Advanced Networking
Latest revision as of 11:36, 23 September 2015
Overview
There are many things that GWS (the configuration software for Telem-GW6) cannot do, for instance NTP, VLAN and OpenVPN configuration. If something extra is needed, users should in general write Linux scripts and copy them to the Telem-GW6. Sometimes changing an existing script is enough. Example scripts can be found in the /usr/local/bin/ folder on the Telem-GW6.
With the new firmware and gws.exe it is possible to configure NTP, VLANs etc. with gws.exe by using setup version 4 instead of setup version 3. Setup version 4 is used by TELEM-GWM.
Location of Startup Scripts
/etc/init.d/
Scripts in this folder are run at system startup.
/etc/network/if-up.d/ and /etc/network/if-down.d/
Scripts in these folders are run when an interface (for instance the Ethernet interface eth0) becomes available or unavailable. They are used, for instance, for configuring the firewall or routing.
/etc/ppp/ip-up or /etc/ppp/ip-down
Scripts in these folders are run when a PPP interface becomes available or unavailable. They are used, for instance, for configuring the firewall or routing.
Application Software
busybox
busybox (http://busybox.net/): The Swiss Army Knife of Embedded Linux
<pre>
root@telem-gw6-com8$ busybox
BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

	BusyBox is a multi-call binary that combines many common Unix
	utilities into a single executable.  Most people will create a
	link to busybox for each function they wish to use and BusyBox
	will act like whatever it was invoked as.

Currently defined functions:
	[, [[, addgroup, adduser, ar, arping, ash, awk, basename, bunzip2, bzcat, cat, catv, chattr, chgrp, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, cpio, crond, crontab, cut, date, dc, dd,
	deallocvt, delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo, egrep, eject, env, ether-wake, expr, false, fdflush, fdformat, fgrep, find, fold,
	free, freeramdisk, fsck, fuser, getopt, getty, grep, gunzip, gzip, halt, hdparm, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown, ifup, inetd, init, insmod, install, ip, ipaddr, ipcrm,
	ipcs, iplink, iproute, iprule, iptunnel, kill, killall, killall5, klogd, last, length, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, losetup, ls, lsattr, lsmod,
	lspci, lsusb, lzcat, lzma, makedevs, md5sum, mdev, mesg, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modprobe, more, mount, mountpoint, mt, mv, nameif, netstat, nice, nohup, nslookup, od, openvt,
	passwd, patch, pidof, ping, pipe_progress, pivot_root, poweroff, printenv, printf, ps, pwd, rdate, readlink, readprofile, realpath, reboot, renice, reset, resize, rm, rmdir, rmmod, route, run-parts,
	runlevel, sed, seq, setarch, setconsole, setkeycodes, setlogcons, setsid, sh, sha1sum, sha256sum, sha512sum, sleep, sort, start-stop-daemon, strings, stty, su, sulogin, swapoff, swapon, switch_root,
	sync, sysctl, syslogd, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, tty, udhcpc, umount, uname, uniq, unix2dos, unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode,
	vconfig, vi, vlock, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat
</pre>
For instance, vconfig for creating VLANs and iptunnel for configuring IPv4 tunnels.
SSH
OpenSSH (http://www.openssh.com/) is a FREE version of the SSH connectivity tools that technical users of the Internet rely on.
<pre>
root@telem-gw6-com8$ ssh -v
OpenSSH_5.8p1, OpenSSL 1.0.0d 8 Feb 2011
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
</pre>
iptables
iptables (http://www.netfilter.org/projects/iptables/index.html) is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset.
<pre>
root@telem-gw6-com8$ iptables -V
iptables v1.4.10
</pre>
With filter, nat and mangle tables.
OpenVPN
OpenVPN (http://openvpn.net/): providing SECURE ACCESS ANYWHERE in the World.
<pre>
root@telem-gw6-com8$ openvpn --version
OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Oct 17 2011
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
</pre>
Examples
Good examples that are in use in production systems are NTP and PPP. Both are located in /usr/local/bin.
NTP for RTAA 501
In order to enable NTP you need to be root.
To start the ntp daemon at boot, add
<pre>
server IP-address-of-ntp-server burst iburst
</pre>
to /etc/ntp.conf using the vi editor.
Alternative
Use the following command to write /etc/ntp.conf:
<pre>
echo "server IP-address-of-ntp-server burst iburst" > /etc/ntp.conf
</pre>
Example
<pre>
echo "server 10.0.0.1 burst iburst" > /etc/ntp.conf
</pre>
MarkTomm, 23 September 2015, 14:36 (EEST)
NTP DEPRECATED INFO
In order to enable NTP you need to be root, cd to /usr/local/bin/ntp and invoke the install script.
<syntaxhighlight lang="bash">
su -
cd /usr/local/bin/ntp
./install
</syntaxhighlight>
At this point NTP will start after a reboot. If you want to use NTP without rebooting, issue /etc/init.d/S49ntp start. The default configuration for NTP enables the server only; the clock is not synchronized from external sources. In order to sync from external servers, add
<pre>
server IP-address-of-ntp-server burst iburst
</pre>
to /etc/ntp.conf.
MarkTomm, 23 September 2015, 14:36 (EEST)
VLAN
For instance, a script like this:
<syntaxhighlight lang="bash">
#!/bin/sh
# Script to show creation of VLANs
# Copy it to /etc/network/if-up.d and change file permissions to make it executable.
# ifupdown passes the name of the interface that just came up in $IFACE.
if [ "$IFACE" = "eth0" ]
then
    logger "vlan_enable for interface:$IFACE"
    # So that from ifconfig we see vlan30, not eth0:30
    vconfig set_name_type VLAN_PLUS_VID_NO_PAD
    # If vlan 30 exists remove it
    vconfig rem vlan30
    # Create vlan 30 on eth0, with a VLAN id of 30
    vconfig add eth0 30
    # Set Ethernet priorities
    vconfig set_egress_map vlan30 0 7
    vconfig set_ingress_map vlan30 0 7
    # Bring the new network interface up, that is, make it ready for new connections
    ifconfig vlan30 172.22.101.196 netmask 255.255.255.240 txqueuelen 1000 up
    # Add entry to routing table; 172.22.101.193 is the router at vlan 30
    route add default gw 172.22.101.193 vlan30
fi
</syntaxhighlight>
makes a single VLAN called vlan30.
IPv4 Tunneling
For instance, on Ubuntu issue:
<pre>
sudo iptunnel add rtu_to_scada1 mode ipip remote 172.22.101.196 local 172.22.101.193
sudo ifconfig rtu_to_scada1 10.0.1.1 netmask 255.255.255.252 pointopoint 10.0.1.2 up
</pre>
and on the Telem-GW6 issue:
<pre>
iptunnel add rtu_to_scada1 mode ipip remote 172.22.101.193 local 172.22.101.196
ifconfig rtu_to_scada1 10.0.1.2 netmask 255.255.255.252 pointopoint 10.0.1.1 up
</pre>
to get a tunnel from the Telem-GW6 to the host running Ubuntu.
Securing SCADA Communication with SSH
For instance, executing:
<pre>
ssh -v -N -L 2404:localhost:2404 10.0.1.2 -l scada1
</pre>
from an Ubuntu host (probably any other Unix-like machine) redirects the SCADA port 2404 of the Telem-GW6 (located at 10.0.1.2) over SSH, provided that the Telem-GW6 has an account scada1 and port 22 for SSH is open at the substation and in the Telem-GW6 firewall. In the command:
<pre>
-v - verbose, that is, debug messages
-N - no commands on the remote machine
-L - local port forwarding
-l - which user to use at the remote host
</pre>
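The scada1 account above only needs to carry the one port forward, so its key should not give a shell or any other forward. The script below is an added example, not code from the page or from the Telem-GW6 firmware; it generates and audits an authorized_keys line restricted to localhost:2404 using only options that exist in OpenSSH 5.8, and the account name, key and home directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the Telem-GW6 wiki): confine the "scada1" SSH account
# to the single forward used by  ssh -N -L 2404:localhost:2404 10.0.1.2 -l scada1
# Only authorized_keys options present in OpenSSH 5.8 are used. The public key
# and account name are placeholders (assumed), to be replaced with real values.

SCADA_PORT=2404      # IEC 60870-5-104 port that the page's ssh command forwards

# Print an authorized_keys line that limits the key to localhost:2404:
#  - permitopen: the only destination -L may open through this login
#  - no-pty/no-agent-forwarding/no-X11-forwarding/no-user-rc: no interactive use
#  - command="/bin/false": with "ssh -N" no command is requested, so the forward
#    works; without -N the forced command exits at once and the session ends.
restricted_key_line() {   # $1 = public key as copied from id_rsa.pub
    printf 'no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc,permitopen="localhost:%s",command="/bin/false" %s\n' \
        "$SCADA_PORT" "$1"
}

# Audit helper: exit 0 only if a line carries every restriction above.
key_line_is_restricted() {   # $1 = one line of an authorized_keys file
    for opt in 'no-pty' 'no-agent-forwarding' 'no-X11-forwarding' \
               "permitopen=\"localhost:$SCADA_PORT\"" 'command='; do
        case $1 in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print every key line in a file that lacks the restrictions; exit 1 if any found.
unrestricted_lines() {    # $1 = path to an authorized_keys file
    found=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! key_line_is_restricted "$line"; then
            printf '%s\n' "$line"
            found=1
        fi
    done < "$1"
    return $found
}

# Install the restricted key for a dedicated forwarding account (run as root).
install_restricted_key() {  # $1 = account name, $2 = public key line
    eval "home=~$1"        # ash, dash and bash all expand ~user in an assignment
    [ -d "$home" ] || { echo "no home directory for $1" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    restricted_key_line "$2" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chown -R "$1" "$home/.ssh"
}

# Usage on the gateway:  sh scada_ssh_restrict.sh install scada1 "$(cat scada_host.pub)"
if [ "${1-}" = install ]; then install_restricted_key "$2" "$3"; fi
```

Running `unrestricted_lines /home/scada1/.ssh/authorized_keys` afterwards lists any key that could still open a shell or an arbitrary forward.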
Troubleshooting
For troubleshooting:
- tcpdump: a powerful command-line packet analyzer.
<pre>
root@telem-gw6-com8$ tcpdump --help
tcpdump version 4.1.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -M secret ] [ -r file ] [ -s snaplen ]
		[ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
		[ -z command ] [ -Z user ] [ expression ]
</pre>
- netstat: a command-line tool that displays network connections.
<pre>
root@telem-gw6-com8$ netstat --help
BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary.

Usage: netstat [-laentuwxr]

Display networking information

Options:
	-l	Display listening server sockets
	-a	Display all sockets (default: connected)
	-e	Display other/more information
	-n	Don't resolve names
	-t	Tcp sockets
	-u	Udp sockets
	-w	Raw sockets
	-x	Unix sockets
	-r	Display routing table
</pre>