Here is a networking tutorial with what I think are some handy CLI commands to know.
Feel free to comment and/or make suggestions. Make sure you know what a command does before
issuing it, especially in the security-oriented ones.
You may also like to see my tutorial on getting to know your Ubuntu system better: http://ubuntuforums.org/showthread.php?t=842307
Debugging
# Show the ethernet status (link, speed, duplex, auto negotiation)
Code:
ethtool eth0
# Force 100Mbit Full duplex
Code:
ethtool -s eth0 speed 100 duplex full
# Disable auto negotiation
Code:
ethtool -s eth0 autoneg off
# Blink the ethernet LED (to find the right port on a switch or a multi-port card)
Code:
ethtool -p eth0
# Display all interfaces (similar to ifconfig)
Code:
ip link show
# Bring device up (or down). Same as "ifconfig eth0 up"
Code:
ip link set eth0 up
# Display all IP addresses (similar to ifconfig)
Code:
ip addr show
# Show the neighbour (ARP) table, similar to arp -a
Code:
ip neigh show
# Ping on the ethernet layer: an ARP request, so it is not stopped by ICMP filtering but only reaches hosts on the local segment
Code:
arping 192.168.16.254
# Uses TCP SYN instead of ICMP to trace through firewalls (install via sudo apt-get install tcptraceroute); -f 5 starts with TTL 5 and skips the first hops
Code:
tcptraceroute -f 5 cb.vu
Routing
Print routing table
Code:
route -n
# same with ip route
Code:
ip route
Add and delete a route
Code:
route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.16.254
# same as above with ip route
Code:
ip route add 192.168.20.0/24 via 192.168.16.254
# route via an interface instead of a gateway (directly attached network)
Code:
route add -net 192.168.20.0 netmask 255.255.255.0 dev eth0
# set the default gateway
Code:
route add default gw 192.168.51.254
# same as above with ip route
Code:
ip route add default via 192.168.51.254 dev eth0
# delete the route again
Code:
route del -net 192.168.20.0 netmask 255.255.255.0
Configure additional IP addresses
# First IP
Code:
ifconfig eth0 192.168.50.254 netmask 255.255.255.0
# Second IP (alias interface eth0:0)
Code:
ifconfig eth0:0 192.168.51.254 netmask 255.255.255.0
# Equivalent commands with ip. The label is optional; it only makes the second address show up under ifconfig as eth0:0, "ip addr show" lists it either way
Code:
ip addr add 192.168.50.254/24 dev eth0
Code:
ip addr add 192.168.51.254/24 dev eth0 label eth0:0
Change MAC address
# Normally you have to bring the interface down first (ifconfig eth0 down) and up again afterwards. The change is lost at reboot.
Code:
ifconfig eth0 hw ether 00:01:02:03:04:05
Ports in use
# Listening TCP sockets (UDP sockets have no LISTEN state, so the grep drops them)
Code:
netstat -an | grep LISTEN
# Lists all Internet connections together with the owning process
Code:
lsof -i
# Displays the list of open sockets (socklist is in the procinfo package: apt-get install procinfo)
Code:
socklist
# Same as the first command but with PID and program name (-p; run as root to see other users' processes)
Code:
netstat -anp --udp --tcp | grep LISTEN
# List active connections to/from the system
Code:
netstat -tup
# List listening TCP and UDP ports with the owning program
Code:
netstat -tupl
Firewall (iptables)
# For status (all rules, numeric addresses, with packet counters)
Code:
iptables -L -n -v
# Open everything: set the default policy of the three built-in chains to ACCEPT. Together with the flush below this switches the firewall off completely, so only do it on a host you mean to leave unfiltered (or to get back in after locking yourself out).
Code:
iptables -P INPUT ACCEPT
Code:
iptables -P FORWARD ACCEPT
Code:
iptables -P OUTPUT ACCEPT
# Zero the packet and byte counters in all chains
Code:
iptables -Z
# Flush all chains (removes every rule; with a DROP policy still in place this cuts off remote sessions, hence set the policies first)
Code:
iptables -F
# Delete all user-defined chains
Code:
iptables -X
IP Forward for routing
# Check and then enable IP forward with:
# Check IP forward, 0=off, 1=on (it is a kernel parameter, read it with cat rather than opening it in an editor)
Code:
cat /proc/sys/net/ipv4/ip_forward
# Enable it until the next reboot
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
# or make it permanent in /etc/sysctl.conf with:
Code:
net.ipv4.ip_forward = 1
NAT Network Address Translation
# to activate NAT for everything leaving through eth0 (IP forward must be on, see above, and the FORWARD chain must let the traffic through)
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port forward 20022 on the public address to port ssh (22) of an internal host
Code:
iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 20022 -j DNAT --to 192.168.16.44:22
# Port forward of the range 993-995 (the range is written with a colon in --dport and with a dash in --to)
Code:
iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 993:995 -j DNAT --to 192.168.16.254:993-995
# Flush the routing cache so existing cache entries pick up the new rules
Code:
ip route flush cache
# Check NAT status
Code:
iptables -t nat -L -n -v
NOTE: You can delete a port forward with -D instead of -A (the rest of the rule must be identical). DNAT only rewrites the destination address; if your FORWARD policy is DROP you also need a FORWARD rule that accepts the forwarded traffic, otherwise the rewritten packets are silently dropped.
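As an added example (my script, not part of the original post), here is the whole gateway assembled in one place: forwarding switched on, masquerading, the two port forwards from above, and the FORWARD rules that the DNAT lines leave implicit. It assumes a second interface eth1 towards the LAN (the post only names eth0) and the addresses used above. By default it only prints the commands (DRYRUN=1); run it as root with DRYRUN=0 to apply them.

```shell
#!/bin/bash
# Stateful NAT gateway built from the rules in the NAT section.
# Assumptions (not from the post): the LAN is on eth1, and DRYRUN=1 is the
# default so the script only prints what it would do. DRYRUN=0 executes.
set -u
WAN=eth0                  # interface towards the internet
LAN=eth1                  # interface towards the internal network (assumed)
WAN_IP=78.31.70.238       # public address used in the post
LAN_NET=192.168.16.0/24   # internal network used in the post
DRYRUN=${DRYRUN:-1}

run() {                   # print or execute a command depending on DRYRUN
    if [ "$DRYRUN" = 1 ]; then echo "$@"; else "$@"; fi
}

# nat_forward PROTO WAN_PORTS INTERNAL_IP INTERNAL_PORTS
# --dport wants a range as "993:995", --to-destination as "993-995".
# The FORWARD rule is the part the plain DNAT line leaves out: with a DROP
# policy the rewritten packet is dropped right after the nat table.
nat_forward() {
    local proto=$1 wports=$2 ip=$3 iports=$4
    run iptables -t nat -A PREROUTING -i "$WAN" -p "$proto" -d "$WAN_IP" \
        --dport "$wports" -j DNAT --to-destination "$ip:$iports"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$ip" \
        --dport "${iports/-/:}" -m conntrack --ctstate NEW -j ACCEPT
}

nat_gateway() {
    run sysctl -w net.ipv4.ip_forward=1
    # Start from a clean slate; default deny for traffic passing through the box.
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    # Replies and related flows (FTP data, ICMP errors) may pass in both directions.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internal hosts may open connections to the outside ...
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # ... and leave with the WAN address as source.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # The two port forwards from the post, now with their FORWARD counterparts.
    nat_forward tcp 20022 192.168.16.44 22
    nat_forward tcp 993:995 192.168.16.254 993-995
}

nat_gateway
```

Only new connections (--ctstate NEW) are opened by the per-forward rule; everything else through the box rides on the ESTABLISHED,RELATED rule, so the rule set stays short as you add forwards.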
DNS
On *nix the DNS entries are valid for all interfaces and are stored in /etc/resolv.conf.
The domain to which the host belongs is also stored in this file. A minimal configuration is:
Code:
nameserver 78.31.70.238
search mydomain.net intern.lab
domain mydomain.net
Note that "domain" and "search" are mutually exclusive: the resolver uses whichever appears last, so in this example the domain line wins and intern.lab is never tried. Keep only the search line if you want both suffixes. On Ubuntu the file is also rewritten by the DHCP client, so manual edits get lost on the next lease unless the client is told otherwise (see the dhclient.conf example below).
Check the system domain name with:
# Same as dnsdomainname
Code:
hostname -d
Forward queries
Dig is used to test the DNS settings.
See from which server the client receives the answer (simplified answer).
In this example, we use google.com
Code:
dig google.com
Code:
google.com.   267   IN   A   64.233.187.99
;; SERVER: 192.168.1.254#53(192.168.1.254)
The router 192.168.1.254 answered and the response is the A entry (267 is the remaining TTL in seconds).
Any entry can be queried and the DNS server can be selected with @:
# To test the local server
Code:
dig @127.0.0.1 NS sun.com
# Query an external server. dig takes one record type per name, but several queries can be given on one command line
Code:
dig @204.97.212.10 heise.de NS heise.de MX
# Get the full zone (zone transfer). Properly configured servers only allow this from their secondaries and answer REFUSED / "Transfer failed." to everyone else; a zone that transfers to anybody exposes every name in it, so try this against your own servers.
Code:
dig AXFR @ns1.xname.org cb.vu
The program host is also quite powerful.
# Get the mail MX entry
Code:
host -t MX google.com
# Get the NS record over a TCP connection
Code:
host -t NS -T google.com
# Get everything (query type ANY, verbose output)
Code:
host -a google.com
Reverse queries
Find the name belonging to an IP address (PTR record under in-addr.arpa.). This can be done with dig, host and nslookup:
Code:
dig -x 78.31.70.238
Code:
host 78.31.70.238
Code:
nslookup 78.31.70.238
Single hosts can be configured in the file /etc/hosts instead of running named locally
to resolve the hostname queries. The format is simple (address, canonical name, aliases), for example:
Code:
64.233.187.99 google.com google
DHCP
The default Ubuntu DHCP client is dhclient, however, I like dhcpcd a lot better,
and that is what I will use in my examples.
apt-get install dhcpcd to install it.
# Trigger a renew (does not always work)
Code:
dhcpcd -n eth0
# Release the lease and shut the client down
Code:
dhcpcd -k eth0
The lease with the full information is stored in:
Code:
/var/lib/dhcpcd/dhcpcd-eth0.info
For dhclient:
The lease with the full information is stored in:
Code:
/var/db/dhclient.leases.eth0
That is the *BSD location; on Ubuntu look in /var/lib/dhcp3/dhclient.eth0.leases and the config file is /etc/dhcp3/dhclient.conf (later releases use /var/lib/dhcp/ and /etc/dhcp/).
Use
Code:
/etc/dhclient.conf
to prepend options or force different options (prepend puts your value before what the server sends, supersede replaces it):
Code:
nano -w /etc/dhclient.conf
Code:
interface "eth0" {
prepend domain-name-servers 127.0.0.1;
default domain-name "google.com";
supersede domain-name "google.com";
}
Traffic analysis
Bmon http://people.suug.ch/~tgr/bmon/ is a small console bandwidth monitor and can display the
flow on different interfaces. You can install it on Ubuntu with apt-get install bmon
Sniff with tcpdump (tcpdump comes with Ubuntu; capturing needs root)
# Everything except ssh, coming from two given source addresses
Code:
tcpdump -nl -i eth0 not port ssh and src \(192.168.16.121 or 192.168.16.54\)
# select to/from a single IP
Code:
tcpdump -n -i eth0 host 192.168.16.121
# select traffic to/from a network
Code:
tcpdump -n -i eth0 net 192.168.16.0/24
# Buffered output: tcpdump runs in the background (a single &) while tail follows the file; with && tail would only start once tcpdump exits
Code:
tcpdump -l > dump & tail -f dump
# Write traffic headers in binary file (the default snaplen keeps only the first bytes of each packet)
Code:
tcpdump -i eth0 -w traffic.eth0
# Write traffic + payload in binary file (-s 0 = whole packets)
Code:
tcpdump -i eth0 -s 0 -w traffic.eth0
# Read from file (the file can also be opened in Wireshark, formerly Ethereal)
Code:
tcpdump -r traffic.eth0
# The two classic commands: all traffic to/from one host
Code:
tcpdump host google.com
# Check if POP or IMAP run in clear text: -X prints the payload, so if you can read USER/PASS or LOGIN lines the connection is not encrypted
Code:
tcpdump -i eth0 -X port \(110 or 143\)
# Only catch pings
Code:
tcpdump -n -i eth0 icmp
# -s 0 for full packet, -A for ASCII: show the HTTP requests going over the wire
Code:
tcpdump -i eth0 -s 0 -A port 80 | grep GET
Additional important options:
* -A Print each packet in clear text (without header)
* -X Print packets in hex and ASCII
* -l Make stdout line buffered
* -D Print all interfaces available
Scan with nmap
Nmap http://insecure.org/nmap/ is a port scanner with OS detection,
it is usually installed on most distributions. Install it in Ubuntu
with apt-get install nmap. Only scan hosts you are allowed to scan: a SYN or OS scan is easy to spot in the target's logs and may be treated as an attack.
# Scan the common TCP ports on a host (here the router used in the examples above)
Code:
nmap 192.168.16.254
# Find out which IP are used and by which host on 0/24 (ping scan only, no ports; newer nmap versions call this -sn)
Code:
nmap -sP 192.168.16.0/24
# Do a stealth SYN scan with version and OS detection (-sS and -O need root)
Code:
nmap -sS -sV -O google.com
Other non standard but useful tools are hping (www.hping.org) an IP packet assembler/analyzer
and fping (fping.sourceforge.net). fping can check multiple hosts in a round-robin fashion.
Traffic control (QoS)
Traffic control manages the queuing, policing, scheduling, and other traffic parameters for a network.
The following examples are simple practical uses of the Linux capabilities to better use the available
bandwidth.
Limit upload
DSL or cable modems have a long queue to improve the upload throughput.
However filling the queue with a fast device (e.g. ethernet) will dramatically
decrease the interactivity. It is therefore useful to limit the device
upload rate to match the physical capacity of the modem, this should
greatly improve the interactivity. Set to about 90% of the modem maximal (cable) speed.
For a 512 Kbit upload modem:
Code:
tc qdisc add dev eth0 root tbf rate 480kbit latency 50ms burst 1540
# Status
Code:
tc -s qdisc ls dev eth0
# Delete the queue
Code:
tc qdisc del dev eth0 root
# Change the rate later without deleting the queue
Code:
tc qdisc change dev eth0 root tbf rate 220kbit latency 50ms burst 1540
Quality of service
Priority queuing with tc to optimize VoIP. See the full example on voip-info.org or
www.howtoforge.com. Suppose VoIP uses UDP on ports 10000:11024 and device eth0
(could also be ppp0 or so). The following commands define the QoS with three queues
and force the VoIP traffic into queue 1, where traffic with TOS 0x1e (all four TOS bits set) lands as well.
The default traffic flows into queue 3 and TOS Minimize-Delay flows into queue 2.
Code:
tc qdisc add dev eth0 root handle 1: prio priomap 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 0
Code:
tc qdisc add dev eth0 parent 1:1 handle 10: sfq
Code:
tc qdisc add dev eth0 parent 1:2 handle 20: sfq
Code:
tc qdisc add dev eth0 parent 1:3 handle 30: sfq
# Select the VoIP flows by the server port range. Careful: u32 compares (port & mask) with (value & mask), so "10000 0x3C00" really selects 9216-10239 and not 10000-11024, see "Calculate port range and mask" below
Code:
tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip dport 10000 0x3C00 flowid 1:1
# or/and select by the server IP
Code:
tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip dst 123.23.0.1 flowid 1:1
Status and remove with
# queue status
Code:
tc -s qdisc ls dev eth0
# delete all QoS
Code:
tc qdisc del dev eth0 root
Calculate port range and mask
The tc filter defines the port range with a value and a mask. A u32 match applies the mask to both sides: "match ip dport VALUE MASK" selects every port p with (p & MASK) == (VALUE & MASK). One match therefore covers exactly one block whose size is a power of two and whose start is a multiple of that size, and the mask must keep all the higher bits set, otherwise the same block is matched again at every higher multiple.
The classic recipe (find the 2^# ending of the port range, deduce the range and convert to hex) gives, for 10000 -> 11024 and a range of 1024:
# ending is 2^14 = 16384
Code:
2^13 (8192) < 10000 < 2^14 (16384)
# mask is 0x3C00
Code:
echo "obase=16;(2^14)-1024" | bc
But 10000 & 0x3C00 = 0x2400, so "dport 10000 0x3C00" actually matches 9216-10239, and because bits 14 and 15 are not in the mask also 25600-26623, 41984-43007 and 58368-59391. A block of 1024 ports needs the mask 0xFC00 (0xFFFF with the low 10 bits cleared) and a start that is a multiple of 1024, e.g. "match ip dport 10240 0xFC00" for 10240-11263. A range such as 10000-11024 that is not aligned cannot be expressed by a single match; it has to be split into several aligned blocks, each with its own filter line.
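As an added example (my shell functions, not from the original post), the mask arithmetic above done by the computer: what a given VALUE MASK pair really selects, and how to split an arbitrary range such as 10000-11024 into the aligned blocks a u32 match can express, printed as complete tc filter lines. Device eth0, parent 1: and flowid 1:1 are the ones from the QoS example above.

```shell
#!/bin/bash
# Port range arithmetic for tc u32 filters (added example).
# u32 selects port p when (p & MASK) == (VALUE & MASK), so one match covers an
# aligned power-of-two block; arbitrary ranges are split into several matches.

# u32_match_count VALUE MASK: how many of the 65536 ports one match selects
# (two choices for every bit the mask leaves free).
u32_match_count() {
    local free=$(( ~$2 & 0xFFFF )) n=1 bit
    for bit in $(seq 0 15); do
        [ $(( (free >> bit) & 1 )) -eq 1 ] && n=$(( n * 2 ))
    done
    echo "$n"
}

# u32_match_first VALUE MASK: the lowest port one match selects (VALUE & MASK).
u32_match_first() {
    echo $(( $1 & $2 ))
}

# u32_blocks LO HI: print "VALUE 0xMASK" lines whose matches together cover
# exactly LO..HI. Greedy: at each position take the largest block that is
# aligned to its own size and still ends at or before HI.
u32_blocks() {
    local hi=$2 start=$1 size
    while [ "$start" -le "$hi" ]; do
        size=1
        while [ $(( start % (size * 2) )) -eq 0 ] && [ $(( start + size * 2 - 1 )) -le "$hi" ]; do
            size=$(( size * 2 ))
        done
        printf '%d 0x%04X\n' "$start" $(( 0xFFFF & ~(size - 1) ))
        start=$(( start + size ))
    done
}

# tc_port_filters DEV LO HI FLOWID: the filter commands for the whole range.
tc_port_filters() {
    local dev=$1 lo=$2 hi=$3 flowid=$4 value mask
    u32_blocks "$lo" "$hi" | while read -r value mask; do
        echo "tc filter add dev $dev protocol ip parent 1: prio 1 u32 match ip dport $value $mask flowid $flowid"
    done
}

# What the recipe's mask really does, and the exact decomposition of 10000-11024:
echo "dport 10000 0x3C00 selects $(u32_match_count 10000 0x3C00) ports, the lowest being $(u32_match_first 10000 0x3C00)"
tc_port_filters eth0 10000 11024 1:1
```

The 1025 ports of 10000-11024 come out as eight filter lines (blocks of 16, 32, 64, 128, 512, 256, 16 and 1 ports). If eight rules are more than you want, pick an aligned range for the VoIP server instead (10240-11263 is a single match with mask 0xFC00) and tell the PBX to use it.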
NIS Debugging
Some commands which should work on a well configured NIS client:
# get the connected NIS server name (apt-get install nis to use)
Code:
ypwhich
# The NIS domain name as configured
Code:
domainname
# should display the group map from the NIS server
Code:
ypcat group
# Rebuild the yp database (on the master server)
Code:
cd /var/yp && make
Is ypbind running?
Code:
ps auxww | grep ypbind
# Check a map and see which server is master for it
Code:
yppoll passwd.byname
Code:
Map passwd.byname has order number 1190635041. Mon Sep 24 13:57:21 2007
The master server is servername.domain.net.
# The client configuration in /etc/yp.conf either names the server or lets the client find it by broadcast
Code:
nano -w /etc/yp.conf
Code:
ypserver servername
Code:
domain domain.net broadcast
Netcat
Netcat http://netcat.sourceforge.net (nc) is better known as the "network Swiss Army Knife",
it can manipulate, create or read/write TCP/IP connections. Here are some useful examples,
there are many more on the net, for example g-loaded.eu[...]
http://www.g-loaded.eu/2006/11/06/ne...seful-examples and here
http://www.terminally-incoherent.com...-netcat-tricks.
There are several netcat implementations: netcat-traditional listens with "nc -l -p PORT", the OpenBSD nc with "nc -l PORT" (it rejects -p together with -l). The examples below use both forms, adapt them to the one you have installed.
File transfer
Copy a large folder over a raw TCP connection. The transfer is very quick (no protocol overhead) and you don't need to mess with NFS, SMB or FTP: simply make the file available on the server and get it from the client. Here 192.168.1.1 is the server IP address. Keep in mind that there is no authentication or encryption at all: whoever connects first to the port gets the data, and nothing checks that the bytes arrived intact, so use this on a trusted network and compare checksums afterwards.
# Serve tar folder on port 4444
Code:
server: tar -cf - -C VIDEO_TS . | nc -l -p 4444
# Pull the folder from port 4444
Code:
client: nc 192.168.1.1 4444 | tar xpf - -C VIDEO_TS
# Serve a single file
Code:
server: cat largefile | nc -l 5678
# Pull the single file
Code:
client: nc 192.168.1.1 5678 > largefile
# Serve a partition image (da0 is the BSD disk name, on Linux use e.g. /dev/sda1; the partition must not be mounted while you copy it)
Code:
server: dd if=/dev/da0 | nc -l 4444
# Pull partition to clone (this overwrites the device on the client)
Code:
client: nc 192.168.1.1 4444 | dd of=/dev/da0
# Pull partition to file
Code:
client: nc 192.168.1.1 4444 | dd of=da0.img
Other hacks
Remote shell
# Provide a remote shell on port 4444 (a server backdoor). -e is not available in every build (the OpenBSD nc has none, ncat from the nmap package has it). Anyone who can reach the port gets a shell with your privileges and no password, so only run it for a moment on a trusted network and kill it afterwards.
Code:
nc -l -p 4444 -e /bin/bash
Emergency web server
Serve a single file on port 80 in a loop (port 80 needs root; the request is ignored and the file is sent to whoever connects).
Code:
while true; do nc -l -p 80 < unixtoolbox.xhtml; done
Chat
Joe and Carter can chat over a simple TCP socket. The text is transferred with the enter key. Joe (192.168.1.1) listens, Carter connects.
Code:
Joe: nc -l -p 4444
Code:
Carter: nc 192.168.1.1 4444
AJ