Bad Sys Admin
I've already said that I love Tramp. Well, getting to use Carbon Emacs so transparently to edit my website has whetted my appetite for more.
I spend most of my time on apostrophe (my local name for my webserver) running Emacs in -nw mode with Gnus. That was true before I found out how to use Tramp to edit my site. It is more true now. The only access I have to usenet is through my web hosting provider. The access is free, but it is IP authenticated. That means I can't just use it from anywhere. I have to be using an authorized IP.
Since SSH can do port forwarding, I wondered if I could do the job in a couple hops. That is, use SSH to port forward to apostrophe and then use apostrophe's firewall (iptables configured with shorewall) to re-forward the port to Verio's news server. It seems like such a simple thing to do, doesn't it?
Well, my first problem is that I don't know a whole lot about networking right now. The basic stuff is configured just fine, but I'm not using any advanced features. And all the port forwarding stuff I found seemed to want to forward incoming connections to local ports. I want to go in the other direction. So far I have not figured out how to do that.
Another issue I found was that NAT wasn't enabled in my kernel. I don't know how I managed to overlook that rather important setting. I have two NICs in my server so that I have the ability to hook up any number of machines and have them access the internet via apostrophe. NAT is required to do that if I only want to use one IP address. Anyway, I found this oversight in shorewall's startup log file. This was after trying to add zones for the loopback and doing some other stuff. I think the technical term is Cargo Cult except that I had nothing to imitate.
Once I found I needed to enable NAT, I switched over to the Linux source directory for my current kernel and ran make menuconfig as root to take care of the configuration. This didn't take me too long, although I had to hunt a bit for the relevant network configuration settings. Once that was sorted, I used Debian's make-kpkg utility to build my kernel and package it into a deb archive to take care of the niggling little details of installing a kernel (things like running lilo, etc).
One thing I forgot to do was restore my firewall configuration to what it was before. Can you see what's coming?
I installed the new kernel and rebooted apostrophe. In a local terminal I started ping to see if/when apostrophe was back online. In a little while, ping packets started to be returned. Then they stopped. I only got six pings back in all. As the machine boots up, many things happen. What matters to the networking is that the network interfaces are brought up first, then the firewall. When the firewall came up, all network packets started being dropped. This is what a bad firewall configuration gets you. Or a very, very secure configuration, depending on your point of view. The thing is, I kind of like having ports 22 and 80 open. I also like to accept pings because I use that to test my connectivity.
I was locked out of my server. There's only one cure for such a lockout. I had to visit the server in person and fix the firewall settings locally. This wasn't all bad. I got to move apostrophe to a working UPS. Also the server is now in a cooler part of the building. I don't know if condensation will be a problem in the winter (I doubt it). But for summer time I think the machine will be much more comfortable.
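A pre-flight check for the lockout described above, as an added example rather than code from the post: it reads an `iptables-save` dump and reports which of SSH (tcp/22), HTTP (tcp/80) and ping a new inbound packet would fail to reach. The interface name `eth0`, the sample ruleset and all function names are assumptions; only interface, protocol, port and ICMP type are modelled, and any rule carrying another match is read pessimistically.

```python
import shlex

# Probes for what the post wants reachable: SSH, HTTP and ping (ICMP type 8).
PROBES = {"ssh": {"-p": "tcp", "--dport": "22"}, "http": {"-p": "tcp", "--dport": "80"},
          "ping": {"-p": "icmp", "--icmp-type": "8"}}
FIELDS = ("-i", "-p", "--dport", "--icmp-type")  # the only matches modelled
# Constructed iptables-save sample (not from the post); it forgets tcp/80.
SAMPLE = """*filter
:INPUT DROP [0:0]
:eth0_in - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j eth0_in
-A eth0_in -p tcp -m tcp --dport 22 -j ACCEPT
-A eth0_in -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT"""

def parse(dump):  # filter table of iptables-save text -> (policies, chains)
    policies, chains, table = {}, {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table == "filter" and line.startswith(":"):
            policies[line.split()[0][1:]] = line.split()[1]
        elif table == "filter" and line.startswith("-A "):
            t, rule = shlex.split(line), {"exact": True}
            for opt, val in zip(t[2:], t[3:]):
                if opt == "-j" or (opt in FIELDS and val.isalnum() and "!" not in t):
                    rule[opt] = val
                elif opt.startswith("-") and (opt, val) not in (("-m", "tcp"), ("-m", "icmp")):
                    rule["exact"] = False  # anything else makes the rule conditional
            chains.setdefault(t[1], []).append(rule)
    return policies, chains

def verdict(policies, chains, chain, pkt):
    """First decisive target for pkt: a conditional ACCEPT never counts, a DROP always does."""
    for rule in chains.get(chain, []):
        fits = all(rule.get(k, pkt.get(k)) == pkt.get(k) for k in FIELDS)
        target = rule.get("-j") if fits else None
        if target in chains:
            target = verdict(policies, chains, target, pkt)
        if target == "RETURN" and rule["exact"]:
            break
        if target in ("DROP", "REJECT") or (target == "ACCEPT" and rule["exact"]):
            return "ACCEPT" if target == "ACCEPT" else "DROP"
    return policies.get(chain)  # "-" for a user chain: the caller carries on

def locked_out(dump, iface="eth0"):  # names of the probes that would not get through
    rules = parse(dump)
    return [n for n, p in PROBES.items() if verdict(*rules, "INPUT", {**p, "-i": iface}) != "ACCEPT"]
```

An empty list from `locked_out` means all three probes pass; for the constructed sample it names the missing HTTP rule.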
I still haven't got things set up so that I can use Carbon Emacs and Gnus to access Verio's news server via apostrophe. I also haven't figured out how to set up SSH port forwarding from inside Emacs yet. There are two basic things I want to do with port forwarding. I want to connect to a running SBCL on apostrophe via SLIME and also have proper name translation working without breaking the use of local SBCL and OpenMCL. And I want Gnus to work from Carbon Emacs using the same basic SSH tunnel method. The last thing I need is to inadvertently open a back door to Verio's news server. That would be Bad(tm).
If anyone knows how I need to configure shorewall and Emacs to do what I want, please send me an e-mail with the incantations I need. Emacs Lisp is still a mystery to me and it seems that port forwarding is also.