Work in Progress
These are work in progress HOWTO projects. Beware, nothing below is certified to be correct in any way.
iptables, using multiple MAC addresses
The iptables, ifconfig, and network configuration below are from a reference Linux server.
# iptables-save
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -d 108.209.107.237/32 -i eth1 -j DNAT --to-destination 10.10.10.89
-A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.237
COMMIT
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:AC:DC:6C
inet addr:10.10.10.87 Bcast:10.10.10.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:0C:29:AC:DC:76
inet addr:108.209.107.237 Bcast:108.209.107.239 Mask:255.255.255.248
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
# cat network
NETWORKING=yes
HOSTNAME=c6x2ip87.local.zaptech.org
GATEWAY=108.209.107.238
NETWORKING_IPV6=no
IPV6INIT=no
Okay, so here is what is now active on Linux firewall 108.209.107.235 -> 10.10.10.81.
# iptables-save
[ not actually save, just dumps current iptables directives to stdout ]
*nat
:PREROUTING ACCEPT [161:13175]
:POSTROUTING ACCEPT [6:368]
:OUTPUT ACCEPT [1:108]
-A PREROUTING -d 108.209.107.235/32 -i eth1 -j DNAT --to-destination 10.10.10.89
-A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.235
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [422:49938]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
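As an added example (not from these notes), a shell audit that checks an iptables-save dump for the properties the rules above rely on: every DNAT target is reachable only through a port-restricted FORWARD ACCEPT, nothing broader accepts traffic to it, and the FORWARD chain ends in REJECT. The sample dumps are constructed from the reference server's rules.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an iptables-save dump for the
# 1:1 NAT pattern above. Each DNAT target must be reachable only through a
# FORWARD ACCEPT limited to explicit --dport(s), no broader ACCEPT may target it,
# and the FORWARD chain must end in REJECT or DROP.

audit_nat() {                      # $1 = file holding iptables-save output
    dump="$1"; rc=0
    last=$(grep -- '^-A FORWARD ' "$dump" | tail -n 1 || true)
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) echo "FORWARD chain does not end in REJECT/DROP"; rc=1 ;;
    esac
    for host in $(sed -n 's/.*-j DNAT --to-destination \([0-9.]*\).*/\1/p' "$dump"); do
        esc=$(printf '%s' "$host" | sed 's/\./\\./g')   # literal dots for grep
        if ! grep -- "^-A FORWARD -d $esc/32 " "$dump" | grep -- '--state NEW' \
                | grep -qE -- '--dports? '; then
            echo "no port-restricted FORWARD ACCEPT for DNAT target $host"; rc=1
        fi
        # any ACCEPT toward the host that names no port and is not reply-only traffic
        open=$(grep -- "^-A FORWARD -d $esc/32 .*-j ACCEPT" "$dump" \
                | grep -v -- '--dport' | grep -v -- '--state RELATED,ESTABLISHED' || true)
        if [ -n "$open" ]; then
            echo "unrestricted FORWARD ACCEPT toward $host: $open"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the nat and FORWARD rules copied from the reference server above.
good=$(mktemp)
cat >"$good" <<'EOF'
*nat
-A PREROUTING -d 108.209.107.237/32 -i eth1 -j DNAT --to-destination 10.10.10.89
-A POSTROUTING -s 10.10.10.89/32 -o eth1 -j SNAT --to-source 108.209.107.237
COMMIT
*filter
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.10.89/32 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# Constructed bad variant: the port restriction removed, so every port and protocol on the host is exposed.
bad=$(mktemp)
sed 's/ -p tcp -m multiport --dports 80,443//' "$good" >"$bad"

audit_nat "$good" && echo "reference ruleset: OK"
audit_nat "$bad" || echo "bad variant: flagged"
```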
Also disable IPv6; with the config above you don't want your firewall accepting anything except IPv4. Requires a reboot, just to be sure.
# cat /etc/modprobe.d/disable_ipv6.conf
options ipv6 disable=1
More fun: VMware and CentOS screw up paravirtual network driver performance; some ethtool directives can address this.
# cat notes.txt
http://wiki.centos.org/TipsAndTricks/IPForwarding
/etc/sysctl.conf/net.ipv4.ip_forward = 1
[ is this realtime, or requires reboot? ]
# ethtool -K eth0 gso off
# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off
# ethtool -k eth1
Offload parameters for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off
Now for the internal server
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:9E:D6:DC
inet addr:10.10.10.89 Bcast:10.10.10.255 Mask:255.255.255.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: on
NFTables?
OS X, https
# apachectl stop
launchctl: Error unloading: org.apache.httpd
[ this means apachectl did not quietly launch https,
perhaps if certificate was given a passphrase ]
# httpd
httpd: Could not reliably determine the server's fully qualified domain name,
using mini.local.zaptech.org for ServerName
(48)Address already in use: make_sock: could not bind to address [::]:80
(48)Address already in use: make_sock: could not bind to address [::]:443
Apache/2.2.22 mod_ssl/2.2.22 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.example.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
# ps ax | grep http
88767 ?? Ss 0:00.25 httpd
88768 ?? S 0:00.02 httpd
88769 ?? S 0:00.02 httpd
88770 ?? S 0:00.02 httpd
# kill 88767
# ps ax | grep http
# pwd
/var/root/ssl/apache2
# ssh-keygen -f server.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in server.key.
Your public key has been saved in server.key.pub.
The key fingerprint is:
58:a3:c7:38:7c:d9:d9:51:99:59:f0:10:31:62:c7:e7 root@mini.local.zaptech.org
The key's randomart image is:
+--[ RSA 2048]----+
| o.OO.|
| . +=+.|
| o . o.|
| . * + o . E|
| * S o . |
| + |
| |
| |
| |
+-----------------+
# ls -lh
-rw------- 1 root wheel 1.6K Apr 7 00:42 server.key
-rw-r--r-- 1 root wheel 409B Apr 7 00:42 server.key.pub
# openssl req -new -key server.key -out request.csr
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Cupertino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:zap technologies
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Rick Armstrong
Email Address []:info@zaptech.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ls -lt
-rw-r--r-- 1 root wheel 1041 Apr 7 00:44 request.csr
-rw------- 1 root wheel 1675 Apr 7 00:42 server.key
-rw-r--r-- 1 root wheel 409 Apr 7 00:42 server.key.pub
# openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=CA/L=Cupertino/O=zap technologies/CN=Rick Armstrong/emailAddress=info@zaptech.com
Getting Private key
# ls -lh
-rw-r--r-- 1 root wheel 1.0K Apr 7 00:44 request.csr
-rw-r--r-- 1 root wheel 1.2K Apr 7 00:44 server.crt
-rw------- 1 root wheel 1.6K Apr 7 00:42 server.key
-rw-r--r-- 1 root wheel 409B Apr 7 00:42 server.key.pub
# cd /etc/apache2
[ in the past /etc/apache2/ssl was used ]
# cp ~/ssl/apache2/server.crt .
# cp ~/ssl/apache2/server.key .
# ls -lh
-rw-r--r-- 1 root wheel 1.2K Apr 7 00:46 server.crt
-rw------- 1 root wheel 1.6K Apr 7 00:46 server.key
# httpd
httpd: Could not reliably determine the server's fully qualified domain name,
using mini.local.zaptech.org for ServerName
# ps ax | grep -i http
88828 ?? Rs 0:00.39 httpd
88829 ?? S 0:00.01 httpd
# kill 88828
# ps ax | grep -i http
# rcsdiff /etc/apache2/httpd.conf
161a162
> ServerName mini.local.zaptech.org
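Review bot: the ServerName added at 161a162 addresses the "Could not reliably determine the server's fully qualified domain name" warning printed by both manual httpd runs above; confirm the edited config with `apachectl configtest` rather than another foreground `httpd` start, which each time left processes that had to be killed by PID.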
469c470
< #Include /private/etc/apache2/extra/httpd-vhosts.conf
---
> Include /private/etc/apache2/extra/httpd-vhosts.conf
481c482
< #Include /private/etc/apache2/extra/httpd-ssl.conf
---
> Include /private/etc/apache2/extra/httpd-ssl.conf
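Review bot: enabling httpd-ssl.conf at 481c482 only works if the SSLCertificateFile and SSLCertificateKeyFile paths inside that file point at the server.crt and server.key copied into /etc/apache2 above, and if that key carries no pass phrase, since the earlier launchctl unload error and the "Pass Phrase Dialog" show httpd stopping for a prompt that apachectl cannot answer; run `apachectl configtest` and check those paths before `apachectl start`.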
# apachectl start
# ps ax | grep -i http
88865 ?? Ss 0:01.37 /usr/sbin/httpd -D FOREGROUND
88866 ?? S 0:00.00 /usr/sbin/httpd -D FOREGROUND
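An added example, not part of the original notes: one openssl step that produces the Apache key and self-signed certificate with a subjectAltName for the host name and no pass phrase on the key, plus a check. It assumes OpenSSL 1.1.1 or later and reuses the host name mini.local.zaptech.org and subject fields from the session above.

```shell
#!/bin/sh
# Added example, not from the original notes: produce the Apache key and
# self-signed certificate in one openssl step instead of ssh-keygen + req + x509.
# Two deliberate differences from the session above: the key is written without
# a pass phrase (-nodes), so apachectl and launchd never block on a prompt, and
# the certificate carries a subjectAltName for the host name, which is what
# clients match (a CN holding a person's name does not match mini.local.zaptech.org).
# Assumes OpenSSL 1.1.1 or newer, which is needed for -addext.

make_self_signed() {               # $1 = host name, $2 = output directory
    host="$1"; dir="$2"
    umask 077                      # the private key must not be group/world readable
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=US/ST=CA/L=Cupertino/O=zap technologies/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 644 "$dir/server.crt"    # the certificate is public; the key stays 0600
}

# Returns 0 only if the certificate matches the host name, is not expired,
# and the key is stored unencrypted.
check_self_signed() {              # $1 = host name, $2 = directory
    openssl x509 -in "$2/server.crt" -noout -checkhost "$1" | grep -q 'does match' || return 1
    openssl x509 -in "$2/server.crt" -noout -checkend 0 >/dev/null || return 1
    ! grep -q 'ENCRYPTED' "$2/server.key" || return 1
}

out=$(mktemp -d)
make_self_signed mini.local.zaptech.org "$out"
check_self_signed mini.local.zaptech.org "$out" && echo "server.crt is valid for mini.local.zaptech.org"
check_self_signed www.example.com "$out" || echo "server.crt does not cover www.example.com (expected)"
```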