This post is meant to be the sequel of the one I wrote one month ago about CentOS as router, transparent proxy, and much more. A big chunk of the precedent article is on how configure squid and squidGuard to act as a transparent proxy with URLs filtering capabilities. But there’s a problem with that: nowadays many sites (f4c3b00k.c0m just to name the most annoying one) are HTTPS. With HTTP one can really easily intercept a packet and read the payload (which contains the URL) but with HTTPS this is not possible anymore since the payload is encrypted. The only way to be able to read the payload of an HTTPS packet is doing a man-in-the-middle attack with a fake certificate, but that’s not advisable and you really don’t wanna do it. If, like in my case, we are not interested in what the users are doing but we just want them to not be able to access some sites/services/whatever ipset (combined with iptables) are the right tools for the job. iptables is a pretty powerful tool, the only real issue is that it doesn’t scale pretty well if the number of the rules is very big, and this is not a good thing since we probably want to blacklist thousands of IPs. And here comes ipset: with it it’s possible to manage huge blacklists without iptables slowing down. …

I got a new TV for the living room (a Panasonic Viera TX-L39E6E) which is DLNA capable. To be honest I’m also planning to build some kind of media center, maybe a really low power one, based on some kind of raspeberry-pi lookalike device. Anyway, for now I’m using my workstation (Fedora 19 x86_64) to stream video contents using miniDLNA. First of all, let’s install it with the usual: $ sudo yum install minidlna Then, edit the following file: …

As usual, long story short: I’ve to setup a firewall to log traffic, block some stuff and do some other things. – epel repo is required – The system is made of a single CentOS machine with 2 physical network adapters: eth0, connected to WAN, static IP address 192.168.0.3 eth1, connected to LAN, static IP address 10.0.0.1/24 .:. Network adapters configuration WAN network adapter: [root@CentOS ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" BOOTPROTO="none" HWADDR="**:**:**:**:**:**" IPADDR=192.168.0.3 NETMASK=255.255.255.0 GATEWAY=192.168.0.1 DNS=192.168.0.1 IPV6INIT="yes" IPV6_AUTOCONF="yes" NM_CONTROLLED="yes" ONBOOT="yes" TYPE="Ethernet" UUID="***" LAN network adapter: …

Ok, I know I fucked up, I know everyone who knows me just a little bit would never expect this, but I got my first mobile phone or, like they call them nowadays: a smartphone. I don’t like the smartphone buzzword since I think the only smart ones here are the guys who are able to sell this stuff for hundreds of bucks to billions of people, so I’ll stick with the old and almost forgotten mobile phone name. Anyway, I got this brand new Nexus 4, played with it a couple of days and then, following the official guide on CyanogenMod site, I installed the latest stable release of it (based on Android 4.2.2). – Why the Nexus 4? Because Nexus devices are the only Android phones worth to be bought. – CyanogenMod works great and with some programs (don’t fucking call them apps, seriously, don’t do it) installed (k-9 Mail, OpenVPN, BusyBox and JuiceSSH) I’m almost able to perform all the tasks I usually do with my workstation or Thinkpad. The only real issue is the process, or whatever it is, called Google Services using an enormous amount of network resources without any apparent good reason. Luckily I’ve a friend called DuckDuckGo which in a bunch of seconds was able to tell me how to solve the issue. The problem seems to be connected to the Google Play Store which is completely retarded and keeps downloading some kind of system updates which obviously is not able to install since I’m not using the stock Android operating system provided by Google. The solution is pretty simple: …

It’s summer, it’s hot as hell, I am back home from mountains and I’ve plenty of free time. Between a barbecue and the next one I spend my time playing with and learning new stuff: this week new stuff is called QEMU-KVM. Yesterday I also tried XenServer but to be honest I wasn’t impressed, it just look like to be an old version of CentOS minimal install with some custom repos and a fancy GUI. I played with it for just a bunch of hours, but the thing that just performing an installation on a software RAID-1 turned out to be a PITA to say the least is a clear sign that it’s not the best tool for my needs. I swapped a couple of HDDs and in 2 minutes I went back to the already installed CentOS 6.4 with QEMU+KVM. The client machine, for what it matters, is my Fedora 19 x86_64 workstation, virsh and virt-manager the tools I use for remote administration tasks. Installing QEMU-KVM is just a matter of typing yum install libvirtd qemu-kvm bla bla bla, chkconfig libvirtd on and doing a system reboot (better safe than sorry). The tricky part at least for me was setting up a damn bridged network interface, luckily I found this great writeup. I am going to report here what I did to setup a couple of bridged network interfaces on my setup. …

Given that SSL and TLS, especially v1.0, suffer from serious security issues (e.g. https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS) I thought it would be a good idea to use the latest and more secure version of it: v1.2. On CentOS 6.4 the openssl version included is quite old and doesn’t support TLS v1.1 and 1.2. So, first of all we have to install the latest version 1.0.1e, it can be done compiling from sources or by adding a third party repository; I chose the latter. …

Let’s say we have a WordPress blog and we would like to encrypt our login pages and the whole back-end of the site. There are many ways to do it, but since I already have a nginx instance configured as reverse proxy running in front of Apache I’ll use it to protect my admin pages and logins. In this page I’ll not cover Apache’s configuration, which, by the way, is trivial to say the least, so please refer to this other post: Apache + nginx as reverse proxy. Using the configuration posted in the above’s link as starting point, to add SSL encryption to admin pages we should add a couple more bunch of lines of code. First of all, we must create our own Certificate Authority and issue a SSL certificate. Another option is buying a certificate, but I don’t trust CA (certificate forgery anyone?) and I don’t mind having a properly signed certificate for a page I am the only one accessing to. Follows a brief explanation on how to create a CA and issue a certificate. …

A new Linux kernel version is released and guess what: VMware Workstation fucked up once again. The fix posted on the Arch Linux wiki is applicable also to Fedora 19, I’ll post it here for future reference. $ cd /tmp $ curl -O http://pkgbuild.com/git/aur-mirror.git/plain/vmware-patch/vmblock-9.0.2-5.0.2-3.10.patch $ curl -O http://pkgbuild.com/git/aur-mirror.git/plain/vmware-patch/vmnet-9.0.2-5.0.2-3.10.patch $ cd /usr/lib/vmware/modules/source # tar -xvf vmblock.tar # tar -xvf vmnet.tar # patch -p0 -i /tmp/vmblock-9.0.2-5.0.2-3.10.patch # patch -p0 -i /tmp/vmnet-9.0.2-5.0.2-3.10.patch # tar -cf vmblock.tar vmblock-only # tar -cf vmnet.tar vmnet-only # rm -r vmblock-only # rm -r vmnet-only # vmware-modconfig --console --install-all For more information: https://wiki.archlinux.org/index.php/VMware#3.10_kernels …