Friday, July 9, 2010

Simple NAT Server

Introductions:

Hello folks, nice jotting again. I did not know whether I would ever write this article until I needed it for my own applications: how can I have an external IP address and, at the same time, a local address inside my LAN? A simple NAT configuration solves the problem with little effort. I am going to set up a live Asterisk VoIP server with two addresses, one public and one internal/private: the public IP on the WAN side and the private address for my clients to connect to the server.

A simple Network Address Translation setup will do the tweaking once I have prepared a two-NIC (Ethernet) machine, of course running CentOS (a common OS for Asterisk telephony). I have encountered some issues with SIP behind NAT, but they can be handled easily in the SIP trunk configuration, and besides that IAX is much better at avoiding the NAT traversal problem altogether.

So, I hope there are other applications you can use with NAT serving as well.

Objectives:

To use NAT for Asterisk WAN-to-LAN IP addressing
To be able to configure NAT traversal for some VoIP protocols (IAX, SIP, H.323)
To learn the NAT howto (NAT serving)

Methodology:
To do VoIP over NAT we need a Unix/Linux-like OS with NAT support in its kernel. If the OS package set lacks it, we can install the software update; there are plenty of files/programs available for free download on the net.

Anyway, here is how to set up NAT with Linux and iptables; I'll give a step-by-step tutorial for configuring Network Address Translation (NAT) with an open source Linux operating system and iptables. This will allow your system to act as a gateway and provide Internet access to multiple hosts in a Local Area Network (LAN) using a single public IP address.

Requirements:

1. Hardware server with 2 (two) network interface cards (NICs).
2. Any Linux distribution (get more information at DistroWatch.com).
3. Linux kernel with networking and iptables support.
4. iptables package (you can find latest release at NetFilter's Download page).

Basic definitions

aa.aa.aa.aa is Wide Area Network (WAN) IP address (bb.bb.bb.bb is WAN netmask).
cc.cc.cc.cc is LAN IP address (e.g. 192.168.0.1 or 10.0.0.1), dd.dd.dd.dd is LAN netmask (e.g. 255.255.255.0).
ee.ee.ee.ee is default gateway for Internet connection.

eth0 is the hardware name of the NIC connected to the WAN side.
eth1 is the name of the LAN-connected NIC.

Step-by-step set up

1. Install two NICs in the hardware server.
2. Verify that both NICs are recognized by Linux and are fully working:
# dmesg | grep eth0
# dmesg | grep eth1


the output may vary but in most cases it would look like the following:
eth1: RealTek RTL8139 at 0xe0830000, 00:30:4f:3b:af:45, IRQ 19
eth1: Identified 8139 chip type 'RTL-8100B/8139D'
eth0: link up, 100Mbps, full-duplex, lpa 0x41E1

Similar output should be for eth0 NIC.

To verify that NICs are recognized by Linux as networking devices use the following commands:
# ifconfig eth0
# ifconfig eth1

In case of success the output will be as follows:

eth0 Link encap:Ethernet HWaddr 00:50:56:C0:00:08
inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

You can find the full manual page for the ifconfig command here.

3. Configure WAN interface (eth0) to get Internet connection:
ifconfig eth0 aa.aa.aa.aa netmask bb.bb.bb.bb

e.g.
# ifconfig eth0 123.45.67.89 netmask 255.255.255.248

WAN IP address and netmask should be provided by your ISP.

4. Set up WAN NIC settings to apply after server start up.
Configuration files containing NIC settings have different syntax and locations in different distributions. For distributions such as RedHat, Fedora, CentOS and similar ones the eth0 configuration file is /etc/sysconfig/network-scripts/ifcfg-eth0. In Debian and Ubuntu the NIC settings are in the single file /etc/network/interfaces.

To edit configuration files use any preferred text editor like vim, GNU nano or any other.

After editing, /etc/sysconfig/network-scripts/ifcfg-eth0 should look as follows:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=aa.aa.aa.aa # e.g. 123.45.67.89
NETMASK=bb.bb.bb.bb # e.g. 255.255.255.0
GATEWAY=ee.ee.ee.ee # e.g. 123.45.67.1
HWADDR=00:30:4f:3b:af:45 # MAC address (optional entry)

After making the changes, the eth0 section of /etc/network/interfaces should look like:

auto eth0
iface eth0 inet static
address aa.aa.aa.aa
netmask bb.bb.bb.bb
gateway ee.ee.ee.ee

Related links: detailed syntax description of /etc/sysconfig/network-scripts/ifcfg-ethN, manual page for /etc/network/interfaces.

5. Set up the LAN NIC settings to apply after server start-up. This step requires operations similar to the previous step.

Edit /etc/sysconfig/network-scripts/ifcfg-eth1 and make sure that it looks like:

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=cc.cc.cc.cc # e.g. 192.168.0.1
NETMASK=dd.dd.dd.dd # e.g. 255.255.255.0
HWADDR=00:50:8d:d1:24:db # MAC address of LAN NIC (optional entry)

If you are using Debian or related Linux distribution, edit /etc/network/interfaces (see previous step):

auto eth1
iface eth1 inet static
address cc.cc.cc.cc
netmask dd.dd.dd.dd

6. Set up the Domain Name System server IP addresses by editing /etc/resolv.conf (the lines must not be commented out, or the resolver ignores them):

nameserver 203.145.184.13
nameserver 203.145.184.12

7. Enable IP forwarding (this takes effect immediately but does not survive a reboot):

# echo 1 > /proc/sys/net/ipv4/ip_forward


8. Set up NAT with iptables:

To delete the existing rules from every iptables table, execute the following commands:

# iptables -F
# iptables -t nat -F
# iptables -t mangle -F

Related links: official iptables documentation.

Enable NAT with these commands:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth1 -j ACCEPT
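The two rules above forward everything that arrives on eth1 and rely on the default FORWARD policy for the return direction. As an added example (not part of the original post), here is a small script that instead generates a stateful ruleset in iptables-restore format, masquerading only LAN-sourced traffic, defaulting FORWARD to DROP, and admitting WAN-to-LAN packets only for connections the LAN opened. The interface names and the LAN prefix are arguments; the values used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands. Emits an iptables-restore
# ruleset for a two-NIC NAT gateway. Usage: nat_ruleset WAN_IF LAN_IF LAN_CIDR

# nat_ruleset WAN_IF LAN_IF LAN_CIDR  -> prints the ruleset, returns 1 on bad input
nat_ruleset() {
    wan=$1; lan=$2; cidr=$3
    # interface names are interpolated into the ruleset, so only allow a safe charset
    for dev in "$wan" "$lan"; do
        case "$dev" in
            ""|*[!a-zA-Z0-9._-]*) echo "bad interface name: '$dev'" >&2; return 1 ;;
        esac
    done
    # the LAN must be given as a prefix (a.b.c.d/len) so the source match is meaningful
    case "$cidr" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]|[0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9][0-9]) ;;
        *) echo "LAN must be given as a.b.c.d/len: '$cidr'" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# only LAN-sourced packets leaving through the WAN interface get the public address
-A POSTROUTING -s $cidr -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> WAN: allowed only from addresses inside the LAN prefix
-A FORWARD -i $lan -o $wan -s $cidr -j ACCEPT
# WAN -> LAN: only replies to connections the LAN initiated
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Stand-alone use (assumed paths): sh nat.sh eth0 eth1 192.168.0.0/24 > /etc/sysconfig/iptables
# then load it with: iptables-restore < /etc/sysconfig/iptables
# Forwarding must persist too: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
if [ "$#" -eq 3 ]; then
    nat_ruleset "$@"
fi
```

On CentOS the iptables service reloads /etc/sysconfig/iptables at boot, so the generated file replaces the ad-hoc commands above after a restart.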

9. Configure LAN clients to access the Internet via the described gateway:

Use clients' operating system tools to set up the following TCP/IP settings:

IP address: from the same network as cc.cc.cc.cc (you can use an IP/subnet calculator to get it)
Netmask: dd.dd.dd.dd
DNS: ff.ff.ff.ff
Gateway: cc.cc.cc.cc

Example:
IP address: 192.168.0.7
Netmask: 255.255.255.0
DNS: 209.160.67.13
Gateway: 192.168.0.1



Remarks:


Conclusions:

MRTG (Multi Router Traffic Grapher) Server




Introductions:

Our discussion here is all about an open source network monitoring program, none other than MRTG (Multi Router Traffic Grapher), an application that lets us observe the traffic of a network. It generates HTML pages with graphs that are refreshed according to the network's current state. Its source is written in Perl and C, which means it can be installed on any operating system we like. We will also need an SNMP daemon (Simple Network Management Protocol), which provides the information about the network. The following installation was done under Linux, specifically CentOS; with some small changes it can be used under other distros as well. We will also present a simple trick for monitoring multiple services (domain, IP, host, etc.) in a single output page. This is no different from polling all the packets, whether over UDP or TCP, and letting the sequence or arrangement follow the Simple Network Management Protocol (SNMP).

I hope that this document makes it easy for every reader to follow the steps for deploying an MRTG server.

Good Luck to all Parekoy!

Objectives:
1) Basically we need to set up network monitoring software
2) To use the open source MRTG, which is durable and tested
3) To be able to configure and set up MRTG
4) To monitor the traffic of multiple servers running in production


Requirements:

Some of the necessary components for creating a graphical multi-router traffic analysis are the following:
SNMP - the protocol and daemon
GD - graphics library
LibPNG - library for the *.png format
Zlib - compression library used by the graphics code
Wget - for downloading programs

Methodology:

Installation of SNMP server

Initially we install the packages needed for SNMP. Yum makes this job a lot easier.

# yum install net-snmp-utils net-snmp

Next we make the snmpd service start automatically for the runlevels we want.

# chkconfig --level 345 snmpd on

And we start the server.

# service snmpd start

We can see that it is listening on port 199 (the SMUX port of snmpd; the SNMP queries themselves arrive on UDP port 161, which a TCP-only netstat listing does not show).

# netstat -natv | grep ':199'

tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN


SNMP Configuration
We run 'snmpwalk', which walks a "tree" of information about our network.
If you see output like the one below you may proceed with the MRTG installation. Otherwise you need to do some configuration first.

# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = 1

ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.0.3 = 2


We keep a backup of snmpd.conf just in case anything goes wrong

# cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.original

We open it

# nano /etc/snmp/snmpd.conf

find and change this line

com2sec notConfigUser default public

replace by

com2sec local localhost public

com2sec mynetwork 10.0.0.0/8 public

where in place of 10.0.0.0/8 we put our own network.
Find and change these lines
group notConfigGroup v1 notConfigUser

group notConfigGroup v2c notConfigUser

and replace by

group MyRWGroup v1 local

group MyRWGroup v2c local

group MyRWGroup usm local

group MyROGroup v1 mynetwork

group MyROGroup v2c mynetwork

group MyROGroup usm mynetwork

find and change these lines
view systemview included .1.3.6.1.2.1.1

view systemview included .1.3.6.1.2.1.25.1

and replace with this one

view all included .1 80

find and change this line

access notConfigGroup "" any noauth exact systemview none none

with the lines below

access MyROGroup "" any noauth exact all none none

access MyRWGroup "" any noauth exact all all none


Finally, find and change these lines
syslocation Unknown (edit /etc/snmp/snmpd.conf)

syscontact Root (configure /etc/snmp/snmp.local.conf)


to these (but you can change them to your own settings)

syslocation Linux, CentOS

syscontact Your_name root@localhost
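The edits above leave the daemon answering to the community "public" and grant the MyRWGroup write access over SNMPv1/v2c, which carry the community in clear text. As an added example (not part of the original post), the script below audits an snmpd.conf for exactly those two conditions; the sample configuration embedded in it is a constructed copy of the lines edited above, and the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the post: flag default community strings and
# v1/v2c write access in an snmpd.conf. Constructed sample of the tutorial's edits:
SAMPLE_SNMPD_CONF='com2sec local localhost public
com2sec mynetwork 10.0.0.0/8 public
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none'

# audit_snmpd_conf FILE: prints one FINDING line per problem, returns the finding count
audit_snmpd_conf() {
    awk '
    { sub(/#.*/, ""); if (NF == 0) next }           # drop comments and blank lines
    # com2sec NAME SOURCE COMMUNITY
    $1 == "com2sec" && ($4 == "public" || $4 == "private") {
        print "FINDING: com2sec " $2 " uses default community \"" $4 "\""; n++ }
    # rocommunity/rwcommunity COMMUNITY [SOURCE]
    ($1 == "rocommunity" || $1 == "rwcommunity") && ($2 == "public" || $2 == "private") {
        print "FINDING: " $1 " uses default community \"" $2 "\""; n++ }
    $1 == "rwcommunity" { print "FINDING: rwcommunity grants write access over v1/v2c"; n++ }
    # group GROUP MODEL SECNAME: remember groups reachable with a bare community string
    $1 == "group" && ($3 == "v1" || $3 == "v2c") { community_group[$2] = 1 }
    # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY: $8 is the write view
    $1 == "access" && $8 != "none" { write_group[$2] = $8 }
    END {
        for (g in write_group)
            if (g in community_group) {
                print "FINDING: group " g " has write view \"" write_group[g] "\" over v1/v2c"; n++ }
        exit n
    }' "$1"
}

# audit_sample: run the audit over the constructed sample, return its finding count
audit_sample() {
    tmp=$(mktemp) || return 255
    printf '%s\n' "$SAMPLE_SNMPD_CONF" > "$tmp"
    audit_snmpd_conf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone: audit the file given as argument, otherwise the embedded sample.
if [ "$#" -eq 1 ]; then audit_snmpd_conf "$1" || echo "$? finding(s)"
else audit_sample || echo "$? finding(s)"; fi
```

On the sample it reports three findings: both com2sec lines use "public", and MyRWGroup is writable over v1/v2c.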

Running SNMP service

We restart the server so the changes take effect

# service snmpd restart

And we run again

# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Now we should see something like this

IP-MIB::ipAdEntIfIndex.10.X.Y.Z = INTEGER: 2

IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1

Where 10.X.Y.Z is your IP address.

Installing MRTG application

Using yum...

# yum install mrtg

Configuration of our MRTG

We create the folder in which our graphs and HTML pages will be kept

# mkdir /var/www/html/mrtg/

And we run 'cfgmaker' to create the configuration file.

# cfgmaker --global "workdir: /var/www/html/mrtg" --ifref=ip --output /etc/mrtg/mrtg.cfg --global 'options[_]: growright,bits' public@localhost

Here you should pay attention to --output /etc/mrtg/mrtg.cfg as well as to public@localhost. With this command we tell MRTG to create a configuration file named 'mrtg.cfg' for the traffic of our own computer (localhost). Instead of localhost you may put the address of any computer you want to monitor, as long as it runs SNMP.

Next we create our default index page

# indexmaker --output=/var/www/html/mrtg/index.html /etc/mrtg/mrtg.cfg

Configuring Apache To Work With MRTG

MRTG is useful because it can provide a graphical representation of your server's performance statistics via a Web browser. With Fedora Core, MRTG creates an add-on configuration file named /etc/httpd/conf.d/mrtg.conf that includes all the necessary Apache directives for MRTG to work. With newer versions of Fedora, Apache automatically reads the add-on files in the /etc/httpd/conf.d/ directory. With Fedora Core 1, you have to specifically configure the main Apache configuration file /etc/httpd/conf/httpd.conf to find it: insert this line at the very bottom of the file, then restart Apache for the change to take effect.

Include /etc/httpd/conf.d/mrtg.conf

Some configuration may need to be done, because by default MRTG accepts Web requests from the Linux console only. You can add your home network to the file by inserting the network on the Allow from line, or you can allow universal access by commenting out that line along with the Deny from line. This example adds access from the 192.168.1.0 network.

Alias /mrtg /var/www/mrtg

Order deny,allow
Deny from all
Allow from localhost 10.36.128.0/32

If you want to access MRTG from the Internet, then you'll have to comment out the Deny statement and allow all IP addresses:

Alias /mrtg /var/www/mrtg

Order deny,allow
# Deny from all
Allow from all

Note:
Remember to restart Apache once you have made these modifications in order for the changes to take effect.

Compiling MRTG configurations

We run the following command

# mrtg /etc/mrtg/mrtg.cfg

ERROR: Mrtg will most likely not work properly when the environment variable LANG is set to UTF-8. Please run mrtg in an environment where this is not the case. Try the following command to start:

env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg


If you get an error like this, you have to run the above command more than once until it runs without any error. This is normal.
# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

23-02-2007 17:28:53, Rateup WARNING: /usr/bin/rateup Can't remove localhost_2.old updating log file

# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

Finally we open our browser and type

http://localhost/mrtg


Multiple MRTG clients

The Fedora Core MRTG installation process creates a cron file named /etc/cron.d/mrtg. This file tells the cron daemon to run MRTG with the /etc/mrtg/mrtg.cfg file every five minutes to poll your network devices. You can configure MRTG to poll multiple devices, each with a separate configuration file. Here's how:

1) Create a new configuration file using the steps from the previous section; choose a filename that is not mrtg.cfg.

2) Add a new MRTG line in /etc/cron.d/mrtg for each new configuration file you create.

[root@localhost]# vi /etc/cron.d/mrtg

0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/server1.cfg
0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/server2.cfg
0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/server3.cfg

3) Run the indexmaker command, and include all of your /etc/mrtg configuration files, to regenerate your Web index page.

[root@localhost]# indexmaker --output=/var/www/mrtg/index.html \
    /etc/mrtg/server1.cfg /etc/mrtg/server2.cfg /etc/mrtg/server3.cfg

4) Other versions of Linux keep their MRTG cron entries inside the /etc/crontab file. Edit this file using the same syntax as the Fedora /etc/cron.d/mrtg file, and then restart the cron daemon to re-read the configuration:

[root@localhost]# service crond restart

You could also create a script with the /usr/bin/mrtg /etc/mrtg/device.cfg entries in it and make cron run it every five minutes. This way you can just edit the script each time you add a device without having to restart cron.

After modifying our configuration, let's restart snmpd and Apache

[root@localhost]# service snmpd restart

[root@localhost]# service httpd restart

Again, to see the multiple clients of our MRTG, we open our browser and type

http://localhost/mrtg



[Screenshots: (1) MRTG download site; (2) MRTG main page; (3) MRTG weekly traffic analysis; (4) MRTG annual traffic analysis]


Remarks:



Conclusions: