Networking#

SSH#

Installation#

The client is already installed. To install the server:

wajig install openssh-server

Configuration#

Check out ~/.ssh/config. Do it! It’s worth it.

The command ssh -p 2345 -i /var/some_key some_user@some_weird_host_name becomes ssh foo with the following entry:

Host foo
  Hostname some_weird_host_name
  User some_user
  IdentityFile /var/some_key
  Port 2345

Usage#

Connect to host notebook:

ssh notebook

File Transfer#

In the address bar of Krusader, Dolphin or whatever graphical file manager you use, type:

sftp://notebook

To merely copy a file:

scp notebook:myfile .  # copies /home/me/myfile on notebook to current working directory
scp notebook:/etc/passwd .  # copies /etc/passwd on notebook to current working directory

Authentication#

Either with username/password or with public key authentication. The latter is very easy to set up and even lets you skip the password prompt (if you choose an empty passphrase for the key).

Assumption: working on desktop, connecting to notebook:

ssh-keygen  # only if you haven't done it already
            # leave default
ssh-copy-id notebook
ssh notebook

If you chose an empty passphrase and desktop gets compromised, then notebook will be too.

Mounting SSH#

Prerequisites:

sshfs

Mounting:

sshfs remotehost: /local/dir/

Unmounting:

fusermount -u /local/dir/

See this Ubuntu wiki page for more details.

List Open Ports#

… excluding Unix domain sockets:

netstat --numeric-hosts --protocol=inet

We use --numeric-hosts because DNS lookups can be quite slow.

Netstat Lines Explained#

I’m usually interested in all (-a) numeric (-n) TCP (-t) connections and the corresponding processes (-p). ‘pant’ sounds nicer than ‘atnp’.

netstat -pant

Just nginx listening on all addresses (0.0.0.0) on port 80:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9111/nginx -g daemo     nginx.

What’s rpcbind? Basically a multiplexer for kernel-based services like NFS:

tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      31994/rpcbind           needed for nfs

No pid? Dafuq? rpcinfo -p tells us more:

tcp        0      0 0.0.0.0:48660           0.0.0.0:*               LISTEN      -

rpcinfo -p:

program vers proto   port  service
100021    3   tcp  48660  nlockmgr
100021    4   tcp  48660  nlockmgr
100021    1   tcp  48660  nlockmgr
[...]
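As an added example (not from the original notes), a small parser for this kind of netstat -pant output that pulls out the listeners bound to all interfaces and the ones netstat could not attribute to a process, like the 48660 line above. The sample output is constructed: the page's three listeners plus made-up loopback, established and IPv6 lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `netstat -pant` sample: the three listeners shown on this page plus a
# loopback-only service, an established session and an IPv6 sshd listener.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9111/nginx -g daemo
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      31994/rpcbind
tcp        0      0 0.0.0.0:48660           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1200/mysqld
tcp        0      0 10.2.2.254:22           10.2.2.17:51234         ESTABLISHED 812/sshd: me [priv]
tcp6       0      0 :::22                   :::*                    LISTEN      700/sshd
"""

@dataclass
class Socket:
    proto: str
    addr: str
    port: int
    state: str
    pid: Optional[int]  # None where netstat printed "-": not root, or a kernel-side socket
    program: str

def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat -pant style output, skipping the header; udp lines (no State) also work."""
    socks = []
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        parts = line.split(None, 6)        # PID/Program may contain spaces: keep the rest whole
        if parts[0].startswith("udp"):     # no State column on udp lines, so re-split with one field less
            parts = line.split(None, 5)
            parts.insert(5, "")
        proto, _rq, _sq, local, _foreign, state, pidprog = parts
        addr, port = local.rsplit(":", 1)  # handles "0.0.0.0:80" and ":::22" alike
        pid_s, _, program = pidprog.strip().partition("/")  # "-" has no slash
        socks.append(Socket(proto, addr, int(port), state, None if pid_s == "-" else int(pid_s), program))
    return socks

def exposed_listeners(socks: List[Socket]) -> List[Socket]:
    """Listeners bound to every interface (0.0.0.0 or ::), i.e. reachable from the network."""
    return [s for s in socks if s.state == "LISTEN" and s.addr in ("0.0.0.0", "::")]

def unattributed_listeners(socks: List[Socket]) -> List[Socket]:
    """Listeners netstat could not tie to a PID: rerun as root, or ask rpcinfo -p as above."""
    return [s for s in socks if s.state == "LISTEN" and s.pid is None]
```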

Lab Setup with NAT, DHCP, DNS#

Using Virtualbox to set up multiple boxes in a LAN.

When a new box joins the network with hostname newbee, it should be reachable by both hostname and FQDN, e.g.:

ping newbee
ping newbee.athome

Domain name is “athome”.

NAT, DHCP and DNS#

All on the same box: NAT via iptables, DHCP and DNS via dnsmasq.

NAT:

iptables -t nat -I POSTROUTING -j MASQUERADE
iptables-save > /etc/iptables.rules

cat <<EOF > /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

iface rename3 inet static
address 10.2.2.254
netmask 255.255.255.0
pre-up iptables-restore < /etc/iptables.rules
EOF

echo 1 > /proc/sys/net/ipv4/ip_forward

DHCP, DNS:

apt-get install dnsmasq

cp /etc/dnsmasq.conf /etc/dnsmasq.conf.bak

cat <<EOF > /etc/dnsmasq.conf
interface=rename3
dhcp-authoritative
dhcp-range=10.2.2.1,10.2.2.240,255.255.255.0,10m
local=/athome/
domain=athome
address=/nat.athome/10.2.2.254
expand-hosts
EOF

service dnsmasq restart

Forward connections to port 80 on NAT to port 80 on 10.2.2.223:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.2.2.223:80

Rsyslog#

On logging.athome:

mkdir /var/log/hosts
chown syslog\: /var/log/hosts

cat <<'EOF' > /etc/rsyslog.d/60-per-host.conf
$template DynFile,"/var/log/hosts/%HOSTNAME%.log"

# question mark: use file template
# minus: don't sync after every write (faster at expense of data integrity)
#*.* -?DynFile
*.* ?DynFile
EOF

service rsyslog restart

tail -F /var/log/hosts/nat.log

On nat.athome:

cat <<'EOF' > /etc/rsyslog.d/70-centralized.conf
*.* @logging.athome
EOF

service rsyslog restart

logger 'Hello world from nat!'

From my OpenWRT Config#

root@wrt:~# cat /etc/config/dhcp

config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'localise_queries' '1'
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'
        option 'rebind_protection' '0'
        list 'server' '10.1.1.1'

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'netmask' '255.255.255.0'
        option 'start' '10'
        option 'limit' '90'
        option 'leasetime' '168h'
        list 'dhcp_option' '3,10.1.1.1'

config 'dhcp' 'wan'
        option 'interface' 'wan'
        option 'ignore' '1'

config 'host'
        option 'name' 'enterprise'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.3'

config 'host'
        option 'name' 'nas'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.4'

config 'host'
        option 'name' 'fiddlers'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.6'

config 'host'
        option 'name' 'locutus'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.5'

list 'dhcp_option' '3,10.1.1.1' sets DHCP option 3 (router), i.e. clients use 10.1.1.1 as their default gateway: http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_options. Could have used the option name instead of the number here…
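Added example, not part of the original notes, serving both the lab dnsmasq.conf above and this OpenWRT config: it computes each server's dynamic pool and reports addresses you treat as fixed (the lab's DNAT target 10.2.2.223, the OpenWRT static hosts) that sit inside the pool without a reservation. The config texts are trimmed copies of the page's; the OpenWRT LAN network address 10.1.1.0 is assumed from its host addresses and netmask.

```python
import ipaddress
import re

# Constructed, trimmed copies of two configs on this page: the lab dnsmasq.conf and the
# OpenWRT /etc/config/dhcp (one host kept; the MAC stays the page's XX placeholder).
DNSMASQ_CONF = """\
dhcp-range=10.2.2.1,10.2.2.240,255.255.255.0,10m
"""
UCI_DHCP = """\
config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '10'
        option 'limit' '90'
config 'host'
        option 'name' 'enterprise'
        option 'mac' 'XX:XX:XX:XX:XX:XX'
        option 'ip' '10.1.1.3'
"""

def pool_from_dnsmasq(conf):
    """(first, last) of the dynamic pool from a dhcp-range=first,last,... line."""
    m = re.search(r"^dhcp-range=([\d.]+),([\d.]+)", conf, re.M)
    return ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])

def pool_from_uci(conf, network):
    """(first, last) from option start/limit: offset from the network address, and pool size."""
    opts = dict(re.findall(r"option '(start|limit)' '(\d+)'", conf))
    first = ipaddress.ip_address(network) + int(opts["start"])
    return first, first + int(opts["limit"]) - 1

def pinned_dnsmasq(conf):
    """Addresses reserved by dhcp-host=MAC[,name],IP[,lease] lines (the lab config has none)."""
    fields = (f.strip() for l in conf.splitlines() if l.startswith("dhcp-host=") for f in l[10:].split(","))
    return {ipaddress.ip_address(f) for f in fields if re.fullmatch(r"\d+(\.\d+){3}", f)}

def pinned_uci(conf):
    """Static leases: the 'ip' option of every config host stanza."""
    return {ipaddress.ip_address(ip) for ip in re.findall(r"option 'ip' '([\d.]+)'", conf)}

def fixed_addr_findings(pool, pinned, fixed):
    """Addresses you rely on staying put (DNAT targets, boxes reached by IP) that lie in the pool unreserved."""
    first, last = pool
    return [f"{a} is in dynamic pool {first}-{last} without a reservation"
            for a in map(ipaddress.ip_address, fixed) if first <= a <= last and a not in pinned]

# The lab DNATs port 80 to 10.2.2.223, which the 10-minute leases may hand to another box;
# the OpenWRT host sits below its pool (10.1.1.10-10.1.1.99), so nothing is reported for it.
LAB_FINDINGS = fixed_addr_findings(pool_from_dnsmasq(DNSMASQ_CONF), pinned_dnsmasq(DNSMASQ_CONF), ["10.2.2.223"])
WRT_FINDINGS = fixed_addr_findings(pool_from_uci(UCI_DHCP, "10.1.1.0"), pinned_uci(UCI_DHCP), ["10.1.1.3"])
```

A dhcp-host=MAC,10.2.2.223 line in the lab config (or a static address on the target) clears the finding.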

Sources#

http://askubuntu.com/questions/224982/isc-dhcp-battling-to-get-the-host-name-from-the-dhcp-script Sure, if you want to make something simple with the right tool complex with a tool that’s made to do something slightly different.

http://superuser.com/questions/410053/how-can-i-set-up-a-local-domain-so-that-everyone-on-my-local-network-can-view Not needed. See comment about IGNORE_RESOLVCONF in /etc/default/dnsmasq

http://askubuntu.com/questions/140126/how-do-i-configure-a-dhcp-server Dnsmasq fulfills all my DHCP needs, i.e. a subnet on a specific interface. It can even do PXE and other funny stuff. :>

iptables#

Enable port forwarding:

sudo vim /etc/sysctl.conf  # set net.ipv4.ip_forward = 1
sudo sysctl -p /etc/sysctl.conf

Local port redirect (listen on privileged port 80 and redirect to unprivileged port 9080):

from_port=80
to_port=9080
sudo iptables -t nat -A PREROUTING -p tcp --dport $from_port -j REDIRECT --to-ports $to_port
# so we can connect from localhost in the same way
sudo iptables -t nat -A OUTPUT -p tcp -d 127.0.0.0/8 --dport $from_port -j REDIRECT --to-ports $to_port

Remember to save those:

sudo iptables-save > /etc/iptables.rules

Add them to your interface in /etc/network/interfaces, e.g.:

auto eth0
iface eth0 inet static
address ...
netmask ...
gateway ...
dns-nameservers ...
pre-up iptables-restore < /etc/iptables.rules

Sources:

Remote Port-Forwarding#

internet --eth0--> [4444]me --eth1--> [80]target

my_port=4444
target_ip=192.168.56.2
target_port=80

# accept forwarding for $target_ip in both directions
iptables -I FORWARD -s $target_ip -m tcp -p tcp --sport $target_port -j ACCEPT
iptables -I FORWARD -d $target_ip -m tcp -p tcp --dport $target_port -j ACCEPT
iptables -L FORWARD --line-numbers

# rewrite the destination on the way in, masquerade on the way out towards the target
iptables -t nat -I PREROUTING -m tcp -p tcp --dport $my_port -j DNAT --to-destination $target_ip:$target_port
iptables -t nat -L PREROUTING
iptables -t nat -I POSTROUTING -d $target_ip -o eth1 -j MASQUERADE
iptables -t nat -L POSTROUTING

Burn all Bridges#

After playing with virt-manager I had many bridge devices. Get rid of them:

for b in $(ls /sys/devices/virtual/net/ | grep ^br); do
    sudo ip link delete $b;
done