Friday, 8 October 2010

Network Management on Fedora 12

Recently I had to activate a second network interface on a Fedora 12 installation at work. The server has two interfaces (eth0 and eth1), but only one (eth0) was active, and it accepted connections from in-house only. The project wants to give the customer a preview, so I had to move the server to the DMZ. To avoid collisions between my work as system administrator and the development team, I decided to activate the second interface (eth1) for the DMZ.

The last time I did this was on Fedora 8 or 9; after adding the second interface as usual, nothing happened. ifconfig -a showed that the adapter was not configured at all.

The Network Subsystem

The network service I knew is disabled (check with chkconfig --list | grep network) and down. So the configuration files and tools belonging to this subsystem no longer change the network behaviour of Fedora.

The Network Manager

NetworkManager replaces the network service (chkconfig --list | grep NetworkManager). NetworkManager is great if you have direct access to the system console (notebook, workstation) and know what you are doing. I access the server over an old-fashioned TTY connection and cannot use the GNOME applet.

The ncftool

ncftool is part of netcf, a cross-platform network configuration library. It wasn't installed on the server, but as soon as I typed the command Fedora asked whether I wanted to install the package.

How to add the adapter

First of all I had to gather all the information needed to configure the adapter:
  • The static IP address of the server
  • The network mask of the IP segment
  • The IP address of the gateway
  • The MAC address of the adapter (optional, but recommended)
  • The IP addresses of the DNS servers
The next step was to put all this information into an XML file, which ncftool uses to configure the new adapter.
<?xml version="1.0"?>
<interface type="ethernet" name="eth1">
  <start mode="onboot"/>
  <mac address="00:22:19:83:77:1B"/>
  <protocol family="ipv4">
    <ip address="192.168.1.111" prefix="24"/>
    <route gateway="192.168.1.1"/>
  </protocol>
</interface>
The example should be self-explanatory; the prefix is the length of the network mask (24 bits, i.e. 255.255.255.0). The MAC address is shown by ifconfig -a (HWaddr). I stored this XML structure in the file /tmp/eth1.xml. More sample configurations are available in netcf.git.

At this point I configured the network interface:
[root@myserver] # ncftool
ncftool > define /tmp/eth1.xml
ncftool > ifup eth1
ncftool > quit
The interface worked, but it could not resolve domain names. I didn't find a way to configure the DNS servers with ncftool, so I had to edit the file /etc/sysconfig/network-scripts/ifcfg-eth1:
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.111
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
TYPE=Ethernet
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
NAME="System eth1"
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
HWADDR=00:22:19:83:77:1B
DNS1=192.168.1.11
The last line was added manually. The syntax for a DNS entry is DNSn=xxx.xxx.xxx.xxx (DNS1, DNS2, and so on). Afterwards NetworkManager has to be restarted (/etc/init.d/NetworkManager restart). Since I was working remotely, I had to reboot the entire server.

The new adapter started to work properly for outgoing connections, but some incoming connections were refused. The reason was the missing iptables configuration. I had to edit the file /etc/sysconfig/iptables:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7001 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
I added lines 11, 12 and 13, which accept connections to ports 80 and 443 from everywhere on any interface, and connections to port 7001 from everywhere on the interface eth0. Since eth0 is reachable from in-house only, nobody can connect to port 7001 from the Internet (-i eth0 matches the interface a packet arrives on, so a packet for port 7001 that enters through eth1 is rejected even if it is addressed to eth0's IP). After changing the rules the service has to be restarted (/etc/init.d/iptables restart).
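Before restarting the service it is worth checking two things in the rules file: which ports accept new connections on the DMZ side, and whether every rule parses, because a rule that iptables-restore rejects can leave the host without filtering after a restart. The script below is an added example, not code from the post or from Fedora: the rules string is a constructed sample modelled on the post's file (written with the --dport that the port-7001 rule needs), and the second sample drops that --dport to show what the parse check catches.

```shell
#!/bin/sh
# Added example (not from the original post): audit an /etc/sysconfig/iptables
# file before "/etc/init.d/iptables restart".
#   1. exposed_ports   - which ports accept new connections, per ingress interface
#   2. bare_port_rules - tcp/udp rules with a bare number but no --dport/--sport,
#                        which iptables-restore refuses
# SAMPLE_RULES is a constructed copy of the post's file (comments omitted).

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7001 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The same file with "--dport" dropped from the 7001 rule: the kind of typo
# that makes iptables-restore fail on the whole file.
BROKEN_RULES=$(printf '%s\n' "$SAMPLE_RULES" | sed 's/--dport 7001/7001/')

# Write a rules string to a temporary file and print its path.
rules_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Print "iface proto port" for each INPUT ACCEPT rule carrying --dport.
# "any" means the rule has no -i match, so the port is open on every
# interface, the DMZ-facing eth1 included.
exposed_ports() {
    awk '
    /^-A INPUT / && /-j ACCEPT/ {
        iface = "any"; proto = "-"; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i")      iface = $(i + 1)
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
        }
        if (port != "") print iface, proto, port
    }' "$1"
}

# Print line number and text of tcp/udp rules that carry a bare number
# where --dport or --sport was meant. Returns 1 if any were found.
bare_port_rules() {
    awk '
    /^-A / && /-p (tcp|udp)/ && !/--dport/ && !/--sport/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+$/) { print NR ": " $0; found = 1; break }
    }
    END { exit (found ? 1 : 0) }' "$1"
}

# Usage: sh audit-iptables.sh /etc/sysconfig/iptables   (assumed script name)
if [ -n "${1:-}" ]; then
    exposed_ports "$1"
    bare_port_rules "$1" ||
        echo "fix the rules above before restarting iptables" >&2
fi
```

On the post's rule set the audit prints "any tcp 22" alongside the 80/443 entries: ssh is answered on eth1 as well, so if it should stay in-house only it needs the same -i eth0 match as the 7001 rule. Where iptables-restore supports it, iptables-restore --test < /etc/sysconfig/iptables is the authoritative parse check; the awk check above only catches the bare-port mistake offline.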
