Contact our honeypot department if you are desperate to get blacklisted.

Wednesday, December 30, 2009

Iptables comments

When working as a team, sharing information is critical. Nothing beats inline comments for this, as programmers and *nix admins will appreciate. For years I've been frustrated with the lack of comments in our *nix iptables files. What is this rule? Who put this here? Is it still valid? One could put helpful comments in the /etc/sysconfig/iptables file, but they'd be overwritten if anyone ran "iptables-save" or "service iptables save" (the latter being a recent and pleasant discovery).

Like most things *nix, the answer has been there all along; I just never looked in the right place for it. Strangely, I found this one in the man page for iptables. Fancy that! Simply add an additional packet matching module, in this case the comment module, to your rule definition. Rules and caveats:

  • It can be anywhere in the rule _before_ the -j or "jump" bit.
  • It is limited to 245 characters.
  • There is only one directive used by the comment module: --comment ""
  • Remember to wrap your comment in _double_ quotes.


[root@localhost]# iptables -I INPUT 1 -d 10.10.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "This is a comment" -j ACCEPT

results in:

[root@localhost]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.10.10.0/24 anywhere state NEW tcp dpt:ssh /* this is a comment */

Remember to run "service iptables save". Enjoy!
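Once rules carry comments, the natural follow-up is finding the ones that still don't. The following is an added example, not part of the original post: it reads a dump in iptables-save format and lists every rule that has no "-m comment --comment" annotation, so the team can see which rules still need an owner and a reason. The ruleset embedded below is constructed for the demo; on a live box you would pipe iptables-save into it instead.

```shell
# Added example (not from the original post): list iptables rules that
# carry no "-m comment --comment" annotation. Reads iptables-save output
# on stdin; only rule lines (those starting with -A) are considered.

list_uncommented_rules() {
  # Keep rule lines, drop the ones that contain a comment match.
  grep '^-A ' | grep -v -- '-m comment --comment '
}

count_uncommented_rules() {
  list_uncommented_rules | wc -l | tr -d ' '
}

# Constructed sample ruleset: two rules are documented, two are not.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 10.10.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "This is a comment" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m comment --comment "DNS, owner: netops, reviewed 2009-12" -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j DROP
COMMIT'

# Demo on the constructed sample. On a real host run instead:
#   iptables-save | list_uncommented_rules
printf '%s\n' "$SAMPLE_RULESET" | list_uncommented_rules
```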

Thursday, December 3, 2009

Cisco ASA 5505 licensing caveats

While the Cisco ASA firewall appliance is a nice piece of work, it is a bit like a British sports car: it's great when it's working and not so great when it's not. In addition to the usual code-based caveats to watch out for, there are also a few licensing issues to be aware of on the ASA 5505. The output of the "show ver" command will quickly display the limitations of your ASA:

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10       
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10       
WebVPN Peers                : 2        
Dual ISPs                   : Disabled 
VLAN Trunk Ports            : 0        

This platform has a Base license.

Here is an example of the Security Plus License feature set:

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 25       
WebVPN Peers                : 2        
Dual ISPs                   : Enabled  
VLAN Trunk Ports            : 8        

This platform has an ASA 5505 Security Plus license.


A brief explanation of the two items to watch in the Base license output (the VLANs and Inside Hosts lines):
  1. Only 10 hosts from the DMZ and LAN combined may communicate with the Outside interface at any one time.
  2. Only 2 fully-functional VLANs (usually inside and outside) are permitted. The 3rd VLAN, typically a DMZ, can only be activated with the "no forward interface vlan n" command, which prevents it from initiating connections to one of the other VLANs, usually the inside.

    interface Vlan3
     description DMZ
     no forward interface Vlan1
     nameif dmz
     security-level 50
     ip address

    Fortunately, it still permits replies to connections initiated from the inside to the DMZ.  ***Use caution here and think it through***  This means that:
    • You cannot host your DNS server (frequently also your Windows Domain Controller) on your inside vlan.
    • Your backup strategy may fail.  If your backup server is on the inside vlan, you won't be able to SSH (and by extension SCP, rsync, etc.) to it from the DMZ.  You can still SSH from the inside to the DMZ, of course...
    • An SMTP server on the DMZ cannot initiate LDAP queries (or other methods of recipient verification) to an inside host.

    It would appear that only the 5505 (i.e. not the 5510, 5520, etc.) has this DMZ limitation. See Cisco's Comparison Chart for more details.  So before you think you've just gotten a great deal on a refurbished firewall from Brian at Network Liquidators (hint hint), make sure you've asked yourself, and your vendor, the right questions.
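Because the limits only show up in "show ver", it is easy to design around a DMZ that a Base license cannot actually give you. The following is an added example, not from the original post or from Cisco: it scans the "Licensed features for this platform" section, pasted or piped in, and flags the restricted DMZ VLAN, the inside-host cap, and the missing failover and dual-ISP features. The two samples embedded below are the Base and Security Plus listings shown above.

```shell
# Added example (not from the original post): flag Base-license limits in
# the "Licensed features" block of ASA "show version" output read on stdin.
# Fields are split on the ": " separator used in that listing.

asa_license_warnings() {
  awk -F': *' '
    { sub(/ +$/, "", $2) }                           # drop padding after the value
    /^VLANs/        && $2 ~ /DMZ Restricted/ { print "WARN: VLANs " $2 " (third VLAN needs no forward interface and cannot initiate to the others)" }
    /^Inside Hosts/ && $2 ~ /^[0-9]+$/       { print "WARN: only " $2 " inside+DMZ hosts may talk to outside at once" }
    /^Failover/     && $2 ~ /^Disabled/      { print "WARN: no failover" }
    /^Dual ISPs/    && $2 ~ /^Disabled/      { print "WARN: no dual ISP" }
  '
}

asa_license_warning_count() {
  asa_license_warnings | wc -l | tr -d ' '
}

# Sample listings from the post (Base license, then Security Plus).
SAMPLE_BASE='Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0'

SAMPLE_PLUS='Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 25
WebVPN Peers                : 2
Dual ISPs                   : Enabled
VLAN Trunk Ports            : 8'

# Demo: four warnings for Base, none for Security Plus.
printf '%s\n' "$SAMPLE_BASE" | asa_license_warnings
```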

Monday, November 23, 2009

Increasing your swap file

The rule of thumb (I really need to stop using that phrase) is that your swap file size should be equal to the size of your physical RAM.  If you increase your RAM, you may want to increase your swap file size as well.  If you're using an LVM partition as swap, then it's pretty easy:

First find your swap file:
fdisk -l | grep swap

Then:
swapoff  /dev/VolGroup00/LogVol01
lvresize /dev/VolGroup00/LogVol01 -L 768M
mkswap   /dev/VolGroup00/LogVol01
swapon   /dev/VolGroup00/LogVol01

This is based mostly on Ben Stokes' article.  In fact, except for the omission of the mkswap command, his is the superior post.  For a more terse treatment from RedHat see http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/s1-swap-adding.html
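The four commands above are easy to run against the wrong device or with a size picked by eye. The following is an added example, not from the original post or from Ben Stokes' article: it derives the target size from the rule of thumb (swap equal to physical RAM) using /proc/meminfo, reads the current size of the volume from /proc/swaps, refuses to act on a device that is not active swap, and only then prints the swapoff/lvresize/mkswap/swapon sequence. The /proc contents and the volume name are constructed sample input.

```shell
# Added example (not from the original post): plan an LVM swap resize with
# the size taken from RAM and a check that the device really is active swap.

recommended_swap_mb() {       # $1 = contents of /proc/meminfo
  printf '%s\n' "$1" | awk '/^MemTotal:/ { printf "%d\n", ($2 + 1023) / 1024 }'
}

current_swap_mb() {           # $1 = contents of /proc/swaps, $2 = device path
  # Note: the kernel may list the mapper name (/dev/dm-N) rather than the LV path.
  printf '%s\n' "$1" | awk -v dev="$2" '$1 == dev { printf "%d\n", $3 / 1024 }'
}

plan_swap_resize() {          # $1 = meminfo, $2 = swaps, $3 = LVM swap device
  want=$(recommended_swap_mb "$1")
  have=$(current_swap_mb "$2" "$3")
  if [ -z "$have" ]; then
    echo "ERROR: $3 is not an active swap device; refusing to guess" >&2
    return 1
  fi
  if [ "$have" -ge "$want" ]; then
    echo "swap is ${have}M and RAM is ${want}M: nothing to do"
    return 0
  fi
  # Steps from the post. mkswap is required: the old swap signature only
  # covers the old extent of the volume.
  printf 'swapoff  %s\nlvresize %s -L %sM\nmkswap   %s\nswapon   %s\n' \
    "$3" "$3" "$want" "$3" "$3"
}

# Constructed sample: 768 MB of RAM and a 512 MB LVM swap volume.
SAMPLE_MEMINFO='MemTotal:         786432 kB
MemFree:          102400 kB'
SAMPLE_SWAPS='Filename                                Type            Size    Used    Priority
/dev/VolGroup00/LogVol01                partition       524280  0       -1'

# Demo; on a real host pass "$(cat /proc/meminfo)" and "$(cat /proc/swaps)".
plan_swap_resize "$SAMPLE_MEMINFO" "$SAMPLE_SWAPS" /dev/VolGroup00/LogVol01
```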

Thursday, November 19, 2009

Schedule BASH commands

Much like Cisco IOS's "at" command, BASH supports a command-line scheduler.  This is handy when a cron job is just too much trouble:

echo "/path/to/script" | at 22:00

or

echo "/path/to/script" | at now +1 hour

Wednesday, November 18, 2009

Recursively Search & Replace with grep and sed

The following tidbit recursively searches the current directory for files containing a string and replaces the string, in place, with a new string:

grep -rl original ./* | xargs sed -i 's/original/replacement/g'

By default sed and vi will only replace the first instance of a string on a line.  The /g ensures that all instances on every line are replaced.
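The one-liner breaks on filenames containing spaces, treats the search string as a regular expression, and leaves no way back if the replacement was wrong. The following is an added example, not from the original post: the same recursive replace, hardened with grep --null and xargs -0 for odd filenames, escaping so the strings are taken literally, a .bak copy of every changed file, and .bak files excluded so a second run does not rewrite the backups. It assumes GNU grep, sed and xargs (the post's sed -i already does); the demo tree it builds is constructed sample data.

```shell
# Added example (not from the original post): recursive literal
# search-and-replace that survives spaces in filenames and keeps backups.

escape_for_sed() {    # make a literal string safe inside the s#...# pattern
  printf '%s' "$1" | sed 's#[][\\/.*^$&]#\\&#g'
}

replace_in_tree() {   # $1 = directory, $2 = original text, $3 = replacement
  from=$(escape_for_sed "$2")
  to=$(printf '%s' "$3" | sed 's#[\\/&]#\\&#g')
  # --null / -0: NUL-separated names, so spaces and newlines are harmless.
  # --exclude '*.bak': never touch the backups from an earlier run.
  grep -rl --null -F -e "$2" --exclude='*.bak' -- "$1" \
    | xargs -0 -r sed -i.bak "s/$from/$to/g"
}

count_files_containing() {  # $1 = directory, $2 = literal string
  grep -rl -F -e "$2" --exclude='*.bak' -- "$1" | wc -l | tr -d ' '
}

make_demo_tree() {    # constructed sample files, including a directory with a space
  d=$(mktemp -d)
  printf 'original here, original there\n' > "$d/one.txt"
  printf 'nothing to see\n' > "$d/two.txt"
  mkdir "$d/sub dir"
  printf 'original\n' > "$d/sub dir/three.txt"
  printf '%s' "$d"
}
```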

Friday, October 30, 2009

PE-CE BGP dual-homed with backup

This document details the configurations necessary to connect an MPLS customer to an MPLS Service Provider via two separate links terminating on two separate PE routers. In this case the customer has a 10 Mbps Ethernet circuit, which is to be used as the primary link, and an ADSL line which is to be used when the Ethernet circuit is not functioning.

This configuration uses standard, default BGP timers and therefore the failover takes approximately 180 seconds. It will revert back to the primary significantly faster once connectivity has been re-established.


!!PE-01 - Ethernet PE
!
!!Enter the PE's BGP configuration
router bgp
!! Enter the customer's PE-CE BGP configuration 
 address-family ipv4 vrf CustomerVRF
 no synchronization
 !! use this to send a default route to all other PE routers in this VRF, not the customer's PE routers.
 default-information originate
 !! replace this with the customer's BGP AS.  Must be >=65000
 neighbor 192.168.2.2 remote-as 65nnn 
 neighbor 192.168.2.2 update-source GigabitEthernet0/1
 !! Always set a password
 neighbor 192.168.2.2 password  
 neighbor 192.168.2.2 next-hop-self
 !! (optional) send a default route
 neighbor 192.168.2.2 default-originate
 !! Always limit the number of routes accepted
 neighbor 192.168.2.2 maximum-prefix 250 80
 !! don't use classful summaries
 no auto-summary 
 neighbor 192.168.2.2 activate
 exit-address-family


!PE-02 - ADSL RAS PE
!
route-map CustomerVRFSetLocalIn permit 10
 set local-preference 50
!
route-map CustomerVRFSetLocalIn permit 20
!
!!Enter the PE's BGP configuration
router bgp
!! Enter the customer's PE-CE BGP configuration
 address-family ipv4 vrf CustomerVRF    
 no synchronization
 !! (optional) send a default route
 default-information originate
 !! replace this with the customer's BGP AS.  Must be >=65000  
 neighbor 192.168.1.2 remote-as 65nnn
 !! Change this to whatever the PE's connected interface on their VRF is 
 neighbor 192.168.1.2 update-source Loopbackn
 !! Always set a password
 neighbor 192.168.1.2 password   
 neighbor 192.168.1.2 next-hop-self
 !! (optional) send a default route
 neighbor 192.168.1.2 default-originate 
 !! apply the route map which lowers the LocalPref (and thereby the chances of being entered into the Provider's LFIB).  When the preferred route is
 !! removed from BGP as a result of the neighbor going down on the primary link, this route will be entered into the LFIB on the next BGP scan.
 neighbor 192.168.1.2 route-map CustomerVRFSetLocalIn in 
 !! Always limit the number of routes accepted
 neighbor 192.168.1.2 maximum-prefix 250 80 
 !! don't use classful summaries
 no auto-summary 
 neighbor 192.168.1.2 activate
 exit-address-family


!!CPE
!
route-map setlocalin permit 10
 set local-preference 50
!
route-map setlocalin permit 20
!
router bgp 65004
 no synchronization
 bgp log-neighbor-changes
 !! Primary: PE-01 over the Ethernet circuit (replace with the provider's AS)
 neighbor 192.168.2.1 remote-as
 !! Always set a password
 neighbor 192.168.2.1 password
 !! Backup: PE-02 over the ADSL line (replace with the provider's AS)
 neighbor 192.168.1.1 remote-as
 !! Always set a password
 neighbor 192.168.1.1 password
 !! lower the LocalPref of routes learned over ADSL so the Ethernet path is preferred
 neighbor 192.168.1.1 route-map setlocalin in
 no auto-summary
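The configuration comments repeat two rules: always set a neighbor password and always cap the number of accepted prefixes. The following is an added example, not part of the original post: a small lint over an IOS-style configuration that reports every BGP neighbor lacking a remote-as, a password, or a maximum-prefix line, so the blank placeholders above (and copy-and-paste slips like a password applied to the wrong neighbor) are caught before the config goes live. The configuration embedded below is constructed, with a placeholder AS and password.

```shell
# Added example (not from the original post): report BGP neighbors that
# are missing remote-as, password, or maximum-prefix. Reads the config
# on stdin; a keyword with no value after it counts as missing.

bgp_neighbor_lint() {
  awk '
    $1 == "neighbor" {
      n = $2; seen[n] = 1
      if ($3 == "remote-as"      && NF >= 4) has_as[n] = 1
      if ($3 == "password"       && NF >= 4) has_pw[n] = 1
      if ($3 == "maximum-prefix" && NF >= 4) has_max[n] = 1
    }
    END {
      for (n in seen) {
        if (!has_as[n])  print "WARN " n ": no remote-as (stray password or route-map line?)"
        if (!has_pw[n])  print "WARN " n ": no password (session authentication missing)"
        if (!has_max[n]) print "WARN " n ": no maximum-prefix (accepted routes not bounded)"
      }
    }'
}

bgp_neighbor_lint_count() {
  bgp_neighbor_lint | wc -l | tr -d ' '
}

# Constructed sample: the Ethernet peer is complete, the ADSL peer is not.
SAMPLE_BGP='router bgp 65004
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.2.1 remote-as 64500
 neighbor 192.168.2.1 password PLACEHOLDER-password
 neighbor 192.168.2.1 maximum-prefix 250 80
 neighbor 192.168.1.1 remote-as 64500
 neighbor 192.168.1.1 route-map setlocalin in
 no auto-summary'

# Demo: two warnings, both for 192.168.1.1.
printf '%s\n' "$SAMPLE_BGP" | bgp_neighbor_lint
```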