These are work in progress HOWTO projects. Beware, nothing below is certified to be correct in any way.
iptables, using multiple MAC addresses
This iptables, ifconfig, and network from a reference Linux server
# iptables-save *filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT *nat :PREROUTING ACCEPT :POSTROUTING ACCEPT :OUTPUT ACCEPT -A PREROUTING -d 108.209.107.237/32 -i eth1 -j DNAT --to-destination 10.10.10.89 -A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.237 COMMIT # ifconfig eth0 Link encap:Ethernet HWaddr 00:0C:29:AC:DC:6C inet addr:10.10.10.87 Bcast:10.10.10.255 Mask:255.255.255.0 eth1 Link encap:Ethernet HWaddr 00:0C:29:AC:DC:76 inet addr:108.209.107.237 Bcast:108.209.107.239 Mask:255.255.255.248 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 # cat network NETWORKING=yes HOSTNAME=c6x2ip87.local.zaptech.org GATEWAY=108.209.107.238 NETWORKING_IPV6=no IPV6INIT=no
Okay, so here is what is now active on Linux firewall 108.209.107.235 -> 10.10.10.81.
# iptables-save [ not actually save, just dumps current iptables directives to stdout ] *nat :PREROUTING ACCEPT [161:13175] :POSTROUTING ACCEPT [6:368] :OUTPUT ACCEPT [1:108] -A PREROUTING -d 108.209.107.235/32 -i eth1 -j DNAT --to-destination 10.10.10.89 -A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.235 COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [422:49938] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
Also disable IPv6, you don't want your firewall accepting anything except IPv4 with the config above. Requires reboot just to be sure.
# cat /etc/modprobe.d/disable_ipv6.conf options ipv6 disable = 1
More fun, VMware and CentOS screw up paravirtual network driver performance, some directives can address this.
# iptables-save # cat notes.txt http://wiki.centos.org/TipsAndTricks/IPForwarding /etc/sysctl.conf/net.ipv4.ip_forward = 1 [ is this realtime, or requires reboot? ] # ethtool -K eth0 gso off # ethtool -k eth0 Offload parameters for eth0: rx-checksumming: on tx-checksumming: on scatter-gather: on tcp-segmentation-offload: on udp-fragmentation-offload: off generic-segmentation-offload: on generic-receive-offload: off large-receive-offload: off # ethtool -k eth1 Offload parameters for eth1: rx-checksumming: on tx-checksumming: on scatter-gather: on tcp-segmentation-offload: on udp-fragmentation-offload: off generic-segmentation-offload: on generic-receive-offload: off large-receive-offload: off Now for the internal sever # ifconfig eth0 Link encap:Ethernet HWaddr 00:0C:29:9E:D6:DC inet addr:10.10.10.89 Bcast:10.10.10.255 Mask:255.255.255.0 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 # ethtool -k eth0 Offload parameters for eth0: rx-checksumming: on tx-checksumming: on scatter-gather: on tcp-segmentation-offload: on udp-fragmentation-offload: off generic-segmentation-offload: on generic-receive-offload: off large-receive-offload: on NFTables?
OS X, https
# apachectl stop launchctl: Error unloading: org.apache.httpd [ this means apachectl did not quietly launch https, perhaps if certificate was given a passphrase ] # httpd httpd: Could not reliably determine the server's fully qualified domain name, using mini.local.zaptech.org for ServerName (48)Address already in use: make_sock: could not bind to address [::]:80 (48)Address already in use: make_sock: could not bind to address [::]:443 Apache/2.2.22 mod_ssl/2.2.22 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide the pass phrases. Server www.example.com:443 (RSA) Enter pass phrase: OK: Pass Phrase Dialog successful. # ps ax | grep http 88767 ?? Ss 0:00.25 httpd 88768 ?? S 0:00.02 httpd 88769 ?? S 0:00.02 httpd 88770 ?? S 0:00.02 httpd # kill 88767 # ps ax | grep http # pwd /var/root/ssl/apache2 # ssh-keygen -f server.key Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in server.key. Your public key has been saved in server.key.pub. The key fingerprint is: 58:a3:c7:38:7c:d9:d9:51:99:59:f0:10:31:62:c7:e7 root@mini.local.zaptech.org The key's randomart image is: +--[ RSA 2048]----+ | o.OO.| | . +=+.| | o . o.| | . * + o . E| | * S o . | | + | | | | | | | +-----------------+ # ls -lh -rw------- 1 root wheel 1.6K Apr 7 00:42 server.key -rw-r--r-- 1 root wheel 409B Apr 7 00:42 server.key.pub # openssl req -new -key server.key -out request.csr Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []:Cupertino Organization Name (eg, company) [Internet Widgits Pty Ltd]:zap technologies Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:Rick Armstrong Email Address []:info@zaptech.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: # ls -lt -rw-r--r-- 1 root wheel 1041 Apr 7 00:44 request.csr -rw------- 1 root wheel 1675 Apr 7 00:42 server.key -rw-r--r-- 1 root wheel 409 Apr 7 00:42 server.key.pub # openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt Signature ok subject=/C=US/ST=CA/L=Cupertino/O=zap technologies/CN=Rick Armstrong/emailAddress=info@zaptech.com Getting Private key # ls -lh -rw-r--r-- 1 root wheel 1.0K Apr 7 00:44 request.csr -rw-r--r-- 1 root wheel 1.2K Apr 7 00:44 server.crt -rw------- 1 root wheel 1.6K Apr 7 00:42 server.key -rw-r--r-- 1 root wheel 409B Apr 7 00:42 server.key.pub # cd /etc/apache2 [ in the past /etc/apache2/ssl was used ] # cp ~/ssl/apache2/server.crt . # cp ~/ssl/apache2/server.key . # ls -lh -rw-r--r-- 1 root wheel 1.2K Apr 7 00:46 server.crt -rw------- 1 root wheel 1.6K Apr 7 00:46 server.key # httpd httpd: Could not reliably determine the server's fully qualified domain name, using mini.local.zaptech.org for ServerName # ps ax | grep -i http 88828 ?? Rs 0:00.39 httpd 88829 ?? S 0:00.01 httpd # kill 88828 # ps ax | grep -i http # rcsdiff /etc/apache2/httpd.conf 161a162 > ServerName mini.local.zaptech.org 469c470 < #Include /private/etc/apache2/extra/httpd-vhosts.conf --- > Include /private/etc/apache2/extra/httpd-vhosts.conf 481c482 < #Include /private/etc/apache2/extra/httpd-ssl.conf --- > Include /private/etc/apache2/extra/httpd-ssl.conf # apachectl start # ps ax | grep -i http 88865 ?? Ss 0:01.37 /usr/sbin/httpd -D FOREGROUND 88866 ?? S 0:00.00 /usr/sbin/httpd -D FOREGROUND