Configure Linux VLAN

VLAN is an acronym for Virtual Local Area Network. Several VLANs can co-exist on a single physical switch. On the Linux side they are configured in software (commands and configuration files) rather than through a hardware interface, although the switch port the host is plugged into still has to be configured as a tagged (trunk) port that carries the VLANs in question.

Hubs or switches connect all the nodes in a LAN, and those nodes can talk to each other without a router. For example, all nodes in LAN A can communicate with each other directly. If a node in LAN A wants to communicate with a node in LAN B, a router is needed. Each LAN (A, B, C and so on) is therefore separated from the others by a router.

A VLAN, as the name suggests, lets one physical network carry several logically separate LANs (or lets one LAN span several switches), with membership decided by configuration rather than by cabling. But what are the advantages of VLANs?

  • Performance
  • Ease of management
  • Security
  • Trunks
  • You don't have to reconfigure any hardware when physically moving a server to another location, etc.

A discussion of VLAN concepts and fundamentals is beyond the scope of this article. I am reading the following textbooks; I found them extremely useful and highly recommend them:

  • Cisco CCNA ICND books (parts I and II)
  • Andrew S. Tanenbaum, Computer Networks book

Linux VLAN Configuration Issue

I was lucky enough to get a couple of hints from our internal wiki docs :D.

  • Not all network drivers support VLANs; you may need to patch your driver.
  • MTU can be another problem. 802.1Q works by tagging each frame: the 4-byte tag, which carries the VLAN ID and priority, enlarges the Ethernet header from 14 to 18 bytes, so a full-size tagged frame is 1522 bytes rather than 1518. A driver or switch that cannot pass 1522-byte frames drops or truncates large packets while small ones still work, so check the MTU on both ends. See the Linux VLAN site for patches and other information.
  • Do not use VLAN ID 1: it is the default (native) VLAN on most switches and is commonly used for management.
  • On the switch side, trunk only the VLANs this host needs to its port. A host on an unrestricted trunk can create a sub-interface for any VLAN ID and join that segment, which defeats the separation the VLANs are meant to provide.

Linux VLAN How To

My VLAN ID is 5, so I need to copy the file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5:

# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.5

 

Now, I have one network card (eth0) and it needs to carry tagged traffic for VLAN ID 5.

  • eth0 - your regular network interface, which keeps sending and receiving untagged frames
  • eth0.5 - the virtual interface whose frames are tagged with VLAN ID 5

Do not modify the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Now open /etc/sysconfig/network-scripts/ifcfg-eth0.5 in the vi text editor:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0.5

 

Find the DEVICE=eth0 line and replace it with the name of the sub-interface (the file name is ifcfg-eth0.5, but DEVICE holds the interface name, not the file name):

DEVICE=eth0.5

 

Append the line:

VLAN=yes

 

Also make sure you assign the correct IP address, either via DHCP or statically. Save the file. Remove the GATEWAY entry from all other network config files and put the gateway only in /etc/sysconfig/network, so that the host has a single default route. Save and close the file. Restart networking:

# /etc/init.d/network restart

 

Note that to configure VLAN ID 2 as well, copy /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.2 and repeat the procedure above with DEVICE=eth0.2.
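The manual steps above, as an added example that is not from the original article: a POSIX shell function that writes the ifcfg file for a tagged sub-interface and refuses the mistakes the text warns about (VLAN ID 1 or an out-of-range ID, a missing base interface, an existing file, and a GATEWAY line, which belongs only in /etc/sysconfig/network). SCRIPTS_DIR, make_vlan_ifcfg, vlan_id_ok, dotted_quad and vlan_ifcfg_clean are this example's own names; the ifcfg keys (DEVICE, VLAN, IPADDR, NETMASK, BOOTPROTO, ONBOOT) are the standard RHEL/CentOS/Fedora ones.

```shell
#!/bin/sh
# Generates ifcfg-<iface>.<vid> for a tagged VLAN sub-interface on
# RHEL/CentOS/Fedora, as in the manual steps above, and enforces the checks
# the text calls for. Example code; not part of the original article.

SCRIPTS_DIR=${SCRIPTS_DIR:-/etc/sysconfig/network-scripts}   # override to test outside /etc

# dotted_quad ADDR -> 0 if ADDR is four decimal octets, each 0-255
dotted_quad() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# vlan_id_ok VID -> 0 for 2..4094. 0 and 4095 are reserved by 802.1Q; 1 is the
# default/native VLAN on most switches and is kept for management.
vlan_id_ok() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# make_vlan_ifcfg IFACE VID IPADDR NETMASK -> writes the file and prints its path
make_vlan_ifcfg() {
  iface=$1 vid=$2 ipaddr=$3 netmask=$4
  if ! vlan_id_ok "$vid"; then
    echo "make_vlan_ifcfg: bad VLAN ID '$vid' (use 2-4094)" >&2; return 1
  fi
  if ! dotted_quad "$ipaddr" || ! dotted_quad "$netmask"; then
    echo "make_vlan_ifcfg: bad IP address or netmask" >&2; return 1
  fi
  base=$SCRIPTS_DIR/ifcfg-$iface
  if [ ! -f "$base" ]; then
    echo "make_vlan_ifcfg: $base not found; configure the physical interface first" >&2; return 1
  fi
  out=$SCRIPTS_DIR/ifcfg-$iface.$vid
  if [ -e "$out" ]; then
    echo "make_vlan_ifcfg: $out already exists; refusing to overwrite" >&2; return 1
  fi
  # DEVICE is the sub-interface name itself (eth0.5), not the file name;
  # VLAN=yes is what makes the init scripts create it on top of $iface.
  # No GATEWAY line: the default route lives in /etc/sysconfig/network.
  cat >"$out" <<EOF
DEVICE=$iface.$vid
BOOTPROTO=static
IPADDR=$ipaddr
NETMASK=$netmask
ONBOOT=yes
VLAN=yes
EOF
  printf '%s\n' "$out"
}

# vlan_ifcfg_clean FILE -> 0 if FILE is flagged VLAN=yes and carries no GATEWAY line
vlan_ifcfg_clean() {
  grep -q '^VLAN=yes$' "$1" && ! grep -q '^GATEWAY=' "$1"
}

# Usage (as root, once ifcfg-eth0 exists):
#   make_vlan_ifcfg eth0 5 192.168.1.100 255.255.255.0 && /etc/init.d/network restart
```

Run vlan_ifcfg_clean over the other ifcfg files too; it is a quick way to spot a stray GATEWAY line that would give the host a second default route after the restart.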

Using vconfig command

The above method works with Red Hat Enterprise Linux / CentOS / Fedora without any problem. However, you will notice that there is also a command called vconfig. The vconfig program lets you create and remove VLAN devices on a VLAN-enabled kernel (one with the 8021q module). VLAN devices are virtual Ethernet devices that represent the virtual LANs on the physical LAN. Note that vconfig comes from the old vlan package and has been superseded by iproute2: on a current system the equivalents of the commands below are ip link add link eth0 name eth0.5 type vlan id 5, ip addr add 192.168.1.100/24 dev eth0.5, ip link set eth0.5 up, and ip link delete eth0.5 to remove the device again. Either way the device exists only until the next reboot unless it is also written into the ifcfg files as above.

Please note that this is yet another method of configuring VLAN. If you are happy with above method no need to read below.

Add VLAN ID 5 on eth0 with the following command:

# vconfig add eth0 5

 

The vconfig add command creates a VLAN device on eth0, which results in an eth0.5 interface. You can use the normal ifconfig command to see the device information:

# ifconfig eth0.5

 

Use ifconfig to assign an IP address to the VLAN interface:

# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up

 

Get detailed information about the VLAN interface from the 8021q module's proc entry:

# cat /proc/net/vlan/eth0.5

 

To delete the VLAN interface, bring it down and then remove it:

# ifconfig eth0.5 down
# vconfig rem eth0.5


pf.conf for an internet cafe (warnet)

After a long time without the chance to write any articles, I now "still haven't written anything either, hehehe"... This is just to keep a copy of the pf.conf I usually use at internet cafes, so that if I forget I can copy and paste it from here. If you need it, feel free to use it, but don't copy it blindly; adapt it to your own requirements :D. OK, here it is:

### macros
# internal and external interfaces (run 'ifconfig' to see your interfaces)
int_if = "vr0"
ext_if = "rl0"

# Ports that may be reached from outside the box; adjust as needed
tcp_services = "{ 80, 110, 25, 53, 113, 21 }"
udp_services = "{ 53, 1194 }"

# ping requests
icmp_types = "echoreq"

# Private networks whose traffic is blocked on the external interface
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy return
set loginterface $ext_if
set skip on lo0

### scrub
scrub in all

### nat/rdr
# NAT traffic from the internal network to the outside
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Port redirection for the transparent HTTP proxy and the transparent FTP proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

### filter rules
block all

# Block traffic arriving from outside with a private source address
block drop in quick on $ext_if from $priv_nets to any

# Block traffic leaving the external interface for private addresses
block drop out quick on $ext_if from any to $priv_nets

# Allow access to the selected TCP ports
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Allow access to the selected UDP ports
pass in on $ext_if proto udp to any port $udp_services keep state

# Allow FTP (active-mode data connections to the ftp-proxy, which runs as user proxy)
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# Reply to pings
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow traffic from the internal network on the internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Allow outbound traffic through the external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

When done, reload it with:

pfctl -NORf /etc/pf.conf

-N, -O and -R load the NAT, option and filter sections respectively. Run pfctl -nf /etc/pf.conf first: -n parses the file without loading it, so a typo is caught before the old rules are replaced. That's all there is to it.

Spam Filter for Exim + cPanel

Anyone who has managed shared hosting has surely been annoyed, once or often, by spammers who keep draining the server's bandwidth and resources with junk mail. cPanel does let its users edit the Exim (mail server) configuration, but making it somewhat more spam-resistant takes a certain trick that not everyone knows :D (me included). After searching around for a while I found one trick for installing a spam filter on an Exim + cPanel mail server. This trick has been tested on the latest cPanel version at the time of writing (WHM 10.8.0, cPanel 10.9.0-C117 on FreeBSD 4.11-STABLE i386 and FreeBSD 6.1-STABLE; according to the original source it was also tested successfully on RH Enterprise and RH 7.3).

The first thing to do is create the following three files:

/etc/rblblacklist
/etc/rblbypass
/etc/rblwhitelist

The command to create them is:

touch /etc/rblblacklist; touch /etc/rblbypass; touch /etc/rblwhitelist

Their contents should be self-explanatory: rblblacklist is the list of domains that must be blocked, rblbypass lists the domains (usually local ones) for which the RBL tests are skipped, and rblwhitelist is of course the list of hosts that will never be blacklisted.

Next open WHM, choose Exim Configuration Editor, then click the Advanced Editor button to enter the configuration editor. Enter the following code in the correct order and location. In the first (topmost) box, below the line

#!!# cPanel Exim 4 Config

enter:

domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist

Next, in the third box from the top (three boxes sit side by side; the one to fill in is the middle one), directly below the line

accept hosts = :

enter:

#**#
#**# RBL List #**#
#
# Always accept mail for postmaster & abuse at all local domains
#
accept domains = +local_domains
       local_parts = postmaster:abuse
#
# Check whether the sending host is on a DNS black list.
# Accept all messages from local (relay) hosts and authenticated clients.
# Reject mail if the host is on a blacklist (the message below can be changed to suit you).
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text :
     !hosts = +relay_hosts
     !authenticated = *
     # The DNSBLs to query; this many should be enough to make spammers give up
     dnslists = dnsbl.njabl.org : bl.spamcop.net : sbl.spamhaus.org : list.dsbl.org : cbl.abuseat.org : relays.ordb.org
     # RBL bypass for the local domain list
     !domains = +rbl_bypass
     # RBL whitelist for incoming hosts
     !hosts = +rbl_whitelist
#**#
#**# RBL List End
#**#

One caveat about the dnslists line: several of these zones no longer exist. dnsbl.njabl.org, list.dsbl.org and relays.ordb.org have all been shut down since this was written, and a retired zone that answers every query positively makes this deny rule reject all inbound mail. Check that each list is still operated before relying on it: a live DNSBL lists the test address 127.0.0.2 and does not list 127.0.0.1, so a zone that "lists" 127.0.0.1 is dead or wildcarded and must be removed.
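As an added example (not part of the original article or of cPanel's Exim configuration), the POSIX shell functions below implement the lookup that Exim's dnslists condition performs (reverse the octets, prepend them to the zone, treat an A record in 127.0.0.0/8 as "listed") and the 127.0.0.1 / 127.0.0.2 liveness check described above. The zone names healthy.example, dead.example and silent.example and the fake_resolve table are constructed for the offline demo; when DNSBL_RESOLVER is empty the real lookup is done with dig, which is assumed to be installed.

```shell
#!/bin/sh
# DNSBL lookup and liveness check, written to go with the dnslists line above.
# Example code; not from the original article. A listing is queried as
# <reversed IPv4>.<zone>; an A answer in 127.0.0.0/8 means "listed". A live
# list must list 127.0.0.2 and must not list 127.0.0.1, so a zone that answers
# for 127.0.0.1 is dead or wildcarded and would make Exim reject all mail.

# dnsbl_query_name IP ZONE -> prints the reversed-octet query name; 1 if IP is not a dotted quad
dnsbl_query_name() {
  zone=$2
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$1" "$2" "$3" "$4"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# dnsbl_resolve NAME -> prints the A records for NAME (nothing if none).
# Uses dig unless DNSBL_RESOLVER names a function to use instead (offline demo/test).
dnsbl_resolve() {
  if [ -n "${DNSBL_RESOLVER:-}" ]; then
    "$DNSBL_RESOLVER" "$1"
  else
    dig +short A "$1"
  fi
}

# dnsbl_is_listed IP ZONE -> 0 and prints the answer if listed, 1 if not, 2 on bad input.
# Only 127.x answers count: a parked (sold) domain returning a public IP is not a listing.
dnsbl_is_listed() {
  name=$(dnsbl_query_name "$1" "$2") || return 2
  answer=$(dnsbl_resolve "$name")
  case $answer in
    127.*) printf '%s\n' "$answer" ;;
    *)     return 1 ;;
  esac
}

# dnsbl_sanity ZONE -> 0 if the zone passes the liveness checks,
#   1 if it does not list 127.0.0.2 (silent, useless), 2 if it lists 127.0.0.1 (dead, rejects everything)
dnsbl_sanity() {
  zone=$1
  if dnsbl_is_listed 127.0.0.1 "$zone" >/dev/null; then
    echo "DEAD    $zone: lists 127.0.0.1, would reject all mail"; return 2
  fi
  if ! dnsbl_is_listed 127.0.0.2 "$zone" >/dev/null; then
    echo "SILENT  $zone: does not list the 127.0.0.2 test address"; return 1
  fi
  echo "OK      $zone"
}

# Constructed offline resolver standing in for DNS (not real data): healthy.example
# behaves like a live list, dead.example like a retired zone that answers everything,
# and silent.example (no entries) like a zone that has simply gone away.
fake_resolve() {
  case $1 in
    2.0.0.127.healthy.example)       echo 127.0.0.2 ;;
    107.178.203.192.healthy.example) echo 127.0.0.2 ;;   # 192.203.178.107, the crynwr test host
    *.dead.example)                  echo 127.0.0.2 ;;
    *)                               : ;;
  esac
}

# Demo against the constructed zones. Run with DNSBL_RESOLVER="" to query real zones with dig.
DNSBL_RESOLVER=${DNSBL_RESOLVER-fake_resolve}
for z in healthy.example dead.example silent.example; do
  dnsbl_sanity "$z" || :
done
```

To audit the zones actually configured, run DNSBL_RESOLVER="" and call dnsbl_sanity once per entry in dnslists; anything reported DEAD must come out of the Exim ACL immediately, and anything SILENT is doing nothing and can go as well.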
Next, enter the following in the seventh box (ROUTERS CONFIGURATION):

# Deny and send a notice for the list of rejected domains.
reject_domains:
  driver = redirect
  # RBL blacklist of incoming hosts
  domains = +rbl_blacklist
  allow_fail
  data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.

OK, once you have got that far you are roughly done: save the configuration and restart Exim, via WHM or the shell, whichever you prefer :). Next, open your mail server's panic log with the following command:

FreeBSD:
tail -50 /var/log/exim/paniclog

Linux:
tail -50 /var/log/exim_paniclog

and check whether any errors appear there; if you see one, you can either revert the configuration or fix the reported mistake. Then check whether our filter is active by looking at the reject log with the following command:
FreeBSD:
tail -50 /var/log/exim/rejectlog

Linux:
tail -50 /var/log/exim_rejectlog

If everything is fine, test it by sending an empty mail to nelson-sbl-test@crynwr.com (this only applies if you use the sbl.spamhaus.org RBL). It is answered with a mail containing the result of the check against our mail server, which looks roughly like this:

Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 202.149.86.114 and here's the conversation I had:

220-server2.nusantaraonline.info ESMTP Exim 4.64 #0 Fri, 05 Jan 2007 08:46:12 +0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 mail.giest.or.id Hello nelson at sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:
550-Message rejected because sbl.crynwr.com [192.203.178.107] is blacklisted at
550 sbl.spamhaus.org see http://www.spamhaus.org/SBL/sbl.lasso?query=SBL230 :
Terminating conversation
If you receive a mail like that, you have succeeded, and your mail server is now reasonably well protected by sbl.spamhaus.org together with the other RBLs.

OK, with all that done, here is one more thing: an example script to count how many spam messages were blocked (just an extra), in case you feel like seeing how many thousand got caught in a month. The same script serves FreeBSD and Linux; only the cPanel log paths differ, so it picks them by uname:

#!/bin/sh
# Count blacklist rejections recorded in the Exim main log, per DNSBL.
case "$(uname -s)" in
  FreeBSD) mainlog=/var/log/exim/mainlog; paniclog=/var/log/exim/paniclog ;;
  *)       mainlog=/var/log/exim_mainlog;  paniclog=/var/log/exim_paniclog ;;
esac

tmp=$(mktemp) || exit 1
trap 'rm -f "$tmp"' EXIT

grep -i "blacklisted" "$mainlog" > "$tmp"
tail -100 "$tmp"
tail "$paniclog"
printf "\n"
printf "Spam Count = "; grep -ci "blacklisted" "$tmp"
printf "njabl.org = ";  grep -c "njabl.org" "$tmp"
printf "spamcop = ";    grep -c "bl.spamcop" "$tmp"
printf "spamhaus = ";   grep -c "sbl.spamhaus" "$tmp"
printf "dsbl.org = ";   grep -c "dsbl" "$tmp"
printf "abuseat = ";    grep -c "abuseat.org" "$tmp"
printf "ordb.org = ";   grep -c "ordb" "$tmp"
printf "Manual = ";     grep -c "manual" "$tmp"
printf "verify fail= "; grep -c "verify fail" "$mainlog"
printf "No Relay = ";   grep -c "not permitted" "$mainlog"
printf "\n"
printf "All Spam:\n"
zgrep -ci "blacklisted" "$mainlog"*
printf "\n"

OK, that's everything; hopefully it doesn't leave your server in an error state :P. Oh, and this article was originally written by someone else. It's not that I don't want to give credit and a link to the original URL, I simply forgot where it came from, but honestly I only translated it and added and edited bits here and there, and although it no longer looks much like the original, credit still goes to the first author of the article.