**********
Networking
**********

.. contents::

SSH
===

- simple :ref:`installation`
- remote shell
- file transfer
- secure
- `standard `_
- http://en.wikipedia.org/wiki/Secure_Shell

.. _installation:

Installation
------------

The client is already installed. To install the server::

    wajig install openssh-server

Configuration
-------------

Check out ``~/.ssh/config``. Do it! It's worth it. The command
``ssh -p 2345 -i /var/some_key some_user@some_weird_host_name`` becomes
``ssh foo`` with the following entry::

    Host foo
        Hostname some_weird_host_name
        User some_user
        IdentityFile /var/some_key
        Port 2345

Usage
-----

Connect to host ``notebook``::

    ssh notebook

File Transfer
-------------

In :ref:`Krusader`'s/Dolphin's address bar, type::

    sftp://notebook

To merely copy a file::

    scp notebook:myfile .       # copies /home/me/myfile on notebook to the current working directory
    scp notebook:/etc/passwd .  # copies /etc/passwd on notebook to the current working directory

Authentication
--------------

Either with username/password or through public key authentication. The
latter is very easy to set up and even lets you skip the password prompt (if
you choose an empty passphrase). Assumption: working on *desktop*, connecting
to *notebook*::

    ssh-keygen            # only if you haven't done it already; leave the defaults
    ssh-copy-id notebook
    ssh notebook

If you chose an empty passphrase and *desktop* gets compromised, then
*notebook* will be too.

Mounting SSH
------------

Prerequisites::

    sshfs

Mounting::

    sshfs remotehost: /local/dir/

Unmounting::

    fusermount -u /local/dir/

See `this Ubuntu wiki page `__ for more details.

List Open Ports
===============

... excluding Unix domain sockets::

    netstat --numeric-hosts --protocol=inet

We use ``--numeric-hosts`` because DNS lookups can be quite slow.

Netstat Lines Explained
=======================

I'm usually interested in all (-a) numeric (-n) TCP (-t) connections and the
corresponding processes (-p). 'pant' sounds nicer than 'atnp'.
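As an added example that is not part of these notes, the following Python
parses ``netstat -pant`` output of the kind explained in this section and
flags listeners bound to all addresses and listeners that netstat shows
without a PID (the rpcbind/nlockmgr case to follow up with ``rpcinfo -p``).
The sample lines are constructed; it also accepts ``-panu`` UDP lines, which
carry no state column.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample resembling the `netstat -pant` lines explained in this section.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9111/nginx -g daemo
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      31994/rpcbind
tcp        0      0 0.0.0.0:48660           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2201/postgres
tcp        0      0 10.2.2.254:22           10.2.2.17:50122         ESTABLISHED 1337/sshd: me
"""

@dataclass
class Socket:
    proto: str
    local_addr: str
    local_port: int
    state: str           # empty for UDP lines, which have no state column
    pid: Optional[int]   # None when netstat printed "-"
    program: str

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"     # proto, Recv-Q, Send-Q
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+"     # local addr:port, foreign addr:port
    r"(?:(?P<state>[A-Z_]+)\s+)?"                 # state (absent for udp)
    r"(?P<pidprog>-|\d+/.+?)\s*$"                 # "-" or PID/program name
)

def parse_netstat(text: str) -> list:
    """Turn netstat -pant/-panu output into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pidprog = m.group("pidprog")
        pid, prog = (None, "") if pidprog == "-" else (int(pidprog.split("/")[0]), pidprog.split("/", 1)[1])
        sockets.append(Socket(m.group("proto"), m.group("laddr"), int(m.group("lport")),
                              m.group("state") or "", pid, prog))
    return sockets

def exposed_listeners(sockets: list) -> list:
    """Listeners bound to every address (0.0.0.0 or ::) are reachable from all interfaces."""
    return [s for s in sockets if s.state == "LISTEN" and s.local_addr in ("0.0.0.0", "::")]

def unowned_listeners(sockets: list) -> list:
    """No PID: netstat lacked permission, or the socket is kernel-owned (nlockmgr); check rpcinfo -p."""
    return [s for s in sockets if s.state == "LISTEN" and s.pid is None]
```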
::

    netstat -pant

Just nginx listening on all addresses (0.0.0.0) on port 80::

    tcp   0   0 0.0.0.0:80     0.0.0.0:*   LISTEN   9111/nginx -g daemo

What's rpcbind? Basically a multiplexer for kernel-based services like NFS::

    tcp   0   0 0.0.0.0:111    0.0.0.0:*   LISTEN   31994/rpcbind   needed for nfs

No PID? Dafuq? ``rpcinfo -p`` tells us more::

    tcp   0   0 0.0.0.0:48660  0.0.0.0:*   LISTEN   -

``rpcinfo -p``::

    program vers proto   port  service
    100021    3   tcp  48660  nlockmgr
    100021    4   tcp  48660  nlockmgr
    100021    1   tcp  48660  nlockmgr
    [...]

Lab Setup with NAT, DHCP, DNS
=============================

.. highlight:: bash

Using VirtualBox to set up multiple boxes in a LAN. When adding a new box to
the network and setting ``hostname newbee``, newbee should be reachable by
hostname and FQDN, e.g.::

    ping newbee
    ping newbee.athome

The domain name is "athome".

NAT, DHCP and DNS
-----------------

Both on the same box via dnsmasq.

NAT::

    iptables -t nat -I POSTROUTING -j MASQUERADE
    iptables-save > /etc/iptables.rules
    cat <<EOF > /etc/network/interfaces
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    iface rename3 inet static
        address 10.2.2.254
        netmask 255.255.255.0
        pre-up iptables-restore < /etc/iptables.rules
    EOF
    echo 1 > /proc/sys/net/ipv4/ip_forward

DHCP, DNS::

    apt-get install dnsmasq
    cp /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
    cat <<EOF > /etc/dnsmasq.conf
    interface=rename3
    dhcp-authoritative
    dhcp-range=10.2.2.1,10.2.2.240,255.255.255.0,10m
    local=/athome/
    domain=athome
    address=/nat.athome/10.2.2.254
    expand-hosts
    EOF
    service dnsmasq restart

Forward connections to port 80 on NAT to port 80 on ``10.2.2.223``::

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.2.2.223:80

Rsyslog
-------

- http://lists.adiscon.net/pipermail/rsyslog/2010-February/003431.html
- http://www.rsyslog.com/doc/rsyslog_conf_templates.html
- http://www.rsyslog.com/doc/rsyslog_conf_actions.html
- http://www.rsyslog.com/doc/rsyslog_conf_filter.html

On ``logging.athome``::

    mkdir /var/log/hosts
    chown syslog: /var/log/hosts
    cat <<'EOF' > /etc/rsyslog.d/60-per-host.conf
    $template DynFile,"/var/log/hosts/%HOSTNAME%.log"
    # question mark: use file template
    # minus: don't sync after every write (faster at the expense of data integrity)
    #*.* -?DynFile
    *.* ?DynFile
    EOF
    service rsyslog restart
    tail -F /var/log/hosts/nat.log

On ``nat.athome``::

    cat <<'EOF' > /etc/rsyslog.d/70-centralized.conf
    *.* @logging.athome
    EOF
    service rsyslog restart
    logger 'Hello world from nat!'

From my OpenWRT Config
----------------------

::

    root@wrt:~# cat /etc/config/dhcp
    config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'localise_queries' '1'
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'
        option 'rebind_protection' '0'
        list 'server' '10.1.1.1'

    config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'netmask' '255.255.255.0'
        option 'start' '10'
        option 'limit' '90'
        option 'leasetime' '168h'
        list 'dhcp_option' '3,10.1.1.1'

    config 'dhcp' 'wan'
        option 'interface' 'wan'
        option 'ignore' '1'

    config 'host'
        option 'name' 'enterprise'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.3'

    config 'host'
        option 'name' 'nas'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.4'

    config 'host'
        option 'name' 'fiddlers'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.6'

    config 'host'
        option 'name' 'locutus'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.5'

``list 'dhcp_option' '3,10.1.1.1'`` means use router 10.1.1.1
(http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_options).
Could have used the option name here instead...

Sources
-------

http://askubuntu.com/questions/224982/isc-dhcp-battling-to-get-the-host-name-from-the-dhcp-script

Sure, if you want to make something simple with the right tool complex with a
tool that's made to do something slightly different.
http://superuser.com/questions/410053/how-can-i-set-up-a-local-domain-so-that-everyone-on-my-local-network-can-view

Not needed. See the comment about IGNORE_RESOLVCONF in ``/etc/default/dnsmasq``.

http://askubuntu.com/questions/140126/how-do-i-configure-a-dhcp-server

Dnsmasq fulfills all my DHCP needs, i.e. a subnet on a specific interface. It
can even do PXE and other funny stuff. :>

iptables
========

Enable IP forwarding (needed for port forwarding)::

    sudo vim /etc/sysctl.conf        # set net.ipv4.ip_forward = 1
    sudo sysctl -p /etc/sysctl.conf

Local port redirect (listen on privileged port 80 and redirect to unprivileged
port 9080)::

    from_port=80
    to_port=9080
    sudo iptables -t nat -A PREROUTING -p tcp --dport $from_port -j REDIRECT --to-ports $to_port
    # so we can connect from localhost in the same way
    sudo iptables -t nat -A OUTPUT -p tcp -d 127.0.0.0/8 --dport $from_port -j REDIRECT --to-ports $to_port

Remember to save those::

    sudo iptables-save > /etc/iptables.rules

Add them to your interface in ``/etc/network/interfaces``, e.g.::

    auto eth0
    iface eth0 inet static
        address ...
        netmask ...
        gateway ...
        dns-nameservers ...
        pre-up iptables-restore < /etc/iptables.rules

Sources:

- https://wiki.debian.org/Firewalls-local-port-redirection
- http://www.ridinglinux.org/2008/05/21/simple-port-forwarding-with-iptables-in-linux/
- http://pierre.palatin.fr/entries/iptables-port-redirect

Remote Port-Forwarding
----------------------

::

    internet --eth0--> [4444]me --eth1--> [80]target

::

    my_port=4444
    target_ip=192.168.56.2
    target_port=80
    # accept forwarding for $target_ip in both directions
    iptables -I FORWARD -s $target_ip -m tcp -p tcp --sport $target_port -j ACCEPT
    iptables -I FORWARD -d $target_ip -m tcp -p tcp --dport $target_port -j ACCEPT
    iptables -L FORWARD --line-numbers
    # rewrite the destination of incoming connections on $my_port to the target
    iptables -t nat -I PREROUTING -m tcp -p tcp --dport $my_port -j DNAT --to-destination $target_ip:$target_port
    iptables -t nat -L PREROUTING --line-numbers
    # make replies come back through me
    iptables -t nat -I POSTROUTING -d $target_ip -o eth1 -j MASQUERADE
    iptables -t nat -L POSTROUTING --line-numbers

Burn all Bridges
----------------

After playing with virt-manager I had many bridge devices. Get rid of them::

    for b in $(ls /sys/devices/virtual/net/ | grep ^br); do sudo ip link delete $b; done