Sown-gw
Sown-gw is SOWN's Gateway server.
It has an Intel(R) Xeon(R) CPU X3360 @ 2.83GHz processor with 4GiB of memory and a 149GiB Western Digital SATA hard disk. It has 2x Broadcom NetXtreme BCM5721 Gigabit Ethernet and 4x Intel 82575GB Gigabit Ethernet network interfaces. It is housed within a 1U Rackmount case located in 59/1245 (50° 56' 15", -1° 23' 52").
The server has a power consumption of ?W at boot, ?W idle and ?W when turned off.
Installed Software
The server's operating system is Ubuntu 18.04 LTS (64-bit) running on Linux Kernel 4.15.0-xx (x86_64).
The server also has the following software installed on it:
Services Provisioned
- Firewall
- Routing
- DNS slave
Network
This server is connected to the SOWN VLAN, with the IP addresses:
- 10.5.0.252
- 2001:630:d0:f700::252
Its DNS names are:
- gw.sown.org.uk
- ns1.sown.org.uk
It also has the following CNAMEs:
- backup1.sown.org.uk
Its MAC address is 00:22:19:d5:9e:3a on its eth0 interface and is connected to port b59-l1-cat1/GigabitEthernet5/0/30 with a yellow network cable.
This server is also connected to an ECS DMZ VLAN, with the IP addresses:
- 152.78.189.44
Its DNS name is:
- sown-gw.ecs.soton.ac.uk
Its MAC address is 00:22:19:d5:9e:3b on its eth1 interface and is connected to port b59-l1-cat1/GigabitEthernet5/0/29 with a yellow network cable.
This server is connected to the SOWN uplink VLAN with the IP addresses:
- 152.78.103.236
- 2001:630:d0:505::1:5032
Its MAC address is 00:1b:21:38:d8:18 on its eth2 interface and it is connected to port b59-l1-cat1/GigabitEthernet5/0/18 with a network cable of unknown colour. The DNS name on the uplink is:
- hfc-sown-gw.net.soton.ac.uk
This server has its DRAC connected over IPMI with the IP address:
- 10.5.0.188
Its MAC address is 00:22:19:d5:9e:3a on its eth0:ipmi interface and it is connected to port b32-l3-sown/GigabitEthernet/0/30 with a white network cable. The DNS name for its DRAC is:
- gw-ipmi.sown.org.uk
The WakeOnLAN capability of this server is supported on eth0 and eth1 but not enabled on either.
Installing the Firewall
- From the backup, restore /etc/default/firewall4, /etc/default/firewall6 and /etc/init.d/firewall.
- Ensure that references to iptables and ip6tables in /etc/init.d/firewall use the correct path.
- To test the v4 firewall run: iptables-restore --test /etc/default/firewall4
- To test the v6 firewall run: ip6tables-restore --test /etc/default/firewall6
- Ensure the firewall will start on boot: update-rc.d firewall defaults
- To start the firewall run: /etc/init.d/firewall
Bespoke Service Checks
- CONNTRACK4
- This checks that the IPv6 firewall allows requests from SOWN-VLAN-only servers; in this case Sown-monitor-new must be able to make an HTTP request to www.google.co.uk. If it cannot, or the page returned does not contain the word 'Google', it returns CRITICAL.
- CONNTRACK6
- This checks that the IPv4 firewall allows requests from SOWN-VLAN-only servers; in this case Sown-monitor-new must be able to make an HTTP request to www.google.co.uk. If it cannot, or the page returned does not contain the word 'Google', it returns CRITICAL.
- FIREWALL4
- This checks that the IPv4 firewall is running. The firewall has a canary rule that blocks any TCP traffic sent from Sown-monitor-new to 152.78.189.252 (skoll.ecs.soton.ac.uk). If Sown-monitor-new can make a successful IPv4 HTTP request to skoll.ecs.soton.ac.uk, the rule is not in effect and this check returns CRITICAL.
- FIREWALL6
- This checks that the IPv6 firewall is running. The firewall has a canary rule that blocks any TCP traffic sent from Sown-monitor-new to 2001:630:d0:f104::80f (skoll.ecs.soton.ac.uk). If Sown-monitor-new can make a successful IPv6 HTTP request to skoll.ecs.soton.ac.uk, the rule is not in effect and this check returns CRITICAL.
- FORWARD4
- This checks that the IPv4 firewall allows ping requests from SOWN-VLAN-only servers; in this case Sown-monitor-new must be able to ping 193.63.94.20 (ns0.ja.net). This reports CRITICAL if it cannot, or if latency is greater than 5 seconds, and WARNING if packet loss is greater than or equal to 80% or latency is greater than 3 seconds.
- FORWARD6
- This checks that the IPv6 firewall allows ping requests from SOWN-VLAN-only servers; in this case Sown-monitor-new must be able to ping 2001:630:0:9::14 (ns0.ja.net). This reports CRITICAL if it cannot, or if latency is greater than 5 seconds, and WARNING if packet loss is greater than or equal to 80% or latency is greater than 3 seconds.