Due to a very restrictive firewall at the CHPC, I need to run a VPN to get access to things like email, Jabber and SSH. This however degrades my web browsing experience, since that gets tunnelled as well. I therefore wanted a setup where only ports which are blocked get tunnelled through the VPN, while everything else goes out normally.
The routing part was fairly straightforward, which consists of an iptables
rule to mark certain packets, and an alternate routing table for these marked
packets. I first created a name for the new table by adding the following to
I then added a default route to the new table specifying the IP address of the VPN server and the VPN interface, and a rule to use this table for packets marked by iptables.
The following iptables rule will mark packets destined to the listed port
numbers. Note that this is for packets originating from the firewall host — if
you want this to apply to packets forwarded for other hosts it must be in the
The actual routing worked, but packets were being sent with the wrong source IP. I therefore needed to NAT packets going out on the VPN interface (the IP address is the local IP of the VPN connection).
I could then see packets going out on the VPN interface with the correct source
IP as well as the replies, but it still wasn't working. I eventually discovered
The one thing missing from my posting by email setup was support for images. The Mailsave module has finally been updated for Drupal 6, and so I can now submit attachments with email posts. The one shortcoming is that files are simply added to posts as normal attachments, and so images aren't automatically displayed. I therefore have to manually insert images in the body of the post, but I actually prefer this since it's a simpler system and gives me more control.
The [CHPC] installed a new network this past weekend as part of the [SANReN] project. The new network consists of [Cisco] equipment, including their [NAC] (or "Clean Access") system. This requires all clients to authenticate before they are allowed access to the network, and can also enforce a configured security policy (such as requiring operating system updates and anti-virus).
The system works as follows. By default, the ports on the switch are in an "unauthenticated" [VLAN]. When a client is connected, it is provided with an IP address (via [DHCP]) in an "unauthenticated" subnet. The system then presents a captive portal which requires the user to authenticate with a username and password using their browser. If the authentication is successful, the port is moved to a different VLAN (depending on the user's access level), and the switch briefly disconnects the link which causes the client to negotiate a new IP address (in a different subnet).
Before the portal presents the login page it requires that a [Java applet] be run on the client. The applet gathers various bits of information about the client (including the operating system) and submits this information to the portal. (I assume that the portal uses this information to determine what policies must be enforced. In our setup, Windows machines must have the Clean Access Client installed, while Linux and Mac OS X machines are simply allowed access.) The portal then presents the login page.
Being a geek, I wasn't very happy to go through this rigmarole everytime I connected to the network. (I also couldn't use my [normal browser][konq] since the applet didn't work in it.) So I set out to automate the process. Initially I tried to script everything (including the Java applet) but then I noticed that the output of the applet wasn't sent with the login form submission. The only other information the form contained was a session key and random string, both of which were present on the [HTML] page which contained the applet. A manual test confirmed that the login page could be submitted successfully as long as the session key and random string were correct — the applet could be bypassed.
I quickly scripted the login process using a
 script and [wget]. I then installed it in <code>/etc/network/if-up.d</code> after adding some logic to only execute if the current IP address was on the unauthenticated network. The result is that I can plug in the cable, and my machine automatically authenticates to the system. While searching for information about the Clean Access system, I came across this [Slashdot article] about a guy who was suspended from university for bypassing the Clean Access checks. I only realised last night that this is exactly what my script does![^1] I haven't tested it on Windows yet, but the only possible change I can think of is to change the [user agent]. Seriously Cisco, the fact that I managed to bypass the applet simply by submitting the login form programmatically is ridiculous. I have attached my script to this post. The way in which I have parsed the HTML page is rather ugly and likely to only work on this specific version of Clean Access. I plan to rewrite it in [Python] sometime. <strong>Update:</strong> I have rewritten the script in Python, which should be a bit more solid since it parses the HTML using a [DOM]. The script requires [libxml2dom] and [ipy]. After configuring the parameters it can be dropped in <code>/etc/network/if-up.d</code>[^2] where it should run automatically. [^1]: Note that it doesn't bypass the authentication: you still need a valid account in order to gain access. [^2]: Make sure not to use a dot in the filename though. <em>[CHPC]: Centre for High Performance Computing </em>[SANReN]: South African National Research Network <em>[NAC]: Network Admission Control </em>[VLAN]: Virtual LAN <em>[DHCP]: Dynamic Host Configuration Protocol </em>[HTML]: HyperText Markup Language *[DOM]: Document Object Model [chpc]: http://www.chpc.ac.za/ [sanren]: http://www.meraka.org.za/sanren.htm [cisco]: http://en.wikipedia.org/wiki/Cisco_Systems [vlan]: http://en.wikipedia.org/wiki/Virtual_LAN [dhcp]: http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol [nac]: http://en.wikipedia.org/wiki/Cisco_NAC_Appliance [java applet]: http://en.wikipedia.org/wiki/Java_applet [konq]: http://en.wikipedia.org/wiki/Konqueror [Slashdot article]: http://it.slashdot.org/article.pl?sid=07/04/27/203232 [user agent]: http://en.wikipedia.org/wiki/User_agent [python]: http://en.wikipedia.org/wiki/Python_(programming_language) [html]: http://en.wikipedia.org/wiki/HTML [wget]: http://en.wikipedia.org/wiki/Wget [bash]: http://en.wikipedia.org/wiki/Bash [dom]: http://en.wikipedia.org/wiki/Document_Object_Model [libxml2dom]: http://www.boddie.org.uk/python/libxml2dom.html [ipy]: http://russell.rucus.net/2008/ipy/
Unfortunately Windows is still a necessary evil sometimes: I keep a Windows virtual machine for times when it's absolutely necessary, and I still give my friends Windows tech support. I still like to do things properly, and so I wanted to create a Windows XP install CD with Service Pack 3 slipstreamed in1. I had two CDs to do, and slipstreamed the first one using a Windows VM, but then got curious and wondered if I could do it without Windows.
The answer is that it is possible using Wine to run the service pack installer. I followed this blog post (which was interesting since it's in French), but I then found another blog post which explains it in English. The steps are as follows:
It seems to be quite particular about the ISO9660 settings and the upper case filenames, so if it doesn't boot check the settings.
Vodacom4me and MyMTN allow you to send free SMSs from a computer. Unfortunately those sites are not accessible from a cellphone. I came across a site which provides a mobile interface for Vodacom4me and MyMTN1. This means that you can send SMSs from your cellphone for the cost of the GPRS/UMTS data required to access the site. I having been using this for quite a while, and it works fairly well.
However, there are a few aspects of the site which I don't like, and so I wrote my own version which performs the same function with the following extra features:
The site is available at http://m.mene.za.net/ (or with HTTPS). Obviously the restrictions enforced by Vodacom4me and MyMTN still apply. Vodacom4me allows 20 SMSs per day to Vodacom numbers for Vodacom subscribers only. MyMTN allows 5 SMSs per day to MTN numbers for anyone. The source code is available for anyone who is interested (and brave enough).
SSH Host Keys
The SSH client needs to be configured to check these records. Specifying "
To determine the name of the record to use, convert your email address into a domain name by replacing the ampersand with a dot1. To publish your entire public key, run the tool as follows.
The first parameter specifies the file containing your public key in binary format, and the second parameter specifies the domain name to use. To publish a reference to your public key, run the tool as follows.
The first parameter specifies the fingerprint of your key, and the second parameter the URL at which the public key can be found. It is also possible to only publish the fingerprint or only the URL. Simply add the record which the tool outputs to your zone file2.
There is also another method to publish GPG keys called PKA. The only documentation I can find is a specification in German linked from the blog post mentioned above. I still managed to set it up though. This method uses a
This specifies the fingerprint and URL, just as with the second
I discovered that OpenVPN supports connections through an HTTP proxy server. This makes it possible to establish a VPN from a completely firewalled network where the only external access is through a proxy server1. It takes advantage of the fact that SSL connections are simply tunnelled through the server and aren't interfered with like unencrypted connections.
The server setup is almost identical to a normal configuration, except that the tunnel must use TCP instead of UDP (since the proxy server will establish a TCP connection). Since most proxy servers only allow SSL connections to certain ports, you will also need to change the port number that the server listens on. The best is 443 since that is used for HTTPS, but if the server is also running a web server on port 443, then 563 is probably the next best choice. This port is assigned to NNTPS, and is allowed by the default Squid configuration. The following two lines enable TCP connections and change the port number.
The client configuration is also very similar. It simply needs to enable TCP connections, set the correct port number, and specify the proxy server.
OpenVPN can also authenticate to the proxy server using either Basic or NTLM authentication. To enable this add "
For my Masters project I need a method by which the user can specify which functions should be run on an SPE1. This method should be simple, clear and easy to turn on and off. I stumbled upon a blog post a little while ago (I think it was this one) which explained decorators in Python, which is the perfect tool for the job. Decorators are used to transform functions, but without changing the function itself or the calls to it.
Seeing that I've spent countless hours setting up my Drupal installation, I thought that I would share this with others and document it for future reference. Drupal is an extremely powerful CMS which can be used to create a wide variety of sites. The disadvantage of this is that it requires a fair amount of work to setup a straightforward blog, which involves installing and configuring numerous modules.
Since there is no Ubuntu package for Drupal 6, I created my own package based
Clean URLs allows one to have URLs like
Lighttpd does however have a module which allows one to add scripts to the
request process written in [Lua]. A script has already been
[developed][drupal.lua-devel] which implements the required rewriting for Drupal. The following
When Drupal is first installed, there is no mention of blogging as such. The first step is to enable the Blog core module1. This creates a blog content type and enables a blog for each user. (The module is designed for a multi-user blog, but can be used for a single user as well.) However, this doesn't give you all the functionality you expect from a blog engine.
Tagging is handled by the Taxonomy core module. You first need to create a vocabulary though, and enable it for blog posts. (This took me ages to discover.) In order to get nice URLs (including the date and post title, for example) you need to install the [Pathauto] module and configure a pattern for blog posts. You may also want to define a pattern for tags.
There is also no archive functionality. The best way that I can find is the
[Views] module. It includes a pre-defined "archive" view which can display
posts from a specific month, and links to the monthly pages. Even after much
investigation I couldn't get the archive to behave like typical blog archives
Other Blog Features
The [Trackback] and [Pingback] modules implement automatic linking with other blogs. (I haven't actually tested these yet.) The Blog API core module allows the blog to be managed with external clients. The [Markdown][markdown-mod] module allows you to write posts using [Markdown] syntax instead of HTML.
Drupal enables comments for blog posts by default. The [Akismet][akismet-mod] module implements spam filtering using the [Akismet] service. The [CAPTCHA][captcha-mod] and [reCAPTCHA][recaptcha-mod] modules allows you to require users to answer a [reCAPTCHA] when submitting comments. (I haven't actually enabled [CAPTCHAs][captcha] since I haven't gotten any comment spam yet. Or real comments for that matter...)
Posting by email
The [Mailhandler] module allows you to submit posts via email. The configuration is fairly straightforward, except for the available commands which can be found [here][commands]. These can be specified at the beginning of emails and in the configuration as defaults. I use the following commands.
This creates blog posts and tags them with the "mail" tag. Posts are published and promoted to the front page, and comments are enabled.
The one thing it doesn't handle is attachments (such as images). There are a couple of modules2 which support this, but they aren't available for Drupal 6 yet. ([Vhata] has also hacked together a [photo blogging][phoblog] system, but this isn't implemented as a Drupal module.) I don't really need this feature, so I'm going to wait until these modules are updated.
The [OpenID][openid-mod] module allows you to log into your site using [OpenID]. The [OpenID URL][openidurl] module allows you to delegate your Drupal site as an OpenID by specifying your provider and/or your [Yadis] document.
Yadis documents are advertised with a
The former method can be accomplished with the
The following lines in
The tag block is generated by the [Tagadelic] module. The "Recent Tracks" block is generated from my [LastFM] feed by the Aggregator core module, and the list of networks is simply a custom block. The [Atom] feed is generated by the [Atom][atom-mod] module. The contact form, search and file upload are all core modules.
The one thing I haven't sorted out is image handling. There are a couple ways to [handle images][drupal-images] in Drupal, but none of these appeal to me (they're too complicated). I will probably just upload images as attachments and insert them manually in the body.
I have been using Gmail for a while now, and really think that it's about the best email provider out there. I recently moved my mail over from Google Apps to my own server, but I wanted the major features that I liked. I've always used a desktop mail client and used POP3 and SMTP to receive and send mail.
These are the features I particularly like:
To automatically store sent messages on the server, I used Postfix's
To make POP3 access independent from IMAP, I first configured Dovecot to use a different mail location for each as follows.
I then used the following Procmail recipe to send incoming messages to both locations.
At the moment this is only setup for my user, but it should be possible to do it for all users by creating a global