Monday, August 13, 2007

Homecase: smbclient vs cifs perma-mount 1 - 0

Smbclient and generally smb-browsers (either command-line or gui ones) are better for non-carrier-grade networks like home-LANs.

retrieved from: http://learn.clemsonlinux.org/wiki/Samba_client

If you just need to grab a file, or put a file on the server, but don't need a constant connection, it is best to either browse to the share using Gnome/KDE's built in Samba browser, or to use the command line client smbclient. This assumes you have the samba-client package installed provided by your distribution.

Using smbclient is very similar to using a command-line FTP client. Here are a few useful commands:

$ smbclient -L //hostname

Where hostname is the NetBIOS name of the machine you wish to connect to. After being prompted for a password (enter no password for anonymous login) this command will give you a list of available shares on the machine, plus some other information.

To connect to a share, you must specify the share name, in the format //hostname/sharename where sharename could be the name of a file share, or a printer, or anything else Samba can handle.

$ smbclient //joescomp/joe

After entering joe's password, you are given an smb: \> prompt where you may enter commands much like an FTP client. Some commands include ls, get, put, rm, help and quit. The help command will list all the commands, and help command will give help on a certain command.




Tuesday, August 7, 2007

Zyxel NAT loopback and dyndns in-lan access problems

retrieved from:
http://www.howforge.com/4-steps-to-turn-on-nat-loopback-in-zyxel-router

The problem:


I'm using Zyxel 650R-31 [...] ...

I try to access local web service using my DynDNS address from my PC, which is behind the router, and all I got was the router login page instead of the web page itself.

I asked many ppl that also use ADSL router and they keep telling me that this is normal T_T

Million thanks for the useful tips!




The solution:

Step #1:

My colleage used ZyXEL Prestige 650R-31 as the main ADSL router for his company. It works very well and so stable. Last week he asked me to help him setup a server placed behide the ADSL router to be accessible anywhere from Internet. The main service is e-mail so I just added port forwarding via web-based configuration. It was so easy and worked like a charm. However, the connection could not establish if he sat inside the NAT. The problem is so called "NAT loopback". I found this kind of problem in D-Link also.

Fortunately, ZyXEL allows to enable NAT loopback via commandline interface. What I do to solve this problem is just 4 steps.

  1. Telnet to the router and enter administrative password
  2. Go to menu 24 and then 8
  3. Run command "ip nat loopback on"
  4. Type "exit" and then 99 to quit from the management screen

Thanks ZyXEL and cpbotha for this very useful hidden command. It would be better if it can be altered via web interface.



Comment:

I also found the following tip about the "ip nat loopback on" bit


ras> ip nat loopback on

This will turn it on but if you reboot the setting will go back to default (i.e. `off').

To make the 660 keep the setting telnet in to 24 , 8

  • Type:

    sys edit autoexec.net

  • Press "i", then type "ip nat loopback on"

  • Press "x" to save the configuration.

To verify the changes took place correctly type:

sys view autoexec.net

Scroll up to the _first_ line displayed by the above command and you should be seeing the `ip nat loopback on' bit.



Step #2:

Double-check that port-forwarding is appropriately set in your router to forward the http-port to the lan-server you want (your pc or whatever).


In addition to the above it would also be useful to change the default http, ftp, telnet ports for remote management to something else than the default ones - theoretically there is no need for this but `just-in-case'. The port-changes can be done easily through the web-configuration interface.

Also note that the above is only _one_ of the issues one has to tackle in setting up a home-http-server.


The `blocked-ports' issue with some ISPs (including OteNET):

As of the time of this writting there are some problems with OteNET's policy regarding port 80. It seems it's only possible to run an http server only if it's binded to port number equal to or higher than 1023 (at least) - it appears that all ports from 1 up to and including 1022 are blocked for all services (http, ssh, ftp) by OteNET at least for costumers having dynamic IPs. Other ISPs are known to follow a similar policy.

Changing the default ports on servers behind the router to ports >= 1023 seems to be the only way over this second obstacle.

Userland http-servers: The `port < 1024'-problem vS hackers

Retrieved from:
http://it.newinstance.it/2005/06/23/how-to-do-port-redirection-with-debian-and-doing-so-securing-tomcat/

How to do port redirection with Debian (and doing so, securing Tomcat)

First of all, I have to precise that I'm not a sysadmin, and you may not assume that the things as explained here are best way to handle the problem, or just that this is a correct one. This worked for me yesterday night, and I share my notes here so that I'll find this easier next time, and hoping that someone will find this useful and time saving.

The problem

Why whould you want to do port redirection?

If you want to put a web server on internet it would be great to have it run on standard http port (80), as many company proxies just refuse to connect on other ports. You can think to just configure tomcat's server.xml to run on port 80 instead of the default one, at 8080. Using unix, this would work only if you run tomcat as priviledged user (root) because of common users cannot bind port under 1024.

"What's the problem?" could you say, but - believe me - leving a server online with tomcat running with root priviledges can be a very bad idea.

So, resuming, the problem is:

  1. you would like to bind tomcat on http port
  2. you want to run tomcat with a restricted user, to avoid hackers to gain root privileges
  3. ... but restricted users cannot bind http port (1 & 2 are in conflict)

Possible Solutions

There may be many solutions to this problem. Searching the net I've found an article titled "Running JSP Through Apache with mod_jk2" explaining how to work around this limtation. There are three possibilities:

  1. Accessing Tomcat on Port 80 (running tomcat as root)
  2. Forwarding Incoming Port 80 requests to Port 8080 using iptables
  3. Using Apache to forward incoming requests on http port to tomcat on port 8080 (mod_jk2)
The first possibility is the root of my problem, not a solution :-) . And also the mentioned article says that it's not a great idea. Using iptables (configuring unix firewall) could be a good solution. Also using apache can be good and I don't like to add useless software layers ("just forwarding" is useless, imho), as additional layers too often add complessity to systems. So I choosed to use iptables port forwarding.

Iptables howto

Being a windows user, and not knowing much about unix administration, the first thing I searched over the net was the command to be typed to do port forwarding. I ever didn't know anything about iptables.
After some tries I find this:

hal9000:~# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
hal9000:~# iptables-save

I tried at command line and it worked: request on http port were forwarded to tomcat! So, iptables is the solution. But after a reboot those rules were lost: the problem now is "how to make those rules persistent thru reboots?". Before continuing the search over the net I tried
"man iptables" then looking on my own hard disk I found a little howto in

/usr/share/doc/iptables/README.Debian.gz.

Reading it (Chap "3. running iptables"), I've met a new utility: "The closest to standard is the
ipmasq package". I like to do things close to standards.
Things to do now:

  1. prepare a "self-written or acquired scripts to run at system startup" into /etc/init.d
  2. use update-rc.d to update the SysV run level processes
I tried to run ipmasq and I got a "command not found" error. This is a problem for apt-get :-) . I've installed ipmasq using the command "apt-get install ipmasq". After instal, the setup ask for some options and I just leaved the defaults. After an installation is always a good idea to run "mandb" command to update man databases.
Then I typed at command line:
hal9000:~# ipmasq -v
#: Interfaces found:
...ipmasq displayed lot of default settings here...

Good: ipmasq is there.
Now it's time for the scripts. To configure ipmasq you have to create a file .rul in /etc/ipmasq/rules path. Here's the mine:

hal9000:~# cat /etc/ipmasq/rules/F00chain.rul
#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#: $IPTABLES -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Now we've to configure SysV init system to run ipmasq on startup. Taking example from /etc/init.d/skeleton file, I've written following script:

hal9000:/etc/init.d# cat /etc/init.d/ipmasq
#! /bin/sh
#
# ipmasq.init Set up IP Masquerading for Debian systems
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="Firewall"
NAME=ipmasq
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

#
# Function that starts the daemon/service.
#
d_start() {
$DAEMON
}

case "$1" in
start|restart|force-reload)
echo -n "Starting $DESC: $NAME"
d_start
echo "."
;;
stop)
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac

exit 0

hal9000:/etc/init.d# chmod 755 /etc/init.d/ipmasq












Notice that you have to chmod 755 the file (as shown upon) as it needs to be executable.
Then we've to update SysV runlevels procedures with following command (and its output):

hal9000:/etc/init.d# update-rc.d ipmasq defaults 10
Adding system startup for /etc/init.d/ipmasq ...
/etc/rc0.d/K10ipmasq -> ../init.d/ipmasq
/etc/rc1.d/K10ipmasq -> ../init.d/ipmasq
/etc/rc6.d/K10ipmasq -> ../init.d/ipmasq
/etc/rc2.d/S10ipmasq -> ../init.d/ipmasq
/etc/rc3.d/S10ipmasq -> ../init.d/ipmasq
/etc/rc4.d/S10ipmasq -> ../init.d/ipmasq
/etc/rc5.d/S10ipmasq -> ../init.d/ipmasq

This command says to create links to /etc/init.d/ipmasq script for all runlevels at position 10: you see that created files contains "K10" and "S10" in their name, they are the startup and kill links for the service. Runlevels links are executing in order by their name, so 10 means that our script will be executed quite early.

We've done. At next reboot we should see "Starting Firewall: ipmasq" message before the login prompt. Now - if all went right - your firewall should forward http request to port 8080. And you can run tomcat on port 8080 with a restricted user, and access it from internet on standard http port.

...and now you know it :-)