HOWTOlabs Work in Progress
blather and noise until its suitable for posting posting elsewhere

These are work in progress HOWTO projects.  Beware, nothing below is certified to be correct in any way.

iptables, using multiple MAC addresses

Elsewhere [ edit ]

This iptables, ifconfig, and network from a reference Linux server

# iptables-save

  *filter
  :INPUT ACCEPT
  :FORWARD ACCEPT
  :OUTPUT ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
  -A INPUT -p icmp -j ACCEPT 
  -A INPUT -i lo -j ACCEPT 
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
  -A INPUT -j REJECT --reject-with icmp-host-prohibited 
  -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
  -A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
  -A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT 
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
  COMMIT
  *nat
  :PREROUTING ACCEPT
  :POSTROUTING ACCEPT
  :OUTPUT ACCEPT
  -A PREROUTING -d 108.209.107.237/32 -i eth1 -j DNAT --to-destination 10.10.10.89 
  -A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.237 
  COMMIT

# ifconfig

  eth0    Link encap:Ethernet  HWaddr 00:0C:29:AC:DC:6C  
          inet addr:10.10.10.87  Bcast:10.10.10.255  Mask:255.255.255.0

  eth1    Link encap:Ethernet  HWaddr 00:0C:29:AC:DC:76  
          inet addr:108.209.107.237  Bcast:108.209.107.239  Mask:255.255.255.248

  lo      Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0

# cat network

  NETWORKING=yes
  HOSTNAME=c6x2ip87.local.zaptech.org
  GATEWAY=108.209.107.238
  NETWORKING_IPV6=no
  IPV6INIT=no 

Okay, so here is what is now active on Linux firewall 108.209.107.235 -> 10.10.10.81.

# iptables-save

  [ not actually save, just dumps current iptables directives to stdout ]

  *nat
  :PREROUTING ACCEPT [161:13175]
  :POSTROUTING ACCEPT [6:368]
  :OUTPUT ACCEPT [1:108]
  -A PREROUTING -d 108.209.107.235/32 -i eth1 -j DNAT --to-destination 10.10.10.89
  -A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.235
  COMMIT
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [422:49938]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  COMMIT 

Also disable IPv6, you don't want your firewall accepting anything except IPv4 with the config above.  Requires reboot just to be sure.

# cat /etc/modprobe.d/disable_ipv6.conf

  options ipv6 disable = 1 

More fun, VMware and CentOS screw up paravirtual network driver performance, some directives can address this.

# iptables-save

# cat notes.txt 

  http://wiki.centos.org/TipsAndTricks/IPForwarding
  /etc/sysctl.conf/net.ipv4.ip_forward = 1
  [ is this realtime, or requires reboot? ]

# ethtool -K eth0 gso off

# ethtool -k eth0

  Offload parameters for eth0:
  rx-checksumming: on
  tx-checksumming: on
  scatter-gather: on
  tcp-segmentation-offload: on
  udp-fragmentation-offload: off
  generic-segmentation-offload: on
  generic-receive-offload: off
  large-receive-offload: off

# ethtool -k eth1

  Offload parameters for eth1:
  rx-checksumming: on
  tx-checksumming: on
  scatter-gather: on
  tcp-segmentation-offload: on
  udp-fragmentation-offload: off
  generic-segmentation-offload: on
  generic-receive-offload: off
  large-receive-offload: off

Now for the internal sever 

# ifconfig

  eth0    Link encap:Ethernet  HWaddr 00:0C:29:9E:D6:DC  
          inet addr:10.10.10.89  Bcast:10.10.10.255  Mask:255.255.255.0

  lo      Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0

# ethtool -k eth0

  Offload parameters for eth0:
  rx-checksumming: on
  tx-checksumming: on
  scatter-gather: on
  tcp-segmentation-offload: on
  udp-fragmentation-offload: off
  generic-segmentation-offload: on
  generic-receive-offload: off
  large-receive-offload: on

NFTables?
Related [ edit ]

OS X, https

# apachectl stop                      

  launchctl: Error unloading: org.apache.httpd

  [ this means apachectl did not quietly launch https,
    perhaps if certificate was given a passphrase ]

# httpd         

  httpd: Could not reliably determine the server's fully qualified domain name,
  using mini.local.zaptech.org for ServerName
  (48)Address already in use: make_sock: could not bind to address [::]:80
  (48)Address already in use: make_sock: could not bind to address [::]:443
  Apache/2.2.22 mod_ssl/2.2.22 (Pass Phrase Dialog)
  Some of your private key files are encrypted for security reasons.
  In order to read them you have to provide the pass phrases.

  Server www.example.com:443 (RSA)
  Enter pass phrase:

  OK: Pass Phrase Dialog successful.

# ps ax | grep http

  88767  ??  Ss    0:00.25 httpd
  88768  ??  S     0:00.02 httpd
  88769  ??  S     0:00.02 httpd
  88770  ??  S     0:00.02 httpd

# kill 88767       

# ps ax | grep http

# pwd

  /var/root/ssl/apache2

# ssh-keygen -f server.key     

  Generating public/private rsa key pair.
  Enter passphrase (empty for no passphrase): 
  Enter same passphrase again: 
  Your identification has been saved in server.key.
  Your public key has been saved in server.key.pub.
  The key fingerprint is:
  58:a3:c7:38:7c:d9:d9:51:99:59:f0:10:31:62:c7:e7 root@mini.local.zaptech.org
  The key's randomart image is:
  +--[ RSA 2048]----+
  |            o.OO.|
  |           . +=+.|
  |        o   .  o.|
  |     . * + o .  E|
  |      * S o .    |
  |       +         |
  |                 |
  |                 |
  |                 |
  +-----------------+

# ls -lh

  -rw-------  1 root  wheel   1.6K Apr  7 00:42 server.key
  -rw-r--r--  1 root  wheel   409B Apr  7 00:42 server.key.pub

# openssl req -new -key server.key -out request.csr   

  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:CA
  Locality Name (eg, city) []:Cupertino
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:zap technologies
  Organizational Unit Name (eg, section) []:
  Common Name (eg, YOUR name) []:Rick Armstrong
  Email Address []:info@zaptech.com

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

# ls -lt

  -rw-r--r--  1 root  wheel  1041 Apr  7 00:44 request.csr
  -rw-------  1 root  wheel  1675 Apr  7 00:42 server.key
  -rw-r--r--  1 root  wheel   409 Apr  7 00:42 server.key.pub

# openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt               

  Signature ok
  subject=/C=US/ST=CA/L=Cupertino/O=zap technologies/CN=Rick Armstrong/emailAddress=info@zaptech.com
  Getting Private key

# ls -lh

  -rw-r--r--  1 root  wheel   1.0K Apr  7 00:44 request.csr
  -rw-r--r--  1 root  wheel   1.2K Apr  7 00:44 server.crt
  -rw-------  1 root  wheel   1.6K Apr  7 00:42 server.key
  -rw-r--r--  1 root  wheel   409B Apr  7 00:42 server.key.pub

# cd /etc/apache2

  [ in the past /etc/apache2/ssl was used ]

# cp ~/ssl/apache2/server.crt .

# cp ~/ssl/apache2/server.key .

# ls -lh

  -rw-r--r--  1 root  wheel   1.2K Apr  7 00:46 server.crt
  -rw-------  1 root  wheel   1.6K Apr  7 00:46 server.key

# httpd

  httpd: Could not reliably determine the server's fully qualified domain name,
  using mini.local.zaptech.org for ServerName

# ps ax | grep -i http         

  88828  ??  Rs    0:00.39 httpd
  88829  ??  S     0:00.01 httpd

# kill 88828

# ps ax | grep -i http

# rcsdiff /etc/apache2/httpd.conf

  161a162
  > ServerName mini.local.zaptech.org
  469c470
  < #Include /private/etc/apache2/extra/httpd-vhosts.conf
  ---
  > Include /private/etc/apache2/extra/httpd-vhosts.conf
  481c482
  < #Include /private/etc/apache2/extra/httpd-ssl.conf
  ---
  > Include /private/etc/apache2/extra/httpd-ssl.conf

# apachectl start     

# ps ax | grep -i http

  88865  ??  Ss    0:01.37 /usr/sbin/httpd -D FOREGROUND
  88866  ??  S     0:00.00 /usr/sbin/httpd -D FOREGROUND