David Ramsden – Network engineer, general geek, petrol + drum and bass head
10Jun/12

Editing Cisco IOS ACLs

If you've administered Cisco PIX or ASA security appliances, you'll know how easy editing ACLs is. If you want to insert a new rule into an existing ACL, you can place it exactly where you want. For example:

access-list outside_access_in line 12 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80

This inserts the rule at position 12 of the outside_access_in ACL, pushing the existing rule at position 12 down to position 13 and shifting every rule that follows down by one.

In Cisco IOS there's no obvious way to do this when working with ACLs. A lot of the time people will copy the ACL out, edit it in a text editor, "no access-list" the ACL and then paste in the modified ACL. That does work, but it can be risky when working remotely because it's easy to lock yourself out of the IOS device, which can happen if you don't remove the ACL from its interfaces before deleting it.

But you can edit ACLs in place on the IOS device itself when using an extended ACL. Let's create one:

(config)# access-list 100 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
(config)# access-list 100 deny ip any any log

If you view this ACL you'll notice line numbers:

(config)#do sh access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log

Let's say you need to add another rule before the deny (sequence number 20). Enter configuration mode for the extended ACL:

(config)# ip access-list extended 100

Now you can insert a new rule by specifying a sequence number less than the deny rule (which is sequence 20):

(config-ext-nacl)# 15 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
(config-ext-nacl)# exit

If you view the ACL you'll see the new rule:

(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    15 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
    20 deny ip any any log

You can now resequence the ACL so that the sequence numbers are evenly spaced again. For example, if you want them to start at 10 and go up in increments of 10:

(config)#ip access-list resequence 100 10 10
(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
    30 deny ip any any log

If you want to delete a specific rule:

(config)#ip access-list extended 100
(config-ext-nacl)#no 20
(config-ext-nacl)#exit
(config)#ip access-list resequence 100 10 10
(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log
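As an added helper (not from the post), this Python script parses the show output above, chooses a free sequence number in front of the target entry and emits the IOS commands for an in-place insert, resequencing first when no number is free between the neighbours:

```python
import re

# Constructed sample: the 'show ip access-list 100' output quoted in the post.
SHOW_OUTPUT = """Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log
"""

def parse_acl(show_output):
    """Return (acl_name, [(seq, rule), ...]) from IOS 'show ip access-list' text."""
    lines = show_output.strip().splitlines()
    m = re.match(r"Extended IP access list (\S+)", lines[0])
    if not m:
        raise ValueError("expected an extended IP access list")
    entries = []
    for line in lines[1:]:
        seq, rule = line.strip().split(" ", 1)
        entries.append((int(seq), rule))
    return m.group(1), entries

def resequence(entries, start=10, step=10):
    """Mirror 'ip access-list resequence <acl> <start> <step>': same order, new numbers."""
    return [(start + i * step, rule) for i, (_, rule) in enumerate(entries)]

def insert_commands(show_output, rule, before_seq, start=10, step=10):
    """Emit the IOS config commands that insert `rule` immediately before the
    entry numbered `before_seq`, without ever removing the ACL from the device.
    When no sequence number is free in front of that entry, resequence first."""
    name, entries = parse_acl(show_output)
    idx = [seq for seq, _ in entries].index(before_seq)  # ValueError if absent
    prev_seq = entries[idx - 1][0] if idx else 0
    cmds = []
    if before_seq - prev_seq < 2:
        # No gap left (e.g. 10 and 11): renumber, then recompute the neighbours.
        cmds.append(f"ip access-list resequence {name} {start} {step}")
        entries = resequence(entries, start, step)
        before_seq = entries[idx][0]
        prev_seq = entries[idx - 1][0] if idx else 0
    new_seq = (prev_seq + before_seq) // 2   # 10 and 20 -> 15, as in the post
    cmds += [f"ip access-list extended {name}", f"{new_seq} {rule}", "exit"]
    return cmds

if __name__ == "__main__":
    for cmd in insert_commands(SHOW_OUTPUT, "permit tcp host 1.1.1.1 host 2.2.2.2 eq 443", 20):
        print(cmd)
```

Paste the emitted lines into config mode; the ACL stays applied to its interfaces throughout, so the lockout risk of the "no access-list" approach does not arise.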

10Jun/12

Unable to Check Out Files, Create or Edit Pages in SharePoint

I recently had an issue with a SharePoint site where, sometime over the weekend, the entire site broke and wouldn't let anyone check files out of document libraries, upload new files, or edit or create pages.

The Check Out option on files was completely missing. Options under Site Settings were completely missing. When users opened Word and Excel documents from document libraries and tried the Check Out option from there, they'd be repeatedly prompted for authentication. I spent a long time checking permissions within SharePoint, checking service accounts, using Wireshark, etc., but couldn't find the cause.

Eventually I happened to notice that the entire site was locked, in read-only mode. But how did it get like this? There are only four administrators who can do this, and no one logged in over the weekend and made any changes. I then happened to read that as of WSS 3.0/MOSS 2007 SP2, when using the backup option of stsadm, the site is automatically locked. Prior to SP2 it was only recommended that you did this. It's now enforced.

The problem appears to be that if the backup fails for whatever reason, the site stays locked. To check if the site is locked:

stsadm -o getsitelock -url http://spsite

To unlock the site:

stsadm -o setsitelock -url http://spsite -lock none

If you read the Microsoft TechNet documentation for the setsitelock operation of stsadm, you'll notice that it does mention that the backup now locks the site. You can force the backup to not lock the site. I've modified our backup routine so that a setsitelock operation is always run after a backup, regardless of whether the backup was successful or not.

2Feb/12

Virtual Hosting With mod_proxy

The other day I had someone ask if there's a nice solution to the following problem:

Multiple web development virtual machines but only one external IP address.

The quick solution is to port forward different ports to each virtual machine. For example, 81 goes to VM1, 82 goes to VM2, 83 goes to VM3, etc. Granted, that would work, but it isn't a "neat" solution.

Using mod_proxy under Apache is a much better solution to this problem.

Deploy a "front-end" server running Apache and mod_proxy. Create a virtual host for each backend virtual machine and use mod_proxy to reverse proxy that virtual host to its machine. Port forward from the WAN to your front-end Apache server running mod_proxy.

Here's what an example config would look like on the front-end Apache server:
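The post's own config did not survive on this page; what follows is an added example of such a front-end configuration (not the author's), assuming Apache 2.2-style module paths and the two hostnames and internal addresses the post names:

```apache
# Added example, not the post's own config. Front-end Apache with mod_proxy,
# reverse proxying two name-based virtual hosts to internal web VMs.
# Module paths are an assumption; they vary by distribution.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Required on Apache 2.2 for name-based vhosts; 2.4 ignores it with a warning.
NameVirtualHost *:80

# Reverse proxy only: never act as an open forward proxy for the internet.
ProxyRequests Off

<VirtualHost *:80>
    ServerName cust1.dev.domain.com
    # Pass the original Host header so the backend can do its own vhosting.
    ProxyPreserveHost On
    ProxyPass        / http://192.168.0.100/
    ProxyPassReverse / http://192.168.0.100/
</VirtualHost>

<VirtualHost *:80>
    ServerName cust2.dev.domain.com
    ProxyPreserveHost On
    ProxyPass        / http://192.168.0.101/
    ProxyPassReverse / http://192.168.0.101/
</VirtualHost>
```

ProxyPassReverse rewrites Location headers in backend redirects so clients keep talking to the front-end hostname rather than the private address.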

Requests for cust1.dev.domain.com would be reverse proxied to 192.168.0.100 and requests for cust2.dev.domain.com would be reverse proxied to 192.168.0.101. All with one external IP address and one port forward rule.

Just one of the many uses of mod_proxy. You can also use it for SSL bridging and SSL offloading. Neat!

2Jan/12

Creating a HA iSCSI Target Using Linux

Some time ago I created a High Availability iSCSI target using Ubuntu Linux, iscsi-target, DRBD and heartbeat. The HA cluster consisted of two nodes and the iSCSI initiators were Windows Server 2008. I was able to mount the LUN and copy a video to it, play it back and then pull the power from the primary iSCSI target. A few seconds later the second iSCSI target took over and video continued to play.

Pretty cool, huh?

Here is my guide if you want to try this, although I've not gone back through it to make sure it's still correct. If you spot anything that's wrong or not very clear, please leave a comment.

30Dec/11

Nitter 2.0.1 Available – Fixes DMs

A very quick (and rare) update on my blog!

Since 25th May 2011, my Nitter script has been broken due to a change with the Twitter API. OK, so the problem was actually Net::Twitter::Lite, so the changes to my script have been minimal as I've switched over to Net::Twitter (3.18001), which supports the new way of requesting friend and follower IDs.

You can grab Nitter 2.0.1 from the usual place.

Happy New Year! Hopefully you won't update Nitter and then be bombarded with alerts from your NOC over the holidays.

1Feb/11

MySQL Multi-Master Replication Guide

I've created a new guide on how to configure multi-master replication for MySQL. The configuration should also be compatible with MySQL 6.0.

You can find it here.

17Aug/10

VMware says “There are no un-bridged host network adapters”

I needed a second bridged connection in VMware Workstation but kept getting the error "Cannot change network to bridged: There are no un-bridged host network adapters".

Looks like quite a few people have had this issue too but with no resolution, apart from hitting the "Restore Default" button, which didn't actually solve it anyway. The solution is very simple.

Open the Virtual Network Editor. The VMnet0 adapter by default will be Bridged and the external connection will be Auto-bridging. This is the problem. Change VMnet0 so that it uses a specific network interface. You can then create another bridged VMnet adapter.

14Aug/10

Catching Up With An Old Friend, Ubuntu.

Since getting my iPhone some 18 months ago, I hardly turn on my desktop PC. I can do almost anything that I need to do on my iPhone. As a result my desktop PC had fallen into a state of ruin. Last night I decided to try to tidy it up a little.

My desktop PC started out with Ubuntu 8.04 and I've upgraded each time a new release came out. As a result it had accumulated a lot of crap throughout the years. So I removed X and a lot of the CLI bits and bobs that I'd installed, stripping it back to as close to a bare metal install as possible. Then I used tasksel to install Ubuntu desktop and went from there.

It's all back up and running and I'm quite impressed with Ubuntu 10.04. I can't speak for other distributions, but Ubuntu has made massive steps in the right direction over the years. I can now plug in my iPhone 4 and Rhythmbox will pop up and allow me to play my iTunes library. And the Gwibber social client is a great replacement for TweetDeck.

It's these simple things that will appeal to your average desktop user. Great work Ubuntu!
