Sown-gw

From SOWNWiki

Sown-gw is SOWN's Gateway server.

It has an Intel(R) Xeon(R) CPU X3360 @ 2.83GHz processor with 4 GiB of memory and a 149 GiB Western Digital SATA hard disk. It has 2x Broadcom NetXtreme BCM5721 Gigabit Ethernet and 4x Intel 82575GB Gigabit Ethernet network interfaces. It is housed within a 1U Rackmount case located in 59/1245 (50° 56' 15", -1° 23' 52").

The server has a power consumption of ?W at boot, ?W idle and ?W when turned off.

Installed Software

The server's operating system is Ubuntu 18.04 LTS (64-bit) running on Linux Kernel 4.15.0-xx (x86_64).

The server also has the following software installed on it:

Services Provisioned

  • Firewall
  • Routing
  • DNS slave



Network

This server is connected to the SOWN VLAN, with the IP addresses:

  • 10.5.0.252
  • 2001:630:d0:f700::252

Its DNS names are:

  • gw.sown.org.uk
  • ns1.sown.org.uk

It also has the following CNAME:

  • backup1.sown.org.uk

Its MAC address is 00:22:19:d5:9e:3a on its eth0 interface and is connected to port b59-l1-cat1/GigabitEthernet5/0/30 with a yellow network cable.


This server is also connected to an ECS DMZ VLAN, with the IP addresses:

  • 152.78.189.44

Its DNS name is:

  • sown-gw.ecs.soton.ac.uk

Its MAC address is 00:22:19:d5:9e:3b on its eth1 interface and is connected to port b59-l1-cat1/GigabitEthernet5/0/29 with a yellow network cable.


This server is connected to the SOWN uplink VLAN with the IP addresses:

  • 152.78.103.236
  • 2001:630:d0:505;:1:5032

Its MAC address is 00:1b:21:38:d8:18 on its eth2 interface and is connected to port b59-l1-cat1/GigabitEthernet5/0/18 with a network cable of unknown colour. The DNS name on the uplink is:

  • hfc-sown-gw.net.soton.ac.uk


This server has its DRAC connected over IPMI with the IP address:

  • 10.5.0.188

Its MAC address is 00:22:19:d5:9e:3a on its eth0:ipmi interface and is connected to port b32-l3-sown/GigabitEthernet/0/30 with a white network cable. The DNS name for its DRAC is:

  • gw-ipmi.sown.org.uk

The WakeOnLAN capability of this server is supported on eth0 and eth1 but not enabled on either.


Installing the Firewall

From the backup, restore /etc/default/firewall4, /etc/default/firewall6 and /etc/init.d/firewall

Ensure that references to iptables and ip6tables in the code have the correct path in /etc/init.d/firewall

To test the v4 firewall run: iptables-restore --test /etc/default/firewall4

To test the v6 firewall run: ip6tables-restore --test /etc/default/firewall6

Ensure the firewall will start on boot: update-rc.d firewall defaults

To start the firewall run: /etc/init.d/firewall
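The pre-flight checks above, collected into one script as an added example (this is not the wiki's own script). It assumes the file locations named on this page and that iptables-restore and ip6tables-restore are on the PATH:

```shell
#!/bin/sh
# Added example (not the SOWN wiki's own script): pre-flight checks to run after
# restoring the firewall files from backup and before enabling the init script.
# File locations are the ones named on this page.
RULES4=/etc/default/firewall4
RULES6=/etc/default/firewall6
INIT=/etc/init.d/firewall

# check_tool_paths INITSCRIPT: find every absolute path to iptables/ip6tables
# (or their -restore variants) referenced in the init script and confirm each
# exists and is executable. Returns the number of missing tools (0 = all good).
check_tool_paths() {
    script="$1"
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 2; }
    missing=0
    for p in $(grep -oE '(/[A-Za-z0-9._-]+)+/ip6?tables(-restore)?' "$script" | sort -u); do
        if [ -x "$p" ]; then
            echo "ok: $p"
        else
            echo "MISSING: $p (referenced in $script)" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# test_ruleset RESTORE_CMD RULESFILE: parse and validate a saved ruleset with
# --test, which never loads it into the kernel, so a typo cannot lock you out.
test_ruleset() {
    cmd="$1"; rules="$2"
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 2; }
    if "$cmd" --test "$rules"; then
        echo "ok: $rules parses cleanly with $cmd"
    else
        echo "FAILED: $rules rejected by $cmd --test" >&2
        return 1
    fi
}

# Run all checks; only register the service for boot if every check passes.
preflight() {
    check_tool_paths "$INIT" &&
    test_ruleset iptables-restore  "$RULES4" &&
    test_ruleset ip6tables-restore "$RULES6" &&
    echo "all checks passed; safe to run: update-rc.d firewall defaults"
}

# preflight   # uncomment to run on sown-gw as root
```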


Bespoke Service Checks

CONNTRACK4 
This checks that the IPv4 firewall allows requests from SOWN VLAN only servers, in this case that Sown-monitor-new can make an HTTP request to www.google.co.uk. If it cannot, or the page returned does not contain the word 'Google', it returns CRITICAL.
CONNTRACK6 
This checks that the IPv6 firewall allows requests from SOWN VLAN only servers, in this case that Sown-monitor-new can make an HTTP request to www.google.co.uk. If it cannot, or the page returned does not contain the word 'Google', it returns CRITICAL.
FIREWALL4 
This checks the IPv4 firewall is running. The firewall has a canary rule that blocks any TCP traffic being sent from Sown-monitor-new to 152.78.189.252 (skoll.ecs.soton.ac.uk). If it can make a successful IPv4 HTTP request to skoll.ecs.soton.ac.uk, then this check returns CRITICAL.
FIREWALL6 
This checks the IPv6 firewall is running. The firewall has a canary rule that blocks any TCP traffic being sent from Sown-monitor-new to 2001:630:d0:f104::80f (skoll.ecs.soton.ac.uk). If it can make a successful IPv6 HTTP request to skoll.ecs.soton.ac.uk, then this check returns CRITICAL.
FORWARD4 
This checks that the IPv4 firewall allows ping requests from SOWN VLAN only servers, in this case Sown-monitor-new can ping 193.63.94.20 (ns0.ja.net). This reports CRITICAL if it cannot or latency is greater than 5 seconds and WARNING if packet loss is greater than or equal to 80% or latency is greater than 3 seconds.
FORWARD6 
This checks that the IPv6 firewall allows ping requests from SOWN VLAN only servers, in this case Sown-monitor-new can ping 2001:630:0:9::14 (ns0.ja.net). This reports CRITICAL if it cannot or latency is greater than 5 seconds and WARNING if packet loss is greater than or equal to 80% or latency is greater than 3 seconds.
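The FORWARD4/FORWARD6 threshold logic as an added example, written here as a Nagios-style plugin; it is not SOWN's own monitoring code. The target host, ping count and the sample ping output are assumptions constructed for offline testing:

```shell
#!/bin/sh
# Added example, not SOWN's own monitoring plugin: a FORWARD4/FORWARD6-style
# check that pings a host through sown-gw and maps the result to Nagios exit
# codes using the thresholds described on this page. The target host, ping
# count and the sample output below are assumptions constructed for testing.

# forward_status LOSS_PCT RTT_MS -> 0 OK, 1 WARNING, 2 CRITICAL
# CRITICAL: no reply at all (100% loss) or average latency above 5000 ms.
# WARNING:  packet loss of 80% or more, or average latency above 3000 ms.
forward_status() {
    loss="$1"; rtt="$2"
    if [ "$loss" -ge 100 ] || [ "$rtt" -gt 5000 ]; then
        return 2
    elif [ "$loss" -ge 80 ] || [ "$rtt" -gt 3000 ]; then
        return 1
    fi
    return 0
}

# parse_ping OUTPUT -> prints "LOSS_PCT RTT_MS" taken from the ping summary
# ("N% packet loss" and the avg field of "rtt min/avg/max/mdev = a/b/c/d ms").
# A missing summary (host unreachable, ping aborted) counts as 100% loss.
parse_ping() {
    printf '%s\n' "$1" | awk '
        /packet loss/ { for (i = 1; i <= NF; i++) if ($i ~ /%$/) loss = int($i) }
        /^(rtt|round-trip)/ { split($4, a, "/"); rtt = int(a[2] + 0.5) }
        END { if (loss == "") loss = 100; if (rtt == "") rtt = 0; print loss, rtt }'
}

# check_forward TARGET [COUNT]: run ping and report in Nagios plugin style.
check_forward() {
    target="$1"; count="${2:-5}"
    out=$(ping -c "$count" "$target" 2>/dev/null)
    set -- $(parse_ping "$out")
    forward_status "$1" "$2"; rc=$?
    case $rc in 0) s=OK ;; 1) s=WARNING ;; *) s=CRITICAL ;; esac
    echo "FORWARD $s - $target loss=${1}% avg_rtt=${2}ms"
    return $rc
}

# Constructed sample of iputils ping output: 4 of 5 probes lost.
SAMPLE='--- 193.63.94.20 ping statistics ---
5 packets transmitted, 1 received, 80% packet loss, time 4005ms
rtt min/avg/max/mdev = 11.2/12.4/15.0/1.3 ms'

# Evaluate the sample offline: 80% loss -> WARNING (exit status 1).
sample_status() { set -- $(parse_ping "$SAMPLE"); forward_status "$1" "$2"; }
```

Running check_forward 193.63.94.20 from Sown-monitor-new reproduces the FORWARD4 check; pointing it at 2001:630:0:9::14 gives the FORWARD6 equivalent.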