June 14, 2010

Country based packet filtering in RHEL 5.x

Filed under: Messaging, Redhat/Fedora, Zimbra, linux — morgan @ 23:51

This is adapted from the Debian instructions found here:
http://www.debian-administration.org/articles/518

Install the Red Hat source repository and yum-utils (after http://www.cyberciti.biz/faq/yum-download-source-packages-from-rhn). Keep gpgcheck=1 and check the signature on the downloaded source rpms (rpm -K) before unpacking them: what follows ends up inside your kernel.

# vi /etc/yum.repos.d/srpm.repo
[rhel-src]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=ftp://ftp.redhat.com/pub/redhat/linux/enterprise/$releasever/en/os/SRPMS/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# yum install yum-utils
# mkdir /usr/src/redhat

Get the kernel source. yumdownloader leaves the .src.rpm in the current directory; install that source rpm with rpm -i first (as root, so its contents land in /usr/src/redhat/SOURCES, which is why the directory was created above), then unpack the tarball:

# yumdownloader --source kernel-2.6.18
# tar xfj /usr/src/redhat/SOURCES/linux-2.6.18.tar.bz2 -C /usr/src

Get the iptables source the same way (download, rpm -i the source rpm, unpack the tarball):

# yumdownloader --source iptables
# tar xfj /usr/src/redhat/SOURCES/iptables-1.3.5.tar.bz2 -C /usr/src

Get patch-o-matic, which will patch both iptables and the kernel. The snapshot below and the patchlet after it arrive over plain HTTP with nothing verifying them, so compare them against a copy you trust before they go into the kernel.

# wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070414.tar.bz2
# tar xjf patch-o-matic-ng-20070414.tar.bz2

get the geoip patchlet:

# wget http://people.netfilter.org/peejix/patchlets/geoip.tar.gz
# tar xfz geoip.tar.gz -C patch-o-matic-ng-20070414/patchlets

Apply the geoip patchlet

# cd patch-o-matic-ng-20070414
# KERNEL_DIR=/usr/src/linux-2.6.18/ IPTABLES_DIR=/usr/src/iptables-1.3.5/ ./runme geoip

Loading patchlet definitions.................. done

Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel:   2.6.18, /usr/src/linux-2.6.18/

Iptables: 1.3.5, /usr/src/iptables-1.3.5
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing geoip... not applied
The geoip patch:
   Author: Samuel Jean ; Nicolas Bouliane 
   Status: Stable

This patch makes possible to match a packet
by its source or destination country.

GeoIP options:
        [!]   --src-cc, --source-country country[,country,country,...]

                        Match packet coming from (one of)
                        the specified country(ies)

        [!]   --dst-cc, --destination-country country[,country,country,...]

                        Match packet going to (one of)
                        the specified country(ies)

           NOTE: The country is inputed by its ISO3166 code.

The only extra files you need is a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] ?
Answer one of the following:
  T to test that the patch will apply cleanly
  Y to apply patch
  N to skip this patch
  F to apply patch even if test fails
  A to restart patch-o-matic in apply mode
  R to restart patch-o-matic in REVERSE mode
  B to walk back one patch in the list
  W to walk forward one patch in the list
  Q to quit immediately
  ? for help
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] T
Patch geoip applies cleanly
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.

Recompile the kernel image (if there are non-modular netfilter modules).
Recompile the netfilter kernel modules.
Recompile the iptables binaries.
#

Build the kernel module. Start from the running kernel's configuration (copy /boot/config-$(uname -r) to .config first) rather than the defaults make oldconfig otherwise fills in, and bear in mind that /usr/src/linux-2.6.18 is the unpatched upstream tarball while the running kernel (2.6.18-128.1.10.el5 below) carries the Red Hat patch set. The kernel compares a module's version magic and symbol versions with its own, so if modprobe refuses the module later, read dmesg for the reason and rebuild against the patched tree (rpmbuild -bp on the kernel SRPM) with EXTRAVERSION set so the tree reports the same release string as uname -r.

# cd /usr/src/linux-2.6.18
# make oldconfig
…
    geoip match support (IP_NF_MATCH_GEOIP) [N/m/?] (NEW) m
…
# make modules_prepare


Compile just the netfilter modules

# make -C $(pwd) M=net/ipv4/netfilter/ modules
# cp -i net/ipv4/netfilter/ipt_geoip.ko /lib/modules/2.6.18-128.1.10.el5/kernel/net/ipv4/netfilter/

Build the iptables libipt_geoip.so library

# cd /usr/src/iptables-1.3.5
# make KERNEL_DIR=/usr/src/linux-2.6.18/ extensions/libipt_geoip.so
Making dependencies: please wait...
cc -O2 -Wall -Wunused -I/usr/src/linux-2.6.18//include -Iinclude/ -DIPTABLES_VERSION=\"1.3.5\"  -fPIC -o extensions/libipt_geoip_sh.o -c extensions/libipt_geoip.c
ld -shared  -o extensions/libipt_geoip.so extensions/libipt_geoip_sh.o
# cp extensions/libipt_geoip.so /lib64/iptables

(/lib/iptables on a 32-bit install.)

Insert the module into the kernel

# depmod
# modprobe ipt_geoip


Todo: load the module on boot? Note that the kernel requests ipt_geoip through modprobe the first time a rule using -m geoip is inserted, so the rules restored by the iptables init script at boot will load it on their own, as long as depmod has been run and the .ko sits under the running kernel's module tree.

Create the IP-country mapping. The MaxMind CSV is fetched over plain HTTP and is the sole basis for every match decision, so take it from a source you trust and refresh it regularly: address blocks move between countries.

# wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
# unzip  GeoIPCountryCSV.zip
# wget http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
# tar xzf csv2bin-20041103.tar.gz
# cd csv2bin
# make
# ./csv2bin ../GeoIPCountryWhois.csv
# mkdir /var/geoip
# mv geoipdb* /var/geoip

Test

World Cup mania means we happened to have a colleague in South Africa, so we blocked the whole country on a test server and had him attempt to connect to https:

# /sbin/iptables -A INPUT -p tcp --dport 443 -m geoip --src-cc ZA -j REJECT

Two things to check before relying on a rule like this. -A appends, so on a host with the stock RHEL firewall it lands after the jump to RH-Firewall-1-INPUT, and an ACCEPT for port 443 in there wins; list the chain with --line-numbers and use -I to put the geoip rule ahead of it. REJECT also tells the client it was refused, where DROP says nothing. And the match is only as good as the database it was built from, covers IPv4 only, and has to be rebuilt after every kernel update.
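What the csv2bin step builds and what the match then does per packet, as an added Python example that is not part of the original post, of csv2bin or of the netfilter geoip patch. It loads ranges from the six-column layout of the legacy GeoIPCountryWhois.csv, rejects a table the binary search could not trust, answers "which country owns this address", and turns one country's ranges into CIDR blocks so the same policy can be written as plain -s rules on a host without the geoip match. The CSV rows are constructed sample data in that layout, not MaxMind's real assignments, and the names load_ranges, check_table, CountryTable and iptables_rules are this example's own.

```python
"""Country lookup from the legacy GeoIPCountryWhois.csv layout.

Added example for the post above; not code from the post, from csv2bin
or from the netfilter geoip patch.  The CSV rows are constructed sample
data in the real six-column layout, not MaxMind's actual assignments.
"""
import bisect
import csv
import io
import ipaddress

# Constructed sample rows: "start ip","end ip","start int","end int","cc","name"
SAMPLE_CSV = (
    '"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"\n'
    '"196.0.0.128","196.0.1.255","3288334464","3288334847","KE","Kenya"\n'
    '"41.0.0.0","41.0.255.255","687865856","687931391","ZA","South Africa"\n'
    '"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"\n'
    '"196.0.0.0","196.0.0.127","3288334336","3288334463","ZA","South Africa"\n'
)

# Same table plus a row that overlaps two others; load_ranges must reject it.
OVERLAPPING_CSV = SAMPLE_CSV + (
    '"196.0.0.100","196.0.0.200","3288334436","3288334536","ZA","South Africa"\n'
)


def load_ranges(text):
    """Parse CSV text into a list of (start, end, cc) with integer bounds,
    sorted by start.  Each row is cross-checked (dotted quad against the
    integer columns, start <= end, two-character code) and the sorted table
    is checked for overlaps: a corrupt or hand-edited table would otherwise
    make the binary search in CountryTable return the wrong country silently."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            raise ValueError("short row: %r" % (row,))
        start = int(ipaddress.IPv4Address(row[0]))
        end = int(ipaddress.IPv4Address(row[1]))
        if (start, end) != (int(row[2]), int(row[3])):
            raise ValueError("dotted and integer columns disagree: %r" % (row,))
        if start > end:
            raise ValueError("start after end: %r" % (row,))
        cc = row[4].strip().upper()
        # isalnum, not isalpha: the legacy files also carry codes such as A1/A2.
        if len(cc) != 2 or not cc.isalnum():
            raise ValueError("bad country code: %r" % (row,))
        ranges.append((start, end, cc))
    ranges.sort()
    for (_, prev_end, _), (start, _, _) in zip(ranges, ranges[1:]):
        if start <= prev_end:
            raise ValueError("overlap at %s" % ipaddress.IPv4Address(start))
    return ranges


def check_table(text):
    """Return None if the CSV loads cleanly, otherwise the validation message."""
    try:
        load_ranges(text)
    except ValueError as exc:
        return str(exc)
    return None


class CountryTable:
    """Sorted range table with the lookup the kernel match performs per packet."""

    def __init__(self, ranges):
        self.ranges = ranges
        self.starts = [start for start, _, _ in ranges]

    def lookup(self, addr):
        """Country code for addr, or None when no range covers it."""
        n = int(ipaddress.IPv4Address(addr))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None

    def cidrs(self, cc):
        """All of cc's ranges as CIDR blocks, adjacent blocks merged."""
        nets = []
        for start, end, code in self.ranges:
            if code == cc.upper():
                nets.extend(ipaddress.summarize_address_range(
                    ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
        return [str(net) for net in ipaddress.collapse_addresses(nets)]

    def iptables_rules(self, cc, dport=443, target="REJECT"):
        """Equivalent plain rules for a host without the geoip match.
        -I (insert) rather than -A, so they sit ahead of any earlier ACCEPT
        for the port; a rule appended behind such an ACCEPT never fires."""
        return ["iptables -I INPUT -p tcp --dport %d -s %s -j %s" % (dport, net, target)
                for net in self.cidrs(cc)]


TABLE = CountryTable(load_ranges(SAMPLE_CSV))

if __name__ == "__main__":
    for ip in ("196.0.0.5", "196.0.0.200", "8.8.8.8"):
        print(ip, TABLE.lookup(ip))
    print("\n".join(TABLE.iptables_rules("ZA")))
```

To run it against a real download, read the file with encoding='latin-1' (the legacy files were ISO-8859-1) and pass the text to load_ranges; the overlap check is the part worth keeping, since a range table that overlaps makes any binary-search lookup, the kernel's included, return whichever range happens to sort first.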

October 7, 2008

Slicehost: a first impression

Filed under: Redhat/Fedora, Web, linux — morgan @ 17:17

You are reading this post on my newly migrated slicehost xen virtual machine.

This is my first hosting experience: until now my web site was running off of a machine under my desk at home. This is obviously not ideal for bandwidth or reliability. Slicehost caters to a technical demographic that just wants a stripped down OS and little or no management tools. And it’s cheap to start.

Initially I installed mysql, apache2, php and various supporting packages. I loaded databases for Wordpress and Gallery2 and rsynced my data over. With a little tweaking everything was up and running.

As you may know Gallery2 generates thumbnails on the fly as users visit the site. I cleared the thumbnails during some troubleshooting so they had to all be regenerated on my slicehost. What I found was that on the 256mb slice the system spent an inordinate amount of time in iowait and in many cases Gallery pages would timeout. It took noticeably longer than the Pentium III 350mhz I just migrated from.

After adding swap files without improvement I finally upgraded to a 512mb slice. Result: it screams. Ultimately the 256mb slice is just not enough to contain the OS and an application of any significant size.

My initial thoughts were that slicehost was a disaster and I should run, but really their baseline package is just *really* lean on memory. If you’re having problems you might want to try upgrading before any further troubleshooting: they bill pro-rated and will allow you to fall back at no charge if you don’t like the updated slice.

April 27, 2008

Zimbra LDAP Debugging

Filed under: Directory/LDAP, Messaging, Redhat/Fedora, Zimbra, linux — morgan @ 4:36

Multi-node Zimbra installs sometimes fail in mysterious ways. We recently resolved what turned out to be a network problem, but it was causing our Zimbra install to fail with what I originally suspected was an LDAP problem. I think the troubleshooting process may prove useful. This is Zimbra 5.0.4:

If a store doesn’t appear to be communicating with its LDAP master, here’s how I debugged it.

On the ldap master:


# vi /etc/syslog.conf
    local4.debug          -/var/log/zimbra.log
# /sbin/service syslog reload
Reloading syslogd...                                       [  OK  ]
Reloading klogd...                                         [  OK  ]
# su - zimbra
$ zmlocalconfig -e ldap_log_level=800
$ zmcontrol stop && zmcontrol start

Now tail -f /var/log/zimbra.log for slapd logging

Now from the store:

yum install openldap-clients (RHEL5) or
up2date openldap-clients (RHEL4) if ldapsearch isn’t installed


$ ldapsearch -h zldap.morganjones.internal -W -x -LL -D cn=config -b cn=zimbra objectclass=*
Enter LDAP Password:
version: 1 

dn: cn=zimbra
objectClass: organizationalRole
description: Zimbra Systems Application Data
cn: zimbra 

dn: cn=admins,cn=zimbra
objectClass: organizationalRole
description: admin accounts
cn: admins 

...

dn: cn=com_zimbra_convertd,cn=zimlets,cn=zimbra
zimbraZimletDescription: Convertd Extension for Admin UI
zimbraZimletVersion: 1.0
objectClass: zimbraZimletEntry
zimbraZimletIndexingEnabled: TRUE
zimbraZimletKeyword: com_zimbra_convertd
cn: com_zimbra_convertd
zimbraZimletIsExtension: TRUE
zimbraZimletPriority: 12
zimbraZimletEnabled: TRUE
$

side note: Zimbra uses STARTTLS on the LDAP port for the connections between stores and the LDAP server (the zmsetup log below shows that step failing). The flags above do not control that: ‘-LL’ only trims comments from the LDIF output, and -x selects a simple bind instead of SASL. To exercise the same STARTTLS path the installer uses, add -ZZ, which issues STARTTLS and fails if the server refuses it.

Here’s the background that started me down this path:

Install ldap master with at least zimbra-ldap

Install a store, answer ‘n’ to zimbra-ldap and ‘y’ to zimbra-store. At the main menu choose ‘1’ for Common Configuration.

Set the Ldap master host and Ldap Admin password; when I typed ‘r’ it hung just like this:


Common configuration

   1) Hostname:                                store01.morganjones.internal
   2) Ldap master host:                      zldap.morganjones.internal
   3) Ldap port:                                389
   4) Ldap Admin password:                 set
   5) LDAP Base DN:                           cn=zimbra
   6) Require secure interprocess communications: yes
   7) TimeZone:
             (GMT-05.00) Easten Time (US & Canada)

Select, or 'r' for previous menu [r] r

A quick look at /tmp/zmsetup* revealed:


Couldn't bind to zldap.morganjones.internal as uid=zimbra,cn=admins,cn=zimbra
Checking ldap on zldap.morganjones.internal:389
Unable to startTLS: Resource temporarily unavailable
Couldn't bind to zldap.morganjones.internal as uid=zimbra,cn=admins,cn=zimbra
checking isEnabled zimbra-store

Aha, an LDAP connectivity problem.

March 18, 2007

lighttpd and mailman

Filed under: Messaging, Redhat/Fedora, linux — morgan @ 23:07

There does not appear to be a how-to about integrating mailman with lighttpd. I’m relatively new to lighttpd and it’s pretty different from Apache. Please let me know if I am missing something significant.

I am using mailman 2.1.9 installed from rpm in Fedora Core 6 (fc6). There should not be much difference if you install it from the distribution.

If you install mailman from scratch it is important that you run configure with --with-cgi-gid=lighttpd. Substitute ‘lighttpd’ with the group lighttpd will run as; lighttpd runs as group ‘lighttpd’ by default in fc6. The Mailman CGI wrappers are setgid and refuse to run unless the calling web server’s group matches the one compiled in here.


# mkdir /srv/www/lighttpd/images
# cp /usr/lib/mailman/icons/* /srv/www/lighttpd/images
# vi /usr/lib/mailman/Mailman/mm_cfg.py
    IMAGE_LOGOS = '/images/'
# vi /etc/lighttpd/lighttpd.conf


uncomment the following from "server.modules:"


    "mod_redirect",
    "mod_cgi",


If you're running lighttpd and mailman from the Fedora RPM, the wrappers were compiled for Apache's group, so lighttpd has to run as that group:


    server.groupname            = "apache"


then


    # Exec        /mailman/*      $prefix/cgi-bin/* or
    # ScriptAlias /mailman/       $prefix/cgi-bin/
    alias.url = ( "/mailman" => "/usr/lib/mailman/cgi-bin",
        "/pipermail/" => "/var/lib/mailman/archives/public")
    $HTTP["url"] =~ "^/mailman" {
        cgi.assign = ( "" => "" )
    }

The Apache config directives are in comments above. In essence:
Alias /mailman to "/usr/lib/mailman/cgi-bin" on the filesystem (and /pipermail/ to the public archives).
Tell lighttpd that any web path starting with /mailman contains executables.
cgi.assign = ( "" => "" ) means: the empty suffix matches every file under that path, and the empty interpreter means the file is run directly rather than handed to an interpreter. That is what Mailman's compiled wrappers need, and it is also why the alias should point only at the cgi-bin directory: anything reachable under /mailman gets executed.

March 13, 2007

Zimbra install fails due to missing /usr/lib64/libstdc++.so.5

Filed under: Messaging, Redhat/Fedora, Zimbra, linux — morgan @ 18:03

We are running Zimbra 4.5.3 Network Edition on Sun x4200s and x4100s with RHEL4. We’ve fully patched Red Hat and I’m 99% certain Red Hat was installed with full 64-bit support.


# gzip -dc zcs-NETWORK-4.5.3_GA_733.RHEL4_64.tgz |tar xf -
# cd zcs
# ./install.sh
...
Checking for prerequisites...
    NPTL...FOUND
    sudo...FOUND sudo-1.6.7p5-30.1.3
    libidn...FOUND libidn-0.5.6-1
libidn-0.5.6-1
    curl...FOUND curl-7.12.1-8
curl-7.12.1-8
    fetchmail...FOUND fetchmail-6.2.5-6
    gmp...FOUND gmp-4.1.4-3
gmp-4.1.4-3
    compat-libstdc++-296...FOUND compat-libstdc++-296-2.96-132.7.2
    compat-libstdc++-33...FOUND compat-libstdc++-33-3.2.3-47.3
    /usr/lib/libstdc++.so.5...FOUND
    /usr/lib64/libstdc++.so.5...MISSING

###ERROR###

One or more prerequisite packages are missing.
Please install them before running this installer.

Installation cancelled.

#

The solution is relatively simple:


# up2date --arch=x86_64 -i compat-libstdc++-33

Fetching Obsoletes list for channel: rhel-x86_64-es-4...

Fetching rpm headers...
########################################

Name                                    Version        Rel
----------------------------------------------------------
compat-libstdc++-33    3.2.3    47.3     x86_64

Testing package set / solving RPM inter-dependencies...
########################################
compat-libstdc++-33-3.2.3-4 ########################## Done.
Preparing              ######################################
##### [100%]

Installing...
   1:compat-libstdc++-33
########################################### [100%]
#

Red Hat doesn't name their 64-bit packages differently from their 32-bit ones (the compat-libstdc++-33 the installer found above is the i386 build; the x86_64 build has the same name and version). I expect there's a way to tell the difference.

February 7, 2007

up2date looks for RHEL3(el3) packages in RHEL4 (el4)

Filed under: Redhat/Fedora, linux — morgan @ 20:20

# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
# up2date -i nagios-nrpe nagios-plugins nagios-plugins-nrpe
...
Name                                    Version        Rel
----------------------------------------------------------
nagios-nrpe                 2.5.2    1.el3.rf    i386
nagios-plugins            1.4.5    1.el3.rf    i386
nagios-plugins-nrpe    2.5.2    1.el3.rf     i386  

Testing package set / solving RPM inter-dependencies...
...
There was a package dependency problem. The message was:

Unresolvable chain of dependencies:
nagios  2.7-1.el3.rf                     requires libgd.so.1.8
...

The solution is simple:

# vi /etc/sysconfig/rhn/sources

change
yum dag http://apt.sw.be/redhat/el3/en/$ARCH/dag
to
yum dag http://apt.sw.be/redhat/el4/en/$ARCH/dag

You need to clear out the incorrect RHEL3 (el3) headers. If you don't, it will continue working with the RHEL3 headers it has stored in /var/spool/up2date:

# cd /var/spool/up2date
# ls *el3*
3ddesktop-0.2.7-1.1.el3.dag.i386.hdr
4g8-1.0-1.1.el3.rf.i386.hdr
855resolution-0.4-4.el3.rf.i386.hdr
915resolution-0.5.2-2.el3.rf.i386.hdr
a52dec-0.7.4-8.el3.rf.i386.hdr
a52dec-devel-0.7.4-8.el3.rf.i386.hdr
aalib-1.4.0-5.1.el3.dag.i386.hdr
aalib-devel-1.4.0-5.1.el3.dag.i386.hdr
...
# cd /var/spool/up2date
# mkdir /tmp/old_el3_headers
# mv * /tmp/old_el3_headers

Now you're ready to download el4 packages:

# up2date -i nagios-nrpe nagios-plugins nagios-plugins-nrpe
...
Name Version Rel
----------------------------------------------------------
nagios-nrpe 2.5.2 1.el4.rf i386
nagios-plugins 1.4.5 1.el4.rf i386
nagios-plugins-nrpe 2.5.2 1.el4.rf i386
...

Preparing ########################################### [100%]

Installing...
1:perl-Digest-SHA1 ########################################### [100%]
2:perl-Digest-HMAC ########################################### [100%]
3:perl-Socket6 ########################################### [100%]
4:perl-Crypt-DES ########################################### [100%]
5:perl-Net-SNMP ########################################### [100%]
6:nagios warning: group apache does not exist - using root)
########################################### [100%]
7:fping ########################################### [100%]
8:nagios-plugins ########################################### [100%]
9:nagios-nrpe ########################################### [100%]
10:nagios-plugins-nrpe ########################################### [100%]
The following packages were added to your selection to satisfy dependencies:

Name Version Release
--------------------------------------------------------------
fping 2.4 1.b2.2.el4.rf
nagios 2.7 1.el4.rf
perl-Crypt-DES 2.05 3.2.el4.rf
perl-Net-SNMP 5.2.0 1.2.el4.rf
perl-Socket6 0.19 1.2.el4.rf
perl-Digest-HMAC 1.01 13
perl-Digest-SHA1 2.07 5
