Auto update iptables DDWRT

custom script:

wan=`nvram get wan_ipaddr`
last=`cat /tmp/last_wan_ipaddr`
echo "WAN IP: $wan" > /tmp/ipv6forward.log
echo "Last WAN IP: $last" >> /tmp/ipv6forward.log
# Check if IP is updated
if [ "$wan" != "$last" ]; then
  echo "New WAN IP detected." >> /tmp/ipv6forward.log
  # If this is the first time script is adding rules, add a FILTER rule that accept the DNAT FORWARD rule
  if [ -f /tmp/last_wan_ipaddr ]; then
    # Not first time, delete old DNAT
    iptables -t nat -D PREROUTING -j DNAT -d $last -p 41 --to-destination >> /tmp/ipv6forward.log    
    # First time, wait for router to settle (ddwrt will clear iptables on startup)
    sleep 30
    # Remove DROP policy
    iptables -t filter -D FORWARD -j DROP >> /tmp/ipv6forward.log
    # Add DNAT rule
    iptables -t filter -A FORWARD -j ACCEPT -p 41 -d >> /tmp/ipv6forward.log
    # Add DROP polocy (last place)
    iptables -t filter -A FORWARD -j DROP >> /tmp/ipv6forward.log
  iptables -t nat -A PREROUTING -j DNAT -p 41 -d $wan --to-destination >> /tmp/ipv6forward.log
  # write wan_ipaddr to tmp
  echo $wan > /tmp/last_wan_ipaddr

startup script:

nvram get rc_custom > /tmp/
chmod +x /tmp/


* * * * * root /tmp/

Roundcube and automatic addressbook

With automatic addressbook plugin on roundcube, I could not create the MYSQL table. I’m running Ubuntu 10.04 LTS, with mysql-server 5.1.41. Got error message:

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--!40008
)' at line 15

Found this solution at

Use this command to create table:

CREATE TABLE `collected_contacts` (
  `contact_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `changed` datetime NOT NULL DEFAULT '1000-01-01 00:00:00',
  `del` tinyint(1) NOT NULL DEFAULT '0',
  `name` varchar(128) NOT NULL,
  `email` varchar(128) NOT NULL,
  `firstname` varchar(128) NOT NULL,
  `surname` varchar(128) NOT NULL,
  `vcard` text,
  `user_id` int(10) unsigned NOT NULL DEFAULT '0',
  PRIMARY KEY (`contact_id`),
  KEY `user_collected_contacts_index` (`user_id`,`email`),
  CONSTRAINT `collected_contacts_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`user_id`) ON DELETE CASCADE ON UPDATE CASCADE

Upstart script with command in screen as specified user

My brother runs his own minecraft server. He would like to have it started after boot up, inside a screen, as his own user. The way, he can reattach the screen and do administration on the minecraft server. The server runs a minimal install of Debian.

Add this to rc.local

# Upstart for minecraft server
# change directory
cd /home/minecraft
# start server inside screen as user minecraft
su minecraft -c "screen -d -m java -Xms950M -Xmx950M -jar minecraft_server.jar nogui"

Make rc.local executable

chmod +x /etc/rc.local

If “-d -m” is omitted in the screen command, it will try to attach to a tty. This will fail, either because it does not have access to root’s tty, or because no tty exists.

NFS4, hard links and backintime

After a kernel update, I noticed my backups in backintime took very long time. The backups also didn’t increment, every single backup used the same space -> several GB. Incremental backups should only take some MB, the amount of data that have been changed.

First I thought this was a bug in BIT, then zfs-fuse, but the error was in NFS4. When logged in to the server, I could create hard links. NFS4 could not do hard links. If I changed mount options to NFS3, hard links worked. But I don’t want to use NFS3 since NFS4 got username/id linking, so you don’t need the same userids on all of your systems. Seems like this is also why hard links didn’t work. Not sure if the error is because the new kernel does not enable idmapd by default, or if /etc/default/nfs-common was changed in the update. Anyhow, be sure that NEED_IDMAPD equals to yes in /etc/default/nfs-common on both server and clients.


getmail, spamassasin and dovecot deliver(LDA)

Checking incoming mail from getmail for spam isn’t hard when you already have spamassasin configured. Here is a sample getmailrc.

type = SimplePOP3Retriever
server =
username = uname
password = pword

type = Filter_external
path = /usr/bin/spamc

type = MDA_external
path = /usr/lib/dovecot/deliver
arguments = ("-d", "")

delete = true
message_log = /var/log/getmail.log

LXC container and default route

After I installed a new switch, attached to my router, I got some bizarre network problem with my server. The server that host this website, was not available from the Internet. I could browse the website from LAN, but not from outside the router.

I tried taking away the new switch, changing the port forward, upgrading the router firmware. Nothing helped. By a lucky shot, I tried to reach the Internet with ping from inside the LXC host. “No route to host”.

I imagine I have restarted the server earlier, and I assume that something must have set the default route earlier. But now I was not able to find any of this setting inside the LXC host. “grep -i “default gw” /etc/*” did not find anything.

So, simple fix:
add "route add default gw x.x.x.x" to /etc/rc.local
chmod +x /etc/rc.local

monit – monitor your services

After I got my home server up running, I was looking for a easy way to monitor it services. Earlier I’ve used MRTG, Smokeping, Cacti and similar, but this time I was looking for something really easy and lightweight. The graphs in MRTG and similar is useful to have, but my main focus was to monitor the health of a service and alert if it’s not.

When I found Monit, I understood that monitor software with web front end, graphs and user management(Zabbix, Zenoss core, with more) was an total overkill for my task. Monit is easy to use, repairs the faulty service and have a nice web front end to see the current status.


Since Monit comes with Ubuntu, it’s easy:

apt-get install monit

Edit monit to start. Change startup=0 to startup=1

nano /etc/default/monit

Edit /etc/monit/monitrc. The file is self explainable and there is good documentation on My stripped file looks like this:

set daemon  120           # check services at 2-minute intervals
with start delay 60  # optional: delay the first check by 1 minute
set logfile syslog facility log_daemon
set mailserver localhost,               # primary mailserver
set mail-format { from: } # some mailservers bounce domains not found in DNS
set alert
set httpd port 2812 and
use address localhost  # only accept connection from localhost
allow localhost        # allow localhost to connect to the server and
allow monit:passwd   # allow user monit with password passwd
include /etc/monit/conf.d/* # include conf files

I then created files in /etc/monit/conf.d. Here is my localhost file.

check system localhost
if loadavg(5min) > 4 then alert
if loadavg(15min) > 2 then alert
# filesystems
check filesystem root with path /
if space usage > 80% then alert
check filesystem home with path /home
if space usage > 95% then alert
# cron
check process cron with pidfile /var/run/
start program = "/etc/init.d/cron start"
stop  program = "/etc/init.d/cron stop"
if 5 restarts within 5 cycles then timeout
# sshd
check process sshd with pidfile /var/run/
start program = "/etc/init.d/ssh start"
stop program = "/etc/init.d/ssh stop"
if failed port 22 protocol ssh then restart
if 5 restarts within 5 cycles then timeout
#  samba
check process smbd with pidfile /var/run/samba/
start program = "/etc/init.d/smbd start"
stop  program = "/etc/init.d/smbd stop"
if failed host port 139 type TCP  then restart
if 5 restarts within 5 cycles then timeout
#  nfs
check host server.lan with address
start = "/etc/init.d/nfs-kernel-server start"
stop = "/etc/init.d/nfs-kernel-server stop"
if failed port 2049 then restart

Services are automagically restarted and you are alerted by email if pid file does not exist, or there is no running service with that pid. If statements holds extra tests for services, and services without pid file can be watched by checking the service over network.

Also services on the network can be watched. Here is another server I’m watching:

check host with address
if failed port 143 proto imap with timeout 2 seconds then alert
if failed port 465 type tcpssl proto smtp with timeout 2 seconds then alert
if failed url with timeout 2 seconds then alert

Restart monit.

service monit restart

Look for errors.

tail /var/log/syslog

If you get error message /etc/monit/conf.d/host:12: Error: syntax error ‘=’, change all instances of ” with ".

Thats it!