Work in Progress
  blather and noise until it's suitable for posting elsewhere
These are work in progress HOWTO projects. Beware, nothing below is certified to be correct in any way.
iptables, using multiple MAC addresses
The iptables, ifconfig, and network configuration below are from a reference Linux server.
# iptables-save
  *filter
  :INPUT ACCEPT
  :FORWARD ACCEPT
  :OUTPUT ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
  -A INPUT -p icmp -j ACCEPT 
  -A INPUT -i lo -j ACCEPT 
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
  -A INPUT -j REJECT --reject-with icmp-host-prohibited 
  -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
  -A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
  -A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT 
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
  COMMIT
  *nat
  :PREROUTING ACCEPT
  :POSTROUTING ACCEPT
  :OUTPUT ACCEPT
  -A PREROUTING -d 108.209.107.237/32 -i eth1 -j DNAT --to-destination 10.10.10.89 
  -A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.237 
  COMMIT
# ifconfig
  eth0    Link encap:Ethernet  HWaddr 00:0C:29:AC:DC:6C  
          inet addr:10.10.10.87  Bcast:10.10.10.255  Mask:255.255.255.0
  eth1    Link encap:Ethernet  HWaddr 00:0C:29:AC:DC:76  
          inet addr:108.209.107.237  Bcast:108.209.107.239  Mask:255.255.255.248
  lo      Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
# cat network
  NETWORKING=yes
  HOSTNAME=c6x2ip87.local.zaptech.org
  GATEWAY=108.209.107.238
  NETWORKING_IPV6=no
  IPV6INIT=no
Okay, so here is what is now active on Linux firewall 108.209.107.235 -> 10.10.10.81.
# iptables-save
  [ not actually save, just dumps current iptables directives to stdout ]
  *nat
  :PREROUTING ACCEPT [161:13175]
  :POSTROUTING ACCEPT [6:368]
  :OUTPUT ACCEPT [1:108]
  -A PREROUTING -d 108.209.107.235/32 -i eth1 -j DNAT --to-destination 10.10.10.89
  -A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.235
  COMMIT
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [422:49938]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  COMMIT
Also disable IPv6; you don't want your firewall accepting anything except IPv4 with the config above. Requires a reboot just to be sure.
# cat /etc/modprobe.d/disable_ipv6.conf
  options ipv6 disable=1
More fun: VMware and CentOS screw up paravirtual network driver performance; some ethtool directives can address this.
# cat notes.txt 
  http://wiki.centos.org/TipsAndTricks/IPForwarding
  /etc/sysctl.conf: net.ipv4.ip_forward = 1
  [ is this realtime, or requires reboot? ]
# ethtool -K eth0 gso off
# ethtool -k eth0
  Offload parameters for eth0:
  rx-checksumming: on
  tx-checksumming: on
  scatter-gather: on
  tcp-segmentation-offload: on
  udp-fragmentation-offload: off
  generic-segmentation-offload: on
  generic-receive-offload: off
  large-receive-offload: off
# ethtool -k eth1
  Offload parameters for eth1:
  rx-checksumming: on
  tx-checksumming: on
  scatter-gather: on
  tcp-segmentation-offload: on
  udp-fragmentation-offload: off
  generic-segmentation-offload: on
  generic-receive-offload: off
  large-receive-offload: off
Now for the internal server
# ifconfig
  eth0    Link encap:Ethernet  HWaddr 00:0C:29:9E:D6:DC  
          inet addr:10.10.10.89  Bcast:10.10.10.255  Mask:255.255.255.0
  lo      Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
# ethtool -k eth0
  Offload parameters for eth0:
  rx-checksumming: on
  tx-checksumming: on
  scatter-gather: on
  tcp-segmentation-offload: on
  udp-fragmentation-offload: off
  generic-segmentation-offload: on
  generic-receive-offload: off
  large-receive-offload: on
NFTables?
OS X, https
# apachectl stop                      
  launchctl: Error unloading: org.apache.httpd
  [ this means apachectl had not launched httpd quietly in the background,
    perhaps because the certificate's key was given a passphrase ]
# httpd         
  httpd: Could not reliably determine the server's fully qualified domain name,
  using mini.local.zaptech.org for ServerName
  (48)Address already in use: make_sock: could not bind to address [::]:80
  (48)Address already in use: make_sock: could not bind to address [::]:443
  Apache/2.2.22 mod_ssl/2.2.22 (Pass Phrase Dialog)
  Some of your private key files are encrypted for security reasons.
  In order to read them you have to provide the pass phrases.
  Server www.example.com:443 (RSA)
  Enter pass phrase:
  OK: Pass Phrase Dialog successful.
# ps ax | grep http
  88767  ??  Ss    0:00.25 httpd
  88768  ??  S     0:00.02 httpd
  88769  ??  S     0:00.02 httpd
  88770  ??  S     0:00.02 httpd
# kill 88767       
# ps ax | grep http
# pwd
  /var/root/ssl/apache2
# ssh-keygen -f server.key     
  Generating public/private rsa key pair.
  Enter passphrase (empty for no passphrase): 
  Enter same passphrase again: 
  Your identification has been saved in server.key.
  Your public key has been saved in server.key.pub.
  The key fingerprint is:
  58:a3:c7:38:7c:d9:d9:51:99:59:f0:10:31:62:c7:e7 root@mini.local.zaptech.org
  The key's randomart image is:
  +--[ RSA 2048]----+
  |            o.OO.|
  |           . +=+.|
  |        o   .  o.|
  |     . * + o .  E|
  |      * S o .    |
  |       +         |
  |                 |
  |                 |
  |                 |
  +-----------------+
# ls -lh
  -rw-------  1 root  wheel   1.6K Apr  7 00:42 server.key
  -rw-r--r--  1 root  wheel   409B Apr  7 00:42 server.key.pub
# openssl req -new -key server.key -out request.csr   
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:CA
  Locality Name (eg, city) []:Cupertino
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:zap technologies
  Organizational Unit Name (eg, section) []:
  Common Name (eg, YOUR name) []:Rick Armstrong
  Email Address []:info@zaptech.com
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
# ls -lt
  -rw-r--r--  1 root  wheel  1041 Apr  7 00:44 request.csr
  -rw-------  1 root  wheel  1675 Apr  7 00:42 server.key
  -rw-r--r--  1 root  wheel   409 Apr  7 00:42 server.key.pub
# openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt               
  Signature ok
  subject=/C=US/ST=CA/L=Cupertino/O=zap technologies/CN=Rick Armstrong/emailAddress=info@zaptech.com
  Getting Private key
# ls -lh
  -rw-r--r--  1 root  wheel   1.0K Apr  7 00:44 request.csr
  -rw-r--r--  1 root  wheel   1.2K Apr  7 00:44 server.crt
  -rw-------  1 root  wheel   1.6K Apr  7 00:42 server.key
  -rw-r--r--  1 root  wheel   409B Apr  7 00:42 server.key.pub
# cd /etc/apache2
  [ in the past /etc/apache2/ssl was used ]
# cp ~/ssl/apache2/server.crt .
# cp ~/ssl/apache2/server.key .
# ls -lh
  -rw-r--r--  1 root  wheel   1.2K Apr  7 00:46 server.crt
  -rw-------  1 root  wheel   1.6K Apr  7 00:46 server.key
# httpd
  httpd: Could not reliably determine the server's fully qualified domain name,
  using mini.local.zaptech.org for ServerName
# ps ax | grep -i http         
  88828  ??  Rs    0:00.39 httpd
  88829  ??  S     0:00.01 httpd
# kill 88828
# ps ax | grep -i http
# rcsdiff /etc/apache2/httpd.conf
  161a162
  > ServerName mini.local.zaptech.org
  469c470
  < #Include /private/etc/apache2/extra/httpd-vhosts.conf
  ---
  > Include /private/etc/apache2/extra/httpd-vhosts.conf
  481c482
  < #Include /private/etc/apache2/extra/httpd-ssl.conf
  ---
  > Include /private/etc/apache2/extra/httpd-ssl.conf
# apachectl start     
# ps ax | grep -i http
  88865  ??  Ss    0:01.37 /usr/sbin/httpd -D FOREGROUND
  88866  ??  S     0:00.00 /usr/sbin/httpd -D FOREGROUND
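An added example, not the notes' own commands: the same key-plus-self-signed-cert procedure done with openssl alone, then checked before it is copied into /etc/apache2. The CSR above puts a person's name in CN; browsers match the server hostname against subjectAltName (CN only as a legacy fallback), so a cert with CN=Rick Armstrong will never match mini.local.zaptech.org, and this version puts the hostname in both. Assumes openssl 1.1.1 or newer (for -addext and -ext) and a scratch DIR; hostname and subject fields are taken from the notes.

```shell
# Added example, not the notes' own commands: key + self-signed cert for Apache
# with openssl alone, hostname in CN and subjectAltName, verified before use.
# Assumes openssl >= 1.1.1 (-addext, -ext) and a scratch DIR (mktemp by default).
HOST=mini.local.zaptech.org
DIR=${DIR:-$(mktemp -d)}

make_cert() {
    umask 077   # server.key is created 0600; no chmod race, no world-readable window
    # -nodes leaves the key unencrypted so httpd starts without the Pass Phrase
    # Dialog seen above; protect it with file permissions and a root-only dir instead.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$DIR/server.key" -out "$DIR/server.crt" \
        -subj "/C=US/ST=CA/L=Cupertino/O=zap technologies/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# verify_pair: the cert must belong to the key, name the host a browser will
# check, and the key must not be readable by other users. Returns 0 when all hold.
verify_pair() {
    c=$(openssl x509 -in "$DIR/server.crt" -noout -pubkey)
    k=$(openssl pkey -in "$DIR/server.key" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] || { echo "key/cert mismatch"; return 1; }
    openssl x509 -in "$DIR/server.crt" -noout -ext subjectAltName | grep -q "DNS:$HOST" \
        || { echo "no SAN for $HOST"; return 1; }
    # GNU stat first, BSD/OS X stat as the fallback
    mode=$(stat -c %a "$DIR/server.key" 2>/dev/null || stat -f %Lp "$DIR/server.key")
    [ "$mode" = 600 ] || { echo "server.key mode is $mode, want 600"; return 1; }
}
```

Only after `make_cert && verify_pair` succeeds do the `cp` into /etc/apache2 and `apachectl start` from the notes.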