Advanced Networking

From Phobos Wiki
Revision as of 10:33, 31 October 2011 by Roland (talk | contribs)

Overview

There are many things that GWS (the configuration software for Telem-GW6) cannot do, for instance NTP, VLAN and OpenVPN configuration. If something extra is needed, users should in general write Linux shell scripts and copy them to Telem-GW6. Sometimes changing an existing script is enough. Example scripts can be found in the Telem-GW6 /usr/local/bin/ folder.

Location of Startup Scripts

/etc/init.d/

Scripts in this folder are run at system startup.

/etc/network/if-up.d/ and /etc/network/if-down.d/

Scripts in these folders are run when a network interface (for instance the Ethernet interface eth0) becomes available or unavailable. ifupdown exports the interface name to the script in the IFACE environment variable. These scripts are used, for instance, to configure the firewall or routing.

/etc/ppp/ip-up or /etc/ppp/ip-down

These scripts are run when a PPP interface becomes available or unavailable. They are used, for instance, to configure the firewall or routing.

Application Software

busybox

busybox [1]: The Swiss Army Knife of Embedded Linux

root@telem-gw6-com8$ busybox
BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

	BusyBox is a multi-call binary that combines many common Unix
	utilities into a single executable.  Most people will create a
	link to busybox for each function they wish to use and BusyBox
	will act like whatever it was invoked as.

Currently defined functions:
	[, [[, addgroup, adduser, ar, arping, ash, awk, basename, bunzip2, bzcat, cat, catv, chattr, chgrp, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, cpio, crond, crontab, cut, date, dc, dd,
	deallocvt, delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo, egrep, eject, env, ether-wake, expr, false, fdflush, fdformat, fgrep, find, fold,
	free, freeramdisk, fsck, fuser, getopt, getty, grep, gunzip, gzip, halt, hdparm, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown, ifup, inetd, init, insmod, install, ip, ipaddr, ipcrm,
	ipcs, iplink, iproute, iprule, iptunnel, kill, killall, killall5, klogd, last, length, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, losetup, ls, lsattr, lsmod,
	lspci, lsusb, lzcat, lzma, makedevs, md5sum, mdev, mesg, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modprobe, more, mount, mountpoint, mt, mv, nameif, netstat, nice, nohup, nslookup, od, openvt,
	passwd, patch, pidof, ping, pipe_progress, pivot_root, poweroff, printenv, printf, ps, pwd, rdate, readlink, readprofile, realpath, reboot, renice, reset, resize, rm, rmdir, rmmod, route, run-parts,
	runlevel, sed, seq, setarch, setconsole, setkeycodes, setlogcons, setsid, sh, sha1sum, sha256sum, sha512sum, sleep, sort, start-stop-daemon, strings, stty, su, sulogin, swapoff, swapon, switch_root,
	sync, sysctl, syslogd, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, tty, udhcpc, umount, uname, uniq, unix2dos, unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode,
	vconfig, vi, vlock, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat

For instance vconfig for creating VLANs.

SSH

OpenSSH [2] is a FREE version of the SSH connectivity tools that technical users of the Internet rely on.

root@telem-gw6-com8$ ssh -v
OpenSSH_5.8p1, OpenSSL 1.0.0d 8 Feb 2011
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]

iptables

iptables [3] is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset.

root@telem-gw6-com8$ iptables -V
iptables v1.4.10

With filter, nat and mangle tables.

OpenVPN

OpenVPN [4] providing SECURE ACCESS ANYWHERE in the World.

root@telem-gw6-com8$ openvpn --version
OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Oct 17 2011
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

Examples

Good examples that are in use in production systems are the NTP and PPP scripts. Both are located in /usr/local/bin.

VLAN

For instance a script like this:

#!/bin/sh
# Script to show creation of VLANs
# Copy it to /etc/network/if-up.d/ and make it executable (chmod +x).
# ifupdown passes the name of the interface being brought up in $IFACE.
if [ "$IFACE" = "eth0" ]
then
    logger "vlan_enable for interface:$IFACE"

    # So that ifconfig shows vlan30 instead of eth0.30
    vconfig set_name_type VLAN_PLUS_VID_NO_PAD

    # If vlan30 already exists remove it (ignore the error when it does not)
    vconfig rem vlan30 2>/dev/null

    # Create VLAN 30 on eth0, with VLAN id 30
    vconfig add eth0 30

    # Set 802.1p priorities: skb priority 0 -> VLAN priority 7 on egress,
    # VLAN priority 0 -> skb priority 7 on ingress
    vconfig set_egress_map vlan30 0 7
    vconfig set_ingress_map vlan30 0 7

    # Bring the new interface up, that is make it ready for new connections
    ifconfig vlan30 172.22.101.196 netmask 255.255.255.240 txqueuelen 1000 up

    # Add a default route; 172.22.101.193 is the router on VLAN 30
    route add default gw 172.22.101.193 vlan30
fi

creates a single VLAN interface called vlan30.

VPN with SSH

For instance if executing:

ssh -v -N -L 2404:localhost:2404 172.22.101.196 -l scada1

from an Ubuntu host (or probably any other Unix-like machine) forwards local port 2404 over SSH to SCADA port 2404 on Telem-GW6 (located at 172.22.101.196). This requires that Telem-GW6 has an account scada1 and that port 22 (SSH) is open in the substation firewall and in the Telem-GW6 firewall. Without a bind_address, the forwarded port listens only on the Ubuntu host's loopback interface, so other machines cannot use the tunnel unless a bind address is given. In the command:

  -v - verbose, that is debug messages
  -N - no commands on remote machine
  -L - local port forwarding
  -l - which user to use at remote host
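The sections above say that an if-up.d script is the place to configure the firewall and that the SSH tunnel needs port 22 open in the Telem-GW6 firewall. The following script is an added example (not a script from the Telem-GW6 image) of an /etc/network/if-up.d/ hook that uses iptables to open SSH only to a management network and the SCADA port only to one SCADA host, dropping and logging everything else. The addresses, the interface name eth0 and the IPT/WAN_IF/MGMT_NET/SCADA_HOST variable names are assumptions for illustration; ifupdown (and busybox ifup) export IFACE and MODE to the hook.

```shell
#!/bin/sh
# Firewall hook for /etc/network/if-up.d/ (added example, not from Telem-GW6).
# Copy it there and make it executable. Addresses below are assumptions.
IPT="${IPT:-iptables}"                     # set IPT=echo to dry-run the rules
WAN_IF="${WAN_IF:-eth0}"                   # interface the hook applies to
MGMT_NET="${MGMT_NET:-172.22.101.0/24}"    # where SSH (and SSH tunnels) come from
SCADA_HOST="${SCADA_HOST:-172.22.101.193}" # only host allowed to reach 2404 directly
SSH_PORT=22
SCADA_PORT=2404

# Print the rule set, one iptables argument list per line. Keeping the rules
# in a function lets them be reviewed (and tested) without root or iptables.
fw_rules() {
    printf '%s\n' \
        "-F INPUT" \
        "-F FORWARD" \
        "-P INPUT DROP" \
        "-P FORWARD DROP" \
        "-P OUTPUT ACCEPT" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -s $MGMT_NET -j ACCEPT" \
        "-A INPUT -i $WAN_IF -p tcp --dport $SCADA_PORT -s $SCADA_HOST -j ACCEPT" \
        "-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT" \
        "-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix fw-drop: --log-level 4" \
        "-A INPUT -i $WAN_IF -j DROP"
}

# Feed each rule line to iptables; stop at the first failure so a half-applied
# rule set is noticed in the log instead of silently leaving ports open.
apply_fw() {
    fw_rules | while IFS= read -r rule; do
        # $rule is deliberately unquoted so it splits into iptables arguments
        $IPT $rule || { logger -t fw "rule failed: $IPT $rule"; exit 1; }
    done
}

# Hooks run for every interface (lo, vlan30, ...); only act for the WAN
# interface and only when it is being brought up.
if [ "${IFACE:-}" = "$WAN_IF" ] && [ "${MODE:-start}" = "start" ]; then
    logger -t fw "applying firewall on $IFACE"
    apply_fw
fi
```

Running the script with IPT=echo IFACE=eth0 prints the rules instead of applying them, which is a cheap way to review the result before the hook runs on the real gateway, where a mistake in an INPUT policy of DROP can lock out the SSH session used to deploy it.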

Troubleshooting

For troubleshooting:

  • tcpdump [5]: A powerful command-line packet analyzer.
root@telem-gw6-com8$ tcpdump --help
tcpdump version 4.1.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -M secret ] [ -r file ]
		[ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
		[ -y datalinktype ] [ -z command ] [ -Z user ]
		[ expression ]
  • netstat [6]: A command-line tool that displays network connections, listening sockets and the routing table.
root@telem-gw6-com8$ netstat --help
BusyBox v1.17.4 (2011-10-17 18:03:09 EEST) multi-call binary.

Usage: netstat [-laentuwxr]

Display networking information

Options:
	-l	Display listening server sockets
	-a	Display all sockets (default: connected)
	-e	Display other/more information
	-n	Don't resolve names
	-t	Tcp sockets
	-u	Udp sockets
	-w	Raw sockets
	-x	Unix sockets
	-r	Display routing table
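A practical troubleshooting check that builds on netstat -l above is to confirm that only the expected services are listening on the gateway. The script below is an added example (not from Telem-GW6): it parses the busybox netstat -lntu output and reports every listening TCP or UDP port that is not on an allowlist. The allowlist (SSH on tcp/22 and the SCADA port tcp/2404) and the sample netstat output embedded for a dry run are constructed for illustration.

```shell
#!/bin/sh
# Report listening sockets that are not on the allowlist (added example).
# Allowlist format: space-separated proto/port entries; an assumption.
ALLOWED="${ALLOWED:-tcp/22 tcp/2404}"

# Read busybox "netstat -lntu" output on stdin, print "proto/port local-address"
# for every listener not in $ALLOWED. TCP lines carry a LISTEN state column;
# UDP lines have no state column, so they are matched on the protocol only.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "tcp" && $NF == "LISTEN" { port = $4; sub(/.*:/, "", port); key = "tcp/" port }
    $1 == "udp"                    { port = $4; sub(/.*:/, "", port); key = "udp/" port }
    key != "" { if (!(key in ok)) print key " " $4; key = "" }
    '
}

# Live check on the gateway: netstat flags as in the busybox help text above.
check_listeners() {
    netstat -lntu | unexpected_listeners
}

# Constructed sample output (not captured from a real Telem-GW6) for a dry run:
# an unexpected telnet listener and an NTP socket next to the expected services.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2404            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

case "${1:-}" in
    live)   check_listeners ;;
    sample) printf '%s\n' "$SAMPLE" | unexpected_listeners ;;
esac
```

Run it as "sh check_listeners.sh live" on the gateway (or "sample" to see the dry run); an empty result means nothing beyond the allowlist is listening. Add udp/123 to ALLOWED if the NTP script in /usr/local/bin runs a daemon that listens.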