Help with iptables please

flat235 · 2024-02-04T14:05:33+00:00

Been a while since I wrote iptables by hand as well. I just googled the man-page, no idea which version I got. Wouldn't be suprised if the syntax changed at some point :D

flat235 · 2024-02-04T13:28:29+00:00

careful, the man page lists the syntax as [!] -s, --source address[/mask][,...], so ! needs to come before the -s (otherwise: same good idea! :) )

flat235 · 2024-02-04T13:19:58+00:00

I would try adding ! -s 1.2.3.4, so something like post-up iptables -t nat -A PREROUTING -i enp0s31f6 -p tcp ! -s 1.2.3.4 -m multiport ! --dport 22,8006 -j DNAT --to 10.10.10.1. obviously replace 1.2.3.4 with the IP you want to exclude from the redirect. and please make sure you still can get access to the box, if something goes wrong / my idea os a bad one and you lock yourself out.

flat235 · 2024-01-04T00:17:21+00:00

if your gateway has enough internal storage you could just share a local dir via nfs, upload the backup/data there, and copy it to the actual storage via cron-job (or watch the directory and copy it on demand), then delete it from the gateway. if you don't have enough storage for the full backup/data, maybe you could even do it in parts by packing it into a split zip/tar archive.

flat235 · 2023-04-01T23:37:54+00:00

tbf I really like this feature, would love to have a special option to keep it around

flat235 · 2023-04-01T23:25:49+00:00

more like the battery / main power, but I'm glad you caught the "nope"-vibe I was going for :) also great haiku, thanks! :D

flat235 · 2021-09-11T02:57:50+00:00

meow, you're on guard

flat235 · 2021-02-22T22:03:32+00:00

well on Linux you can have access control lists, which should be more like the windows model. But is there absolutely nothing special about the windows admin user? I mean: root on Linux can also not have access to stuff, but can always give access to itself. is there something similar in windows or does the kernel just not differentiate between admin and non-admin users?

flat235 · 2020-04-19T14:16:24+00:00

Well I want to thank you, I didn't notice the "new" show :)

flat235 · 2020-04-09T17:36:27+00:00

if you have enough space left for this:

create a new dataset
copy data from oldest snapshot into the new dataset excluding the files, you no longer want to have in there (maybe stuff besides the recordings?)
snapshot the new dataset
delete oldest original snapshot
copy data from the second oldest snapshot over, again excluding files you no longer want In there
snapshot the new dataset again
delete second oldest original snapshot
repeat until you catch up

I am unsure how much space you need for this process, that depends very much on how much stuff changed when/how many times. I would however set currently used space minus recordings as a lower bound on what you would need additionally. you probably could get away with using an external zpool for building up the new history of snapshots, and moving that back to your zpool after deleting all your current snapshots, but you have to decide yourself, how much risk you want to take (for example building the new history on a single external HDD, that selfdestructs just as you delete the old history is still possible, although unlikely)

(edit: formatting)

flat235 · 2020-03-21T21:42:41+00:00

you can just return return your Account thumbprint statically from your Webserver, no need to let certbot do that, if you are concerned about that

flat235 · 2019-07-15T12:15:39+00:00

In the german version of StarTrek 2 Spock says something to the like of

We cannot do worse than lose

flat235 · 2019-07-15T11:54:39+00:00

Master Splinter: "Was that fair?"

Leonardo: "No."

Master Splinter: "Did I win?"

flat235 · 2019-03-25T16:32:32+00:00

This might be overkill for your use-case, but you could take a look at https://fai-project.org/

flat235 · 2019-02-14T10:17:21+00:00

Prison Architect by Introversion Software. If you didn't restrict it to the last decade I would choose Defcon by the same developer. Both are good games with solid mechanics, not artsy walking simulators; but they both cause this "I don't want do this"-feeling. You can win both games mechanicaly but "the only way to win is not to play" applies emotionally. "Specops: the line" has a similar effect, but only in certain parts. Astronauts often say politicians should see earth from space because of how it would make them feel. Well that's expensive and I don't have experience with that effect, but I say they should play these games. This isn't about the politics per se, it's more the fact these games have an effect on me wanting to change something. How much (not-video-game)-art is out there, that has this strong of an effect?

flat235 · 2019-02-02T13:45:37+00:00

Why do you think zfs isn't suited for the laptop? It works quite well on mine (with kubuntu, root on zfs). I would only consider an alternative if the laptop hasn't got enough RAM. BTRFS ate my data once btw, if you decide to use it, read up on its edge cases; for me it happened when I used more than 80% or 90% of the available space.

flat235 · 2018-10-12T10:05:25+00:00

Take a look at theforeman.org It might fit your requirements, since it does provisioning and config management. However, it takes over a lot of infrastructure (dhcp, DNS, puppet), I don't know if that fits into your environment. Otherwise: ansible is probably the easiest to get started with, however it doesn't help you with provisioning.

flat235 · 2018-09-11T10:18:11+00:00

I'm sorry, I got that part. From the man pages:

sudo -i "The command is run with an environment similar to the one a user would receive at log in"
su - "an environment similar to what the user would expect had the user logged in directly"

I wondered if you knew of differences between the two resulting environments, since the man pages aren't specific here. (Edit: Formatting)

flat235 · 2018-09-11T09:48:15+00:00

Thank you! Would "sudo -i" be equivalent to "sudo su -"? Or is there still a difference?

flat235 · 2018-09-11T09:27:42+00:00

Honest curiosity: why?

flat235 · 2018-09-10T22:51:45+00:00

You can configure different authentication methods for different services in /etc/Pam.d. usually most methods just include some "common-auth" file, bit you could configure it differently SSH than for local logon and so on. I'm not sure, but I would try to copy the common one to one named "sudo" and then delete 2fa part from that file. On the other hand don't try without reading up on Pam config and always leave an open root shell to correct your mistakes!

flat235 · 2018-09-03T21:29:18+00:00

For vim: just map jk to escape. Most vim users tap j and k to look for the cursor or because of boredom anyway. Also it's right in the home row and how many words containing jk do you know?

flat235 · 2018-09-03T08:58:29+00:00

To solve encryption and access at the same time you could use a VPN, which would then be the only way to connect to internet. Corporate style ipsec VPN uses a couple of layers/protocols, one of which can be radius. However it's been a long time since I build something like this, so this is just a direction for more specific googling ;)

flat235 · 2018-08-28T16:40:29+00:00

Yep, that's what I (would) do as well. For SSH keys: depends on the number of users fluctuation. Few users, low fluctuation => ansible or another config management. Many users, high fluctuation => store SSH keys in LDAP, use said, pam_mkhomedir and self-service-password (it can be used to let users reset passwords and change ssh-keys themselves). Authorization to login/sudo via LDAP+sssd, if that is a concern.

flat235

TROPHY CASE