networking

You are currently browsing articles tagged networking.

Troubleshooting path MTU problems

2010-04-08 20:26 UTC | No comments

Not long ago we started having very unusual issues our email servers. Mail would be inexplicably held for delivery, bounce back, or fail to send for hours and then send without issue later. Some users couldn’t fetch email by POP until they restarted their mail client. We investigated the mail software, but weeks of investigation turned up nothing.

Around the same time, we also experienced intermittent problems logging in to MSN Messenger, and some users complained of issues accessing certain web pages, including a lot of HTTPS links. I began to suspect these were related.

Read the rest of this entry »

Tags: ,

iptables firewall templates

2010-03-29 18:39 UTC | No comments

I use iptables firewalls on every server I administer, including all of our core routers (which run Linux too). There are lots of tools to easily configure a firewall. For simple tasks, Ubuntu now installs ufw by default, which has both command-line and GUI tools. For servers, consider Webmin.

If you want to do something more complicated, or prefer editing iptables rules yourself, you’ll have to do it by hand. When I first started doing this I found a template online and edited it to suit my need. Over time I’ve learned a lot more about iptables, and my templates have evolved.

Read the rest of this entry »

Tags: , , ,

Flying without a net: safe techniques for working remotely

2010-02-28 22:16 UTC | No comments

I try to post a few times each month, but somehow January (and most of February) fell through the cracks. Lately I’ve been busy with operational tasks, which hasn’t left me much room for engineering. I haven’t solved any particularly hard or unusual problems, which is usually what I write about. Instead, I’ll write about a routine problem that is nonetheless tricky enough to warrant discussion.

Most of the time I’m not in the same country as the servers I administer. Which means I can’t just drive down and fix something when it goes wrong. It also means that making changes to the network is particularly dangerous. So is updating the kernel, initrd, or GRUB configuration. It is possible to leave a server in a state that requires you to be physically present to fix it. I call this kind of work “flying without a net”. Here are my techniques for safely working without console access.

Read the rest of this entry »

Tags: , ,

VLANs, bridges, and virtual machines

2010-02-20 12:44 UTC | No comments

We run several virtual machine host servers on a network with multiple VLANs. The virtual machines are members of different VLANs, but are not themselves aware of the VLAN. This is how we did it.

Read the rest of this entry »

Tags: , , , ,

Stopping spam botnets with fail2ban

2009-07-15 19:26 UTC | No comments

In the last 3 weeks our company mail servers have been slammed with a massive increase in spam relay attempts. Logs showed many failures like so.

Jul 12 14:15:26 mailserver.example.com postfix/smtpd[19885]: NOQUEUE: reject: RCPT from 206.12.0.10.in-addr.arpa[10.0.12.206]: 554 5.7.1 <symons@yahoo.co.uk>: Relay access denied; from=<yyjaqveh@lpsb.com> to=<symons@yahoo.co.uk> proto=ESMTP helo=<206.12.0.10.in-addr.arpa>

IP addresses have been obscured to protect the guilty (or ignorant, as this is certainly a botnet). Unfortunately, a large number of the IP addresses in question belonged to my own satellite customers. Mail servers for our other domains were almost entirely unaffected. Which tells me that some bastard has written a botnet spam client that looks up its own public IP, finds the reverse DNS entry, looks up the MX record of the corresponding domain, and then attempts to relay mail through that server. This is particularly mean, as it will encourage your own ISP to shut you down.

Read the rest of this entry »

Tags: ,

Reverse-path filter part 2: OpenVPN and traceroute

2009-07-14 21:59 UTC | 2 comments

After my recent adventure with reverse-path filtering, I didn’t expect to see it again so soon. And then I took another look at a long-standing annoyance in our OpenVPN network.

I set up OpenVPN so our offices and laptops could securely access internal resources. This lets me print documents directly to another office, for instance. Or access web-based applications that we don’t make available to the public. Or remotely SSH into a PC and fix a problem. Read the rest of this entry »

Tags: , ,

Disabling reverse-path filtering in complex networks

2009-07-13 21:25 UTC | No comments

I recently created a very complex network using routers running Ubuntu Hardy. These routers were configured with the following features:

  • failover shared IP addresses using heartbeat
  • routing announcements via Quagga BGPd
  • 802.1q VLAN tagging
  • multiple physical interfaces

During debugging of this network, I encountered an odd scenario whereby traffic coming in from the external interface (eth0) could not reach the IP address of the secondary (inactive) router’s internal interface (eth1, VLAN tagged).

dual-routers

Read the rest of this entry »

Tags: ,

Using host networking and NAT with VirtualBox

2009-03-05 17:03 UTC | 41 comments

I use VirtualBox every day. The satellite world is infested with bad Windows-based management tools that fail to run in Wine. So I often run those apps in a Windows virtual machine, safely sandboxed the way Windows belongs.

Note to hardware developers: if your network-based device does not have a standards-compliant HTTP interface, you lose. If it has a Windows-based management tool instead, you lose twice. I will buy your product only if I have no other choice.

I imagine running Windows apps is what 90% of VirtualBox users use it for, but it can do so much more than that. I also run several Linux-based VMs, and use them to test server configs, or even whole networks before rolling out the real thing. If you do this, you probably want to use more than the basic NAT networking that VirtualBox uses by default. For instance, wouldn’t it be nice to install an SSH server in the VM, minimise the VirtualBox GUI, and SSH in from a terminal just like you would a real server?

Read the rest of this entry »

Tags: ,

Identifying undersea fibre and satellite links with traceroute

2008-10-09 20:07 UTC | No comments

I frequently travel to the Middle East, which means I often find myself on the wrong end of a slow Internet link. Sometimes that is oversold undersea fibre, such as in Dubai. More often – because of my work – it is VSAT. I’m an engineer, which means I’m a curious monkey that takes everything apart just to understand how it works. Network topology is one of those things.

Read the rest of this entry »

Tags: , ,

All content © 2008-2010 Tyler J. Wagner