From a3628fc49db4d88ff3e4067268650710d1da3f6f Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Fri, 12 Feb 2021 03:59:34 +0000 Subject: initial openbsd support --- linux/network.html | 437 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 437 insertions(+) create mode 100644 linux/network.html (limited to 'linux/network.html') diff --git a/linux/network.html b/linux/network.html new file mode 100644 index 0000000..0d359f3 --- /dev/null +++ b/linux/network.html @@ -0,0 +1,437 @@ + + + + + 2.2. Network + + + Core OS Index + +

2.2. Network

+ +

Operation of the network can be handle with init scripts or with + network manager;

+ +
+
/etc/rc.d/iptables
+
Configure iptables, "start" option + loads set of rules from file /etc/iptables/(name).v4, "open" option + allows everything to outside and blocks everything from outside, + "stop" option will block and log everything.
+
/etc/rc.d/net
+
Configure Ethernet interface with static or dynamic (dhcp) + IP, set default route and add default gateway.
+
/etc/rc.d/wlan
+
Configure Wireless interface, launch wpa_supplicant to handle + wireless authenticationand dynamic (dhcp) + connection to router and add as default gateway.
+
/etc/rc.d/networkmanager
+
Use network manager to handle connections.
+
+ +

Choose wireless (wlan), cable network (net) or network manager in + /etc/rc.conf to handle configuration of the + network at startup, example using network manager;

+ +
+        #
+        # /etc/rc.conf: system configuration
+        #
+
+        FONT=default
+        KEYMAP=dvorak
+        TIMEZONE="Europe/Lisbon"
+        HOSTNAME=machine
+        SYSLOG=sysklogd
+        SERVICES=(lo iptables networkmanager crond)
+
+        # End of file
+        
+ +

If is first boot after install configure iptables and one of above + described scripts then proceed to + update system.

+ +

2.2.1. Resolver

+ +

This example will use + Chaos Computer Club + server, edit /etc/resolv.conf and make it immutable;

+ +
+        # /etc/resolv.conf.head can replace this line
+        nameserver 2.2.73.91.35
+        # /etc/resolv.conf.tail can replace this line
+        
+ +
+        # chattr +i /etc/resolv.conf
+        
+ +

2.2.2. Static IP

+ +

Current example of /etc/rc.d/net;

+ +
+        Address:   192.168.0.1           11000000.10101000.00000000 .00000001
+        Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
+        Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
+        =>
+        Network:   192.168.0.0/24        11000000.10101000.00000000 .00000000 (Class C)
+        Broadcast: 192.168.0.255         11000000.10101000.00000000 .11111111
+        HostMin:   192.168.0.1           11000000.10101000.00000000 .00000001
+        HostMax:   192.168.0.254         11000000.10101000.00000000 .11111110
+        Hosts/Net: 254                   (Private Internet)
+        
+ +

Other IP class that can used for private network;

+ +
+        Address:   10.0.0.1              00001010.00000000.00000000 .00000001
+        Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
+        Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
+        =>
+        Network:   10.0.0.0/24           00001010.00000000.00000000 .00000000 (Class A)
+        Broadcast: 10.0.0.255            00001010.00000000.00000000 .11111111
+        HostMin:   10.0.0.1              00001010.00000000.00000000 .00000001
+        HostMax:   10.0.0.254            00001010.00000000.00000000 .11111110
+        Hosts/Net: 254                   (Private Internet)
+        
+ +

Manual configuring like net script;

+ +
+        # DEV=enp8s0
+        # ADDR=192.168.1.9
+        # MASK=24
+        # GW=192.168.1.254
+        
+ +
+        # ip addr flush dev ${DEV}
+        # ip route flush dev ${DEV}
+        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+        # ip link set ${DEV} up
+        # ip route add default via ${GW}
+        
+ +

2.2.3. Iptables

+ +

For more information about firewall systems read arch wiki + iptables + and nftables.

+ +

Diagram of a package route throw iptables;

+ +
+
+                                 XXXXXXXXXXXXXXXXX
+                                 XXXX Network XXXX
+                                 XXXXXXXXXXXXXXXXX
+                                         +
+                                         |
+                                         v
+   +-------------+              +------------------+
+   |table: filter| >---+        | table: nat       |
+   |chain: INPUT |     |        | chain: PREROUTING|
+   +-----+-------+     |        +--------+---------+
+         |             |                 |
+         v             |                 v
+   [local process]     |           ****************          +--------------+
+         |             +---------+ Routing decision +------< |table: filter |
+         v                         ****************          |chain: FORWARD|
+  ****************                                           +------+-------+
+  Routing decision                                                  |
+  ****************                                                  |
+         |                                                          |
+         v                        ****************                  |
+  +-------------+       +------<  Routing decision  >---------------+
+  |table: nat   |       |         ****************
+  |chain: OUTPUT|       |               +
+  +-----+-------+       |               |
+        |               |               v
+        v               |      +-------------------+
+  +--------------+      |      | table: nat        |
+  |table: filter | +----+      | chain: POSTROUTING|
+  |chain: OUTPUT |             +--------+----------+
+  +--------------+                      |
+                                        v
+                                XXXXXXXXXXXXXXXXX
+                                XXXX Network XXXX
+                                XXXXXXXXXXXXXXXXX
+
+        
+ +

Command line usage;

+ +
+        iptables [-t table] {-A|-C|-D} chain rule-specification
+        iptables [-t table] {-A|-C|-D} chain  rule-specification
+        iptables  [-t table] -I chain [rulenum] rule-specification
+        iptables [-t table] -R chain rulenum  rule-specification
+        iptables [-t table] -D chain rulenum
+        iptables [-t table] -S [chain [rulenum]]
+        iptables  [-t  table]  {-F|-L|-Z} [chain [rulenum]] [options...]
+        iptables [-t table] -N chain
+        iptables [-t table] -X [chain]
+        iptables [-t table] -P chain target
+        iptables [-t table]  -E  old-chain-name  new-chain-name
+        rule-specification = [matches...] [target]
+        match = -m matchname [per-match-options]
+        
+ +

Targets, can be a user defined chain;

+ +
+        ACCEPT - accepts the packet
+        DROP   - drop the packet on the floor
+        QUEUE  - packet will be stent to queue
+        RETURN - stop traversing this chain and
+                 resume ate the next rule in the
+                 previeus (calling) chain.
+
+        if packet reach the end of the chain or
+        a target RETURN, default policy for that
+        chain is applayed.
+        
+ +

Target Extensions

+ +
+        AUDIT
+        CHECKSUM
+        CLASSIFY
+        DNAT
+        DSCP
+        LOG
+            Torn on kernel logging, will print some
+            some information on all matching packets.
+            Log data can be read with dmesg or syslogd.
+            This is a non-terminating target and a rule
+            should be created with matching criteria.
+
+            --log-level level
+                  Level of logging (numeric or see sys-
+                  log.conf(5)
+
+            --log-prefix prefix
+                  Prefix log messages with specified prefix
+                  up to 29 chars log
+
+            --log-uid
+                  Log the userid of the process with gener-
+                  ated the packet
+        NFLOG
+            This target pass the packet to loaded logging
+            backend to log the packet. One or more userspace
+            processes may subscribe to the group to receive
+            the packets.
+
+        ULOG
+            This target provides userspace logging of maching
+            packets. One or more userspace processes may then
+            then subscribe to various multicast groups and
+            then receive the packets.
+        
+ +

Commands

+
+         -A, --append chain rule-specification
+         -C, --check chain rule-specification
+         -D, --delete chain rule-specification
+         -D, --delete chain rulenum
+         -I, --insert chain [rulenum] rule-specification
+         -R, --replace chain rulenum rule-specification
+         -L, --list [chain]
+         -P, --policy chain target
+        
+ +

Parameters

+
+         -p, --protocol protocol
+               tcp, udp, udplite, icmp, esp, ah, sctp, all
+         -s, --source address[/mask][,...]
+         -d, --destination address[/mask][,...]
+         -j, --jump target
+         -g, --goto chain
+         -i, --in-interface name
+         -o, --out-interface name
+         -f, --fragment
+         -m, --match options module-name
+               iptables can use extended packet matching
+               modules.
+         -c, --set-counters packets bytes
+        
+ +

See current rules and packets counts;

+ +
+        # iptables -L -n -v | less
+        
+ +

2.2.3.1. Iptable scripts

+ +

Scripts help to setup iptables rules so they can be saved using iptables-save + and later restored using iptables-restore utilities. Init script + /etc/rc.d/iptables + loads set of rules from /etc/iptables folder at boot time. + Start option "open" option allows everything to outside + and blocks new connections from outside, "stop" will block and log + everything.

+ +

Setup init script and rules;

+ +
+        # mkdir /etc/iptables
+        # cp core/conf/iptables/*.sh /etc/iptables/
+        # cp core/conf/rc.d/iptables /etc/rc.d/
+        # chmod +x /etc/rc.d/iptables
+        
+ +

Change /etc/rc.conf and add iptables;

+ +
+        SERVICES=(iptables lo net crond)
+        
+ +

Change /etc/rc.d/iptables and define type; server, bridge or open.

+ +

Adjust /etc/iptables/ipt-conf.sh + with your network configuration, and adjust + /etc/iptables/ipt-server.sh, /etc/iptables/ipt-bridge.sh, /etc/iptables/ipt-open.sh according with host necessities.

+ +

When is everything configured run script to load the rules and save them on /etc/iptables. Example for bridge setup;

+ +
+        # cd /etc/iptables
+        # bash ipt-bridge.sh
+        
+ +

From now on use /etc/rc.d/iptables to start and stop.

+ +

2.2.4. Wpa and dhcpd

+ +

There is more information on + Wiki Wifi Start Scripts and + see /etc/rc.d/wlan. Manual or first time configuration;

+ +
+        # ip link
+        
+ +
+        # iwlist wlp2s0 scan
+        
+ +
+        # iwconfig wlp2s0 essid NAME key s:ABCDE12345
+        
+ +

2.2.4.1. Wpa Supplicant

+ +

Configure wpa supplicant edit;

+ +
+        # vim /etc/wpa_supplicant.conf
+        
+ +
+        ctrl_interface=/var/run/wpa_supplicant
+        update_config=1
+        fast_reauth=1
+        ap_scan=1
+        
+ +
+        # wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf
+        
+ +

Now start wpa_supplicant with:

+ +
+        # wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf
+        Successfully initialized wpa_supplicant
+        
+ +

Use /etc/rc.d/wlan + init script to auto load wpa configuration and dhcp + client.

+ +

2.2.4.2. Wpa Cli

+ +
+        # wpa_cli
+        > status
+        
+ +
+        > add_network
+        3
+        
+ +
+        > set_network 3 ssid "Crux-Network"
+        OK
+        
+ +
+        > set_network 3 psk "uber-secret-pass"
+        OK
+        
+ +
+        > enable_network 3
+        OK
+        
+ +
+        > list_networks
+        
+ +
+        > select_network 3
+        
+ +
+        > save_config
+        
+ +

2.2.5. Network Manager

+ +

Wifi status;

+ +
+        $ nmcli radio wifi
+        $ nmcli radio wifi on
+        
+ +

List wifi networks;

+ +
+        $ nmcli device wifi rescan
+        $ nmcli device wifi list
+        
+ +

Connect to a wifi network;

+ +
+        $ nmcli device wifi connect "network name" password "network password"
+        
+ +

Edit and save network configuration;

+ +
+        $ nmcli connection edit "network name"
+        nmcli> save persistent
+        
+ + Core OS Index +

+ This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. + See the file Gnu Free Documentation License + for copying conditions.

+ + + -- cgit 1.4.1-2-gfad0
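Review bot: the resolver example `nameserver 2.2.73.91.35` is not a valid IPv4 address (five dotted fields instead of four), so the resolver library will not parse that line and, once the file is made immutable with `chattr +i`, the host is left without working DNS; verify the address against the provider's published resolver before merging. Two further points in the same file. `wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf` puts the Wi-Fi passphrase on the command line (visible in shell history and process listings), and wpa_passphrase also writes the clear-text passphrase into its output as a `#psk="..."` comment; the text should tell the reader to omit the password argument so it is read from stdin, to delete that comment line, and to keep the file mode 0600. The "first time configuration" line `iwconfig wlp2s0 essid NAME key s:ABCDE12345` sets a WEP key, which is not WPA and offers no real protection; under a section titled "Wpa and dhcpd" it should either be dropped or be labelled as legacy WEP-only usage. Smaller items: the commit subject "initial openbsd support" does not describe a change that adds `linux/network.html` full of iptables and rc.d content; the two descriptions of the iptables "open" mode disagree ("blocks everything from outside" in the script list versus "blocks new connections from outside" in 2.2.3.1, the latter being the one that lets established return traffic through); and the target and extension text carries typos from retyping the man page ("stent", "ate", "previeus", "applayed", "Torn on", "maching", "throw", "authenticationand").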