Nice aliases for working with iptables

Posted by sam Fri, 20 Nov 2009 15:54:00 GMT

I’ve been using a couple of nice shell aliases when working with ad-hoc iptables rules. You can spruce them up as a batch file, but they’re fine for me as a quick and dirty way to manipulate rules.

alias ips="/sbin/iptables --line-numbers -vn -L INPUT | grep -i"
alias ipd="/sbin/iptables -D INPUT"

That’s all there is to it. You can then interrogate almost any aspect of the default INPUT filter with:

ips icmp
ips 10.64.0
ips drop

to view all ICMP rules, any rules relating to the 10.64.0 subnet, or all rules that drop packets.

The way I use these together, and the reason that `ips` includes the `--line-numbers` argument, is that I like to add rules and then easily delete them with:

# ips 192
30       0     0 DROP       all  --  *      *       192.0.2.0/24         0.0.0.0/0
# ipd 30

using the rule number as an easier way of deleting the rule without having to conjure up a matching rule specification.
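A safer variant of the `ips`/`ipd` pairing, added here as an example and not code from the original post: it resolves a grep pattern to a rule number and refuses to delete when the pattern matches more than one rule, which is the easy mistake with a loose pattern such as `drop`. The listing is a constructed sample and `ipd_safe` is a hypothetical wrapper name.

```shell
# Constructed sample of `/sbin/iptables --line-numbers -vn -L INPUT` output (not real rules)
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       all  --  *      *       192.0.2.0/24         0.0.0.0/0
3        4   240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       all  --  *      *       198.51.100.0/24      0.0.0.0/0'

# Like `ips`, but print only the rule numbers whose line matches PATTERN
# (case-insensitive); the chain header and column header never start with a number.
rule_numbers() {
  grep -i -- "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }'
}

# Resolve PATTERN to exactly one rule number in LISTING.
# Exit 1 if nothing matches, 2 if the pattern is ambiguous (more than one rule).
unique_rule_number() {
  listing=$1 pattern=$2
  nums=$(printf '%s\n' "$listing" | rule_numbers "$pattern")
  count=$(printf '%s\n' "$nums" | grep -c .)
  case $count in
    1) printf '%s\n' "$nums" ;;
    0) echo "no INPUT rule matches '$pattern'" >&2; return 1 ;;
    *) echo "$count INPUT rules match '$pattern' (numbers: $(echo $nums)); refine it" >&2; return 2 ;;
  esac
}

# Hypothetical safer `ipd`: delete by pattern, but only when the match is unambiguous.
# Rule numbers are reassigned after every delete, so the listing is taken fresh each call.
ipd_safe() {
  listing=$(/sbin/iptables --line-numbers -vn -L INPUT) || return 1
  num=$(unique_rule_number "$listing" "$1") || return $?
  /sbin/iptables -D INPUT "$num"
}

# Offline demonstration against the constructed listing
unique_rule_number "$SAMPLE_LISTING" 192.0.2                      # prints 2
unique_rule_number "$SAMPLE_LISTING" drop || echo "refused, status $?"   # rules 2 and 4 both match
```

Because numbers shift after each deletion, always run `ips` again before the next `ipd` rather than reusing numbers from an earlier listing.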

Building and installing mod_proxy_html and mod_xml2enc

Posted by sam Tue, 17 Nov 2009 16:01:00 GMT

Introduction

The mod_proxy_html module from Webthing is to the body of an HTTP request what mod_proxy is to the headers. It is especially useful for frigging with the output of a site or application that is being proxied and has made the interesting decision to use absolute rather than relative URLs in its output and links. Of course, if you are proxying, say, an internal application to the outside world, your internal DNS namespace is not going to be resolvable to visitors, and the links will not work.

For the uninitiated, the mod_proxy_html homepage doesn’t give much clue about how to build and install the module. Here is a quick, platform-independent guide.

Assumptions

  • You have a working build environment (`which gcc`, `which make`, etc.)
  • You have libxml2 and libxml2-devel installed, and the includes are present in /usr/include/libxml2
  • You are using Apache 2.x and its base directory is /usr/local/apache
  • You have unpacked the source into /usr/local/src/mod_proxy_html, and the two mod_xml2enc source files into /usr/local/src/mod_xml2enc [1][2].

Satisfying Dependencies

The module mod_xml2enc is required to build mod_proxy_html. You don’t have to use this module if you only want to parse ASCII, but it’ll log an annoying message on every restart if you don’t. Given both of these things you may as well build it and use it.

Building mod_xml2enc

Within /usr/local/apache/bin execute the command:

./apxs -aic -I/usr/include/libxml2 /usr/local/src/mod_xml2enc/mod_xml2enc.c

The ‘c’ option actually does the compiling, whilst ‘a’ activates the module by placing the configuration directive into your httpd.conf file, and ‘i’ installs the compiled DSO into your Apache’s ‘modules’ subdirectory. As we’ll see in a minute, just loading the modules with ‘LoadModule’ (as added by the ‘a’ option) isn’t enough to get going.

Providing you see no error messages you’re good to go.

Building mod_proxy_html

Within /usr/local/apache/bin execute the command:

./apxs -aic -I/usr/include/libxml2 -I/usr/local/src/mod_xml2enc /usr/local/src/mod_proxy_html/mod_proxy_html.c

Again, all being well, you’ll have the module compiled, installed and activated. Notice how we need to include the mod_xml2enc directory too; it’s not a typo. However, do not restart your Apache instance just yet.

Loading libxml2 into Apache

Before you restart your Apache instance, as is good practice, test the syntax with the httpd -t command:

# /usr/local/apache/bin/httpd -t
httpd: Syntax error on line 56 of /usr/local/www1/conf/httpd.conf: Cannot load /usr/local/www1/modules/mod_proxy_html.so into server: ld.so.1: httpd: fatal: relocation error: file /usr/local/www1/modules/mod_proxy_html.so: symbol htmlFreeParserCtxt: referenced symbol not found

This is because you need to also load the libxml2.so file into Apache. To do this, open up /usr/local/apache/conf/httpd.conf and locate the two LoadModule lines added by apxs:

LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so

Immediately before the first of these two lines, add:

LoadFile /usr/lib/libxml2.so

Test as before:

/usr/local/apache/bin/httpd -t
Syntax OK

You can now restart your Apache and follow the guides on the site on using the module.
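The whole procedure above as one script, added here as an example and not code from the post or the mod_proxy_html project: the two apxs builds, an idempotent insertion of the LoadFile line in front of the first of the two LoadModule lines, and the syntax check before any restart. Paths follow the post’s assumptions; `insert_loadfile` and `build_and_install` are hypothetical names, and the httpd.conf excerpt is constructed.

```shell
#!/bin/sh
# Paths follow the post's assumptions; override via the environment if yours differ.
APACHE=${APACHE:-/usr/local/apache}
LIBXML_INC=${LIBXML_INC:-/usr/include/libxml2}
SRC=${SRC:-/usr/local/src}
LIBXML_SO=${LIBXML_SO:-/usr/lib/libxml2.so}

# Read httpd.conf on stdin and write it to stdout with "LoadFile <lib>" inserted
# immediately before the first LoadModule line for proxy_html_module or
# xml2enc_module. Idempotent: if that LoadFile line is already present, nothing changes.
insert_loadfile() {
  awk -v lib="$1" '
    $1 == "LoadFile" && $2 == lib { have = 1 }
    { line[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        if (!have && !done && line[i] ~ /^[ \t]*LoadModule[ \t]+(proxy_html|xml2enc)_module[ \t]/) {
          print "LoadFile " lib
          done = 1
        }
        print line[i]
      }
    }'
}

# The full build: compile (-c), install (-i) and activate (-a) both modules,
# add the LoadFile line, then run the syntax check. Never restart on a failed check.
build_and_install() {
  apxs="$APACHE/bin/apxs"; conf="$APACHE/conf/httpd.conf"
  "$apxs" -aic -I"$LIBXML_INC" "$SRC/mod_xml2enc/mod_xml2enc.c" || return 1
  "$apxs" -aic -I"$LIBXML_INC" -I"$SRC/mod_xml2enc" \
      "$SRC/mod_proxy_html/mod_proxy_html.c" || return 1
  cp "$conf" "$conf.bak" || return 1          # keep the pre-edit config
  insert_loadfile "$LIBXML_SO" < "$conf.bak" > "$conf" || return 1
  "$APACHE/bin/httpd" -t
}

# Constructed httpd.conf excerpt, as apxs -a leaves it, for an offline check of the edit
SAMPLE_CONF='ServerRoot "/usr/local/apache"
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
Listen 80'
printf '%s\n' "$SAMPLE_CONF" | insert_loadfile "$LIBXML_SO"
```

Run `build_and_install` on the real host; the tail of the script only exercises the config edit against the constructed excerpt.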

Nothing works! - "No links configured: nothing for proxy-html filter to do"

If nothing seems to be rewritten on your site, try altering the LogLevel statement in your httpd.conf to ‘info’. If you then start seeing the above message in your logs you’d do well to take a look at this site, which will explain exactly why. Suffice to say, documentation in general is lacking for this module.

Openfire XMPP/Jabber Server with LDAP Authentication

Posted by sam Fri, 13 Nov 2009 12:28:00 GMT

Some quick notes on deploying the very impressive Openfire XMPP/Jabber server from Ignite Realtime/Jive Software.

If, like me, you’re primarily of a UNIX bent and have so far managed to successfully avoid LDAP in any detail, you might want to download the trial version of LDAP Administrator from Softerra if you intend on getting your installation talking to a Microsoft Active Directory. The Openfire LDAP configuration procedure needs a couple of DNs to enable it to query the domain, and to locate the users. In theory, the DN is a simple little string. In the reality of an actual-live-working-I’ve-seen-two-admin-teams-come-and-go AD it’s often not. In my opinion Softerra’s tool is what the Microsoft AD tools should have been.

In terms of plugins, I think the Jive Software Monitoring Service plugin along with the built-in logging is almost mandatory in any company working at a level above informal/start-up. I’m very impressed with the ability to export a chat session, highlighted properly, as a PDF with all of the important information easily found. You really should take a look, even for the purposes of your own archives on a private server.

Finally, if you’re using the latest Ubuntu 9.10 release with the Empathy IM client, keep an eye on the various bug reports that are currently circulating, suggesting that the Empathy client causes a heap consuming memory leak in Openfire.
