Squash-Beitrag aus der SR-Mediathek
URL der Seite
http://sr-mediathek.sr-online.de/beitrag.php?id=1540
URL aus Quelltext:
rtmp://gffstream.fcod.llnwd.net/a792/o16/MP4:sr/media/FS/SA/sportarena_20100523_M.mp4
Kommandozeile:
./rtmpdump -r "rtmp://gffstream.fcod.llnwd.net:1935/a792/o16/sr/media/FS/SA/sportarena_20100523_M.mp4" -o sportarena_20100523_M.mp4
init.d script for bridging two network cards
update-rc.d bridge defaults
Note that it takes 30s for the bridge to become active.
#!/bin/sh
# Script to start|stop|restart bridging of two network devices
# Written by Jochen Miroll 05/28/05
ADDRESS="10.10.0.10/24"
GATEWAY="10.10.0.1"
DEV1=eth0
DEV2=eth1
#ONSTOP is the device that gets the IP address when bridging is stopped
ONSTOP=$DEV1
BR=bridge
SYSPATH=/sys/class/net
#userspace tools
BRCTL=/usr/sbin/brctl
IP=/bin/ip
#bail out if our userspace tools are not installed
test -f $BRTCL || exit 0
test -f $IP || exit 0
case "$1" in
start)
echo -n "Bridging $DEV1 and $DEV2: "
if [ -d "$SYSPATH/$BR" ]; then
echo "$BR already exists."
exit 1
fi
if [ ! -d "$SYSPATH/$DEV1" ]; then
echo "$DEV1 does not exist."
exit 1
fi
if [ ! -d "$SYSPATH/$DEV2" ]; then
echo "$DEV2 does not exist."
exit 1
fi
$IP addr flush dev $DEV1
$IP addr flush dev $DEV2
$IP link set dev $DEV1 down
$IP link set dev $DEV2 down
sleep 1
$BRCTL addbr $BR
$BRCTL addif $BR $DEV1
$BRCTL addif $BR $DEV2
$IP addr add $ADDRESS brd + dev $BR
$IP link set dev $DEV1 up
$IP link set dev $DEV2 up
$IP link set dev $BR up
route add default gw $GATEWAY dev $BR
echo "$BR is now $ADDRESS."
;;
stop)
echo -n "Stopping bridge: "
if [ ! -d "$SYSPATH/$BR" ]; then
echo "$BR does not exist."
exit 0
fi
if [ ! -d "$SYSPATH/$ONSTOP" ]; then
echo "$ONSTOP does not exist."
exit 0
fi
$IP link set dev $DEV1 down
$IP link set dev $DEV2 down
$IP link set dev $BR down
sleep 1
$BRCTL delif $BR $DEV1
$BRCTL delif $BR $DEV2
$BRCTL delbr $BR
$IP addr flush dev $ONSTOP
$IP addr add $ADDRESS brd + dev $ONSTOP
$IP link set dev $ONSTOP up
echo "$ONSTOP is now $ADDRESS."
;;
restart)
$0 stop
sleep 2
$0 start
if [ "$?" != "0" ]; then
exit 1
fi
/etc/init.d/dhcp3-server restart
;;
*)
echo "Usage: /etc/init.d/bridge {start|stop|restart}"
exit 1
esac
exit 0
Samba authentication against Active Directory via LDAP
[global]
security = SERVER
obey pam restrictions = Yes
password server = name_or_ip # not sure if really needed
passdb backend = ldapsam:ldap://name_or_ip
passwd program = /usr/bin/passwd %u
log level = 3 passdb:10 auth:10 winbind:2 # set to zero if it works
domain master = No
ldap admin dn = user@domain.com
ldap group suffix = OU=company,DC=domain,DC=com
ldap suffix = DC=domain,DC=com
ldap ssl = no
ldap user suffix = OU=company,DC=domain,DC=com
If you find some redundancy you can keep it if you tell me where you found it.
HTTP authentication against Active Directory via LDAP with apache2
- debian testing (sarge)
- apache2
specialuserwith the password
specialpasswordand the domain that is considered is called
domain.comwhile the users are stored in the organisational unit (OU)
companythen the apache2 configuration might look as follows:
<location>Keep in mind that the special bind user can introduce a security risk if not properly restricted!
AuthType Basic
order allow,deny
allow from all
AuthName "Example apache2 LDAP auth with Active Directory on domain.com"
AuthLDAPURL ldap://name_or_ip:389/OU=company,DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN "specialuser@domain.com"
AuthLDAPBindPassword specialpassword
require valid-user
</location>
Apache2 and subversion (DAV-SVN)
<Location /~joe/svn>
DAV svn
SVNParentPath /path/to/subversion
SVNIndexXSLT "/~joe/svnstyle.xsl"
AuthType Basic
AuthName "Joe's subversion repository"
AuthUserFile /path/to/htpasswd
Require user joe
</Location>
The code is pretty self-explanatory. First lines enable svn, last lines enable security.
Apache2 SSL
apache2-ssl-certificate
2. Create a new server configuration under apache2/sites-available
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
DocumentRoot /var/swww
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/apache.pem
ErrorLog /var/log/apache2/ssl_error.log
</VirtualHost>
3. Enable the new site
cd /etc/apache2/sites-enabled
ln -s ../sites-available/new-site-name
4. Restart apache2
/etc/init.d/apache2 restart
Full Nat on Linux with many connections
3.7 ip_conntrack: maximum limit of XXX entries exceeded
If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on you system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...).
You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!
To increase this limit to e.g. 8192, type:
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
To optimize performance, please also raise the number of hash buckets by using the
hashsize
module loadtime parameter of theip_conntrack.o
module. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and esp. values of the power of two) are a bad choice.Example (with 1023 buckets):
modprobe ip_conntrack hashsize=1023
Note: the conntrack table gets congested by connections between other computers when the lan interface is in promiscuous mode (e.g. in a bridged configuration). Apply a filter.
Routing SSH from LAN to Dial-Up (Masquerade)
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -p tcp --dport 22 -o ppp0 -j MASQUERADE
iptables port forwarding on dial-up connection
- First thing to do is to enable IP-forwarding (obviously)
- Then we change the DESTINATION of packets coming in on ppp0
- Still the SOURCE of those packets points to some computer on the internet
#!/bin/sh
IF=ppp0
IPT=iptables
IPTNAT="$IPT -t nat -A"
PORT=63392
SERVER=insert_ip_here
GW=insert_ip_here
echo "Activating forwarding... beware!"
echo "1" > /proc/sys/net/ipv4/ip_forward
#$IPT --flush -t nat
# packets coming in from $IF are routed to $SERVER
$IPTNAT PREROUTING -p tcp --dport $PORT -i $IF -j DNAT --to $SERVER:$PORT
$IPTNAT PREROUTING -p udp --dport $PORT -i $IF -j DNAT --to $SERVER:$PORT
# before leaving those packets are modified to look as if they came
# from $GW, so the return packets from $SERVER find their way back to $GW
$IPTNAT POSTROUTING -p tcp --dport $PORT -d $SERVER -j SNAT --to $GW
$IPTNAT POSTROUTING -p udp --dport $PORT -d $SERVER -j SNAT --to $GW
$IPT -L -t nat -vn