Networking How To

How to upgrade wpa_supplicant

The default wpa_supplicant in Ubuntu 16.04 is 2.4 and does not support some of the latest encryption protocols (like TLS 1.1).
To upgrade it:
Get wpa_supplicant 2.6 from https://w1.fi/wpa_supplicant/
Unpack it and configure with

cat > wpa_supplicant/.config << "EOF"
CONFIG_BACKEND=file
CONFIG_CTRL_IFACE=y
CONFIG_DEBUG_FILE=y
CONFIG_DEBUG_SYSLOG=y
CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
CONFIG_DRIVER_NL80211=y
CONFIG_DRIVER_WEXT=y
CONFIG_DRIVER_WIRED=y
CONFIG_EAP_GTC=y
CONFIG_EAP_LEAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_OTP=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TLS=y
CONFIG_EAP_TTLS=y
CONFIG_IEEE8021X_EAPOL=y
CONFIG_IPV6=y
CONFIG_LIBNL32=y
CONFIG_PEERKEY=y
CONFIG_PKCS12=y
CONFIG_READLINE=y
CONFIG_SMARTCARD=y
CONFIG_WPS=y
CFLAGS += -I/usr/include/libnl3
CONFIG_CTRL_IFACE_DBUS=y
CONFIG_CTRL_IFACE_DBUS_NEW=y
CONFIG_CTRL_IFACE_DBUS_INTRO=y
EOF

Compile

cd wpa_supplicant && make BINDIR=/sbin LIBDIR=/lib

Stop wpa_supplicant service

sudo systemctl stop wpa_supplicant.service

Copy to /sbin (preserving the existing stuff)

sudo install -bv -m755 wpa_{cli,passphrase,supplicant} /sbin/

start the wpa_supplicant service back up

sudo systemctl start wpa_supplicant.service

restart network-manager service

systemctl restart network-manager.service

Verify the version

wpa_supplicant

How to run scripts when connected to a specific network

Use NetworkManager's dispatcher capabilities (works in KDE and Gnome). As root, create a script in /etc/NetworkManager/dispatcher.d, say "55BackupLauncher.sh":

#!/bin/sh
# NetworkManager dispatcher script: $1 is the interface, $2 the action ("up", "down", ...)

IF=$1
STATUS=$2
RUNAS=username
ROUTERIP="192.168.1.1"
ROUTERMAC="00:fa:fa:fa:fa:ff"
NETMASK="192.168.1.0/24"

if [ "$IF" = "eth0" -o "$IF" = "wlan0" ] && [ "$STATUS" = "up" ]; then
        # Does the interface have an address on the expected subnet?
        if [ -n "$(/sbin/ip addr show "$IF" to "$NETMASK")" ]; then
                # ...and does the gateway have the expected MAC?
                if [ -n "$(arp -a "$ROUTERIP" | grep "$ROUTERMAC")" ]; then
                        /bin/su "$RUNAS" -c "/home/$RUNAS/bin/backup-launcher.sh"
                        exit $?
                fi
        fi
fi

Make it executable (it is run by root)

chmod 755 55BackupLauncher.sh

And restart your network manager

sudo service network-manager restart

The sample script above verifies that it is connected to the correct router by checking the router's hard-coded MAC address (a MAC is easy to spoof, so treat this as a convenience check rather than authentication). You could also check for a host answering on a port (the script runs under /bin/sh, so use the POSIX test rather than [[ ]]):

nc -z -w 3 "$HOST" "$PORT"
if [ $? -eq 0 ]; then ...

Or check the wireless SSID:

SSID=$(/sbin/iwconfig $IFACE | sed -r -n '/SSID/{s/.*SSID:"([^"]+)".*/\1/g;p;q}' )

or

SSID=`iwconfig $IFACE | awk -F\" '/ESSID/{print $2}'`

How to list active network connections

If you need to know what program has what connection open:

lsof -i

or

lsof -i -P -n

to skip host and port name resolution

To look at a specific port

lsof -i :80

Same thing, no process information:

netstat --ip

or

netstat -an --ip

How to list all open TCP/UDP connections and the corresponding processes

sudo netstat -punta

How to list and explore samba shares

 smbclient --list=//server.corp.dom/ --user=xxxx --workgroup=domain
 smbclient //server.corp.dom/f$ --user=xxxx --workgroup=domain

How to terminate an open TCP or UDP connection

For connections that terminate on this host, use tcpkill from the dsniff package (it takes an interface and a BPF filter expression)

sudo tcpkill -i lo:0 ip

For connections passing through this host, use cutter

apt-get install cutter
cutter {IP-address} {Port}

Examples: cut all connections from 192.168.1.5 to the server

# cutter 192.168.1.5

Cut all ssh connections from 192.168.1.5 to the server

# cutter 192.168.1.5 22

Cut all ssh connections from 192.168.1.5 to the ssh server 202.54.1.20

# cutter 202.54.1.20 192.168.1.5 22

How to allow any client to connect to an X11 server

If client connections are rejected, run the following on the server (cygwin)

xhost +

You could add this line to c:\cygwin\usr\X11R6\bin\startx.bat. Note that this disables access control entirely, so anyone who can reach the X server can connect to it; use with caution.

How to clear DNS cache

NetworkManager invokes dnsmasq, which does not cache entries by default (verify with grep dnsmasq /var/log/syslog and look at the startup line). Running

sudo /etc/init.d/dns-clean start

should help. If not, try nscd:

sudo aptitude install nscd
sudo /etc/init.d/nscd restart

sudo /etc/init.d/dns-clean restart

or use:

sudo /etc/init.d/networking force-reload

Also, clear all private data in your browser (check "delete entire cache" )

How to Renew DHCP lease

sudo dhclient -v -r wlan0
sudo dhclient -v wlan0

or with network manager

nmcli con   (to get a list of connections and their ids)
nmcli con down id 'con-1'
nmcli con up id 'con-1'

How to restart networking

(may not affect interfaces that are already connected)
sudo /etc/init.d/networking restart
or
sudo systemctl restart networking.service

How to open all communication from a host on CentOS or RHEL

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.44.132/32" accept'

How to open multiple ports on CentOS or RHEL

firewall-cmd --zone=public --add-port=9060/tcp --add-port=9043/tcp --add-port=...

Both commands change only the running configuration; add --permanent and then run firewall-cmd --reload for a rule that survives a reload or reboot.

Firewalld detailed how-to

How to see the actual dns resolver behind dnsmasq

nmcli device show

How to clear dns cache

If you are running dnsmasq (check with ps -ef),
use qdbus to call org.freedesktop.NetworkManager.dnsmasq.ClearCache()

How to connect to hidden WiFi on Kubuntu

Right click on the network/wifi icon, go into settings (kde-nm-settings), create a new wifi network, enter the SSID, then check "hidden network".
Right click on the newly created item and select connect.

If it does not connect after trying for a while and you see the following in syslog
wpa_supplicant[1084]: wlan0: Failed to initiate AP scan
wpa_supplicant[1084]: wlan0: Reject scan trigger since one is

Then restart wpa_supplicant and try again
sudo pkill wpa_supplicant
or
sudo kill $(pidof wpa_supplicant)

You can also try the command line networkmanager:
nmcli -p connection up ifname wlan0 ap HIDDEN-SSID

Another trick:
issue a connect command and, while the hidden SSID is showing, click on it in the KDE panel


How to limit apt speed

For a temporary limit, add the -o flag to your apt-get command (the value is in kB/s):
sudo apt-get -o Acquire::http::Dl-Limit=25 install <package>
For permanent throttling, create the file /etc/apt/apt.conf.d/75lowerspeed with the following content:

Acquire
{
   Queue-mode "access";
   http
   {
      Dl-Limit "25";
   };
};

How to test network speed

sudo apt-get install iperf

Start iperf in server mode on the computer you want to communicate with:
iperf -s
You might need to temporarily disable ufw or open TCP port 5001. Then run iperf as a client on the computer whose speed you want to test:
iperf -c <address of the iperf server>

How to configure wireless wifi to auto connect at startup, before user login

Derive the hex PSK from the WPA passphrase:
sudo wpa_passphrase <Your Wifi Network SSID>  <Your Wifi WPA/WPA2 password>

Set a static IP:
sudo gedit /etc/network/interfaces

Then add the following (dns-nameservers is space separated, no commas):
# The wifi network interface
auto wlan0
iface wlan0 inet static
   address 192.168.1.40
   netmask 255.255.255.0
   network 192.168.1.0
   broadcast 192.168.1.255
   gateway 192.168.1.1
   dns-nameservers 192.168.1.1 8.8.8.8
   wpa-ssid <Your Wifi Network SSID>
   wpa-psk <Your HEX encoded Wifi WPA password>

Reboot.
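As an added example (not part of the original notes), this Python reproduces what wpa_passphrase computes, so you can see where the hex wpa-psk value comes from: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 32 bytes. The interfaces_stanza helper is an assumption made for illustration; the IEEE/password pair is the published IEEE 802.11 test vector, not a real network.

```python
import hashlib

def wpa_psk_hex(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA/WPA2 PSK the way wpa_passphrase does:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes,
    returned as the lowercase hex string that goes into wpa-psk."""
    if not 8 <= len(passphrase) <= 63:          # limits from IEEE 802.11
        raise ValueError("WPA passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid_bytes, 4096, dklen=32)
    return psk.hex()

def interfaces_stanza(iface, address, netmask, gateway,
                      nameservers, ssid, passphrase) -> str:
    """Render the /etc/network/interfaces stanza from the section above
    with the derived PSK instead of the plaintext passphrase.
    dns-nameservers takes space-separated addresses (constructed helper)."""
    lines = [
        f"auto {iface}",
        f"iface {iface} inet static",
        f"   address {address}",
        f"   netmask {netmask}",
        f"   gateway {gateway}",
        f"   dns-nameservers {' '.join(nameservers)}",
        f"   wpa-ssid {ssid}",
        f"   wpa-psk {wpa_psk_hex(ssid, passphrase)}",
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed values; "IEEE"/"password" is the standard test vector.
    print(interfaces_stanza("wlan0", "192.168.1.40", "255.255.255.0",
                            "192.168.1.1", ["192.168.1.1", "8.8.8.8"],
                            "IEEE", "password"))
```

The hex string it prints for the test vector is the same one wpa_passphrase IEEE password shows in its psk= line.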

How to log network traffic on Ubuntu

Set up rsyslogd to capture network events. Edit

sudo vi /etc/rsyslog.conf

Uncomment:

$ModLoad imudp
$UDPServerRun 514

Create the capture rule to send all network events to a specific log file. It has to be the first rule:

sudo vi /etc/rsyslog.d/5-networklogs.conf

Configure similar to this:

if $fromhost-ip startswith '192.168.1.1' then {
       action(type="omfile" file="/var/log/network.log")
       stop
}

Open the syslog port on the firewall:

sudo ufw allow from 192.168.1.1 to any port 514 proto udp

Restart rsyslog:

sudo service rsyslog restart

Finally configure your router or another network log source to forward syslogs to the server.

How to restrict outgoing access for a program

Three ways:

  1. Run it under a different user and configure iptables to refuse connections for this user

iptables -A OUTPUT -m owner --uid-owner ${blocked_user_uid} -j DROP

  2. Add grsecurity to the kernel and write an RBAC policy for the specific executable

role your_regular_user u
   ...
   subject /path/to/untrusted/program
       connect disabled
   ...
...

  3. Stub out the connect() function for the program with LD_PRELOAD:
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Preloaded replacement for libc's connect(): never touches the real
 * socket layer, just reports ECONNREFUSED to the caller. */
int connect(int sockfd, struct sockaddr const* addr, socklen_t addrlen) {
    (void)sockfd; (void)addr; (void)addrlen;
    printf("connection refused\n");
    errno = ECONNREFUSED;
    return -1;
}

Compile

gcc -fPIC -shared -Wl,-soname,refuse_connect refuse_connect.c -o refuse_connect.so

Run the program with the stub (the file name must match the -o above; statically linked programs and programs that issue the syscall directly are not affected)

LD_PRELOAD="./refuse_connect.so" ./program

How to configure UFW to allow NFS network sharing

First, fix the NFS port from the default floating one. Edit /etc/default/nfs-kernel-server

sudo vi /etc/default/nfs-kernel-server

change

RPCMOUNTDOPTS=--manage-gids

to

RPCMOUNTDOPTS="-p 13335"

where 13335 is just an arbitrarily chosen port. Then restart the NFS server

sudo service nfs-kernel-server restart

Now configure UFW to accept incoming connections on the fixed port and on ports 111 and 2049:

sudo ufw allow from 192.168.1.0/24 to any port 111
sudo ufw allow from 192.168.1.0/24 to any port 2049
sudo ufw allow from 192.168.1.0/24 to any port 13335

How to configure UFW to allow SANED scanner connections

Instruct the sane daemon to use a fixed range of data ports:

sudo vi /etc/sane.d/saned.conf

Set

data_portrange = 40000 - 40100

Restart saned

sudo service saned restart

Open the data and server ports on your firewall

sudo ufw allow proto tcp from 192.168.1.0/24 to any port 6566
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 40000:40100

Now, for the xsane client to find it, edit

sudo vi /etc/sane.d/net.conf

and add your scanner server's name or IP address.

How to force dyndns updates for uptick

Configure it to run once a month, at 4:45am on the 14th:

sudo crontab -e
45 04 14 * * /usr/sbin/ddclient --force --syslog

How to specify a public DNS server

For a temporary override just edit /etc/resolv.conf and set it to whatever you want. It will be active until the connection is reset or you run

sudo resolvconf -u

For a more permanent solution you can try either one of the following (I've not had success with the first two):

  • Statically add nameserver addresses via the Network Manager. Click on the network indicator -> Edit Connections... -> Edit... -> Wired -> Additional DNS servers.
  • Add the following to /etc/dhcp/dhclient.conf:

prepend domain-name-servers x.x.x.x, y.y.y.y;

  • Edit or create a /etc/resolvconf/resolv.conf.d/tail (or head) and add them there.
  • add the following to /etc/network/interfaces:

auto eth0
iface eth0 inet static
   . . .
   dns-nameservers 8.8.8.8 8.8.4.4

How to get a list of apps listening on network ports

For a quick list run
sudo ufw show listening
For a full list
sudo lsof -i -an | grep -E '(LIST|UDP)'
Note that the following command, recommended in the lsof FAQ, may or may not work depending on your distro:
sudo lsof -i -stcp:listen -sudp:idle

How to enable UFW (Ubuntu's uncomplicated firewall) on boot

Edit
sudo vi /etc/ufw/ufw.conf 
Set
Enabled = yes

How to make wireshark capture traffic as non-root user

sudo dpkg-reconfigure wireshark-common 
sudo usermod -a -G wireshark $USER
Logout and login back

How to analyze Wireshark PCAP capture

First feed it through the latest version (>= 0.7.4) of ettercap
ettercap -Tqr <capture>
If you know what you are looking for, grep the packet contents
ettercap -Tr <capture> | grep <text>
Then get Xplico and give it a whirl. You could also try chaosreader, but it is a bit old.

How to convert NETTL network capture to PCAP format

Use the -T (encapsulation type) option of the editcap tool that comes with wireshark:
editcap -T ether <in_file> <out_file>
The file format (-F option) defaults to libpcap, so there is no need to specify it.


How to log traffic coming through a dd-wrt router

Add the rules in reverse order (each -I ... 1 inserts at the top of the chain, so the rule added last is matched first; that way the ACCEPT exceptions end up above the LOG rules)

  • do the logging
iptables -I FORWARD 1 -j LOG --log-level 2 --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "FORWARD "
iptables -I INPUT   1 -j LOG --log-level 2 --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "INPUT "
iptables -I OUTPUT  1 -j LOG --log-level 2 --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "OUTPUT "
  • ignore logging the logging messages and the corresponding dns resolution
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.1.1  -d 192.168.1.50 -p UDP --sport 53
iptables -I INPUT  1 -j ACCEPT -s 192.168.1.50 -d 192.168.1.1  -p UDP --dport 53
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.1.1  -d 192.168.1.50 -p UDP --dport 514
  • ignore ssh traffic
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.1.1  -d 192.168.1.90 -p TCP --sport 22
iptables -I INPUT  1 -j ACCEPT -s 192.168.1.90 -d 192.168.1.1  -p TCP --dport 22
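Added example (not part of the original notes): once the LOG records produced by the rules above reach the /var/log/network.log that the rsyslog section sets up, this Python picks out connection openings and flags the ones aimed at ports outside an allowlist. The sample records, host names, addresses and the allowlist are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the form the LOG rules above produce once
# rsyslog has written them to /var/log/network.log (hosts/addresses made up).
SAMPLE_LOG = """\
Mar  3 10:15:02 router kernel: FORWARD IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 router kernel: FORWARD IN=vlan2 OUT=br0 SRC=203.0.113.10 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=65160 RES=0x00 ACK SYN URGP=0
Mar  3 10:15:05 router kernel: INPUT IN=vlan2 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:09 router kernel: FORWARD IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.53 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=UDP SPT=40001 DPT=53 LEN=44
"""

# The word right after "kernel: " is the --log-prefix (INPUT/OUTPUT/FORWARD).
LINE_RE = re.compile(r"kernel: (?P<chain>[A-Z]+) (?P<rest>.*)$")

def parse_line(line):
    """Split one LOG record into its chain prefix, KEY=VALUE fields and bare
    flags (DF, SYN, ACK, ...); returns None for lines that are not LOG records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value      # repeated key (UDP logs LEN twice) keeps the last
        else:
            rec["flags"].add(tok)
    return rec

def new_tcp_connections(text):
    """Yield (chain, src, dst, dport) for TCP segments that open a connection
    (SYN set, ACK clear); the SYN/ACK replies are not counted again."""
    for line in text.splitlines():
        rec = parse_line(line)
        if (rec and rec.get("PROTO") == "TCP"
                and "SYN" in rec["flags"] and "ACK" not in rec["flags"]):
            yield rec["chain"], rec["SRC"], rec["DST"], int(rec["DPT"])

def unexpected_ports(text, allowed_dports=frozenset({22, 53, 80, 443})):
    """Count connection attempts, per chain, to destination ports outside the
    allowlist; anything hitting INPUT here is aimed at the router itself."""
    return Counter((chain, dport) for chain, _, _, dport in new_tcp_connections(text)
                   if dport not in allowed_dports)

if __name__ == "__main__":
    for hit in new_tcp_connections(SAMPLE_LOG):
        print(hit)
    print(dict(unexpected_ports(SAMPLE_LOG)))
```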

How to set up wireshark display filter to cut out noise

not (ip.addr==noisyip || arp || ipx || eigrp || loop || cdp || stp || smb || nbns || dcerpc || nbss || dns)

How to see OpenRG firewall events in real time

To print the current firewall events to the console, use a terminal to connect to the router and run
Wireless Broadband Router> log lev_on 6

How To Reconfigure OpenRG router from console

Use a terminal to connect to the router:

Wireless Broadband Router> conf print /
Wireless Broadband Router> conf print /fw/rule/loc_srv/2/services/0/trigger/0/protocol
Wireless Broadband Router> conf set /fw/rule/loc_srv/2/services/0/trigger/0/protocol 6
Wireless Broadband Router> conf reconf 1


How To Open UFW for incoming syslog

sudo ufw allow proto udp from 192.168.1.2 to 192.168.1.10 port 514

How To Poke a hole in dd-wrt

iptables -I INPUT -p udp --dport 1194 -d doorknob -j ACCEPT

How to adjust Windows XP firewall for Cisco VPN

echo Setting ICMP (PING).....
REM **ICMP (PING):  Allow outbound source quench, inbound echo request, outbound time exceeded
netsh firewall set icmpsetting type = 4 mode = enable
netsh firewall set icmpsetting type = 8 mode = enable
netsh firewall set icmpsetting type = 11 mode = enable

echo Setting File and Print Sharing.....
REM **WINDOWS AUTHENTICATION PORT SETTINGS:  Open File and Print Sharing ports to the 22 subnet
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = CUSTOM addresses = 128.143.22.0/255.255.255.0 profile = ALL

echo Setting Cisco VPN Client.....
REM **ALLOW CISCO VPN TO WORK WITH FIREWALL ENABLED
netsh firewall set portopening protocol = UDP port = 500 name = CiscoVPN(ISAKMP) mode = ENABLE profile = ALL scope = CUSTOM addresses = 128.143.0.0/255.255.0.0,192.35.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,199.111.0.0/255.255.0.0,198.32.48.0/255.255.255.0,198.32.44.0/255.255.255.0

netsh firewall set portopening protocol = UDP port = 62515 name = CiscoVPN mode = ENABLE profile = ALL scope = CUSTOM addresses = 128.143.0.0/255.255.0.0,192.35.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,199.111.0.0/255.255.0.0,198.32.48.0/255.255.255.0,198.32.44.0/255.255.255.0

netsh firewall set allowedprogram program = "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" name = CiscoVPN2 mode = ENABLE profile = ALL scope = CUSTOM addresses = 128.143.0.0/255.255.0.0,192.35.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,199.111.0.0/255.255.0.0,198.32.48.0/255.255.255.0,198.32.44.0/255.255.255.0

echo Setting Symantec Antivirus.....
REM **SYMANTEC MANAGED ANTIVIRUS PORT SETTINGS:  Opens a port to allow communication with Symantec Antivirus Server
netsh firewall set portopening protocol = UDP port = 38293 name = SymantecManagedAVUDP38293 mode = ENABLE profile = ALL scope = CUSTOM addresses = 128.143.0.0/255.255.0.0,192.35.0.0/255.255.0.0,137.54.0.0/255.255.0.0,172.16.0.0/255.255.0.0,172.25.0.0/255.255.0.0,172.26.0.0/255.255.0.0,199.111.0.0/255.255.0.0


How to configure cisco vpn and outpost firewall

And here's a little more elegant way to manually remove the vsdatant driver:

1.) go to the device manager
2.) make the hidden devices visible (view --> show hidden devices)
3.) search for the "vsdatant" entry in the non-PNP-section
4.) right click the entry and choose "uninstall"

If I do find a way to automate this whole process then I'll post it here - just to add another variant in addition to the batch-method of dianneg (which is also fine).

How to run OpenVPN on WRT54G

  • Download and install; you may need additional libraries

iptables -A FORWARD -j logaccept -p udp --dport 443

  • change the logging to go to /tmp/something instead of stdout
  • add routing on the wrt and the client
  • solve the issue of losing the default gateway

iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
/jffs/usr/sbin/openvpn --dev tap0 --tls-server --key /jffs/usr/etc/homewall.key --cert /jffs/usr/etc/homewall.crt --dh /jffs/usr/etc/dh1024.pem --ca /jffs/usr/etc/ca.crt --comp-lzo --port 443 --proto tcp-server --verb 3 --daemon


How to test MTU with ping

ping -f -l 1500 someip

Play with the -l value until you are satisfied. (This is the Windows ping syntax: -f sets don't-fragment and -l the payload size; on Linux the equivalent is ping -M do -s <size> someip.)


@HowTo @Networking