https://995facee.rickylin.pages.dev/categories/iptables/Recent content in Iptables on RickyHugo -- gohugo.ioenWed, 10 Jun 2026 10:59:53 +0800https://995facee.rickylin.pages.dev/posts/2026/20260610-articles/Wed, 10 Jun 2026 10:59:53 +0800https://995facee.rickylin.pages.dev/posts/2026/20260610-articles/<ul> <li><a href="https://pokeemerald.com/" target="_blank" rel="noopener">Pokemon Emerald in WebAssembly(https://github.com/tripplyons/pokeemerald-wasm)</a></li> <li><strong>Github</strong> <ul> <li><a href="https://github.com/wxt-dev/wxt" target="_blank" rel="noopener">wxt: Next-gen Web Extension Framework</a></li> <li><a href="https://github.com/anthropics/defending-code-reference-harness" target="_blank" rel="noopener">Skills for threat modeling, scanning, triage, patching, plus an autonomous scanning harness you can <code>/customize</code></a></li> <li><a href="https://github.com/ad-si/awesome-3d-printing" target="_blank" rel="noopener">A curated list of awesome 3D printing resources</a></li> <li><a href="https://github.com/NousResearch/hermes-agent" target="_blank" rel="noopener">hermes-agent: It&rsquo;s the only agent with a built-in learning loop - it creates skills from experience, improves them during use, nudges itself to persist knowledge, searches its own past conversations, and builds a deepening model of who you are across sessions. Run it on a $5 VPS, a GPU cluster, or serverless infrastructure that costs nearly nothing when idle. It&rsquo;s not tied to your laptop - talk to it from Telegram while it works on a cloud VM.</a></li> <li><a href="https://github.com/mysk-research/loupe" target="_blank" rel="noopener">loupe: A privacy-focused iOS app that raises awareness about what native apps can see(https://apps.apple.com/cn/app/loupe-app%E8%83%BD%E7%9C%8B%E5%88%B0%E4%BB%80%E4%B9%88/id6766152470)</a></li> <li><a href="https://github.com/RoversX/LaunchNext" target="_blank" rel="noopener">LaunchNext: Bring your Launchpad back in MacOS26+ ,highly customizable, powerful, free.</a></li> <li><a href="https://github.com/skeeto/endlessh" target="_blank" rel="noopener">endlessh: SSH tarpit that slowly sends an endless banner</a></li> <li><a href="https://github.com/akerouanton/iptables-tracer" target="_blank" rel="noopener">iptables-tracer: Trace packets as they go through iptables chains</a></li> <li><a href="https://github.com/serverless-dns/serverless-dns" target="_blank" rel="noopener">serverless-dns: The RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io</a></li> <li><a href="https://github.com/ouch-org/ouch" target="_blank" rel="noopener">ouch: stands for Obvious Unified Compression Helper. It&rsquo;s a CLI tool for compressing and decompressing various formats.(https://github.com/ouch-org/ouch#supported-formats)</a></li> <li><a href="https://github.com/shell-pool/shpool" target="_blank" rel="noopener">shpool: shpool is a service that enables session persistence by allowing the creation of named shell sessions owned by shpool so that the session is not lost if the connection drops. shpool can be thought of as a lighter weight alternative to tmux or GNU screen. While tmux and screen take over the whole terminal and provide window splitting and tiling features, shpool only provides persistent sessions. The biggest advantage of this approach is that shpool does not break native scrollback or copy-paste.</a></li> <li><a href="https://github.com/google/capslock" target="_blank" rel="noopener">capslock: is a capability analysis CLI for Go packages that informs users of which privileged operations a given package can access. This works by classifying the capabilities of Go packages by following transitive calls to privileged standard library operations.</a></li> <li><a href="https://github.com/psviderski/unregistry" target="_blank" rel="noopener">unregistry: Push docker images directly to remote servers without an external registry</a></li> <li><a href="https://github.com/Ranchero-Software/NetNewsWire" target="_blank" rel="noopener">NetNewsWire is a free and open-source feed reader for macOS and iOS. It supports RSS, Atom, JSON Feed, and RSS-in-JSON formats.</a></li> <li><a href="https://github.com/k4yt3x/sysctl" target="_blank" rel="noopener">K4YT3X&rsquo;s Hardened &amp; Optimized Linux Kernel Parameters</a></li> <li><a href="https://github.com/tursodatabase/turso" target="_blank" rel="noopener">Turso is an in-process SQL database, compatible with SQLite.</a></li> <li><a href="https://github.com/zizmorcore/zizmor" target="_blank" rel="noopener">zizmor is a static analysis tool for GitHub Actions.</a></li> <li><a href="https://github.com/rustfs/rustfs" target="_blank" rel="noopener">RustFS is a high-performance, distributed object storage system built in Rust.</a></li> <li><a href="https://github.com/jdx/usage" target="_blank" rel="noopener">Usage: is a spec and CLI for defining CLI tools. Arguments, flags, environment variables, and config files can all be defined in a Usage spec. It can be thought of like OpenAPI (swagger) for CLIs.</a></li> <li><a href="https://github.com/MODSetter/SurfSense" target="_blank" rel="noopener">SurfSense: An open source, privacy focused alternative to NotebookLM for teams with no data limits.</a></li> <li><a href="https://github.com/icann/icann-rdap" target="_blank" rel="noopener">ICANN implementation of the Registry Data Access Protocol (RDAP)</a></li> <li><a href="https://github.com/openrdap/rdap" target="_blank" rel="noopener">OpenRDAP is a command line RDAP client implementation in Go.</a></li> </ul> </li> <li><strong>Article</strong> <ul> <li><a href="https://blog.ammaraskar.com/github-token-stealing/" target="_blank" rel="noopener">1-Click GitHub Token Stealing via a VSCode Bug</a></li> <li><a href="https://www.zhihu.com/question/590661860" target="_blank" rel="noopener">Linux 系统误将 chmod 权限改成 了 000，如何恢复?</a></li> <li><a href="https://ahelwer.ca/post/2026-05-08-builtin-u2f/" target="_blank" rel="noopener">Laptops all have built-in security tokens these days</a></li> <li><a href="https://tailscale.com/blog/tailscale-rustdesk-remote-desktop-access" target="_blank" rel="noopener">Tailscale and RustDesk: Secure remote access to all your desktops</a></li> <li><a href="https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/" target="_blank" rel="noopener">Unexpected security footguns in Go&rsquo;s parsers</a></li> <li><a href="https://marvin.yabi.me/misc/junzishendoo.htm" target="_blank" rel="noopener">君子慎讀</a></li> <li><a href="https://marvin.yabi.me/misc/wenbai.htm" target="_blank" rel="noopener">辭典中標注的「讀音」和「語音」是什麼？</a></li> <li><a href="https://marvin.yabi.me/misc/AND.htm" target="_blank" rel="noopener">拜託別再「我汗你」了！</a></li> </ul> </li> </ul> <hr> <h2 id="linux-系统误将-chmod-权限改成-了-000如何恢复">Linux 系统误将 chmod 权限改成 了 000，如何恢复?</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">#include</span> <span style="color:#75715e">&lt;sys/stat.h&gt;</span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">int</span> <span style="color:#a6e22e">main</span>() { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">chmod</span>(<span style="color:#e6db74">&#34;/usr/bin/chmod&#34;</span>, <span style="color:#ae81ff">0755</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>ubuntu@ubuntu:~$ which chmod </span></span><span style="display:flex;"><span>/usr/bin/chmod </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ ls -lh /usr/bin/chmod </span></span><span style="display:flex;"><span>lrwxrwxrwx <span style="color:#ae81ff">1</span> root root <span style="color:#ae81ff">8</span> Sep <span style="color:#ae81ff">27</span> <span style="color:#ae81ff">2025</span> /usr/bin/chmod -&gt; gnuchmod </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ ls -lh /usr/bin/gnuchmod </span></span><span style="display:flex;"><span>-rwxr-xr-x <span style="color:#ae81ff">1</span> root root 67K Jan <span style="color:#ae81ff">23</span> 21:34 /usr/bin/gnuchmod </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ sudo chmod <span style="color:#ae81ff">000</span> /usr/bin/chmod </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ ls -lh /usr/bin/chmod </span></span><span style="display:flex;"><span>lrwxrwxrwx <span style="color:#ae81ff">1</span> root root <span style="color:#ae81ff">8</span> Sep <span style="color:#ae81ff">27</span> <span style="color:#ae81ff">2025</span> /usr/bin/chmod -&gt; gnuchmod </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ ls -lh /usr/bin/gnuchmod </span></span><span style="display:flex;"><span>---------- <span style="color:#ae81ff">1</span> root root 67K Jan <span style="color:#ae81ff">23</span> 21:34 /usr/bin/gnuchmod </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ cat main.c </span></span><span style="display:flex;"><span><span style="color:#75715e">#include &lt;sys/stat.h&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>int main<span style="color:#f92672">()</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> chmod<span style="color:#f92672">(</span><span style="color:#e6db74">&#34;/usr/bin/chmod&#34;</span>, 0755<span style="color:#f92672">)</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> 0; </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ gcc ./main.c </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ sudo ./a.out </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ ls -lh /usr/bin/chmod </span></span><span style="display:flex;"><span>lrwxrwxrwx <span style="color:#ae81ff">1</span> root root <span style="color:#ae81ff">8</span> Sep <span style="color:#ae81ff">27</span> <span style="color:#ae81ff">2025</span> /usr/bin/chmod -&gt; gnuchmod </span></span><span style="display:flex;"><span>ubuntu@ubuntu:~$ ls -lh /usr/bin/gnuchmod </span></span><span style="display:flex;"><span>-rwxr-xr-x <span style="color:#ae81ff">1</span> root root 67K Jan <span style="color:#ae81ff">23</span> 21:34 /usr/bin/gnuchmod </span></span></code></pre></div><hr> <h2 id="laptops-all-have-built-in-security-tokens-these-days">Laptops all have built-in security tokens these days</h2> <h3 id="macos">macOS</h3> <blockquote> <p><a href="https://github.com/yubico/libfido2" target="_blank" rel="noopener">https://github.com/yubico/libfido2</a></p>https://995facee.rickylin.pages.dev/posts/2019/20191204-ip-tables-rule-load-balance/Wed, 04 Dec 2019 11:08:04 +0800https://995facee.rickylin.pages.dev/posts/2019/20191204-ip-tables-rule-load-balance/<ul> <li><a href="https://blog.outv.im/2019/ip-tables-rule-load-balance/" target="_blank" rel="noopener">Load Balancing with iptables and ip rule</a></li> </ul> <h4 id="steps">Steps</h4> <p>This example uses an Arch Linux device with two Internet uplinks: eth0 and eth1. The mapping is:</p> <ul> <li>Mark 10 (0xa) - Routing table #110 - use eth0</li> <li>Mark 11 (0xb) - Routing table #111 - use eth1</li> </ul> <p>We decide which uplink to use based on the packet mark. First, use ip rule to map each mark to its routing table.</p> <p>The default routing table priority is 32768. To ensure our tables are used, set a higher priority (for example 31000).</p>https://995facee.rickylin.pages.dev/posts/2019/20191007-fuck-cmcc/Mon, 07 Oct 2019 10:41:08 +0800https://995facee.rickylin.pages.dev/posts/2019/20191007-fuck-cmcc/<ul> <li><a href="https://v2c.tech/Article/FUCK-CMCC" target="_blank" rel="noopener">Fighting ISP Cache Hijacking Again with iptables</a></li> </ul> <h5 id="cause">Cause</h5> <p>The fight against the carrier cache problem started two years ago. The carrier even cached cnpm data. Worse, their cache servers were not only slow like a turtle in a marathon, they also crashed frequently, so I just wanted to write code but had to face a wall of red errors.</p> <h5 id="fix">Fix</h5> <p><code>iptables -I FORWARD -p tcp -m tcp -m ttl --ttl-gt 20 -m ttl --ttl-lt 30 -j DROP</code></p>