
Networking

SSH Keys

Info: make sure you have OpenSSH installed; it usually comes with most Linux distributions.

To use keys instead of passwords, you first need to generate the key pair on the machine that will connect to the server:

ssh-keygen

Then copy the public key to the server, and add the private key to the local ssh-agent (the machine's identity list):

ssh-copy-id -i <path/to/publickey.pub> <user>@<host>
ssh-add <path/to/privatekey>

(Arch-specific) And finally, on the server, enable public key authentication and disable password authentication to stop brute-force attacks:

/etc/ssh/sshd_config.d/10-force_publickey.conf
PasswordAuthentication no
AuthenticationMethods publickey

Restart the sshd daemon on the server and it should work.

SSH Tunneling

SSH tunnels are used to expose ports to and from connected systems.

Forward tunnels (or local port forwarding) connect to a host and expose ports of it that would otherwise not be accessible, for example to reach web servers or services that are not yet public. Forward tunnels are created with the -L flag. In this example, local is the client side and remote is the server side:

ssh -L local:localport:remote:remoteport user@serverip_or_domain_name

ssh -L localhost:888:111.222.333.444:80 [email protected]

Reverse tunnels (or remote port forwarding) let you access a computer inside a private network. In a usual scenario, you will have three computers:

  • S1: The computer inside the private network (the one you want to access).
  • S2: A public computer that both you and S1 can connect to.
  • S3: Your computer, trying to access S1.

S1 connects to S2 using SSH with the -R flag, creating a reverse tunnel. This forwards a port (like port 2222) on S2 back to S1's port 22 (SSH). Now, S3 can connect to S2 on port 2222, which forwards the connection back to S1, letting you access it as if you were inside its network.

This setup helps you bypass S1's firewall.

# From the endpoint system (S1)
ssh -R S2:S2port:S1:S1port S2user@S2

# From the client system (S3)
ssh -p S2port S1user@S2
Warning: in reality, you are creating a back door to the S1 computer, exposing it to the internet; use at your own risk!

SSH File Transfer

This should work with MacOS and any Linux distro:

scp <source path> <destination path>

Add the -r flag if it's a folder. To copy over SSH, the format is user@host:/path/to/folder/, e.g.:

scp -r /etc/systemd/destroyd [email protected]:/opt/something

You might need to accept the host key fingerprint and enter the user's password. If the destination doesn't allow SSH password logins, you need to install your public key on the destination (see SSH Keys above).

Network management

systemd-networkd - the system daemon that manages the network configuration. It is needed for Docker ipvlan networks.

networkctl list - show interfaces

Force close ports

nmap [host]              # see if/which ports are open
ss -tlpn | grep [port]   # find the process listening on the port, OR
fuser [port]/tcp

Add the -k flag to fuser to kill the owning process as well (needs root).

Static IP Config (requires systemd-networkd)

/etc/systemd/network/20-wired.network
[Match]
Name=enp1s0

[Network]
Address=10.1.10.9/24
Gateway=10.1.10.1
DNS=10.1.10.1

Renaming an interface (requires systemd-networkd)

A .link file can be used to rename an interface. A useful example is to set a predictable interface name for a USB-to-Ethernet adapter based on its MAC address, as those adapters are usually given different names depending on which USB port they are plugged into.

/etc/systemd/network/10-ethusb0.link
[Match]
MACAddress=12:34:56:78:90:ab

[Link]
Description=USB to Ethernet Adapter
Name=ethusb0

Reverse Proxy

There are several options for reverse proxying, but here we explore NGINX. NGINX is a web server that handles HTTP traffic; it's mainly used to serve websites and route requests to other services.

For HTTPS to work, we need to generate a self-signed SSL certificate.

1. create a 2048-bit RSA private key:

openssl genrsa -out server.key 2048

2. create a certificate signing request (CSR). You need to fill in the prompts; to leave a field empty, enter ‘.’:

openssl req -new -key server.key -out server.csr

3. create the self-signed SSL certificate. You can adjust its expiration date here. Best practice is to renew it every year (365 days):

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

4. inspect the certificate:

openssl x509 -in server.crt -text -noout

You can optionally combine the key and certificate into one file, which some web servers expect:

cat server.crt server.key > server.pem

You can either use an NGINX Docker container or the NGINX daemon. For the daemon, create your configuration in /etc/nginx/sites-available/my.conf. Example conf for a service on localhost:8080:

/etc/nginx/sites-available/page.conf
server {
    listen 443 ssl;
    server_name your_domain_or_ip;

    ssl_certificate /path/to/your/fullchain.pem;
    ssl_certificate_key /path/to/your/privkey.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 80;
    server_name your_domain_or_ip;
    return 301 https://$host$request_uri;
}

Replace your_domain_or_ip and set the correct paths to the SSL certificate and key. Then enable the new nginx conf:

sudo ln -s /etc/nginx/sites-available/jira.conf /etc/nginx/sites-enabled/
sudo nginx -t # Check for syntax errors
sudo systemctl restart nginx

For the docker container version, you would again create a .conf file and pass it to the container when creating it.
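The X-Forwarded-For header this config sets deserves a caveat on the application side, shown here as an added example that is not part of the original page: $proxy_add_x_forwarded_for appends nginx's view of the client to whatever X-Forwarded-For the client already sent, so the backend must read the header from the right, not the left. The trusted-proxy list and the helper name client_ip are assumptions.

```python
import ipaddress

# Constructed assumption: nginx is the only proxy and reaches the backend from
# localhost, matching proxy_pass http://localhost:8080 in the config above.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("::1/128")]


def client_ip(remote_addr, xff=None, trusted=TRUSTED_PROXIES):
    """Real client address behind a chain of trusted proxies.

    remote_addr: the backend's TCP peer (nginx itself when proxied).
    xff: the raw X-Forwarded-For header value, or None.
    Because $proxy_add_x_forwarded_for APPENDS to any header the client sent,
    the leftmost entry is client-controlled; only the rightmost entry that is
    not one of our proxies can be believed.
    """
    chain = [hop.strip() for hop in (xff or "").split(",") if hop.strip()]
    chain.append(remote_addr)  # the socket peer address cannot be forged
    for hop in reversed(chain):  # walk from the nearest hop outward
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # A proxy we trust never forwards garbage: refuse the value rather
            # than log or authorise on it.
            raise ValueError(f"malformed X-Forwarded-For entry: {hop!r}")
        if not any(addr in net for net in trusted):
            return str(addr)
    # Every hop was a trusted proxy (e.g. a health check from nginx itself).
    return str(ipaddress.ip_address(remote_addr))
```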

Firewall

Back-end

Nftables is on its way to replacing iptables. For that reason, I decided to replace iptables with nftables already. As of now, Arch Linux comes with both installed but uses iptables. Usually just stopping/disabling iptables and enabling/starting nftables is good enough.

To move rules from iptables to nftables you need to translate them. Thankfully, iptables comes with a tool that does that. First, export your iptables rules to a file:

iptables-save > tables.txt

Then translate the rules and save them in another file:

iptables-restore-translate -f tables.txt > ruleset.nft

And then just import the rules to nft:

nft -f ruleset.nft

Nftables already comes with some basic rules. To clear the ruleset:

nft flush ruleset

Front-end

These are the firewalls that support nftables:

  • ufw
  • firewalld
  • nft-blackhole

CIDR Cheatsheet

Prefix | # of former class C networks | Potential hosts | Actual hosts  | Netmask         | # of subnets
-------|------------------------------|-----------------|---------------|-----------------|-------------
/31    | 1/128                        | 2               | 0             | 255.255.255.254 | 128
/30    | 1/64                         | 4               | 2             | 255.255.255.252 | 64
/29    | 1/32                         | 8               | 6             | 255.255.255.248 | 32
/28    | 1/16                         | 16              | 14            | 255.255.255.240 | 16
/27    | 1/8                          | 32              | 30            | 255.255.255.224 | 8
/26    | 1/4                          | 64              | 62            | 255.255.255.192 | 4
/25    | 1/2                          | 128             | 126           | 255.255.255.128 | 2
/24    | 1                            | 256             | 254           | 255.255.255.0   | 1
/23    | 2                            | 512             | 510           | 255.255.254.0   | 128
/22    | 4                            | 1,024           | 1,022         | 255.255.252.0   | 64
/21    | 8                            | 2,048           | 2,046         | 255.255.248.0   | 32
/20    | 16                           | 4,096           | 4,094         | 255.255.240.0   | 16
/19    | 32                           | 8,192           | 8,190         | 255.255.224.0   | 8
/18    | 64                           | 16,384          | 16,382        | 255.255.192.0   | 4
/17    | 128                          | 32,768          | 32,766        | 255.255.128.0   | 2
/16    | 256 = 1 class B network      | 65,536          | 65,534        | 255.255.0.0     | 1
/15    | 512 = 2 B networks           | 131,072         | 131,070       | 255.254.0.0     | 128
/14    | 1,024 = 4 B networks         | 262,144         | 262,142       | 255.252.0.0     | 64
/13    | 2,048 = 8 B networks         | 524,288         | 524,286       | 255.248.0.0     | 32
/12    | 4,096 = 16 B networks        | 1,048,576       | 1,048,574     | 255.240.0.0     | 16
/11    | 8,192 = 32 B networks        | 2,097,152       | 2,097,150     | 255.224.0.0     | 8
/10    | 16,384 = 64 B networks       | 4,194,304       | 4,194,302     | 255.192.0.0     | 4
/9     | 32,768 = 128 B networks      | 8,388,608       | 8,388,606     | 255.128.0.0     | 2
/8     | 65,536 = 256 B/1 A network   | 16,777,216      | 16,777,214    | 255.0.0.0       | 1
/7     | 131,072 = 2 A networks       | 33,554,432      | 33,554,430    | 254.0.0.0       | 128
/6     | 262,144 = 4 A networks       | 67,108,864      | 67,108,862    | 252.0.0.0       | 64
/5     | 524,888 = 8 A networks       | 134,217,728     | 134,217,726   | 248.0.0.0       | 32
/4     | 1,048,576 = 16 A networks    | 268,435,456     | 268,435,454   | 240.0.0.0       | 16
/3     | 2,097,152 = 32 A networks    | 536,870,912     | 536,870,910   | 224.0.0.0       | 8
/2     | 4,194,304 = 64 A networks    | 1,073,741,824   | 1,073,741,822 | 192.0.0.0       | 4
/1     | 8,388,608 = 128 A networks   | 2,147,483,648   | 2,147,483,646 | 128.0.0.0       | 2
/0     | 16,777,216 = 256 A networks  | 4,294,967,296   | 4,294,967,294 | 0.0.0.0         | 1
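Every column of the cheatsheet follows from the prefix length, so it can be computed rather than looked up. The following is an added example (not from the original page) that derives the table's columns and describes a concrete address such as the static-IP example 10.1.10.9/24 above; the rfc3021 flag is an assumption that goes beyond the table, for /31 point-to-point links where both addresses are usable.

```python
import ipaddress
from fractions import Fraction

def netmask(prefix: int) -> str:
    """Dotted-quad netmask for an IPv4 prefix length 0..32."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))

def host_counts(prefix: int, rfc3021: bool = False) -> tuple:
    """(potential, usable) hosts. The classic rule subtracts the network and
    broadcast addresses, giving 0 for /31 as in the table; with rfc3021=True a
    /31 point-to-point link keeps both addresses and a /32 is a single host."""
    potential = 2 ** (32 - prefix)
    if rfc3021 and prefix >= 31:
        return potential, potential
    return potential, max(potential - 2, 0)

def class_c_networks(prefix: int) -> Fraction:
    """The '# of former class C networks' column (a fraction below /24)."""
    return Fraction(2 ** 24, 2 ** prefix)

def subnets_per_class(prefix: int) -> int:
    """The last column: how many blocks of this size fit into the next larger
    classful boundary (/24, /16, /8) or the whole address space (/0)."""
    boundary = max(b for b in (24, 16, 8, 0) if b <= prefix)
    return 2 ** (prefix - boundary)

def table_row(prefix: int) -> dict:
    """One cheatsheet row, computed instead of looked up."""
    potential, usable = host_counts(prefix)
    return {"prefix": f"/{prefix}", "class_c": class_c_networks(prefix),
            "potential": potential, "usable": usable,
            "netmask": netmask(prefix), "subnets": subnets_per_class(prefix)}

def describe(cidr: str) -> dict:
    """Network, broadcast, netmask and usable range for an address such as the
    static-IP example 10.1.10.9/24 (strict=False accepts a host address)."""
    net = ipaddress.ip_network(cidr, strict=False)
    p = net.prefixlen
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "netmask": str(net.netmask),
            "first_host": str(net.network_address + 1) if p <= 30 else None,
            "last_host": str(net.broadcast_address - 1) if p <= 30 else None,
            "usable": host_counts(p)[1]}
```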