Category Archives: Network

Network documentation and installation

CentOS and VirtualBox NAT Port Forwarding

In my recent experiments, and while preparing for my next post, I stumbled on problems when trying to forward ports of my CentOS guest VM to my Mac OS based browser. For some reason, even though port forwarding was properly configured, like so:

Virtual Box Port NAT port forwarding on CentOS

…my host system browser could not connect to services on my VM, with the exception of SSH. The solution was simple: CentOS ships with default netfilter rules built in. These rules allow outgoing traffic and incoming SSH requests only, so the firewall configuration needed to be changed. The simplest way to do so is to disable the firewall completely:

# Run as root !
# Flush (discard) all rules
iptables -F
# Save configuration permanently
/sbin/service iptables save

While this may be fine for VM usage, I don’t like to disable a whole firewall (I feel unclean afterwards when I do). Here is a more sensible solution that could be a starting point for a more solid security setup:

# Again... as root !
# See current config
iptables -L
# Dump config to a file
iptables-save > /root/iptables-save.txt
# Edit config (see below for example)
vim /root/iptables-save.txt
# Flush + load config from the file
iptables-restore < /root/iptables-save.txt
# Validate
iptables -L
# Save for good (persists across reboot)
/sbin/service iptables save

For reference, here is my iptables-save.txt file:

# Generated by iptables-save v1.4.7 on Thu Jul 24 08:28:03 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [471:1082248]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 7222 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Thu Jul 24 08:28:03 2014

It should work immediately, but to confirm that the rules restored with “iptables-restore” were saved permanently, you should reboot and check “iptables -L” again. Main references:
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-iptables-saving.html
http://wiki.centos.org/HowTos/Network/IPTables
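Before loading an edited rules file with iptables-restore, it is worth checking what it actually opens. The following is an added example, not code from the original post: a small Python audit of the iptables-save text format shown above (the *filter table only). It reports the chain policies, lists the TCP/UDP ports the INPUT chain accepts, and verifies that the chain still ends with the catch-all REJECT, comparing the result against an allowlist of intended ports. The sample dump is the post’s own file with one extra, constructed rule for tcp/3306 added so the audit has something to flag; the function names are mine.

```python
"""Audit an iptables-save dump before loading it with iptables-restore.

Added example (not part of the original post). Parses the plain-text
iptables-save format for the *filter table and reports chain policies,
ports accepted by INPUT, and whether INPUT ends with a catch-all deny.
"""
import shlex

# Constructed sample: the post's iptables-save output plus one extra rule
# (tcp/3306) that is NOT in the intended allowlist, so the audit flags it.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.7 on Thu Jul 24 08:28:03 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [471:1082248]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies: {chain: policy}; rules: list of (chain, argv) in file order,
    where argv is the rule's option list after "-A <chain>".
    """
    policies, rules = {}, []
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))
    return policies, rules


def _opt(argv, name):
    """Value following option `name` in argv, or None if absent."""
    return argv[argv.index(name) + 1] if name in argv else None


def accepted_ports(rules, chain="INPUT"):
    """Set of (proto, port) pairs the chain ACCEPTs on a --dport match."""
    ports = set()
    for ch, argv in rules:
        if ch != chain or _opt(argv, "-j") != "ACCEPT":
            continue
        proto, dport = _opt(argv, "-p"), _opt(argv, "--dport")
        if proto in ("tcp", "udp") and dport:
            ports.add((proto, int(dport)))
    return ports


def ends_with_deny(rules, chain="INPUT"):
    """True if the chain's last rule is an unconditional REJECT or DROP."""
    chain_rules = [argv for ch, argv in rules if ch == chain]
    if not chain_rules:
        return False
    last = chain_rules[-1]
    # Any match option makes the rule conditional, so it is not a catch-all.
    unconditional = not any(o in last for o in ("-p", "-s", "-d", "-i", "-o", "-m"))
    return unconditional and _opt(last, "-j") in ("REJECT", "DROP")


def audit(dump, allowed):
    """Compare the dump against an allowlist of (proto, port); return findings."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for proto, port in sorted(accepted_ports(rules) - set(allowed)):
        findings.append(f"INPUT accepts {proto}/{port} which is not in the allowlist")
    if not ends_with_deny(rules):
        findings.append("INPUT has no catch-all REJECT/DROP; unmatched packets "
                        f"fall to policy {policies.get('INPUT')}")
    return findings


if __name__ == "__main__":
    # The ports the post intends to expose: SSH plus the three VM services.
    allowlist = {("tcp", 22), ("tcp", 7222), ("tcp", 8080), ("tcp", 8777)}
    for finding in audit(SAMPLE_DUMP, allowlist) or ["no findings"]:
        print(finding)
```

Run it against the real file with `audit(open("/root/iptables-save.txt").read(), allowlist)`. The catch-all check matters because with the `:INPUT ACCEPT` policy shown above, deleting the final REJECT line by mistake would leave every port open while `iptables -L` still looks populated.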

Favorite Crunchbang admin commands

I found this script and made a menu shortcut to turn off my netbook screen and fix the resolution of my external monitor. Here are both commands:

# Close my netbook screen and adjust resolution of ext. monitor
# Labels can be taken from "grandr" command
xrandr --output LVDS1 --off &
xrandr --output VGA1 --mode "1680x1050" &

Also, I often need to administer the network connections as root (e.g. to add a permanent static configuration to the wired card).

sudo nm-connection-editor


Simple Debian/Gmail configuration for sending mail from CLI

Sometimes we need to use the mail command (instead of a rich MUA). A central mail server is not always available and there may be a need for simpler solutions. This article demonstrates a direct link from exim4 (Debian/Squeeze) to Gmail.

Directions

  • On a newly installed Debian, type:
    # dpkg-reconfigure exim4-config
  • Choose “mail sent by smarthost; no local mail”
  • Accept all default values until the “smarthost” configuration
  • “Smarthost” is smtp.gmail.com::587 (the double colon separates host and port)
  • Edit the password file:
    # vim /etc/exim4/passwd.client
  • Add a line like this one:
    *.google.com:[your-gmailusername]@gmail.com:[your-gmailpasswd]
  • Run:
    # update-exim4.conf
  • Test the mail command
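A malformed passwd.client entry breaks smarthost authentication silently, and since the file holds the Gmail password in clear text its permissions matter. The following is an added example, not code from the original post or from the exim4 package: a Python check for the `host-pattern:login:password` format used above, a permissions check (Debian installs this file as root:Debian-exim mode 0640), and a simplified lookup that shows which entry a given smarthost name would select. The lookup only handles the leading-`*` wildcard form used in the post and is an approximation of exim’s nwildlsearch, not a reimplementation of it; the sample lines and function names are mine.

```python
"""Sanity-check /etc/exim4/passwd.client before running update-exim4.conf.

Added example (not part of the original post). Entries are
"host-pattern:login:password", one per line; '#' starts a comment.
"""
import os
import stat

# Constructed sample: one good entry plus deliberately broken ones.
SAMPLE_LINES = [
    "# exim4 smarthost credentials",
    "*.google.com:someone@gmail.com:app-password-placeholder",
    "*.google.com:someone@gmail.com",          # missing password field
    "smtp.example.net:bob:pa:ss:word",         # extra colons: ambiguous split
    "",
]
PLACEHOLDERS = {"[your-gmailpasswd]", "changeme", "password"}


def _entries(text):
    """Yield (line_no, stripped_line) for non-empty, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def parse_entries(text):
    """Yield (line_no, host_pattern, login, password) for well-formed entries.

    Lines without exactly three colon-separated fields are skipped here
    and reported by lint_entries() instead.
    """
    for n, line in _entries(text):
        fields = line.split(":")
        if len(fields) == 3:
            yield n, fields[0], fields[1], fields[2]


def lint_entries(text):
    """Findings for malformed or suspicious entries (empty list = clean)."""
    findings = []
    for n, line in _entries(text):
        fields = line.split(":")
        if len(fields) < 3:
            findings.append(f"line {n}: expected host:login:password, got {len(fields)} field(s)")
        elif len(fields) > 3:
            findings.append(f"line {n}: more than two ':' separators; login/password split is ambiguous")
        elif not all(fields):
            findings.append(f"line {n}: empty field")
        elif fields[2] in PLACEHOLDERS:
            findings.append(f"line {n}: placeholder password left in place")
    return findings


def lint_mode(mode):
    """Findings for a file mode (st_mode int); clear-text credentials must stay private."""
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("file is accessible to other users; expected root:Debian-exim 0640")
    if mode & stat.S_IWGRP:
        findings.append("file is group writable")
    return findings


def lookup(text, host):
    """Credentials selected for `host`, or None.

    Assumption: a pattern starting with '*' matches any host ending in the
    rest of the pattern; otherwise the host must match exactly. This mirrors
    the common '*.google.com' usage, not the full exim wildcard syntax.
    """
    host = host.lower()
    for _, pattern, login, password in parse_entries(text):
        p = pattern.lower()
        if (p.startswith("*") and host.endswith(p[1:])) or host == p:
            return login, password
    return None


def audit_file(path):
    """Run both checks against a real passwd.client file."""
    with open(path) as fh:
        text = fh.read()
    return lint_entries(text) + lint_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    text = "\n".join(SAMPLE_LINES)
    for finding in (lint_entries(text) + lint_mode(0o644)) or ["no findings"]:
        print(finding)
    print(lookup(text, "gmail-smtp-msa.l.google.com"))
```

On a live system run `audit_file("/etc/exim4/passwd.client")` as root; an empty list means the entries parse and the file is not readable by other local users.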

References

Debian wiki
Debian documentation
Another guide on the subject

Small business network – Part1 – Requirements

Hi, welcome to this first post of the “Small business network” series.

Introduction

My girlfriend’s small business is moving to new headquarters. Yay.
She needs a whole new network. Great.

This enterprise is specialized in education services for early childhood. As one might imagine, such a type of enterprise, especially since it has existed for only five years, does NOT have the budget for a “professional” network (read: >10 thousand $ of hardware network products, expensive wiring and automatic workstation management). This series of articles is about the next best thing, a “home made” network installation, built out of some FOSS, commercial software, hardware and (a little bit of) duct tape.

This first article is aimed at specifying the business needs. We then document the requirements and draw a plan of the network installation.

Needs – a short list

  • Server(s): File sharing (internal), File sharing (secured extranet), Incremental backup, Authentication and Authorization, Accounting software service deployment
  • Workstations: 4-5 Desktops and 2-3 Laptops (all wired to the network). These already belong to the company. Typical usage includes: email, productivity applications, web browsing.
  • Network printer/fax
  • 7 multi-line telephones (4 lines). The technology implied is “normal” telephone lines (see “VoIP shopping” below).

VoIP Shopping

To pre-empt the “You should go with VoIP” argument, I should tell you that it was considered. The main problem, in the case of this company, is that it has an ongoing agreement with its current telephone provider (a local cable company). Cancelling would imply costs that VoIP savings just don’t cover.

Aside from this, the company had already invested in pretty good “4 lines” phones from RCA. Those phones include some “telephone system” features like transfers and conference. Those features are currently sufficient for the company. Software phones (for working from home), dynamic redirections and other features could be useful, but are not necessary.

More than half of the phones needed were already bought in the years before, and this added to the cost of changing as well (the difference between buying 7 new phones or only 3).

That said, and considering all I just wrote, the VoIP offer from one of the providers we consulted represented almost enough savings to convince us.

VoIP, see you in 2 to 3 years 😉

In the meantime, it is important to state as a requirement that wiring *must* be forward-compatible with a time when the whole telephone network is going to be passing through Ethernet.

Requirements

Since needs can be pretty basic when you don’t have anything in place, I have a preference for documenting the requirements as the checklist that I am going to use over the course of the whole project. Here it is.

New Headquarters network infrastructure list

  • Deploy a wired network for workstations and telephones (see part 2)
    • Make it forward compatible for future VoIP. The 4 current lines will be carried by the same CAT5 cable that could be used for VoIP in the future.
    • Make the workstation wiring CAT6 for new Gigabit Ethernet workstations
    • We need 13 identical faceplates with 1 Ethernet and 2 RJ-45 jacks (each holding two lines on the 4 central pins). Those last 2 should have been RJ-11 jacks, but my RJ-45 jacks were available and will do fine (even if 2 pairs of pins are going to be unused).
    • And one special faceplate with one Ethernet connector and the fax line
    • The closet (as in: replacement for a network rack) will include the following:
      • A 24-port patch panel for the outlets (only 13 outlets are used)
      • A distribution box of at least 49 output pairs (lines). I found a model with 50.
      • A router (generic Linksys 4 ports)
      • A 16-port Gigabit switch (unmanaged; no budget for VLANs)
      • 2 cable company modems, for the 5 telephone lines (including fax)
      • A KVM for two servers
      • A monitor, keyboard and a mouse
      • Ventilation
  • Deploy servers (see part 3)
    • Install file sharing solutions including authentication and authorization of both local and external personnel
    • Install Simply Accounting (server mode)
    • Configure an incremental backup solution
  • Configure workstations (see part 4)
    • Install software (productivity)
    • Establish a good way to remotely control specific workstations from the outside

Documentation – Wiring plan

Wiring plan preview
Don’t you just love a useful document?

The first “deliverable” in this series is a plan of the network drawn before the beginning of the wiring effort. This document is useful for many reasons:

  • It will serve as a guide for wiring (from the basement of the building)
  • It visually documents the layout of the different connectors. This will be useful in the future for managing the network closet (the plan should be displayed in the closet)
  • The corresponding numbers can be used as workstation IDs, phone IDs or for any other relevant purpose

I hope it will inspire you in your projects and encourage you to read on.

The plan is OpenOffice/LibreOffice compatible. I also provide the PDF version.
SBN-Part1-WiringPlan.odg
SBN-Part1-WiringPlan.pdf