Posts tagged networking

debian add another loopback address
posted on 2017-01-04 15:40

Add to /etc/network/interfaces:

auto lo:1
iface lo:1 inet static
address 127.0.0.2
netmask 255.0.0.0

then

ifup lo:1

and ip a should then show the new address as live.

linux bonding without ifenslave
posted on 2016-09-13 15:46

Sometimes you configured bonding on the switch and on the host itself. After a reboot, you figure out your server won't come up.

iKVM tells you, networking's not working.

Now the configuration can be fixed easily, but what if you simply forgot about the ifenslave package? Since your networking config is out of order, how do you get the files there?

  • boot livedisk?
  • manually plug the cable into another switchport and reconfigure unbonded networking?
  • use a USB stick plugged directly into the server and copy the missing package onto it so you can install it?

Here's another way:

modprobe bonding
# (the kernel module is called bonding; it has to be present and loaded)

echo "+bond0" >  /sys/class/net/bonding_masters

echo "+eth0" > /sys/class/net/bond0/bonding/slaves
echo "+eth1" > /sys/class/net/bond0/bonding/slaves

# Remove a slave interface from bond0

echo "-eth0" > /sys/class/net/bond0/bonding/slaves

# Delete a bond interface

echo "-bond0" >  /sys/class/net/bonding_masters

Official documentation can be found here.

throughput measurement with iperf
posted on 2016-09-12 13:32

In short:

  • iperf -s start the server on node 1
  • iperf -c <node2_ip_or_dns> connects node 2 to node 1 and starts the test

Example:

root@server1:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 188.64.57.149 port 5001 connected with 158.181.55.4 port 24169
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec   761 MBytes   636 Mbits/sec

and

sjas@server2~$ iperf -c server1
------------------------------------------------------------
Client connecting to server1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 10.20.1.14 port 44928 connected with 188.64.57.149 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   761 MBytes   638 Mbits/sec

ipv6 addressing
posted on 2016-08-30 12:59

Since I forget this time after time, here are some notes.

  • An IPv6 address is 128 bits long.
  • Eight fields of 16 bits each, written in hex and separated by colons.
  • Leading zeroes within a field may be omitted.
  • One run of consecutive all-zero fields may be omitted (written as '::', only once per address).
  • Put them in square brackets when having to specify ports: [1:2:3:4:5:6:7:8]:443
  • Customers get /48 from their ISP.
  • Hosts use /64 networks, which is the subnet size to use for everything; don't go smaller or larger.
  • ::/0 equals 0.0.0.0/0

Some prefix examples (the ruler gives the bit count at the end of each field):

  16   32   48   64   80   96  112  128
0001:0002:0003:0004:0005:0006:0007:0008

0001::/16
0001:0002::/32
0001:0002:0003::/48
0001:0002:0003:0004::/64
0001:0002:0003:0004:0005::/80
0001:0002:0003:0004:0005:0006::/96
0001:0002:0003:0004:0005:0006:0007::/112
0001:0002:0003:0004:0005:0006:0007:0008/128

Leading zeroes within a field may be dropped, trailing ones may not:

0001:0002:0003:0004:0005:0006:0007:0008 = 1:2:3:4:5:6:7:8

1000:2000:3000:4000:5000:6000:7000:8000 = 1000:2000:3000:4000:5000:6000:7000:8000
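
The rules above, worked through with Python's standard ipaddress module. This is an added example and not part of the original notes; the function names are my own, and the sample addresses (the 1:2:3:... address from the table and the 2001:db8::/32 documentation prefix) are constructed.

```python
"""IPv6 notation rules from the notes above, checked with the ipaddress module.

Added example, not part of the original notes: the standard library does the
compression and the prefix arithmetic, so the results can be compared with
the hand-written table. All addresses are constructed samples (2001:db8::/32
is the documentation prefix).
"""
import ipaddress
from typing import List


def compress(addr: str) -> str:
    """Shortest form: leading zeroes of each field dropped and the single
    longest run of all-zero fields (at least two fields) replaced by '::'."""
    return ipaddress.IPv6Address(addr).compressed


def expand(addr: str) -> str:
    """Full eight-field form with all leading zeroes restored."""
    return ipaddress.IPv6Address(addr).exploded


def prefix(addr: str, length: int) -> str:
    """The /length network containing addr, in compressed form. strict=False
    lets ipaddress mask off the host bits instead of rejecting the input."""
    return str(ipaddress.IPv6Network(f"{addr}/{length}", strict=False))


def with_port(addr: str, port: int) -> str:
    """Bracketed form required wherever a port follows the address."""
    return f"[{compress(addr)}]:{port}"


def slash64_count(assignment: str) -> int:
    """Number of /64 subnets inside a customer assignment such as a /48."""
    net = ipaddress.IPv6Network(assignment)
    if net.prefixlen > 64:
        raise ValueError("assignment is smaller than a single /64")
    return 2 ** (64 - net.prefixlen)


def prefix_table(addr: str) -> List[str]:
    """The /16 ... /128 column from the notes, computed for one address."""
    return [prefix(addr, n) for n in range(16, 129, 16)]


if __name__ == "__main__":
    full = "0001:0002:0003:0004:0005:0006:0007:0008"
    for line in prefix_table(full):
        print(line)
    print(compress(full), "|", compress("1000:2000:3000:4000:5000:6000:7000:8000"))
    print(compress("1:0:0:2:0:0:0:3"), "<- only the longest zero run becomes ::")
    print(with_port(full, 443), slash64_count("2001:db8:1::/48"))
```

One detail worth knowing: ipaddress prints addresses in RFC 5952 canonical form, which never uses '::' for a single zero field, so the /112 row comes out as 1:2:3:4:5:6:7:0/112 even though 1:2:3:4:5:6:7::/112 is accepted as input.
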

proxmox nat howto
posted on 2016-08-29 08:29

Network Address Translation in combination with port forwarding lets you access a VM on a proxmox instance via the IP of the hypervisor itself. A second bridge is added for creating the internal network, and the hypervisor is configured to forward packets destined to a certain port to the VM on the internal network. The added bridge is called vmbr1 here, and this was added to our networking config.

This is just an excerpt of the relevant part of the /etc/network/interfaces file there:

auto vmbr1
iface vmbr1 inet static
    address  10.0.2.1
    netmask  255.255.255.252
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s 10.0.2.0/30 -o eth0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.0.2.2:22

    post-down iptables -t nat -D POSTROUTING -s 10.0.2.0/30 -o eth0 -j MASQUERADE
    post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.0.2.2:22 

This is the network configuration for the VM in question:

auto eth0
iface eth0 inet static
    address 10.0.2.2
    netmask 255.255.255.252
    gateway 10.0.2.1

As soon as the bridge on the HV is started, the masquerading and port-forwarding rules are added; they are removed again when the interface is taken down.

cisco sg300 setup
posted on 2016-08-13 17:52

These are the notes for setting up a cisco sg300 10 port switch with vlans via the cli. It's the best cheap managed switch that happens to have a CLI similar to the ones on the bigger switches from cisco, and it comes with a serial interface.

standard ip

Use this IP for accessing SSH or the webgui in your browser:

192.168.1.254

standard password

user: cisco
pass: cisco

serial connection

In case you need it because you cannot access the switch via IP any longer (scanning 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 sure takes too much time to be feasible...), use its serial interface.

baud:      115200 (if not set otherwise)
bits:      8
parity:    N
stopbits:  1
no flow control

To use it, connect a USB-to-serial adapter to your laptop and use putty/screen/minicom, depending on the OS you use.

foreword

First, all commands are abbreviated here. Use ? in the CLI if you want to know what you can type: on its own, after some characters, or as a parameter after a command.

cisco devices have different modes, and after logging in you edit the configuration in RAM. To change all possible settings, you have to go into configure mode (conf), and to save, the volatile configuration has to be copied back to the flash memory (copy run start or wr).

In normal mode there just are not so many options. To jump back, exit. More on the modes later on.

Sadly, ctrl+d doesn't work, but ctrl-z is its substitute.

first steps (after logging in and likely changing the password)

'backspace' key:

ctrl + h

delete current line:

ctrl + u
ctrl + k

disable/enable the output paging bullshit (you know screen's copy mode via ctrl+a,[ so PGUP and PGDN work?):

terminal datadump
terminal no datadump

enable / disable command history / set its maximum size:

terminal history
terminal no history
terminal history size 206

show current configuration:

show run

show current access methods:

show line

save the changes up until now:

# choose 'yes', of course, when being prompted
copy run start

# this also works but is deprecated
wr t

configuration

For ease of use, when configure mode is needed, all the steps are shown. You can stay in configure mode if you want and perform several steps at once if you please.

hostname:

conf t
hostname <my_new_hostname>
ctrl-z
copy run start

search domain

conf t
ip domain name <your_search_domain>
ctrl-z
copy run start

create a new user and revoke admin rights from the standard 'cisco' user:

conf t
username <new_user> privilege 15 password <new_password>
username cisco privilege 1 password <doesnt_matter_you_dont_need_it_anymore>
ctrl-z
copy run start

What this was actually about was using the different privilege modes present on cisco switches.

privilege level 1      = user mode, '>' prompt
privilege level 2 - 15 = privileged EXEC mode, '#' prompt
configure              = configure mode, '(config)' prompt

You can do fine-grained access-levelling, with commands available only at different privilege modes (i.e. 3, 6, 10, 14, 15, however you see it fitting), but we want to disable the basic account and create a new one.

Level 15 can do everything. Regular workflow is logging in, and using the enable password to elevate to administrator levels if need be.

Via enable <number> and disable <number> you can enter higher or lower privilege modes, compared to your current one that can be looked up via show privilege.

While in configure mode, you can enter sub-modes for some of the commands, ex, end and ctrl-z will work there, too.

set default gateway

conf t
ip default-gateway <your_gw_ip>
do copy run start

The do keyword lets you run EXEC keywords from within configure mode.

set default ip

proxmox and VLANs
posted on 2016-07-15 13:07

This is a howto with a sample configuration on how to create a proxmox setup using vlans. No bonding is used.

  • network: 10.0.0.0/24
  • gateway ip: 10.0.0.1
  • proxmox ip: 10.0.0.2
  • VM ip: 10.0.0.3
  • vlan id: 222
  • physical NIC: eth0

proxmox

The physical NIC is set to manual, as are the corresponding vlan device and the main bridge; only the VLAN-specific bridge gets a static inet address.

The main bridge uses the physical NIC; the vlan bridge uses the vlan adapter on top of the physical NIC.

/etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth0.222
iface eth0.222 inet manual
    vlan-raw-device eth0

auto vmbr0
iface vmbr0 inet manual
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr0v222
iface vmbr0v222 inet static
    address     10.0.0.2
    netmask     255.255.255.0
    gateway     10.0.0.1
    bridge_ports eth0.222
    bridge_stp off
    bridge_fd 0

Naming convention is ethX.VLAN for the physical NIC's VLAN adapter. For the bridge, do vmbrXvVLAN.

Set up more ethX.VLAN / vmbrXvVLAN couples for more VLANs.

VM

Setup the network as usual, as if no VLAN is in place:

auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address     10.0.0.3
    netmask     255.255.255.0
    network     10.0.0.0
    broadcast   10.0.0.255
    gateway     10.0.0.1

Also set the VLAN from within the proxmox interface for your VM's desired adapter. (Tab Hardware in the VM's menu, double-click the Network Device, select the main bridge, which is vmbr0 here, and add the VLAN id in the field VLAN Tag.)

switch

You have to have set up trunking on the physical switch's switchport that your proxmox hardware is using.

If you omit this, no vlan tagging will take place and you will have no connectivity even if your proxmox network config is solid.

ssh vpn howto
posted on 2016-05-29 12:38

To create a permanent tunnel via ssh between two hosts, some configuration has to be done on each side of the tunnel, so it gets created automatically once the tunnel interface is brought up.

This tutorial is debian-specific.

overview

  • a keypair gets created on client side, for the sole purpose of activating the tunnel
  • server network config is extended by an additional tun interface and a routing rule
  • authorized_keys on the server is modified to activate the tunnel and the tun interface on the server side
  • client network config gets a tun interface and a routing rule added
  • once the client tun interface is brought up, an ssh connection is established to the server, the server's tun interface is brought up, too, and the tunnel is in place

setup

keygen

ssh-keygen -t rsa -b 4096 -f ~/.ssh/sshvpn

server side

Allow tunnelling in /etc/ssh/sshd_config:

PermitTunnel point-to-point

Save and exit, and service ssh restart.

Make ip forwarding available persistently, so it will be there across reboots:

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf

Enable ip forwarding just for the current session:

sysctl net.ipv4.ip_forward=1

Add to /etc/network/interfaces:

# no 'auto' line: sshd creates tun99 when the client connects, it is then brought up with ifup tun99
iface tun99 inet static
    address 192.168.0.2/30
    pointtopoint 192.168.0.1
    up ip r a 10.0.0.0/24 via 192.168.0.1 dev tun99

client side

# no 'auto' line: the tunnel is started by hand with ifup tun98
iface tun98 inet static
    pre-up ssh -i /home/sjas/.ssh/sshvpn -M -S /var/run/sshvpn -f -w 98:99 sjas@10.20.1.14 true
    pre-up sleep 5
    address 192.168.0.1/30
    pointtopoint 192.168.0.2
    up ip r a 192.168.189.0/24 dev tun98

usage

Starting the tunnel, on client-side:

ifup tun98

Stopping the tunnel, on client-side:

ifdown tun98

windows: static routing
posted on 2016-05-20 19:08

Handling of static routes in windows can be easily done through the commandline.

Information is specified like this:

route COMMAND DEST-NETWORK-IP mask SUBNETMASK YOUR-GATEWAY

show

route print

add

# temporary
route add  10.0.0.0  mask 255.255.255.255  192.168.0.1
# permanent: just add the -p switch
route add  10.0.0.0  mask 255.255.255.255  192.168.0.1 -p

delete

# temporary
route delete  10.0.0.0  mask 255.255.255.255  192.168.0.1
# permanent: just add the -p switch
route delete  10.0.0.0  mask 255.255.255.255  192.168.0.1 -p

On troubleshooting load-balanced applications
posted on 2016-04-23 23:13

When running loadbalanced applications, in particular a redundant webserver, you have several approaches at your disposal.

In the following it is assumed that you have a setup with a dedicated firewall facing externally, like this:

* ---FIREWALL --- LOADBALANCER --- WEB SERVER 1 | WEB SERVER 2

Add a custom HTTP Header via the Webserver

  • can be witnessed in browser dev console
  • can be seen in packetdumps like tcpdumps or in wireshark
  • SetEnvIf <custom-flag> in apache, e.g. matched on the origin IP in question

check timeouts

In case you had a working setup which stopped working some time later:

Especially if your configuration is more complex, e.g. the web servers are front-ends for an application server backend which in turn fronts a database, you might as well check all your timeouts. Maybe you have longer-running queries than when the application was freshly set up, and you now hit certain thresholds.

A good rule of thumb is to set all timeouts to equal values. Of course it's a nice idea to change all timeouts when changing the front-end up front...

Turn one node off

  • simply deactivate one node in the loadbalancer and see if you can spot a difference

make all nodes directly reachable

Besides setting up your main IP on the loadbalancer, give each of the webservers a dedicated IP, too, so you can reach them directly in case you need to test nodes independently.

Since you usually don't want the web servers to be publicly reachable, they are within their own private subnetwork. Set up further public IPs on the firewall, so that all of them reach the firewall.

Besides the main IP which is 1:1 NAT-ted to the LOADBALANCER, do 1:1 NATs towards the web servers with the other two IPs. Just make sure you restrict access on the firewall by filtering all IPs besides your own.

Now even when a server is removed from the loadbalancer and thus not publicly reachable anymore, for testing purposes it can still be accessed.

terminate SSL connections at the loadbalancer

If you can terminate your HTTPS encryption at the loadbalancer, do it. Besides lessening your server load, it also saves you from having to decrypt packets when analyzing packetdumps.

There are scenarios where you will not want that, but if you know that to be the case, you know the solution anyway, too.

clear your cache

If you wonder whether you can reach both web servers at all, and 'sticky' sessions are enabled on the loadbalancer, clear your browser cache. Cookies are then used to always lead you onto the same webserver.

Redo it several times if you do not succeed at first. That however assumes you know the loadbalancing strategy to somehow alternate between both servers.

If the loadbalancer is using a somehow 'fixed' distribution algorithm, it may effectively create an active-passive setup: Thus you can only reach the second webserver, if the primary one is either removed or simply turned off.

packetdump

When wondering where you lose packets, do long-running packet dumps at the firewall as well as the loadbalancer and the webservers, so you can compare where the network eats your packets or which node is misconfigured.

Don't forget to filter the packets by your local workstation IP (or the ip of the gateway where it is behind), so you don't have to put up with visual information overload.

Special bonus tip here, if you want real time server debugging with wireshark:

  • set up an ssh tunnel, so you can stream data back to your workstation
  • create a FIFO queue file
  • start netcat server locally and pipe its output to the queue
  • open this file in wireshark
  • on the server start the tcpdump piped into netcat sending all data through the tunnel so it reaches your workstation

Happy debugging. I can't do a more detailed description as I am currently in a hurry, but I might do so once I need this again when a tcpdump -vvv -XXX does not suffice.

openvswitch: intro
posted on 2016-04-09 23:16

This is for debian testing branch, packages installed from the repository. openvswitch is used without a SDN controller.

prerequisites

Don't use regular linux bridges on your system, you will run into trouble, as far as I have heard. (Didn't feel like testing this out myself.)

install packages

apt install openvswitch-switch

setup

# init database
ovs-vsctl init
# check if initialization worked
ovsdb-tool show-log
# find out db file
ovsdb-tool --help
# emergency reset in case you need it
ovs-vsctl emer-reset

# create your virtual switch
ovs-vsctl add-br ovs0
# show your virtual switch
ovs-vsctl list-br
# add a port to the switch
ovs-vsctl add-port ovs0 ovs0eth0
# show your ports on the switch
ovs-vsctl list-ports ovs0

# show current configuration
ovs-vsctl show

arping: duplicate ip address detection
posted on 2016-03-31 22:50

Duplicate IPs within your subnet are a problem that you can detect via arping. It sends a layer-2 ARP REQUEST to detect if an IP is already known within the network.

Usually this alone is sufficient for use from the shell:

arping -D <IP>

When you simply receive a response on the commandline, the IP is in use already. If you use vlans, you have to specify your interface with -I, too.

If you want to use this from within scripts, you might want this:

arping -D -w2 -c2 -I <INTERFACE> <IP>
echo $?

arping returns zero if there exists a duplicate IP.

One thing to keep in mind is that some linux distributions have several packages available, but only one of them is the arping meant here. On debian jessie, for example, you get these two:

arping/stable 2.14-1 amd64
  sends IP and/or ARP pings (to the MAC address)

iputils-arping/stable,now 3:20121221-5+b2 amd64 [installed]
  Tool to send ICMP echo requests to an ARP address

You need the iputils-arping one, if you happen to use debian.
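
Using the duplicate-address check from a script, as an added example that is not part of the original post. dad_command() builds the arping invocation from the post; ip_in_use() runs it and turns the exit status into a boolean. The argv parameter and the function names are my own additions, there so the logic can be exercised without root or a real interface. One caveat a practitioner should know: the iputils arping manual documents -D as "Returns 0, if DAD succeeded i.e. no duplicates found", so the wrapper below treats a NON-zero status as "address in use"; check that once against your installed version with an address you know is taken.

```python
"""Duplicate address detection from a script, wrapping iputils arping -D.

Added example, not part of the original post. argv is a test hook: the
tests pass a command that just exits 0 or 1 instead of running arping.
Per the iputils manual, -D exits 0 when no duplicate was found, so a
non-zero exit status is what signals "in use" here.
"""
import subprocess
from typing import List, Optional


def dad_command(ip: str, iface: str, wait_s: int = 2, count: int = 2) -> List[str]:
    """arping -D invocation as shown in the post (iputils-arping flavour)."""
    return ["arping", "-D", f"-w{wait_s}", f"-c{count}", "-I", iface, ip]


def dad_status(ip: str, iface: str, argv: Optional[List[str]] = None) -> int:
    """Raw exit status of the DAD run; argv replaces the command for tests."""
    cmd = argv if argv is not None else dad_command(ip, iface)
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=10)
    except FileNotFoundError:
        raise RuntimeError("arping not found; on Debian install iputils-arping")
    except subprocess.TimeoutExpired:
        return -1  # treated like any other failure by ip_in_use()
    return result.returncode


def ip_in_use(ip: str, iface: str, argv: Optional[List[str]] = None) -> bool:
    """True unless DAD reported the address as free (exit status 0).

    Any failure (duplicate found, bad interface name, timeout) counts as
    "in use", which is the safe direction when the result decides whether
    an address gets assigned.
    """
    return dad_status(ip, iface, argv) != 0


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: dad_check.py <IP> <INTERFACE>")
    ip, iface = sys.argv[1], sys.argv[2]
    print(f"{ip} on {iface}: {'IN USE' if ip_in_use(ip, iface) else 'free'}")
```

Running the module with a real address needs the iputils-arping package and usually root, since arping opens a raw socket on the interface.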

pfsense: traffic shaping
posted on 2016-03-20 18:12:20

why?

Over a small broadband connection, to a backend which is split physically into two networks, guarantee that one network can not eat up all the bandwidth. This shall be achieved by per-interface settings.

setup

On the PFSense, there are 3 ports:

  • WAN
  • LAN
  • OPT1

LAN is the important network here, so the OPT1 interface shall be cut back.

how?

In the 2.x series, you have to do it like this:

  • Firewall >> Traffic Shaper
  • Click on OPT1 interface in the tree on the left
  • Checkbox 'enable', enter your available bandwidth (likely 1Gbit)
  • Button 'save'
  • Button 'apply new changes'
  • Button 'add new queue'
  • Enter a queue name (this is important to do before saving! Else you have to ssh into your PFS and fix the config via viconfig. Search for queue in there and remove the old setting. If you have trouble finding it, add another queue with a unique name and search for it then.)
  • Checkbox 'enable'
  • Checkbox 'default queue'
  • Bandwidth here is again '1 Gbit' then
  • Service Curve, checkbox 'upper limit' and enter your limit in the m2 field, i.e. '10Kb'
  • Button 'save'
  • Button 'apply new changes'

Then you should be done.

testing

On the main page of the PFS webgui, add the 'traffic graphs' to the front page dashboard. There you see your throughput easily.

Load a large HD video on youtube from a host on the limited subnet, to have a completely used connection. This will not work with mobile devices, since you cannot set the desired quality there. (!)

Changing the m2 value in a separate window (and applying the changes) should show its limiting capability rather nicely.

firewall: block DHCP traffic
posted on 2016-02-20 23:29:26

To block DHCP requests as well as responses, block:

src port range 67 to 68
dst port range 67 to 68

Why?

[ jl@jl ~ ] 23:31:06 $ \grep -e '\s67/' -e '\s68/' /etc/services 
bootps          67/tcp                          # BOOTP server
bootps          67/udp
bootpc          68/tcp          dhcpc           # BOOTP client
bootpc          68/udp          dhcpc

Which means traffic from port 67 to 68 is DHCP responses (server to client), whereas 68 to 67 is DHCP requests (client to server).

pfsense: iphone ipsec roadwarrior configuration
posted on 2015-12-13 16:47:01

Since this took me a while, here is an incomplete write-up. (...) If the stars are lucky I will eventually get around to finishing this properly.

software versions

  • PFSense 2.2.5
  • iOS 9.2

ios settings for phase 1 + 2

This is straight from the pfsense logs:

# phase 1
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

# phase 2
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

which translates to these alternatives for each phase:

# phase 1 (you should choose the second one :))
enc: aes cbc 128bit
hash: sha1
dh: 1024bit / group 2

enc: aes cbc 256bit
hash: sha256
dh: 1536bit / group 3

enc: 3des cbc
hash: sha1
dh: 1024bit / group 2


# phase 2 (basically aes 256/128 / aes 128 / 3des with sha1 / md5, no PFS)
enc: aes cbc 256
hash: sha1

enc: aes cbc 256
hash: md5

enc: aes cbc 128
hash: sha1

enc: aes cbc 128
hash: md5

enc: 3des cbc
hash: sha1

enc: 3des cbc
hash: md5

According to apple documentation here PFS is possible, too.

networking: cut through vs. store and forward
posted on 2015-12-12 15:11:35

There are mainly two methods in how switches operate.

Either wait for a full ethernet frame to arrive, do checksumming (and dismiss the frame if it is borked) and then do the forwarding (or other decisions, depending on the switch's functions and configuration), which is called store & forward (duh).

Or just wait for like the first six bytes (in the past, at least) to arrive, to know where to pass the frame on to, without bothering to check the rest. Which is called cut through.

A lot of the functionalities of managed switches (ACLs, dynamic routes, policy-based routing, QoS) are not possible with that technique. Of course, broken frames could be sent on their way, too, when that is the switching method your switch uses, but it is sure faster and provides higher throughput.

Lately, Cisco for example uses an evolved version of cut-through, which waits for enough bytes (14 bytes without an 802.1Q / VLAN tag, 18 with one VLAN tag, 22 with double VLAN tagging, ...) so the EtherType of the frame can be discerned without doubt. So if a switch comes with specialized IP functions, and the EtherType indicates an encapsulated IP packet, the switch can keep on reading the frame's IP information and apply its logic and configuration. Whereas if the frame does not encapsulate IP traffic, the packet is just forwarded.

Some info on this stuff can be found here.
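
The 14 / 18 / 22 byte figures above, reproduced in code as an added example (not part of the original post): an Ethernet II header is 6 bytes destination MAC, 6 bytes source MAC and 2 bytes EtherType, and every 802.1Q (TPID 0x8100) or 802.1ad/QinQ (TPID 0x88a8) tag in front of the EtherType inserts another 4 bytes. locate_ethertype() walks the tags the way the switch's parser has to and returns how far into the frame it had to read; build_frame() and the MAC addresses exist only to construct sample frames and are my own.

```python
"""Where the EtherType sits in a frame, and how far a cut-through switch must read.

Added example, not part of the original post. The frames are constructed
samples; the function names are my own.
"""
import struct
from typing import List, Tuple

TAG_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad; some vendors also used 0x9100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
IP_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_IPV6}


def build_frame(dst: bytes, src: bytes, ethertype: int,
                vlan_ids: List[int], payload: bytes) -> bytes:
    """Ethernet II frame with zero or more VLAN tags, outermost tag first.
    With two tags the outer one carries the 802.1ad TPID as in QinQ."""
    header = dst + src
    for i, vid in enumerate(vlan_ids):
        tpid = 0x88A8 if (len(vlan_ids) > 1 and i == 0) else 0x8100
        header += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI bits left 0
    header += struct.pack("!H", ethertype)
    return header + payload


def locate_ethertype(frame: bytes) -> Tuple[int, int, List[int]]:
    """Return (ethertype, bytes_needed, vlan_ids).

    bytes_needed is how many leading bytes a cut-through switch has to
    buffer before it can tell whether to look further into the frame (IP)
    or forward it straight away: 14 untagged, 18 with one tag, 22 with two.
    """
    offset = 12  # the two MAC addresses are read first in any case
    vlans: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends before the EtherType field")
        (field,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if field in TAG_TPIDS:
            if len(frame) < offset + 2:
                raise ValueError("frame ends inside a VLAN tag")
            (tci,) = struct.unpack_from("!H", frame, offset)
            vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN id
            offset += 2
            continue
        return field, offset, vlans


def needs_ip_lookup(frame: bytes) -> bool:
    """True when the EtherType says an IP packet follows, i.e. the switch's
    IP features (ACLs, routing) apply; otherwise plain layer-2 forwarding."""
    ethertype, _, _ = locate_ethertype(frame)
    return ethertype in IP_ETHERTYPES


if __name__ == "__main__":
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    for tags in ([], [222], [100, 222]):
        frame = build_frame(dst, src, ETHERTYPE_IPV4, tags, b"\x45" + b"\x00" * 19)
        print(tags, "->", locate_ethertype(frame), "ip:", needs_ip_lookup(frame))
```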

Debian: NIC bonding config
posted on 2015-12-02 22:14:55

Additionally to the bonding config, there is also a bridge setup, as this was for a proxmox setup.

The needed packages:

apt-get install ifenslave bridge-utils

ifenslave is for bonding, bridge-utils for bridging.

The actual config: (replace the 10.0.0.x IP Stuff)

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# external bond
auto bond0
iface bond0 inet manual
    bond_mode 802.3ad
    bond_xmit_hash_policy layer2+3
    bond_lacp_rate fast

    slaves eth0 eth2
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200


# crosslink / internal bond
auto bond1
iface bond1 inet static
    address 192.168.100.2/24
    network 192.168.100.0
    broadcast 192.168.100.255

    slaves eth1 eth3
    bond_mode balance-rr
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200


# bridge extern
auto vmbr0
iface vmbr0 inet static
    address 10.0.0.2/24
    network 10.0.0.0
    broadcast 10.0.0.255
    gateway 10.0.0.1
    dns-nameservers 8.8.8.8

    bridge_ports bond0
    bridge_stp off
    bridge_fd 0
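
Whether a bond was created through sysfs (see "linux bonding without ifenslave" above) or from an /etc/network/interfaces config like this one, the kernel reports its state in /proc/net/bonding/bond0, and checking that file is how you confirm the bond actually came up with all its slaves. The following is an added example serving both posts, not code from either of them: parse_bond_status() splits the status file into the bond's own fields and one dict per slave, bond_health() reduces that to what a monitoring check needs. SAMPLE_STATUS is a constructed status file in the bonding driver's format (802.3ad, LACP fast, miimon 100, delays 200, slaves eth0/eth2 as in the config above), not a capture from a real host; the function names are my own.

```python
"""Check a bond's health from /proc/net/bonding/<bond>.

Added example, not part of either post. SAMPLE_STATUS is constructed in the
format the bonding driver writes; read_bond_health() reads the live file.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_STATUS = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2+3 (2)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200

802.3ad info
LACP rate: fast
Min links: 0
Aggregator selection policy (ad_select): stable

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 02:00:00:00:00:01
Slave queue ID: 0
Aggregator ID: 1

Slave Interface: eth2
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 02:00:00:00:00:02
Slave queue ID: 0
Aggregator ID: 2
"""

LINE_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_bond_status(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Flat 'Key: value' lines; a 'Slave Interface:' line opens a new slave
    section, everything before the first one belongs to the bond itself.
    Section titles without a colon (e.g. '802.3ad info') are skipped."""
    bond: Dict[str, str] = {}
    slaves: List[Dict[str, str]] = []
    current = bond
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Slave Interface":
            current = {"name": value}
            slaves.append(current)
        else:
            current[key] = value
    return bond, slaves


def bond_health(text: str, min_slaves: int = 2) -> Dict[str, object]:
    """Summary for a monitoring check: healthy means the bond is up, has at
    least min_slaves slaves and every slave reports MII Status 'up'."""
    bond, slaves = parse_bond_status(text)
    down = [s["name"] for s in slaves if s.get("MII Status") != "up"]
    bond_up = bond.get("MII Status") == "up"
    return {
        "mode": bond.get("Bonding Mode", "?"),
        "bond_up": bond_up,
        "slaves": [s["name"] for s in slaves],
        "down_slaves": down,
        "healthy": bond_up and len(slaves) >= min_slaves and not down,
    }


def read_bond_health(bond: str = "bond0") -> Dict[str, object]:
    """Read the live file; only works on a host that has the bond configured."""
    with open(f"/proc/net/bonding/{bond}") as fh:
        return bond_health(fh.read())


if __name__ == "__main__":
    print(bond_health(SAMPLE_STATUS))
```

In the sample the bond itself reports up (802.3ad keeps the aggregator alive on one link), but eth2 is down with three link failures, so the check returns healthy=False; that is exactly the degraded state that goes unnoticed if you only look at whether the bond has an IP.
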

Juniper: bonding / LACP switchconfig
posted on 2015-12-01 08:28:56

This is a rough copy-paste howto, after having accessed the switch and having changed into configure mode via edit:

activate LACP

set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast

create the virtual bonding interface aeX

set interfaces ae1 unit 0 description <SERVER-NAME>
set interfaces ae1 unit 0 family ethernet-switching vlan members <VLAN-NAME>

If the ports were configured before, unset that via delete first; otherwise just map the physical NICs to the virtual interface:

# for port 14 / 15
set interfaces ge-0/0/14 ether-options 802.3ad ae1
set interfaces ge-0/0/15 ether-options 802.3ad ae1

This assumes that the only existing ae / "aggregated ethernet" interface was ae0 prior. Thus ae1 was chosen.

amount of aggregated devices

Check how many are already configured:

admin@switch-01# show chassis 
aggregated-devices {
    ethernet {
        device-count 1;
    }
}
alarm {
    management-ethernet {
        link-down ignore;
    }
}
auto-image-upgrade;

{master:0}[edit]
admin@switch-01#

There you can see that only one ae interface existed prior.

Increase this counter:

set chassis aggregated-devices ethernet device-count 2

This should be everything, commit and-quit and your config is live.

Don't forget to put the VLAN onto your uplink (ae0?) interface, too, so it can get handed to your core.

cisco: factory reset a sg300 switch
posted on 2015-11-23 01:26:43

Resetting a SG300 is rather easy. Hold reset pressed until after like 10 seconds all port leds flash.

Login afterwards is cisco:cisco.

openvswitch: installation for the impatient
posted on 2015-10-04 20:15:52

There is a lot of information out there concerning openvswitch, but a universal installer does not seem to exist.

For testing purposes, all this is done in a fresh virtualbox VM, with nothing else configured. Used virtualbox network type is NAT. Also these settings will not stick, unless you persist them in your network configuration afterwards. You have been warned.

install

Back to basics, openvswitch has a big download button.

cd ~/Downloads
mkdir ovs
mv openvswitch-2.4.0.tar.gz ovs
cd ovs
tar xzvf openvswitch-2.4.0.tar.gz
cd openvswitch-2.4.0
./configure
make -j4 # depends on the number of cores you have in your system
make install
rmmod bridge
modprobe openvswitch
modprobe brcompat

This puts everything under the /usr/local hierarchy. Now make sure that /usr/local/bin and /usr/local/sbin are also part of your $PATH environment.

setup

Then:

ovsdb-tool create /usr/local/etc/openvswitch/conf.db vswitchd/vswitch.ovsschema
ovsdb-server -v --remote=punix:/usr/local/var/run/openvswitch/db.sock --remote=db:Open_vSwitch,Open_vSwitch,manager_options --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --pidfile --detach --log-file
# ovs-01 will be our switch name, it's arbitrary and is the name of the network interface shown in linux
ovs-vsctl add-br ovs-01

Then you can add other interfaces to the switch. However, if you do things wrong, you might have no more network connectivity, so either first try this in a virtual machine, or have a notebook at hand so you can keep on googling.

configuration theory

First some notes on the IP's:

eth0 is our default interface, and it will usually have 10.0.2.15, which is the default IP for a single vbox VM. The hypervisor (the machine which runs your virtualbox) usually gets 10.0.2.2 for whatever reason, at least as seen from the virtual machine. You will not be able to see or ping this IP on the host itself.

Second on basic OVS switch usage:

Add all interfaces to your new OVS instance, whether they are virtual or physical. (It's all layer2, baby!) Then assign the switch the actual IP you'd usually have given your external NIC.

actual configuration

ip addr / ip link / ip route are abbreviated ip a / ip l / ip r for brevity. Also ovs-vsctl is better shortened to just ovs via alias ovs=ovs-vsctl, but that is a matter of taste. In the following I will use the complete command name, so no one gets confused more than needed.

Armed with that kind of knowledge, the configuration should work like this:

# take interface down (ssh tunnels will die!)
ip l s eth0 down
# clear ip from current interface
ip a d 10.0.2.15/24 dev eth0
# flush all routes
ip r f all

# add physical interface to the switch, it was created already above at 'setup'
ovs-vsctl add-port ovs-01 eth0

# add ip back to it and create default route with the hosts gateway
ip a a 10.0.2.15 dev ovs-01
ip r a default via 10.0.2.2

testing

Now you should be able to ping google.com.

troubleshooting

In case the test fails, try these steps:

  1. ping 10.0.2.2 to see if you can reach the gateway. (Else your vbox network is somehow broken.)
  2. ping 8.8.8.8 to see if you have internet connectivity.
  3. ping google.com to see if your DNS works. Else try setting a dns server.

Use echo nameserver 8.8.8.8 >> /etc/resolv.conf for testing purposes.

persisting

If all that works and you want to make your changes persistent, put this information into your interface configuration:

Make your new interface ovs-01 get an ip via DHCP (instead of eth0) and set eth0 to manual. No need to fix the nameserver entry, as this should be handled automatically.

cisco: factory reset for ASA 5510
posted on 2015-09-20 19:30:59

For factory resetting an 'Adaptive Security Appliance', some CLI work has to be done. In the following no prior configuration knowledge is assumed.

get a serial connection

Cisco switches are shipped with a blue female DB9-to-RJ45 adapter cable. (A null modem will not help here, as you need a RJ45 plug at the end which you connect to the ASA's CONSOLE port.)

Such a cable has to be connected to your ASA and to the serial port of your computer. Since most desktops/laptops do not ship with an RS-232 interface anymore, get yourself a male-male USB-to-DB9 adapter.

If you do not have the original cisco cable, use a comparable one: Juniper, for example, ships regular RJ45 ethernet cables plus a female-female RJ45-to-DB9 adapter which works just the same.

In the following a linux operating system is assumed; on windows this works, too. However, you have to plug in the adapter and find out via the device manager which COM port is used; you need this information later when using PuTTY.

On linux you can either go along with minicom, or just use screen. (I have the slight feeling I have written down all this somewhere else already on the blog...)

# as root
screen /dev/ttyUSB0 9600

... and you are connected. Cisco devices in general use 9600 baud, 8bit, 1 stop bit, no flow control. Once I read on official docs about 2 stop bits, but it worked with 1, so go figure it out from the manual if you have trouble with these settings.

step by step

  1. power cycle - turn it off and on again, so it freshly boots after you have connected the serial cable

  2. press ESC here during boot:

    Evaluating BIOS Options ... Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005

    Platform ASA5510

    Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately.

  3. confirm the current configuration register; if prompted whether you wish to change anything, answer with 'no':

    rommon #0> confreg

    Current Configuration Register: 0x00000001 Configuration Summary: boot default image from Flash

    Do you wish to change this configuration? y/n [n]: n

    rommon #1>

  4. enter: confreg 0x41

  5. enter: boot

  6. after the appliance has rebooted, you should see this prompt: ciscoasa>

  7. enter privileged mode: enable

  8. erase startup config: write erase

  9. enter config mode: configure terminal

  10. config-register 0x01

  11. exit config mode: exit

  12. confirm via show version, see the end: Configuration register is 0x41 (will be 0x1 at next reload)

  13. save: write

  14. reboot: reload

Done. You now have a fresh ASA at your disposal.

cisco: factory reset a 2960G switch and initial configuration
posted on 2015-09-19 10:35:33

Factory resetting for a 2960G switch is rather easy:

Hold the button on the front panel; after about 3 seconds of blinking, most lights should turn off. Keep the button pressed; after seven to ten more seconds, all lights will flash. Then the switch is factory-reset and will reboot.

Booting can take a while. Afterwards you are prompted for the initial installation.

This can either be done while connected via a serial line (see the next post here), or by using a PC connected via an ethernet cable. Set the interface to DHCP and you should be able to reach the switch's web interface in your browser via 10.0.0.1.

SSH: tunnel and port-forwarding howto
posted on 2015-07-10 07:56:07

To create ssh tunnels there are a lot of explanations out there, and the most are not worth much. Let's see if I can do better.

some facts against common misconceptions

one

A tunnel involves only two endpoints.

Ok, fair enough. But you need to specify a minimum of three host locations for a working tunnel,

where two can point to the same machine, just seen from different views.

These are your local host (or at least one of its ports), the gateway (the machine which will be the other tunnel endpoint) and the machine you are targeting, which is localhost if the target/destination host is the same machine as the gateway host.

More on that later, if this does not make sense yet.

two

Another misconception which is often prevalent: "How do I get the server port so I can access it locally?"

Actually the direction may seem unnatural:
Things depend on the source host, where the request (of whichever protocol is being used) will originate.

three

Tunnels have a direction, which is what the -L and -R flags are for.

four

The order in which the ssh arguments are specified can actually be changed, and reordered it is much easier to grok.

tunnel 101

This is basic tunnelling knowledge; where SSH tunnels differ from SSL/IPsec VPNs, comments will say so.

Tunnelling connects non-routable networks with each other. (This is the case when one or both sites are behind a NAT.)

A tunnel is created between two endpoints, often called gateways. Encrypted pipes secure the traffic by encrypting packets between the endpoints.

On each side, other hosts can be reached. Depending on the tunnel type, you may or may not have access to the remote gateway itself. (SSH lets you access the remote gateway; with an IPsec VPN (virtual private network) where application and endpoint run on the same box, you are in for some trouble. It works, but it is ugly to do so.)

You also have to specify the hosts behind the endpoints. This can happen via subnets, or you can specify single hosts. (With SSH we will specify only single hosts here, no networks. Further, only one side behind the tunnel has to be specified; the other side's host 'behind' the tunnel endpoint is always located on the same machine as the gateway in question. The tunnel, be it of the local or the remotely forwarded port type, lets you specify the one host not located on a gateway. Don't worry, this will come later with a better explanation.)

On VPNs in general:
If you did not specify the local and remote network, how could the remote party possibly know to which IP packets should be directed after they exit the tunnel? (For SSH, as already stated, only one host, either remote or local, which is not located on a gateway, can be specified. The other 'end' outside of the tunnel endpoint always lies on the gateway.)

ssh tunneling howtos

preface

A regular ssh tunnel is like the above-mentioned tunnels, except that the gateways and the networks after the ends (/32 networks, to be exact) reside on the same host (read: the gateway). This guide assumes that you already know how to do this; it's the basic ssh <hostname-or-ip> stuff.

chained tunnels

To connect to a remote host, but hopping over a few other hosts in the process, simply chain the tunnels:

ssh <host1> ssh <host2> ssh <host3>

Since you will want proper terminals, use the -t flag when doing so. And use -A if you need agent forwarding, i.e. when you want to copy files between hosts directly.

ssh -t -A <host1> ssh -t -A <host2> ssh -A <host3>

This chaining also works for the port forwardings described below, but you really have to watch your ports, so things fit together.

local tunnelling / port forwarding

-L will forward a port on your side of the tunnel to a host on the other one. That way you can reach over into the remote network.

The first use case here will be 'local' tunnelling with the -L flag. The port specified on the local side will be forwarded to the remote side. This is done so that the web interface of a remote NAS behind a router with NAT becomes externally accessible. NAS means Network Attached Storage: a small, low-power data server providing file-level storage.

For this to work, the router has to be configured such that it forwards requests on its port 12345 to the ssh host you want to connect to, which requires knowing its IP and the port on which the ssh server on this machine runs (usually port 22).

Usually you see specifications like this one:

ssh -L 1337:192.168.0.33:443 <user>@<domain-or-ip> -p12345

Easier to grasp should be this:

ssh <domain-or-ip> -l <user> -p 12345 -L localhost:1337:192.168.0.33:443

You ssh to the host at <domain-or-ip>, as the user specified by -l (<user>), on the port specified with -p, which is 12345. The port only has to be specified if SSH is not running on the standard port 22. This is the gateway part.

Then you pass the information about the local and the remote side, joined with colons (:).

localhost is the bind address of the tunnel's listening port, and 1337 is the port which will be used for accessing the web interface; this is what you have to type into your browser (https://localhost:1337). If it were running with a different bind address, you'd have to use that one here, but then I likely would not have to tell you that. :) localhost does not have to be specified; it is given here just for illustration purposes.

What another bind address does is allow others to use the tunnel, if GatewayPorts is enabled on the local SSH server. See man sshd_config for more info.

192.168.0.33:443 is the IP of the NAS on the remote network behind the remote gateway, and the port on which its web server is running.

remote tunneling / port forwarding

-R will forward a port from the remote side to your side of the tunnel. That way hosts from your network can be reached remotely.

Going along with the example above, from within the LAN where the NAS is located:

ssh <domain-or-ip> -l <user> -p 12345 -R localhost:1337:192.168.0.33:443

Here <domain-or-ip> -l <user> -p 12345 is again the gateway information for the remote machine. Depending on -L or -R, the local or the remote port (and bind address!) is specified.

localhost here refers to the bind address on the remote server. If it is explicitly set, the GatewayPorts option has to be enabled in the server's /etc/ssh/sshd_config.

192.168.0.33:443 is just the location of the NAS again.

tunnel chains with port forwardings

A local example:

ssh -t <host1> -L 1337:localhost:1337 ssh -t <host2> -L 1337:localhost:1337 ssh <host3> -L 1337:192.168.0.33:443

The local browser can reach the far-away NAS, which is on the same network as <host3>, via https://localhost:1337. If the NAS were SSH accessible, the complete path could be encrypted. Since we can't (at least in my made-up example), we hop from <host3> to it at its IP 192.168.0.33, and this is the only part of the connection that cannot be encrypted. (This is just provided for educational purposes; such complex setups are usually unlikely in sane reality.)

Use -t for all hops prior to the last one.
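Below is an added example in Python, not part of the original post and not anything from OpenSSH itself. It parses -L/-R/-D specs, reports on which side the listening socket ends up and whether a bind address other than loopback makes the tunnel reachable by other hosts (the GatewayPorts point from the sections above), and generates the chained -L command for any number of hops so that the ports 'fit together'. It assumes OpenSSH's [bind_address:]port:host:hostport syntax with IPv4 addresses or hostnames only; the hop names are the same placeholders as above.

```python
"""Reason about ssh -L / -R / -D forward specs and chained hops.

Added example, not code from the original post.  Assumes OpenSSH's spec
syntax [bind_address:]port:host:hostport for -L and -R and
[bind_address:]port for -D, with IPv4 addresses or hostnames only.
"""
from typing import Any, Dict, List

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"", "*", "0.0.0.0", "::"}


def parse_forward(flag: str, spec: str) -> Dict[str, Any]:
    """Split a -L/-R/-D argument into its parts.

    With -L/-R the bind address is optional, so three fields or four;
    with -D it is one field or two.
    """
    fields = spec.split(":")
    if flag == "-D":
        if len(fields) == 1:
            bind, port = None, fields[0]
        elif len(fields) == 2:
            bind, port = fields
        else:
            raise ValueError(f"bad -D spec: {spec!r}")
        host, hostport = None, None
    elif flag in ("-L", "-R"):
        if len(fields) == 3:
            bind = None
            port, host, hostport = fields
        elif len(fields) == 4:
            bind, port, host, hostport = fields
        else:
            raise ValueError(f"bad {flag} spec: {spec!r}")
    else:
        raise ValueError(f"unknown flag {flag!r}")
    return {
        "flag": flag,
        "bind": bind,
        "port": int(port),
        "host": host,
        "hostport": int(hostport) if hostport is not None else None,
    }


def exposure(fwd: Dict[str, Any]) -> Dict[str, Any]:
    """Which machine ends up with the listening socket, and who can reach it.

    -L and -D listen on the client (your side); -R listens on the sshd side.
    A loopback bind (or none) keeps the port private to that machine;
    anything else lets other hosts use the tunnel.  For -R an explicit bind
    address only takes effect when sshd_config has GatewayPorts enabled.
    """
    bind = fwd["bind"]
    listens_on = "remote gateway (sshd side)" if fwd["flag"] == "-R" else "local host (client side)"
    if bind is None or bind in LOOPBACK:
        reachable = "loopback only"
    elif bind in WILDCARD:
        reachable = "all interfaces"
    else:
        reachable = f"interface {bind}"
    return {
        "listens_on": listens_on,
        "reachable_from": reachable,
        "needs_gatewayports": fwd["flag"] == "-R" and bind is not None,
    }


def chain_command(hops: List[str], port: int, target: str) -> str:
    """Build the chained -L command shown above for any number of hops.

    Every hop but the last forwards `port` to localhost:`port` on the next
    hop and gets -t (a terminal for the inner ssh); the last hop forwards
    to the final target, e.g. "192.168.0.33:443".
    """
    parts = []
    for i, hop in enumerate(hops):
        last = i == len(hops) - 1
        dest = target if last else f"localhost:{port}"
        parts.append(f"ssh {'' if last else '-t '}{hop} -L {port}:{dest}")
    return " ".join(parts)


if __name__ == "__main__":
    for flag, spec in (("-L", "localhost:1337:192.168.0.33:443"),
                       ("-R", "localhost:1337:192.168.0.33:443"),
                       ("-D", "192.168.0.2:1337")):
        print(flag, spec, exposure(parse_forward(flag, spec)))
    print(chain_command(["<host1>", "<host2>", "<host3>"], 1337, "192.168.0.33:443"))
```

The exposure report is the check worth running before opening a forward on a shared box: a -L or -D with a LAN bind address (like the 192.168.0.2 example in the SOCKS section) is usable by every host on that LAN, not just by you.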

a tunnel in a tunnel - port forwarding for ssh to reach locally bound services

This is for services bound to the loopback interface / 127.0.0.1, which are thus only locally available:

ssh <host1> -L 1336:<host2>:22
ssh localhost -p 1336 -L 1337:localhost:3306

The NAS is again a bad example here, as usually these boxes do not have ssh daemons installed or running.

What we did above was simply building a tunnel to the host we want to hop onto, and then creating the port forward by connecting through the locally existing SSH tunnel. This may be useful for remote connections to MySQL instances that can usually only be reached locally.

Usually I have no use for this, but it might come in handy some day.

dynamic tunnelling

To create a SOCKS proxy via SSH:

ssh <domain-or-ip> -l <user> -p 12345 -D 192.168.0.2:1337

Here a specific bind address was used (192.168.0.2, which is our local IP within our LAN; do you remember the GatewayPorts thing?). Any host connecting to our ssh tunnel running on port 1337 will be forwarded straight to the remote gateway.

The application has to know how to handle SOCKS connections, else this will not work.

To keep up with our NAS example, I'd do:

ssh <domain-or-ip> -l <user> -p 12345 -D 1337

Then set up my web browser to use a SOCKS proxy, with address localhost (since no bind address was given, unlike in the prior example) and port 1337.

Afterwards https://192.168.0.33:443 can be entered into the address bar and the NAS is reachable. Just keep in mind that other websites will not work.

PPP-over-SSH

When having to use software which is unaware of SOCKS proxies, the Point-to-Point Protocol (PPP) can help.

This is also a poor man's VPN, when used to send all traffic through it and not just the traffic to a single host or network.

Since I have not had this put to use yet, I cannot write much about it.

So far:

  • Routing, and thus reaching DNS servers, may be an issue when it is only used to tunnel some of the network connections.
  • When tunnelling everything, OSPF (Open Shortest Path First, a routing protocol) can be used to fix this, as I read; see the second link for more info.
  • Well, here are the links.

One link was on BSD, but I guess this helps with enlightenment. The shortest howto is the last one from the Arch wiki. Best may be the second one.

bash: check MTU
posted on 2015-06-29 17:30:20

To check which MTU works, here's a one-liner. It will have colored output:

for (( i=1520; i>1400; i=i-2 )); do if ping -c 1 -M do -s "$i" 8.8.8.8 &>/dev/null; then echo $'\e[32m'; else echo $'\e[31m'; fi; echo "$i ($(( $i + 28 )))"; done

Or easier to read:

for (( i=1520; i>1400; i=i-2 ))
do
    if ping -c 1 -M do -s "$i" 8.8.8.8 &>/dev/null
        then echo $'\e[32m'
        else echo $'\e[31m'
    fi
    echo "$i ($(( $i + 28 )))"
done
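The loop above tries every even payload size from 1520 down to 1402 with one ping each. As an added example, not the post's code and in Python rather than bash, here is the same check done as a binary search over the payload size, with the probe kept pluggable so the search itself can be run offline against a constructed path. It assumes Linux iputils ping (the -M do and -s flags from the loop above, plus -W for a timeout) and IPv4, where the "+ 28" in the loop is the 20-byte IP header plus the 8-byte ICMP header.

```python
"""Find the largest MTU that passes without fragmentation.

Added example, not from the original post.  It generalises the loop above
from a linear scan to a binary search and keeps the probe pluggable so it
can run offline against a simulated path.  Assumes IPv4 and Linux iputils
ping flags (-M do sets Don't Fragment, -s sets the payload size, -W the
reply timeout in seconds).
"""
import subprocess
from typing import Callable

# ping's -s value is ICMP payload only; on the wire a 20-byte IPv4 header
# and an 8-byte ICMP header are added, hence the "+ 28" in the loop above.
IP_ICMP_OVERHEAD = 28


def ping_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """One DF-marked ping with `payload` data bytes; True if an answer came back."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 1372, hi: int = 1520) -> int:
    """Largest passing payload between lo and hi, reported as an MTU (payload + 28).

    `probe(payload)` must be monotone (if a size passes, every smaller size
    does too), which holds for a fixed path.  `lo` (1400 bytes on the wire
    by default) must pass; otherwise the host is down or ICMP is filtered
    and no answer can be trusted.
    """
    if not probe(lo):
        raise RuntimeError(f"{lo}-byte probe failed: host down or ICMP filtered")
    if probe(hi):
        return hi + IP_ICMP_OVERHEAD      # the path is at least this wide
    while hi - lo > 1:                    # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo + IP_ICMP_OVERHEAD


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Probe for a constructed path that drops DF packets larger than `mtu`."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    print("simulated ethernet path  ->", find_path_mtu(simulated_path(1500)))
    print("simulated PPPoE path     ->", find_path_mtu(simulated_path(1492)))
    # live check against the same target as the loop above:
    # print(find_path_mtu(lambda p: ping_probe("8.8.8.8", p)))
```

Binary search needs about seven probes instead of sixty, and the RuntimeError on the smallest size separates "path too narrow" from "ICMP is filtered somewhere", which the colored loop cannot tell apart (every line just comes out red).
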

Linux: Wake-On-LAN
posted on 2015-05-11 22:04:35

Getting a computer to start remotely, without having someone push the power button, can easily be achieved via the NIC's wake-on-LAN feature. The only prerequisites are access to a computer within the same LAN, a WOL-capable computer, and a proper setup.

NOTE: In some BIOSes or UEFIs the WOL / wake-on-LAN feature has to be enabled explicitly.

First check if your NIC is able to do it, and which NIC you need.

Use ip a in a shell and look up your active NIC, the one holding an IP that is not 127.0.0.1. :) This should be the cabled ethernet connection, as, aside from newer Macs (Snow Leopard / OS X 10.6 and above), the trigger will not work via WiFi.

check for functionality

Then have a look at the capabilities and the current setting:

ethtool <NIC> | grep Wake

which may give you something like:

[root@jerrylee /home/jl]# ethtool eno1 | \grep Wake
        Supports Wake-on: pumbg
        Wake-on: g

If the line with Wake-on is set to d, WOL is disabled. From the manpage:

          p   Wake on PHY activity
          u   Wake on unicast messages
          m   Wake on multicast messages
          b   Wake on broadcast messages
          a   Wake on ARP
          g   Wake on MagicPacket™
          s   Enable SecureOn™ password for MagicPacket™
          d   Disable  (wake  on  nothing).  This option
              clears all previous options.

Here I have 'Wake on MagicPacket' already enabled.

enable it

ethtool --change <NIC> wol g

use it

On another host within your network, you only have to know the IP or MAC address of the machine in question, and have the wakeonlan package (Debian, via apt-get) or the wol package (Red Hat derivatives, via yum) installed.

Have a look at ip n, which is short for ip neigh, so you get the MAC:

root@pi:~# ip n
10.10.10.1 dev eth0 lladdr 34:31:c4:1b:1e:b7 REACHABLE
10.10.10.20 dev eth0 lladdr 70:71:bc:9d:bd:e1 STALE

You can also put a .txt file on the host, containing the MAC.

If I wanted to start the machine with the IP 10.10.10.20, I'd have to use:

wol 70:71:bc:9d:bd:e1

And the machine will boot.

This will also persist, even when using ifup / ifdown on the interface in question.
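What the wol / wakeonlan tools actually send is small enough to show in full. The following is an added example in Python, not from the post and not the code of either package: it pulls the MAC for an IP out of ip neigh output, checks the ethtool Wake-on line for the 'g' flag, builds the magic packet (six 0xff bytes followed by the MAC sixteen times, plus the optional 6-byte SecureOn password behind the 's' flag from the manpage excerpt above) and broadcasts it on UDP port 9. The ip neigh and ethtool outputs are constructed samples copied from the post's examples; the send helper is hypothetical and is not exercised offline.

```python
"""Wake-on-LAN helpers: find a MAC, check ethtool, build and send the magic packet.

Added example, not from the original post or from the wol/wakeonlan
packages.  The command outputs below are constructed samples; the send
helper broadcasts to UDP port 9, which is what most WOL tools use.
"""
import re
import socket
from typing import Optional

# constructed samples, copied from the post's ip neigh / ethtool output
SAMPLE_IP_NEIGH = """\
10.10.10.1 dev eth0 lladdr 34:31:c4:1b:1e:b7 REACHABLE
10.10.10.20 dev eth0 lladdr 70:71:bc:9d:bd:e1 STALE
"""
SAMPLE_ETHTOOL = """\
\tSupports Wake-on: pumbg
\tWake-on: g
"""


def parse_mac(mac: str) -> bytes:
    """'70:71:bc:9d:bd:e1' (colons or dashes) -> 6 raw bytes."""
    parts = re.split(r"[:\-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def magic_packet(mac: str, secureon: Optional[str] = None) -> bytes:
    """Six 0xff bytes followed by the MAC repeated 16 times (102 bytes).

    If the NIC has the SecureOn password enabled (ethtool's 's' flag), the
    6-byte password, written like a MAC, is appended.
    """
    packet = b"\xff" * 6 + parse_mac(mac) * 16
    if secureon is not None:
        packet += parse_mac(secureon)
    return packet


def mac_for_ip(ip_neigh_output: str, ip: str) -> Optional[str]:
    """Pull the lladdr for `ip` out of `ip neigh` output; None if it is not listed."""
    for line in ip_neigh_output.splitlines():
        fields = line.split()
        if fields and fields[0] == ip and "lladdr" in fields:
            return fields[fields.index("lladdr") + 1]
    return None


def wol_enabled(ethtool_output: str) -> bool:
    """True if the 'Wake-on:' line (not 'Supports Wake-on:') contains 'g'."""
    match = re.search(r"^\s*Wake-on:\s*(\S+)", ethtool_output, re.MULTILINE)
    return bool(match) and "g" in match.group(1)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet on the LAN; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(magic_packet(mac), (broadcast, port))


if __name__ == "__main__":
    mac = mac_for_ip(SAMPLE_IP_NEIGH, "10.10.10.20")
    print("MAC:", mac, "| Wake on MagicPacket enabled:", wol_enabled(SAMPLE_ETHTOOL))
    print("magic packet:", len(magic_packet(mac)), "bytes")
```

Because the packet is a plain broadcast with no authentication beyond the optional SecureOn password, anything on the same L2 segment can send it; that is also why the trigger does not cross routers without a directed-broadcast relay.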

overview

To see what can trigger a boot of your machine, see here:

cat /proc/acpi/wakeup

DNS: subzone delegation for a subdomain for a dynamic ip
posted on 2015-05-01 01:16:37

As a side project I wanted dynamic DNS, since seemingly all the free products out there went out of business, started to charge money, or developed other bad habits like coercing you to periodically log into the service, or else your domain was turned off.

Since I already had a server plus a domain, running my own DNS server was a nice idea. But changing the authoritative nameserver for a domain means having to update the settings of the domain at the registrar, which I did not want:

  • The primary DNS server for the main domain should stay with my hoster.

This is because the server is a playground, and if something broke while the nameserver daemon ran on it, DNS would be out of order. Also I was kind of lazy about getting my hoster to change the settings, and where would the fun be in the easy way anyway?

After looking around for some time, I found out about subzone delegation, which needs some additional RRs / resource records in the config of the main domain, but no changes to the DNS server which is authoritative for it. Ain't that an idea? Just exactly what I needed.

So here is a little howto on how to implement this, with an external CentOS server with a fixed IP, a Fritzbox router with a Raspberry Pi behind it, and a domain hosted at an ISP / Internet Service Provider. The Raspberry Pi runs a Raspbian install as its OS / operating system. Strictly speaking, the Raspberry Pi is not really necessary, but better 'for reasons'.

Example values in the following are:

  • mydomain.de for the domain, pointing to 10.10.10.1.
  • dyn.mydomain.de is the subzone, which will serve the dynamically changing ip.
  • the authoritative nameserver for the main domain is at 10.20.20.1
  • 10.10.10.1, where the main domain is pointed at, will also be the secondary DNS server which serves the dynamic domain as subzone of the main domain.
  • the mail address which is usually used is called email@domain.tld

The dynamic ip will be denoted as 999.999.999.999 in the following.

change RR's of main domain at your hoster

Add these two:

dyn.mydomain.de.             IN NS      ns.dyn.mydomain.de.
ns.dyn.mydomain.de.          IN A       10.10.10.1

Don't forget to increment the serial number (the first in the list of numbers after the SOA definition line), else your changes will not become public!

If you are lucky, you can add these two lines in a web interface that your domain hoster provides; else you have to tell the guys over there to change the settings for you.

install dns server on remote machine

On CentOS the bind9 DNS server is referred to as named ('name daemon').

yum install named -y

domain configuration of subdomain, on remote CentOS server

/var/named/master.dyn.mydomain.de:

; public zone master file
$TTL 1800
; provides minimal public visibility of external services
dyn.mydomain.de.  IN      SOA   ns.dyn.mydomain.de. email.domain.tld. (
                              2015042800    ; se = serial number
                              10800         ; ref = refresh
                              1800          ; ret = update retry
                              604800        ; ex = expiry
                              1800          ; min = minimum
                              )

dyn.mydomain.de.        IN NS      ns.dyn.mydomain.de.
;; the next line is the domain name of the name server for mydomain.de
;; it should also have a FQDN, so you don't just pass the IP, but add a second A RR for the NS RR
dyn.mydomain.de.        IN NS      ns.mydomain-or-else.de.

ns.dyn.mydomain.de.     IN  A       10.10.10.1
ns.mydomain-or-else.de. IN  A       10.20.20.1

dyn.mydomain.de.        IN  A       999.999.999.999

Also, when doing changes here, you have to increment the serial as well so that the changes become known. Usually this number is YYYYMMDDSS, if I remember correctly. It does not matter; it just has to be bigger after each change you make to it.

On the values of the other numbers following the serial, I don't exactly know what they do. I just remember someone telling me that RIPE would not be amused if TTLs were lower than 1800 s (0.5 h), so all of these are bigger than that.

At the line defining the SOA RR / start of authority resource record the second

Never forget the dots at the end of domain names when specifying absolute names (not just the string the subdomain is called); these denote the end of the current domain name. Else the current domain name will be appended and you will have some fun time figuring out why things do not work. NOT.

bind configuration for the subzone name server

On the external server, make sure bind listens on the public interface for DNS requests, so bind the listen port to the NIC with the external IP as well:

/etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 10.10.10.1; };

        ...
}

Also add the zone entry for your subzone:

zone "dyn.mydomain.de" IN {
        type master;
        file "master.dyn.mydomain.de";
        allow-query { any; };
};

On a side note, the zone file directory is /var/named/, so you just pass the file or directories below it to the file directive in the config, as shown above.

Enable logging:

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

And also create the file if it does not exist:

touch /var/named/data/named.run
chown -R named.named /var/named/data

With this configuration in place and a restart of the server, you should already be able to dig dyn.mydomain.de / nslookup dyn.mydomain.de / host dyn.mydomain.de. dig, the 'domain information groper', is the nicest one since it provides the most output, as long as you understand what you are doing. If you do, you know all this anyway.

troubleshooting

  • Do you have a firewall in place?
  • Is port 53 open?
  • What does tail -f /var/named/data/named.run tell you, right when you connect?
  • If you have fail2ban, is your IP currently banned?
  • Try a tcpdump on the external server on the IF / interface which holds the external IP.
  • Have a look at the log where dropped packets are logged on your system, if there is anything like that.

Try a debugging script like this (chmod a+x on the file may help):

#!/bin/bash

## check if domains are globally available
## you can also ask the google DNS via @8.8.8.8
## should print both ips, else you have something broken in your configuration...
## ... or the internet needs time to learn about your DNS, at most 30 minutes due to TTL 1800
echo GLOBAL
dig mydomain.de +short
echo dyn
dig dyn.mydomain.de +short
echo

## check if domains are available via your domain hoster's nameserver
## this should only serve the main domain
echo DOMAIN NS
dig @ns1.your-server.de mydomain.de +short
echo dyn
dig @ns1.your-server.de dyn.mydomain.de +short
echo

## check if domains are available via your own nameserver
## this should only serve your subdomain in our setup
echo OWN NS
dig @mydomain.de mydomain.de +short
echo dyn
dig @mydomain.de dyn.mydomain.de +short

If all works as expected, congratulations. Else good luck troubleshooting this.

What is still missing now is the configuration so that the DNS will be updated once your dynamic IP changes.

update DNS for the dynamic ip once it has changed, in theory

Every 24 hours I have a forced disconnect from my telecommunications company; that's when my home IP changes. On the router a scheduled reconnect can be set so this happens at a known time; I set it to 4am.

Now on the update of the DNS for the dynamic domain:
This has to be done from a machine which is behind your router, or from your router itself. Usually you do not have a router with a fully fledged operating system, or you do not want to open it up from outside your network for security reasons; this is why this is done via the Raspberry Pi behind it.

The Raspberry Pi installation and network configuration will be skipped here; it is assumed that you have a working ssh client and server installed on it and that your network works, so you can access the internet (and your external server) from it.

Via curl icanhazip.com you can easily get the external IP your router currently has; another possibility is to get it somehow directly from your router. The former is just way easier and will be used in the following.

BIND nowadays has the nsupdate facility (since v8? v9?), which lets you update the DNS remotely. Doing it via shell scripts and SSH will not work, as the zone file will be locked. Running scripts as root via SUID will not work either, as this is prohibited by the OS for security reasons.

A workaround would be a compiled C binary wrapper for the bash script, but just because it works does not mean you have to use it. Stick with nsupdate.

dns update in actual practice

create keypair

On the machine from where you want to update the DNS, you have to create a key pair. Use a valid email address, with a . instead of the @.

dnssec-keygen -a HMAC-SHA512 -b 512 -n USER email.domain.tld

make the key known to BIND

Put the public part onto your DNS server, and integrate it into BIND. The easiest and cleanest way is this, after scp'ing the pubkey up onto your server and into /etc/named/:

Insert into /etc/named.conf:

include "/etc/named.keys.conf";

Create /etc/named.keys.conf, and insert:

key email.domain.tld {
    algorithm HMAC-MD5;
    secret "insert-last-two-random-part-from-your-generated-public-key-file-into-here";
};

You might try using another algorithm, as there are several others available. But I am not sure if the setup will work then.

configure management rights for the new key on the nameserver

The key could either be given full access, which I did not need, so it was just given partial access:

/etc/named.conf, add to the dyn.mydomain.de zone:

update-policy {
    grant email.domain.tld subdomain dyn.mydomain.de A;
};

The part after grant is the key name. At a high level the syntax is:

grant <key> <type> <zone> <RR> [<RR>];

Restart the nameserver, to be safe, even though this might be unnecessary.

configure the update script, the helper file plus the cronjob on the updating host

There are three things needed:

  1. the actual script, which is run through the cron job
  2. the DNS statements which nsupdate will execute, located in a second file
  3. plus the cron job, so stuff is actually run in the end.

On the Raspberry Pi, for simplicity, this is done as the root user:

mkdir /root/bin
touch /root/bin/update-dns.sh
chmod a+x /root/bin/update-dns.sh
touch /root/bin/dns-update.statements

Contents of dns-update.statements:

server mydomain.de
zone dyn.mydomain.de
update delete dyn.mydomain.de A
update add dyn.mydomain.de 1800 A
show
send

Contents of update-dns.sh:

#!/bin/bash
## the router's current public ip, as seen from the outside
CURRENT="$(curl icanhazip.com)"
## what our own nameserver currently answers for the dynamic name
DNS="$(dig @ns.dyn.mydomain.de dyn.mydomain.de +short)"
## next two lines used for testing
#echo $CURRENT
#echo $DNS
if [ "$CURRENT" == "$DNS" ]; then exit 0;
else
    ## write the new ip into the "update add" line, then send the statements signed with the private key
    /bin/sed -i "s/\(update add dyn.mydomain.de 1800 A\).*/\1 $CURRENT/" /root/bin/dns-update.statements
    /usr/bin/nsupdate -k /etc/dns/Kemail.domain.tld.+157+26336.private -v /root/bin/dns-update.statements
fi

When it's shown like this, it should be obvious where you have to apply changes for your setup:

  • after the -k flag, where your private key's name has to be entered
  • generally where mydomain is in use

Take special care that the sed command will work; remember to change the "statements" file, too.

Actual testing took place by adding echo statements in every branch of the if statement, and running it every 5 seconds via watch:

watch -n5 -d /root/bin/update-dns.sh

That way I could identify errors easily. Once the update works, it will tell you so when the IP gets changed. No need to restart or reload the BIND server.

If all is working as expected, remove the show from the statements file; we just needed it during testing.

Also add the cron in /etc/crontab:

*/15 * * * * root /root/bin/update-dns.sh

Afterwards service cron restart, and you should have an updated DNS tomorrow and the day after tomorrow. And the following days, of course. :)

The cron job checks every 15 minutes if the IP has changed. Usually it would suffice if the check was run when the router resets.

But what about power outages? Router resets because somebody had to use the power outlet for the vacuum cleaner?
Just kidding, but it actually makes sense to update this periodically.
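The script above has one failure mode worth handling: if curl fails or answers with something that is not an address, CURRENT is empty or garbage, the comparison with the DNS answer fails, and sed writes that garbage into the update add line before nsupdate is called. As an added example, not the post's script and in Python rather than bash, here is the same flow with the fetched text validated first, the statements file rendered from scratch instead of edited in place, and a helper for the YYYYMMDDSS serial rule from the zone file section above. The curl and dig calls stay with the caller and their output is passed in as strings; 203.0.113.7 is a constructed stand-in for the post's 999.999.999.999 placeholder, and the key file path in the main block is a placeholder.

```python
"""Dynamic DNS update helpers for the nsupdate setup above.

Added example, not the post's script.  Same flow (compare the router's
public IP with what DNS answers, only then send an update), but the fetched
text is validated before it gets anywhere near nsupdate, the statements are
rendered fresh instead of edited with sed, and a YYYYMMDDnn zone serial can
be bumped for hand-edited master files.  The IP 203.0.113.7 is a constructed
stand-in for the post's 999.999.999.999 placeholder.
"""
import datetime
import ipaddress
import subprocess
from typing import Optional

# ranges that can never be a router's public IP; if one shows up, curl hit a
# captive portal or got an answer from the LAN side
NOT_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def valid_public_ipv4(text: str) -> Optional[str]:
    """The address if `text` is exactly one public IPv4, else None.

    Empty output (curl failed) or an HTML error page would otherwise end up
    as a broken 'update add' line, which is what the sed approach does.
    """
    candidate = text.strip()
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ValueError:
        return None
    if any(addr in net for net in NOT_PUBLIC):
        return None
    return str(addr)


def render_statements(server: str, zone: str, name: str, ip: str, ttl: int = 1800) -> str:
    """nsupdate input, generated from scratch on every run (no 'show' needed)."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {name} A",
        f"update add {name} {ttl} A {ip}",
        "send",
        "",
    ])


def plan_update(fetched: str, dns_answer: str, server: str = "mydomain.de",
                zone: str = "dyn.mydomain.de", name: str = "dyn.mydomain.de") -> Optional[str]:
    """Statements to send, or None when DNS is already right or the fetch was bad."""
    ip = valid_public_ipv4(fetched)
    if ip is None or ip == dns_answer.strip():
        return None
    return render_statements(server, zone, name, ip)


def send_update(statements: str, keyfile: str) -> int:
    """Feed the statements to nsupdate on stdin, signed with the TSIG key file."""
    return subprocess.run(["nsupdate", "-k", keyfile], input=statements, text=True).returncode


def next_serial(current: int, today: Optional[str] = None) -> int:
    """YYYYMMDDnn serial for a hand-edited zone file, always greater than `current`.

    `today` is 'YYYYMMDD' and defaults to the real date.  nsupdate bumps the
    serial itself; this is for the master file edited by hand.
    """
    today = today or datetime.date.today().strftime("%Y%m%d")
    base = int(today) * 100
    return base if base > current else current + 1


if __name__ == "__main__":
    # constructed run: DNS still answers the old address, so an update is due
    statements = plan_update("203.0.113.7\n", "203.0.113.6\n")
    print(statements or "nothing to do")
    # send_update(statements, "/etc/dns/<your-private-key-file>")   # placeholder path
```

Because the key in named.conf is only granted A records below dyn.mydomain.de, a mistake in the rendered statements can at worst change that one name; the validation here keeps even that from happening on a bad fetch.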

For questions I can be reached via twitter, see link on top of the site.

emacs: remote editing of files
posted on 2015-05-01 01:00:25

emacs comes, just like vim, with the possibility to open remote files within your editor. The usual syntax is this:

/<protocol>:<user>@<host>#<port>:<path-to-file>

From the emacs manual:

  1. If the host name starts with ‘ftp.’ (with dot), Emacs uses FTP.
  2. If the user name is ‘ftp’ or ‘anonymous’, Emacs uses FTP.
  3. If the variable tramp-default-method is set to ‘ftp’, Emacs uses FTP.
  4. If ssh-agent is running, Emacs uses scp.
  5. Otherwise, Emacs uses ssh.

Usually this is what you want, since it just works:

/ssh:username@host#port:/path/to/file.txt

ICMP types
posted on 2015-03-25 06:44:31

ICMP cheatsheet

In short, the most-needed stuff:

0 Echo reply
3 Destination unreachable
4 Source quench
5 Redirect (Change a Route)
8 Echo request
11 Time exceeded for a datagram
12 Parameter Problem on a datagram
13 Timestamp request
14 Timestamp reply
15 Information request
16 Information reply
17 Address mask request
18 Address mask reply 
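
To make the numbers above concrete, here is an added example in Python, not from the original post: it builds ICMP messages with a correct RFC 1071 checksum, parses the 8-byte header back, names the type and code from the cheat sheet (with the codes from the complete list further down for types 3, 5, 11 and 12), and verifies the checksum over the whole message. The packets are constructed inline; only the listed types and codes are mapped to names, everything else is reported by number.

```python
"""Build and parse ICMP (IPv4) messages using the type/code numbers listed here.

Added example, not from the original post; all packets are constructed
inline.  Only types/codes from the cheat sheet are mapped to names.
"""
import struct
from typing import Any, Dict

TYPE_NAMES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 9: "Router Advertisement", 10: "Router Selection",
    11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp",
    14: "Timestamp Reply", 15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply", 30: "Traceroute",
}
CODE_NAMES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
        5: "Source Route Failed", 13: "Communication Administratively Prohibited"},
    5: {0: "Redirect Datagram for the Network (or subnet)", 1: "Redirect Datagram for the Host",
        2: "Redirect Datagram for the Type of Service and Network",
        3: "Redirect Datagram for the Type of Service and Host"},
    11: {0: "Time to Live exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
    12: {0: "Pointer indicates the error", 1: "Missing a Required Option", 2: "Bad Length"},
}

HEADER = struct.Struct("!BBHI")   # type, code, checksum, 4-byte rest-of-header


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; ICMP covers the whole message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Assemble a message, computing the checksum with the field zeroed first."""
    head = HEADER.pack(icmp_type, code, 0, rest)
    return HEADER.pack(icmp_type, code, checksum(head + payload), rest) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Type 8 / code 0; the rest-of-header carries identifier and sequence number."""
    return build_icmp(8, 0, (ident << 16) | seq, payload)


def parse_icmp(message: bytes) -> Dict[str, Any]:
    """Decode the header, name the type/code, and verify the checksum."""
    if len(message) < HEADER.size:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _, rest = HEADER.unpack_from(message)
    return {
        "type": icmp_type,
        "code": code,
        "name": TYPE_NAMES.get(icmp_type, f"type {icmp_type}"),
        "code_name": CODE_NAMES.get(icmp_type, {}).get(
            code, "No Code" if code == 0 else f"code {code}"),
        "rest_of_header": rest,
        # RFC 1191: for type 3 / code 4 the low 16 bits of the rest-of-header hold the next-hop MTU
        "next_hop_mtu": rest & 0xFFFF if (icmp_type, code) == (3, 4) else None,
        "payload": message[HEADER.size:],
        # a valid message sums (checksum field included) to all ones, so its complement is 0
        "checksum_ok": checksum(message) == 0,
    }


if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 1, b"hello")))
    print(parse_icmp(build_icmp(3, 4, rest=1500, payload=bytes(28))))
```

The type 3 / code 4 message is the one that the MTU check further up relies on: when a router drops a Don't Fragment ping, this is what it sends back, and a firewall that filters all ICMP also filters this, which is how path MTU discovery black holes come about.
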

complete overview

This is more or less copy-paste from here.

ICMP TYPE NUMBERS

The Internet Control Message Protocol (ICMP) has many messages that
are identified by a "type" field.

Type    Name                                    Reference
----    -------------------------               ---------
  0     Echo Reply                               [RFC792]
  1     Unassigned                                  [JBP]
  2     Unassigned                                  [JBP]
  3     Destination Unreachable                  [RFC792]
  4     Source Quench                            [RFC792]
  5     Redirect                                 [RFC792]
  6     Alternate Host Address                      [JBP]
  7     Unassigned                                  [JBP]
  8     Echo                                     [RFC792]
  9     Router Advertisement                    [RFC1256]
 10     Router Selection                        [RFC1256]
 11     Time Exceeded                            [RFC792]
 12     Parameter Problem                        [RFC792]
 13     Timestamp                                [RFC792]
 14     Timestamp Reply                          [RFC792]
 15     Information Request                      [RFC792]
 16     Information Reply                        [RFC792]
 17     Address Mask Request                     [RFC950]
 18     Address Mask Reply                       [RFC950]
 19     Reserved (for Security)                    [Solo]
 20-29  Reserved (for Robustness Experiment)        [ZSu]
 30     Traceroute                              [RFC1393]
 31     Datagram Conversion Error               [RFC1475]
 32     Mobile Host Redirect              [David Johnson]
 33     IPv6 Where-Are-You                 [Bill Simpson]
 34     IPv6 I-Am-Here                     [Bill Simpson]
 35     Mobile Registration Request        [Bill Simpson]
 36     Mobile Registration Reply          [Bill Simpson]
 37     Domain Name Request                     [Simpson]
 38     Domain Name Reply                       [Simpson]
 39     SKIP                                    [Markson]
 40     Photuris                                [Simpson]
 41-255 Reserved                                    [JBP]

Many of these ICMP types have a "code" field.  Here we list the types
again with their assigned code fields.

Type    Name                                    Reference
----    -------------------------               ---------
  0     Echo Reply                               [RFC792]
        Codes
            0  No Code
  1     Unassigned                                  [JBP]
  2     Unassigned                                  [JBP]
  3     Destination Unreachable                  [RFC792]
        Codes
            0  Net Unreachable
            1  Host Unreachable
            2  Protocol Unreachable
            3  Port Unreachable
            4  Fragmentation Needed and Don't Fragment was Set
            5  Source Route Failed
            6  Destination Network Unknown
            7  Destination Host Unknown
            8  Source Host Isolated
            9  Communication with Destination Network is
               Administratively Prohibited
           10  Communication with Destination Host is
               Administratively Prohibited
           11  Destination Network Unreachable for Type of Service
           12  Destination Host Unreachable for Type of Service
           13  Communication Administratively Prohibited      [RFC1812]
           14  Host Precedence Violation                      [RFC1812]
           15  Precedence cutoff in effect                    [RFC1812]
  4     Source Quench                            [RFC792]
        Codes
            0  No Code
  5     Redirect                                 [RFC792]
        Codes
            0  Redirect Datagram for the Network (or subnet)
            1  Redirect Datagram for the Host
            2  Redirect Datagram for the Type of Service and Network
            3  Redirect Datagram for the Type of Service and Host
  6     Alternate Host Address                      [JBP]
        Codes
            0  Alternate Address for Host
  7     Unassigned                                  [JBP]
  8     Echo                                     [RFC792]
        Codes
            0  No Code
  9     Router Advertisement                    [RFC1256]
        Codes
            0  No Code
 10     Router Selection                        [RFC1256]
        Codes
            0  No Code
 11     Time Exceeded                            [RFC792]
        Codes
            0  Time to Live exceeded in Transit
            1  Fragment Reassembly Time Exceeded
 12     Parameter Problem                        [RFC792]
        Codes
            0  Pointer indicates the error
            1  Missing a Required Option        [RFC1108]
            2  Bad Length
 13     Timestamp                                [RFC792]
        Codes
            0  No Code
 14     Timestamp Reply                          [RFC792]
        Codes
            0  No Code
 15     Information Request                      [RFC792]
        Codes
            0  No Code
 16     Information Reply                        [RFC792]
        Codes
            0  No Code
 17     Address Mask Request                     [RFC950]
        Codes
            0  No Code
 18     Address Mask Reply                       [RFC950]
        Codes
            0  No Code
 19     Reserved (for Security)                    [Solo]
 20-29  Reserved (for Robustness Experiment)        [ZSu]
 30     Traceroute                              [RFC1393]
 31     Datagram Conversion Error               [RFC1475]
 32     Mobile Host Redirect              [David Johnson]
 33     IPv6 Where-Are-You                 [Bill Simpson]
 34     IPv6 I-Am-Here                     [Bill Simpson]
 35     Mobile Registration Request        [Bill Simpson]
 36     Mobile Registration Reply          [Bill Simpson]
 39     SKIP                                    [Markson]
 40     Photuris                                [Simpson]

Code
0   Reserved
1   unknown security parameters index
2   valid security parameters, but authentication failed
3   valid security parameters, but decryption failed

===================================================================
RHEL: configure static ip
posted on 2015-03-24 01:13:02

From somewhere on the internet I found this handy gist, which got some improvements:

## Configure eth0
#
# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"
NAME="eth0"
TYPE=Ethernet
ONBOOT=yes
HWADDR=A4:BA:DB:37:F1:04
IPADDR=192.168.1.44
PREFIX=24
BOOTPROTO=static
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03


## Configure Default Gateway
#
# vi /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=centos6
GATEWAY=192.168.1.1


## Restart Network Interface (as root)
#
### DONT!
/etc/init.d/network restart
### DO!
ifdown eth0; ifup eth0

## Configure DNS Server
#
# vi /etc/resolv.conf

nameserver 8.8.8.8 # Replace with your nameserver ip
nameserver 192.168.1.1 # Replace with your nameserver ip 

This may be expanded later on, this is just a quick post.

CentOS: dig? nslookup?
posted on 2015-01-22 01:28:44

If you are missing dig or host or nslookup on CentOS:

yum install -y bind-utils

OpenSSL Ciphers
posted on 2014-12-10 18:00:06

This will show you the currently available secure ciphers:

openssl ciphers 'HIGH:MEDIUM:!MD5:!RC4:!aNULL:!eNULL:!EXPORT:!SEED:!PSK' | sed 's/:/\n/g'

The sed afterwards is just so you will have the output with one cipher per line.

The part after 'ciphers' and before the pipe is what you actually have to put into your apache config.

DNS Howto
posted on 2014-11-22 23:46:28

DNS entries, which are called RR's (Resource Records), come in many different flavours. This post is intended to bring the absolute minimum knowledge to the table.

For a usual DNS entry you need an A record, paired with a PTR record if you want reverse lookups to work. That means: having an IP, being able to resolve it back to a domain.

For convenience, there also exist CNAME records. These just redirect a domain to another domain (not an ip!).

SOA, MX, TXT and others will not be part of this post here.

A

my_domain_name.tld           ---   A   ---> 10.0.0.1

PTR

1.0.0.10.in-addr.arpa        ---  PTR  ---> my_domain_name.tld

CNAME

subdomain.my_domain_name.tld --- CNAME ---> my_domain_name.tld
my_second_domain.tld         --- CNAME ---> my_domain_name.tld

The use case here is that you only have to change a single entry (the A record) when the IP changes, not all the other (sub-)domains too, as long as these are created as CNAME's.

This brings along a small increase in latency, since technically looking up such a domain results in two DNS lookups being processed.

Some short words on the other records mentioned:

SOA = Start of Authority, this RR declares this nameserver authoritative for the given domain

TXT = e.g. can be used for SPF (Sender Policy Framework), to determine which foreign mailservers are allowed to send mails for the domain

MX = tells the location of the mailserver of this domain. Several RR's can exist.

On how RR's are structured, what the timings are for and how to configure a bind9 server, another post will eventually come.
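As an added example (not part of the post), here is the reverse-name construction, the CNAME chasing that causes the extra lookup, and a forward-confirmed reverse check, run over a constructed zone that uses the post's placeholder names plus a hypothetical loop-a/loop-b pair for the failure case:

```python
# Added example (not from the post): forward/reverse/CNAME resolution over a constructed
# zone. Record names mirror the post's placeholders (my_domain_name.tld etc.); the
# loop-a/loop-b pair is a hypothetical addition to show the failure mode.
ZONE = {
    ("my_domain_name.tld", "A"): "10.0.0.1",
    ("1.0.0.10.in-addr.arpa", "PTR"): "my_domain_name.tld",
    ("subdomain.my_domain_name.tld", "CNAME"): "my_domain_name.tld",
    ("my_second_domain.tld", "CNAME"): "my_domain_name.tld",
    ("loop-a.example", "CNAME"): "loop-b.example",   # a broken CNAME cycle
    ("loop-b.example", "CNAME"): "loop-a.example",
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record: octets reversed, then .in-addr.arpa
    (10.0.0.1 -> 1.0.0.10.in-addr.arpa)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def resolve(name: str, rtype: str = "A", zone=ZONE, max_hops: int = 8):
    """Look up rtype for name, following CNAMEs the way a resolver does.
    Returns (value or None, number of lookups); the count shows the extra round
    trip a CNAME costs. Raises RuntimeError on a CNAME loop or a chain that is too long."""
    current = name.rstrip(".").lower()
    seen = set()
    lookups = 0
    while True:
        lookups += 1
        if (current, rtype) in zone:
            return zone[(current, rtype)], lookups
        target = zone.get((current, "CNAME"))
        if target is None:
            return None, lookups
        if current in seen or lookups > max_hops:
            raise RuntimeError(f"CNAME loop or chain too long at {current}")
        seen.add(current)
        current = target.rstrip(".").lower()


def forward_reverse_consistent(name: str, zone=ZONE) -> bool:
    """Forward-confirmed reverse DNS: name -> A -> PTR must come back to the same name.
    Mail servers commonly check this, and a CNAME alias fails it because the PTR can
    only point at one name (the one of the A record)."""
    ip, _ = resolve(name, "A", zone)
    if ip is None:
        return False
    back, _ = resolve(reverse_name(ip), "PTR", zone)
    return back is not None and back.rstrip(".").lower() == name.rstrip(".").lower()


if __name__ == "__main__":
    for qname in ("my_domain_name.tld", "subdomain.my_domain_name.tld", "my_second_domain.tld"):
        print(qname, resolve(qname), "FCrDNS ok:", forward_reverse_consistent(qname))
```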

Ethernet standards, cable lengths, throughputs
posted on 2014-11-19 10:30:45

Nowadays commonly used networking cables are of the standards Cat5 to Cat7e.

This shall serve as a rough overview and omits unneeded information on purpose (!):

Cat 5   100m  100Base-TX (1GBase-T in newer ones, too, no idea about the cable length)
Cat 5e  100m   1GBase-T
Cat 6   100m   1GBase-T
Cat 6e   55m  10GBase-T
Cat 7   100m  10GBase-T
Cat 7e   ??m  10GBase-T, 40GBase-T, 100GBase-T

Old Cat5 cables could not transmit data at 1G; for that, Cat5e (extended) came along later. But later on, during a revision of the standards (around 2002/2003), Cat5e disappeared and was called solely 'Cat5' again. So in old networks, use a cable tester to make sure your cable is gigabit-capable.

Also keep in mind that of a total cable length of 100m you should not use more than 10 meters of patch cabling.

Further, Cat7/7e cables have new plugs, which are of the GG45 standard. This is because the distance between the cable conductors would be too small if RJ45 plugs were used. Cat7/7e cables with regular RJ45 plugs do not exist: they are copycat material which will not live up to the Cat7/7e specifications!

Regular RJ45 plugs can be put into GG45 jacks, but the overall throughput will then be limited by the cable. The other way round will not work, since the GG45 plug has an additional protrusion. Also, GG45 has four additional conductors in the edges of the plug, which are missing in RJ45 products.

Static routing in linux
posted on 2014-10-07 10:46:49

All you need to know for creating static routes:

ip route add {NETWORK} via {IP} dev {DEVICE}

Example when actually used:

ip route add 192.168.55.0/24 via 192.168.1.254 dev eth1

or the old way via the deprecated route command:

route add -net 192.168.55.0 netmask 255.255.255.0 gw 192.168.1.254 dev eth1

RedHat Networking Docs (Oracle Linux)
posted on 2014-10-01 12:22:53

Here is a short linklist, because Oracle's documentation is the best I have seen so far.

Oracle Linux Administrator's Guide for Release 6

Part II Networking and Network Services

Chapter 11 Network Configuration

Why is this fine for RedHat stuff?

RHEL / RedHat Enterprise Linux is the 'original' distribution from Red Hat. Fedora is the 'testing distribution' from the company Red Hat. The differences between Fedora and RHEL are the lifetimes (support, EOL, update frequencies, up-to-date packages); RHEL is focused on stability. Red Hat's sources for its distributions are open to the public. CentOS, Oracle Linux and Scientific Linux are created from the Red Hat sources, but basically without all the RedHat logos.

Thus, the documentation of the one is sufficient for the other distributions.

CIDR by hand
posted on 2014-09-28 17:26:43

For calculating ipv4 subnetmasks for classless inter-domain routing, there exist calculators. I just grew tired of them.

the powers of 2

Since they are elemental:

2^0  = 1
2^1  = 2
2^2  = 4
2^3  = 8
2^4  = 16
2^5  = 32
2^6  = 64
2^7  = 128
2^8  = 256
2^9  = 512
2^10 = 1024
2^11 = 2048
2^12 = 4096
2^13 = 8192
2^14 = 16384
2^15 = 32768
2^16 = 65536

The tricky bit later is to remember that these are the possible values, but not to fall for off-by-one errors later on.

ip addresses and subnet masks

Any IP address or subnet mask consists of 32 bits, or more to the point, four octets. Let's look at some examples, for training purposes:

# in decimal
10.0.0.1
10.255.255.254
# in binary
00001010.00000000.00000000.00000001
00001010.11111111.11111111.11111110

# in decimal
192.168.0.1
192.168.255.254
# in binary
11000000.10101000.00000000.00000001
11000000.10101000.11111111.11111110

# in decimal
255.255.255.0
255.255.255.255
# in binary
11111111.11111111.11111111.00000000
11111111.11111111.11111111.11111111

So the subnets are numbered just by the count of 1's.

regular subnets

An overview of the 'regular' ones; the amount of hosts is explained later:

255.255.255.255 = 11111111.11111111.11111111.11111111
                = 32 x 1
                = /32 subnet (one single host)

255.255.255.0   = 11111111.11111111.11111111.00000000
                = 24 x 1
                = /24 subnet (254 hosts, class C net)

255.255.0.0     = 11111111.11111111.00000000.00000000
                = 16 x 1
                = /16 subnet (65.535 hosts, class B net)

255.0.0.0       = 11111111.00000000.00000000.00000000
                = 8 x 1
                = /8 subnet (16.777.216 hosts, class A net)

class c subnets in detail

And an in-depth look at the ones for splitting class C nets, and why hosts (and a whole subnet) seem to be missing:

11111111.11111111.11111111.11111111 = /32 = 2^0 IP's = 1 host

11111111.11111111.11111111.11111100 = /30 = 2^2-2 IP's = 2 hosts
11111111.11111111.11111111.11111000 = /29 = 2^3-2 IP's = 6 hosts
11111111.11111111.11111111.11110000 = /28 = 2^4-2 IP's = 14 hosts
11111111.11111111.11111111.11100000 = /27 = 2^5-2 IP's = 30 hosts
11111111.11111111.11111111.11000000 = /26 = 2^6-2 IP's = 63 hosts
11111111.11111111.11111111.10000000 = /25 = 2^7-2 IP's = 126 hosts
11111111.11111111.11111111.00000000 = /24 = 2^8-2 IP's = 254 hosts

and

11111111.11111111.11111111.11111111 = /32 = 255.255.255.255

11111111.11111111.11111111.11111100 = /30 = 255.255.255.252
11111111.11111111.11111111.11111000 = /29 = 255.255.255.248
11111111.11111111.11111111.11110000 = /28 = 255.255.255.240
11111111.11111111.11111111.11100000 = /27 = 255.255.255.224
11111111.11111111.11111111.11000000 = /26 = 255.255.255.192
11111111.11111111.11111111.10000000 = /25 = 255.255.255.128
11111111.11111111.11111111.00000000 = /24 = 255.255.255.0

no '/31' ?

Why is /31 'missing'? See here:

11111111.11111111.11111111.11111110 = /31 = 2^1-2 IP's = 0 hosts = NONSENSE
11111111.11111111.11111111.11111110 = /31 = NONSENSE

/32 is a network consisting of just a single host address, and thus fine. But any network with more than one host needs a network base address and a broadcast address. For the net the .0 is used, and .255 for broadcast, thus two IP's are already taken in every subnet.
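As an added example (not from the post), the subnet arithmetic done by hand above, written out in code: netmask from prefix and back, the binary form, usable host counts with the "-2" for network and broadcast, and, going one step further, the longest-prefix match that decides which of the static routes from the "Static routing in linux" post a packet takes. The route table and addresses are constructed from the posts; function names are my own.

```python
# Added example (not from the posts): the subnet arithmetic done above by hand,
# plus the longest-prefix match that decides which static route a packet uses.
# All addresses and routes below are constructed to mirror the posts.

def ip_to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer, validating each octet."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return (int(octets[0]) << 24) | (int(octets[1]) << 16) | (int(octets[2]) << 8) | int(octets[3])


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """The dotted binary form used in the post: 10.0.0.1 -> 00001010.00000000.00000000.00000001"""
    return ".".join(f"{(ip_to_int(addr) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> str:
    """/N -> netmask with N leading ones, e.g. /26 -> 255.255.255.192."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def prefix_from_mask(mask: str) -> int:
    """netmask -> /N by counting the leading ones; rejects non-contiguous masks."""
    bits = f"{ip_to_int(mask):032b}"
    ones = len(bits.rstrip("0"))
    if "0" in bits[:ones]:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def usable_hosts(prefix: int) -> int:
    """Host count as in the post: /32 is one host, otherwise 2^(32-N) minus network
    and broadcast. That formula yields 0 for /31; RFC 3021 does allow /31 on
    point-to-point links (both addresses used), but the post treats it as unusable."""
    if prefix == 32:
        return 1
    return 2 ** (32 - prefix) - 2


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, first/last host and netmask for an address in CIDR notation."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = ip_to_int(mask_from_prefix(prefix))
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    hosts = usable_hosts(prefix)
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "netmask": int_to_ip(mask),
        "first_host": int_to_ip(network + 1) if hosts > 1 else int_to_ip(network),
        "last_host": int_to_ip(broadcast - 1) if hosts > 1 else int_to_ip(network),
        "hosts": hosts,
    }


def lookup_route(routes, dst: str):
    """Longest-prefix match: the most specific route containing dst wins, which is how
    the kernel chooses between 'ip route add 192.168.55.0/24 via ...' and the default.
    routes is a list of (cidr, gateway, device); returns (gateway, device) or None."""
    dst_int = ip_to_int(dst)
    best = None
    for cidr, gateway, device in routes:
        net, prefix = cidr.split("/")
        prefix = int(prefix)
        mask = ip_to_int(mask_from_prefix(prefix))
        if dst_int & mask == ip_to_int(net) & mask and (best is None or prefix > best[0]):
            best = (prefix, gateway, device)
    return None if best is None else (best[1], best[2])


# Constructed route table: the default gateway and the static route from the posts.
ROUTES = [
    ("0.0.0.0/0", "10.0.0.1", "eth0"),
    ("192.168.55.0/24", "192.168.1.254", "eth1"),
]

if __name__ == "__main__":
    for cidr in ("10.0.0.2/24", "192.168.1.77/26"):
        print(cidr, subnet_info(cidr))
    for dst in ("192.168.55.10", "8.8.8.8"):
        print(dst, "->", lookup_route(ROUTES, dst))
```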

linux: configure networking temporarily from shell without ifup/ifdown
posted on 2014-09-09 13:00:21

In Debian-based distros, usually you change /etc/network/interfaces accordingly, then use ifdown and ifup to bring the changes into action. (Do not think of service networking restart or similar, these approaches will most likely NOT WORK PROPERLY!)

In general ip a is short for ip addr, ip l is short for ip link, ip r is short for ip route.

NOTE:
All which is done here, will only be temporary!
All settings will be gone after the next reboot.
These steps are presented here in case you have to debug a failing install process (You actually can get to a console during a Debian install!) or when troubleshooting network problems.

Only exception are the DNS settings, these should stick.

If you need the settings to stick, just edit the config files.

overview up front

  1. add IP to interface
  2. take interface down
  3. take interface up
  4. add gateway route
  5. fix dns if needed

setup

Use these commands as you need them. Maybe you need to flush the interface first, maybe just remove a single IP, I do not know. Without further ado, these are what you most likely will need:

Check current settings:

ip a

To just test IPs on single NICs, add them to the interface:

ip a a 10.0.0.2/24 dev eth0

To remove a single address:

ip a d 10.0.0.2/24 dev eth0

To remove all addresses:

ip a f dev eth0

deactivating / activating the interface

This means basically deactivating and reactivating the interface in question.

ip l s eth0 down
ip l s eth0 up

Check what happened:

ip a

# also maybe helpful: ('no carrier'!)
ip l

If it says 'UP', the interface is in its desired state. If however it says 'NO-CARRIER', there is no network cable attached.

routing

Also a gateway is needed. Usually like this:

ip r add default via 10.0.0.1 dev eth0

dns

Now you should be set; maybe you are still missing DNS resolution, if no DNS servers were set prior to this. To verify: ping 8.8.8.8 will work in this case, whereas ping google.com will not.

echo 'nameserver 8.8.8.8' >> /etc/resolv.conf

lessons learned

Instead of using /etc/network/interfaces, where the configuration from above would look like this:

auto eth0
iface eth0 inet static
    address 10.0.0.2
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255
    gateway 10.0.0.1

and where you'd have to follow up the editing with an ifdown eth0; wait; ifup eth0, or use the already-or-about-to-be-deprecated ifconfig, you do this, purely on the shell:

ip a f eth0
ip l s eth0 down
ip l s eth0 up
ip a a 10.0.0.2/24 dev eth0
ip r a default via 10.0.0.1 dev eth0
echo 'nameserver 8.8.8.8' >> /etc/resolv.conf

which is in long form: (if you prefer to type more and need detailed explanations)

# delete all addresses from interface eth0
ip addr flush eth0

# deactivate eth0
ip link set eth0 down

# activate eth0
ip link set eth0 up

# set ip address and netmask in interface eth0
# netmask is done by specifying the /24 subnet (...)
ip addr add 10.0.0.2/24 dev eth0

# add the gateway
ip route add default via 10.0.0.1 dev eth0

# fix dns, if needed, as root
echo 'nameserver 8.8.8.8' >> /etc/resolv.conf

A list of all these abbreviations is due, it seems. And thou shalt reread this here again and again. Seriously.

Network Stats on FreeBSD
posted on 2014-08-21 16:51:25

To see proper load and complete stats on a FreeBSD (e.g. a pfSense), use:

systat -ifstat 1

Which gives something like this:

                    /0   /1   /2   /3   /4   /5   /6   /7   /8   /9   /10
 Load Average

  Interface           Traffic               Peak                Total
     ovpns1  in      0.000 KB/s          1.714 KB/s           84.050 MB
             out     0.000 KB/s          3.965 KB/s          202.886 MB

        lo0  in      0.000 KB/s          0.000 KB/s          200.695 KB
             out     0.000 KB/s          0.000 KB/s          200.695 KB

       enc0  in      0.301 KB/s          0.618 KB/s          615.144 MB
             out     0.243 KB/s          0.483 KB/s          334.407 MB

        em2  in      0.095 KB/s          0.152 KB/s           28.847 MB
             out     0.095 KB/s          0.095 KB/s           28.016 MB

        em1  in    158.298 KB/s        206.448 KB/s          202.662 GB
             out    10.525 KB/s         71.434 KB/s           39.187 GB

        em0  in     11.428 KB/s         72.010 KB/s           41.853 GB
             out    49.342 KB/s         79.099 KB/s           88.548 GB

hosts
posted on 2014-08-19 17:33:31

To test migrated webpages before the DNS configuration is active, add a line like this to your local hosts file:

10.0.0.1 mydomain.de www.mydomain.de

Domain and IP are examples, of course.

Depending on the operating system you use, there are different ways to achieve this:

Linux

Change the file /etc/hosts. Just append the line, leave everything else untouched.

Windows

What you actually have to type:

  1. In Windows press Windowskey + r, type cmd, Enter
  2. type cd %SystemRoot%\system32\drivers\etc, Enter
  3. notepad hosts, Enter
  4. 10.0.0.1 mydomain.de www.mydomain.de is to be appended at the end
  5. Save file, close

Now you should be able to test the page from a browser of your choice by accessing the URL.

Once you are satisfied that all is working accordingly, don't forget to remove the entry you just made.

Apache, mod_proxy, tomcat, two ip's on Debian
posted on 2014-07-31 13:45:12

To get an apache serving different IPs and sites at once, all on port 80, plus handing requests through to tomcat, this guide tries to explain the necessary steps.

networking

First, set up a second ip for proper networking:

/etc/network/interfaces:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

#allow-hotplug eth0
auto eth0 
iface eth0 inet static
        address 10.0.0.21
        netmask 255.255.255.0
        network 10.0.0.0
        broadcast 10.0.0.255
        gateway 10.0.0.1

auto eth0:1
iface eth0:1 inet static
        address 10.0.0.22
        netmask 255.255.255.0

For security reasons, the actual subnet used was replaced with 10.0.0.0/24. Use your own. :)

IP 1 is 10.0.0.21, IP 2 is 10.0.0.22 here.

Do not forget to take the interface up afterwards:

$ ifdown eth0
$ ifup eth0

Also do not use service networking restart, it is a deprecated command.
Do not use ip l set eth0 down and ip l set eth0 up for this either. It will bring the link back up, but you won't have IP addresses assigned. For more information: the iproute2 tool suite is really mighty, but you may need some more in-depth knowledge.

Then

$ ip a

should show you something like this:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:ea:45:ac brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.21/24 brd 10.0.0.255 scope global eth0
    inet 10.0.0.22/24 brd 10.0.0.255 scope global secondary eth0:1

Then eth0 has state UP (not DOWN) and you see both IPs properly assigned. If you do not use a syntax like eth0:1 for the second IP in /etc/network/interfaces, you will only see one IP shown by the deprecated ifconfig command!

tomcat

Tomcat's settings should best be left untouched, so it listens on localhost, port 8080.

/etc/tomcat7/server.xml:

...

   <Connector port="8080" protocol="HTTP/1.1"
              connectionTimeout="20000"
              URIEncoding="UTF-8"
              redirectPort="8443" 
              address="localhost"/>

...

If apache's mod_proxy were not used, the second IP (10.0.0.22) could be set here for address, and the port to 80. However, you'd need a privileged linux system account if you want to use a port below 1024. If you do not want this, you have to use either mod_proxy, mod_proxy_ajp, or mod_jk. The latter is the fastest and has the most settings, but is surely more complex, too. mod_proxy_ajp is in between both, speed-wise. mod_proxy however works with any backend, not just tomcat or other servlet containers.

apache

ports.conf

/etc/apache2/ports.conf

Listen 80
Listen 443
NameVirtualHost 10.0.0.21:80
NameVirtualHost 10.0.0.21:443

Note that you may need to drop the 443 lines if you do not use https. The NameVirtualHost directive tells apache to enable name-based virtual host support. This is needed since our apache serves several domains. If the directive were omitted, apache would only ever serve the first domain it finds in its loading process. (Can be shown via apache2ctl -S.)

Since Tomcat serves only one site, no name-based virtual hosting is needed for it, thus no entry is needed.

virtualhost configs

Furthermore it is assumed that you already have an existing vhost file for each domain, which is properly structured, enabled and working. The sites are named firstsite.de, secondsite.de and tomcatsite.org and already reside in /etc/apache2/sites-available.

First IP: 10.0.0.21

/etc/apache2/sites-available/000-firstsite.de

<VirtualHost 10.0.0.21:80>
    ServerName firstsite.de
    ServerAlias www.firstsite.de
    ...

/etc/apache2/sites-available/001-secondsite.de

<VirtualHost 10.0.0.21:80>
    ServerName secondsite.de
    ServerAlias www.secondsite.de
    ...

Second IP: 10.0.0.22

/etc/apache2/sites-available/002-proxy-for-tomcat

<VirtualHost 10.0.0.22:80>
    ServerName tomcatsite.org
    ServerAlias www.tomcatsite.org
    ...

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ...

The 000-, 001- and 002- are just prefixes, to ensure the order of the pages being loaded.
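To see why the load order matters, here is an added example (not from the post, and not apache's own code): a small model of apache's vhost selection, run over the three vhosts above. select_vhost is a hypothetical helper; the vhost list is constructed from the post's files.

```python
# Added example (not from the post): a model of how apache picks a vhost for a
# request, to show why the 000-/001-/002- load order matters. The vhost list is
# constructed from the three files in the post; select_vhost is a hypothetical helper.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class VHost:
    listen_ip: str         # the <VirtualHost ip:port> address
    port: int
    server_name: str       # ServerName
    aliases: tuple = ()    # ServerAlias entries, may contain * and ? wildcards
    config_file: str = ""  # file under sites-available, for readable results


# Load order follows the 000-/001-/002- prefixes of the file names.
VHOSTS = [
    VHost("10.0.0.21", 80, "firstsite.de", ("www.firstsite.de",), "000-firstsite.de"),
    VHost("10.0.0.21", 80, "secondsite.de", ("www.secondsite.de",), "001-secondsite.de"),
    VHost("10.0.0.22", 80, "tomcatsite.org", ("www.tomcatsite.org",), "002-proxy-for-tomcat"),
]


def select_vhost(vhosts, dest_ip: str, dest_port: int, host_header: str):
    """Return the vhost apache would serve the request with, or None.

    1. keep only the vhosts bound to the ip:port the request arrived on;
    2. compare the Host header (port stripped, case-insensitive) with ServerName
       and ServerAlias of each candidate, in load order;
    3. with no name match, the first vhost loaded for that ip:port is the default.
    Step 3 is what the prefixes control: an unknown Host header on 10.0.0.21 lands
    on 000-firstsite.de. A dedicated catch-all vhost loaded first keeps requests
    with arbitrary Host values away from the real sites.
    """
    candidates = [v for v in vhosts if v.listen_ip == dest_ip and v.port == dest_port]
    if not candidates:
        return None
    host = host_header.split(":", 1)[0].rstrip(".").lower()  # drop an optional :port
    for v in candidates:
        if host == v.server_name.lower():
            return v
        if any(fnmatchcase(host, alias.lower()) for alias in v.aliases):
            return v
    return candidates[0]  # apache's default vhost for this ip:port


if __name__ == "__main__":
    for ip, host in (("10.0.0.21", "www.secondsite.de"), ("10.0.0.21", "unknown.example"),
                     ("10.0.0.22", "firstsite.de")):
        chosen = select_vhost(VHOSTS, ip, 80, host)
        print(f"{host:>20} on {ip} -> {chosen.config_file if chosen else None}")
```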

mod_proxy

Enable the apache proxy module.

$ a2enmod proxy
$ a2enmod proxy_http

finish

Enable the vhost configs and restart the web server.

$ a2ensite 000-firstsite.de
$ a2ensite 001-secondsite.de
$ a2ensite 002-proxy-for-tomcat
$ service apache2 restart

Autonegotiation and Parallel Detection
posted on 2014-07-28 14:57:51

Autonegotiation is the process of determining the duplex mode and speed of a connection between two network devices.

Possible values are:

Speed: 10Mbps, 100Mbps, 1000Mbps/1Gbps, 10Gbps
Duplex: Half-Duplex, Full-Duplex

Half duplex mode means, data can only flow in one direction at a given time.
Full duplex mode tells, data can be sent and received at the same time.

The process usually goes like this:

  • If the NIC is not set to a speed and transfer mode explicitly (e.g. 100Mbps Full-Duplex), autonegotiation is tried.
  • In case the other network device is set to autonegotiation too, autonegotiation is tried and will succeed.
  • If the other side is not running in autonegotiation mode, autonegotiation will fail.
  • Then parallel detection is tried. The problem here is that this will only determine the link speed, not the duplex mode.
  • So in case both sides are not running the same detection mode, the speed will be determined and the duplex mode will be set to the default one for the connection speed.

Which is, for 10Mbps and 100Mbps, only half-duplex.

Most 10Base-T Ethernet devices only support half-duplex mode, so be careful when using 'full'. Most 100Base-T hardware supports full-duplex, but the default is also only half-duplex.

In other words, when troubleshooting 'slow' networks, double-check that the settings on both sides are the same for speed and duplex mode. Because even when autonegotiation seems to work, it may actually be parallel detection kicking in and setting slower speeds/connections than would be possible.

ip commands in linux
posted on 2014-06-23 17:28:11

The currently commonly used tools and which ones will succeed them:

Purpose                        | Legacy net-tools | iproute2
-------------------------------+------------------+-----------------
Address and link configuration | ifconfig         | ip addr, ip link
Routing tables                 | route            | ip route
Neighbors                      | arp              | ip neigh
VLAN                           | vconfig          | ip link
Tunnels                        | iptunnel         | ip tunnel
Multicast                      | ipmaddr          | ip maddr
Statistics                     | netstat          | ss

Home networking and WLAN Routers
posted on 2014-05-10 12:38:52

This is the current setup I have at home, this is mainly for documentation purposes.

# main router, used for dial-up and DHCP
192.168.178.1
# WLAN
192.168.178.2
# my dlink
192.168.178.3
# printer
192.168.178.4

# DHCP range
192.168.178.10 to 254

DHCP has to run on the dial-up router! If it does not, the DHCP server will not know where the DNS can be found and will not be able to tell its clients about it.

But it is about time to test IPv6 at home... so this may be not too long in use.

TTL values
posted on 2014-05-08 09:50:18

A list of commonly used TTL values (e.g. in DNS settings).

(  60         =     1 m  )
   1800       =    30 m
   3600       =     1 h
   10800      =     3 h
   14400      =     4 h
   21600      =     6 h
   43200      =    12 h
   86400      =     1 d
   259200     =     3 d
   604800     =     7 d
   31536000   =   365 d

Going below 0.5h is usually forbidden. Mostly 24h are used for RR's (resource records, like A / NS / MX), to reduce traffic for the DNS servers.

List of private networks
posted on 2014-05-07 14:57:30

private address spaces

IPv4

IP address ranges for private networks, as by RFC 1918.

10 . 0 . 0 . 0 / 8
172. 16. 0 . 0 / 12
192.168. 0 . 0 / 16

IPv6

Same as above, for IPv6. See RFC 4193.

fc00:: / 7

link-local address spaces

These are for private networks being on the same link. (Read: switch)

They will not work through routers (hosts in different subnets are on different links), but they do work across bridges.

These are intended for address autoconfiguration, i.e. via DHCP.

IPv4

See RFC 6890 and RFC 3927.

169.254. 0 . 0 /16 - except the first and the last /24 subnet.

169.254.1.0 to 169.254.254.255 may be assigned pseudorandomly on ethernet networks, if an IP cannot be obtained.

IPv6

See RFC 4862 and RFC 4291.

fe80:: / 10



Unless otherwise credited all material Creative Commons License by sjas