Table of Contents

Networking

## ping errors
  $ dpkg-reconfigure resolvconf
## forward ipv4
  ## check ipv4 settings
  $ sysctl -a | grep ip_forward
    # net.ipv4.ip_forward = 0
    # net.ipv4.ip_forward_use_pmtu = 0
  $ sudo nano /etc/sysctl.conf
    < /etc/sysctl.conf >
      net.ipv4.ip_forward=1
  ## -- alternative (temporary)
    # $ sysctl -w net.ipv4.ip_forward=1
    ## apply the settings from /etc/sysctl.conf to the running kernel (no reboot needed)
    # $ sudo sysctl -p
## show socket information
$ sudo ss -tula
  # Netid  State      Recv-Q Send-Q      Local Address:Port             Peer Address:Port
iptables:
  ## configure rules
  ## -- tcp/udp
  $ sudo iptables -t nat -I ${chain} -i eth0 -p ${protocol} -d ${localaddress} --dport ${port} -j ${target} --to-destination ${destaddress}
    # --to-destination is an option of the DNAT target only; drop it for other targets
  ## -- masquerade
  $ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  ## -- forward
  $ sudo iptables -A FORWARD -s ${source} -o ${interface} -j ACCEPT
  $ sudo iptables -A FORWARD -d ${destination} -o ${interface} -j ACCEPT
  ## -- forward DNAT specific ports
  $ sudo iptables -t nat -I ${chain} -p ${protocol} -d ${localaddress} --dport ${port} -j DNAT --to ${address}
  ## -- forward specific ports
  $ sudo iptables -A ${chain} -p ${protocol} -d ${localaddress} --dport ${port} -j ACCEPT
  ## -- SNAT
  $ sudo iptables -t nat -A POSTROUTING -s ${source} -j SNAT --to-source ${newsource}
  ## show rules
  $ sudo iptables -t nat -L
    # target     prot opt source               destination
  ## -- numeric
    # $ sudo iptables -t nat -L -n
  ## -- line numbers
    # $ sudo iptables -t nat -L --line-numbers
    ## delete by chain and line-number
    # $ sudo iptables -t nat -D ${chain} ${line}
      # example: sudo iptables -t nat -D PREROUTING 2
  ## save rules
  $ sudo iptables-save > /etc/iptables.conf
    # note: the redirection is done by the unprivileged shell, not by sudo, so writing into /etc fails unless
    # the whole command runs as root, e.g. sudo sh -c 'iptables-save > /etc/iptables.conf'
  ## restore rules
  $ sudo iptables-restore < /etc/iptables.conf
  ## autoload on reboot
  startup:
    command: iptables-restore < /etc/iptables.conf
  ## flush (leaves the host fully open; if any chain policy is DROP, set the policies to ACCEPT before flushing, or a remote session can be cut off)
    $ iptables -F
    $ iptables -X
    $ iptables -t nat -F
    $ iptables -t nat -X
    $ iptables -t mangle -F
    $ iptables -t mangle -X
    $ iptables -P INPUT ACCEPT
    $ iptables -P FORWARD ACCEPT
    $ iptables -P OUTPUT ACCEPT
netstat:
  $ sudo apt-get install net-tools
  ## show network stats
  $ sudo netstat -pltun
    # Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
pptp:
  $ pptpsetup --create ${tunnelname} --server ${vpnserver} --username ${username} --password ${password} --encrypt
    # note: a password passed on the command line is visible in the process list and in the shell history
  $ pon tunnel1 debug dump logfd 2 nodetach
  $ sudo ufw allow from ${vpnserver}
firewall:
  ports:
    SSH daemon: 22/tcp
    http web server: 80/tcp
    web server with ssl/tls enabled: 443/tcp
    email enabled: 25/tcp
    web server with ftp: www, 80/tcp and ftp, 21/tcp
  ## -- examples
  ##    -- service: ssh | OpenSSH
  ##    -- port: 80
  ##    -- portrange: 1000-2000
  ##    -- protocol: tcp | udp
  ##    -- ip: 192.168.0.1
  ##    -- direction: in | out
  ##    -- interface: eth0 | tun0
  ##    -- rule: allow ${portrange}/${protocol}
  ## default
    $ sudo ufw default deny incoming
    $ sudo ufw default allow outgoing
  ## allow
    $ sudo ufw allow ${service}
    $ sudo ufw allow ${port}/${protocol}
    $ sudo ufw allow ${portrange}/${protocol}
    $ sudo ufw allow from ${ip}/24
    $ sudo ufw allow ${direction} on ${interface}
    $ sudo ufw allow from 127.0.0.1 to 127.0.0.1 port 5901 proto tcp
  ## deny
    $ sudo ufw deny ${port}/${protocol}
  show:
    $ sudo ufw show added
  enable:
    $ sudo ufw enable
  disable:
    $ sudo ufw disable
  reload:
    $ sudo ufw reload
  ipv6:
    $ sudo vi /etc/default/ufw
      < /etc/default/ufw >
        IPV6=yes
  delete:
    $ sudo ufw delete ${rule}
    ## status and delete
    $ sudo ufw status numbered
    $ sudo ufw delete ${number}
tcpdump:
  ## see traffic on a port (the port filter matches tcp and udp, in both directions)
  $ sudo tcpdump port 5232

COMMON PORTS

1194: VPN
123: ntpd
22: SSH
53: dnsmasq, named
587: mail
80: HTTP
3000
443: HTTPS
5901: VNC
6397
Bind9
OpenSSH

DNS Problem Fix

$ ping google.com: Name or service not known
$ sudo cat /etc/resolv.conf
  ## nameserver 8.8.8.8
  ## nameserver 127.0.0.1
$ sudo vi /etc/systemd/resolved.conf
  DNS=8.8.8.8
$ sudo rm -rf /etc/resolv.conf
$ sudo ln -s /etc/systemd/resolved.conf /etc/resolv.conf
  # note: /etc/systemd/resolved.conf is the daemon's configuration file, not a resolver file, so libc will not
  # find a nameserver line in it; the usual symlink target is the stub file systemd-resolved generates,
  # /run/systemd/resolve/stub-resolv.conf
$ sudo service systemd-resolved restart

Double NAT

  nano /etc/sysctl.conf
  modify:
  net.ipv4.ip_forward = 1
  net.ipv6.conf.all.accept_ra=2
  net.ipv6.conf.eth0.accept_ra=2
  mkdir /etc/iptables/
  iptables-save > /etc/iptables/rules.v4
  nano /etc/iptables/rules.v4
  comment out these lines (this removes the catch-all REJECT, so every inbound port without an explicit rule becomes reachable; inserting specific ACCEPT rules above the REJECT is the narrower option)
  # -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  # -A INPUT -j REJECT --reject-with icmp-host-prohibited
  iptables -F
  iptables-restore < /etc/iptables/rules.v4
  # note: `service iptables save/reload` is the RHEL-family init script; on Debian/Ubuntu it does not exist,
  # and /etc/iptables/rules.v4 is the file iptables-persistent loads at boot (same applies below)
  service iptables save
  service iptables reload
  echo "1" > /proc/sys/net/ipv4/ip_forward && sysctl net.ipv4.ip_forward=1
  on the local ip:
  iptables -t nat -A POSTROUTING -o eth0 -s z.z.z.z -j SNAT --to-source y.y.y.y
  iptables -t nat -A PREROUTING -i eth0 -d y.y.y.y -j DNAT --to-destination z.z.z.z
  iptables -A FORWARD -s y.y.y.y -j ACCEPT
  iptables -A FORWARD -d z.z.z.z -j ACCEPT
  service iptables save
  service iptables reload
  access server at http://y.y.y.y
  

Missing Drivers?

  # get network card information
  sudo lshw -C network
    # *-network
    #  description: Wireless interface
    #  product: BCM4360 802.11ac Wireless Network Adapter
    #  vendor: Broadcom Inc. and subsidiaries
    #  physical id: 0
    #  bus info: pci@0000:24:00.0
    #  logical name: wlp36s0
    #  version: 03
    #  serial: 98:48:27:c0:85:85
    #  width: 64 bits
    #  clock: 33MHz
    #  capabilities: pm msi pciexpress bus_master cap_list ethernet physical wireless
    #  configuration: broadcast=yes driver=wl0 driverversion=6.30.223.271 (r587334) ip=192.168.25.164 latency=0 multicast=yes wireless=IEEE 802.11
    #  resources: irq:38 memory:fc400000-fc407fff memory:fc200000-fc3fffff
  lspci -vnn | grep -i net
    # 24:00.0 Network controller [0280]: Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter [14e4:43a0] (rev 03)
    #   Subsystem: Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter [14e4:0619]
  sudo apt install broadcom-sta-dkms
  sudo modprobe wl
  lsmod | grep wl
    # Module                  Size  Used by
    # wl                   6471680  0
    # cfg80211              983040  1 wl