Blog Archives

Oracle Enterprise Linux 6.x networking

Lately I got many questions regarding the network configuration of Oracle Enterprise Linux 6 (Red Hat Enterprise Linux 6).
Enough to write a little article about it.

It seems that some of the network configuration was altered in OEL6. The reason as far as I know is the implementation of the NetworkManager daemon. I don’t know why they are using CamelCase for the daemon name, but mind that. Even though the NetworkManager should make the configuration as painless as possible (at least thats what the manual page said), it seems to actually make the configuration more of a pain for some.

Below I will cover some topics in an effort to get you going and remove the pain ūüôā

Configuring eth0 for manual operation

  • Step 1: disable the NetworkManager daemon
    service NetworkManager stop
  • Step 2: remove the NetworkManager from Init (start-up)
    chkconfig --level 2345 NetworkManager off
  • Step 3: open the ifcfg-eth0 config file (alter the suffix ‘eth0’ to match the adapter of your choice)
    vi /etc/sysconfig/network-scripts/ifcfg-eth0
  • Step 4: Alter the following to match your environment…
    DEVICE=eth0
    TYPE=Ethernet
    HWADDR={Your MAC address here}
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=static
    IPADDR=192.168.1.10
    #PREFIX=24    [can be used alternativly to NETMASK=]
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    BROADCAST=192.168.1.255
    GATEWAY=192.168.1.1
    
  • Step 5: Write/close the configuration file¬†(:wq in vi)
  • Step 6: Restart the network service
    service network restart
  • TIP 0: Obviously match the configuration above to match your home network.
  • TIP 1: NetworkManager is not always present in which case you can obviously skip step 1 – 2.
  • TIP 2: There are reports that NETMASK=xxx.xxx.xxx.xxx is actually more stable then PREFIX=xx notation.
    My advice, use NETMASK= which is also better understood by non networking guys.
  • TIP 3: Not sure about the correct NETWORK, NETMASK, BROADCAST or PREFIX¬†settings, give ipcalc a try:
    ipcalc --netmask {IPADDR}
    ipcalc --prefix {IPADDR} {NETMASK}
    ipcalc --broadcast {IPADDR} {NETMASK}
    ipcalc --network {IPADDR} {NETMASK}
    

Configuring DNS

DNS always seems to be a bugger and a hard one to understand. Do note that DNS is JUST A IP PHONEBOOK. Nothing fancy there. Also there are various ways of configuring DNS. One way is by adding the DNS configuration in the ifcfg-suffix configuration file with the DNS1=ip.ip.ip.ip DNS2=ip.ip.ip.ip keywords.¬†As an¬†effect, the networking service will update the appropriate¬†configuration files.¬†To¬†be frank,¬†I find this to be confusing and do not like duplicate configurations everywhere in my -has to be clean- environment. My advice is to configure the DNS is the appropriate files directly like this…

  • Step 1: Edit¬†the¬†resolve.conf where DNS is configured.
    vi /etc/resolv.conf
  • Step 2: Add or Alter the following to match your environment
    search mydomain.home
    nameserver 192.168.1.1
    nameserver 8.8.8.8
    
  • Step 3: Test to see if name resolution works
    nslookup
    set debug
    www.google.com
    
  • TIP 1: Linux actually tries to find the ip in the /etc/hosts file first. If you know the hostnamename and FQDN to an certain IP and it can be classified as static. Consider using the hostsfile instead of a centralized DNS. This will boost performance if the name is resolved often. If multiple systems use and depend on a machine reference, use centralized DNS in order to lighten the administrative tasks.
    vi /etc/hosts
  • TIP 2: Experiencing slow log on times or slow application performance? A faulty DNS configuration might just be the¬†cause. A quick way to test this is by¬†temp. disabling DNS all together. This can be done by editing the /etc/nsswitch.conf file.
    vi /etc/nsswitch.conf
    • alter the line
      hosts:     files dns
    • to the line
      hosts: files
    • write the file and test if the performance has improved.
  • The reason for this is that DNS is often used to register user logon or session information based on the visitors IP address. Examples are the ssh daemon, ftp servers, webservers, linux logon, etc.

STATIC ROUTES

In some case you want linux to use alternative routes to access certain Linux resources. The way to go in these cases are creating routes. In most cases you want these to be presistant in which case ‘route add –‘ wont suffice. In our example we will create two new routes. On describing a route to a specific host, the other describing the route to a specific network. Alter the example to match your needs.

  • STEP 1: Create a new file called static-routes in the¬†/etc/sysconfig/ directory
    vi /etc/sysconfig/static-routes
  • STEP 2: Add the following, obviously matching your specific needs
    any net 192.168.2.0/24 gw 192.168.1.254 metric 1
    any host 192.168.2.254 gw 192.168.1.254 metric 1
  • STEP 3: Restart the network service
    service network restart
  • TIP 1: SIOCADDRT: No such process means the designated gateway doesnt exsist on any known interface. (typo?)
  • TIP 2: view the route information usint the route command
  • TIP 3: use the ipcalc –prefix {IPADDR} {NETMASK} command to determin the right /prefix for your environment.
  • TIP 4: In older environments the ifup-routes is used, this shscript still exsists in the /etc/sysconfig/network-scripts/ifup-routes

Locate my mac address

The ifcfg-eth# config allows you to configure the specific mac address to guarantee the IP is bound to the right adapter. In virtualized environments this might save you a lot of trouble in the situation where the virtualized domain is altered. On the other hand it might cause trouble when the staticly configured MAC is migrated in virtual environments. Either case, you might want to know the MAC linux sees belonging to an certain adapter. You can find the MAC address in the following location:

 cat /sys/class/net/eth0/address

Obviously you need to alter eth0 in the path to match the adapter you are looking for. Not sure? The change directory to /sys/class/net and perform a list to see all discovered and registered adapters.

IPTables (Linux firewall)

By default IPtables (which is the linux firewall) is enabled. You can view the running configuration by checking the service status like this.

 service iptables status

You can simply turn the firewall off by modifying and applying steps 1-2 of the first configuring eth0 instruction. This will reduce the security of your linux platform significantly. My advice, add the ports you need for your services and let IPtables protect you. The easiest way is by simply editing the iptables configuration file.

 vi /etc/sysconfig/iptables 

Adding a port is as easy as copy/pasting the always present firewall rule that allowes port 22 (ssh). Copy past it and alter the -p (protocol) -dport (destination port) to match your needs. For example, allowing HTTP/HTTPS.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

afterward restart iptables

service iptables restart

TIP: If you are experimenting with IPv6 (then your Instant COOL!), mind that the ipv6 firewall is called ip6tables and the configuration is called the same. The basic iptables doesnt handle ipv6 at all.

TIP: If you are using ipv6 code your IPv4 ip to ease administration. Example:

ipv4: 192.168.10.1/32
ipv6: 2001::0192:0168:0010:0001/64
Then route on the nibble of choice.

Additional questions?

Just post it below and maybe ill respond in due time ūüôā

Advertisements

Elevation and altering hosts / system files in windows7

In the past days we started to roll out the first of many windows 7 clients we noticed that some of my collegues where having trouble altering system configuration files. One of the files that was most discussed was the local hosts file that allows you to configure name to ip mappings on the local machine.

The reason this file can`t be edited on the fly is because you need to ‘elevate’ the editor or command prompt to gain write permissions inside the windows folder. Even though you ‘might’ be part of the local administrators groep doesnt mean these priviledges are available on the fly as was the case in XP. Disabling the UAC in this matter will only remove the ‘warnings’ from your screen but still doesnt mean the ‘elevation’ can be skipped for administrative tasks.

In some cases windows 7 will run an program as administrator (elevated) by default, in these cases a ‘small bleu/yellow shield’ will be displayed near the link. In all other cases elevation should be done by ‘you’ or progamatically by the program itself.

But how to elevate in windows 7?

Run single command as administrator
1. open the start menu and locate the ‘search programs and files’ field.
2. In the field type the following command:
notepad c:\%systemroot%\system32\drivers\etc\hosts
3. Next execute this command using the following key combination:
press-hold ‘control + shift’ and hit enter.
4. confirm the UAC message warning you for the elevation.

Step 4 can be used with alternative executables as well but only works (could be a bug) in the ‘search programs and files’ field. Using the ‘windows-key + r’ to open the ‘run dialog’ wont allow you to elevate using the ‘control + shift’ combination.

Shortcut manually as administrator
In XP there was a somewhat ‘hidden’ feature called the ‘run as’ option that appeared when a shortcut was rightclicked while holding the left shift key. In windows 7 microsoft now shows a ‘run as administrator’ option by default (thanks for that ūüôā ). This means that ‘any’ shortcut can be ran as administrator (elevated) by simply right-clicking it and selecting the ‘run as administrator’ option.

Set shortcut to allways run as administrator
If you like to run programs as administrator by default you will need to create a shortcut on your desktop. Next edit the properties of the shortcut and locate the ‘compatibility’ tab. In the bottom there should be an option called ‘privilege level’ that allows you to set the ‘magic switch’ called ‘run this program ad an administrator’.

Scripts as administrator?
Scripts are always a fun part when it comes to elevation. One thing to take notice about is that non-functioning login scripts are usualy caused by default policies that are in place inside the windows7 host. In other words ‘Configuration errors’. Please refference the microsoft documentation about this.

For all other ‘scripting’ tasks if elevation is required from within your script, have a look at the powertoys ‘elevation’ found here,
http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx

Other ‘tricks’ that i have seen used where executing ‘other’ vb scripts from the initial script using a ‘runas wscript’ shell command. Downside is that you might need to hardcode passwords in there wich i think is a ‘worst’ practise in any situation and shouldnt be used. I leave the choice to you on this subject.

Hope this helps.
Rgrds,