lfcode.ca notes compiled for future reference

nftables: redirect not working + fix

Recently, I made the somewhat-rash decision to switch to nftables from ufw-managed iptables on this VPS.

It's been a fun ride. At the time of writing, the nft man page doesn't document the redirect statement at all: it doesn't acknowledge that it exists, let alone say what it does.

That matters less than it sounds, because it does the same thing as the REDIRECT target in iptables, which is documented in the iptables-extensions man page. From that, the behaviour of redirect in nftables can be inferred as "rewrite the destination address to the primary address of the interface the packet arrived on (127.0.0.1 for locally generated packets), and rewrite the destination port to the one given after to".

I, however, was a bit too dense to go looking through there and didn't read the wiki too well about redirection. I figured "hey, just need to put redirect at the start of the chain hooked into nat prerouting to enable it, then add a rule specifically redirecting the port". Later, I wondered why it wasn't working. After some tcpdump, copious quantities of counters everywhere, and netcat instances, I figured that out.

Note that you need to allow packets with dport 11113 in your filter chain. The nat prerouting hook runs before the input hook, so by the time a packet reaches your filter input chain its destination port has already been rewritten to 11113; you will never see port 113 there unless something has gone horribly wrong. (Only the first packet of a connection traverses the nat chain; conntrack applies the same rewrite to the rest and undoes it on the replies.) If, for some reason, you want to drop packets on the original port 113, there is no mangle chain type in nftables: use a chain of type filter on the prerouting hook with a priority lower than the nat chain's (the config below puts nat at 0, so e.g. -150), so that it runs before the rewrite. I have no idea why you would want to do that, though.

Here's the functional config:

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    tcp dport 113 counter redirect to 11113
  }

  chain postrouting {
    type nat hook postrouting priority 0;
  }
}

table ip6 nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    tcp dport 113 counter redirect to 11113
  }

  chain postrouting {
    type nat hook postrouting priority 0;
  }
}
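A fuller ruleset, added here as an example rather than taken from the post: the same redirect, plus the filter rules the note above says you need, plus a chain that sees port 113 before the rewrite. The 113 to 11113 mapping is the post's; the drop policy, the SSH rule and the pre-rewrite chain are assumptions.

```nft
# Added example; not the post's own config. Port 113 -> 11113 is from the post,
# everything else (policies, SSH access, the pre-rewrite chain) is assumed.

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    ct state established,related accept
    iif lo accept

    # The input hook runs after nat prerouting, so redirected connections
    # arrive here with dport 11113, never 113.
    tcp dport 11113 counter accept

    # Management access (assumed)
    tcp dport 22 accept
  }

  # The only place to match the ORIGINAL port: hook prerouting at a priority
  # lower (earlier) than the nat chain. Counter only, so nothing is dropped;
  # append "drop" to block port 113 before the rewrite happens.
  chain prerouting {
    type filter hook prerouting priority -150; policy accept;
    tcp dport 113 ct state new counter
  }
}

# The nat part from the post, at the conventional dstnat priority (-100).
# Current nft syntax is "redirect to :11113"; older versions accepted
# "redirect to 11113" as written in the post.
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    tcp dport 113 counter redirect to :11113
  }
  chain postrouting {
    type nat hook postrouting priority 100;
  }
}

table ip6 nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    tcp dport 113 counter redirect to :11113
  }
  chain postrouting {
    type nat hook postrouting priority 100;
  }
}
```

Load it with nft -f and watch the counters in nft list ruleset while connecting to port 113 from outside: the filter prerouting counter, the nat counter and the input counter should each tick once per new connection (later packets of the same connection match the ct state rule first), which is the quickest way to see at which hook a packet went missing.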

Tags: nftables, linux

Introducing my new theme

Recently, I had enough of the Arabica theme for Ghost. Put simply, it was ancient, didn't look that great anyway, and was missing a bunch of newer Ghost features.

Its replacement is a fork of lanyon-ghost, itself a fork of lanyon (a theme for Jekyll).

Currently, all I've changed is the fonts, and I switched the homepage to display full posts, as it's quite irritating to have to click on each one to read it (while I'm at it, it would be great if Ghost allowed you to put a mark where the fold in the page is, so that longer posts don't eat up all the space on the page).

The fonts in use are the beautiful Charter (main content), Fira Sans (headings, other text), and Source Code Pro (monospace/code).

There's also an author page that shows the author's description, image and such along with their posts.

Here's the code: https://github.com/lf-/lanyon-ghost

Tags: meta, ghost

How to have a functional dhcrelay

I'm dumb. Or ignorant. Or inexperienced. I haven't decided which.

dhcrelay only handles replies properly if it's bound (one -i per interface) to both the interface it receives client requests on and the interface the server's responses come back on; with only the client-side interface listed, the server's responses are never relayed back.

My command line for it to forward dhcp requests to my Windows dhcp server in my virtual lab is:

/usr/bin/dhcrelay -4 -d -i eth1 -i eth2 10.x.x.x

eth1 is the interface with the Windows dhcp server on its subnet

eth2 is the interface with the clients on it

10.x.x.x is the address of the Windows dhcp server

This is run on my arch (yes, I know. Debian took longer than Windows to install. The only stuff on it is in base, vim, and dhcp) gateway VM. I could also stand up a Windows box and have it do NAT, but that doesn't use 512MB of RAM nearly as happily.

Tags: Windows Server, dhcp, linux, homelab

Swapping Back and Menu/Overview buttons on Android

I use a OnePlus One as my daily driver. Unfortunately, like nearly every phone on the market with capacitive buttons, they're backwards! I could enable software keys, but that's admitting defeat. CyanogenMod doesn't allow swapping the keys in the settings, because it would result in some pretty horrible user experience.

None of this is relevant however, because this is Android, and I have root:

In /system/usr/keylayout/Generic.kl, you can see the key mapping for all keys on the system. Each line reads key <Linux scancode> <Android keycode>; simply swap the names in the rightmost column on the two relevant lines, BACK and MENU.

MENU is at key 139 and BACK is at key 158 (the Linux input codes KEY_MENU and KEY_BACK). You need to remount /system read-write to edit the file, and reboot for the new mapping to load. If the swap doesn't take, look for a device-specific .kl file in the same directory: one that matches your button device overrides Generic.kl.

I use this on the latest Cyanogen OS based on Lollipop. It works perfectly. If you want to revert this, simply do the reverse of what's written.

A little note: my blog is just stuff I need to write down for easy reference later. It's on completely random themes, although centered around technology. I should probably make a wiki for this stuff.

Tags: android, cyanogenmod, oneplus

Setting up DHCP on a DC with secure dynamic DNS

So, in my virtual homelabbing, I decided I was going to get a Windows based network set up with more or less only PowerShell. In these efforts, I discovered a pretty poor pile of documentation (such as this insanity where they tell you to create credentials with netsh, restart the service, then delete the credentials and restart again [optional step: wonder why it doesn't work]).

Here's how I set it up:

Create AD account:
# Get username and password for the new account, entered as DOMAIN\user
# (the DHCP side wants it domain-qualified; the domain is stripped below for AD)
$cred = Get-Credential

# sAMAccountName without the domain prefix; New-ADUser also requires -Name
$sam = $cred.GetNetworkCredential().UserName

# Create the user. It needs no special permissions: the DHCP server registers
# DNS records as this account, so a plain domain user is exactly what you want
# (never a privileged one, and use the same account on every DHCP server so
# they can update each other's records)
New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $cred.Password -Enabled $true

Make the DHCP server use it:
# Set the credentials for the DHCP server
Set-DhcpServerDnsCredential -Credential $cred

# Restart the DHCP Server so it picks them up
Restart-Service DhcpServer

You're set!

Bonus:

Also remember to set the DNS zone to only allow secure updates. This is only supported for AD-integrated zones (a file-backed primary zone has no ACLs on its records to check against), and Set-DnsServerPrimaryZone needs the zone name:

# Replace corp.example with your zone
Set-DnsServerPrimaryZone -Name corp.example -DynamicUpdate Secure
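As an added example (not from the post), here is a script that audits both settings on a server, the DHCP registration account and the dynamic-update mode of every primary zone, and optionally fixes the zones. It assumes the DhcpServer and DnsServer RSAT modules are installed and that $Server names a DC running both roles; the server name is an assumption.

```powershell
# Added example, not the post's code: report which account DHCP uses for DNS
# registration and find primary zones that still accept nonsecure updates.
# Run with -Fix to switch AD-integrated zones to secure-only.
# Assumes the DhcpServer and DnsServer RSAT modules; $Server is an assumed name.
param(
    [string] $Server = $env:COMPUTERNAME,
    [switch] $Fix
)

# 1. The DHCP server registers A/PTR records as this account, so it should be
#    the dedicated unprivileged user from above, not empty (= the server's own
#    computer account, which on a DC is far too privileged for the job).
$dhcpCred = Get-DhcpServerDnsCredential -ComputerName $Server
if (-not $dhcpCred -or [string]::IsNullOrEmpty($dhcpCred.UserName)) {
    Write-Warning "DHCP on $Server has no dedicated DNS update credential."
} else {
    Write-Output ("DHCP on {0} registers records as {1}\{2}" -f $Server, $dhcpCred.DomainName, $dhcpCred.UserName)
}

# 2. Every primary zone hosted here that is not already secure-only.
$zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' }

foreach ($z in $zones) {
    if (-not $z.IsDsIntegrated) {
        # Secure updates rely on the AD ACLs of the records; a file-backed zone has none.
        Write-Warning "$($z.ZoneName): DynamicUpdate=$($z.DynamicUpdate) and the zone is file-backed; convert it with ConvertTo-DnsServerPrimaryZone -ReplicationScope before it can be Secure."
        continue
    }
    Write-Output "$($z.ZoneName): DynamicUpdate=$($z.DynamicUpdate)"
    if ($Fix) {
        Set-DnsServerPrimaryZone -ComputerName $Server -Name $z.ZoneName -DynamicUpdate Secure
        Write-Output "$($z.ZoneName): set to Secure"
    }
}
```

Run it without -Fix first; anything it lists is a zone where any host on the network can overwrite records, which is exactly what the secure-update setting is there to prevent.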

Tags: PowerShell, Active Directory, dhcp, dns

General Network Error when running Install-ADDSForest

When I was messing about with AD DS a bit on Windows Server 2016 TP 2, I encountered the error General Network Error, with error ID 54. This is obviously a very unhelpful error. In troubleshooting, I noticed that the VM was being assigned an address in 169.254.x.x. This wasn't part of my intended IP range, so I started investigating.

It turns out that 169.254.x.x is the link-local range used by APIPA (Automatic Private IP Addressing): when an interface is set to DHCP and no DHCP server answers (there wasn't one, because I intended to set up Windows DHCP), Windows assigns itself an address from that range. A domain controller needs a fixed address that clients can reach, and a link-local one isn't that. After giving the server a static address and disabling APIPA, the AD setup worked correctly.

You may be wondering how to disable this problematic system. Here's how you do it (in PowerShell). Note that the first line turns DHCP off on every adapter, so make sure the server already has a static address (New-NetIPAddress) first, or it will be left with no IPv4 address at all:

# Disable DHCP
Get-NetAdapter | Set-NetIPInterface -Dhcp Disabled
# Disable APIPA
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name IPAutoconfigurationEnabled -Value 0 -Type DWord
# Reboot to apply
Restart-Computer
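The step the three lines above leave out is giving the machine a static address first. Here, as an added example and not the post's own script, is the full sequence: assign the static address, then disable DHCP and APIPA, then check that no 169.254 address is left. The interface alias, addresses and DNS server are assumptions; substitute your own.

```powershell
# Added example, not from the post: static address BEFORE turning DHCP off,
# then disable DHCP and APIPA, then verify no 169.254.x.x address survived.
# Interface alias, addresses and DNS server are assumed values.
$Alias   = 'Ethernet'
$Address = '10.0.0.10'
$Prefix  = 24
$Gateway = '10.0.0.1'

# A DC should point DNS at itself; before the DNS role exists, the loopback will do.
$DnsServers = @('127.0.0.1')

# Only reconfigure if the interface doesn't already hold the address.
$existing = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -eq $Address }
if (-not $existing) {
    # Drop any leftover dynamic/APIPA address and the old default route first.
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Address -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
}
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $DnsServers

# Now it's safe to disable DHCP on the interface and APIPA globally.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name IPAutoconfigurationEnabled -Value 0 -Type DWord

# Verify: a leftover link-local address is what Install-ADDSForest trips over.
$apipa = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -like '169.254.*' }
if ($apipa) {
    $apipa | Format-Table InterfaceAlias, IPAddress
    Write-Warning 'APIPA address still present; reboot so the registry change applies, then re-check.'
} else {
    Write-Output "No APIPA addresses; $Alias is $Address/$Prefix. Reboot to apply the registry change."
}
```

Run it before Install-ADDSForest; the final check is the one worth repeating after the reboot, since the registry setting only takes effect then.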

Tags: PowerShell, Windows Server, Active Directory

Vundle, y u do dis

Now to start off with, I apparently can't read and feel quite stupid for wasting 30 mins of my life messing with this problem.

Recently, I decided that vim was a good idea. So I committed to not avoiding it in favor of Sublime Text (I still need to fix the html stuff so that using Sublime isn't so damn tempting) and the editor-switching stuff has been going well.

When I decided to stop stealing someone else's vimrc, I also switched to using Vundle instead of Pathogen. This ended up throwing a slew of strange errors not even mentioning a shell such as Error detected while processing function vundle#installer#new..vundle#scripts#view:. Googling this gave me a seemingly completely unrelated issue from 2010 (typical as of late sadly). After trying a few things like deleting .vim/bundle, nothing was seeming to work. So I went off to read the docs. After messing with the GitHub wiki, I realised that I'm a derp and should read properly. There was a section clearly labeled I don't use a POSIX Shell (i.e. Bash/Sh) to read about this.

That being said, this isn't a totally useless I'm-an-idiot post, because gmarik could do something better. There could be detection of capabilities required, so that there's a pleasant error message stating what went wrong, rather than the current state of throwing a 20 line long error lacking entirely in description of what failed, and where. This is also partially vim's problem, because it could state that an error happened while executing shell code or similarly useful things.

Tags: vim

Hi

I'm lf. I mess around with code and occasionally it works. This is my blog.

Don't expect any degree of schedule. I'll post when I'm irritated at something or when I did an interesting thing.

Tags: