udev and cloning a linux vm: Network not working…

Have you ever stumbled upon a cloned Linux system, in my case CentOS 6.5, where eth0 does not exist and eth1 isn’t started automatically?

When VMware clones a VM it gives its network card a new MAC address, ensuring that you don’t end up with several VMs with the same MAC. If your distro uses udev and it discoveres the new NIC, it gives it a different UUID, thus creating eth1 in the process, since it can’t match the MAC addresses and UUIDs of the NICs. This might break all sorts of scripts or configs.

Here is how to fix it:

  • First we need to remove the discovered and assigned UUIDs from udev:

rm -f /etc/udev/rules.d/70-persistent-net.rules

  • Secondly we need to edit the networking script for eth0:

vi /etc/sysconfig/networking/devices/ifcfg-eth0

Here you should change the old MAC address to the new one the VM got after cloning.

  • Reboot.

Thats it. eth0 should work as it used to on the parent VM.

 

thanks to William: http://www.envision-systems.com.au/blog/2012/09/21/fix-eth0-network-interface-when-cloning-redhat-centos-or-scientific-virtual-machines-using-oracle-virtualbox-or-vmware/

Advertisements

Site-to-Site VPN, or: IPSec via IPv6

Hey there,

more and more IPv6 addresses are assigned, and since we are using IPSec-tunnels to encrypt the traffic between our branch-offices, I was wondering ‘how far has the support for IPSec via IPv6 come’?

So, I checked it out, using our Astaro (now Sophos) Firewall at work and my M0n0wall at home.

First of all, you of course need IPv6 activated on both ends and need an active connection. Wether you get that native from your provider or, for example, through https://www.sixxs.net is up to you. If you see fe80:… addresses: These are the link local addresses and do not work for us here.

Setup on the Astaro (Sophos UTM):

  • Go to ‘Site-to-Site VPN’ -> ‘IPSec’, create a ‘Remote Gateway’. We use a Preshared Key for our test setup now, in a real setup you might want to use RSA or a certificate. For the gateway you use the IPv6 WAN address of the m0n0wall. Oh, and don’t forget to add the remote networks. (This can be the whole /48 for example, no need to use several /64).
  • Then go to ‘Connections’ and create a new connection, using our just created gateway. I use TrippleDES for a policy here.
  • If you hit ‘automatic firewall rules’ your remote network gets full access to your local network. If this is unwanted, don’t do it! You can create the rules you like under ‘Network Security’ -> ‘Firewall’

All done here!

Setup on the M0n0wall:

  • Go to ‘VPN’ -> ‘IPSec’ and click the + symbol to create a new tunnel
  • For the interface chose ‘WAN’, unless you are routing internal or something (the interface should have the same IP that you chose for the remote gateway on the Astaro).
  • Enter your local subnet, I chose my /48 here.
  • Enter remote gateway (again, WAN IPv6 from the astaro)
  • Phase 1: Use 3DES, MD5, DH Keygroup 5, Lifetime 7800, PreShared Key
  • Phase 2: 3DES, MD5, Lifetime 3600

These are the values taken from the pre-existing definition for 3DES on the Astaro. You could change that, but do it on both sides.

Now just create rules what traffic you want to allow through the tunnel and which not. Remember: Both sides must fit in order for traffic to go through.

All save, all encrypted, all IPv6.

Voilà: Enjoy your Site-to-Site IPv6 tunnel.

managing iptables on linux

hey there,

as you manage more and more linux servers, you might stumble upon iptables firewalls. Especially with newer distros that happens more and more often, for example Fedora 17 and CentOS 6.3 have their iptables switched on by default.

If you now start to install services and server software, you might want to disable your firewall to test if the server responds, right? wrong!

The firewall is there for a reason, and should not just be switched off. One little trick I picked up is to always have a little shell script on hand that contains all the rules you want on your server and blocks everything else.

That way you can easily add an open port or close one, can rearrange the rules to your like and then run the script and have the firewall in place exactly as you want it to be.

This is especially helpful in case you mess up your rules or something goes wrong. You are up and running with your set of rules again in no time.

So, here goes a little basic firewall file on one of my test servers that runs a media wiki and for test purposes webmin on port 4444. It even takes into account ipv6 (same rules as for ipv4) and dumps the rules to the screen for you to see whats in place now.

all the best,

maybe

#!/bin/bash

#flush all rules
iptables -F
ip6tables -F

#allow 22 (ssh)
iptables -A INPUT -p tcp –dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp –dport 22 -j ACCEPT

#allow 80 (http, the wiki)
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp –dport 80 -j ACCEPT

#allow 4444 (webmin)
ip6tables -A INPUT -p tcp –dport 4444 -j ACCEPT
iptables -A INPUT -p tcp –dport 4444 -j ACCEPT

#set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT

#set access for localhost
iptables -A INPUT -i -lo -j ACCEPT
ip6tables -A INPUT -i -lo -j ACCEPT

#accept packets belonging to established connections
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

#save settings
/sbin/service iptables save
/sbin/service ip6tables save

#list rules
iptables -L -v
ip6tables -L -v