mayfrost-guides

mirror of https://github.com/mayfrost/guides

NETWORKING.md (8084B)


# NETWORKING

## TOC
1. [SETUP](#setup)  
1.1. [/etc/network/interfaces](#etcnetworkinterfaces)  
1.2. [WiFi](#wifi)  
2. [FIREWALL](#firewall)  
2.1. [ufw](#ufw)  
2.2. [iptables](#iptables)  
3. [SSH](#ssh)  
3.1. [CLIENT](#client)  
3.2. [SERVER](#server)  
4. [TROUBLESHOOTING](#troubleshooting)  
4.1. [tcpdump](#tcpdump)  
4.2. [netstat](#netstat)  
4.3. [traceroute](#traceroute)  
4.4. [nmap](#nmap)  

## SETUP

### /etc/network/interfaces
```
# a /24 netmask: the first three octets name the network, the last octet (8 bits) is left for hosts
255.255.255.0
```

### WiFi

Use WiFi without a separate network manager with this simple guide. Needs "_dhcpcd_" or "_dhclient_", "_net-tools_" or "_iproute2_", "_wpa\_supplicant_", and the WiFi drivers for your wireless card (like "_iwlwifi_" and its "_ucode_"). The firmware part can be installed from a package usually named "_linux-firmware_", but that may not be complete: it provides the "_ucode_" but not the "_iwlwifi_" kernel driver itself.  
__NOTE__: The "_<DEVICE_NAME>_" can be either "_wlp3s0_" or "_wlan0_". Change the following commands accordingly to suit your needs.

* Create the configuration file (as "_root_", not "_sudo_": the `>` redirection is done by your own shell, which under "_sudo_" still has no right to write into "_/etc_"):  
`wpa_passphrase <NETWORK_NAME> <PASSWORD> > /etc/wpa_supplicant.conf`  
* Delete the non-hashed password (the commented `#psk="..."` line) from "_/etc/wpa_supplicant.conf_", but not the hashed one. Keep the file readable by "_root_" only, since the hashed key still grants access to the network.  

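The two clean-up steps above done by a script, as an added example that is not part of the guide. It assumes the file has the layout `wpa_passphrase` prints (a commented `#psk="..."` line followed by the 64-hex-digit `psk=` line); the sample file it builds is constructed for illustration and its hex value is fake.

```shell
#!/bin/sh
# Added example, not from the guide: finish the wpa_supplicant.conf that
# wpa_passphrase writes. wpa_passphrase emits the passphrase twice, as a
# commented plaintext line (#psk="...") and as the derived 64-hex-digit psk;
# this removes the plaintext line and makes the file readable by root only.

# Strip the plaintext passphrase and tighten permissions on the given file.
# Returns 1 (and changes nothing) if no hashed psk line is present.
harden_wpa_conf() {
    conf="$1"
    grep -q '^[[:space:]]*psk=[0-9a-fA-F]\{64\}[[:space:]]*$' "$conf" || return 1
    # the comment marker makes the line harmless to wpa_supplicant, but it
    # still leaks the passphrase to anyone who can read the file
    sed '/^[[:space:]]*#psk=/d' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    chmod 600 "$conf"
}

# Constructed sample mirroring wpa_passphrase output (the hex value is fake).
# Writes it to a temporary file with the 644 mode a root shell redirection
# typically produces, and prints the path.
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' 'network={' \
        '    ssid="HomeNet"' \
        '    #psk="correct horse battery staple"' \
        '    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' \
        '}' > "$f"
    chmod 644 "$f"
    echo "$f"
}

# Usage on the real file (as root): harden_wpa_conf /etc/wpa_supplicant.conf
```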
Each time you need to connect type the following commands (as "_root_" or with "_sudo_"):  

* __EXAMPLE 1__: With "_net-tools_" and "_dhcpcd_":  
```
ifconfig <DEVICE_NAME> down
ifconfig <DEVICE_NAME> up
wpa_supplicant -B -i<DEVICE_NAME> -c /etc/wpa_supplicant.conf -Dwext
dhcpcd <DEVICE_NAME>
```

* __EXAMPLE 2__: With "_iproute2_" and "_dhclient_":  
```
ip link set <DEVICE_NAME> down
ip link set <DEVICE_NAME> up
wpa_supplicant -B -i<DEVICE_NAME> -c /etc/wpa_supplicant.conf -Dwext
dhclient <DEVICE_NAME>
```

You can save either example in a script to activate the WiFi whenever you want.  

* Note: As an educational tip, the name of a network is also called "_SSID_" in other places.
* Note: "_-Dwext_" selects the old wireless-extensions driver interface; if "_wpa\_supplicant_" fails to associate with it, try "_-Dnl80211_", the interface current kernels use.

## FIREWALL

### ufw
* Show status  
`sudo ufw status`  
* Enable firewall (over a remote session, allow your SSH port first, or the default deny cuts the session)  
`sudo ufw enable`  
* Disable firewall  
`sudo ufw disable`  
* Deny all incoming by default  
`sudo ufw default deny`  
* Allow all incoming by default  
`sudo ufw default allow`  
* Allow a specific port from anywhere  
`sudo ufw allow PORT_NUMBER`  
* Delete a rule  
`sudo ufw delete allow PORT_NUMBER`  
* Allow everything from a specific address  
`sudo ufw allow from IP_ADDRESS`  
* Allow a specific port for a specific address  
`sudo ufw allow from IP_ADDRESS to any port PORT_NUMBER`  

### iptables
* To list all rules:  
`iptables -L`  
* To flush all rules (reset to a blank slate):  
`iptables -F`  
* To delete a specific rule (give it exactly as it was added):  
`iptables -D <THE_RULE_TO_DELETE>`  

#### BASICS
* The rules are read in the order you give them, which depends on the flag used to add them:  
_-A_: appends to the end of the chain.  
_-I_: inserts at the start of the chain (or at the position number given after the chain name).  

* The rules are followed according to their type, which is a chain. The three built-in chains are:  
_INPUT_: Comes from outside the firewall (commonly from another computer).  
_OUTPUT_: Comes from behind the firewall (commonly from the same computer).  
_FORWARD_: Goes to a third computer.  

* To select the interface (can be eth0, lo, wlan0, etc.):  
`--in-interface <INTERFACE>`  
* or also:  
`-i <INTERFACE>`  
* To make the rule match all but the requested interface add an exclamation between the interface flag and the interface name:  
`-i ! <INTERFACE>`  
* Note: newer iptables versions warn that this form is deprecated and prefer the exclamation before the flag:  
`! -i <INTERFACE>`  

* To select the source of the connection:  
`-s <SOURCE_IP>`  

* To select the protocol (can be tcp, udp, etc.):  
`-p <PROTOCOL>`  

* To select the destination port (needs `-p tcp` or `-p udp` before it):  
`--dport <PORT>`  

* Match packets by connection state (can be used instead of ports):  
`-m state`  
* Types of state (ESTABLISHED, RELATED, etc.); more than one can be selected by separating them with a comma and no spaces, for example:  
`--state ESTABLISHED,RELATED`  

* Match packets by IP range (a range instead of a single `-s` address):  
`-m iprange`  
* To choose a range set the start IP and the end IP separated by a dash:  
`--src-range <FIRST_IP>-<LAST_IP>`  

* The action to enforce (ACCEPT, DROP, etc.):  
`-j <ACTION>`  

#### GENERAL POLICIES
* Let pass all connections from inside the firewall:  
`iptables -P OUTPUT ACCEPT`  
* Drop all incoming connections by default:  
`iptables -P INPUT DROP`  
* Drop all forwarded connections by default:  
`iptables -P FORWARD DROP`  
* Note: on a remote machine set the DROP policies only after the ACCEPT rules below are in place, otherwise the session you are working from is cut off.  

* Allow all packets from loopback (your computer):  
`iptables -A INPUT --in-interface lo -j ACCEPT`  

* Allow connections from outside to view your server:  
`iptables -A INPUT -p tcp --dport <SERVER_PORT> -j ACCEPT`  

* Allow connections to your computer through SSH (assuming the SSH server is running on port 22):  
`iptables -A INPUT -p tcp --dport 22 -j ACCEPT`  

* Allow SSH only from local IPs using an IP range (to be used instead of the above):  
`iptables -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 22 -j ACCEPT`  

* Allow replies to connections started from this computer, so two-way traffic works, as in the case of web browsers:  
`iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`  

* Drop spoofed packets that claim to come from this computer's loopback range but arrive on another interface:  
`iptables -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP`  
* Note: rules are read in order, so this DROP must sit before the ACCEPT rules above (add it first, or insert it with `-I`), otherwise a spoofed packet to an allowed port is accepted before the DROP is reached.  

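The GENERAL POLICIES rules assembled into one script in a lockout-safe order, as an added example that is not the guide's own code. It uses `-m conntrack --ctstate` (the current spelling of the guide's `-m state --state`) and the `! -i lo` form of the anti-spoofing rule; `IPT`, `LAN_RANGE`, `SSH_PORT` and `SERVER_PORT` are assumed variables, and with `IPT` left at its default the script only prints the plan instead of changing anything.

```shell
#!/bin/sh
# Added example, not from the guide: the GENERAL POLICIES rules assembled in a
# safe order. IPT defaults to "echo iptables", so running the script only
# prints the plan; run it as root with IPT=iptables to apply it for real.
# LAN_RANGE, SSH_PORT and SERVER_PORT are assumed values, change to taste.
IPT="${IPT:-echo iptables}"          # left unquoted below on purpose so it splits
LAN_RANGE="${LAN_RANGE:-192.168.1.1-192.168.1.254}"
SSH_PORT="${SSH_PORT:-22}"
SERVER_PORT="${SERVER_PORT:-80}"

apply_firewall() {
    # 1. blank slate, but keep INPUT open until the ACCEPT rules exist,
    #    otherwise a remote session dies the moment the chain is flushed
    $IPT -P INPUT ACCEPT
    $IPT -F
    $IPT -X
    # 2. replies to our own connections are most of the traffic, so test them first
    #    (-m conntrack --ctstate is the current spelling of -m state --state)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. loopback, then the anti-spoofing DROP before any service ACCEPT,
    #    because rules are read in order and the first match wins
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # 4. new connections: SSH only from the LAN range, the server port from anywhere
    $IPT -A INPUT -m iprange --src-range "$LAN_RANGE" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SERVER_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # 5. only now tighten the default policies
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
}

apply_firewall
```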
#### CUSTOM POLICIES

* To create a custom chain:  
`-N <ANY_NAME>`  

* Jumping from INPUT to the `<ANY_NAME>` chain makes the rules declared in that chain apply wherever the chain is called:  
`iptables -A INPUT -j <ANY_NAME>`  

* Using the chain `<ANY_NAME>` for connections from outside to your server:  
`iptables -A <ANY_NAME> -p tcp --dport <SERVER_PORT> -j ACCEPT`  

* Using the chain `<ANY_NAME>` for connections to the SSH server:  
`iptables -A <ANY_NAME> -p tcp --dport 22 -j ACCEPT`  

#### PORT REDIRECTION
* Redirect port 80 to port 8080 using the NAT table:  
`iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080`  
* Note: PREROUTING only sees packets arriving from the network; to redirect connections made from the same computer, add the same rule to the OUTPUT chain of the nat table instead.  

## SSH
### CLIENT
* login to remote host  
`ssh ADDRESS`  
* login to remote host as user USER  
`ssh USER@ADDRESS`  

### SERVER
* set ssh server configuration in /etc/ssh/sshd_config (keep comments on their own lines; older sshd versions reject text after a value)  
```
# default port is 22, can be changed
Port 22
# change "without-password" to "no" to forbid root login; newer OpenSSH names this value "prohibit-password"
PermitRootLogin without-password
# by allowing a specific user it restricts the others
AllowUsers USER_NAME
```
* check the file for mistakes with sshd's test mode (`sshd -t`, which prints nothing when the file is fine), then restart the "ssh" service to activate the changes  

## TROUBLESHOOTING

### tcpdump
* dump all  
`sudo tcpdump`  
* dump 5 packets  
`sudo tcpdump -c 5`  
* dump in ASCII format  
`sudo tcpdump -A`  
* dump in hexadecimal format  
`sudo tcpdump -xx`  
* dump from a specific interface  
`sudo tcpdump -i INTERFACE_NAME`  
* dump from a specific port  
`sudo tcpdump port PORT_NUMBER`  
* dump 5 packets in hexadecimal from a specific interface and a specific port  
`sudo tcpdump -c 5 -xx -i INTERFACE port PORT_NUMBER`  

### netstat
* show routing table, including gateway  
`netstat -nr`  
* show all listening TCP and UDP ports with the owning process (run as root to see every process)  
`netstat -tulpn`  
* show network usage of devices  
`netstat -i`  
* show active TCP connections  
`netstat -ta`  
* show active TCP connections, but show IP addresses and port numbers instead of names  
`netstat -tan`  

### traceroute
* show which route your connection takes between your computer and the destination  
`traceroute WEBNAME_OR_IP`  

### nmap
* scan a specific ip address (including devices)  
`nmap IP_NUMBER`  
* scan a specific website  
`nmap WEBSITE_NAME`  
* scan a specific ip address (including devices) with more information  
`nmap -v IP_NUMBER`  
* scan two ip addresses (including devices), 192.168.0.1 and 192.168.0.54  
`nmap 192.168.0.1,54`  
* scan a range of ip addresses (including devices), from 192.168.0.1 to 192.168.0.100  
`nmap 192.168.0.1-100`  
* scan all ip addresses (including devices) from network 192.168.0.0/24  
`nmap 192.168.0.*`  
* scan addresses from a file (the option is case-sensitive: capital L)  
`nmap -iL <FILE>`  
* scan address and identify OS and running services  
`nmap -A IP_NUMBER`  
* check if target is up (ping scan; `-sP` is the old name of `-sn` and is still accepted)  
`nmap -sP IP_NUMBER`  
* check reason for service states  
`nmap --reason IP_NUMBER`  
* show this computer's interfaces and routes (no target needed)  
`nmap --iflist`