====== Networking ======

## ping errors
$ dpkg-reconfigure resolvconf

## forward ipv4
## check ipv4 settings
$ sysctl -a | grep ip_forward
# net.ipv4.ip_forward = 0
# net.ipv4.ip_forward_use_pmtu = 0
$ sudo nano /etc/sysctl.conf
< /etc/sysctl.conf > net.ipv4.ip_forward=1
## -- alternative (temporary, lost on reboot)
# $ sysctl -w net.ipv4.ip_forward=1
## apply the changes to the running kernel
# $ sudo sysctl -p

## show socket information
$ sudo ss -tula
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port

iptables:
## configure rules
## -- tcp/udp
$ sudo iptables -t nat -I ${chain} -i eth0 -p ${protocol} -d ${localaddress} --dport ${port} -j ${target} --to-destination ${destaddress}
## -- masquerade
$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
## -- forward
$ sudo iptables -A FORWARD -s ${source} -o ${interface} -j ACCEPT
$ sudo iptables -A FORWARD -d ${destination} -o ${interface} -j ACCEPT
## -- forward DNAT specific ports
$ sudo iptables -t nat -I ${chain} -p ${protocol} -d ${localaddress} --dport ${port} -j DNAT --to ${address}
## -- forward specific ports
$ sudo iptables -A ${chain} -p ${protocol} -d ${localaddress} --dport ${port} -j ACCEPT
## -- SNAT
$ sudo iptables -t nat -A POSTROUTING -s ${source} -j SNAT --to-source ${newsource}

## show rules
$ sudo iptables -t nat -L
# target prot opt source destination
## -- numeric
# $ sudo iptables -t nat -L -n
## -- line numbers
# $ sudo iptables -t nat -L --line-numbers
## delete by chain and line-number
# $ sudo iptables -t nat -D ${chain} ${line}
# example: sudo iptables -t nat -D PREROUTING 2

## save rules
$ sudo iptables-save > /etc/iptables.conf
## restore rules
$ sudo iptables-restore < /etc/iptables.conf
## autoload on reboot
startup: command: iptables-restore < /etc/iptables.conf

## flush
## (removes every rule and resets the default policies to ACCEPT, so the host is unfiltered until rules are restored)
$ iptables -F
$ iptables -X
$ iptables -t nat -F
$ iptables -t nat -X
$ iptables -t mangle -F
$ iptables -t mangle -X
$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT

netstat:
$ sudo apt-get install net-tools
## show network stats
$ sudo netstat -pltun
# Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

pptp:
$ pptpsetup --create ${tunnelname} --server ${vpnserver} --username ${username} --password ${password} --encrypt
## (a password passed on the command line is visible to other users in the process list and is kept in the shell history)
$ pon tunnel1 debug dump logfd 2 nodetach
$ sudo ufw allow from ${vpnserver}

firewall:
ports:
SSH daemon: 22/tcp
http web server: 80/tcp
web server with ssl/tls enabled: 443/tcp
email enabled: 25/tcp
web server with ftp: www, 80/tcp and ftp, 21/tcp
## -- examples
## -- service: ssh | OpenSSH
## -- port: 80
## -- portrange: 1000-2000
## -- protocol: tcp | udp
## -- ip: 192.168.0.1
## -- direction: in | out
## -- interface: eth0 | tun0
## -- rule: allow ${portrange}/${protocol}
## default
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
## allow
$ sudo ufw allow ${service}
$ sudo ufw allow ${port}/${protocol}
$ sudo ufw allow ${portrange}/${protocol}
$ sudo ufw allow from ${ip}/24
$ sudo ufw allow ${direction} on ${interface}
$ sudo ufw allow from 127.0.0.1 to 127.0.0.1 port 5901 proto tcp
## deny
$ sudo ufw deny ${port}/${protocol}
show:
$ sudo ufw show added
enable:
$ sudo ufw enable
disable:
$ sudo ufw disable
reload:
$ sudo ufw reload
ipv6:
$ sudo vi /etc/default/ufw
< /etc/default/ufw > IPV6=yes
delete:
$ sudo ufw delete ${rule}
## status and delete
$ sudo ufw status numbered
$ sudo ufw delete ${number}

tcpdump:
## see traffic to or from a port (matches either direction, tcp or udp)
$ sudo tcpdump port 5232

===== COMMON PORTS =====
1194: VPN
123: ntpd
22: SSH
53: dnsmasq, named
587: mail
80: HTTP
3000
443: HTTPS
5901: VNC
6397
Bind9
OpenSSH

===== DNS Problem Fix =====
$ ping google.com: Name or service not known
$ sudo cat /etc/resolv.conf
## nameserver 8.8.8.8
## nameserver 127.0.0.1
$ sudo vi /etc/systemd/resolved.conf
DNS=8.8.8.8
$ sudo rm -rf /etc/resolv.conf
$ sudo ln -s /etc/systemd/resolved.conf /etc/resolv.conf
## (note: /etc/systemd/resolved.conf is the daemon's own configuration file, not resolver output; the file systemd-resolved generates for /etc/resolv.conf to link to is /run/systemd/resolve/stub-resolv.conf)
$ sudo service systemd-resolved restart

===== Double NAT =====
nano /etc/sysctl.conf
modify:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.eth0.accept_ra=2
mkdir /etc/iptables/
iptables-save > /etc/iptables/rules.v4
nano /etc/iptables/rules.v4
comment out these lines (this removes the catch-all REJECTs, so INPUT and FORWARD accept whatever the remaining rules do not explicitly block):
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -F
iptables-restore < /etc/iptables/rules.v4
service iptables save
service iptables reload
echo "1" > /proc/sys/net/ipv4/ip_forward && sysctl net.ipv4.ip_forward=1
on the local ip:
iptables -t nat -A POSTROUTING -o eth0 -s z.z.z.z -j SNAT --to-source y.y.y.y
iptables -t nat -A PREROUTING -i eth0 -d y.y.y.y -j DNAT --to-destination z.z.z.z
iptables -A FORWARD -s y.y.y.y -j ACCEPT
iptables -A FORWARD -d z.z.z.z -j ACCEPT
service iptables save
service iptables reload
access server at http://y.y.y.y

===== Missing Drivers? =====
# get network card information
sudo lshw -C network
# *-network
# description: Wireless interface
# product: BCM4360 802.11ac Wireless Network Adapter
# vendor: Broadcom Inc. and subsidiaries
# physical id: 0
# bus info: pci@0000:24:00.0
# logical name: wlp36s0
# version: 03
# serial: 98:48:27:c0:85:85
# width: 64 bits
# clock: 33MHz
# capabilities: pm msi pciexpress bus_master cap_list ethernet physical wireless
# configuration: broadcast=yes driver=wl0 driverversion=6.30.223.271 (r587334) ip=192.168.25.164 latency=0 multicast=yes wireless=IEEE 802.11
# resources: irq:38 memory:fc400000-fc407fff memory:fc200000-fc3fffff
lspci -vnn | grep -i net
# 24:00.0 Network controller [0280]: Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter [14e4:43a0] (rev 03)
# Subsystem: Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter [14e4:0619]
sudo apt install broadcom-sta-dkms
sudo modprobe wl
lsmod | grep wl
# Module Size Used by
# wl 6471680 0
# cfg80211 983040 1 wl