###########################################################################
# Network Tips
#
# Anuradha Weeraman, 03 June 2004
#
# $Id: networking-misc.txt,v 1.1 2004/06/02 21:17:53 anuradha Exp $
#
###########################################################################

-----

Increasing your TCP/IP speed
by Gary Barrueto

It is not really increasing the speed of your TCP/IP. It just makes the default values lower so that more connections can be handled at the same time. The following will decrease the amount of time your Linux box will try to finish closing a connection and the amount of time before it will kill a stale connection. This will also turn off some IP extensions that aren't needed:

  echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
  echo 0 > /proc/sys/net/ipv4/tcp_sack
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps

-----

Name that NIC
by Mike Baker

Did you know the IEEE is responsible for the MAC (machine address) of your network card? Look up the first 6 hex digits of your card (3 bytes) in the IEEE's listing to see the manufacturer.

On a related note, you can also have your card use a different MAC address:

  ifconfig eth1 hw ether deadbeef0001

(this needs to be done while the card is down, for obvious reasons). Now your card will answer all ARP requests with DE:AD:BE:EF:00:01.

Note: The kernel performs this trick on most cards by setting the card into promiscuous mode and using software to filter out all MACs that aren't yours, so it stands to reason that it would be slightly slower than just using your real MAC.

-----

Automating with ip-up/ip-down scripts
by Marius Aamodt Eriksen

When the PPP daemon makes an outside connection, it executes the script /etc/ppp/ip-up; likewise, when PPP no longer has a connection, it executes /etc/ppp/ip-down. You can put many handy things in these scripts, such as sending and fetching mail (with sendmail/qmail/exim/etc. and fetchmail).

-----

There's more to it than meets the tcpd

You've probably heard of tcpd -- it's that little wrapper almost everything in inetd runs through; it filters based on hosts.allow and hosts.deny. Did you know it can do more than that? In your hosts.deny add this line:

  in.ftpd: .microsoft.com: twist /bin/echo access denied for %u@%a

What's that you say? This is an advanced form of deny: instead of running the command specified in inetd for this service, it will run an echo command. To make things even more complicated we've added a few variables: %u is the username, %h is the hostname.

Suppose you want to background a process while the daemon answers the port; this might be for running a logger (hey! let's silently queso everyone who telnets in). In hosts.allow add these lines:

  in.telnetd: ALL: spawn /usr/local/bin/queso %a -p 113 > /var/log/scan.log &

And for our final example let's get rid of anyone who uses their root account to telnet to us. In hosts.deny:

  in.telnetd: root@ALL: twist /bin/echo sorry, you're logged in as root

-----

Telnet fade script
by Mike Baker

Here's a fun script I think you'll enjoy. It makes it so your telnet login screen fades in from black. To use this script save the following as /usr/sbin/fade.sh and be sure to set the execute bit.

  #!/bin/sh
  #clear the screen and erase all colors
  clear
  perl -e '$| = 1; for ($i=0;$i<16;$i++) {printf("\33]P%x000000\r",$i);}'
  #display logo
  cat /etc/issue.net
  #fade in colors
  perl -e '$| = 1; for ($c=0;$c<256;$c+=2) {for ($i=0;$i<16;$i++)'\
  '{$p=$c*(2+($i&8)/8)/3; printf("\33]P%x%02x%02x%02x\r"'\
  ',$i,$p*($i&1)/1,$p*($i&2)/2,$p*($i&4)/4);}'\
  'select(undef, undef, undef, 0.02);}'
  #display login prompt
  exec /bin/login

Now to tell telnet to run the fade-in script whenever someone connects, change your telnet line in inetd.conf and restart inetd:

  telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd -h -L /usr/sbin/fade.sh

(the -h option prevents /etc/issue.net from being displayed by telnet)

-----

Who's that pinging?
by Marius Aamodt Eriksen

You can check all the ICMP packets that arrive at your system by using icmpinfo. With icmpinfo you can also detect network attacks that are based on ICMP.

-----

Even though you're across the room, it feels like you're a million miles away
by Larry Reckner

If you have your own network at home (and these days, who doesn't?), you can tune the transport between your own machines using ifconfig. Let's say you have a few machines networked together and you use NFS to mount those drives. I'm sure you've seen collisions like mad when moving large files, despite the fact you've told NFS to move large packets by changing the rsize and wsize defaults. Well, here's another thing to try. Set up a point-to-point interface between your two machines. This sets up a direct link between two machines with no one else listening. To do this, run:

  /sbin/ifconfig eth0 pointopoint [dest IP]

This adds the destination IP to the eth0 interface as a direct PtP link. This still allows outside connections, but will speed up connections between local machines.

-----

Pump that connection
by Marius Aamodt Eriksen

If you use DHCP, you can change the DHCP configuration with pump. For example, to request a DHCP lease time of 24 hours, you type:

  /sbin/pump -i eth0 -l 24

To renew the lease, type:

  /sbin/pump -i eth0 -R

and to check the status of the interface:

  /sbin/pump -i eth0 -s

If your interface isn't eth0, replace it with the appropriate name.

-----

Quick and Easy Serial Networking
by Dimitris Economou

The slattach command provides a very quick and easy way to attach a network interface to a serial line.

Usage: slattach [-p proto] [-s speed] [tty]

Example:

  slattach -p cslip -s 38400 ttyS1

In this example, a network interface whose speed will be 38400 is attached to ttyS1 using the CSLIP protocol. For more options refer to the slattach man page.

-----

Secure Remote Synchronization
by Rowin Andruscavage

The "rsync" program allows you to synchronize files and directories between computers easily and securely over slow links. It first compares directory listings and transfers only the files which need to be updated. A common use would be to update web pages on a server:

  rsync -av --delete -e ssh ~/public_html/ webserver:/home/rwa2/public_html/

You would likely want to double-check what's going to happen before you commit the changes, especially since the presence of trailing "/"s can drastically change the operation. You can perform a "dry run" of the rsync operations by first running your command line with the -n option.

-----

Reject your enemies
by Jerry Kilpatrick

If you are aware someone is doing something malicious to your machine and you want to make sure they can't get access to you, and you don't have ipchains or the ip_masq modules installed, you can always do this:

  route add -host ip.or.host.of.badguy reject

This trick only works with later releases of Linux.

-----

TCP/IP Networking Using a Serial Cable
by Dimitris Economou

To start you need a null modem cable (RS-232 cable) and a free serial port on each of the computers that will be networked. After the cable is connected to both computers, all you need to do is run the following commands on each of the computers:

  /sbin/slattach -p cslip -s {speed} {serial port} &
  /sbin/ifconfig sl0 {IP of host system} pointopoint {IP of other system} up

Now you have networked your two computers.

-----

Mirroring Websites
by Dimitris Economou

Using wget, you can copy the contents of a whole website to your hard disk. This is done by executing the wget command with the '-r' option.

The '-r' option is, as stated in the wget man page, a "Recursive web-suck"; in other words, it mirrors the URL specified at execution time.

Usage: wget -r [URL]

For more information about wget, refer to its man page.

-----

CVS Compression
by Marius Aamodt Eriksen

CVS is able to compress data while downloading from CVS servers. CVS uses gzip compression for this. To use compression, simply run cvs with the -z# option, where # is the compression level (a typically used value is 3, where there is a good balance between compression and CPU usage). A simple example:

  cvs -z3 co mysource

-----

High Volume Routing
by Erik Brandsberg, Jun 02, 2000

If you want to make use of Linux as a router, there are several issues that need to be taken into consideration. The first is the number of interrupts a second that a PC can in general handle. As an example, when using Tulip based NICs, I've found that around 20K interrupts a second (as reported by vmstat) will tend to kill the performance of the box. 19K is fine, but 20K kills the CPU totally (a roadblock in effect). Considering that most NICs create an interrupt for every packet generated, special NICs that support interrupt coalescing need to be used for effective high speed routing. Such NICs include Alteon's ACENic Gigabit Ethernet card.

The second issue is based on the routing code that Linux uses, and how it optimizes the "fast-path" routing. In Linux, a route cache is created that allows fast lookups of the path a particular IP address should use. This lookup is performed using a hash table that utilizes linked lists for hash table collisions. The hash table is sized based on the amount of memory that is in the system: the more memory, the larger the size. By default, on a 24M system, the hash table is 256 entries; on a 256M system it is 2048.

If you are front-ending servers hit by a large number of sites on the Internet and use the default expiration settings, you can end up with well over 20K routes at once, which generate long linked lists, and will eventually degrade performance and cause packet loss. In order to fix this, you need to make sure the expiration of route cache entries is more aggressive, or tune the internals of the kernel to generate a larger hash table. As an example of more aggressive expiration, the following commands in rc.local will help:

  echo "5" > /proc/sys/net/ipv4/route/gc_interval
  echo "1" > /proc/sys/net/ipv4/route/gc_min_interval
  echo "30" > /proc/sys/net/ipv4/route/gc_timeout

The kernel modifications are outside the scope of this discussion; however, they need to be made in /usr/src/linux/net/ipv4/route.c.

-----

Printing on Network Printers
by Marius Aamodt Eriksen

Some HP printers that have JetDirect network cards installed can easily be printed to by simply writing a PostScript file to port 9100 on the printer. Doing this is easiest with a tool like netcat. For example:

  nc myprinter.mydomain.com 9100 < bigmanual.ps

-----

Port forwarding
by Brian, Jul 24, 2000

To port forward from a router to a local machine (with kernel 2.2.x + masquerading support and the portfw module) you can do this:

  Your static IP:     222.222.222.22
  Your local IP:      192.168.1.1
  Your local machine: 192.168.1.2

First set up a masq chain:

  # ipchains -A forward -s 192.168.1.0/0 -j MASQ

(this is not very secure, but it will work) or try:

  # ipchains -I forward -s 192.168.1.2/32 80 -j MASQ

Then to forward (in this example port 80 to a local machine):

  # ipmasqadm portfw -a -P tcp -L 222.222.222.22 80 -R 192.168.1.2 80

If it cannot find the portfw module make sure you modprobe it on boot up, or do it manually:

  modprobe ip_masq_portfw

If it cannot find it, you probably have to recompile your kernel.

Now give it a try.

NOTE: TRY IT FROM A REMOTE MACHINE, I.E. A MACHINE NOT ON YOUR NETWORK!! From the local network it will not work.

-----

Sharing Files with Samba
by Dimitris Economou

To get your Linux system to share files via Samba without requiring any user authentication, the security option in smb.conf must be set to 'share'. If you want all of your defined shared directories to be shared in this way, this option must be set in the global section of your smb.conf; otherwise it should be under the declaration of the specific share you wish to be accessed anonymously.

Example (in smb.conf, which is usually in /etc or /etc/samba):

  security = share

For more information about the format of the Samba configuration file, refer to its man page (man smb.conf).

-----

Netfilter for IP Masquerade
by Mike Baker

As of 2.4, ipchains is a thing of the past. The replacement for ipchains is Netfilter's iptables. What does this mean to the end user? Typically it means little beyond the fact that suddenly their ipmasq script doesn't work. So, for starters, let's get into setting up ipmasq under 2.4.x kernels.

First, check that you've got network packet filtering enabled; you'll find it under the networking options menu. Enabling packet filtering will add a submenu lower down called Netfilter configuration. In the Netfilter configuration menu be sure to enable "Connection tracking", "IP Tables support" and "Full NAT" support. Connection tracking is a new feature of Netfilter that allows you to accept or deny a packet based on the state of the connection rather than the strict allow/deny of ipchains. NAT of course stands for Network Address Translation, the key feature behind IP Masquerade. The other entries in this menu are optional; enable them as you please and recompile the kernel if needed. You may need to grab a copy of Netfilter if you can't find iptables on your system.

Now, to share that modem with your whole LAN you just run:

  iptables -P FORWARD ACCEPT
  iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j REJECT
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  echo 1 > /proc/sys/net/ipv4/ip_forward

The first line sets up the forwarding, allowing you to use the computer as a gateway; the next blocks any forwards that come from our Internet connection. The third line enables IP Masquerade for anything going out on ppp0, and finally the last line actually enables forwarding. Later we'll get into some more advanced tricks with iptables, stay tuned.

-----

More fun with Netfilter
by Mike Baker

So, you've just got your fast cable or DSL connection and now you need a firewall to protect you? No problem. Your basic firewall will tend to look something like this:

  #accept now, deny and log later
  iptables -P INPUT ACCEPT
  #accept traffic from the lan
  iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
  #take advantage of connection tracking
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  #accept connections for ssh and http
  iptables -A INPUT -p tcp -m multiport --destination-port 22,80 -j ACCEPT
  # log and deny
  iptables -A INPUT -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "BLOCKED"
  iptables -A INPUT -j REJECT

Kinda boring, huh? About the only thing that's new in that script is the connection tracking for established packets. Let's see if we can liven it up with some new features. Most portscanners tend to forget about TCP standards when generating packets, so let's look for the MSS option.

  iptables -A INPUT -p tcp --tcp-option \! 2 -j LOG --log-tcp-options --log-prefix "LAME:"
  iptables -A INPUT -p tcp --tcp-option \! 2 -j REJECT --reject-with tcp-reset

That takes care of the more advanced portscanners; now let's have fun with some of the dumber ones.

  iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour --limit-burst 500 --log-prefix "MIRROR:"
  iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour --limit-burst 500

The MIRROR target has an interesting effect: it takes the packet, swaps the source and destination headers and retransmits the packet. The upshot is that if anyone tries scanning you while MIRROR is active they'll end up scanning themselves. Be careful with MIRROR though; some ISPs regularly scan for webservers and would be rather confused if they found their own. Also remember that packets will appear to be coming from your host and going back to the original source, so you may see some interesting logs of you DoS'ing someone.

You might be wondering why I put that limit option there. Well, if we just accept any packet and retransmit it, it'll be possible to flood our bandwidth. Think of what would happen if I connected to a mirror and started transmitting at 10Mbit: you'd retransmit it back, eating another 10Mbit.

-----

Quick DHCPd primer
by Tuneup Staff

Want to make your subnet plug-and-play? Simply set up dhcp on your IPMasq server to autoconfigure the network settings of any machines you might plug in to your LAN. /etc/dhcpd.conf just needs to contain something like:

  default-lease-time 600;
  max-lease-time 7200;

  subnet 192.168.1.0 netmask 255.255.255.0 {
      # range of dynamic ip's, you probably want to leave
      # some open for statically-configured boxes
      range 192.168.1.100 192.168.1.150;
      option broadcast-address 192.168.1.255;
      option subnet-mask 255.255.255.0;
      option domain-name "dyndns.org";
      option routers 192.168.1.1;   # your gateway/IPMasq box
      # if you have bind installed on the gateway server...
      option domain-name-servers 192.168.1.1, 128.253.180.2;
      # In light of the recent bind holes, it'd be more
      # secure to use a separate machine behind your IPMasq
      # gateway, or only use an external DNS server
  }

On Debian, they make you edit /etc/init.d/dhcp to enable it after you finish configuration.

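The LOG rules in the "More fun with Netfilter" tip above write lines to syslog with the prefixes BLOCKED, LAME: and MIRROR:. As an added example that is not part of the original tips, this Python snippet parses such lines (constructed here in the format netfilter's LOG target emits, including the missing space after --log-prefix "BLOCKED" in that script) and lists sources that were rejected on several distinct TCP ports; the function names and the sample lines are this example's own.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the format netfilter's LOG target produces.
# The BLOCKED lines carry --log-prefix "BLOCKED" exactly as the tip's rule
# sets it: with no trailing space, so the prefix runs straight into "IN=".
SAMPLE_LOG = """\
Jul 24 10:00:01 gw kernel: BLOCKEDIN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=2345 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 24 10:00:01 gw kernel: BLOCKEDIN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=2346 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 24 10:00:02 gw kernel: BLOCKEDIN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3 DF PROTO=TCP SPT=2347 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 24 10:00:05 gw kernel: LAME:IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 24 10:00:09 gw kernel: BLOCKEDIN=ppp0 OUT= SRC=198.51.100.200 DST=198.51.100.7 LEN=68 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=UDP SPT=53 DPT=1026 LEN=48
Jul 24 10:00:10 gw sshd[412]: Accepted publickey for rwa2 from 192.168.1.2 port 51022
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")

def parse_log_line(line):
    """Split one LOG line into a dict of KEY=value fields plus PREFIX.
    Returns None for lines that are not netfilter LOG output. Bare flags
    such as DF or SYN carry no '=' and are recorded with the value True."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {"PREFIX": m.group("prefix").strip()}
    for token in ("IN=" + m.group("rest")).split():
        key, sep, value = token.partition("=")
        # UDP lines repeat LEN (IP length, then UDP length): keep the first.
        fields.setdefault(key, value if sep else True)
    return fields

def rejected_ports_by_source(lines, prefix="BLOCKED"):
    """Map each SRC to the set of TCP destination ports it was rejected on."""
    ports = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f and f["PREFIX"] == prefix and f.get("PROTO") == "TCP":
            ports[f["SRC"]].add(int(f["DPT"]))
    return dict(ports)

def likely_scanners(lines, min_ports=3):
    """Sources rejected on at least min_ports distinct TCP ports: a crude
    but useful portscan indicator to review before reacting to it."""
    by_src = rejected_ports_by_source(lines)
    return sorted(src for src, p in by_src.items() if len(p) >= min_ports)

if __name__ == "__main__":
    for src, p in rejected_ports_by_source(SAMPLE_LOG.splitlines()).items():
        print(src, sorted(p))
    print("likely scanners:", likely_scanners(SAMPLE_LOG.splitlines()))
```
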
Once you run "/etc/init.d/dhcp restart", you should be able to plug any Linux or Windows box into your LAN and have it autoconfigure its network with DHCP (on Linux, use dhcpcd or pump; on Windows 9x, run "winipcfg.exe", select the Ethernet card, and hit the "renew lease" button).

If you have multiple Ethernet cards in your IPMasq box (which is often the case in this day and age of DSL and cable modems), dhcpd defaults to running on eth0. If your LAN is actually on eth1, you'll need to specify it when you start: "dhcpd eth1". There ought to be a dhcpd.conf directive to do this, but it's easy enough to just modify /etc/init.d/dhcp to start/restart dhcpd in this fashion.

Careful, you might get spoiled and forget how to use ifconfig and route! :)

-----

Accelerating web browsing over a slow link
by Tuneup Staff

Here's a nice way to speed up web browsing over a modem: use a compressed ssh tunnel to channel all of your traffic through a well-connected proxy server. On your modem host, run:

  export http_proxy=http://localhost:3129
  export ftp_proxy=http://localhost:3129
  ssh -C -L 3129:proxyhost:3128 username@fasthost.net

... where "proxyhost" is the proxy server for your well-connected friends at "fasthost.net". The tunnel will make it look like the proxy server is running from your own computer at port 3129, and everything going over the slow link will be compressed and encrypted.

-----