# GUI editor for NetworkManager connection profiles
nm-connection-editor
# Restart NetworkManager through its SysV init script
/etc/init.d/network-manager restart
# Interfaces known to the kernel; each entry links to the owning device, e.g.:
#   ens3 -> ../../devices/pci0000:00/0000:00:03.0/virtio0/net/ens3
ls -l /sys/class/net/

# Addresses of a single interface
ip addr show dev eth1

# Static address: legacy ifconfig form vs. iproute2 form
ifconfig ens7 10.99.0.10/16 up
ip addr add 192.168.6.13/24 dev eth0 && ip link set eth0 up

# Remove every address from the interface
ip addr flush dev eth0

# Back to DHCP: clear the address, then ask for a lease
ifconfig eth0 0.0.0.0 0.0.0.0 && dhclient

# Default gateway; then list the routes of every table (main, local, ...)
ip route add default via 192.168.1.1
ip route show table all
# netstat -lntup | grep 8888
tcp        0      0 0.0.0.0:8888      0.0.0.0:*       LISTEN      5119/python
tcp6       0      0 :::8888           :::*            LISTEN      5119/python
# ss -lntup | grep 8888
tcp   LISTEN 0  128  0.0.0.0:8888  0.0.0.0:*  users:(("jupyter-noteboo",pid=5119,fd=7))
tcp   LISTEN 0  128  [::]:8888     [::]:*     users:(("jupyter-noteboo",pid=5119,fd=6))
# Capture traffic to/from port 27017 (MongoDB's default) on every interface
tcpdump -i any port 27017
# Probe the local port 6379 (Redis' default) and fingerprint the service version
nmap -sV -p6379 127.0.0.1
https://en.wikipedia.org/wiki/Netlink
https://github.com/shemminger/iproute2/blob/master/misc/ss.c
ip tuntap add mode tap dev tap1
tap1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a2:05:e8:7f:d9:e8 brd ff:ff:ff:ff:ff:ff
ip tuntap add mode tun dev tun1
tun1: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 500
    link/none
# List the offload-related features of the NIC
ethtool -k ens3 | grep offload
# Switch off generic-receive-offload, generic-segmentation-offload and
# tcp-segmentation-offload on the interface
ethtool -K ens3 gro off gso off tso off
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.confsysctl -p
# Tables: filter (the default), nat, mangle, raw and security
iptables -t nat -L
iptables -t nat -F ...        # flush: empty the rules of a chain
iptables -t nat -X ...        # delete a chain (it must already be empty)
iptables -t nat -L -n -x -v   # --numeric IP/port, --exact packet/byte counters, --verbose
iptables -L --line-numbers    # rule positions, needed for deleting by number
iptables -D INPUT 2           # delete rule number 2 of INPUT
iptables-save                 # dump every table to stdout
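# Insert at the top: accept everything arriving on the docker0 bridge and from localhost
# (-s localhost is resolved by the resolver when the rule is inserted)
iptables -I INPUT -i docker0 -j ACCEPT
iptables -I INPUT -s localhost -j ACCEPT
# --dport is only available together with a protocol match; without "-p tcp"
# iptables rejects the rule as an unknown option
iptables -A INPUT -p tcp --dport 81 -j DROP
# multiport: several ports in one rule
iptables -A INPUT -p tcp -m multiport --dport 3306,6379 -j DROP
# SNMP
iptables -A INPUT -p udp --dport 161 -j ACCEPT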
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-3.html
      / \                                   / \
 PREROUTING -->[Routing ]----------------->POSTROUTING----->
   \D-NAT/     [Decision]                   \S-NAT/
                   |     ^
                   |     |
                   --------> Local Process ------
Masquerading is a specialized form of SNAT. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html http://ipset.netfilter.org/iptables-extensions.man.html
http://backreference.org/2010/06/11/iptables-debugging/
# Load the IPv4 logging backend and select it as the nf_log logger for
# protocol family 2 (AF_INET)
modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4
# TRACE in the raw table logs every table/chain/rule an ICMP packet passes,
# for locally generated (OUTPUT) and incoming (PREROUTING) packets
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
# The trace lines end up in the kernel log. They are very verbose: delete
# the two TRACE rules again (iptables -t raw -D ...) once debugging is done.
vi /var/log/kern.log
http://www.microhowto.info/troubleshooting/troubleshooting_iptables.html
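#######################################
# Turn the end of the INPUT chain into "log, then drop": every packet that no
# earlier INPUT rule accepted is logged (rate limited) and discarded.
# Call this AFTER the ACCEPT rules for established/related traffic and for the
# management port, otherwise remote sessions to this host are cut off.
# Safe to call more than once: the chain is recreated instead of getting a
# second copy of each rule, and the INPUT jump is only added when missing.
# Globals:   none
# Arguments: none
# Outputs:   log lines prefixed "IPTables-Dropped: " at priority 4 (warning)
# Returns:   status of the last iptables command
#######################################
iptables_log_INPUT_DROP() {
  # -N fails when the chain already exists; then start from an empty chain
  iptables -N LOGGING 2>/dev/null || iptables -F LOGGING
  # -C checks for an existing identical rule, so the jump is not duplicated
  iptables -C INPUT -j LOGGING 2>/dev/null || iptables -A INPUT -j LOGGING
  # at most 2 log lines per minute, to keep a flood from filling the log
  iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  iptables -A LOGGING -j DROP
}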
# Transparent proxy, TCP part (nat table): TCP that is not excluded below is
# redirected to the local listener on port 20088.
iptables -t nat -N TP
iptables -t nat -I TP -p tcp --dport 4433 -j RETURN   # bypass Port 4433
# Special-purpose address ranges that are never proxied, see
# https://tools.ietf.org/html/rfc5735#page-6
iptables -t nat -A TP -d 0.0.0.0/8 -j RETURN
iptables -t nat -A TP -d 10.0.0.0/8 -j RETURN
iptables -t nat -A TP -d 127.0.0.0/8 -j RETURN
iptables -t nat -A TP -d 169.254.0.0/16 -j RETURN
iptables -t nat -A TP -d 172.16.0.0/12 -j RETURN
iptables -t nat -A TP -d 192.168.0.0/16 -j RETURN
iptables -t nat -A TP -d 224.0.0.0/4 -j RETURN
iptables -t nat -A TP -d 240.0.0.0/4 -j RETURN
# Anything else should be redirected to Dokodemo-door's local port
iptables -t nat -A TP -p tcp -j REDIRECT --to-ports 20088
# Hook the chain for locally generated (OUTPUT) and incoming/forwarded
# (PREROUTING) TCP. OUTPUT also sees the proxy's own upstream connections;
# presumably the --dport 4433 RETURN above is what keeps them out of the
# redirect loop — confirm that 4433 is the upstream port.
iptables -t nat -I OUTPUT -p tcp -j TP
iptables -t nat -I PREROUTING -p tcp -j TP

# Add any UDP rules
# UDP/53 arriving from other hosts: TPROXY it to the same listener and mark it 0x01
iptables -t mangle -N TP
iptables -t mangle -A TP -p udp --dport 53 -j TPROXY --on-port 20088 --tproxy-mark 0x01/0x01
iptables -t mangle -A PREROUTING -j TP
# Locally generated UDP/53 is marked in OUTPUT so the policy rule below routes it
# through lo (where the TPROXY rule can see it). The mark value (1 == 0x01) must
# match --tproxy-mark and the fwmark of the ip rule.
iptables -t mangle -N TP_MARK
iptables -t mangle -A TP_MARK -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -j TP_MARK
# Policy routing: everything in table 100 is delivered locally; fwmark 1 selects it
ip route add local default dev lo table 100
ip rule add fwmark 1 lookup 100
# Undo step, not part of the setup: remove the policy rule to disable UDP handling
ip rule del fwmark 1 lookup 100 # disable UDP
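# Allow TCP/4567 from one source host via a rich rule, stored permanently.
# The rule is single-quoted so the inner double quotes reach firewalld intact
# (the original nested double quotes were stripped by the shell).
firewall-cmd --permanent --zone=public \
  --add-rich-rule='rule family="ipv4" source address="1.2.3.4/32" port protocol="tcp" port="4567" accept'
firewall-cmd --zone=public --add-port=4433/tcp --permanent
# The original "4433/udp--permanent" lacked the space, so --permanent was
# swallowed into the port specification and the rule was not stored
firewall-cmd --zone=public --add-port=4433/udp --permanent
# --permanent changes only become active after a reload
firewall-cmd --reload
firewall-cmd --list-all
# Stop the firewall daemon altogether
service firewalld stop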
# Allow inbound TCP on the whole 11200-11299 range
sudo ufw allow 11200:11299/tcp
# Status including default policies and every rule
sudo ufw status verbose
# Turn ufw off
sudo ufw disable
Priority: 0, Selector: match anything, Action: lookup routing table local (ID 255).
The local table is a special routing table containing high priority control routes
for local and broadcast addresses.

Priority: 32766, Selector: match anything, Action: lookup routing table main (ID 254).
The main table is the normal routing table containing all non-policy routes. This rule
may be deleted and/or overridden with other ones by the administrator.

Priority: 32767, Selector: match anything, Action: lookup routing table default (ID 253).
The default table is empty. It is reserved for some post-processing if no previous
default rules selected the packet. This rule may also be deleted.

# cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
http://events.linuxfoundation.org/sites/events/files/slides/Linux_traffic_control.pdf
http://kb.linuxvirtualserver.org/wiki/IPVS https://github.com/torvalds/linux/tree/master/net/netfilter/ipvs IPVS – an advanced layer-4 load-balancing solution (NAT / Direct Routing / IP Tunneling).
https://docs.cumulusnetworks.com/display/DOCS/Virtual+Routing+and+Forwarding+-+VRF Multiple independent routing tables working simultaneously on the same router or switch. Think of this feature as VLAN for layer 3.
https://www.kernel.org/doc/Documentation/networking/vrf.txt
/etc/nsswitch.conf
#hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
hosts: files dns # fix for "nslookup works but ping does not resolve"