Linux Multiple Network Interfaces (NICs) – One Interface with Static Public IP and One Interface with Private DHCP LAN IP Address – Routes and Routing

Friday, July 24th, 2020

Linux KVM:  Using Multiple NICs and Routing Traffic Properly Between Them

When setting up a KVM guest to use multiple network interface controllers (NICs), additional ip routes may be needed in order for the additional interfaces to work properly.  For example, if you configure a NIC with a public static IP address and a NIC with an internal private DHCP LAN IP address, you must create a route for any traffic that comes through the DHCP LAN IP address to respond via the interface from which the request originated.  Otherwise, forwarded NAT traffic from the main KVM host to the DHCP internal LAN IP will reach its destination, but no response will be sent back (because it will attempt to send the response via the configured static IP address interface which may NOT be the original destination of the senders request).

The Solution:

https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming/23345#answer-23345

From the above link, the solution for me was to do the following in the KVM guest virtual machine:

Only needs to be done once:

sudo -i
echo 200 isp1 >> /etc/iproute2/rt_tables

Setting up the route (adjust variables as necessary):

sudo -i
ip rule add from <interface_IP> table isp1 priority 900
ip rule add from <interface_IP> dev <interface> table isp1
ip route add default via <gateway_IP> dev <interface> table isp

The command I used for my specific setup:

sudo -i
ip rule add from 192.168.122.10 table isp1 priority 900 
ip rule add from 192.168.122.10 dev ens9 table isp1 
ip route add default via 192.168.122.1 dev ens9 table isp1

Making it permanent (apply on system start up):

sudo -i
nano /etc/network/interfaces

I added the below post-up rules (adjust variables as necessary):

auto ens9
iface ens9 inet dhcp
        post-up ip rule add from <interface_IP> table isp1 priority 900
        post-up ip rule add from <interface_IP> dev <interface> table isp1
        post-up ip route add default via <gateway_IP> dev <interface> table isp1

The route is created whenever the dhcp interface is brought up.

Secure Linux Servers Using IPTables Rules and WonderShaper

Thursday, March 28th, 2013

Secure your Ubuntu Server from Flood and Other Attacks Using IPTables and WonderShaper

The following commands use IPTables to prevent common flooding and other miscellaneous malicious attacks. These commands can prevent a Linux server from lagging and spending resources on malformed packets.  Some of these attacks can cause DDoS attacks, so it is best to use these filters and rules.  Use at your own risk. A detailed explanation can be found here.

# Explanations here:
# http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
sudo apt-get install iptables
sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
sudo iptables -A INPUT -f -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

If you want to drop ICMP ping requests, click here.

Limiting Download and Upload Speeds / Traffic Globally in Ubuntu

Limiting download and upload speeds globally does not make a server any more secure than before.  However, it can aleviate network lag, which in my opinion ensures availability enhancing security.  In Ubuntu, it's easy to limit the max download and upload speed that can be used on an interface.  It wasn't always this easy, but thanks to a tool called wondershaper, you don't have to worry about any of the complexities.  To install, run the following command:

sudo apt-get install wondershaper  

Now, we need to tell wondershaper to start limiting our max download and upload rate on our particular interface. To see a list of interfaces, type the following command:

ifconfig

To determine what your max download and max upload speed should be, use SpeedTest to run a couple of bandwidth tests using your connection.  With your results, convert the speeds from mbps to kilobits per second.  Use this bandwidth calculator / converter to help you out.  Then, I'd subtract 20-30% of each value, as you want to leave some room between your max speed so that bandwith will still be available to other computers / nodes on the network.

Once you have your speeds, start wondershaper (modifying the example below to fit your needs):

# wondershaper [interface] [max_download_speed_kilobits] [max_upload_speed_kilobits]
sudo wondershaper eth0 8192 2764

Make a backup of the /etc/network/interfaces file:

sudo cp /etc/network/interfaces /etc/network/interfaces.bakup
sudo nano /etc/network/interfaces

To run wondershaper upon boot or startup, edit the /etc/network/interfaces file, and add the following (modify to fit your needs if neccessary):

auto lo
iface lo inet loopback
up /sbin/wondershaper eth0 8192 2764
down /sbin/wondershaper clear eth0

Make sure you change your max download and upload speed in both of the examples.  Settings will now apply when the computer boots into Linux.

Exclude LAN from Speed Limits

WonderShaper does not differentiate between LAN traffic and external traffic by default.  To prevent WonderShaper from limiting LAN network download and upload speeds, install this updated WonderShaper script:

cd ~/Downloads
wget -O wondershaper_exclude_lan.tar.gz www.dinofly.com/files/wondershaper_exclude_lan.tar.gz
tar xzvf wondershaper_exclude_lan.tar.gz
sudo cp -f wondershaper /sbin/wondershaper
sudo chmod +x /sbin/wondershaper
sudo nano /sbin/wondershaper

Find:

#Local Network
LAN_SUBNET=192.168.0.0

Change it to your LAN's main IP address.  For example, if your LAN gateway is 192.168.1.X, change it to:

#Local Network
LAN_SUBNET=192.168.1.0

Another example, if your LAN gateway is 192.168.43.X, change it to:

#Local Network
LAN_SUBNET=192.168.43.0

Save the file and reboot.

Your local area network (LAN) traffic is not filtered, but external traffic is!  Enjoy lag free connections from both the outside and inside while running any type of web server. 

Windows XP x86 and x64 .NET 4.0 Post Installation Slow Startup Network LAN Devices Fix

Thursday, March 29th, 2012

Windows XP .NET 4.0 Post Slow Startup Fix

I've been running my main machines on Windows XP x64 for several years, and I am a .NET developer.  There came a day when I needed .NET 4.0 for my development projects.  After installing .NET 4.0 in Windows XP x64 SP2, I noticed a slow bootup despite the fact that I have a solid state drive.  Windows would always boot up and freeze for about a minute before the network LAN and Wireless LAN computer icons appeared in the system tray.  At first, I never realized the problem was caused directly from the install of .NET 4.0.  For over a year I tried troubleshooting the problem.  I noticed that I had this problem on all of my XP machines after installing .NET 4.0.  I suspected video drivers, LAN drivers, wireless LAN drivers, and even my BIOS.  Nothing fixed this issue.  After further searching, I finally found a thread describing the same issues I was having.  Save yourself the read, and just run this batch file I wrote after installing .NET 4.0 on ANY Windows XP x64 or x86 machine:

set I=%windir%\
%I:~0,2%
cd %windir%\Microsoft.NET\Framework\v1.1.4322
ngen update
cd \
cd %windir%\Microsoft.NET\Framework\v2.0.50727
ngen update
cd \
cd %windir%\Microsoft.NET\Framework\v4.0.30319\
ngen update
sc stop "clr_optimization_v4.0.30319_32"
sc stop "clr_optimization_v4.0.30319_64"
sc config "clr_optimization_v4.0.30319_32" start= disabled
sc config "clr_optimization_v4.0.30319_64" start= disabled
@echo off
echo.
echo. All operations have been completed successfully.  The .net 4.0 framework services were disabled, as they are no longer needed.  This will not affect .net 4.0 applications, and your startup boot time should be back to instant!
pause

I have not experienced the slow boot issue on Windows Vista or Windows 7 after installing .NET 4.0.  Thus, please run this batch file on your XP machines after .NET 4.0.  If you don't, I hope you enjoy headaches.