Linux Networking

GUI tool

nm-connection-editor
/etc/init.d/network-manager restart

Basic

https://access.redhat.com/sites/default/files/attachments/rh_ip_command_cheatsheet_1214_jcs_print.pdf
ls -l /sys/class/net/ # E.g.: ens3 -> ../../devices/pci0000:00/0000:00:03.0/virtio0/net/ens3
ip addr show dev eth1

ifconfig ens7 10.99.0.10/16 up # legacy net-tools
ip addr add 192.168.6.13/24 dev eth0 && ip link set eth0 up # iproute2 equivalent

ip addr flush dev eth0 # remove every address from the interface
ifconfig eth0 0.0.0.0 0.0.0.0 && dhclient # clear the static address, then ask DHCP

ip route add default via 192.168.1.1
ip route show table all # includes the local and main tables

/etc/network/interfaces

auto enp1s0
iface enp1s0 inet dhcp

/etc/netplan/*.yaml

network:
  version: 2

  ethernets:
    enp1s0: {}
    enp2s0: {}
    enp3s0: {}
    enp4s0:
      dhcp4: yes

  bridges:
    br0:
      interfaces: [enp1s0,enp2s0,enp3s0]
      dhcp4: yes
    br1: {}

netplan try # apply, and roll back automatically unless confirmed within the timeout

Port listening

# netstat -lntup | grep 8888
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 5119/python
tcp6 0 0 :::8888 :::* LISTEN 5119/python

# ss -lntup | grep 8888
tcp LISTEN 0 128 0.0.0.0:8888 0.0.0.0:* users:(("jupyter-noteboo",pid=5119,fd=7))
tcp LISTEN 0 128 [::]:8888 [::]:* users:(("jupyter-noteboo",pid=5119,fd=6))
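Both listings above show the same thing a reviewer cares about: the service is bound to the wildcard address (0.0.0.0 and [::]) and is therefore reachable from every interface, not just loopback. The following shell function, added here and not part of the original page, turns that check into something repeatable: it reads `ss -lntup` output and prints only the sockets bound to a wildcard address. The sample output it runs on is constructed for the example (the real command needs root to show process names).

```shell
# Added example (not from the page): flag listeners bound to every interface.
# Reads `ss -lntup` output on stdin and prints "proto port addr process" for
# sockets whose local address is a wildcard (0.0.0.0, [::] or *).
exposed_listeners() {
    awk '
        NR == 1 && $1 == "Netid" { next }        # skip the ss header line
        {
            la = $5                               # Local Address:Port column
            n = split(la, parts, ":")
            port = parts[n]                       # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                proc = "-"
                # first ("name" inside the users:(...) column, if present
                if (match($0, /\("[^"]+"/))
                    proc = substr($0, RSTART + 2, RLENGTH - 3)
                print $1, port, addr, proc
            }
        }'
}

# Constructed sample of `ss -lntup` output; only the jupyter and snmpd sockets
# are bound to a wildcard address, redis and mysqld are loopback-only.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:8888       0.0.0.0:*     users:(("jupyter-noteboo",pid=5119,fd=7))
tcp   LISTEN 0      128    [::]:8888          [::]:*        users:(("jupyter-noteboo",pid=5119,fd=6))
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*     users:(("redis-server",pid=901,fd=6))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*     users:(("snmpd",pid=733,fd=8))
tcp   LISTEN 0      4096   [::1]:3306         [::]:*        users:(("mysqld",pid=1200,fd=21))'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
# On a live host (as root): ss -lntup | exposed_listeners
```

The address is taken as everything before the last colon so that IPv6 literals such as `[::]:8888` and `[::1]:3306` are split correctly; a loopback-only socket such as `127.0.0.1:6379` is deliberately not reported.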

debug

tcpdump -i any port 27017 # capture mongod traffic on every interface
nmap -sV -p6379 127.0.0.1 # probe the local redis port for service/version
https://en.wikipedia.org/wiki/Netlink
https://github.com/shemminger/iproute2/blob/master/misc/ss.c

tuntap

ip tuntap add mode tap dev tap1
# shown by: ip link show tap1
tap1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a2:05:e8:7f:d9:e8 brd ff:ff:ff:ff:ff:ff

ip tuntap add mode tun dev tun1
# shown by: ip link show tun1
tun1: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 500
    link/none

Features

ethtool -k ens3 | grep offload # list offload features
ethtool -K ens3 gro off gso off tso off # disable generic-receive-offload, generic-segmentation-offload and tcp-segmentation-offload (e.g. so a capture shows wire-sized segments)

disable ipv6

echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf
sysctl -p

nftables

  • https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
  • https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
  • https://openwrt.org/docs/guide-user/firewall/misc/nftables

iptables

table / chain

iptables -t nat -L # filter(default), nat, mangle, raw and security
iptables -t nat -F ... # flush all rules in the chain
iptables -t nat -X ... # delete an (empty) user-defined chain

iptables -t nat -L -n -x -v # --numeric IP/Port --exact packet and byte counters --verbose
iptables -L --line-numbers
iptables -D INPUT 2 # delete rule 2 of INPUT by its line number

iptables-save

rules

iptables -I INPUT -i docker0 -j ACCEPT
iptables -I INPUT -s localhost -j ACCEPT # hostname is resolved when the rule is inserted; -i lo is the usual way to match loopback

iptables -A INPUT -p tcp --dport 81 -j DROP # --dport needs a protocol (-p tcp or -p udp)
iptables -A INPUT -p tcp -m multiport --dports 3306,6379 -j DROP
iptables -A INPUT -p udp --dport 161 -j ACCEPT

NAT

http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-3.html
                     _____                                     _____
                    /     \                                   /     \
  PREROUTING -->[Routing ]----------------->POSTROUTING----->
                    \D-NAT/  [Decision]                        \S-NAT/
                       |                                          ^
                       |                                          |
                        --------> Local Process -----------------

Masquerading is a specialized form of SNAT. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
http://ipset.netfilter.org/iptables-extensions.man.html

Trace

http://backreference.org/2010/06/11/iptables-debugging/
modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4 # bind the IPv4 (AF_INET = 2) logger backend
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
vi /var/log/kern.log # one TRACE line per table/chain/rule the packet traverses
# delete the two TRACE rules again when done; they log every matching packet

Log manually

http://www.microhowto.info/troubleshooting/troubleshooting_iptables.html
iptables_log_INPUT_DROP() {
    iptables -N LOGGING
    iptables -A INPUT -j LOGGING # append last: whatever earlier INPUT rules did not accept ends up here
    iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4 # level 4 = warning
    iptables -A LOGGING -j DROP
}
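The LOG target writes one kernel-log line per (rate-limited) dropped packet, with the prefix set above followed by `KEY=VALUE` fields such as `SRC=`, `PROTO=` and `DPT=`. To make those lines useful during an incident you want them aggregated, so here is a shell function, added for this page and not part of the original, that reads kernel-log text and counts drops per source, protocol and destination port. The log excerpt it runs on is constructed for the example, using the RFC 5737 documentation address ranges.

```shell
# Added example (not from the page): summarise kernel-log lines produced by the
# LOGGING chain above. Prints "count SRC PROTO DPT", most frequent first.
summarize_drops() {
    grep 'IPTables-Dropped:' | awk '
        {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")          # KEY=VALUE tokens; bare flags like DF/SYN are ignored
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed /var/log/kern.log excerpt: three SYNs to 3306 and one to 6379 from
# the same host, one UDP probe from another, and one unrelated kernel line.
SAMPLE_KERN='Jan 12 10:01:03 host kernel: [1234.567890] IPTables-Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:04 host kernel: [1235.567890] IPTables-Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:05 host kernel: [1236.567890] IPTables-Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:06 host kernel: [1237.567890] IPTables-Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51237 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:07 host kernel: [1238.567890] IPTables-Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=61 ID=4321 PROTO=UDP SPT=40000 DPT=123 LEN=58
Jan 12 10:01:08 host kernel: [1239.000000] eth0: link up'

printf '%s\n' "$SAMPLE_KERN" | summarize_drops
# On a live host: summarize_drops < /var/log/kern.log   (or: journalctl -k | summarize_drops)
```

Remember that `-m limit --limit 2/min` in the chain above caps what gets logged, so these counts are a lower bound on the real drop rate; the `-x -v` counters from `iptables -L` give the exact totals.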

Transparent Proxy

iptables -t nat -N TP
iptables -t nat -I TP -p tcp --dport 4433 -j RETURN # bypass Port

# https://tools.ietf.org/html/rfc5735#page-6
iptables -t nat -A TP -d 0.0.0.0/8 -j RETURN
iptables -t nat -A TP -d 10.0.0.0/8 -j RETURN
iptables -t nat -A TP -d 127.0.0.0/8 -j RETURN
iptables -t nat -A TP -d 169.254.0.0/16 -j RETURN
iptables -t nat -A TP -d 172.16.0.0/12 -j RETURN
iptables -t nat -A TP -d 192.168.0.0/16 -j RETURN
iptables -t nat -A TP -d 224.0.0.0/4 -j RETURN
iptables -t nat -A TP -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to Dokodemo-door's local port
iptables -t nat -A TP -p tcp -j REDIRECT --to-ports 20088
iptables -t nat -I OUTPUT -p tcp -j TP # NB: the proxy's own upstream connections also traverse OUTPUT; exclude them (e.g. by the uid the proxy runs as) before this jump or they are redirected back to 20088 and loop
iptables -t nat -I PREROUTING -p tcp -j TP

# Add any UDP rules
iptables -t mangle -N TP
iptables -t mangle -A TP -p udp --dport 53 -j TPROXY --on-port 20088 --tproxy-mark 0x01/0x01
iptables -t mangle -A PREROUTING -j TP

iptables -t mangle -N TP_MARK
iptables -t mangle -A TP_MARK -p udp --dport 53 -j MARK --set-mark 1 # locally generated DNS is marked ...
iptables -t mangle -A OUTPUT -j TP_MARK

ip route add local default dev lo table 100 # ... and policy-routed back over lo, so it re-enters PREROUTING where TPROXY catches it
ip rule add fwmark 1 lookup 100

ip rule del fwmark 1 lookup 100 # disable UDP
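The TCP half of the ruleset above has one gap worth closing before it goes on a real box: the proxy process's own connections to its upstream also pass through OUTPUT, so they hit TP and are redirected to port 20088, i.e. back to the proxy itself. The function below, added here as an example and not code from the page or from the proxy project, emits the same nat rules in `iptables-restore` syntax with that exclusion added. The `-m owner --uid-owner` match is only valid in the OUTPUT and POSTROUTING hooks, which is why the exclusion sits in OUTPUT ahead of the jump rather than inside TP (TP is also reached from PREROUTING, where the match would be rejected). The uid 1001 used in the dry run is an assumption for the example.

```shell
# Added example (not from the page): emit the TCP part of the transparent-proxy
# rules in iptables-restore syntax, with the proxy's own traffic excluded from
# the OUTPUT jump so its upstream connections are not redirected back to itself.
#   $1 = proxy listen port (20088 above)
#   $2 = uid the proxy runs as (assumed; the page does not name one)
#   $3 = destination port to bypass (4433 above)
tp_tcp_rules() {
    port=$1
    uid=$2
    bypass_port=${3:-4433}
    cat <<EOF
*nat
:TP - [0:0]
-A TP -p tcp --dport $bypass_port -j RETURN
EOF
    # RFC 5735 special-purpose ranges: traffic to these is never proxied.
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
               172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        echo "-A TP -d $net -j RETURN"
    done
    # The owner match must precede the jump and live in OUTPUT, not in TP:
    # TP is also reached from PREROUTING, where -m owner is not permitted.
    cat <<EOF
-A TP -p tcp -j REDIRECT --to-ports $port
-A OUTPUT -p tcp -m owner --uid-owner $uid -j RETURN
-A OUTPUT -p tcp -j TP
-A PREROUTING -p tcp -j TP
COMMIT
EOF
}

# Dry run: print the ruleset. To load it as root without touching other chains:
#   tp_tcp_rules 20088 1001 | iptables-restore --noflush
tp_tcp_rules 20088 1001
```

Loading with `--noflush` keeps the existing tables and only adds what is listed; run it once, since iptables-restore appends rather than replaces in that mode.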

iptables frontend

CentOS firewall-cmd

firewall-cmd --permanent --zone=public \
    --add-rich-rule='rule family="ipv4" source address="1.2.3.4/32" port port="4567" protocol="tcp" accept' # single quotes outside, so the inner double quotes reach firewalld

firewall-cmd --zone=public --add-port=4433/tcp --permanent
firewall-cmd --zone=public --add-port=4433/udp --permanent
firewall-cmd --reload
firewall-cmd --list-all

service firewalld stop

Ubuntu - ufw

sudo ufw allow 11200:11299/tcp
sudo ufw status verbose
sudo ufw disable

ip rule

Priority: 0, Selector: match anything, Action: lookup routing table local (ID 255). The local table is a special routing table containing high priority control routes for local and broadcast addresses.

Priority: 32766, Selector: match anything, Action: lookup routing table main (ID 254). The main table is the normal routing table containing all non-policy routes. This rule may be deleted and/or overridden with other ones by the administrator.

Priority: 32767, Selector: match anything, Action: lookup routing table default (ID 253). The default table is empty. It is reserved for some post-processing if no previous default rules selected the packet. This rule may also be deleted.

# cat /etc/iproute2/rt_tables
#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep

tc

http://events.linuxfoundation.org/sites/events/files/slides/Linux_traffic_control.pdf

LVS

http://kb.linuxvirtualserver.org/wiki/IPVS
https://github.com/torvalds/linux/tree/master/net/netfilter/ipvs
IPVS: an advanced layer-4 load balancing solution (NAT / Direct Routing / IP Tunneling)

Virtual routing and forwarding

https://docs.cumulusnetworks.com/display/DOCS/Virtual+Routing+and+Forwarding+-+VRF
Multiple independent routing tables working simultaneously on the same router or switch; think of this feature as VLAN for layer 3.
https://www.kernel.org/doc/Documentation/networking/vrf.txt

DNS

/etc/nsswitch.conf
#hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
hosts: files dns # fix for "nslookup works but ping does not": nslookup queries DNS directly, ping resolves via nsswitch, where mdns4_minimal returns NOTFOUND for .local names and stops the lookup before dns is tried