[CentOS] Mini PCs

Wed May 31 10:09:05 UTC 2017
wwp <subscript at free.fr>

Hello Walter,


On Tue, 16 May 2017 09:47:47 +0200 "Walter H." <walter.h at mathemainzel.info> wrote:

> On Mon, May 15, 2017 09:53, wwp wrote:
> 
> > On Mon, 15 May 2017 09:22:54 +0200 "Walter H."
> > <walter.h at mathemainzel.info> wrote:
> >  
> >> On Sun, May 14, 2017 11:00, wwp wrote:  
> >> > On Sat, 13 May 2017 13:08:17 +0200 "Walter H."
> >> > <Walter.H at mathemainzel.info> wrote:
> >> >
> >> > This might become off-topic with my reply, but I'm curious: is there
> >> > any specific software you're running from CentOS on your zbox in order
> >> > to manage the router features?  
> >> SSH?  
> >
> > I think I've been unclear, sorry about that! I wanted to ask if you use
> > something, any helper installed on this router box, on top of
> > firewalld/iptables, in order to set up and administrate the NAT/routing
> > (and eventually proxy) rules?  
> 
> I've configured it quite simple ...
> 
> /etc/sysconfig/network_scripts:
> ifcfg-eth0 and ifcfg-wlan0 have this: BRIDGE=br0
> ifcfg-br0 is LAN (Dual-Stack)
> ifcfg-eth1 is WAN (IPv4only)
> ifcfg-sit1 is an HE IPv6 tunnel (IPv6only)
> 
> /etc/hostapd/hostapd.conf has this:
> interface=wlan0
> bridge=br0
> 
> /etc/sysconfig/ip(6)tables have at the last lines this:
> 
> # Log all other
> -A INPUT -j LOG --log-prefix "IP(v6)[IN]: " --log-level 7
> -A FORWARD -j LOG --log-prefix "IP(v6)[FWD]: " --log-level 7
> -A OUTPUT -j LOG --log-prefix "IP(v6)[OUT]: " --log-level 7
> 
> there runs a cronjob every hour, which sends an email
> like this:
> dmesg |grep -e "IP(v6)\[" |timefltr.pl
> 
> for DNS a BIND is configured as caching DNS, and as authoritative master for
> my domain ...
> 
> an Apache is configured only for some status pages like output of
> 'ifconfig', 'df', 'free', 'ip(6)tables -L -n -v', 'uptime'
> 
> I programmed some simple network diagnostic:
> - traceroute(6) and ping(6) to a given dns/ip-host
> - nslookup of a given dns-name
> 
> this is only reachable from LAN side; as I have a VM that runs a squid
> with SSL-interception, I made a mini-CA, the root is installed on my
> computers,
> one intermediate CA is used by squid, the other intermediate CA is used
> for signing a SSL certificate which I use on LAN side of my zbox or on my
> intranet (e.g. squirrel)
> 
> to reach my squirrel, the apache does proxying ...
> 
> when there is the need of changing firewall rules, I manually edit the
> files and reload ip(6)tables ...
> 
> it is somewhat very individual, I'm thinking of sending SMS messages on
> special situations, e.g. the WAN IP address has changed (this happens
> about 2-3 times in a year)
> 
> that's all

Thanks for all this! That will help for sure :-)!


Regards,

-- 
wwp
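
The hourly summary step described in the quoted message (LOG rules at the end of the chains, then `dmesg | grep ... | timefltr.pl`), shown as an added example: this is not code from the thread and not the `timefltr.pl` script, whose contents are not shown. It assumes the shorthand `IP(v6)[IN]: ` stands for the prefixes `IP[IN]: ` (iptables) and `IPv6[IN]: ` (ip6tables), and it runs on constructed `dmesg` lines.

```python
import re
from collections import Counter

# Assumption: iptables logs with "IP[IN]: " and ip6tables with "IPv6[IN]: ".
PREFIX = re.compile(r"\b(IP(?:v6)?)\[(IN|FWD|OUT)\]: (.*)$")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample of dmesg output (documentation address ranges only).
SAMPLE = [
    "[ 3601.100000] IP[IN]: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 DF PROTO=TCP SPT=51234 DPT=23 SYN",
    "[ 3602.350000] IP[IN]: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 DF PROTO=TCP SPT=51240 DPT=23 SYN",
    "[ 3610.020000] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2001:db8::bad DST=2001:db8:1::5 LEN=80 HOPLIMIT=55 PROTO=TCP SPT=40000 DPT=22 SYN",
    "[ 3615.770000] IP[IN]: IN=eth1 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=68 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.51.100.2 DST=192.0.2.9 LEN=40 PROTO=UDP SPT=53 DPT=4444 ]",
    "[ 3700.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
]

def parse_line(line):
    """Return a dict for one netfilter LOG record, or None for unrelated lines."""
    m = PREFIX.search(line)
    if not m:
        return None
    family, chain, rest = m.groups()
    # ICMP errors embed the offending packet's header in [...]; parse only the
    # outer header so the embedded SRC/DPT are not mistaken for the sender's.
    fields = dict(FIELD.findall(rest.split(" [", 1)[0]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None  # truncated or malformed record
    return {"family": family, "chain": chain, "in": fields.get("IN", ""),
            "src": fields["SRC"], "proto": fields["PROTO"],
            "dpt": fields.get("DPT", "-")}  # ICMP has TYPE/CODE, no port

def summarize(lines, top=10):
    """Count logged packets per (family, chain, source, protocol, dest port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["family"], rec["chain"], rec["src"],
                    rec["proto"], rec["dpt"])] += 1
    return counts.most_common(top)

if __name__ == "__main__":
    for (family, chain, src, proto, dpt), n in summarize(SAMPLE):
        print(f"{n:5d}  {family:4} {chain:3} {src:24} {proto}/{dpt}")
```

In a cron job the input would come from `dmesg` (or the kernel log file) instead of `SAMPLE`, with the printed table as the mail body.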