Bash test if port is open no external tools

Assume you do not have curl, telnet or netcat available (or your nc no longer supports -z, as in later versions... why did they remove it?). The following works with any recent Bash build, because /dev/tcp/HOST/PORT is a redirection target implemented by Bash itself rather than a real device:


(echo > /dev/tcp/skinner/22) >/dev/null 2>&1 && echo "Port is open" || echo "Port is closed"
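The same /dev/tcp trick, as an added example that is not part of the original post, wrapped in a function that bounds the connect time so a filtered port (no SYN/ACK, no RST) cannot hang the script until the kernel's TCP timeout expires; it reports open, closed or filtered. It assumes a Bash built with net redirections (the default on most distributions) and a coreutils sleep; everything else is a builtin.

```bash
#!/bin/bash
# port_check HOST PORT [TIMEOUT_SECONDS]
# Connects with Bash's built-in /dev/tcp pseudo-device, but runs the attempt
# in a background subshell so a filtered port (no SYN/ACK, no RST) cannot
# hang the caller until the kernel's TCP connect timeout expires.
# Exit status: 0 = open, 1 = closed or unreachable, 2 = timed out (filtered?)
port_check() {
    local host=$1 port=$2 timeout=${3:-3}
    ( exec 3<>"/dev/tcp/${host}/${port}" ) >/dev/null 2>&1 &
    local pid=$! waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            kill "$pid" 2>/dev/null || true
            wait "$pid" 2>/dev/null || true
            return 2
        fi
        sleep 1            # coreutils sleep: the only non-builtin used here
        waited=$((waited + 1))
    done
    wait "$pid"            # Bash remembers the exit status of reaped jobs
}

# port_state HOST PORT [TIMEOUT_SECONDS]: prints open, closed or filtered
port_state() {
    local rc=0
    port_check "$@" || rc=$?
    case $rc in
        0) echo open ;;
        2) echo filtered ;;
        *) echo closed ;;
    esac
}

# Stand-alone use: ./portcheck.sh HOST PORT (defaults to 127.0.0.1 22)
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    host=${1:-127.0.0.1} port=${2:-22}
    echo "$host:$port is $(port_state "$host" "$port")"
fi
```

A filtered result is the one the plain one-liner cannot tell apart from closed without waiting out the full TCP timeout.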

nJoy 😉

Rate Limiting in iptables

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
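Worth knowing: connlimit caps the number of concurrent connections per source address, not the rate at which new ones arrive. The following script (an added example, not from the original post) prints the connlimit rule above next to a hashlimit rule that limits new connections per second, and installs them only when APPLY=1; it assumes an iptables with the connlimit and hashlimit match modules.

```bash
#!/bin/bash
# Emits (and with APPLY=1 installs) two complementary limits for one TCP port:
#  - connlimit: caps *concurrent* connections per source IP (the rule above)
#  - hashlimit: caps the *rate* of new connections per source IP
# Every rule is printed first so the change can be reviewed before applying.
# Assumes iptables with the connlimit and hashlimit match modules available.

# run CMD...: print the command; execute it only when APPLY=1 (as root)
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# connlimit_rule PORT MAX: reject (with RST) once a source has MAX open
# connections to PORT; --connlimit-mask 32 counts per single IPv4 address
connlimit_rule() {
    local port=$1 max=$2
    run iptables -A INPUT -p tcp --syn --dport "$port" \
        -m connlimit --connlimit-above "$max" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
}

# hashlimit_rule PORT RATE BURST: drop SYNs from a source that opens more
# than RATE new connections per second, after an initial burst of BURST
hashlimit_rule() {
    local port=$1 rate=$2 burst=$3
    run iptables -A INPUT -p tcp --syn --dport "$port" \
        -m hashlimit --hashlimit-name "synlimit$port" --hashlimit-mode srcip \
        --hashlimit-above "${rate}/second" --hashlimit-burst "$burst" \
        -j DROP
}

# web_limits: the two rules for a web server on port 80
web_limits() {
    connlimit_rule 80 15
    hashlimit_rule 80 20 50
}

# rule_count FUNC: number of iptables commands FUNC would run (dry run)
rule_count() { "$1" | grep -c '^iptables '; }
```

Call web_limits to preview the rules; run it as root with APPLY=1 to install them.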

Setting a route for a nic in Linux

Put the route in the file named after the interface the route should go out through:

e.g. /etc/sysconfig/network-scripts/route-eth0

Create the entries (the directives are numbered, so a second route in the same file would use ADDRESS1, NETMASK1 and GATEWAY1):

ADDRESS0=192.168.4.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.1.250

nJoy 🙂

Limiting access iptables

This is a script I use to deploy iptables rules.

The sample handles SSH and MySQL and is easy to extend.

#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# SSH rules (only from the listed admin hosts)
iptables -A INPUT -i eth0 -p tcp -s 193.50.90.251 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 212.164.176.98 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#
# MySQL rules (admin hosts plus the two frontends)
iptables -A INPUT -i eth0 -p tcp -s 193.50.90.251 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 212.164.176.98 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow frontend 1
iptables -A INPUT -i eth0 -p tcp -s 191.94.70.36 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow frontend 2
iptables -A INPUT -i eth0 -p tcp -s 191.94.70.38 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
# (done after the ACCEPT rules above so the SSH session is never cut off)
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Save settings (RHEL/CentOS style, persists across reboots)
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v

nJoy 🙂

Moving a machine from one VM or physical box to another

This is the simple case where all we have is one disk that needs cloning.

Assumptions for the following example:

  1. The tools, including the BackTrack distro, are available and permitted by company policy (some c**ts get all agitated when sysadmins use a ‘knife’ to cut the ‘bread’, so be warned).
  2. Networking is in place for the transfer: preferably pre-organised IPs, gateway and DNS for resolving updates, ssh etc. Also verify the level of traffic your network guys are willing to tolerate for a long time; this should be your --rate-limit value (remember this value is in megabytes, so 9-10x the megabit bandwidth).
  3. Cloning one disk is enough to move the volumes. Complex LVM / software RAID setups, concats or stripes need further steps.
  4. For the sake of the example I assume this is a P2V, but the approach is just as good for a V2V.


Steps to perform:

  1. Download / burn BackTrack or Knoppix.
  2. Create a VM with a large enough disk and a widely supported disk subsystem and NICs, e.g. SCSI and e1000.
  3. Boot the two machines, i.e. physical (source) and VM (target), with BT.
  4. Enable ssh on both machines so that a third person can connect, if only to monitor the transfer.
  5. Connect to the receiving VM booted into the live CD.
  6. Set up a screen session so that your disconnection from the session does not affect the transfer: screen -S transfer
  7. Run nc -l -p 19000 | bzip2 -d | dd bs=16M of=/dev/sda replacing 19000 with the port you want to use and /dev/sda with the disk you are cloning onto.
  8. Connect to the transmitting side.
  9. Set up a screen session, as above: screen -S transfer
  10. Run dd bs=16M if=/dev/sda | pv --rate-limit 1M | bzip2 -c | nc 192.168.1.24 19000
    replacing the IP with the IP of the listener connected in point 5; you can skip the rate limit (--rate-limit 1M) if you want full throttle.
  11. Once finished you can boot the target VM and reconfigure it as you please.

An extra help might be connecting to the target box in another session and running iftop to watch the transfer.

nJoy.


Script to list all the MAC addresses on the system

Listing the MAC addresses of the NICs, excluding null or loopback MACs, i.e. 00:00:00:00:00:00:

grep -H . /sys/class/net/*/address | awk '{split($0,array,"address:");print array[2]}' | grep -v '00:00:00:00:00:00'
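The same sysfs walk as an added example (not from the original post), as a function that prints interface name and MAC, skips the all-zero address, and can be restricted to physical NICs (those with a device link in sysfs). The sysfs directory is a parameter so the function can be pointed at a copied tree; the interface names and MACs in the comments are constructed.

```bash
#!/bin/bash
# list_macs [SYSFS_NET_DIR] [physical]
#   SYSFS_NET_DIR defaults to /sys/class/net (overridable for testing);
#   pass "physical" as the second argument to drop virtual interfaces.
# Prints one "interface mac" pair per line, e.g. "eth0 52:54:00:12:34:56"
# (constructed sample), skipping the null MAC 00:00:00:00:00:00.
list_macs() {
    local dir=${1:-/sys/class/net} mode=${2:-all} addr iface mac
    for addr in "$dir"/*/address; do
        [ -r "$addr" ] || continue          # unmatched glob or unreadable
        iface=${addr%/address}; iface=${iface##*/}
        read -r mac < "$addr" || continue
        # Null MAC: loopback, tun/tap, some bonds before a slave is added.
        [ "$mac" = "00:00:00:00:00:00" ] && continue
        # Physical NICs have a 'device' symlink to their PCI/USB bus device;
        # bridges, veths, docker0 and friends do not.
        if [ "$mode" = physical ] && [ ! -e "$dir/$iface/device" ]; then
            continue
        fi
        printf '%s %s\n' "$iface" "$mac"
    done
}

# list_mac_addresses [SYSFS_NET_DIR] [physical]: just the MACs, one per
# line, which is what the original one-liner prints
list_mac_addresses() { list_macs "$@" | cut -d' ' -f2; }
```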


Wireshark: cutting the crap

DisplayFilters

Wireshark uses display filters for general packet filtering while viewing and for its ColoringRules.

The basics and the syntax of the display filters are described in the User’s Guide.

The master list of display filter protocol fields can be found in the display filter reference.

If you need a display filter for a specific protocol, have a look for it at the ProtocolReference.


Examples

Show only SMTP (port 25) and ICMP traffic:

  •  tcp.port eq 25 or icmp

Show only traffic in the LAN (192.168.x.x), between workstations and servers — no Internet:

  • ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16


Disable IPv6 in CentOS

  • Edit /etc/sysconfig/network and set "NETWORKING_IPV6" to "no"
  • For 5.4 and later, in /etc/modprobe.conf replace

alias ipv6 off

with

options ipv6 disable=1

Alternative (which might be easier and works on any release with /etc/modprobe.d):

# touch /etc/modprobe.d/disable-ipv6.conf
# echo "install ipv6 /bin/true" >> /etc/modprobe.d/disable-ipv6.conf

  • For CentOS 5.3 or older, add the following to /etc/modprobe.conf:

alias ipv6 off
alias net-pf-10 off

  • Run /sbin/chkconfig ip6tables off to disable the IPv6 firewall
  • Reboot the system

Note: with the 5.4 update, symbol/ipv6 module dependency capabilities were introduced; therefore, if IPv6 has previously been disabled as above, an upgrade to the bonding driver in 5.4 will result in the bonding kernel module failing to load. For the module to load properly, use instead:

# touch /etc/modprobe.d/disable-ipv6.conf
# echo "options ipv6 disable=1" >> /etc/modprobe.d/disable-ipv6.conf

Important: upstream employee Daniel Walsh recommends not disabling the ipv6 module but adding the following to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1

In short, this is what I do (the sysctl setting takes effect after sysctl -p or a reboot):

[root@toro.maranello.local ~]# echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf

While there I would turn off the ip6tables service as well:

[root@toro.maranello.local ~]# service ip6tables save
[root@toro.maranello.local ~]# service ip6tables stop
[root@toro.maranello.local ~]# chkconfig ip6tables off

NOTE: SSH X11 forwarding may (and probably will) stop working if you disable IPv6... just a heads up :)

nJoy 😉