Tuesday, February 25, 2014

Channel bonding/ IP or Link redundancy in RHEL 6/ 5 or CentOS or Fedora

Configuration Steps (as root user):
1. cd /etc/sysconfig/network-scripts 
2. touch ifcfg-bond0 
3. Contents of /etc/sysconfig/network-scripts/ifcfg-bond0 file:

DEVICE=bond0 
BONDING_OPTS="mode=1 miimon=500" 
ONBOOT=yes 
BOOTPROTO=none 
IPADDR=192.168.7.196 
NETMASK=255.255.255.0 
GATEWAY=192.168.7.1 
USERCTL=no 
DNS1=192.168.7.4 
DNS2=182.16.156.5

**Details of bonding options (BONDING_OPTS) given below

4. Edit the existing configuration files for the two NICs that will form the combined interface. Content of /etc/sysconfig/network-scripts/ifcfg-eth0 file:
DEVICE=eth0 
ONBOOT=yes 
BOOTPROTO=none 
MASTER=bond0 
SLAVE=yes

5. Content of /etc/sysconfig/network-scripts/ifcfg-eth1 file:
DEVICE=eth1 
ONBOOT=yes 
BOOTPROTO=none 
MASTER=bond0 
SLAVE=yes

6. Here we use the MASTER and SLAVE directives to configure channel bonding: for both interfaces the master is bond0, and each interface acts as a slave of the bond0 interface. At this point the network configuration file changes are complete. Now we have to add the following line to 

/etc/modprobe.d/dist.conf 
or (depending on your distro; in my case, on RHEL 6.4, I used the file above) 
/etc/modprobe.conf 

Add the below line:
alias bond0 bonding

7. Then execute the following two commands:
modprobe bond0 
service network restart

DONE!!! 

*Please stop the NetworkManager service before doing this, if required!!! 
service NetworkManager stop 
chkconfig NetworkManager off

** and also check iptables rules, if required
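Once the bond is up, the kernel reports its state in /proc/net/bonding/bond0; for mode=1 that is where to confirm which NIC is active and that the backup is healthy before a real cable failure tests it. The script below is an added example, not part of the original post: it parses a constructed copy of that file (the real one is written by the bonding driver) and flags any slave whose MII status is not up, which is the check a monitoring job would run to catch lost redundancy.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): read the kernel's bonding
# status file and report the active slave and any slave whose link is down.
# The file used here is a constructed copy of /proc/net/bonding/bond0 for
# mode=1 (active-backup) with eth1 unplugged; on a real host pass the /proc
# path instead.

# "Bonding Mode:" line of a bond status file
bond_mode() {
    sed -n 's/^Bonding Mode: //p' "$1"
}

# Active slave (mode=1 only; prints nothing for other modes)
bond_active_slave() {
    sed -n 's/^Currently Active Slave: //p' "$1"
}

# One line per slave: "<name> <MII status>". The bond's own "MII Status:"
# line comes before any "Slave Interface:" line and is skipped.
bond_slave_status() {
    awk '/^Slave Interface:/ { name = $3 }
         /^MII Status:/ && name != "" { print name, $3; name = "" }' "$1"
}

# Returns 0 when every slave reports MII up, 1 (and lists the down slaves)
# otherwise, so a cron job or monitoring check can alert on lost redundancy.
bond_all_slaves_up() {
    local down
    down=$(bond_slave_status "$1" | awk '$2 != "up" { print $1 }')
    if [ -n "$down" ]; then
        printf 'slave(s) down: %s\n' "$down"
        return 1
    fi
    return 0
}

# Constructed sample status file (layout of /proc/net/bonding/bond0).
SAMPLE_BOND_STATUS=$(mktemp)
trap 'rm -f "$SAMPLE_BOND_STATUS"' EXIT
cat >"$SAMPLE_BOND_STATUS" <<'EOF'
Ethernet Channel Bonding Driver: (constructed sample)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 500
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 1
Permanent HW addr: 00:11:22:33:44:66
EOF

echo "mode   : $(bond_mode "$SAMPLE_BOND_STATUS")"
echo "active : $(bond_active_slave "$SAMPLE_BOND_STATUS")"
bond_slave_status "$SAMPLE_BOND_STATUS"
bond_all_slaves_up "$SAMPLE_BOND_STATUS" || echo "redundancy lost: only one working slave"
```

With the 500 ms miimon from the ifcfg-bond0 above, a pulled cable shows up in this file within half a second; run the script from cron or a Nagios check against /proc/net/bonding/bond0 and the first thing you learn about a dead NIC is not a second outage.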

***BONDING_OPTS(Reference: https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s3-modules-bonding-directives.html )

The following is a list of available parameters for the bonding module:
  • mode= — Specifies one of four policies allowed for the bonding module. Acceptable values for this parameter are:
    0 — Sets a round-robin policy for fault tolerance and load balancing. Transmissions are received and sent out sequentially on each bonded slave interface beginning with the first one available.
    1 — Sets an active-backup policy for fault tolerance. Transmissions are received and sent out via the first available bonded slave interface. Another bonded slave interface is only used if the active bonded slave interface fails.
    2 — Sets an XOR (exclusive-or) policy for fault tolerance and load balancing. Using this method, the interface matches up the incoming request's MAC address with the MAC address for one of the slave NICs. Once this link is established, transmissions are sent out sequentially beginning with the first available interface.
    3 — Sets a broadcast policy for fault tolerance. All transmissions are sent on all slave interfaces.
    4 — Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups that share the same speed and duplex settings. Transmits and receives on all slaves in the active aggregator. Requires a switch that is 802.3ad compliant.
    5 — Sets a Transmit Load Balancing (TLB) policy for fault tolerance and load balancing. The outgoing traffic is distributed according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave.
    6 — Sets an Active Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balancing for IPV4 traffic. Receive load balancing is achieved through ARP negotiation.
  • miimon= — Specifies (in milliseconds) how often MII link monitoring occurs. This is useful if high availability is required because MII is used to verify that the NIC is active. To verify that the driver for a particular NIC supports the MII tool, type the following command as root:
    ethtool <interface> | grep "Link detected:"
    In this command, replace <interface> with the name of the device interface, such as eth0, not the bond interface. If MII is supported, the command returns:
    Link detected: yes
    If using a bonded interface for high availability, the module for each NIC must support MII.
    Setting the value to 0 (the default) turns this feature off. When configuring this setting, a good starting point for this parameter is 100.
  • downdelay= — Specifies (in milliseconds) how long to wait after link failure before disabling the link. The value must be a multiple of the value specified in the miimon parameter. The value is set to 0 by default, which disables it.
  • updelay= — Specifies (in milliseconds) how long to wait before enabling a link. The value must be a multiple of the value specified in the miimon parameter. The value is set to 0 by default, which disables it.
  • arp_interval= — Specifies (in milliseconds) how often ARP monitoring occurs.
    If using this setting while in mode 0 or 2 (the two load-balancing modes), the network switch must be configured to distribute packets evenly across the NICs. For more information on how to accomplish this, refer to
    /usr/share/doc/kernel-doc-<kernel-version>/Documentation/networking/bonding.txt
    The value is set to 0 by default, which disables it.
  • arp_ip_target= — Specifies the target IP address of ARP requests when the arp_interval parameter is enabled. Up to 16 IP addresses can be specified in a comma separated list.
  • arp_validate= — validate source/distribution of ARP probes; default is none. Other valid values are active, backup, and all.
  • lacp_rate= — Specifies the rate at which link partners should transmit LACPDU packets in 802.3ad mode. Possible values are:
    • slow or 0 — Default setting. This specifies that partners should transmit LACPDUs every 30 seconds.
    • fast or 1 — Specifies that partners should transmit LACPDUs every 1 second.
  • primary= — Specifies the interface name, such as eth0, of the primary device. The primary device is the first of the bonding interfaces to be used and is not abandoned unless it fails. This setting is particularly useful when one NIC in the bonding interface is faster and, therefore, able to handle a bigger load.
    This setting is only valid when the bonding interface is in active-backup mode. Refer to
    /usr/share/doc/kernel-doc-<kernel-version>/Documentation/networking/bonding.txt
    for more information.
  • use_carrier= — Specifies whether or not miimon should use MII/ETHTOOL ioctls or netif_carrier_ok() to determine the link state. netif_carrier_ok() relies on the device driver to maintain its state with netif_carrier_on/off; most device drivers support this function.
    The MII/ETHTOOL ioctls utilize a deprecated calling sequence within the kernel. However, this is still configurable in case your device driver does not support netif_carrier_on/off.
    Valid values are:
    • 1 — Default setting. Enables the use of netif_carrier_ok().
    • 0 — Enables the use of MII/ETHTOOL ioctls.

    Tip

    If bonding insists that the link is up when it should not be, it is possible that your network device driver does not support netif_carrier_on/off.
  • xmit_hash_policy — Selects the transmit hash policy used for slave selection in balance-xor and 802.3ad modes. Possible values are:
    • 0 or layer2 — Default setting. This option uses the XOR of hardware MAC addresses to generate the hash. The formula used is:
      (    ) 
      
      This algorithm will place all traffic to a particular network peer on the same slave, and is 802.3ad compliant.
    • 1 or layer3+4 — Uses upper layer protocol information (when available) to generate the hash. This allows for traffic to a particular network peer to span multiple slaves, although a single connection will not span multiple slaves.
      The formula for unfragmented TCP and UDP packets used is:
      ((   ) 
       ((    ) AND 0xffff)
        
      
      For fragmented TCP or UDP packets and all other IP protocol traffic, the source and destination port information is omitted. For non-IP traffic, the formula is the same as the layer2 transmit hash policy.
      This policy intends to mimic the behavior of certain switches; particularly, Cisco switches with PFC2 as well as some Foundry and IBM products.
      The algorithm used by this policy is not 802.3ad compliant. 
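To make the two transmit hash policies concrete, here is an added example that is not from this post or the CentOS guide it quotes. It implements the formulas as printed in the kernel's Documentation/networking/bonding.txt of the kernel generation this post documents: layer2 is (source MAC XOR destination MAC) modulo slave count, and layer3+4 for unfragmented TCP/UDP is ((source port XOR dest port) XOR ((source IP XOR dest IP) AND 0xffff)) modulo slave count. Later kernels changed both formulas (the packet type ID is folded into the layer2 hash, for instance), so treat this as the policy of the era the reference describes. The MACs and ports are constructed; the IPs reuse the addresses from the ifcfg-bond0 above. It shows the point the text makes: under layer3+4 two connections to the same peer can land on different slaves, while layer2 keeps all traffic to that peer on one slave.

```shell
#!/usr/bin/env bash
# Added example (not from the page or the CentOS guide): which slave a
# frame leaves on under xmit_hash_policy, using the formulas printed in the
# kernel's Documentation/networking/bonding.txt of the generation this post
# cites:
#   layer2    : (source MAC XOR destination MAC) modulo slave count
#   layer3+4  : ((source port XOR dest port) XOR
#                ((source IP XOR dest IP) AND 0xffff)) modulo slave count

# aa:bb:cc:dd:ee:ff -> integer (48 bits fit in shell arithmetic)
mac_to_int() {
    echo $(( 0x$(printf '%s' "$1" | tr -d ':') ))
}

# dotted-quad IPv4 -> integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# layer2 policy: src_mac dst_mac slave_count -> slave index
layer2_slave() {
    echo $(( ( $(mac_to_int "$1") ^ $(mac_to_int "$2") ) % $3 ))
}

# layer3+4 policy for unfragmented TCP/UDP:
#   src_ip src_port dst_ip dst_port slave_count -> slave index
layer34_slave() {
    local ipx
    ipx=$(( ( $(ip_to_int "$1") ^ $(ip_to_int "$3") ) & 0xffff ))
    echo $(( ( ($2 ^ $4) ^ ipx ) % $5 ))
}

# Constructed demo: one host opening two SSH connections to one server.
# The MACs are made up; the IPs reuse the addresses from the bond0 config.
SRC_MAC=00:11:22:33:44:55
DST_MAC=00:aa:bb:cc:dd:ee
SRC_IP=192.168.7.196
DST_IP=192.168.7.4
SLAVES=2

echo "layer2   : every frame to this peer on slave $(layer2_slave "$SRC_MAC" "$DST_MAC" "$SLAVES")"
echo "layer3+4 : source port 40001 -> slave $(layer34_slave "$SRC_IP" 40001 "$DST_IP" 22 "$SLAVES")"
echo "layer3+4 : source port 40002 -> slave $(layer34_slave "$SRC_IP" 40002 "$DST_IP" 22 "$SLAVES")"
```

Because a single connection always hashes to the same slave, neither policy reorders packets within a flow; what layer3+4 buys is spreading many flows to one peer, at the cost of the 802.3ad compliance the text notes.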


Sunday, March 27, 2011

Citycell Zoom Ultra in Linux / Ubuntu / Centos

Citycell ZOOM ULTRA modem setup in Linux (Ubuntu, RHEL, CentOS)
1. Please ensure you have the following packages installed on your system:
wvdial

Using Google you can find and install those packages easily.

2. Then plug in the Zoom Ultra modem in USB and open a terminal using root user. Then type
# lsusb

Output will be something like the following.

Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 002: ID 19d2:fff5 ONDA Communication S.p.A.

Look at the last line. If the modem is detected by your laptop/desktop, you will see a line similar to that. Note that 19d2:fff5 is not the product ID of the modem; it is the ID of the storage device integrated with the modem (where the program for Windows resides).

3. Now type:
gedit /etc/usb_modeswitch.conf
This will open the usb_modeswitch configuration file in the editor.
Delete everything from the file and paste the following lines.

DefaultVendor= 0x19d2
DefaultProduct= 0xfff5
TargetVendor= 0x19d2
TargetProduct= 0xfff1
MessageContent="5553424312345678c00000008000069f030000000000000000000000"

4. Now save the file and run the following command:
# usb_modeswitch

5. Now check the device id by typing lsusb command again.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 005: ID 19d2:fff1 ONDA Communication S.p.A.

Product ID changed.

6. Now:
# gedit /etc/wvdial.conf
Delete everything from the file and paste the following lines
[Dialer myzoom]
Username = waps
Stupid Mode = 1
Password = waps
Phone = #777

Then save and exit.
7. Now type
# wvdialconf

8. Then type
#wvdial myzoom

 Last lines of output will be like this:
--> pppd: 5[18] @,[18]
^CCaught signal 2: Attempting to exit gracefully...
--> Terminating on signal 15
--> pppd:
5[18] @,[18]

Now you are connected. You have to keep the terminal open as long as you want to use the Zoom modem. To disconnect, simply close the terminal or press CTRL+C.

For any help please leave a comment.

Monday, February 14, 2011

How to install nagios in RHEL 5 or FEDORA



Install Nagios on RHEL5
Dependencies
* Install Apache and PHP
* GCC
* GD development lib
Create User Account

/usr/sbin/useradd -m nagios
passwd nagios
/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -a -G nagcmd nagios
/usr/sbin/usermod -a -G nagcmd apache

Build and Install Nagios Core

wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.0.tar.gz
tar zxf nagios-3.2.0.tar.gz
cd nagios-3.2.0
./configure --with-command-group=nagcmd

make all
make install
# Installs the init script in /etc/rc.d/init.d
make install-init
# Installs sample config files in /usr/local/nagios/etc
make install-config
# Installs and configures permissions on the directory for holding the external command file
make install-commandmode

# Set contact email
vi /usr/local/nagios/etc/objects/contacts.cfg

# Install web interface
make install-webconf
# Create web interface account
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

# Restart Apache
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
# Or
/sbin/service httpd restart

Compile and Install Nagios Plugins

wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.14.tar.gz
tar zxf nagios-plugins-1.4.14.tar.gz
cd nagios-plugins-1.4.14
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

AutoStart/Start/Stop Nagios
 # Auto start Nagios
/sbin/chkconfig --add nagios
/sbin/chkconfig nagios on
# Check config file
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
# Start/Stop Nagios
/etc/init.d/nagios stop
/etc/init.d/nagios start

Add host/router/switches to nagios
# To add node, uncomment respective cfg_file line in
/usr/local/nagios/etc/nagios.cfg

Example: if you want to monitor a switch then uncomment following line in nagios.cfg

cfg_file=/usr/local/nagios/etc/objects/switch.cfg

# Then go to /usr/local/nagios/etc/objects/
And open switch.cfg

vi /usr/local/nagios/etc/objects/switch.cfg

There is an example of adding a node. You can use that by copy/paste.

Access Web Interface

Sunday, October 3, 2010

Basic IPTABLES Understanding


Basic Commands
Typing
# iptables -L
lists your current rules in iptables. If you have just set up your server, you will have no rules, and you should see
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Basic Iptables Options
Here are explanations for some of the iptables options you will see in this tutorial. Don't worry about understanding everything here now, but remember to come back and look at this list as you encounter new options later on.
  • -A - Append this rule to a rule chain. Valid chains for what we're doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.
  • -L - List the current filter rules.
  • -m conntrack - Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
  • --ctstate - Define the list of states for the rule to match on. Valid states are:
    • NEW - The connection has not yet been seen.
    • RELATED - The connection is new, but is related to another connection already permitted.
    • ESTABLISHED - The connection is already established.
    • INVALID - The traffic couldn't be identified for some reason.
  • -m limit - Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
    • --limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".
  • -p - The connection protocol used.
  • --dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.
  • -j - Jump to the specified target. By default, iptables allows four targets:
    • ACCEPT - Accept the packet and stop processing rules in this chain.
    • REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
    • DROP - Silently ignore the packet, and stop processing rules in this chain.
    • LOG - Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
  • --log-prefix - When logging, put this text before the log message. Use double quotes around the text to use.
  • --log-level - Log using the specified syslog level. 7 is a good choice unless you specifically need something else.
  • -i - Only match if the packet is coming in on the specified interface.
  • -I - Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be.
    • -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.
  • -v - Display more information in the output. Useful if you have rules that look identical without -v.
  • -s --source - address[/mask] source specification
  • -d --destination - address[/mask] destination specification
  • -o --out-interface - output name[+] network interface name ([+] for wildcard)
Allowing Established Sessions
We can allow established sessions to receive traffic:
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  • The above rule has no spaces either side of the comma in ESTABLISHED,RELATED
If the line above doesn't work, you may be on a VPS that uses OpenVZ or doesn't have some kernel extensions installed. In that case, try this line instead:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing Incoming Traffic on Specific Ports
You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.
To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Referring back to the list above, you can see that this tells iptables:
  • append this rule to the input chain (-A INPUT) so we look at incoming traffic
  • check to see if it is TCP (-p tcp).
  • if so, check to see if the input goes to the SSH port (--dport ssh).
  • if so, accept the input (-j ACCEPT).
Let's check the rules: (only the first few lines shown, you will see more)
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
Now, let's allow all incoming web traffic
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Checking our rules, we have
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
We have specifically allowed tcp traffic to the ssh and web ports, but as we have not blocked anything, all traffic can still come in.
Blocking Traffic
Once a decision is made to accept a packet, no more rules affect it. As our rules allowing ssh and web traffic come first, as long as our rule to block all traffic comes after them, we can still accept the traffic we want. All we need to do is put the rule to block all traffic at the end.
# iptables -A INPUT -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
DROP       all  --  anywhere             anywhere
Because we didn't specify an interface or a protocol, any traffic for any port on any interface is blocked, except for web and ssh.
Editing iptables
The only problem with our setup so far is that even the loopback interface is blocked. We could have written the drop rule for just eth0 by specifying -i eth0, but we could also add a rule for the loopback. If we append this rule, it will come too late, after all the traffic has been dropped. We need to insert this rule before that. Since this is a lot of traffic, we'll insert it as the first rule so it's processed first.
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
DROP       all  --  anywhere             anywhere
The first and last lines look nearly the same, so we will list iptables in greater detail.

# iptables -L -v
Chain INPUT (policy ALLOW 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
    0     0 DROP       all  --  any    any     anywhere             anywhere

You can now see a lot more information. This rule is actually very important, since many programs use the loopback interface to communicate with each other. If you don't allow them to talk, you could break those programs!
Logging
In the above examples none of the traffic will be logged. If you would like to log dropped packets to syslog, this would be the quickest way:
# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
See Tips section for more ideas on logging.
Saving iptables
If you were to reboot your machine right now, your iptables configuration would disappear. Rather than type this each time you reboot, however, you can save the configuration, and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.
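As an added example (not part of the original post), here is the INPUT chain built up in this tutorial written in the format iptables-save produces and iptables-restore consumes, together with a small ordering check. The check enforces the rule this post keeps coming back to: a terminating target ends processing, so the loopback and ACCEPT rules must sit above the final DROP, with the rate-limited LOG rule immediately before it. The ruleset and the deliberately mis-ordered variant are constructed for the example; nothing here calls iptables, so it runs without root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the INPUT chain built up in
# this tutorial, in the format iptables-save writes and iptables-restore
# reads, plus a check that the rules are in the order the tutorial requires.
# Nothing here invokes iptables, so it runs unprivileged.

# Print the ruleset. Order matters: a terminating target (ACCEPT, DROP,
# REJECT) ends processing, so lo and the ACCEPT rules sit above the DROP
# and the rate-limited LOG rule sits just before it.
input_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin; exit 0 only if the INPUT chain has a loopback
# ACCEPT rule and no ACCEPT rule (loopback included) appears after the
# first catch-all DROP. Use it on a hand-edited file before restoring it.
input_order_ok() {
    awk '
        /^-A INPUT / && /-j DROP$/ && !drop { drop = NR }
        /^-A INPUT / && /-j ACCEPT$/ && drop  { bad = 1 }
        /^-A INPUT -i lo /                   { lo = NR }
        END { if (bad || !lo || (drop && lo > drop)) exit 1; exit 0 }
    '
}

# Constructed counter-example: the web rule appended after the DROP, which
# is what happens if you add a port with -A once the catch-all is in place.
misordered_ruleset() {
    input_ruleset | awk '
        /--dport 80 / { held = $0; next }
        /-j DROP$/    { print; print held; next }
        { print }
    '
}

if input_ruleset | input_order_ok; then
    echo "INPUT chain order OK"
fi
if ! misordered_ruleset | input_order_ok; then
    echo "misordered ruleset rejected: an ACCEPT after the DROP never matches"
fi
```

On RHEL 5/6 the companion command is service iptables save, which writes the live rules to /etc/sysconfig/iptables in exactly the shape printed by input_ruleset; the iptables init script restores that file at boot, so the check above is worth running on it after every manual edit.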

I will post more complex example with iptables later.
Thanks.