Translate Domain Name via VPN

Server Side:

1. Install dnsmasq

2. setup tcp tunnel of openvpn

3. iptables -t nat -I POSTROUTING -s 10.x.x.x/24 -j SNAT –to x.x.x.x

Client Side:

1. Add DNSMASQ_OPTS=”–clear-on-reload” to /etc/default/dnsmasq

2. setup tcp tunnel client of openvpn

3. Add 0 5 * * * lynx -source https://smarthosts.googlecode.com/svn/trunk/dnsmasq.conf | grep address | awk -F / {‘print “server=/”$2″/10.9.0.1″‘} > /etc/dnsmasq.d/smart_host_domain;; /etc/init.d/dnsmasq restart to crontab

4. Modify /etc/resolv.conf to use “nameserver 127.0.0.1” only

Route https packets to VPN 2

ip route add default dev tun0 table 200
ip rule add fwmark 0×45 table 200
iptables -A INPUT -i tun0 -j ACCEPT

iptables -t nat -I POSTROUTING -o tun0 -j SNAT –to 10.8.0.6
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

# Add the marked packets
iptables -t mangle -I PREROUTING -p tcp –dport 443 -j MARK –set-mark 0×45
iptables -t mangle -I OUTPUT -s 10.8.0.6 -j MARK –set-mark 0×45

# Delete the marked packets

iptables -t mangle -D OUTPUT -p tcp –dport 443 -j MARK –set-mark 0×45
iptables -t mangle -D OUTPUT -s 10.8.0.6 -j MARK –set-mark 0×45

# re-enable ALL source-address verification filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i; done

Redirect 443 packets to VPN channel

  1. #!/sbin/runscript
  2. # Distributed under the terms of the GNU General Public License v2
  3. IFACE=$(netstat -rn | grep UG | awk ’NR==1{print($8)}’)
  4. ITUN=”tun0″
  5. TBL=”VPN1″
  6. depend() {
  7.         use dnsmasq
  8. }
  9. start() {
  10.         # starting openVPN
  11.         /etc/init.d/openvpn.vpn1 start
  12.         # wait until VPN is fully operationnal [ route is built ]
  13.         while [ -z "$(route -n | awk '/'"$ITUN"'/&&/255/ {print($1)}')" ]; do sleep .25; done
  14.         # getting our VPN IP, range & mask
  15.         ITUNADDR=$(ifconfig $ITUN | awk ’/dr:/ { gsub(/.*:/,”",$2); print($2); }’)
  16.         TUNRANGE=$(route -n | awk ’/tun0/ && /255/ {print($1)}’)
  17.         TUNMASK=$(route -n | awk ’/tun0/ && /255/ {print($3)}’)
  18.         # adding $TBL table if necessary
  19.         if [ ! -n "$(grep "200 $TBL" /etc/iproute2/rt_tables)" ]; then
  20.                 echo ”200 $TBL” >> /etc/iproute2/rt_tables
  21.         fi
  22.         # re-add standard nameserver
  23.         echo ”nameserver 127.0.0.1″ > /etc/resolv.conf
  24.         # making route to VPN
  25.         ip route add default dev $ITUN table $TBL
  26.         # marked packets follows VPN route
  27.         ip rule add fwmark 0×45 table $TBL
  28.         # accept packets from VPN
  29.         iptables -A INPUT -i $ITUN -j ACCEPT
  30.         # some services are marked to follow the route
  31.         iptables -t mangle -A OUTPUT -p udp –dport 53 -j MARK –set-mark 0×45
  32.         iptables -t mangle -A OUTPUT -p tcp –dport 443 -j MARK –set-mark 0×45
  33.         iptables -t mangle -A OUTPUT -p tcp –dport 8080 -j MARK –set-mark 0×45
  34.         # binding tun’s ip to tun’s interface
  35.         iptables -t nat -A POSTROUTING -o $ITUN -j SNAT –to $ITUNADDR
  36.         # force output packets (from VPN) to go out through VPN too
  37.         iptables -t mangle -A OUTPUT -s $ITUNADDR -j MARK –set-mark 0×45
  38.         # disable ALL source-address verification filtering
  39.         for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i; done
  40. }
  41. stop() {
  42.         # getting our VPN IP, range & mask
  43.         #ITUNADDR=$(ifconfig $ITUN | awk ‘NR==2{print $2}’ | sed ‘s/adr://g’)
  44.         ITUNADDR=$(ifconfig $ITUN | awk ’/dr:/ { gsub(/.*:/,”",$2); print($2); }’)
  45.         TUNRANGE=$(route -n | awk ’/tun0/ && /255/ {print($1)}’)
  46.         TUNMASK=$(route -n | awk ’/tun0/ && /255/ {print($3)}’)
  47.         # stoping openVPN
  48.         /etc/init.d/openvpn.vpn1 stop
  49.         # removing VPN route if is present
  50.         if [ ! -z "$(route -n | awk '/'"$ITUN"'/&&/255/ {print($1)}')" ]; then
  51.                 ip route del default dev $ITUN table $TBL
  52.         fi
  53.         # remove route for marked packets
  54.         ip rule del fwmark 0×45 table $TBL
  55.         # remove accept packets from VPN
  56.         iptables -D INPUT -i $ITUN -j ACCEPT
  57.         # remove iptables packet marking
  58.         iptables -t mangle -D OUTPUT -p udp –dport 53 -j MARK –set-mark 0×45
  59.         iptables -t mangle -D OUTPUT -p tcp –dport 443 -j MARK –set-mark 0×45
  60.         iptables -t mangle -D OUTPUT -p tcp –dport 8080 -j MARK –set-mark 0×45
  61.         # removing binding
  62.         iptables -t nat -D POSTROUTING -o $ITUN -j SNAT –to $ITUNADDR
  63.         # remove output packets to go out throuth VPN
  64.         iptables -t mangle -D OUTPUT -s $ITUNADDR -j MARK –set-mark 0×45
  65.         # re-enable ALL source-address verification filtering
  66.         for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $i; done
  67.         #echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  68. }

Redirect traffic from one interface to another

VPS (10.8.0.0/24) <——> (tun0) Server (ppp1) <——> iPhone (172.16.31.0/24)

iptables -A INPUT -p tcp –dport 109 -j ACCEPT

iptables -A INPUT -i ppp1 -j ACCEPT
iptables -A FORWARD -i ppp1 -j ACCEPT
iptables -A FORWARD -o ppp1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 172.16.31.0/24 -o ppp0 -j MASQUERADE
ip route add default dev tun0 table 200
ip rule add priority 100 from 172.16.31.0/24 table 200

iptables -t nat -I POSTROUTING -o tun0 -j SNAT –to 10.8.0.6

Reference: http://forums.gentoo.org/viewtopic-t-843591.html

Execute Perl scripts as root (Method 2)

1. Download exec-wrapper at http://code.google.com/p/exec-wrapper/downloads/detail?name=exec-wrapper-1.0.1.tar.bz2 or  http://hkvms.com/~alfred/exec-wrapper.tar.xz

Then you need to tweak the Perl scripts a little to avaoid warnings. If you are using the suidperl program you should replace #!/usr/bin/perl with the suidperl program (i.e. #!/usr/bin/suidperl) and use -U tag to execute unsafe commands.

#!/usr/bin/perl -wU

system(“/sbin/iptables”, “-L”);

And finally, you need to set the suid bit and change permissions of commands such as poff, pon, squid and cp to allow the CGI script to be executed as root.

# chown root:root <command name>
# chmod ug+s <command name>
# chmod a+x <command name>

Setting up a Rails Email Server

1. Download rvm.tar.xz from http://hkvms.com/~alfred/rvm.tar.xz

2. Download hkuso.tar.xz from http://hkvms.com/~alfred/hkuso.tar.xz

2. cd /usr/local

3. tar Jxvf /tmp/rvm.tar.xz

4. unzip hkuso.tar.xz to /home

5. gem uninstall rails “>3.2″

6. apt-get install libmysqlclient-dev

7. apt-get install postfix

8. source /usr/local/rvm/scripts/rvm and add source /usr/local/rvm/scripts/rvm ~/.bashrc

9. rvm requirements

/usr/bin/apt-get install build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev automake libtool bison subversion pkg-config

10. rvm reinstall 1.9.3

11. apt-get install vrfy

12. modify from email in /home/hkuso/mail3/app/models/mailer1.rb

13. add info: root into /etc/aliases

14. add LANG=”en_US.UTF-8″ into /etc/default/locale

15. locale-gen en_US.UTF-8

16. type command vigr and then add rvm:x:1000:

17. type command vigr -s and then add rvm:!::