Friday 20 November 2009

Creating user based firewalls on inbound pptp connections

There are situations where you want to allow a remote user to connect to your network using pptp, but you want to lock down which devices on the network they can reach.

Usually with the Linux pptp setup, once the user is connected (and assuming IP forwarding is enabled on the host that is the pptp endpoint), they have access to anything on the local subnet.

What I've done to allow some control over this situation is create some custom scripts to go in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d

For the "up" version I have:

#!/bin/sh
# Run by /etc/ppp/ip-up with PPP_IFACE set to the new interface (e.g. ppp0).
# pppd also exports PEERNAME, the authenticated name of the peer; fall back to
# looking the interface up in the output of w if it is not set (grep -w stops
# ppp1 matching ppp10).
PPP_USER="${PEERNAME:-$(/usr/bin/w -h | /bin/grep -w "$PPP_IFACE" | /bin/sed 's/ .*//')}"

# The name is used to build a path, so refuse an empty value, a slash or
# anything that is not a plain account name.
case "$PPP_USER" in
  ""|*/*|*[!A-Za-z0-9._-]*) exit 0 ;;
esac

if [ -x "/etc/ppp/userfw/$PPP_USER" ]; then
  "/etc/ppp/userfw/$PPP_USER"
fi

exit 0


and for the down version I have

#!/bin/sh
# Run by /etc/ppp/ip-down with PPP_IFACE set. For each chain, delete every rule
# that mentions this interface, by rule number, until none remain. grep -w
# matches the whole interface name so ppp1 going down does not delete ppp10's rules.
purge_iface_rules() {
  chain="$1"
  while :; do
    rule=$(/sbin/iptables -L "$chain" -n -v --line-numbers | /bin/grep -w "$PPP_IFACE" | /usr/bin/head -1 | /bin/sed 's/ .*//')
    [ -n "$rule" ] || break
    /sbin/iptables -D "$chain" "$rule"
  done
}

purge_iface_rules FORWARD
purge_iface_rules INPUT

exit 0


Then create a directory /etc/ppp/userfw and put in there per user scripts

e.g.
#!/bin/sh
# /etc/ppp/userfw/<username> - run by the up script with PPP_IFACE set
/sbin/iptables -A FORWARD -i "$PPP_IFACE" -j ACCEPT
/sbin/iptables -A INPUT -i "$PPP_IFACE" -j ACCEPT


(yes - that's a silly example as it just gives complete access - which they had anyway)

With this lot, you have a simple method to lock certain users down so they can only reach certain things on your network, with all the flexibility of the iptables system. The important thing is to make sure that all your user based rules reference the interface with $PPP_IFACE, so that they are attached to the right connection and are deleted again by the down script when the interface goes away; the down script only looks at FORWARD and INPUT, so rules put anywhere else will be left behind. Also bear in mind that the per-user script only restricts anything if the FORWARD and INPUT chains otherwise drop traffic arriving from the ppp interfaces: if a chain already ends in a blanket ACCEPT, rules appended with -A are never reached, so either insert them with -I or get rid of the catch-all.
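As an added example (not code from the original post), here is the same idea done with a per-connection chain instead of grepping rule numbers out of iptables -L: the up script creates a chain named after the interface, jumps into it from INPUT and FORWARD for packets arriving on that interface, runs the user's policy script against it and ends the chain with a DROP; the down script then only has to remove the two jumps and delete the chain. The user name comes from pppd's PEERNAME, and is validated before it is used to build a path. IPTABLES defaults to /sbin/iptables and can be pointed at echo for a dry run; the /etc/ppp/userfw layout, the CHAIN variable handed to the policy script and the "alice" policy in the comment are assumptions.

```shell
#!/bin/sh
# Added example: per-connection iptables chain for a pptp user.
# Assumes pppd has exported PPP_IFACE (Debian ip-up wrapper) and PEERNAME.
IPTABLES="${IPTABLES:-/sbin/iptables}"
USERFW_DIR="${USERFW_DIR:-/etc/ppp/userfw}"   # assumed layout, as in the post

# Chain name derived from the interface: ppp0 -> userfw_ppp0.
# iptables chain names are limited to 28 characters, so refuse anything longer.
userfw_chain() {
    chain="userfw_$1"
    [ ${#chain} -le 28 ] || return 1
    printf '%s\n' "$chain"
}

# Accept only a plain account name: the name is used to build a file path,
# so an empty value, a slash or shell metacharacters must be rejected.
userfw_valid_user() {
    case "$1" in
        ""|*/*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Bring the chain up: create it, jump to it from INPUT and FORWARD for packets
# arriving on this interface, run the user's policy, then finish with a DROP
# so a user without a policy file (or with an empty one) gets nothing.
userfw_up() {
    iface="$1" user="$2"
    chain=$(userfw_chain "$iface") || return 1
    userfw_valid_user "$user" || return 1
    "$IPTABLES" -N "$chain"
    "$IPTABLES" -I INPUT   -i "$iface" -j "$chain"
    "$IPTABLES" -I FORWARD -i "$iface" -j "$chain"
    if [ -x "$USERFW_DIR/$user" ]; then
        CHAIN="$chain" PPP_IFACE="$iface" "$USERFW_DIR/$user"
    fi
    "$IPTABLES" -A "$chain" -j DROP
}

# Tear it down: remove the jumps, flush and delete the chain. No grepping of
# rule numbers is needed because everything lives in the named chain.
userfw_down() {
    iface="$1"
    chain=$(userfw_chain "$iface") || return 1
    "$IPTABLES" -D INPUT   -i "$iface" -j "$chain"
    "$IPTABLES" -D FORWARD -i "$iface" -j "$chain"
    "$IPTABLES" -F "$chain"
    "$IPTABLES" -X "$chain"
}

# A per-user policy file then appends to $CHAIN rather than to FORWARD, e.g.
# a constructed /etc/ppp/userfw/alice allowing only SSH to one host:
#   /sbin/iptables -A "$CHAIN" -p tcp -d 192.168.1.10 --dport 22 -j ACCEPT

# Dispatch when run as "script up" from ip-up.d or "script down" from ip-down.d
case "${1:-}" in
    up)   userfw_up   "$PPP_IFACE" "$PEERNAME" ;;
    down) userfw_down "$PPP_IFACE" ;;
esac
```

The DROP at the end of the chain is what turns the scheme from "allow extra things" into "allow only these things": a user who has no policy file gets a chain containing nothing but the DROP. Reply traffic leaving towards the user goes out through the ppp interface, not in, so the -i match leaves it alone.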

Monday 2 November 2009

Bluetooth pairing on the command line

I use a Debian Linux box with the Gnokii SMS daemon to do computer based texting. Normally on a server I wouldn't want to go to the bother of installing Gnome - after all, you don't sit at the server console. But that can be an issue for doing the bluetooth pairing needed before you can use the phone with gnokii.

The answer is in /usr/share/doc/bluez-utils/examples. There's some C code in there called passkey-agent.c

Make sure you have build-essential and pkg-config and libdbus-1-dev installed then you can build it.

Then, in one terminal window run "passkey-agent 1234" and in another do "rfcomm connect rfcomm1 xx:xx:xx:xx:xx:xx" to connect to your device. The pairing will then be on the key 1234.

A useful trick to avoid installing a huge amount of stuff just to do a one off job.

Update:
Debian squeeze ships with a command "bluetooth-agent" which replaces passkey-agent and is already compiled, so you just need to run "bluetooth-agent 1234" in one terminal to set up the passkey.

Tuesday 11 August 2009

Printing from SCO OpenServer to CUPS on Debian

Ah the joys of the hideous SCO OpenServer!

So here's the plan - print jobs from a SCO OpenServer machine printing via CUPS queues so that everything's in one place. Jobs are sent by lpd from one machine to the other with the cups lpd daemon receiving the jobs and putting them in the queues for formatting as appropriate.

Now SCO's printing system is trying to be clever and do all sorts of driver things, and somehow that is getting passed through as the banner page option or something like it. Either way, the error:

Unable to create job - Bad job-sheets value "standard"!

was appearing in /var/log/syslog on the Debian box.

The solution - get the SCO box to include "-o nobanner" in its lp command e.g.

lp -o nobanner -p printer file

Then it all passes through properly.

Wednesday 15 July 2009

Extracting addresses from a Maildir folder

From time to time, one of our users wants to send an email to all the people whose addresses are in one of her mailboxes. Our IMAP setup uses Maildir folders as the back end, which have the very nice feature of each mail being a separate file.

With a little appropriate use of some Linux command line tools, the following will give a list of the sender addresses found in the given Maildir folder:

grep -ih '^Return-path:' ~username/Maildir/.mailboxname/cur/* | sed -n 's/.*<\([^>]*\)>.*/\1/p' | sort -u > ~/email.addr

A few notes on the pipeline: -i is there because Exim writes the header as "Return-path:" but most other MTAs write "Return-Path:"; -h stops grep prefixing each line with the file name, and anchoring on ^ avoids matching the string inside a message body; and sed -n ... p only prints lines that actually contain a bracketed address, so a header with a bare address (or an empty "<>" bounce sender) doesn't end up in the list as junk. Bear in mind that Return-Path is the envelope (bounce) sender, which is not always the same as the From: address the user sees.

replace username with the user in question and mailboxname with the appropriate mailbox and you will have a list of addresses in email.addr
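As an added example that is not from the original post, here is the same extraction as a shell function that goes a bit further than the one-liner: it reads both cur/ and new/, feeds the files to awk one at a time (so a very large folder does not hit the argument-list limit), looks only at the header block of each message (headers end at the first blank line, so a "Return-Path:" string in a body is ignored), accepts both "<user@host>" and bare "user@host" forms, and lets you pick a different header such as From. The Maildir path and the sample messages in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): collect sender addresses from a
# Maildir folder. Usage: maildir_addresses /path/to/Maildir/.folder [Header]
maildir_addresses() {
    dir="$1"
    header="${2:-Return-Path}"
    # find hands the files over one per line, so big folders never build one
    # enormous argument list; each file is read by awk until the header block ends.
    find "$dir/cur" "$dir/new" -type f 2>/dev/null |
    while IFS= read -r f; do
        awk -v hdr="$header" '
            # a blank line ends the header block; stop reading this file
            /^$/ { exit }
            tolower($0) ~ "^" tolower(hdr) ":" {
                val = substr($0, index($0, ":") + 1)
                # prefer the angle-bracketed address if there is one
                if (match(val, /<[^>]*>/))
                    val = substr(val, RSTART + 1, RLENGTH - 2)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (val != "") print tolower(val)
            }' "$f"
    done | sort -u
}
```

Addresses are lower-cased before sort -u so that Alice@Example.com and alice@example.com collapse into one entry; if you need the case preserved, drop the tolower on the print line.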

Tuesday 30 June 2009

Kyocera FS2020 network printing

This is tentative post - as we're not sure this is solved yet.

A new Kyocera FS2020 was having trouble printing over the network. This appears to have been solved by setting up the host name on the printer's network interface to match the name set on the DNS.

Setting mailman user passwords

Been doing some stuff using a bunch of email addresses that are handled by scripts to customise various mailman behaviours - in particular a script that issues a subscribe via the email command interface, reads the result and then mails the user to say whether they were already on the list or not.

However, to do this we needed to set all the users up with a pre-determined password, but the initial listing of mailing list recipients was done using the mass subscription which generates random passwords.

Some hunting on the internet didn't yield anything for resetting them - they could be seen using

/var/lib/mailman/bin/dumpdb /var/lib/mailman/lists//config.pck | less

but nothing popped out about changing them - then I looked in the bin directory and found reset_pw.py.

This is intended to be used to reset the passwords to new random ones - but with a little edit to the script you can use it to set the password to whatever you want, running it with:

withlist -l -r reset_pw -v

Tuesday 9 June 2009

Connecting to the Internet from Ubuntu using bluetooth to a Nokia E65

Having just set this up for about the 4th time, I thought it was about time to record what I actually do - rather than working it out each time!

First off, I get the phone and laptop paired - easy enough using the bluetooth icon on the gnome panel.

Then, edit /etc/bluetooth/rfcomm.conf to look like:

#
# RFCOMM configuration file.
#

rfcomm0 {
# Automatically bind the device at startup
bind yes;

# Bluetooth address of the device
device 00:AA:BB:CC:DD:EE;

# RFCOMM channel for the connection
channel 2;

# Description of the connection
comment "Nokia E65";
}

using the appropriate device MAC. If you don't know this then
hcitool scan

will reveal the devices that are visible in your locality, and then
sdptool browse 00:AA:BB:CC:DD:EE

will list the services the phone offers, so you can find the channel number for Dial-up Networking.

Restart bluetooth after this change.

Next create /etc/ppp/peers/orange

noauth
#change this if you move the path to your connect script
connect "/usr/sbin/chat -v -f /etc/chatscripts/orange-connect"
#change this if you move the path to your disconnect script
disconnect "/usr/sbin/chat -v -f /etc/chatscripts/orange-disconnect"
#I found that I needed this to remove problems with loopback on connecting
silent
#remove this if you don't want lots of information going to /var/log/messages
debug
#this is the device specified in your rfcomm.conf file
/dev/rfcomm0
#speed at which to connect - might be worth trying higher...
115200
#this is needed so that a default route is added to your routing table
defaultroute
#this is needed so that you pick up Orange's DNS settings
usepeerdns

lcp-echo-failure 0
lcp-echo-interval 0
nomagic
noccp


And /etc/chatscripts/orange-connect:

TIMEOUT 5
ECHO ON
ABORT '\nBUSY\r'
ABORT '\nERROR\r'
ABORT '\nNO ANSWER\r'
ABORT '\nNO CARRIER\r'
ABORT '\nNO DIALTONE\r'
ABORT '\nRINGING\r\n\r\nRINGING\r'
'' \rAT
TIMEOUT 12

OK ATE1
#here's the magic bit!
OK 'AT+CGDCONT=1,"IP","orangeinternet"'
OK ATD*99***1#
TIMEOUT 30
CONNECT ""


And /etc/chatscripts/orange-disconnect

ABORT "BUSY"
ABORT "ERROR"
ABORT "NO DIALTONE"
SAY "\nSending break to the modem\n"
"" "\K"
"" "\K"
"" "\K"
"" "+++ATH"
"" "+++ATH"
"" "+++ATH"
SAY "\nPDP context detached\n"


With all this in place, sudo pon orange should make the connection and sudo poff orange should break it.

Monday 8 June 2009

Scanning documents using SANE and an ADF on a Fujitsu M4097Ddm

Working on a document scanning project to sort out some paperless office systems, I came across an interesting problem while using the ADF on our Fujitsu M4097Ddm scanner.

The command scanimage -y 297 --source="ADF Front" resulted in a message back from sane of

scanimage: rounded value of br-y from 297 to 279.364

I.e. the page was getting truncated to US Letter length - not very helpful.

The solution is to change the order of the parameters and add an extra one:

scanimage --source="ADF Front" --pageheight=297 -y 297

Once the document source is specified then the list of available options changes and the pageheight and pagewidth options become available.

Wednesday 6 May 2009

Permissions on USB devices on LTSP terminals

In our Linux environment, all our users have the same primary group, rather than each having a private group. For the vast majority of stuff this is fine and keeps things simpler. However the method that ltsp uses for mounting USB sticks (or other local media) creates a per-user directory under /media/ on the server which has its group set to the primary group of the user and its owner set to root, with permissions of rwxr-x---.

This, combined with the users all being in the same primary group, leads to the devices that users plug in being shown on all users' desktops. They can't actually access the devices - those have different permissions - but they can see their existence, which at the least is annoying and, in the case of several people using CD drives, confusing.

My current solution is a little convoluted - but does the trick.

Firstly you need a program that can change the ownership of a directory. This has to be installed as a suid root program, as the mounting script is run by the user who is logged into the terminal. That also means the user can run it by hand with any argument they like, so it must not trust its argument: it should refuse anything that isn't a plain, existing account name and must never hand the argument to a shell.

I just have a little piece of C to do the job:

#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>

/* Setuid root helper: chown /media/<user> to <user>:root. It runs as root on a
 * user-supplied argument, so it must not hand that argument to a shell (an
 * sprintf()+system() version could be fed "x; rm -rf /", or a name longer
 * than a fixed buffer) and must only act on a plain, existing account name. */
int main(int argc, char *argv[]) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    struct passwd *pw;
    char path[256];

    if (argc != 2 || argv[1][0] == '\0' || argv[1][0] == '.' || argv[1][strspn(argv[1], ok)] != '\0')
        return 1;                       /* rejects "", ".", "..", slashes and shell metacharacters */
    if ((pw = getpwnam(argv[1])) == NULL)
        return 1;                       /* not a real account */
    if (snprintf(path, sizeof path, "/media/%s", argv[1]) >= (int)sizeof path)
        return 1;
    if (chown(path, pw->pw_uid, 0) != 0) {   /* group 0 is root */
        perror("mediafix");
        return 1;
    }
    return 0;
}

I call this program mediafix and have installed it in /usr/local/bin

Then, in /usr/sbin/ltspfsmounter (which is a Python script, so call here is subprocess.call and the user name has to go inside the argument list), add a line saying

call(['mediafix', username])

towards the end of the main function, after the mounting has taken place.

This ensures that any time a device is mounted, the containing directory has its ownership amended, which keeps the icons hidden from other users.

Debian Lenny on a Poweredge 2600

Usually the Debian upgrade procedure is pretty straightforward, and my recent upgrade of a PowerEdge 2600 from etch to lenny was no exception. Just change the sources and do an apt-get update; aptitude dist-upgrade and answer some questions along the way.

Occasionally there's a gotcha - and this one had an issue with our LVM-based file system. Using the new kernel that comes with lenny (2.6.26), it failed to find the LVM volumes and therefore wouldn't boot.

A little googling revealed a potential solution - add the option "rootdelay=9" to the kernel boot options - and sure enough the machine was back to life.