Tuesday, 30 January 2024

SSTP + DST NAT NGINX APACHE share tcp 443

Taken from here:
https://forum.mikrotik.com/viewtopic.php?f=9&t=134358#

/interface sstp-server server set certificate=vpn.company.com.crt_0 enabled=yes port=10443
# put the source address of every TCP/443 packet whose TLS ClientHello carries the SNI vpn.company.com
# into the sstp-conn list. The SYN of that connection carries no SNI, so the first attempt still lands
# on the web server; the 5s list timeout only has to outlive the SSTP client's next connection attempt
/ip firewall mangle add \
action=add-src-to-address-list \
address-list=sstp-conn \
address-list-timeout=5s \
chain=prerouting \
dst-address-type=local \
dst-port=443 \
protocol=tcp \
tls-host=vpn.company.com

# rewrite destination port 443 to 10443 for packets coming from addresses in the sstp-conn list
# (this rule must sit above the web server rule below: dstnat stops at the first matching dst-nat rule)
/ip firewall nat add \
action=dst-nat \
chain=dstnat \
dst-address-type=local \
dst-port=443 \
protocol=tcp \
src-address-list=sstp-conn \
to-ports=10443

# rule publishing the web server
/ip firewall nat add \
action=dst-nat \
chain=dstnat \
dst-address-type=local \
dst-port=80,443 \
protocol=tcp \
to-addresses=192.168.88.2

# the mangle rule has to see every packet of the connection, not just the first one, so fasttrack has to be adjusted:
# either accept TCP/443 packets before they reach the fasttrack rule (this rule must be above the fasttrack rule
# in the list; dst-port is only valid together with protocol=tcp)
/ip firewall filter add action=accept chain=forward protocol=tcp dst-port=443 connection-state=established,related
# or fasttrack only connections that have already transferred at least 10 KB (by then the ClientHello has been seen);
# in that case replace the existing fasttrack rule with this one
/ip firewall filter add action=fasttrack-connection chain=forward connection-bytes=10240-0 connection-state=established,related
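The tls-host matcher keys on the server_name (SNI) extension of the TLS ClientHello, which is the only cleartext thing that distinguishes an SSTP client from a browser on the same port. The following is an added example (Python, not from the forum post or from MikroTik) that builds a ClientHello with a given SNI, extracts it the way the matcher has to, and makes the same backend decision the mangle + dst-nat pair above makes. The host name and the two backend addresses are assumptions carried over from the configuration above; the ClientHello bytes are constructed in the block.

```python
"""
Minimal TLS ClientHello SNI extractor plus the port-443 demux decision.
Added example; not code from the original post or from RouterOS.
"""
import struct

SSTP_HOST = "vpn.company.com"      # assumption: SNI of the SSTP server, as in the mangle rule
WEB_BACKEND = "192.168.88.2:443"   # assumption: the published web server from the NAT rule
SSTP_BACKEND = "127.0.0.1:10443"   # assumption: the SSTP listener once dst-nat has rewritten the port


def build_client_hello(server_name: str) -> bytes:
    """Construct a TLS record holding a ClientHello with one SNI entry (constructed sample input)."""
    sni_entry = struct.pack("!BH", 0, len(server_name)) + server_name.encode("ascii")
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    exts = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03" + bytes(32)   # client_version, random (zeroed for the sample)
        + b"\x00"                 # session_id length 0
        + b"\x00\x02\xc0\x2f"     # cipher_suites: one suite
        + b"\x01\x00"             # compression_methods: null only
        + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or None."""
    try:
        if record[0] != 0x16:                                   # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        p = 4                                                   # skip type + 24-bit length
        p += 2 + 32                                             # version + random
        p += 1 + hs[p]                                          # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]            # cipher_suites
        p += 1 + hs[p]                                          # compression_methods
        if p >= len(hs):
            return None                                         # no extensions block at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:
                q = p + 2                                       # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = struct.unpack("!BH", hs[q:q + 3])
                    q += 3
                    if ntype == 0:                              # name_type host_name
                        return hs[q:q + nlen].decode("ascii")
                    q += nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                             # truncated or malformed: treat as no SNI
    return None


def route(record: bytes) -> str:
    """Backend choice for one inbound 443 connection, mirroring tls-host -> address list -> dst-nat."""
    return SSTP_BACKEND if extract_sni(record) == SSTP_HOST else WEB_BACKEND
```

SNI is cleartext and chosen by the client, so this split selects a backend; it does not restrict who may reach it. Anyone sending the right SNI reaches the SSTP listener on 10443, and access control stays with SSTP's own certificate and user authentication.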

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

Monday, 15 January 2024

Add an SSH public key to a user on a MikroTik

# add ssh pub key to user
:local username "aratner";
:local userpubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8z/rBphuDpGKHpcDtWDISCZFWybdH3fSKzVxWouLG0JuEhqZSpJT9Hd+16teA8daRPb1gY+l9+mRnCqTVDKxpnMq7jkjlfNKQPunDHhr3u7JDjeBel2JrgXs/GANMSbxyC5aRNP7XYs4TooRDUFr0XXvdglcYyP+34I0M+p9m94taK1q5FtL+JrpRXXGnhYzQn/GaV0rM9Qj21GFVWPfuqqG8wWwhaYPkeibJNhMcBy+qKRK0fIiklv68fWmIwd0Os9qEAJ4XTuVP8yfKR/Cu1hXPm/4+9JfXaw3Lh9e/J54NkRcyeT3wb0BgOpXMXnexl6HTUK59EcMaLGEaU+4F aratner@croc.ru";
# build the file name by concatenation: "$username_sshpubkey" would be parsed as one (undefined) variable
:local keyFile ("$username" . "_sshpubkey");
# create the file (print file= writes <name>.txt; give the file system a moment before writing to it)
/file print file=$keyFile;
:delay 1s;
# put the key into the file
/file set "$keyFile.txt" contents=$userpubkey;
# import the key for the user
/user ssh-keys import user=$username public-key-file="$keyFile.txt";

#mikrotik #ssh


gnome chrome dock

Create a "launcher" for each profile
# bash variable names cannot contain '-', so use underscores
chrome_profile_name=gmail-chrome
# GNOME matches running windows to launchers (StartupWMClass) through the .desktop files in the
# XDG applications directory, so the entry goes there rather than onto the Desktop
mkdir -p "$HOME/.local/share/applications"
cat > "$HOME/.local/share/applications/$chrome_profile_name.desktop" << EOF
[Desktop Entry]
Version=1.0
Name=$chrome_profile_name
GenericName=$chrome_profile_name
Exec=/usr/bin/google-chrome --user-data-dir=$HOME/$chrome_profile_name --class="$chrome_profile_name"
Icon=$HOME/$chrome_profile_name/icon.png
StartupWMClass=$chrome_profile_name
Comment=Chromium Alternate
Terminal=false
X-MultipleArgs=false
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml_xml;x-scheme-handler/http;x-scheme-handler/https;
StartupNotify=true
# Actions= omitted: the [Desktop Action ...] groups it would refer to are not defined in this file
X-AppInstall-Package=chromium-browser
EOF

This is needed so that Chrome instances started with different profiles behave as separate applications in the dock (the --class value and StartupWMClass must match for the grouping to work).


netboot.xyz podman

storage="/rpool/containers"
newpodname="netbootxyz"
newpodlocalpath="$storage/$newpodname"

mkdir -p $newpodlocalpath/{config,assets}

podman run -d \
  --name=$newpodname-app \
  -p 3000:3000                       `# sets webapp port` \
  -p 69:69/udp                       `# sets tftp port` \
  -p 8069:80                         `# optional` \
  -v $newpodlocalpath/config:/config   `# optional` \
  -v $newpodlocalpath/assets:/assets   `# optional` \
  --restart unless-stopped \
  docker.io/netbootxyz/netbootxyz

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}-app
systemctl daemon-reload
systemctl enable container-${newpodname}-app
systemctl stop  container-${newpodname}-app
systemctl start  container-${newpodname}-app

#    -e MENU_VERSION=2.0.59             `# optional` \
#  --pod=$newpodname \


nexus podman

storage="/rpool/containers"
newpodname="nexus"
newpodlocalpath="$storage/$newpodname"

podman pod create \
  --name $newpodname \
  -p 8081:8081

mkdir -p "$newpodlocalpath/data"
chown -R 200:200 "$newpodlocalpath/data"
podman run -d \
  --pod $newpodname \
  --name $newpodname-app \
  -v $newpodlocalpath/data:/nexus-data \
  docker.io/sonatype/nexus3

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}
systemctl daemon-reload
systemctl enable pod-${newpodname}
systemctl stop pod-${newpodname}
systemctl start pod-${newpodname}


Nginx Proxy Manager podman

storage="/rpool/containers"
newpodname="npm"
newpodlocalpath="$storage/$newpodname"
# the three MySQL variables below are not used by the commands that follow (the container is started with SQLite);
# if you do switch to MySQL, take the password from a secrets file instead of hardcoding it in the script
newpodmysqldb="npmdb"
newpodmysqluser="npmuser"
newpodmysqlpass="FdGawCetmok4"

podman pod create \
  --name $newpodname \
  -p 80:80 \
  -p 443:443 \
  -p 81:81   # admin UI: bind it to a management address (e.g. -p 127.0.0.1:81:81) rather than to all interfaces

mkdir -p "$newpodlocalpath/data"
mkdir -p "$newpodlocalpath/letsencrypt"
podman run -d \
  --name=${newpodname}-npm \
  --pod=${newpodname} \
  -e DB_SQLITE_FILE=/data/database.sqlite \
  -e DISABLE_IPV6='true' \
  -v $newpodlocalpath/data:/data \
  -v $newpodlocalpath/letsencrypt:/etc/letsencrypt \
  docker.io/jc21/nginx-proxy-manager:latest

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}
systemctl daemon-reload
systemctl enable pod-${newpodname}
systemctl stop pod-${newpodname}
systemctl start pod-${newpodname}

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port: prefer a management address, e.g. '127.0.0.1:81:81', over all interfaces
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt


Why "gaming" keyboards don't work with a KVM switch

The answer was found here:

USB keyboard protocol is limited to 6 keys pressed simultaneously + 3 modifier keys. To bypass this limitation, some keyboards report to the computer as a USB hub with multiple keyboards connected to it.

If your KVM switch was just directly passing through its USB port to the active computer, it would work fine, but this approach has two disadvantages:

1. You can't switch computers using keyboard shortcuts, because the KVM doesn't interact with the keyboard or with whatever else is connected to USB.
2. Switching between computers disconnects the USB device from one computer and connects it to the other. This will trigger USB (dis)connection sounds and may cause a short delay until devices start working after the switch.

To solve these problems, switches take over keyboard communication and pretend to be a permanently connected keyboard for each computer. Keystrokes are passed through to the active computer or intercepted if they're recognized by the KVM as a special command.

For this feature to work, the connected device must actually be a keyboard: the KVM doesn't implement the complete USB protocol, including hub support. So if the keyboard reports as a hub, the KVM may not know what to do with it.
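The "6 keys + modifiers" limit in the answer above is the 8-byte boot-protocol keyboard report: one modifier byte, one reserved byte, six keycode slots. The following is an added example (Python, not part of the quoted answer) that encodes such a report, produces the ErrorRollOver report a boot keyboard sends when more than six keys are down, and splits a larger chord across several virtual keyboards the way the hub trick does. Keycodes are the HID Keyboard/Keypad usage page values for a–z (0x04 = 'a'); the key chords are constructed inputs.

```python
"""
USB HID boot-protocol keyboard reports and the six-key rollover limit.
Added example; not part of the quoted answer.
"""
from typing import Iterable, List

# HID usage page 0x07: 'a' is 0x04, 'b' is 0x05, ... 'z' is 0x1d
KEYCODES = {chr(c): 0x04 + (c - ord("a")) for c in range(ord("a"), ord("z") + 1)}
MODIFIER_BITS = {"lctrl": 0x01, "lshift": 0x02, "lalt": 0x04, "lgui": 0x08,
                 "rctrl": 0x10, "rshift": 0x20, "ralt": 0x40, "rgui": 0x80}
ERROR_ROLLOVER = 0x01   # usage 0x01 fills every keycode slot when too many keys are pressed
MAX_KEYS = 6            # keycode slots in a boot-protocol report
REPORT_LEN = 8          # modifiers, reserved, six keycodes


def boot_report(keys: Iterable[str], modifiers: Iterable[str] = ()) -> bytes:
    """Encode one boot-protocol report; more than six keys yields the rollover report."""
    mod = 0
    for m in modifiers:
        mod |= MODIFIER_BITS[m]
    codes = [KEYCODES[k] for k in keys]
    if len(codes) > MAX_KEYS:
        slots = [ERROR_ROLLOVER] * MAX_KEYS
    else:
        slots = codes + [0] * (MAX_KEYS - len(codes))
    return bytes([mod, 0x00] + slots)


def is_rollover(report: bytes) -> bool:
    """True when the host would see ErrorRollOver instead of real keycodes."""
    return len(report) == REPORT_LEN and all(b == ERROR_ROLLOVER for b in report[2:])


def hub_reports(keys: Iterable[str], modifiers: Iterable[str] = ()) -> List[bytes]:
    """The hub trick: spread the chord over as many virtual keyboards as needed, six keys each.
    Modifiers are carried by the first virtual keyboard only."""
    codes = list(keys)
    n = max(1, -(-len(codes) // MAX_KEYS))   # ceil(len / 6), at least one report
    return [boot_report(codes[i * MAX_KEYS:(i + 1) * MAX_KEYS], modifiers if i == 0 else ())
            for i in range(n)]
```

A KVM that only speaks to a single boot-protocol keyboard sees the first list entry at best; the remaining virtual keyboards sit behind the hub descriptor it does not implement.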


samba-tool delegation

Delegate full rights on an OU to a group
OUDN="OU=_OU3,DC=alt,DC=aratner,DC=ru"
GROUPSID=""
# WD (write DACL) and WO (write owner) in the rights list let the group rewrite the ACL itself,
# so this is full control over the OU and, through CI, everything beneath it
samba-tool dsacl set --objectdn=$OUDN --sddl="(OA;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;$GROUPSID)"


AD delegation

https://blog.stevecoinc.com/2017/04/delegating-domain-join-privileges-in.html?m=1

Delegating domain join privileges in Samba 4 from the command line (or not)

I'm trying to solve a bit of a mystery. I'd like to set up Samba 4 without using Windows. Most things seem to be possible, but I can't figure out how to delegate domain join privileges. Unfortunately, even the official documentation specifically references ADUC.

So I did some digging into what it would take to delegate domain join privileges without a Windows system. After several dead ends, I ran across this page: https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=48

The important bit of that page is this script that uses the Windows command-line tool dsacls:

$user = 'gps\SCCM Client Computer Joiners'
$ou = 'OU=SCCM Test Clients,OU=SCCM,OU=Service,OU=Company,DC=gopas,DC=virtual'

DSACLS $ou /R $user

DSACLS $ou /I:S /G "$($user):GR;;computer"
DSACLS $ou /I:S /G "$($user):CA;Reset Password;computer"
DSACLS $ou /I:S /G "$($user):WP;pwdLastSet;computer"
DSACLS $ou /I:S /G "$($user):WP;Logon Information;computer"
DSACLS $ou /I:S /G "$($user):WP;description;computer"
DSACLS $ou /I:S /G "$($user):WP;displayName;computer"
DSACLS $ou /I:S /G "$($user):WP;sAMAccountName;computer"
DSACLS $ou /I:S /G "$($user):WP;DNS Host Name Attributes;computer"
DSACLS $ou /I:S /G "$($user):WP;Account Restrictions;computer"
DSACLS $ou /I:S /G "$($user):WP;servicePrincipalName;computer"
DSACLS $ou /I:S /G "$($user):CC;computer;organizationalUnit"

samba-tool has a subcommand dsacl set that I thought might be able to accomplish the same task. After a lot of work trying to get the arguments correct, I got to this point:
[root@dc1 ~]# samba-tool dsacl set --action=allow --objectdn='cn=Computers,dc=samba4,dc=local' --trusteedn='cn=Domain Join,cn=Users,dc=samba4,dc=local' --sddl='GR;;computer' --realm=SAMBA4.LOCAL -U administrator --password="$( cat /root/.password )"
new descriptor for cn=Computers,dc=samba4,dc=local:
O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dsacl.py", line 174, in run
    self.add_ace(samdb, objectdn, new_ace)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dsacl.py", line 129, in add_ace
    desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))
So... I think the arguments to dsacls are some kind of "friendly" names that resolve to UUIDs or SIDs or something on the back end, but I can't figure out how to do the mapping.

Appreciating you putting your thoughts out there. This helped me get started on the problem and I think I figured it out. I ended up using the Windows GUI to make the delegation per Samba's instructions and compared the changes before/after to get this:

SID="GroupSIDHere"
samba-tool dsacl set --action=allow --objectdn='cn=Computers,dc=directory,dc=example,dc=com' --sddl="(OA;CI;CCDC;BF967A86-0DE6-11D0-A285-00AA003049E2;;$SID)(OA;CIIO;SWWP;F3A64788-5306-11D1-A9C5-0000F80367C1;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;SWRPWP;72E39547-7B18-11D1-ADEF-00C04FD8D5CD;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;RPWP;4C164200-20C0-11D0-A768-00AA006E0529;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;CR;00299570-246D-11D0-A768-00AA006E0529;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)"


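Both `samba-tool dsacl set` calls on this page, the full-control grant on an OU from the samba-tool delegation note and the domain-join delegation in the comment above, are written in raw SDDL, and `samba-tool dsacl get` prints the same notation. The following is an added parser (Python; not Samba's code and not from either quoted author) that turns ACE strings into named ACE types, flags, rights, trustees and object GUIDs, and flags grants that amount to full control. The GUID labels are the standard AD schema class, validated-write, property-set and control-access GUIDs these two delegations reference; the group SID used in the sample strings is constructed.

```python
"""
Decoder for the SDDL ACE strings used with samba-tool dsacl set/get.
Added example; not part of Samba or of either quoted post.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "ACCESS_ALLOWED_OBJECT",
             "OD": "ACCESS_DENIED_OBJECT", "AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# directory-service rights plus the generic rights (two-letter SDDL codes; hex masks are not handled)
RIGHTS = {"CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
          "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
          "CR": "CONTROL_ACCESS", "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE"}
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Administrators",
               "SY": "Local System", "AU": "Authenticated Users", "WD": "Everyone",
               "PS": "Principal Self", "ED": "Enterprise Domain Controllers",
               "RU": "Pre-Windows 2000 Compatible Access", "AO": "Account Operators",
               "PO": "Printer Operators"}
# schema / validated-write / property-set / control-access GUIDs used by the delegations on this page
GUIDS = {"bf967a86-0de6-11d0-a285-00aa003049e2": "computer (class)",
         "bf967aba-0de6-11d0-a285-00aa003049e2": "user (class)",
         "bf967a9c-0de6-11d0-a285-00aa003049e2": "group (class)",
         "bf967aa5-0de6-11d0-a285-00aa003049e2": "organizationalUnit (class)",
         "f3a64788-5306-11d1-a9c5-0000f80367c1": "Validated-SPN (validated write)",
         "72e39547-7b18-11d1-adef-00c04fd8d5cd": "Validated-DNS-Host-Name (validated write)",
         "4c164200-20c0-11d0-a768-00aa006e0529": "User-Account-Restrictions (property set)",
         "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password (control access)"}

SAMPLE_SID = "S-1-5-21-1-2-3-1105"   # constructed stand-in for the $SID / $GROUPSID placeholders
DOMAIN_JOIN_SDDL = (   # the five ACEs from the comment above, with the constructed SID filled in
    f"(OA;CI;CCDC;BF967A86-0DE6-11D0-A285-00AA003049E2;;{SAMPLE_SID})"
    f"(OA;CIIO;SWWP;F3A64788-5306-11D1-A9C5-0000F80367C1;BF967A86-0DE6-11D0-A285-00AA003049E2;{SAMPLE_SID})"
    f"(OA;CIIO;SWRPWP;72E39547-7B18-11D1-ADEF-00C04FD8D5CD;BF967A86-0DE6-11D0-A285-00AA003049E2;{SAMPLE_SID})"
    f"(OA;CIIO;RPWP;4C164200-20C0-11D0-A768-00AA006E0529;BF967A86-0DE6-11D0-A285-00AA003049E2;{SAMPLE_SID})"
    f"(OA;CIIO;CR;00299570-246D-11D0-A768-00AA006E0529;BF967A86-0DE6-11D0-A285-00AA003049E2;{SAMPLE_SID})")
FULL_CONTROL_SDDL = f"(OA;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{SAMPLE_SID})"   # the OU delegation note


def _lookup(table, code, what):
    try:
        return table[code]
    except KeyError:
        raise ValueError(f"unknown {what} code {code!r}") from None


def _split_pairs(s):
    if len(s) % 2:
        raise ValueError(f"odd-length code string: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(text):
    """Decode one 'type;flags;rights;object_guid;inherit_object_guid;trustee' ACE."""
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {text!r}")
    atype, flags, rights, obj, inh, trustee = parts
    return {
        "type": _lookup(ACE_TYPES, atype, "ACE type"),
        "flags": [_lookup(ACE_FLAGS, f, "ACE flag") for f in _split_pairs(flags)],
        "rights": [_lookup(RIGHTS, r, "access right") for r in _split_pairs(rights)],
        "object_type": GUIDS.get(obj.lower(), obj.lower() or None),
        "inherited_object_type": GUIDS.get(inh.lower(), inh.lower() or None),
        "trustee": SID_ALIASES.get(trustee, trustee),
    }


def parse_sddl_aces(sddl):
    """All ACEs of a descriptor string; the O:/G:/D:/S: prefixes are skipped."""
    return [parse_ace(m.group(1)) for m in ACE_RE.finditer(sddl)]


def is_full_control(ace):
    """WRITE_DAC or WRITE_OWNER lets the trustee rewrite the ACL, so the grant is full control."""
    return ace["type"].startswith("ACCESS_ALLOWED") and bool(
        {"WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL"} & set(ace["rights"]))


def describe(ace):
    return (f'{ace["type"]} {"+".join(ace["rights"])} on {ace["object_type"] or "<whole object>"}'
            f' for {ace["inherited_object_type"] or "<any class>"} -> {ace["trustee"]}'
            f' [{",".join(ace["flags"])}]')
```

Run `describe()` over `parse_sddl_aces(FULL_CONTROL_SDDL)` and `parse_sddl_aces(DOMAIN_JOIN_SDDL)` to see the difference between the two grants: the first is WRITE_DAC/WRITE_OWNER on everything under the OU, the second is limited to creating computer objects and to validated writes, the account-restrictions property set and password reset on those objects.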

letsencrypt mikrotik

:local dnsName vpn.dom.ru
:local certName "$dnsName.cer"
:local certFullChain "$certName,1_.cer,0_.cer"
:local ipsecIdentityComment $dnsName
:local Comment letsencrypt

# the HTTP-01 challenge needs TCP/80 reachable on the router: enable the www service and the
# firewall rule commented "letsencrypt" only for the duration of the challenge
:log info "[LE] enable www"
/ip/service/enable www
/ip/firewall/filter/enable [ find where comment=$Comment ]

:log info "[LE] updating cert for $dnsName"
# on-error makes sure www and the firewall rule are closed again even if the request fails
:do {
    /certificate/enable-ssl-certificate dns-name=$dnsName
} on-error={
    :log error "[LE] certificate request for $dnsName failed"
}

:log info "[LE] disable www"
/ip/service/disable www
/ip/firewall/filter/disable [ find where comment=$Comment ]

:log info "[LE] rename cert to $certName"
/certificate/set numbers=[/certificate/find where common-name=$dnsName] name="$certName"
:log info "[LE] setup cert for sstp server"
/interface/sstp-server/server/set certificate="$certName"
:log info "[LE] setup cert for ipsec identity"
/ip/ipsec/identity/set numbers=[find where comment=$ipsecIdentityComment] certificate=$certFullChain
