Fedora Networking :: Preventing Host OS From Using A Specific NIC?
Aug 26, 2009
I have a VirtualBox installation, and I need fairly high-security separation between host and guest traffic. The university network the box hangs off uses statically allocated IP addresses, allocated to fixed MAC addresses (i.e. it eats any traffic with mismatched IP and MAC addresses).
Host OS: CentOS 5.3 64bit
VBox: 3.0.4
Guest OS: Fedora 11 64bit
Hardware: dual NIC, Intel server
Bridged networking, with separate NICs for host and guest
I'm aiming for high-security separation between host and guest traffic. To do this, I would like to run all host traffic through one NIC, H, and all guest traffic through the other, G. The host and guest have separate, statically allocated IP addresses, IPH and IPG. The network forces these to be mapped to specific MAC addresses, MACH (the address of NIC H) and MACG (the address of NIC G). So it's not too hard to write host firewall rules to enforce this policy. The rules just have to state that traffic coming into H must have a destination compatible with IPH, and traffic going out must have IPH as source - and vice versa for G and IPG. There also doesn't seem to be any trouble telling the guest to only use NIC G. As a result, turning off NIC G (or equivalently, firewalling it off from host traffic) crashes the network; I have to reboot to get networking working.
But I can't figure out how to tell the host to _only_ use NIC H for anything except the guest. Even though we don't see any IPH traffic coming into NIC G from outside, I don't seem to be able to stop the host from starting connections on NIC G. Does anyone know any way to do this - to tell the host that it can only use IPH as its IP address unless traffic is coming from a guest process, and that it can only use address MACH and NIC H? I've been reading the route and arp manuals all day, but I can't seem to figure anything out on this - mainly because arp and route don't know about host/guest processes, and I guess weren't designed with this in mind...
Just a quick question: I have an external HD with 2 partitions, one ext3 and one FAT32. When I plug in the HD both partitions get automatically mounted, but as I only use the FAT32 partition to transfer data from/to Windows machines (which does not happen so often) I would like only the ext3 partition to be mounted automatically.
I'd like to set up iptables to allow access from one host to my server on any port. Currently iptables has been configured to deny all and to allow access only to those I've specified.
I have a linux router with 2 physical ISPs and a VPN tunnel that all my traffic passes through. I would like to setup a rule to redirect all traffic from one internal IP address (10.0.0.x) through the physical link only. My current script is as follows.
I am trying to lock down our application and server with iptables. Anybody have any idea how to prevent accesses to the application from another application? Basically I opened up ports 80 and 443 for the application server. However, the application points to other apps (i.e. database, LDAP). I want to limit what it can connect to or who can connect to it. Basically I can limit who connects to the server itself, but the application can still get input from outside servers.
I am working on a cluster for a molecular dynamics class and I have to edit my FORTRAN code (only the newest and best for me!). In order to get through to the cluster I have to ssh in. The network on which the cluster resides is behind a firewall, so I have to ssh through the firewall into the network first.
This is fine; I can log in and move files and folders as needed, including sftp-ing into host 1, then into the cluster, so I can transfer files from cluster to host and then host to me. This gets rather tiresome, so it would be nice to edit the files in place.
The problem is that when I access my code with emacs it launches the emacs client on Host 1, with no mouse support. I know the purists will howl about how I should be using keyboard shortcuts, but I am a chemist and not a programmer, so the mouse is very nice for me. Is there any way I can perhaps mount the cluster using sshfs so that when I open my code it launches a local instance of emacs? Sorry if this is the wrong forum, but I thought it was network related.
I've got a bunch of machines (~10) that I share with my co-workers. I have the appropriate .ssh file(s) set up so I don't get prompted for a password when I ssh. Currently I ssh into these hosts and then run top to check the load before I start using the machine, because I don't want to be on a busy host. Can someone show me how to write a script that finds the least-busy host given a list of hosts to check? (Hardcoded is fine.)
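A script for the least-busy-host question: read /proc/loadavg from each host over ssh and pick the lowest. This is an added example, not from the post; the host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: choose the least-loaded of a list
# of shared machines by reading each one's 1-minute load average over ssh.
# Host names are placeholders.
set -eu

HOSTS="${HOSTS:-box1 box2 box3 box4}"

# load_of HOST: print HOST's 1-minute load average, or nothing if unreachable.
# BatchMode=yes makes ssh fail instead of prompting if key auth is missing, and
# the short timeout stops one dead host from stalling the whole scan.
load_of() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" cat /proc/loadavg 2>/dev/null | cut -d' ' -f1
}

# lower A B: exit 0 if A < B numerically (test(1) cannot compare floats).
lower() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 < b + 0) }'; }

# least_busy HOST...: print "host load" for the reachable host with the lowest
# load; unreachable hosts are reported on stderr and skipped. Returns 1 if
# no host answered.
least_busy() {
    best=""; best_load=""
    for h in "$@"; do
        l=$(load_of "$h")
        if [ -z "$l" ]; then echo "skip $h: unreachable" >&2; continue; fi
        if [ -z "$best" ] || lower "$l" "$best_load"; then
            best="$h"; best_load="$l"
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s %s\n' "$best" "$best_load"
}

# sh leastbusy.sh pick   -> "box2 0.75"
# sh leastbusy.sh go     -> log straight into the winner
case "${1:-}" in
    pick) least_busy $HOSTS ;;
    go)   exec ssh "$(least_busy $HOSTS | cut -d' ' -f1)" ;;
esac
```

Load average ignores core count, so if the boxes differ in size, divide the load by the host's CPU count before comparing.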
The internal network is behind NAT done by the PC Router. The TP-Link is receiving a wireless signal from outdoors and it has switching and basic routing capabilities. I'm using the PC router for better routing options. The PC Router (or R for short) is a triple-booting machine - Linux, FreeBSD and Windows. It has two LAN cards - external (ext_if) - 100Mbps Realtek 8139 and internal (int_if) - 1Gbps integrated Realtek 8169. The problem is that all traffic from R to the network is slow - about 5-20K, while the traffic in the opposite direction is all right - about 10MB, which is fine for 100Mbps cables, NICs and switches. The problem persists no matter which OS the PC R is running. I've tried some debugging on the situation as follows:
- Put another PC in the place of R - everything is fine. That excludes the possibility of damaged cables, RJ-45s, switches etc.
- Connected both of the NICs to the Internet while the internal network is disconnected, and they both work fine (no delays).
- Traffic shaping is not running.
- There is nothing in the firewalls except NATing the internal network (and it is working fine). Actually these firewall rules have been operational for months and everything was fine until a week or two ago.
- Changed the internal NIC for another.
- Connected the internal network directly to the TP and all of the PCs get good network performance. Then connected the R machine to the TP as well and there was good performance between the internal network PCs and R.
- R has good performance to the TP. In fact everything has good performance directly to the TP (when not connecting through R).
- The problem persists only between R and machines from the internal network.
I'm using the Fedora Eee kernel for Fedora 12 (it's an unofficial kernel for the Eee PC), and want to update my system (I just set it up today). How can I update via command line and prevent an update to the default kernel?
eth0 192.168.2.100 (internal Web, Mail)
eth1 192.168.3.100 (default gateway NIC for clients)
eth2 192.168.3.110 (should be the default gateway for all outgoing traffic not belonging to 192.168.2.100 and 192.168.3.100)
They are all on the same machine
I cannot set eth1 or eth2 as the default gateway, as outside requests to eth0 would be handled in a false manner (somehow).
Is there an easy iptables rule to say that outgoing traffic not belonging to my networks can be redirected to a specific NIC (eth2)?
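The three routing questions on this page (host traffic on NIC H only while a bridged guest uses NIC G, one internal 10.0.0.x address out the physical ISP link instead of the VPN, and eth2 as the default gateway for everything except the server addresses) share one mechanism, and it is not an iptables rule: a per-source routing table selected by `ip rule`. The host/guest case additionally needs the host's own IP stack kept off NIC G, which is what host_off_nic does. This is an added example, not from any of the posts; interface names, addresses, gateways and table numbers are placeholders.

```shell
#!/bin/sh
# Added example, not from the original posts: source-based policy routing on
# Linux (ip rule / ip route) and, for the bridged-guest case, taking a NIC away
# from the host's own IP stack. All interface names, addresses and gateways
# are placeholders; substitute your own.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# pin_source_to_nic SRC_IP NIC GATEWAY TABLE
# Packets whose source address is SRC_IP are routed by their own table, whose
# only default route leaves via NIC/GATEWAY. Replies to anything that came in
# on NIC therefore leave on NIC again, whatever the main table's default says,
# and the host never originates SRC_IP traffic on another link. For forwarded
# traffic the lookup sees the pre-NAT source, so LAN addresses work here too.
pin_source_to_nic() {
    src="$1"; nic="$2"; gw="$3"; table="$4"
    run ip route replace default via "$gw" dev "$nic" table "$table"
    run ip rule add from "$src" lookup "$table" priority "$table"
    run ip route flush cache
}

# host_off_nic NIC
# Deny the host's IP stack the use of NIC while leaving the link up for a
# bridged guest. Without an address on NIC the host cannot source traffic
# there; the INPUT/OUTPUT drops catch anything else (a stray link-local
# address, a later DHCP client). VirtualBox's bridged filter driver injects
# guest frames below the host IP layer, so these rules never see guest traffic.
host_off_nic() {
    nic="$1"
    run ip addr flush dev "$nic"
    run ip link set "$nic" up
    run iptables -I OUTPUT -o "$nic" -j DROP
    run iptables -I INPUT -i "$nic" -j DROP
}

plan() {
    # Host/guest split: host uses only eth0 (IPH 10.1.1.10), guest bridges on eth1.
    pin_source_to_nic 10.1.1.10 eth0 10.1.1.1 100
    host_off_nic eth1
    # Router: one LAN client (10.0.0.42) always leaves by the physical ISP link,
    # not the VPN that carries everyone else's default route.
    pin_source_to_nic 10.0.0.42 eth0 203.0.113.1 101
    # Three-NIC server: each service address answers via its own gateway while
    # the main table's default route (everything else) points out of eth2.
    pin_source_to_nic 192.168.2.100 eth0 192.168.2.1 102
    pin_source_to_nic 192.168.3.100 eth1 192.168.3.1 103
    run ip route replace default via 192.168.3.1 dev eth2
}

case "${1:-plan}" in
    plan)  plan ;;                 # sh policy-route.sh        -> print the commands
    apply) DRY_RUN=0; plan ;;      # sudo sh policy-route.sh apply
esac
```

Run it without arguments first and read the commands; `apply` executes them and is not idempotent (a second run adds duplicate rules). Check the result with `ip rule show` and `ip route show table 100`.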
I'm running F13 with KDE 4.4.4 on my desktop PC. A few months ago I had occasion to run Kalarm (invoked via the "Kickoff" app launcher). Ever since that time, the Kalarm icon appears in my KDE "system tray" after I log in. I power down my PC when I'm finished using it for the day. In an effort to get rid of the Kalarm icon, I changed my KDE "session manager" (System settings -> Advanced -> Session Manager) settings to: "on login: start with an empty session". But the Kalarm icon still appears in my "system tray" after the next reboot/login. I've also tried right-clicking on the Kalarm icon and selecting "quit". The icon still re-appears after the next reboot/login. Why didn't the session manager setting "on login: start with an empty session" get rid of the Kalarm icon?
I'm having trouble booting after a recent bunch of updates (I haven't been able to boot F12 from the hard disk for a couple of days). The boot process gets as far as "NetworkManager daemon [OK]", then just stops. I get this for all 3 kernels that I can choose from the grub menu (2.6.32.16-141, 2.6.32.14-127, 2.6.32.12-115). Mounting the hard drive with a liveUSB, a quick inspection of /var/log/messages reveals that things go smoothly until: etc. until I hit the power button. I ought to mention that I have a wireless card that requires the Realtek RTL8192SE driver, which requires
I have a 2-monitor configuration, with the second monitor used exclusively for MythTV. When I'm not actually watching TV or a movie, or watching visualizations with music playing, I actually use the machine for more productive uses. As a result the second monitor is typically not turned on, which might have something to do with the fact that it's a CRT design, consumes a fair bit of power and does a good job keeping the media room overly warm.
The question is, does Fedora 11 or newer have a means to prevent applications from opening on the second monitor? I've checked the obvious places and nothing jumps out.
btw: According to the nvidia X server settings control panel the second monitor is set up in TwinView mode. This mode was chosen to allow the GPU to do most of the video decoding tasks using VDPAU or something, as I recall.
Is it possible to block an application from using the network? If yes, how? I read it's possible with iptables and with SELinux... Also, what about creating a user who can't connect and running the application as that user?
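The iptables owner match is the usual answer to all three iptables questions on this page (one trusted host on any port, what an application may connect to, and an application with no network at all): run the program as a dedicated user and filter the OUTPUT chain by that UID. SELinux can express the same per-program policy, but this follows the iptables route the posts mention. Added example, not from any of the posts; user names, addresses and ports are placeholders.

```shell
#!/bin/sh
# Added example, not from the original posts: iptables rules that (a) let one
# trusted host in on every port, (b) cut a user account off the network so
# untrusted programs can be run as that user, and (c) confine an application's
# outbound traffic to the servers it legitimately needs, using the owner match
# on the UID it runs as. User names, addresses and ports are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (root)
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# allow_host_all_ports SRC_IP
# Accept anything from one address; with the INPUT policy at DROP every other
# source still reaches only the ports opened explicitly elsewhere.
allow_host_all_ports() {
    run iptables -I INPUT -s "$1" -j ACCEPT
}

# deny_user_network USER
# The owner match sees locally generated packets only (OUTPUT chain), which is
# exactly the case here: run the program as USER (su / sudo -u) and every
# socket it opens is rejected, loopback included. The packet is attributed to
# the UID of the process that created the socket, so a setuid helper or a
# connection inherited from another user is not covered.
deny_user_network() {
    run iptables -I OUTPUT -m owner --uid-owner "$1" -j REJECT --reject-with icmp-admin-prohibited
}

# confine_app_user APPUSER IP:PORT...
# Outbound connections owned by APPUSER may go only to the listed TCP
# endpoints (database, LDAP, ...). Everything else it tries is logged and
# rejected. If the application resolves names, add the resolver's UDP 53 or
# use IP addresses. Who may connect *to* the application is governed by INPUT.
confine_app_user() {
    user="$1"; shift
    chain="app_$user"
    run iptables -N "$chain"
    run iptables -A OUTPUT -m owner --uid-owner "$user" -j "$chain"
    run iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for dest in "$@"; do
        ip="${dest%:*}"; port="${dest#*:}"
        run iptables -A "$chain" -p tcp -d "$ip" --dport "$port" -m state --state NEW -j ACCEPT
    done
    run iptables -A "$chain" -j LOG --log-prefix "$chain denied: "
    run iptables -A "$chain" -j REJECT --reject-with icmp-admin-prohibited
}

plan() {
    allow_host_all_ports 192.168.1.20                       # the admin workstation
    deny_user_network sandbox                               # sudo -u sandbox ./untrusted-tool
    confine_app_user appsrv 10.0.5.10:5432 10.0.5.11:636    # postgres, ldaps
}

case "${1:-plan}" in
    plan)  plan ;;
    apply) DRY_RUN=0; plan ;;
esac
```

Verify with `sudo -u sandbox curl http://example.com/` (should fail immediately with "Network is unreachable") and by watching the `app_appsrv denied:` lines in the kernel log while the application runs.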
I have a bootable utility toolset that I put together with Fedora 14, one of its primary functions is to map a user designated share via script and access information from it. The command that I used, that functioned perfectly, in Fedora 14 was:
Code: sudo mount -t cifs -o user=provided.account.name //file-server.mydomain.com/share/images /mnt/source
When I'm logged into my account, I can't shut down the computer if someone else is also logged in unless I supply the root password. However, if I log out, I can shut down from GDM without being challenged, even though another person is logged in, which could cause problems if that person is in the middle of some work. Is there a way to password-protect the gdm shutdown function if people are logged in?
My Windows guests see my VMware Host Only folders as \\.host\Shared Folders. But when I try to see them from a Linux guest, all I get is frustrated. No permutation of that seems to work. Because the Windows guests see the shared folders I know the host is doing its part in providing them. After two days of not finding an answer on the VMware Workstation forum I finally figured out that the problem really is how to look for them with Linux. With Linux I can turn off all NICs except the Host Only NIC, put smb://172.16.138.1 into the address bar and see all the shares on the host, but not the folder designated as the host only folder.
I have Fedora 10 and am having problems with ssh. For some reason I can't connect to my ssh from a remote host. Local network connections do work just fine. I have been looking for a log of what is going on but have not had luck seeing anything. Things I have tried:
- Modified hosts.allow to allow ssh to all
- Generated an rsa1 key identity and tried specifying that with the -i option on the guest computer
I am trying to set up an NFS server on my Fedora 11 host machine so that my virtual machines on the same host can access files on the host. The IP address of my host machine is 192.168.1.132. The IP address of my virtual machine is 192.168.122.180. I can ping successfully from host to virtual machine and vice versa. On the host machine, I have done the following:
1) Edited /etc/exports to add this one line: /home/stardust496/files 192.168.122.180(rw,nohide)
2) service rpcbind restart
3) service nfs start
On the virtual machine, I do the following:
1) mkdir /mnt/files
2) mount 192.168.1.132:/home/startdust496/files /mnt/files
But the mount call does not succeed. (It hangs for a while and then returns saying that it did not succeed.)
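A mount that hangs and then fails like this is most often the host firewall dropping portmapper (111) or mountd traffic rather than a bad exports line, which is what another poster on this page found with showmount. The exports line is still worth checking before a home directory is exposed to a VM, so here is an added example, not from the post: a small linter for /etc/exports lines in POSIX sh. The VM address is the post's own; the other paths and ranges are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a small linter for /etc/exports
# lines, run before exporting a home directory to a VM. Paths and addresses
# are placeholders apart from the post's own VM address.
set -eu

# check_export "PATH CLIENT(OPTS) [CLIENT(OPTS)...]"
# Prints one line per questionable setting and returns 1 if any of them is a
# real security problem (anyone may mount, remote root kept, unprivileged
# source ports accepted, relative path); missing sync/async is only reported.
check_export() {
    set -f                  # no globbing while splitting: a client of "*" must stay literal
    set -- $1
    set +f
    path="$1"; shift
    bad=0
    case "$path" in
        /*) ;;
        *)  echo "$path: export path must be absolute"; bad=1 ;;
    esac
    if [ $# -eq 0 ]; then
        echo "$path: no client given, exportfs would export to every host"; bad=1
    fi
    for spec in "$@"; do
        client="${spec%%\(*}"
        case "$spec" in
            *\(*) opts="${spec#*\(}"; opts="${opts%\)}" ;;
            *)    opts="" ;;
        esac
        case "$client" in
            ""|"*") echo "$path -> '$client': any host may mount this export"; bad=1 ;;
        esac
        case ",$opts," in
            *,no_root_squash,*) echo "$path -> $client: no_root_squash lets the client's root act as local root"; bad=1 ;;
        esac
        case ",$opts," in
            *,insecure,*) echo "$path -> $client: insecure accepts mounts from unprivileged source ports"; bad=1 ;;
        esac
        case ",$opts," in
            *,sync,*|*,async,*) ;;
            *) echo "$path -> $client: neither sync nor async given (exportfs warns, defaults to sync)" ;;
        esac
    done
    return $bad
}

# The post's line, then a hardened version for the same VM.
check_export "/home/stardust496/files 192.168.122.180(rw,nohide)" || true
check_export "/home/stardust496/files 192.168.122.180(rw,sync,root_squash)"
```

The checker only reads the line you pass it; run `exportfs -v` afterwards to see the options the server actually applied, and `rpcinfo -p HOST` from the VM to confirm that portmapper, mountd and nfs are reachable through the host firewall.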
I have two systems, an Intel Core2 Duo system running the 32-bit version of Fedora 12, and a MacBook Pro running the 64-bit version of Fedora 12. I'm using the Gnome desktop on each system. I have enabled all the services I believe are necessary to support NFS, including nfs, rpcbind, rpcgssd, rpcidmapd, and rpcsvcgssd, on each system. I have added an entry to my /etc/exports file to export my home on each system, and if I type this command:
$ showmount -e localhost
I get a result like this:
Export list for localhost:
/home/tron 192.168.200.101,192.168.200.100
However when I issue this type of command:
$ showmount -e <remote host name>
I get this kind of result:
rpc mount export: RPC: Unable to receive; errno = No route to host
Research on the Internet indicates this is usually due to a firewall problem. However, I used the Firewall Configuration application to disable the firewall on both systems, and I continue to get the same result. What is needed so I can get these two machines to display their exported file shares remotely?
It turns out I did not disable the firewall when I thought I had. Now that I'm certain the firewall is disabled on both systems, I'm able to get the showmount command to succeed.
setting my hostname in my machine. If I want to login to my machine that contains f14 I need to do
Code: ssh user_name@ipaddress
But I have set a host name for my machine. I need to login to my machine using
Code: login_name@host.domain_name
When I try to do that it says "Name or service not known"
This is needed very much for a laptop, for example when I work with it between my office and home and the domain name changes. But I need to log in to it remotely. Also this is needed as remembering an IP address is painful.
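One ~/.ssh/config covers both the cluster-behind-a-bastion problem above (edit with a local emacs over sshfs instead of hopping twice) and the laptop that moves between domains (an alias with a fixed HostName instead of a short name that the current network's DNS may not resolve). Added example, not from either post; host names, user and addresses are placeholders, and `ProxyCommand ssh -W` needs OpenSSH 5.4 or newer.

```shell
#!/bin/sh
# Added example, not from the original posts: generate ~/.ssh/config stanzas
# for (1) a laptop reachable by one short alias from any network and (2) a
# cluster behind a bastion host, then mount the cluster with sshfs so files
# open in the local editor. Host names, user and addresses are placeholders.
set -eu

# laptop_stanza ALIAS USER HOSTNAME
# "ssh ALIAS" connects to HOSTNAME (an IP or a fully qualified name) whatever
# DNS search domain the current network hands out; the bare short name that
# fails with "Name or service not known" never has to be resolved.
laptop_stanza() {
    printf 'Host %s\n    HostName %s\n    User %s\n\n' "$1" "$3" "$2"
}

# jump_stanzas BASTION CLUSTER USER
# ProxyCommand with -W (OpenSSH 5.4+; older: "ssh BASTION nc %h %p") relays
# the TCP connection through BASTION without a shell there and without
# ForwardAgent, so a compromised bastion cannot borrow your key. ControlMaster
# shares one authenticated connection between sshfs, scp and editor saves.
jump_stanzas() {
    bastion="$1"; cluster="$2"; user="$3"
    printf 'Host %s\n    HostName %s\n    User %s\n\n' \
        "$bastion" "$bastion.example.edu" "$user"
    printf 'Host %s\n    HostName %s\n    User %s\n    ProxyCommand ssh -W %%h:%%p %s\n    ControlMaster auto\n    ControlPath ~/.ssh/cm-%%r@%%h:%%p\n\n' \
        "$cluster" "$cluster.example.edu" "$user" "$bastion"
}

# mount_cluster CLUSTER MOUNTPOINT
# sshfs uses the stanza above, so the bastion hop is invisible; "reconnect"
# re-establishes the session after the laptop changes networks. Once mounted,
# a local emacs opens the files in place with full mouse support.
mount_cluster() {
    mkdir -p "$2"
    sshfs -o reconnect,idmap=user "$1:" "$2"
}

case "${1:-}" in
    config) laptop_stanza lap alice 203.0.113.7; jump_stanzas gate cluster alice ;;
    mount)  mount_cluster cluster "$HOME/cluster" ;;
esac
```

`sh ssh-hop.sh config >> ~/.ssh/config` installs the stanzas; `sh ssh-hop.sh mount` then puts the cluster home under ~/cluster. Emacs users who prefer not to mount can open the same path with TRAMP (`/ssh:cluster:code.f90`), which also reads the ProxyCommand from the config.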
I have a box (boell) running Fedora 10 sitting behind a firewall at school. I am able to freely ssh to and from this box to other computers (minion) within that LAN. Outside of this network I cannot directly ssh to boell - I must ssh first to minion, then I can ssh to boell. I've spoken with the sysadmin and he's verified that the firewall permits ssh freely - I haven't had any issues like this with other boxes of mine there, so this isn't any surprise.
I have verified that the hosts.deny file is blank, iptables permits ports 22 (and 80) and I didn't see anything obvious in sshd_config. I tried a tcpdump on the external host and boell while attempting to ssh from the former to boell. The packets appear to be acknowledged by boell, but this fails to lead to a connection. I've tried this process with external hosts in different locations with the same result. I have made few modifications to the default installation for F10, so perhaps there is some default somewhere I have to change. In any case, below I have attached excerpts of germane files.
======== ssh from boell =======
[root@boell log]# ssh -vvv 71.189.5.67
OpenSSH_5.1p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
I am trying to design an application which violates DHCP. Specifically, the difficulty in writing this application is physically sending the raw packet. I need some documentation on either a library that supports this or where to look for support for raw packet creation. I am not trying to create a raw datagram; that doesn't meet my needs because a raw datagram is still at layer 3. I need to craft a raw layer 2 PDU.
Specifically I want to send a very specific DHCPDISCOVER, receive a DHCPOFFER and pull apart the offer, while never sending a DHCPREQUEST.
Specifically I am pulling apart various options that are sent in the DHCPOFFER. I have a raw DHCPDISCOVER already crafted and the formatted struct sockaddr_ll; where I fail is I can't send the damn thing. Getting the file descriptor after calling socket is okay, but what now? How would I write to that file descriptor and have it transmit?
Code:
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <string.h>

int connfd;
struct sockaddr_ll bcast;
memset(&bcast, 0, sizeof(bcast));
bcast.sll_family   = AF_PACKET;
bcast.sll_protocol = htons(ETH_P_IP);        /* EtherType of the frame being sent */
bcast.sll_ifindex  = if_nametoindex("eth0"); /* NIC to transmit on; the field that matters */
/* With SOCK_RAW the buffer already carries its own Ethernet header, so the kernel
   ignores sll_addr/sll_halen here; they are only consulted for SOCK_DGRAM sockets. */
connfd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); /* needs root or CAP_NET_RAW */
/* frame/frame_len: the already crafted Ethernet + IP + UDP + DHCPDISCOVER buffer */
sendto(connfd, frame, frame_len, 0, (struct sockaddr *)&bcast, sizeof(bcast));