Archive for the ‘Networking’ Category

Dual NIC setup with CentOS – public and local interfaces

May 7th, 2008

I learned again the value of this configuration: I rebooted and my public interface did not come up, but the local one was fine. I simply telnet'd in from another local machine, fixed the issue, rebooted, and now all is well. My configs had worked for a year, but not any more. In /etc/sysconfig/networking/devices/ifcfg-eth1 the issue was BOOTPROTO: the card was either reporting its MAC as 00:00:00:00:00:00 or nothing at all.

GATEWAY=192.168.1.100
TYPE=Ethernet
DEVICE=eth0
HWADDR=00:11:f7:77:34:9e
BOOTPROTO=none     <-------- changed to static
NETMASK=255.255.255.0
IPADDR=192.168.1.12
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes

Changed to BOOTPROTO=static:

GATEWAY=192.168.1.100
TYPE=Ethernet
DEVICE=eth0
HWADDR=00:11:f7:77:34:9e
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=192.168.1.12
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes

.. then I rebooted and all is well again. A good test is that if something survives 2 reboots, it's golden. After one reboot the kernel/kudzu/whatever may still treat the card as "new" for that boot (hey look, a new card! Let's autoconfigure...); after the second it is no longer "new", so a bad config breaks on the second reboot (say the card did not configure and gets skipped). If a change survives a reboot, great; I test, and if successful I reboot right away. If something survives 2 reboots, I generally consider the fix reliable and can relax.

So why do this? If you have two servers it's easy, but what about only one colocated server? What if you do not have an IP KVM? Get a $69 Mikrotik router to use as a secondary local access device (LAD). They use 5W of power and are the size of a small switch; you will just need an extra power outlet. I am sure if you explain to your ISP how service calls will be avoided, they'll let you use an extra outlet. ;) I use this as a backup to the backup LAD and it works well. Set 2 ports in bridged mode and it will act like a switch, then assign an IP to the bridge (not to the individual interfaces).

The config tool system-config-network is good for a single-port system; for dual/triple NIC setups with local, DMZ and advanced networking, you need to do this by hand. The key entry is GATEWAYDEV, which sets up the default route correctly, as seen in netstat -r.

Here is a configuration for dual NIC with eth0 local and eth1 public; your names may be different, so tweak as necessary.
/etc/sysconfig/network

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=host.example.com
GATEWAYDEV=eth1
MOUNTD_PORT=4002

/etc/sysconfig/networking/devices/eth0 - local network card

# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
GATEWAY=192.168.10.1
TYPE=Ethernet
DEVICE=eth0
HWADDR=00:98:c7:16:77:43
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.10.2
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes

/etc/sysconfig/networking/devices/eth1 - public network card

# nVidia Corporation MCP51 Ethernet Controller
DEVICE=eth1
BROADCAST=1.1.1.15
HWADDR=00:47:e1:6f:3e:27
IPADDR=1.1.1.4
NETMASK=255.255.255.240
NETWORK=1.1.1.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=1.1.1.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes

Reboot your system. A restart (service network restart; service [firewall software] restart) is fine for a quick check, but if your changes survive a couple of reboots you can be sure they're correct. If this is for a live system in a far away datacenter, test it at home first, then one more time, get some coffee, then test again.

[root@host devices]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
1.1.1.0    *               255.255.255.240 U         0 0          0 eth1
192.168.10.0    *               255.255.255.0   U         0 0          0 eth0
169.254.0.0     *               255.255.0.0     U         0 0          0 eth1
default         1.1.1.1    0.0.0.0         UG        0 0          0 eth1
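As an added example, not from the original post: a small Python pre-reboot check over the files edited above. It parses /etc/sysconfig/network and the ifcfg files (embedded here as constructed sample strings that mirror the configs above, with eth0 given the all-zero HWADDR mentioned at the top) and reports a missing or all-zero HWADDR, ONBOOT not set, a GATEWAYDEV that has no ifcfg file, no static address or no GATEWAY, a GATEWAY outside its own card's subnet, and two cards on overlapping subnets.

```python
import ipaddress

# Constructed sample files mirroring the article's layout: /etc/sysconfig/network
# plus one ifcfg per card. eth0 carries the all-zero HWADDR the article ran into.
NETWORK_CFG = "NETWORKING=yes\nHOSTNAME=host.example.com\nGATEWAYDEV=eth1\n"
IFCFG = {
    "eth0": "DEVICE=eth0\nBOOTPROTO=none\nHWADDR=00:00:00:00:00:00\nIPADDR=192.168.10.2\n"
            "NETMASK=255.255.255.0\nGATEWAY=192.168.10.1\nONBOOT=yes\n",
    "eth1": "DEVICE=eth1\nHWADDR=00:47:e1:6f:3e:27\nIPADDR=1.1.1.4\n"
            "NETMASK=255.255.255.240\nGATEWAY=1.1.1.1\nONBOOT=yes\n",
}

def parse_sysconfig(text):
    """Parse KEY=VALUE lines; '#' comments and surrounding quotes are dropped."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg

def check_interfaces(network_text, ifcfg_texts):
    """Return a list of problems; an empty list means the files are consistent."""
    problems = []
    gwdev = parse_sysconfig(network_text).get("GATEWAYDEV")
    if gwdev not in ifcfg_texts:
        problems.append(f"GATEWAYDEV={gwdev} has no ifcfg file")
    nets = {}
    for name, text in ifcfg_texts.items():
        cfg = parse_sysconfig(text)
        if cfg.get("ONBOOT", "no").lower() != "yes":
            problems.append(f"{name}: ONBOOT is not yes, so it stays down after a reboot")
        if cfg.get("HWADDR", "").lower() in ("", "00:00:00:00:00:00"):
            problems.append(f"{name}: missing or all-zero HWADDR")
        if not {"IPADDR", "NETMASK"}.issubset(cfg):
            if name == gwdev:
                problems.append(f"{name}: is GATEWAYDEV but has no static address")
            continue
        net = ipaddress.ip_network(f"{cfg['IPADDR']}/{cfg['NETMASK']}", strict=False)
        nets[name] = net
        gateway = cfg.get("GATEWAY")
        if name == gwdev and gateway is None:
            problems.append(f"{name}: is GATEWAYDEV but sets no GATEWAY")
        if gateway and ipaddress.ip_address(gateway) not in net:
            problems.append(f"{name}: GATEWAY {gateway} is outside {net}")
    # Two cards on overlapping subnets give ambiguous routes in netstat -r.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b}: subnets {nets[a]} and {nets[b]} overlap")
    return problems
```

Run check_interfaces(NETWORK_CFG, IFCFG) before rebooting; on the sample input it reports only the all-zero HWADDR on eth0.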

NFS with Shorewall & SELinux – CentOS

October 22nd, 2007

These are my notes from what I got working for CentOS NFS with Shorewall and SELinux. The setup is as follows:
* Server called “server” (192.168.1.10) exporting /opt/goodies for machine “client” (192.168.1.15) to use in /usr/local/goodies
* Both are running *nix with Shorewall firewall
* This config works for CentOS – others may need tweaking. On Windows get a VMware server running with 2 instances of CentOS if you’d like to play along.

Server
1. Add this line to /etc/init.d/nfslock, before the start() function, near the line with daemon rpc.statd:

STATD_PORT=4000

2. Run the following commands:

[root@server]# echo "MOUNTD_PORT=4002" >> /etc/sysconfig/network
[root@server]# echo "options lockd nlm_udpport=4001 nlm_tcpport=4001" >> /etc/modprobe.conf
[root@server]# echo "rquotad 4003/tcp" >> /etc/services

3. portmap, nfs and nfslock need to be running and enabled at boot; check with chkconfig:

[root@server]# chkconfig --list | egrep 'nfs|nfslock|portmap'
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off

To autostart any of these services, run the following (shown here for nfs):

[root@server]# chkconfig --level 235 nfs on

4. Create the /etc/shorewall/macro.NFS file

#
# Shorewall version 3.4 - NFS Macro
#
# /usr/share/shorewall/macro.NFS
#
#       This macro handles NFS traffic. You need to invoke
#       this macro in both directions.  Beware!  This rule opens a lot
#       of ports, and could possibly be used to compromise your firewall
#       if not used with care.  You should only allow NFS traffic
#       between hosts you fully trust.
#
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                               PORT    PORT(S) DEST            LIMIT   GROUP
PARAM   -       -       udp     111,2049
PARAM   -       -       tcp     111,2049
PARAM   -       -       udp     4000:4003
PARAM   -       -       tcp     4000:4003
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5. Allow NFS traffic through the Shorewall firewall by editing /etc/shorewall/rules; here we allow traffic only between the server and two other systems. Be aware that NFS access control is IP based, so ensure your network is secure.

NFS/ACCEPT      net:192.168.1.15,192.168.1.17     $FW
NFS/ACCEPT      $FW     net:192.168.1.15,192.168.1.17

Alternatively, if you are running iptables manually, you can enter these rules; here I made a script to make life easier. The last two commands are needed to keep the REJECT rule at the end of the chain. I prefer to use Shorewall because, as it says, it is "iptables made easy", and it's really easy to typo these commands and lose time trying to get this working.
The name of my firewall chain was RH-Firewall-1-INPUT; substitute as needed.

#!/bin/sh
# Open the NFS ports in the RH-Firewall-1-INPUT chain for one source network:
# portmap (111), nfsd (2049) and the statd/lockd/mountd/rquotad ports fixed
# above (4000-4003), then move the final REJECT back to the end of the chain.
echo "nfs & iptables setup"
printf 'Network IP (eg; 192.168.1.0): '
read networkip
printf 'Subnet mask without the slash (eg; /24 is entered as 24): '
read subnet
src="$networkip/$subnet"
# Accept non-first fragments from the clients (large UDP NFS replies fragment).
iptables -A RH-Firewall-1-INPUT -f -s "$src" -j ACCEPT
for port in 111 2049 4000 4001 4002 4003; do
    iptables -A RH-Firewall-1-INPUT -s "$src" -p udp -m udp --dport "$port" -j ACCEPT
    iptables -A RH-Firewall-1-INPUT -s "$src" -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
done
# The catch-all REJECT must stay last: delete it and append it again.
iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

If you used Shorewall, it will require a restart. First check the configuration:

[root@server]# shorewall check

If the check passed, you are safe to restart:

[root@server]# shorewall restart

6. With services and firewall running properly, we can export a directory; edit /etc/exports
(More on this topic can be found at http://nfs.sourceforge.net)

#
# format example:
# /dir/of/sharedfiles  192.168.1.30(ro,root_squash,sync)
#
/opt/goodies      192.168.1.15(ro,sync)       # share read-only
/opt/goodies      192.168.1.17(rw,root_squash,sync)   # share read write, root squash

Client
1. Repeat steps 1-5 to set up the client.

2. Create a directory to mount the share on; for this example it's /usr/local/goodies. The file /opt/goodies/sometool.sh on the server will show up on the client as /usr/local/goodies/sometool.sh

[root@client]# mkdir /usr/local/goodies; chmod 755 /usr/local/goodies

3. Edit /etc/fstab; here we are mounting read-only:

192.168.1.10:/opt/goodies      /usr/local/goodies     nfs     ro,sync         0 0

4. Mount the NFS share:

[root@client]# mount /usr/local/goodies

5. Test it out – you should be able to read files from here. If not, re-check your work and check /var/log/messages for error messages.

Troubleshooting
Server: try this command:

[root@server]# service nfs reload

Client:

[root@client]# service netfs restart

SELinux
If you got this far, awesome; the next step is SELinux. There are many opinions about it; mine is that I want to use it, because I like its ideology.

So, both the server and client in this case can be running SELinux in enforcing mode and work with NFS.

1. Server and client:

[root@server]# setsebool -P use_nfs_home_dirs 1
[root@client]# setsebool -P use_nfs_home_dirs 1

2. To turn SELinux enforcing off and on (0 = off, 1 = on):

[root@server]# echo "0" >/selinux/enforce

At this point you could reboot both systems; if SELinux has been activated, it is worth doing so to ensure everything still works after a reboot.

This should get NFS working; next is tuning. NFS is a deep topic and some study will result in a secure and useful setup.

Gregg [aaattt] mochabomb [dot] com


Do subnet math in your head

April 12th, 2007

Subnets are a necessary part of networking, and while there are a lot of websites with charts out there, you could print one of many such charts really small and laminate it, or, better, use your God-given noggin and memorize it! We learned multiplication tables as kids; learning subnetting is about as easy if you work with me on this. Take 20 minutes now and you'll know this for life.

At first, subnets were hard for me to understand – until my brother Hans somegeek explained it in a really simple way.

Update Nov 9, 2010: Take the quiz

Definition
A subnet is a portion of the full net – and every network we use is part of a subnet. As geeks we mostly deal with class C or smaller.

Let's work with an example. You just started working at RARPAnet and have lots of computers to set up. You were assigned the entire 10.0.0.0 network for address space. Since the 10 network is designated for use on private networks (it's not routed on the public internet) you have lots of addresses.

Class – amount of address space you have:
Class A: The entire 10 network – any address where the first number is the same
Class B: The 10.1, or the 10.2 network – up to the 10.255 network – any address where the first 2 numbers are the same
Class C: 10.0.1, or 10.0.2, up to the 10.0.255 network – any address where the first 3 numbers are the same

Examples of subnets from the 10 network:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 10.1.0.0 to 10.1.255.255
Class C: 10.1.0.0 to 10.1.0.255

Every Subnet has 4 parts to it:

  1. Network – this is the first address on the network – designates the starting address
  2. Hosts – addresses that can be used for hosts (routers, computers, etc)
  3. Broadcast – the last address of the network – for ‘yelling’ at everyone at the same time.
  4. Netmask – used to get the network – put as a mask over the address

Example 1: Break down the 192.168.1 network

For the 192.168.1 subnet:
192.168.1.0 network
192.168.1.1 - 254 hosts
192.168.1.255 broadcast
255.255.255.0 netmask

Every IP address is made up of 32 bits in 4 chunks of 8 bits.

Counting in binary is really simple: use the table below to make the number as a sum of its parts.

Basic table for counting up to 255 in binary: first row of 1's, second row powers of 2 starting with 1:

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1

Conversion of regular numbers to binary:

1 in binary:

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
                                        1

2 in binary: 2 + 0

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
                                   2    0 = 2
                                   1    0

5 in binary: 4 + 1

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
                              4    0    1 = 5
                              1    0    1

18 in binary: 16 + 2

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
                  16     0    0    2    0 = 18
                   1     0    0    1    0

187 in binary: 128 + 32 + 16 + 8 + 2 + 1

1      1     1     1     1    1    1    1
128   64    32    16     8    4    2    1
128    0    32    16     8    0    2    1 = 187 
1      0     1     1     1    0    1    1 

Convert Binary to Decimal
Convert 10110 to a decimal number:

First, 10110 is 5 bits; your biggest number in the count set will always be 2^(n-1).
Another way to remember is the largest number will be half of 2^n;
2^5 = 32; half is 16.

The mathematical way is:
n = 5, so 2^(5-1) = 16. That's your biggest number, so the count set is "16 8 4 2 1".

1*16 + 0*8 + 1*4 + 1*2 + 0*1 = 22. Convert 22 back to binary as above; it can be done in your head.
Takes some practice but like counting change when working a cash register, it’ll flow after a while.

With the binary-decimal conversion understood, let's look at IPs, v4 that is. The binary for the full IPv4 address is: 11111111.11111111.11111111.11111111

Detailed breakdown

Now, for a host with ip of 192.168.1.12, the IP and subnet are often denoted together in one of two ways:
192.168.1.12 255.255.255.0
or more often used and shorter to write:
192.168.1.12/24

The /24 means that of the 32 bits in the address, the first 24 bits denote the network and the last 8 bits are the host address space:

For a /24 there are 8 bits for address space:
Subtract the slash number from 32: in the case of /24:
32 – 24 = 8 bits;
Then the number of IP addresses is 2^8 = 256;

256 addresses: first address is network, last is broadcast; 254 in the middle are for hosts.
192.168.1.0 network
192.168.1.1 to 192.168.1.254 hosts
192.168.1.255 broadcast
255.255.255.0 subnet mask
11111111.11111111.11111111.00000000 Last 8 bits are zeros

How to easily remember this:
Mentally I think this: I see 192.168.1/24 – then
1. an IP address has 32 bits for address
2. 32 – 24 = 8; 2^8 = 256;
3. 256 addresses – first one is network; last one is broadcast, the rest in the middle are hosts.

Example: You are given an address of 192.168.1.16/29 for your network:
For a /29: There are 3 bits for address space:
1. 32 bits – 29 bits = 3 bits for address space;
2. 2^3 = 8 – the number of addresses in this network
3. Since my first address is 192.168.1.16, 192.168.1.23 is my last address

Summary:
8 addresses: First is network, 6 in the middle for hosts, last is the broadcast address:

192.168.1.16                       network
192.168.1.17 to 192.168.1.22       hosts
192.168.1.23                       broadcast
255.255.255.248                    subnet mask     

11111111.11111111.11111111.11111000  Last 3 bits are zeros

… and since this subnet is most likely subdivided into groups of 8 IPs, there is a new network every 8 IP addresses on this 192.168.1 subnet, which is a good way to segment a network for security, etc.

192.168.1.0-7
192.168.1.8-15
192.168.1.16-23               (your network)
192.168.1.24-31
192.168.1.32-39
...and so on up to
192.168.1.248-255
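The arithmetic walked through above (the powers-of-two table, binary to decimal, the 32 minus prefix rule, and the /29 block list), as an added Python example that is not part of the original post. It does the math with bit operations rather than a library so each step matches the article, and it generalizes to any prefix, treating /31 and /32 as leaving no host range.

```python
POWERS = (128, 64, 32, 16, 8, 4, 2, 1)  # the article's counting row

def to_binary_terms(n):
    """Decompose 0..255 into the table's powers of two: 187 -> [128, 32, 16, 8, 2, 1]."""
    if not 0 <= n <= 255:
        raise ValueError("octet out of range")
    return [p for p in POWERS if n & p]

def binary_to_decimal(bits):
    """'10110' -> 22; the leftmost of n bits weighs 2**(n-1), as in the article."""
    n = len(bits)
    return sum(int(b) << (n - 1 - i) for i, b in enumerate(bits))

def ip_to_int(ip):
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def subnet(cidr):
    """Network, hosts, broadcast and mask for 'a.b.c.d/prefix', following the
    article: host bits = 32 - prefix, size = 2**host bits, first address is
    the network and last is the broadcast.  /31 and /32 leave no host range."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    host_bits = 32 - prefix
    size = 1 << host_bits
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    network = ip_to_int(ip) & mask
    broadcast = network | (size - 1)
    return {
        "network": int_to_ip(network),
        "first_host": int_to_ip(network + 1) if host_bits > 1 else None,
        "last_host": int_to_ip(broadcast - 1) if host_bits > 1 else None,
        "broadcast": int_to_ip(broadcast),
        "netmask": int_to_ip(mask),
        "hosts": size - 2 if host_bits > 1 else 0,
        "mask_bits": ".".join(format((mask >> s) & 0xFF, "08b") for s in (24, 16, 8, 0)),
    }

def blocks(base_cidr, prefix):
    """Every /prefix block inside base_cidr, e.g. the /29 blocks of 192.168.1.0/24."""
    base = subnet(base_cidr)
    step = 1 << (32 - prefix)
    start, end = ip_to_int(base["network"]), ip_to_int(base["broadcast"])
    return [(int_to_ip(n), int_to_ip(n + step - 1)) for n in range(start, end + 1, step)]
```

subnet("192.168.1.16/29") reproduces the summary above (network .16, hosts .17 to .22, broadcast .23, mask 255.255.255.248), and blocks("192.168.1.0/24", 29) gives the 32 groups of 8 listed above.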

So there it is: binary math, subnets, and now no chart to carry in your pocket. This website has a subnet calculator, good for reference and checking your work.

Update Nov 9, 2010: Test your knowledge, take the quiz


Kill spyware apps – can't phone home

November 16th, 2006

This fix is quite simple in approach – lie about the true location of websites – how?

Every domain name is mapped to a number by the domain name service (DNS). It is the internet equivalent of the phone book, which maps a name to a phone number; DNS maps a domain name to an Internet Protocol (IP) address. Now imagine this:

Imagine I get spyware or a virus that tricks my computer so that instead of getting the right IP address for Google or Yahoo, I get an intentionally wrong answer, see below:

Correct addresses:

  • google.com 64.233.167.99
  • yahoo.com 66.94.234.13
  • WhenUClickOnMe Toolbar Search (evil) 208.13.12.145

Spoofed and faked addresses:


Useful windows networking commands

November 10th, 2006

Show TCP ports in use and by what program; use UDP instead of TCP for UDP ports:

netstat -naop TCP

Show the IP, netmask and gateway for a PC:

ipconfig

Clear networking cache – if “Repair” is not clearing the cache

netsh interface ip delete arpcache
