Networking

IP dev commands

Command                                                      Description
ip addr add <ip.ad.d.r>/<prefixlen> dev <interface>          adds an IP address to the given interface, e.g. ip addr add 10.1.1.2/24 dev eth1
ip addr add <ip.ad.d.r>/<prefixlen> dev <interface>:<number> adds an IP address to the virtual (alias) interface <interface>:<number>, e.g. ip addr add 10.1.1.3/24 dev eth1:1
ip addr delete <ip.ad.d.r>/<prefixlen> dev <interface>       removes an IP address from the given interface, e.g. ip addr delete 10.1.1.2/24 dev eth1
ip addr flush dev <interface>                                flushes all addresses configured on the interface

IP ARP commands

To interact with the ARP table, ip gives you the parameters neigh/neighbour and ntable.

If you have net-tools installed, you can also use the binary arp, and the package arpwatch would give you even more monitoring tools for ARP.

Show ARP table and cache

To list the ARP table you can run the following command:

$ ip neigh show
10.0.2.2 dev eth0   lladdr 42:42:00:42:42:ff REACHABLE

and to list the parameters of the neighbour caches (ARP for IPv4, NDISC for IPv6) use ntable show:

$ ip ntable show
inet arp_cache
    thresh1 128 thresh2 512 thresh3 1024 gc_int 30000
    refcnt 1 reachable 42888 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet arp_cache
    dev lxcbr0
    refcnt 3 reachable 41816 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet arp_cache
    dev eth0
    refcnt 3 reachable 15160 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet arp_cache
    dev lo
    refcnt 2 reachable 37256 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet6 ndisc_cache
    thresh1 128 thresh2 512 thresh3 1024 gc_int 30000
    refcnt 1 reachable 29564 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0

inet6 ndisc_cache
    dev lxcbr0
    refcnt 1 reachable 17420 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0

inet6 ndisc_cache
    dev eth0
    refcnt 4 reachable 36568 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0

inet6 ndisc_cache
    dev lo
    refcnt 3 reachable 20468 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0

Modify ARP table and cache

ip neigh gives you 5 additional parameters to interact with the ARP table:

Parameter  Description
add        add a new neighbour entry
change     change an existing neighbour entry
delete     delete a neighbour entry
flush      flush neighbour entries
replace    add or change a neighbour entry

For more details, please have a look at the man page of ip.

Network Namespace

Have you ever been in the situation where you had to do something on the network without using your default routes, NIC, ... ? For sure, right. Or maybe you had to use a different exit point.

There are quite a few solutions for things like this, such as creating SOCKS proxies over SSH tunnels and then redirecting the application into the tunnel. Sure, that works, and we all know it.

Or maybe you have to run an application which should not use your default route but a different one, without impacting the current setup of the other applications on your server.

There are different ways to do this, and one of them is Network Namespaces (netns).

List Namespaces

To get a list of all active namespaces, you can use the command lsns, which will show you namespaces of every type. If you only want to see the network namespaces, use the command ip netns:

$ ip netns
my_second
my_first_netns

Creating a Network Namespace

To create a network namespace run ip netns add <netns_name>:

$ ip netns add my_first_netns
$ ip netns add my_second

Run commands in netns

After you have created a netns, you can use ip netns exec <netns_name> <command> to run commands inside it.

The command ip -n <netns_name> is a shortcut for ip netns exec <netns_name> ip:

$ ip -n my_first_netns a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Loopback interface

If you need the loopback interface inside your netns you have to set the link up, as by default it is down:

$ ip -n my_first_netns link set dev lo up
$ ip -n my_first_netns a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

Assign network interface from host to netns

By assigning a network interface from your host system to the netns you create the possibility for the netns to talk to the outside network.

There are several use cases for this, as already said at the beginning, e.g. to test network connectivity between VLANs, to let applications use different network paths, and so on.

For now, let's assume we want to let an application communicate using its own interface.

After you have added the interface to the netns it will no longer be visible on your host system until you delete the netns again:

$ ip link set dev eno3 netns my_first_netns
$ ip -n my_first_netns a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: eno3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a4:78:da:a1:47:3c brd ff:ff:ff:ff:ff:ff
    altname enp2s0f2

The next step is to assign an IP address to the interface and bring it up:

$ ip -n my_first_netns addr add 10.0.0.50/24 dev eno3
$ ip -n my_first_netns link set dev eno3 up
$ ip -n my_first_netns a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: eno3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether b4:7a:f1:33:a7:7e brd ff:ff:ff:ff:ff:ff
    altname enp2s0f2
    inet 10.0.0.50/24 scope global eno3
       valid_lft forever preferred_lft forever

Now we add the routing table information:

$ ip -n my_first_netns route add default dev eno3
$ ip -n my_first_netns route
default dev eno3 scope link

DNS inside of netns

IPs cannot always be used and you have to use domains/FQDNs/... as targets. In order to resolve them, you have to configure a nameserver for the netns.

Create on the host system, beneath /etc/netns/<netns_name>, the file resolv.conf with the following content:

nameserver <ip of your DNS server used by network namespace>

You can add everything you are used to adding to the resolv.conf on your host system too, but keep it simple ;)

After adding it, you will be able to resolve DNS queries: ip netns exec bind-mounts this file over /etc/resolv.conf for every process it starts in that netns.

Running an application inside of the netns

To run an application inside a netns, use the ip netns exec command again.

Running an application directly in netns:

$ ip netns exec my_first_netns curl ifconfig.me
86.107.21.20

Run bash (shell) or tmux in netns:

$ ip netns exec my_first_netns sudo su - my_user -c "bash"
$ ip netns exec my_first_netns sudo su - my_user -c "tmux"
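The whole netns procedure above (create, bring up lo, move the interface, address it, add the route, write the namespace's resolv.conf) as one script, added here as an example and not part of the original page. It assumes iproute2 and root for a real run; my_first_netns, eno3 and 10.0.0.50/24 are the page's sample values, the DNS address 10.0.0.1 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: the netns steps above as one
# script with input validation and a dry-run mode. Assumes iproute2; a real
# run needs root. Set DRY_RUN=1 to print the commands instead of running them.

# run: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# validate_netns_inputs NAME IFACE CIDR DNS: refuse odd names and, above all,
# an address without a prefix length (ip silently treats it as /32, so no
# subnet route is created for the interface).
validate_netns_inputs() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) echo "bad netns name: $1" >&2; return 1 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $2" >&2; return 1 ;; esac
    case "$3" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[1-9]|[0-9]*.[0-9]*.[0-9]*.[0-9]*/[1-3][0-9]) ;;
        *) echo "address must be CIDR like 10.0.0.50/24: $3" >&2; return 1 ;;
    esac
    case "$4" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "bad DNS server address: $4" >&2; return 1 ;;
    esac
}

# setup_netns NAME IFACE CIDR DNS: create the namespace, bring up lo, move the
# host interface in (it vanishes from the host until the netns is deleted),
# address it, add the on-link default route and write the namespace's own
# resolv.conf under /etc/netns/NAME, exactly as the page does by hand.
setup_netns() {
    ns=$1; iface=$2; cidr=$3; dns=$4
    validate_netns_inputs "$ns" "$iface" "$cidr" "$dns" || return 1
    run ip netns add "$ns"
    run ip -n "$ns" link set dev lo up
    run ip link set dev "$iface" netns "$ns"
    run ip -n "$ns" addr add "$cidr" dev "$iface"
    run ip -n "$ns" link set dev "$iface" up
    run ip -n "$ns" route add default dev "$iface"
    run mkdir -p "/etc/netns/$ns"
    run sh -c "printf 'nameserver %s\n' '$dns' > /etc/netns/$ns/resolv.conf"
}

# Usage with the page's sample values (10.0.0.1 is a constructed DNS address):
#   DRY_RUN=1 setup_netns my_first_netns eno3 10.0.0.50/24 10.0.0.1
```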

nmcli

nmcli is the client interface for NetworkManager. If you execute nmcli without any parameters you will get a short overview of all interfaces.

Active connection profiles

By adding connection show as parameters, you will get a list of connection profiles like this (active profiles show the device they are bound to in the DEVICE column):

$ nmcli connection show
NAME                UUID                                  TYPE       DEVICE
Wired connection 2  11111111-1111-1111-1111-111111111111  ethernet   enp1s1f2
wg0                 22222222-2222-2222-2222-222222222222  wireguard  wg0
wlan_ssid_home      33333333-3333-3333-3333-333333333333  wifi       --
my_neighbors_wifi   11111111-1111-1111-1111-111111111111  wifi       --
my_secret_wifi      11111111-1111-1111-1111-111111111111  wifi       --
your_secret_wifi    11111111-1111-1111-1111-111111111111  wifi       --
hotel_VIP_Wlan      11111111-1111-1111-1111-111111111111  wifi       --
hotel_GUEST_Wlan    11111111-1111-1111-1111-111111111111  wifi       --
Wired connection 1  11111111-1111-1111-1111-111111111111  ethernet   enp1s1f1

Reconnect to known network

To reconnect to an already known network profile, just specify the profile name.

This applies to wifi and wired network profiles:

$ nmcli connection up <profile name>

Disconnect from network

To disconnect from a network, just replace up in the command above with down ;)

$ nmcli connection down <profile name>

List available wifi networks

To list available networks, you can use the parameters device wifi list:

$ nmcli device wifi list
IN-USE  BSSID              SSID         MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
        11:11:11:11:11:11  ssid1_guest  Infra  11    195 Mbit/s  100     ▂▄▆█  WPA3
        11:11:11:11:11:11  ssid2_work   Infra  11    195 Mbit/s  100     ▂▄▆█  WPA3
        11:11:11:11:11:11  ssid3_home   Infra  11    195 Mbit/s  100     ▂▄▆█  WPA3
        11:11:11:11:11:11  ssid4_game   Infra  1     270 Mbit/s  50      ▂▄__  WPA3
        11:11:11:11:11:11  ssid5_fun    Infra  44    135 Mbit/s  25      ▂___  WPA3

Connect to new wifi network

Without password

$ nmcli dev wifi connect <network-ssid>

With password

Via stdin: by adding --ask as parameter, you will be prompted on your screen to enter the password:

$ nmcli --ask dev wifi connect <network-ssid>

As parameter:

$ nmcli dev wifi connect <network-ssid> password "<network-password>"

Add mac address to connection

To ensure that a specific connection is used with a specific MAC address, you can add it like so:

$ nmcli connection modify <Connection name> ethernet.cloned-mac-address <mac address>          # for ethernet connections
$ nmcli connection modify <Connection name> 802-11-wireless.cloned-mac-address <mac address>   # for wireless connections

Rename connection

To rename an existing connection inside of your NetworkManager space use the following command:

$ nmcli connection modify <Connection name> con-name <New connection name>

Add firewalld zone to connection

This command allows you to add a firewalld zone to an existing connection:

$ nmcli connection modify <Connection name> connection.zone <firewalld zone name>

WIFI manual setup

Scan for all wifi networks and connect to one (without password):

$ iwlist <NIC> scan
$ iwconfig <NIC> essid <essid>

If a password is needed, create the PSK first with wpa_passphrase:

$ wpa_passphrase ssid pwd                 # e.g.  wpa_passphrase suchademon.tempwlan asdf
$ vim /etc/network/interfaces
  iface <WLANINTERFACE> inet dhcp
    wpa-ssid "<SSID>"
    wpa-psk <PSKfromWPA_PASSPHRASE>
$ ifup <WLANINTERFACE>

VPN

Wireguard

Presharedkey

To set up a PresharedKey in WireGuard, you have to specify it in the WireGuard config. On the server and also on the clients, the PresharedKey has to be placed in the [Peer] section.

For example:

[Peer]
PresharedKey = FUhD2qtz5VumhcCbHmrTwe8OijozrKRgKir0MlY0sy4=
PublicKey = ....
Endpoint = ....
AllowedIPs = ....

To generate such a key, use the command wg genpsk; its output will look similar to this:

$ wg genpsk
FUhD2qtz5VumhcCbHmrTwe8OijozrKRgKir0MlY0sy4=

As this is always in the [Peer] section, it is very easy, and recommended, to use a separate preshared key for each peer!
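A small audit for the per-peer rule above, added here as an example and not part of the original page or of WireGuard itself: it reports [Peer] sections without a PresharedKey and keys shared by several peers, and generates a fresh key (via wg genpsk where installed, otherwise 32 random bytes base64-encoded, which is the same format). The sample config and its keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: audit a WireGuard config for the
# per-peer PresharedKey practice described above (every [Peer] has one, none is
# reused) and generate a new key. The wg tool is optional: without it a key is
# made from 32 random bytes, base64-encoded, which is what wg genpsk outputs.

# gen_psk: print one fresh preshared key in wg genpsk format.
gen_psk() {
    command -v wg >/dev/null 2>&1 && wg genpsk || head -c 32 /dev/urandom | base64
}

# psk_is_wellformed KEY: 43 base64 characters plus one '=' (32 bytes encoded).
psk_is_wellformed() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# audit_wg_psk CONFIG: print "peers=N missing=M duplicate=D", where missing
# counts [Peer] sections without a PresharedKey and duplicate counts keys that
# appear in more than one [Peer] section.
audit_wg_psk() {
    awk '
        /^\[Peer\]/ { peer++; has[peer] = 0 }
        /^[ \t]*PresharedKey[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            has[peer] = 1
            if (seen[$0]++) dup++
        }
        END {
            for (p = 1; p <= peer; p++) if (!has[p]) missing++
            printf "peers=%d missing=%d duplicate=%d\n", peer, missing, dup
        }' "$1"
}

# Constructed sample config with placeholder keys (not real ones): the second
# peer has no PresharedKey and the third reuses the first peer's key.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
[Peer]
PublicKey = placeholder-public-key-1
PresharedKey = 0123456789012345678901234567890123456789012=
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = placeholder-public-key-2
AllowedIPs = 10.8.0.3/32
[Peer]
PublicKey = placeholder-public-key-3
PresharedKey = 0123456789012345678901234567890123456789012=
AllowedIPs = 10.8.0.4/32
EOF
```

Run audit_wg_psk against your real config (e.g. /etc/wireguard/wg0.conf) and expect missing=0 duplicate=0; a fresh key for a peer comes from gen_psk.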

Removing RF lock

$ ifconfig wlp1s0 up
SIOCSIFFLAGS: Operation not possible due to RF-kill

List the rfkill state of all devices:

$ rfkill list all
0: ideapad_wlan: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
1: ideapad_bluetooth: Bluetooth
    Soft blocked: no
    Hard blocked: no
2: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
3: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no

Drop the lock for all devices:

$ rfkill unblock all
$ rfkill list all
0: ideapad_wlan: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: ideapad_bluetooth: Bluetooth
    Soft blocked: no
    Hard blocked: no
2: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
3: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no

Now the scan is working again.

Change network interface name in debian

Change from ens[0-9]+ to eth0 by modifying the grub config:

$ sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"/g' /etc/default/grub

$ grub-mkconfig -o /boot/grub/grub.cfg

Change the current network interface config (sed needs -E for the + quantifier, and the replacement has to be the literal new name):

$ sed -i -E 's/ens[0-9]+/eth0/g' /etc/network/interfaces
$ mv /etc/network/interfaces.d/ens<N> /etc/network/interfaces.d/eth0
$ sed -i -E 's/ens[0-9]+/eth0/g' /etc/network/interfaces.d/eth0

Change from eth0 to wan0

$ vim /etc/udev/rules.d/70-persistent-net.rules

# interface with MAC address "00:0c:30:50:48:a1" will be assigned "wan0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:30:50:48:a1", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="wan0"

Allow low-numbered port access to processes

Source: https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443/892391#892391

For permanent permissions:

$ setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary

One-time permissions:

$ apt install authbind
$ touch /etc/authbind/byport/80
$ touch /etc/authbind/byport/443
$ chmod 777 /etc/authbind/byport/80
$ chmod 777 /etc/authbind/byport/443
#authbind --deep /path/to/binary command line args
$ authbind --deep /usr/bin/myown443apache --debug --log /var/log/myapache ...

Bluetooth

bluetoothctl

To interact with Bluetooth, you can use the program bluetoothctl:

$ bluetoothctl
[bluetooth]#

Scan for devices

Run the commands inside of bluetoothctl or pass them as parameters:

$ bluetoothctl
[bluetooth]# pairable on
[bluetooth]# scan on
Discovery started
[CHG] Controller 88:9F:FA:F3:7A:21 Discovering: yes
[NEW] Device 7C:96:D2:62:7E:72 Teufel ROCKSTER Cross
[CHG] Device 7C:96:D2:62:7E:72 RSSI: -66
[bluetooth]# scan off

Connect with device

Run the commands inside of bluetoothctl or pass them as parameters:

$ bluetoothctl
[bluetooth]# pairable on
[bluetooth]# pair mac:adr:of:device
[bluetooth]# connect mac:adr:of:device

You can also run trust mac:adr:of:device if you really trust that device.

Show information about devices

Run the commands inside of bluetoothctl or pass them as parameters:

$ bluetoothctl
[bluetooth]# info mac:adr:of:device

Errors

Blocked interface

Failed to start discovery: org.bluez.Error.NotReady

or

Failed to set power on: org.bluez.Error.Blocked

Check that there is no block on the interface with rfkill list:

$ rfkill list
2: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no

If there is one, just run rfkill unblock all to get rid of it.

Now you should be able to interact with the interface.

Can not connect to bluetooth speaker

It can be that your audio daemon is not able to interact with Bluetooth devices.

For example, if you use pulseaudio, you need the module pulseaudio-module-bluetooth installed:

$ apt install pulseaudio-module-bluetooth

Then you need to restart pulseaudio:

$ killall pulseaudio
$ pulseaudio -D

Pulse is not switching audio

Restart pulse: killall pulseaudio ; pulseaudio -D

Then check whether the Bluetooth device is connected: bluetoothctl info mac:adr:of:dev

If you see that it is connected, open the volume mixer of pulse (pavucontrol) and adjust the playback/output device.

TLS

TLS 1.2

Handshake

Step  Client  Direction  Message              Direction  Server
1     me                 Client Hello         —>         itgui.de
2     me      <—         Server Hello                    itgui.de
3     me      <—         Certificate                     itgui.de
4     me      <—         Server Key Exchange             itgui.de
5     me      <—         Server Hello Done               itgui.de
6     me                 Client Key Exchange  —>         itgui.de
7     me                 Change Cipher Spec   —>         itgui.de
8     me                 Finished             —>         itgui.de
9     me      <—         Change Cipher Spec              itgui.de
10    me      <—         Finished                        itgui.de

TLS 1.3

Handshake

Step  Client  Direction  Message                         Direction  Server
1     me                 Client Hello                    —>         itgui.de
                         Supported Cipher Suites
                         Guessed Key Agreement Protocol
                         Key Share
2     me      <—         Server Hello                               itgui.de
                         Key Agreement Protocol
                         Key Share
                         Server Finished
3     me                 Checks Certificate              —>         itgui.de
                         Generates Keys
                         Client Finished

TLS Handshake Failed Errors

  • Cause: Incorrect System Time
    • Description: Client device has the incorrect time & date.
    • Fix where: Client
  • Cause: Browser Error
    • Description: A browser configuration is causing the error.
    • Fix where: Client
  • Cause: Man-in-the-Middle
    • Description: A third party is intercepting/manipulating the connection.
    • Fix where: Client
  • Cause: Protocol Mismatch
    • Description: The protocol used by the client is not supported by the server.
    • Fix where: Server
  • Cause: Cipher Suite Mismatch
    • Description: The cipher suite used by the client is not supported by the server.
    • Fix where: Server
  • Cause: Incorrect Certificate
    • Description:
      • URL host name doesn't match the host name on the server certificate.
      • Incomplete/invalid certificate chain presented to the client.
      • Revoked/expired SSL/TLS certificate sent to the client or server.
      • Replacement of self-signed certificates in internal networks has caused a path-building error.
    • Fix where: Server
  • Cause: SNI-Enabled Server
    • Description: Client can't communicate with an SNI-enabled server.
    • Fix where: Server
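A helper that turns the cause / "fix where" list above into a check, added here as an example and not part of the original page: classify_tls_error maps one line of openssl s_client output onto the table, and tls_probe tries TLS 1.2 and TLS 1.3 separately against a host with SNI set. It assumes the openssl CLI is installed; tls_probe needs network access, the classifier does not.

```shell
#!/bin/sh
# Added example, not from the original page: map openssl s_client failure text
# onto the handshake-failure causes listed above, and probe a host per TLS
# version so protocol and cipher problems (server side) are told apart from
# clock and certificate problems. Assumes the openssl command-line tool.

# classify_tls_error MESSAGE: print "<cause> | fix where: <side>" for one line
# of openssl s_client output; anything unknown yields "unclassified".
classify_tls_error() {
    case "$1" in
        *"certificate is not yet valid"*)
            echo "Incorrect System Time | fix where: Client" ;;
        *"certificate has expired"*|*"Hostname mismatch"*|\
        *"unable to get local issuer certificate"*|\
        *"self-signed certificate"*|*"self signed certificate"*)
            echo "Incorrect Certificate | fix where: Server" ;;
        *"unsupported protocol"*|*"protocol version"*|*"no protocols available"*)
            echo "Protocol Mismatch | fix where: Server" ;;
        *"handshake failure"*|*"no shared cipher"*)
            echo "Cipher Suite Mismatch | fix where: Server" ;;
        *"unrecognized name"*)
            echo "SNI-Enabled Server | fix where: Server" ;;
        *) echo "unclassified" ;;
    esac
}

# tls_probe HOST [PORT]: one handshake per protocol version, SNI set to HOST,
# verification failures turned into errors; prints the negotiated protocol or
# the classified failure for each attempt.
tls_probe() {
    host=$1; port=${2:-443}
    for ver in tls1_2 tls1_3; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -"$ver" -verify_return_error </dev/null 2>&1)
        proto=$(printf '%s\n' "$out" | grep -E '^ *Protocol *: *TLSv' | head -n 1)
        if [ -n "$proto" ]; then
            echo "$ver: ok ($(printf '%s' "$proto" | tr -s ' '))"
        else
            err=$(printf '%s\n' "$out" | grep -Ei 'error|alert|mismatch' | head -n 1)
            echo "$ver: failed: $(classify_tls_error "$err") [$err]"
        fi
    done
}
```

Usage: tls_probe example.com 443 (the host is a placeholder; any TLS server of yours works).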