IPtables Tarpit Support in Karmic

Edit: If you’re using Ubuntu 10.04 or higher this is no longer needed. The xtables-addons in the repositories compiles just fine.

IPtables has a nifty feature called Tarpit. In terms of IPtables a tarpit

“captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes.” (from the TARPIT target description in the xtables-addons manual page)

In practice the remote host cannot close the connection; it is stuck with it until its own timer gives up, tying up its resources while yours are untouched. 😈 Great for those pesky spammers that won’t leave your server alone. However, this target is not considered stable, so it is not included in the standard version of IPtables, and therefore Ubuntu does not ship it. Karmic does offer a fairly simple way to install it.

Karmic has a package in the repos called “netfilter-extensions-source” which contains the source for the Tarpit module as well as some other additions to IPtables; according to upstream, however, that package is deprecated. It’s also broken. So the package we need is “xtables-addons-source”. That one is also broken in Karmic. Fun fun. 🙄 So we’ll need to borrow the version from Lucid.

wget http://archive.ubuntu.com/ubuntu/pool/universe/x/xtables-addons/xtables-addons-source_1.21-1_all.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/x/xtables-addons/xtables-addons-common_1.21-1_i386.deb
# For 64bit:
wget http://archive.ubuntu.com/ubuntu/pool/universe/x/xtables-addons/xtables-addons-common_1.21-1_amd64.deb

Now install them. If you’re doing this on a server I recommend using the command-line version of gdebi, since it will resolve the dependencies for you. We’ll also need Quilt so that the build can apply some patches when it compiles.

sudo apt-get install gdebi-core quilt
sudo gdebi xtables-addons-source_1.21-1_all.deb
sudo gdebi xtables-addons-common_1.21-1_i386.deb
# 64bit:
sudo gdebi xtables-addons-common_1.21-1_amd64.deb

Now just run the following command to compile and install it

sudo module-assistant --verbose --text-mode auto-install xtables-addons

Say yes to any additional packages it wants to install and then it will automatically compile it, package it into a deb and install it.

Now you can create some rules using the Tarpit module.

sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

This tarpits every new TCP connection to port 80 from any source. Heads up if you’re actually running something on that port, as it will become unreachable for everyone. Also remember that iptables evaluates rules in order: if an earlier rule in INPUT already accepts port 80, packets never reach this one.

Or perhaps you want to target a specific IP

sudo iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT

Where x.x.x.x is the IP address (a CIDR range such as x.x.x.0/24 also works with -s).
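As an added example that is not part of the original post, here is a small POSIX shell script that turns a blocklist into tarpit rules along the lines of the two rules above. It assumes the xtables-addons TARPIT target built earlier, checks that both the userspace extension and the xt_TARPIT kernel module are present before anything is loaded, and emits a NOTRACK rule in the raw table next to each TARPIT rule so the kernel does not allocate a connection-tracking entry for flows it is deliberately holding open (the TARPIT documentation recommends this; without it the “no local per-connection resources” property is lost). The function names, the blocklist contents and the port are my own constructions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: generate TARPIT rules for a
# blocklist of source addresses. Assumes the xtables-addons TARPIT target
# (userspace extension plus the xt_TARPIT kernel module) is installed.
set -eu

# Check both halves of the target before loading any rules: a rule set that
# references -j TARPIT on a kernel without xt_TARPIT fails to load, and a
# failed load during boot can leave the host with no firewall at all.
tarpit_available() {
    iptables -j TARPIT --help >/dev/null 2>&1 &&
    modprobe -n xt_TARPIT >/dev/null 2>&1
}

# build_rules [port]
# Reads a blocklist from stdin (one IPv4 address or CIDR per line, '#' starts
# a comment) and prints the iptables commands instead of running them, so
# they can be reviewed first and then piped into "sudo sh". With a port, only
# TCP to that port is tarpitted; with no port, all TCP from the source is.
build_rules() {
    dport=""
    if [ -n "${1:-}" ]; then
        dport=" --dport $1"
    fi
    line=""
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$addr" ] || continue
        # Raw-table NOTRACK: the point of a tarpit is to spend the peer's
        # resources, not ours, so do not create a conntrack entry per flow.
        printf 'iptables -t raw -A PREROUTING -s %s -p tcp%s -j NOTRACK\n' \
            "$addr" "$dport"
        # Insert at the head of INPUT so an earlier ACCEPT cannot shadow it.
        printf 'iptables -I INPUT -s %s -p tcp%s -j TARPIT\n' "$addr" "$dport"
    done
}

# Example usage (constructed blocklist; the addresses come from the ranges
# reserved for documentation):
#   printf '203.0.113.7\n198.51.100.0/24 # spam net\n' | build_rules 25
#   tarpit_available && build_rules 25 < blocklist.txt | sudo sh
```

Printing the commands rather than applying them directly is deliberate: the output can be read, diffed against the previous blocklist and kept with the rest of the firewall configuration, and a typo in the blocklist shows up before it costs you a connection.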

These are only a couple of basic examples. There’s a lot more you can do with IPtables and tarpitting that is beyond the scope of this post, but a quick search will turn up plenty of good info on IPtables. For a basic intro to IPtables I recommend reading this.

Update: If you get a kernel update that bumps the ABI (e.g. 2.6.31-15-generic to 2.6.31-16-generic) then you will have to rebuild the xtables package after rebooting into the new kernel; until you do, any rule that uses -j TARPIT will fail to load on the new kernel. To do this just rerun the module-assistant command

sudo module-assistant --verbose --text-mode auto-install xtables-addons

Actually, I’ve found that this is better, since you can recompile it before rebooting and so avoid any period of time without a firewall.

sudo module-assistant --verbose --text-mode -l <kernel-version> auto-install xtables-addons

Replace <kernel-version> with the new kernel such as “2.6.31-17-generic”
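As an added example (again not part of the original post), here is a shell helper for the situation the update above describes: it lists installed kernels that have no xt_TARPIT module yet, so the module-assistant rebuild can be run for each of them before the reboot rather than discovered missing afterwards. The function names are mine, the modules-directory argument and the DRY_RUN switch exist only so the logic can be exercised against a constructed directory tree, and on a real host both functions are meant to be called with no argument.

```shell
#!/bin/sh
# Added example, not from the original post: find installed kernels that
# lack the xt_TARPIT module and rebuild xtables-addons for them before
# rebooting. Assumes modules live below /lib/modules/<version>/ (searched
# recursively, since the module-assistant package installs into a
# subdirectory); the directory argument and DRY_RUN are for testing.
set -eu

# kernels_missing_tarpit [modules_dir]
# Prints one kernel version per line that has no xt_TARPIT.ko anywhere
# under its module tree.
kernels_missing_tarpit() {
    moddir="${1:-/lib/modules}"
    for d in "$moddir"/*/; do
        [ -d "$d" ] || continue
        if [ -z "$(find "$d" -name 'xt_TARPIT.ko' 2>/dev/null | head -n 1)" ]; then
            basename "$d"
        fi
    done
}

# rebuild_for_missing [modules_dir]
# Runs module-assistant once per kernel from the list above, using -l so the
# build targets that kernel rather than the running one. DRY_RUN=1 prints
# the command instead of running it.
rebuild_for_missing() {
    kernels_missing_tarpit "${1:-/lib/modules}" | while IFS= read -r k; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'would run: module-assistant --text-mode -l %s auto-install xtables-addons\n' "$k"
        else
            module-assistant --verbose --text-mode -l "$k" auto-install xtables-addons
        fi
    done
}

# Usage on a real host: source this file, then
#   kernels_missing_tarpit          # report only
#   DRY_RUN=1 rebuild_for_missing   # show the builds that would run
#   rebuild_for_missing             # run them (as root)
```

Running the report step after every kernel upgrade, and before rebooting, is the check that keeps a tarpit-using firewall from silently failing to load on the new kernel.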

So Much Potential

I was doing some thinking and I realized there’s a few pieces of technology in Linux that have so much potential but are extremely under-utilized.

PolicyKit

PolicyKit is an awesome piece of software. It allows for a finer-grained permission system: instead of launching an entire application as root, you can elevate your privileges for a single action in a seamless manner. However, PolicyKit is badly under-used. For example, when Gnome deprecated gnome-vfs and moved to gio/gvfs, Nautilus supposedly got a framework in place that would allow PolicyKit integration. So if you needed root permissions to make changes to the file system you would be able to basically click a button and elevate your privileges through PolicyKit. Synaptic could also benefit from some PolicyKit integration. Why isn’t PolicyKit used more?

Tracker

Tracker is a great metadata indexer that crawls your file system and indexes metadata from files. Instead of only searching by file name, you can use Tracker to search ID3 tags or search for text in an OpenOffice or Word document. The problem is, no one has integrated this great search functionality into applications. Once again, there’s an opportunity for some integration with Nautilus. If Nautilus could use Tracker as a backend for searching and had the ability to add tags to files, it would really add some great functionality.

There’s so much potential here. It’s a shame it’s not being used.

Iomega Prestige HDD and Karmic

Just a little heads up. If you have an Iomega Prestige USB hard drive, you suspend your machine a lot, and you are planning to upgrade to Ubuntu 9.10 (or already have), there’s an annoying bug that puts the drive into an unresponsive state until it is power cycled. The symptoms include

  • Takes a long time to actually suspend, waiting at a blank screen
  • Drive doesn’t automatically power off like it should when it detects the computer has been suspended
  • Drive is no longer visible to the system after resuming, even after unplugging it and plugging it back in
  • Must be power cycled before it functions properly again

Here’s the bug report

Update: HP LaserJet p1505 on Ubuntu

I am happy to announce that the HP LaserJet p1505 printer works out of the box on Ubuntu 9.10. 😀 None of the hacking around that was required for Ubuntu 9.04 is needed any more. If you followed my other post to compile the drivers and you are going to upgrade to Karmic, it would be best to uninstall the compiled version of foo2zjs first. Hopefully you’ve kept the source directory around. If so, all you need to do is “cd” into the directory and run

sudo make uninstall

Then you can upgrade and then reinstall the Ubuntu foo2zjs package

sudo apt-get install foo2zjs

When you plug the printer in, system-config-printer may ask whether you want to install a plugin for the printer. Accept and follow the instructions. Afterwards you will probably need to open hp-toolbox and click the “download firmware” button in the main window, after which the printer should be working. That said, after I upgraded and plugged in the printer it “just worked” and I didn’t have to do any of that. As much as I was disappointed that this printer didn’t work in Jaunty, I am equally happy that it is working perfectly in Karmic. 😀

HP LaserJet p1505 on Ubuntu

Update: See here if you’re using Ubuntu 9.10 (Karmic)

Recently an HP LaserJet p1505 printer came into my possession and I was eager to set it up with Ubuntu. Unfortunately (and disappointingly so, considering how well the other HP printers I have work 😦) this printer does not work out of the box. There seem to be a number of factors in play. For one thing, this printer requires firmware to be loaded every time it is plugged in, which spells trouble all by itself. Another is that if you try to install this printer through hp-toolbox, it will offer to automatically download and install a plugin that the printer requires. If you do it this way, it will appear to have downloaded and installed the plugin successfully. That is not the case; it doesn’t do anything at all. Some have reported success by running

sudo hp-setup

manually.  For me, this did actually successfully download and install the plugin.  However, the printer was still not working.  Here is what I had to do to get this printer working.  If you’re having trouble with this printer, this may be worth a try.

If you haven’t already, install hp-toolbox

sudo apt-get install hplip-gui

Remove the foo2zjs if it happens to be installed

sudo apt-get remove --purge foo2zjs

Make sure to delete the printer from System → Administration → Printing if you’ve already tried adding it.

We’re going to need build-essential for this.  So install the build-essential package

sudo apt-get install build-essential

Now get the source for foo2zjs. Note that this fetches an unsigned tarball over plain HTTP (and the getweb step below fetches the firmware the same way), and the later steps build and install it as root; if the project publishes a checksum for the tarball, verify the download against it before building.

wget -O foo2zjs.tar.gz http://foo2zjs.rkkda.com/foo2zjs.tar.gz

Unpack it and enter the directory

tar -xzvf foo2zjs.tar.gz
cd foo2zjs

Now to compile it. Just run

make

After it’s done compiling, we need to download the firmware. So run

./getweb P1505

Now to install everything.  Run

sudo make install
sudo make install-hotplug

And finally to restart CUPS

sudo make cups

Now you can add the printer with System → Administration → Printing.  Be sure to select the Foomatic/foo2xqx driver.  The printer should now be working.  The only quirk that seems to be present is that hp-toolbox thinks there is some kind of error with the printer that says “service request please correct the problem and try again.” Yet there’s nothing wrong with the printer.


Resources:

http://foo2xqx.rkkda.com/

https://bugs.launchpad.net/ubuntu/+source/hal-cups-utils/+bug/289410

Upgrades

Every time around a new Ubuntu release the topic of upgrade vs. fresh install always comes up.  I’ve noticed that there seems to be a general hate towards upgrades.  The most common thing I hear is that the upgrade totally breaks your system, it will make you lose all your money, and it will burn your house down.  Ok, well maybe not the last two things, but there seems to be a lot of “OMG upgrades are bad!!!!” out there.  Now I may be going out on a limb here, but I think a lot of people just repeat what others say about upgrades.  I’d be willing to say that a lot of the people that say the upgrade breaks the system have never actually done an upgrade, they just get suckered in by all the other people saying upgrades break your system.  And then it just goes in circles.

Now I’m not saying that Ubuntu’s upgrade process has never broken someone’s system, I’m sure it has, more than a few too.  Nothing is perfect.  What I’m saying is that the upgrade breakage is being blown way out of proportion.  Personally, I have upgraded 5 computers multiple times and I have never had a single thing break due to the upgrade.  My desktop machine has not seen a reinstall since Ubuntu 7.10 was released.  It’s been upgraded three times and it’s still running strong, never had anything break on it due to an upgrade.  So either I’ve been extremely lucky or it’s not as bad as everyone makes it out to be.  I’m thinking the latter.

</rant>
