Operating System - HP-UX

multiple network cards / user info

 
Chas Kalsi_1
New Member

I have two network cards, i.e. lan0 on IP address 171.192.1.1 and lan5 on 171.192.11.41. What I want to do is restrict / allow certain users access on the lan5 card to a special database environment. The cards are on the same subnet. I can use the /etc/profile script to check if the user has access to lan5, but the problem I have is how do I tell which user has come from which card? The long way would be to look at info from netstat and who. Is there an easier way to do it?

Thanks in advance



Chas Kalsi
Sridhar Bhaskarla
Honored Contributor

Re: multiple network cards / user info

Did you try the who -R command? Get the IP address from it, then do

netstat -an |grep ip_address

The destination IP (one of your IPs) should be listed with the telnet port 23.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: multiple network cards / user info

Simple way... hmmmm. Write a small script and pass the user as an argument.

#!/usr/bin/ksh
USER=$1

# who -R shows the remote host/IP in parentheses; keep only what sits between ( and )
IPs=`who -R | grep "^$USER " | awk -F'(' '{print $2}' | awk -F')' '{print $1}'`
for IP in $IPs
do
    # list the connections from that address, dropping the .23 telnet port suffix
    netstat -an | grep "$IP" | sed 's/\.23//'
done

Very raw. This will not work if who -mR returns the IP. You can write a small nslookup statement in the for loop to get the IP addr.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
linuxfan
Honored Contributor

Re: multiple network cards / user info

Hi Chas,


One of the ways you could do this is,

Create a file called /etc/checkhost

#######Begin#######
#!/sbin/sh
# Sourced from /etc/profile: report the local address this login arrived on
trap "" 1 2 3
# Nothing to check when there is no terminal (non-interactive use)
tty -s || return 0

PATH=/bin:/sbin:/etc:/usr/local/bin
MYUID=$(/usr/bin/id -u)   # available for additional per-user checks below

who -mu | awk '{print $2, $NF}' | while read TTY host
do
    # PID of the daemon (telnetd) that spawned this login shell: it is the line
    # whose PID column is our $PPID; our own shell ($$) and the egrep are skipped
    MYPID=`ps -ef | egrep " $PPID " | egrep -v "$$|egrep" | awk '{print $2}' | head -1`

    # lsof shows the telnet socket as local:telnet->remote:port; keep the local address
    TO_HOST=`lsof -p "$MYPID" | grep ":telnet" | head -1 | awk '{print $9}' | cut -d: -f1`

    echo "##################################"
    echo "You logged in to host $TO_HOST"
    # You can give additional access here if you want
    echo "##################################"
    sleep 4
done
########End########


Also modify your /etc/profile to include

#####Begin#########
if [ -f /etc/checkhost ]
then
. /etc/checkhost
fi
##### End #########


-HTH
Ramesh

They think they know but don't. At least I know I don't know - Socrates
linuxfan
Honored Contributor

Re: multiple network cards / user info

Hi Chas,

I was using lsof in the earlier script, the reason being that when you use netstat there is no way to restrict it to that particular session.
If you don't have lsof, you can download it from

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/lsof-4.55/

Also, Sri, in the example you gave you had a typo in the second awk; it should be
awk '{FS=")";print $1}'`

-Regards
Ramesh
They think they know but don't. At least I know I don't know - Socrates
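An added example, not code from Sri's or Ramesh's posts, that turns the who -R / netstat idea from both answers into a deny-by-default check usable from /etc/profile, narrowed to the one established telnet session belonging to this login; ALLOWED_LOCAL_IP, the helper names and the netstat sample are assumptions, and the HP-UX netstat format (port appended as ".23") is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the current login came in
# through the card permitted for the special database environment (lan5 in the
# question). Assumes HP-UX style "netstat -an" output with the port as ".23".

ALLOWED_LOCAL_IP="171.192.11.41"   # assumed: address of lan5, the permitted card

# Constructed sample of "netstat -an" output (not captured from a real host)
NETSTAT_SAMPLE='Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  171.192.1.1.23     10.9.8.7.40211     ESTABLISHED
tcp        0      0  171.192.11.41.23   10.9.8.8.40555     ESTABLISHED
tcp        0      0  171.192.11.41.22   10.9.8.7.40999     ESTABLISHED'

# peer_of_this_session: the host shown in parentheses by "who -mR"
peer_of_this_session() {
    who -mR | sed 's/.*(\(.*\)).*/\1/'
}

# local_ip_for_peer REMOTE_IP [NETSTAT_OUTPUT]: prints the local address of the
# established telnet (port 23) session from REMOTE_IP, or nothing if none exists
local_ip_for_peer() {
    printf '%s\n' "${2:-$(netstat -an)}" | awk -v peer="$1" '
        $1 == "tcp" && $NF == "ESTABLISHED" {
            n = split($4, l, ".")            # local "a.b.c.d.port"
            lip = l[1] "." l[2] "." l[3] "." l[4]; lport = l[n]
            split($5, f, ".")                # foreign "a.b.c.d.port"
            fip = f[1] "." f[2] "." f[3] "." f[4]
            if (lport == "23" && fip == peer) { print lip; exit }
        }'
}

# session_allowed REMOTE_IP [NETSTAT_OUTPUT]: 0 when the session arrived on
# ALLOWED_LOCAL_IP, 1 otherwise (also when no matching session is found, so an
# origin that cannot be determined is denied rather than allowed)
session_allowed() {
    lip=$(local_ip_for_peer "$1" "$2")
    [ -n "$lip" ] && [ "$lip" = "$ALLOWED_LOCAL_IP" ]
}

# From /etc/profile:  session_allowed "$(peer_of_this_session)" || DB_ACCESS=no
```

As Sri notes, who -R may print a hostname rather than an address; in that case resolve it (nslookup) before passing it to session_allowed, since the netstat match is on the dotted address.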
Peter Van Sant
Advisor

Re: multiple network cards / user info

Beware of two cards on the same subnet:

Why can't I have two network interfaces on the same IP subnet?

Since IP is a connection-less protocol, each IP datagram is routed separately from all other datagrams. This means that each outbound datagram is treated as unrelated to any other datagram so there is no such thing as a "reply".
The way IP routing works on hp-ux (and many other systems) can be called "interface based routing". When an interface is assigned an IP address and netmask, IP "figures out" what network we are attached to via that interface. This is sort of like saying that if the address on my front door is 100 Main St., then any address on Main Street must be out my front door.

Now when IP has an outbound datagram to deliver, it looks at the destination IP address and then looks in its routing tables to find "the best" route to get to that destination. It searches in the following order:

1. An exact "host route" (exact match with the "H" flag set)
2. The most exact match for a network route
3. The default gateway.

Number two, "most exact match", is currently defined as the destination that matches with the most bits. If I am sending to IP address 1.2.3.4 and I have two destinations listed such as:

Destination   Gateway ...
1.2           xxx
1.2.3         xxx

I will find that "1.2.3" (24 bits match) is a better or more specific match than is "1.2" (16 bits match). So IP will always choose the second route for this particular destination.

Now, if I have two interfaces on the same subnet, then I have two identical destinations in the routing table and I will try to find the "best" match. In such a case, I have no way of knowing which interface is "better" since they both lead to exactly the same subnet. In such a case IP will always pick the same route and all traffic for the target network/IP will always use the same interface.

In early BSD implementations the IP code would actually keep a use count on routes and find all equal routes and then use the one with the lowest use count. This is NOT the case in versions of HP-UX after about version 8.0.

It is still possible to have two cards on the same network and different subnets or even to use different subnet masks. We just do not currently support two interfaces in the same subnet. Even if you do this, it may well not do what you expect since all outbound traffic will use the same interface.
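An added example, not part of Peter's post, that implements the three-step lookup described above as a toy route selector over a constructed table, showing that two equal routes for one subnet always resolve to the same interface; the route-line format and the first-line-wins tie-break are assumptions (the post only states that HP-UX always picks the same route).

```shell
#!/bin/sh
# Added example (not from the thread): toy version of the route lookup described
# above. Routes are "destination/prefixlen interface" lines (assumed format); on
# equal-length matches the first line wins (assumed tie-break).

# Constructed routing table: both lan0 and lan5 claim 171.192.0.0/16
ROUTES='171.192.1.50/32 lan0
171.192.0.0/16 lan0
171.192.0.0/16 lan5
0.0.0.0/0 lan0'

# ip2int A.B.C.D -> 32-bit integer (subshell so IFS is not changed globally)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# best_route DEST [ROUTE_TABLE]: prints "interface prefixlen" of the most
# specific match: host route (/32), then longest network prefix, then default (/0)
best_route() {
    d=$(ip2int "$1")
    table=${2:-"$ROUTES"}
    best_len=-1; best_if=""
    while read -r net iface; do
        [ -n "$net" ] || continue
        prefix=${net%/*}; len=${net#*/}
        n=$(ip2int "$prefix")
        if [ "$len" -eq 0 ]; then mask=0
        else mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF )); fi
        # only a strictly longer match replaces the current best, so two identical
        # routes never alternate: the one listed first is used for all traffic
        if [ $(( d & mask )) -eq $(( n & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_if=$iface
        fi
    done <<EOF
$table
EOF
    echo "$best_if $best_len"
}
```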