Squash match from the SR-Mediathek

Ripping a stream from the SR-Mediathek:

Page URL
http://sr-mediathek.sr-online.de/beitrag.php?id=1540

URL from the page source:
rtmp://gffstream.fcod.llnwd.net/a792/o16/MP4:sr/media/FS/SA/sportarena_20100523_M.mp4

Command line:
./rtmpdump -r "rtmp://gffstream.fcod.llnwd.net:1935/a792/o16/sr/media/FS/SA/sportarena_20100523_M.mp4" -o sportarena_20100523_M.mp4


init.d script for bridging two network cards

This is an init.d script I wrote some time ago that creates a virtual bridge adapter bridging two NICs. Of course you will need bridge-utils installed. To enable the script, copy the code below to a file /etc/init.d/bridge and (on Debian/Ubuntu) run:

update-rc.d bridge defaults

Note that it takes 30s for the bridge to become active: each port spends the bridge's forward delay (15s by default) in the listening state and once more in the learning state before it forwards frames. If you do not run STP, brctl setfd bridge 0 removes that delay. Keep in mind that a bridge forwards every frame between the two segments at layer 2, so the host sees all traffic on both sides, and nothing on one segment is filtered from the other unless you add ebtables rules (or iptables rules with br_netfilter). brctl itself is deprecated; current iproute2 creates bridges with ip link add ... type bridge and attaches ports with ip link set ... master.


#!/bin/sh
# Script to start|stop|restart bridging of two network devices
# Written by Jochen Miroll 05/28/05

ADDRESS="10.10.0.10/24"
GATEWAY="10.10.0.1"
DEV1=eth0
DEV2=eth1
#ONSTOP is the device that gets the IP address when bridging is stopped
ONSTOP=$DEV1
BR=bridge
SYSPATH=/sys/class/net
#userspace tools
BRCTL=/usr/sbin/brctl
IP=/bin/ip

#bail out if our userspace tools are not installed
test -x $BRCTL || exit 0
test -x $IP || exit 0

case "$1" in
start)
    echo -n "Bridging $DEV1 and $DEV2: "

    #refuse to run twice or on a box that lacks one of the NICs
    if [ -d "$SYSPATH/$BR" ]; then
        echo "$BR already exists."
        exit 1
    fi
    if [ ! -d "$SYSPATH/$DEV1" ]; then
        echo "$DEV1 does not exist."
        exit 1
    fi
    if [ ! -d "$SYSPATH/$DEV2" ]; then
        echo "$DEV2 does not exist."
        exit 1
    fi

    #the physical NICs carry no address of their own once bridged
    $IP addr flush dev $DEV1
    $IP addr flush dev $DEV2
    $IP link set dev $DEV1 down
    $IP link set dev $DEV2 down
    sleep 1
    $BRCTL addbr $BR
    $BRCTL addif $BR $DEV1
    $BRCTL addif $BR $DEV2
    $IP addr add $ADDRESS brd + dev $BR
    $IP link set dev $DEV1 up
    $IP link set dev $DEV2 up
    $IP link set dev $BR up

    $IP route add default via $GATEWAY dev $BR
    echo "$BR is now $ADDRESS."
    ;;
stop)
    echo -n "Stopping bridge: "
    if [ ! -d "$SYSPATH/$BR" ]; then
        echo "$BR does not exist."
        exit 0
    fi
    if [ ! -d "$SYSPATH/$ONSTOP" ]; then
        echo "$ONSTOP does not exist."
        exit 0
    fi

    $IP link set dev $DEV1 down
    $IP link set dev $DEV2 down
    $IP link set dev $BR down
    sleep 1
    $BRCTL delif $BR $DEV1
    $BRCTL delif $BR $DEV2
    $BRCTL delbr $BR
    #hand the address (and the default route, which died with the bridge) to $ONSTOP
    $IP addr flush dev $ONSTOP
    $IP addr add $ADDRESS brd + dev $ONSTOP
    $IP link set dev $ONSTOP up
    $IP route add default via $GATEWAY dev $ONSTOP

    echo "$ONSTOP is now $ADDRESS."
    ;;
restart)
    $0 stop
    sleep 2
    $0 start
    if [ "$?" != "0" ]; then
        exit 1
    fi
    #site specific: the DHCP server listens on the bridge and has to be
    #restarted after the bridge device was recreated
    /etc/init.d/dhcp3-server restart
    ;;
*)
    echo "Usage: /etc/init.d/bridge {start|stop|restart}"
    exit 1
esac

exit 0
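The same bridge built with iproute2 instead of brctl, as an added example that is not part of the original init.d script above. A bridge created with ip link has STP off, so its ports forward immediately rather than after the 30s delay mentioned earlier. The interface names, address and gateway are placeholders; setting RUN=echo prints the commands instead of running them, which is also how you can preview the sequence without root.

```sh
#!/bin/sh
# Added example, not the original init.d script: a two-NIC bridge with iproute2.
# Interface names and addresses are placeholders (assumptions).
# RUN=echo prints each command instead of executing it.
RUN=${RUN:-}

# bridge_up_cmds BR DEV1 DEV2 ADDRESS GATEWAY: print the commands, one per line
bridge_up_cmds() {
    br=$1; d1=$2; d2=$3; addr=$4; gw=$5
    cat <<EOF
ip addr flush dev $d1
ip addr flush dev $d2
ip link add name $br type bridge
ip link set dev $d1 master $br
ip link set dev $d2 master $br
ip addr add $addr brd + dev $br
ip link set dev $d1 up
ip link set dev $d2 up
ip link set dev $br up
ip route add default via $gw dev $br
EOF
}

# bridge_down_cmds BR DEV1 DEV2 ADDRESS GATEWAY: undo it, ADDRESS goes back to DEV1
bridge_down_cmds() {
    br=$1; d1=$2; d2=$3; addr=$4; gw=$5
    cat <<EOF
ip link set dev $br down
ip link set dev $d1 nomaster
ip link set dev $d2 nomaster
ip link delete $br type bridge
ip addr flush dev $d1
ip addr add $addr brd + dev $d1
ip link set dev $d1 up
ip route add default via $gw dev $d1
EOF
}

# run_cmds: execute (or, with RUN=echo, print) each line from stdin; stop at the first failure
run_cmds() {
    while read -r cmd; do
        $RUN $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# check_ifaces BR DEV1 DEV2 ...: both NICs must exist, the bridge must not exist yet
check_ifaces() {
    [ -d "/sys/class/net/$2" ] && [ -d "/sys/class/net/$3" ] && [ ! -d "/sys/class/net/$1" ]
}

# Command-line use: ./bridge.sh start|stop [BR DEV1 DEV2 ADDRESS GATEWAY]
if [ $# -gt 0 ]; then
    action=$1; shift
    set -- "${1:-br0}" "${2:-eth0}" "${3:-eth1}" "${4:-10.10.0.10/24}" "${5:-10.10.0.1}"
    case "$action" in
        start) [ -n "$RUN" ] || check_ifaces "$@" || { echo "interface check failed" >&2; exit 1; }
               bridge_up_cmds "$@" | run_cmds ;;
        stop)  bridge_down_cmds "$@" | run_cmds ;;
        *)     echo "usage: $0 start|stop [BR DEV1 DEV2 ADDRESS GATEWAY]" >&2; exit 1 ;;
    esac
fi
```

Run it as RUN=echo ./bridge.sh start to see the exact ip commands before committing to them; without RUN the script refuses to start when one NIC is missing or the bridge already exists, the same checks the init.d script does via /sys/class/net.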


Samba authentication against Active Directory via LDAP

As usual, samba only accepts usernames that also exist in the unix password database (/etc/passwd). It is also necessary to have a dedicated "bind user" account as mentioned in my previous post. The following are the samba options that need to be tweaked. Two things to know before copying them: smb.conf does not allow a comment after a value on the same line, so the comments are on lines of their own here, and ldap user suffix / ldap group suffix are prepended to ldap suffix, so they take a partial DN (OU=company), not the full one. The password for the ldap admin dn is not in smb.conf; store it in secrets.tdb with smbpasswd -w. Be aware that ldap ssl = no sends that password and every query to the domain controller in clear, that security = server (pass-through authentication) is deprecated in later Samba releases, and that passdb:10 / auth:10 write a lot of authentication detail to the logs, so lower the log level once it works.

[global]
security = SERVER
obey pam restrictions = Yes
# not sure if really needed
password server = name_or_ip
passdb backend = ldapsam:ldap://name_or_ip
passwd program = /usr/bin/passwd %u
# set to zero if it works
log level = 3 passdb:10 auth:10 winbind:2
domain master = No
ldap admin dn = user@domain.com
ldap suffix = DC=domain,DC=com
# relative to ldap suffix
ldap user suffix = OU=company
ldap group suffix = OU=company
ldap ssl = no

If you find some redundancy you can keep it if you tell me where you found it.


HTTP authentication against Active Directory via LDAP with apache2

Used on the "free" (as in beer) side:
The LDAP server queried here is Microsoft's Active Directory (AD). AD has a peculiarity: before you can query it you have to authenticate to it (this is called a bind). So you need a user within AD with restricted rights (in particular, this user must not be able to log in or do anything else of consequence) that is used to bind to AD before the name/password combination supplied via HTTP authentication is checked. Say this user is called specialuser with the password specialpassword, the domain is domain.com and the users live in the organisational unit (OU) company; then the apache2 configuration might look as follows (the path in Location is a placeholder, Order/Allow are Apache 2.2 directives that 2.4 replaces with Require, and AuthBasicProvider ldap is needed from 2.2 on):

<Location /path/to/protect>
    AuthType Basic
    AuthBasicProvider ldap
    Order allow,deny
    Allow from all
    AuthName "Example apache2 LDAP auth with Active Directory on domain.com"
    AuthLDAPURL "ldap://name_or_ip:389/OU=company,DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "specialuser@domain.com"
    AuthLDAPBindPassword specialpassword
    Require valid-user
</Location>

Keep in mind that the special bind user is a security risk if it is not properly restricted. This configuration has two further weak spots: ldap:// on port 389 sends the bind password and every user's password to the domain controller in clear (use ldaps:// with a trusted CA certificate instead), and the bind password sits in the Apache configuration file, which therefore must not be world-readable. Also, Require valid-user accepts every account under the OU; restricting access to one AD group with Require ldap-group is usually what you actually want.
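A hardened version of that snippet next to the weak one, as an added example that is not from the original post. The script writes an Apache 2.4 configuration that uses ldaps://, pulls the bind password from a root-only helper program instead of the config file, and admits one AD group only; it also contains a small audit function that flags the three weak spots (cleartext ldap://, literal bind password, Require valid-user) in any config you point it at. The host name dc1.domain.com, the group web-users, the CA file and the password helper path are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: hardened AD/LDAP auth config plus
# an audit of an existing one. Host, group, paths and helper are placeholders.

# write_hardened_conf FILE: Apache 2.4 config with ldaps, exec: bind password, group check
write_hardened_conf() {
    cat > "$1" <<'EOF'
# server-level (outside Location): trust the AD CA and insist on a valid certificate
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-ca.pem
LDAPVerifyServerCert on

<Location /path/to/protect>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "AD login for domain.com"
    # ldaps:// so neither the bind password nor user passwords cross the wire in clear
    AuthLDAPURL "ldaps://dc1.domain.com:636/OU=company,DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "specialuser@domain.com"
    # password is read from a root-only helper at startup instead of sitting in this file
    AuthLDAPBindPassword "exec:/etc/apache2/ldap-bind-password"
    # only members of one AD group, not every account in the OU
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=web-users,OU=company,DC=domain,DC=com
</Location>
EOF
}

# write_weak_conf FILE: the snippet from the post, reconstructed so the audit has input
write_weak_conf() {
    cat > "$1" <<'EOF'
<Location /path/to/protect>
    AuthType Basic
    AuthName "Example apache2 LDAP auth with Active Directory on domain.com"
    AuthLDAPURL ldap://name_or_ip:389/OU=company,DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "specialuser@domain.com"
    AuthLDAPBindPassword specialpassword
    require valid-user
</Location>
EOF
}

# audit_ldap_conf FILE: print each finding, return 1 if there was any
audit_ldap_conf() {
    rc=0
    if grep -Eiq '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' "$1"; then
        echo "$1: AuthLDAPURL uses ldap:// without TLS"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*AuthLDAPBindPassword' "$1" &&
       ! grep -Eiq '^[[:space:]]*AuthLDAPBindPassword[[:space:]]+"?exec:' "$1"; then
        echo "$1: bind password stored literally in the config"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$1"; then
        echo "$1: any account in the search base is accepted (Require valid-user)"; rc=1
    fi
    return $rc
}

# Command-line use: ./ldap-auth.sh /etc/apache2/conf-available/ad-auth.conf
if [ $# -gt 0 ]; then
    write_hardened_conf "$1" && audit_ldap_conf "$1" && apachectl configtest
fi
```

The helper named in AuthLDAPBindPassword "exec:..." is any program that prints the password on stdout; make it mode 0700 root-owned so that the secret is readable by Apache only at startup and never by the unprivileged worker processes or anyone who can read the site config.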


Apache2 and subversion (DAV-SVN)

Insert this into your apache2 SSL config file to enable subversion. This is the simplest example with a user-defined stylesheet for the repository listing and password protection.

<Location /~joe/svn>
    DAV svn
    SVNParentPath /path/to/subversion
    SVNIndexXSLT "/~joe/svnstyle.xsl"

    AuthType Basic
    AuthName "Joe's subversion repository"
    AuthUserFile /path/to/htpasswd
    Require user joe
</Location>

The first lines enable svn via mod_dav_svn (SVNParentPath serves every repository below that directory), the last lines add authentication: Basic auth against an htpasswd file (create it with htpasswd -c), limited to the single user joe. Basic auth sends the password with every request, which is why this belongs in the SSL config and not in a plain-HTTP virtual host.


Apache2 SSL

1. Create a self-signed certificate. Older Debian apache2 packages shipped the script
apache2-ssl-certificate
for this; on current systems use make-ssl-cert from the ssl-cert package or openssl req -x509 directly. Browsers will warn about a self-signed certificate, so for anything public get one signed by a CA.

2. Create a new server configuration under apache2/sites-available. mod_ssl has to be loaded globally (a2enmod ssl, or a LoadModule line in the main configuration); LoadModule is not allowed inside a VirtualHost. The cipher string from the original post, ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL, still admits export, LOW and SSLv2 ciphers and is replaced below by a current one.
Listen 443

# NameVirtualHost *:443 is only needed for name-based vhosts on Apache 2.0/2.2; 2.4 ignores it
NameVirtualHost *:443

<VirtualHost *:443>
    DocumentRoot /var/swww

    SSLEngine on
    # TLS 1.2 and newer only, server picks the cipher, no anonymous/NULL/RC4/MD5 suites
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    # apache.pem holds key and certificate together; with separate files add SSLCertificateKeyFile
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    ErrorLog /var/log/apache2/ssl_error.log
</VirtualHost>

3. Enable the new site (a2ensite new-site-name does the same)
cd /etc/apache2/sites-enabled
ln -s ../sites-available/new-site-name


4. Restart apache2
/etc/init.d/apache2 restart


Full Nat on Linux with many connections

When you run Linux ip_conntrack (nf_conntrack on current kernels) in an environment with many users/connections, always keep an eye on syslog. The problem that turned up here was that the connection tracking table was too small. Quoted from the netfilter FAQ:

3.7 ip_conntrack: maximum limit of XXX entries exceeded

If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on your system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...).

You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!

To increase this limit to e.g. 8192, type:

echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

To optimize performance, please also raise the number of hash buckets by using the hashsize module loadtime parameter of the ip_conntrack.o module. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and esp. values of the power of two) are a bad choice.

Example (with 1023 buckets):

modprobe ip_conntrack hashsize=1023

On current kernels the knobs are net.netfilter.nf_conntrack_max (the table size) and net.netfilter.nf_conntrack_buckets, also writable as /sys/module/nf_conntrack/parameters/hashsize (the hash size); the warning against even or power-of-two bucket counts refers to the hashing of that time, current kernels use jhash with a random seed, so it no longer applies. When the table runs full the kernel logs "nf_conntrack: table full, dropping packet" (older kernels: "ip_conntrack: table full, dropping packet"), i.e. new connections are silently dropped, which looks like a network outage to the users.

Note: in a bridged configuration the table also fills with connections between other computers, because bridged frames are handed to iptables as well (net.bridge.bridge-nf-call-iptables, on by default once br_netfilter is loaded) and every one of them gets a conntrack entry. Either switch that off if you do not filter bridged traffic, or exempt the traffic you do not need to track with a rule in the raw table (-t raw -j NOTRACK, or -j CT --notrack on current kernels).
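A small watchdog for the situation described above, as an added example that is not from the original post: it reports how full the conntrack table is, returns non-zero above a threshold so it can run from cron or a monitoring agent, and counts the kernel's "table full" lines in a log using both the old ip_conntrack and the current nf_conntrack wording. The proc path, the 80% threshold and the syslog excerpt are assumptions; the excerpt is constructed, not a real log.

```sh
#!/bin/sh
# Added example, not from the original post: conntrack table watchdog.
# Current kernels keep nf_conntrack_* under /proc/sys/net/netfilter; the post's
# ip_conntrack_max lives under /proc/sys/net/ipv4 on 2.4/early 2.6 kernels.
PROC=${PROC:-/proc/sys/net/netfilter}
THRESHOLD=${THRESHOLD:-80}   # percent of the table in use that triggers a warning

# usage_pct COUNT MAX: integer percentage of the table in use
usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# table_full_events [FILE]: number of conntrack "table full" lines (file or stdin),
# matching both the old ip_conntrack and the current nf_conntrack message
table_full_events() {
    grep -Ec '(ip|nf)_conntrack: table full, dropping packet' "$@" || true
}

# check_conntrack: print the usage; return 1 above THRESHOLD, 2 if conntrack is not loaded
check_conntrack() {
    count=$(cat "$PROC/nf_conntrack_count" 2>/dev/null) || return 2
    max=$(cat "$PROC/nf_conntrack_max" 2>/dev/null) || return 2
    pct=$(usage_pct "$count" "$max") || return 2
    echo "conntrack: $count of $max entries in use (${pct}%)"
    if [ "$pct" -ge "$THRESHOLD" ]; then
        echo "warning: above ${THRESHOLD}%, raise $PROC/nf_conntrack_max (and nf_conntrack_buckets)" >&2
        return 1
    fi
    return 0
}

# sample_syslog: constructed log excerpt for a stand-alone run, not real data
sample_syslog() {
    cat <<'EOF'
May 23 10:00:01 gw kernel: nf_conntrack: table full, dropping packet
May 23 10:00:01 gw kernel: eth0: link up
May 23 10:00:02 gw kernel: nf_conntrack: table full, dropping packet
May 23 10:00:05 gw kernel: ip_conntrack: table full, dropping packet
EOF
}

# ./conntrack-check.sh demo   -> counts the sample lines, then checks the live table
if [ "${1:-}" = "demo" ]; then
    echo "table-full events in sample log: $(sample_syslog | table_full_events)"
    check_conntrack
fi
```

Raising nf_conntrack_max alone is not enough if the hash stays small; each bucket then carries a longer chain and lookups slow down under exactly the load that filled the table, so raise nf_conntrack_buckets along with it.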


Routing SSH from LAN to Dial-Up (Masquerade)

This is useful if you want to send a service like ssh over a different link (e.g. one that has lower bandwidth but better latency than your main link). Note that the MASQUERADE rule only rewrites the source address of packets that already leave through ppp0; which link a packet takes is decided by the routing table, not by the nat table. So unless ppp0 is the default route, the ssh traffic first has to be steered onto it, typically by marking it in the mangle table (-j MARK) and giving that mark its own routing table (ip rule add fwmark ... table ..., ip route add default dev ppp0 table ...). The two lines below then take care of forwarding and address rewriting:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -p tcp --dport 22 -o ppp0 -j MASQUERADE



iptables port forwarding on dial-up connection

I have done this because I wanted to host a game of Live For Speed over a DSL line. The following steps have to be applied:
  1. First enable IP forwarding (obviously)
  2. Then change the DESTINATION of packets coming in on ppp0 (DNAT in PREROUTING)
  3. The SOURCE of those packets still points to some computer on the internet, so rewrite it to this host's address (SNAT in POSTROUTING) so that the replies come back through this host; this is only needed when the server's default route does not already lead back through this host, and it means the server sees every client as this host rather than by its real address
This can be achieved with the following shell script (sh)
#!/bin/sh
IF=ppp0
IPT=iptables
IPTNAT="$IPT -t nat -A"
PORT=63392
SERVER=insert_ip_here
GW=insert_ip_here

echo "Activating forwarding... beware!"
echo "1" > /proc/sys/net/ipv4/ip_forward

# uncomment to start from an empty nat table; as written, every run of this
# script appends another copy of the rules below
#$IPT --flush -t nat

# packets coming in from $IF are routed to $SERVER
$IPTNAT PREROUTING -p tcp --dport $PORT -i $IF -j DNAT --to $SERVER:$PORT
$IPTNAT PREROUTING -p udp --dport $PORT -i $IF -j DNAT --to $SERVER:$PORT

# before leaving, those packets are modified to look as if they came
# from $GW, so the return packets from $SERVER find their way back to $GW
# (drop these two lines if $SERVER's default route already points at $GW;
# with them, $SERVER logs every client as $GW)
$IPTNAT POSTROUTING -p tcp --dport $PORT -d $SERVER -j SNAT --to $GW
$IPTNAT POSTROUTING -p udp --dport $PORT -d $SERVER -j SNAT --to $GW

# if the FORWARD chain's policy is DROP, the forwarded packets also need
# $IPT -A FORWARD -p tcp -d $SERVER --dport $PORT -j ACCEPT (and the same for udp)

$IPT -L -t nat -vn
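The same port forward written so that it can be re-run safely, as an added example that is not the script from the post: every rule is appended only if iptables -C reports it missing, so repeated runs do not stack duplicates, the FORWARD accept that a DROP-policy firewall needs is included, and the SNAT step is optional because it is only required when the game server's replies would not otherwise pass back through this host. The addresses and port are placeholders (192.0.2.0/24 is the RFC 5737 documentation range).

```sh
#!/bin/sh
# Added example, not the post's script: idempotent DNAT port forward.
# Interface, port and addresses are placeholders (assumptions).
IF=${IF:-ppp0}
PORT=${PORT:-63392}
SERVER=${SERVER:-192.0.2.10}   # RFC 5737 documentation address, replace
GW=${GW:-192.0.2.1}            # this host's LAN address, replace
SNAT=${SNAT:-yes}              # "no" if $SERVER routes its replies through this host anyway
IPT=${IPT:-iptables}

# forward_rules: print "TABLE CHAIN RULE..." lines for tcp and udp
forward_rules() {
    for proto in tcp udp; do
        # rewrite the destination of packets arriving on $IF for $PORT
        echo "nat PREROUTING -i $IF -p $proto --dport $PORT -j DNAT --to-destination $SERVER:$PORT"
        # let the rewritten packets through a FORWARD chain whose policy is DROP
        echo "filter FORWARD -i $IF -p $proto -d $SERVER --dport $PORT -j ACCEPT"
        # only when $SERVER would otherwise send replies elsewhere; hides the real client address
        if [ "$SNAT" = yes ]; then
            echo "nat POSTROUTING -p $proto -d $SERVER --dport $PORT -j SNAT --to-source $GW"
        fi
    done
}

# ensure_rule TABLE CHAIN RULE...: append the rule only if it is not already present
ensure_rule() {
    table=$1; chain=$2; shift 2
    if $IPT -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: $table $chain $*"
    else
        $IPT -t "$table" -A "$chain" "$@" && echo "added: $table $chain $*"
    fi
}

# apply_forward: install every rule from forward_rules, stop at the first failure
apply_forward() {
    forward_rules | while read -r table chain rule; do
        ensure_rule "$table" "$chain" $rule || exit 1
    done
}

# ./portfwd.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_forward && $IPT -t nat -L -vn
fi
```

Set IPT to a wrapper (or to echo) to see what would be run; the rule text printed by forward_rules is exactly what ensure_rule passes to iptables, so you can compare it line by line with iptables -S before applying it on the live gateway.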




This page is powered by Blogger. Isn't yours?