Archive for the ‘Networking’ Category

This post will explain how to disable IPv6 in a system running Debian GNU/Linux or Ubuntu Linux.

You may want to disable IPv6 for compatibility reasons or, if you do not plan to use it, to speed up your system and avoid loading unneeded modules at start-up.

To disable the protocol, edit the file

/etc/modprobe.d/aliases

and change the two lines as follows:

#alias net-pf-10 ipv6
alias net-pf-10 off

You should also tell the kernel not to load the IPv6 module, by blacklisting it at boot; to do so, edit

/etc/modprobe.d/blacklist 

file, adding the following line:

blacklist ipv6

Reboot your system and check with the following command that the ipv6 module is not loaded (no output means the module is absent):

lsmod | grep ipv6

You’re done.

Hope this helps.

Bye
Riccardo


This simple post will show how to configure Ethernet bonding on two (or more) network interfaces on RHEL 5 or CentOS 5.
I’ve tested this configuration on CentOS 5.2 with kernel 2.6.18-92.1.22.el5, as you can see below:

uname -a

Linux serverlab.riccardoriva.local 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/redhat-release
CentOS release 5.2 (Final)

If you want to create a bond of two interfaces (e.g. eth0 and eth1), do the following:

Edit /etc/sysconfig/network-scripts/ifcfg-eth0

# Bonding eth0 to bond0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=NO

Edit /etc/sysconfig/network-scripts/ifcfg-eth1

# Bonding eth1 to bond0
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=NO

Copy /etc/sysconfig/network-scripts/ifcfg-eth1 to /etc/sysconfig/network-scripts/ifcfg-bond0, which keeps the same file permissions, by executing the following commands:

cd /etc/sysconfig/network-scripts
cp ifcfg-eth1 ifcfg-bond0

Edit /etc/sysconfig/network-scripts/ifcfg-bond0

# Bonding master interface bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
NETWORK=10.100.100.0
NETMASK=255.255.255.0
IPADDR=10.100.100.1
USERCTL=NO

Edit /etc/modprobe.conf adding the following line :

alias bond0 bonding

Reboot your system so that the module gets loaded, or load it manually with the following command:

modprobe bonding

If you haven’t rebooted your system, restart networking with the following command:

/etc/init.d/network restart

To check that bonding is working, look at /proc/net/bonding/bond0 with the following command:

cat /proc/net/bonding/bond0

and you should see something similar to the following :

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:15:17:88:5a:3c

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:15:17:88:5a:3d
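As an added example (not part of the original post), the following Python script parses the output of `cat /proc/net/bonding/bond0` shown above into a structure a monitoring job can check. The healthy sample is the post's own output; the degraded variant is constructed. Note that the post's output shows an MII Polling Interval of 0, which means the bonding driver is not monitoring link state at all (the miimon parameter defaults to 0, disabled), so a failed cable would not be detected; the parser flags that too.

```python
"""Parse /proc/net/bonding/<bond> output and flag an unhealthy bond.

Added example (not from the original post). It reads the text printed by
`cat /proc/net/bonding/bond0` and returns a summary a monitoring script can act on.
"""
import re
from dataclasses import dataclass, field

# Sample taken from the post's example output (two healthy slaves).
SAMPLE_HEALTHY = """\
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:15:17:88:5a:3c

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:15:17:88:5a:3d
"""

# Constructed variant: eth1 has lost link and accumulated failures.
SAMPLE_DEGRADED = SAMPLE_HEALTHY.replace(
    "Slave Interface: eth1\nMII Status: up\nLink Failure Count: 0",
    "Slave Interface: eth1\nMII Status: down\nLink Failure Count: 3",
)


@dataclass
class Slave:
    name: str
    mii_up: bool
    link_failures: int
    hw_addr: str


@dataclass
class BondStatus:
    mode: str
    mii_up: bool
    polling_ms: int
    slaves: list = field(default_factory=list)

    def problems(self):
        """Return human-readable findings; an empty list means healthy."""
        found = []
        if not self.mii_up:
            found.append("bond MII status is down")
        if self.polling_ms == 0:
            found.append("MII polling interval is 0: link failures will not be detected")
        if len(self.slaves) < 2:
            found.append("fewer than two slaves: no redundancy")
        for s in self.slaves:
            if not s.mii_up:
                found.append(f"slave {s.name} is down")
            if s.link_failures:
                found.append(f"slave {s.name} has {s.link_failures} link failure(s)")
        return found


def _value(block, key):
    """Fetch the value of a 'Key: value' line inside one block of text."""
    m = re.search(rf"^{re.escape(key)}:\s*(.*)$", block, re.M)
    return m.group(1).strip() if m else ""


def parse_bond(text):
    """Split the text into the bond header and one block per slave interface."""
    head, *slave_blocks = re.split(r"^Slave Interface:\s*", text, flags=re.M)
    status = BondStatus(
        mode=_value(head, "Bonding Mode"),
        mii_up=_value(head, "MII Status") == "up",
        polling_ms=int(_value(head, "MII Polling Interval (ms)") or 0),
    )
    for block in slave_blocks:
        name = block.splitlines()[0].strip()  # the text right after "Slave Interface:"
        status.slaves.append(Slave(
            name=name,
            mii_up=_value(block, "MII Status") == "up",
            link_failures=int(_value(block, "Link Failure Count") or 0),
            hw_addr=_value(block, "Permanent HW addr"),
        ))
    return status


if __name__ == "__main__":
    for label, sample in (("as shown", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        st = parse_bond(sample)
        print(label, st.mode, [s.name for s in st.slaves], st.problems() or "OK")
```

On a live system, replace the samples with `open("/proc/net/bonding/bond0").read()`; a non-empty `problems()` list is what a cron job or monitoring check should alert on.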

You’re done.

Hope this helps.

Bye
Riccardo


Traditional network designs use routers to create broadcast domains and limit broadcasts between multiple subnets. This prevents broadcast floods in larger networks from consuming resources or causing unintentional denials of service. Unfortunately, the traditional network design methodology has some flaws:

* Geographic focus – Traditional network designs focus on the physical locations of equipment and personnel for addressing and LAN segment placement. Because of this there are a few significant drawbacks:
  * Network segments for physically disjoint organizations cannot be part of the same address space. Each physical location must be addressed independently and be part of its own broadcast domain. This can force personnel to be located in a central location, or to suffer additional latency or connectivity shortfalls.
  * Relocations of personnel and departments can become difficult, especially if the original location retains its network segments. Relocated equipment will have to be reconfigured based on the new network configuration.

This post will explain how to configure a DHCP server running on Ubuntu Server 9.04 (Jaunty Jackalope) for more than one interface and more than one network.
This post assumes you have:
- A private network, 192.168.123.0/24
- Three networks on which you have to assign dynamic IP addresses, for example a LAB network, a SUP (support) network and a WIFI network, with the following subnets:
- 192.168.124.0/24 (sup)
- 192.168.125.0/24 (lab)
- 192.168.127.0/24 (wifi)

This post also assumes you have a system running Ubuntu (or Debian) with four (4) NICs, each connected to one of the networks above, and that you will have the following configuration:
SUP network
Server IP Address : 192.168.124.1
DHCP Scope : 192.168.124.100 – 192.168.124.200
Gateway : 192.168.124.254

LAB network
Server IP Address : 192.168.125.1
DHCP Scope : 192.168.125.100 – 192.168.125.200
Gateway : 192.168.125.254

WIFI network
Server IP Address : 192.168.127.1
DHCP Scope : 192.168.127.100 – 192.168.127.200
Gateway : 192.168.127.254

The name server for all the networks will be a server in the internal network (192.168.123.2).

First of all you have to install the DHCP server; to do so, type:

sudo apt-get install dhcp3-server


This post will explain how to configure a quick and dirty RDP client, like a thin client, with an OLD computer and Ubuntu.
You can use Ubuntu Desktop even on very old hardware.

I’ve tested it successfully on a PC with a Pentium III processor and 256 MB RAM.

For this configuration I’ve created a simple shell script that establishes the RDP connection and, when it ends, shuts the system down.

To do so, do the following:

Install Ubuntu Desktop (from 7.04 to 9.10) on your system and configure networking.

Create a file with the following content and save it as /usr/local/bin/TS.sh

#!/bin/bash
# Open a full-screen RDP session; the script blocks here until the session ends.
rdesktop your.terminal.server.ip -u username -d yourADdomain -f -b -N -n localhostname -k it -a 16
# When the user disconnects, power the thin client off (needs passwordless sudo for shutdown).
/usr/bin/sudo /sbin/shutdown -h now

Assign it the correct ownership and permissions:

chown root:nobody /usr/local/bin/TS.sh
chmod 755 /usr/local/bin/TS.sh

Create a link in /home/username/.config/autostart with the following commands:

cd /home/username/.config/autostart
ln -s /usr/local/bin/TS.sh TSAutostart

Modify your /etc/sudoers (using visudo) so that the login user can run the shutdown command without a password; since the script only needs /sbin/shutdown, you can restrict the rule to that command instead of ALL. Replace username with your login user:

# User privilege specification
root ALL=(ALL) ALL
username ALL=NOPASSWD: ALL

Reboot your system and log in as user “username”: you will see an RDP connection opened to your.terminal.server.ip, and when you disconnect from the terminal server the machine will shut down.

Hope this helps.

Bye
Riccardo


This post assumes you already have a fully functional mail server and want to download all the e-mails from some mailboxes located on another mail server, typically your service provider’s.
This guide will walk you through installing and configuring fetchmail on RHEL 5 or newer; the same steps apply unchanged to CentOS, and you should be able to adapt them to any other Linux distribution.
Most likely you want to set up fetchmail to download your domain mailboxes over POP3 and inject the messages into Postfix (or whatever you use as MTA).

To install fetchmail use the following :

yum install fetchmail -y

You should decide how to run fetchmail:

* as a daemon
* as a cron scheduled task


This post will explain how to configure a single IP address on multiple NICs (physical or virtual) on Debian GNU/Linux (with a 2.6 kernel).

This post assumes you have a 192.168.0.0/24 network and that you want to assign 192.168.0.10/24 to your system.

Ethernet bonding means aggregating multiple Ethernet channels into a single logical channel. It is used primarily for redundancy of Ethernet paths or for load balancing. This page covers the ifenslave modes in particular for configuring Ethernet bonding on Linux systems, and so does not limit itself to 802.3ad link aggregation.
I’ve used the following modes many times under Debian or Ubuntu and on Open-E.


In some cases you may have more than one server connected to the Internet in a load-balancing setup.
To ensure that all machines are reachable from the Internet you have to configure your DNS entries correctly.

In this case we will take web servers as an example.

To use round robin, each web server must have its own public IP address. A common scenario is to use network address translation and port forwarding at the firewall to assign each web server a public IP address while internally using a private address, usually an IP Address in a DMZ (DeMilitarized Zone).

This example from the DNS zone definition for yourdomain.net assigns the same name to each of the three web servers, but uses different IP addresses for each:

Note: in the host address (A) records I use private IP addresses, but you MUST use public IPs.

;
; Domain database for yourdomain.net
;
yourdomain.net. IN SOA ns1.yourdomain.net. hostmaster.yourdomain.net. (
2009030101 ; serial
10800 ; refresh
3600 ; retry
86400 ; expire
86400 ; default_ttl
)
;
; Name servers
;
yourdomain.net. IN NS ns1.yourdomain.net.
yourdomain.net. IN NS ns2.yourdomain.net.
;
; Web servers
;
www IN A 192.168.1.1
www IN A 192.168.1.2
www IN A 192.168.1.3

When the DNS server gets a request to resolve the name www.yourdomain.net, it returns one IP address (say the first one); when a second request comes in, it returns the second one, and so on.
Theoretically (in a perfect world), each web server gets one third of all the web traffic.
Because of DNS caching, and because some requests use more resources than others, the load will not be shared exactly equally; over time, however, it will come close.

This is a simple example of load balancing using a DNS server (round robin).
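As an added example (not part of the original post), this Python script parses the zone above, lints it for the mistake the note warns about (private addresses in records meant for the Internet) and simulates the answer rotation behind the "one third each" claim. The rotation is a simulation of the answer order a round-robin server hands out, not a query against a real name server.

```python
"""Round-robin A records: parse the zone, lint it, and simulate the rotation.

Added example (not from the original post). The zone text is the post's
example, embedded as a constant.
"""
import ipaddress
import re
from collections import Counter

ZONE = """\
;
; Domain database for yourdomain.net
;
yourdomain.net. IN SOA ns1.yourdomain.net. hostmaster.yourdomain.net. (
2009030101 ; serial
10800 ; refresh
3600 ; retry
86400 ; expire
86400 ; default_ttl
)
;
; Name servers
;
yourdomain.net. IN NS ns1.yourdomain.net.
yourdomain.net. IN NS ns2.yourdomain.net.
;
; Web servers
;
www IN A 192.168.1.1
www IN A 192.168.1.2
www IN A 192.168.1.3
"""

# owner [ttl] IN A address   (comments after ';' are stripped before matching)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)\s*$")


def a_records(zone_text):
    """Return {owner: [ip, ...]} for every A record in the zone."""
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = A_RECORD.match(line)
        if m:
            records.setdefault(m.group(1), []).append(m.group(2))
    return records


def lint_public_zone(records):
    """Findings for a zone that will be served to the Internet.

    Catches RFC 1918 / non-routable addresses (the post's example values)
    and duplicate addresses, which would silently skew the round robin.
    """
    findings = []
    for owner, ips in records.items():
        for ip in ips:
            if not ipaddress.ip_address(ip).is_global:
                findings.append(f"{owner}: {ip} is not a globally routable address")
        for ip, n in Counter(ips).items():
            if n > 1:
                findings.append(f"{owner}: {ip} listed {n} times")
    return findings


def round_robin_answers(ips, queries):
    """Answer order for each of `queries` successive requests (rotated by one each time)."""
    answers = []
    for i in range(queries):
        k = i % len(ips)
        answers.append(ips[k:] + ips[:k])
    return answers


def first_answer_share(ips, queries):
    """Fraction of queries in which each IP is the first answer (what clients tend to use)."""
    firsts = Counter(ans[0] for ans in round_robin_answers(ips, queries))
    return {ip: firsts[ip] / queries for ip in ips}


if __name__ == "__main__":
    recs = a_records(ZONE)
    print(recs)
    print(lint_public_zone(recs))
    print(first_answer_share(recs["www"], 9))
```

Run against the post's zone the lint reports all three www addresses as non-routable, which is exactly the situation the note above says must not reach a public server.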

Hope this helps.

Bye
Riccardo


This post will explain a quick and dirty method to block Skype for some users, while avoiding blocking access to HTTPS URLs that are not defined as FQDNs.

This post assumes that your clients have no direct Internet access and must pass through your Squid proxy server for any external connection.
This post assumes your local network is 192.168.1.0/24.
This post assumes you want to give Skype access to the IPs from 192.168.1.100 to 192.168.1.200, and Internet access to your whole network.

Obviously you MUST change the IPs based on your REAL network configuration.

In the following configuration I’m going to create some ACLs to define my networks, the Skype connection method and the Skype connection destinations, and a sort of whitelist that I can fill with exceptions to avoid HTTPS connection problems.


This post will explain some useful commands on a Fortigate firewall.
This post assumes you have a Fortinet Fortigate device and want to use it to
connect your local network (192.168.1.0/24) to the Internet, and that you have an
Internet connection.
This post also assumes that you have a router with public IP address
111.222.111.1 and a public subnet 111.222.111.0/29.
In this case I’ve used a point-to-point device with IP address 111.222.111.123
to detect connection failures.

Obviously you must change the private (INTERNAL) IP address to fit your
network, and use your own public subnet rather than the one used here for the
example (111.222.111.0/29).

config system global
# Set the http admin port to 80/tcp
set admin-port 80

# Set the https admin port to 443/tcp
set admin-sport 443

# Set the ssh admin port to 22/tcp
set admin-ssh-port 22

# Set the telnet admin port to 23/tcp
set admin-telnet-port 23

# Set the hostname
set hostname "FGT50B-MAGAZZINO"

# Set the ntp server to "time.ien.it" and enable it
set ntpserver "time.ien.it"
set ntpsync enable

# Set the tcp-halfclose timer to 43200 seconds
set tcp-halfclose-timer 43200
end

# Set the telnet 23/tcp port timeout to 43200 seconds.
# This is very useful if you have an AS400 (iSeries), to avoid session
# timeouts. Note the nested "config port" table needs its own "end".
config system session-ttl
set default 43200
config port
edit 23
set timeout 43200
next
end
end

# Set the IP address and administrative access options (ping https http) for
# the INTERNAL interface.
config system interface
edit "internal"
set ip 192.168.1.254 255.255.255.0
set allowaccess ping https http
set type physical
next

# Set the IP address and administrative access options (ping https) for the
# WAN1 interface.
# Enable the "Gateway Detect" option and set the "Ping Server" destination.
# Set the interface speed to 10 Mb/s half duplex; this is useful for some
# connections like radio bridges.
edit "wan1"
set ip 111.222.111.2 255.255.255.248
set allowaccess ping https
set gwdetect enable
set detectserver "111.222.111.123"
set type physical
set speed 10half
next
end

# Set DNS servers and DNS options
config system dns
set primary 192.168.1.3
set secondary 212.97.32.2
set domain ""
set autosvr disable
set dns-cache-limit 5000
set cache-notfound-responses disable
end

# Set a firewall policy to allow traffic from INTERNAL to WAN1 using NAT
# Set a protection profile (a default one) called "scan"
config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set profile-status enable
set profile "scan"
set nat enable
next
end

# Set the default gateway on the WAN1 interface: the router's public address
# (111.222.111.1), not the firewall's own wan1 address
config router static
edit 1
set device "wan1"
set gateway 111.222.111.1
next
end

Hope this helps.

Bye
Riccardo

This post will explain how to configure a single IP address on multiple NICs (physical or virtual) on SuSE Linux Enterprise Server (9 or 10).

This post assumes you have a 192.168.1.0/24 network and that you want to assign 192.168.1.1/24 to your system.


This post will explain how to configure a single IP address on multiple NICs (physical or virtual) on Red Hat Linux (or Fedora).

This post assumes you have a 192.168.1.0/24 network and that you want to assign 192.168.1.1/24 to your system.


This post will explain how to configure multiple IP addresses on ONE NIC (physical or virtual) on Red Hat Linux (or Fedora).

This post assumes you have a 192.168.1.0/24 network and that you want to assign 192.168.1.1/24 and 192.168.1.2/24 to your system.


Sometimes I have to use some tools to test the network, to find problems or simply to debug something that is not working well.

Tcpdump is a popular network debugging and security tool that allows the user to intercept and display the TCP/IP packets being transmitted or received over a network to which the computer is attached. Tcpdump lets you see all the traffic precisely and makes it possible to build statistical monitoring scripts.

On an Ethernet segment, tcpdump works by putting the network card into promiscuous mode in order to capture all the packets going through the wire. Using tcpdump we can see every TCP/UDP connection establishment and termination.

Obviously, if you can mirror one or more ports of the network devices to the port your computer is connected to, you’ll obtain a lot more data.

Some examples:

To print all packets arriving at or departing from 192.168.1.1:
# tcpdump -n host 192.168.1.1

To print traffic between 192.168.1.1 and either 10.0.0.1 or 10.0.0.2:
# tcpdump -n host 192.168.1.1 and \( 10.0.0.1 or 10.0.0.2 \)

To print all IP packets between 192.168.1.1 and any host except 10.0.0.1 (options such as -n must come before the filter expression):
# tcpdump -n ip host 192.168.1.1 and not 10.0.0.1

To print all traffic between local hosts and hosts at Berkeley:
# tcpdump net ucb-ether

To print all ftp traffic through internet gateway yyy:
# tcpdump 'gateway yyy and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):
# tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
# tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

To print IP packets longer than 576 bytes sent through gateway yyy:
# tcpdump 'gateway yyy and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:
# tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
# tcpdump 'icmp[0] != 8 and icmp[0] != 0'
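The last four filters above read raw header bytes (`tcp[13]`, `ip[2:2]`, `ether[0]`/`ip[16]`, `icmp[0]`), which is easy to get wrong by one byte. As an added example (not from the original post), the following Python script builds Ethernet/IPv4 frames with `struct` and implements the same `proto[offset:size]` accessors tcpdump's filter language uses, so each expression can be checked against packets whose contents are known. All MAC and IP addresses and payloads are constructed.

```python
"""Evaluate tcpdump byte-offset filter expressions on constructed packets.

Added example (not from the original post): a tiny frame builder plus the
proto[offset:size] accessors, used to check the filters quoted above.
"""
import struct

ETH_LEN = 14
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10
DST_MAC, SRC_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed, both unicast


def build_frame(dst_ip, proto, payload, src_ip="192.168.1.1", dst_mac=DST_MAC):
    """Ethernet II + IPv4 header (no options) around a prebuilt L4 payload."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", ""))
               + bytes.fromhex(SRC_MAC.replace(":", "")) + b"\x08\x00")
    return eth_hdr + ip_hdr + payload


def tcp_segment(sport, dport, flags, data=b""):
    """Minimal TCP header (data offset 5 words); the flag bits live in byte 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + data


def icmp_message(icmp_type, code=0):
    """ICMP header: type, code, checksum, then 4 bytes of rest-of-header."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


class Accessor:
    """tcpdump-style proto[offset:size] reads; offsets are relative to each header."""

    def __init__(self, frame):
        self.frame = frame
        self.proto = frame[ETH_LEN + 9]                      # IPv4 protocol field
        self.l4_off = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4  # IHL is in 32-bit words

    def _read(self, base, offset, size):
        return int.from_bytes(self.frame[base + offset:base + offset + size], "big")

    def ether(self, offset, size=1):
        return self._read(0, offset, size)

    def ip(self, offset, size=1):
        return self._read(ETH_LEN, offset, size)

    def tcp(self, offset, size=1):
        return self._read(self.l4_off, offset, size)

    icmp = tcp  # same base: the L4 header starts right after the IP header


def is_tcp_start_or_end(frame):
    """tcp[13] & 3 != 0 : the SYN or FIN bit is set."""
    a = Accessor(frame)
    return a.proto == 6 and (a.tcp(13) & 3) != 0


def is_ip_longer_than(frame, limit=576):
    """ip[2:2] > 576 : the IPv4 total-length field exceeds the limit."""
    return Accessor(frame).ip(2, 2) > limit


def is_ip_bcast_not_ether_bcast(frame):
    """ether[0] & 1 = 0 and ip[16] >= 224 : multicast/broadcast IP inside a unicast frame."""
    a = Accessor(frame)
    return (a.ether(0) & 1) == 0 and a.ip(16) >= 224


def is_icmp_not_ping(frame):
    """icmp[0] != 8 and icmp[0] != 0 : any ICMP type other than echo request/reply."""
    a = Accessor(frame)
    return a.proto == 1 and a.icmp(0) not in (8, 0)


# Constructed sample frames, one or two per expression.
SYN = build_frame("10.0.0.1", 6, tcp_segment(40000, 80, TCP_SYN))
ACK = build_frame("10.0.0.1", 6, tcp_segment(40000, 80, TCP_ACK))
BIG = build_frame("10.0.0.1", 6, tcp_segment(40000, 80, TCP_ACK | TCP_PSH, b"A" * 600))
RIP = build_frame("224.0.0.9", 17, struct.pack("!HHHH", 520, 520, 8, 0))  # multicast IP, unicast MAC
PING = build_frame("10.0.0.1", 1, icmp_message(8))
UNREACH = build_frame("10.0.0.1", 1, icmp_message(3, 3))

if __name__ == "__main__":
    for name, f in [("SYN", SYN), ("ACK", ACK), ("BIG", BIG), ("RIP", RIP), ("PING", PING), ("UNREACH", UNREACH)]:
        print(f"{name:8} syn/fin={is_tcp_start_or_end(f)} >576={is_ip_longer_than(f)} "
              f"oddbcast={is_ip_bcast_not_ether_bcast(f)} icmp-not-ping={is_icmp_not_ping(f)}")
```

The accessors assume an IPv4 frame with no 802.1q tag, which is also what the quoted tcpdump expressions assume: on a VLAN trunk the IP header is shifted by four bytes and the same offsets would read the wrong field.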

Hope this helps.

Bye
Riccardo

Some days ago I had some difficulty debugging a strange message from a web server, for a customer who had to use a home-banking service through a proxy server.

To find out how to configure the browser I had to look up all the HTTP response codes a web server can return, so here they are:

Code     Description
100     Continue
101     Switching protocols
200     OK
201     Created
202     Accepted
203     Non-authoritative information
204     No content
205     Reset content
206     Partial content
300     Multiple choices
301     Moved permanently
302     Moved temporarily
303     See other
304     Not modified
305     Use proxy
307     Temporary redirect
400     Bad request
401     Unauthorized
402     Payment required
403     Forbidden
404     Not Found
405     Method not allowed
406     Not acceptable
407     Proxy authentication required
408     Request timeout
409     Conflict
410     Gone
411     Length required
412     Precondition failed
413     Request entity too large
414     Request URI too large
415     Unsupported media type
416     Requested range not satisfiable
417     Expectation failed
500     Internal server error
501     Not implemented
502     Bad gateway
503     Service unavailable
504     Gateway timeout
505     HTTP version not supported

Hope this helps someone.

Bye
Riccardo

This handy tip lets you run a simple connectivity test against many devices in a subnet in very little time:

It can be useful to see which devices are reachable in a network.

I’m using the FOR command, as you can see:

FOR /L %g IN (1,1,254) DO ping -n 2 192.168.0.%g

%g takes, in turn, every value in the range 1-254; the range is given by the syntax (start,step,end).
Start is the initial value that you want to test.
Step is the increment between one operation and the next.
End is the last value you want to test.

The “-n 2” option specifies the number of ICMP echo requests to send before moving on to the next address.

You can run it unattended and redirect the output to a log file using the following syntax :

FOR /L %g IN (1,1,254) DO ping -n 2 192.168.0.%g >> your_output_file.log

Hope this helps.

Bye
Riccardo

The following is a simple telnet session to a POP3 server, used to check whether the server is working properly or whether a username/password combination is correct.

Assuming your POP3 server is “pop3.yourdomain.com”, your username is “yourname” and your password is “yourpassword”, you will see the following (lines starting with # are what you type):

# telnet pop3.yourdomain.com 110

+OK POP3 server ready

# user yourname

+OK

# pass yourpassword

+OK yourname has X messages (XXX octets)

# list

+OK
1 3514
2 4421
.

At this point you can see you have 2 messages in your INBOX, and you can execute some other commands to manage them:

# retr message_number

Shows you the entire message, including the SMTP headers and all the other information

# dele message_number

Marks the message for deletion from your INBOX (it is actually removed when you quit the session)

Finally you must quit from the session using “quit”.

quit
+OK

The most used commands of the POP3 protocol are the following:

USER <username>: identifies the user;
PASS <password>: sends the password in clear text;
STAT: shows how many messages are in the INBOX and the disk space they occupy;
LIST: shows the size of every message;
LIST <message number>: shows the size of the selected message;
RETR <message number>: reads the selected message;
TOP <message number> <lines>: shows the headers and the first <lines> lines of the selected message;
DELE <message number>: marks the selected message for deletion;
NOOP: a simple test of the server response; it does not perform any operation on your messages;
RSET: cancels the DELE operations previously sent to the server;
QUIT: ends the current POP3 session and disconnects from the server.
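As an added example (not part of the original post), the following Python script plays both sides of the exchange typed by hand above: a small in-memory POP3 server that answers like the one in the session, and a client function that drives USER/PASS/LIST/QUIT through it and returns the full transcript plus the message list. The mailbox, credentials and message sizes are constructed; the point is to show the state machine (AUTHORIZATION, then TRANSACTION) and that DELE only marks messages until QUIT, which is why RSET can undo it.

```python
"""Scripted POP3 check with both sides of the exchange (added example)."""


class FakePop3Server:
    """Minimal POP3 server state machine: AUTHORIZATION -> TRANSACTION -> UPDATE."""

    def __init__(self, users, messages):
        self.users = users          # {username: password}, constructed
        self.messages = messages    # message sizes in octets, constructed
        self.state = "AUTHORIZATION"
        self.user = None
        self.deleted = set()        # DELE only marks; QUIT would apply it

    def greeting(self):
        return "+OK POP3 server ready"

    def _live(self):
        return [n for n in range(1, len(self.messages) + 1) if n not in self.deleted]

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if self.state == "AUTHORIZATION":
            if cmd == "USER":
                self.user = arg
                return "+OK"
            if cmd == "PASS":
                if self.user and self.users.get(self.user) == arg:
                    self.state = "TRANSACTION"
                    return (f"+OK {self.user} has {len(self.messages)} messages "
                            f"({sum(self.messages)} octets)")
                return "-ERR invalid password"
            if cmd == "QUIT":
                return "+OK bye"
            return "-ERR not authenticated"
        if cmd == "STAT":
            return f"+OK {len(self._live())} {sum(self.messages[n - 1] for n in self._live())}"
        if cmd == "LIST":   # multi-line reply, terminated by a lone "."
            lines = ["+OK"] + [f"{n} {self.messages[n - 1]}" for n in self._live()] + ["."]
            return "\r\n".join(lines)
        if cmd == "DELE":
            n = int(arg) if arg.isdigit() else 0
            if n in self._live():
                self.deleted.add(n)
                return f"+OK message {n} deleted"
            return "-ERR no such message"
        if cmd == "RSET":
            self.deleted.clear()
            return "+OK"
        if cmd == "NOOP":
            return "+OK"
        if cmd == "QUIT":
            self.state = "UPDATE"
            return "+OK bye"
        return "-ERR unknown command"


def parse_list(reply):
    """Turn a multi-line LIST reply into {message_number: octets}."""
    lines = reply.split("\r\n")
    if not lines[0].startswith("+OK"):
        raise ValueError(reply)
    sizes = {}
    for line in lines[1:]:
        if line == ".":
            break
        num, size = line.split()
        sizes[int(num)] = int(size)
    return sizes


def check_mailbox(server, username, password):
    """Drive the session the post types by hand; returns (ok, sizes, transcript)."""
    transcript = ["S: " + server.greeting()]

    def send(cmd):
        transcript.append("C: " + cmd)
        reply = server.handle(cmd)
        transcript.append("S: " + reply)
        return reply

    send(f"USER {username}")
    # PASS carries the password in clear text, as the post notes: on a real
    # network run this check over TLS (port 995) rather than plain port 110.
    if not send(f"PASS {password}").startswith("+OK"):
        send("QUIT")
        return False, {}, transcript
    sizes = parse_list(send("LIST"))
    send("QUIT")
    return True, sizes, transcript


if __name__ == "__main__":
    srv = FakePop3Server({"yourname": "yourpassword"}, [3514, 4421])
    ok, sizes, transcript = check_mailbox(srv, "yourname", "yourpassword")
    print("\n".join(transcript))
    print(ok, sizes)
```

Swapping `FakePop3Server` for a real socket wrapper (send the command line with CRLF, read the reply, keep reading until the lone "." for LIST) gives a usable mailbox check; the transcript format mirrors what you see in the telnet session.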

Hope this helps.

Bye
Riccardo

Suppose you have a layer 2 switch with 802.1q support.
Suppose you want to route traffic from one VLAN to another VLAN.
Suppose you have two VLANs with VLAN IDs 2 and 3.

You can use a Linux box for that.

A VLAN (virtual LAN) is created with equipment such as switches that support the 802.1q protocol,
which inserts a ‘tag’ in the Ethernet frame; this tag identifies the VLAN to which a frame belongs.

Having two VLANs on a switch is like having two physical switches, as frames from one do not pass
to the other. If you need to pass traffic from one VLAN to another you would normally use a layer 3 switch
and enable its internal virtual router, but you can do the same with a Linux box, this way.

Configure a switch port to be a (tagged) member of both VLANs (2 and 3).

#apt-get install vlan

– this installs the VLAN tools (vconfig) –

#modprobe 8021q

– this loads the 802.1q kernel module –

#vconfig add eth0 2
#vconfig add eth0 3

– this creates the two VLAN interfaces (eth0.2 and eth0.3) on top of eth0 –

#ifconfig eth0 0.0.0.0 up

– eth0 itself carries no address, only the VLAN interfaces do; be sure eth0 is up or you will see no traffic at all –

#ifconfig eth0.2 10.1.1.1 broadcast 10.1.1.255 netmask 255.255.255.0 up
#ifconfig eth0.3 10.1.2.1 broadcast 10.1.2.255 netmask 255.255.255.0 up

– assume the two VLANs are 10.1.1.0/24 (VLAN 2) and 10.1.2.0/24 (VLAN 3) and you want traffic between them –

Now configure one of your switch ports to belong to VLAN 2 and VLAN 3 at the same time, and connect your Linux box to that port.

#echo 1 > /proc/sys/net/ipv4/ip_forward

– this enables packet forwarding on the Linux router –

#route add -net 10.1.1.0 netmask 255.255.255.0 dev eth0.2
#route add -net 10.1.2.0 netmask 255.255.255.0 dev eth0.3

– the connected routes are normally added by ifconfig when the addresses are assigned; these commands only make sure they exist (route wants an interface here, dev, not gw) –

Connect your newly configured Linux box to the switch port configured as a member of both VLANs.
That’s all.

Riccardo

I am looking for a hardware solution that supports sharing USB over IP (aka USB Servers).
Here is information about 5 hardware devices, that I obtained from their websites:
Keyspan – model U2S-2A (2-port)
- supported OS: WinXP or Vista (32bit), MacOS X v10.3.9 or greater
- supports 8 connections???
- does not currently support attachment of USB hubs (expected in future firmware)
- PROS: claims it can support any USB device that is NOT an isochronous device or an iLok dongle by PACE
- CONS: Limited documentation for this model
Silex technology – model SX-2000U2 (1-port)
- supported OS: W2K, WinXP, Vista, MacOS X
- supports 15 connections (incl. hub)
- PROS: Frequent firmware updates, supports more connections
- CONS: only one port
Lantronix – model UBox 2100 (2-port)
- supported OS: W2K, WinXP
- supports 8 connections???
- Isochronous audio/video support
- PROS: First and currently only to claim to support isochronous transfers
- CONS: Limited documentation on this model
Belkin – model F5L009 (5-port)
- supported OS: WinXP,Vista (incl 64bit), MacOS 10.4 (beta)
- supports 16 connections
- PROS: Sexy looking, supports more connections, comes with 5 ports, claims it may support isochronous transfers in a future update
- CONS: reports suggest poor performance with drives, but this may be a perception issue
IOGear – model GMFPSU22W6 (2-Port)
- supported OS: W2K, WinXP
- supports 5 connections
- PROS: supports a storage server mode, allowing multiple user access
- CONS: don’t have any info yet on this model
I am only comparing USB 2.0 hi-speed (up to 480 Mbps) models, even though most of these manufacturers have full-speed (up to 12 Mbps) models too. All seem to sell for approximately $130 and support common features like WLAN compatibility, printer auto-connect sharing and 500 mA of power per port. Plus, some manufacturers are looking to add more features in future firmware and driver releases. Early testing suggests that these units perform only marginally better than USB 1.1 devices, due to the network connection (latency), but I am curious about the performance of the Lantronix model that claims to support isochronous transfers.
