Harry Sukumar’s Weblog

Just another WordPress.com weblog

Linux Networking Part 2

Posted by hsukumar on July 4, 2008

Firewall

Check if a firewall is running (typical configuration only):
Linux

# iptables -L -n -v                  # For status
Open the iptables firewall
# iptables -P INPUT       ACCEPT     # Open everything
# iptables -P FORWARD     ACCEPT
# iptables -P OUTPUT      ACCEPT
# iptables -Z                        # Zero the packet and byte counters in all chains
# iptables -F                        # Flush all chains
# iptables -X                        # Delete all chains
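A small check to go with the status command above, added here as an example and not part of the original post: it reads the output of `iptables -L -n -v` and tells you whether the filter table is actually filtering or has been left wide open by the `-P ACCEPT` / `-F` sequence. The two outputs below are constructed samples in iptables' own listing format; on a live box you would call `firewall_state "$(iptables -L -n -v)"`.

```shell
#!/bin/sh
# Added example, not part of the original post: decide from the output of
# `iptables -L -n -v` whether the filter table is doing anything at all.
# Both listings are constructed samples in iptables' own format.

SAMPLE_FILTERING='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  840 61200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1200 96000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3100 packets, 250K bytes)
 pkts bytes target     prot opt in     out     source               destination'

SAMPLE_OPEN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# chain_policy OUTPUT CHAIN -> default policy of CHAIN (ACCEPT or DROP)
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" \
        '$1 == "Chain" && $2 == chain { sub(/\)$/, "", $4); print $4 }'
}

# rule_count OUTPUT CHAIN -> number of rules listed under CHAIN
rule_count() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain"           { inchain = ($2 == chain); next }  # chain header
        inchain && $1 == "pkts" { next }                           # column header
        inchain && NF > 0       { n++ }                            # a real rule
        END                     { print n + 0 }'
}

# firewall_state OUTPUT -> "open" when INPUT and FORWARD accept everything by
# default and carry no rules (what -P ACCEPT plus -F leaves behind),
# otherwise "filtering"
firewall_state() {
    for chain in INPUT FORWARD; do
        if [ "$(chain_policy "$1" "$chain")" != ACCEPT ] || \
           [ "$(rule_count "$1" "$chain")" -ne 0 ]; then
            echo filtering
            return 0
        fi
    done
    echo open
}

echo "sample 1: $(firewall_state "$SAMPLE_FILTERING")"   # filtering
echo "sample 2: $(firewall_state "$SAMPLE_OPEN")"        # open
```

OUTPUT is deliberately left out of the decision: an ACCEPT policy there is the normal case, it is INPUT and FORWARD that decide whether the box is exposed.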

NAT Network Address Translation

Linux

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE    # to activate NAT
# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 20022 -j DNAT \
--to 192.168.16.44:22           # Port forward 20022 to internal IP port ssh
# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 993:995 -j DNAT \
--to 192.168.16.254:993-995     # Port forward of range 993-995
# ip route flush cache
# iptables -L -t nat            # Check NAT status

Delete the port forward with -D instead of -A.
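The two port-forward rules are easy to get subtly wrong, because `--dport` writes a range as `low:high` while `--to` writes it as `ip:low-high`, and because the delete must repeat the add exactly. The helper below is an added example, not from the original post; it builds the command for either action and prints it instead of running it, so the rule can be reviewed before it goes in. The addresses and ports are the post's own sample values.

```shell
#!/bin/sh
# Added example, not part of the original post: build the DNAT port-forward
# commands from above, with the right range syntax for each option and the
# -A / -D pairing needed to add and later delete the same rule.

# port_forward add|delete PUBLIC_IP PORTS INTERNAL_IP [INTERNAL_PORTS]
#   PORTS is a single port or a range written "low:high" (the --dport form).
#   INTERNAL_PORTS defaults to PORTS. The command is printed, not executed.
port_forward() {
    case $1 in
        add)    flag=-A ;;
        delete) flag=-D ;;
        *) echo "usage: port_forward add|delete pub_ip port[:port] int_ip [port[:port]]" >&2
           return 1 ;;
    esac
    pub=$2; ports=$3; intip=$4; intports=${5:-$3}

    # only digits and at most one colon, nothing like ":22", "22:" or "1:2:3"
    case $ports in
        *[!0-9:]*|:*|*:|*:*:*|'') echo "bad port spec: $ports" >&2; return 1 ;;
    esac
    low=${ports%%:*}; high=${ports##*:}
    if [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] || [ "$low" -gt "$high" ]; then
        echo "port out of range: $ports" >&2; return 1
    fi

    # --dport takes "low:high", --to takes "ip:low-high"
    dest="$intip:$(printf '%s' "$intports" | tr ':' '-')"
    printf 'iptables -t nat %s PREROUTING -p tcp -d %s --dport %s -j DNAT --to %s\n' \
        "$flag" "$pub" "$ports" "$dest"
}

# the post's two rules, first as add then as the matching delete
port_forward add    78.31.70.238 20022   192.168.16.44  22
port_forward add    78.31.70.238 993:995 192.168.16.254
port_forward delete 78.31.70.238 993:995 192.168.16.254
```

Pipe the output into `sh` once you are happy with it; the delete line is exactly the add line with `-D`, which is what `iptables -D` needs to find the rule.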

DNS

On Unix the DNS entries are valid for all interfaces and are stored in /etc/resolv.conf. The domain to which the host belongs is also stored in this file. A minimal configuration is:

nameserver 130.244.21.21
search harrysukumar.net harrysukumar.com harry.sukumar.org
domain harrysukumar.com

Forward queries

Dig is your friend for testing the DNS settings. For example the public DNS server 213.133.105.2 (ns.second-ns.de) can be used for testing. See from which server the client receives the answer (simplified output):

# dig sleepyowl.net
sleepyowl.net.          600     IN      A       78.31.70.238
;; SERVER: 192.168.51.254#53(192.168.51.254)

The router 192.168.51.254 answered and the response is the A entry. Any entry can be queried and the DNS server can be selected with @:

# dig MX google.com
# dig @127.0.0.1 NS sun.com          # To test the local server
# dig @204.97.212.10 NS MX heise.de  # Query an external server
# dig AXFR @ns1.xname.org cb.vu      # Get the full zone (zone transfer)

The program host is also powerful.

# host -t MX cb.vu                   # Get the mail MX entry
# host -t NS -T sun.com              # Get the NS record over a TCP connection
# host -a sleepyowl.net              # Get everything
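The `;; SERVER:` line in dig's output is worth checking automatically, not just reading: if the answer comes from a server that is not in /etc/resolv.conf, something between the client and the resolver is rewriting DNS. The functions below are an added example, not from the original post; the dig output and the resolv.conf text are constructed samples modelled on the ones above.

```shell
#!/bin/sh
# Added example, not part of the original post: pull the answering server and
# the A record out of dig's output and check the server against resolv.conf.
# Both inputs are constructed samples in the real tools' formats.

SAMPLE_DIG='
; <<>> DiG 9.4.2 <<>> sleepyowl.net
;; ANSWER SECTION:
sleepyowl.net.          600     IN      A       78.31.70.238

;; Query time: 31 msec
;; SERVER: 192.168.51.254#53(192.168.51.254)
;; WHEN: Fri Jul  4 12:00:00 2008'

SAMPLE_RESOLV='nameserver 192.168.51.254
search harrysukumar.net harrysukumar.com
domain harrysukumar.com'

# dig_server DIG_OUTPUT -> IP of the server that answered
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# dig_answer DIG_OUTPUT NAME TYPE -> rdata of the first matching answer record
dig_answer() {
    printf '%s\n' "$1" | awk -v n="$2." -v t="$3" \
        '$1 == n && $3 == "IN" && $4 == t { print $5; exit }'
}

# check_resolver DIG_OUTPUT RESOLV_CONF -> "ok" if the answer came from a
# nameserver listed in resolv.conf, otherwise name the unexpected server
check_resolver() {
    srv=$(dig_server "$1")
    if [ -n "$srv" ] && printf '%s\n' "$2" \
         | awk '$1 == "nameserver" { print $2 }' | grep -qxF "$srv"; then
        echo ok
    else
        echo "unexpected resolver: $srv"
    fi
}

# on a live box: check_resolver "$(dig sleepyowl.net)" "$(cat /etc/resolv.conf)"
echo "answered by: $(dig_server "$SAMPLE_DIG")"
echo "A record:    $(dig_answer "$SAMPLE_DIG" sleepyowl.net A)"
echo "resolver:    $(check_resolver "$SAMPLE_DIG" "$SAMPLE_RESOLV")"
```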

Reverse queries

Find the name belonging to an IP address (in-addr.arpa.). This can be done with dig, host and nslookup:

# dig -x 78.31.70.238
# host 78.31.70.238
# nslookup 78.31.70.238

/etc/hosts

Single hosts can be configured in the file /etc/hosts instead of running named locally to resolve the hostname queries. The format is simple, for example:

78.31.70.238   sleepyowl.net   sleepyowl

The priority between hosts and a dns query, that is the name resolution order, can be configured in /etc/nsswitch.conf AND /etc/host.conf.
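Because /etc/hosts is consulted before DNS in the usual `files dns` order, a stray entry there silently overrides what the nameserver says. The script below is an added example, not from the original post: it reads the `hosts:` line of nsswitch.conf, looks a name up in a hosts file the way the resolver does (canonical name or alias, comments ignored) and compares the result with an IP obtained from DNS. The nsswitch.conf and hosts contents are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: resolution order from
# nsswitch.conf, a lookup in /etc/hosts format, and a check for an /etc/hosts
# entry that overrides DNS. Both files below are constructed samples.

SAMPLE_NSSWITCH='passwd:   files
group:    files
hosts:    files dns
networks: files'

SAMPLE_HOSTS='127.0.0.1      localhost
78.31.70.238   sleepyowl.net   sleepyowl      # the entry from the post
# 10.0.0.5     oldbox                         commented out, must be ignored'

# resolution_order NSSWITCH_TEXT -> the sources on the hosts: line, in order
resolution_order() {
    printf '%s\n' "$1" | awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print }'
}

# hosts_lookup HOSTS_TEXT NAME -> IP whose canonical name or alias is NAME
hosts_lookup() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ || NF < 2 { next }               # comment lines and blanks
        { sub(/#.*/, "") }                          # trailing comments
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# hosts_vs_dns HOSTS_TEXT NAME DNS_IP -> "consistent", "not in hosts" or an
# override message when the local file and DNS disagree
hosts_vs_dns() {
    local_ip=$(hosts_lookup "$1" "$2")
    if [ -z "$local_ip" ]; then
        echo "not in hosts"
    elif [ "$local_ip" = "$3" ]; then
        echo consistent
    else
        echo "override: hosts says $local_ip, dns says $3"
    fi
}

# on a live box: hosts_vs_dns "$(cat /etc/hosts)" sleepyowl.net "$(dig +short sleepyowl.net)"
echo "order:   $(resolution_order "$SAMPLE_NSSWITCH")"
echo "lookup:  $(hosts_lookup "$SAMPLE_HOSTS" sleepyowl)"
echo "compare: $(hosts_vs_dns "$SAMPLE_HOSTS" sleepyowl.net 78.31.70.238)"
```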

Traffic analysis

Bmon is a small console bandwidth monitor and can display the flow on different interfaces.
Sniff with tcpdump

# tcpdump -nl -i bge0 not port ssh and src \(192.168.16.121 or 192.168.16.54\)
# tcpdump -n -i eth1 net 192.168.16.121           # select to/from a single IP
# tcpdump -n -i eth1 net 192.168.16.0/24          # select traffic to/from a network
# tcpdump -l > dump && tail -f dump               # Buffered output
# tcpdump -i rl0 -w traffic.rl0                   # Write traffic headers in binary file
# tcpdump -i rl0 -s 0 -w traffic.rl0              # Write traffic + payload in binary file
# tcpdump -r traffic.rl0                          # Read from file (also for ethereal)
# tcpdump port 80                                 # The two classic commands
# tcpdump host google.com
# tcpdump -i eth0 -X port \(110 or 143\)          # Check if pop or imap is secure
# tcpdump -n -i eth0 icmp                         # Only catch pings
# tcpdump -i eth0 -s 0 -A port 80 | grep GET      # -s 0 for full packet -A for ASCII

Additional important options:

*   -A     Print each packet in clear text (without header)

*   -X     Print packets in hex and ASCII

*   -l     Make stdout line buffered

*   -D     Print all interfaces available

On Windows use windump from www.winpcap.org. Use windump -D to list the interfaces.
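The `-X port (110 or 143)` line above is how you find out whether mail clients on your network still log in in the clear. Doing the same check over a saved `-A` dump is what the added example below does; it is not from the original post. It walks the text output, remembers the sender of each packet from the header line, and reports the verb (USER, PASS or LOGIN) and the sending socket when a POP3 or IMAP login is visible, without printing the credential itself. The capture is a constructed sample in tcpdump's `-A` format; remember that without `-s 0` the payload is cut off and these lines never appear.

```shell
#!/bin/sh
# Added example, not part of the original post: find POP3 / IMAP logins sent
# in the clear in the text output of `tcpdump -n -i eth0 -s 0 -A port \(110 or 143\)`.
# The capture below is a constructed sample; passwords in it are made up.

SAMPLE_CAPTURE='12:00:01.123456 IP 192.168.16.121.51234 > 78.31.70.238.110: Flags [P.], seq 1:12, ack 20, win 64240, length 11
E..3..@.@.....
USER harry
12:00:01.234567 IP 78.31.70.238.110 > 192.168.16.121.51234: Flags [P.], seq 20:37, ack 12, win 65535, length 17
+OK password required
12:00:01.345678 IP 192.168.16.121.51234 > 78.31.70.238.110: Flags [P.], seq 12:23, ack 37, win 64240, length 11
PASS xxxxxxx
12:00:02.000000 IP 192.168.16.54.40000 > 78.31.70.238.143: Flags [P.], seq 1:28, ack 1, win 64240, length 27
a001 LOGIN bob yyyyyyyyy
12:00:03.000000 IP 192.168.16.54.40001 > 78.31.70.238.143: Flags [P.], seq 1:16, ack 1, win 64240, length 15
a002 STARTTLS'

# cleartext_logins CAPTURE_TEXT -> one line "src.port VERB" per login
# command seen in the clear; the credential itself is never printed
cleartext_logins() {
    printf '%s\n' "$1" | awk '
        /^[0-9:.]+ IP / { src = $3; next }                 # packet header: remember the sender
        /^USER / || /^PASS / { print src " " $1; next }    # POP3 authentication in the clear
        /^[A-Za-z0-9]+ LOGIN / { print src " LOGIN" }      # IMAP LOGIN (tag first) in the clear
    '
}

# starttls_count CAPTURE_TEXT -> how many sessions at least asked for TLS
starttls_count() {
    printf '%s\n' "$1" | grep -c '^[A-Za-z0-9]* *STARTTLS'
}

# on a live box: cleartext_logins "$(tcpdump -n -i eth0 -s 0 -A -c 500 port \(110 or 143\))"
cleartext_logins "$SAMPLE_CAPTURE"
echo "sessions that started TLS: $(starttls_count "$SAMPLE_CAPTURE")"
```

Each reported socket is a client that should be switched to POP3S/IMAPS or STARTTLS; the STARTTLS count shows which ones already do it right.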

Scan with nmap

Nmap (http://insecure.org/nmap/) is a port scanner with OS detection; it is usually installed on most distributions and is also available for Windows. If you don’t scan your servers, hackers do it for you…

# nmap 192.168.12.1               # scans all reserved TCP ports on the host
# nmap -sP 192.168.12.0/24          # Find out which IPs are in use on the /24 and by which host. This one is really cool, try it, you will like it
# nmap -sS -sV -O 192.168.12.22     # Do a stealth SYN scan with version and OS detection. This one is even better than the previous one, you will love it :)
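The `-sP` sweep is most useful when you compare it against what you expect to be on the network: every host that is up but not on your list is either a forgotten machine or an unwanted one. The script below is an added example, not from the original post; it parses nmap's "Host ... appears to be up" lines (and the newer "Nmap scan report for" wording) and lists the live hosts missing from an inventory. The scan output and the inventory are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: turn `nmap -sP` output into a
# list of live hosts and report the ones missing from a known-host inventory.
# The scan output and inventory below are constructed samples.

SAMPLE_SCAN='Starting Nmap 4.62 ( http://nmap.org ) at 2008-07-04 12:00 CEST
Host 192.168.12.1 appears to be up.
Host fileserver.local (192.168.12.22) appears to be up.
Host 192.168.12.77 appears to be up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

KNOWN_HOSTS='# ip            owner
192.168.12.1    gateway
192.168.12.22   fileserver'

# nmap_live_hosts SCAN_TEXT -> one IP per live host; handles both the
# nmap 4.x wording used above and the later "Nmap scan report for" lines
nmap_live_hosts() {
    printf '%s\n' "$1" | awk '
        /^Host .* appears to be up/ || /^Nmap scan report for / {
            # prefer the parenthesised IP nmap prints after a resolved name
            if (match($0, /\([0-9.]+\)/)) print substr($0, RSTART + 1, RLENGTH - 2)
            else if ($1 == "Host")         print $2
            else                           print $5
        }'
}

# unknown_hosts SCAN_TEXT INVENTORY_TEXT -> live IPs not listed in the inventory
# (inventory format: one IP per line, first column, # comments allowed)
unknown_hosts() {
    known=$(printf '%s\n' "$2" | sed 's/#.*//' | awk 'NF { print $1 }')
    nmap_live_hosts "$1" | while read -r ip; do
        printf '%s\n' "$known" | grep -qxF "$ip" || echo "$ip"
    done
}

# on a live network: unknown_hosts "$(nmap -sP 192.168.12.0/24)" "$(cat known-hosts.txt)"
echo "live hosts:"
nmap_live_hosts "$SAMPLE_SCAN"
echo "not in inventory:"
unknown_hosts "$SAMPLE_SCAN" "$KNOWN_HOSTS"
```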

is better known as the “network Swiss Army Knife”; it can manipulate, create or read/write TCP/IP connections. Here are some useful examples; there are many more on the net.

2 Responses to “Linux Networking Part 2”

  1. name said

    Hello!,

  2. Hi
    Nice job, very interesting stuff. I wish I could understand it all.
    I like all this stuff.
