Firefox 3 and howtoforge.com

There is currently a bug in Firefox 3 which causes it to crash with an XError BadAlloc when you go to any page hosted on howtoforge.

This seems to be related to the image at http://howtoforge.com/themes/htf_glass/images/bg_header_bottom_left15.png. I suggest you don't click on that link 🙂

Apparently this image is 10,000 pixels wide. It looks like this is probably a GTK issue since the same problem happened when I opened the image with evince!

I tried writing a Greasemonkey script to get around this problem but it loads too late to avert the crash. So iptables to the rescue.

[code]
iptables -I OUTPUT -d howtoforge.com -m string --algo bm --to 70 --string "GET /themes/htf_glass/images/bg_header_bottom_left15.png" -j DROP
[/code]

[code]
iptables
    -I OUTPUT  # Match packets leaving my laptop
    -d howtoforge.com  # Only packets going to howtoforge (the name is resolved once, when the rule is inserted)
    -m string  # Invoke the string matcher
    --algo bm  # Pick a matching algorithm (Boyer-Moore)
    --to 70  # Stop scanning at byte 70 of each packet
    --string "GET /themes/htf_glass/images/bg_header_bottom_left15.png"
    -j DROP  # Drop the sucker
[/code]

Two caveats: the match runs against each packet on its own, so the whole request line has to land inside the scanned window of a single packet, and it only works for plain HTTP, since nothing inside a TLS connection is visible to the string matcher.

iptables evilness

Matt came to me with an interesting problem at Bulletproof this week. We have a dedicated hosting customer who talks to an external application for e-commerce. The IP for this was going to change but they needed to do some testing before the switch. As usual with most enterprise applications, the hostname was hard coded. 🙁

Matt suggested we do some DNS poisoning or some transparent proxying using Squid or similar. While these would have worked, they required firewall changes through three levels of firewalls and extra infrastructure.

So I turned to an evil solution, iptables. 🙂 Most people use DNAT on inbound connections from the Internet to their internal private network, to port forward to internal servers or to perform one-to-one NAT mappings. There is nothing stopping you using it the other way around, on outbound traffic.

Let's say that every time someone browses to http://bulletproof.net we want them to hit http://inodes.org instead. All you need to do is use DNAT, on a box the traffic passes through, to translate one IP address into the other.
[code]
animal:~ johnf$ host bulletproof.net
bulletproof.net has address 202.44.98.174
animal:~ johnf$ host inodes.org
inodes.org has address 202.125.41.97
animal:~ johnf$ sudo iptables -t nat -A PREROUTING -d 202.44.98.174 -j DNAT --to 202.125.41.97
[/code]

Now for some testing, a ping looks normal

[code]

animal:~johnf$ ping www.bulletproof.net
PING www.bulletproof.net.au (202.44.98.174) 56(84) bytes of data.
64 bytes from 202.44.98.174: icmp_seq=1 ttl=241 time=198 ms

[/code]

but a tcpdump looks like

[code]

animal:~johnf$ sudo tcpdump -ni eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:35:25.099510 IP 211.30.227.143 > 202.125.41.97: icmp 64: echo request seq 1
16:35:25.301712 IP 202.125.41.97 > 211.30.227.143: icmp 64: echo reply seq 1

[/code]

Of course if anyone needs to try and debug this they are going to have a really fun time working out what is going on. ๐Ÿ™‚

If you want to test this yourself you can do it on your own machine using the nat OUTPUT chain instead of PREROUTING: PREROUTING only sees packets arriving on an interface, while locally generated traffic goes through OUTPUT. Either way conntrack records the translation and reverses it on the reply, which is why ping reports the original address while tcpdump shows the real one. It also means the replies have to come back through the same box, or the client will see answers from an address it never sent to.
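To make the ping/tcpdump discrepancy concrete, here is an added example (not code from the original post) that models the DNAT rule and the conntrack entry it creates on a constructed ICMP echo exchange. It uses the three addresses from the post; the packet contents, checksum routine and the DnatBox class are my own constructions and a deliberately small model of what the kernel's nat table does, not the kernel's code.

```python
"""Toy model of `-t nat -A PREROUTING -d 202.44.98.174 -j DNAT --to 202.125.41.97`
and the conntrack reverse translation on the reply.  Constructed example; only the
IP addresses come from the post."""
import ipaddress
import struct

LAPTOP = "211.30.227.143"       # the client, as seen in the post's tcpdump
ORIGINAL_DST = "202.44.98.174"  # bulletproof.net
REAL_DST = "202.125.41.97"      # inodes.org


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Returns 0 when run over a header whose
    checksum field is already correct, which makes it a cheap validity check."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(src: str, dst: str, icmp_type: int, seq: int = 1) -> bytes:
    """IPv4 + ICMP echo request (type 8) or reply (type 0) with a 56-byte payload,
    the same size as the 56(84)-byte ping in the post. Constructed packet."""
    payload = bytes(range(56))
    icmp = bytearray(struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload)
    icmp[2:4] = struct.pack("!H", ip_checksum(bytes(icmp)))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr + icmp)


def addrs(pkt: bytes):
    """(src, dst) of an IPv4 packet."""
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def rewrite_addrs(pkt: bytes, src=None, dst=None) -> bytes:
    """The nat table's job: swap an address and fix the IPv4 header checksum.
    ICMP's own checksum does not cover the IP header, so it is left alone."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    if src is not None:
        hdr[12:16] = ipaddress.IPv4Address(src).packed
    if dst is not None:
        hdr[16:20] = ipaddress.IPv4Address(dst).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


class DnatBox:
    """One DNAT rule plus the conntrack entry it creates. Hypothetical model class."""

    def __init__(self, match_dst: str, to_dst: str):
        self.match_dst = match_dst
        self.to_dst = to_dst
        self.conntrack = {}  # (client, real server) -> address the client thinks it reached

    def outbound(self, pkt: bytes) -> bytes:
        """PREROUTING (or OUTPUT for locally generated traffic): rewrite the destination."""
        src, dst = addrs(pkt)
        if dst != self.match_dst:
            return pkt
        self.conntrack[(src, self.to_dst)] = dst
        return rewrite_addrs(pkt, dst=self.to_dst)

    def inbound(self, pkt: bytes) -> bytes:
        """Reply path: conntrack reverses the mapping so the reply's source becomes
        the original address. Replies that never passed outbound() are untouched."""
        src, dst = addrs(pkt)
        original = self.conntrack.get((dst, src))
        if original is None:
            return pkt
        return rewrite_addrs(pkt, src=original)


def simulate_ping() -> dict:
    """Reproduce the post's observation: ping prints 202.44.98.174, the wire shows 202.125.41.97."""
    box = DnatBox(ORIGINAL_DST, REAL_DST)
    request = build_icmp(LAPTOP, ORIGINAL_DST, icmp_type=8)   # what ping hands to the kernel
    on_wire = box.outbound(request)                            # what tcpdump sees leaving
    wire_src, wire_dst = addrs(on_wire)
    reply_on_wire = build_icmp(wire_dst, wire_src, icmp_type=0)  # the real server answers
    reply_seen = box.inbound(reply_on_wire)                    # what ping's socket receives
    return {
        "wire_request": addrs(on_wire),
        "wire_reply": addrs(reply_on_wire),
        "ping_sees_reply_from": addrs(reply_seen)[0],
        "wire_checksum_ok": ip_checksum(on_wire[:20]) == 0,
        "reply_checksum_ok": ip_checksum(reply_seen[:20]) == 0,
    }


if __name__ == "__main__":
    for key, value in simulate_ping().items():
        print(f"{key}: {value}")
```

The conntrack dictionary is keyed on the client and the real server, which is why the reply is only un-translated when it arrives through the same box that did the DNAT; a reply taking another path would reach the client with 202.125.41.97 as its source and be ignored by ping.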