# Network
# Command
# Common packages
The binaries `ifconfig`, `netstat`, `rarp`, `route` (net-tools), `ip` (iproute2) and `dig` (dnsutils) come from these packages:
# net-tools: ifconfig, netstat, rarp, route ; iproute2: ip ; dnsutils: dig
apt install net-tools iproute2 dnsutils
# Ip, arp, route
Command | meaning |
---|---|
ip a | get IP of the system |
ip r | get routes of the system |
ip route change default via 99.99.99.99 dev ens8 proto dhcp metric 100 | modify default route |
ip addr add 88.88.88.88/32 dev ens4 | add (failover) IP to a NIC |
# Single default route, forcing the (failover) address as source of outgoing packets
ip route add default via 10.20.30.40 src 88.88.88.88
# ECMP default route: two equal-weight next hops on the same NIC, same source address
ip route add default scope global src 88.88.88.88 \
nexthop via 10.20.30.40 dev ens224 weight 1 \
nexthop via 10.20.30.41 dev ens224 weight 1
# netplan
Ubuntu's YAML network configuration front end; it renders its configuration to a backend (systemd-networkd or NetworkManager). Dump every configuration file it merges:
# netplan merges every YAML found in these three directories (run overrides etc, which overrides lib)
cat /{lib,etc,run}/netplan/*.yaml
# Netstat
Warning: netstat (net-tools) is deprecated and slow on hosts with many sockets; prefer `ss` (iproute2) instead.
Show network connections, listening process
command | specification |
---|---|
netstat -t | list tcp connections |
netstat -lt | list listening tcp socket |
netstat -lu | list listening udp socket |
netstat -ltu | list listening udp + tcp socket |
netstat -lx | list listening unix socket |
netstat -ltup | same as above, with info on process |
netstat -ltupn | p (PID/program), l (LISTEN), t (tcp), u (udp), n (numeric: do not resolve host or service names) |
netstat -ltpa | -a shows all sockets, listening and non-listening (by default only connected sockets are shown) |
netstat -lapute | classic useful usage |
netstat -salope | mnemonic variant: additionally -s (per-protocol statistics), -o (timers), -e (extended info) |
netstat -tupac | mnemonic variant: tcp + udp, with process, all sockets, -c (continuous refresh) |
# ss
Modern iproute2 replacement for netstat: faster, and gives more information on the owning process.
# -t tcp, -l listening, -p owning process, -n numeric (no DNS / service-name lookup)
ss -tlpn
# -t -u tcp + udp, -l listening, -i internal TCP info, -p process, -e extended (uid, inode)
ss -tulipe
# -l listening, -a all sockets, -p process, -u udp, -t tcp, -e extended
ss -lapute
# same, plus -n numeric
ss -laputen
# Listening TCP sockets whose local port is 2377, with the owning process
ss -ltpn sport eq 2377
# TCP sockets whose local port is ssh (22); the parentheses group the filter expression
ss -t '( sport = :ssh )'
# Listening TCP sockets with a local port greater than / less than or equal to 500
ss -ltn sport gt 500
ss -ltn sport le 500
# tcpdump
### Real-time look at what is going on, on all interfaces. Pipe through `ccze` for colorized output.
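# Capture everything on all interfaces into a pcap file. Such a file holds whatever crossed the wire
# (cleartext credentials, session tokens, ...): keep it with restrictive permissions and delete it after use.
tcpdump -i any -w capturefile.pcap
# Only traffic to or from port 80
tcpdump port 80 -w capture_file
# Match the bytes "GET " at the start of the TCP payload. The original tcp[32:4] only works when the
# TCP header is exactly 32 bytes long (20 fixed + 12 bytes of options); read the data-offset field
# instead so the match does not depend on which TCP options are present:
tcpdump 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
# -n: do not resolve names (faster, and avoids DNS lookups triggered by the traffic under inspection)
tcpdump -n dst host ip
# -XX hex + ASCII dump including the link-level header, -vvv maximum verbosity
tcpdump -i any -XXXvvv dst host 35.227.35.254
tcpdump -i any -XXXvvv dst host registry.gitlab.com
tcpdump -i any -XXXvvv dst host registry.gitlab.com and port 443
# syslog traffic
tcpdump -vv -i any port 514
# Precedence: 'and' binds tighter than 'or', so this reads (src net 10/8 and dst port 1234) or dst port 4321;
# parenthesize the ports if both should be restricted to the source net
tcpdump -i any -XXXvvv src net 10.0.0.0/8 and dst port 1234 or dst port 4321 | ccze -A
# Everything except ssh, DNS and zabbix-agent noise
tcpdump -i any port not ssh and port not domain and port not zabbix-agent | ccze -A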
https://danielmiessler.com/study/tcpdump/
# udp
# NTP on loopback: -vv verbose, -X hex + ASCII dump of the payload
tcpdump -i lo udp port 123 -vv -X
# SMTP: -x/-X hex and hex+ASCII dumps, -s 1500 caps the snapshot length at 1500 bytes per packet
tcpdump -vv -x -X -s 1500 -i any 'port 25' | ccze -A
https://danielmiessler.com/study/tcpdump/#source-destination
# tcpflow
Reassembles TCP streams and prints their payload in a much more readable form than tcpdump.
# -c: print flows to the console instead of writing one file per flow
# (on port 443 the payload is TLS, so only ciphertext and the handshake are visible)
tcpflow -c port 443
# Without -c, each flow is written to a file named after its endpoints in the current directory
tcpflow port 80
tcpflow -i eth0 port 80
tcpflow -c host www.google.com
# List ports a process PID is listening on
# -P no port names, -a AND the selectors together, -n no host names, -p PID, -i network sockets only
lsof -Pan -p $PID -i
# ss version
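# Match the PID in the "users:" column. Modern iproute2 prints users:(("name",pid=1234,fd=5)),
# older versions printed users:(("name",1234,5)); ",1234," alone misses the modern form.
ss -l -p -n | grep -E 'pid=1234,|,1234,'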
# systemd-networkd
systemd's own network manager, the new style since Debian 9.
# Per-interface configuration lives in .network units under /etc/systemd/network
vim /etc/systemd/network/50-default.network
systemctl status systemd-networkd
# Re-apply the configuration after editing a unit (may briefly interrupt connectivity)
systemctl restart systemd-networkd
# ENI
The traditional Debian style: /etc/network/interfaces (ENI), handled by ifupdown.
# vlan
VLAN tagging, plus a route added once the interface is up
# Tagged sub-interface: VLAN id 3200 on the physical NIC enp61s0f1
auto enp61s0f1.3200
iface enp61s0f1.3200 inet static
address 10.10.10.20/22
vlan-raw-device enp61s0f1
# Runs once the interface is up: reach the rest of 10/8 through the VLAN gateway
post-up ip route add 10.0.0.0/8 via 10.10.10.254
# with package "ifupdown"
# Plain static interface with its default gateway
auto eth0
iface eth0 inet static
address 192.0.2.7/30
gateway 192.0.2.254
# NAT
Activate NAT (Network Address Translation)
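# Source-NAT traffic from 10.0.0.0/24 leaving through eth0 behind eth0's own address.
# The NAT rule alone does nothing unless the kernel forwards packets between interfaces:
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
# Forwarding is now enabled for every interface, not only for this subnet: restrict what may be
# forwarded in the filter table (FORWARD policy DROP plus explicit ACCEPT rules), or the host
# becomes an open router for whatever reaches it.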
# VPN
# OpenVpn
# Client
# resolvconf is what the update-resolv-conf hook (below) drives to rewrite /etc/resolv.conf
apt install openvpn resolvconf
# Runs as root; the .ovpn file typically embeds keys and certificates, keep it mode 0600
sudo openvpn --config /home/baptiste/.openvpn/b_dauphin@vpn.domain.com.ovpn
To have /etc/resolv.conf automatically managed by the VPN client, add the following lines to the client configuration:
# script-security 2 allows OpenVPN to execute external scripts (the up/down hooks below).
# Only use it with .ovpn files you trust: a malicious config can then run arbitrary commands as root.
script-security 2
# Hook shipped with the Debian openvpn package; rewrites /etc/resolv.conf with the DNS servers
# pushed by the VPN server (i.e. resolver settings are taken from the remote side)
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# Netcat
Netcat (`nc`, the network `cat`): the TCP/IP swiss army knife.
# Listen
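# TCP listener bound to loopback only; ports below 1024 require root
nc -l 127.0.0.1 -p 80
# -u udp, -v verbose, -l listen, -p port (a quick fake syslog receiver, for instance)
nc -lvup 514
# listen all ip on tcp port 443
# TCP is netcat's default; -t is NOT "tcp" (it enables telnet option negotiation), so it is dropped here.
# Binding to all addresses exposes the listener on every network the host is on - prefer -l <ip> to restrict it.
nc -lvp 443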
# Check port opening
Only reliable for TCP: UDP is connectionless, so an open UDP port cannot be told apart from a filtered one (with `-u`, nc only learns something when an ICMP port-unreachable comes back).
# -z connect only, send no data; -n no DNS; -v report the outcome. Exit status 0 when the port accepted the connection.
nc -znv 10.10.10.10 3306
# manually craft a UDP datagram (here a syslog line)
# Sends one syslog message over UDP (PRI <187> = facility local7, severity err).
# Nothing here is encrypted or authenticated: anyone on the path can read or forge such messages.
echo '<187>Apr 29 15:26:16 qwarch plop[12458]: baptiste' | nc -u 10.10.10.10 1514
# Internet Exchange Point
# BGP
Border Gateway Protocol.
- i-bgp (Internal BGP)
- e-bgp (External BGP)
Internal (iBGP) = peering between routers of the same AS; external (eBGP) = peering between different ASes.
# Best practices
# Bird
Open the BIRD console:
# Needs access to the BIRD control socket (root, or membership of the group it is owned by)
birdc
Once inside the bird console:
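# The command is "show route" (singular); "show routes" is not accepted by the CLI.
# Check the state of the BGP sessions first, then the routing table
show protocols
show route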
# Config example
/etc/bird/bird.conf
Sets the source address used for routes exported to the kernel (`krt_prefsrc`).
# Config example for bird 1.6
#debug protocols all;
# Router ID: the tunnel-side address (169.254.x.x link-local range, used on VPN tunnel endpoints)
router id 169.254.2.2;
# Watch interface up/down events
protocol device {
scan time 10;
}
# Import interface routes (Connected)
# (Not required in this example as kernel import all is used here to workaround the /32 on eth0 GCE VM setup)
#protocol direct {
# interface "*";
#}
# Sync routes to kernel
protocol kernel {
learn; # also pick up routes installed in the kernel by something other than BIRD
merge paths on; # For ECMP
export filter {
krt_prefsrc = 10.164.0.6; # Internal IP Address of the strongSwan VM.
accept; # Sync all routes to kernel
};
import all; # Required due to /32 on GCE VMs for the static route below
}
# Configure a static route to make sure route exists
protocol static {
# Network connected to eth0
route 10.164.0.0/20 recursive 10.164.0.1; # Network connected to eth0
# Or blackhole the aggregate
# route 10.164.0.0/20 blackhole;
}
# Prefix lists for routing security
# (Accept /24 as the most specific route)
# {16,24} = the /16 itself or any more-specific down to /24; a longer prefix (e.g. a leaked /32)
# or anything outside the range does not match and is rejected by the filters below.
define GCP_VPC_A_PREFIXES = [ 192.168.0.0/16{16,24} ]; # VPC A address space
define LOCAL_PREFIXES = [ 10.164.0.0/16{16,24} ]; # Local address space
# Filter received prefixes
# Rejects everything the peer announces outside its own VPC range (default route, other VPCs, hijacks)
filter gcp_vpc_a_in
{
if (net ~ GCP_VPC_A_PREFIXES) then accept;
else reject;
}
# Filter advertised prefixes
# Only our own address space leaves; routes learned from the kernel or other peers are not re-advertised
filter gcp_vpc_a_out
{
if (net ~ LOCAL_PREFIXES) then accept;
else reject;
}
template bgp gcp_vpc_a {
# keepalive = hold / 3, the same ratio as BIRD's defaults
keepalive time 20;
hold time 60;
graceful restart aware; # Cloud Router uses GR during maintenance
#multihop 3; # Required for Dedicated/Partner Interconnect
import filter gcp_vpc_a_in;
# NOTE(review): with "warn" the limit is only logged and routes beyond it are still accepted;
# use "block" (drop the excess) or "disable" (shut the session) if the limit is meant to be enforced.
import limit 10 action warn; # restart | block | disable
export filter gcp_vpc_a_out;
export limit 10 action warn; # restart | block | disable
}
# One session per tunnel, inheriting the template above
# NOTE(review): no "password" (TCP MD5) is configured on the session; acceptable only if the peering
# is confined to the IPsec tunnel mentioned above - confirm.
protocol bgp gcp_vpc_a_tun1 from gcp_vpc_a
{
# Both sides use private-range ASNs (64512-65534)
local 169.254.2.2 as 65002;
neighbor 169.254.2.1 as 65000;
}
# NetworkManager
# Fortinet VPN connection handling
Instead of installing a dirty vendor client, you can set up the VPN client through the magnificent NetworkManager.
You need to install the plugin. Example with dnf, GNOME variant:
dnf search fortisslvpn
Last metadata expiration check: 7 days, 18:32:25 ago on Mon 28 Dec 2020 02:34:03 PM CET.
================================================================================= Name Matched: fortisslvpn ==================================================================================
NetworkManager-fortisslvpn.x86_64 : NetworkManager VPN plugin for Fortinet compatible SSLVPN
NetworkManager-fortisslvpn-gnome.x86_64 : NetworkManager VPN plugin for SSLVPN - GNOME files
plasma-nm-fortisslvpn.x86_64 : Fortigate SSL VPN support for plasma-nm
# GNOME UI files for the plugin (presumably pulls in the NetworkManager-fortisslvpn plugin itself as a dependency)
dnf install NetworkManager-fortisslvpn-gnome
You can then configure a new VPN connection of this type in the NetworkManager GUI.
# dns-search
# Comma-separated search domains appended to unqualified names while this connection is up
nmcli connection modify <vpn-settings-name> ipv4.dns-search '<domain>,<domain>,<domain>'
Check that the search domains were applied:
# Per-link resolver settings (ppp0 being the VPN interface here), then the global view
resolvectl status ppp0
resolvectl status