Commit 87c9d271 authored by JackV

Fixes, add additional images

parent 5490dc28
Pipeline #581 passed with stage
in 58 seconds
...@@ -3,9 +3,9 @@ ...@@ -3,9 +3,9 @@
* Networking & NFtables basics * Networking & NFtables basics
* How to debug network problems * How to debug network problems
* Wireguard: easy to setup vpn * Wireguard: easy to setup vpn
* Ansible: how to manange many computers * Ansible: how to manage many computers
* Why have servers running at home * Why have servers running at home
* Internet connections technologies * Internet connection technologies
* How to build a linux home router * How to build a linux home router
--- ---
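Review bot: while this hunk is already fixing typos in the topic list, the untouched item "Wireguard: easy to setup vpn" has the same class of problem: "setup" is the noun, "set up" the verb, and the project spells its name "WireGuard", so "WireGuard: easy-to-set-up VPN" would be consistent with the other corrections.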
...@@ -21,7 +21,7 @@ A lot of what we are going to ...@@ -21,7 +21,7 @@ A lot of what we are going to
cover today has been done in depth cover today has been done in depth
in previous Linux courses in previous Linux courses
(links in the relevant sections) (links in the relevant sections)
This talk focuses more on how This talk will focus more on how
all these topics can come together all these topics can come together
---- ----
...@@ -59,7 +59,7 @@ Software stack: `ip {address,route}` ...@@ -59,7 +59,7 @@ Software stack: `ip {address,route}`
## Transport Layer ## Transport Layer
Works to provide a usable implementation (socket) to the Works to provide a usable implementation (socket) to the
program, provide important feature such as: program, it provides important feature such as:
* Ports * Ports
* Packet reliability * Packet reliability
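Review bot: the rewritten sentence "Works to provide a usable implementation (socket) to the program, it provides important feature such as:" is now a comma splice and has a number disagreement ("feature" for several items). Suggest "Provides a usable abstraction (the socket) to the program, plus important features such as:".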
...@@ -83,20 +83,20 @@ Main technologies: HTTP, HTTPS, IMAP, gRPC ...@@ -83,20 +83,20 @@ Main technologies: HTTP, HTTPS, IMAP, gRPC
other computers other computers
* IPs have a __subnet mask__ that indicates which other IPs * IPs have a __subnet mask__ that indicates which other IPs
can be contacted directly through the link layer can be contacted directly through the link layer
* Computer use ARP/NDP to have a **IP <-> MAC** translation * Computers use ARP/NDP to have a **IP <-> MAC** translation
* This also means that there is a ARP/NDP record that tells us * Also there is a ARP/NDP record that tells us
the **MAC address** relative to the IP we want to contact the **MAC address** relative to the IP we want to contact
--- ---
## What is important to remember /2 <h2 style="min-width: 110%">What is important to remember /2</h2>
* For all other IPs (eg. `176.31.102.216`) we need to have * For any other IP (eg. `176.31.102.216`) we need to have
a **default gateway** where we deliver our IP packets to have a **default gateway** to which we deliver our IP packets to have
them sent to the Internet them sent to the Internet
* Computers that act as default gateways are called **routers** * Computers that act as default gateways are called **routers**
(since they **route** packets) and usually take the form of (since they **route** packets) and usually take the form of
those boxes that ISP give to you those boxes that ISPs give to you
--- ---
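Review bot: article errors in the edited bullets: "a **IP <-> MAC** translation" and "Also there is a ARP/NDP record" should read "an IP <-> MAC translation" and "an ARP/NDP record"; dropping "This also means" also loses the causal link to the previous bullet, so "This also means there is an ARP/NDP entry (a neighbour entry, see `ip neigh`) that tells us..." keeps the reasoning intact. The heading replacement `<h2 style="min-width: 110%">` swaps a markdown heading for inline HTML purely for layout; a CSS class shared by the other wide slides would keep the source portable and easier to grep.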
...@@ -137,7 +137,7 @@ $ ip address show ...@@ -137,7 +137,7 @@ $ ip address show
## Important information ## Important information
``` ```bash
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
``` ```
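Review bot: tagging this fence as `bash` highlights captured `ip address show` output as shell source, which misrenders tokens such as `<BROADCAST,MULTICAST,UP,LOWER_UP>`; since the block holds output rather than commands, `text` (or `console` where a `$` prompt line is included) is the better tag. The same applies to the new fences in the two following hunks.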
...@@ -148,6 +148,8 @@ $ ip address show ...@@ -148,6 +148,8 @@ $ ip address show
--- ---
## Important information /2
```bash ```bash
link/ether 9c:b6:d0:06:87:35 link/ether 9c:b6:d0:06:87:35
``` ```
...@@ -163,6 +165,8 @@ Our interface's IP addresses ...@@ -163,6 +165,8 @@ Our interface's IP addresses
--- ---
## Important information /3
```bash ```bash
$ ip route show $ ip route show
default via 192.168.0.1 dev wlp2s0 <clipped> default via 192.168.0.1 dev wlp2s0 <clipped>
...@@ -187,11 +191,12 @@ packet filter (firewall) allowing us to block out unwanted traffic ...@@ -187,11 +191,12 @@ packet filter (firewall) allowing us to block out unwanted traffic
--- ---
## NFtables vs IPtables vs firewalld (& co.) <h2 style="min-width: 110%">NFtables vs IPtables vs firewalld (& co.)</h2>
* **iptables**: frontend for `xt_*` kernel modules, old (1998) * **iptables**: frontend for `xt_*` kernel modules, old (1998)
* **nftables**: frontend for `nf_*` kernel modules, "new" (2014) * **nftables**: frontend for `nf_*` kernel modules, "new" (2014)
* **firewalld & co.**: allow easier configuration, under the hood all use iptables * **firewalld & co.**: allow easier configuration, under the hood
they all use iptables
--- ---
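Review bot: the rewrapped bullet preserves the claim that firewalld and similar frontends "all use iptables" under the hood, which is dated: firewalld has shipped an nftables backend since 0.6.0 and current distributions default to it, so the slide would send people looking for `xt_*` rules that are not there. Suggest "historically built on iptables; recent versions default to nftables". The `<h2 style=...>` heading has the same inline-HTML concern as the earlier one.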
...@@ -226,7 +231,7 @@ Source: [Wikipedia](https://commons.wikimedia.org/wiki/File:Netfilter-packet-flo ...@@ -226,7 +231,7 @@ Source: [Wikipedia](https://commons.wikimedia.org/wiki/File:Netfilter-packet-flo
2 separate interfaces (like a switch) 2 separate interfaces (like a switch)
* The **routing decision** step is also what decides the output interface, * The **routing decision** step is also what decides the output interface,
the __forward__ hook is the first to know the output interface the __forward__ hook is the first to know the output interface
* There are **4** chains: **filter** and **nat** (common), mangle and raw (rarely used) * There are **4** chains: **filter** and **nat** (common), `mangle` and `raw` (rarely used)
* There are **5** hooks: * There are **5** hooks:
* filter: **input**, **forward**, **output** * filter: **input**, **forward**, **output**
* nat: **prerouting**, **postrouting** * nat: **prerouting**, **postrouting**
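Review bot: putting `mangle` and `raw` in code while **filter** and **nat** stay bold styles the four names inconsistently; pick one style. More importantly, the terminology on the surrounding unchanged lines is off: filter, nat, mangle and raw are iptables tables (chain types in nftables), not chains, and the five hooks are not partitioned by table: prerouting, input, forward, output and postrouting exist independently of the table, and an nftables nat chain can hook input or output as well as prerouting and postrouting. Suggest "There are 4 tables (nftables: chain types): ..." and "There are 5 hooks: prerouting, input, forward, output, postrouting", with the common pairings listed separately.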
...@@ -300,10 +305,10 @@ network configuration problems ...@@ -300,10 +305,10 @@ network configuration problems
### Network checklist ### Network checklist
* Does the network have working routing? * Can the network route to another address?
* Does the network resolve domain names? * Does the network resolve domain names?
* Are response packets coming back? * Are response packets coming back?
* Are there problems in upper layers? * Is everything ok in upper layers?
--- ---
...@@ -322,7 +327,7 @@ network configuration problems ...@@ -322,7 +327,7 @@ network configuration problems
* Again **ping** can be used to quickly check if DNS resolution * Again **ping** can be used to quickly check if DNS resolution
is working as intended, `ping poul.org` will return an ip is working as intended, `ping poul.org` will return an ip
address is DNS is working address if DNS is working
* **dig** can help to check more complex problems, * **dig** can help to check more complex problems,
using `dig poul.org` will tell us if the system DNS using `dig poul.org` will tell us if the system DNS
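Review bot: "an ip address" should be "an IP address". It is also worth stating on the slide why the two tools can disagree, since that disagreement is itself a diagnostic clue: `ping` resolves names through the system resolver (nsswitch, so /etc/hosts first, then the configured nameservers), whereas `dig` sends a query straight to a DNS server and ignores /etc/hosts; "ping resolves but dig fails" points at /etc/hosts or a local stub resolver, the reverse points at nsswitch or resolv.conf.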
...@@ -340,7 +345,7 @@ network configuration problems ...@@ -340,7 +345,7 @@ network configuration problems
* Only have ssh but want to have a gui? No problem!<br> * Only have ssh but want to have a gui? No problem!<br>
``` ```
ssh root@<ip> 'tcpdump -i eth0 -s0 -w -' | wireshark -k -i - ssh root@<ip> "tcpdump -i eth0 -s0 -w - 'not port 22'" | wireshark -k -i -
``` ```
--- ---
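Review bot: excluding port 22 is the right fix for the feedback loop (without it the capture contains the SSH session that carries the capture, which grows without bound), but `'not port 22'` hides every SSH connection on the host, not just this one; `'not (host <your ip> and port 22)'` keeps other SSH traffic visible. Consider adding `-U` to tcpdump so the packet-buffered output reaches Wireshark as packets arrive rather than in buffered chunks, and note that `-s0` is the default in current tcpdump, so it is harmless but not required.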
...@@ -431,11 +436,11 @@ Endpoint = <server public ip>:51820 ...@@ -431,11 +436,11 @@ Endpoint = <server public ip>:51820
--- ---
``` ```
wg-quick server.conf wg-quick up server.conf
``` ```
``` ```
wg-quick client.conf wg-quick up client.conf
``` ```
--- ---
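Review bot: adding `up` is the correct fix, but `wg-quick up server.conf` still does not do what the slides intend: wg-quick treats an argument that looks like an interface name (up to 15 characters of letters, digits and a few punctuation marks, `.` included) as an interface and looks for /etc/wireguard/<name>.conf, so `server.conf` resolves to /etc/wireguard/server.conf.conf. Use `wg-quick up server` with the file installed in /etc/wireguard, or pass an explicit path such as `wg-quick up ./server.conf` (the interface is then named `server`); same for the client line.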
...@@ -447,7 +452,8 @@ wg-quick client.conf ...@@ -447,7 +452,8 @@ wg-quick client.conf
## Well not so fast ## Well not so fast
Due to the fail-open nature, it is sometimes difficult to debug Due to the fail-open nature, it is sometimes difficult to debug
Some debugging techniques are shown in the previous sections. Some debugging techniques are shown in the previous sections.
Ping tends to report an error if wireguard is misconfigured.
The linked slides offer a more in-depth explaination of the The linked slides offer a more in-depth explaination of the
configuration that might help to debug problems. configuration that might help to debug problems.
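Review bot: the added sentence "Ping tends to report an error if wireguard is misconfigured" is vague and partly at odds with the "fail-open" sentence just above it; say which failures are loud and which are silent. The Linux implementation returns "Required key not available" when no peer's AllowedIPs covers the destination and "Destination address required" when the selected peer has no endpoint yet, whereas a wrong key, AllowedIPs mismatched on the remote side, or UDP blocked by a firewall simply time out with no error at all. Also "explaination" should be "explanation" on the unchanged line.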
...@@ -467,14 +473,15 @@ Strong points: ...@@ -467,14 +473,15 @@ Strong points:
* Only Python and SSH need to be installed to have a machine * Only Python and SSH need to be installed to have a machine
be controlled by Ansible be controlled by Ansible
* Idempotent (multiple runs have the same result as one) * Idempotent (multiple runs have the same result as one)
* Declarative/Stateless - what is on the config files dictates the end result * Declarative/Stateless - what is on the config files dictates the end result,
not how to get there
--- ---
## What can you do with ansible? ## What can you do with ansible?
* Maintain consistent configurations across machines * Maintain consistent configurations across machines
* Have all your machines have a set of installed packages * Have set of installed packages on all your machines
* Manage installation/upgrade of services in a reproducible way * Manage installation/upgrade of services in a reproducible way
--- ---
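Review bot: the reworded "Declarative/Stateless" bullet reads well, but the "Idempotent" bullet above it needs a caveat on the slide: idempotence is a property of the modules, not of Ansible itself. `command` and `shell` tasks run every time unless guarded with `creates`, `removes` or `changed_when`, and `state: latest` (used in the playbook later in this commit) changes the system on every run in which a newer package exists.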
...@@ -487,7 +494,7 @@ Strong points: ...@@ -487,7 +494,7 @@ Strong points:
--- ---
## Anatony of an inventory ## Anatomy of an inventory
```ini ```ini
[webservers] [webservers]
...@@ -522,7 +529,7 @@ apk: ...@@ -522,7 +529,7 @@ apk:
remote_user: root remote_user: root
tasks: tasks:
- name: install webserver - name: install webserver
apk: package:
name: lighthttpd name: lighthttpd
state: latest state: latest
- name: start webserver - name: start webserver
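Review bot: switching to the generic `package` module is fine, but two problems remain in the visible task. The package name `lighthttpd` is a typo; the Alpine package (and the upstream project) is `lighttpd`, so the play fails at this step. And `state: latest` contradicts the "reproducible" and "idempotent" claims elsewhere in the slides: `state: present` is the usual choice, with upgrades done in a separate, deliberate task.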
...@@ -552,15 +559,15 @@ apk: ...@@ -552,15 +559,15 @@ apk:
--- ---
### Server ### Cloud Server
* Usually have better uptime (much closer to 100%) * Usually has better uptime (much closer to 100%)
* Storage has magic underneath * Storage has magic underneath
* Usually have higher network bandwidth * Usually has higher network bandwidth
--- ---
### What to consider to do cost/benefit ### What to consider to do cost/benefit-wise
* On cloud servers the entire infrastructure * On cloud servers the entire infrastructure
is redundant, and if a component breaks the is redundant, and if a component breaks the
...@@ -589,11 +596,15 @@ apk: ...@@ -589,11 +596,15 @@ apk:
## SBC ARM/Router ## SBC ARM/Router
<img src="assets/rpi4.jpg" style="max-height: 30%"> <div style="display: block; margin: 0 auto">
<img src="assets/rpi4.jpg" style="max-width: 27%">
<img src="assets/tinkerboard.png" style="max-width: 30%">
<img src="assets/rockpro64.png" style="max-width: 25%">
</div>
* Cost: 20-100€ * Cost: 20-100€
* Computing power: Medium-Low * Computing power: Medium-Low
* Storage: scarce (eccetto usb 3) * Storage: scarce/decent
* Power consumption: > 10W * Power consumption: > 10W
--- ---
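Review bot: the three new `<img>` tags have no `alt` attribute; add the board name for each. The edited bullet "Storage: scarce/decent" also drops the qualifier that made the old "scarce (eccetto usb 3)" useful; suggest "Storage: scarce, decent when a USB 3 port is available".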
...@@ -612,14 +623,15 @@ apk: ...@@ -612,14 +623,15 @@ apk:
## Why you shouldn't buy a RPi ## Why you shouldn't buy a RPi
* 1-3 have usb ports behind an hub * 1-3 have usb ports behind a hub
* 1-3 have ethernet behind an usb adapter<br>(guess where it is attached?) * 1-3 have ethernet behind an usb adapter<br>(guess where it is attached?)
* Wifi tends to be very crappy without * Wifi tends to be very crappy without
an u.FL connector and a proper antenna an u.FL connector and a proper antenna
* Computing power is generally poorer than * Computing power is generally lower than
competitors for the same price point competitors for the same price point
* RPi linux distributions tend to come with * RPi linux distributions tend to come with
a lot of propietary broadcom blobs a lot of proprietary broadcom blobs
* Generally poor power supply circuitry
--- ---
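Review bot: "behind an usb adapter" should be "behind a USB adapter", matching the "a hub" correction on the line above, and "u.FL" is normally written "U.FL". The new bullet "Generally poor power supply circuitry" is asserted without support; a concrete symptom or a reference would make it defensible in front of an audience.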
...@@ -632,7 +644,7 @@ apk: ...@@ -632,7 +644,7 @@ apk:
* Cost: 50-200€ * Cost: 50-200€
* Computing power: Medium-High * Computing power: Medium-High
* Storage: sufficent * Storage: usually quite decent
* Power consumption: 10-50W * Power consumption: 10-50W
--- ---
...@@ -646,9 +658,9 @@ apk: ...@@ -646,9 +658,9 @@ apk:
* Cost: 100-2000€ * Cost: 100-2000€
* Computing power: High * Computing power: High
* Storage: sufficent-plenty (SAN) * Storage: sufficent-plenty (NAS)
* Power Consuption: 200-2000W * Power Consuption: 200-2000W
* Pros: no house heating costs * Pros: [no house heating costs](https://hardware.slashdot.org/story/17/09/13/002250/french-company-plans-to-heat-homes-offices-with-amd-ryzen-pro-processors)
--- ---
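Review bot: SAN to NAS is the right correction for a home setting, but the two typos on the adjacent lines survive the hunk: "sufficent" should be "sufficient" and "Consuption" should be "Consumption".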
...@@ -735,7 +747,7 @@ AFAIK there is no ONT with OpenWRT support ...@@ -735,7 +747,7 @@ AFAIK there is no ONT with OpenWRT support
<img src="assets/ethernet.jpg" style="max-height: 30%" /> <img src="assets/ethernet.jpg" style="max-height: 30%" />
Some provides (eg. Eolo) use alternative transmission mediums, Some providers (eg. Eolo) use alternative transmission mediums,
usually these will have an ordinary ethernet cable attached usually these will have an ordinary ethernet cable attached
to a mundane wifi router to a mundane wifi router
...@@ -757,7 +769,7 @@ to a mundane wifi router ...@@ -757,7 +769,7 @@ to a mundane wifi router
## Small digression: Modem Libero ## Small digression: Modem Libero
At the end of 2018 the AGCOM (italian telecomunications agency) approved At the end of 2018 the AGCOM (italian telecomunications agency) approved
a set of rules that force ISP to provide appropiate means to allow consumers a set of rules that forces ISPs to provide appropiate means to allow consumers
to choose their own router (ONT are still part of the ISP's network) to choose their own router (ONT are still part of the ISP's network)
Obtaining the various settings for connecting to the ISP's network varies Obtaining the various settings for connecting to the ISP's network varies
by difficulty and amount of call centers you have to contact based on the ISP you pick by difficulty and amount of call centers you have to contact based on the ISP you pick
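Review bot: the edited line still carries "appropiate" (should be "appropriate"), and the unchanged line above has "telecomunications" (should be "telecommunications"). The closing sentence is a run-on; suggest "Obtaining the settings needed to connect to the ISP's network varies in difficulty, and in the number of call centres you have to go through, depending on the ISP you pick".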