Re: [Server-devel] iptables generation (was Re: pppd restarting mysteriously)

2009-08-11 Thread Joshua N Pritikin
On Mon, Aug 10, 2009 at 08:55:55PM +0200, Martin Langhoff wrote:
> On Fri, Aug 7, 2009 at 2:15 PM, Joshua N Pritikin jpriti...@pobox.com wrote:
> > Here is the script I promised Martin.
>
> Right - thanks for that! I assume it works well and it's been tested
> for normal and ppp0 connectivity over there. How do you trigger it?

/etc/init.d/iptables sets IPTABLES_CONFIG to 
/etc/sysconfig/iptables-config and runs it.

I'm not sure what /etc/sysconfig/iptables-config.in is for. It seems to 
be ignored.

> Can you load the ruleset even if ppp0 is down?

Yes.

> I am wondering -- do we want local admins teams to be able to add
> rules relatively easily, in normal iptables syntax (meaning they can
> copy rules from books and howtos)? If so, a template to run through
> 'sed' might work better?
>
> What do you think?

See my attempt, attached.
From 339584865b35531cb03f1b52feedb35a2dd1b4a3 Mon Sep 17 00:00:00 2001
From: root r...@schoolserver.nashik.xs.laptop.org
Date: Fri, 7 Aug 2009 10:26:23 +0530
Subject: [PATCH] Automate iptable rules generation

---
 sysconfig/iptables-config |7 +
 sysconfig/olpc-scripts/gen-iptables   |   37 +
 sysconfig/olpc-scripts/iptables-xs.in |   12 ++
 sysconfig/xs_wan_device   |1 +
 4 files changed, 52 insertions(+), 5 deletions(-)
 create mode 100755 sysconfig/olpc-scripts/gen-iptables
 create mode 100644 sysconfig/olpc-scripts/iptables-xs.in
 create mode 100644 sysconfig/xs_wan_device

diff --git a/sysconfig/iptables-config b/sysconfig/iptables-config
index 819d809..f22076e 100755
--- a/sysconfig/iptables-config
+++ b/sysconfig/iptables-config
@@ -7,11 +7,8 @@
 ## config settings
 SERVER_NUM=`cat /etc/sysconfig/xs_server_number`
 if [ $SERVER_NUM=1 ];then
-if [ -e /etc/sysconfig/xs_httpcache_on ]; then
-	IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal.cache
-else
-	IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables.principal
-fi
+IPTABLES_DATA=/etc/sysconfig/olpc-scripts/iptables-xs
+/etc/sysconfig/olpc-scripts/gen-iptables  $IPTABLES_DATA
 fi
 
 # Load additional iptables modules (nat helpers)
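Review bot: the generator's output is captured into $IPTABLES_DATA without checking that gen-iptables succeeded (the redirect operator itself did not survive the archive, but the intent is clearly `gen-iptables > $IPTABLES_DATA`). If the Python script dies on an unhandled exception (missing template, unreadable xs_wan_device), the shell has already truncated the target, and that empty or partial file is exactly what /etc/init.d/iptables then hands to iptables-restore, so a generator failure becomes a silently empty ruleset on the next restart. Write to a temporary file and move it into place only on exit status 0, or leave IPTABLES_DATA pointing at the last good file when the generator fails. Separately, the unchanged `if [ $SERVER_NUM=1 ];then` just above the hunk is a single-token test that is always true, so this block runs on every server; it should read `if [ "$SERVER_NUM" = 1 ]; then`.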
diff --git a/sysconfig/olpc-scripts/gen-iptables b/sysconfig/olpc-scripts/gen-iptables
new file mode 100755
index 000..a049b31
--- /dev/null
+++ b/sysconfig/olpc-scripts/gen-iptables
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+
+import re;
+import os;
+import logging;
+
+#sysconfig = './'   # for testing
+sysconfig = '/etc/sysconfig/'
+
+wan = 'eth0'
+try:
+ conf = sysconfig + 'xs_wan_device'
+ file = open(conf)
+ wan = file.readline()
+ wan = re.sub(r'\s$', '', wan)
+except IOError:
+ logging.warning(conf +  not found, assuming +wan)
+ 
+try:
+ conf = sysconfig + 'xs_httpcache_on'
+ os.stat(conf)
+ squid = 1
+except OSError:
+ squid = 0
+
+#print(wan=+wan+ squid=%i % squid)
+
+template = open(sysconfig + 'olpc-scripts/iptables-xs.in')
+for line in template:
+ if re.match('@@MASQ@@', line):
+  print '-A POSTROUTING -o %s -j MASQUERADE' % wan
+ elif (re.match('@@SQUID@@', line)):
+  if squid:
+  for inf in ('lanbond0', 'mshbond0', 'mshbond1', 'mshbond2'):
+  print '-A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports 3128' % inf
+ else:
+  print(line.rstrip())
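Review bot: the value read from xs_wan_device is interpolated into an iptables rule without validation. `re.sub(r'\s$', '', wan)` strips exactly one trailing character, so a CRLF line ending, a trailing comment or a stray second token survives into `-A POSTROUTING -o ... -j MASQUERADE`, and one malformed line makes iptables-restore reject the whole file, leaving the XS with no NAT at all. Match the name against an interface-name pattern (no whitespace, at most 15 characters) and fall back to the default with a warning otherwise, as the IOError branch already does for a missing file. The `open()` of iptables-xs.in at the bottom is also outside any try, so a missing template crashes the script part-way through its output. Minor: trailing semicolons on the imports, `file` shadows the builtin, and `re.match('@@MASQ@@', line)` would be clearer and stricter as `line.strip() == '@@MASQ@@'`.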
diff --git a/sysconfig/olpc-scripts/iptables-xs.in b/sysconfig/olpc-scripts/iptables-xs.in
new file mode 100644
index 000..11dfb9f
--- /dev/null
+++ b/sysconfig/olpc-scripts/iptables-xs.in
@@ -0,0 +1,12 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+@@SQUID@@
+@@MASQ@@
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
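Review bot: the filter table in this template is entirely permissive: INPUT and FORWARD default to ACCEPT and carry no rules, so the only policy the XS applies is NAT, and anything that reaches ppp0 is accepted or forwarded. If the iptables.principal and iptables.principal.cache files that the first hunk stops using contained filter rules, they are silently lost by this change; either carry them over into the template (the same @@...@@ mechanism can expand a per-interface block) or state in the commit message that dropping them is intended. It would also help to say where template authors should put hand-written rules, since Martin's question was about letting local admins add rules in plain iptables syntax.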
diff --git a/sysconfig/xs_wan_device b/sysconfig/xs_wan_device
new file mode 100644
index 000..d4398d5
--- /dev/null
+++ b/sysconfig/xs_wan_device
@@ -0,0 +1 @@
+ppp0
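Review bot: this ships ppp0 as the WAN interface for every install, while gen-iptables falls back to eth0 only when the file is absent, so a deployment on a plain Ethernet uplink gets `-o ppp0 -j MASQUERADE` and no masquerading until someone edits the file. Since a one-line file cannot carry a comment without confusing `readline()`, document the file (allowed values, default) in iptables-config next to where gen-iptables is invoked, or teach the generator to skip comment lines so the file can explain itself.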
-- 
1.6.0.6

___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
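The template-plus-generator approach Martin asks about and Joshua's patch implements, written out here as an added example rather than code from the patch or the XS project. It keeps the same @@MASQ@@ and @@SQUID@@ placeholders, interface names and squid port as the patch, but validates the WAN interface name before it lands in a rule, refuses unknown placeholders, and writes the finished ruleset atomically so a failure never leaves a truncated file for iptables-restore to load. The template text and the sample inputs in the test are constructed for the example; the /etc/sysconfig paths are assumed from the patch.

```python
#!/usr/bin/env python3
"""Render an iptables-restore ruleset from a @@MASQ@@/@@SQUID@@ template.

Added example, not the patch's gen-iptables: same placeholder convention,
but the WAN interface name is validated before it reaches a rule and the
ruleset is assembled in memory and written atomically."""
import os
import re
import sys
import tempfile

# Linux interface names are at most 15 characters and contain no whitespace
# or '/'. Anything else is refused rather than interpolated into a rule.
IFACE_RE = re.compile(r'^[A-Za-z0-9_.:-]{1,15}$')

# LAN-side interfaces that get transparent proxying and the squid port, as in
# the patch. The template is constructed here and mirrors iptables-xs.in.
LAN_IFACES = ('lanbond0', 'mshbond0', 'mshbond1', 'mshbond2')
SQUID_PORT = 3128
TEMPLATE = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
@@SQUID@@
@@MASQ@@
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


def read_wan_device(text, default='eth0'):
    """Parse the contents of xs_wan_device: first non-blank line, whitespace
    stripped. An empty file gives the default; a malformed name raises
    instead of being pasted into a rule that iptables-restore would reject."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    name = lines[0] if lines else default
    if not IFACE_RE.match(name):
        raise ValueError('invalid interface name in xs_wan_device: %r' % name)
    return name


def render(template, wan, squid):
    """Expand the placeholders. An unknown @@...@@ marker is an error, so a
    typo in the template cannot silently drop a rule from the output."""
    if not IFACE_RE.match(wan):
        raise ValueError('invalid WAN interface name: %r' % wan)
    out = []
    for line in template.splitlines():
        marker = line.strip()
        if marker == '@@MASQ@@':
            out.append('-A POSTROUTING -o %s -j MASQUERADE' % wan)
        elif marker == '@@SQUID@@':
            if squid:  # expands to nothing when the cache is off
                for inf in LAN_IFACES:
                    out.append('-A PREROUTING -i %s -p tcp --dport 80 '
                               '-j REDIRECT --to-ports %d' % (inf, SQUID_PORT))
        elif marker.startswith('@@') and marker.endswith('@@'):
            raise ValueError('unknown placeholder %s in template' % marker)
        else:
            out.append(line.rstrip())
    return '\n'.join(out) + '\n'


def write_atomically(path, data):
    """Write to a temp file in the target directory and rename it over the
    target, so the file /etc/init.d/iptables loads is either the previous
    complete ruleset or the new complete one, never a partial write."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or '.')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def main(sysconfig='/etc/sysconfig/'):
    # Same inputs and output path as the patch's script (paths assumed).
    try:
        with open(os.path.join(sysconfig, 'xs_wan_device')) as f:
            wan = read_wan_device(f.read())
    except IOError:
        wan = 'eth0'
        sys.stderr.write('xs_wan_device not found, assuming %s\n' % wan)
    squid = os.path.exists(os.path.join(sysconfig, 'xs_httpcache_on'))
    with open(os.path.join(sysconfig, 'olpc-scripts/iptables-xs.in')) as f:
        template = f.read()
    write_atomically(os.path.join(sysconfig, 'olpc-scripts/iptables-xs'),
                     render(template, wan, squid))


if __name__ == '__main__':
    main()
```

Run it in place of gen-iptables and point IPTABLES_DATA at the file it writes; because the rename is the last step, iptables-config no longer needs a shell redirect, and a generator crash leaves the previous ruleset untouched rather than an empty one.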


[Server-devel] Get Satisfaction

2009-08-11 Thread Caroline Meeks
I spoke with Lane the founder of Get Satisfaction.
He is turning on the community gardening upgrade for us now to explore.  He
is very interested in working with us and giving us whatever upgrades we
want.

One of their features is the ability to do single sign on to gather more
information about the user. Here is my idea of how it might work.

Once Sugar is registered with an XS we could create a single sign on that
would let us know what name and XS-url a Sugar user is from (similar to how
our single sign on with Moodle works).  This should basically tell us what
deployment we are getting feedback from without the user doing anything.  It
would be a win for Get Satisfaction if we did this because it would be a
great case study for them to write up.  Would this be enough of a win for us
to be worth doing?  Any volunteers to do it on our end?

I asked about internationalization. They
are working on it for Q4 and would like our help beta testing.

I asked about changing Sugar Labs Employee to Sugar Labs
Volunteer. That is hard coded and is a known bug on their to be fixed
list. He didn't know when the fix would be out.

I am not yet committed to this particular solution. I just took on the task
of getting the upgrades donated so we could really understand what it can
do. Everyone please evaluate it and let's decide if this is a solution we
want to partner with.

Thanks,
Caroline

-- 
Caroline Meeks
Solution Grove
carol...@solutiongrove.com

617-500-3488 - Office
505-213-3268 - Fax


Re: [Server-devel] [IAEP] Get Satisfaction

2009-08-11 Thread Martin Langhoff
On Tue, Aug 11, 2009 at 2:03 PM, Caroline Meeks carol...@solutiongrove.com wrote:
> One of their features is the ability to do single sign on to gather more
> information about the user. Here is my idea of how it might work.
> Once Sugar is registered with an XS we could create a single sign on that
> would let us know what name and XS-url a Sugar user is from (similar to how
> our single sign on with Moodle works).  This should basically tell us what
> deployment we are getting feedback from without the user doing anything.  It
> would be a win for Get Satisfaction if we did this because it would be a
> great case study for them to write up.  Would this be enough of a win for us
> to be worth doing?  Any volunteers to do it on our end?

I would encourage & support people working on XS-based HTTP proxies
that can perhaps do SSO on behalf of the local user against specific
preconfigured remote servers.

Having an HTTP proxy that talks with our idmgr service is good for
other reasons too -- we can say only allow internet access to
registered users, and further that control into Moodle, so we can use
Moodle's sophisticated and fine-grained rights system to allow/ban
internet access.

But I would keep meticulously away from setting things up for any
specific service. It is up to every school to decide what to do.

The protections FERPA & related laws provide are valuable and
important. The goal of preserving privacy is one of our goals.

cheers,


m
-- 
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff


[Server-devel] Results of today's Jabber Testing

2009-08-11 Thread Caroline Meeks
I worked with the RIT contingent and Dave Farning today to do some
collaboration testing.

We tested with 8 computers on a rarely used dev XS system hosted by Solution
Grove. We had some UI challenges getting connected but once we were all
connected there seemed to be no particular problems or strange
behavior.

We then switched the computers to jabber.sugarlabs.org (also hosted by
Solution Grove).  It had about 29 people on it.  There were all sorts
of problems, people appearing and disappearing, getting dropped,
seeing a subset of people etc.
The CPU load was quite high.  Memory was not a problem.

At this point the room we were in was closing so we had to quit.

Our next test is to switch the DNS of jabber.sugarlabs.org to the rarely
used XS instance and try again tomorrow.

This is an easy test that will help us answer the following questions.

1. Does the number of people that have used the jabber server and thus are
in the roster have any effect on performance?
2. Is there any difference with this slightly newer XS install that matters?

Assuming that there is no difference and that when we have 20 odd people
connected we start to see failures, what tests should we do to try to
isolate the problem?

Thanks,
Caroline

-- 
Caroline Meeks
Solution Grove
carol...@solutiongrove.com

617-500-3488 - Office
505-213-3268 - Fax