Add this code before
and this one right following the
The name of background image is
Sunday, March 2, 2008
Add this code before
10:59 PM
Wednesday, February 6, 2008
In the following video sequences you can see the results of three state-of-the-art models of cancer growth:
- Spherical growth and the formation of a necrotic core
- Mitosis of cancer cells
- Fractal growth of two neighboring cancer cell colonies
The author of computer simulations: Denis Horvath
2:35 PM
Friday, February 1, 2008
L7-filter is a classifier for Linux's Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on IP address, port numbers and so on. L7-filter is useful if you want to limit or monitor different network protocols in your network. This article assumes basic knowledge of the terminal and of setting up a Linux router.
This how-to describes the step-by-step installation of the userspace L7-filter on Ubuntu Linux.
Add my PPA to your sources list:
deb http://ppa.launchpad.net/kuscsik/ubuntu hardy main
deb-src http://ppa.launchpad.net/kuscsik/ubuntu hardy main
and install the packages l7-filter-userspace and l7-protocols.
If you prefer to build it from source instead, follow the steps below.
- Add the universe repositories to your sources list.
- Install some necessary packages:
sudo apt-get install g++ build-essential
sudo apt-get install libnetfilter-conntrack-dev libnetfilter-conntrack1 libnetfilter-queue-dev libnetfilter-queue1
- Download the source package of the userspace l7-filter and the archive of the protocol definitions.
- Unpack the protocol definitions and install them with
sudo make install
- Unpack the userspace l7-filter, patch it, then compile and install it:
tar -xzf l7-filter-userspace-v0.10.tar.gz
cd l7-filter-userspace-v0.10/
Download this patch into the unpacked source directory and apply it there (the patch file is downloaded into the current directory, so it is referenced without a leading ../):
wget http://kuscsik.com/download/patch_l7_Zoltan_Kuscsik.patch
patch -p1 < patch_l7_Zoltan_Kuscsik.patch
- Load the necessary kernel module and add it to the list of automatically loaded modules:
sudo modprobe ip_conntrack_netlink
sudo bash -c "echo ip_conntrack_netlink >> /etc/modules"
Let us assume that you have an Ubuntu server with two network devices: the WAN device eth0 and the LAN device eth1. With iptables we redirect forwarded packets to userspace:
# sudo iptables -A FORWARD -j NFQUEUE --queue-num 0
Create an l7-filter config file in your favorite editor
sudo vi /etc/l7_filter.conf
and add some protocols.
The list of all supported protocols can be found here. From the config we can read that l7-filter will assign mark 5 to the packets of the ssh protocol and mark 6 to the bittorrent packets.
Start l7-filter in debugging mode:
l7-filter -vv -f /etc/l7_filter.conf
On your LAN client run a bittorrent session or make an ssh connection to an external server. If everything goes fine, l7-filter will recognize your traffic and report it on standard output.
Now we are able to mark the connections. The next step is to set up the traffic control. For this you can use the HTB packet scheduler.
[to be improved...]
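The following script is an added example and is not part of the original article or of the l7-filter project. It writes the config described above (ssh gets mark 5, bittorrent gets mark 6) and builds the HTB traffic control tree that the article leaves open. It assumes the userspace l7-filter config format of one "<protocol> <mark>" line per protocol, and that the userspace filter sets the connection mark (CONNMARK), so a --restore-mark rule is needed before tc's fw filter can see the mark on each packet. The class layout, the interface name and the rates are my choices, not the author's; by default the script only prints the commands, and runs them when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original article: write the l7-filter config
# that gives ssh mark 5 and bittorrent mark 6, copy the connection mark onto
# each packet, and build an HTB tree on the LAN device that uses those marks.
# Assumptions: the userspace l7-filter config format is "<protocol> <mark>"
# per line, and l7-filter sets the connection mark, so CONNMARK --restore-mark
# must run before tc's fw filter can match on the packet mark.
# Prints the commands (dry run) unless APPLY=1.
LAN_DEV="${LAN_DEV:-eth1}"         # device facing the LAN clients
LINK_RATE="${LINK_RATE:-10mbit}"   # total rate shaped on LAN_DEV
BT_RATE="${BT_RATE:-1mbit}"        # guaranteed rate for bittorrent (mark 6)
BT_CEIL="${BT_CEIL:-4mbit}"        # ceiling for bittorrent
APPLY="${APPLY:-0}"

# run: execute the command when APPLY=1, otherwise just print it
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# l7_config: body of /etc/l7_filter.conf, one "<protocol> <mark>" per line
l7_config() {
    printf 'ssh 5\nbittorrent 6\n'
}

# write_l7_config: install the config at the given path (article's default path)
write_l7_config() {
    l7_config > "${1:-/etc/l7_filter.conf}"
}

# mark_commands: make the connection mark set by l7-filter visible to tc
mark_commands() {
    run iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
}

# tc_commands: three HTB classes: 1:5 interactive (ssh, mark 5, highest prio),
# 1:10 default for everything unmarked, 1:20 bittorrent (mark 6, rate-limited);
# the fw filters map the packet marks onto those classes
tc_commands() {
    run tc qdisc del dev "$LAN_DEV" root 2>/dev/null || true
    run tc qdisc add dev "$LAN_DEV" root handle 1: htb default 10
    run tc class add dev "$LAN_DEV" parent 1: classid 1:1 htb rate "$LINK_RATE"
    run tc class add dev "$LAN_DEV" parent 1:1 classid 1:5 htb rate 512kbit ceil "$LINK_RATE" prio 0
    run tc class add dev "$LAN_DEV" parent 1:1 classid 1:10 htb rate 4mbit ceil "$LINK_RATE" prio 1
    run tc class add dev "$LAN_DEV" parent 1:1 classid 1:20 htb rate "$BT_RATE" ceil "$BT_CEIL" prio 2
    run tc filter add dev "$LAN_DEV" parent 1: protocol ip handle 5 fw flowid 1:5
    run tc filter add dev "$LAN_DEV" parent 1: protocol ip handle 6 fw flowid 1:20
}

# setup_all: the full sequence; run it as root with APPLY=1 on the router
setup_all() {
    if [ "$APPLY" = "1" ]; then write_l7_config; fi
    mark_commands
    tc_commands
}
```

Run it first without APPLY to review the generated tc and iptables commands, then with APPLY=1 on the router. The restore-mark rule sits in the mangle POSTROUTING chain so that every packet of a connection already classified by l7-filter carries the mark when it reaches the egress qdisc on eth1.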
You can start l7-filter automatically by adding a line to /etc/rc.local (the config path must match the file created above):
nohup /usr/local/bin/l7-filter -f /etc/l7_filter.conf &
Warning! This is a dangerous solution on a production server. If the program terminates unexpectedly, your users will be cut off from the Internet, because packets queued to NFQUEUE are dropped while no userspace program is listening on the queue. You should set up some kind of monitoring for the l7-filter process.
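As an added example of the monitoring the warning asks for (my code, not the author's or the project's), the watchdog below checks whether l7-filter is alive and, if it is not, either restarts it or, with the fail-open policy, removes the NFQUEUE rule from the article so that forwarded traffic keeps flowing unclassified instead of being dropped. The binary path, config path and queue rule are the ones used in this article; the policy names and the decide/apply split are my own. It prints the commands unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original article: a watchdog for the l7-filter
# process started from rc.local. When the process is gone it either restarts
# it or, with the fail-open policy, deletes the NFQUEUE rule so forwarded
# traffic keeps flowing unclassified instead of being dropped.
# Assumes the binary, config path and queue rule used in the article.
# Prints the commands (dry run) unless APPLY=1.
L7_BIN="${L7_BIN:-/usr/local/bin/l7-filter}"
L7_CONF="${L7_CONF:-/etc/l7_filter.conf}"
QUEUE_RULE="FORWARD -j NFQUEUE --queue-num 0"
APPLY="${APPLY:-0}"

# run: execute the command when APPLY=1, otherwise just print it
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# l7_running: succeeds when an l7-filter process exists (pidof from procps)
l7_running() {
    pidof l7-filter >/dev/null 2>&1
}

# decide_action: map process state (up/down) and policy (restart/fail-open)
# to an action name; kept free of side effects so it can be tested without root
decide_action() {
    state="$1"
    policy="$2"
    if [ "$state" = "up" ]; then
        echo none
    elif [ "$policy" = "fail-open" ]; then
        echo fail-open
    else
        echo restart
    fi
}

# apply_action: carry out the chosen action and record it in syslog
apply_action() {
    case "$1" in
        restart)
            run logger -t l7-watchdog "l7-filter not running, restarting"
            run sh -c "nohup $L7_BIN -f $L7_CONF >/dev/null 2>&1 &"
            ;;
        fail-open)
            run logger -t l7-watchdog "l7-filter not running, removing NFQUEUE rule"
            # deleting the rule lets FORWARD traffic bypass the dead queue
            run iptables -D $QUEUE_RULE
            ;;
        none)
            ;;
    esac
}

# check_once: one watchdog pass; call it from cron or from a loop such as
#   while true; do check_once restart; sleep 10; done
check_once() {
    policy="${1:-restart}"
    if l7_running; then state=up; else state=down; fi
    action=$(decide_action "$state" "$policy")
    apply_action "$action"
    echo "$action"
}
```

With the fail-open policy the NFQUEUE rule has to be added back by hand once l7-filter is running again; the restart policy keeps the rule in place and so keeps the short outage that the article warns about.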
You will notice that the filter uses a significant amount of system resources. You can save some computation time and memory by narrowing the forwarding rule.
For example, if you plan to shape the outgoing peer-to-peer connections, it is a good idea to add a port-specific selection to the userspace redirection rule
sudo iptables -A FORWARD -i eth0 -p tcp --dport 1024: -j NFQUEUE --queue-num 0
which passes to the filter only the packets whose destination port is 1024 or higher.
I will improve this article, so please subscribe to the feed. If you have any questions or comments, don't hesitate to drop me a message.
Please read the home page of the userspace L7-filter, especially the section on why it is a bad idea to use packet filtering for service blocking.
7:50 AM
Sunday, January 27, 2008
This is a short guide on how to set up a transparent caching proxy on Ubuntu Server. Basically, there are two reasons why you may be interested in setting up a Squid proxy: to speed up your web access and to save bandwidth. Let us assume that you have already set up a Linux gateway using iptables. It is possible to run Squid on Windows too, but unfortunately it is extremely hard to find hardware on which Windows is able to survive more than one week. In other words, Windows is out of the scope of this article.
The first step is to install Squid 3:
apt-get install squid3
Edit the Squid 3 configuration file in your favorite editor
sudo vi /etc/squid3/squid.conf
and set the transparent mode and the allowed hosts:
http_port 3128 transparent
acl our_networks src 192.168.0.0/24
acl localnet src 127.0.0.1/255.255.255.255
http_access allow our_networks
http_access allow localnet
where 192.168.0.0/24 is the IP range of the local network. Keep these allow lines before the final deny-all http_access rule of the default configuration, so that clients outside your network are still refused. Probably you need to adjust the swap (disk cache) size
cache_dir ufs /var/spool/squid3 7000 16 256
where the first number denotes the size of the cache in megabytes. Save your changes and restart the Squid proxy with
sudo /etc/init.d/squid3 restart
For more detailed configuration read the Squid manual or check the configuration examples on the Squid wiki.
Remember, the memory and processor usage of Squid is a function of the swap size.
Last but not least, we need to redirect the HTTP traffic to your new shiny proxy:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
where eth1 and eth0 are the LAN and WAN devices and 192.168.0.1 is the IP address of your LAN device. Note that the second rule also sends port 80 connections arriving on the WAN device to the proxy; the http_access rules above are what prevents Squid from serving clients outside your network, so verify them before enabling that rule.
After all this, you will probably feel the need to monitor the performance of your proxy. Unfortunately, most of the Squid log parsers in the Ubuntu repository are configured for Squid 2.x. However, Squid 3 uses the same log format, so you can change the log file path in your parser's config file (sarg, calamaris, etc.) or simply link the log directory of Squid 3 to the expected path
ln -s /var/log/squid3 /var/log/squid
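If you want a quick check before installing a full log parser, the script below is an added example (my code, not the article's or Squid's) that summarises a Squid access.log in the default native format, whose fields are: timestamp, elapsed milliseconds, client address, action/HTTP status, bytes, method, URL, user, hierarchy/peer and content type. It reports the cache hit ratio, the bytes served from cache versus fetched from the origin, and the requests Squid denied per client, which is where a misconfigured http_access rule or a host trying to use the proxy from the wrong side shows up. The log lines inside sample_log are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a Squid 3
# access.log in native format to see whether the transparent cache is
# actually serving hits and whether any clients are being denied.
# The log lines below are constructed sample data.

# sample_log: five constructed access.log lines in Squid's native format
sample_log() {
    cat <<'EOF'
1201432000.123    120 192.168.0.5 TCP_HIT/200 2345 GET http://example.com/ - NONE/- text/html
1201432001.456    890 192.168.0.6 TCP_MISS/200 10240 GET http://example.org/big.iso - DIRECT/198.51.100.7 application/octet-stream
1201432002.789     45 192.168.0.5 TCP_MEM_HIT/200 512 GET http://example.com/logo.png - NONE/- image/png
1201432003.012    300 192.168.0.7 TCP_MISS/404 400 GET http://example.net/missing - DIRECT/203.0.113.9 text/html
1201432004.345     10 192.168.0.6 TCP_DENIED/403 1200 CONNECT evil.example:443 - NONE/- text/html
EOF
}

# hit_ratio: percentage of requests (any action containing HIT) served from
# cache, read from stdin; denied requests count against the ratio
hit_ratio() {
    awk '{ total++; split($4, a, "/"); if (a[1] ~ /HIT/) hits++ }
         END { if (total == 0) print 0; else printf "%d\n", hits * 100 / total }'
}

# cache_bytes: bytes delivered from cache versus bytes fetched on a miss
cache_bytes() {
    awk '{ split($4, a, "/"); if (a[1] ~ /HIT/) c += $5; else if (a[1] ~ /MISS/) m += $5 }
         END { printf "hit_bytes=%d miss_bytes=%d\n", c, m }'
}

# denied_by_client: count of TCP_DENIED requests per client address
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED/ { n[$3]++ } END { for (c in n) print c, n[c] }' | sort
}
```

On the proxy itself pipe the real log into the functions, for example with `hit_ratio < /var/log/squid3/access.log`. The three functions read standard input so they also work on a `tail -f` stream while you watch the cache warm up.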
11:53 AM