bronze/mayfrost-guides
1
0
Fork 0
mirror of https://github.com/mayfrost/guides.git synced 2024-10-31 23:16:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
134a21631e
mayfrost-guides/NETWORKING.md
mayfrost 134a21631e
Update NETWORKING.md
2019-01-27 02:40:37 -03:00

7.9 KiB
Raw Blame History

NETWORKING

TOC

  1. SETUP
    1.1 /etc/network/interfaces
    1.2. WiFi
  2. FIREWALL
    2.1. ufw
    2.2. iptables
  3. SSH
    3.1. CLIENT
    3.2. SERVER
  4. TROUBLESHOOTING
    4.1. tcpdump
    4.2. netstat
    4.3. traceroute
    4.4. nmap

SETUP

/etc/network/interfaces

# use last 8 octets for hosts
255.255.255.0

WiFi

Use WiFi without a separate network manager with this simple guide. Needs "dhcpcd" or "dhcpclient", "net-tools" or "iproute2", "wpa_supplicant", and the WiFi drivers for your wireless card (like "iwlwifi" and its "ucode"), which in part can be installed from a package usually named "linux-firmware", but they may not be complete (this provides "ucode" but not "iwlwifi").
NOTE: The "<DEVICE_NAME>" can be either "wlp3s0" or "wlan0". Change accordingly the following commands to suit your needs.

  • Create the configuration file (as "root", not "sudo"):
    wpa_passphrase <NETWORK_NAME> <PASSWORD> > /etc/wpa_supplicant.conf
  • Delete non hashed password from "/etc/wpa_supplicant.conf", but not the hashed one.

Each time you need to connect type the following command (as "root" or with "sudo"):

  • EXAMPLE 1: With "net-tools" and "dhcpcd":
ifconfig <DEVICE_NAME> down
ifconfig <DEVICE_NAME> up
wpa_supplicant -B -i<DEVICE_NAME> -c /etc/wpa_supplicant.conf -Dwext
dhcpcd <DEVICE_NAME>
  • EXAMPLE 2: With "iproute2" and "dhclient":
ip link set <DEVICE_NAME> down
ip link set <DEVICE_NAME> up
wpa_supplicant -B -i<DEVICE_NAME> -c /etc/wpa_supplicant.conf -Dwext
dhclient <DEVICE_NAME>

You can save either example in a script to activate the Wi-Fi whenever you want.

  • Note: As an educational tip, the name of a network is also called "SSID" in other places.

FIREWALL

ufw

  • Show status
    sudo ufw status
  • Enable firewall
    sudo ufw enable
  • Disable firewall
    sudo ufw disable
  • Deny all by default
    sudo ufw default deny
  • Allow all by default
    sudo ufw default allow
  • Allow everything for specific port by default
    sudo ufw allow PORT_NUMBER
  • Delete a rule
    sudo ufw delete allow PORT_NUMBER
  • Allow everything for a specific address
    sudo ufw allow from IP_ADDRESS
  • Allow a specific port for a specific address
    sudo ufw allow from IP_ADDRESS to any port PORT_NUMBER

iptables

  • To list all rules:
    iptables -L
  • To flush all rules (reset to blank slate):
    iptables -F
  • To flush an specific rule:
    iptables -F <THE_RULE_TO_FLUSH>

BASICS

  • The rules are read in the order you give them and also their flags:
    -A: appends to previous list of rules.
    -I: inserts to previous list of rules.

  • The rules are followed according to their type which is a chain. The three types of chains are:
    INPUT: Comes from outside the firewall (commonly from another computer).
    OUTPUT: Comes from behind the firewall (commonly from the same computer).
    FORWARD: Goes to a third computer.

  • To select the interface (can be eth0, lo, wlan0, etc.):
    --in-interface <INTERFACE>

  • or also:
    -i <INTERFACE>

  • To make the rule match all but the requested interface add an exclamation between the interface flag and the interface name:
    -i ! <INTERFACE>

  • To select source of connection:
    -s <SOURCE_IP>

  • To select the protocol (can be tcp, udp, etc.):
    -p <PROTOCOL>

  • To select the port:
    --dport <PORT>

  • Match packet rules by state (can be used instead of ports):
    -m state

  • Types of state (ESTABLISHED, RELATED, etc.), more than one can be selected by using a comman with no spaces, for example:
    --state ESTABLISHED,RELATED

  • Match packet rules by IP range (can be used instead of ports):
    -m iprange

  • To choose a range set the start IP and the end IP separated by a dash:
    --src-range <FIRST_IP>-<LAST_IP>

  • The action to enforce (ACCEPT, DROP, etc.):
    -j <ACTION>

GENERAL POLICIES

  • Let pass all connections from inside the firewall:
    iptables -P OUTPUT ACCEPT

  • Drop all incoming connections by default:
    iptables -P INPUT DROP

  • Drop all forwarding connections by default:
    iptables -P FORWARD DROP

  • Allow all packets from loopback (your computer):
    iptables -A INPUT --in-interface lo -j ACCEPT

  • Allow connections from outisde to view your server:
    iptables -A INPUT -p tcp --dport <SERVER_PORT> -j ACCEPT

  • Allow connections to your computer through SSH (assuming the SSH server is running in port 22):
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  • Allow SSH only from local IP using IP range (to be used instead of the above):
    iptables -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 22 -j ACCEPT

  • Allow connections to receive a response from the same port, for the sake of the two-way connection as in the case of web browsers:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  • Drop spoofed packets simulating as coming from the same computer:
    iptables -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP

CUSTOM POLICIES

  • To create a custom chain:
    -N <ANY_NAME>

  • Declaring the <ANY_NAME> chain will add the deployment of rules with this chain name where this chain is called:
    iptables -A INPUT -j <ANY_NAME>

  • Using the chain <ANY_NAME> for connections from outisde to your server:
    iptables -A <ANY_NAME> -p tcp --dport <SERVER_PORT> -j ACCEPT

  • Using the chain <ANY_NAME> for connections to the SSH server:
    iptables -A <ANY_NAME> -p tcp --dport 22 -j ACCEPT

PORT REDIRECTION

  • Redirect port 80 to port 8080 using the NAT table:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

SSH

CLIENT

  • login to remote host
    ssh ADDRESS
  • login to remote host as user USER
    ssh USER@ADDRESS

SERVER

  • set ssh server configuration in /etc/ssh/sshd_config
Port 22 # default port is 22, can be changed
PermitRootLogin without-password # change "without-password" to "no" to forbid root login
AllowUsers USER_NAME # by allowing a specific user it restricts the others
  • restart "ssh" service to activate changes

TROUBLESHOOTING

tcpdump

  • dump all
    sudo tcpdump
  • dump 5 packets
    sudo tcpdump -c 5
  • dump in ASCii format
    sudo tcpdump -A
  • dump in hexadecimal format
    sudo tcpdump -xx
  • dump from an specific interface
    sudo tcpdump -i INTERFACE_NAME
  • dump from a specific port
    sudo tcpdump port PORT_NUMBER
  • dump 5 packets in hexadecimal from an specific interface and a specific port
    sudo tcpdump -c 5 -xx -i INTERFACE port PORT_NUMBER

netstat

  • show routing table, including gateway
    netstat -nr
  • show all ports
    netstat -tulpn
  • show network usage of devices
    netstat -i
  • show active connections
    netstat -ta
  • show active connections, but show ip addresses instead
    netstat -tan

traceroute

  • show which route your connection takes between your computer to the destination
    traceroute WEBNAME_OR_IP

nmap

  • scan a specific ip address (including devices)
    nmap IP_NUMBER
  • scan a specific website
    nmap WEBSITE_NAME
  • scan a specific ip address (including devices) with more information
    nmap -v IP_NUMBER
  • scan two ip address (including devices), 192.168.0.1 and 192.168.0.54
    nmap 192.168.0.1,54
  • scan a range of ip address (including devices), from 192.168.0.1 to 192.168.0.100
    nmap 192.168.0.1-100
  • scan all ip address (including devices) from network 192.168.0.0
    nmap 192.168.0.*
  • scan address from a file
    nmap -il <FILE>
  • scan address and identify OS and running services
    nmap -A IP_NUMBER
  • check if target is up
    nmap -sP IP_NUMBER
  • check reason for services states
    nmap --reason IP_NUMBER
  • show host interfaces
    nmap --iflist IP_NUMBER