czerasz.com: notes

Networking

  • list interfaces

    ip link
    
  • list addresses on interfaces

    ip addr
    
  • view route table

    $ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         _gateway        0.0.0.0         UG    600    0        0 wlpXXXX
    192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlpXXXX
    

    or

    $ ip route
    default via 192.168.1.1 dev wlpXXXX proto dhcp metric 600
    192.168.1.0/24 dev wlpXXXX proto kernel scope link src 192.168.1.9 metric 600
    

DNS

One can add local hostname resolution by editing /etc/hosts:

echo '127.0.0.53    dns' >> /etc/hosts

By default /etc/hosts is checked before reaching out to the DNS server. This behaviour is defined in /etc/nsswitch.conf:

$ cat /etc/nsswitch.conf
...
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
...

files stands for /etc/hosts.


The DNS resolver configuration file is /etc/resolv.conf.

The nameserver is configured with:

$ cat /etc/resolv.conf
nameserver 127.0.0.53

The /etc/resolv.conf can have multiple entries, which work as fallbacks:

$ cat /etc/resolv.conf
nameserver 127.0.0.53
nameserver 8.8.8.8

To resolve a bare hostname by appending a domain to it:

$ cat /etc/resolv.conf
...
search czerasz.com

Now blog will also be resolved as blog.czerasz.com.

search can be used with multiple domains:

$ cat /etc/resolv.conf
...
search czerasz.com czerasz.net

nslookup can be used for DNS resolution:

$ nslookup czerasz.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	czerasz.com
Address: 185.199.110.153
...

NOTE

nslookup ignores entries in /etc/hosts
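The behaviour described in this section, as an added example that is not part of the original notes: it parses constructed /etc/hosts and /etc/resolv.conf contents and models, in simplified form, the nsswitch.conf order `files` before `dns`. The files backend matches the literal name in /etc/hosts, while the dns backend expands the name through the `search` list (governed by the `ndots` option, default 1). The nameservers are replaced by a constructed dictionary so the script runs offline; `use_hosts=False` mimics nslookup, which talks to the nameserver directly and therefore never sees /etc/hosts.

```python
"""Model of how a Linux host turns a name into lookup attempts.

Added example, not code from the original notes. Simplified model of the
nsswitch.conf `files` -> `dns` order plus the resolv.conf search list.
"""
import ipaddress

# constructed /etc/hosts: an alias for the local stub resolver and a host with a short name
HOSTS_FILE = """\
127.0.0.1    localhost
127.0.0.53   dns
192.168.1.9  blog.czerasz.com blog
"""

# constructed /etc/resolv.conf with a fallback nameserver and two search domains
RESOLV_CONF = """\
nameserver 127.0.0.53
nameserver 8.8.8.8
search czerasz.com czerasz.net
options ndots:1
"""

# constructed answers standing in for the nameservers
FAKE_DNS = {
    "czerasz.com": "185.199.110.153",
    "wiki.czerasz.net": "203.0.113.7",
}


def parse_hosts(text):
    """Return {name: address} from /etc/hosts; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def parse_resolv_conf(text):
    """Return nameservers, search list and ndots from /etc/resolv.conf."""
    conf = {"nameservers": [], "search": [], "ndots": 1}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        key, *args = parts
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key in ("search", "domain"):
            conf["search"] = args  # a later search/domain line replaces the earlier one
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def candidates(name, conf):
    """Names the dns backend tries, in order. A trailing dot disables the
    search list; a name with fewer dots than ndots tries the search domains
    before the literal name, otherwise the literal name goes first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{domain}" for domain in conf["search"]]
    if name.count(".") < conf["ndots"]:
        return expanded + [name]
    return [name] + expanded


def resolve(name, hosts, conf, dns, use_hosts=True):
    """Return (matched_name, address, source) or None.
    use_hosts=False mimics nslookup, which queries the nameserver directly."""
    key = name.rstrip(".").lower()
    if use_hosts and key in hosts:
        return key, hosts[key], "files"
    for fqdn in candidates(name, conf):
        if fqdn.lower() in dns:
            return fqdn, dns[fqdn.lower()], "dns"
    return None


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    conf = parse_resolv_conf(RESOLV_CONF)
    for query in ("blog", "wiki", "czerasz.com", "dns"):
        print(query, "->", resolve(query, hosts, conf, FAKE_DNS))
    print("blog (nslookup-style) ->", resolve("blog", hosts, conf, FAKE_DNS, use_hosts=False))
```

Querying `blog` finds the /etc/hosts entry, while the same query with `use_hosts=False` returns nothing because none of the expanded names exist in DNS; `wiki` is only found after the search list appends czerasz.net.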

ARP

  • view ARP table

    arp
    

Network Namespaces

  • list network namespaces

    ip netns
    
  • add network namespace

    ip netns add newns
    
  • execute a command within the network namespace

    ip netns exec newns ip link
    

    or

    ip -n newns link
    
  • connect two network namespaces

  • create two network namespaces

    ip netns add pink
    ip netns add green
    
  • create a virtual ethernet pair (virtual cable)

    ip link add veth-pink type veth peer name veth-green
    

    veth-pink and veth-green are new interfaces.

    NOTE

    Remove the virtual cable with:

    ip -n pink link del veth-pink
    

    The other end of the cable is removed automatically, since a veth pair is one cable.

  • attach each interface to the appropriate namespaces

    ip link set veth-pink netns pink
    ip link set veth-green netns green
    
  • assign IP addresses (with a prefix length, otherwise a /32 is assumed and no route to the other end is added) within each namespace

    ip -n pink addr add 192.168.0.21/24 dev veth-pink
    ip -n green addr add 192.168.0.22/24 dev veth-green
    
  • enable interfaces

    ip -n pink link set veth-pink up
    ip -n green link set veth-green up
    
  • ping one namespace from the other:

    ip netns exec pink ping 192.168.0.22
    
  • view ARP tables

    ip netns exec pink arp
    ip netns exec green arp
    

    One can see that each namespace identified its neighbour.

    NOTE

    The host ARP table will have NO information about ARP traffic between the two namespaces

To connect more network namespaces together use a virtual switch.

Virtual switch types:

  • linux bridge
  • Open vSwitch

Create an internal bridge network (Linux bridge):

  • create a new bridge interface on the host:

    ip link add v-net-0 type bridge
    
  • bring the bridge interface up:

    ip link set dev v-net-0 up
    

Give the host an address on the bridge network so it can talk to the namespaces:

ip addr add 192.168.15.5/24 dev v-net-0

Add an “internet” gateway:

  • add a default route inside the namespace, pointing at the host's bridge address:

    ip netns exec blue ip route add default via 192.168.15.5
    
  • add NAT via Iptables:

    iptables -t nat -A POSTROUTING -s 192.168.15.0/24 -j MASQUERADE
    

    MASQUERADE replaces the source address of outgoing packets with the host's address.
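The whole procedure from this section and the previous one (namespaces, veth cables, a bridge, a default route and NAT) as one added example; it is not code from the original notes. `build_plan()` is a pure function that returns the ip/iptables commands in order, generalized to any number of namespaces, so the plan can be inspected or tested without root; `apply_plan()` runs it with subprocess when called with `dry_run=False`. The bridge name v-net-0 and the 192.168.15.0/24 subnet come from the notes; the veth naming scheme, the host taking the first address of the subnet, enabling ip_forward, and the eth0 uplink are this example's assumptions.

```python
"""Plan and apply a Linux bridge that connects N network namespaces and
NATs them to the outside.

Added example, not part of the original notes. Assumptions: veth names
veth-<ns> / veth-<ns>-br, host = first address of the subnet, uplink eth0.
"""
import ipaddress
import subprocess


def build_plan(namespaces, bridge="v-net-0", subnet="192.168.15.0/24", uplink="eth0"):
    """Return the ordered list of commands (each a list of argv strings)."""
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())
    if len(namespaces) + 1 > len(hosts):
        raise ValueError("subnet too small for the host plus the namespaces")
    host_addr = hosts[0]  # the host's bridge address doubles as the namespaces' gateway
    plan = [
        ["ip", "link", "add", bridge, "type", "bridge"],
        ["ip", "link", "set", "dev", bridge, "up"],
        ["ip", "addr", "add", f"{host_addr}/{net.prefixlen}", "dev", bridge],
    ]
    for i, ns in enumerate(namespaces, start=1):
        ns_if, br_if = f"veth-{ns}", f"veth-{ns}-br"
        plan += [
            ["ip", "netns", "add", ns],
            # one virtual cable per namespace; the -br end plugs into the bridge
            ["ip", "link", "add", ns_if, "type", "veth", "peer", "name", br_if],
            ["ip", "link", "set", ns_if, "netns", ns],
            ["ip", "link", "set", br_if, "master", bridge],
            ["ip", "link", "set", br_if, "up"],
            # the prefix length matters: without it the address is /32 and no connected route exists
            ["ip", "-n", ns, "addr", "add", f"{hosts[i]}/{net.prefixlen}", "dev", ns_if],
            ["ip", "-n", ns, "link", "set", ns_if, "up"],
            ["ip", "-n", ns, "link", "set", "lo", "up"],
            ["ip", "-n", ns, "route", "add", "default", "via", str(host_addr)],
        ]
    plan += [
        # the host must forward between the bridge and the uplink
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        # rewrite the source address of packets leaving via the uplink to the host's address
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", str(net), "-o", uplink, "-j", "MASQUERADE"],
    ]
    return plan


def apply_plan(plan, dry_run=True):
    """Print the commands, or run them in order (needs root) when dry_run=False."""
    for cmd in plan:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # dry run by default; call apply_plan(plan, dry_run=False) as root to configure the host
    apply_plan(build_plan(["pink", "green", "blue"]))
```

Restricting MASQUERADE with `-o eth0` keeps traffic between namespaces on the bridge untouched; only packets that actually leave through the uplink are rewritten.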

IP Tables

netfilter is the Linux kernel framework responsible for handling packets. iptables is the userspace program used to configure netfilter.

List the default (FILTER) table:

iptables -L -n -v
  • -L list
  • -n numeric
  • -v verbose

List the default table with line numbers:

iptables -L -n -v --line-numbers

List the MANGLE table:

iptables -L -n -v -t mangle

Block a specific website (the hostname is resolved to its addresses when the rule is added):

iptables -A INPUT -s www.wp.pl -j DROP

Delete the rule 1:

iptables -D INPUT 1

Change chain policy to DROP:

iptables -P INPUT DROP

Forward host port to container port:

iptables -t nat \
  -A DOCKER \
  -p tcp \
  -j DNAT \
  --dport 8080 \
  --to-destination 172.17.0.14:80

List rules created by Docker:

iptables -nvL -t nat

Allow packets to travel through the loopback interface:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

  • -i input interface
  • -o output interface

Allow DHCP packets:

iptables -A INPUT -p udp --dport 67 -j ACCEPT
iptables -A INPUT -p tcp --dport 67 -j ACCEPT
iptables -A OUTPUT -p udp --dport 68 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 68 -j ACCEPT

Allow DNS packets:

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

DNS mostly uses UDP, but TCP is used for larger responses.

Allow client use of SSH:

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-m loads an iptables match extension (here conntrack).

(…)SSH connections do not happen in one direction only. Instead, you would send a packet to destination port 22, and the packets would come to your computer with the state of RELATED and ESTABLISHED. Connection tracker distinguishes that for you and you don’t have to worry yourself about it.(…) [1]

Allow server use of SSH:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
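The rules of this section assembled into one ruleset, as an added example that is not code from the original notes. Each rule is checked before rendering (a `--dport` without `-p tcp` or `-p udp` is rejected, as iptables itself rejects it) and the result is one `*filter` table in iptables-restore format, which `iptables-restore` loads atomically, so a DROP policy never becomes active before the ACCEPT rules that keep the host reachable. The DROP policies and the assumption that the host is a DHCP client and an SSH client (requests leave toward port 67, replies arrive at port 68) are this example's choices.

```python
"""Render a client-host filter ruleset in iptables-restore format.

Added example, not from the original notes. Assumes a host that is a
DHCP client and an SSH client, with DROP policies on all chains.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface_in: Optional[str] = None     # -i, valid on INPUT/FORWARD
    iface_out: Optional[str] = None    # -o, valid on OUTPUT/FORWARD
    ctstate: Optional[str] = None      # -m conntrack --ctstate ...

    def check(self):
        """Reject combinations that iptables would refuse at load time."""
        if self.chain not in ("INPUT", "OUTPUT", "FORWARD"):
            raise ValueError(f"unknown chain {self.chain}")
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError(f"{self.chain}: --dport {self.dport} needs -p tcp or -p udp")
        if self.iface_in and self.chain == "OUTPUT":
            raise ValueError("-i is not valid in the OUTPUT chain")
        if self.iface_out and self.chain == "INPUT":
            raise ValueError("-o is not valid in the INPUT chain")

    def render(self):
        self.check()
        parts = ["-A", self.chain]
        if self.iface_in:
            parts += ["-i", self.iface_in]
        if self.iface_out:
            parts += ["-o", self.iface_out]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.ctstate:
            parts += ["-m", "conntrack", "--ctstate", self.ctstate]
        parts += ["-j", self.target]
        return " ".join(parts)


# Rules for a host that is a DHCP client and an SSH client (constructed set).
CLIENT_RULES = [
    Rule("INPUT", "ACCEPT", iface_in="lo"),
    Rule("OUTPUT", "ACCEPT", iface_out="lo"),
    # replies to anything this host initiated come back through conntrack
    Rule("INPUT", "ACCEPT", ctstate="RELATED,ESTABLISHED"),
    # DHCP: the client sends to server port 67 and receives on client port 68
    Rule("OUTPUT", "ACCEPT", proto="udp", dport=67),
    Rule("INPUT", "ACCEPT", proto="udp", dport=68),
    # DNS: mostly UDP, TCP for large responses
    Rule("OUTPUT", "ACCEPT", proto="udp", dport=53),
    Rule("OUTPUT", "ACCEPT", proto="tcp", dport=53),
    # outbound SSH; the return packets match the RELATED,ESTABLISHED rule above
    Rule("OUTPUT", "ACCEPT", proto="tcp", dport=22),
]


def render_ruleset(rules, policies):
    """Build the *filter table for iptables-restore; policies maps chain -> DROP/ACCEPT."""
    lines = ["*filter"]
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        lines.append(f":{chain} {policies.get(chain, 'ACCEPT')} [0:0]")
    lines += [rule.render() for rule in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # pipe the output into `iptables-restore` (as root) to apply the whole table at once
    policies = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}
    print(render_ruleset(CLIENT_RULES, policies), end="")
```

Applying the rendered table with `iptables-restore` rather than a sequence of `iptables -A` calls is what makes the DROP policy safe to set on a host you are administering over SSH: the policy and the ACCEPT rules take effect together.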

Resources

What Is iptables and How to Use It?
