[00:00] <X123> anyone else seeing weird tcp connection problem with 3.13+ kernel
[00:08] <bearface> define weird
[01:06] <X123> like..
[01:07] <X123> ssh to 127.0.0.1 and it hangs for anywhere from 10 seconds to minutes, sometimes connects and sometimes resets broken pipe etc
[01:07] <X123> same thing with curls and such
[01:07] <X123> starts happening about 10ish mins after reboot
[01:07] <X123> works fine until then
[01:07] <X123> almost like a memleak of some sort
[01:07] <X123> happens in every kernel 3.13+ i've tried
[01:07] <X123> seems fine in older ones
[01:09] <sarnold> I'm on 3.13.0-44-generic and "time ssh localhost date" takes 1.9 seconds for the 'first' run and 0.2 seconds for each additional run
[01:09] <sarnold> hangs with ssh often mean the server is trying to do a reverse DNS lookup on the client's IP address
[01:10] <X123> yeah i know but it's not that
[01:10] <sarnold> but that doesn't make sense re: ten minutes after reboot
[01:10] <X123> localhost is in the /etc/hosts
[01:10] <X123> plus it does it with curls (http request)
[01:10] <X123> and on top of that i can't open any listening sockets either
[01:10] <X123> like trying to start a service that listens on port 5000
[01:10] <X123> it won't listen on the port even though nothing else is there
[01:11] <X123> it's extremely weird problem
[01:11] <X123> ssh localhost is instant for some time
[01:11] <X123> it asks for password instantly every time
[01:11] <X123> and then hangs
[01:12] <sarnold> is there anything strange in dmesg? how do netstat or ss output look?
[01:12] <X123> nothing major, it's running several services
[01:12] <X123> Transport Total     IP        IPv6
[01:12] <X123> *         2108      -         -
[01:12] <X123> RAW       0         0         0
[01:12] <X123> UDP       11        8         3
[01:12] <X123> TCP       107       104       3
[01:12] <X123> INET      118       112       6
[01:12] <X123> FRAG      0         0         0
[01:12] <X123> but not much connections
[01:12] <X123> sometimes ssh connects in 10-60 seconds
[01:12] <X123> and sometimes it broken pipe/reset by peer
[01:13] <X123> after a few mins
[01:13] <X123> but this is destroying the HTTP services running on the box
[01:13] <X123> even curl to 127.0.0.1 does same thing so as you can imagine http doesn't work :)
[01:13] <X123> once a connection is established (ssh or whatever) it's fine
[01:14] <X123> nothing in dmesg
[01:14] <X123> was wondering if it had something to do with apparmor
[01:15] <sarnold> X123: apparmor would show up with DENIED messages in dmesg or auditd logs
[01:15] <X123> yeah, and it's not
[01:15] <X123> but u never know :0
[01:15] <X123> does same on 3.16
[01:16] <X123> and multiple servers are doing it
[01:16] <X123> not just one
[01:16] <X123> but then again we have a few more servers that aren't AS BAD
[01:16] <X123> like ssh takes 8-16s
[01:16] <X123> and always seems to connect
[01:17] <X123> and it's random that it does that, most of the time it's 1s or so
[01:17] <X123> but no matter what it should always be instant
[01:17] <X123> kind of driving a few of us nuts haha
[01:19] <X123> if you have any clue or direction to figure it out would be appreciated
[01:20] <X123> sniffing loopback and watching it shows interesting results sometimes
[01:21] <X123> sometimes it gets stuck retransmitting over and over, and sometimes it gets no response
[01:21] <X123> is very very odd
[01:21] <k2gremlin> Can someone help me with an iptable to redirect all traffic from an interface to a port?
[01:22] <X123> like what?
[01:22] <X123> i mean you can't redirect ALL traffic from a layer2 interface to a layer3 port
[01:22] <k2gremlin> all port 80 traffic to a Squid3 server
[01:22] <X123> so have to be more specific :)
[01:22] <k2gremlin> I know and iptables are very new to me lol
[01:23] <X123> so when someone connects to port 80 of the ip address on your interface
[01:23] <X123> u want it to go to some other ip on another port
[01:23] <X123> or do u want all traffic that gets forwarded through like a router to be redirected
[01:23] <k2gremlin> Well the laptop or lan is connected to one port on my server which is vswitched to Eth1 of my Ubuntu server
[01:24] <X123> ok
[01:24] <k2gremlin> I need all of that web traffic redirected to Squid3 and then on the outside redirected from Squid3 to Eth0 which is Vswitch to another physical port on the server.
[01:24] <k2gremlin> All other traffic redirected straight from Eth1 to Eth0
[01:24] <X123> redirected.. as in?
[01:24] <X123> like NAT
[01:24] <X123> or routing ?
[01:25] <cyclob|work> is there an service available that can monitor bandwidth usage?
[01:25] <k2gremlin> That I am not sure of. Eth0 is on 192.168.1.0 net and Eth1 is on 192.168.2.0 net
[01:25] <k2gremlin> so a "static" NAT for all the other traffic maybe?
[01:25] <X123> cyclob|work: like a program you run on the command line, or what?
[01:26] <X123> you can nat any traffic leaving eth0
[01:26] <X123> to the ip of eth0
[01:26] <cyclob|work> yeah so i can stick a box between a switch and router and graph the bandwidth usage over a week
[01:26] <k2gremlin> X123, I tried this... http://pastebin.com/Lme2GAxU
[01:26] <X123> why not just graph the bandwidth usage on the router or switch port
[01:27] <cyclob|work> no snmp or router access sadly
[01:27] <X123> whaa
[01:27] <cyclob|work> yeah managed routers
[01:27] <X123> so you want to insert a server in between it and bridge the interfaces
[01:27] <cyclob|work> costs $$$$ to change anything on them. lol
[01:27] <sarnold> cyclob|work: check out iptraf or munin or similar
[01:27] <X123> just run SNMP on the server
[01:27] <X123> and use cacti or something to graph the interfaces
[01:27] <k2gremlin> Kind of... I want the Squid3 server to be directly behind my ISP modem and the Lan behind that
[01:28] <X123> works just like it's a router or switch
[01:28] <X123> what's the squid server for?
[01:28] <cyclob|work> cool i'll check them out
[01:28] <k2gremlin> its a proxy server...
[01:28] <k2gremlin> to allow or disallow based off of rules.
[01:28] <X123> yeah just apt-get install snmpd i think
[01:28] <k2gremlin> Which I then build Dilidele WS on top of that for content filtering
[01:29] <X123> so you want the squid server to transparent proxy
[01:29] <X123> everything coming from your lan
[01:29] <k2gremlin> Yes!
[01:29] <k2gremlin> And I am familiar with firewall rules and such on ASA's but iptables is a foreign language to me
[01:29] <X123> that's easy enough
[01:30] <k2gremlin> X123, this is for home networking btw
[01:30] <X123> you really should specify interfaces in iptables
[01:30] <X123> like postrouting -o eth1
[01:30] <k2gremlin> and I would prefer that because the ISP side may change
[01:30] <X123> u don't want to nat everything on every interface
[01:30] <dts|pokeball> hey,,, if anyone can answer this i would be very appreciative https://askubuntu.com/questions/573904/setting-up-subdomains-for-ubuntu-server-14-04
[01:30] <k2gremlin> to give you a layout of what I have..
[01:31] <k2gremlin> Right now is it ISP>Router>Server>Laptop
[01:31] <k2gremlin> for testing
[01:31] <X123> server is acting as a switch
[01:31] <k2gremlin> for the laptop yes.
[01:31] <k2gremlin> And with NORMAL squid... IE...
[01:31] <X123> so laptop has an ip from router
[01:31] <k2gremlin> Directing the laptop to the squid it works
[01:31] <X123> like eth0 on router goes to ISP
[01:31] <X123> eth1 goes to server
[01:31] <k2gremlin> umm ...
[01:32] <k2gremlin> http://puu.sh/ew2LH/59f97f043e.png
[01:32] <k2gremlin> top is what I have now
[01:32] <k2gremlin> and I can't get it working
[01:32] <k2gremlin> Once I figure it out ill put the server between the ISP and the internal LAN router
[01:33] <X123> so the server is doing NAT also
[01:33] <X123> to the router, which is doing nat to the isp lol
[01:33] <k2gremlin> Server isnt yet...
[01:33] <k2gremlin> I just have the interfaces on the server configured for those IP's
[01:33] <X123> then how does the laptop get internet access
[01:33] <k2gremlin> static
[01:33] <k2gremlin> atm
[01:34] <k2gremlin> Ohh umm
[01:34] <k2gremlin> It doesn't
[01:34] <k2gremlin> UNLESS
[01:34] <k2gremlin> I manually put in the proxy info
[01:34] <k2gremlin> which I don't want to do
[01:34] <X123> oh so it has no internet at all
[01:34] <X123> you just want port 80 to work
[01:34] <X123> and nothing else?
[01:34] <k2gremlin> well eventually 80 and 443 to the proxy...
[01:34] <k2gremlin> everything else straight out
[01:34] <k2gremlin> if that makes sense lol
[01:35] <X123> yeah
[01:35] <k2gremlin> Right now, anything that has a destination port 80
[01:36] <X123> http://www.tldp.org/HOWTO/TransparentProxy-6.html
[01:36] <X123> this 6.2 method is the best imo
[01:36] <k2gremlin> checking it out now
[01:37] <sarnold> hah, I read that HOWTO back in the ipfwadm days
[01:37] <sarnold> nice to see it's been updated since then :)
[01:37] <X123> haha
[01:37] <X123> it still works :)
[01:37] <k2gremlin> This sounds like the iptables is a separate server..
[01:37] <X123> yeah the iptables is the router
[01:37] <X123> squid is separate
[01:38] <k2gremlin> can they be on one?
[01:38] <X123> sure
[01:38] <k2gremlin> squid-box = squid server ip right?
[01:38] <X123> yeah
[01:38] <X123> but you wouldn't need the extra routing
[01:39] <k2gremlin> -s near the end of the first command is source?
[01:40] <X123> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
[01:41] <X123> this should be easier to see for one device
[01:41] <k2gremlin> yea I tried that page
[01:41] <X123> of course i'd specify interfaces in iptables
[01:41] <X123> i dunno why they didn't
[01:42] <X123> i ALWAYS specify interface :)
[01:42] <X123> -o and -i
[01:42] <k2gremlin> Actually thats a different page
[01:42] <X123> masquerade is outbound nat
[01:42] <k2gremlin> 1 sec..
[01:43] <X123> it's IP-unspecific, which is why they use it, because if eth0 connects to the internet the ip might change
[01:43] <X123> so masquerade just picks whatever IP is on that interface
[01:43] <X123> and uses it
[01:43] <k2gremlin> I don't see an eth0 on that page
[01:44] <X123> there isn't :)
[01:44] <X123> there should be.. :)
[01:44] <X123> if eth0 is internet facing
[01:44] <X123> then you want -o eth0 for the masq
[01:44] <k2gremlin> this look good? http://pastebin.com/4PSmMVfw
[01:44] <X123> just so there's no confusion
[01:44] <k2gremlin> after masq
[01:45] <k2gremlin> iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
[01:45] <X123> before, but im sure it will move it
[01:45] <X123> basically means, anything exiting eth0, nat to the ip of eth0
[01:45] <k2gremlin> iptables -t nat -A POSTROUTING -j -o eth0 MASQUERADE ?
[01:46] <X123> -A POSTROUTING -o eth0 -j MASQUERADE
[01:46] <k2gremlin> k ill try
[01:46] <X123> then the prerouting ones
[01:46] <X123> u want -i
[01:46] <k2gremlin> ...
[01:46] <X123> input interface
[01:46] <X123> i mean it's not necessary
[01:46] <X123> i just don't like iptables doing things i don't want it to do
[01:47] <k2gremlin> on all prerouting?
[01:47] <X123> prerouting happens before any processing
[01:48] <k2gremlin> http://pastebin.com/vF5wSbfc
[01:48] <X123> like the first thing it does when a packet comes in an interface = prerouting
[01:48] <X123> postrouting happens after it processes the packet in routing table and decides what interface is is going to send the packet out
[01:48] <X123> i think the last prerouting is -i eth0
[01:48] <k2gremlin> ill try those commands
[01:48] <k2gremlin> right sorry
[01:48] <X123> because it's blocking people on the internet from accessing the squid port
[01:49] <k2gremlin> So if the dport isnt 3128 drop it
[01:49] <X123> that drops everything going to 3128
[01:49] <X123> if it comes in eth0
[01:49] <X123> but it's not coming in eth0, it's coming in your lan eth1
[01:50] <k2gremlin> http://puu.sh/ex2wD/9242aef150.png
[01:50] <k2gremlin> ill try it
[01:52] <k2gremlin> nope... not even seeing access on the squid logs
[01:53] <k2gremlin> is there a way to view traffic on the iptables?
[01:53] <X123> u can see counters
[01:53] <k2gremlin> how? lol
[01:53] <X123> like iptables -t nat -L -vnx
[01:53] <X123> or whatever table u are using -t mangle -t filter
[01:54] <k2gremlin> postroute is only one with counters
[01:54] <X123> well you are accessing a real internet ip from the laptop?
[01:54] <k2gremlin> cnn.com
[01:54] <k2gremlin> google.com
[01:55] <k2gremlin> stuff like that
[01:55] <k2gremlin> wait
[01:55] <k2gremlin> Pings work
[01:55] <k2gremlin> so..........
[01:55] <k2gremlin> DNS not working
[01:55] <X123> you'd have to use DNAT for redirecting a real internet ip to the squid proxy
[01:56] <X123> because redirect of a port will just change the port
[01:56] <X123> but it will still end up going out
[01:56] <k2gremlin> ok well getting closer lol
[01:56] <k2gremlin> I havent been able to get that ping to work in 3 days trying this
[01:56] <k2gremlin> Sec... gotta change the squid config to intercept
[01:56] <k2gremlin> duh?
[01:57] <X123> ping will work because of masq
[01:57] <k2gremlin> gotcha.. and were not trying to intercept icmp
[01:57] <k2gremlin> trying to intercept port 80
[01:58] <X123> actually it intercepts 3128
[01:58] <k2gremlin> hmm nslookup.. laptop is able to resolve
[01:58] <X123> and you DNAT port 80 to 3128
[01:58] <k2gremlin> thats what udp 53?
[01:58] <X123> aye
[01:58] <k2gremlin> Ok so DNS is working
[01:59] <X123> do a tcpdump -n -i eth0
[01:59] <X123> and try access web site
[01:59] <X123> i bet you will see it trying to access 3128
[01:59] <k2gremlin> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
[01:59] <k2gremlin> try this?
[01:59] <X123> yeah that's what u need
[01:59] <X123> that redirects connection attempts to 80 to that ip
[01:59] <k2gremlin> ok do I have to "restart" iptables?
[01:59] <X123> not if you typed that from the shell
[02:00] <X123> it puts it in instantly
[02:00] <X123> but it appends it to the end
[02:00] <X123> -A is append
[02:00] <X123> so u have to look at where you are inserting it
[02:00] <k2gremlin> ok it dropped it at the bottom.. top down is how it runs so how do I move it up?
[02:00] <X123> and then u have to redirect the REPLY
[02:01] <k2gremlin> I don't see anything like sequence numbers in here
[02:01] <X123> u can do --line-numbers
[02:01] <X123> to see the sequence #
[02:01] <X123> honestly i just edit a file
[02:01] <X123> i do iptables-save >file
[02:01] <X123> edit file
[02:01] <k2gremlin> Where is it stored?
[02:02] <X123> iptables-restore < file
[02:02] <X123> that's how i do it :)
[02:02] <X123> i don't even bother with it being saved anywhere
[02:02] <k2gremlin> so make a new file with what I want then run that command
[02:02] <X123> just type iptables-save
[02:02] <X123> u will see
[02:02] <X123> so u can > that to a file
[02:02] <X123> edit that file
[02:03] <X123> then iptables-restore < file
[02:03] <X123> and it puts in in the order in the file
[02:03] <X123> it's 100x easier
[02:03] <X123> imo
[02:03] <k2gremlin> ok... where did it save to?
[02:04] <k2gremlin> nvm.. I did iptables-save > iptables.txt
[02:05] <X123> you just need 2 rules
[02:05] <X123> in iptables
[02:05] <X123> plus the masq
[02:05] <k2gremlin> http://puu.sh/ex4vX/17d898e47b.png
[02:06] <X123> redirect rule should be lan
[02:06] <X123> like
[02:06] <X123> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
[02:06] <X123> if eth1 is your LAN int
[02:07] <X123> no wait
[02:07] <X123> should be eth0
[02:07] <k2gremlin> yea eth 1
[02:07] <X123> cuz it has to do it before it goes out eth0
[02:07] <k2gremlin> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
[02:07] <k2gremlin> is whats in there
[02:07] <X123> so you will have two rules like this
[02:07] <X123> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
[02:07] <X123> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
[02:07] <X123> or whatever your squid IP is
[02:07] <X123> in that order
[02:08] <X123> should work :)
[02:08] <X123> i never tried it like this tho
[02:08] <k2gremlin> so the DNAT is the outside
[02:08] <X123> and then you'll have the masq
[02:08] <X123> DNAT is LAN eth1
[02:08] <X123> it redirects anything on your LAN
[02:08] <X123> that tries to connect to anything on port 80
[02:08] <X123> routed though this server
[02:08] <X123> to that squid ip
[02:09] <k2gremlin> ok so LAN is 192.168.2.0, Squid Eth1 is 192.168.2.1 so use 2.1 on the DNAT
[02:11] <X123> squid server would be 192.168.1.1 in my example
[02:11] <k2gremlin> http://puu.sh/ex5cd/95196f94b4.png
[02:11] <X123> which is running on the local machine
[02:11] <X123> that's what the -j REDIRECT does
[02:11] <X123> redirects it to the local machine only
[02:13] <k2gremlin> that last pic I sent still isnt working :/ lol
[02:13] <k2gremlin> lemme check squid logs
[02:13] <k2gremlin> nope. Squid log shows 0 traffic
[02:14] <X123> http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
[02:14] <X123> check this
[02:14] <k2gremlin> so at this point, I need to get port 80 traffic to 3128 just to start
[02:14] <X123> that looks like it explains it better
[02:14] <X123> you can verify that with tcpdump
[02:14] <k2gremlin> but that 3rd rule under the NAT table should do it
[02:14] <X123> that's how i do it
[02:14] <X123> maybe rp_filter is on
[02:14] <X123> and the machine is being a @()#
[02:14] <X123> make sure rp_filter=0
[02:15] <X123> edit the /etc/sysctl.d/10-network-security.conf
[02:15] <X123> and make those 0
[02:15] <X123> that breaks so much stuff that they default to 1
[02:15] <X123> soooo much
[02:15] <X123> syncookie 0 too
[02:16] <k2gremlin> this looks like my exact setup
[02:16] <X123> yeah
[02:16] <X123> but make sure rp filter!
[02:16] <X123> is 0
[02:16] <sarnold> if you're going to turn off rp_filter, it's worth making sure your firewall rules enforce something sane
[02:16] <X123> since u are doing nat tricks
[02:16] <X123> i always turn it off, it causes more problems than anything
[02:17] <X123> much easier to iptables stuff
[02:17] <sarnold> X123: any luck with your problem?
[02:17] <X123> sarnold no :/
[02:17] <X123> unfortunately
[02:17] <sarnold> X123: dang ;(
[02:17] <X123> it doesn't do it on centos running same thing
[02:17] <X123> or previous kernels
[02:17] <sarnold> I hoped I had just missed it in the middle of the rest..
[02:17] <X123> just 3.13+ so far
[02:17] <X123> i'm dying to know what it is
[02:18] <sarnold> X123: please file a bug against "linux"
[02:18] <X123> well i've only tried the ubuntu kernels
[02:18] <X123> i might download and compile one myself
[02:18] <X123> and see
[02:18] <X123> that's a lot of work though lol
[02:19] <sarnold> X123: when you file one against linux, there's a robot that will ask you test some 'upstream kernels', all precompiled and ready to go
[02:19] <X123> ill get one of the techs to do it.. i'm the network engineer :P
[02:19] <X123> tested 3.16
[02:19] <X123> same stuff
[02:19] <X123> rp_filter is the most annoying thing ever
[02:19] <X123> it just silently discards packets
[02:19] <X123> wish it was default 0 in every dist
[02:31] <X123> k2gremlin u get it working
[02:31] <k2gremlin> X123 nope not yet. Cruising through the iptables to figure out why its not forwarding 80 to 3128 :/
[02:32] <X123> did u disable rp filter
[02:32] <k2gremlin> That site is old... but I can sort of understand it lol
[02:32] <k2gremlin> Yes
[02:32] <k2gremlin> there were 2 commands with it
[02:32] <X123> tcpdump :)
[02:32] <X123> that is my friend
[02:32] <X123> there's a script on that site that sets it up
[02:32] <X123> check out the script, it has a bunch of iptables commands
[02:33] <k2gremlin> Yea I ran it...
[02:33] <X123> but some of the block a lot of stuff which u don't want
[02:33] <k2gremlin> but the config portion for squid is really old
[02:33] <k2gremlin> the squid commands are not valid anymore.
[02:33] <X123> ah
[02:33] <X123> never used squid :)
[02:33] <X123> i use nginx
[02:33] <k2gremlin> only traffic was ssh with my putty and an arp request
[02:33] <X123> use tcpdump to trace it
[02:33] <X123> see what's coming in the lan int
[02:33] <X123> see what's on lo
[02:33] <X123> and see what's going out
[02:34] <k2gremlin> can I grep an interface?
[02:34] <X123> u can put options on tcpdump
[02:34] <X123> like what do u want to do
[02:34] <k2gremlin> see whats coming in eth1
[02:36] <X123> just tcpdump -n -i eth1
[02:37] <k2gremlin> 20:36:52.028698 IP 192.168.2.1 > 192.168.2.10: ICMP 192.168.2.1 udp port 53 unreachable, length 65
[02:37] <k2gremlin> yea see I can't even ping using their rules
[02:37] <k2gremlin> lol
[02:37] <X123> yeah like i said
[02:38] <X123> it blocks pretty much everything
[02:38] <X123> so u can just edit out all the blocking stuff
[02:38] <sarnold> ping uses icmp, a different protocol than tcp...
[02:38] <X123> you should use tcpdump -n -i lo
[02:38] <X123> to see traffic on local machine
[02:38] <X123> sarnold, tcpdump shows everything
[02:39] <X123> even mpls, gre, layer2 info
[02:39] <X123> everything :)
[02:39] <X123> not sure why it's called tcpdump but it shows it all
[02:39] <sarnold> X123: hehe, I meant that more along the lines of "you can't ping because you're only forwarding tcp traffic" ...
[02:39] <X123> oh eheh
[02:39] <sarnold> X123: tcpdump and I have a love/hate relationship :)
[02:39] <k2gremlin> watching lo isnt generating anything
[02:39] <sarnold> X123: ... I love the stupid thing but hate the language, I have to use the manpage every. single. time.
[02:40] <X123> it's not tcpdump language
[02:40] <X123> it's pcap
[02:40] <X123> so, hate pcap :)
[02:40] <sarnold> oh I do :)
[02:40] <X123> hehe
[02:40] <sarnold> same story with wireshark
[02:40] <k2gremlin> but ill take another wack at this tomorrow. My eyes are starting to hurt lol
[02:40] <k2gremlin> Thanks for all of the info/help guys
[02:40] <X123> yw :)
[02:40] <sarnold> but why on earth they picked _C_ for the packet dissectors...
[02:40] <X123> right now i have a hate relationship with cisco nexus 5xxx devices
[02:40] <k2gremlin> Im at the point where I open the server to someone.. they come in and set it up for me haha
[02:41] <X123> when you are forced to use these instead of a 7k
[02:41] <X123> grrrr
[02:41] <k2gremlin> so frustrated with it
[02:41] <sarnold> X123: heh, I've not heard much good about cisco gear :/
[02:41] <X123> I love cisco gear :)
[02:41] <X123> just not the nexus 5k lol
[02:41] <sarnold> ah :)
[02:41] <X123> 6500 platform and ASR
[02:41] <X123> are some of my favorite devices anywhere
[02:42] <k2gremlin> Well X123 I have another VM running Squid as a direct proxy and its working great. Just can't get this transparent thing working.. lol
[02:42] <k2gremlin> its even doing https inspection lol
[02:42] <k2gremlin> but ill be damned if I can get transparent :/
[02:42] <X123> yeah you can do that without transparent easy
[02:42] <k2gremlin> right lol
[02:43] <X123> transparent basically
[02:43] <X123> the proxy answers the connection
[02:43] <sarnold> k2gremlin: would it be sufficient to just prevent the clients from getting to the internet at all? i.e., undo the "transparent" bit?
[02:43] <X123> it checks out the host: header
[02:43] <k2gremlin> sarnold, its for my kids devices lol
[02:43] <X123> then connects to that and sends your request
[02:43] <sarnold> k2gremlin: ahhhh
[02:43] <sarnold> stuff that's unlikely to let you set http_proxy env variables correctly :)
[02:43] <k2gremlin> I have Squid3 with Diladele WS (content filter) running
[02:44] <k2gremlin> well the problem is... if they just turn off the proxy setting they go right around it lol
[02:44] <X123> which is why it won't work with some older http 1.0 requests
[02:44] <k2gremlin> Granted they may not be that smart yet.
[02:44] <k2gremlin> but I want to stay 2 steps ahead
[02:44] <X123> well, no u can block everything to port 80/443
[02:44] <X123> going to the internet
[02:44] <X123> except from the proxy
[02:44] <X123> so if they turn it off they get nothing
[02:44] <k2gremlin> Can I do that on my Asus router???????
[02:44] <X123> i'm sure you can
[02:45] <X123> it prob allows filter rules
[02:45] <k2gremlin> ill look into it
[02:45] <X123> most transparent proxies i set up are bridged
[02:45] <k2gremlin> the only other problem I need to solve.. is how to block changes to iOS WiFi settings lol
[02:45] <X123> ha
[02:45] <X123> they might have a kid mode on there
[02:45] <k2gremlin> Kids are gonna be smart. They turn off wifi and boom they're using their cell service lol
[02:45] <X123> some way to set an admin pass
[02:46] <X123> yeah
[02:46] <k2gremlin> There are a lot of restrictions..
[02:46] <X123> or they can just leave the house :)
[02:46] <k2gremlin> except wifi
[02:46] <X123> and go out of range of the wifi
[02:46] <k2gremlin> not much I can do there
[02:46] <X123> and use the cell service :)
[02:46] <X123> remove data from their account
[02:46] <X123> lol
[02:46] <sarnold> yank the SIM? :)
[02:46] <k2gremlin> I have iOS content filters enabled but yea.. :/
[02:46] <k2gremlin> And honestly.. this whole server thing is just fun for me lol
[02:46] <X123> apple could make some good bank
[02:46] <sarnold> lol
[02:46] <k2gremlin> kids are going to be kids
[02:47] <X123> if they integrated some sort of kid protection into the phone
[02:47] <X123> like forced it to use a proxy server they set up
[02:47] <X123> even on cell service
[02:47] <k2gremlin> I did the content filter more so that I can watch what they are doing on the net
[02:47] <X123> i did that for my kids
[02:47] <X123> but i just broke down and bought a router with built in content filtering lol
[02:47] <k2gremlin> I know they are going to push the boundaries.. but I want to see the red flag so that I can be like oh hell no... lol
[02:48] <X123> don't have time to mess with all that
[02:48] <k2gremlin> fun for me.. I love VM's
[02:48] <X123> another love /hate relationship of mine
[02:48] <k2gremlin> and it took a week ish to get the proxy with https working lol
[02:48] <X123> VM's piss me off
[02:48] <k2gremlin> lol
[02:48] <X123> but they have such good functionality
[02:48] <k2gremlin> I have a Plex server and the content filter atm
[02:48] <k2gremlin> and a GNS3 IOU vm running as well
[02:49] <k2gremlin> Wanna hear something funny...
[02:49] <X123> right now im working on two nexus 5548
[02:49] <X123> want to throw them off the 50th floor
[02:49] <k2gremlin> I know all this server crap.. granted not well. I know Cisco big time.
[02:49] <k2gremlin> Networking and all that. Tunnels, ospf, bgp
[02:49] <X123> yeah me too :>
[02:49] <k2gremlin> I took ICND1 Monday
[02:49] <X123> that's what I do
[02:49] <k2gremlin> failed by 3 points lol
[02:49] <X123> damn heh
[02:49] <k2gremlin> fucking trick ass questions lol
[02:49] <k2gremlin> excuse my language
[02:50] <X123> i got cisco certs ages ago haha
[02:50] <k2gremlin> so the internet side of a router running NAT....
[02:50] <k2gremlin> Global or inside?
[02:50] <X123> and yes they are stupidly tricky questions
[02:50] <X123> and the thing that bugged me the most was they are all cisco way
[02:50] <k2gremlin> I know it as "Global Inside"
[02:50] <X123> i don't always do things the way cisco "SUGGESTS" them to be done
[02:50] <k2gremlin> they had a choice.. "Global" or "Inside"
[02:50] <k2gremlin> RIGHT!
[02:50] <X123> and all of their questions are based on how they want it done and not 20 other ways u can do it
[02:50] <k2gremlin> tell me about it
[02:51] <k2gremlin> trying to think of some other areas I messed up
[02:51] <k2gremlin> oh.. port security lol
[02:51] <k2gremlin> IDK how I messed that up
[02:51] <k2gremlin> was a question on sticky mac..
[02:51] <X123> lol to me that question would be outside :)
[02:51] <X123> or external/dmz
[02:51] <k2gremlin> sticky puts the number of max devices mac address in the configs correct?
[02:52] <k2gremlin> pending the use of a timer
[02:52] <X123> if you put it there :)
[02:52] <X123> sticky mac puts the devices in the config on IOS :)
[02:52] <X123> but it doesn't on nexus 5548
[02:52] <X123> lol
[02:52] <k2gremlin> haha
[02:52] <k2gremlin> im re-taking on the 18th
[02:52] <X123> and max devices you have to set
[02:52] <X123> like
[02:53] <k2gremlin> max 5
[02:53] <X123> switchport port-security
[02:53] <X123> switchport port-security maximum 8
[02:53] <X123> switchport port-security aging time 60
[02:53] <X123> switchport port-security violation restrict
[02:53] <X123> switchport port-security aging type inactivity
[02:53] <X123> switchport port-security mac-address sticky
[02:53] <X123> max is whatever you set it to
[02:53] <k2gremlin> puts first 5 in the config lol
[02:53] <k2gremlin> exactly.. not sure how I messed up network device security
[02:53] <X123> first 5? :)
[02:53] <k2gremlin> enable secret 34io5ih398fcfjq is encrypted en pass right? lol
[02:54] <X123> yeah
[02:54] <k2gremlin> enable pass cisco is un-encrypted en pass
[02:54] <k2gremlin> I mean its SO easy
[02:54] <k2gremlin> yet I failed lol
[02:54] <X123> hehe
[02:54] <k2gremlin> and most people would consider ip addressing the hardest part.
[02:54] <k2gremlin> got 100% on that
[02:54] <k2gremlin> lol
[02:54] <X123> it puts a lot more than first 5 :)
[02:54] <X123> i got some ports with like 20-30
[02:55] <X123> stickies on it
[02:55] <X123> for VMs lol
[02:55] <k2gremlin> someone in networking Saturday tested me..
[02:55] <k2gremlin> they said 3 offices running 500 pc's and 500 phones in each office. Once office is 2 floors with 500/500 as well.
[02:55] <X123> i stopped doing dynamic sticky mac and started specifying it
[02:55] <k2gremlin> so I made this in 15 mins
[02:55] <k2gremlin> http://puu.sh/emjcr/18d7274617.png
[02:56] <k2gremlin> I love networking but I hate testing
[02:56] <k2gremlin> but anyways, going to play some CoD for a bit
[02:56] <X123> heh
[02:56] <k2gremlin> thanks again
[02:56] <X123> did they like that diagram
[02:56] <X123> i love testing stuff :)
[02:56] <X123> i hate making diagrams haha
[02:57] <X123> making big mpls l3 vpns, and dmvpn and such is a nightmare of config
[02:57] <X123> lots of vrfs and such
[02:57] <X123> trying to keep track of all that is )!@(*!)
[02:57] <k2gremlin> right!
[02:57] <X123> plus all the BGP filters, the security filters, control plane policing
[02:57] <X123> if someone interrupts me
[02:57] <X123> or calls me or anything
[02:57] <X123> when im in the middle of a huge config
[02:57] <k2gremlin> I hate BGP
[02:58] <X123> i have to take like an hour to find where i was lol
[02:58] <k2gremlin> haha
[02:58] <X123> i do BGP and security all day
[02:58] <X123> and MPLS
[02:58] <X123> in theory, it's very simple
[02:58] <X123> in practice, the filters are a nightmare
[02:58] <collizion> used to work somewhere as a sysadmin where the net admin, who just renewed his CCNA, didn't know how to configure dynamic routing. Large campus, 32 buildings, statically routed.
[02:59] <X123> shoot if you have one /16 or something
[02:59] <X123> and just route huge chunks to a few routers
[02:59] <X123> i static route a lot of stuff :)
[02:59] <X123> sometimes just OSPF for loopbacks/links
[02:59] <collizion>  /8, divided into /16s, /20s, /24s.
[03:00] <X123> and static route to loopbacks
[03:00] <X123> and gg
[03:00] <X123> but BGP is fairly simple
[03:00] <X123> if I had more than 2-3 routers i'd prob set up bgp
[03:00] <X123> or carry the routes in ospf or isis or eigrp or something
[03:00] <collizion> yeah, we had a lot more.
[03:00] <X123> at the least
[03:00] <X123> yeah but with like 1k total routes
[03:01] <X123> ospf is ok :)
[03:01] <X123> or eigrp
[03:01] <X123> but when got 500-600k routes in most of the core devices
[03:01] <X123> no choice have to use bgp :)
[03:02] <X123> got a bunch of extreme networks hardware too
[03:02] <X123> very good hardware
[03:02] <X123> worst CLI EVER
[03:02] <X123> EVER!
[03:02] <X123> i wrote scripts to configure it just because the cli is so bad
[04:28] <cyclob|work> sigh, for a program that's meant to use mysql you'd think they'd let you define your own hashing algorithm
[05:17] <Datz> Hi, samba server for some reason, is resetting users password after some length of time. I have to reset it every day. Anyone have any ideas about why, or how to fix this?
[08:56] <lordievader> Good morning.
[09:32] <cocoa117> with ubuntu preseed, is there any documentation for partman, partman-lvm, partman-auto, partman-* etc so I know all the available variables to use?
[11:13] <AdventureTime> hi everyone. is there someone available to PM me? i need help with a server. it would be great if we can do teamviewer or something
[12:14] <jamespage> jacalvo, good morning
[12:14] <jamespage> jacalvo, not sure whether you saw but we're sprinting on the upstart -> systemd migration for ubuntu vivid today/tomorrow
[12:15] <jamespage> jacalvo, zentyal uses quite a bit of upstart only configuration; see http://pad.ubuntu.com/systemd-porting-sprint for impacted packages
[12:16] <jamespage> jacalvo, is this something your team can work on?  if not we'll probably drop the packages from vivid as zentyal has not really been touched in 2 years
[12:36] <jacalvo> jamespage, I don't think we can work on that in the short term, we're going to stick to the LTS (trusty) for some time...
[12:43] <rbasak> jacalvo: will you want zentyal packages in the next LTS?
[13:02] <jacalvo> rbasak, that decision is not made yet, I suppose the safest thing you can do now is drop them, better than leave them broken
[13:03] <jacalvo> those packages are from a very old zentyal version anyway, as james says they've been unmaintained for more than 2 years (the maintained zentyal packages are in archive.zentyal.org)
[13:05] <rbasak> jacalvo: OK, thanks. I understand the desire to care only really about LTSes. It's fairly common for server.
[13:07] <rbasak> jacalvo: the (lack of) maintenance in inter-LTS packages causes some conflict with this I think. It's a consequence of how our releases work - we'd expect or even effectively require the package to continue to be maintained in between, even though end-users may not necessarily care on server.
[13:07] <rbasak> I'm not sure what we can do about this. It's a dissonance I don't like, though.
[13:07] <rbasak> jamespage: ^^ - remove I guess then?
[13:07] <jacalvo> yes, the problem is that zentyal and ubuntu release cycles have never been synced
[13:08] <jacalvo> usually we have the stable packages ready when the LTS is already out and stable
[13:08] <jacalvo> it's difficult to have them before the freeze period
[13:08] <rbasak> I wonder if click packages are the future here.
[13:08] <rbasak> They're better suited to this I think, but maybe not quite ready for server use yet.
[13:09] <rbasak> (I don't know if that would require snappy or not - it'd be nice if non-transactional worked with click packages too)
[13:09] <jacalvo> anyway, for our users it's no big deal to add an additional repository, and take into account that we also provide remastered ISOs, that's probably the most typical way to install zentyal :)
[13:10] <rbasak> Understood. Maybe that's the better model right now. If so, maybe even intentionally avoid having the packages in Ubuntu, so users don't get misguided to the less recommended and less well looked after path?
[13:10] <jacalvo> yes, I think it's better to remove them
[13:11] <jacalvo> otherwise the only thing they are going to cause is frustration probably
[13:13] <jacalvo> in fact some time ago I was already asked about this (because they were blocking some release as they were non-installable or something like that) and I said it was ok to remove them, but finally someone worked around the issue and they remained there
[13:16] <sebastianlutter> I want to rate limit access to port 80/443 per IP to avoid simple DoS attacks. I think iptables rate limit is what I want, what do you use? Can someone provide some practical values or some tutorial link? Thanks for any hint
[13:17] <collizion> sebastianlutter: The answer to that is going to be determined by how much traffic you receive normally.
[13:19] <collizion> sebastianlutter: As a general resource: http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
[13:22] <sebastianlutter> collizion, thanks for the general link. It is just a medium business homepage that provides company and product info (about 50 unique visits a day).
[13:28] <collizion> sebastianlutter: As a starting measure, you could try a bit of traffic analysis. Make a request to your web site. Surf around, etc. See how many concurrent connections are generated to a single client IP per request.
[13:29] <collizion> sebastianlutter: Multiply that by a reasonable buffer factor, and limit concurrent requests per IP address to that number.
[13:40] <sebastianlutter> collizion, I will, thanks
[14:21] <rcaskey> hey all, I've been playing with netbooting (https://github.com/robjcaskey/dotfiles/tree/master/pxeinstall-example/ansible) but... does the installer honor the proxy setting on url?
[16:08] <ApplesInArrays> I'm getting 100% of /dev/simfs in use. How would I go about resizing?
[16:15]  * X123 yawns
[16:27] <cbreak6> Hi when will constant updates stop?  Do the people who write all the programs know what they are doing or is it really that profoundly difficult?
[16:27] <ApplesInArrays> Don't yawn: I'm getting 100% of /dev/simfs in use. How would I go about resizing?
[16:29] <teward> cbreak6: define "constant updates"
[16:30] <cbreak6> like 3 times a week this and that, so and so found that...
[16:31] <teward> cbreak6: it's less a case of programmers *not* knowing what they're doing and instead security flaws being discovered - in the world of software and security there is always unending research into the stuff to determine vulnerabilities that need fixing
[16:31] <teward> but you can't assess it as "constant updates"
[16:31] <cbreak6> also why are updates released to the repos before we read about it?
[16:31] <teward> because constant updates would be like a git master branch.
[16:31] <cbreak6> its a pain in the ass :)
[16:31] <cbreak6> no mal intent
[16:32] <cbreak6> busy webserver admin here
[16:33] <cbreak6> teward agree on things being discovered
[16:33] <ApplesInArrays> cbreak6: How would you resize the said directory?
[16:33] <ApplesInArrays> If it were an auto-updating program.
[16:33] <cbreak6> do a fresh install after backup ;)
[16:33] <rberg-> cbreak6: it might be worth turning on unattended upgrades for the security repo.
[16:34] <cbreak6> ApplesInArrays resizing on a life site server is not recommended
[16:34] <cbreak6> live
[16:34] <ApplesInArrays> It's not really live right now
[16:34] <ApplesInArrays> It's all dead
[16:35] <ApplesInArrays> So a fresh 14.04, then resize and reload.
[16:35] <ApplesInArrays> I can do that
[16:35] <ApplesInArrays> but how do I go about resizing?
[16:35] <cbreak6> rberg- ty for that, will check it out
[16:35] <ApplesInArrays> I keep searching, but I can't figure it out
[16:36] <ApplesInArrays> "resize /dev/simfs"
[16:36] <cbreak6> ApplesInArrays hire an expert
[16:36] <cbreak6> I am not
[16:37] <rberg-> and I dont know what /dev/simfs is
[16:37] <cbreak6> neither do I
[16:37] <ApplesInArrays> I don't know, but it's at 100% and I can't do anything because of it.
[16:37] <ApplesInArrays> I guess it's just a directory
[16:38] <rberg-> looks like it's for openvz
[16:38] <cbreak6> be nice to see more experts offer services to fix things on the net
[16:38] <cbreak6> pretty hard to find
[16:39] <ApplesInArrays> It should be the same as resizing any other directory, no?
[16:39] <rberg-> ApplesInArrays: is the directory on the host that's providing that full?
[16:40] <ApplesInArrays> Yes.
[16:40] <cbreak6> ApplesInArrays your provider should have info
[16:41] <rberg-> it sounds like simfs is a "proxy-filesystem" provided by the host OS to a container, so I would think you need to expand the volume on the host
[16:43] <ApplesInArrays> I think I should move my MySQL then
[16:43] <ApplesInArrays> Since that's what's killing it. My scraper is grabbing 20MB/day text
[16:44] <rberg-> nntp?
[16:48] <ApplesInArrays> What's nntp?
[16:50] <pmatulis> have you ever heard of usenet?
[16:51] <ApplesInArrays> for me?
[16:51] <bearface> nntp is used for newsgroups/usenet
[17:33] <collizion> sebastianlutter: Multiply that by a reasonable buffer factor, and limit concurrent requests per IP address to that number.
[17:33] <collizion> Oops. Stupid buffer.
[18:00] <teward> cbreak6: if I may make a suggestion?
[18:00] <teward> cbreak6: given that i too am a busy sysadmin and all :P:
[18:01] <teward> cbreak6: my suggestion is to perform your updates during regular maintenance periods - schedule the maintenance to occur regularly, and do it by that schedule
[18:01] <teward> monthly, twice a month, etc.
[21:24] <ChrisAnubis> I am having an issue with apache2 on Ubuntu 14.04. I have setup the server and added my user to the /var/www/html group (via the sudo adduser myuser /var/www/html command) - I chmod the html dir to 775, but I still recvd an error when attempting to upload files to the server. Switching to chmod 777 allowed the file to upload.
[21:25] <ChrisAnubis> So the issue seems to be in my user being added to the group correctly. Can someone offer some guidance on how to do this correctly?
[21:31] <collizion> ChrisAnubis: There is no '/var/www/html' group. You might try the 'www-data' group instead. You also have to make sure that www-data is the owner user and group on /var/www/html and its subdirectories.
[21:31] <patdk-wk> as it shouldn't be by default
[21:32] <collizion> ChrisAnubis: As a rule, never (ever) set anything to 777 on permissions. That's not fixing anything, that's ignoring it.
[21:34] <ChrisAnubis> Thank you. I will make it the www-data group. Should I not have recvd an error when attempting to add myself to a group that does not exist?
[21:34] <collizion> ChrisAnubis: You should have, yes.
[21:36] <ChrisAnubis> collizion: I will check to see if it was the www-data group I added. Turned off the VM. If so, then it is most likely that the www-data group is not the current owner of /var/www/html, correct?
[21:38] <collizion> ChrisAnubis: It's not by default, because it is a security concession.
[21:39] <ChrisAnubis> collizion: ok. Thank you for the help.
[21:53] <ChrisAnubis> collizion: Thank you. That is what the issue was.
[22:51] <sarnold> will2: was it this security update? http://www.ubuntu.com/usn/usn-2455-1/
[22:53] <will2> woah... I'll never fully understand irc! that's a lot of text...
[22:53] <will2> sarnold - I am guessing it was, did a apt-get upgrade on the 11th, so, must be...
[22:53] <sarnold> will2: heh, that's part of a netsplit -- for a while there were two, three, or even more separate IRC networks; some clients try to compress it into "netsplit" messages, and some clients just show a few hundred quits and then joins...
[22:59] <wil3> I keep getting disconnected :/ sorry- hope you are not sending messages that I can't see :(
[23:00] <wil3> sarnold - thanks! and read through that... I don't really get the hack, but, I am guessing that is what it is... everywhere online it states that the correct way to do what I want is to do /usr/bin/mail -s "subject" "message" -- -f <address> -F <name> ... And, this worked for 2 years ... I don't understand the hack but need to find a way to fix this...
[23:00] <wil3> so...  I found using /usr/bin/mail -a from:address takes care of the -f, but, I can't find an alternative to the -F
[23:07] <wil2> just got kicked off :/