System configuration and management part 1

Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems

## same whether teaming for Load balancing or aggregating multiple links ## config in json format ## check your ethernet devices and identify 2 that are currently not used in any connection [root@rhel7mgmt1 ~]# nmcli device status DEVICE TYPE STATE CONNECTION enp0s3 ethernet connected enp0s3 virbr0 bridge connected virbr0 enp0s8 ethernet disconnected -- enp0s9 ethernet disconnected -- lo loopback unmanaged -- virbr0-nic tun unmanaged -- ## create your teaming connection nmcli con add type team con-name lateam0 ifname lateam0 config '{"runner": {"name":"activebackup" }}' ## assign ip manually to lateam0 nmcli con mod lateam0 ipv4.addresses '192.168.0.10/24' nmcli con mod lateam0 ipv4.method manual teamdctl lateam0 state

output setup: runner: activebackup runner: active port:## start add ports to the team nmcli con add type team-slave con-name lateam0-port1 ifname enp0s8 master lateam0 nmcli con add type team-slave con-name lateam0-port2 ifname enp0s9 master lateam0 ## activate nmcli con up lateam0-port1 nmcli con up lateam0-port2 nmcli con up lateam0 teamdctl lateam0 stateoutput

setup: runner: activebackup ports: enp0s8 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up down count: 0 enp0s9 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up down count: 0 runner:## test down one interface## take note active port fail over to other slave port if that port is brought down
nmcli con down lateam0-port1 ## check state teamdctl lateam0 state

output

setup: runner: activebackup ports: enp0s9 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up down count: 0 runner: active port: enp0s9

## to delete the teamingnmcli con down lateam0-port2 nmcli con down lateam0-port1
nmcli con delete lateam0-port1 nmcli con delete lateam0-port2 nmcli con delete lateam0

back to Objectives

Configure IPv6 addresses and perform basic IPv6 troubleshooting

# after adding a new ethernet interface, eg enp0s9 shown in ifconfig ifconfig

# but not shown in nmclinmcli con show

# add new connection for that interfacenmcli con add con-name enp0s9 type ethernet ifname enp0s9 nmcli con show

# add statically assigned ip4 and ipv6 addresses and up the connection nmcli con mod enp0s9 ipv4.addresses "192.168.0.10/24" nmcli con mod enp0s9 ipv4.method manual nmcli con mod enp0s9 ipv6.addresses "fddb:fe2a:ab1e::c0a8:64/64"nmcli con mod enp0s9 ipv6.method manualnmcli con up enp0s9 nmcli con show ifconfig ## NOTE:: If you encounter following error Error: Failed to modify connection 'enp0s9': ipv6.addresses: this property is not allowed for 'method=ignore'
can be resolved by putting both ipv6.method and ipv6.addresses in the same line
nmcli con mod enp0s9 ipv6.method manual ipv6.addresses "fddb:fe2a:ab1e::c0a8:64/64" # ping locally via that interfaceping 192.168.0.10 ping6 -I enp0s9 fddb:fe2a:ab1e::c0a8:64

# repeat the ping from another machine on the same networkping 192.168.0.10 ping6 fddb:fe2a:ab1e::c0a8:64

# alternatively can use nmtui for text menu based configuration

# or the Network Manager GUI

back to Objectives

Route IP traffic and create static routes

## to check your route the legacy way[root@rhel7server1 ~]# netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 enp0s3 10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s3 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s8 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0 ## or the new way [root@rhel7server1 ~]# ip route list default via 10.0.2.2 dev enp0s3 proto dhcp metric 100 10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100 192.168.0.0/24 dev enp0s8 proto kernel scope link src 192.168.0.10 metric 101 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

[root@rhel7server1 ~]# ping www.google.com PING www.google.com (74.125.24.103) 56(84) bytes of data. 64 bytes from 74.125.24.103 (74.125.24.103): icmp_seq=1 ttl=51 time=5.14 ms 64 bytes from 74.125.24.103 (74.125.24.103): icmp_seq=2 ttl=51 time=6.14 ms ## test add static route [root@rhel7server1 ~]# ip route add 172.125.24.0/24 via 10.0.2.2 dev enp0s3 ## display the routes [root@rhel7server1 ~]# ip route list default via 10.0.2.2 dev enp0s3 proto dhcp metric 100 10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100 172.125.24.0/24 via 10.0.2.2 dev enp0s3 192.168.0.0/24 dev enp0s8 proto kernel scope link src 192.168.0.10 metric 101 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 # to delete the static route [root@rhel7server1 ~]# ip route del 172.125.24.0/24 via 10.0.2.2 dev enp0s3 # display new route[root@rhel7server1 ~]# ip route list efault via 10.0.2.2 dev enp0s3 proto dhcp metric 100 10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100 192.168.0.0/24 dev enp0s8 proto kernel scope link src 192.168.0.10 metric 101 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 ## to create persistent static route, either ## (1) Add the routes into /etc/sysconfig/static-routes ## we know this because the network service is started by /etc/rc.d/init.d/network script ## that script checks for presence of /etc/sysconfig/static-routes [root@rhel7server1 ~]# systemctl status network ● network.service - LSB: Bring up/down networking Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled) Active: active (running) since Tue 2020-03-03 03:37:23 UTC; 28min ago [root@rhel7server1 ~]# grep static /etc/rc.d/init.d/network # Add non interface-specific static-routes. if [ -f /etc/sysconfig/static-routes ]; then grep "^any" /etc/sysconfig/static-routes | while read ignore args ; do net_log $"Legacy static-route support not available: /sbin/route not found" ## edit the static route file[root@rhel7server1 ~]# vi /etc/sysconfig/static-routes ## add the following and save any net 74.125.24.0 netmask 255.255.255.0 gw 10.0.2.2 dev enp0s3 ## or (2) edit interface specific static route file in /etc/sysconfig/network-scripts/route-interface [root@rhel7server1 ~]# vi /etc/sysconfig/network-scripts/route-enp0s3 ## add the route eg. the following74.125.25.0/24 via 10.0.2.2

## restart network service and re-check routing table [root@rhel7server1 sysconfig]# systemctl restart network [root@rhel7server1 sysconfig]# ip route listdefault via 10.0.2.2 dev enp0s3 proto dhcp metric 100 10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100 74.125.24.0/24 via 10.0.2.2 dev enp0s3 <=== added by /etc/sysconfig/static-routes 74.125.25.0/24 via 10.0.2.2 dev enp0s3 proto static metric 100 <== added by /etc/sysconfig/network-scripts/route-enp0s3 192.168.0.0/24 dev enp0s8 proto kernel scope link src 192.168.0.10 metric 101 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

back to Objectives

Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)

### TO ENABLE A http SERVICE IN THE DEFAULT ZONE## before enabling, list currently enabled services [root@rhel7server1 ~]# firewall-cmd --list-service ssh dhcpv6-client dns nfs ## enable http [root@rhel7server1 ~]# firewall-cmd --permanent --add-service=http success ## reload firewalld [root@rhel7server1 ~]# firewall-cmd --reload success ## list enabled services now [root@rhel7server1 ~]# firewall-cmd --list-service ssh dhcpv6-client dns nfs http

### TO USE THE GRAPHICAL USER INTERFACE OF FIREWALL-CMD [root@rhel7server1 ~]# firewall-config ### CHECK THAT FIREWALLD IS RUNNING [root@rhel7server1 ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2020-03-03 10:03:07 EST; 25min ago ## or [root@rhel7server1 ~]# firewall-cmd --state running ## Note: if the server is multi homed and you want to allow routing traffic to different interface, you must enable ip forwarding ## i.e. set kernel parameter net.ipv4.ip_forward=1 permanently by adding into /etc/sysctl.conf ### LIST AVAILABLE ZONES [root@rhel7server1 ~]# firewall-cmd --get-zones block dmz drop external home internal public trusted work ### GET THE DEFAULT ZONE [root@rhel7server1 ~]# firewall-cmd --get-default-zone public ### LIST ACTIVE ZONES [root@rhel7server1 ~]# firewall-cmd --get-active-zones public interfaces: enp0s3 enp0s8 ### CHANGE DEFAULT ZONE [root@rhel7server1 ~]# firewall-cmd --set-default-zone=home success [root@rhel7server1 ~]# firewall-cmd --get-default-zone home [root@rhel7server1 ~]# grep DefaultZone /etc/firewalld/firewalld.conf DefaultZone=home ### CHECK INTERFACES ASSOCIATED TO WHICH ZONE [root@rhel7server1 ~]# nmcli device status EVICE TYPE STATE CONNECTION enp0s3 ethernet connected enp0s3 enp0s8 ethernet connected enp0s8 enp0s9 ethernet connected enp0s9 lo loopback unmanaged -- ## get zones for each interface [root@rhel7server1 ~]# firewall-cmd --get-zone-of-interface=enp0s3 public [root@rhel7server1 ~]# firewall-cmd --get-zone-of-interface=enp0s8 no zone [root@rhel7server1 ~]# firewall-cmd --get-zone-of-interface=enp0s9 public## change zone for an interface

[root@rhel7mgmt1 ~]# firewall-cmd --change-zone=enp0s9 --zone=internal success [root@rhel7mgmt1 ~]# firewall-cmd --reload success [root@rhel7mgmt1 ~]# firewall-cmd --get-zone-of-interface=enp0s9 internal ### GET THE PERMANENT CONFIG OF THE public ZONE [root@rhel7server1 ~]# firewall-cmd --permanent --zone=public --list-all public target: default icmp-block-inversion: no

interfaces: sources: services: ssh dhcpv6-client dns nfs ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: ### CREATE NEW ZONE [root@rhel7server1 ~]# firewall-cmd --get-zones block dmz drop external home internal public trusted work [root@rhel7server1 ~]# firewall-cmd --permanent --new-zone=TEST success [root@rhel7server1 ~]# firewall-cmd --reload success [root@rhel7server1 ~]# firewall-cmd --get-zones TEST block dmz drop external home internal public trusted work ### GET ALL KNOWN SERVICES [root@rhel7server1 ~]# firewall-cmd --get-services RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client .... http .... xmpp-bosh xmpp-client xmpp-local xmpp-server ### GET HELP ON FIREWALLD RICH RULES SYNTAX [root@rhel7server1 ~]# man firewalld.richlanguage ### ADD / REMOVE RICH RULES ## add [root@rhel7server1 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.1.1" log accept' success ## verify [root@rhel7server1 ~]# firewall-cmd --list-rich-rules rule family="ipv4" source address="192.168.1.1" log accept ## remove [root@rhel7server1 ~]# firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.1.1" log accept' success ## re-list

[root@rhel7server1 ~]# firewall-cmd --list-rich-rules

### ANOTHER EXAMPLE OF RICH RULES## add[root@rhel7server1 html]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.20 service name="http" log level=notice prefix="[HTTP RULE] " limit value="20/s" accept' success ## apply [root@rhel7server1 html]# firewall-cmd --reload success ## test from the source [root@rhel7client1 html]# for i in {1..100};do curl http://rhel7server1;done; <html><body>rhel7server1 web server</body></html> ... <html><body>rhel7server1 web server</body></html> ## tail the log at the destination [root@rhel7server1 html]#tail /var/log/messages | grep HTTP.RULE ... ## to remove the rich rules[root@rhel7server1 html]# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family=ipv4 source address=192.168.0.20 service name="http" log level=notice prefix="[HTTP RULE] " limit value="20/s" accept'success[root@rhel7server1 html]# firewall-cmd --reload success### LISTING RICH RULES

[root@rhel7server1 ~]# firewall-cmd --list-rich-rules 

            rule family="ipv4" source address="192.168.0.20" forward-port port="8022" protocol="tcp" to-port="22"

### ADD A SOURCE TO A ZONE[root@rhel7server1 ~]# firewall-cmd --permanent --zone=work --add-source=172.31.1.1 success [root@rhel7server1 ~]# firewall-cmd --reload success ### GET DETAILED INFO FOR A ZONE [root@rhel7server1 ~]# firewall-cmd --info-zone=work work (active) target: default icmp-block-inversion: no interfaces: sources: 172.31.1.1 services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: ### NAT ### Type 1: IP masquerading ### Type 2: Port redirection ### NAT - PORT REDIRECTION ## test before : direct ssh to port 22 allowed, ssh to port 8022 not allowed [root@rhel7client1 ~]# ssh user1@rhel7server1 user1@rhel7server1's password: ******* [root@rhel7client1 ~]# ssh -p 8022 user1@rhel7server1 ssh: connect to host rhel7server1 port 8022: No route to host ## configure the rules : (1) redirect port 8022 to 22 (2) deny direct access to port 22 ## note these addresses are on enp0s9 which is in zone public in our example [root@rhel7server1 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.20 forward-port port=8022 protocol=tcp to-port=22' success## alternative way without using rich rules : firewall-cmd --add-forward-port=port=8022:proto=tcp:toport=22 ## the same as above using firewall-config GUI

## launch firewall configuration GUI

[root@rhel7server1 ~]# firewall-config

                        

                        

                        ## Drop down "Configuration" and select Permanent

                        

                        

                        

                        

                        ## at Zones tab, select public

                        

                        

                        

                        

                        ## scroll the options until Port Forwarding



                        

                        

                        ## click Add button



                        

                        

                        ## add the port forwarding options accordingly and then click OK

                        

                        

                        

                        

                        ## activate the new rules

[root@rhel7server1 ~]# firewall-cmd --reload

[root@rhel7server1 ~]# firewall-cmd --permanent --zone=public --remove-service=ssh success [root@rhel7server1 ~]# firewall-cmd --reload success ## test after : direct ssh to port 22 NOT allowed, ssh to port 8022 allowed [root@rhel7client1 ~]# ssh user1@rhel7server1 ssh: connect to host rhel7server1 port 22: No route to host [root@rhel7client1 ~]# ssh -p 8022 user1@rhel7server1 user1@rhel7server1's password: *******

## remove the rules [root@rhel7server1 ~]# firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=192.168.0.20 forward-port port=8022 protocol=tcp to-port=22' success ### NAT - IP MASQUERADE ## see examples here Masquerading With Firewalld Masquerading will forward packets that are not directed to an IP address associated to the system itself onto the intended destination. The source IP address of the packets that are sent through our system will be changed to the IP address of our system, rather than the IP address of the original traffic source. Responses to these packets will then go through our system and the destination address will be modified so that the traffic will be sent back to the original host that initiated the traffic

back to Objectives

Use /proc/sys and sysctl to modify and set kernel runtime parameters