
 

Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems

## the procedure is the same whether the team is used for load balancing or for aggregating multiple links
## the team configuration is passed in JSON format


## check your ethernet devices and identify two that are currently not used by any connection

[root@rhel7mgmt1 ~]# nmcli device status
DEVICE      TYPE      STATE         CONNECTION
enp0s3      ethernet  connected     enp0s3    
virbr0      bridge    connected     virbr0    
enp0s8      ethernet  disconnected  --        
enp0s9      ethernet  disconnected  --  
      
lo          loopback  unmanaged     --        
virbr0-nic  tun       unmanaged     -- 


## create your teaming connection

nmcli con add type team con-name lateam0 ifname lateam0 config '{"runner": {"name":"activebackup" }}'


## assign an IP address manually to lateam0

nmcli con mod lateam0 ipv4.addresses '192.168.0.10/24'
nmcli con mod lateam0 ipv4.method manual
teamdctl lateam0 state

output
setup:
  runner: activebackup
runner:
  active port:


## add ports (team-slave connections) to the team

nmcli con add type team-slave con-name lateam0-port1 ifname enp0s8 master lateam0
nmcli con add type team-slave con-name lateam0-port2 ifname enp0s9 master lateam0


## activate

nmcli con up lateam0-port1
nmcli con up lateam0-port2
nmcli con up lateam0
teamdctl lateam0 state


output

setup:
  runner: activebackup
ports:
  enp0s8
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  enp0s9
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
runner:


## test bringing one interface down
## note that the active port fails over to the other slave port when the current active port is brought down

nmcli con down lateam0-port1


## check state

teamdctl lateam0 state

output

setup:
  runner: activebackup
ports:
  enp0s9
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
runner:
  active port: enp0s9



## to delete the teaming

nmcli con down lateam0-port2
nmcli con down lateam0-port1

nmcli con delete lateam0-port1
nmcli con delete lateam0-port2
nmcli con delete lateam0

 


 

Configure IPv6 addresses and perform basic IPv6 troubleshooting

# after adding a new ethernet interface, e.g. enp0s9, it is shown in ifconfig

ifconfig

# but it is not yet shown in nmcli (no connection exists for it)

nmcli con show

# add new connection for that interface

nmcli con add con-name enp0s9 type ethernet ifname enp0s9
nmcli con show

# add statically assigned IPv4 and IPv6 addresses and bring the connection up

nmcli con mod enp0s9 ipv4.addresses "192.168.0.10/24"
nmcli con mod enp0s9 ipv4.method manual
nmcli con mod enp0s9 ipv6.addresses "fddb:fe2a:ab1e::c0a8:64/64"
nmcli con mod enp0s9 ipv6.method manual
nmcli con up enp0s9
nmcli con show
ifconfig


## NOTE: if you encounter the following error

Error: Failed to modify connection 'enp0s9': ipv6.addresses: this property is not allowed for 'method=ignore'

it can be resolved by setting both ipv6.method and ipv6.addresses in the same command

nmcli con mod enp0s9 ipv6.method manual ipv6.addresses "fddb:fe2a:ab1e::c0a8:64/64"


# ping locally via that interface

ping 192.168.0.10
ping6 -I enp0s9 fddb:fe2a:ab1e::c0a8:64

# repeat the ping from another machine on the same network
ping 192.168.0.10
ping6 fddb:fe2a:ab1e::c0a8:64

# alternatively can use nmtui for text menu based configuration

# or the Network Manager GUI


 

Route IP traffic and create static routes

## to check your routing table the legacy way

[root@rhel7server1 ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 enp0s3
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 enp0s8
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0



## or the new way

[root@rhel7server1 ~]# ip route list
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
192.168.0.0/24 dev enp0s8 proto kernel scope link src 192.168.0.10 metric 101
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1


[root@rhel7server1 ~]# ping www.google.com
PING www.google.com (74.125.24.103) 56(84) bytes of data.
64 bytes from 74.125.24.103 (74.125.24.103): icmp_seq=1 ttl=51 time=5.14 ms
64 bytes from 74.125.24.103 (74.125.24.103): icmp_seq=2 ttl=51 time=6.14 ms


## test adding a static route

[root@rhel7server1 ~]# ip route add 172.125.24.0/24 via 10.0.2.2 dev enp0s3


## display the routes

[root@rhel7server1 ~]# ip route list
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
172.125.24.0/24 via 10.0.2.2 dev enp0s3
192.168.0.0/24 dev enp0s8 proto kernel scope link src 192.168.0.10 metric 101
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1


# to delete the static route

[root@rhel7server1 ~]# ip route del 172.125.24.0/24 via 10.0.2.2 dev enp0s3


# display the updated routing table


[root@rhel7server1 ~]# ip route list
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
192.168.0.0/24 dev enp0s8 proto kernel scope link src 192.168.0.10 metric 101
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1


## to create a persistent static route, either
## (1) add the routes to /etc/sysconfig/static-routes
## we know this file is honoured because the network service is started by the /etc/rc.d/init.d/network script,
## which checks for the presence of /etc/sysconfig/static-routes

[root@rhel7server1 ~]# systemctl status network
● network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
   Active: active (running) since Tue 2020-03-03 03:37:23 UTC; 28min ago

[root@rhel7server1 ~]# grep static /etc/rc.d/init.d/network
    # Add non interface-specific static-routes.
    if [ -f /etc/sysconfig/static-routes ]; then
            grep "^any" /etc/sysconfig/static-routes | while read ignore args ; do
            net_log $"Legacy static-route support not available: /sbin/route not found"

## edit the static route file

[root@rhel7server1 ~]# vi /etc/sysconfig/static-routes


## add the following and save

any net 74.125.24.0 netmask 255.255.255.0  gw 10.0.2.2 dev enp0s3



## or (2) edit the interface-specific static route file /etc/sysconfig/network-scripts/route-&lt;interface&gt; (e.g. route-enp0s3)

[root@rhel7server1 ~]# vi /etc/sysconfig/network-scripts/route-enp0s3


## add the route eg. the following


74.125.25.0/24 via 10.0.2.2


## restart the network service and re-check the routing table

[root@rhel7server1 sysconfig]# systemctl restart network

[root@rhel7server1 sysconfig]# ip route list
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
74.125.24.0/24 via 10.0.2.2 dev enp0s3     <=== added by /etc/sysconfig/static-routes
74.125.25.0/24 via 10.0.2.2 dev enp0s3 proto static metric 100   <== added by /etc/sysconfig/network-scripts/route-enp0s3
192.168.0.0/24 dev enp0s8 proto kernel scope link src 192.168.0.10 metric 101
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

 


 

Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)

### TO ENABLE THE http SERVICE IN THE DEFAULT ZONE

## before enabling, list currently enabled services

[root@rhel7server1 ~]# firewall-cmd --list-service
ssh dhcpv6-client dns nfs

## enable http

[root@rhel7server1 ~]# firewall-cmd --permanent --add-service=http
success

## reload firewalld

[root@rhel7server1 ~]# firewall-cmd --reload
success

## list enabled services now

[root@rhel7server1 ~]# firewall-cmd --list-service
ssh dhcpv6-client dns nfs http


### TO USE THE GRAPHICAL USER INTERFACE (firewall-config) INSTEAD OF firewall-cmd

[root@rhel7server1 ~]# firewall-config




### CHECK THAT FIREWALLD IS RUNNING

[root@rhel7server1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-03-03 10:03:07 EST; 25min ago

## or

[root@rhel7server1 ~]# firewall-cmd --state
running

## Note: if the server is multi-homed and you want it to route traffic between its interfaces, you must enable IP forwarding,
## i.e. set the kernel parameter net.ipv4.ip_forward=1 permanently by adding it to /etc/sysctl.conf

### LIST AVAILABLE ZONES

[root@rhel7server1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

### GET THE DEFAULT ZONE

[root@rhel7server1 ~]# firewall-cmd --get-default-zone
public

### LIST ACTIVE ZONES

[root@rhel7server1 ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3 enp0s8

### CHANGE DEFAULT ZONE

[root@rhel7server1 ~]# firewall-cmd --set-default-zone=home
success

[root@rhel7server1 ~]# firewall-cmd --get-default-zone
home

[root@rhel7server1 ~]# grep DefaultZone /etc/firewalld/firewalld.conf
DefaultZone=home

### CHECK WHICH ZONE EACH INTERFACE IS ASSOCIATED WITH

[root@rhel7server1 ~]# nmcli device status
DEVICE      TYPE      STATE      CONNECTION
enp0s3      ethernet  connected  enp0s3    
enp0s8      ethernet  connected  enp0s8    
enp0s9      ethernet  connected  enp0s9    
lo          loopback  unmanaged  --    


## get zones for each interface

[root@rhel7server1 ~]# firewall-cmd --get-zone-of-interface=enp0s3
public

[root@rhel7server1 ~]# firewall-cmd --get-zone-of-interface=enp0s8
no zone

[root@rhel7server1 ~]# firewall-cmd --get-zone-of-interface=enp0s9
public


## change zone for an interface

[root@rhel7mgmt1 ~]# firewall-cmd --change-zone=enp0s9 --zone=internal
success

[root@rhel7mgmt1 ~]# firewall-cmd --reload
success

[root@rhel7mgmt1 ~]# firewall-cmd --get-zone-of-interface=enp0s9
internal



### GET THE PERMANENT CONFIG OF THE public ZONE


[root@rhel7server1 ~]# firewall-cmd --permanent --zone=public --list-all
public
  target: default
  icmp-block-inversion: no


  interfaces:
  sources:
  services: ssh dhcpv6-client dns nfs
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

### CREATE NEW ZONE

[root@rhel7server1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

[root@rhel7server1 ~]# firewall-cmd --permanent --new-zone=TEST
success

[root@rhel7server1 ~]# firewall-cmd --reload
success

[root@rhel7server1 ~]# firewall-cmd --get-zones
TEST block dmz drop external home internal public trusted work


### GET ALL KNOWN SERVICES

[root@rhel7server1 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client
.... http ....
xmpp-bosh xmpp-client xmpp-local xmpp-server

### GET HELP ON FIREWALLD RICH RULES SYNTAX

[root@rhel7server1 ~]# man firewalld.richlanguage

### ADD / REMOVE RICH RULES

## add

[root@rhel7server1 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.1.1" log accept'
success

## verify

[root@rhel7server1 ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.1.1" log accept

## remove

[root@rhel7server1 ~]# firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.1.1" log accept'
success

## re-list

[root@rhel7server1 ~]# firewall-cmd --list-rich-rules


### ANOTHER EXAMPLE OF RICH RULES


## add

[root@rhel7server1 html]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.20 service name="http" log level=notice prefix="[HTTP RULE]  " limit value="20/s" accept'
success

## apply

[root@rhel7server1 html]# firewall-cmd --reload
success

## test from the source host (rhel7client1)

[root@rhel7client1 html]# for i in {1..100};do curl http://rhel7server1;done;
<html><body>rhel7server1 web server</body></html>
...
<html><body>rhel7server1 web server</body></html>

## tail the log at the destination

[root@rhel7server1 html]#
tail /var/log/messages | grep HTTP.RULE
...

## to remove the rich rules

[root@rhel7server1 html]# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family=ipv4 source address=192.168.0.20 service name="http" log level=notice prefix="[HTTP RULE]  " limit value="20/s" accept'
success

[root@rhel7server1 html]# firewall-cmd --reload
success

### LISTING RICH RULES

[root@rhel7server1 ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.0.20" forward-port port="8022" protocol="tcp" to-port="22"

### ADD A SOURCE TO A ZONE

[root@rhel7server1 ~]# firewall-cmd --permanent --zone=work --add-source=172.31.1.1
success

[root@rhel7server1 ~]# firewall-cmd --reload
success

### GET DETAILED INFO FOR A ZONE

[root@rhel7server1 ~]# firewall-cmd --info-zone=work
work (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.31.1.1
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


### NAT
### Type 1: IP masquerading
### Type 2: Port redirection

### NAT - PORT REDIRECTION

## test before : direct ssh to port 22 allowed, ssh to port 8022 not allowed

[root@rhel7client1 ~]# ssh user1@rhel7server1
user1@rhel7server1's password: *******

[root@rhel7client1 ~]# ssh -p 8022 user1@rhel7server1
ssh: connect to host rhel7server1 port 8022: No route to host

## configure the rules: (1) redirect port 8022 to 22, (2) deny direct access to port 22 (done below by removing the ssh service from the zone)
## note that these addresses are on enp0s9, which is in the public zone in our example

[root@rhel7server1 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.20 forward-port port=8022 protocol=tcp to-port=22'
success


## alternative way without using rich rules (note: this form carries no source address restriction, and without --permanent it is runtime-only and is discarded on --reload):

firewall-cmd --add-forward-port=port=8022:proto=tcp:toport=22


## the same as above using firewall-config GUI

## launch firewall configuration GUI


[root@rhel7server1 ~]# firewall-config


#
# Drop down "Configuration" and select Permanent




## at Zones tab, select public




## scroll the options until Port Forwarding






## click Add button




## add the port forwarding options accordingly and then click OK




## activate the new rules



[root@rhel7server1 ~]# firewall-cmd --reload

 



[root@rhel7server1 ~]# firewall-cmd --permanent --zone=public --remove-service=ssh
success

[root@rhel7server1 ~]# firewall-cmd --reload
success

## test after: direct ssh to port 22 is NOT allowed, ssh to port 8022 is allowed

[root@rhel7client1 ~]# ssh user1@rhel7server1
ssh: connect to host rhel7server1 port 22: No route to host

[root@rhel7client1 ~]# ssh -p 8022 user1@rhel7server1
user1@rhel7server1's password: *******

## remove the rules

[root@rhel7server1 ~]# firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=192.168.0.20 forward-port port=8022 protocol=tcp to-port=22'
success

### NAT - IP MASQUERADE

## see examples here

Masquerading With Firewalld

Masquerading will forward packets that are not directed to an IP address associated with the system itself on to their intended destination. The source IP address of the packets that are sent through our system will be changed to the IP address of our system, rather than the IP address of the original traffic source. Responses to these packets will then come back through our system, and their destination address will be modified so that the traffic is sent back to the original host that initiated it.


 


 

Use /proc/sys and sysctl to modify and set kernel runtime parameters