Network Manager
Example from openSUSE, but it works on any distribution that uses NetworkManager.
Add VLAN from CLI
nmcli con add type vlan ifname VLAN99 dev enp3s0 id 99
By default nmcli lets the new connection install a default route whenever its DHCP lease or router advertisement supplies a gateway, so a VLAN meant for one segment can silently take over all of the host's outbound traffic. To prevent that, append the following to the command above:
ipv4.never-default true ipv6.never-default true
To keep the DNS servers the VLAN connection obtains via DHCP or RA out of the system resolver configuration, also append (and ipv6.ignore-auto-dns yes for IPv6):
ipv4.ignore-auto-dns yes
List connections
nmcli con
Modify connection
A connection can be modified using
nmcli con mod <connection> <parameters>
Apply changes
To apply changes, take the connection down and bring it back up. This drops everything running over it, including your own SSH session if you are logged in through that connection:
nmcli con down <connection> && nmcli con up <connection>
For changes to the IP settings only, nmcli device reapply <device> applies them without disconnecting.
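The check a practitioner wants after the steps above is whether every VLAN connection on the host actually carries the never-default and ignore-auto-dns settings, not only the one just added. The script below is an added example, not part of the original page: it parses the terse (-t) output of nmcli con show and reports VLAN connections that would still take a default route or automatic DNS. The nmcli output embedded in it is constructed, not captured from a real host; run it with --live to audit the local NetworkManager instead.

```python
"""Audit NetworkManager VLAN connections for leaked default routes and DNS.

Added example (not from the original page). Reads nmcli's terse output,
in which records are ':'-separated and literal colons are escaped as '\\:',
and reports every VLAN connection lacking never-default / ignore-auto-dns.
"""
import re
import subprocess
import sys

# Properties a VLAN connection should carry so it neither grabs the default
# route nor injects its DHCP/RA-supplied DNS servers into the resolver.
REQUIRED = ("ipv4.never-default", "ipv6.never-default", "ipv4.ignore-auto-dns")

# Constructed sample of `nmcli -t -f NAME,TYPE,DEVICE con show`
# (not captured from a real host).
SAMPLE_CONNECTIONS = """\
Wired connection 1:802-3-ethernet:enp3s0
VLAN99:vlan:VLAN99
VLAN20:vlan:VLAN20
lo:loopback:lo
"""

# Constructed sample of `nmcli -t -f <props> con show <name>` per VLAN
# connection: VLAN99 was created with the extra settings, VLAN20 with the
# bare `nmcli con add type vlan ...` and therefore kept the defaults.
SAMPLE_PROPERTIES = {
    "VLAN99": "ipv4.never-default:yes\nipv6.never-default:yes\nipv4.ignore-auto-dns:yes\n",
    "VLAN20": "ipv4.never-default:no\nipv6.never-default:no\nipv4.ignore-auto-dns:no\n",
}


def split_terse(line):
    """Split one nmcli -t record on unescaped ':' and unescape the fields."""
    return [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]


def vlan_connections(listing):
    """Names of all connections whose TYPE field is 'vlan'."""
    names = []
    for line in listing.splitlines():
        fields = split_terse(line) if line.strip() else []
        if len(fields) >= 2 and fields[1] == "vlan":
            names.append(fields[0])
    return names


def parse_properties(terse_props):
    """Turn 'setting.property:value' lines into a dict."""
    props = {}
    for line in terse_props.splitlines():
        fields = split_terse(line)
        if len(fields) >= 2:
            props[fields[0]] = ":".join(fields[1:])
    return props


def audit(listing, props_by_name):
    """Map each misconfigured VLAN connection to the properties not set to 'yes'."""
    findings = {}
    for name in vlan_connections(listing):
        props = parse_properties(props_by_name.get(name, ""))
        missing = [key for key in REQUIRED if props.get(key) != "yes"]
        if missing:
            findings[name] = missing
    return findings


def nmcli(*args):
    """Run nmcli in terse mode and return its stdout (needs NetworkManager)."""
    return subprocess.run(["nmcli", "-t", *args], check=True,
                          capture_output=True, text=True).stdout


def live_audit():
    """Same as audit(), but against the local NetworkManager."""
    listing = nmcli("-f", "NAME,TYPE,DEVICE", "con", "show")
    props = {name: nmcli("-f", ",".join(REQUIRED), "con", "show", name)
             for name in vlan_connections(listing)}
    return audit(listing, props)


if __name__ == "__main__":
    result = live_audit() if "--live" in sys.argv else audit(SAMPLE_CONNECTIONS, SAMPLE_PROPERTIES)
    for name, missing in result.items():
        fix = " ".join(f"{key} yes" for key in missing)
        print(f"{name}: fix with  nmcli con mod '{name}' {fix}  and then restart the connection")
    sys.exit(1 if result else 0)
```

The exit status makes the script usable from a configuration check: it returns 1 as soon as any VLAN connection is missing one of the three settings, and the printed line is the exact nmcli con mod command that repairs it.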
Static IPv4 address
example ubuntu 16.04
rene@azura:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp2s0
iface enp2s0 inet static
    address 10.60.1.51
    netmask 255.255.0.0
    gateway 10.60.1.1
    dns-nameservers 10.60.1.1

# Virtual IPs for the primary network interface
# akema.ld
auto enp2s0:1
iface enp2s0:1 inet static
    address 10.60.1.53
    netmask 255.255.0.0

# git.azura.ld
auto enp2s0:2
iface enp2s0:2 inet static
    address 10.60.1.54
    netmask 255.255.0.0

# The secondary network interface
# zabool.dk
auto enp0s25
iface enp0s25 inet static
    address 10.60.1.52
    netmask 255.255.0.0
    gateway 10.60.1.1
    dns-nameservers 10.60.1.1

Note that only one interface should carry a gateway line: ifupdown adds a separate default route for each one, and the second add fails with "RTNETLINK answers: File exists", which makes ifup report that interface as failed.
example Centos 7
Physical device
[rene@azura]: $ cat /etc/sysconfig/network-scripts/ifcfg-enp0s25
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp0s25
UUID=945e0bc9-020f-4e02-961f-0aaa11371688
DEVICE=enp0s25
ONBOOT=yes
IPADDR=10.60.1.51
PREFIX=8
GATEWAY=10.60.1.1
DNS1=1.1.1.1
DOMAIN=ld
Virtual VLAN device
[rene@azura]: $ cat /etc/sysconfig/network-scripts/ifcfg-enp0s25.20
DEVICE=enp0s25.20
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.20.20
PREFIX=24
NETWORK=192.168.20.0
GATEWAY=192.168.20.1
DNS2=192.168.20.1
VLAN=yes

If the VLAN must not take over the host's default route (the ifcfg equivalent of ipv4.never-default in the NetworkManager section), add DEFROUTE=no to the VLAN file; with a GATEWAY line and no DEFROUTE=no, both files compete for the default route.
Static IPv6 address
Take a look at https://superuser.com/questions/528523/how-can-i-figure-out-what-ipv6-to-use-if-i-want-to-set-a-static-ip-for-my-comput
Disable IPv6
Source: https://www.techrepublic.com/article/how-to-disable-ipv6-on-linux/
sudo nano /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Reboot the machine, or apply the settings immediately with sudo sysctl -p. Only do this on hosts where nothing needs IPv6; with it disabled, the ip6tables rules further down no longer matter.
IPtables IPv4
example
Source: https://paranoidix.dk/2007/09/16/arch-samba-server
#!/bin/sh
IPTABLES=/usr/sbin/iptables
LAN=192.168.100.0/24
OWNIP=192.168.100.3

# start by flushing the rules
$IPTABLES -F
# Delete all chains
$IPTABLES -X

# set default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# allow packets coming from the machine
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# allow outgoing traffic
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

# allow established and related connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# block spoofing (loopback addresses arriving on a real interface, or our own address from outside)
$IPTABLES -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
$IPTABLES -A INPUT -s $OWNIP -j DROP

# stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# stop Xmas Tree type scanning
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# stop null scanning
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# stop SYN flood: new TCP connections above 1/s (burst 5) get a RST
$IPTABLES -N SYNFLOOD
$IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
$IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD

# stop ping flood attack
$IPTABLES -N PING
$IPTABLES -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
$IPTABLES -A PING -p icmp -j REJECT
$IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

#################################
## What we allow
#################################
# tcp ports
## restricted tcp things ##
# ssh
$IPTABLES -A INPUT -p tcp -m tcp -s $LAN --dport 22 -j ACCEPT
# samba (netbios)
$IPTABLES -A INPUT -p tcp -m tcp -s $LAN --dport 137:139 -j ACCEPT
# samba (not using netbios)
$IPTABLES -A INPUT -p tcp -m tcp -s $LAN --dport 445 -j ACCEPT
# samba (enabling browsing)
$IPTABLES -A INPUT -p tcp -m tcp -s $LAN --sport 137 --dport 1024:65535 -j ACCEPT

# udp ports
## restricted udp things ##
# Samba (Netbios)
$IPTABLES -A INPUT -p udp -m udp -s $LAN --dport 137:139 -j ACCEPT
# browse replies: restricted to the LAN as well, because a match on source port
# alone is satisfied by any host that chooses its source port (e.g. nmap -g 137)
$IPTABLES -A INPUT -p udp -m udp -s $LAN --sport 137:138 -j ACCEPT

# finally - drop the rest
$IPTABLES -A INPUT -p tcp --syn -j DROP
IPtables IPv6
example
Source: https://www.linux.com/learn/intro-to-linux/2017/8/iptables-rules-ipv6

#!/bin/bash
# ip6tables single-host firewall script

# Define your command variables
ipt6="/sbin/ip6tables"

# Flush all rules and delete all chains
# for a clean startup
$ipt6 -F
$ipt6 -X

# Zero out all counters
$ipt6 -Z

# Default policies: deny all incoming
# Unrestricted outgoing
$ipt6 -P INPUT DROP
$ipt6 -P FORWARD DROP
$ipt6 -P OUTPUT ACCEPT

# Must allow loopback interface
$ipt6 -A INPUT -i lo -j ACCEPT

# Allow return traffic for connections initiated from the host
$ipt6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all ICMPv6 packets. Neighbour discovery, router advertisements
# and path MTU discovery all run over ICMPv6, so it must not be dropped wholesale.
$ipt6 -A INPUT -p ipv6-icmp -j ACCEPT

# Optional rules to allow other LAN hosts access to services.
# They must come BEFORE the final --syn DROP below, otherwise they never match.

# Allow DHCPv6 from link-local addresses only
$ipt6 -A INPUT -m state --state NEW -m udp -p udp \
    -s fe80::/10 --dport 546 -j ACCEPT

# Allow connections from SSH clients
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS traffic
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Allow access to SMTP, POP3, and IMAP
$ipt6 -A INPUT -m state --state NEW -p tcp -m multiport \
    --dports 25,110,143 -j ACCEPT

# Reject connection attempts not initiated from the host and not allowed above.
# The INPUT policy already drops them; this makes it explicit.
$ipt6 -A INPUT -p tcp --syn -j DROP
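Both firewall scripts on this page, the IPv4 one and the IPv6 one, stand or fall on the same few properties: INPUT and FORWARD default to DROP, loopback is accepted, and every port opened in INPUT is limited to a trusted source network. The Python audit below is an added example, not code from the page or its sources: it parses iptables-save / ip6tables-save output (the format is the same for both) and checks those properties, and it also flags ACCEPT rules that match on source port alone, which any sender satisfies by choosing its source port. The two dumps embedded in it are constructed by hand to resemble the scripts above, not real captures; the trusted networks 192.168.100.0/24 and fe80::/10 are taken from the scripts.

```python
"""Audit an iptables-save / ip6tables-save dump (added example, not from the
page): INPUT and FORWARD policy DROP, loopback accepted, and every INPUT
ACCEPT of a destination port limited to a trusted source network. ACCEPTs
matching on source port alone are flagged (the sender picks that port)."""
import ipaddress
import shlex

# Constructed sample (not a real capture) resembling the IPv4 script above,
# with one over-broad rule: UDP accepted by source port from anywhere.
SAMPLE_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --sport 137:138 -j ACCEPT
COMMIT
"""
# Constructed sample resembling the IPv6 script with its service rules enabled.
SAMPLE_V6 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,110,143 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Parse '-A CHAIN ...' into {'chain', 'opts', 'negated'}; each option keeps
    the space-joined values after it, options preceded by '!' go in 'negated'."""
    tokens = shlex.split(line)
    opts, negated, i, neg = {}, set(), 0, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            neg, i = True, i + 1
            continue
        j = i + 1
        while j < len(tokens) and tokens[j] != "!" and not tokens[j].startswith("-"):
            j += 1
        opts[tok] = " ".join(tokens[i + 1:j])
        if neg:
            negated.add(tok)
        neg, i = False, j
    return {"chain": opts.get("-A", ""), "opts": opts, "negated": negated}

def parse_iptables_save(text):
    """Return (policies, rules) for the *filter table; other tables are skipped."""
    policies, rules, table = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            if policy != "-":          # '-' marks a user-defined chain
                policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules

def source_is_trusted(src, trusted):
    """True if the -s value lies inside one of the trusted ip_network objects."""
    if not src:
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def audit(policies, rules, trusted_nets):
    """Return a list of findings; an empty list means every check passed."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = [f"{c} policy is {policies.get(c, 'unset')}, expected DROP"
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    if not any(r["chain"] == "INPUT" and r["opts"].get("-i") == "lo" and "-i" not in r["negated"]
               and r["opts"].get("-j") == "ACCEPT" for r in rules):
        findings.append("INPUT has no ACCEPT rule for loopback (-i lo)")
    for r in rules:
        o = r["opts"]
        if r["chain"] != "INPUT" or o.get("-j") != "ACCEPT":
            continue
        src = None if "-s" in r["negated"] else o.get("-s")   # '! -s' trusts nothing
        if source_is_trusted(src, trusted):
            continue
        dports = o.get("--dport") or o.get("--dports")
        sports = o.get("--sport") or o.get("--sports")
        if dports:
            findings.append(f"INPUT accepts {o.get('-p', 'any')} dport {dports} from {src or 'anywhere'}")
        elif sports:
            findings.append(f"INPUT accepts {o.get('-p', 'any')} by source port {sports} alone "
                            f"from {src or 'anywhere'}; the sender picks its source port")
    return findings

if __name__ == "__main__":
    for label, dump, nets in (("IPv4", SAMPLE_V4, ["192.168.100.0/24"]), ("IPv6", SAMPLE_V6, ["fe80::/10"])):
        for finding in audit(*parse_iptables_save(dump), nets) or ["ok"]:
            print(f"{label}: {finding}")
```

On a real host, replace the samples with the text of iptables-save or ip6tables-save and pass the networks you actually trust; anything the audit lists for the IPv6 sample (SSH and the mail ports open to every IPv6 address) is exactly what the linux.com script exposes when its optional rules are enabled without a source restriction.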