iptables and more on Linux

GRE tünel nasıl oluşturulur

admin — Mon, 14 Jun 2010 16:35:44 +0000

Bu yazıda bir örnekle Linux altında nasıl GRE tünel oluşturacağımızı anlatmaya çalışacağım.

Birbirine Internet üzerinden erişebilen iki Linux cihaz düşünelim. (IP adresleri yine de Internet üzerinde kullanılmayan bloktan verilmiştir)

IP TANIMLARI

node1 (eth0 internet, eth1 iç ağa bakan kısım olsun)
eth0 : 192.168.200.150/24
eth1: 10.1.1.1/24
tunel arayuzu (tonode2): 172.16.151.1/30

node2 (eth0 internet, eth1 iç ağa bakan kısım olsun)
eth0: 10.10.10.150/24
eth1: 10.2.1.1/24
tunnel arayuzu (tonode1): 172.16.151.2/30

node1 ve node2 cihazlarının birbirlerine eth0 arayüzleri üzerinde Interneti kullanarak erişebildiğini düşünelim. Sırasıyla cihazları yapılandıralım.

TUNEL YAPILANDIRMASI

node1)

#modprobe ip_gre
#ip tunnel add tonode2 mode gre remote 10.10.10.150 local 192.168.200.150
#ip link set tonode2 up
#ip addr add 172.16.151.1/30 dev tonode2

node2)

#modprobe ip_gre
#ip tunnel add tonode1 mode gre remote 192.168.200.150 local 10.10.10.150
#ip link set tonode1 up
#ip addr add 172.16.151.1/30 dev tonode1

node1 üzerinde yaptıklarımızı anlatırsak:

ip_gre modülünü yükledik
tonode2 adında bir tünel arayüzü yaratıp uç noktaları (yerel ve uzaktaki adresler) belirledik
Tünel arayüzü ayağa kaldırdık
Tünelimize bir IP addresi verdik.

Fakat henüz iç ağımıza giden trafiği tünele yönlendirmedik. Bunun için :

node1)

#ip route add 10.2.1.0/24 dev tonode2

Bu komutla 10.2.1.0/24 ağını tünelin diğer tarafına yönlendirmiş oluyoruz.

node2)

#ip route add 10.1.1.0/24 dev tonode1

Şimdi node2 üzerinden 10.1.1.1 adresine ping attığınızda cevap almanız gerekiyor. Alamıyorsanız bir yerde bir hata yapmış olmalı yada aradaki bağlantılarda bir sorun olması gerek.

SSH timeout

admin — Tue, 04 May 2010 11:03:45 +0000

If you have a problem of frequent disconnection from your SSH server, you can enable the following setting in your sshd_config file and restart SSHD.

ClientAliveInterval 60

The exact description of what this does is

ClientAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the client, sshd will send a message through
the encrypted channel to request a response from the client.
The default is 0, indicating that these messages will not be
sent to the client. This option applies to protocol version 2
only.

SPBCHSW81

SPBCHSW82

SPBCHSW91

SPBCHSW92

vncserver configuration in redhat

admin — Tue, 19 Jan 2010 22:51:36 +0000

VNC server configuration is pretty straight forward in redhat. Here are the steps that you should complete in order to run a functional VNC server in a few minutes.

Our test user is : mert

1) Adjust /etc/sysconfig/vncservers config file as below:

VNCSERVERS=”2:mert”

2) Login to mert account and set vncpassword

[root@rh54-3 sysconfig]# su – mert
[mert@rh54-3 ~]$ vncpasswd
Password:
Verify:
[mert@rh54-3 ~]$

3) Start vnc service and add it into the startup.

[root@rh54-3 sysconfig]# /etc/init.d/vncserver start
Starting VNC server: 2:mert xauth: creating new authority file /home/mert/.Xauthority

New ‘rh54-3.penguen.com:2 (mert)’ desktop is rh54-3.penguen.com:2

Creating default startup script /home/mert/.vnc/xstartup
Starting applications specified in /home/mert/.vnc/xstartup
Log file is /home/mert/.vnc/rh54-3.penguen.com:2.log

[ OK ]

[root@rh54-3 .vnc]# chkconfig vncserver on

However if you connect via VNC client now, you won’t see default GNOME but twm instead.

Open the file /home/mert/.vnc/xstartup and uncomment the following lines (remove the hash in front)

#unset SESSION_MANAGER
#exec /etc/X11/xinit/xinitrc

Restart VNC server to have the new changes affected.

[root@rh54-3 .vnc]# /etc/init.d/vncserver restart
Shutting down VNC server: 2:mert [ OK ]
Starting VNC server: 2:mert
New ‘rh54-3.penguen.com:2 (mert)’ desktop is rh54-3.penguen.com:2

Starting applications specified in /home/mert/.vnc/xstartup
Log file is /home/mert/.vnc/rh54-3.penguen.com:2.log

[ OK ]

4) Below is a step by step login into VNC server from my windows OS

a) connection screen

b) Password screen

c) GNOME screen

Screen command

admin — Tue, 19 Jan 2010 21:53:09 +0000

I hadn’t used screen much in the past but I see that it is a very handy tool. I just would like to add some tips about screen command.

Ctrl-a c : creates a new screen shell
Ctrl-a TAB: switches focues between upper and lower split terminal
Ctrl-a “ : Display a list of managed windows. (This is the most I like:)

It is very useful to use the option “-t” in screen as it allows you to mark your instances. If you run a new screen sheel with the command;

screen -t /var/log/local6 1 tail -f /var/log/local6

Then when you run Ctrl-a “ to list the windows, you will recognize your tailing window with the title “/var/log/local6″

This is a very short article about screen. I hope on the way I use this tool, I may improve this it.

Interface bonding

admin — Tue, 19 Jan 2010 20:40:37 +0000

As network cards or links may fail, we may solve this problem by creating multiple links to our network devices. One way is interface bonding which we will configure one in our example. I assume that your linux have three interfaces eth0,eth1 and eth2. We will use two of the interfaces;

Slave Interfaces : eth1 and eth2
Bonding interface: bond0

1) First add the followings into /etc/modprobe.conf file to provide module paramaters:

alias bond0 bonding
options bond0 mode=active-backup miimon=100

With this configuration, we use active backup mode. By that, if the primary interface goes down for some reason, bonding system will fail over into the other interface. If you want to use round robin load balancing which will enable to use both interfaces actively use “balanced_rr” instead of “active-backup”

2) Configure slave and bonding interfaces.

/etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:47:49:8d
MASTER=bond0
SLAVE=yes

/etc/sysconfig/network-scripts/ifcfg-eth2

DEVICE=eth2
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:47:49:97
MASTER=bond0
SLAVE=yes

/etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.0.0.230
NETMASK=255.255.255.0
BROADCAST=10.0.0.255

3) Now bring up the bonding interface and look at “ip addr” output

#ifup bond0

#ip addr

3: eth1: mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
link/ether 00:0c:29:47:49:8d brd ff:ff:ff:ff:ff:ff
4: eth2: mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
link/ether 00:0c:29:47:49:8d brd ff:ff:ff:ff:ff:ff
inet 10.0.10.129/24 brd 10.0.10.255 scope global eth3
9: bond0: mtu 1500 qdisc noqueue
link/ether 00:0c:29:47:49:8d brd ff:ff:ff:ff:ff:ff
inet 10.0.0.230/24 brd 10.0.0.255 scope global bond0

You might have noticed that both eth1 and eth2 use the same MAC address which actually what we expect and how it works.

In order to see the bonding status and current active slave interface, issue the following;

[root@rh54]# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.4.0 (October 7, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
Permanent HW addr: 00:0c:29:47:49:8d

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:47:49:97

Here you can see the real mac addresseses of the interfaces.

4) Fail over test

You can actually test how fail over works. In my vmware test system, I have disconnected eth1 and active slave (eth1) failed over into eth2 at around 3 secs. (I was pinging at the same time) It switches over quite fast but what I have realized is, system keeps the previous mac address even though the interface having that MAC failed. For example in my setup (according to the previous bond0 output), eth1 is failed and eth2 is active slave however other nodes in the network know my 10.0.0.230 IP of having 00:0c:29:47:49:8d MAC. It is quite reasonable indeed. We don’t have to change mac and send unnecessary gratitous arp requests. Once one of your interfaces goes down in your bonding you will see a similar output in your dmesg.

eth1: link down
bonding: bond0: link status definitely down for interface eth1, disabling it
bonding: bond0: making interface eth2 the new active one.

That is all for this article, please drop your comments if you have anything to add or questions.

You can find quite a lot of information about bonding at the following address. I recommend you to read it

http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding

sysconfig.txt

admin — Sat, 09 Jan 2010 16:31:05 +0000

You can find quite a lot of files in /etc/sysconfig however in configuring them you may have trouble but there is a file that you can use to understand what attributes you can use for each file. It is sysconfig.txt. In my current Redhat 5.4 system the file is at the following location as it comes with the package initscripts.

/usr/share/doc/initscripts-8.45.30/sysconfig.txt

For example if you want to set ethernet options into your ifcfg-eth0 file below is the quote from this file;

ETHTOOL_OPTS=…
Any device-specific options supported by ethtool. For example,
if you wanted to force 100Mb full duplex:
ETHTOOL_OPTS=”speed 100 duplex full autoneg off”
Note that changing speed or duplex settings almost always
requires disabling autonegotiation with ‘autoneg off’.

Installing RPM file into a different root

admin — Sat, 09 Jan 2010 14:59:03 +0000

One day you may have to install an RPM file into a different root folder. For example under rescue mode though you can chroot as an option. Here is the handy option for you to do it.

#rpm -ivh zip-2.31-2.el5.i386.rpm –root /mnt/sysimage

MBR recovery and grub reinstall

admin — Sat, 09 Jan 2010 14:10:24 +0000

In the event that partition table is corrupted or boot loader has gone, here are some steps that you can take in order to boot the system as normal.

I hope that you have taken the backup of partition table previously with the command;

#sfdisk -d /dev/sda > /root/sda_partition_table.out

Or if you also want to backup the whole MBR to a file do this;

#dd if=/dev/sda of=/tmp/mbr_sda.out bs=512 count=1

From now on, I assume that you have booted the system in rescue mode with networking support.

1) The first thing is to paste this partition table back into its original space. Presumably, you have copied the partition table from network and put it under /tmp/sda_partition_table.out

#sfdisk /dev/sda < /tmp/sda_partition_table.out

This will fix your partition table. Now time to fix MBR

2) As the MBR has gone, we have to write MBR again. Do the followings;

#grub

grub> root (hd0,0)
grub>setup (hd0)
grub>quit

The root (hd0,0) command assumes that your boot partition is in /dev/sda1

After these commands, you should be able to boot your system as before.

How to use LVM in rescue mode

admin — Sat, 09 Jan 2010 13:55:30 +0000

One day it may happen to you that either MBR is corrupted or partition table has gone then you will need rescue mode. However there is one problem, what if you use LVM in your system. Because redhat does everything for us we don’t actually know what it does for initialization unless you have looked inside the init scripts.

In my rescue environment when I issue “lvm vgdisplay” , I was able to display the configuration but there was no device files under /dev. To overcome this problem do the followings:

#lvm vgscan
#lvm vgchange -ay

The first command “vgscan” scans all disks for volume groups and the second one “vgchange” makes the logical volumes known to the kernel. To deactivate you should but “n” instead of “y” on the command line.

Now you can access logical volumes.

SELinux tools

admin — Fri, 08 Jan 2010 18:34:05 +0000

As SELinux is a bit of complicated compared to the tools that we use currently, I have thought it is good to have some tips here.

1) seinfo: This is the selinux query tool to see statistics about your policy.

[root@rh54-3 ~]# seinfo

Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS)

Classes:            61    Permissions:       220
Types:            1710    Attributes:        161
Users:               3    Roles:               6
Booleans:          242    Cond. Expr.:       222
Sensitivities:       1    Categories:       1024
Allow:          116810    Neverallow:          0
Auditallow:         41    Dontaudit:        6778
Role allow:          5    Role trans:          0
Type_trans:       1886    Type_change:         0
Type_member:         0    Range_trans:       317
Constraints:        47    Validatetrans:       0
Fs_use:             18    Genfscon:           74
Portcon:           323    Netifcon:

2) sesearch: This is a very handy tool. When I started using SELinux, I was thinking that processes with a specific type are only allowed to make operations of the same type:) how stupid I am. Then I have seen by experience that policy can defines it and to see what a source can do, we can use sesearch. For example to search for httpd_t type source in order to see in which types it is associated with issue the following;

[root@rh54-3 ~]# sesearch -s httpd_t -c file –allow
Found 103 av rules:
allow httpd_t etc_runtime_t : file { ioctl read getattr lock };
allow httpd_t httpd_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t httpd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
allow httpd_t public_content_rw_t : file { ioctl read getattr lock };
allow httpd_t httpd_bugzilla_htaccess_t : file { ioctl read getattr lock };
allow httpd_t mailman_data_t : file { ioctl read getattr lock };
allow httpd_t httpd_cvs_htaccess_t : file { ioctl read getattr lock };
allow httpd_t httpd_sys_htaccess_t : file { ioctl read getattr lock };
allow httpd_t squirrelmail_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t httpd_prewikka_htaccess_t : file { ioctl read getattr lock };
allow httpd_t locale_t : file { ioctl read getattr lock };
allow httpd_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t etc_t : file { ioctl read getattr lock };
allow httpd_t fonts_t : file { ioctl read getattr lock };
allow httpd_t ld_so_t : file { ioctl read getattr lock execute };
allow httpd_t proc_t : file { ioctl read getattr lock };
allow httpd_t sysfs_t : file { ioctl read getattr lock };
allow httpd_t krb5_keytab_t : file { ioctl read getattr lock };
allow httpd_t httpd_config_t : file { ioctl read getattr lock };
allow httpd_t udev_tbl_t : file { ioctl read getattr lock };
allow httpd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t shell_exec_t : file { ioctl read getattr lock execute execute_no_trans };
allow httpd_t cvs_data_t : file { ioctl read getattr lock };
allow httpd_t httpd_helper_exec_t : file { read getattr execute };
allow httpd_t ld_so_cache_t : file { ioctl read getattr lock };
allow httpd_t httpd_squirrelmail_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t httpd_php_exec_t : file { read getattr execute };
allow httpd_t httpd_nagios_htaccess_t : file { ioctl read getattr lock };
allow httpd_t net_conf_t : file { ioctl read getattr lock };
…

…

3) Restorecon

This is a very useful utility that allows you to restore types configured statically in the system. The only thing you should do is

#restorecon -R -v /data

However if your type is in /etc/selinux/targeted/contexts/customizable_types file then you have to add “-F” flag into the command, if you don’t nothing happens:) As I have quoted text from Dan Walsh’s blog (RH engineer) , restorecon ignores these types and -F must be added.

customizable_types
- These are a list of file types that restorecon will ignore. So if you want to relabel your entire system using restorecon, and a file is labeled with a context in this file, the context will not be changed. This can be overridden with the -F flag. This allows you to specify special directories on your system as being readable by apache. So if you chcon -R -t httpd_sys_content_t /var/myhtml, a relabel will not change this directory tree back to var_t.

Selinux User Guide: http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/index.html