iptables and more on Linux » networking

GRE tünel nasıl oluşturulur

admin — Mon, 14 Jun 2010 16:35:44 +0000

Bu yazıda bir örnekle Linux altında nasıl GRE tünel oluşturacağımızı anlatmaya çalışacağım.

Birbirine Internet üzerinden erişebilen iki Linux cihaz düşünelim. (IP adresleri yine de Internet üzerinde kullanılmayan bloktan verilmiştir)

IP TANIMLARI

node1 (eth0 internet, eth1 iç ağa bakan kısım olsun)
eth0 : 192.168.200.150/24
eth1: 10.1.1.1/24
tunel arayuzu (tonode2): 172.16.151.1/30

node2 (eth0 internet, eth1 iç ağa bakan kısım olsun)
eth0: 10.10.10.150/24
eth1: 10.2.1.1/24
tunnel arayuzu (tonode1): 172.16.151.2/30

node1 ve node2 cihazlarının birbirlerine eth0 arayüzleri üzerinde Interneti kullanarak erişebildiğini düşünelim. Sırasıyla cihazları yapılandıralım.

TUNEL YAPILANDIRMASI

node1)

#modprobe ip_gre
#ip tunnel add tonode2 mode gre remote 10.10.10.150 local 192.168.200.150
#ip link set tonode2 up
#ip addr add 172.16.151.1/30 dev tonode2

node2)

#modprobe ip_gre
#ip tunnel add tonode1 mode gre remote 192.168.200.150 local 10.10.10.150
#ip link set tonode1 up
#ip addr add 172.16.151.1/30 dev tonode1

node1 üzerinde yaptıklarımızı anlatırsak:

ip_gre modülünü yükledik
tonode2 adında bir tünel arayüzü yaratıp uç noktaları (yerel ve uzaktaki adresler) belirledik
Tünel arayüzü ayağa kaldırdık
Tünelimize bir IP addresi verdik.

Fakat henüz iç ağımıza giden trafiği tünele yönlendirmedik. Bunun için :

node1)

#ip route add 10.2.1.0/24 dev tonode2

Bu komutla 10.2.1.0/24 ağını tünelin diğer tarafına yönlendirmiş oluyoruz.

node2)

#ip route add 10.1.1.0/24 dev tonode1

Şimdi node2 üzerinden 10.1.1.1 adresine ping attığınızda cevap almanız gerekiyor. Alamıyorsanız bir yerde bir hata yapmış olmalı yada aradaki bağlantılarda bir sorun olması gerek.

vncserver configuration in redhat

admin — Tue, 19 Jan 2010 22:51:36 +0000

VNC server configuration is pretty straight forward in redhat. Here are the steps that you should complete in order to run a functional VNC server in a few minutes.

Our test user is : mert

1) Adjust /etc/sysconfig/vncservers config file as below:

VNCSERVERS=”2:mert”

2) Login to mert account and set vncpassword

[root@rh54-3 sysconfig]# su – mert
[mert@rh54-3 ~]$ vncpasswd
Password:
Verify:
[mert@rh54-3 ~]$

3) Start vnc service and add it into the startup.

[root@rh54-3 sysconfig]# /etc/init.d/vncserver start
Starting VNC server: 2:mert xauth: creating new authority file /home/mert/.Xauthority

New ‘rh54-3.penguen.com:2 (mert)’ desktop is rh54-3.penguen.com:2

Creating default startup script /home/mert/.vnc/xstartup
Starting applications specified in /home/mert/.vnc/xstartup
Log file is /home/mert/.vnc/rh54-3.penguen.com:2.log

[ OK ]

[root@rh54-3 .vnc]# chkconfig vncserver on

However if you connect via VNC client now, you won’t see default GNOME but twm instead.

Open the file /home/mert/.vnc/xstartup and uncomment the following lines (remove the hash in front)

#unset SESSION_MANAGER
#exec /etc/X11/xinit/xinitrc

Restart VNC server to have the new changes affected.

[root@rh54-3 .vnc]# /etc/init.d/vncserver restart
Shutting down VNC server: 2:mert [ OK ]
Starting VNC server: 2:mert
New ‘rh54-3.penguen.com:2 (mert)’ desktop is rh54-3.penguen.com:2

Starting applications specified in /home/mert/.vnc/xstartup
Log file is /home/mert/.vnc/rh54-3.penguen.com:2.log

[ OK ]

4) Below is a step by step login into VNC server from my windows OS

a) connection screen

b) Password screen

c) GNOME screen

Interface bonding

admin — Tue, 19 Jan 2010 20:40:37 +0000

As network cards or links may fail, we may solve this problem by creating multiple links to our network devices. One way is interface bonding which we will configure one in our example. I assume that your linux have three interfaces eth0,eth1 and eth2. We will use two of the interfaces;

Slave Interfaces : eth1 and eth2
Bonding interface: bond0

1) First add the followings into /etc/modprobe.conf file to provide module paramaters:

alias bond0 bonding
options bond0 mode=active-backup miimon=100

With this configuration, we use active backup mode. By that, if the primary interface goes down for some reason, bonding system will fail over into the other interface. If you want to use round robin load balancing which will enable to use both interfaces actively use “balanced_rr” instead of “active-backup”

2) Configure slave and bonding interfaces.

/etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:47:49:8d
MASTER=bond0
SLAVE=yes

/etc/sysconfig/network-scripts/ifcfg-eth2

DEVICE=eth2
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:47:49:97
MASTER=bond0
SLAVE=yes

/etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.0.0.230
NETMASK=255.255.255.0
BROADCAST=10.0.0.255

3) Now bring up the bonding interface and look at “ip addr” output

#ifup bond0

#ip addr

3: eth1: mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
link/ether 00:0c:29:47:49:8d brd ff:ff:ff:ff:ff:ff
4: eth2: mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
link/ether 00:0c:29:47:49:8d brd ff:ff:ff:ff:ff:ff
inet 10.0.10.129/24 brd 10.0.10.255 scope global eth3
9: bond0: mtu 1500 qdisc noqueue
link/ether 00:0c:29:47:49:8d brd ff:ff:ff:ff:ff:ff
inet 10.0.0.230/24 brd 10.0.0.255 scope global bond0

You might have noticed that both eth1 and eth2 use the same MAC address which actually what we expect and how it works.

In order to see the bonding status and current active slave interface, issue the following;

[root@rh54]# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.4.0 (October 7, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
Permanent HW addr: 00:0c:29:47:49:8d

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:47:49:97

Here you can see the real mac addresseses of the interfaces.

4) Fail over test

You can actually test how fail over works. In my vmware test system, I have disconnected eth1 and active slave (eth1) failed over into eth2 at around 3 secs. (I was pinging at the same time) It switches over quite fast but what I have realized is, system keeps the previous mac address even though the interface having that MAC failed. For example in my setup (according to the previous bond0 output), eth1 is failed and eth2 is active slave however other nodes in the network know my 10.0.0.230 IP of having 00:0c:29:47:49:8d MAC. It is quite reasonable indeed. We don’t have to change mac and send unnecessary gratitous arp requests. Once one of your interfaces goes down in your bonding you will see a similar output in your dmesg.

eth1: link down
bonding: bond0: link status definitely down for interface eth1, disabling it
bonding: bond0: making interface eth2 the new active one.

That is all for this article, please drop your comments if you have anything to add or questions.

You can find quite a lot of information about bonding at the following address. I recommend you to read it

http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding

Permanent routes in Redhat

admin — Fri, 08 Jan 2010 11:31:31 +0000

I was trying to find out how I can add a permanent route into Redhat so that after the reboot routes should persist. I have found the way but I must say that I really didn’t like it:( I liked the way Gentoo does it or Slackware but Redhat’s way seems to be too simplistic but it causes more work. Here is how it works;

It is sufficient to add your routes into the file /etc/sysconfig/network-scripts/route-ethX. Replace X with your interface number. For example;

In /etc/sysconfig/network-scripts/route-eth0, I have added the following routes to make them permanent.

ADDRESS0=10.0.0.222
NETMASK0=255.255.255.255
GATEWAY0=192.168.200.81

ADDRESS1=10.0.0.223
NETMASK1=255.255.255.255
GATEWAY1=192.168.200.79

Each time you need another route, you must just increment each variable by one, then route will stay in routing table after the reboot.

You may be asking why we don’t/can’t add the route into rc.local or somewhere else. IMHO, it is best practice to use the tools provided by the distribution so that if another engineer needs to take a look into the system, he will know for sure where to look.