Advanced Networking
Overview
There are many thing that GWS(The Configuration Software for Telem-GW6) can't do. For instance NTP, VLAN and OpenVPN configuration. If something extra is needed then in general user's should create Linux scripts and copy them to Telem-GW6. Sometimes a change of an existing script is enough. Example scripts can be found from Telem-GW6 /usr/local/bin/ folder.
Location of Startup Scripts
/etc/init.d/
Scripts in this folder are run at system startup.
/etc/network/if-ud.d/ and /etc/network/if-down.d/
Scripts in this folder are run when an interface(for instance ethernet interface eth0) becomes available or unavailable. These scripts are needed(used) for instance for configuring the firewall or routing.
/etc/ppp/ip-up or /etc/ppp/ip-down
Scripts in this folder are run when an PPP interface becomes available or unavailable. These scripts are needed(used) for instance for configuring the firewall or routing.
Application Software
busybox
busybox [1] The Swiss Army Knife of Embedded Linux
root@telem-gw6-com8$ busybox BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary. Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko and others. Licensed under GPLv2. See source distribution for full notice. Usage: busybox [function] [arguments]... or: function [arguments]... BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use and BusyBox will act like whatever it was invoked as. Currently defined functions: [, [[, addgroup, adduser, ar, arping, ash, awk, basename, bunzip2, bzcat, cat, catv, chattr, chgrp, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, cpio, crond, crontab, cut, date, dc, dd, deallocvt, delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo, egrep, eject, env, ether-wake, expr, false, fdflush, fdformat, fgrep, find, fold, free, freeramdisk, fsck, fuser, getopt, getty, grep, gunzip, gzip, halt, hdparm, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown, ifup, inetd, init, insmod, install, ip, ipaddr, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kill, killall, killall5, klogd, last, length, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, losetup, ls, lsattr, lsmod, lspci, lsusb, lzcat, lzma, makedevs, md5sum, mdev, mesg, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modprobe, more, mount, mountpoint, mt, mv, nameif, netstat, nice, nohup, nslookup, od, openvt, passwd, patch, pidof, ping, pipe_progress, pivot_root, poweroff, printenv, printf, ps, pwd, rdate, readlink, readprofile, realpath, reboot, renice, reset, resize, rm, rmdir, rmmod, route, run-parts, runlevel, sed, seq, setarch, setconsole, setkeycodes, setlogcons, setsid, sh, sha1sum, sha256sum, sha512sum, sleep, sort, start-stop-daemon, strings, stty, su, sulogin, swapoff, swapon, switch_root, sync, sysctl, syslogd, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, tty, udhcpc, umount, uname, uniq, unix2dos, unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, vlock, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat
For instance vconfig for creating VLAN's, iptunnel for configuring IPv4 tunnels.
SSH
OpenSSH [2] is a FREE version of the SSH connectivity tools that technical users of the Internet rely on.
root@telem-gw6-com8$ ssh -v
OpenSSH_5.8p1, OpenSSL 1.0.0d 8 Feb 2011
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]
iptables
iptables [3] is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset.
root@telem-gw6-com8$ iptables -V iptables v1.4.10
With filter, nat and mangle tables.
OpenVPN
OpenVPN [4] providing SECURE ACCESS ANYWHERE in the World.
root@telem-gw6-com8$ openvpn --version OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Oct 17 2011 Originally developed by James Yonan Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Examples
A good example that is in use in production systems is NTP or PPP. Both are located at /usr/local/bin.
NTP
In order to enable NTP you need to be root, cd to /user/local/bin/ntp and invoke script install.
su -
cd /usr/local/bin/ntp
./install
At this point NTP will start after reboot. If you want to use NTP without reboot issue /etc/init.d/S49ntp start. Default configuration for NTP enables server only, clock is not syncronized from external sources.
VLAN
For instane a script like this:
# Script to show creation of VLAN's
# Copy it to /etc/network/if-up.d and change file permissions to make it executable.
if [ "$IFACE" == "eth0" ]
then
logger "vlan_enable for interface:$IFACE"
# So that from ifconfig we see vlan30 not eth0:30
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
# If vlan 30 exists remove it
vconfig rem vlan30
# Create vlan 30, with vlan id of 30
vconfig add eth0 30
# Set ethernet priorities
vconfig set_egress_map vlan30 0 7
vconfig set_ingress_map vlan30 0 7
# Bring new network interface up, that is make it ready for new connections
ifconfig vlan30 172.22.101.196 netmask 255.255.255.240 txqueuelen 1000 up
# Add entry to routing table, 172.22.101.193 is router at vlan 30
route add default gw 172.22.101.193 vlan30
fi
makes a single VLAN called vlan30.
IPv4 Tunneling
For instance at Ubuntu issue:
sudo iptunnel add rtu_to_scada1 mode ipip remote 172.22.101.196 local 172.22.101.193 sudo ifconfig rtu_to_scada1 10.0.1.1 netmask 255.255.255.252 pointopoint 10.0.1.2 up
and from Telem-GW6 issue:
iptunnel add rtu_to_scada1 mode ipip remote 172.22.101.193 local 172.22.101.196 ifconfig rtu_to_scada1 10.0.1.2 netmask 255.255.255.252 pointopoint 10.0.1.1 up
to get an tunnel from Telem-GW6 to host running Ubuntu.
Securing SCADA Communication with SSH
For instance if executing:
ssh -v -N -L 2404:localhost:2404 10.0.1.2 -l scada1
from Ubuntu host(probably any other "Unix like" machine) redirects Telem-GW6(located at 10.0.1.2) SCADA port 2404 over SSH. Provided that Telem-GW6 has an account scada1 and port 22 for SSH is open at substation and Telem-GW6 firewall. In the command:
-v - verbouse, that is debug messages -N - no commands on remote machine -L - local port forwarding -l - which user to use at remote host
Troubleshooting
For troubleshooting:
- tcpdump [5]: A powerful command-line packet analyzer.
root@telem-gw6-com8$ tcpdump --help tcpdump version 4.1.1 libpcap version 1.1.1 Usage: tcpdump [-aAbdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ] [ -i interface ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ] [ -Z user ] [ expression ]
- netstat [6]: Is a command-line tool that displays network connections.
root@telem-gw6-com8$ netstat --help BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary. Usage: netstat [-laentuwxr] Display networking information Options: -l Display listening server sockets -a Display all sockets (default: connected) -e Display other/more information -n Don't resolve names -t Tcp sockets -u Udp sockets -w Raw sockets -x Unix sockets -r Display routing table