William's random thoughts

General thoughts related to my various projects

Mon, 09 Apr 2012

How to make dhclient give the current hostname to the dhcp server automatically on Debian Squeeze


I recently started working on generating a headless squeeze and wheezy image for the Efika MX Smart Top, similar to my headless maverick image.

I ran into a problem though: dhclient does not send the machine's hostname by default. Even worse, on Squeeze dhclient has no config directive that will use the system's current hostname.

Thankfully, testing and unstable use a version of dhclient that has the gethostname() function implemented. In order to use this feature on wheezy/sid just add send host-name = gethostname(); to the /etc/dhcp/dhclient.conf file.

If you want to do the same thing in Squeeze please read on.

Using a hook to re-generate dhclient.conf

In order to make things work on squeeze I made the following hook


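#!/bin/sh
# Regenerate dhclient.conf from dhclient.conf.template with the current hostname.
HOSTNAME=`/bin/hostname`
export HOSTNAME
rm -f /etc/dhcp/dhclient.tmp
# Wrap the template in a here-document so the shell expands $HOSTNAME in it.
# Everything else in the template that looks like shell is expanded too.
echo "cat >/etc/dhcp/dhclient.conf <<EOF" >/etc/dhcp/dhclient.tmp
cat /etc/dhcp/dhclient.conf.template >>/etc/dhcp/dhclient.tmp
echo EOF >>/etc/dhcp/dhclient.tmp
# Run the generated script, which writes the new dhclient.conf.
sh /etc/dhcp/dhclient.tmp >/etc/dhcp/dhclient.conf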

In order to use that hook you will want to move dhclient.conf to dhclient.conf.template and then add a line that looks like send host-name "$HOSTNAME"; to that file.

Once that is done just add the hook listed above as a file called update inside of /etc/dhcp/dhclient-enter-hooks.d/ and it should start sending out your configured hostname in all dhcp lease requests from now on.
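
Because the hook feeds the whole template through sh as a here-document, anything in dhclient.conf.template that looks like shell (command substitutions, backticks, other $variables) is evaluated as root every time the hook runs. The following is an added example, not the hook from this post: it replaces only the literal $HOSTNAME token and refuses hostnames containing anything but letters, digits, dots and hyphens. The function name render_dhclient_conf, the rdc_ variables and the sample template are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the hook from the post: fill in the template without
# running it through the shell. Only the literal token $HOSTNAME is replaced.
# Usage: render_dhclient_conf TEMPLATE OUTPUT [NAME]  (NAME defaults to hostname)
render_dhclient_conf() {
    rdc_template=$1
    rdc_output=$2
    rdc_host=${3:-$(hostname)}
    # Allow only letters, digits, dots and hyphens, so the value cannot close
    # the quoted string in dhclient.conf or act as a sed metacharacter.
    case $rdc_host in
        '' | -* | *[!A-Za-z0-9.-]*)
            echo "render_dhclient_conf: refusing hostname '$rdc_host'" >&2
            return 1 ;;
    esac
    [ "${#rdc_host}" -le 253 ] || return 1
    # Write next to the target and rename, so a reader never sees half a file.
    rdc_tmp=$(mktemp "$rdc_output.XXXXXX") || return 1
    if sed 's/\$HOSTNAME/'"$rdc_host"'/g' "$rdc_template" >"$rdc_tmp"; then
        chmod 644 "$rdc_tmp" && mv "$rdc_tmp" "$rdc_output"
    else
        rm -f "$rdc_tmp"
        return 1
    fi
}

# Constructed template: the comment line would be expanded by the
# here-document approach; here it must come through unchanged.
sample_template() {
    cat <<'EOF'
send host-name "$HOSTNAME";
# lease note: $(date) and `uname -n` are not shell here
request subnet-mask, routers, domain-name-servers;
EOF
}

# In the hook (paths as used in the post):
# render_dhclient_conf /etc/dhcp/dhclient.conf.template /etc/dhcp/dhclient.conf
```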

[/debian] permanent link RSS feed


Sat, 25 Feb 2012

An update to the ip6tables rules


I recently found out that I was screwing up outbound IPv6 connections from the gateway host itself. Also I was just dropping packets instead of sending a reset back for closed ports. This new rules6 file should fix that.

The changed bits are in bold.

/etc/iptables/rules6:


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#INPUT Chain
-A INPUT -p ipv6-icmp -j ACCEPT 
-A INPUT -i he-ipv6 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth0 -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A INPUT -m rt --rt-type 0 -j DROP 
-A INPUT -s fe80::/10 -j ACCEPT 
-A INPUT -s <Put your ULA here or just delete this part>/64 -j ACCEPT 
-A INPUT -d ff00::/8 -j ACCEPT 
-A INPUT -j REJECT
##Put all rules here for opening services on the firewall itself rather than 
##for other hosts on the internal network.
#Allow Web requests for HE.net certification tests.
#-A INPUT -d 2001:DB8:4242:93:: -i he-ipv6 -p tcp -m tcp --dport 80 -j ACCEPT
#All firewall/routing stuff goes here
#Don't use these rules to open ports on the local machine!
-A FORWARD -p ipv6-icmp -j ACCEPT 
#Reject source routing.
-A FORWARD -m rt --rt-type 0 -j DROP 
#Next two lines allow stateful filtering for anything thats started from inside our network
-A FORWARD -s 2001:DB8:4242:93::/64 -i eth1 -o he-ipv6 -m state --state NEW -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
#I don't think this one is needed
#-A FORWARD -i eth1 -o he-ipv6 -p icmpv6 -j ACCEPT
#Add anything here you want to allow through to various ports
#-A FORWARD -d 2001:DB8:4242:93::/64 -i he-ipv6 -p tcp -m tcp --dport 22 -j ACCEPT 
#-A FORWARD -d 2001:DB8:4242:93::/64 -i he-ipv6 -p tcp -m tcp --dport 33600:33604 -j ACCEPT 
#Log all dropped packets.
-A FORWARD -j LOG
-A FORWARD -j REJECT
#Output chain
-A OUTPUT -p ipv6-icmp -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -o he-ipv6 -j ACCEPT 
-A OUTPUT -o eth1 -j ACCEPT 
-A OUTPUT -m rt --rt-type 0 -j DROP 
-A OUTPUT -s fe80::/10 -j ACCEPT 
-A OUTPUT -s <Put your ULA here or just delete this part>/64 -j ACCEPT 
-A OUTPUT -d ff00::/8 -j ACCEPT 
COMMIT



Sat, 18 Feb 2012

Quick update on my last blog post.


I just got done adding some minor changes to the last post on setting up IPv6 on your LAN.

I also discovered today that using multicast DNS to look up link-local IPv6 addresses is broken on Linux because libnss-mdns does not implement the correct NSS callbacks needed to give a scope ID back for a link local IPv6 address.

See: http://www.avahi.org/ticket/174 and http://ensiwiki.ensimag.fr/index.php/Fixing_nss-mdns_for_IPv6_linklocal_scoped_addresses for details.

In the meantime I would recommend setting up radvd to set up a unique local address prefix, even if you don't connect out to the IPv6 internet. It's not a big deal since nearly everyone (including myself) uses IPv4 on their LAN anyway, but if you are testing a V6 only LAN and want it to be fully zero-conf capable this is a bit of a problem.

I've looked at glibc and the two URLs up above and I might see about making a patch for libnss-mdns and sending it in to the libnss-mdns maintainers. I don't know when I will have time for this though. This already works on MacOS X and FreeBSD (at least as far as I could find out researching this problem).

One of the edits I made to my original post is changing radvd.conf to advertise the unique local address prefix with an infinite lifetime. This will have the effect of causing (at least as far as I've been able to test on Linux anyway) the ULA address to be the primary address on each computer's interface, and also ensuring that the ULA will never expire even if the v6 router goes down. This should cause all zeroconf .local addresses to resolve to the ULA address and keep the ULA addresses more reliable than the global prefix (which will expire and disappear off the interfaces after it hasn't been advertised in a while).



Wed, 15 Feb 2012

Setting up IPV6 on your LAN with Debian squeeze


I've been experimenting with IPv6 recently since ARIN has run out of IPv4 addresses and the RIRs will likely run out of their addresses rather soon.

I've made it my New Year's resolution to get my local network and my web/email services up and running on IPv6 by the end of the year. In order to get IPv6 connectivity up and also learn about IPv6 at the same time I've taken advantage of Hurricane Electric's free IPv6 certification program and tunnel broker service.

This blog is a short guide to setting up IPv6 on your own LAN using a Debian box as a router. (It should work on just about any Linux box out there)

Some notes before we begin

All of the addresses shown here are RFC3849 addresses that are meant for documentation only. Please use the actual addresses assigned to you, or in the case of the ULA address (should you decide to use a ULA at all) go use the tool at http://www.sixxs.net/tools/grh/ula/ to generate your own.

Enabling IPv6 on your LAN

If you are running Linux or a version of Windows newer than XP, you are already running IPv6 with a link-local address space out of the box.

You still might want to install a couple of useful services though.

Multicast DNS

If you don't already have avahi-daemon installed go ahead and install it with apt-get install avahi-daemon. This should pull in everything you need to resolve local machines on your LAN as hostname.local. If you have MacOS X you are already running this service. This is optional but it really does help out on a LAN if you don't want to run your own local DNS.

On some older distros like lucid you may need to edit /etc/avahi/avahi-daemon.conf and make sure use-ipv6=yes.

By default /etc/nsswitch.conf is set to only resolve mDNS through IPv4. You can enable it to resolve mDNS with IPv6 also by changing the line:

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
to
hosts:          files mdns_minimal [NOTFOUND=return] dns

This will prefer resolving over IPv4 first but will still pick up a v6 only host.

Picking up DNS servers from Router Announcements

Stateless auto configuration works out of the box on Linux. As soon as a router announcement is sent over the LAN your interface will get an IPv6 address and route for each advertised prefix. However, even though the RA can contain DNS server information, Linux will not pick it up and use it unless you have a daemon called rdnssd installed. (You could also set up DHCPv6 instead, but since I did not decide to go that route I won't be covering that.)

Just run apt-get install rdnssd on each Linux machine on your LAN.

At this point you are now ready to go to the next step.

Getting IPv6 connectivity

You now have your local network ready to get on the IPv6 internet but first you have to get connected to the IPv6 internet to do much of anything useful with it. I recommend going to http://www.tunnelbroker.net and signing up for a free account.

Once you have your tunnel created click on the Example configurations Tab and select linux-route2. You will see a script that looks something like this:


modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 209.51.161.14 local yourpubliciphere ttl 255
ip link set he-ipv6 up
ip addr add 2001:DB8:0001:23::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

If you are behind NAT just replace your public IP address with your local behind-the-NAT address instead (otherwise the tunnel won't work).

Protocol 41

If you have a NAT router that does not forward IP protocol 41 packets you may need to configure it to do so, or just get a better home router. Some people have had luck using the DMZ feature on a particular box running the tunnel but YMMV (and I don't recommend doing it that way in any case). I had an old WRT54G router that didn't forward Protocol 41 and so I just bought a router that runs tomato on eBay for cheap instead.

If you didn't get any errors after pasting in the script (after making changes mentioned above) you should be able to run ping6 ipv6.google.com successfully. If not, see what I wrote above about Protocol 41 and check out the forums at tunnelbroker.net.

Setting up a Debian box as a router/firewall

If you successfully pinged ipv6.google.com you now are ready to set up a computer to be the router/firewall for your LAN.

required packages

Run apt-get install iptables iptables-persistent radvd. This should give you the ip6tables command, which will allow us to filter IPv6 traffic. (IPv4 and IPv6 filtering use separate firewall rules. If we don't set this up first you will expose every IPv6 capable machine on your LAN to the global IPv6 internet with no protection. DON'T DO THIS!)

Firewall rules

iptables-persistent currently does not load IPv6 rules, but it does create a nice /etc/iptables directory where we can put the rules6 file that my init script uses. Make sure you edit the rules6 file given here to match your routed IPv6 /64 address range and your own ULA address range (just delete the ULA stuff if you aren't going to use a ULA). he-ipv6 is the external interface and eth1 is the internal interface.
/etc/iptables/rules6:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#INPUT Chain
-A INPUT -p ipv6-icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth0 -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A INPUT -m rt --rt-type 0 -j DROP 
-A INPUT -s fe80::/10 -j ACCEPT 
-A INPUT -s <Put your ULA address here>::/64 -j ACCEPT 
-A INPUT -d ff00::/8 -j ACCEPT 
##Put all rules here for opening services on the firewall itself rather than 
##for other hosts on the internal network.
#Allow Web requests for HE.net certification tests.
#-A INPUT -d 2001:DB8:4242:93:: -i he-ipv6 -p tcp -m tcp --dport 80 -j ACCEPT
#All firewall/routing stuff goes here
#Don't use these rules to open ports on the local machine!
-A FORWARD -p ipv6-icmp -j ACCEPT 
#Reject source routing.
-A FORWARD -m rt --rt-type 0 -j DROP 
#Next two lines allow stateful filtering for anything thats started from inside our network
-A FORWARD -s 2001:DB8:4242:93::/64 -i eth1 -o he-ipv6 -m state --state NEW -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
#I don't think this one is needed
#-A FORWARD -i eth1 -o he-ipv6 -p icmpv6 -j ACCEPT
#Add anything here you want to allow through to various ports
#-A FORWARD -d 2001:DB8:4242:93::/64 -i he-ipv6 -p tcp -m tcp --dport 22 -j ACCEPT 
#-A FORWARD -d 2001:DB8:4242:93::/64 -i he-ipv6 -p tcp -m tcp --dport 33600:33604 -j ACCEPT 
#Log all dropped packets.
-A FORWARD -j LOG
#Output chain
-A OUTPUT -p ipv6-icmp -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -o he-ipv6 -j ACCEPT 
-A OUTPUT -o eth1 -j ACCEPT 
-A OUTPUT -m rt --rt-type 0 -j DROP 
-A OUTPUT -s fe80::/10 -j ACCEPT 
-A OUTPUT -s <put your ULA address here>::/64 -j ACCEPT 
-A OUTPUT -d ff00::/8 -j ACCEPT 
COMMIT
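
ip6tables evaluates each chain top to bottom and stops at the first terminating match, so the order of the lines in rules6 matters as much as their content. The following is an added example, not part of the original post: a small lint for this file and for the updated rules6 in the 25 Feb 2012 post. It reports ACCEPT rules that are evaluated before a chain's rt-type 0 drop, and an INPUT chain with policy DROP that has no ESTABLISHED rule on the external interface (the rule the update adds for he-ipv6). The function names, the finding labels and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: lint an ip6tables-restore file.
# lint_rules6 FILE WAN_IF prints one finding per line, nothing if clean.
#   SHADOW   - an ACCEPT rule sits before the chain's "--rt-type 0" drop, so
#              packets it matches are accepted before the drop is evaluated.
#   NORETURN - INPUT policy is DROP and no ESTABLISHED rule exists for WAN_IF,
#              so replies to connections opened by the router itself are lost.
lint_rules6() {
    awk -v wan="$2" '
    /^:/ { policy[substr($1, 2)] = $2; next }    # e.g. ":INPUT DROP [0:0]"
    $1 != "-A" { next }                          # comments, *filter, COMMIT
    {
        chain = $2
        rule = $0
        sub(/[ \t]+$/, "", rule)                 # listings carry trailing blanks
        accept = (rule ~ /-j ACCEPT$/)
        if (rule ~ /--rt-type 0 / && rule ~ /-j (DROP|REJECT)$/) {
            for (i = 1; i <= n[chain]; i++)
                print "SHADOW " chain ": " acc[chain, i]
            n[chain] = 0
            done[chain] = 1
        } else if (accept && !done[chain]) {
            acc[chain, ++n[chain]] = rule
        }
        if (chain == "INPUT" && accept && rule ~ /ESTABLISHED/ &&
            index(rule, "-i " wan " "))
            ret = 1
    }
    END {
        if (policy["INPUT"] == "DROP" && !ret)
            print "NORETURN INPUT: no ESTABLISHED rule on " wan
    }' "$1"
}

# Constructed sample: the INPUT chain in the order used by the listing above.
sample_rules6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
COMMIT
EOF
}

f=$(mktemp) && sample_rules6 >"$f" && lint_rules6 "$f" he-ipv6; rm -f "$f"
```

Moving the rt-type 0 line to the top of each chain clears the SHADOW findings, and the he-ipv6 RELATED,ESTABLISHED rule from the updated file clears NORETURN.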

Setting up the router announcement daemon

The router announcement daemon is kind of similar to DHCP on an IPv4 network. It sends out multicast packets to the all-hosts multicast address periodically. It also responds to router solicitation requests on the all routers address when a machine wants to get a V6 address. It mainly advertises IPv6 address prefixes, routes and optionally DNS server addresses.

The following is an example /etc/radvd.conf configuration. Just replace the DB8 addresses with your own routed /64 that you obtained from tunnelbroker.net and use your own generated ULA (or just delete that part from the config file if you decided not to use a ULA).

/etc/radvd.conf:

interface eth1
{
   AdvSendAdvert on;
   prefix 2001:DB8:4242:93::/64 
   {
   };

   prefix <put your ULA here or just delete this part>/64 
   {
	AdvValidLifetime infinity;
	AdvPreferredLifetime infinity;
   };
   RDNSS 2620:0:ccc::2 2620:0:ccd::2 
   {
   };
};   

The init script

Finally I have created a simple init script to bring the tunnel up, load the ip6tables firewall rules in, assign the v6 routed address to the internal interface, assign the ULA to the internal interface and finally start up radvd to announce our prefixes/routes to the LAN. You can just make a link to it as /etc/rc2.d/S99ipv6 (or whatever your default runlevel is instead of rc2.d) to make it run automatically. Or you can just start/stop it by hand like I'm doing for now.

/etc/init.d/ipv6:

#!/bin/sh
#This is the address of the he.net tunnel server
TUNNELSERVER=209.51.161.14
#this needs to be the local ipv4 address of this machine, if you are behind
#NAT it needs to be the RFC1918 address and not the NAT router's public IP
LOCALIP=192.168.93.111
#This is the local part of the point to point link that he.net gave you
TUNNELV6ADDR=2001:DB8:0001:23::2/64
#This is your actual routed /64 address space (This is different than the 
#TUNNELV6ADDR) Just copy this from your tunnel info on the tunnelbroker page
ROUTED64=2001:DB8:4242:93::/64
#This is optional but rather useful if you want your own local v6 address
#space beyond the link local addresses. DO NOT just put in any address
#Please generate your own using the tool at 
#http://www.sixxs.net/tools/grh/ula/
#ULA's are meant to be private but unique in order to avoid the problems
#encountered with RFC1918 addresses in IPv4.
ULA=<enter a /64 address allocated out of your /48 ULA here>
#This is the interface that is on your LAN.
#(Used to assign the routed /64 address and the ULA address to)
LANIF=eth1
case "$1" in
start)
        ip6tables-restore </etc/iptables/rules6
	ip tunnel add he-ipv6 mode sit remote $TUNNELSERVER local $LOCALIP  ttl 255
	ip link set he-ipv6 up
	ip addr add $TUNNELV6ADDR dev he-ipv6
	ip addr add $ROUTED64 dev $LANIF
	ip addr add $ULA dev $LANIF
	ip route add ::/0 dev he-ipv6
	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
	service radvd start
    ;;
stop)
        ip link set he-ipv6 down
	ip tunnel del he-ipv6
	ip addr del $ROUTED64 dev $LANIF
	service radvd stop
        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding

    ;;
force-stop|restart|force-reload|status)
    ;;
*)
    echo "Usage: $0 {start|stop|force-stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0

We're Done!

Once you have that init script edited and in place, run /etc/init.d/ipv6 start. Your tunnel should come up and radvd should start and announce your prefixes to the LAN. If you go to a machine on your LAN and type ifconfig -a you should now see a 2001:* prefix inet6 address assigned to your network interface. Just type ping6 ipv6.google.com to see if everything is working.

Testing your IPv6 connectivity

You can go to http://test-ipv6.com/ to test your IPv6 connectivity and be sure you have your dual stack set up right.



Fri, 23 Dec 2011

Getting an old IBM 3151 terminal working with Debian Squeeze


I bring my laptop with me to St. Louis for Christmas every year. In St. Louis I have a big pile of obsolete equipment. One particular piece is an old IBM 3151 Terminal with Wyse 50 emulation card installed.

I like to hook up the IBM 3151 terminal to my laptop to give me an extra text only display and keyboard for editing text files and chatting on IRC etc.

Since this terminal (with the emulation card I have on hand at least) does not handle VT100 escapes it is a bit of a bear to set up so I figured I would write a blog post about how I get it working under Linux.

I like the nice crisp lime green display and the wonderful model M style buckling-spring keyboard.

Setting up the terminal

First plug the serial cable into the rear left hand port (left hand side with the front of the display facing you). The other port is for a serial printer if you have one.

Next type Ctrl-Setup to get to the setup screen. You will use the arrow keys to move around the menu and the space bar to choose the options. Once you have selected everything you want on that screen, press send to go to the next setup screen.

General Screen

Machine Mode: WYSE50/50+
Enhance Mode: ON
Screen: NORMAL
Row and Column: 25 x 80
Scroll: JUMP
Auto LF: OFF
CRT Saver: ON
Line Wrap: ON
Attribute: SCREEN
Return/Enter: CR/CR
Protect: HALF-INT

Communication Screen

Operating Mode: ECHO
Line Speed (bps) 9600
Word Length (bits) 8
Parity: NO
Stop Bit: 1
Parity Check: OFF
Line Control: PRTS
Pacing: OFF
Block End: US/CR
Edit Mode: DUPLEX
Keyboard Lock: ENABLE

Printer screen

Just ignore this screen if you don't have a printer, it only has the serial port setting for the printer on this screen anyway.

Function Screen

This is the screen that allows you to save your settings. Just press space over the desired function in order to perform it.

You will want to highlight save and press space and then highlight reset and press space on this screen.

The other functions are fairly obvious in what they do. You can search Google for the 3151 manual to get full docs on this terminal.

Set up getty to talk to the terminal

Now that the terminal is set up you just have to get init to spawn a getty for the terminal and you will get a login prompt on the terminal. Once you have completed this step we are nearly finished.

Edit /etc/inittab

Add this line to your inittab and when you are finished type init q as root.
T0:23:respawn:/sbin/getty -L ttyUSB0 9600 wyse50

Once you have typed init q you should see a login prompt on the terminal. Go ahead and log in and you should have a shell. A lot of curses programs, including the pager, will act funny though because they seem to assume that the whole world is a VT100 compatible terminal. The next section addresses how to fix this.

How to fix the terminal escapes

The simple answer to getting the terminal to behave as much as possible like a VT100 to applications that are poorly written is to use screen to translate those VT100 escapes into wyse50 escapes. Just invoke screen -a -O once you log in and curses applications should start to behave normally.

I hope this helps someone else that has a similar Terminal that they want to use on a linux machine. I also have a nice AT&T 705 MT terminal I could have used that has excellent VT100 emulation, but I prefer the model M keyboard on my 3151. In the future I might find the DEC emulator card for it at a reasonable price and just simply use that instead and save the headache of using screen.



Mon, 14 Nov 2011

Getting Suspend to disk working on Debian 6.0 Squeeze on the Thinkpad T41


A recent update to the 2.6.32 i486 kernel in Squeeze had the effect of making the kernel crash on resume from disk. I tracked things down to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607288

This basically boils down to adding acpi_sleep=s4_nohwsig to the kernel command line.

While I'm at it I thought I would describe how I have suspend to disk set up on my T41 since I had to do other things to get hibernate to work at all before this.

Step 1. pre/post suspend script

I created a file named 20_deep13hibernate inside of /etc/pm/sleep.d/. It looks like this:


#!/bin/sh

# Action script ensure that unattended-upgrades is finished 
# before a hibernate 
#
# Copyright: Copyright (c) 2009 Michael Vogt
# License:   GPL-2
#

PATH=/sbin:/usr/sbin:/bin:/usr/bin


# pm-action(8) -  
#
# On suspend|hibernate, disconnect any wpa-roam managed interfaces,
# reconnect it on resume.

case "${1}" in
        hibernate)
                echo removing wireless module
                modprobe -r ipw2200
                pccardctl eject
                ;;
        resume|thaw)
                # reload the wireless module and re-insert the PC Card
                echo loading wireless module
                modprobe ipw2200
                pccardctl insert
                ;;
esac

Next, just edit /etc/default/grub and change the line that looks like:
GRUB_CMDLINE_LINUX_DEFAULT="" to
GRUB_CMDLINE_LINUX_DEFAULT="acpi_sleep=s4_nohwsig"

Finally just run update-grub and suspend to disk should work now. You may also want to add other modules into the sleep.d script (particularly if you have a different wifi card inside your Thinkpad T41). I hope this helps someone with a similar problem.


