====== Linux network configuration ======

===== Get information =====

List all listening sockets on a host together with the process that owns each (run as root, otherwise the PID/program column stays empty for other users' processes):
<code bash>
netstat -tapnl
</code>

Scan for hosts on a specific network range.

===== Proxy configuration =====

**apt-get** (Ubuntu). Create the file /etc/apt/apt.conf.d/proxy and put the proxy you want inside, like:
<code>
Acquire::http::Proxy "http://proxy.spheniscus.fr:8888";
</code>

**yum** (CentOS). Edit /etc/yum.conf and add the following under ''[main]'':
<code>
proxy=http://proxy.spheniscus.fr:8888
</code>

**wget**. Export the http_proxy variable in the terminal:
<code bash>
export http_proxy=http://proxy.spheniscus.fr:8888
</code>
Or with a user/password:
<code bash>
export http_proxy=http://user:pass@proxy.spheniscus.fr:8888
</code>
A password exported this way lands in your shell history and in the environment of every child process started from that shell, so when the proxy needs credentials do it in a throwaway shell (or ''unset http_proxy'' as soon as you are done).

**git**: same as wget, but for https remotes you also need to export the https_proxy variable.

**ssh** (Ubuntu). Install the connect-proxy package:
<code bash>
sudo apt-get install connect-proxy
</code>
Then edit /etc/ssh/ssh_config (or ~/.ssh/config) and add, for the specific host (thehostip) you want to ssh to, before the "Host *" block (the first matching Host block wins):
<code>
Host thehostip
    ProxyCommand connect-proxy -H proxy.spheniscus.fr:8888 %h %p
</code>
''-H'' takes ''[user@]host:port'', not a URL.

**X2Go-Client** (all). This one is tricky: X2Go does not support an HTTP proxy, so you need to rely on the ssh proxy above and combine it with an ssh tunnel. After configuring the ssh proxy for the specific host (thehostip), open a terminal and open a tunnel (''-p 443'' because 443 is what the HTTP proxy lets through, see the remote forwarding trick below; the tunnel target ''thehostip:22'' assumes sshd on the host also listens on its usual port 22):
<code bash>
ssh thehostip -p 443 -L 2222:thehostip:22
</code>
Keep this connection alive (by running top in it, for example). Then configure X2GoClient to connect to localhost on port 2222. Done, you can now connect to your server with X2Go. Do not forget to close the ssh connection when finished.
===== ssh/sftp =====

==== basis ====

Connect to a server:
<code bash>
ssh mylogin@myserver.com
sftp mylogin@myserver.com
</code>
Connect to a server on port 443:
<code bash>
ssh -p 443 mylogin@myserver.com
sftp -oPort=443 mylogin@myserver.com
</code>

==== ssh forward ====

Connect to a server to use it as a web browsing relay (a SOCKS proxy on your own machine):
<code bash>
ssh mylogin@myserver.com -D 9999
</code>
Then in Firefox go to Settings, Advanced, Network, Settings, choose "manual proxy configuration", leave everything empty, and on the SOCKS Host line use "localhost" with port "9999". Also tick "Proxy DNS when using SOCKS v5", otherwise your DNS queries still leave the local network in clear and reveal where you browse.

Local port forwarding. I have computer A and I want to connect to computer C, but A cannot connect to C directly (IP blocking, C is on a network behind a firewall, etc.). However, I also have an ssh account on B, which can connect to C. In this case do:
<code bash>
ssh my_name_on_B@B -L 2222:C:22
</code>
This connects to B (so you use your B account) and links port 2222 on your localhost to port 22 of C, through B. You can now connect to C by connecting to your localhost on port 2222:
<code bash>
ssh my_name_on_C@localhost -p 2222
</code>
And you are on C. The B to C hop is plain TCP from B's point of view, but the ssh session you open inside it is encrypted end to end between A and C, so B cannot read it; check C's host key fingerprint on the first connection as usual.

Another example: I have a specific service running on a computer B and I want to reach it from my computer A. However, to keep it more secure, only the ssh port is open on B. Let's say I have a Minecraft server on B listening on port 25565. I will use (this also works on Windows with PuTTY):
<code bash>
ssh my_name_on_B@B -L 25565:B:25565
</code>
so that my localhost port 25565 is linked to port 25565 on B (the ''B'' in the middle is resolved on B's side, so ''localhost:25565'' works there as well). Then in Minecraft I can add a new server: localhost (or localhost:25565 to specify the port). It will recognize the server running on B and connect to it. This is very useful for LAN gaming without the risks of open ports on firewalls, but also to use remote services like ParaView on a cluster, etc.

Remote port forwarding. This technique lets you pass through nearly all firewalls if you have access to a computer inside the network behind it. You have a computer A on a network that only has outbound internet access. You cannot connect to this computer from home with computer B, or from anywhere else, because it is behind a firewall. The basic trick: most firewalls block ssh connections in and out, but port 443, the one used for https, is nearly always open because it is needed. So make your B computer's sshd listen on 443 (do not forget to secure it). Then, on A, connect to B through 443 with a remote forward:
<code bash>
ssh my_name_on_B@B -p 443 -R 7777:localhost:22
</code>
If you leave this shell open (run top in it to avoid the idle disconnect), you can now reach computer A's sshd through port 7777 on B. With sshd's default ''GatewayPorts no'', port 7777 is bound to B's loopback only, so you connect from a shell on B with ''ssh -p 7777 my_name_on_A@localhost''; do not enable GatewayPorts unless you really want that port reachable from the whole internet.

Each time, be sure to secure all systems. These manipulations can dramatically compromise the security of your network: a remote forward is a deliberate hole in the firewall, and anyone who can log in to B can use it.

Other examples: http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html

==== Resume sftp transfers ====

rsync over ssh resumes a partially transferred file instead of restarting it:
<code bash>
rsync --partial --progress --rsh=ssh user@host:remote_file local_file
</code>

==== Force ssh to use a specific key ====

It is possible to tell the ssh client to use a specific key for a specific server. Edit ~/.ssh/config and add:
<code>
Host sphen.brennik.fr
    IdentityFile /media/disk0/.ssh/id_dsa

Host myotherser.other.com
    IdentityFile /home/sphen/.ssh/id_rsa
</code>
Add ''IdentitiesOnly yes'' to such a block if you want the client to offer only that key rather than every key loaded in the agent; it avoids "Too many authentication failures" and stops the server from learning which other public keys you hold. Note also that DSA keys (id_dsa) are refused by default since OpenSSH 7.0, so generate an ed25519 or RSA key instead. It is possible to add other settings for each host in this file, such as a specific port number, X11 forwarding, etc.
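The forwards above can be made persistent in ~/.ssh/config instead of being retyped. This is an added example, not part of the original page or of OpenSSH's documentation; B, C, thehostip and the user names are the placeholders used in the text, proxy.spheniscus.fr:8888 is the page's proxy, and the Host aliases (relay, c-via-relay, c-jump, reverse-to-b) are names chosen here. ''ProxyJump'' (OpenSSH 7.3 or later) is shown as the modern way to reach C through B without a separate tunnel, and ''ServerAliveInterval'' replaces the "run top to stay connected" trick:

```sshconfig
# Added example (not from the original page): the forwards described above, made
# persistent. Placeholders: thehostip, B, C, my_name_on_B, my_name_on_C.

# ssh through the HTTP proxy (the connect-proxy case); -H takes host:port, not a URL
Host thehostip
    Port 443
    ProxyCommand connect-proxy -H proxy.spheniscus.fr:8888 %h %p
    ServerAliveInterval 60

# B as relay: local forward to C's sshd, to the Minecraft port on B, and the SOCKS relay.
# ExitOnForwardFailure makes ssh exit instead of silently running without a forward
# whose local port is already taken.
Host relay
    HostName B
    User my_name_on_B
    LocalForward 2222 C:22
    LocalForward 25565 localhost:25565
    DynamicForward 9999
    ServerAliveInterval 60
    ExitOnForwardFailure yes

# C reached through the 2222 tunnel. HostKeyAlias stores C's host key under the
# name "C" in known_hosts rather than under localhost:2222, so a different host
# behind that port later is detected as a key change instead of silently accepted.
Host c-via-relay
    HostName localhost
    Port 2222
    User my_name_on_C
    HostKeyAlias C

# Same destination without a separate tunnel (OpenSSH 7.3 or later): ssh opens the
# connection to C through B with ssh -W, no listening port on your machine at all.
Host c-jump
    HostName C
    User my_name_on_C
    ProxyJump relay

# Reverse forward from the firewalled computer A back to B, over 443.
# sshd's GatewayPorts default keeps 7777 on B's loopback only.
Host reverse-to-b
    HostName B
    Port 443
    User my_name_on_B
    RemoteForward 7777 localhost:22
    ServerAliveInterval 60
    ExitOnForwardFailure yes
```

Use ''ssh -N relay'' or ''ssh -N reverse-to-b'' to hold the forwards open without a shell (''-N'' runs no remote command), ''ssh c-via-relay'' or ''ssh c-jump'' to log in to C. ''ServerAliveInterval 60'' sends a keepalive every minute so NAT tables and idle timeouts do not drop the session.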
===== Infiniband =====

Under SL 6.5 or RHEL 6.5:
<code bash>
yum groupinstall "Infiniband Support"
yum install infiniband-diags
</code>
Then edit the IB card network settings:
<code bash>
vim /etc/sysconfig/network-scripts/ifcfg-ib0
</code>
<code>
DEVICE=ib0
TYPE=InfiniBand
BOOTPROTO=static
IPADDR=192.168.21.19
NETMASK=255.255.0.0
BROADCAST=192.168.255.255
ONBOOT=yes
</code>
Then activate and restart the services:
<code bash>
chkconfig rdma on
/etc/init.d/rdma restart
/etc/init.d/network restart
</code>
And check (wait about 20 s for IB to initialize):
<code>
# ibstatus
Infiniband device 'mlx4_0' port 1 status:
        default gid:     fe80:0000:0000:0000:0030:48c8:b16c:0001
        base lid:        0xb
        sm lid:          0x2
        state:           4: ACTIVE
        phys state:      5: LinkUp
        rate:            40 Gb/sec (4X QDR)
        link_layer:      InfiniBand

# for i in `ls /sys/class/infiniband/*/ports/*/state`; do echo $i; cat $i; done
/sys/class/infiniband/mlx4_0/ports/1/state
4: ACTIVE
</code>

===== Other =====

==== Configuring hostname via DHCP ====

OS: RHEL/CentOS. On the client nodes, edit the network file and replace the hostname given during the install by //localhost.localdomain//, so that the name supplied by the DHCP server is used instead:
<code>
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=localhost.localdomain
</code>

==== hosts files ====

If you can, prefer refusing everything and allowing only trusted sources. In tcp_wrappers patterns a leading dot matches a domain suffix and a trailing dot matches a network prefix; use these documented forms rather than ''*'' globs, which hosts_access(5) says not to mix with dot matching:

/etc/hosts.allow
<code>
#
# ALL: 192.168.0.
ALL: .spheniscus.brennik.fr
sshd: 10.0.
</code>
/etc/hosts.deny ("refuse all" is this single rule; anything not matched in hosts.allow is rejected)
<code>
#
ALL: ALL
</code>
Two caveats. A hostname rule depends on reverse DNS, which whoever controls the reverse zone of the connecting address can forge; tcp_wrappers does reject names whose forward lookup does not match (the ''PARANOID'' keyword makes that explicit), but address-based rules are still the safer choice. And OpenSSH dropped tcp_wrappers support in 6.7, so on recent systems the ''sshd:'' line has no effect and the restriction belongs in sshd_config (''Match Address'', ''AllowUsers'') or in the firewall.

==== Network masks and Private addresses ====

^ CIDR ^ Host bits ^ Subnet mask ^ Usable hosts per subnet ^
| /1 | 31 | 128.0.0.0 | 2147483646 |
| /2 | 30 | 192.0.0.0 | 1073741822 |
| /3 | 29 | 224.0.0.0 | 536870910 |
| /4 | 28 | 240.0.0.0 | 268435454 |
| /5 | 27 | 248.0.0.0 | 134217726 |
| /6 | 26 | 252.0.0.0 | 67108862 |
| /7 | 25 | 254.0.0.0 | 33554430 |
| /8 | 24 | 255.0.0.0 | 16777214 |
| /9 | 23 | 255.128.0.0 | 8388606 |
| /10 | 22 | 255.192.0.0 | 4194302 |
| /11 | 21 | 255.224.0.0 | 2097150 |
| /12 | 20 | 255.240.0.0 | 1048574 |
| /13 | 19 | 255.248.0.0 | 524286 |
| /14 | 18 | 255.252.0.0 | 262142 |
| /15 | 17 | 255.254.0.0 | 131070 |
| /16 | 16 | 255.255.0.0 | 65534 |
| /17 | 15 | 255.255.128.0 | 32766 |
| /18 | 14 | 255.255.192.0 | 16382 |
| /19 | 13 | 255.255.224.0 | 8190 |
| /20 | 12 | 255.255.240.0 | 4094 |
| /21 | 11 | 255.255.248.0 | 2046 |
| /22 | 10 | 255.255.252.0 | 1022 |
| /23 | 9 | 255.255.254.0 | 510 |
| /24 | 8 | 255.255.255.0 | 254 |
| /25 | 7 | 255.255.255.128 | 126 |
| /26 | 6 | 255.255.255.192 | 62 |
| /27 | 5 | 255.255.255.224 | 30 |
| /28 | 4 | 255.255.255.240 | 14 |
| /29 | 3 | 255.255.255.248 | 6 |
| /30 | 2 | 255.255.255.252 | 2 |
| /31 | 1 | 255.255.255.254 | 2 (point-to-point link, RFC 3021: no network or broadcast address) |
| /32 | 0 | 255.255.255.255 | 1 (single host route) |

The "usable hosts" column is 2^(host bits) - 2, the network and broadcast addresses being reserved; /31 and /32 are the two exceptions to that rule.

^ RFC 1918 name ^ IP address range ^ Number of addresses ^ Largest CIDR block (subnet mask) ^ Host id size ^ Mask bits ^ Classful description ^
| 24-bit block | 10.0.0.0 - 10.255.255.255 | 16,777,216 | 10.0.0.0/8 (255.0.0.0) | 24 bits | 8 bits | single class A network |
| 20-bit block | 172.16.0.0 - 172.31.255.255 | 1,048,576 | 172.16.0.0/12 (255.240.0.0) | 20 bits | 12 bits | 16 contiguous class B networks |
| 16-bit block | 192.168.0.0 - 192.168.255.255 | 65,536 | 192.168.0.0/16 (255.255.0.0) | 16 bits | 16 bits | 256 contiguous class C networks |

===== OpenVPN =====

Update of: http://blog.nicolargo.com/2010/10/installation-dun-serveur-openvpn-sous-debianubuntu.html?PageSpeed=noscript

The aim here is to configure an OpenVPN network to:
  * secure the connection for web browsing on public networks
  * reach other desktop PCs for LAN gaming over the internet
You can of course adjust it as you want for your own purposes. You need one server, here an Ubuntu 14.04 server x86_64, and clients, which will be Windows 7 x64 Pro and Premium.

Some interesting documentation:\\
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange\\
http://en.wikipedia.org/wiki/OpenVPN

Small tip: if port 443 is free on your server, you can use it for your VPN. 443 is open nearly everywhere, especially on hotspot or academic wifi (use ''proto tcp'' in that case: a firewall that lets https through usually allows only TCP on 443).
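The two tables above come from a few lines of bit arithmetic, and the same arithmetic is what you want when sanity-checking a ''server 10.8.0.0 255.255.255.0'' line like the one in the OpenVPN configuration below. The following is an added example, not code from the original page: plain POSIX sh with no dependencies, computing the mask and usable-host columns from a prefix length, testing whether an address falls in one of the RFC 1918 blocks, and checking that a dotted mask is contiguous before deriving its prefix. The 10.8.0.0/24 input is the page's VPN subnet; everything else is generic.

```sh
#!/bin/sh
# Added example (not from the original page): the CIDR / RFC 1918 arithmetic behind
# the tables above, applied to the 10.8.0.0 255.255.255.0 VPN subnet used later.

# ip_to_int 10.8.0.0 -> 168296448 ; returns 1 on anything that is not four octets 0..255
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 4294901760 -> 255.255.0.0
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# mask_int 24 -> 4294967040 (prefix length to 32-bit mask). /0 is handled on its own
# because shifting a 32-bit value by 32 is not portable across shells.
mask_int() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# mask_from_prefix 20 -> 255.240.0.0   (the "Subnet mask" column)
mask_from_prefix() { int_to_ip "$(mask_int "$1")"; }

# usable_hosts 24 -> 254   (the "Usable hosts" column: 2^(32-p) - 2, with the
# RFC 3021 point-to-point exception for /31 and the host route for /32)
usable_hosts() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    if   [ "$p" -eq 32 ]; then echo 1
    elif [ "$p" -eq 31 ]; then echo 2
    else echo $(( (1 << (32 - p)) - 2 )); fi
}

# in_block ADDR NET PREFIX : true when ADDR is inside NET/PREFIX
in_block() {
    a=$(ip_to_int "$1") || return 2
    n=$(ip_to_int "$2") || return 2
    m=$(mask_int "$3")  || return 2
    [ $(( a & m )) -eq $(( n & m )) ]
}

# is_rfc1918 172.31.1.1 -> yes ; is_rfc1918 172.32.0.1 -> no
is_rfc1918() {
    if in_block "$1" 10.0.0.0 8 || in_block "$1" 172.16.0.0 12 || in_block "$1" 192.168.0.0 16
    then echo yes; else echo no; fi
}

# vpn_check NET DOTTED_MASK : rejects a non-contiguous mask, otherwise prints
# prefix, mask, usable hosts and whether the block is private.
vpn_check() {
    net=$1; mask=$2
    mi=$(ip_to_int "$mask") || return 1
    p=0
    while [ "$p" -lt 32 ] && [ $(( mi & (1 << (31 - p)) )) -ne 0 ]; do p=$((p + 1)); done
    [ "$(mask_int "$p")" -eq "$mi" ] || { echo "non-contiguous mask $mask" >&2; return 1; }
    echo "$net/$p mask=$(mask_from_prefix "$p") hosts=$(usable_hosts "$p") private=$(is_rfc1918 "$net")"
}

vpn_check 10.8.0.0 255.255.255.0
```

Run as ''sh subnet.sh'' it prints ''10.8.0.0/24 mask=255.255.255.0 hosts=254 private=yes''. The contiguity check in ''vpn_check'' is the one worth keeping: OpenVPN and ifcfg files accept any dotted quad as a mask, and a typo such as 255.0.255.0 produces a silently wrong route rather than an error.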
=== Server side ===

Let's start with the server side.
<code bash>
apt-get install openvpn easy-rsa
</code>
First, generate the keys folder:
<code bash>
make-cadir /etc/openvpn/easy-rsa
</code>
Then edit the certificate information (we go root here for convenience):
<code bash>
sudo su
nano /etc/openvpn/easy-rsa/vars
</code>
And fill in these variables:
<code bash>
export KEY_COUNTRY="FR"
export KEY_PROVINCE="NO"
export KEY_CITY="Bayeux"
export KEY_ORG="Sphen"
export KEY_EMAIL="sphen@outlook.com"
export KEY_OU="MyOrganizationalUnit"
</code>
Let's generate the keys and certificates and create the jail and clientconf directories:
<code bash>
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
openvpn --genkey --secret keys/ta.key
mkdir /etc/openvpn/keys
cp keys/ca.crt keys/ta.key keys/server.crt keys/server.key keys/dh2048.pem /etc/openvpn/keys
mkdir /etc/openvpn/jail
mkdir /etc/openvpn/clientconf
</code>
Note what is not copied: keys/ca.key. Whoever holds it can issue certificates that your server will accept, so it stays in the easy-rsa keys directory (ideally offline) and is never given to a client.

Then create the configuration file, which does not exist yet. It should be /etc/openvpn/openvpn.conf:
<code bash>
vim /etc/openvpn/openvpn.conf
</code>
<code>
# Server
mode server
# you can choose your port here
port 37491
# you can choose tcp or udp here. If you have bad connections prefer tcp,
# otherwise prefer udp. I recommend tcp for browsing because hotspots are often bad,
# and udp for LAN gaming to keep good performance (you will rarely play on a public hotspot).
proto udp
dev tun

# Keys and certificates
ca keys/ca.crt
# position of the SSL certificate
cert keys/server.crt
# position of the SSL key
key keys/server.key
# position of the DH parameters file
dh keys/dh2048.pem
# direction 0 on the server, 1 on every client
tls-auth keys/ta.key 0
key-direction 0
cipher AES-256-CBC

# Network
# private network the server hands addresses out from
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# allows clients to reach each other on the private network.
# Needed for LAN gaming, but for security reasons it should be disabled for other purposes.
client-to-client
# Set the server as the new default gateway for the clients; use only for internet browsing
#push "redirect-gateway def1"
# Set the server as default DNS for the clients
#push "dhcp-option DNS 10.8.0.1"

# Security
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
# chroot the process: better containment if the daemon is compromised
chroot /etc/openvpn/jail

# Logs
status openvpn-status.log
mute 20
verb 3
;log-append /var/log/openvpn.log
</code>
Note the ";" at the start of the last line: it comments the line out, so the log goes to the terminal for now; we will remove it once we are sure the server works correctly. The tls-auth direction must be 0 here and 1 in the client configuration (the original page had 1 on both sides, which makes the HMAC check fail).

Note: start with a TCP connection for the tests and switch to UDP (if needed) once TCP works.

Two things to know about this configuration. ''comp-lzo'' enables compression, and compression of a tunnel carrying attacker-influenced plaintext is what the VORACLE attack exploits, so leave it off unless you really need the bandwidth. ''cipher AES-256-CBC'' is fine for the OpenVPN 2.3 of Ubuntu 14.04; on OpenVPN 2.4 or later prefer the AEAD cipher AES-256-GCM.

Now secure the keys:
<code bash>
chmod -R 400 /etc/openvpn/keys
</code>
Let's test the server:
<code bash>
cd /etc/openvpn
openvpn openvpn.conf
</code>
If you get something like:
<code>
[...]
Fri Oct 10 21:11:24 2014 Initialization Sequence Completed
</code>
then kill the process (Ctrl + C) and remove the ";" at the start of the log-append line in openvpn.conf. Exit root. The openvpn server can now be started/stopped on demand with:
<code bash>
# start
/etc/init.d/openvpn start
# stop
/etc/init.d/openvpn stop
</code>

=== Generate client ===

For each client you need to generate a few files and a certificate. We choose here to set a passphrase on each client key, which is much more secure: a stolen client key file is useless without it. Use a long passphrase, since an attacker who obtains the file can try passphrases offline at leisure.
As root, we create here a client called "benji":
<code bash>
cd /etc/openvpn/easy-rsa
source vars
./build-key-pass benji
mkdir /etc/openvpn/clientconf/benji
cp /etc/openvpn/keys/ca.crt /etc/openvpn/keys/ta.key keys/benji.crt keys/benji.key /etc/openvpn/clientconf/benji/
</code>
Now let's edit the client's configuration file (the server IP is xxx.xxx.xxx.xxx, using port yyyyy, we chose 37491 in the server configuration):
<code bash>
vim /etc/openvpn/clientconf/benji/client.conf
</code>
<code>
# Client
client
dev tun
# must match the server: "udp" here, "tcp-client" if the server uses "proto tcp"
proto udp
remote xxx.xxx.xxx.xxx yyyyy
resolv-retry infinite
cipher AES-256-CBC
;client-config-dir ccd

# Keys
ca ca.crt
cert benji.crt
key benji.key
tls-auth ta.key 1
key-direction 1

# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3
</code>
(''udp-client'', as the original page had it, is not a value OpenVPN accepts for ''proto''; the valid ones are ''udp'', ''tcp-client'' and ''tcp-server''.) Copy the file with the .ovpn extension for Windows:
<code bash>
cp /etc/openvpn/clientconf/benji/client.conf /etc/openvpn/clientconf/benji/client.ovpn
</code>
Now you need to give the client the files in /etc/openvpn/clientconf/benji, in a zip for example. That zip contains the client's private key, so hand it over on a channel you trust (scp, a USB stick in person), not by plain e-mail; the server itself never needs benji.key, only the CA certificate, to authenticate the client.

=== Client side ===

Download OpenVPN for Windows here:\\
https://openvpn.net/index.php/open-source/downloads.html\\
Choose Installer (64-bit), Windows XP and later. Install OpenVPN, choosing to also install the GUI and the TAP driver. Then extract the files from the server (the zip file containing the client certificate) into Program Files/OpenVPN/config/.\\
Important: if you want to edit a text file there, you need to launch the editor with administrator rights, otherwise the changes will not be saved.\\
Then launch OpenVPN-GUI with administrator rights (important). The icon should be in the task bar. Right-click, choose "connect", enter the passphrase, and you should be connected in no time to the OpenVPN network. Try to ping the server and the other clients.

Tip: in the Windows Firewall you can temporarily lower the firewall on the OpenVPN interface if you trust the other clients and the server, which makes LAN gaming easier since each game uses a different port. Keep in mind that with ''client-to-client'' every VPN member can reach every other one, so a compromised client sees your exposed services exactly as it would on a physical LAN. More information can be found with a web search.
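Handing a client a zip of four loose files means four chances for the key to be left in a Downloads folder. OpenVPN also accepts the certificates and keys inline in the profile, between ''<ca>'', ''<cert>'', ''<key>'' and ''<tls-auth>'' tags, so one .ovpn file is all the client needs. The script below is an added example, not from the original page or the OpenVPN project: it builds such a profile from a clientconf directory laid out as in the procedure above, refuses to bundle a key file that other local users can read, and adds ''remote-cert-tls server'' so the client rejects a server presenting a mere client certificate (pkitool --server marks the real server's certificate accordingly). The server name vpn.example.org and the PEM contents in ''demo_bundle'' are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original page): bundle ca.crt, <name>.crt, <name>.key
# and ta.key from a clientconf directory into one self-contained .ovpn profile.
# vpn.example.org and the PEM blocks written by demo_bundle are placeholders.

# bundle_ovpn NAME SERVER PORT PROTO(udp|tcp-client) DIR  -> profile on stdout
# Returns 1 if a file is missing, the proto is wrong, or the key is group/world readable.
bundle_ovpn() {
    name=$1; server=$2; port=$3; proto=$4; dir=$5
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    case $proto in
        udp|tcp-client) ;;
        *) echo "proto must be udp or tcp-client (match the server's proto)" >&2; return 1;;
    esac
    # columns 5-10 of ls -l are the group and other permission bits; require "------"
    case $(ls -l "$dir/$name.key" | cut -c5-10) in
        ------) ;;
        *) echo "$dir/$name.key is readable by group/other, chmod 600 it first" >&2; return 1;;
    esac
    cat <<EOF
client
dev tun
proto $proto
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
# only accept a server whose certificate was issued as a server certificate
remote-cert-tls server
key-direction 1
verb 3
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/$name.crt")
</cert>
<key>
$(cat "$dir/$name.key")
</key>
<tls-auth>
$(cat "$dir/ta.key")
</tls-auth>
EOF
}

# demo_bundle MODE : builds a throwaway clientconf dir with placeholder PEM files
# (constructed, not real keys), chmods the key to MODE and runs bundle_ovpn on it.
demo_bundle() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT' '-----END CERTIFICATE-----' > "$d/benji.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END ENCRYPTED PRIVATE KEY-----' > "$d/benji.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    chmod "$1" "$d/benji.key"
    bundle_ovpn benji vpn.example.org 37491 udp "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Real use: bundle_ovpn benji xxx.xxx.xxx.xxx 37491 udp /etc/openvpn/clientconf/benji > benji.ovpn
demo_bundle 600
```

The generated profile drops the separate ''ca'', ''cert'', ''key'' and ''tls-auth'' path lines of the page's client.conf in favour of the inline blocks, and keeps ''key-direction 1'' because the direction is no longer given on a ''tls-auth'' line. Send the single .ovpn over scp or in person, never by plain e-mail; it still contains the passphrase-protected private key.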