I am trying to set up a traffic control server between the network and the firewall-router.
The server has two network devices:
Firewall <--> Server <---> NETWORK
It is running CentOS 6.4 x64 and I would like to use Etherape.
My idea is to have eth0 connected directly to our router and eth1 to our network.
eth1 would have two virtual interfaces, one with an IP to ssh the server and the other just forwarding with IPTables to eth0 with no IP. Of course, eth0 would not have any IP (we don't want to change the Gateway).
Any suggestion or better way to do this?
Thank you very much!!
Ok, finally it was quite easy. Install brctl and etherape, then:
brctl addbr br0                        # create the bridge
brctl stp br0 off                      # no STP: a passive tap should not emit BPDUs
brctl addif br0 eth0                   # router side
brctl addif br0 eth1                   # network side
echo 1 > /proc/sys/net/ipv4/ip_forward # not needed for plain bridging, harmless
ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up
service network restart
ifconfig br0 XX.YY.ZZ.AA               # management address, used only for ssh
That is a temporary configuration. If you reboot you will have to redo it. Here is a way to make it persistent:
http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html#toc3.3
Finally (if you are on a Windows box, install Xming and PuTTY first), connect as root to XX.YY.ZZ.AA with X11 forwarding, run etherape and you will have your remote traffic control.
To make it easier, I would recommend adding the filter:
ip and not ((src net XX.YY.ZZ.AA) or dst net XX.YY.ZZ.AA)
to avoid seeing the X11 traffic between the server and your box.
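An added example, not the commands from the answer above: the same transparent monitoring bridge built with iproute2 instead of brctl, together with the capture filter that hides the management session and a check that the host's iptables hooks stay out of the bridged path. The interface names (eth0, eth1, br0), the management address 192.0.2.10/24 and the SSH port are assumptions; the br_netfilter sysctls are only touched when they exist.

```shell
#!/bin/sh
# Added example (not the original poster's commands): transparent monitoring
# bridge with iproute2, with the host firewall kept out of the bridged path.
# Interface names, the management address and the port are illustrative.
set -eu

# pcap filter that hides the monitoring box's own management session
# (SSH carrying the forwarded X11) from what etherape/tcpdump display.
#   $1 management IP on br0, $2 management TCP port (default 22)
capture_filter() {
    printf 'ip and not (host %s and tcp port %s)' "$1" "${2:-22}"
}

# Returns 0 when no bridge-nf hook is enabled (iptables never sees bridged
# frames), 1 otherwise. $1 overrides /proc/sys/net/bridge so the check can
# be exercised against a fake directory.
bridge_nf_off() {
    dir=${1:-/proc/sys/net/bridge}
    for k in iptables ip6tables arptables; do
        f=$dir/bridge-nf-call-$k
        [ -r "$f" ] || continue            # br_netfilter not loaded: no hook
        [ "$(cat "$f")" = 0 ] || return 1
    done
    return 0
}

# Build the bridge. Root only; not executed by the test below.
#   $1 bridge name, $2 management CIDR, remaining args: member interfaces
make_bridge() {
    br=$1 mgmt=$2; shift 2
    ip link add name "$br" type bridge
    echo 0 > "/sys/class/net/$br/bridge/stp_state"   # passive tap: no BPDUs
    for dev in "$@"; do
        ip addr flush dev "$dev"                      # members carry no IP
        ip link set "$dev" master "$br" up
    done
    ip addr add "$mgmt" dev "$br"                     # only the bridge is addressed
    ip link set "$br" up
    # keep iptables out of the bridged path (only matters when br_netfilter is loaded)
    for k in iptables ip6tables arptables; do
        f=/proc/sys/net/bridge/bridge-nf-call-$k
        [ -w "$f" ] && echo 0 > "$f"
    done
    bridge_nf_off || echo "warning: bridge-nf hooks still enabled" >&2
}

# usage:
#   make_bridge br0 192.0.2.10/24 eth0 eth1
#   tcpdump -ni br0 "$(capture_filter 192.0.2.10)"
```

The filter excludes only the management TCP port rather than every packet to or from the management address, so traffic that other hosts send at the tap (scans, stray ARP) still shows up.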
I found that most of the configurations are for giving a static or private network. But I want it to act as a different machine, so it will get a separate IP address from DHCP, and I want to do it through nmcli.
Thanks in advance.
If you are using docker as tagged, rather than LXC, use pipework to map the wlan interface from the host to the container
pipework eth2 $CONTAINERID 10.10.9.9/24
or alternatively let the container do the dhcp negotiation for you
pipework eth1 $CONTAINERID dhclient
This setup is based on a macvlan interface so the same concept should work with LXC you just won't get the easy front end.
I'm confused if this is a docker question or an LXC question.
EDIT: as per the comments, wlan interface support in a bridge depends on the wlan vendor. It may work, or it may not work at all.
In any case, you should be able to create a bridge, add your wlan0 interface to the bridge, and then have your LXC container connect to this bridge directly. Then, when you run your DHCP client in the container, it will grab it from the wlan0 interface.
Configure bridge (manually for now)
# ifconfig wlan0 up
# brctl addbr br0
# brctl addif br0 wlan0
# ifconfig br0 up
# dhclient br0
Configure LXC configuration
If using traditional privileged LXC, edit the container's config file at /var/lib/lxc/$NAME/config
and update this value to point to your new bridge.
lxc.network.link = br0
Run DHCP in container
# lxc-attach -n $NAME
# dhclient eth0
# ip a
If the output to ip a shows the desired IP, you're all set!
If you want to make the configuration persistent, you'll have to add the bridge to your /etc/network/interfaces file.
IEEE 802.11 doesn’t like multiple MAC addresses on a single client, so bridge and macvlans are not the right solution here.
Use ipvlan in L2 mode.
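An added example, not from any of the answers above, covering both the bridge-based LXC recipe and the ipvlan suggestion: re-point a privileged LXC container from br0 to an ipvlan interface in L2 mode on the wireless uplink, then lease an address inside it. It assumes LXC 3.1 or newer (which added the ipvlan network type and the lxc.net.0.ipvlan.mode key), an ipvlan-capable kernel, container configs under /var/lib/lxc, and wlan0 as the uplink; the config-editing helpers are generic.

```shell
#!/bin/sh
# Added example, not from any of the answers above: give a privileged LXC
# container its own DHCP lease over the Wi-Fi uplink without presenting a
# second MAC to the access point, using ipvlan in L2 mode.
# Assumptions: LXC >= 3.1 (ipvlan network type), an ipvlan-capable kernel,
# container configs under /var/lib/lxc, and wlan0 as the uplink.
set -eu

# Idempotently set "key = value" in an LXC config: replace an existing line
# for that key, append otherwise.   $1 config file, $2 key, $3 value
lxc_set() {
    file=$1 key=$2 value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # '|' as the sed delimiter so values containing '/' need no escaping
        sed -i "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read a key back (first match); empty when absent.   $1 config, $2 key
lxc_get() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# Re-point a container from the bridge to ipvlan on the uplink. ipvlan
# reuses the parent's MAC, so 802.11 sees a single station; each container
# still obtains its own address from the upstream DHCP server.
#   $1 container name, $2 parent interface (default wlan0)
use_ipvlan() {
    cfg=/var/lib/lxc/$1/config parent=${2:-wlan0}
    sed -i '/^[[:space:]]*lxc\.network\./d' "$cfg"   # drop legacy lxc.network.* keys
    lxc_set "$cfg" lxc.net.0.type ipvlan
    lxc_set "$cfg" lxc.net.0.link "$parent"
    lxc_set "$cfg" lxc.net.0.ipvlan.mode l2
    lxc_set "$cfg" lxc.net.0.flags up
}

# After lxc-start, lease an address inside the container (root on the host).
# A distinct client-identifier is sent because every ipvlan child shares the
# parent's MAC and DHCP servers key leases on that MAC unless a client-id
# is present.
lease() {
    lxc-attach -n "$1" -- sh -c \
        "printf 'send dhcp-client-identifier \"%s\";\n' '$1' > /etc/dhclient-ipvlan.conf &&
         dhclient -v -cf /etc/dhclient-ipvlan.conf eth0 && ip -4 addr show dev eth0"
}

# usage:  use_ipvlan mycontainer wlan0 && lxc-start -n mycontainer && lease mycontainer
```

The client-identifier is the part people forget: with a bridge or macvlan each container has its own MAC, so the DHCP server hands out distinct leases by itself; with ipvlan that distinction has to come from the DHCP option instead.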
I want to set up multiple virtual machines to run webserver, postfix, etc.
I have a few public IP addresses from my ISP. My host system is running CentOS 7 and my virtual machines are running Debian Wheezy. Since my hosting provider restricts access to the switch based on MAC address, I cannot use a "full" bridge.
Instead I configured a routed bridge (see http://wiki.hetzner.de/index.php/Proxmox_VE)
I have successfully set up both machines, but the vm cannot connect to the internet if my firewall on my host machine is active. If my firewall is active I can ping machines on the internet from my vm, but nothing else.
How can I configure my firewall under CentOS 7 to give the VMs on br0 access to the internet?
Any help is appreciated. Thank you very much.
Network Config Host Machine
Host-Machine: /etc/sysconfig/network-scripts/ifcfg-enp2s0
BOOTPROTO=none
DEVICE=enp2s0
ONBOOT=yes
IPADDR=A.A.A.42
NETMASK=255.255.255.255
SCOPE="peer A.A.A.1"
Host-Machine: /etc/sysconfig/network-scripts/route-enp2s0
ADDRESS0=0.0.0.0
NETMASK0=0.0.0.0
GATEWAY0=A.A.A.1
Host-Machine: /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE="Bridge"
ONBOOT=yes
BOOTPROTO=none
IPADDR=A.A.A.42
NETMASK=255.255.255.255
STP=off
DELAY=0
Host Machine: /etc/sysconfig/network-scripts/route-br0
ADDRESS0=B.B.B.160
NETMASK0=255.255.255.255
Network Config Virtual machine
Virtual machine: /etc/network/interfaces
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
address B.B.B.160
netmask 255.255.255.255
pointopoint A.A.A.42
gateway A.A.A.42
Firewall settings Host machine
firewall-cmd --list-all
public (default, active)
interfaces: br0 enp2s0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Thank you very much in advance.
To accomplish this, you have two options.
Option 1 (from a security perspective this method is recommended):
Disable netfilter on the configured bridge
# vi /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
Check the values before/after.
# sysctl -p /etc/sysctl.conf
Option 2:
Add direct firewall rule
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -m physdev --physdev-is-bridged -j ACCEPT
On CentOS 8 (and probably CentOS 7) with firewalld, there's a much easier way to get all routed bridged KVM virtual machines full unrestricted internet access without dealing with firewall rules.
By default, all interfaces are bound to the public firewall zone.
But there are multiple zones, i.e. firewall-cmd --list-all-zones, of which one is called trusted, which is an unfiltered firewall zone that accepts all packets by default.
So you can just bind the bridge interface to that zone.
firewall-cmd --remove-interface br0 --zone=public --permanent
firewall-cmd --add-interface br0 --zone=trusted --permanent
firewall-cmd --reload
Hope this helps.
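An added example, not part of any of the answers above: since the questioner's br0 carries a host address and per-VM routes, VM traffic is routed through FORWARD rather than bridged, so instead of disabling bridge-nf or moving br0 into the unfiltered trusted zone (which also stops filtering the host's own services from the VMs), the following permits exactly the forwarding needed as firewalld direct rules, and then audits the live ruleset for unconditional ACCEPT rules. It assumes br0 and enp2s0 as in the question and the --direct syntax shipped with CentOS 7's firewalld; the iptables -S lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of any answer above): narrow FORWARD rules for a
# routed bridge on CentOS 7 firewalld, plus an audit of the resulting ruleset.
# Interface names are illustrative.
set -eu

# Print the iptables argument lists that permit forwarding between the VM
# bridge and the uplink: new flows only from the bridge side, replies back.
#   $1 bridge, $2 uplink
forward_rules() {
    br=$1 up=$2
    printf 'ipv4 filter FORWARD 0 -i %s -o %s -j ACCEPT\n' "$br" "$up"
    printf 'ipv4 filter FORWARD 0 -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$up" "$br"
}

# Apply them permanently and reload. Needs root and firewalld; not run by the test.
apply_forward_rules() {
    forward_rules "$@" | while read -r rule; do
        # shellcheck disable=SC2086   # word-splitting the rule string is intended
        firewall-cmd --permanent --direct --add-rule $rule
    done
    firewall-cmd --reload
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # routed bridge needs forwarding on
}

# Audit: read 'iptables -S' output on stdin and print ACCEPT rules that are
# not qualified by interface, address, connection state or physdev, i.e.
# rules that accept everything (what the "trusted" zone trick produces).
broad_forward_accepts() {
    grep -- '-j ACCEPT' \
      | grep -v -e ' -i ' -e ' -o ' -e ' -s ' -e ' -d ' -e ctstate -e physdev \
      || true
}

# usage:
#   apply_forward_rules br0 enp2s0
#   iptables -S | broad_forward_accepts     # expect no output on a tight ruleset
```

The stateful return rule is what lets the VMs' replies back without opening the uplink side for new connections; if the VMs must also be reachable from the Internet (webserver, postfix), add further direct rules with -i enp2s0 -o br0 and explicit -d/--dport matches rather than widening these.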
I am developing a kernel feature, using User-Mode-Linux.
I compiled 3.12.38 from source and downloaded a Debian fs.
However, I am not able to set up networking using the following options here.
Are there any good sources or info to go with this?
I have internet on wlan0.
EDIT:
I start with eth0=tuntap,,,192.168.0.254
and then inside UML:
UML# ifconfig eth0 192.168.0.253 up
I only get the output as:
modprobe tun
ifconfig tap0 192.168.0.252 netmask 255.255.255.255 up
route add -host 192.168.0.253 dev tap0
As mentioned, the output is lacking a bit and, moreover, a ping to 192.168.0.254 doesn't seem to work, with 100% packet loss.
Let us follow the steps to establish the following Topology:
VM-tap0(192.168.6.6)-------------(192.168.6.8)eth0-UML1-eth1(192.168.20.1)----------------eth1-(192.168.20.2)UML2
here, UML1 and UML2 are two UML instances running on VM as a host.
All uml_mconsole commands are supposed to run on the VM host.
Tun/Tap config:
VM <------> UML1 (let us first establish the connection between the VM host and UML1)
#host as root :
chmod 777 /dev/net/tun   # makes the device node world-accessible; 666 is enough, the execute bit means nothing on a device node
tunctl -u vm -t tap0 (here vm is the VM user name)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
ifconfig tap0 192.168.6.6 up
./linux ubda=CentOS6.x-x86-root_fs umid=debian1 [separate terminal]
uml_mconsole debian1 config eth0=tuntap,tap0
route add -host 192.168.6.8 dev tap0
route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.6.8 dev tap0
#uml1
eth0=tuntap,tap0
ifconfig eth0 192.168.6.8 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
Now UML1<-------------->UML2
./linux ubda=CentOS6.x-x86-root_fs2 umid=debian2 [separate terminal]
uml_mconsole debian1 config eth1=mcast (if these commands fail, it means you have not compiled the UML kernel with the multicast interface enabled)
uml_mconsole debian2 config eth1=mcast
again #uml1
ifconfig eth1 192.168.20.1 up
#uml2
ifconfig eth1 192.168.20.2 up
route add -net 192.168.6.0 netmask 255.255.255.0 gw 192.168.20.1 dev eth1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
Try ping UML2 from VM and vice versa. You should be able to ping in both directions.
I am new to openstack and I followed the installation guide of icehouse for ubuntu 12.04/14.04
I chose 3 node architecture. Controller, Nova, Neutron.
The 3 nodes are installed in VM's. I used nested KVM. Inside VM's kvm is supported so nova will use virt_type=kvm. In controller I created 2 nics. eth0 is a NAT interface with ip 203.0.113.94 and eth1 a host only interface with ip 10.0.0.11.
In nova there are 3 nics. eth0 NAT - 203.0.113.23, eth1 host only 10.0.0.31 and eth2 another host only 10.0.1.31
In neutron 3 nics. eth0 NAT 203.0.113.234, eth1 host only 10.0.0.21 and eth2 another host only 10.0.1.21 (during the installation guide, in the neutron node I created a br-ex (and a port to eth0) which took the settings of eth0; the eth0 settings are:
auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
)
Everything seemed fine. I can create networks, routers etc, boot instances but I have this error.
When I launch an instance it takes a fixed ip but when I log in into instance (cirros) can't ping anything. ifconfig with no ip.
I noticed that in demo-net (tenant network) properties, under subnet, the ports field has 3 ports:
172.16.1.1 network:router_interface active
172.16.1.3 network:dhcp active
172.16.1.6 compute:nova down
I searched for solutions over the net but couldn't find anything!
Any help?
Ask me if you want specific logs because I don't know which ones to post!
Thanks anyway!
Looks like you are using the fixed IP to ping. If so, please assign a floating IP to your instance, and then try to ping.
If you have already assigned a floating IP and you are pinging using that IP, please upload the log of your instance.
I am experimenting with openflow on a setup on emulab. Emulab is a testbed for network experimentation.
I have the following topology. I have 4 regular PC machines, hosta, hostb, switch, and controller.
hosta, hostb, and controller are connected by a gigabit lan to switch. Switch has eth0 for internet connectivity and eth4-6 for all the other hosts. IP addresses follow this sort of pattern, eth4 10.10.1.x, eth5 10.10.2.x and so on.
I am basically following this guide http://geni-app-developer-documentation.readthedocs.org/en/latest/examples/example-3.html
Here is my problem: the guide says that I should create two different bridge interfaces using openvswitch, br-int and br-int1. Then it proceeds to set br-int to request flows from the controller. This makes no sense to me for three reasons.
1) br-int1 should also be requesting from the controller.
2) It seems to me that a bridge interface in this guide is really a switch, and there should only be one switch and hence only one bridge interface that includes all of eth4-6 as ports.
3) If the switch really is just "one" switch rather than multiple switches, then hosta and hostb should have IP addresses of this sort, 10.10.a.1 and 10.10.a.2 where a is the same.
I figured it out,
The correct method is this.
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth4
ovs-vsctl add-port br0 eth5
ovs-vsctl add-port br0 eth6
ifconfig eth4 0
ifconfig eth5 0
ifconfig eth6 0
ifconfig br0 10.10.10.1 netmask 255.255.255.0
route add -net 10.10.10.0 netmask 255.255.255.0 dev br0
Now in each of the three remaining nodes run the following command:
ifconfig eth 10.10.10.a
where eth is the interface on that node and a is a unique number.