Restrict certain internet traffic to VPN connection (Linux)

Posted by Matthew on October 1, 2013
Posted in: Uncategorized. Tagged: , , , . 3 comments

Update: Looks like Transmission sends traffic out the loopback (lo) interface, to the loopback interface. Seems kind of weird, but it should be harmless. These rules should permit traffic from the vpnroute gid to pass to the tun0 and lo interfaces, but everything else will be rejected. You can also duplicate the last rule with a LOG target if you want to see what is still being rejected.

sudo iptables -A OUTPUT -m owner --gid-owner vpnroute -o tun0 -j ACCEPT

sudo iptables -A OUTPUT -m owner --gid-owner vpnroute -o lo -j ACCEPT

sudo iptables -A OUTPUT -m owner --gid-owner vpnroute -j REJECT

We recently moved into a new home where we have a shared internet connection with the other occupants of the duplex. I didn’t want to use bittorrent directly, since any nastygrams would end up with the landlord and cause problems, so I signed up for the IPredator VPN service in Sweden. It allows you to make an encrypted and secure connection from your computer to their network, so all of your internet traffic is funneled through the secure connection, making it so that the neighbors, landlord, and internet service provider can’t tell what I’m up to. The VPN was really easy to set up in Ubuntu Linux with the graphical network manager (IPredator provides a visual guide to this process) and the speeds are certainly reasonable.

One downside of this is that if there is a connection hiccup that causes the VPN to drop, the bittorrent software will just fall back to sending data out the regular, unencrypted network interface, potentially exposing your naughty activities to the ISP. I wanted to find a way to effectively say, “only allow bittorrent traffic through the VPN connection” that would step up and protect things if the VPN connection dropped.

On Linux, the standard firewall is called “iptables”, and can do just what we need, in only three commands. But first, a couple of assumptions:

  • I am assuming that you are using the default Ubuntu Linux bittorrent client called “Transmission”, which is executed using the command “transmission-gtk”.
  • When the VPN is connected, it creates a new network interface called “tun0” (“tun” for “tunnel”).

The general plan is to somehow tag the bittorrent traffic so that the iptables firewall can identify the relevant packets, and reject them if they aren’t heading out the secure VPN interface tun0. An easy way is to run your bittorrent program using a different UNIX user or group.

Here, we add a new group called “vpnroute”:

sudo groupadd vpnroute

Then, we add the firewall rule that rejects all traffic from this group that is not heading out tun0:

sudo iptables -A OUTPUT -m owner --gid-owner vpnroute \! -o tun0 -j REJECT

Finally, we start up the bittorrent software with group ownership of vpnroute:

sudo -g vpnroute transmission-gtk

Your torrents should now only run when the VPN is connected. Try it out with some safe torrents, like the Ubuntu ISO files, and make sure that they only download when the VPN is connected, and they should stop right away when you disable the VPN.

If you want to confirm that the firewall rule is actually matching your traffic, you can add a similar rule that does the LOG operation instead of REJECT. You need to ensure that the LOG rule happens first, because after handling the LOG rule the packet keeps going, while a REJECT action won’t let the packet continue down the chain of rules. You can remove the output rule with “sudo iptables -F OUTPUT” (F for Flush), and then:

sudo iptables -A OUTPUT -m owner --gid-owner vpnroute \! -o tun0 -j LOG
sudo iptables -A OUTPUT -m owner --gid-owner vpnroute \! -o tun0 -j REJECT

Then you can check the output of “dmesg” to see when packets are logged (and then rejected) by the firewall.

A good route for driving through Chicago

Posted by Matthew on July 16, 2013
Posted in: Uncategorized. Tagged: , , , , , . 4 comments

Being from the Minnesota/Wisconsin area, but living in Pittsburgh, we tend to drive through Chicago 2-3 times each year. The GPS and online mapping services suggest taking I-90 all the way through Chicago, taking the Chicago Skyway to the Dan Ryan to the Chicago Circle to the Kennedy Expressway to Rockford. While that route is indeed the shortest highway route in terms of distance, it’s almost guaranteed to be very congested with lots of traffic, and ends up being slower in the end compared to other routes.

Over the past five years of driving through Chicago a few times per year, we’ve decided that taking I-290 and I-294 is the best way to bypass as much Chicago traffic as possible, without increasing the overall driving distance too much.

chicago_route_overview

Westbound Route Details – Heading from Indiana to Wisconsin, first you need to exit from the Indiana Toll Road (I-80W / I-90W) onto I-80W / I-94W, which is kind of a goofy right-exit-then-overpass-to-the-left sort of thing:

chicago_route_westbound_indiana

I-94W will peel off after a while and head North into Chicago. The transition from I-80W to I-294N is really easy, as I-80W has to exit and cross over to head further West, while you just stay in the center lanes for the curve toward the North.

The transition from I-294N to I-290W is somewhat tricky, and is usually the only place we encounter any traffic-based slowdown. It’s a silly right-exit loop-under, that sometimes gets backed-up a few hundred feet owing to the slow speeds on the tight loop. Merging with the I-290W traffic isn’t too bad.

chicago_route_westbound_294_to_290

After that, the transition from I-290W to I-90W is a standard cloverleaf loop, and it has some nice protected “feeder” lanes to make your merge really easy.

chicago_route_westbound_290_to_90

Eastbound Route Details – Heading from Wisconsin to Indiana, first you need to exit from I-90E to I-290E, which is a simple right exit, so there’s no picture here.

The transition from I-290E to I-294S is much simpler than the opposite-direction transition loop-around shown above, and is just a simple “keep right” sort of bump around the interchange.

chicago_route_eastbound_290_to_294

The transition from I-294S to I-80E is trivial, as is the interchange where I-94E merges into I-80E. The only tricky bit remaining is near the Indiana state line where you merge from I-80E / I-94E onto I-80E / I-90E, which has a silly cloverleaf bridge thing.

chicago_route_eastbound_indiana

Overall, a pretty easy route, usually with no significant traffic that would be easy to avoid.

There are definitely some tolls along the way, but I think all the Illinois toll plazas have open-road tolling, so get your EZ-Pass and save time and money. If you get your EZ-Pass from Pennsylvania (you don’t have to be a PA resident) and elect for paperless billing and connect your credit card for automatic reloading of funds, there are no monthly or yearly fees!

Quick introduction to homebrewing, written for a friend

Posted by Matthew on July 9, 2013
Posted in: Uncategorized. Tagged: , , , , . Leave a Comment

Last week a friend of mine mentioned that he was going to get started with the world of brewing your own beer, so I wrote up a quick little note to him about my perspective on homebrew. I thought that other people might be interested too, so here it is:

Hey there!

Good luck getting started with homebrewing, it’s a ton of fun! Forgive me if you know some or all of this already, but I thought I’d send you some general info from my perspective after a few years of reading up on and then actually brewing a bunch.

To make beer, you get sugar from barley and add it to some water, boil it for an hour or so, add hops during the boil, then cool it down, add yeast, and let it ferment for a few weeks. Then, either put it in a keg or bottles.

The two main categories of beer, at least from the homebrewing perspective, are ale and lager. Ale yeast ferments best at higher temperatures (65-76 degrees F). Lager yeast ferments best in the 45-55 range, so you need to keep it cooler in order to do lagers. Most homebrewers start by brewing ales, since the temperature requirements are more compatible with most houses. I have a basement storage area that’s pretty constantly 65 degrees that I use for fermenting. I haven’t done a lager yet, but I have had good success brewing an Oktoberfest using ale yeast, that has turned out pretty nice two years in a row. If you want to brew lager styles of beer, many homebrewers get an old chest freezer and an external controller to do that.

Most people who get into homebrewing start with Extract Brewing, where someone else did the hard work of extracting the fermentable sugars from the malted barley. Extract comes in both powder form (dry malt extract, DME) and thick syrupy form (liquid malt extract, LME), but they are functionally equivalent. More advanced brewers have extra equipment and can start from raw malted barley, and extract the sugars themselves, which can be cheaper, and there is a much wider variety of grains available (dozens) than malt extract (4-6 types). I don’t have room for doing all-grain, so I’m sticking with extract brewing until I have a larger home, and I’m perfectly happy with how my beer turns out.

Hops come in dried pellet form (vacuum packed in nitrogen for freshness) generally in increments of an ounce. Most styles will have 1-2 ounces for a 5 gallon batch, but strongly-hopped styles like IPA will have 4+ ounces of hops. Hops add two characteristics: bitterness and aroma. Hops that are added at the start of the boil have all their aroma boil off so they don’t contribute much aroma, but their alpha acids (which require heat and time to activate) add bitterness. Hops that are added at the end of the boil (or even after the boil) don’t have enough time in the heat to contribute much bitterness, but they contribute lots of aroma.

Yeast is either dried (in a packet, which lasts for years) or liquid (in a test tube or foil pouch, which needs refrigeration since it’s perishable). There are only a couple strains available in dried form, but dozens of strains available in liquid form. I like to order extract ingredient kits by mail order, and then pick up the suggested liquid yeast from the friendly local homebrew shop, but also have a couple packets of dry generic ale yeast on hand in case I forget to pick up liquid yeast. You add the yeast after cooling the beer down to room temperature. When I first started I would fill the kitchen sink with ice (or snow, yay winter) and set the pot of boiling wort in the ice, then stir the wort like crazy to cool it down. Last year for Christmas my parents got me a nice copper coil that I can hook up to the cold water tap, so I can chill my wort down from 212F to 80F in about 5 minutes, which is nice.

Fermentation takes 2 weeks or more, depending on the style, and how strong the beer is (how much sugar is in the water). Strong beers generally take more time to ferment. During the fermentation our yeast buddies convert sugar into CO2 and CH3CH2OH (plus other flavors), but we just vent the CO2 to the atmosphere with a one-way airlock. I usually use food-safe 5 gallon plastic pails, since they are cheap and won’t break, but many people like to use large glass 6.5 gallon carboys, since they don’t retain colors or odors from previous batches, and won’t get scratches in the sides (which can be difficult to clean and harbor mean bacteria), but I haven’t had trouble with plastic pails.

After fermentation is finished, you either keg or bottle the beer. I don’t have room for a kegging setup, so I bottle my beer, but I can’t wait until I have room for kegging. With kegs, you just transfer the fermented beer into a clean keg, then use the CO2 tank to force carbonate the beer, and it’s ready to drink within a day or two. With bottles, you need to wash and sanitize 50-some brown glass bottles, then mix in a controlled amount of sugar (called priming sugar) into the beer (which is consumed by the remaining yeast, but this time the CO2 is captured by the bottle cap and carbonates the liquid). Natural carbonation this way takes a week or two, so you have to wait longer to try your beer. Since it’s not pasteurized, homebrew is still “alive” and generally improves with age, like a fine wine. If your beer tastes weird when it’s fresh, give it a few weeks in the bottles to mellow out.

Altogether, homebrewing is fun and pretty easy. It takes about 3-4 hours on brew day, and 2-3 hours on bottle day. While there are several good books (notably the Palmer book and the Papazian book), you can really get away without knowing much about the process, and just following the directions in the extract kits. Sanitation is really the only critical thing in homebrewing, you need to ensure that you clean everything well, and use sanitizer (my friends and I like EZ-Clean and StarSan) on anything that will touch non-boiling beer or wort (that is, you don’t need to sanitize your brewing pot or stirring spoon, as they will have the heck boiled out of them by the end of the hour-long boil). Basically the warm, sweet sugary wort is very tasty for mean bacteria, and we want to make sure our awesome yeasties dominate the culture of the beer, so we need to try to remove as many other microbes from our tools as possible. I’ve never had a batch “go bad” but one of my friends in Pittsburgh had a batch get infected, and he had to toss that batch and really scrub all his equipment to get rid of that nasty microbe.

As far as equipment goes, I’d suggest picking up a starter set of equipment. I have this one: http://www.northernbrewer.com/shop/essential-brewing-starter-kit.html but I’ve added a few parts here and there over the years. I have a 5 gallon (20 quart) stainless steel pot, which works ok on my electric range. Gas ranges work best, since they can dump many joules into the pot (it’s surprisingly difficult to get 3+ gallons to a rolling boil). You can also pick up a float hydrometer, which measures the relative density of the wort, and enables you to estimate the alcohol content of your finished beer. Adding all the sugar at the start makes the wort denser than water (“starting gravity”), and you also measure the density after fermentation (“final gravity”). We assume that the difference in density is due to missing sugar, that the yeast converted into alcohol at a known rate, so we can estimate the % alcohol with this little expression: (SG – FG) * 131.25

I’ve been keeping pretty meticulous records, and in 3.5 years I’ve spent $963 on equipment and ingredients for 21 batches of 5 gallons, which is about 1000 bottles, so I’m below $1/bottle now. My friends and I like to do mail order from Northern Brewer, MoreBeer, and Austin Homebrew (but mostly Northern Brewer, woo Minnesota!). Some places offer flat rate $8-$10 shipping, or we get a bunch of people together to make a big order and split the shipping cost.

Bash script: PWD vs true script location, with symlinks

Posted by Matthew on June 28, 2013
Posted in: Uncategorized. Tagged: , , , , , . 3 comments

I recently needed to keep a Bash script in a centralized location, with many symbolic links to that script sprinkled throughout my repository. I wanted the script be able to determine both the user’s PWD, as well as the true location of the script. Based on all the different suggestions found online, I created a little test script to see how well each suggestion worked:

#!/bin/bash

echo "\$0"
echo $0
echo ""

echo "pwd -P"
pwd -P
echo ""

echo "pwd -L"
pwd -L
echo ""

echo "which \$0"
which $0
echo ""

echo "readlink -e \$0"
readlink -e $0
echo ""

echo "readlink -e \$BASH_SOURCE"
readlink -e $BASH_SOURCE
echo ""

I put this script (test.sh) in ~/ and then created a symlink to it in a different directory. Here are the results.

My friend JT left a comment below to say that using $BASH_SOURCE is probably the better choice than using $0, since $0 can be changed, and is only set equal to the file name by convention.

Directly calling the script from the same directory (/home/matthew/):

matthew@broderick:~$ ./test.sh
$0
./test.sh

pwd -P
/home/matthew

pwd -L
/home/matthew

which $0
./test.sh

readlink -e $0
/home/matthew/test.sh

Directly calling the script from some other directory (/some/other/directory/):

matthew@broderick:~/some/other/directory$ ~/test.sh
$0
/home/matthew/test.sh

pwd -P
/home/matthew/some/other/directory

pwd -L
/home/matthew/some/other/directory

which $0
/home/matthew/test.sh

readlink -e $0
/home/matthew/test.sh

Creating a symlink to ~/test.sh in ~/some/other/directory, and calling it directly (./test.sh):

matthew@broderick:~/some/other/directory$ ln -s ~/test.sh ./test.sh
matthew@broderick:~/some/other/directory$ ./test.sh
$0
./test.sh

pwd -P
/home/matthew/some/other/directory

pwd -L
/home/matthew/some/other/directory

which $0
./test.sh

readlink -e $0
/home/matthew/test.sh

Creating a symlink to ~/test.sh in ~/some/other/directory, and calling it from yet another location:

matthew@broderick:~/some/other/directory$ ln -s ~/test.sh ./test.sh
matthew@broderick:~/some/other/directory$ cd ~/somewhere/else
matthew@broderick:~/somewhere/else$ ~/some/other/directory/test.sh
$0
/home/matthew/some/other/directory/test.sh

pwd -P
/home/matthew/somewhere/else

pwd -L
/home/matthew/somewhere/else

which $0
/home/matthew/some/other/directory/test.sh

readlink -e $0
/home/matthew/test.sh

Conclusion:
So, it looks like “readlink -e $0” will always return the full, non-symlink, “physical” location of the script (regardless of whether or not symlinks are involved). Looks like “pwd” returns the user’s current working directory reliably.

Slides from “Intro to Inkscape” presentation

Posted by Matthew on May 31, 2013
Posted in: Uncategorized. Tagged: , , , , . Leave a Comment

One of my favorite pieces of open source software is the vector graphics editor called Inkscape. While traditional graphics editing programs such as Photoshop or The Gimp are merely manipulating a rectangular grid of colored pixels, vector graphics tools use complicated mathematical descriptions of the lines, points, and objects in an image, which allows for perfect scaling of the images to any zoom level (among other awesome features). Inkscape is pretty great, and is freely available for Windows, OSX, and Linux. I’ve given an “Introduction to Inkscape” presentation a few times, and thought I would post the “slides” here to the blog.

These aren’t like traditional powerpoint slides, be forewarned. Since the best way to learn how to use a program is, well, just to use it, I prepared a handful of Inkscape SVG documents, and just opened each one in Inkscape on the projector during the presentation. This allowed me to demonstrate each new feature introduced, which worked pretty well. The link below is a ZIP archive of 11 SVG files.

Download SVG slides (ZIP 118KB)

00_inkscape_tutorial

Slides from CMU ECE Build18 kick-off speech – Get Excited and Make Things!

Posted by Matthew on May 28, 2013
Posted in: Uncategorized. Tagged: , , , , . Leave a Comment

In the last few years, the Electrical and Computer Engineering department at CMU has worked to develop and improve the spirit of creativity and tinkering. The best example of this is the ever-growing Build 18 [1] program, which is described as:

Build18 is an annual engineering festival held by the Electrical and Computer Engineering (ECE) department at Carnegie Mellon University and run by the ECE SAC and IEEE student organizations.

Build18 was founded out of the belief that the ECE curriculum is too structured – there just isn’t enough room for simply tinkering with electronics and making cool stuff. It’s meant to give ECE students time to work on self-proposed, creative projects and to promote the fun and playful aspects of engineering.

Based on my experience being part of the maker and hacker communities and my membership with HackPittsburgh, I was invited to give a kick-off presentation to inform and inspire the students taking part in the Build 18 “Build Week” in January 2013. These are my slides from that presentation.

get_excited_and_make_things

Build 18: Get Excited and Make Things (PDF, 13MB)

[1] At CMU, each department is assigned a 2-digit number that is used as a prefix to that department’s course numbers in the course catalog; For the ECE department, our number is 18, hence the name Build 18.

High Performance Computing with Graphics Processing Units

Posted by Matthew on May 28, 2013
Posted in: Uncategorized. Tagged: , , , . Leave a Comment

During fall semester 2012 I took a class entitled How to Write Fast Code. Among other techniques and technologies, we learned a lot about using GPUs for solving highly-parallel problems. Since the material is quite interesting, I presented an overview of the subject matter at a HackPittsburgh Friday night talk in January 2013. The slides don’t fully “stand on their own” as I always try to just show images and then explain them in person during the talk, but they may be interesting to look at regardless.

screenshot

High Performance Computing with Graphics Processing Units (PDF, 2.2MB)

Integer division with round up

Posted by Matthew on April 24, 2013
Posted in: Uncategorized. Tagged: , . 2 comments

I’ve found this little function to be useful when dividing work across a fixed number of workers. It does integer division, but rounds up (unlike normal integer division which truncates). Written in python, but it would be easy to write in another language.

def divide_round_up(n, d):
    return (n + (d - 1))/d

For example, if we were distributing N jobs to 4 CPU threads, this function will tell us how many total iterations are required to process N threads:

>>> divide_round_up(0,4)
0
>>> divide_round_up(3,4)
1
>>> divide_round_up(4,4)
1
>>> divide_round_up(5,4)
2
>>> divide_round_up(7,4)
2
>>> divide_round_up(8,4)
2

Update: My friend Joe wrote in to say “That has overflow issues if n+d>int_max. How about (n/d)+(bool(n%d))”. For my needs, I’m not going to be anywhere close to int_max, but it’s a valid point.

Pretty printing a number of bytes in C/C++

Posted by Matthew on April 16, 2013
Posted in: Uncategorized. Tagged: , , . 7 comments

I spend a lot of time write and debugging command line scripts and programs. As much as I like looking at large numbers (millions, billions, trillions, etc) it can be difficult to read a big number and quickly parse how large it is, i.e. “is that 12 megabytes or 1.2 gigabytes?”.

A long time ago I wrote a small function that does pretty printing of a number of bytes. It can handle from bytes to exabytes, and properly handles integer numbers of a unit by printing it as an integer instead of float. Should be easy enough to adjust to your specific needs or style desires.

// Prints to the provided buffer a nice number of bytes (KB, MB, GB, etc)
void pretty_bytes(char* buf, uint bytes)
{
    const char* suffixes[7];
    suffixes[0] = "B";
    suffixes[1] = "KB";
    suffixes[2] = "MB";
    suffixes[3] = "GB";
    suffixes[4] = "TB";
    suffixes[5] = "PB";
    suffixes[6] = "EB";
    uint s = 0; // which suffix to use
    double count = bytes;
    while (count >= 1024 && s < 7)
    {
        s++;
        count /= 1024;
    }
    if (count - floor(count) == 0.0)
        sprintf(buf, "%d %s", (int)count, suffixes[s]);
    else
        sprintf(buf, "%.1f %s", count, suffixes[s]);
}