Posted by admin on April 6, 2009 under Tech Tips |
Line wrapping text from the command line is easy with the fold utility, which of course is provided by the Free Software Foundation. By default, the fold command will wrap text at 80 characters, but you can of course specify the width manually. I prefer using the -s option, which will break only on spaces, making sure not to break in the middle of a word.
For example, the following command will concatenate a text file to standard output, adding line breaks only at spaces or at 72 characters, whichever comes first.
fold -s -w 72 textfile.txt
This can also be useful if you want to clearsign a message with Gnupg, but wish to line wrap it beforehand.
fold -s -w 72 textfile.txt | gpg --clearsign -u [email protected]
Add redirection if you wish to output the results to a file.
fold -s -w 72 textfile.txt > newfile.txt
As mentioned here, the fmt command also provides the same primary features of fold, but is much better. Not only does it wrap long lines, but it also fills out short lines as well. There are additional options that are worth looking into. Be sure to check out the man page!
man fmt
Posted by admin on November 26, 2008 under Tech Tips |
When backing up data to a CD or DVD, you may find it useful to encrypt the entire disc just in case the media falls into the wrong hands. Some people may advise compressing your files within tar/gzip archive and use PGP to encrypt the data, burning the resulting data to disc. The challenge, however, is how easy it is to work with the data after the burn process. You are typically required to decrypt and extract the archive to your hard disk if you wish to access the files within.
A much more flexible method for Linux users is to encrypt the entire CD or DVD with an AES symmetric key, and work with the data by simply mounting the disc. This means you don’t have to copy the files, they are simply presented to you as you would expect with an unencrypted disc.
Prerequisites
Prerequisites include loading the Cryptoloop kernel module and the installation of the Loop-AEStoolset. Installing these packages in Ubuntu/Debian and loading the cryptoloop module is a snap.
sudo apt-get install aespipe loop-aes-utils
sudo modprobe cryptoloop
Verify that cryptoloop and AES kernel modules are loaded with lsmod.
lsmod | grep cryptoloop
cryptoloop 10880 0
loop 23180 1 cryptoloop
lsmod | grep aes
aes_i586 15744 2
aes_generic 35880 1 aes_i586
If you had to load these modules by hand, make sure to add them to /etc/modules so that they are loaded on boot up.
Create, burn and mount encrypted images
To create a standard CD image, use genisofs (formally known as mkisofs), pipe the output to aespipe, and redirect the final output to an ISO file. Notice that we have specified that aespipe will use AES256 encryption, and it will has you to enter a password twice. Don’t lose it! ?
genisoimage -quiet -r Documents/ | aespipe -T -e aes256 > documents.iso
Password: (enter password)
Retype password: (enter password)
Mount the image using the encryption option. The mounting process will ask you for the passphrase.
sudo mount -o loop,encryption=aes256 documents.iso /mnt
Password: (enter password)
Burn the disc image, replacing /dev/dvdrw with the appropriate value for your system. wodim was formerly known as cdrecord, so feel free to replace it with any command you are familiar with.
wodim dev=/dev/dvdrw documents.iso
Mount the CD/DVD using the same mount options as previously demonstrated.
sudo mount -o loop,encryption=aes256 /dev/dvdrw /mnt
Password: (enter password)
Work with your files as you would with any normal CD or DVD.
ls -l /mnt/
total 0
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile1.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile2.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile3.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile4.txt
Posted by admin on under Tech Tips |
When backing up data to a CD or DVD, you may find it useful to encrypt the entire disc just in case the media falls into the wrong hands. Some people may advise compressing your files within tar/gzip archive and use PGP to encrypt the data, burning the resulting data to disc. The challenge, however, is how easy it is to work with the data after the burn process. You are typically required to decrypt and extract the archive to your hard disk if you wish to access the files within.
A much more flexible method for Linux users is to encrypt the entire CD or DVD with an AES symmetric key, and work with the data by simply mounting the disc. This means you don’t have to copy the files, they are simply presented to you as you would expect with an unencrypted disc.
Prerequisites
Prerequisites include loading the Cryptoloop kernel module and the installation of the Loop-AEStoolset. Installing these packages in Ubuntu/Debian and loading the cryptoloop module is a snap.
sudo apt-get install aespipe loop-aes-utils
sudo modprobe cryptoloop
Verify that cryptoloop and AES kernel modules are loaded with lsmod.
lsmod | grep cryptoloop
cryptoloop 10880 0
loop 23180 1 cryptoloop
lsmod | grep aes
aes_i586 15744 2
aes_generic 35880 1 aes_i586
If you had to load these modules by hand, make sure to add them to /etc/modules so that they are loaded on boot up.
Create, burn and mount encrypted images
To create a standard CD image, use genisofs (formally known as mkisofs), pipe the output to aespipe, and redirect the final output to an ISO file. Notice that we have specified that aespipe will use AES256 encryption, and it will has you to enter a password twice. Don’t lose it! ?
genisoimage -quiet -r Documents/ | aespipe -T -e aes256 > documents.iso
Password: (enter password)
Retype password: (enter password)
Mount the image using the encryption option. The mounting process will ask you for the passphrase.
sudo mount -o loop,encryption=aes256 documents.iso /mnt
Password: (enter password)
Burn the disc image, replacing /dev/dvdrw with the appropriate value for your system. wodim was formerly known as cdrecord, so feel free to replace it with any command you are familiar with.
wodim dev=/dev/dvdrw documents.iso
Mount the CD/DVD using the same mount options as previously demonstrated.
sudo mount -o loop,encryption=aes256 /dev/dvdrw /mnt
Password: (enter password)
Work with your files as you would with any normal CD or DVD.
ls -l /mnt/
total 0
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile1.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile2.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile3.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile4.txt
Posted by admin on October 19, 2008 under Tech Tips |
Here’s a simple tutorial on how to backup a list of all your installed repository applications, and restore them to another machine, perhaps even the same machine after a clean installation. This can save you an incredible amount of time, especially when this task must be repeated often. Of course, being that Ubuntu is based on Debian, this will work for any Debian based platform.
First, from a computer with all the applications preinstalled, retrieve your installed package list and redirect the output to a file called packages.txt. Save this package list somewhere so that you can use it for the restore process.
sudo dpkg --get-selections > packages.txt
To restore all the applications from your list, you must follow a three step process very carefully.
sudo dpkg --clear-selections
sudo dpkg --set-selections < packages.txt
sudo aptitude install
You will be prompted to install all the new applications in the list.
Another example of what this process allows you to do is create a baseline of all the applications after a clean installation of Ubuntu. Let’s say you would like to remove any applications installed since the clean install, perform the exact same process, and any package not defined in that list will be removed.
sudo dpkg --get-selections > clean-install-package-list.txt
sudo dpkg --clear-selections
sudo dpkg --set-selections < clean-install-package-list.txt
sudo aptitude install
The very first command of “–clear-selections” marks all currently installed packages to the state “deinstall”. When you restore the list of applications using “–set-selections”, only packages ommited from the list will remain in the “deinstall” state. Aptitude will honor the deinstall state and remove the extra packages, leaving you only with packages from the list. Most excellent.
Posted by admin on September 21, 2008 under Tech Tips |
WARNING! THIS POST HAS BEEN MARKED AS OUTDATED!
While there may be useful information still contained within the article, there may be other more relevant articles out on the Internet. Please pay close attention to version numbers of software that this article refers to. If you’re not careful, you could break your system if you do not understand what you are doing. If you would like to see this article updated, please contact the site administrator using the Contact page. Thanks!
UPDATE (12/13/2009):The latest versions of VirtualBox 3 have made great improvements in their guest networking options. It is now possible to natively bridge and NAT multiple guests behind a single virtual interface. The suggestions on this post still work fairly well, so I will leave it up as there is a great deal of useful information that come in handy in some scenarios. Please refer to the latest VirtualBox documentation for more help on using their native networking options.
ORIGINAL: Here’s a detailed tutorial on VirtualBox host interface networking with NAT for multiple guests. I typically run a number of guests simultaneously for labs and product testing, so they all need internet access through my host, as well as full communication directly with each other.
The built in NAT interface of VirtualBox isn’t very flexible for what we want to do, so here’s a summary what what we will do. We’ll create three TAP interfaces, one for each guest, since TAP interfaces cannot be shared by multiple guests. These interfaces will serve as each guest’s default gateway, but all of the guests will use the same address space and subnet mask. For full communication between the guests, we’ll add appropriate host routes and enable proxy ARP on the host. Nothing will need to be configured on the guests accept for their IP address, subnet mask, default gateway, and DNS if needed.
Here’s a diagram of the virtual topology, which hopefully will make things a little more clear.
VirtualBox Host Interface NAT Topology
Getting Started
You’ll need to install the User Mode Linux utilities first, if you have done so already.
sudo apt-get install uml-utilities
TAP interfaces
Let’s create three TAP interfaces.
sudo tunctl -u $USER
sudo tunctl -u $USER
sudo tunctl -u $USER
Assign IP addresses to the TAP interfaces.
sudo ip addr add 192.168.20.1/32 dev tap0
sudo ip addr add 192.168.20.2/32 dev tap1
sudo ip addr add 192.168.20.3/32 dev tap2
sudo ip link set tap0 up
sudo ip link set tap1 up
sudo ip link set tap2 up
Routing Requirements
Enable routing and add host routes for each of the guest IP addresses.
sudo sysctl net.ipv4.ip_forward=1
sudo route add -host 192.168.20.201 dev tap0
sudo route add -host 192.168.20.202 dev tap1
sudo route add -host 192.168.20.203 dev tap2
Proxy ARP
Enable proxy ARP on all TAP interfaces so that all the guests can communicate with each other.
sudo sysctl net.ipv4.conf.tap0.proxy_arp=1
sudo sysctl net.ipv4.conf.tap1.proxy_arp=1
sudo sysctl net.ipv4.conf.tap2.proxy_arp=1
Notice, it is NOT necessary to enable proxy ARP on the public interface, since we will be using NAT for guests to access the public network and internet.
NAT Configuration
First flush all iptables rules and enable NAT on the public interface.
sudo iptables --flush
sudo iptables -t nat --flush
sudo iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
sudo iptables -A FORWARD --in-interface tap0 -j ACCEPT
sudo iptables -A FORWARD --in-interface tap1 -j ACCEPT
sudo iptables -A FORWARD --in-interface tap2 -j ACCEPT
Now it’s just a matter of configuring each of your guests to use the appropriate host interface as shown in the screenshot below.
After assigning the guest to an interface, configure the guest operating system with the appropriate IP address and routing information. The following list will show the IP address configuration each guest should use for this example.
Guest 1
Host interface: tap0
IP Address: 192.168.20.201
Subnet Mask: 255.255.255.0
Gateway: 192.168.20.1
DNS: Any reachable DNS server.
Guest 2
Host interface: tap1
IP Address: 192.168.20.202
Subnet Mask: 255.255.255.0
Gateway: 192.168.20.2
DNS: Any reachable DNS server.
Guest 3
Host interface: tap2
IP Address: 192.168.20.203
Subnet Mask: 255.255.255.0
Gateway: 192.168.20.3
DNS: Any reachable DNS server.
And that’s it. Your guests should all be able to ping each other, and access the internet!
To make things easy, I have also created the following Bash shell script that creates and tears down the environment with ease. Modify settings to your liking.
#!/bin/bash
# tap-setup.sh
# By Gilbert Mendoza
# Change username accordingly
USER="gmendoza"
PROXY="tap0 tap1 tap2"
TAPS="tap0 tap1 tap2"
NAT_OUT="eth0 wlan0"
ip_setup(){
ip addr add 192.168.20.1/32 dev tap0
ip addr add 192.168.20.2/32 dev tap1
ip addr add 192.168.20.3/32 dev tap2
route add -host 192.168.20.201 dev tap0
route add -host 192.168.20.202 dev tap1
route add -host 192.168.20.203 dev tap2
}
nat_setup(){
iptables --flush
iptables -t nat --flush
for i in $NAT_OUT
do
iptables -t nat -A POSTROUTING --out-interface $i -j MASQUERADE
done
for i in $TAPS
do
iptables -A FORWARD --in-interface $i -j ACCEPT
done
}
tap_up(){
tunctl -u $USER
tunctl -u $USER
tunctl -u $USER
sysctl net.ipv4.ip_forward=1
for i in $PROXY
do
sysctl net.ipv4.conf.$i.proxy_arp=1
done
for i in $TAPS
do
ip link set $i up
done
}
tap_down(){
sysctl net.ipv4.ip_forward=0
iptables --flush
iptables -t nat --flush
for i in $PROXY
do
sysctl net.ipv4.conf.$i.proxy_arp=0
done
for i in $TAPS
do
tunctl -d $i
done
}
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
else
case "$1" in
start)
tap_up
ip_setup
nat_setup
;;
stop)
tap_down
;;
*)
echo "Usage: $0 {start|stop}"
;;
esac
fi
exit 0
|
Using it is as simple as the following.
sudo tap-setup.sh start
sudo tap-setup.sh stop
Posted by admin on September 12, 2008 under Tech Tips |
WARNING! THIS POST HAS BEEN MARKED AS OUTDATED!
While there may be useful information still contained within the article, there may be other more relevant articles out on the Internet. Please pay close attention to version numbers of software that this article refers to. If you’re not careful, you could break your system if you do not understand what you are doing. If you would like to see this article updated, please contact the site administrator using the Contact page. Thanks!
UPDATE (12/13/2009): The latest versions of VirtualBox 3 have made great improvements in their guest networking options. It is possible to natively bridge guests over your hosts wireless connection “out of the box”, even allowing guests bridge over wireless with DHCP. The suggestions on this post still work fairly well, and will be left up as it has bits of information that is still useful in some scenarios. Please refer to the latest VirtualBox documentation for more help.
ORIGINAL: In the following instructions, we’ll explore a couple of methods on how to let your VirtualBox guest use the DHCP services of your host’s wireless network.
In a previous post, I outlined how to bridge a VirtualBox guest across the wireless connection of your host. But the process involved using static IP’s for your guest, because unlike a true bridge, your host is actually acting as a router, forwarding only unicast packets between the two networks. This complicates your guests ability to use DHCP, since broadcasts are typically not forwarded by routers. I’m going to demonstrate two methods that work around this limitation. For the first method, we’ll be using two different DHCP relay agents. For the second method, we’ll simply use a Broadcast Relay Agent.
Network Assumptions
I’m going to assume we’re using a very simple setup typical to most small networks and wireless routers. Feel free to adjust the following values according to your own requirements.
Wireless Network ID: 192.168.1.0/24
Wireless Network DHCP Range: 192.168.1.2-100
Wireless Network DHCP Server: 192.168.1.1
Host Computer Wireless Interface: wlan0 (change accordingly)
Host Computer Wireless IP: Any IP (Doesn’t matter; You can use DHCP or static)
Host Computer TAP Interface IP: 192.168.1.150/32 (choose something outside DHCP range)
Guest Computer IP: DHCP/Dynamic
Getting Started
Enable IP forwarding on your host.
sudo sysctl net.ipv4.ip_forward=1
Install the User Mode Linux utilities, for the tunctl application.
sudo apt-get install uml-utilities
Create a TAP interface and give it a static IP address in the same address space as your wireless network.
sudo tunctl -u $USER
sudo ip addr add 192.168.1.150/32 dev tap0
sudo ip link set tap0 up
The IP address you choose for the TAP interface should be outside the DHCP range to prevent conflicts with other hosts. It’s very important that you don’t use the same subnet mask as your wireless interface, because you can run into unpredictable routing behavior on your host. I recommend using a 32-bit subnet mask as it is very clean and efficient. I like to use the ipcommand, but feel free to use ifconfig to accomplish the same thing.
Proxy ARP Required
Unlike in the previous post, unless you are reserving an IP address for your guest on the DHCP server, you may not know what IP address your guest will receive. In order for kernel based proxy ARP to work, you would need to manually add the assigned IP address to your routing table.
So to make things easy for you, parprouted comes to the rescue.
sudo apt-get install parprouted
When you run parprouted, it inspects ARP traffic on both sides of the network and adds IP addresses as host routes in the routing table. Run this command in one terminal so you can check out what’s happening in the background.
sudo parprouted -d wlan0 tap0
Method 1: DHCP Relay Agent
DHCP Relay Agents are commonly used on routed networks with centralized DHCP services. The relay agent is a service that is typically configured on a router and converts DHCP broadcasts into unicast messages directed at the DHCP servers IP address. For more detailed explanations on the matter, check out RFC 3046 and 1542.
Simon Kelley’s DHCP Helper (Option A)
I selected to discuss Simon Kelley’s DHCP Helper first because it really is a brilliantly simple and intuitive application. The primary advantage it has over ISC’s DHCP Relay is that you do not have to configure the application with the IP address of the DHCP server. You simply tell dhcp-helperwhich interface on which you want it to automatically discover the dhcp server via broadcast, and it does the rest for you!
Install dhcp-helper from your repositories, or download the latest source code here.
sudo apt-get install dhcp-helper
The service starts on installation automatically, listening on interface eth0. You’ll want to configure it in the file /etc/default/dhcp-helper. I am adding “-i wlan0” because by default it will listen on all other interfaces as well. This way, we limit the test to your VirtualBox guest.
DHCPHELPER_OPTS="-b wlan0 -i tap0"
Restart the service.
sudo /etc/init.d/dhcp-helper restart
Configure your VirtualBox guest to use tap0 as it’s network interface, and watch it pull an IP address from your DHCP server!
ISC’s DHCP Relay (Option B)
First of all, if you would rather use ISC’s DHCP Relay, you must remove dhcp-helper discussed in the previous section. It’s not as transparent as dhcp-helper, so I’m just mentioning it here for the sake of completeness.
Ubuntu and Debian repositories provide ISC’s DHCP relay agent in the dhcp3-relay package. For other distros, check your repositories accordingly.
sudo apt-get install dhcp3-relay
The installer will prompt you to add the IP address of your DHCP server and the interface you wish to listen on, etc. Simply leave them blank for now, as for this example, we’ll be testing things out from a command line. To test things out, run the following command from a separate terminal window, where the IP address is that of your DHCP server.
sudo dhcrelay3 -d -i wlan0 -i tap0 192.168.1.1
Configure your VirtualBox guest to use tap0 as it’s network interface, and watch it pull an IP address from your DHCP server!
Method 2: Broadcast Relay
Okay, so I’d love to take the credit for this one, but a reader from a previous post, Nick Knight, pointed me to a utility called bcrelay. Now this application is cool! It totally mitigates the need for a DHCP relay agent (so kill that process if you are running it), as bcrelay simply rewrites the layer-2 header and forwards broadcast messages between network interfaces. In the case of DHCP, the source MAC address of the packet is changed to your host machines address, but the DHCP header is untouched. So the DHCP server will still offer a brand new IP address to the guest.
Install and run the application from a separate terminal window. As a reminder, you still need to use parprouted though in another window.
sudo apt-get install bcrelay
sudo bcrelay -i tap0 -o wlan0
Configure your VirtualBox guest to use tap0 as it’s network interface, and watch it pull an IP address from your DHCP server!
Troubleshooting
If you really want to see all the action, use wireshark or tcpdump to inspect traffic. The following capture filter works well, in two separate terminals of course.
sudo tcpdump -eni tap0 udp port 67 or udp port 68 or arp or icmp
sudo tcpdump -eni wlan0 udp port 67 or udp port 68 or arp or icmp
Also, these commands are useful as well.
watch -n1 route -n
watch -n1 arp -an
If you need to figure out what is going wrong, be sure to stop all the components of the appropriate method and run them in the foreground in separate terminals. e.g. parprouted, bcrelay, dhcp-helper, dhcp3-relay. Most will give you clues as to what is failing.
Now.. I should mention, I ran into all sorts of issues when trying to get all of this to work. The methods that gave me the most trouble were the DHCP relay agents.
I have an Actiontec MI424WR router that royally screws up my DHCP relay agent’s packet exchange. I wasn’t getting any DHCP offers with unicast packets sent to the router. Apparently, during a typical non-relayed DHCP exchange, I was able to see that the router’s source MAC address was completely different in broadcast DHCP offer packets than what it’s IP address is actually associated with, so my unicast packets were probably being dropped by the router. I’m assuming this is some type of internal bridge interface dedicated for DHCP services or something, so I ended up having to install a separate DHCP server for this to work. ISC’s DHCP server worked completely normal, and I suspect this is entirely the routers fault.
Conclusion
If you do want to use this configuration regularly, I recommend the combination of parprouted and bcrelay or dhcp-helper. Both can be run in the background easily, and requires almost zero configuration if traveling between multiple networks.
However, as you have probably gathered, both methods described above are a bit complicated, and I don’t necessarily recommend it for every day use. I did it because I’m a geek, and I wanted to prove it could be done. While the process of setting up the entire environment could be made simpler with scripts, the challenges you will face on each wireless network might make the process of troubleshooting counterproductive. Many of the headaches you will face will be related to the wireless network hardware, such as centralized wireless solutions that restrict the number of MAC to IP addresses in order to prevent MITM attacks, and of course in some cases, charge you appropriately.
The best solution for public hostspots and corporate networks is still good old fashioned NAT. But this way sure is is a lot of fun and a good way to waste your weekend to impress all your other nerd buddies.
Posted by admin on August 9, 2008 under Tech Tips |
As described by the author, Word War Vi is “a retro styled side scrolling shoot’em up arcade game for linux”. The game play is fast paced, complemented by superb audio and very addictive.
At the time of this writing, there was no Ubuntu/Debian package, but compiling the game is a snap.
To get the latest version, please visit the Word War Vi site and download the source code.
Install Prerequisites and Dependencies
sudo apt-get install build-essential gnome-core-devel portaudio19-dev libvorbis-dev
Extract, Compile and Install
Replace x.xx in the file name with the current version number of the file downloaded. It shouldn’t need to be mentioned, but just in case.
tar zxfv wordwarvi-x.xx.tar.gz
cd wordwarvi*
make && sudo make install
Execute and Have fun
wordwarvi
I noticed when running the game, my audio sounded a bit garbled. Changing the Sound Device seemed to clear it up, although the number varied depending on the sound card of each of the machines I’ve tested it on. Try incrementing the number until one sounds normal.
wordwarvi --sounddevice 0
wordwarvi --sounddevice 1
wordwarvi --sounddevice 2
Posted by admin on July 27, 2008 under Tech Tips |
WARNING! THIS POST HAS BEEN MARKED AS OUTDATED!
While there may be useful information still contained within the article, there may be other more relevant articles out on the Internet. Please pay close attention to version numbers of software that this article refers to. If you’re not careful, you could break your system if you do not understand what you are doing. If you would like to see this article updated, please contact the site administrator using the Contact page. Thanks!
UPDATE (12/13/2009):The latest versions of VirtualBox 3 have made great improvements in their guest networking options. It is possible to natively bridge guests over your hosts wireless connection “out of the box”, even allowing guests bridge over wireless with DHCP. The suggestions on this post still work fairly well, and will be left up as it has bits of information that is still useful in some scenarios. Please refer to the latest VirtualBox documentation for more help.
ORIGINAL: Here’s a straight forward explanation on how to bridge (well, technically route) your VirtualBox (VB) guest network interface through your host machines wireless network connection. The guest machine will be configured to use a static IP address that is on the same subnet as the wireless network, and will also be able to communicate directly with any device on the network.
First things first, make sure you have a working VB installation and that your guest operating system is configured with a static IP address outside of your DHCP scope. You also need to install the User Mode Linux utilities. In Ubuntu/Debian, they are found in the uml-utilities package.
sudo apt-get install uml-utilities
You also need to ensure your /dev/net/tun interface has the appropriate permissions for the vboxusers group. You can set the permissions manually and should modify the udev rules to have them apllied at boot up.
sudo chown root.vboxusers /dev/net/tun
sudo chmod g+rw /dev/net/tun
Add the following line of code to /etc/udev/rules.d/20-names.rules:
KERNEL=="tun", NAME="net/%k", GROUP="vboxusers", MODE="0660"
Verify /dev/net/tun permissions:
ls -l /dev/net/tun
crw-rw---- 1 root vboxusers 10, 200 2008-04-24 16:34 /dev/net/tun
How does this all work?
The magic of this process is achieved through a technique called “Proxy ARP”. This technique allows a router, in this case your Linux host computer, to intercept Layer-2 ARP packets, and forward them through the host computer and into adjacent networks. Long story short, to the external network, your guest computers MAC address is masked behind the host computers MAC address. The IP address of your guests remain unique to the network and all devices on either side of the host can communicate directly with each other.
Network Assumptions:
I’m going to assume we’re using a very simple setup typical to most small networks and wireless routers. Feel free to adjust the following values according to your own requirements.
Wireless Network ID: 192.168.1.0/24
Wireless Network DHCP Range: 192.168.1.2-100
Wireless Network Default Gateway: 192.168.1.1
Host Computer Wireless Interface: wlan0 (change accordingly)
Host Computer IP: Any IP (Doesn’t matter; You can use DHCP or static)
Guest Computer IP: 192.168.1.200 (Static IP outside DHCP range to avoid conflicts)
Guest Computer DNS: Any DNS server
Guest Default Gateway: 192.168.1.1 (Same value that other devices on the network use)
Quick scripts for the impatient:
To bring up the the tap interface and apply appropriate settings. Run them with root privileges.
sudo tunctl -u $USER
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv4.conf.wlan0.proxy_arp=1
sudo sysctl net.ipv4.conf.tap0.proxy_arp=1
sudo ip link set tap0 up
sudo route add -host 192.168.1.200 dev tap0
To tear down the interface and configuration.
sudo sysctl net.ipv4.ip_forward=0
sudo sysctl net.ipv4.conf.wlan0.proxy_arp=0
sudo sysctl net.ipv4.conf.tap0.proxy_arp=0
sudo tunctl -d tap0
Explanation of steps:
Create TAP interface on the host computer (tap0):
sudo tunctl -u $USER
The $USER variable typically maps to your own user account. If not, simply replace $USER with the account that will be running your guest machine; typically your own username.
Enable IP forwarding, which turns your host computer into a router.
sudo sysctl net.ipv4.ip_forward=1
Enable proxy ARP on both the TAP and wireless interfaces.
sudo sysctl net.ipv4.conf.wlan0.proxy_arp=1
sudo sysctl net.ipv4.conf.tap0.proxy_arp=1
Enable the TAP interface.
sudo ifconfig tap0 up
Add a static host route that points to your guest computer via the tap0 interface.
sudo route add -host 192.168.1.200 dev tap0
This is required for your host computer to be able to know how to forward packets to your guest. Ultimately, this is what allows the kernels proxy ARP feature to work.
Edit the VB guest network settings so that Adapter 0 is attached to the Host Interface, and that the Interface Name is set to tap0. The screenshot below is an example of such a configuration.
Finally, turn on the guest system, and if you have already configured it’s IP address, you should be able to ping it. The guest should also be able to ping every other device on the network. Provided you have used the correct DNS and default gateway for your network, you will also have internet access available.
Some community documents claim that you need to use an application called parprouted to accomplish this, but that is not the case. Linux has native proxy ARP support, and as demonstrated here, using it couldn’t be easier. Parprouted provides the same service, however it runs as a daemon and adds host routes for every IP involved in a proxy ARP exchange. Depending on the network size, your routing table can become large very quickly. In addition to your increased routing table entries, the service also sends ARP queries to refresh the addresses every 50 seconds, adding senseless clutter to your network as well. While it’s a useful tool for certain applications, you don’t need it if you’re doing light VB bridging.
Full Script Example: tap-setup.sh
Save the following script to somewhere in your path and modify the appropriate values accordingly. You must run the script with root privileges and supply the appropriate start and stop variable to bring up and tear down the TAP interface.
#!/bin/bash
# tap-setup.sh
# Change username accordingly
USER="username_here"
tap_up(){
tunctl -u $USER
sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.wlan0.proxy_arp=1
sysctl net.ipv4.conf.tap0.proxy_arp=1
ip link set tap0 up
route add -host 192.168.1.200 dev tap0
}
tap_down(){
sysctl net.ipv4.ip_forward=0
sysctl net.ipv4.conf.wlan0.proxy_arp=0
sysctl net.ipv4.conf.tap0.proxy_arp=0
tunctl -d tap0
}
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
else
case "$1" in
start)
tap_up
;;
stop)
tap_down
;;
*)
echo "Usage: $0 {start|stop}"
;;
esac
fi
exit 0
|
Multiple Virtual Guest Machines:
More than likely, you will be running more than just one virtual machine. All that is required for this to work is to add an additional static host route for each guest IP address. Add these manually, or simply modify the script to add them for you. Make sure you are choosing IP addresses outside your DHCP address pool to avoid conflicts.
sudo route add -host 192.168.1.200 dev tap0
sudo route add -host 192.168.1.201 dev tap0
sudo route add -host 192.168.1.202 dev tap0
sudo route add -host 192.168.1.203 dev tap0
You can also use a subnet instead of lots of host routes, but you need to be careful in doing so. Adding the entire subnet of your host network (in this case a 24 bit mask) can cause unpredeictable routing behavior. If you know your DHCP pool never extends above the first 100 addresses, you can simply choose to use a smaller subnet matching the higher IP addresses. This way you dedicate these addresses for your guests, and avoid weird routing issues. The following static route example will allow you to use host addresses between .129 and .254.
sudo route add -net 192.168.1.128 netmask 255.255.255.128 dev tap0
Here’s an example of the routing table. Notice that the output is minimal and extremely clean.
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.128 0.0.0.0 255.255.255.128 U 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
You do NOT have to modify your guest or host subnet masks. Leave them to their respective values. The static route is used simply to help keep your host computer organized and routing appropriately to each side of the network.
Additional FAQ’s:
Q: Does my tap0 interface require it’s own IP address?
A: No. The static route to your guests as shown in the above examples use the tap0 interface as the destination. Packets are simply forwarded out the tap0 interface, and layer-3 information is unaltered.
Q: How does my host computer communicate directly with the guest machine?
A: If your wlan0 interface has an IP address, your host computers routing table will take care of everything for you. You will communicate directly with the guest using the wlan0 IP as the source address.
Q: Does my host computer even require an IP address?
A: No. Your wlan0 interface doesn’t need an IP address for any of this to work. Your host computer won’t be able to communicate directly with anything on the network via layer-3, but will act as a transparent bridge. If you just want your guest on the network, remove all IP addresses and routes from your host, then simply create appropriate static routes for both sides of the host directing traffic out each interface. Using the same strategy of splitting your network in half to avoid DHCP scope conflicts, we add two /25 bit routes, the lower half of the block out wlan0, and the upper half out tap0. You also need a default gateway defined if your guests need internet access.
sudo route add -net 192.168.1.0 netmask 255.255.255.128 dev wlan0
sudo route add -net 192.168.1.128 netmask 255.255.255.128 dev tap0
sudo route add default gw 192.168.1.1
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.128 U 0 0 0 wlan0
192.168.1.128 0.0.0.0 255.255.255.128 U 0 0 0 tap0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
If you run tcpdump to inspect the magic taking place, you’ll notice ARP exchanges are proxied from a 0.0.0.0 address on your host computer, which is completely acceptable and works well. However, this represents a highly irregular configuration, and if you have multiple host computers doing the same thing you will run into layer-2 issues. Think layer-2 man in the middle attack… but on accident. This example is simply for educational purposes.
Q: Okay, so I know I don’t need it, but what if I want my tap0 interface to have an IP address?
A: You just want to be careful about the subnet mask you assign to the tap0 interface. I really don’t recommend assigning the same subnet mask as your physical interface, because doing so automatically adds a second route for that subnet, and you can run into routing decision and interface selection issues. I recommend using a 32 bit mask host address.
sudo ip addr add 192.168.1.150/32 dev tap0
This is the cleanest way, because the routing table is only adjusted for that single IP address. Proxy ARP again will work perfectly with that address since the host computer has the route. Also, 32 bit mask address assignments on the host will not show ip in the routing table, so don’t worry if you don’t see it with the route command.
Q: I was messing around with the tunctl commands, and now VirtualBox complains and I can’t start the guest machine.
A: You may have created multiple TAP interfaces inadvertently. If you run “tunctl -u $USER” and the output tells you that it has set a TAP interface with a higher numerical value than tap0 (e.g. tap2, tap3, etc), then you simply need to remove them all, and start over.
sudo tunctl -d tap2
sudo tunctl -d tap1
sudo tunctl -d tap0
sudo tunctl -u $USER
If your tunctl output shows you creating tap0, then you should be good to go.
Set ‘tap0’ persistent and owned by uid 1000
Q: Can I use DHCP on my guest computers?
A: Sure! It is possible, and I will cover this in an upcoming article. You simply need to use a DHCP relay utility that converts your DHCP broadcast messages into unicast messages directed to your networks DHCP server. dhcp3-relay is the tool for the job. However, using DHCP complicates things a bit because now your static route will need to be added dynamically. Now THAT sounds like a job for parprouted! Stay tuned.
Posted by admin on July 20, 2008 under Tech Tips |
If you are writing your latest and greatest Bash shell script that requires careful user input, then you are probably looking for a way to validate or sanitize the input before using the data in commands or subroutines. Here’s an example shell script that reads user input into a variable, which we in turn echo and sanitize into a new variable. The new variable will then be used to perform whatever function is required, in this case displaying the new value.
#!/bin/bash
read -p "Enter variable: " VAR_INPUT
# Sanitize input and assign to new variable
export VAR_CLEAN="`echo "${VAR_INPUT}" | tr -cd '[:alnum:] [:space:]'`"
echo "New Variable: ${VAR_CLEAN}"
|
Notice, we use the tr command to delete everything except alphanumeric and space characters. You can also perform further manipulation with any other command that comes to mind. For example, if you would like to also limit the number of characters to 10, use the cut command.
export VAR_CLEAN="`echo "${VAR_INPUT}" | tr -cd '[:alnum:] [:space:]' | cut -c -10`"
|
I like using tr in this fashion, because instead of trying to exclude specific characters, you have the option to enforce a deny all policy, making it easier for you to allow only what you want.
As one of our readers mentioned, there is an even simpler method using only Bash search and replace! This eliminates the need for the execution of tr. In the following example, we sanitize the input allowing for only alphanumeric characters and spaces. I also show how to trim the string length to a maximum character limit of 10.
#!/bin/bash
read -p "Enter variable: " VAR_INPUT
# Sanitize input and assign to new variable
export VAR_CLEAN_1="${VAR_INPUT//[^a-zA-Z0-9 ]/}"
echo "New Variable 1: ${VAR_CLEAN_1}"
# Sanitize input, assign to new variable but limit it to 10 characters
export VAR_CLEAN_2="`echo "${VAR_INPUT//[^a-zA-Z0-9 ]/}" | cut -c -10`"
echo "New Variable 2: ${VAR_CLEAN_2}"
|
For more information, be sure to check out the man pages for tr and take a look at the Advanced Bash-Scripting Guide. Additional comments and ideas welcome!
Posted by admin on under Tech Tips |
Nautilus, the default file manager used by Gnome desktop environment, sports many features that make every day use a real joy. Here’s a brief look at the different file selection options available in Nautilus as of version 2.22.3.
Multiple File Selections:
You can select multiple file ranges with multiple “shift+click” combinations. Other less advanced file managers typically lose focus on previously selected objects if you try to “shift+click” another set of files, but Nautilus handles this quite well. The following screenshot demonstrates the feature.
Pattern Selection:
You can select files by patterns in their naming convention. For example, if you would like to select only files with a particular extension, go to “Edit… Select Pattern“, or use the keyboard shortcut of “Ctrl+S“. Type in a search pattern such as “*.ogg” and click OK. The following screenshot shows the pattern select dialog.
Type-Ahead Search:
Simply typing text while focused in a Nautilus window will highlight the first matching file or folder name. Taking this simple concept one step further, if you hit the keyboard Up or Down arrows, Nautilus will focus the next matching object. Again, this is quite intuitive, since other file managers simply move the focus from the currently selected object to one that is immediately adjacent. Keep hitting the Up and Down arrows to jump between matching objects.
Standard File Search:
Of course, when you just want to perform a standard file search, you can hit the Search button, or use the “Ctrl+F” keyboard shortcut. The dialog is pretty simple to understand, and gives you a decent set of options to choose from.
Be sure to keep a lookout for many more exciting features from the Nautilus developers as they continue the trend of inovation at its finest. Hope you found these quick tips useful for your daily Nautilus usage routine.