Fixing iPerf3 Permission Denied Problem on Windows

Installed iPerf3 on Windows (10) to c:\program files\iPerf.  When attempting to connect to a server, was receiving the error: “iperf3: error – unable to create a new stream: Permission denied”.

Couldn’t find anything Windows-related by searching.

The problem was that attempting to run in a protected location (“c:\program files”) blocked the program from being able to create temporary files.  Relocating and running from a non-protected location fixed the problem.

Squid3 Proxy Problems on Ubuntu Linux to Yahoo, Google, Facebook, YouTube and so on

I set up a Squid3 (Squid) proxy as part of my DansGuardian setup on Ubuntu to filter the kids’ web traffic.  Overall, the proxy worked fine … but I was getting strange connection failures to some of the largest web properties, such as Yahoo, Google, YouTube and Facebook, whereas all smaller properties worked just fine.

The general error I was receiving was “The system returned: (110) Connection timed out”.

It turned out the problem was that Squid was using IPv6 to access any site that returned a legitimate IPv6 address.  As my system wasn’t properly configured for IPv6, the request was failing.

The right answer, of course, is to get on board and configure properly for IPv6.  It’s the future, it’s faster, etc.

The short answer is to add to your squid.conf file:  dns_v4_first on

This will force Squid to check for a valid IPv4 DNS entry, and use that.  Fixed a day-long problem for me like … snap!

Setting up Ubuntu Firewall (UFW) for NFS

I use ufw as my firewall in Ubuntu.  I was recently trying to hook two Ubuntu servers together with NFS, and running into firewall problems.  Here’s how to get it working, in case you’re encountering the same problem.

1.  Start by ensuring that you have the basic NFS ports open.  These are going to be 2049 (udp/tcp) for NFS, and 111 (udp/tcp) for “sunrpc”.  You can add both of these with a straightforward ufw rule, relying on /etc/services to identify the ports.  For example, assuming that you have LCL_NET set to your local network, and only want to allow access to machines in that network:

ufw allow from ${LCL_NET} to any port nfs

ufw allow from ${LCL_NET} to any port sunrpc

2.  The next problem you have is that the rpc.mountd port is assigned randomly, unless you fix it otherwise.  So, first, edit /etc/default/nfs-kernel-server and change the line for RPCMOUNTDOPTS to be:

RPCMOUNTDOPTS="-p 4001 -g"

Then go back to ufw and allow this port for both udp and tcp.  (I’m not including the command, as there are a few different ways to do it, and I do it in a way that’s simpler in the end, but more complex to explain at the moment.)

Finally, of course, restart ufw and nfs.
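
One way to write the rule left out above, as an added example that is not from the original post: it reads saved `rpcinfo -p` output, prints the ufw rules for a service's registered ports, and checks that mountd really is pinned to 4001. The function names, the sample rpcinfo listing and the LCL_NET value are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive ufw rules from `rpcinfo -p` output and confirm the
# RPCMOUNTDOPTS change took effect. Commands are printed, not executed.

# $1 = file holding `rpcinfo -p` output, $2 = source network, $3... = services
ufw_rules_for() {
  rpc_file=$1; net=$2; shift 2
  for svc in "$@"; do
    # columns: program vers proto port service; one rule per unique proto/port
    awk -v svc="$svc" '$5 == svc { print $3, $4 }' "$rpc_file" | sort -u |
      while read -r proto port; do
        echo "ufw allow from $net to any port $port proto $proto"
      done
  done
}

# Return 0 only if every registered instance of service $2 uses port $3.
service_pinned() {
  ports=$(awk -v svc="$2" '$5 == svc { print $4 }' "$1" | sort -u)
  [ "$ports" = "$3" ]
}

# Constructed sample of `rpcinfo -p` output after pinning mountd to 4001.
rpc_demo=$(mktemp)
cat > "$rpc_demo" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   udp   4001  mountd
    100005    3   tcp   4001  mountd
    100021    4   udp  45678  nlockmgr
    100021    4   tcp  38765  nlockmgr
EOF

LCL_NET=192.168.1.0/24   # constructed value for the local network
ufw_rules_for "$rpc_demo" "$LCL_NET" mountd
service_pinned "$rpc_demo" mountd 4001 && echo "mountd is pinned to 4001"
service_pinned "$rpc_demo" nlockmgr 4001 || echo "nlockmgr is not on a fixed port"
```

On a live server, replace the sample file with `rpcinfo -p > rpc.txt` and review the printed rules before running them.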



Configuring ZoneMinder on Ubuntu – Buttons Don’t Work (Javascript Errors)

If you’re configuring ZoneMinder (a great IP camera control application) on Ubuntu, and the console doesn’t work (buttons aren’t active when you click them), your problem is probably that the Javascript path isn’t working.

To test this, view source on the console page, and check the path to MooTools.

MooTools should be installed in /usr/share/javascript/mootools.  The configuration for shared javascript should be in /etc/apache2/conf-enabled.  For me, for whatever reason, conf-enabled wasn’t actually enabled.  Copying javascript-common.conf to /etc/apache2/conf.d and then restarting apache (/etc/init.d/apache2 force-reload) worked to fix the problem.

Tunneling SMTP (TCP port 25) through a VPN

I’ve recently switched providers (having moved countries), and am now reconstructing my services in a new location, using AT&T UVerse.  I continue to have an account with StrongVPN that I use (I originally acquired it to give me a US IP for use when out of the US … side note, I’m really happy with StrongVPN).

The problem is that UVerse blocks outbound SMTP (port 25) traffic, and doesn’t provide their own relay (or, more accurately, won’t relay mail that’s neither to nor from an AT&T address).  I don’t have much mail to send (just what the kids generate, and the occasional system alert), so I don’t feel that I’m much of a threat to anyone’s traffic.  It took me a while to figure this out (I’m not the world’s greatest IP routing guru), so I figured it might be of use to you.

Many thanks to Lekensteyn and the other contributors to the post “iptables – Target to Route Packet to Specific Interface” on for key pointers.

Objective:  Running a postfix SMTP server on Ubuntu Linux, route all outbound SMTP through a VPN tunnel.  We’re going to wind up not using a relay server, and just directly connecting to the target hosts.

We’ll assume that your tunnel interface is TUN0 … replace this below as you see fit.

1. Remove any relays from your postfix configuration

If you’re coming from a previous configuration, you were probably configured with a relay server.  You need to remove it, so that you’re directly connecting to your target hosts (if you had a relay server, you probably don’t need to force the traffic anywhere!  On the other hand, if you’re trying to route port 25 for some other reason, then skip this step.)

a. Edit /etc/postfix/

Edit this file to remove or comment out the line that established your relay host:

# relayhost =

2. Force SMTP Port 25 through the VPN

I have a very complex routing scheme, with a ton of subnets that I use for all sorts of things — for example, forcing a wifi AP out through the VPN (so that you can connect to a specific AP to auto-use the VPN), keeping the kids on a different subnet so that I can force them out a different Internet connection, and blackholing unknown devices so that the kids can’t hook anything up without me verifying the MAC address … drop me a comment if you’re interested in any of these things … so the long and short of it is that I already have a routing script that I use to set up all my routing tables.

If you already have such a script, just add the additions below to that script.  If not, then create a new script for these commands.  It’s a somewhat separate exercise to hook it up so that it’s properly invoked whenever you bring an interface up or down (which I leave as a Google exercise for you, as it’s not fresh on my mind) … but in the worst case, you can just run it manually whenever your routing tables get rebuilt.

Note that we’re going to use “7” as the mark for our rules.  This is arbitrary.

a.  If you haven’t already, create a routing table for the VPN

I already had a routing table set up … if you do then just use that routing table, below.  But if you don’t, here’s a quick and dirty routing table to push over your VPN (please note, I’m just typing this, and haven’t actually tested the exact lines below, as I don’t need them in my setup!!):

# vpn_table must be a table name defined in /etc/iproute2/rt_tables.
# For clarity, clear anything that might have accumulated there.  Ignore any error, here.
ip route flush table vpn_table
# Push all traffic that goes to this table out the VPN.  Substitute your VPN's gateway for <VPN_GATEWAY_IP> below.
ip route add default via <VPN_GATEWAY_IP> table vpn_table
# And be sure to flush to pick it up
ip route flush cache

b. Now mark all SMTP port 25 packets with 7

iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 7

c. Set the source IP to our ID on the VPN (substitute it for <VPN_LOCAL_IP>) rather than our local network ID.  Remember to use your correct interface if not TUN0, below.

iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source <VPN_LOCAL_IP>

d. Send everything marked with 7 to the VPN table (to force out the VPN)

ip rule add fwmark 7 table vpn_table

e. Relax the reverse path source validation

(See the post for a discussion.)

sysctl -w net.ipv4.conf.tun0.rp_filter=2

f. And flush for good measure

ip route flush cache

That should do it!  Run your script, and all your port 25 traffic should be running out your VPN.  Obviously, you can adapt the concepts here for other applications.
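
A check for the failure this setup is most prone to, as an added example that is not part of the original script: the mark set in step b and the fwmark matched in step d must be the same number, or port 25 traffic silently stays on the default route. The function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm every packet mark set in the mangle table is matched
# by an "ip rule ... fwmark" entry. On a live host (as root) capture the input:
#   iptables -t mangle -S OUTPUT > mangle.txt; ip rule show > rules.txt

# Normalise marks read on stdin (7, 0x7, 0x19) to decimal, one per line.
to_decimal() {
  while read -r m; do echo "$(($m))"; done | sort -u
}

# Marks set by MARK targets. Accepts "--set-mark 7" as typed and
# "--set-xmark 0x7/0xffffffff" as iptables -S prints it.
marks_set() {
  grep -oE -e '--set-x?mark [0-9a-fA-Fx]+' "$1" | awk '{print $2}' | to_decimal
}

# Marks that a policy-routing rule matches on.
marks_routed() {
  grep -oE 'fwmark [0-9a-fA-Fx]+' "$1" | awk '{print $2}' | to_decimal
}

# Print marks that are set but never routed; return 1 if any exist.
unrouted_marks() {
  routed=$(marks_routed "$2")
  rc=0
  for m in $(marks_set "$1"); do
    if ! printf '%s\n' "$routed" | grep -qx "$m"; then
      echo "$m"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample data: mark 7 is set; one rule file matches 25 (0x19).
demo_dir=$(mktemp -d)
printf '%s\n' '-P OUTPUT ACCEPT' \
  '-A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x7/0xffffffff' \
  > "$demo_dir/mangle.txt"
printf '%s\n' '0: from all lookup local' \
  '32765: from all fwmark 0x19 lookup vpn_table' > "$demo_dir/rules_bad.txt"
printf '%s\n' '0: from all lookup local' \
  '32765: from all fwmark 0x7 lookup vpn_table' > "$demo_dir/rules_ok.txt"

unrouted_marks "$demo_dir/mangle.txt" "$demo_dir/rules_bad.txt" \
  | sed 's/^/mark set but not routed: /'
unrouted_marks "$demo_dir/mangle.txt" "$demo_dir/rules_ok.txt" && echo "all marks routed"
```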

Upgrading from Ubuntu 12.04 (Precise Pangolin) to 12.10 (Quantal Quetzal)

Just some notes on some of the issues I hit in updating from Ubuntu 12.04 (Precise Pangolin) to 12.10 (Quantal Quetzal), in the event they’re of use to someone.

Problems with PHP Initialization

I was receiving a ton of errors from cron, with the text:

PHP Warning:  PHP Startup: Unable to load dynamic library ‘/usr/lib/php5/20100525/’ – /usr/lib/php5/20100525/ cannot open shared object file: No such file or directory in Unknown on line 0

While there appears to be a line of thought (via Google) that one needs to install php5-auth-pam or php5-pam … I didn’t find either package with a simple apt-get install, and didn’t bother investigating further.

The actual fix was to check /etc/php5/conf.d.  In that folder was a legacy (few years old) pam_auth.ini file which was attempting to load  Removing this file enabled PHP to start.

WordPress Hiccough

WordPress sites didn’t want to start up for me, claiming a missing wp-config.php.  When I checked /etc/wordpress, I found that my old wp-config.php had been copied to a typical wp-config.php.dpkg-bak … but no new file had been installed.  I just replaced back my old copy.


Firewall Port 9933 for My Singing Monsters

Just recording this, as I was only able to find an unconfirmed hint on a forum.

You need to open up port 9933 (not sure whether TCP or UDP … I opened both, and didn’t bother going back to experiment) on your firewall/router in order to enable the Big Blue Bubble iOS game My Singing Monsters to connect to its server. Otherwise, you’ll get the “Failed to Connect to Server” error from the game.

Hope this helps someone …

Holy cow … restore overwritten files!

I just had one of those “gulp!” moments … it’s 3am, and I’d been editing a PowerPoint for maybe 5-6 hours.  I’d used a previous deck as a template, and because I thought I might want to sample from some slides.  I clicked “save”.  Uh oh … I never remembered to change the name of the PPT to a new deck — I just overwrote what turned out to be my only copy of the previous deck!  And it was a critical deck.  This is not the first time this has happened to me.

Thanks to this post on restoring overwritten PowerPoint files, I found ShadowExplorer, an awesome utility … man, it’s my new best friend!  I was immediately able to go to the directory and find my previous copy of the file and restore it … sanity and hours of work saved!  Later, I determined that maybe I could have just gone in Windows Explorer to the directory, right-clicked on the file, and selected “Previous Versions”.

Fix for Windows 7 forgetting wireless security password

I’ve been going nuts on my new Dell notebook.  Every time I attempted to reconnect to many of my home access points, I would get re-prompted for the wireless security key (some WEP, some WPA).  Windows wasn’t remembering my wireless security key.  I couldn’t find any way to get them to save.  When I checked in the Wireless Center, only one connection was showing up (the one that saved the key information).  Googling wasn’t coming up with much, other than suggestions to turn off “IEEE authentication” (I think what was meant was the IEEE 802.11 service management — that is, the WLAN service) or run MSConfig and turn off the adapter service.

The last one gave me a clue.  The machine was installed (built by my IT support) with Intel PROSet/Wireless WiFi manager.  I’d always ignored it, and just used Windows wifi management.  Well … mistake.  It turns out that if you have Intel PROSet running, you need to use it to start and stop all connections — otherwise, even if you’re exclusively using the Windows manager to start/stop, it won’t save your connection information.  Switching to just using the Intel manager to start/stop solved my problem.

Fixing Facebook Chat (Messaging) on the iPad (iOS) by Opening port 8883 on the Firewall

My darling wife got a new iPad2 for the holidays.  Worked fine while we were out of the house … but as soon as we got home, the Facebook Chat (messaging) feature stopped working, and hung with a permanent “connecting”.  In case you’re not following, “chat” is what shows up in the right-hand column when you use Facebook for the iPad (latest version as of December 2011) in landscape mode (and only shows up in landscape mode).  To restate the problem (and help indexing <g>):  Facebook Chat (aka Facebook Messaging) on the iPad (right-most pane in landscape mode) hung with a “Connecting …” message due to firewall port blocking.

When I connected outside my firewall (directly to my DSL connection) it worked; it didn’t work from behind my firewall.  So … clearly a ports issue … but what ports?

Drove myself crazy trying to figure this out.  Nothing I could find by Googling.  Closest I could come was that Facebook Chat might be using XMPP (TCP ports 5222 and 5223), which makes sense … but opening those ports did nothing to solve the problem.

Eventually, I turned off the firewall (yikes) and turned on Wireshark and ran the app.  Doing so, I saw a very strange pattern — connections to Facebook servers on port 8883, which is, technically, the “secure MQTT” port.  Long story short, I enabled TCP port 8883, and Facebook Chat suddenly started working.

Some additional notes:

  • I left XMPP (ports 5222 and 5223) enabled … so you might also need these ports, in addition to 8883.
  • 8883 is strange!  The only meaningful reference I could find was that SameTime, that old Lotus Notes IM app, used it.  Maybe someone at Facebook pilfered some old SameTime code?

If this helps you out, please leave a comment … I’m curious to know who else has encountered this, whether it’s something unique to me, or I just happened to stumble on it first!