vim /usr/local/sbin/ipblhole
#!/bin/bash
sudo ip route add $1/32 via 127.0.0.1
linux kill tcp connection
Leave a reply
Category Archives: Linux networking
using ipset
ipset create smtpblocks hash:net counters
ipset add smtpblocks 27.112.32.0/19
ipset add smtpblocks 204.8.87.0/24
iptables -A INPUT -p tcp –dport 25 -m set –match-set smtpblocks src -j DROP
BGP Flow
The BGP flow specification (flowspec) feature allows you to rapidly deploy and propagate filtering and policing functionality among a large number of BGP peer routers to mitigate the effects of a distributed denial-of-service (DDoS) attack over your network.
In traditional methods for DDoS mitigation, such as RTBH (remotely triggered blackhole), a BGP route is injected advertising the website address under attack with a special community. This special community on the border routers sets the next hop to a special next hop to discard/null, thus preventing traffic from suspect sources into your network. While this offers good protection, it makes the Server completely unreachable.
BGP flowspec, on the other hand, allows for a more granular approach and lets you effectively construct instructions to match a particular flow with source, destination, L4 parameters and packet specifics such as length, fragment and so on. Flowspec allows for a dynamic installation of an action at the border routers to either:
Drop the traffic
Inject it in a different VRF for analysis or
Allow it, but police it at a specific defined rate
linux add (allow) more ports
Check:
sysctl net.ipv4.ip_local_port_range
Add:
echo “net.ipv4.ip_local_port_range = 1024 65535” >> /etc/sysctl.conf
Applay:
sysctl -p
build qemu from source
wget http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2
./configure –disable-kvm [–prefix=PFX] [–target-list=”i386-softmmu x86_64-softmmu”]
make
make install
nmcli add static ip
nmcli device status
nmcli connection add type ethernet con-name NAME_OF_CONNECTION ifname interface-name ip4 IP_ADDRESS gw4 GW_ADDRESS
Set DNS:
nmcli connection modify NAME_OF_CONNECTION ipv4.dns “8.8.8.8 8.8.4.4”
Up connection:
nmcli connection up NAME_OF_CONNECTION ifname interface-name
networkmanager cli create bridge
To create a bridge, named bridge-br0, issue a command as follows as root:
nmcli con add type bridge ifname br0
Connection ‘bridge-br0’ (6ad5bba6-98a0-4f20-839d-c997ba7668ad) successfully added.
If no interface name is specified, the name will default to bridge, bridge-1, bridge-2, and so on.
To view the connections, issue the following command:
nmcli con show
NAME UUID TYPE DEVICE
bridge-br0 79cf6a3e-0310-4a78-b759-bda1cc3eef8d bridge br0
eth0 4d5c449a-a6c5-451c-8206-3c9a4ec88bca 802-3-ethernet eth0
Spanning tree protocol (STP) is enabled by default. The values used are from the IEEE 802.1D-1998 standard. To disable STP for this bridge, issue a command as follows as root:
nmcli con modify bridge-br0 bridge.stp no
To re-enable 802.1D STP for this bridge, issue a command as follows as root:
nmcli con modify bridge-br0 bridge.stp yes
The default bridge priority for 802.1D STP is 32768. The lower number is preferred in root bridge selection. For example, a bridge with priority of 28672 would be selected as the root bridge in preference to a bridge with priority value of 32768 (the default). To create a bridge with a non-default value, issue a command as follows:
nmcli con add type bridge ifname br5 stp yes priority 28672
Connection ‘bridge-br5’ (86b83ad3-b466-4795-aeb6-4a66eb1856c7) successfully added.
The allowed values are in the range 0 to 65535.
To change the bridge priority of an existing bridge to a non-default value, issue a command in the following format:
nmcli connection modify bridge-br5 bridge.priority 36864
The allowed values are in the range 0 to 65535.
To view the bridge settings, issue the following command:
nmcli -f bridge con show bridge-br0
Further options for 802.1D STP are listed in the bridge section of the nmcli(1) man page.
To add, or enslave an interface, for example eth1, to the bridge bridge-br0, issue a command as follows:
nmcli con add type bridge-slave ifname eth1 master bridge-br0
Connection ‘bridge-slave-eth1’ (70ffae80-7428-4d9c-8cbd-2e35de72476e) successfully added.
At time of writing, nmcli only supports Ethernet slaves.
To change a value using interactive mode, issue the following command:
nmcli connection edit bridge-br0
You will be placed at the nmcli prompt.
nmcli> set bridge.priority 4096
nmcli> save
Connection ‘bridge-br0’ (79cf6a3e-0310-4a78-b759-bda1cc3eef8d) successfully saved.
nmcli> quit
bmon monitor network traffic
bmon is a monitoring and debugging tool to capture networking related statistics and prepare them visually in a human friendly way. It features various output methods including an interactive curses user interface and a programmable text output for scripting.
ip bring interface up/down
ip link set dev
ip link set dev
tcpdump grep established connections
tcpdump -nn “(tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)”
iptables include multiple sources at once
iptables -A INPUT -s 192.168.0.100,192.168.100.100 -d 10.0.0.1,10.0.0.10 -j ACCEPT
iptables: No chain/target/match by that name
modprobe nf_conntrack
modprobe xt_state
this will help you if: iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT says:
iptables: No chain/target/match by that name
I have found article http://serverfault.com/questions/608870/error-iptables-no-chain-target-match-by-that-name with no answer. So the answer is above.
if you will try load incorrectly module like this: “modprobe ipt_state” you will get error:
FATAL: Module ipt_state not found.
iptables additional modules
lsmod|grep -E “nf_|xt_|ip”
centos add second IP address permanently (persistent)
Its just 3 steps:
1. cd /etc/sysconfig/network-scripts
2.
cat <<~ > ifcfg-eth0:1
DEVICE=eth0:1
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.1.1.2
NETMASK=255.255.255.0
~
3.
ifup ifcfg-eth0:1
(where 10.1.1.2 is additional IP address)
centos create PPTP VPN server
#!/bin/bash -x
#
# drewsymo/VPN
#
# Installs a PPTP VPN-only system for CentOS
#
# @package VPN 2.0
# @since VPN 1.0
# @author Drew Morris
# @url http://drewsymo.com/networking/vpn/install-ptpp/
#
# Create UDF Options
## VPN Username
#
## VPN Password
#
## VPN Local IP
#
## VPN Remote IP
#
(
VPN_IP=`curl ipv4.icanhazip.com>/dev/null 2>&1`
yum -y groupinstall “Development Tools”
rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
yum -y install policycoreutils policycoreutils
yum -y install ppp pptpd
yum -y update
echo “1” > /proc/sys/net/ipv4/ip_forward
sed -i ‘s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g’ /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
echo “localip $VPN_LOCAL” >> /etc/pptpd.conf # Local IP address of your VPN server
echo “remoteip $VPN_REMOTE” >> /etc/pptpd.conf # Scope for your home network
echo “ms-dns 8.8.8.8” >> /etc/ppp/options.pptpd # Google DNS Primary
echo “ms-dns 209.244.0.3” >> /etc/ppp/options.pptpd # Level3 Primary
echo “ms-dns 208.67.222.222” >> /etc/ppp/options.pptpd # OpenDNS Primary
echo “$VPN_USER pptpd $VPN_PASS *” >> /etc/ppp/chap-secrets
service iptables start
echo “iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE” >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart
service pptpd restart
echo -e ‘\E[37;44m'”\033[1m Installation Log: /var/log/vpn-installer.log \033[0m”
echo -e ‘\E[37;44m'”\033[1m You can now connect to your VPN via your external IP ($VPN_IP)\033[0m”
echo -e ‘\E[37;44m'”\033[1m Username: $VPN_USER\033[0m”
echo -e ‘\E[37;44m'”\033[1m Password: $VPN_PASS\033[0m”
) 2>&1 | tee /var/log/vpn-installer.log