2012-04-14

Adding 802.1Q Trunking to Debian GNU/Linux

Here's a quick guide to setting up 802.1Q trunking for VLANs on a Debian GNU/Linux box connected to one or more Cisco Catalyst switches, which could then be used as a cheap router replacement. The switch port facing the Debian box must be configured as an 802.1Q trunk rather than an access port, and it is worth pruning that trunk's allowed VLAN list down to the VLANs the box actually needs, so that a compromised box cannot reach (or sniff) every VLAN on the switch.


Configuration on the Debian box:

Add 8021q to /etc/modules so 802.1Q support is loaded at startup. To load it immediately:

# modprobe 8021q

Use vconfig to add the VLANs to the physical interface you'll be using (if vconfig is missing, run apt-get install vlan; on newer systems vconfig is deprecated and the same job is done with iproute2's ip link command):

# vconfig add eth0 2

(In the above, eth0 is the physical trunk interface and 2 is the VLAN ID. Frames tagged for VLAN 2 now appear on eth0.2, while anything the switch sends untagged on its native VLAN still arrives on eth0 itself, so leave eth0 without an address unless you actually want the box to be a member of the native VLAN.)

Give the VLAN interface an IP. Choose an address in the range you've set aside for that particular VLAN. In this example, VLAN 2 is using 192.168.2.0/24 (ifconfig brings the interface up as a side effect of assigning the address):

# ifconfig eth0.2 192.168.2.201 netmask 255.255.255.0
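The three steps above as one script, added here as an example rather than taken from the original post: it uses the iproute2 equivalents of vconfig and ifconfig, checks that the VLAN ID is legal before creating anything, and prints the matching /etc/network/interfaces stanza so the configuration survives a reboot (the vlan package's ifupdown hooks understand vlan-raw-device). The trunk interface eth0, VLAN 2 and 192.168.2.201/24 come from the post; VLAN 3 and its address are assumed for illustration, as is that the switch side is already a trunk.

```bash
#!/bin/bash
# Added example, not the post's own commands. Set DRYRUN=1 to print the
# ip commands instead of running them (they need root and a real NIC).

# 802.1Q VLAN IDs run 1-4094; 0 and 4095 are reserved. Reject anything else
# before it reaches ip link.
vlan_id_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Same naming as vconfig's default: <trunk>.<vid>, e.g. eth0.2
vlan_ifname() {
    printf '%s.%s\n' "$1" "$2"
}

# Either execute the command or echo it, depending on DRYRUN.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create one tagged sub-interface on the trunk and address it.
# Usage: vlan_up <trunk> <vid> <address/prefix>
vlan_up() {
    local trunk=$1 vid=$2 cidr=$3 ifname
    vlan_id_ok "$vid" || { echo "vlan_up: bad VLAN id '$vid'" >&2; return 1; }
    ifname=$(vlan_ifname "$trunk" "$vid")
    run ip link add link "$trunk" name "$ifname" type vlan id "$vid" &&
    run ip addr add "$cidr" dev "$ifname" &&
    run ip link set "$ifname" up
}

# Persistent ifupdown stanza for /etc/network/interfaces (vlan package).
# Usage: vlan_stanza <trunk> <vid> <address> <netmask>
vlan_stanza() {
    local trunk=$1 vid=$2 addr=$3 mask=$4 ifname
    ifname=$(vlan_ifname "$trunk" "$vid")
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    vlan-raw-device %s\n' \
        "$ifname" "$ifname" "$addr" "$mask" "$trunk"
}

# Only run the real thing when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    vlan_up eth0 2 192.168.2.201/24          # from the post
    vlan_up eth0 3 192.168.3.201/24          # assumed second VLAN
    vlan_stanza eth0 2 192.168.2.201 255.255.255.0
    vlan_stanza eth0 3 192.168.3.201 255.255.255.0
fi
```

Note that the script never touches eth0's own address, for the native-VLAN reason given above; if the box is only meant to route between tagged VLANs, eth0 should stay unaddressed.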


2012-04-11

Netfilter long forgotten


I was lamenting that I'd forgotten far too much about netfilter/iptables so, to jog my memory, I sat down to put together a quick network in VirtualBox. I set up a router/NAT box with one card bridged to my physical network and two cards in two separate host-only networks. To keep things nice and distinct, the networks used were 10.0.0.0/24, 172.16.0.0/16 and 192.168.0.0/24.

The simple routing script is below (with all firewall rules removed for brevity). The FORWARD policy is set to DROP before the rules are flushed and rebuilt, so forwarding is never briefly wide open while the script runs:


#!/bin/bash

WAN=eth1
LAN1=eth2
LAN2=eth3

echo 1 > /proc/sys/net/ipv4/ip_forward

# make it a policy to drop any traffic not specifically accepted; do this
# first so there is no window with forwarding open while rules are rebuilt
/sbin/iptables -P FORWARD DROP

# flush everything to begin with (-F on its own only clears the filter
# table, so the nat table has to be flushed separately)
/sbin/iptables -F
/sbin/iptables -t nat -F

# setup NAT via $WAN for the two LANs: anything from the LANs may go out,
# but only replies to connections they opened are let back in from $WAN
/sbin/iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
/sbin/iptables -A FORWARD -i $WAN -o $LAN1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN -o $LAN2 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $LAN1 -o $WAN -j ACCEPT
/sbin/iptables -A FORWARD -i $LAN2 -o $WAN -j ACCEPT

# inter-LAN routing (unrestricted in both directions)
/sbin/iptables -A FORWARD -i $LAN1 -o $LAN2 -j ACCEPT
/sbin/iptables -A FORWARD -i $LAN2 -o $LAN1 -j ACCEPT





When client2 (192.168.0.31) pings a host on the 10.0.0.0/24 network:
root@client2:~# ping 10.0.0.210
PING 10.0.0.210 (10.0.0.210) 56(84) bytes of data.
64 bytes from 10.0.0.210: icmp_req=1 ttl=127 time=0.724 ms
64 bytes from 10.0.0.210: icmp_req=2 ttl=127 time=1.05 ms
 

... IPTraf (running on the router) shows the traffic being sent and received. Note the request leaving eth1 with its source rewritten to the router's own address, 10.0.0.55, which is the MASQUERADE rule doing its job, and the reply being un-NATed back to 192.168.0.31 on the way out of eth3:
ICMP echo req (84 bytes) from 192.168.0.31 to 10.0.0.210 on eth3
ICMP echo req (84 bytes) from 10.0.0.55 to 10.0.0.210 on eth1
ICMP echo rply (84 bytes) from 10.0.0.210 to 10.0.0.55 on eth1
ICMP echo rply (84 bytes) from 10.0.0.210 to 192.168.0.31 on eth3





If NAT is undesirable, removing the NAT section from the script (the MASQUERADE rule and the two ESTABLISHED,RELATED rules) and replacing it with unconditional ACCEPT rules in both directions for eth1 has the effect of just routing between the three networks. The catch is that hosts on the 10.0.0.0/24 side, or their own gateway, then need routes for 172.16.0.0/16 and 192.168.0.0/24 pointing back at 10.0.0.55, since nothing is hiding those networks any more:
/sbin/iptables -A FORWARD -i $LAN1 -o $WAN -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN -o $LAN1 -j ACCEPT
/sbin/iptables -A FORWARD -i $LAN2 -o $WAN -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN -o $LAN2 -j ACCEPT
 



As an additional exercise, I set up Squid on the router and raised maximum_object_size to 1048576 KB (the default is far too small for most .deb files, so they would otherwise never be cached), then had the two clients and then the router do an apt-get upgrade one after the other. This saves re-downloading packages that have recently been picked up by the other client. Even with just the three boxes it's a decent download saver, but on a larger network it would be essential. I'll probably switch this over to something like apt-cacher-ng as it's actually designed with this in mind. Below are the connections shown in IPTraf (top), Squid's access log (left) and the result of running apt-get upgrade (right):

2012-04-07

Delicious Hunger Games

I finally got around to picking up the Hunger Games books yesterday and then managed to knock over the first volume in an evening. I ended up really loving it, even though most of the suspense was gone due to my having seen the movie adaptation first (silly, backwards me). The first-person perspective really worked, with the reader being as in the dark as Katniss when it came to the twists and machinations of the Gamemakers. This, coupled with her suspicious view of the motivations of just about everyone around her, makes for some thoughtful moments.


Thankfully, I've remained relatively free of spoilers regarding the other two books, so I look forward to getting stuck into them presently.

2012-04-01

Of paper worlds and the mysteries within

I've found myself drawn back into reading great, chunky novels of late - I'd eased off for a while, which made me feel strangely like I was missing out on something (perhaps I was). I followed up my re-reading of Pratchett's Witches Abroad by beginning The Lord of the Rings, which has since been partially interrupted by my beginning A Game of Thrones (finally).

In an attempt to keep things a little more cheery, I'm also going through The Dilbert Principle on the side but I must admit it isn't tickling my funny bone as consistently as I would like.

A Game of Thrones has pretty much met my expectations thus far - my only previous exposure to it was watching the first episode of the TV series but I really wanted to read the book before embarking down that path and I'm glad I did so. Martin uses some rather nice descriptive prose throughout and the quality dialogue is also worth mentioning.

On a side note, I've been mini-marathoning my way through Daria lately, a show I only saw bits of when it was airing. There are some top lines and, to my mind at least, Jane and Trent really do steal the show.