Harry Sukumar's Weblog

Archive for July 4th, 2008

Linux Networking Part 3

Posted by hsukumar on 04/07/2008

Secure file transfer

Some simple commands:

# scp file.txt host-two:/tmp
# scp joe@host-two:/www/*.html /www/tmp
# scp -r joe@host-two:/www /www/tmp

In Konqueror or Midnight Commander it is possible to access a remote file system with the address fish://user@gate. However the implementation is very slow.

Furthermore, it is possible to mount a remote folder with sshfs, a file system client based on SCP. See fuse sshfs: http://fuse.sourceforge.net/sshfs.html.

Tunneling

SSH tunneling allows you to forward or reverse-forward a port over the SSH connection, thus securing the traffic and giving access to ports which would otherwise be blocked. This only works with TCP. The general nomenclature for forward and reverse is (see also ssh and NAT example):

# ssh -L localport:desthost:destport user@gate  # desthost as seen from the gate
# ssh -R destport:desthost:localport user@gate  # forwards your localport to destination
# ssh -X user@gate   # To force X forwarding

This will connect to gate and forward the local port to the host desthost:destport. Note desthost is the destination host as seen by the gate, so if the connection is to the gate, then desthost is localhost. More than one port forward is possible.

Direct forward on the gate

Let's say we want to access CVS (port 2401) and HTTP (port 80), which are running on the gate. This is the simplest example: desthost is thus localhost, and we use port 8080 locally instead of 80 so we don’t need to be root. Once the ssh session is open, both services are accessible on the local ports.

# ssh -L 2401:localhost:2401 -L 8080:localhost:80 user@gate

Netbios and remote desktop forward to a second server

Let's say a Windows smb server is behind the gate and is not running ssh. We need access to the smb share and also remote desktop to the server.

# ssh -L 139:smbserver:139 -L 3388:smbserver:3389 user@gate

The smb share can now be accessed with \\127.0.0.1\, but only if the local share is disabled, because the local share is listening on port 139.

It is possible to keep the local share enabled; for this we need to create a new virtual device with a new IP address for the tunnel, and the smb share will be connected over this address. Furthermore, the local RDP is already listening on 3389, so we choose 3388. For this example let’s use a virtual IP of 10.1.1.1.

* With putty use Source port=10.1.1.1:139. It is possible to create multiple loop devices and tunnels. On Windows 2000, only putty worked for me. On Windows Vista also forward port 445 in addition to port 139. Also on Vista the patch KB942624 prevents port 445 from being forwarded, so I had to uninstall this patch in Vista.

* With the ssh.com client, disable “Allow local connections only”. Since ssh.com will bind to all addresses, only a single share can be connected.

Now create the loopback interface with IP 10.1.1.1:

* System -> Control Panel -> Add Hardware. Answer “Yes, Hardware is already connected”, then choose “Add a new hardware device” (at bottom).

* Choose “Install the hardware that I manually select”, then Network adapters, Microsoft, Microsoft Loopback Adapter.

* Configure the IP address of the fake device to 10.1.1.1 mask 255.255.255.0, no gateway.

* Advanced -> WINS: Enable LMHosts Lookup; Disable NetBIOS over TCP/IP.

* Enable Client for Microsoft Networks. Disable File and Printer Sharing for Microsoft Networks.

I HAD to reboot for this to work. Now connect to the smb share with \\10.1.1.1 and remote desktop to 10.1.1.1:3388.

Debug

If it is not working:

* Are the ports forwarded? Check with netstat -an and look for 0.0.0.0:139 or 10.1.1.1:139.

* Does telnet 10.1.1.1 139 connect?

* You need the checkbox “Local ports accept connections from other hosts”.

* Is “File and Printer Sharing for Microsoft Networks” disabled on the loopback interface?

Connect two clients behind NAT

Suppose two clients are behind a NAT gateway and client cliadmin has to connect to client cliuser (the destination). Both can log in to the gate with ssh and are running Linux with sshd. You don’t need root access anywhere as long as the ports on gate are above 1024. We use 2022 on gate. Also, since the gate is used locally, the option GatewayPorts is not necessary.

On client cliuser (from destination to gate):

# ssh -R 2022:localhost:22 user@gate            # forwards client 22 to gate:2022

On client cliadmin (from host to gate):

# ssh -L 3022:localhost:2022 admin@gate         # forwards client 3022 to gate:2022

Now the admin can connect directly to the client cliuser with:

# ssh -p 3022 admin@localhost                   # local:3022 -> gate:2022 -> client:22

Connect to VNC behind NAT

Suppose a Windows client with VNC listening on port 5900 has to be accessed from behind NAT.

On client cliwin to gate:

# ssh -R 15900:localhost:5900 user@gate

On client cliadmin (from host to gate):

# ssh -L 5900:localhost:15900 admin@gate

Now the admin can connect directly to the client VNC with:

# vncconnect -display :0 localhost

Dig a multi-hop ssh tunnel

Suppose you cannot reach a server directly with ssh, but only via multiple intermediate hosts (for example because of routing issues). Sometimes it is still necessary to get a direct client-to-server connection, for example to copy files with scp, or to forward other ports like smb or vnc. One way to do this is to chain tunnels together to forward a port to the server along the hops. This “carrier” port only reaches its final destination on the last connection to the server.

Suppose we want to forward the ssh port from a client to a server over two hops. Once the tunnel is built, it is possible to connect to the server directly from the client (and also add another port forward).

Create tunnel in one shell

client -> host1 -> host2 -> server and dig tunnel 5678

client># ssh -L5678:localhost:5678 host1        # 5678 is an arbitrary port for the tunnel
host_1># ssh -L5678:localhost:5678 host2        # chain 5678 from host1 to host2
host_2># ssh -L5678:localhost:22 server         # end the tunnel on port 22 on the server

Use tunnel with another shell

client -> server using tunnel 5678

# ssh -p 5678 localhost                         # connect directly from client to server
# scp -P 5678 myfile localhost:/tmp/            # or copy a file directly using the tunnel
# rsync -e 'ssh -p 5678' myfile localhost:/tmp/ # or rsync a file directly to the server

This information is from http://cb.vu


Linux Networking Part 2

Posted by hsukumar on 04/07/2008

Firewall

Check if a firewall is running (typical configuration only):

Linux

# iptables -L -n -v                  # For status

Open the iptables firewall

# iptables -P INPUT       ACCEPT     # Open everything
# iptables -P FORWARD     ACCEPT
# iptables -P OUTPUT      ACCEPT
# iptables -Z                        # Zero the packet and byte counters in all chains
# iptables -F                        # Flush all chains
# iptables -X                        # Delete all chains

NAT Network Address Translation

Linux

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE    # to activate NAT
# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 20022 -j DNAT \
--to 192.168.16.44:22           # Port forward 20022 to internal IP port ssh
# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 993:995 -j DNAT \
--to 192.168.16.254:993-995     # Port forward of range 993-995
# ip route flush cache
# iptables -L -t nat            # Check NAT status

Delete the port forward with -D instead of -A.
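
As an added example (not from the original post or from cb.vu), the script below reads the text printed by `iptables -S` and `iptables -t nat -S` and lists the chains that filter nothing, as after the "open everything" commands, plus each DNAT port forward. The function names open_chains and list_dnat and the sample rule text are constructed for illustration.

```shell
#!/bin/sh
# Added example: review rule text produced by `iptables -S`.

# Built-in chains with policy ACCEPT and no DROP/REJECT rule (heuristic:
# jumps into user-defined chains are not followed).
open_chains() {
    awk '
    $1 == "-P" { policy[$2] = $3 }
    $1 == "-A" && / -j (DROP|REJECT)/ { blocks[$2]++ }
    END {
        for (c in policy)
            if (policy[c] == "ACCEPT" && blocks[c] == 0) print c
    }' | sort
}

# One line per DNAT rule: "<destination> <dport> -> <internal target>".
list_dnat() {
    awk '
    $1 == "-A" && / -j DNAT / {
        dst = "any"; dport = "any"; to = "?"
        for (i = 2; i < NF; i++) {
            if ($i == "-d")      { dst = $(i + 1); sub(/\/32$/, "", dst) }
            if ($i == "--dport") { dport = $(i + 1) }
            if ($i == "--to-destination") { to = $(i + 1) }
        }
        print dst, dport, "->", to
    }'
}

# Constructed sample input, reusing the addresses from the commands above.
SAMPLE_FILTER='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -d 78.31.70.238/32 -p tcp -m tcp --dport 20022 -j DNAT --to-destination 192.168.16.44:22
-A PREROUTING -d 78.31.70.238/32 -p tcp -m tcp --dport 993:995 -j DNAT --to-destination 192.168.16.254:993-995
-A POSTROUTING -o eth0 -j MASQUERADE'

printf '%s\n' "$SAMPLE_FILTER" | open_chains   # chains that filter nothing
printf '%s\n' "$SAMPLE_NAT" | list_dnat        # forwards to review
```

On a live system, feed it `iptables -S` and `iptables -t nat -S` instead of the samples. A FORWARD chain reported as open means the DNAT'ed traffic reaches the internal hosts unfiltered.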

DNS

On Unix the DNS entries are valid for all interfaces and are stored in /etc/resolv.conf. The domain to which the host belongs is also stored in this file. A minimal configuration is:

nameserver 130.244.21.21
search harrysukumar.net harrysukumar.com harry.sukumar.org
domain harrysukumar.com

Forward queries

Dig is your friend to test the DNS settings. For example, the public DNS server 213.133.105.2 (ns.second-ns.de) can be used for testing. See from which server the client receives the answer (simplified answer).

# dig sleepyowl.net
sleepyowl.net.          600     IN      A       78.31.70.238
;; SERVER: 192.168.51.254#53(192.168.51.254)

The router 192.168.51.254 answered and the response is the A entry. Any entry can be queried and the DNS server can be selected with @:

# dig MX google.com
# dig @127.0.0.1 NS sun.com          # To test the local server
# dig @204.97.212.10 NS MX heise.de  # Query an external server
# dig AXFR @ns1.xname.org cb.vu      # Get the full zone (zone transfer)

The program host is also powerful.

# host -t MX cb.vu                   # Get the mail MX entry
# host -t NS -T sun.com              # Get the NS record over a TCP connection
# host -a sleepyowl.net              # Get everything

Reverse queries

Find the name belonging to an IP address (in-addr.arpa.). This can be done with dig, host and nslookup:

# dig -x 78.31.70.238
# host 78.31.70.238
# nslookup 78.31.70.238

/etc/hosts

Single hosts can be configured in the file /etc/hosts instead of running named locally to resolve the hostname queries. The format is simple, for example:

78.31.70.238   sleepyowl.net   sleepyowl

The priority between hosts and a DNS query, that is the name resolution order, can be configured in /etc/nsswitch.conf AND /etc/host.conf.

Traffic analysis

Bmon is a small console bandwidth monitor and can display the flow on different interfaces.

Sniff with tcpdump

# tcpdump -nl -i bge0 not port ssh and src \(192.168.16.121 or 192.168.16.54\)
# tcpdump -n -i eth1 net 192.168.16.121           # select to/from a single IP
# tcpdump -n -i eth1 net 192.168.16.0/24          # select traffic to/from a network
# tcpdump -l > dump & tail -f dump                # Buffered output
# tcpdump -i rl0 -w traffic.rl0                   # Write traffic headers in binary file
# tcpdump -i rl0 -s 0 -w traffic.rl0              # Write traffic + payload in binary file
# tcpdump -r traffic.rl0                          # Read from file (also for ethereal)
# tcpdump port 80                                 # The two classic commands
# tcpdump host google.com
# tcpdump -i eth0 -X port \(110 or 143\)          # Check if pop or imap is secure
# tcpdump -n -i eth0 icmp                         # Only catch pings
# tcpdump -i eth0 -s 0 -A port 80 | grep GET      # -s 0 for full packet -A for ASCII

Additional important options:

*   -A     Print each packet in clear text (without header)

*   -X     Print packets in hex and ASCII

*   -l     Make stdout line buffered

*   -D     Print all interfaces available

On Windows use windump from www.winpcap.org. Use windump -D to list the interfaces.

Scan with nmap

Nmap (http://insecure.org/nmap/) is a port scanner with OS detection. It is usually installed on most distributions and is also available for Windows. If you don’t scan your servers, hackers do it for you…

# nmap 192.168.12.1               # scans all reserved TCP ports on the host
# nmap -sP 192.168.12.0/24         # Find out which IPs are used and by which host on 0/24. This one is really cool, try it, you will like it
# nmap -sS -sV -O 192.168.12.22    # Do a stealth SYN scan with version and OS detection. This one is better than the previous one, you will love it :)

Netcat is better known as the “network Swiss Army Knife”; it can manipulate, create or read/write TCP/IP connections. Here are some useful examples; there are many more on the net.


Linux Networking Part 1

Posted by hsukumar on 04/07/2008

# ethtool eth0              # Show the ethernet status (replaces mii-diag)
# ethtool -s eth0 speed 100 duplex full # Force 100Mbit Full duplex
# ethtool -s eth0 autoneg off # Disable auto negotiation
# ethtool -p eth1           # Blink the ethernet led – very useful when supported
# ip link show              # Display all interfaces on Linux (similar to ifconfig)
# ip link set eth0 up       # Bring device up (or down). Same as “ifconfig eth0 up”
# ip addr show              # Display all IP addresses on Linux (similar to ifconfig)
# ip neigh show             # Similar to arp -a

Routing

Print routing table

# route -n                  # Linux or use “ip route”
# netstat -rn               # Linux, BSD and UNIX
# route print               # Windows

Add and delete a route

# route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.16.254
# ip route add 192.168.20.0/24 via 192.168.16.254       # same as above with ip route
# route add -net 192.168.20.0 netmask 255.255.255.0 dev eth0
# route add default gw 192.168.51.254
# ip route add default via 192.168.51.254 dev eth0      # same as above with ip route
# route delete -net 192.168.20.0 netmask 255.255.255.0

Windows

# Route add 192.168.50.0 mask 255.255.255.0 192.168.51.253
# Route add 0.0.0.0 mask 0.0.0.0 192.168.51.254

Configure additional IP addresses

# ifconfig eth0 192.168.50.254 netmask 255.255.255.0       # First IP
# ifconfig eth0:0 192.168.51.254 netmask 255.255.255.0     # Second IP
# ip addr add 192.168.50.254/24 dev eth0                   # Equivalent ip commands
# ip addr add 192.168.51.254/24 dev eth0 label eth0:1

Change MAC address

Normally you have to bring the interface down before the change. Don’t tell me why you want to change the MAC address…

# ifconfig eth0 down
# ifconfig eth0 hw ether 00:01:02:03:04:05      # Linux
# ifconfig fxp0 link 00:01:02:03:04:05          # FreeBSD
# ifconfig hme0 ether 00:01:02:03:04:05         # Solaris
# sudo ifconfig en0 ether 00:01:02:03:04:05     # Mac OS X Tiger
# sudo ifconfig en0 lladdr 00:01:02:03:04:05    # Mac OS X Leopard

There are many tools for Windows that can do this job for you without typing commands, for example etherchange and so on.

Ports in use

Listening open ports:

# netstat -an | grep LISTEN
# lsof -i                  # Linux list all Internet connections
# socklist                 # Linux display list of open sockets
# sockstat -4              # FreeBSD application listing
# netstat -anp --udp --tcp | grep LISTEN        # Linux
# netstat -tup             # List active connections to/from system (Linux)
# netstat -tupl            # List listening ports from system (Linux)
# netstat -ano             # Windows
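
The netstat listings above, and the Debug check from the tunneling post (look for 0.0.0.0:139 or 10.1.1.1:139), as an added example that is not part of the original post: it sorts listeners by bind address so a forwarded port that is reachable from other hosts stands out. The function names and the sample output are constructed; the parser assumes the Linux or Windows `netstat -an` column layout.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets by bind address.
# Input: `netstat -an` text on stdin (Linux or Windows column layout).
classify_listeners() {
    awk '
    /LISTEN/ {
        la = ""
        # The local address is the first field ending in ":<port>".
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { la = $i; break }
        if (la == "") next                  # e.g. unix domain sockets
        port = la; sub(/^.*:/, "", port)
        addr = la; sub(/:[0-9]+$/, "", addr)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # Windows prints [::]
        if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "all-interfaces"
        else
            scope = "single-address"
        print port, addr, scope
    }'
}

# Ports that accept connections on every interface, one per line.
exposed_ports() {
    classify_listeners | awk '$3 == "all-interfaces" { print $1 }' | sort -n -u
}

# Constructed sample output using ports and addresses from the posts.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3022          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
  TCP    10.1.1.1:139           0.0.0.0:0              LISTENING
tcp        0      0 192.168.16.44:22        78.31.70.238:51000      ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
```

A tunnel port that shows up as all-interfaces is reachable by anyone who can reach the machine, not only by local programs.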
