Corsi / Slides Corsi Linux Avanzati / Rete e Dintorni
Commit 87c9d271
authored Apr 23, 2020 by JackV
parent 5490dc28
Pipeline #581 passed in 58 seconds

Fixes, add additional images
Showing 3 changed files with 51 additions and 39 deletions (+51 -39)
assets/rockpro64.png (+0 -0)
assets/tinkerboard.png (+0 -0)
slides/content.md (+51 -39)
assets/rockpro64.png
new file (mode 100644), 372 KB
assets/tinkerboard.png
new file (mode 100644), 710 KB
slides/content.md
@@ -3,9 +3,9 @@
*
Networking & NFtables basics
*
How to debug network problems
*
Wireguard: easy to setup vpn
*
Ansible: how to mana
n
ge many computers
*
Ansible: how to manage many computers
*
Why have servers running at home
*
Internet connection
s
technologies
*
Internet connection technologies
*
How to build a linux home router
---
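Review bot: two small style points in the unchanged context of this hunk, worth fixing while the list is being touched: "easy to setup vpn" uses "setup" as a verb, so it should read "easy to set up VPN" (and the project spells its name "WireGuard"). The two typo fixes in the hunk itself ("manange" to "manage", "connections technologies" to "connection technologies") look right.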
@@ -21,7 +21,7 @@ A lot of what we are going to
cover today has been done in depth
in previous Linux courses
(links in the relevant sections)
This talk focus
es
more on how
This talk
will
focus more on how
all these topics can come together
----
@@ -59,7 +59,7 @@ Software stack: `ip {address,route}`
## Transport Layer
Works to provide a usable implementation (socket) to the
program, provide important feature such as:
program,
it
provide
s
important feature such as:
*
Ports
*
Packet reliability
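Review bot: the rewritten line still has a number-agreement error: "it provides important feature such as:" should be "it provides important features such as:", since a list of several items follows. Joining the two clauses as "program, and provides important features such as:" would also avoid the comma splice.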
@@ -83,20 +83,20 @@ Main technologies: HTTP, HTTPS, IMAP, gRPC
other computers
*
IPs have a __subnet mask__ that indicates which other IPs
can be contacted directly through the link layer
*
Computer use ARP/NDP to have a
**IP <-> MAC**
translation
*
This also means that
there is a ARP/NDP record that tells us
*
Computer
s
use ARP/NDP to have a
**IP <-> MAC**
translation
*
Also
there is a ARP/NDP record that tells us
the
**MAC address**
relative to the IP we want to contact
---
##
What is important to remember /2
<h2
style=
"min-width: 110%"
>
What is important to remember /2
</h2>
*
For a
ll
other IP
s
(eg.
`176.31.102.216`
) we need to have
a
**default gateway**
where
we deliver our IP packets to have
*
For a
ny
other IP (eg.
`176.31.102.216`
) we need to have
a
**default gateway**
to which
we deliver our IP packets to have
them sent to the Internet
*
Computers that act as default gateways are called
**routers**
(since they
**route**
packets) and usually take the form of
those boxes that ISP give to you
those boxes that ISP
s
give to you
---
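Review bot: the example address `176.31.102.216` on the "default gateway" bullet (unchanged in this hunk) is a routable public address; for slides the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are the safer choice so nobody ends up probing a real host when they try the examples. Two smaller points on the changed lines: "there is a ARP/NDP record" should be "an ARP/NDP record", and replacing "This also means that" with "Also" drops the causal link to the previous bullet (the record exists because the IP is on-link), so "This also means there is an ARP/NDP record" keeps the reasoning intact. The `<h2 style="min-width: 110%">` workaround for the long title is fine, but note it appears twice in this commit and could become a CSS class in the slide theme.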
@@ -137,7 +137,7 @@ $ ip address show
## Important information
```
```
bash
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
```
@@ -148,6 +148,8 @@ $ ip address show
---
## Important information /2
```
bash
link
/ether 9c:b6:d0:06:87:35
```
@@ -163,6 +165,8 @@ Our interface's IP addresses
---
## Important information /3
```
bash
$
ip route show
default via 192.168.0.1 dev wlp2s0 <clipped>
@@ -187,11 +191,12 @@ packet filter (firewall) allowing us to block out unwanted traffic
---
##
NFtables vs IPtables vs firewalld (& co.)
<h2
style=
"min-width: 110%"
>
NFtables vs IPtables vs firewalld (& co.)
</h2>
*
**iptables**
: frontend for
`xt_*`
kernel modules, old (1998)
*
**nftables**
: frontend for
`nf_*`
kernel modules, "new" (2014)
*
**firewalld & co.**
: allow easier configuration, under the hood all use iptables
*
**firewalld & co.**
: allow easier configuration, under the hood
they all use iptables
---
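Review bot: the rewritten "firewalld & co." bullet now states that "they all use iptables" under the hood, which is no longer accurate for firewalld: since firewalld 0.6.0 (2018) its default backend is nftables, with iptables kept only as a fallback option. Suggest qualifying the line, for example "under the hood they use iptables or, in newer versions of firewalld, nftables", so the slide does not contradict the "nftables: new (2014)" bullet just above it.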
@@ -226,7 +231,7 @@ Source: [Wikipedia](https://commons.wikimedia.org/wiki/File:Netfilter-packet-flo
2 separate interfaces (like a switch)
*
The
**routing decision**
step is also what decides the output interface,
the __forward__ hook is the first to know the output interface
*
There are
**4**
chains:
**filter**
and
**nat**
(common), mangle and raw (rarely used)
*
There are
**4**
chains:
**filter**
and
**nat**
(common),
`
mangle
`
and
`
raw
`
(rarely used)
*
There are
**5**
hooks:
*
filter:
**input**
,
**forward**
,
**output**
*
nat:
**prerouting**
,
**postrouting**
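Review bot: the line reformatted here ("There are **4** chains: filter and nat (common), `mangle` and `raw` (rarely used)") has the netfilter terminology inverted: filter, nat, mangle and raw are *tables*; input, forward, output, prerouting and postrouting are the *chains* (in iptables) attached to the five netfilter *hooks*. The sub-bullets also partition the hooks by table, but that split is not real: the nat table has PREROUTING, OUTPUT, POSTROUTING (and INPUT) chains, and the mangle table has chains on all five hooks. Suggest "There are 4 commonly used tables ..." and "There are 5 hooks: prerouting, input, forward, output, postrouting; each table can attach a chain to them" rather than listing them under filter and nat.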
@@ -300,10 +305,10 @@ network configuration problems
### Network checklist
*
Does
the network
have working routing
?
*
Can
the network
route to another address
?
*
Does the network resolve domain names?
*
Are response packets coming back?
*
Are there problems
in upper layers?
*
Is everything ok
in upper layers?
---
@@ -322,7 +327,7 @@ network configuration problems
*
Again
**ping**
can be used to quickly check if DNS resolution
is working as intended,
`ping poul.org`
will return an ip
address i
s
DNS is working
address i
f
DNS is working
*
**dig**
can help to check more complex problems,
using
`dig poul.org`
will tell us if the system DNS
@@ -340,7 +345,7 @@ network configuration problems
*
Only have ssh but want to have a gui? No problem!
<br>
```
ssh root@<ip>
'
tcpdump -i eth0 -s0 -w -
'
| wireshark -k -i -
ssh root@<ip>
"
tcpdump -i eth0 -s0 -w -
'not port 22'"
| wireshark -k -i -
```
---
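Review bot: adding `'not port 22'` to the remote tcpdump is the right fix (without it the ssh session carrying the capture shows up in the capture, which snowballs), but the filter as written hides every SSH packet on the box, including other people's sessions and connection attempts against sshd, which is often exactly what you want to see while debugging. Narrowing it to the capture session, `'not (host <your ip> and port 22)'`, keeps the loop out while leaving the rest of port 22 visible. Also consider `tcpdump -U -i eth0 -s0 -w -` so tcpdump flushes each packet to the pipe immediately instead of buffering; otherwise Wireshark appears to lag on a quiet interface.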
@@ -431,11 +436,11 @@ Endpoint = <server public ip>:51820
---
```
wg-quick server.conf
wg-quick
up
server.conf
```
```
wg-quick client.conf
wg-quick
up
client.conf
```
---
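Review bot: adding the missing `up` is correct, but `wg-quick up server.conf` still does not do what the slide implies. wg-quick treats a bare argument that matches the interface-name pattern (up to 15 characters of `[a-zA-Z0-9_=+.-]`, which `server.conf` does) as an interface name and looks for `/etc/wireguard/server.conf.conf`, so it fails with "does not exist". Either pass a path, `wg-quick up ./server.conf`, or install the file as `/etc/wireguard/server.conf` and run `wg-quick up server`. The same applies to the `client.conf` line.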
@@ -447,7 +452,8 @@ wg-quick client.conf
## Well not so fast
Due to the fail-open nature, it is sometimes difficult to debug
Some debugging techniques are shown in the previous sections.
Some debugging techniques are shown in the previous sections.
Ping tends to report an error if wireguard is misconfigured.
The linked slides offer a more in-depth explaination of the
configuration that might help to debug problems.
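Review bot: the sentence added here is fine, but the unchanged first line of the slide calls WireGuard "fail-open", which is the opposite of its behaviour: a WireGuard endpoint silently drops anything it cannot authenticate and never answers an unknown peer, so a misconfiguration looks like a dead link rather than an open one. "Fail-silent" (or "fail-closed") is the accurate term and explains why it is "sometimes difficult to debug". Also "explaination" in the context line should be "explanation".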
@@ -467,14 +473,15 @@ Strong points:
*
Only Python and SSH need to be installed to have a machine
be controlled by Ansible
*
Idempotent (multiple runs have the same result as one)
*
Declarative/Stateless - what is on the config files dictates the end result
*
Declarative/Stateless - what is on the config files dictates the end result,
not how to get there
---
## What can you do with ansible?
*
Maintain consistent configurations across machines
*
Have
all your machines have a
set of installed packages
*
Have set of installed packages
on all your machines
*
Manage installation/upgrade of services in a reproducible way
---
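Review bot: the rewritten bullet "Have set of installed packages on all your machines" is missing its article: "Have a set of installed packages on all your machines". The extension of the "Declarative/Stateless" bullet with "not how to get there" reads well.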
@@ -487,7 +494,7 @@ Strong points:
---
## Anato
n
y of an inventory
## Anato
m
y of an inventory
```
ini
[webservers]
@@ -522,7 +529,7 @@ apk:
remote_user: root
tasks:
-
name: install webserver
apk
:
package
:
name: lighthttpd
state: latest
-
name: start webserver
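Review bot: switching from the `apk` module to the generic `package` module is a good portability change, but the package name in the context line is misspelled: the Alpine (and Debian) package is `lighttpd`, not `lighthttpd`, so this task fails as written. Separately, `state: latest` upgrades the package on every run, which undercuts the "reproducible" claim the slides make for Ansible a few screens earlier; `state: present` is the usual choice unless the playbook is explicitly meant to track upstream.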
@@ -552,15 +559,15 @@ apk:
---
### Server
###
Cloud
Server
* Usually ha
ve
better uptime (much closer to 100%)
* Usually ha
s
better uptime (much closer to 100%)
* Storage has magic underneath
* Usually ha
ve
higher network bandwidth
* Usually ha
s
higher network bandwidth
---
### What to consider to do cost/benefit
### What to consider to do cost/benefit
-wise
* On cloud servers the entire infrastructure
is redundant, and if a component breaks the
@@ -589,11 +596,15 @@ apk:
## SBC ARM/Router
<img src="assets/rpi4.jpg" style="max-height: 30%">
<div style="display: block; margin: 0 auto">
<img src="assets/rpi4.jpg" style="max-width: 27%">
<img src="assets/tinkerboard.png" style="max-width: 30%">
<img src="assets/rockpro64.png" style="max-width: 25%">
</div>
* Cost: 20-100€
* Computing power: Medium-Low
* Storage: scarce
(eccetto usb 3)
* Storage: scarce
/decent
* Power consumption: > 10W
---
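Review bot: the unchanged "Power consumption: > 10W" line in this hunk looks like an inverted comparison: a 20-100€ ARM SBC typically draws a few watts, and the x86 tier further down is listed at "10-50W", so this one should almost certainly read "< 10W". On the edited storage line, the deleted Italian note "(eccetto usb 3)" ("except USB 3") explained *why* storage can be decent; "Storage: scarce (decent with USB 3)" would keep that information in English instead of the bare "scarce/decent".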
@@ -612,14 +623,15 @@ apk:
## Why you shouldn't buy a RPi
* 1-3 have usb ports behind a
n
hub
* 1-3 have usb ports behind a hub
* 1-3 have ethernet behind an usb adapter<br>(guess where it is attached?)
* Wifi tends to be very crappy without
an u.FL connector and a proper antenna
* Computing power is generally
poor
er than
* Computing power is generally
low
er than
competitors for the same price point
* RPi linux distributions tend to come with
a lot of propietary broadcom blobs
a lot of proprietary broadcom blobs
* Generally poor power supply circuitry
---
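Review bot: the context line "1-3 have ethernet behind an usb adapter" should read "a USB adapter" (the "an hub" fix in the changed line above it is correct). The "propietary" to "proprietary" and "poorer" to "lower" fixes look good.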
@@ -632,7 +644,7 @@ apk:
* Cost: 50-200€
* Computing power: Medium-High
* Storage: su
ffi
cent
* Storage:
u
su
ally quite de
cent
* Power consumption: 10-50W
---
@@ -646,9 +658,9 @@ apk:
* Cost: 100-2000€
* Computing power: High
* Storage: sufficent-plenty (
SAN
)
* Storage: sufficent-plenty (
NAS
)
* Power Consuption: 200-2000W
* Pros: no house heating costs
* Pros:
[
no house heating costs
](https://hardware.slashdot.org/story/17/09/13/002250/french-company-plans-to-heat-homes-offices-with-amd-ryzen-pro-processors)
---
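Review bot: two typos survive on lines this hunk touches or surrounds: "sufficent-plenty" should be "sufficient-plenty" (the line being edited for SAN/NAS) and "Power Consuption" should be "Power Consumption".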
@@ -735,7 +747,7 @@ AFAIK there is no ONT with OpenWRT support
<img src="assets/ethernet.jpg" style="max-height: 30%" />
Some provides (eg. Eolo) use alternative transmission mediums,
Some provide
r
s (eg. Eolo) use alternative transmission mediums,
usually these will have an ordinary ethernet cable attached
to a mundane wifi router
@@ -757,7 +769,7 @@ to a mundane wifi router
## Small digression: Modem Libero
At the end of 2018 the AGCOM (italian telecomunications agency) approved
a set of rules that force ISP to provide appropiate means to allow consumers
a set of rules that force
s
ISP
s
to provide appropiate means to allow consumers
to choose their own router (ONT are still part of the ISP's network)
Obtaining the various settings for connecting to the ISP's network varies
by difficulty and amount of call centers you have to contact based on the ISP you pick
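Review bot: the rewritten line still carries "appropiate", which should be "appropriate", and the context line above it has "telecomunications" for "telecommunications". Since the relative clause attaches to "rules", "a set of rules that force ISPs" was already grammatical; "forces" is acceptable if it is read as agreeing with "set", so either works, but be consistent.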