
Alawadhi Blog

Everything in my Mind

When the world turns a blind eye to the use of prohibited weapons

Gaza and (the so-called) Israel’s right to defend itself

Gaza, Palestine, or the so-called (State of Israel), atrocities and crimes against humanity, crimes that US officials say about:

“I understand Israel’s desire to protect itself” – George W. Bush, Jan 5 2009, the Oval Office in the White House.

“Israel has a right to defend itself” – U.S. National Security Council spokesman Gordon Johndroe told reporters in a press conference, Jan 3 2009.

Defend itself against whom? Against unarmed civilians? Against children? Against women? Against UN offices? More than 1133 deaths (as of Jan 16th 13:00UTC), most of them women and children (more than 370 children and 100 women), and more than 5200 heavy injuries (more than 50% women and children, 450 near death).

Targeting UN Offices in Gaza

Even when UN offices were bombarded and turned into rubble [BBC: Strike at Gaza school kills 40] [HRW: Israeli Attack on School Needs Full UN Investigation], no official response was heard from the International Community condemning those acts. More than 100 women and children took shelter in the UNRWA complex school; Israel knows the exact position of that complex, and still, cold-blooded, bombarded it with prohibited weapons, White Phosphorus (WP) incendiary bombs [Wikipedia: White phosphorus], as it did in south Lebanon in the summer of 2006, causing more than 50 casualties [Global Security: Convention on Certain Conventional Weapons Protocol III Protocol on Prohibitions or Restrictions on the Use of Incendiary Weapons. Geneva, 10 October 1980] [Israel Uses Internationally Prohibited Weapons].

Use of US-supplied Weapons against Civilians

Most – if not all – of Israel’s weapons are US-supplied under the US Foreign Assistance Act. Furthermore, any US weapons agreement states clearly that “the use of US-supplied weapons is controlled, particularly not to be used against civilians, under any circumstance”. Every time Israel is conducting offensive acts against the Palestinians, use of US-made heavy weaponry (F-16s, AH-64 Apaches, cluster shells, white phosphorus shells, depleted uranium, etc…) against civilians and civilian-populated areas is documented [HRW: Israel/Lebanon: End Indiscriminate Strikes on Civilians] [HRW: Israel/Lebanon: Israel Responsible for Qana Attack] [Information Clearing House: Human Rights Watch Accuses Israel of War Crimes] [HRW: Fatal Strikes]. So Israel is violating its own agreement with the US regarding the use of the US-supplied weapons against civilians, and on the other hand, the US is turning a blind eye to the well documented violations [amynaonline.org: Israel’s Violations of the US Foreign Assistance Act]. While Iraq was accused of manufacturing and using Weapons of Mass Destruction (WMD), and then after the US illegal invasion, the CIA declared that the reports were “Wrong” [CNN: No WMD stockpiles in Iraq] about the accusation made against Iraq [Bush: invading Iraq was a mistake] [Aljazeera.net: Bush regrets Iraq war intelligence].

The Media is Targeted

Targeting civilians is a story by itself, and targeting media personnel is another story. Why would any (so-called) honest and justice-seeking army target media personnel and journalists while they (Israelis) know the exact location of their building? If anybody could answer this question. On the other hand, external media journalists are banned from the Israeli side to enter Gaza [The Guardian: Ban on foreign journalists skews coverage of conflict] [Haaretz: Top media executives protest Israel’s ban on journalists’ entry to Gaza], why? Are they trying to block the coverage of the holocaust they are committing against the civilians in Gaza? Is there anything Israel is trying to block the world from seeing? Are they trying to block the coverage of the killing of women and children in Gaza?, block the coverage of killing of journalists? block the coverage of bombarding UN offices there?
Israel has a long history of targeting journalists while they are doing their job unbiased and professionally. Any honest journalist who tries to deliver the truth to the world is killed or injured. Israel knows the exact location of the building which has most of the news agencies offices in Gaza, and intentionally bombarded it, injuring 2 Abudhabi channel correspondents with others and damaging electronic and photography equipment.

Demolition of Medical Locations

Overall the unjust and barbaric crimes against humanity, ambulances are attacked while they are on the move, several hospitals and RedCross medical complexes have been destroyed by the Israeli air and ground attacks [MAP: Gaza Hospitals Under Attack] [Scoop.co.nz: Israeli Missiles destroy Gaza Health Care Centre]. Hospitals, ambulances, medical personnel, clinics, and medical complexes are all targeted and destroyed intentionally and purposely. What is this? Another blind eye to what is happening.

Use of Prohibited Weaponry

Cluster shells, White Phosphorus shells, and depleted Uranium use against civilians and civilian areas in Gaza. While a single bullet kills a person, use of heavy and prohibited weaponry to mass-murder innocent civilian people is a crime against humanity [Information Clearing House: Human Rights Watch Accuses Israel of War Crimes]. Human Rights Watch is accusing Israel of committing crimes against humanity in their unjust, brutal, and criminal acts of war.

Double-Faced World

While all of the killings and mass-murder actions done by the Israelis are documented, still the (so-called) Free World is turning a blind eye to what is happening in Gaza. One question would be asked here, are Gazan people sub-human? In the meanwhile, if any Israeli hurt, the whole world would stand still in condemnation and anger for that. The security council just (after a long debate) equalized the butcher, the mass-murderer and the victim in their latest resolution (1860). Instead of demanding a full, unconditional stop of all Israeli criminal activities, the resolution demanded a cease fire, and the difference is obvious, a cease fire equalizes both parties as an equal war parties, which is totally wrong in case of Gaza. What is happening there is a war crime, genocide, holocaust, crimes against humanity done by the Israelis.

Quotes from some Israeli War Criminals and Terrorists

Ben-Gurion commented on the proposed Peel Commission Partition plan as follows in 1937 (Note the premeditated plan to ethnically cleanse the Negev and Transjordan which were not allocated to the Jewish State by the Peel Commission):

"We must EXPEL ARABS and take their places .... and, if we have to use force-not to dispossess the Arabs of the Negev and Transjordan, but to guarantee our own right to settle in those places-then we have force at our disposal."

(Expulsion Of The Palestinians, p. 66)
Ariel Sharon:

"Even today I am willing to volunteer to do the dirty work for Israel, to kill as many Arabs as necessary, to deport them, to expel and burn them, to have everyone hate us, to pull the rug from underneath the feet of the Diaspora Jews, so that they will be forced to run to us crying. Even if it means blowing up one or two synagogues here and there, I don't care."

Who are the real terrorists? Would you open your eyes widely to what is happening in Palestine?
Do yourself a favor, read what is really happening in Gaza at: Aljazeera.net: War on Gaza

Updating Dynamic DNS accounts using a script on Linux

Introduction

One of the requirements for having a domain name is (typically) a static IP, one that does not change frequently. Ordinary people face a problem: most (if not all) residential Internet services have dynamic IP addresses which change once a day (like the one I have).
Companies like dyndns.com, changeip.com and no-ip.com, to name a few, have a service you can use to have a domain name, either dedicated or shared, which can accept this kind of frequent change. All that is needed is either a router that supports DDNS or an application installed on a PC.

A Linux Script

Most, if not all, DDNS companies use APIs for their service, thus this article is about API and scripting.
Steps:

  • Create a directory in /etc, let’s say cron.2min (2min refers to the cron timing):

    cd /etc
    mkdir cron.2min
    chmod 755 cron.2min

  • Add a new line in /etc/crontab:

    0-59/2 * * * * root run-parts /etc/cron.2min

    instructing cron to run everything in /etc/cron.2min every 2 minutes, continuously, every day.

  • Create a file called externalip.txt in the /root directory and insert dummy data in it:

    touch /root/externalip.txt
    echo "2" > /root/externalip.txt
    chmod 644 /root/externalip.txt

    This file will be used to store the external IP address discovered by the script below.

  • In /etc/cron.2min, create a file called dynip.sh with the following contents. user, pass and yourhost are placeholders for your own account details. The update URLs must be quoted, otherwise the shell treats the & characters in the changeip URL as command separators, and the comparison is quoted so that an empty lookup result (e.g. when the Internet link is down) does not break the test:

    #!/bin/sh
    # previously stored external IP
    a=`cat /root/externalip.txt`
    # current external IP, as reported by ip.changeip.com
    b=`wget -q -O - http://ip.changeip.com:8245 | cut -f 2 -d "=" | cut -f 1 -d "-" -s | grep -m 1 ^`
    # only update when the lookup succeeded and the address changed
    if [ -n "$b" ] && [ "$a" != "$b" ]
    then
    # dyndns
    wget --delete-after "https://user:pass@members.dyndns.org/nic/update?hostname=yourhost" >/dev/null 2>&1
    # no-ip
    wget --delete-after "https://user:pass@dynupdate.no-ip.com/nic/update?hostname=yourhost" >/dev/null 2>&1
    # changeip
    wget --delete-after "https://nic.changeip.com/nic/update?hostname=*1&u=user&p=pass" >/dev/null 2>&1
    # opendns
    wget --delete-after "https://user:pass@updates.opendns.com/nic/update" >/dev/null 2>&1
    # update externalip.txt file
    echo "$b" > /root/externalip.txt
    fi

    Keep the file readable by root only (chmod 700), since it contains the account passwords. On Debian-based systems run-parts skips file names containing a dot, so name the file dynip there.

  • Issue the following command to make it executable:

    chmod 755 /etc/cron.2min/dynip.sh

What is Done

The script does the following:

  1. grab the content of externalip.txt,
  2. get the output of the link ip.changeip.com and extract the IP address only,
  3. compare them, if not equal, do the updates, and then put the new IP address in externalip.txt
  4. if equal, just quit
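The same compare-then-update logic, as an added example written for this post (it is not the blog’s script): it validates the address the lookup page returns instead of trusting a fixed cut/grep layout, sends the account password in an Authorization header rather than in the URL (where it would show up in the process list and in any proxy’s access log), checks the provider’s DynDNS2-style reply code, and only records the new address once every provider accepted it. The credentials file /root/ddns.conf and its “update_url user password hostname” layout are assumptions for this example; the state file and the lookup URL are the ones used by the post.

```python
#!/usr/bin/env python3
# Added example (not the blog's script): a DDNS updater with the same
# "update only when the external IP changed" logic, but with input validation,
# credentials kept out of the URL, and reply-code checking.
import ipaddress
import os
import re
import stat
import sys
import urllib.parse
import urllib.request
from base64 import b64encode

STATE_FILE = "/root/externalip.txt"            # same state file as the blog script
CRED_FILE = "/root/ddns.conf"                  # assumed layout: "update_url user password hostname"
IP_LOOKUP_URL = "http://ip.changeip.com:8245"  # lookup service used by the blog script

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ip(text):
    """Return the first syntactically valid IPv4 address found in text, else None.

    Anything that merely looks like a dotted quad (e.g. 999.1.1.1) is skipped.
    """
    for match in IPV4_RE.finditer(text):
        try:
            return str(ipaddress.IPv4Address(match.group(1)))
        except ValueError:
            continue
    return None


def should_update(last_ip, current_ip):
    """Update only when the lookup succeeded and the address really changed."""
    return current_ip is not None and current_ip != last_ip


def classify_reply(body):
    """Map a DynDNS2-style reply ('good 1.2.3.4', 'nochg 1.2.3.4', 'badauth', ...) to (ok, code)."""
    words = body.strip().split()
    code = words[0] if words else "empty"
    return code in ("good", "nochg"), code


def build_update_request(update_url, user, password, hostname, new_ip):
    """HTTP basic auth goes in a header, so the password never appears in the URL."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": new_ip})
    req = urllib.request.Request(f"{update_url}?{query}")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("User-Agent", "ddns-example/1.0")
    return req


def load_credentials(path):
    """Read 'update_url user password hostname' lines; refuse a group/world-readable file."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must not be readable by group/others (chmod 600)")
    entries = []
    with open(path) as fh:
        for line in fh:
            if line.strip() and not line.startswith("#"):
                entries.append(tuple(line.split()))
    return entries


def read_state(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except FileNotFoundError:
        return ""


def main():
    last_ip = read_state(STATE_FILE)
    with urllib.request.urlopen(IP_LOOKUP_URL, timeout=20) as resp:
        current_ip = extract_ip(resp.read().decode("utf-8", "replace"))
    if not should_update(last_ip, current_ip):
        return 0
    all_ok = True
    for update_url, user, password, hostname in load_credentials(CRED_FILE):
        req = build_update_request(update_url, user, password, hostname, current_ip)
        with urllib.request.urlopen(req, timeout=20) as resp:
            ok, code = classify_reply(resp.read().decode("utf-8", "replace"))
        all_ok = all_ok and ok
        print(f"{hostname}: {code}", file=sys.stderr)
    if all_ok:  # remember the new address only once every provider accepted it
        with open(STATE_FILE, "w") as fh:
            fh.write(current_ip + "\n")
    return 0 if all_ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Dropping this file into /etc/cron.2min in place of dynip.sh gives the same two-minute cadence; because the state file is only rewritten after a successful update, a provider outage simply causes a retry on the next run instead of silently leaving the record stale.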

Configuring Squid to query other cache servers for content

Introduction

If more than one cache server is available at the same place, there is a way for any server to query the others for cached content. An example would be a company with two buildings, each with its own cache, e.g. building1-cache and building2-cache, where both are configured as [cache siblings], a means of sharing cached content.

What is ICP

As RFC 2186 indicates:

“ICP is a lightweight message format used for communicating among Web caches. ICP is used to exchange hints about the existence of URLs in neighbor caches. Caches exchange ICP queries and replies to gather information to use in selecting the most appropriate location from which to retrieve an object.”

and

“ICP is a message format used for communicating between Web caches. Although Web caches use HTTP for the transfer of object data, caches benefit from a simpler, lighter communication protocol. ICP is primarily used in a cache mesh to locate specific Web objects in neighboring caches. One cache sends an ICP query to its neighbors. The neighbors send back ICP replies indicating a (HIT) or a (MISS)”

So, if the content is available at one of the cache siblings (HIT), that sibling serves the requester directly instead of the requester going to the origin server on the Internet to download it.
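The query/reply exchange described above, as an added example that is not part of the post or of Squid: it packs and unpacks ICP version 2 datagrams using the header layout from RFC 2186 (opcode, version, message length, request number, options, option data, sender address, then the payload), and a toy sibling answers a query with HIT or MISS from its own cache index. Since a sibling will accept UDP from anything that can reach port 3130, the parser checks the declared length and the URL terminator before trusting any field. The requester address 192.0.2.10, the URLs and the cache index are constructed for the example.

```python
# Added example (not part of the post or of Squid): encode/decode ICP v2
# messages per RFC 2186, plus a toy sibling that answers HIT or MISS.
import socket
import struct

ICP_VERSION = 2
ICP_OP_QUERY, ICP_OP_HIT, ICP_OP_MISS, ICP_OP_ERR = 1, 2, 3, 4
OPCODE_NAMES = {ICP_OP_QUERY: "QUERY", ICP_OP_HIT: "HIT", ICP_OP_MISS: "MISS", ICP_OP_ERR: "ERR"}

# Fixed 20-byte header: opcode, version, message length, request number,
# options, option data, sender host address; all fields in network byte order.
HEADER = struct.Struct("!BBHIII4s")


def build_query(request_number, url, requester_ip="0.0.0.0"):
    """ICP_OP_QUERY: payload is the requester's address followed by the NUL-terminated URL."""
    payload = socket.inet_aton(requester_ip) + url.encode("ascii") + b"\0"
    return HEADER.pack(ICP_OP_QUERY, ICP_VERSION, HEADER.size + len(payload),
                       request_number, 0, 0, b"\0" * 4) + payload


def build_reply(opcode, request_number, url):
    """ICP_OP_HIT / ICP_OP_MISS / ICP_OP_ERR: payload is just the NUL-terminated URL."""
    payload = url.encode("ascii") + b"\0"
    return HEADER.pack(opcode, ICP_VERSION, HEADER.size + len(payload),
                       request_number, 0, 0, b"\0" * 4) + payload


def parse_message(data):
    """Decode a datagram into a dict, rejecting inconsistent framing."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than the ICP header")
    opcode, version, length, reqnum, _options, _optdata, _sender = HEADER.unpack_from(data)
    if version != ICP_VERSION:
        raise ValueError(f"unsupported ICP version {version}")
    if length != len(data):
        raise ValueError(f"declared length {length} does not match datagram size {len(data)}")
    payload = data[HEADER.size:]
    requester = None
    if opcode == ICP_OP_QUERY:
        if len(payload) < 5:  # 4 address bytes plus at least the NUL
            raise ValueError("query payload too short")
        requester = socket.inet_ntoa(payload[:4])
        payload = payload[4:]
    if not payload.endswith(b"\0") or payload.count(b"\0") != 1:
        raise ValueError("URL is not a single NUL-terminated string")
    return {"opcode": OPCODE_NAMES.get(opcode, opcode), "request_number": reqnum,
            "requester": requester, "url": payload[:-1].decode("ascii", "replace")}


def answer_query(cache_index, datagram):
    """What the sibling does with an incoming query: HIT if the URL is cached, else MISS."""
    query = parse_message(datagram)
    if query["opcode"] != "QUERY":
        return build_reply(ICP_OP_ERR, query["request_number"], query["url"])
    opcode = ICP_OP_HIT if query["url"] in cache_index else ICP_OP_MISS
    return build_reply(opcode, query["request_number"], query["url"])


def exchange(cache_index, url, request_number=7):
    """Round trip: building1-cache asks, building2-cache (holding cache_index) answers."""
    query = build_query(request_number, url, "192.0.2.10")  # constructed requester address
    reply = answer_query(cache_index, query)
    return parse_message(reply)


if __name__ == "__main__":
    sibling_cache = {"http://example.com/logo.png"}  # constructed cache index
    print(exchange(sibling_cache, "http://example.com/logo.png"))  # opcode HIT
    print(exchange(sibling_cache, "http://example.com/missing"))   # opcode MISS
```

The request number is echoed back unchanged, which is how a real cache matches replies to the queries it has outstanding; a reply whose number it never sent is simply dropped.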

Configuring Squid

Make sure that the following line exists in /etc/squid/squid.conf and is not commented:

icp_port 3130

This line enables Squid’s ICP listener so it can answer other cache servers.
Next is to have the following line:

cache_host x.x.x.x sibling yyyy 3130 proxy-only

Where x.x.x.x is the other cache’s IP address, yyyy is its HTTP port (the Squid default is 3128), 3130 is its ICP port, and proxy-only tells Squid to fetch objects from that sibling without storing a copy locally. If you have more servers, just list them accordingly. (Newer Squid releases spell this directive cache_peer; the arguments are the same.)
Issue the Squid reload command to apply the updated config:

#/etc/init.d/squid reload

Do the same steps for the rest of servers.

Testing The Settings

If the service is reloaded, a new entry will be there in /var/log/squid/cache.log:

Configuring Sibling x.x.x.x/3128/3130

If after a while (ICP timeout), an entry like:

Detected DEAD Sibling: x.x.x.x

is there, double check for any network related problem, as the Squid service has failed to contact the other cache server; otherwise, cache exchange is working.

Configuring Squid to block ad sites

Introduction

Basic network is operational now, with a gateway and cache/proxy, and it is configured transparently with WCCP. Now, blocking some sites (mainly ads) is the next step.

Configuring Squid

First, beginning with an ACL that contains URLs/domains to be blocked, edit /etc/squid/squid.conf to add the following at the right place:

acl blocked_domains dstdomain .clicksor.com
acl blocked_domains dstdomain .paypopup.com
acl blocked_domains dstdomain .bidvertiser.com
acl blocked_domains dstdomain .zedo.com
acl blocked_domains dstdomain .quantserve.com
acl blocked_domains dstdomain .quantcast.com
acl blocked_domains dstdomain .dmoglobal.net
acl blocked_domains dstdomain ads.mininova.org
acl blocked_domains dstdomain .yieldmanager.com
acl blocked_domains dstdomain .bluelithium.com
acl blocked_domains dstdomain .pubmatic.com
acl blocked_domains dstdomain .adbrite.com
acl blocked_domains dstdomain .advertising.com
acl blocked_domains dstdomain .imvu.com
acl blocked_domains dstdomain .games888.com
acl blocked_domains dstdomain .firstperson.nl
acl blocked_domains dstdomain .mario-sonic.com
acl blocked_domains dstdomain .yahwroom.org
acl blocked_domains dstdomain .yieldmanager.edgesuite.net
acl blocked_domains dstdomain .z5x.net

Where blocked_domains is the ACL name and .domain.com (notice the dot at the beginning) is the domain, including all of its sub-domains; an entry without the leading dot, such as ads.mininova.org, matches that exact host only.
Next is to tell Squid what to do with the ACL created; the following line has to be at the right place, before any http_access allow rule that would otherwise let the request through, since Squid applies http_access rules in order and stops at the first match:

http_access deny blocked_domains

Here, Squid engine is told to deny access to any domain contained within the ACL blocked_domains.
With the steps indicated above, any domain can be denied access. Finally, the next command has to be issued every time after finishing:

#/etc/init.d/squid reload

Where Squid is instructed to reload its config file without restarting the full service.
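To make the leading-dot rule concrete, here is an added example (not from the post and not Squid code) that applies Squid’s dstdomain matching to a request host, renders ACL lines from a plain domain list, and flags entries that a broader .domain entry already covers. The domain list and host names below are constructed; matching is case-insensitive and ignores a trailing dot, as Squid’s is.

```python
# Added example (not from the post or from Squid): dstdomain matching rules,
# ACL rendering, and a redundancy check for a block list.

def normalise_host(host):
    """Squid compares domain names case-insensitively; a trailing dot is ignored."""
    return host.strip().lower().rstrip(".")


def dstdomain_matches(pattern, host):
    """One dstdomain entry against one host.

    '.example.com'   matches example.com and every subdomain of it;
    'ads.example.com' (no leading dot) matches that exact host only.
    """
    pattern, host = normalise_host(pattern), normalise_host(host)
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_blocked(acl_domains, host):
    """True if any entry of the ACL matches the host (deny rule would fire)."""
    return any(dstdomain_matches(p, host) for p in acl_domains)


def render_acl(name, domains):
    """Produce squid.conf lines, one 'acl NAME dstdomain DOMAIN' per entry."""
    return "\n".join(f"acl {name} dstdomain {normalise_host(d)}" for d in domains)


def redundant_entries(domains):
    """Entries already covered by a broader '.domain' entry in the same list."""
    broad = [normalise_host(d) for d in domains if d.strip().startswith(".")]
    redundant = []
    for d in domains:
        n = normalise_host(d)
        if any(b != n and dstdomain_matches(b, n.lstrip(".")) for b in broad):
            redundant.append(d)
    return redundant


if __name__ == "__main__":
    # constructed list, in the same style as the post's ACL
    block_list = [".zedo.com", "ads.mininova.org", ".yieldmanager.com", "ads.yieldmanager.com"]
    print(render_acl("blocked_domains", block_list))
    for host in ("ads.zedo.com", "notzedo.com", "www.ads.mininova.org"):
        print(host, "blocked" if is_blocked(block_list, host) else "allowed")
    print("redundant:", redundant_entries(block_list))
```

Running the redundancy check over a long hand-maintained list before reloading Squid keeps the ACL short and makes it obvious when a new entry changes nothing.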

Using Squid as a transparent proxy/cache with Cisco Routers

Introduction

When I was planning my home network, I wanted to have basic components available, e.g. local DNS, local proxy/cache, etc… I started by having a Cisco 1750 router as my home ADSL device, as it has a wide range of configuration capabilities.
One item was in my home networking to-do list, a proxy/cache service. Having such a service in any multiuser environment is a must, at least for common Internet related activities (e.g. Windows update, antivirus updates, etc…) which have the same files downloaded again and again for each and every PC you have connected. Another thing by the way, from time to time, I bring several PCs/Laptops home for maintenance or reinstallation of Windows, so the need is obvious, having these files locally save both the Internet bandwidth (download it once – have it locally then) and time.
Besides saving bandwidth, tricks can be done with schedule downloads, most of my family members read newspapers online (PDF version), by having a schedule task to download all PDF files from all newspapers we read, I would have them all saved locally in the central cache, thus ready for local access from all PCs/Laptops in my local network.

The Hardware

Any PC with at least 128MB of RAM can do the required job efficiently. Squid runs under Linux (mainly) operating system.

The Software

Linux as an operating system.

Preparing the Software

I am not going into details on how to install the Linux OS. One thing I would like to mention, usually I install Linux Command-Prompt only, as I never use the graphical interface.
After installing Linux (by the way, I use the latest CentOS Linux distro), I make sure that I use yum to install Squid and any dependencies automatically. After installing Squid, I configure it directly with the following (do a search in /etc/squid/squid.conf file and edit accordingly):

http_port xxx.xxx.xxx.xxx:3128 transparent
icp_port 0
maximum_object_size 71680 KB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir diskd /dir ssss 16 256
acl localnet src nnn.nnn.nnn.0/24
wccp2_router rrr.rrr.rrr.rrr

Where:

  • xxx.xxx.xxx.xxx is the IP address you want Squid to bind to,
  • transparent instructs Squid to run in transparent mode (a mode which does not need enduser configuration, it transparently redirects http traffic),
  • maximum_object_size is the maximum file size stored in the disk cache (here I allow up to 70MB filesize to be stored),
  • /dir is the cache directory on disk,
  • ssss is the total size (in MB) of the cache directory (the maximum size of which if reached a replacement policy is performed),
  • nnn.nnn.nnn.0 is the network number you are using,
  • rrr.rrr.rrr.rrr is the IP address of your Cisco router.

I use a general rule for the total cache size based upon the link speed you have. For example, I have a 1Mbps ADSL line to the Internet; multiplying this by 60 and then by 60 gives the maximum (theoretical, in megabits) downloaded per hour, 1*60*60 = 3600Mbph; multiplying the result by 24 gives a full day, 3600*24 = 86400Mbpd; dividing that by 8 (remember, it is still in bits, not bytes) gives the final result, 86400/8 = 10800MBpd. So you have around 10GB of Internet traffic if the link is 100% utilized for 24 hours (neglecting the effect of TCP and other headers to simplify the calculation). Then, based on the total disk size you have (nowadays disks are cheap, so getting a 160GB one is easy), you can decide how many days’ worth of cache you want (under 100% utilization). My choice was 40GB of cache, so ssss in my case is 40960.

Other Linux Settings

A GRE network interface configuration is needed in the Linux box, so do the following:

    • In /etc/rc.local add the following lines (the third line is one long line, even if it wraps in this display):
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -P INPUT ACCEPT
iptables -t nat -A PREROUTING -s nnn.nnn.nnn.0/255.255.255.0 -d ! nnn.nnn.nnn.0/255.255.255.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx:3128

Where: nnn.nnn.nnn.0 is the network number you are using, and xxx.xxx.xxx.xxx is the IP address of the Linux box which Squid is bound to. What these lines do is redirect any port 80 (HTTP) request coming from the router through the gre0 interface to port 3128 (Squid), so that Squid processes it. Newer iptables releases want the negation written as ! -d rather than -d !; the meaning is the same.

    • In /etc/modprobe.conf add the following on a separate line:
alias gre0 ip_gre
    • Make a new file in /etc/sysconfig/network-scripts named ifcfg-gre0 with the following lines:
DEVICE=gre0
BOOTPROTO=static
IPADDR=10.190.19.19
NETMASK=255.255.255.252
ONBOOT=yes

First addition is to enable the GRE interface module in Linux Kernel, second addition is to configure it with a static IP address (any private IP will do the trick, make sure that it is not the same range used locally).

Now you can bring the GRE interface up using:

#ifup gre0

If everything is going smooth, you should have it up without any error, for checking, issue this command:

#ifconfig gre0

and you should have an output similar to this:

gre0 Link encap:UNSPEC HWaddr 00-00-05-08-60-FC-00-00-00-00-00-00-00-00
inet addr:10.190.19.19 Mask:255.255.255.252
UP RUNNING NOARP MTU:1476 Metric:1
RX packets:14168479 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1707102933 (1.5 GiB) TX bytes:3611 (3.5 KiB)

Here, our Linux settings are finished.

Configuring the Router

Configuring the router is a straight forward job, do the following:

router1#conf t
router1(config)#ip wccp web-cache
router1(config)#int f0
router1(config-if)#ip wccp web-cache redirect in
router1(config-if)#exit
router1(config)#exit

Here, router configuration is finished.

Cache is Working

A simple way to find out whether cache redirection is working or not is to issue this command on the router:

router1#show ip wccp

The output should be similar to this:

Global WCCP information:
Router information:
Router Identifier: xxx.xxx.xxx.xxx
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 2967084
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 22
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0

Where xxx.xxx.xxx.xxx is your router IP address. Another thing you will notice in the router console output if you stop Squid (#/etc/init.d/squid stop):

.Dec 16 2008 12:54:17: %WCCP-1-CACHELOST: Web Cache ccc.ccc.ccc.ccc lost

And when you start Squid (#/etc/init.d/squid start):

.Dec 16 2008 12:55:14: %WCCP-5-CACHEFOUND: Web Cache ccc.ccc.ccc.ccc acquired

Where ccc.ccc.ccc.ccc is your Squid IP address.
Now browse the Internet for a while, then issue this command in the Linux box:

#tail /var/log/squid/access.log

If you have some output with your PC IP address and some sites you visited, your cache and router redirection are working perfectly.
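Rather than eyeballing tail output, the same check can be made from the log itself. The following is an added example, not from the post and not Squid code: a parser for Squid’s native access.log format (time, elapsed, client, action/status, bytes, method, URL, ident, hierarchy/peer, content type) and a per-client summary of local hits, sibling hits (from the ICP siblings post), misses and denied requests (from the ad-blocking post), with the bytes that never had to cross the ADSL line. The log lines in SAMPLE_LOG are constructed, including a deliberately malformed one.

```python
# Added example (not from the post, not Squid code): parse Squid's native
# access.log and summarise cache behaviour per client.
from collections import defaultdict

# Constructed sample log, not from a real server.
SAMPLE_LOG = """\
1229431234.567    412 192.168.1.10 TCP_MISS/200 15234 GET http://example.com/index.html - DIRECT/203.0.113.5 text/html
1229431240.120      3 192.168.1.10 TCP_HIT/200 15234 GET http://example.com/index.html - NONE/- text/html
1229431250.001     88 192.168.1.11 TCP_MISS/200 2048 GET http://example.org/a.png - SIBLING_HIT/192.168.1.3 image/png
1229431255.300      0 192.168.1.11 TCP_DENIED/403 1500 GET http://ads.example.net/x.js - NONE/- text/html
this line is garbage
"""


def parse_line(line):
    """Native format: time elapsed client action/status bytes method url ident hierarchy/peer type."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or foreign line: skip rather than guess
    action, _, status = fields[3].partition("/")
    hierarchy, _, peer = fields[8].partition("/")
    try:
        return {"time": float(fields[0]), "elapsed_ms": int(fields[1]), "client": fields[2],
                "action": action, "status": int(status), "bytes": int(fields[4]),
                "method": fields[5], "url": fields[6], "hierarchy": hierarchy,
                "peer": peer, "type": fields[9]}
    except ValueError:
        return None


def classify(rec):
    """Bucket a record: served locally, served by a sibling, fetched from origin, or denied."""
    if rec["action"] == "TCP_DENIED":
        return "denied"
    if "HIT" in rec["action"]:           # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
        return "hit"
    if rec["hierarchy"].startswith("SIBLING_HIT"):
        return "sibling_hit"
    return "miss"


def summarise(log_text):
    """Per-client counts plus the bytes that did not have to be fetched from the Internet."""
    stats = defaultdict(lambda: {"hit": 0, "sibling_hit": 0, "miss": 0, "denied": 0, "bytes_saved": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        client = stats[rec["client"]]
        client[kind] += 1
        if kind in ("hit", "sibling_hit"):
            client["bytes_saved"] += rec["bytes"]
    return dict(stats)


def clients_seen(log_text):
    """Sorted list of client addresses that reached the cache (the 'is my PC in there?' check)."""
    return sorted(summarise(log_text))


if __name__ == "__main__":
    for client, s in summarise(SAMPLE_LOG).items():
        print(client, s)
```

Pointing summarise at the contents of /var/log/squid/access.log answers both questions from this post at once: whether your PC’s address appears at all (redirection works) and whether repeat downloads are being served as hits (the cache is worth having).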

Deploying a Cisco router with WIC-1ADSL card for Internet connectivity

Why?

The main reason of having all of this is: to have a small operational lab at home, so I can practice various configuration and situations (on a smaller scale of course).

The Hardware

I have purchased two Cisco 1750 routers from eBay, having 16MB of flash and 48MB of RAM each. Included in the purchase were two WIC-1ADSL WIC cards, Cisco’s ADSLoPSTN interface.

The Software

As a minimum requirement for the WIC card, the IOS version must be at least 12.2 and the IOS feature set must be of the type C1700-Y7-MZ as number 7 in this notation means that the IOS has the ADSL feature set (c1700 = Cisco 1700 image, Y = IP feature set, 7 = ADSL feature set). Additional feature sets are available (e.g. S = IP Plus feature set, V3 = voice feature set, and more). For more information please refer to router product page.

The Network Plan

A simple home network found in any household constructed with a single switch, a wireless access point, PCs, etc…

Basic Cisco Setup

The setup is basically simple; a cable from the telco wall socket is coming through an ADSL filter and then directly connected to the WIC-1ADSL port. From services point-of-view, all I need is pure NATing (all network services like DHCP, DNS, etc… are running in my internal Compaq server). So the configuration is pretty simple, do ADSL connectivity, do NATing, and that’s all.
Note: for the initial configuration (assuming the router has not been configured previously), a serial console cable is needed and the entire configuration is done through it.

IOS Configuration

Let’s begin with the configuration; entering the global configuration area is a straightforward command:

router1#conf t

In my situation, DHCP service is not needed in the router, this command is issued in the global configuration area:

router1(config)#no service dhcp

Then as I have DNS service up and running on my Compaq server, the following command points the router to the default DNS I am using:

router1(config)#ip name-server xxx.xxx.xxx.xxx

xxx.xxx.xxx.xxx is the IP address of my Compaq server.
Now it is the time to configure the ATM port (my provider has PPPoA 8.35 ADSL connectivity so change this according to your provider’s values), these commands are issued:

router1(config)#int atm0
router1(config-if)#no ip address
router1(config-if)#no ip mroute-cache
router1(config-if)#no atm ilmi-keepalive
router1(config-if)#dsl operating-mode auto
router1(config-if)#hold-queue 244 in
router1(config-if)#pvc 8/35

Notice that after issuing the last command – pvc 8/35 – the prompt changes to:

router1(config-if-atm-vc)#

Then, continuing with the following commands:

router1(config-if-atm-vc)#encapsulation aal5mux ppp dialer
router1(config-if-atm-vc)#dialer pool-member 1
router1(config-if-atm-vc)#exit
router1(config-if)#exit

Issuing exit command twice will return back to the global configuration area and the prompt will return back to:

router1(config)#

FastEthernet interface needs an entry for NATing, the following commands are issued:

router1(config)#int f0
router1(config-if)#ip nat inside
router1(config-if)#exit
router1(config)#

Now Dialer1 interface has to be configured, these commands will configure it:

router1(config)#int dialer1
router1(config-if)#ip address negotiated
router1(config-if)#ip access-group dialer-in in
router1(config-if)#ip nat outside
router1(config-if)#encapsulation ppp
router1(config-if)#dialer pool 1
router1(config-if)#no cdp enable
router1(config-if)#ppp pap sent-username your-username password your-password
router1(config-if)#exit
router1(config)#

your-username and your-password here represent the actual credentials given by the service provider, replacing them directly. Again, after issuing exit command the prompt returns to the global configuration area.
Now, continuing with the following commands in the global configuration area:

router1(config)#ip nat inside source list 1 interface Dialer1 overload
router1(config)#access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
router1(config)#access-list 1 deny any
router1(config)#dialer-list 1 protocol ip permit
router1(config)#ip route 0.0.0.0 0.0.0.0 Dialer1
router1(config)#ip access-list extended dialer-in
router1(config-ext-nacl)#deny ip host 0.0.0.0 any
router1(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
router1(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any
router1(config-ext-nacl)#deny ip 169.254.0.0 0.0.255.255 any
router1(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any
router1(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any
router1(config-ext-nacl)#deny ip 224.0.0.0 31.255.255.255 any
router1(config-ext-nacl)#permit ip any any
router1(config-ext-nacl)#exit
router1(config)#exit
router1#

The xxx.xxx.xxx.0 is the network address being used internally.
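The dialer-in list above relies on Cisco wildcard masks, first-match evaluation and the implicit deny at the end of every IOS ACL, which is easy to get wrong when editing it. As an added example (not from the post and not Cisco code), this evaluator applies exactly those rules to the source-address part of the entries so the list can be checked against sample addresses before it is applied on the router. The DIALER_IN entries are the post’s own lines; the test addresses are constructed.

```python
# Added example (not from the post, not Cisco code): evaluate the source part of
# an extended IOS ACL with wildcard-mask semantics and first-match ordering.
import ipaddress

# The dialer-in entries from the post, as typed at the config-ext-nacl prompt.
DIALER_IN = [
    "deny ip host 0.0.0.0 any",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip 169.254.0.0 0.0.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 224.0.0.0 31.255.255.255 any",
    "permit ip any any",
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit means the address bit must equal the base,
    a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_entry(text):
    """Return (action, (base, wildcard)) for the source part of an extended entry."""
    words = text.split()
    action, rest = words[0], words[2:]  # words[1] is the protocol keyword
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACL entry: {text}")
    if rest[0] == "any":
        src = ("0.0.0.0", "255.255.255.255")
    elif rest[0] == "host":
        src = (rest[1], "0.0.0.0")
    else:
        src = (rest[0], rest[1])
    return action, src


def evaluate(acl_lines, src_addr):
    """The first matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, (base, wildcard) in map(parse_entry, acl_lines):
        if wildcard_match(src_addr, base, wildcard):
            return action
    return "deny"


def wildcard_to_prefix(base, wildcard):
    """'172.16.0.0 0.15.255.255' -> '172.16.0.0/12' (contiguous masks only)."""
    netmask = str(ipaddress.IPv4Address(~_to_int(wildcard) & 0xFFFFFFFF))
    return str(ipaddress.IPv4Network((base, netmask)))


if __name__ == "__main__":
    for src in ("10.1.2.3", "172.20.1.1", "172.32.1.1", "203.0.113.5", "239.255.255.250"):
        print(src, evaluate(DIALER_IN, src))
    for line in DIALER_IN[1:-1]:
        _, (base, wc) = parse_entry(line)
        print(line, "=>", wildcard_to_prefix(base, wc))
```

Because the list is applied inbound on the Dialer1 interface, only the source side of each entry matters here; the evaluator shows, for instance, that 172.32.1.1 is permitted while 172.20.1.1 is dropped, which is exactly what the 0.15.255.255 wildcard (a /12) intends.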

By now, the router should be negotiating ADSL; once it is up, the Internet is connected within seconds (provided that everything is correct, including username & password). Connectivity to the Internet can be tested from any PC directly connected to the internal network.

Conclusion

With this part done without any problems, my internal network is enjoying the Internet by all means.
