On Mon, May 15, 2017 09:53, wwp wrote:
> On Mon, 15 May 2017 09:22:54 +0200 "Walter H."
> <walter.h@xxxxxxxxxxxxxxxxx> wrote:
>
>> On Sun, May 14, 2017 11:00, wwp wrote:
>> > On Sat, 13 May 2017 13:08:17 +0200 "Walter H."
>> > <Walter.H@xxxxxxxxxxxxxxxxx> wrote:
>> >
>> > This might become off-topic with my reply, but I'm curious: is there
>> > any specific software you're running from CentOS on your zbox in order
>> > to manage the router features?
>> SSH?
>
> I think I've been unclear, sorry about that! I wanted to ask if you use
> something, any helper installed on this router box, on top of
> firewalld/iptables, in order to set up and administrate the NAT/routing
> (and eventually proxy) rules?

I've configured it quite simply ...

/etc/sysconfig/network_scripts:
ifcfg-eth0 and ifcfg-wlan0 have this:
BRIDGE=br0
ifcfg-br0 is LAN (Dual-Stack)
ifcfg-eth1 is WAN (IPv4only)
ifcfg-sit1 is an HE IPv6 tunnel (IPv6only)

/etc/hostapd/hostapd.conf has this:
interface=wlan0
bridge=br0

/etc/sysconfig/ip(6)tables have at the last lines this:
# Log all other
-A INPUT -j LOG --log-prefix "IP(v6)[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP(v6)[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP(v6)[OUT]: " --log-level 7

there runs a cronjob every hour, which sends an email like this:
dmesg |grep -e "IP(v6)\[" |timefltr.pl

for DNS a BIND is configured as caching DNS, and as authoritative master
for my domain ...

an Apache is configured only for some status pages like output of
'ifconfig', 'df', 'free', 'ip(6)tables -L -n -v', 'uptime'

I programmed some simple network diagnostic:
- traceroute(6) and ping(6) to a given dns/ip-host
- nslookup of a given dns-name
this is only reachable from LAN side;

as I have a VM that runs a squid with SSL-interception, I made a mini-CA,
the root is installed on my computers, one intermediate CA is used by
squid, the other intermediate CA is used for signing an SSL certificate
which I use on LAN side of my zbox or on my intranet (e.g. squirrel)

to reach my squirrel, the apache does proxying ...

when there is the need of changing firewall rules, I manually edit the
files and reload ip(6)tables ...

it is somewhat very individual, I'm thinking of sending SMS messages on
special situations, e.g. the WAN IP address has changed (this happens
about 2-3 times in a year)

that's all

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
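
Added example, not part of the mail above and not the poster's timefltr.pl (the mail does not show that script): one way to turn the packets caught by the final LOG rules into an hourly summary. It assumes the prefixes are "IP[IN]: " in iptables and "IPv6[IN]: " in ip6tables (reading "(v6)" as shorthand for both files); the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: iptables logs "IP[IN]: ", ip6tables logs "IPv6[IN]: " (same for FWD/OUT).
LINE_RE = re.compile(r"\b(IP(?:v6)?)\[(IN|FWD|OUT)\]: (.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return a dict for one netfilter LOG line, or None for any other kernel message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # ICMP errors embed the offending packet's header in "[...]"; keep only the outer one
    # so the summary is keyed on the packet that actually arrived.
    outer = m.group(3).split(" [", 1)[0]
    fields = dict(FIELD_RE.findall(outer))
    return {
        "family": m.group(1),
        "chain": m.group(2),
        "iface": fields.get("IN") or fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "proto": fields.get("PROTO", ""),
        "dpt": fields.get("DPT", "-"),  # ICMP and other portless protocols
    }

def summarize(lines):
    """Count logged packets per (family, chain, src, proto, dpt), most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["family"], rec["chain"], rec["src"], rec["proto"], rec["dpt"])] += 1
    return counts.most_common()

# Constructed sample input in dmesg format (documentation address ranges).
SAMPLE = [
    "[ 101.000001] IP[IN]: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=23 SYN URGP=0",
    "[ 102.000001] IP[IN]: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=4712 DF PROTO=TCP SPT=51235 DPT=23 SYN URGP=0",
    "[ 103.000001] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2001:db8::7 DST=2001:db8:1::10 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0",
    "[ 104.000001] IP[IN]: IN=eth1 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=88 TTL=50 ID=1 PROTO=ICMP TYPE=3 CODE=1 [SRC=198.51.100.2 DST=192.0.2.50 LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=44444 DPT=443 SYN URGP=0 ]",
    "[ 105.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE):
        print(n, *key)
```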