Linux networking

From miki

=== Transparent SOCKS proxy via tuntap device (badvpn-tun2socks) ===
See [[tun2socks]].
Using '''[https://github.com/ambrop72/badvpn badvpn-tun2socks]''', one can set up a virtual <code>tun0</code> interface whose traffic is fed into a SOCKS proxy (e.g. an SSH dynamic port forward) and route all Internet traffic through it. This gives a transparent SOCKS proxy without configuring each application (no more <code>http_proxy</code> or per-application proxy settings). Note what it does not cover: tun2socks forwards TCP, forwards UDP only through udpgw (see below), does not forward ICMP, and with the IPv4-only configuration used here does not capture IPv6, which still leaves through the normal IPv6 default route if the network provides one.

;Build badvpn-tun2socks and badvpn-udpgw
We follow [https://github.com/ambrop72/badvpn/wiki/Tun2socks badvpn-tun2socks] wiki:
<source lang="bash">
mkdir badvpn-build
cd badvpn-build
cmake /path/to/badvpn -DBUILD_NOTHING_BY_DEFAULT=1 -DBUILD_TUN2SOCKS=1 -DBUILD_UDPGW=1
make
sudo cp tun2socks/badvpn-tun2socks /usr/local/bin
sudo cp udpgw/badvpn-udpgw /usr/local/bin
</source>

;Start SSH SOCKS proxy
See [[SSH]]. The proxy must listen on <code>127.0.0.1:1080</code>, the address given to <code>--socks-server-addr</code> below.
Typically the command is something like:
<source lang="bash">
ssh -N -n -f -D 127.0.0.1:1080 SSH_SERVER
</source>

;Create tun0 interface and start badvpn-tun2socks
We follow the wiki. See also [https://github.com/ambrop72/badvpn/issues/50 issue #50]. The TUN device is created by root but owned by an unprivileged BADVPN_USER, so that badvpn-tun2socks itself does not run as root: once the persistent device exists and is configured, attaching to it only requires access to <code>/dev/net/tun</code>, not CAP_NET_ADMIN.
<source lang="bash">
ip tuntap add dev tun0 mode tun user BADVPN_USER
ip addr add 10.0.0.1/24 dev tun0
ip link set tun0 up
su BADVPN_USER -c "setsid badvpn-tun2socks --logger syslog --loglevel warning --tundev tun0 --netif-ipaddr 10.0.0.2 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:1080"
</source>
The interface, its address and the daemon do not depend on which network the machine is attached to, so this part can be done once at boot. The routes (next step) cannot: they depend on the current default gateway.

;Create the route and set gateway
On a laptop, the route configuration depends on the network the laptop is currently connected to (the default gateway changes), so it cannot be done once at boot. We must:
* Add a host route to the SSH server through the existing gateway, with a lower metric than the original default route. Without it, the SSH session's own packets would be routed into <code>tun0</code> and handed to the SOCKS proxy, which is that very SSH session: a loop, and the tunnel never comes up.
* If the DNS servers are on the Internet (rather than on the local network), also add host routes for them, like for the SSH server. This is needed because tun2socks does not forward UDP by default (see below). Note that DNS queries then leave the machine unproxied, which is a privacy consideration as well as a functional one; with udpgw enabled these routes can be dropped.
* Add a default route through the virtual router in the TUN device (<code>10.0.0.2</code>, the <code>--netif-ipaddr</code> above), with a lower metric than the original default route. The host routes are more specific than any default route and win regardless of metric; giving them the lowest metric just keeps the intent readable.

Check the result with <code>route -n</code> or <code>ip route</code>: NetworkManager installs its default route with metric 100 or more, which is why metric 6 wins below, but a default route added by <code>dhclient</code> alone has metric 0 and would keep precedence.

<source lang="bash">
route add SSH_SERVER gw DEFAULT_GW metric 5
# If DNS server not on local network: route add DNS_SERVER gw DEFAULT_GW metric 5
# to collect DNS server ip: nmcli device show eth0 | grep DNS
route add default gw 10.0.0.2 metric 6     # 10.0.0.2 is the tun2socks --netif-ipaddr, not the tun0 address
</source>

;UDP forwarding

tun2socks can forward UDP, but this requires a daemon, badvpn-udpgw, running on the remote SSH server: tun2socks wraps UDP datagrams into a TCP connection that it opens through the SOCKS proxy to udpgw, which unwraps them and sends them out from the server. To enable UDP forwarding:

* On the remote SSH server, start: <code>badvpn-udpgw --listen-addr 127.0.0.1:7300</code>. Binding to loopback is deliberate: udpgw does not authenticate its clients, so it must only be reachable through the SSH tunnel.
* Add the following arguments to badvpn-tun2socks: <code>--udpgw-remote-server-addr 127.0.0.1:7300</code>. This address is connected to through the SOCKS proxy, so it refers to the SSH server's loopback, not the laptop's.

On the remote SSH server, create the file {{file|/etc/systemd/system/udpgw.service}} (<code>User=</code> is the unprivileged account that runs udpgw there):
<source lang="text">
[Unit]
Description=UDP forwarding for badvpn-tun2socks
After=nss-lookup.target

[Service]
ExecStart=/usr/local/bin/badvpn-udpgw --listen-addr 127.0.0.1:7300
User=immie

[Install]
WantedBy=multi-user.target
</source>
Enable and start the service:
<source lang="bash">
systemctl daemon-reload
systemctl enable udpgw
systemctl start udpgw
systemctl status udpgw
ss -lpn | grep 7300
</source>

;Troubleshooting
* Find the DNS servers currently in use (NetworkManager):
<source lang="bash">
nmcli device show eth0 | grep DNS
</source>
* View routing table
<source lang="bash">
route -n
</source>
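
The routing step above as a script, added here as an example that is neither from this wiki nor from the badvpn project. It assumes illustration values (SSH server 203.0.113.10, gateway 192.168.1.1 on 192.168.1.0/24, DNS servers 192.168.1.1 and 9.9.9.9; the tun2socks virtual router 10.0.0.2 is the one used above) and uses the <code>ip route</code> syntax instead of <code>route</code>. By default it only prints the routes; with <code>--apply</code> (as root) it installs them and then checks the resulting table: the SSH host route must go via the real gateway, and the tun0 default must have a strictly lower metric than every other default route, otherwise the original default keeps winning.

```shell
#!/bin/bash
# Added example (not from the wiki or badvpn): generate, apply and verify the
# route set for the tun2socks setup. Illustration values, not from the page:
# SSH server 203.0.113.10, gateway 192.168.1.1 on 192.168.1.0/24, DNS servers
# 192.168.1.1 and 9.9.9.9. The tun router 10.0.0.2 is the --netif-ipaddr above.
set -eu

ip2int() {                         # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_prefix() {                      # in_prefix IP NET/LEN -> true if IP lies inside NET/LEN
    local ip=$1 net=${2%/*} len=${2#*/} mask
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the ip(8) commands in the order they must be applied:
#  - /32 host routes via the real gateway (metric 5) for the SSH server and for
#    every DNS server outside the local prefix, so that neither the SSH session
#    itself nor unproxied DNS is ever routed into tun0;
#  - the new default via the tun2socks virtual router with metric 6.
# Args: ssh_server gateway local_prefix tun_router "dns1 dns2 ..."
gen_routes() {
    local ssh=$1 gw=$2 prefix=$3 tun=$4 dns=${5:-} h
    printf 'ip route add %s/32 via %s metric 5\n' "$ssh" "$gw"
    for h in $dns; do
        in_prefix "$h" "$prefix" && continue      # on-link resolver needs no route
        printf 'ip route add %s/32 via %s metric 5\n' "$h" "$gw"
    done
    printf 'ip route add default via %s metric 6\n' "$tun"
}

# Check an `ip route show` table: the SSH host route must point at the real
# gateway and the tun default must beat every other default route on metric
# (a default route printed without "metric" has metric 0 and would win).
# Args: "<ip route show output>" tun_router ssh_server gateway
verify_routes() {
    printf '%s\n' "$1" | awk -v tun="$2" -v ssh="$3" -v gw="$4" '
        function metric(   i) { for (i = 1; i < NF; i++) if ($i == "metric") return $(i+1) + 0; return 0 }
        $1 == ssh && $2 == "via" && $3 == gw   { hostok = 1 }
        $1 == "default" && $3 == tun           { tunm = metric(); tunset = 1 }
        $1 == "default" && $3 != tun           { m = metric(); if (!oset || m < omin) { omin = m; oset = 1 } }
        END { exit !(hostok && tunset && (!oset || tunm < omin)) }'
}

main() {
    local ssh=203.0.113.10 gw=192.168.1.1 prefix=192.168.1.0/24 tun=10.0.0.2
    local dns="192.168.1.1 9.9.9.9"
    if [ "${1:-}" = "--apply" ]; then             # needs root and a running tun2socks
        gen_routes "$ssh" "$gw" "$prefix" "$tun" "$dns" | sh -e
        verify_routes "$(ip route show)" "$tun" "$ssh" "$gw" && echo "routes OK"
    else
        gen_routes "$ssh" "$gw" "$prefix" "$tun" "$dns"   # dry run: print only
    fi
}
main "${1:-}"
```

Two things the script encodes that are easy to forget by hand: a DNS server inside the local prefix gets no host route (it is on-link already), and the metric check is strict, so a bare <code>dhclient</code> default route (metric 0) is reported as a failure rather than silently leaving all traffic unproxied. Remember also that if tun2socks dies the tun0 default disappears and traffic falls back to the real default route; there is no kill switch here.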


== Questions ==

Revision as of 17:44, 22 September 2017


ARP (Address Resolution Protocol)


ARP is a protocol used for resolution of network layer addresses (OSI level 3, e.g. IP addresses) into link layer addresses (OSI level 2, e.g. MAC addresses).

Example (adapted from wikipedia):

Computers A and B are in an office, connected to each other on the office local area network by Ethernet cables and network switches, with no intervening gateways or routers. A wants to send a packet to B. Through other means, it determines that B's IP address is 192.168.0.55. In order to send the message, it also needs to know B's MAC address:

  • First, A uses a cached ARP table to look up B's MAC address from B's IP address. If the MAC address is found, it sends the IP packet on the link layer to that MAC address via the local network cabling.
  • If the cache did not produce any result, A has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for B's IP address. B responds with its MAC address. B may insert an entry for A into its own ARP table for future use. The response information is cached in A's ARP table and the message can now be sent.

ARP Proxy

Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel. The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as publishing.

  • (+) simplicity. A router may extend a network without knowledge of the upstream router.
  • (-) scalability
  • (-) reliability (no fallback mechanism)
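
A check that follows from the above, added here as an example (not from the wiki): a proxy ARP router answers with its own MAC for addresses that are not its own, and an ARP-spoofing attacker on the LAN does exactly the same thing to become a man-in-the-middle. So a MAC that the neighbour cache maps to several IPv4 addresses deserves a look, and the gateway's MAC should match a recorded baseline. The script parses <code>ip neigh show</code> output; the sample table and the baseline MAC below are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the wiki): inspect the ARP/neighbour cache for MACs
# that answer for several IPv4 addresses (proxy ARP, or ARP spoofing) and for a
# changed gateway MAC. The sample table and the baseline MAC are constructed.
set -eu

# Constructed `ip neigh show` output: the gateway's MAC also claims 192.168.1.21.
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.21 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.99 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE'

# shared_macs "<ip neigh output>": one line "MAC ip ip ..." per MAC that is
# cached for more than one IPv4 address. IPv6 rows are skipped because a router
# legitimately carries its link-local address on the same MAC; rows without
# lladdr (FAILED/INCOMPLETE) carry no answer and are skipped too.
shared_macs() {
    printf '%s\n' "$1" | awk '
        $1 !~ /:/ { for (i = 1; i < NF; i++) if ($i == "lladdr") { mac = $(i+1); ips[mac] = ips[mac] " " $1; n[mac]++ } }
        END { for (m in n) if (n[m] > 1) print m ips[m] }' | sort
}

# mac_of "<ip neigh output>" IP: the MAC currently cached for IP (empty if none).
mac_of() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i+1) }'
}

# gateway_ok "<ip neigh output>" GW_IP BASELINE_MAC: true if the cached gateway
# MAC equals the one recorded when the network was known to be clean.
gateway_ok() {
    [ "$(mac_of "$1" "$2")" = "$3" ]
}

main() {
    local table=$SAMPLE_NEIGH
    [ "${1:-}" = "--live" ] && table=$(ip neigh show)     # real cache instead of the sample
    echo "MACs answering for several IPv4 addresses:"
    shared_macs "$table"
    gateway_ok "$table" 192.168.1.1 00:11:22:33:44:55 && echo "gateway MAC matches baseline" \
        || echo "gateway MAC CHANGED, investigate"
}
main "${1:-}"
```

Run with <code>--live</code> to inspect the real cache. A hit in <code>shared_macs</code> is expected on a network that deliberately uses proxy ARP (the router's MAC for every published address); on an ordinary LAN it is the signature of a spoofed entry, and a gateway MAC that differs from the baseline is the classic symptom of a man-in-the-middle.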

Gateway

If, after routing, the selected route contains the IP address of a gateway, the destination address in the IP packet is *not* changed. Instead, the link layer is told to use the gateway's MAC address in the frame header instead of the MAC address of the destination IP (see [1]). This is why a host only ever needs ARP entries for addresses on its own link: the gateway and the directly connected hosts.

Tun/Tap devices

tun/tap are software-only interfaces, accessed through a character device (usually /dev/net/tun), that allow userspace networking: a tun device exchanges raw IP packets (layer 3) with the process, a tap device exchanges Ethernet frames (layer 2). Creating a device needs CAP_NET_ADMIN, but a persistent device created with an owning user (as below) can afterwards be attached to by that unprivileged user.

On Linux, there are basically 3 ways to create tun/tap devices:

  • ip (package iproute, aka iproute2 [2]). Unfortunately this option is only available in recent distributions (not available in Ubuntu Lucid):
    ip tuntap help
    ip tuntap add dev tun0 mode tap user $USER
  • openvpn:
    sudo openvpn --mktun --dev tun0 --user $USER
    sudo openvpn --rmtun --dev tun0
  • tunctl. Do not use the version from package uml-utilities because it can only create tap devices, not tun. Instead fetch the latest version from SourceForge:
    sudo tunctl -n -u $USER       # Create a tun device. '-n' can be replaced by '-t tun0'

See the how-to section below to learn how to create VPNs with virtual devices.

Wake-on-LAN

See gWakeOnLan.

Firewall / iptables


Summary of iptables:

  • There are several tables: filter (the default), nat, mangle, raw and security.
  • In the filter table, there are 3 builtin chains: INPUT, OUTPUT and FORWARD.
  • The other tables have their own builtin chains (e.g. PREROUTING and POSTROUTING in nat), and tools such as ufw add many user-defined chains.
  • In each chain, rules are processed in sequence. If the packet matches the rule, the counters for that rule are incremented; if the rule has a terminating target (ACCEPT, DROP, REJECT, RETURN), it is taken and processing of the chain ends; a non-terminating target such as LOG or MARK is executed and processing continues with the next rule, as it does when the rule has no target at all. If the end of a builtin chain is reached, the chain's policy (ACCEPT or DROP) applies.
  • One can create custom chains, and use rules with RETURN as target inside them to go back to the calling chain, for building more elaborate rule sets.

Some tricks:

  • To view all current iptables rules:
sudo iptables --list -n -v
  • Save all rules in readable / restorable form:
sudo iptables-save > iptables-rules
  • iptables-restore does not accept commands like -N mychain to create a chain. Instead declare the chain in the save format (name, policy, which is '-' for user-defined chains, then packet and byte counters):
#-N my-chain
:my-chain - [0:0]
  • To clear all rules:
 sudo iptables -F           # flush
 sudo iptables -X           # Delete all chains but builtin

Example of a rule set. This one was added to /etc/ufw/before.rules (see Nxl67170 - Windows and Dansguardian for more examples). It restricts the user with uid 7000 (the account running VirtualBox, judging by the log prefix): traffic to 92.120.124.210 and to the Active Directory ports (TCP 135, 139, 389, 445 and 88 for Kerberos; UDP 53, 137, 138, 389) is accepted, anything else towards 92.120.0.0/16 is logged and rejected, and all other destinations are accepted. The owner match only exists in the OUTPUT path, which is why these rules sit in ufw-before-output:

:vbox-output-logging-deny - [0:0]
:vbox-output-logging-allow - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p udp -m multiport --dports 53,137,138,389 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp --dport 88 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT
# -A vbox-output-logging-allow -p tcp -m multiport --dports 135,139,389,445 -j RETURN
# -A vbox-output-logging-allow -p udp -m multiport --dports 53,137,138,389 -j RETURN
# -A vbox-output-logging-allow -p tcp -m multiport --dports 88 -j RETURN
# -A vbox-output-logging-allow -j LOG --log-prefix "[UFW ALLOW] [VBOX] "
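
An added check (not from the wiki) for the restore pitfall noted above: iptables-restore only creates chains declared with a <code>:name - [0:0]</code> line, and fails on the first <code>-A</code> or <code>-j</code> that names a chain it has not seen. The script lists such chains in a rule fragment and converts a commented <code>#-N name</code> into the proper declaration. Its sample input is the VirtualBox rule set above with the deny chain declared the wrong way; <code>ufw-before-output</code> is passed as a chain known to exist elsewhere in before.rules.

```shell
#!/bin/bash
# Added example (not from the wiki): find chains a rule fragment uses but never
# declares, the error iptables-restore would stop on. Sample input is the page's
# VirtualBox rule set with the deny chain "declared" via a commented -N line.
set -eu

SAMPLE_RULES='#-N vbox-output-logging-deny
:vbox-output-logging-allow - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT'

# undeclared_chains "<rules>" "known1 known2 ...": chains that appear after -A,
# -j or -g but are neither declared with ":name - [0:0]" in the fragment, nor
# builtin, nor a standard target, nor listed as known (declared elsewhere).
# Only the save format (-A lines) is handled, which is what restore reads.
undeclared_chains() {
    printf '%s\n' "$1" | awk -v known="${2:-}" '
        BEGIN {
            n = split("ACCEPT DROP REJECT RETURN LOG MARK CONNMARK MASQUERADE SNAT DNAT REDIRECT NFQUEUE QUEUE NOTRACK CT TCPMSS INPUT OUTPUT FORWARD PREROUTING POSTROUTING " known, t, " ")
            for (k = 1; k <= n; k++) decl[t[k]] = 1
        }
        /^#/ { next }                                  # iptables-restore ignores comments, "#-N x" included
        /^:/ { name = substr($1, 2); decl[name] = 1; next }   # ":name - [0:0]" declares a user chain
        /^-A / { used[$2] = 1; for (i = 3; i < NF; i++) if ($i == "-j" || $i == "-g") used[$(i+1)] = 1 }
        END { for (c in used) if (!(c in decl)) print c }' | sort
}

# fix_chain_decls "<rules>": turn a commented "#-N name" into ":name - [0:0]".
fix_chain_decls() {
    printf '%s\n' "$1" | sed -E 's/^#-N ([^ ]+)$/:\1 - [0:0]/'
}

main() {
    echo "chains used but not declared (would break iptables-restore):"
    undeclared_chains "$SAMPLE_RULES" ufw-before-output
    echo "after fix_chain_decls:"
    undeclared_chains "$(fix_chain_decls "$SAMPLE_RULES")" ufw-before-output
}
main "${1:-}"
```

On the host itself, <code>iptables-restore --test < file</code> (as root) parses the whole file against the kernel without committing it and is the authoritative check; this script only catches the declaration mistake, but it runs anywhere, for instance as a pre-commit hook on the etckeeper repository that tracks /etc/ufw.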

UFW

On Ubuntu, the default firewall is UFW.

When deploying UFW, first move the user rules to /etc/ufw so that they can be tracked by etckeeper:

cd /lib/ufw
sudo mv user* /etc/ufw
sudo ln -s /etc/ufw/user.rules
sudo ln -s /etc/ufw/user6.rules

Then enable ufw:

sudo ufw enable

It is easy to add new rules for ufw:

sudo ufw allow from 192.168.11.2                   # Enable full access from local virtualbox
sudo ufw allow from 172.19.0.0/16 to any port 22   # Enable - from home local network - SSH
sudo ufw reload

WINS and NetBIOS

To enable WINS and NetBIOS name resolution on Ubuntu [3]:

sudo apt-get install winbind libnss-winbind             # samba must be installed as well

Edit /etc/nsswitch.conf:

-hosts:      files dns
+hosts:      files dns wins

Then reload:

sudo service winbind reload

IPv4 vs IPv6

  • Define in /etc/hosts (note that alias names always come last [4]):
::1 ipv6.localdomain ipv6
127.0.0.1 ipv4.localdomain ipv4
Then use the ipv4/ipv6 hostnames wherever a particular address family is needed.

Tips and How-tos

Auto-mount network shares with autofs

  • To troubleshoot autofs [5], stop the service and run the automounter in the foreground:
sudo service autofs stop
sudo automount -f -v
  • Use option --ghost to show share directories when browsing mount points [6]:
# mount point   config file        options
/-              /etc/auto.direct   --ghost
/misc           /etc/auto.misc     --timeout=30 --ghost
+auto.master
  • Mount sshfs with autofs [7]. Install the necessary packages:
sudo apt-get install sshfs autofs
    Add the current user to group fuse:
usermod -a -G fuse tjansson
    Add to /etc/auto.master:
/sshfs              /etc/auto.sshfs                 uid=1000,gid=1000,--timeout=30,--ghost
    Add to /etc/auto.sshfs (this assumes the key has no passphrase, since nobody is there to type it when autofs mounts; the example uses a DSA key, which OpenSSH 7.0 and later refuse by default, so use an RSA or Ed25519 key on current systems):
alpha-blue -fstype=fuse,rw,nodev,nonempty,noatime,allow_other,max_read=65536,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789 :sshfs\#nightmoore@alpha-blue\:
    To troubleshoot, first add to /etc/fstab:
sshfs#nightmoore@alpha-blue:/ /mnt/sshfstab/        fuse    user,_netdev,reconnect,uid=1000,gid=1000,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789,idmap=user,allow_other,default_permissions,debug,sshfs_debug  0   2
    then
mount /mnt/sshfstab
    The options debug,sshfs_debug give very verbose debug output [8].

Auto-mount network shares with libpam-mount


libpam-mount allows you to mount automatically network shares when you login, using your login password as credentials.

  • The advantage is that, unlike for autofs, you don't need to store your password in a file;
  • However, your username/password must be the same as the ones used to mount the network drive.

Install libpam-mount:

sudo apt-get install libpam-mount

Edit /etc/security/pam_mount.conf.xml as follows:

  • Uncomment luserconf.
  • Add the necessary allow options to <mntoptions> tag.
<!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,dmask,username,domain,iocharset,dir_mode" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

Create the user file ~/.pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>

<pam_mount>
<volume options="nosuid,nodev,dir_mode=0700,iocharset=utf8" user="*" mountpoint="/media/mediashare" path="sharename" server="servername" fstype="cifs" />
</pam_mount>

Network setup via command line

sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0     # static address (legacy net-tools)
sudo route add default gw 192.168.1.129                  # default gateway; must lie inside the configured subnet
sudo vi /etc/resolv.conf                                 # resolver configuration, e.g.:
# nameserver 192.168.1.129
# search domainname
sudo dhclient eth0                                       # or: obtain address, gateway and DNS via DHCP
Note that dhclient, NetworkManager or resolvconf will overwrite a hand-edited /etc/resolv.conf, and that these settings are lost at reboot unless put in the distribution's network configuration.

Transparent SOCKS proxy via tuntap device (badvpn-tun2socks)

See tun2socks.

Questions

  • Difference between ifconfig(8), route(8) and ip(8)?
    From [10]: And remember: every time you use ifconfig(8), Cthulhu eats a kitten. Please, think of the kittens
    This HOW-TO says that route and ip(8) are not compatible.
    Why does iproute2 say that Linux kernels 2.2 and up include a completely redesigned network subsystem, and that the legacy tools arp, ifconfig and route are obsolete and show unexpected behaviour with features that are only accessible through iproute2 ([11])?
    43. LVS: Newer networking tools: Policy Routing gives more examples of ifconfig (wrongly) hiding the complexity of an interface having multiple IP addresses.

Troubleshooting

See Network troubleshooting.