Hello Walter,
On Tue, 16 May 2017 09:47:47 +0200 "Walter H." walter.h@mathemainzel.info wrote:
On Mon, May 15, 2017 09:53, wwp wrote:
On Mon, 15 May 2017 09:22:54 +0200 "Walter H." walter.h@mathemainzel.info wrote:
On Sun, May 14, 2017 11:00, wwp wrote:
On Sat, 13 May 2017 13:08:17 +0200 "Walter H." Walter.H@mathemainzel.info wrote:
This might become off-topic with my reply, but I'm curious: is there any specific software you're running from CentOS on your zbox in order to manage the router features?
SSH?
I think I've been unclear, sorry about that! I wanted to ask if you use something, any helper installed on this router box, on top of firewalld/iptables, in order to set up and administrate the NAT/routing (and eventually proxy) rules?
I've configured it quite simple ...
/etc/sysconfig/network_scripts:
  ifcfg-eth0 and ifcfg-wlan0 have this: BRIDGE=br0
  ifcfg-br0 is LAN (Dual-Stack)
  ifcfg-eth1 is WAN (IPv4only)
  ifcfg-sit1 is an HE IPv6 tunnel (IPv6only)
/etc/hostapd/hostapd.conf has this:
  interface=wlan0
  bridge=br0
/etc/sysconfig/ip(6)tables have at the last lines this:
  # Log all other
  -A INPUT -j LOG --log-prefix "IP(v6)[IN]: " --log-level 7
  -A FORWARD -j LOG --log-prefix "IP(v6)[FWD]: " --log-level 7
  -A OUTPUT -j LOG --log-prefix "IP(v6)[OUT]: " --log-level 7
a cron job runs every hour, which sends an email like this:
  dmesg |grep -e "IP(v6)[" |timefltr.pl
for DNS a BIND is configured as caching DNS, and as authoritative master for my domain ...
an Apache is configured only for some status pages like output of 'ifconfig', 'df', 'free', 'ip(6)tables -L -n -v', 'uptime'
I programmed some simple network diagnostic:
- traceroute(6) and ping(6) to a given dns/ip-host
- nslookup of a given dns-name
this is only reachable from the LAN side; as I have a VM that runs a squid with SSL interception, I made a mini-CA: the root is installed on my computers, one intermediate CA is used by squid, the other intermediate CA is used for signing an SSL certificate which I use on the LAN side of my zbox or on my intranet (e.g. squirrel)
to reach my squirrel, the apache does proxying ...
when there is the need of changing firewall rules, I manually edit the files and reload ip(6)tables ...
it is somewhat very individual, I'm thinking of sending SMS messages on special situations, e.g. the WAN IP address has changed (this happens about 2-3 times in a year)
that's all
Thanks for all this! That will help for sure :-)!
Regards,
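As an added illustration of the hourly log mail Walter describes (this is not code from the thread or from his cron job, whose timefltr.pl is not shown), the following Python script parses iptables/ip6tables LOG lines from dmesg and aggregates them the way a defender would want to read them: per-chain counts, plus the inbound WAN packets that fell through to the catch-all LOG rule, grouped by source, protocol and destination port. The sample dmesg text is constructed, the prefixes "IP[...]: " and "IPv6[...]: " are an assumption about how the mail's "IP(v6)[...]" shorthand expands, and the WAN interface names eth1 and sit1 follow the ifcfg description in the mail.

```python
import re
from collections import Counter

# Interface roles as described in the thread: eth1 is the IPv4 WAN,
# sit1 the IPv6 tunnel, br0 the LAN bridge (assumption taken from the mail).
WAN_IFACES = {"eth1", "sit1"}

# Constructed sample dmesg output (not from the thread). The prefixes
# "IP[IN]: " and "IPv6[IN]: " are an assumption about how the mail's
# "IP(v6)[...]" shorthand expands for iptables and ip6tables respectively.
SAMPLE_DMESG = """\
[ 8123.001234] IP[IN]: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 8123.045678] IP[IN]: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
[ 8124.100000] IP[FWD]: IN=br0 OUT=eth1 MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=192.168.1.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41234 DF PROTO=UDP SPT=51000 DPT=53 LEN=40
[ 8125.300000] IPv6[IN]: IN=sit1 OUT= SRC=2001:db8::1 DST=2001:db8:1::2 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=1
[ 8126.000000] IP[OUT]: IN= OUT=eth1 SRC=198.51.100.7 DST=192.0.2.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40000 DPT=53 LEN=44
[ 8126.500000] random: crng init done
"""

LINE_RE = re.compile(
    r"^(?:\[\s*(?P<ts>[\d.]+)\]\s*)?"            # optional dmesg uptime stamp
    r"(?P<family>IP|IPv6)\[(?P<chain>IN|FWD|OUT)\]:\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a record for one LOG line, or None for unrelated dmesg output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Packet fields are KEY=VALUE; bare tokens such as DF or SYN are flags.
    # UDP lines carry LEN twice (IP and UDP length); the later value wins here.
    fields = dict(KV_RE.findall(rest))
    flags = [tok for tok in rest.split() if "=" not in tok]
    return {
        "ts": float(m.group("ts")) if m.group("ts") else None,
        "family": "IPv6" if m.group("family") == "IPv6" else "IPv4",
        "chain": m.group("chain"),
        "fields": fields,
        "flags": flags,
    }


def parse_dmesg(text):
    """Keep only the lines produced by the catch-all LOG rules."""
    return [r for r in map(parse_log_line, text.splitlines()) if r]


def summarize(records):
    """Aggregate what an hourly mail should show: per-chain volume and the
    inbound WAN traffic that hit the LOG rule, keyed by source/proto/dport."""
    by_chain = Counter(r["chain"] for r in records)
    inbound_wan = Counter(
        (r["fields"].get("SRC"), r["fields"].get("PROTO"), r["fields"].get("DPT"))
        for r in records
        if r["chain"] == "IN" and r["fields"].get("IN") in WAN_IFACES
    )
    return {
        "by_chain": by_chain,
        "inbound_wan": inbound_wan,
        "ipv6": sum(1 for r in records if r["family"] == "IPv6"),
    }


def report(text):
    """Render the summary as the plain-text body of the hourly mail."""
    s = summarize(parse_dmesg(text))
    lines = ["chain counts: " + ", ".join(
        f"{c}={n}" for c, n in sorted(s["by_chain"].items()))]
    lines.append(f"IPv6 records: {s['ipv6']}")
    lines.append("inbound on WAN (src, proto, dport) -> hits:")
    for (src, proto, dpt), n in s["inbound_wan"].most_common():
        lines.append(f"  {src} {proto} dpt={dpt}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # In the cron job this would read the real dmesg output from stdin.
    print(report(SAMPLE_DMESG))
```

Because the LOG rules sit at the end of each chain, everything they record is traffic no earlier rule accepted or dropped explicitly, so a new (src, proto, dport) tuple appearing on the WAN side is exactly the kind of change worth eyeballing in the hourly mail; the grouping keeps repeated probes from the same source from flooding the body.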