To change the name on a Linux device, you need to edit the hostname file. In the case of Linux, in order for the hostname to be applied, you need to reboot the device. To change the name on an Eltex router (in this example, HQ-RTR), run the following commands; the net_admin user is created with the same commands:
HQ-RTR
vesr# config
vesr(config)# hostname hq-rtr.au-team.irpo
vesr(config)# clock timezone gmt +5
vesr(config)# username net_admin
vesr(config-user)# password P@ssw0rd
vesr(config-user)# privilege 15
vesr(config-user)# exit
IPv4 must be configured on all devices. On HQ-RTR, the interfaces and the default route:
HQ-RTR(config)# int gi 1/0/2
HQ-RTR(config-if-gi)# ip address 172.16.4.2/28
HQ-RTR(config-if-gi)# ip firewall disable
HQ-RTR(config-if-gi)# exit
HQ-RTR(config)# interface gi 1/0/1.100
HQ-RTR(config-sub-in)# ip firewall disable
HQ-RTR(config-sub-in)# ip address 192.168.10.1/26
HQ-RTR(config-if-gi)# exit
HQ-RTR(config)# interface gi 1/0/1.200
HQ-RTR(config-sub-in)# ip firewall disable
HQ-RTR(config-sub-in)# ip address 192.168.10.65/28
HQ-RTR(config-if-gi)# exit
HQ-RTR(config)# interface gi 1/0/1.999
HQ-RTR(config-sub-in)# ip firewall disable
HQ-RTR(config-sub-in)# ip address 192.168.10.81/29
HQ-RTR(config-if-gi)# exit
HQ-RTR(config)# ip route 0.0.0.0/0 172.16.4.1
Source NAT for the HQ network:
hq-rtr(config)# object-group network HQ
hq-rtr(config-object-group-network)# ip address-range 192.168.10.1-192.168.10.254
hq-rtr(config-object-group-network)# exit
hq-rtr(config)# nat source
hq-rtr(config-snat)# pool WAN_POOL
hq-rtr(config-snat-pool)# ip address-range 172.16.4.2
hq-rtr(config-snat-pool)# exit
hq-rtr(config-snat)# ruleset SNAT
hq-rtr(config-snat-ruleset)# to interface gi 1/0/2
hq-rtr(config-snat-ruleset)# rule 1
hq-rtr(config-snat-rule)# match source-address HQ
hq-rtr(config-snat-rule)# action source-nat pool WAN_POOL
hq-rtr(config-snat-rule)# enable
hq-rtr(config-snat-rule)# exit
hq-rtr(config-snat)# exit
GRE tunnel to BR-RTR, the route to the BR network through it, and commit:
hq-rtr(config)# tunnel gre 1
hq-rtr(config-gre)# ip firewall disable
hq-rtr(config-gre)# local address 172.16.4.2
hq-rtr(config-gre)# remote address 172.16.5.2
hq-rtr(config-gre)# ip address 100.10.10.1/30
hq-rtr(config-gre)# ttl 16
hq-rtr(config-gre)# enable
hq-rtr(config-gre)# exit
hq-rtr(config)# ip route 192.168.20.0/24 tunnel gre 1
hq-rtr# commit
hq-rtr# confirm
BR-RTR
The same steps on BR-RTR:
vesr# config
vesr(config)# hostname br-rtr.au-team.irpo
vesr(config)# clock timezone gmt +5
vesr(config)# username net_admin
vesr(config-user)# password P@ssw0rd
vesr(config-user)# privilege 15
vesr(config-user)# exit
BR-RTR(config)# int gi 1/0/2
BR-RTR(config-if-gi)# description external
BR-RTR(config-if-gi)# ip address 172.16.5.2/28
BR-RTR(config-if-gi)# ip firewall disable
BR-RTR(config-if-gi)# exit
BR-RTR(config)# interface gi 1/0/1
BR-RTR(config-sub-in)# description internal
BR-RTR(config-sub-in)# ip firewall disable
BR-RTR(config-sub-in)# ip address 192.168.20.1/27
BR-RTR(config-if-gi)# exit
BR-RTR(config)# ip route 0.0.0.0/0 172.16.5.1
br-rtr(config)# object-group network BR
br-rtr(config-object-group-network)# ip address-range 192.168.20.1-192.168.20.254
br-rtr(config-object-group-network)# exit
br-rtr(config)# nat source
br-rtr(config-snat)# pool WAN_POOL
br-rtr(config-snat-pool)# ip address-range 172.16.5.2
br-rtr(config-snat-pool)# exit
br-rtr(config-snat)# ruleset SNAT
br-rtr(config-snat-ruleset)# to interface gi 1/0/2
br-rtr(config-snat-ruleset)# rule 1
br-rtr(config-snat-rule)# match source-address BR
br-rtr(config-snat-rule)# action source-nat pool WAN_POOL
br-rtr(config-snat-rule)# enable
br-rtr(config-snat-rule)# exit
br-rtr(config-snat)# exit
br-rtr(config)# tunnel gre 1
br-rtr(config-gre)# description to_hq-rtr
br-rtr(config-gre)# ip firewall disable
br-rtr(config-gre)# local address 172.16.5.2
br-rtr(config-gre)# remote address 172.16.4.2
br-rtr(config-gre)# ip address 100.10.10.2/30
br-rtr(config-gre)# ttl 16
br-rtr(config-gre)# enable
br-rtr(config-gre)# exit
br-rtr(config)# ip route 192.168.10.0/24 tunnel gre 1
br-rtr# commit
br-rtr# confirm
See the process of configuring the network on ALT Linux here.
On the ISP, the interface connected to the backbone provider receives its address via DHCP. On the ISP, set up dynamic network address translation towards HQ-LIKE and BR-LIKE for Internet access. To enable IP forwarding, change the value from 0 to 1 in the /etc/net/sysctl.conf config. After that, install the iptables package, with which we will configure Source NAT. After turning on SNAT (where the -o interface, ens19 in the command, is your external interface), the iptables configuration has to be saved; usually this is done with the netfilter-persistent package, but it is not in ALT, so we do it manually.
On HQ-SW, switch all interfaces from static to manual. We add the mgmt logical interface to the bridge, but it is not present in the system itself; in order for it to appear there, we configure it as a regular interface in ALT.
On HQ-SRV and BR-SRV, create the sshuser user with the password P@ssw0rd and ID 1010. In order for it to perform sudo without entering a password, edit the sudoers file or create a new one in the /etc/sudoers.d directory.
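As an added example (not part of the original walkthrough), a Python check that the addresses, prefixes and default gateways collected from the Eltex and ALT configurations on this page are consistent with each other, and that the object-group ranges used for source NAT cover the LAN subnets. The PLAN table and the function names are mine; every address in it is copied from the page.

```python
import ipaddress

# Constructed from this page: (device, interface, address/prefix, default gateway or None)
PLAN = [
    ("HQ-RTR", "gi 1/0/2", "172.16.4.2/28", "172.16.4.1"),
    ("HQ-RTR", "gi 1/0/1.100", "192.168.10.1/26", None),
    ("HQ-RTR", "gi 1/0/1.200", "192.168.10.65/28", None),
    ("HQ-RTR", "gi 1/0/1.999", "192.168.10.81/29", None),
    ("HQ-RTR", "tunnel gre 1", "100.10.10.1/30", None),
    ("BR-RTR", "gi 1/0/2", "172.16.5.2/28", "172.16.5.1"),
    ("BR-RTR", "gi 1/0/1", "192.168.20.1/27", None),
    ("BR-RTR", "tunnel gre 1", "100.10.10.2/30", None),
    ("ISP", "ens20", "172.16.4.1/28", None),
    ("ISP", "ens21", "172.16.5.1/28", None),
    ("HQ-SW", "mgmt", "192.168.10.82/29", "192.168.10.81"),
    ("HQ-CLI", "ens19", "192.168.10.66/28", "192.168.10.65"),
    ("HQ-SRV", "ens19", "192.168.10.2/26", "192.168.10.1"),
    ("BR-SRV", "ens19", "192.168.20.2/27", "192.168.20.1"),
]

def check_plan(plan=PLAN):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    owner = {}  # ip address -> "device interface" that carries it
    for device, ifname, addr, _gw in plan:
        iface = ipaddress.ip_interface(addr)
        net = iface.network
        where = f"{device} {ifname}"
        # A host address must not be the network or broadcast address of its own prefix.
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{where}: {addr} is the network/broadcast address")
        if iface.ip in owner:
            problems.append(f"{where}: {iface.ip} duplicates {owner[iface.ip]}")
        owner[iface.ip] = where
    for device, ifname, addr, gw in plan:
        if gw is None:
            continue
        gw_ip = ipaddress.ip_address(gw)
        net = ipaddress.ip_interface(addr).network
        # The default gateway must be on-link and actually configured on some device.
        if gw_ip not in net:
            problems.append(f"{device} {ifname}: gateway {gw} is outside {net}")
        elif gw_ip not in owner:
            problems.append(f"{device} {ifname}: gateway {gw} is not configured on any device")
    return problems

def snat_covers(address_range, subnets):
    """True if an object-group 'ip address-range lo-hi' covers every usable host of the subnets."""
    lo, hi = (ipaddress.ip_address(p) for p in address_range.split("-"))
    return all(lo <= n[1] and n[-2] <= hi for n in map(ipaddress.ip_network, subnets))
```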
ISP
timedatectl set-timezone Asia/Yekaterinburg
vim /etc/net/ifaces/ens19/options
BOOTPROTO=dhcp
SYSTEMD_BOOTPROTO=dhcp4
vim /etc/net/ifaces/ens20/ipv4address
172.16.4.1/28
vim /etc/net/ifaces/ens21/ipv4address
172.16.5.1/28
vim /etc/net/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
apt-get install iptables
iptables -t nat -A POSTROUTING -o ens19 -j MASQUERADE
iptables-save >> /etc/sysconfig/iptables
systemctl enable --now iptables
systemctl restart network
HQ-SW
timedatectl set-timezone Asia/Yekaterinburg
vim /etc/hostname
hq-sw.au-team.irpo
systemctl enable --now openvswitch
ovs-vsctl add-br br0
ovs-vsctl add-port br0 ens19 trunk=100,200,999
ovs-vsctl add-port br0 ens20 tag=100
ovs-vsctl add-port br0 ens21 tag=200
ovs-vsctl add-port br0 mgmt tag=999
ovs-vsctl set interface mgmt type=internal
mkdir /etc/net/ifaces/mgmt
cp /etc/net/ifaces/ens19/options /etc/net/ifaces/mgmt/options
vim /etc/net/ifaces/mgmt/ipv4address
192.168.10.82/29
vim /etc/net/ifaces/mgmt/ipv4route
default via 192.168.10.81
vim /etc/net/ifaces/ens19/options
BOOTPROTO=manual
SYSTEMD_BOOTPROTO=manual
vim /etc/net/ifaces/ens20/options
BOOTPROTO=manual
SYSTEMD_BOOTPROTO=manual
vim /etc/net/ifaces/ens21/options
BOOTPROTO=manual
SYSTEMD_BOOTPROTO=manual
systemctl restart network
HQ-CLI
timedatectl set-timezone Asia/Yekaterinburg
vim /etc/hostname
hq-cli.au-team.irpo
vim /etc/net/ifaces/ens19/ipv4address
192.168.10.66/28
vim /etc/net/ifaces/ens19/ipv4route
default via 192.168.10.65
systemctl restart network
HQ-SRV
timedatectl set-timezone Asia/Yekaterinburg
vim /etc/hostname
hq-srv.au-team.irpo
useradd sshuser -u 1010
passwd sshuser
P@ssw0rd
vim /etc/sudoers.d/sshuser
sshuser ALL=(ALL) NOPASSWD: ALL
usermod -aG wheel sshuser
vim /etc/net/ifaces/ens19/ipv4address
192.168.10.2/26
vim /etc/net/ifaces/ens19/ipv4route
default via 192.168.10.1
vim /etc/openssh/sshd_config
Port 2024
AllowUsers sshuser
MaxAuthTries 2
Banner /etc/openssh/banner
echo "Authorized access only" > /etc/openssh/banner
systemctl restart sshd
systemctl restart network
BR-SRV
timedatectl set-timezone Asia/Yekaterinburg
vim /etc/hostname
br-srv.au-team.irpo
useradd sshuser -u 1010
passwd sshuser
P@ssw0rd
vim /etc/sudoers.d/sshuser
sshuser ALL=(ALL) NOPASSWD: ALL
usermod -aG wheel sshuser
vim /etc/net/ifaces/ens19/ipv4address
192.168.20.2/27
vim /etc/net/ifaces/ens19/ipv4route
default via 192.168.20.1
vim /etc/openssh/sshd_config
Port 2024
AllowUsers sshuser
MaxAuthTries 2
Banner /etc/openssh/banner
echo "Authorized access only" > /etc/openssh/banner
systemctl restart sshd
systemctl restart network
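As an added example, not from the page or from ALT: a Python audit of sshd_config against the directives set above on HQ-SRV and BR-SRV. It applies OpenSSH's real precedence (for most keywords the first occurrence wins, while Port and AllowUsers are cumulative), which is what matters when the four lines are appended to a stock config; the sample config and function names are constructed.

```python
# Added example (not from the original page): audit an sshd_config the way
# OpenSSH reads it (for most keywords the FIRST occurrence wins, while
# Port and AllowUsers accumulate) against the settings applied on HQ-SRV/BR-SRV.

def parse_sshd_config(text):
    """Return (first_values, ports, allow_users) for the global section."""
    first, ports, users = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":                       # conditional section: stop here
            break
        if key == "port":
            ports.append(value)
        elif key == "allowusers":
            users.extend(value.split())
        else:
            first.setdefault(key, value)         # later duplicates are ignored by sshd
    return first, ports, users

def audit_sshd_config(text, port="2024", user="sshuser", max_auth="2"):
    """Return findings; an empty list means the page's hardening is in effect."""
    first, ports, users = parse_sshd_config(text)
    findings = []
    if port not in ports:
        findings.append(f"Port {port} is not configured")
    if "22" in ports:
        findings.append("still listening on 22: a second Port line adds, not replaces")
    if first.get("maxauthtries", "6") != max_auth:
        findings.append(f"effective MaxAuthTries is {first.get('maxauthtries', '6')}")
    if user not in users:
        findings.append(f"AllowUsers does not include {user}")
    if first.get("banner", "none").lower() == "none":
        findings.append("Banner is not set")
    return findings

# Constructed sample: the four lines from the page appended below stock
# settings that were left uncommented, so two of them silently do not apply.
APPENDED_TO_STOCK = """Port 22
MaxAuthTries 6
Port 2024
AllowUsers sshuser
MaxAuthTries 2
Banner /etc/openssh/banner
"""
```

Running audit_sshd_config(APPENDED_TO_STOCK) reports the extra port 22 and an effective MaxAuthTries of 6, which the page's "systemctl restart sshd" would not reveal.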