From Openitware

System Description

Network Bridge

Speech recognition tools are powerful, but they depend on software updates and patches to run effectively and properly. Most software relies on an internet connection to fetch updates, browse the web and work remotely. The network team proposed a design in which the UNIX host machine Caesar is connected to the internet and works as a bridge, giving the drone Dell PowerEdge servers access to the internet.

This poses a problem: Caesar is used in an environment that allows only one Ethernet connection and prohibits putting a switch on the UNH Telecom line. The proposed solution is to make Caesar work as both a bridge and a router. Under this configuration, a switch on a 192.168.X.X network could provide internet access to the other servers running the Sphinx tools. This theory has been proven with a Windows XP networking service. Other problems to consider are whether Caesar's operating system will take two NICs (Network Interface Cards) and bridge them, and whether Caesar can act as a router providing a NAT service.

For this to work, a wired internet connection is needed: the incoming line from UNH Telecom connects to Caesar's first NIC, and a second NIC connects Caesar to a switched network running 192.168.X.X. Using the masquerading technique, we should be able to create a network bridge that implements NAT, but more testing is needed.
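As an added example (not from the original page or the network team's own configuration), the following shell function emits, in iptables-save format for review, the masquerading and forwarding rules that turn a two-NIC host into a NAT router for a private network. The interface names and the 192.168.10.0/24 subnet are assumptions passed as arguments; net.ipv4.ip_forward=1 must be set separately, and nothing is applied by the script itself.

```shell
#!/bin/sh
# Added example, not from the original page. Emits (does not apply) the iptables
# rule set for a dual-NIC NAT router using masquerading. Arguments: WAN interface,
# LAN interface, LAN subnet; all are assumptions supplied by the caller. Review the
# output, then apply it with iptables-restore. The kernel also needs
# net.ipv4.ip_forward=1 for the FORWARD chain to see any traffic at all.
nat_router_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address of LAN traffic leaving via $wan to this host's own
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Only the LAN may open new forwarded flows; WAN replies come back by state
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sanity check on the generated text: the masquerade rule must be scoped to the LAN
# subnet and the WAN interface, FORWARD must default to DROP, and no rule may accept
# traffic entering from the WAN side without a connection-state match.
check_nat_rules() {
    rules=$(nat_router_rules "$1" "$2" "$3")
    echo "$rules" | grep -qx -- "-A POSTROUTING -s $3 -o $1 -j MASQUERADE" || return 1
    echo "$rules" | grep -qx -- ':FORWARD DROP \[0:0\]' || return 1
    if echo "$rules" | grep -- "^-A FORWARD -i $1 " | grep -qv -- '--state'; then
        return 1
    fi
    return 0
}

# Usage: ./nat_rules.sh eth0 eth1 192.168.10.0/24 > nat_router.rules
if [ "$#" -eq 3 ]; then
    nat_router_rules "$1" "$2" "$3"
fi
```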

Firewall Procedure: Open a port

Before you begin
Watch a YouTube video on iptables to understand the nat and filter tables, and look up SELinux.
Step 1
  • Determine where things are and how to run them
For the purposes of this procedure I will use Rome as the example, but it should apply to all the servers. Let's first identify where the configuration files live: cd /etc/sysconfig. Here you will see the confusing part, which is that there are two firewalls. An 'ls' in the 'sysconfig' directory shows a number of 'iptables' and 'ip6tables' files, which you would think is all you need. Unfortunately there is also a 'system-config-firewall' file in here. It is easily editable, but lots of fun when you don't know it's there. Additionally, there is no symbolic link for iptables here as there is on Caesar, so you will need to run it with the full path: sudo /sbin/iptables [command].
Rome /etc/sysconfig]# ls
acpid         httpd                        kernel           pluto          smartmontools
atd           i18n                         keyboard         prelink        snmpd
auditd        init                         modules          quota_nld      snmptrapd
authconfig    ip6tables                    netconsole       raid-check     sshd
autofs        ip6tables-config             network          readahead      sysstat
cbq           ip6tables.old                networking       readonly-root  sysstat.ioconf
clock         iptables                     network-scripts  rhn            system-config-firewall
console       iptables-config              nfs              rngd           system-config-firewall.old
cpuspeed      iptables_LoadCurrent_config  nginx            rsyslog        system-config-users
crond         iptables.old                 nginx-debug      samba          udev
firstboot     iptables.save                nspluginwrapper  sandbox        wpa_supplicant
grub          irqbalance                   ntpd             saslauthd      xinetd
htcacheclean  kdump                        ntpdate          selinux 
Step 2
Let us start by making a copy of the current iptables config, which we will then edit: cp iptables iptables_032018Config. You can see mine above with the poorly named 'iptables_LoadCurrent_config'. Next, let's edit this file. I recommend the text editor nano with the switches -S and -c, so that the command reads: nano -Sc iptables_032018Config. The file will look like this:
# Generated by iptables-save v1.4.7 on Sat Mar  3 17:29:35 2018
# (the *table, chain-policy and COMMIT lines are required by iptables-restore;
#  the [0:0] counters shown for them are placeholders, yours will differ)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [590:112218]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8020 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Mar  3 17:29:35 2018
# Generated by iptables-save v1.4.7 on Sat Mar  3 17:29:35 2018
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8022 -j REDIRECT --to-ports 8020
COMMIT
# Completed on Sat Mar  3 17:29:35 2018
Here we will mostly be working with the *filter section. From it you can infer that the system accepts TCP input to destination ports 22, 8022 and 8020, each with a 'jump' to ACCEPT (a rule could also REJECT or DROP). Look up the iptables commands or YouTube videos on iptables to understand this better.
The *nat section currently redirects any TCP traffic that enters port 8022 to port 8020. This is configured specifically for the Nginx install described above. Presuming I was successful and you have an SSH load balancer while reading this, please don't touch that redirect.
Now add your own port by copying the preceding ACCEPT line and adjusting the number: -A INPUT -p tcp -m state --state NEW -m tcp --dport ## -j ACCEPT, where ## is your port. Keep it above the final -A INPUT -j REJECT line: rules are evaluated in order, and a rule placed after the catch-all REJECT never matches.

Note: ports below 1024 are privileged and may throw a hissy fit
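Before handing the edited file to iptables-restore it helps to lint it. The following is an added example in POSIX shell (not code from the page or its author): it lists the TCP ports the INPUT chain of *filter can actually accept and flags any rule placed after a chain's catch-all REJECT or DROP, which can never match. The sample file it builds is constructed from the rules shown above plus one correctly placed and one misplaced addition.

```shell
#!/bin/sh
# Added example, not from the original page: lint an iptables-save style file
# before handing it to iptables-restore.

# Constructed sample: the rules shown above plus port 8080 added correctly and
# port 9000 mistakenly added after the catch-all REJECT, where it never matches.
write_sample_config() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8020 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9000 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Walk the file once, tracking per table which chains have already hit an
# unconditional REJECT/DROP (a rule whose first option is the -j target).
# mode "ports": print --dport values of reachable INPUT ACCEPT rules in *filter.
# mode "shadowed": print every rule that follows such a catch-all in its chain.
scan_rules() {
    awk -v mode="$1" '
        /^\*/ { table = substr($0, 2); split("", closed) }
        /^-A / {
            chain = table ":" $2
            if (chain in closed) { if (mode == "shadowed") print; next }
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { closed[chain] = 1; next }
            if (mode == "ports" && table == "filter" && $2 == "INPUT" && $NF == "ACCEPT")
                for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
        }' "$2"
}
accepted_input_ports() { scan_rules ports "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'; }
shadowed_rules() { scan_rules shadowed "$1"; }

# Report for a real file, e.g. report iptables_032018Config
report() {
    echo "INPUT accepts TCP ports: $(accepted_input_ports "$1")"
    shadowed_rules "$1" | sed 's/^/SHADOWED (never matches): /'
}
```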

Step 3
Next, let us update the other firewall. While in /etc/sysconfig, run nano -Sc system-config-firewall. Editing should be self-explanatory:
# Configuration file for system-config-firewall

Step 4
Now load your config file into iptables: sudo /sbin/iptables-restore < iptables_032018Config. Your config should now be active. You can confirm by running sudo /sbin/iptables -nL and sudo /sbin/iptables -t nat -nL.

Note: The capital 'L' in -nL is important.

Additionally, run netstat -tapln and confirm that your services are listening on those ports. Once you are confident in your configuration, run sudo service iptables save, then sudo service iptables restart, and then recheck your config with sudo /sbin/iptables -nL. If your config is still there, you're good.
Step 5
Log out of Rome and then, either from Caesar or another drone, run nmap rome -Pn. This checks the 1,000 most common ports. The -Pn switch basically says 'I don't care if you think rome is offline, run the nmap command anyway'; it is needed because ICMP is blocked. Note that you may have to add the port number if your port is above the 1024 mark, such as: nmap rome -p8022 -Pn. This should confirm that the port has been opened, and you should be all set.

Step 6
You're done! However, if you have issues with SELinux policies, check out my (Camden Marble's) log for March 3rd 2018.

Hope that's helpful,

RedHat Solution

Network Bridge Setup: Server

Do not do any work on the network bridge remotely, as the steps involved will sever your connection to Caesar.

Red Hat documentation regarding the creation of a network bridge can be found here


The first step in creating the network bridge is to create a new interface (br0).

Navigate to /etc/sysconfig/network-scripts:

cd /etc/sysconfig/network-scripts

Once you are in the network scripts folder, use a text editor to create a new interface configuration named br0:

vi ifcfg-br0

Add the following to your newly created interface:


Once the bridge interface is configured, back up the existing eth1 config file by copying it to a new file:

cp -i ifcfg-eth1 ifcfg-eth1.old

Once your file is backed up, edit the eth1 file (not the .old) as follows:


At this point it is very important that nothing is running on the drone servers, as the next step restarts network services.

I cannot stress hard enough that NOTHING SHOULD BE RUNNING ON THE DRONES when network services get restarted, as this will sever ALL NFS CONNECTIONS which will lead to a corruption on any running trains/decodes.

service network restart

After the network service has been restarted, back up the bridge interface in the same manner as earlier:

cp -i ifcfg-br0 ifcfg-br0.old

Reverting The Network Bridge

Do not do any work on the network bridge remotely, as the steps involved will sever your connection to Caesar.


Since the network bridge should only be active when strictly necessary, knowing how to turn it off is vital.

Change directory to your network-scripts:

cd /etc/sysconfig/network-scripts

Use the ls command to make sure your network-scripts directory contains both ifcfg-eth1.old and ifcfg-br0.old.

If both files are in place, use rm to remove the bridge interface (DO NOT REMOVE THE ifcfg-br0.old CONFIG FILE, AS THIS IS YOUR BACKUP)

rm -i ifcfg-br0

Since there are two eth1 files that need to be saved, copy the current eth1 config file to a text file, then copy eth1.old to eth1, and complete the rotation by copying eth1.txt to eth1.old:

cp -i ifcfg-eth1 ifcfg-eth1.txt
cp -i ifcfg-eth1.old ifcfg-eth1
cp -i ifcfg-eth1.txt ifcfg-eth1.old

This sequence backs up the bridge-configured eth1 interface in ifcfg-eth1.old while restoring eth1 to its pre-bridge settings.

Your next step is to restart network services.

I cannot stress hard enough that NOTHING SHOULD BE RUNNING ON THE DRONES when network services get restarted, as this will sever ALL NFS CONNECTIONS which will lead to a corruption on any running trains/decodes.

service network restart
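As an added example that is not part of the original page, the setup and revert steps above can be scripted against a directory of your choosing, so they can be rehearsed in a scratch directory before touching /etc/sysconfig/network-scripts. The br0 address 192.168.10.1/24, static addressing and NM_CONTROLLED=no are assumptions; the page's own file contents are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the original page. Writes the bridge configuration the
# Red Hat procedure needs into directory $1 (rehearse in a scratch directory; use
# /etc/sysconfig/network-scripts only when nothing runs on the drones), checks it,
# and reverts it with the same backup rotation the page describes.
write_bridge_configs() {
    dir="$1"; ip="${2:-192.168.10.1}"; mask="${3:-255.255.255.0}"   # assumed defaults
    # Keep the pre-bridge eth1 file, as the page does with cp -i ifcfg-eth1 ifcfg-eth1.old
    if [ -f "$dir/ifcfg-eth1" ]; then cp "$dir/ifcfg-eth1" "$dir/ifcfg-eth1.old"; fi
    # br0 carries the address; eth1 is enslaved to it and carries none.
    cat > "$dir/ifcfg-br0" <<EOF
DEVICE=br0
TYPE=Bridge
BOOTPROTO=static
IPADDR=$ip
NETMASK=$mask
ONBOOT=yes
NM_CONTROLLED=no
EOF
    cat > "$dir/ifcfg-eth1" <<EOF
DEVICE=eth1
BRIDGE=br0
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
EOF
}

# Returns 0 when br0 is a bridge with an address and eth1 is enslaved without one.
check_bridge_configs() {
    dir="$1"
    grep -qx 'TYPE=Bridge' "$dir/ifcfg-br0" || return 1
    grep -q '^IPADDR=' "$dir/ifcfg-br0" || return 1
    grep -qx 'BRIDGE=br0' "$dir/ifcfg-eth1" || return 1
    # An address left on the enslaved port is the classic mistake.
    if grep -q '^IPADDR=' "$dir/ifcfg-eth1"; then return 1; fi
    return 0
}

# The page's revert sequence: refuse unless both backups exist, remove the bridge,
# then rotate eth1 -> eth1.txt, eth1.old -> eth1, eth1.txt -> eth1.old.
revert_bridge() {
    dir="$1"
    [ -f "$dir/ifcfg-eth1.old" ] && [ -f "$dir/ifcfg-br0.old" ] || return 1
    rm -f "$dir/ifcfg-br0"
    cp "$dir/ifcfg-eth1" "$dir/ifcfg-eth1.txt"
    cp "$dir/ifcfg-eth1.old" "$dir/ifcfg-eth1"
    cp "$dir/ifcfg-eth1.txt" "$dir/ifcfg-eth1.old"
}
```

Restarting the network service after either step is still a manual action, for the reasons the page gives.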

OpenSUSE Solution (outdated)

Network Bridge Setup: Server

This was successfully implemented on a test system via the following steps:

  • First: Ensure the correct hardware configuration is in place; one machine with two NIC ports, and one machine (or a switch) with one NIC port.
  • Second: Ensure the internet connection on the server machine is working.

1. On the main machine that will serve the internet connection to the rest, open YaST, select the NIC that will be used to share the connection (NOT THE ONE THAT CONNECTS THE COMPUTER TO THE INTERNET) and enter the network settings editor.

2. Now modify the settings for this Ethernet device (most likely eth1) to mirror the settings in Figure 1. PAY ATTENTION TO THE SUBNET! The same subnet must be used for the client machine.

Figure 1

3. Next, go back to YaST and enter the security settings area. Open the firewall settings. Configure the ACTIVE INTERNET connection (probably eth0) as the EXTERNAL FIREWALL ZONE. The "sharing" interface (probably eth1) should be set to the INTERNAL ZONE (see Figure 2).

Figure 2

4. Next, enable IP masquerading, which is in the same area as setting the firewall zones (See Figure 3).

Figure 3

Network Bridge Setup: Client

  • On the client machine, the setup is a little simpler:
  1. Set up a static IP and subnet as done in step 1 for the server. The IP must be different, and the subnet must be the same.
  2. Enter the routing tab and set the IP of the server as the default gateway. This is the static IP set up for eth1 on the server (NOT the IP of the active internet connection on the server).
  3. The last step is to set up the DNS servers to use. Use the DNS server that eth0 uses on the server (check the settings of eth0 on the server to get the DNS address).