dnsmasq

5. Test – ping a local server and remote server using the FQDN

All DNS requests will be forwarded to 10.20.1.1 except any matching *.remote.local; server.remote.local will be forwarded to 10.25.11.2.

OpenVPN Client – DNS Script

The OpenVPN server can pass DNS servers and a domain name to the client. This gives the benefit of using the remote DNS servers for lookups of hostnames on the remote network.

Finding a good script that worked to do this proved difficult…

In server.conf add:

push "dhcp-option DOMAIN ion.lan"
push "dhcp-option DNS 10.25.11.2"

Then save this script on the client in the same location as the client config:

#!/bin/bash

case "$1" in
    up)
        mv /etc/resolv.conf /etc/resolv.conf.bak

        echo "# Generated by OpenVPN Client UP Script" > /etc/resolv.conf
        # OpenVPN exports each pushed option as foreign_option_N
        for opt in ${!foreign_option_*}; do
            echo "${!opt}" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /etc/resolv.conf
        done
        ;;
    down)
        mv /etc/resolv.conf.bak /etc/resolv.conf
        ;;
    *)
        echo "Pass either up or down"
        ;;
esac

In the client.conf add

script-security 2

up "./vpn_dns_update.sh up"
down "./vpn_dns_update.sh down"

Now connect and check /etc/resolv.conf to see whether the VPN nameserver and domain are listed.
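A stricter version of the same up/down script, added here as an example and not the script from the post. The foreign_option_N variables are whatever the server pushed: the sed version above rewrites the two patterns it knows and appends everything else to /etc/resolv.conf verbatim, so a misconfigured or compromised server can put arbitrary lines into the resolver configuration. This version accepts only "dhcp-option DNS <IPv4>" and "dhcp-option DOMAIN <hostname>", keeps the first backup across a repeated "up", and replaces the file atomically. RESOLV_CONF is parameterised so the functions can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example: validate pushed dhcp-options before writing resolv.conf.
set -eu

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Return 0 if $1 is a plausible DNS name: labels of letters, digits and
# hyphens joined by dots, at most 253 characters in total.
is_domain() {
    [ ${#1} -le 253 ] || return 1
    echo "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Print a resolv.conf built only from validated pushed options; anything
# else is reported on stderr and dropped. OpenVPN numbers the variables
# foreign_option_1, _2, ... without gaps, so stop at the first unset one.
render_resolv_conf() {
    echo "# Generated by OpenVPN client up script"
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"   # $i is a number; the value is not re-evaluated
        [ -n "$opt" ] || break
        set -f; set -- $opt; set +f        # split on whitespace, no globbing
        case "${1:-} ${2:-}" in
            'dhcp-option DNS')
                if [ $# -eq 3 ] && is_ipv4 "$3"; then
                    echo "nameserver $3"
                else
                    echo "ignoring malformed DNS option: $opt" >&2
                fi ;;
            'dhcp-option DOMAIN')
                if [ $# -eq 3 ] && is_domain "$3"; then
                    echo "domain $3"
                else
                    echo "ignoring malformed DOMAIN option: $opt" >&2
                fi ;;
            *)
                echo "ignoring unsupported option: $opt" >&2 ;;
        esac
        i=$((i + 1))
    done
}

vpn_up() {
    # Keep the first backup: a second "up" without a "down" would otherwise
    # overwrite it with the VPN-generated file and lose the original.
    [ -e "$RESOLV_CONF.bak" ] || cp -p "$RESOLV_CONF" "$RESOLV_CONF.bak"
    tmp=$(mktemp "$RESOLV_CONF.XXXXXX")
    render_resolv_conf > "$tmp"
    chmod 0644 "$tmp"
    mv "$tmp" "$RESOLV_CONF"       # atomic replace, never a half-written file
}

vpn_down() {
    if [ -e "$RESOLV_CONF.bak" ]; then
        mv "$RESOLV_CONF.bak" "$RESOLV_CONF"
    fi
}

# OpenVPN runs 'up "./vpn_dns_update.sh up"' as: ./vpn_dns_update.sh up <tun> ...
case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
    *)    echo "usage: $0 up|down" >&2 ;;
esac
```

It drops into the same client.conf lines as the original (script-security 2, up and down pointing at the script). If /etc/resolv.conf on the client is a symlink managed by resolvconf or systemd-resolved, the mv replaces the symlink with a regular file; on such systems hand the validated nameserver and domain to that manager instead of writing the file directly.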

Use Keyboard to resume from standby

One of the things that always irritated me with Linux was that I could not resume my machine by hitting a key on the keyboard. When I first searched for an answer to this issue, many of the replies said “look for an option in the BIOS.” To my dismay, I had no such option in the BIOS. After more searching I found /proc/acpi/wakeup!

/proc/acpi/wakeup looks like this:

Device	S-state	  Status   Sysfs node
UAR1	  S4	 disabled  pnp:00:08
SMB0	  S4	 disabled  pci:0000:00:01.1
USB0	  S4	 disabled  pci:0000:00:02.0
USB2	  S4	 disabled  pci:0000:00:02.1
US15	  S4	 disabled  pci:0000:00:04.0
US12	  S4	 disabled  pci:0000:00:04.1
NMAC	  S5	 disabled  pci:0000:00:0a.0
P0P1	  S4	 disabled  pci:0000:00:08.0
HDAC	  S4	 disabled
MXR0	  S4	 disabled  pci:0000:00:10.0
BR11	  S4	 disabled
BR12	  S4	 disabled  pci:0000:00:12.0
BR13	  S4	 disabled
BR14	  S4	 disabled
BR15	  S4	 disabled
BR16	  S4	 disabled
BR17	  S4	 disabled

Now this might be confusing at first, but do not fear! We are interested in only two types of devices: USB and US.

USB0	  S4	 disabled  pci:0000:00:02.0
USB2	  S4	 disabled  pci:0000:00:02.1
US15	  S4	 disabled  pci:0000:00:04.0
US12	  S4	 disabled  pci:0000:00:04.1

To figure out which device is which, take the address after pci: and grep for it in dmesg. Example for US15: dmesg | grep 0000:00:04.0

You will likely get a lot of output; look for something similar to the following (note: this differs by hardware and likely won’t be the same):

[    6.164097] usb usb4: SerialNumber: 0000:00:04.0
[    7.284302] input: BTC USB Multimedia Keyboard as /devices/pci0000:00/0000:00:04.0/usb4/4-3/4-3:1.0/input/input2
[    7.284363] generic-usb 0003:046D:C312.0001: input,hidraw0: USB HID v1.10 Keyboard [BTC USB Multimedia Keyboard] on usb-0000:00:04.0-3/input0
[    7.300110] input: BTC USB Multimedia Keyboard as /devices/pci0000:00/0000:00:04.0/usb4/4-3/4-3:1.1/input/input3
[    7.300287] generic-usb 0003:046D:C312.0002: input,hiddev96,hidraw1: USB HID v1.10 Device [BTC USB Multimedia Keyboard] on usb-0000:00:04.0-3/input1

As you can see, US15 is my USB keyboard, so I simply run echo "US15" > /proc/acpi/wakeup to allow US15 to wake up the computer. The table now shows:

USB0	  S4	 disabled  pci:0000:00:02.0
USB2	  S4	 disabled  pci:0000:00:02.1
US15	  S4	 enabled   pci:0000:00:04.0
US12	  S4	 disabled  pci:0000:00:04.1

If it is not apparent which device is which, there is always trial and error. Enable one and see if the desired device wakes up the machine; if it doesn’t, disable the device (by executing the echo command again) and try another.

Lastly, add the echo command to your startup script. On Arch, /etc/rc.local is a good place.
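Because writing a device name to /proc/acpi/wakeup toggles its state, a startup script that blindly echoes "US15" turns wake-up off again if it runs twice, or if the device was already enabled. The functions below, an added example and not part of the post, read the table first and write only when the current state differs from the wanted one; WAKEUP_FILE is parameterised so the parsing can be tried on a saved copy of the table, and US15 is the device from the post.

```shell
#!/bin/sh
# Added example: idempotent enable/disable of ACPI wake-up devices.
set -eu

WAKEUP_FILE="${WAKEUP_FILE:-/proc/acpi/wakeup}"

# Print "enabled" or "disabled" for device $1 (third column of the table);
# return 1 if the device is not listed.
wakeup_state() {
    state=$(awk -v dev="$1" '$1 == dev { print $3 }' "$WAKEUP_FILE")
    [ -n "$state" ] || return 1
    echo "$state"
}

# Print the sysfs node for device $1 (pci:... or pnp:...), or nothing when
# the kernel shows none, as for HDAC and BR11 in the table above.
wakeup_node() {
    awk -v dev="$1" '$1 == dev { print $4 }' "$WAKEUP_FILE"
}

# Show the dmesg lines for device $1's bus address: the lookup the post does
# by hand (dmesg | grep 0000:00:04.0 for US15).
wakeup_describe() {
    node=$(wakeup_node "$1")
    [ -n "$node" ] || { echo "$1 has no sysfs node" >&2; return 1; }
    dmesg | grep -F "${node#*:}"
}

# Put device $1 into state $2 (enabled or disabled), toggling only if needed.
set_wakeup() {
    cur=$(wakeup_state "$1") || { echo "no such wakeup device: $1" >&2; return 1; }
    if [ "$cur" != "$2" ]; then
        echo "$1" > "$WAKEUP_FILE"
    fi
}

# For /etc/rc.local (safe to run any number of times):
# set_wakeup US15 enabled
```

wakeup_describe is the trial-and-error shortcut from the paragraph above: it prints the same dmesg lines as the manual grep, so each US/USB entry can be matched to its hardware before anything is toggled.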

PacketTracer 5.2.1 – Linux

There is a bug in PacketTracer which seems relatively minor but can cause a lot of frustration to users.

Take me for example: I am taking Cisco 3. It has been 2 years since I took Cisco 1 and 2. The first day in class we were given a review Packet Tracer file to work on. I forgot to save, and when I finally remembered, it bit me in the butt! I went to save my work and PacketTracer crashed! I lost everything.

Issue: PacketTracer 5.2.1 crashes / segfaults on linux when saving files.

Reason: PacketTracer 5.2.1 is built against Qt 4.4.3. However, it uses the system version of Qt, which is likely newer. In my case, I’m using Qt 4.5.3. Many other distributions also use 4.5.3. It appears that there was a code change between Qt 4.4.3 and 4.5.3 that makes 4.5.3 incompatible with PT 5.2.1.

Solution: have PacketTracer use the Qt libs that it ships with.
This can be accomplished with LD_LIBRARY_PATH and a shell script:

#!/bin/sh
# Prefer the Qt libraries bundled with PacketTracer over the system's
export LD_LIBRARY_PATH="/opt/pt/lib"
exec /opt/pt/bin/PacketTracer5 "$@"

Adjust the paths as necessary, save the file, and make it executable.
PT might not look as nice and pretty, but it won’t crash!

PAL to NTSC

I was asked to convert some European (PAL) DVDs to the American (NTSC) format. With the help of a few Linux tools, the process is pretty painless. A cautionary note: the process takes about 3 hours for one DVD on my AMD X2 7750.

What you need:

  • vobcopy or dvdrip
  • projectx
  • avidemux
  • mplex (part of mjpegtools)
  • wine
  • dgpulldown.exe (windows app)
  • dvdauthor
  • dvdxchap (part of ogmtools)

First, we need to rip the DVD to the computer, using either dvdrip or vobcopy. Vobcopy is a simple command-line utility that rips VOB files straight from the DVD to the hard drive. dvdrip is a GUI tool which is very easy to use: load it up, create a new project, select the rip tab, and pick the title you want to rip. Ripping the DVD will probably take anywhere from 15-20 minutes.

Vobcopy example: cd /home/pyther/dvdrip && vobcopy /dev/sr0

Next, we want to demux (separate) the audio and the video. ProjectX is very easy to use for this task, and it ensures the video and audio stay in sync.

To Demux the video:

  • Start projectx
  • File->Add
  • Select all the vob files that were just created
  • At the bottom where it says “recent output directories” select “output to same location as 1st file in collection”
  • Then click the Quick Start button on the side

This results in the following files being created:

  • *.m2v = mpeg 2 video file
  • *.ac3 = AC3 Audio File
  • *.sub = Subtitle Files

If there are multiple audio tracks you will see zorro-001.ac3, zorro-001[1].ac3, zorro-001[2].ac3.
In my case:

  • zorro-001.ac3 == Hungarian
  • zorro-001[1].ac3 == English
  • zorro-001[2].ac3 == Directors Comments

Let’s clean up the directory now:

  • move *.vob files into a new folder called vob
  • move *.sub into a new folder called subs
  • Rename the audio files (ex. zorro-001.ac3 -> hu.ac3)
  • Remove any audio tracks that you do not want in your remastered DVD (ex. Directors Comments)