vm-net

vm-net [firewall(iptables), nat, dhcp(isc), dns(bind/named) and ipv6 tunnel(6to4)]

Tasks

  • Firewall (either a direct iptables script or using ShoreWall) + portscan blocker(?)
  • Firewall / traffic shaper (network traffic priority for httpd, gaming & voip traffic)
  • NAT (allowing multiple computers on one internet connection, using the second public IP address I have available)
  • DHCP (handing out IP addresses, in the future with an LDAP backend)
  • NAMED/BIND/DNS (dns server for locally hosted domains)
  • NAMED/BIND/DNS (banner blocker, redirects outgoing requests for doubleclick to localhost etc.)
  • IPv6 connectivity (possibly even handing out IPv6 addresses to clients with RADVD(?) )
  • Traffic shaping
  • Traffic counting (MRTG, rrdtool?)

/etc/network/interfaces

nano /etc/network/interfaces

from 'man interfaces': address and netmask are required, gateway optional [I need it however]

IPv6 connectivity

apt-get install iputils(?)
ping6 -I eth0 <ipv6_address>

http://www.shorewall.net/6to4.htm#id2672474

Dec 3 16:04:53 vm-mgr kernel: [ 375.333415] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=b6:5d:03:e9:5b:10:00:01:71:0b:85:9c:08:00 SRC=192.88.99.1 DST=Inet2_IP LEN=124 TOS=0x00 PREC=0x00 TTL=249 ID=0 DF PROTO=41

To ping all hosts in your lan, ping the whole link-local area http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x811.html:

ping6 -I eth0 ff02::1

/*
ipv6 DONE

IPv6: [sgiebels@toad:~]$ ping6 www.pcprobleemloos.nl    # AAAA record

http://www.deepspace6.net/projects/initscripts-ipv6.html#id2851702    # 6to4 relay tunnel router

http://tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html    9.4.1.1. Using "ip" and a dedicated tunnel device

ipv4="145.99.246.40"; printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`
2002:9163:f628::1

[root@localhost network-scripts]# nano ../network

/sbin/ip tunnel add tun6to4 mode sit ttl 64 remote any local 145.99.246.40
/sbin/ip link set dev tun6to4 up
/sbin/ip -6 addr add 2002:9163:f628::1/16 dev tun6to4
/sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
ping6 ipv6.google.com

[root@localhost sgiebels]# ifup eth0
Global IPv6 forwarding is enabled in configuration, but not currently enabled in kernel
Please restart network with '/sbin/service network restart'

Example–Using nsloo
*/
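The 6to4 prefix computation and tunnel commands above in a reusable form, plus a check for the Shorewall drop that breaks a 6to4 tunnel (PROTO=41 arriving from the relay anycast address 192.88.99.1, as in the net2fw:DROP log line earlier in this section). This is an added example, not part of the original notes; it assumes only a POSIX sh, and the sample log line is copied from this page.

```shell
#!/bin/sh
# Added example (not from the original notes): a reusable form of the
# page's 6to4 setup for 145.99.246.40, plus a check for the firewall drop
# that breaks 6to4: PROTO=41 from the relay anycast address 192.88.99.1,
# exactly what the Shorewall net2fw:DROP log line on this page shows.

# Print the 2002::/16 6to4 address for a public IPv4 address. Fails on a
# malformed address and on RFC 1918 space, which 6to4 cannot use because
# the relay has to be able to route IPv4 back to the embedded address.
sixto4_prefix() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    if [ "$1" -eq 10 ] || [ "$1.$2" = 192.168 ]; then return 1; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    printf '2002:%02x%02x:%02x%02x::1\n' "$1" "$2" "$3" "$4"
}

# Print the ip(8) commands from the page, parameterised on the local IPv4.
sixto4_tunnel_cmds() {
    addr=$(sixto4_prefix "$1") || return 1
    cat <<EOF
ip tunnel add tun6to4 mode sit ttl 64 remote any local $1
ip link set dev tun6to4 up
ip -6 addr add $addr/16 dev tun6to4
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
EOF
}

# Succeed when a netfilter/Shorewall kernel log line is a DROP of protocol
# 41 (IPv6-in-IPv4) from the 6to4 relay: the tunnel's return path being
# blocked by the net->fw policy, which needs an explicit accept for proto 41.
is_6to4_relay_drop() {
    case $1 in
        *DROP:*SRC=192.88.99.1\ *PROTO=41) return 0 ;;
        *DROP:*SRC=192.88.99.1\ *PROTO=41\ *) return 0 ;;
    esac
    return 1
}

# Log line copied from this page (vm-mgr, Shorewall net2fw DROP).
SAMPLE='Dec 3 16:04:53 vm-mgr kernel: [ 375.333415] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=b6:5d:03:e9:5b:10:00:01:71:0b:85:9c:08:00 SRC=192.88.99.1 DST=Inet2_IP LEN=124 TOS=0x00 PREC=0x00 TTL=249 ID=0 DF PROTO=41'
sixto4_tunnel_cmds 145.99.246.40
is_6to4_relay_drop "$SAMPLE" && echo 'firewall is dropping 6to4 relay replies'
```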

Iptables firewall

Note: be careful when adjusting firewall settings on a remote computer, make sure you don't lock yourself out!

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

# iptables -F
# chmod 700 rc.firewall
# nano rc.firewall
# update-rc.d rc.firewall defaults 19
    update-rc.d: using dependency based boot sequencing
    insserv: warning: script 'rc.firewall' missing LSB tags and overrides

http://www.linuxtopia.org/Linux_Firewall_iptables/x5091.html
http://www.google.nl/search?hl=nl&q=rc.firewall+simple+iptables&aq=f&aqi=&aql=&oq=&gs_rfai=

cd /etc/init.d
http://electron.mit.edu/~gsteele/firewall/
wget http://electron.mit.edu/~gsteele/firewall/firewall
script is broken, edit INTERFACES (br0 or eth0)
test firewall on vm-mgr
chmod ugo+x /etc/init.d/firewall
update-rc.d firewall start 40 S . stop 89 0 6 .

cp firewall /lxc/vm-template/rootfs/etc/init.d/firewall

1a2,19
> ipt_LOG                 3570  6 
> xt_tcpudp               1743  59 
> iptable_raw             1471  0 
> xt_comment               599  33 
> iptable_nat             3551  1 
> nf_nat                 10568  1 iptable_nat
> ipt_REJECT              1517  4 
> ipt_addrtype            1345  3 
> xt_multiport            1775  4 
> xt_MARK                  617  1 
> iptable_mangle          2325  1 
> nf_conntrack_ipv4       7597  38 iptable_nat,nf_nat
> nf_defrag_ipv4           779  1 nf_conntrack_ipv4
> xt_conntrack            1955  35 
> nf_conntrack           38075  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_conntrack
> iptable_filter          1790  1 
> ip_tables               7690  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
> x_tables                8327  10 ipt_LOG,xt_tcpudp,xt_comment,iptable_nat,ipt_REJECT,ipt_addrtype,xt_multiport,xt_MARK,xt_conntrack,ip_tables
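Review bot: the hunk is pure additions (`1a2,19`, all `>` lines) against an lsmod listing, but nothing next to it says which two listings were compared; label it, e.g. "lsmod on vm-mgr before/after `iptables -L`", so a reader does not have to infer that from the note further down. What the lines do show is that the first iptables run pulled in the whole netfilter stack on demand (ip_tables, iptable_filter/nat/mangle/raw, nf_conntrack, xt_conntrack and the rest); since an LXC container shares the host kernel, that is consistent with Shorewall's state-match check passing inside vm-net only once iptables has been run on vm-mgr. To stop depending on that ordering after a reboot, load the modules the container needs explicitly on the host at boot (for example via /etc/modules) instead of relying on the first iptables invocation.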

Shorewall firewall

http://www.shorewall.net/

It uses iptables as back-end.

Installation:

apt-get install shorewall shorewall6 make

will also install: bc libdb4.7 libgdbm3 libio-socket-inet6-perl libsocket6-perl perl perl-modules

Enable shorewall startup upon boot:

cat /etc/default/shorewall
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=1

Do the same for '/etc/default/shorewall6'

root@vm-net:/etc/default# /etc/init.d/shorewall start
Starting "Shorewall firewall": not done (check /var/log/shorewall-init.log).
root@vm-net:/etc/default# tail /var/log/shorewall-init.log 
Compiling...
Processing /etc/shorewall/shorewall.conf...
Dec  2 01:06:49 Processing /etc/shorewall/shorewall.conf...
Dec  2 01:06:49    ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
   ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
root@vm-net:/etc/default# /etc/init.d/shorewall6 start
Starting "Shorewall6 firewall": not done (check /var/log/shorewall6-init.log).
root@vm-net:/etc/default# iptables -L
/etc/init.d/shorewall6 start
Starting "Shorewall6 firewall": not done (check /var/log/shorewall6-init.log).
root@vm-net:/etc/default# tail /var/log/shorewall6-init.log 
01:08:03 Shorewall configuration compiled to /var/lib/shorewall6/.start
   ERROR: IPSET=/usr/sbin/ipset does not exist or is not executable: Firewall state not changed
Dec 02 01:08:03   ERROR: IPSET=/usr/sbin/ipset does not exist or is not executable
Dec 02 01:08:03   ERROR:Shorewall6 restart failed:Firewall state not changed
Terminated
[: 167: -lt: unexpected operator
   ERROR: IPSET=/usr/sbin/ipset does not exist or is not executable: Firewall state not changed
Dec 02 01:08:03   ERROR: IPSET=/usr/sbin/ipset does not exist or is not executable
Dec 02 01:08:03   ERROR:Shorewall6 restart failed:Firewall state not changed
Terminated
root@vm-net:/etc/default# apt-get install ipset
root@vm-net:/etc/default# which ipset
/usr/sbin/ipset
/etc/init.d/shorewall6 start
Starting "Shorewall6 firewall": done.

I'm used to using 'ifconfig' but I know I should read more about 'ip'. 'ip' is a program included in the iproute2 package; it replaces ifconfig and route in modern Linux systems.

shorewall kernel state match support error

root@vm-net:/etc/shorewall# make
  Shorewall isn't started
  Compiling...
  ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

If you run 'iptables -L' on the vm-mgr, and retry this, it works ok. Still have to check if this happens more often, or if this problem returns after a reboot. It has something to do with the modules (loaded on the vm-mgr). Will have to debug with 'lsmod' before and after the 'iptables -L' action.

NAT'ting

/*
iptables -t nat -I PREROUTING ! -s 10.76.0.0/24 -p tcp --dport 80 -j DNAT --to 10.76.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 145.99.246.62 --dport 80 -j DNAT --to-destination 10.76.0.80
*/

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
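The DNAT lines above only rewrite the destination; the rules a working port-forward and a shared connection need around them are shown here as an added example (not the notes' own script). Addresses follow the page's example (145.99.246.62 forwarded to 10.76.0.80, the second public IP used for SNAT); the LAN range 10.76.0.0/24 on eth1 and the uplink eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: the full rule set a DNAT
# port-forward needs, printed as text so it can be reviewed before it is
# run on a remote firewall (pipe to sh, or set APPLY=1). Addresses follow
# the page's example (145.99.246.62 -> 10.76.0.80); the LAN range
# 10.76.0.0/24 on eth1 and the uplink eth0 are assumptions.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=10.76.0.0/24

# Rules for forwarding TCP port $3 on public IP $1 to internal host $2.
# DNAT alone is not enough when the FORWARD policy is DROP: the rewritten
# packet must also be accepted in FORWARD, matched on the conntrack DNAT
# state and the target host/port rather than with a blanket accept.
dnat_forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -d $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $2 -p tcp --dport $3 -m conntrack --ctstate DNAT -j ACCEPT
EOF
}

# Rules that let the LAN share the connection: default-deny forwarding,
# outgoing traffic leaves as public IP $1 (SNAT with the second public
# address), and only replies to it are forwarded back in.
snat_lan_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $1
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Complete NAT rule set for this box: shared connection plus the web port-forward.
nat_ruleset() {
    snat_lan_rules 145.99.246.62
    dnat_forward_rules 145.99.246.62 10.76.0.80 80
}

if [ "${APPLY:-0}" = 1 ]; then nat_ruleset | sh; else nat_ruleset; fi
```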

Bind

apt-get install dnsutils bind9

DHCPd

Changing the logging file location

The last configuration I would like to demonstrate today is changing the default logging file. First, I'll change the logging line in /usr/local/etc/dhcpd.conf so that it looks like this:

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

Next, I'll create an empty log file called dhcpd.log:

# touch /var/log/dhcpd.log

Then, I'll create an entry for this logfile in /etc/syslog.conf by adding this line:

local7.* /var/log/dhcpd.log

Installed packages

apt-get install whois
apt-get install dnsutils

dnsutils contains 'whois'?

LXC containers and netdiag, tcpflow, trafshow

These don't work, see pcap_findalldevs.txt

problem with pcap in lxc containers ('pcap_findalldevs')

eth0 / eth1? Possible cause: eth1 exists on vmmanager, not in vm-net?

root@vm-net:~# tcpflow
tcpflow[1073]: SIOCGIFFLAGS: eth1: No such device
root@vm-net:~# trafshow
pcap_findalldevs: SIOCGIFFLAGS: eth1: No such device

Haven't tested wireshark, likely same issue.

apt-get install netdiag trafshow

SabNZBD

Free Newsserver on IPv6 at NewsXS! NewsXS, a great news service provider, offers free access to its newsserver and newsgroups, as a stimulus to getting more people using IPv6 (instead of IPv4, which is very quickly nearing its end of life)

http://packages.debian.org/nl/squeeze/sabnzbdplus

Add 'contrib' and 'non-free' to the apt sources:

nano /etc/apt/sources.list
deb http://ftp.nl.debian.org/debian squeeze main 

to:

deb http://ftp.nl.debian.org/debian squeeze main contrib non-free

Install the software:

root@vm-net:/usr/src# apt-get install sabnzbdplus
The following NEW packages will be installed:
  file javascript-common libexpat1 libjs-excanvas libjs-mochikit libmagic1 libsqlite3-0 libtidy-0.99-0 mime-support par2 python python-chardet
  python-cheetah python-configobj python-feedparser python-libxml2 python-minimal python-openssl python-support python-utidylib python-yenc python2.5
  python2.5-minimal python2.6 python2.6-minimal sabnzbdplus sabnzbdplus-theme-classic sabnzbdplus-theme-plush sabnzbdplus-theme-smpl unrar unzip
  wwwconfig-common

https://addons.mozilla.org/en-US/firefox/addon/7617/?src=external-sabfront

Edit sabnzbd.ini to allow hosts other than 'localhost' to access it:

host = 0.0.0.0 #localhost

https://<<public_ip>>:8080

follow the instructions

Configuring the firewall

SABnzbd+ 0.5.4 uses port 8080 for http traffic, and 9090 for https.

Open both ports in the firewall

SABnzbd+ plugin for Google Chrome

Check out sabconnect++, the best plugin for Chrome & SabNZBD

Test connection to an IPv6 newsserver

root@vm-net:/etc/shorewall6# telnet -6 reader.ipv6.xsnews.nl 119
Trying 2001:67c:174:101::2...
Connected to reader.ipv6.xsnews.nl.
Escape character is '^]'.
201 reader.ipv6.xsnews.nl NNRP Service Ready (no posting).

Press 'Ctrl-]' q <return> to exit telnet.

unsorted

root@vm-mgr:/var/log# modprobe ip6_tables
root@vm-mgr:/var/log#

ping6 2a00:1450:8001::93

http://www.shorewall.net/MyNetwork.html#params

/etc/shorewall/notrack
#SOURCE           DESTINATION      PROTO   DEST     SOURCE   USER/
#                                          PORT(S)  PORT(S)  GROUP
net:!192.88.99.1  -                41
dmz               206.124.146.255  udp
dmz               255.255.255.255  udp
loc               172.20.1.255     udp
loc               255.255.255.255  udp
$FW               255.255.255.255  udp
$FW               172.20.1.255     udp
$FW               206.124.146.255  udp

This file omits the 6to4 traffic originating from 6to4 relays as well as broadcast traffic (which Netfilter doesn't handle).

after bind9: also copy configs
http://www.matja.com/media/lessfsNotes.html
http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00211.html
dig hotelpart.com mx

IPv6 diagnostics

'AAAA' dns records are used for IPv6 addresses ('A' dns records for 'old style' IPv4).

lookup ipv6 host: nslookup, dig

http://rollcage.bl.echidna.id.au/IPv6/sun/files/c0204.htm

 1. On the command line, type the following command.
    % nslookup
    The default server name and address display, followed by the nslookup command angle bracket prompt.
 2. To see information about a particular host, type the following commands at the angle bracket prompt.
    >set q=any
    >host-name
 3. To see only AAAA records, type the following command at the angle bracket prompt.
    >set q=AAAA
    
    

---- Please leave feedback or questions at the main page.

vm-net.txt · Last modified: 2017/01/19 00:50 (external edit)
