Advanced Networking: Difference between revisions

From Phobos Wiki
Jump to navigation Jump to search
No edit summary
 
(21 intermediate revisions by one other user not shown)
Line 2: Line 2:


There are many thing that GWS(The Configuration Software for Telem-GW6) can't do. For instance NTP, VLAN and OpenVPN configuration. If something extra is needed then in general user's should create Linux scripts and copy them to Telem-GW6. Sometimes a change of an existing script is enough. Example scripts can be found from Telem-GW6 /usr/local/bin/ folder.
There are many thing that GWS(The Configuration Software for Telem-GW6) can't do. For instance NTP, VLAN and OpenVPN configuration. If something extra is needed then in general user's should create Linux scripts and copy them to Telem-GW6. Sometimes a change of an existing script is enough. Example scripts can be found from Telem-GW6 /usr/local/bin/ folder.
</br>
As of new firmware and gws.exe it is possible to configure NTP, VLANs and etc with gws.exe by using setup version 4 instead on setupt version 3. Setup version 4 is used by [[TELEM-GWM]].


== Location of Startup Scripts ==
== Location of Startup Scripts ==
Line 14: Line 17:
=== /etc/ppp/ip-up or /etc/ppp/ip-down ===
=== /etc/ppp/ip-up or /etc/ppp/ip-down ===
Scripts in this folder are run when an PPP interface becomes available or unavailable. These scripts are needed(used) for instance for configuring the firewall or routing.
Scripts in this folder are run when an PPP interface becomes available or unavailable. These scripts are needed(used) for instance for configuring the firewall or routing.
== Application Software ==
=== busybox ===
busybox [http://busybox.net/] The Swiss Army Knife of Embedded Linux
<pre>
root@telem-gw6-com8$ busybox
BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
  or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable.  Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, addgroup, adduser, ar, arping, ash, awk, basename, bunzip2, bzcat, cat, catv, chattr, chgrp, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, cpio, crond, crontab, cut, date, dc, dd,
deallocvt, delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo, egrep, eject, env, ether-wake, expr, false, fdflush, fdformat, fgrep, find, fold,
free, freeramdisk, fsck, fuser, getopt, getty, grep, gunzip, gzip, halt, hdparm, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown, ifup, inetd, init, insmod, install, ip, ipaddr, ipcrm,
ipcs, iplink, iproute, iprule, iptunnel, kill, killall, killall5, klogd, last, length, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, losetup, ls, lsattr, lsmod,
lspci, lsusb, lzcat, lzma, makedevs, md5sum, mdev, mesg, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modprobe, more, mount, mountpoint, mt, mv, nameif, netstat, nice, nohup, nslookup, od, openvt,
passwd, patch, pidof, ping, pipe_progress, pivot_root, poweroff, printenv, printf, ps, pwd, rdate, readlink, readprofile, realpath, reboot, renice, reset, resize, rm, rmdir, rmmod, route, run-parts,
runlevel, sed, seq, setarch, setconsole, setkeycodes, setlogcons, setsid, sh, sha1sum, sha256sum, sha512sum, sleep, sort, start-stop-daemon, strings, stty, su, sulogin, swapoff, swapon, switch_root,
sync, sysctl, syslogd, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, tty, udhcpc, umount, uname, uniq, unix2dos, unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode,
vconfig, vi, vlock, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat
</pre>
For instance vconfig for creating VLAN's, iptunnel for configuring IPv4 tunnels.
=== SSH ===
OpenSSH [http://www.openssh.com/] is a FREE version of the SSH connectivity tools that technical users of the Internet rely on.
<pre>
root@telem-gw6-com8$ ssh -v
OpenSSH_5.8p1, OpenSSL 1.0.0d 8 Feb 2011
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
          [-D [bind_address:]port] [-e escape_char] [-F configfile]
          [-I pkcs11] [-i identity_file]
          [-L [bind_address:]port:host:hostport]
          [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
          [-R [bind_address:]port:host:hostport] [-S ctl_path]
          [-W host:port] [-w local_tun[:remote_tun]]
          [user@]hostname [command]
</pre>
=== iptables ===
iptables [http://www.netfilter.org/projects/iptables/index.html] is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset.
<pre>
root@telem-gw6-com8$ iptables -V
iptables v1.4.10
</pre>
With filter, nat and mangle tables.
=== OpenVPN ===
OpenVPN [http://openvpn.net/] providing SECURE ACCESS ANYWHERE in the World.
<pre>
root@telem-gw6-com8$ openvpn --version
OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Oct 17 2011
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
</pre>


== Examples ==
== Examples ==
A good example that is in use in production systems is NTP or PPP. Both are located at /usr/local/bin.
A good example that is in use in production systems is NTP or PPP. Both are located at /usr/local/bin.
=== NTP for RTAA 501 ===
In order to enable NTP you need to be root.
To start ntp daemon at boot add
<pre>
server IP-address-of-ntp-server burst iburst
</pre>
to /etc/ntp.conf using vi editor.
'''Alternative'''
Use the following command to write to /etc/ntp.conf
<pre>
echo "server IP-address-of-ntp-server burst iburst" > /etc/ntp.conf
</pre>
'''Example'''
<pre>
echo "server 10.0.0.1 burst iburst" > /etc/ntp.conf
</pre>
[[Kasutaja:MarkTomm|MarkTomm]] 23. september 2015, kell 14:36 (EEST)
=== NTP DEPRECATED INFO ===
In order to enable NTP you need to be root, cd to /user/local/bin/ntp and invoke script install.
<syntaxhighlight lang="bash">
su -
cd /usr/local/bin/ntp
./install
</syntaxhighlight>
At this point NTP will start after reboot. If you want to use NTP without reboot issue /etc/init.d/S49ntp start. Default configuration for NTP enables server only, clock is not syncronized from external sources. In order to sync from external servers add
<pre>
server IP-address-of-ntp-server burst iburst
</pre>
to /etc/ntp.conf.
[[Kasutaja:MarkTomm|MarkTomm]] 23. september 2015, kell 14:36 (EEST)


=== VLAN ===
=== VLAN ===
For instane a script like this makes a single VLAN called vlan30
For instane a script like this:
<pre>
<syntaxhighlight lang="bash">
# Script to show creation of VLAN's
# Script to show creation of VLAN's
# Copy it to /etc/network/if-up.d and change file permissions to make it executable.
# Copy it to /etc/network/if-up.d and change file permissions to make it executable.
if [ "$IFACE" == "eth0" ]
if [ "$IFACE" = "eth0" ]
then
then
     logger "vlan_enable for interface:$IFACE"
     logger "vlan_enable for interface:$IFACE"
Line 30: Line 140:
     vconfig set_name_type VLAN_PLUS_VID_NO_PAD
     vconfig set_name_type VLAN_PLUS_VID_NO_PAD


    # If vlan 30 exists remove it
     vconfig rem vlan30
     vconfig rem vlan30
    # Create vlan 30, with vlan id of 30
     vconfig add eth0 30
     vconfig add eth0 30
    # Set ethernet priorities
     vconfig set_egress_map vlan30 0 7
     vconfig set_egress_map vlan30 0 7
     vconfig set_ingress_map vlan30 0 7
     vconfig set_ingress_map vlan30 0 7
    # Bring new network interface up, that is make it ready for new connections
     ifconfig vlan30 172.22.101.196 netmask 255.255.255.240 txqueuelen 1000 up
     ifconfig vlan30 172.22.101.196 netmask 255.255.255.240 txqueuelen 1000 up
    # Add entry to routing table, 172.22.101.193 is router at vlan 30
     route add default gw 172.22.101.193 vlan30
     route add default gw 172.22.101.193 vlan30
fi
fi
</syntaxhighlight>
makes a single VLAN called vlan30.
=== IPv4 Tunneling ===
For instance at Ubuntu issue:
<pre>
sudo iptunnel add rtu_to_scada1 mode ipip remote 172.22.101.196 local 172.22.101.193
sudo ifconfig rtu_to_scada1 10.0.1.1 netmask 255.255.255.252 pointopoint 10.0.1.2 up
</pre>
and from Telem-GW6 issue:
<pre>
iptunnel add rtu_to_scada1 mode ipip remote 172.22.101.193 local 172.22.101.196
ifconfig rtu_to_scada1 10.0.1.2 netmask 255.255.255.252 pointopoint 10.0.1.1 up
</pre>
to get an tunnel from Telem-GW6 to host running Ubuntu.
=== Securing SCADA Communication with SSH ===
For instance if executing:
<pre>
ssh -v -N -L 2404:localhost:2404 10.0.1.2 -l scada1
</pre>
from Ubuntu host(probably any other "Unix like" machine) redirects Telem-GW6(located at 10.0.1.2) SCADA port 2404 over SSH. Provided that Telem-GW6 has an account scada1 and port 22 for SSH is open at substation and Telem-GW6 firewall. In the command:
<pre>
  -v - verbouse, that is debug messages
  -N - no commands on remote machine
  -L - local port forwarding
  -l - which user to use at remote host
</pre>
</pre>



Latest revision as of 11:36, 23 September 2015

Overview

There are many thing that GWS(The Configuration Software for Telem-GW6) can't do. For instance NTP, VLAN and OpenVPN configuration. If something extra is needed then in general user's should create Linux scripts and copy them to Telem-GW6. Sometimes a change of an existing script is enough. Example scripts can be found from Telem-GW6 /usr/local/bin/ folder.


As of new firmware and gws.exe it is possible to configure NTP, VLANs and etc with gws.exe by using setup version 4 instead on setupt version 3. Setup version 4 is used by TELEM-GWM.

Location of Startup Scripts

/etc/init.d/

Scripts in this folder are run at system startup.

/etc/network/if-ud.d/ and /etc/network/if-down.d/

Scripts in this folder are run when an interface(for instance ethernet interface eth0) becomes available or unavailable. These scripts are needed(used) for instance for configuring the firewall or routing.

/etc/ppp/ip-up or /etc/ppp/ip-down

Scripts in this folder are run when an PPP interface becomes available or unavailable. These scripts are needed(used) for instance for configuring the firewall or routing.

Application Software

busybox

busybox [1] The Swiss Army Knife of Embedded Linux

root@telem-gw6-com8$ busybox
BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

	BusyBox is a multi-call binary that combines many common Unix
	utilities into a single executable.  Most people will create a
	link to busybox for each function they wish to use and BusyBox
	will act like whatever it was invoked as.

Currently defined functions:
	[, [[, addgroup, adduser, ar, arping, ash, awk, basename, bunzip2, bzcat, cat, catv, chattr, chgrp, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, cpio, crond, crontab, cut, date, dc, dd,
	deallocvt, delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo, egrep, eject, env, ether-wake, expr, false, fdflush, fdformat, fgrep, find, fold,
	free, freeramdisk, fsck, fuser, getopt, getty, grep, gunzip, gzip, halt, hdparm, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown, ifup, inetd, init, insmod, install, ip, ipaddr, ipcrm,
	ipcs, iplink, iproute, iprule, iptunnel, kill, killall, killall5, klogd, last, length, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, losetup, ls, lsattr, lsmod,
	lspci, lsusb, lzcat, lzma, makedevs, md5sum, mdev, mesg, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modprobe, more, mount, mountpoint, mt, mv, nameif, netstat, nice, nohup, nslookup, od, openvt,
	passwd, patch, pidof, ping, pipe_progress, pivot_root, poweroff, printenv, printf, ps, pwd, rdate, readlink, readprofile, realpath, reboot, renice, reset, resize, rm, rmdir, rmmod, route, run-parts,
	runlevel, sed, seq, setarch, setconsole, setkeycodes, setlogcons, setsid, sh, sha1sum, sha256sum, sha512sum, sleep, sort, start-stop-daemon, strings, stty, su, sulogin, swapoff, swapon, switch_root,
	sync, sysctl, syslogd, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, tty, udhcpc, umount, uname, uniq, unix2dos, unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode,
	vconfig, vi, vlock, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat

For instance vconfig for creating VLAN's, iptunnel for configuring IPv4 tunnels.

SSH

OpenSSH [2] is a FREE version of the SSH connectivity tools that technical users of the Internet rely on.

root@telem-gw6-com8$ ssh -v
OpenSSH_5.8p1, OpenSSL 1.0.0d 8 Feb 2011
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]

iptables

iptables [3] is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset.

root@telem-gw6-com8$ iptables -V
iptables v1.4.10

With filter, nat and mangle tables.

OpenVPN

OpenVPN [4] providing SECURE ACCESS ANYWHERE in the World.

root@telem-gw6-com8$ openvpn --version
OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Oct 17 2011
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

Examples

A good example that is in use in production systems is NTP or PPP. Both are located at /usr/local/bin.

NTP for RTAA 501

In order to enable NTP you need to be root.

To start ntp daemon at boot add

server IP-address-of-ntp-server burst iburst

to /etc/ntp.conf using vi editor.

Alternative

Use the following command to write to /etc/ntp.conf

echo "server IP-address-of-ntp-server burst iburst" > /etc/ntp.conf

Example

echo "server 10.0.0.1 burst iburst" > /etc/ntp.conf

MarkTomm 23. september 2015, kell 14:36 (EEST)

NTP DEPRECATED INFO

In order to enable NTP you need to be root, cd to /user/local/bin/ntp and invoke script install.

su -
cd /usr/local/bin/ntp
./install

At this point NTP will start after reboot. If you want to use NTP without reboot issue /etc/init.d/S49ntp start. Default configuration for NTP enables server only, clock is not syncronized from external sources. In order to sync from external servers add

server IP-address-of-ntp-server burst iburst

to /etc/ntp.conf.

MarkTomm 23. september 2015, kell 14:36 (EEST)

VLAN

For instane a script like this:

# Script to show creation of VLAN's
# Copy it to /etc/network/if-up.d and change file permissions to make it executable.
if [ "$IFACE" = "eth0" ]
then
    logger "vlan_enable for interface:$IFACE"

    # So that from ifconfig we see vlan30 not eth0:30
    vconfig set_name_type VLAN_PLUS_VID_NO_PAD

    # If vlan 30 exists remove it
    vconfig rem vlan30

    # Create vlan 30, with vlan id of 30
    vconfig add eth0 30

    # Set ethernet priorities
    vconfig set_egress_map vlan30 0 7
    vconfig set_ingress_map vlan30 0 7

    # Bring new network interface up, that is make it ready for new connections
    ifconfig vlan30 172.22.101.196 netmask 255.255.255.240 txqueuelen 1000 up

    # Add entry to routing table, 172.22.101.193 is router at vlan 30
    route add default gw 172.22.101.193 vlan30
fi

makes a single VLAN called vlan30.

IPv4 Tunneling

For instance at Ubuntu issue:

sudo iptunnel add rtu_to_scada1 mode ipip remote 172.22.101.196 local 172.22.101.193
sudo ifconfig rtu_to_scada1 10.0.1.1 netmask 255.255.255.252 pointopoint 10.0.1.2 up

and from Telem-GW6 issue:

iptunnel add rtu_to_scada1 mode ipip remote 172.22.101.193 local 172.22.101.196
ifconfig rtu_to_scada1 10.0.1.2 netmask 255.255.255.252 pointopoint 10.0.1.1 up

to get an tunnel from Telem-GW6 to host running Ubuntu.

Securing SCADA Communication with SSH

For instance if executing:

ssh -v -N -L 2404:localhost:2404 10.0.1.2 -l scada1

from Ubuntu host(probably any other "Unix like" machine) redirects Telem-GW6(located at 10.0.1.2) SCADA port 2404 over SSH. Provided that Telem-GW6 has an account scada1 and port 22 for SSH is open at substation and Telem-GW6 firewall. In the command:

  -v - verbouse, that is debug messages
  -N - no commands on remote machine
  -L - local port forwarding
  -l - which user to use at remote host

Troubleshooting

For troubleshooting:

  • tcpdump [5]: A powerful command-line packet analyzer.
root@telem-gw6-com8$ tcpdump --help
tcpdump version 4.1.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -M secret ] [ -r file ]
		[ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
		[ -y datalinktype ] [ -z command ] [ -Z user ]
		[ expression ]
  • netstat [6]: Is a command-line tool that displays network connections.
root@telem-gw6-com8$ netstat --help
BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary.

Usage: netstat [-laentuwxr]

Display networking information

Options:
	-l	Display listening server sockets
	-a	Display all sockets (default: connected)
	-e	Display other/more information
	-n	Don't resolve names
	-t	Tcp sockets
	-u	Udp sockets
	-w	Raw sockets
	-x	Unix sockets
	-r	Display routing table