07/05/09
So, I have been having some problems with my ISP again. However, I have a 3G modem (Option iCON 225) that works in Linux, but you cannot pass it to DomU directly by creating a bridge and attaching that. So I have the following setup:
Internet<->modem<->Dom0
Internet<->DomU<->Dom0
There are several things I need to do:
0. Get DKMS
1. Get hso driver
1.1. Unpack it to /usr/src/hso
1.2. dkms add -m hso -v 1.9; dkms build -m hso -v 1.9; dkms install -m hso -v 1.9
2. Obtain some scripts
2.1. cp -f hso.udev /etc/udev/rules.d/z20_hso-udev.rules; cp -f rezero /usr/sbin/; /etc/init.d/udev restart
2.2. Stick the modem in
2.3. Modify the connect.sh script:
Find the line "route add default dev $NETDEV". Modify it to the following:
ip route add default dev $NETDEV table 10
ip route add $INTERNALRANGE dev $INTERNALBRIDGE table 10
iptables -t nat -A POSTROUTING -s $BACKUPIP -o hso0 -j SNAT --to-source $PIP
iptables -t nat -A PREROUTING -i $NETDEV -j DNAT --to-dest $BACKUPIP
ip rule add from $BACKUPIP/32 to any table 10
INTERNALRANGE=Your internal IP range, for example 10.49.2.0/24.
INTERNALBRIDGE=Your internal bridge device, for example xenbr0
BACKUPIP=The router's IP which you will set as the source for the packets that you want to pass through the 3G modem
Find the line "ifconfig $NETDEV down". Modify it to the following (note that the teardown deletes the policy rule added on the way up; it must not add it again):
ip route flush table 10
iptables -t nat -D POSTROUTING -s $BACKUPIP -o hso0 -j SNAT --to-source $PIP
iptables -t nat -D PREROUTING -i $NETDEV -j DNAT --to-dest $BACKUPIP
ip rule del from $BACKUPIP/32 to any table 10
ifconfig $NETDEV down
You might also want to comment out the resolv.conf lines.
2.4. Modify conninfo.ini
Note! Dom0 should have IP forwarding enabled, so "echo 1 > /proc/sys/net/ipv4/ip_forward". Use sysctl to set it at boot time.
3. Set the DomU
3.1. Add $BACKUPIP to $INTERNALBRIDGE
3.2. Add to boot script (for example, /etc/rc.local):
ip route add $INTERNALRANGE dev $INTERNALBRIDGE
ip route add default via $DOM0IP dev $INTERNALBRIDGE
ip rule add from $BACKUPIP lookup 10
Test with:
traceroute -s $BACKUPIP ping.funet.fi
haruhi:~# traceroute -s 10.2.255.1 ping.funet.fi
traceroute to ping.funet.fi (128.214.248.132), 30 hops max, 40 byte packets
1 nanoha.serv.azt (10.2.0.10) 0.000 ms 0.000 ms 0.000 ms
2 ge0-0-1-650.esptnl-pe1.fi.elisa.net (213.161.47.241) 1384.000 ms 1384.000 ms 1416.000 ms
3 ae2.heltli-gw1.fi.elisa.net (139.97.6.246) 1416.000 ms 1456.000 ms 1536.000 ms
4 csc.ficix1-ge.ficix.fi (193.110.226.14) 1616.000 ms 1616.000 ms 1692.000 ms
5 helsinki0-x4100-csc0.funet.fi (193.166.255.154) 1736.000 ms 1784.000 ms *
6 ns-secondary.funet.fi (128.214.248.132) 424.000 ms !X 504.000 ms !X 556.000 ms !X
Now everything sent to your modem will be redirected to DomU. Unfortunately the only way to detect such packets on the DomU side is to match everything but internal IPs, but you can improve this if you want (for example, by setting ToS or creating a new bridge for DomU-Dom0 communication).
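The connect.sh hooks from step 2.3 as an added example (not the author's script): the up and down halves as two functions, the teardown deleting the policy rule instead of re-adding it, a check before each nat rule so a reconnect does not stack duplicates, and a DRY_RUN mode that records the commands instead of running them. The interface name, address range and PIP values below are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the original connect.sh. Values are assumed placeholders.
NETDEV=${NETDEV:-hso0}                      # modem interface (hso0 on the page)
INTERNALRANGE=${INTERNALRANGE:-10.49.2.0/24} # internal range, as in the page's example
INTERNALBRIDGE=${INTERNALBRIDGE:-xenbr0}
BACKUPIP=${BACKUPIP:-10.49.2.250}           # assumed DomU-side backup address
PIP=${PIP:-192.0.2.10}                      # assumed address the 3G provider gave us
TABLE=10
DRY_RUN=${DRY_RUN:-0}
LOG=""

# Execute a command, or in DRY_RUN mode append it to LOG (one per line).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        LOG="$LOG$*
"
    else
        "$@"
    fi
}

# Append a nat rule only if an identical one is not already present (-C checks).
nat_add() {
    if [ "$DRY_RUN" = 1 ] || ! iptables -t nat -C "$@" 2>/dev/null; then
        run iptables -t nat -A "$@"
    fi
}

hso_up() {
    run ip route add default dev "$NETDEV" table "$TABLE"
    run ip route add "$INTERNALRANGE" dev "$INTERNALBRIDGE" table "$TABLE"
    nat_add POSTROUTING -s "$BACKUPIP" -o "$NETDEV" -j SNAT --to-source "$PIP"
    # Everything arriving on the modem is handed to DomU; scope this if you can.
    nat_add PREROUTING -i "$NETDEV" -j DNAT --to-destination "$BACKUPIP"
    run ip rule add from "$BACKUPIP/32" to any table "$TABLE"
}

hso_down() {
    # Reverse order of hso_up; 'ip rule del' undoes the rule added above.
    run ip rule del from "$BACKUPIP/32" to any table "$TABLE"
    run iptables -t nat -D PREROUTING -i "$NETDEV" -j DNAT --to-destination "$BACKUPIP"
    run iptables -t nat -D POSTROUTING -s "$BACKUPIP" -o "$NETDEV" -j SNAT --to-source "$PIP"
    run ip route flush table "$TABLE"
}
```

Run with DRY_RUN=1 first and inspect LOG before letting it touch the live tables.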
06/28/08
So, I wanted to create a completely virtualized lab environment, including virtualized network devices.
05/31/08
So, since my network is getting bigger, I decided to finally switch to LDAP authentication. However, I provide shell access to certain boxes for friends, so I had to make sure they will only get access to their current system and nothing else.
After a bit of searching, I found out about the pam_groupdn attribute. It allows specifying a group that can access the selected PAM resource. Unfortunately it doesn't support nested groups.
While configuring the LDAP authentication, I ran into some problems. The biggest problem was the fact that the PAM authentication wasn't working. It was sending "[few non-printable chars]INCORRECT" to the LDAP server. After a while, I discovered why: it was using SASL. And I couldn't find any way to disable that (my LDAP server is only accessible within the LAN and to VPN clients, so I don't need to worry about encrypting the authentication).
Anyway, once I figured that out, the rest was easy.
05/11/08
So, I finally got a reason to get into VOIP as it will be required for a certain thing I’m doing soon.
Connecting 3G-modem to DomU