So my son finally got a computer game which was something I could so see myself getting - Star Wars: Empire at War. And my wife hasn't been able to get to her computer. The other factor is at some point he will want to start playing against me online - which means I'll need to get a second copy of the software.
I've been waiting for this for a couple of years, she finally asked me if the Monster needed his own computer. I laughed. She said it didn't have to be much. I laughed some more - it is for gaming, right?
When I bought my wife an EasyShare z740 for her birthday, I took him with me to Staples. He was looking and asked, "Who would pay $1000 for a camera?" I replied, "Someone who liked to take nice pictures." I then asked him, "Who would pay a $1000 for a new computer?" Without blinking, he said, "You Daddy!"
Now, I didn't pay $1000 on the camera and I wouldn't pay $1000 on a new computer for him. But my wife has some vision of me spending $200 on something for him and that won't do. New parts would kill me and the budget.
I also don't think she was considering where we will get a monitor. I refuse to give him an analog, or something much less than DVI. I don't want to be paying that back in glasses prescriptions.
This time I missed getting the package by 30s - I had to run downstairs.
This was an extra 512M of RAM for my Ultra 10 Sparc. The contents were securely packaged. Another good buy on Ebay.
Sweet!
ok
Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 333MHz), No Keyboard
OpenBoot 3.19, 1024 MB (50 ns) memory installed, Serial #12676883.
Ethernet address 8:0:20:c1:6f:13, Host ID: 80c16f13.
I tried to copy some stuff onto adept from mrx. It didn't work. I can get to everything but the router box. A quick ping test from adept shows it must be the iptables rules on mrx:
[tdh@mrx ~]> ssh adept
tdh@adept's password:
Last login: Fri Mar 24 03:26:26 2006 from mrx.internal.excfb.com
[tdh@adept ~]> ping mrx
PING mrx.internal.excfb.com (192.168.2.101) 56(84) bytes of data.
--- mrx.internal.excfb.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1012ms
[tdh@adept ~]> ping kanigix
PING kanigix.internal.excfb.com (192.168.3.109) 56(84) bytes of data.
64 bytes from kanigix.internal.excfb.com (192.168.3.109): icmp_seq=0 ttl=255 time=0.711 ms
64 bytes from kanigix.internal.excfb.com (192.168.3.109): icmp_seq=1 ttl=255 time=0.299 ms
--- kanigix.internal.excfb.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.299/0.505/0.711/0.206 ms, pipe 2
[tdh@adept ~]>
So I can go out from mrx to adept with ssh, but once there I can't get back. Further, I can ping kanigix, which means the FORWARD rules are working. Okay, what do the rules look like?
[root@mrx ~]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
There it is. The INPUT policy is DROP, the first rule only admits replies to connections mrx itself opened (ESTABLISHED,RELATED), and the second ACCEPT is the loopback rule, whose -i lo match iptables -L hides unless you add -v. A fresh ping or ssh arriving on eth0 matches neither and falls through to the policy, which is why I can get out to adept but not back in. Also, remember I said the rules could be easier. Well, let's do that. First flush the rules, which leaves just the chain policies:
[root@mrx ~]# iptables -F
[root@mrx ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
We need to accept all INPUT packets:
[root@mrx ~]# iptables -I INPUT -j ACCEPT
[root@mrx ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
And now we need to do forwarding:
[root@mrx ~]# iptables -I FORWARD -j ACCEPT
[root@mrx ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
And does it work?
[tdh@adept ~]> ping mrx
PING mrx.internal.excfb.com (192.168.2.101) 56(84) bytes of data.
64 bytes from mrx.internal.excfb.com (192.168.2.101): icmp_seq=0 ttl=64 time=0.144 ms
64 bytes from mrx.internal.excfb.com (192.168.2.101): icmp_seq=1 ttl=64 time=0.166 ms
--- mrx.internal.excfb.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1014ms
rtt min/avg/max/mdev = 0.144/0.155/0.166/0.011 ms, pipe 2
[tdh@adept ~]> ping kanigix
PING kanigix.internal.excfb.com (192.168.3.109) 56(84) bytes of data.
64 bytes from kanigix.internal.excfb.com (192.168.3.109): icmp_seq=0 ttl=255 time=1.87 ms
64 bytes from kanigix.internal.excfb.com (192.168.3.109): icmp_seq=1 ttl=255 time=0.283 ms
--- kanigix.internal.excfb.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.283/1.078/1.874/0.796 ms, pipe 2
[tdh@adept ~]>
Buyer beware, I have a very simple setup because this is not connected to the Internet. I want a very simple rule of passing everything across. I don't do any of the tricks to throw out malformed packets, ones to NetBIOS, etc. I want everything to go across for packet capturing programs like snoop and ethereal to digest.
Let's commit the changes. The iptables init script reads /etc/sysconfig/iptables at boot, and iptables-save writes exactly the format it expects:
[root@mrx ~]# /sbin/iptables-save > /etc/sysconfig/iptables.rules
[root@mrx ~]# more /etc/sysconfig/iptables.rules
# Generated by iptables-save v1.3.5 on Fri Mar 24 11:09:35 2006
*filter
:INPUT DROP [3604:310506]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13553:2085282]
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
# Completed on Fri Mar 24 11:09:35 2006
[root@mrx ~]# cp /etc/sysconfig/iptables.rules /etc/sysconfig/iptables
For right now, I do this in two steps to see what I'm writing and also to keep a backup.
I've been really grooving on Bob Marley and the Wailers (Africa Unite: Singles Collection). I was slow to warm up to it, but the last tracks have been getting a lot of replay of late. On the iPod, when an album/artist is done, it shuts off. I had it hooked up to the laptop to recharge. On iTunes, you go to the next song on the list.
In this case it was Don't Argue by Cabaret Voltaire off of the Eurobeat collection CD I have (great deal, at least 3-4 one hit wonders). I was blown away by the style and presence. At first I thought it was a Marley track I'd missed or deleted, not because of the style or influence (I'd say it's more techno/house than anything else) but because of the political message. I've had to go through the entire CD again to see if there were any other unknown gems.
I'm going to avoid the configuration on the Linux gateway for now. It and the sole box off of its second ethernet can talk. It just can't route yet.
Okay, the first task was enabling the second ethernet interface on sandman, which is the Ultra 5 I'm going to use for testing. Let's tell it that it has a new interface. On Solaris, /etc/hostname.hme1 gives the interface its name (kanigix, resolved through /etc/hosts); plumb creates the interface now, but the address is applied from that file at boot, hence the reboot:
# echo kanigix > /etc/hostname.hme1
# echo "192.168.3.109 kanigix" >> /etc/hosts
# ifconfig hme1 plumb
# reboot
I rebooted to make sure I came up clean.
Let's check the routing:
# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0          192.168.2.109        U         1      1  hme0
192.168.3.0          192.168.3.109        U         1      1  hme1
224.0.0.0            192.168.2.109        U         1      0  hme0
default              192.168.2.1          UG        1      0
127.0.0.1            127.0.0.1            UH        4     77  lo0
Okay, let's also tell another Sun box (ultralord, 192.168.2.104) about the new network:
# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0          192.168.2.104        U         1    143  hme0
224.0.0.0            192.168.2.104        U         1      0  hme0
default              192.168.2.1          UG        1      2
127.0.0.1            127.0.0.1            UH        4     81  lo0
# route add 192.168.3.0/24 192.168.2.101
add net 192.168.3.0/24: gateway 192.168.2.101
# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0          192.168.2.104        U         1    143  hme0
192.168.3.0          192.168.2.101        UG        1      0
224.0.0.0            192.168.2.104        U         1      0  hme0
default              192.168.2.1          UG        1      2
127.0.0.1            127.0.0.1            UH        4     81  lo0
# ping kanigix
^C
# traceroute kanigix
traceroute to kanigix (192.168.3.109), 30 hops max, 40 byte packets
 1  mrx.internal.excfb.com (192.168.2.101)  0.508 ms  0.271 ms  0.244 ms
 2  ^C
#
Okay, ultralord now knows to hand packets for 192.168.3.0/24 to mrx; the ping hangs and the traceroute stops at mrx because mrx isn't forwarding yet, which is a separate problem. We need to make the route persistent. With -p, route also records the entry in /etc/inet/static_routes (Solaris 10), so it comes back after a reboot:
# route -p add 192.168.3.0/24 192.168.2.101
add net 192.168.3.0/24: gateway 192.168.2.101: entry exists
add persistent net 192.168.3.0/24: gateway 192.168.2.101
# reboot
Did it work? Yes.
# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0          192.168.2.104        U         1      1  hme0
192.168.3.0          192.168.2.101        UG        1      0
224.0.0.0            192.168.2.104        U         1      0  hme0
default              192.168.2.1          UG        1      0
127.0.0.1            127.0.0.1            UH        1      0  lo0
Now I just have to get forwarding working on mrx. Let's start.
First let's get it to a known good state. Forwarding is already on in the kernel; the missing piece is the FORWARD chain, whose policy is DROP with no rules:
[root@mrx ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@mrx ~]# iptables --flush
[root@mrx ~]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mrx ~]# iptables --append FORWARD --in-interface dev8278 -j ACCEPT
[root@mrx ~]# iptables --append FORWARD --in-interface eth0 -j ACCEPT
[root@mrx ~]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mrx ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@mrx ~]# iptables -A INPUT -i lo -j ACCEPT
[root@mrx ~]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I'll digest it after some sleep, but it works:
# ping kanigix
kanigix is alive
# traceroute kanigix
traceroute to kanigix (192.168.3.109), 30 hops max, 40 byte packets
 1  mrx.internal.excfb.com (192.168.2.101)  0.191 ms  0.153 ms  0.146 ms
 2  kanigix.internal.excfb.com (192.168.3.109)  0.339 ms  0.221 ms  0.205 ms
The big problem now is that I did some route commands on the box and I need to make them simpler and persistent. From the shell history:
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1 dev dev8278
neat
neat
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1 dev dev8278
netstat -rn
ping www.sun.com
route del -net 192.168.3.0 netmask 255.255.255.0 gw 0.0.0.0 dev dev8278
netstat -rn
route del -net 192.168.3.0 netmask 255.255.255.0 gw 0.0.0.0 dev dev8278
netstat -rn
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1 dev dev8278
Instead of rebooting, let's restart the network service, which rebuilds the routing table from the interface configuration, and see what we get:
[root@mrx ~]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.3.0 192.168.3.1 255.255.255.0 UG 0 0 0 dev8278
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 dev8278
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
[root@mrx ~]# service network restart
Shutting down interface dev8278: [ OK ]
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: net.ipv4.ip_forward = 0
[ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface dev8278: [ OK ]
Bringing up interface eth0: [ OK ]
[root@mrx ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@mrx ~]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 dev8278
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
I think that is exactly what I want. :-> The hand-added route via 192.168.3.1 is gone and 192.168.3.0/24 is now a plain connected route on dev8278. Note that the restart reported disabling IPv4 forwarding on the way down, yet ip_forward reads 1 again afterwards; the Red Hat-style network script re-applies /etc/sysctl.conf when it starts, so check the value after every restart rather than assuming it survived. Can we get outside, on the test network, and to the internal subnet?
[root@mrx ~]# ping www.kanigix.org
PING www.kanigix.org (82.165.131.79) 56(84) bytes of data.
64 bytes from perfora.net (82.165.131.79): icmp_seq=1 ttl=53 time=64.1 ms
64 bytes from perfora.net (82.165.131.79): icmp_seq=2 ttl=53 time=62.3 ms
--- www.kanigix.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 62.376/63.259/64.143/0.918 ms
[root@mrx ~]# ping kanigix
PING kanigix.internal.excfb.com (192.168.3.109) 56(84) bytes of data.
64 bytes from kanigix.internal.excfb.com (192.168.3.109): icmp_seq=1 ttl=255 time=4.96 ms
64 bytes from kanigix.internal.excfb.com (192.168.3.109): icmp_seq=2 ttl=255 time=0.200 ms
--- kanigix.internal.excfb.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.200/2.581/4.963/2.382 ms
[root@mrx ~]# ping adept
PING adept.internal.excfb.com (192.168.2.108) 56(84) bytes of data.
64 bytes from adept.internal.excfb.com (192.168.2.108): icmp_seq=1 ttl=64 time=0.130 ms
--- adept.internal.excfb.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.130/0.130/0.130/0.000 ms
And can we still route?
# ping kanigix
kanigix is alive
# traceroute kanigix
traceroute to kanigix (192.168.3.109), 30 hops max, 40 byte packets
 1  mrx.internal.excfb.com (192.168.2.101)  0.220 ms  0.151 ms  0.147 ms
 2  kanigix.internal.excfb.com (192.168.3.109)  0.291 ms  0.219 ms  0.205 ms
So my remaining tasks, before I can make iptables randomly drop NFS requests, are:
The first is low priority - until the SETCLIENTID bug fix makes its way upstream with the Linux code. And time to try the second:
[root@mrx ~]# /sbin/iptables-save > /etc/sysconfig/iptables.rules
[root@mrx ~]# more /etc/sysconfig/iptables.rules
# Generated by iptables-save v1.3.5 on Fri Mar 24 02:35:06 2006
*filter
:INPUT DROP [858:82989]
:FORWARD DROP [21:1280]
:OUTPUT ACCEPT [10389:977330]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i dev8278 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Completed on Fri Mar 24 02:35:06 2006
[root@mrx ~]# cp /etc/sysconfig/iptables.rules /etc/sysconfig/iptables
One reboot later and that task is out of the way. I now have a Linux box which will service routing requests for a test subnet. I will soon be able to control NFSv4 traffic going back and forth. Note that the iptables rules above are probably more complex than I need right now: on an isolated test network I could just change the default policy to ACCEPT for both INPUT and FORWARD and do without the other rules. But since I am going to add more rules for the NFS ports, I'm okay with it for right now.
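Both rulesets on this page (the accept-everything pair committed above, and the default-DROP set with the ESTABLISHED,RELATED and loopback rules) were built by typing live iptables commands and then copying iptables-save output into place. The script below is an added example, not the post's own code: it generates the mrx ruleset in the same iptables-save format and loads it in one shot with iptables-restore, so the rules are never half-applied. The interface names (eth0 on 192.168.2.0/24, dev8278 on 192.168.3.0/24) and addresses are the post's; pinning the FORWARD rules to an interface pair plus source subnet, and admitting ssh into mrx only from adept (192.168.2.108), are my additions for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Generates and loads the mrx
# firewall in iptables-save format. Assumptions (labelled): eth0 faces the
# internal 192.168.2.0/24 and dev8278 the test 192.168.3.0/24 (from the post);
# restricting inbound ssh to adept (192.168.2.108) is my choice for this example.
INSIDE_IF=eth0
TEST_IF=dev8278
INSIDE_NET=192.168.2.0/24
TEST_NET=192.168.3.0/24
ADMIN_HOST=192.168.2.108

# gen_rules: print a complete *filter table. Policies stay DROP on INPUT and
# FORWARD as in the post. Unlike the post's "-i eth0 -j ACCEPT" pair, each
# FORWARD rule names the in/out interface pair and the source subnet, so a
# packet arriving on eth0 with a forged 192.168.3.x source is dropped.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INSIDE_IF -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $INSIDE_IF -o $TEST_IF -s $INSIDE_NET -d $TEST_NET -j ACCEPT
-A FORWARD -i $TEST_IF -o $INSIDE_IF -s $TEST_NET -d $INSIDE_NET -j ACCEPT
COMMIT
EOF
}

# forward_rule_count: how many FORWARD rules the generated table carries.
forward_rule_count() {
  gen_rules | grep -c '^-A FORWARD '
}

# input_policy: the INPUT chain policy in the generated table.
input_policy() {
  gen_rules | awk '$1 == ":INPUT" { print $2 }'
}

# apply_rules: load the whole table atomically, then persist it where the
# Red Hat-style iptables init script reads it at boot. Needs root; on a box
# without iptables-restore it returns failure instead of doing anything.
apply_rules() {
  command -v iptables-restore >/dev/null 2>&1 || return 1
  gen_rules | iptables-restore || return 1
  iptables-save > /etc/sysconfig/iptables
}

# Usage: sh mrx-rules.sh show   (print the table)
#        sh mrx-rules.sh apply  (load and persist, as root)
case "${1:-}" in
  show)  gen_rules ;;
  apply) apply_rules ;;
esac
```

Because iptables-restore replaces the table in a single commit, a mistake in the file leaves the old rules in place rather than a chain that is half flushed; review the output of `sh mrx-rules.sh show` before applying, and keep the ICMP echo rule if you still want adept to be able to ping the router, which is exactly what the DROP policy was blocking above.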
You might think the correct answer is /etc/sysconfig/static-routes or /etc/rc.local, but no, it is: /etc/sysconfig/network-scripts/route-eth0. Here is mine after the reboot:
[tdh@adept ~]> more /etc/sysconfig/network-scripts/route-eth0
192.168.3.0/24 via 192.168.2.101
[tdh@adept ~]> netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     192.168.2.101   255.255.255.0   UG        0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eth0
[tdh@adept ~]> ping kanigix
PING kanigix.internal.excfb.com (192.168.3.109) 56(84) bytes of data.
64 bytes from kanigix.internal.excfb.com (192.168.3.109): icmp_seq=0 ttl=255 time=4.48 ms
--- kanigix.internal.excfb.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.482/4.482/4.482/0.000 ms, pipe 2
[tdh@adept ~]> traceroute kanigix
traceroute to kanigix.internal.excfb.com (192.168.3.109), 30 hops max, 38 byte packets
 1  mrx (192.168.2.101)  0.181 ms  0.120 ms  0.095 ms
 2  kanigix (192.168.3.109)  0.330 ms  0.203 ms  0.188 ms
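The same check was done by eye twice on this page: once on ultralord after `route -p add` and the reboot, and once here on adept after the route-eth0 file. The script below is an added example, not the post's own code. It reads `netstat -rn` output in both the Solaris and the Linux layout and succeeds only when a gateway route for 192.168.3.0/24 via mrx (192.168.2.101) is present, so a directly connected 192.168.3.0 entry like sandman's, or the stray route via 192.168.3.1 that mrx had earlier, does not count. The three sample tables are constructed from the post's own output; the persist_route helper applies the page's two persistence methods by OS and is my addition.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies from `netstat -rn`
# output that a host routes the test subnet through mrx. Addresses are the
# post's; the sample tables below are constructed from the post's output.
TEST_NET=192.168.3.0
ROUTER=192.168.2.101

# has_route TEXT: succeed when TEXT (a `netstat -rn` dump) contains a gateway
# route for TEST_NET via ROUTER. Solaris prints Flags in column 3, Linux in
# column 4 (after Genmask); destination and gateway are columns 1 and 2 on
# both, so one awk program covers both formats. A connected route (flag U,
# no G) or a different gateway does not satisfy the check.
has_route() {
  printf '%s\n' "$1" | awk -v net="$TEST_NET" -v gw="$ROUTER" '
    $1 == net && $2 == gw && ($3 ~ /G/ || $4 ~ /G/) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_live: run the check against this host's actual routing table.
check_live() {
  has_route "$(netstat -rn 2>/dev/null)"
}

# persist_route: make the route survive a reboot the way each OS expects,
# as done on the page: Solaris 10 `route -p` records it in
# /etc/inet/static_routes; Red Hat-style ifup scripts read route-eth0.
# Needs root; the interface name eth0 is an assumption.
persist_route() {
  case "$(uname -s)" in
    SunOS) route -p add "$TEST_NET/24" "$ROUTER" ;;
    Linux) printf '%s/24 via %s\n' "$TEST_NET" "$ROUTER" \
             >> /etc/sysconfig/network-scripts/route-eth0 ;;
    *)     return 1 ;;
  esac
}

# Constructed sample: ultralord before `route add` (no test-net route).
ULTRALORD_BEFORE='Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0          192.168.2.104        U         1    143  hme0
224.0.0.0            192.168.2.104        U         1      0  hme0
default              192.168.2.1          UG        1      2
127.0.0.1            127.0.0.1            UH        4     81  lo0'

# Constructed sample: ultralord after `route -p add` and the reboot.
ULTRALORD_AFTER='Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0          192.168.2.104        U         1      1  hme0
192.168.3.0          192.168.2.101        UG        1      0
224.0.0.0            192.168.2.104        U         1      0  hme0
default              192.168.2.1          UG        1      0
127.0.0.1            127.0.0.1            UH        1      0  lo0'

# Constructed sample: adept (Linux) after route-eth0 and the reboot.
ADEPT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     192.168.2.101   255.255.255.0   UG        0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eth0'

# Constructed sample: sandman, where 192.168.3.0 is directly connected on
# hme1 rather than reached via mrx; this must not pass the check.
SANDMAN='Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0          192.168.2.109        U         1      1  hme0
192.168.3.0          192.168.3.109        U         1      1  hme1
default              192.168.2.1          UG        1      0
127.0.0.1            127.0.0.1            UH        4     77  lo0'
```

Run `check_live` on each client after its reboot; on ultralord it should succeed only once `route -p` has been used, and on adept only once route-eth0 is in place, which is the "Did it work?" step done by the machine instead of by reading the table.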
So my tasks are all done. I'm ready to reconfigure the iptable rules to randomly drop NFSv4 packets. But that is for another day.