Sunday, March 2, 2008

How to background image in LaTeX

Add this code before
the \begin{document} part


and this one right following the \begin{document} :


The name of background image is background.png.

Wednesday, February 6, 2008

Animated computer simulation of in vitro cancer growth

On the next video sequences you can see the result of three state of the art models of cancer growth.

  • Spheric growth and the formation of necrotic core

  • Mitosis of cancer cells

  • Fractal growth of two neighboring cancer cell colonies

The author of computer simulations: Denis Horvath

Friday, February 1, 2008

How to userspace l7 filter on Ubuntu

L7-filter is a classifier for Linux's Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on IP address, port numbers and so on. L7 filter is usefull if you want to limit or monitor different network protocols in your network. This article assumes that you have the basic knowledge how to use the terminal and set up a linux router.

This how to describes the step by step installation of Userspace L7 filter on Ubuntu Linux.


1. Method:

Add my PPA to you repository

deb hardy main
deb-src hardy main
and install l7-filter-userspace l7-protocols

2. Method:
  • Add the universe repositories to your sources list.
  • Install some necessary packages

    sudo apt-get install g++ build-essential
    sudo apt-get install libnetfilter-conntrack-dev libnetfilter-conntrack1 libnetfilter-queue-dev libnetfilter-queue1

  • Download the source package of userspace l7 filter and the archive of the protocol definitions.
  • Unpack the protocol definitions and install it by

    sudo make install

  • Unpack the userspace l7 filter, compile and install it

    # tar -xzf l7-filter-userspace-v0.10.tar.gz
    # cd l7-filter-userspace-v0.10/

  • Download this patch

    # wget

    # cd
    # patch -p1 < ../patch_l7_Zoltan_Kuscsik.patch
    # /configure
    # make

  • Load a necessary kernel module and add to the automatically loaded modules

    # sudo modprobe ip_conntrack_netlink
    # sudo bash -c "echo ip_conntrack_netlink >> /etc/modules"


Let assume that you have a Ubuntu server with two network devices with WAN device eth0 and LAN device eth1. With iptables we redirect forwarded packages to the userspace

# sudo iptables -A FORWARD -j NFQUEUE --queue-num 0

Create a l7 config file in your favorite editor

sudo vi /etc/l7_filter.conf

and add some protocols

ssh 5
bittorrent 6

The list of all supported protocols can be found here. From the config we can read that l7 filter will assign the mark 5 to the packets of ssh protocol and it will sign with mark 6 the bittorrent packets.

Start l7 filter in debuging mode

l7-filter -vv -f /etc/l7_filter.conf

On your LAN client run a bittorrent session or make an ssh connection to an external server. If everything goes fine l7-filter will recognize your traffic and inform you trough the standard output.


Now, we are able to mark the connections. The next step is to set up the traffic control. For this you can use the HTB packet sheduller.
[to be improved...]

You can set up the start of l7-filter automatically by adding a line to /etc/rc.local

nohup /usr/local/bin/l7-filter -f /etc/l7-filter.conf &

Warning! This is a dangerous solution on a production server. If the program terminates unexpectedly your users will be cut off from the internet. You should set up some kind of monitoring for the l7-filter process.
You will notice, that the filter uses significant amount of system resources. You can save some computation time and memory by improving the forwarding rule.
For example, if you plan to shape the outgoing peer-to-peer connections it is a good idea to add some port specific selection to the userspace redirection rule

sudo iptables -A FORWARD -i eth0 -p tcp --dport 1024: -j NFQUEUE --queue-num 0

which will pass to the filter only the packets targeting higher ports than 1024.

I will improve this article, so please subscribe to the feed. If
you have any question or comments don't hesitate to drop me a message.

Please read the home page of Layer 7 Userspace

Especially the section why it is a bad idea to use the packet filtering for service blocking.

Sunday, January 27, 2008

Transparent proxy with Squid 3 on Ubuntu server

This is a short guide how to set up a transparent cache proxy on Ubuntu Server. Basically, there are two reasons why you may be interested setting up a Squid proxy: speed up your web access and save your bandwidth. Let assume that you already set up a Linux gateway using iptables. It is possible to run squid also on Windows but unfortunately it is extremely hard to find a hardware on which Windows is able to survive more than one week. Other words, windows is out of scope of this article.
The first step is to install squid 3

apt-get install squid3

edit the squid 3 configuration file in your favorite editor

sudo vi /etc/squid3/squid.conf

and set the transparency and the allowed hosts

http_port 3128 transparent
acl our_networks src
acl localnet src
http_access allow our_networks
http_access allow localnet

where is the IP range of local network. Probably you need adjust the swap size

cache_dir ufs /var/spool/squid3 7000 16 256

where the first number denotes the size of cache in megabytes. Save you changes and restart the squid proxy by

sudo /etc/init.d/squid3 restart

For more detailed configuration read the manual of Squid or check the configuration examples on Squid wiki page.
Remember, the memory and processor usage of squid is a function of swap size.
Last but not the least we need to redirect the HTTP traffic to your new shiny proxy

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

where eth1, eth0 are the LAN, WAN devices and is the IP address of your LAN device.

After all, probably you feel the need to monitor the performance of your proxy. Unfortunately, most of the squid log parsers in the Ubuntu repository are configured for Squid 2.x. Nevertheless, squid 3 uses the same log format, so you can change the log file path in your parser config file (sarg, calamaris, etd.) or simply link the log directory of squid 3 to the correct path

ln -s /var/log/squid3 /var/log/squid

Good luck!