Networking
(→IPv4 Allocations) |
m (Reverted edits by Jdhutchin@ugcs.caltech.edu (Talk); changed back to last version by Elizabeth@ugcs.caltech.edu) |
||
| Line 1: | Line 1: | ||
==Static IPs in UGCS== | ==Static IPs in UGCS== | ||
| − | Note the MTU - because we use VLANs, we have 4 less bytes to work with. | + | Within UGCS, we get only part of the subnet, and the gateway isn't in that part. As a result, the following wonky config snippet is recommended by Maurer (and Liz, the bridging will work fine with this config). Note the MTU - because we use VLANs, we have 4 less bytes to work with. |
allow-hotplug eth0 | allow-hotplug eth0 | ||
| Line 7: | Line 7: | ||
broadcast 131.215.176.127 | broadcast 131.215.176.127 | ||
netmask 255.255.255.192 | netmask 255.255.255.192 | ||
| − | |||
mtu 1496 | mtu 1496 | ||
| + | # Route the Gateway | ||
| + | post-up route add 131.215.176.254 eth0 | ||
| + | post-up route add default gw 131.215.176.254 | ||
==VLANs== | ==VLANs== | ||
| Line 56: | Line 58: | ||
** 88 lenin (owned by Dabney comptrollers) | ** 88 lenin (owned by Dabney comptrollers) | ||
** 89 donut (owned by Devteam) | ** 89 donut (owned by Devteam) | ||
| + | ** 90 metatron (owned by Matt Maurer) | ||
** 91 white.caltech.edu (owned by Mike White) | ** 91 white.caltech.edu (owned by Mike White) | ||
** 92 philemon.gelide.org (owned by Jon Dama) | ** 92 philemon.gelide.org (owned by Jon Dama) | ||
| Line 66: | Line 69: | ||
** 101 eternity.ugcs.caltech.edu (Alex Roper, username alexr) | ** 101 eternity.ugcs.caltech.edu (Alex Roper, username alexr) | ||
** 102 vitamin-s.ugcs.caltech.edu (owned by David DiCato) | ** 102 vitamin-s.ugcs.caltech.edu (owned by David DiCato) | ||
| + | ** 103 (name not known yet) ( owned by Pat Cahalan ) | ||
| + | ** 104 (name not known yet) ( owned by Alex Rasmussen ) | ||
* 105-124: Shellserver | * 105-124: Shellserver | ||
** 105 lara.ugcs.caltech.edu. | ** 105 lara.ugcs.caltech.edu. | ||
| Line 71: | Line 76: | ||
** 107 minthe.ugcs.caltech.edu. | ** 107 minthe.ugcs.caltech.edu. | ||
** 108 lethe.ugcs.caltech.edu. | ** 108 lethe.ugcs.caltech.edu. | ||
| − | ** 109 calliope.ugcs.caltech.edu. | + | ** 109 calliope.ugcs.caltech.edu. |
** 110 clio.ugcs.caltech.edu. | ** 110 clio.ugcs.caltech.edu. | ||
** 111 achilles.ugcs.caltech.edu (mortal) | ** 111 achilles.ugcs.caltech.edu (mortal) | ||
| Line 80: | Line 85: | ||
** 116 thalia.ugcs.caltech.edu. | ** 116 thalia.ugcs.caltech.edu. | ||
** 117 urania.ugcs.caltech.edu. | ** 117 urania.ugcs.caltech.edu. | ||
| − | ** 118 jason.ugcs.caltech.edu (mortal | + | ** 118 jason.ugcs.caltech.edu (mortal) |
** 119 midas.ugcs.caltech.edu (mortal) | ** 119 midas.ugcs.caltech.edu (mortal) | ||
** 120 medusa.ugcs.caltech.edu (mortal) | ** 120 medusa.ugcs.caltech.edu (mortal) | ||
| − | ** 121 dictys.ugcs.caltech.edu (mortal | + | ** 121 dictys.ugcs.caltech.edu (mortal) |
* 125: printer | * 125: printer | ||
* 126: charon | * 126: charon | ||
| Line 91: | Line 96: | ||
* We should get some (independent of Caltech even), if at all remotely possible. | * We should get some (independent of Caltech even), if at all remotely possible. | ||
| − | |||
| − | |||
| − | |||
[[Category:Sysadmin_Documentation]] | [[Category:Sysadmin_Documentation]] | ||
Revision as of 05:27, 19 March 2010
Contents |
Static IPs in UGCS
Within UGCS, we get only part of the subnet, and the gateway isn't in that part. As a result, the following wonky config snippet is recommended by Maurer (and Liz, the bridging will work fine with this config). Note the MTU - because we use VLANs, we have 4 less bytes to work with.
allow-hotplug eth0 iface eth0 inet static address 131.215.176.num broadcast 131.215.176.127 netmask 255.255.255.192 mtu 1496 # Route the Gateway post-up route add 131.215.176.254 eth0 post-up route add default gw 131.215.176.254
VLANs
- Vlan 1: default (outside world/ITS) - 131.215.176.0/26 131.215.176.128/25
- Vlan 2: management - 192.168.1.0/24
- Vlan 3: core servers - 131.215.176.65-131.215.176.85
- Vlan 4: shell servers - 131.215.176.96-131.215.176.125
- Vlan 5: hosted servers - 131.215.176.86-131.215.176.95
All Vlans except for management fall within the same basic subnet; traffic can be routed without use of a gateway and thus subnetting is not required. However, traffic is passed between Vlans by a transparent bridge which performs packet filtering using IPTables and Snort in order to segregate traffic (for example, not allowing DHCP server responses to cross from Vlan 1 to inside or outward from Vlans 3-5 to Vlan 1). There is no access to Vlan2 except from the bridge itself. The bridge has IP 131.215.176.126
All servers must be registered with the bridge in order to receive a UGCS-internal Vlan assignment using VMPS and therefore a DHCP allocation from the UGCS DNS server; otherwise, they will be on Vlan 1 and be on the main Winnett network and get a DHCP address from the Winnett pool.
Network Security
Charon bridges the VLAN's, so any traffic that flows across a vlan barrier is subject to firewall rules. By default, coreserver ports are filtered, and shellserver ports are open.
Charon also runs snort, but nothing is done with the alerts yet. Its rules are auto-updated daily from bleedingthreats.net.
If you need to block a host, add it to the "for" loop in charon:/usr/local/sbin/blocked_machines. This script is called from bridge_forward, so make sure to re-run it after you updated blocked_machines.
IPv4 Allocations
kabta: 131.215.172.59
- 64: Netblock
- 65-75: Coreserver
- 64 netblock.ugcs.caltech.edu.
- 65 hermes.ugcs.caltech.edu.
- 66 demeter.ugcs.caltech.edu.
- 67 apollo.ugcs.caltech.edu.
- 68 athena.ugcs.caltech.edu.
- 69 persephone.ugcs.caltech.edu
- 70 hera.ugcs.caltech.edu.
- 71 poseidon.ugcs.caltech.edu.
- 72 zeus.ugcs.caltech.edu.
- 73 hestia.ugcs.caltech.edu.
- 74 hephaestus.ugcs.caltech.edu.
- 75 dionysus.ugcs.caltech.edu.
- 76 nfs.ugcs.caltech.edu ( Failover NFS server between athena and hestia )
- 75-85: Hosted servers that will be moved
- 78 fo.ugcs.caltech.edu - Testing IP for failover stuff
- 80 doldnut.ugcs.caltech.edu. (owned by devteam/Jon Dama)
- 81: afs-a.ugcs.caltech.edu: AFS database server (current zeus uses this IP)
- 82: afsmail.ugcs.caltech.edu: AFS file server that houses mail partitions (currently failover between hermes and athena)
- 86-105: Hosted servers
- 86 averyfs.ugcs.caltech.edu. (Owned by Avery IMSS)
- 87 bsi-la.ugcs.caltech.edu. (owned by Bo Adler)
- 88 lenin (owned by Dabney comptrollers)
- 89 donut (owned by Devteam)
- 90 metatron (owned by Matt Maurer)
- 91 white.caltech.edu (owned by Mike White)
- 92 philemon.gelide.org (owned by Jon Dama)
- 93 daisy.ugcs.caltech.edu (Elizabeth Fong)
- 94 ballroom (Ballroom dance club, )
- 95 hiro.ugcs.caltech.edu ( Silas's machine )
- 98 azkaban.ugcs.caltech.edu ( Owned by Eugeniu Plamadeala, username eugeniu)
- 99 fisheye.ugcs.caltech.edu (owned by Keegan McAllister, username keegan)
- 100 kukulza.ugcs.caltech.edu (Patrick Xia, username patrick)
- 101 eternity.ugcs.caltech.edu (Alex Roper, username alexr)
- 102 vitamin-s.ugcs.caltech.edu (owned by David DiCato)
- 103 (name not known yet) ( owned by Pat Cahalan )
- 104 (name not known yet) ( owned by Alex Rasmussen )
- 105-124: Shellserver
- 105 lara.ugcs.caltech.edu.
- 106 styx.ugcs.caltech.edu.
- 107 minthe.ugcs.caltech.edu.
- 108 lethe.ugcs.caltech.edu.
- 109 calliope.ugcs.caltech.edu.
- 110 clio.ugcs.caltech.edu.
- 111 achilles.ugcs.caltech.edu (mortal)
- 112 helen.ugcs.caltech.edu (mortal)
- 113 melpomene.ugcs.caltech.edu.
- 114 polyhymnia.ugcs.caltech.edu.
- 115 terpsichore.ugcs.caltech.edu.
- 116 thalia.ugcs.caltech.edu.
- 117 urania.ugcs.caltech.edu.
- 118 jason.ugcs.caltech.edu (mortal)
- 119 midas.ugcs.caltech.edu (mortal)
- 120 medusa.ugcs.caltech.edu (mortal)
- 121 dictys.ugcs.caltech.edu (mortal)
- 125: printer
- 126: charon
- 127: broadcast
IPv6 Allocations
- We should get some (independent of Caltech even), if at all remotely possible.
