Linux network configuration

Get all listening servers on a host :

netstat -tapnl

Scan for host on a specific network range.

apt-get (ubuntu). Create file /etc/apt/apt.conf.d/proxy and add inside the proxy you want like :

Acquire::http::Proxy "http://proxy.spheniscus.fr:8888";

yum (CentOS). Edit file /etc/yum.conf and add the following under main :

proxy=http://proxy.spheniscus.fr:8888

wget. Add/export http_proxy variable in terminal :

export http_proxy=proxy.spheniscus.fr:8888

Or with a user/password :

export http_proxy=http://user:pass@proxy.spheniscus.fr:8888

git : Same as wget, but you need to export https_proxy variable.

ssh (ubuntu), install connect-proxy package :

sudo apt-get install connect-proxy

Then edit /etc/ssh/ssh_config file and add, for the specific host (thehostip) you want to ssh on, before “Host *” :

host host thehostip
  ProxyCommand connect-proxy -H http://proxy.spheniscus.fr:8888 %h %p

X2Go-Client (all) This one is tricky, X2Go does not support http proxy. You need to rely on ssh proxy and combine it with an ssh tunnel. After configuring ssh proxy (see above) for the specific host (thehostip), open a terminal and open a tunnel (assuming the host ssh service is listening on port 22) :

ssh thehostip -p 443 -L 2222:thehostip:22

Keep this connection alive (using top for example). Then configure X2GoClient to connect on localhost and choose port 2222. Done, you can now connect using X2Go on your server. Do not forget to close the ssh connection when finished.

Connect to a server :

ssh mylogin@myserver.com
sftp mylogin@myserver.com

Connect to a server on port 443 :

ssh -p 443 mylogin@myserver.com
sftp -oPort=443 mylogin@myserver.com

Connect to a server to use it as a web browsing relay :

ssh mylogin@myserver.com -D 9999

and then in Firefox, go in settings, advanced, network, settings, and choose “manual proxy configuration”, then let everything empty, and on line SOCKS Hosts, use “localhost” and “9999” for the port.

Local port forwarding. I have computer A, I want to connect to computer C, but A cannot connect to C directly (IP blocking, on a network behind a firewall, etc). However, I also have an ssh account on B, that can connect to C. In this case, do :

ssh my_name_on_B@B -L 2222:C:22

This will connect to B (so you use your B account), and link your localhost port 2222 to the 22 of C, through B. You now can connect to C by connecting to your localhost on 2222 :

ssh my_name_on_C@localhost -p 2222

And you are on C.

Another example, I have a specific service running on a computer B, and I want to connect it with my computer A. However, to make it more secure, only ssh port is open on B. Let's say I have a minecraft server on B, listening on port 25565. I will use (also work on windows with putty) :

ssh my_name_on_B@B -L 25565:B:25565

So that my 25565 localhost port is linked to the 25565 port on B. Then, in minecraft, I can add a new server : localhost (or localhost:25565 if you want to specify the port). It will recognize the server running on B, and connect to it. This is very useful for LAN gaming without the risks of open ports on firewalls, but also to use remote servers like Paraview on a cluster, etc.

Remote port forwarding. This technic allow you to pass through near all firewalls if you have access to a computer inside the network behind it. You have a computer A, on a network that only have internet access. You cannot connect to this computer from home with computer B or anywhere else because it is behind a firewall. The basic trick: most of firewall blocks ssh connection out and in. Trick is to use the 443 port, the one use for https connections. This port is always open (because needed), so make your B computer listen on 443 for ssh service (do not forget to secure it). Then, on A, connect to be through 443 using ssh Remote :

ssh my_name_on_B@B -p 443 -R 7777:localhost:22

If you let this shell open (using top command to avoid non activity close), you can now connect to computer A through port 7777 on B.

At each time, be sure to secure all systems. These manipulations can dramatically compromise the security of your network !

Others examples :

http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html

rsync --partial --progress --rsh=ssh user@host:remote_file local_file

It is possible to specify ssh client to use a specific key for a specific server. Edit ~/.ssh/config and add :

Host sphen.brennik.fr
  IdentityFile /media/disk0/.ssh/id_dsa
Host myotherser.other.com
  IdentityFile /home/sphen/.ssh/id_rsa

Note : it is possible to add other settings for each host in this file, such as specific port number, X11 forwarding, etc.

Under SL 6.5 or RHEL 6.5 :

yum groupinstall "Infiniband Support"
yum install infiniband-diags

Then edit the ib card network settings :

vim  /etc/sysconfig/network-scripts/ifcfg-ib0

DEVICE=ib0
TYPE=InfiniBand
BOOTPROTO=static
IPADDR=192.168.21.19
NETMASK=255.255.0.0
BROADCAST=192.168.255.255
ONBOOT=yes

Then activate and restart services :

chkconfig rdma on
/etc/init.d/rdma restart
/etc/init.d/network restart

And check (wait 20s for ib to initialize) :

# ibstatus
Infiniband device 'mlx4_0' port 1 status:
	default gid:	 fe80:0000:0000:0000:0030:48c8:b16c:0001
	base lid:	 0xb
	sm lid:		 0x2
	state:		 4: ACTIVE
	phys state:	 5: LinkUp
	rate:		 40 Gb/sec (4X QDR)
	link_layer:	 InfiniBand
 
# for i in `ls /sys/class/infiniband/*/ports/*/state`; do echo $i; cat $i; done
/sys/class/infiniband/mlx4_0/ports/1/state
4: ACTIVE

OS : RHEL/CENTOS

On the client nodes, edit the network file, and replace hostname provided during the install by localhost.localdomain :

# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=localhost.localdomain

If you can, prefer refusing all and allowing only trusted :

/etc/hosts.allow

#
#

ALL: 192.168.0.*
ALL: *.spheniscus.brennik.fr
sshd: 10.0.*

/etc/hosts.deny

#
#

ALL: ALL

Update of : http://blog.nicolargo.com/2010/10/installation-dun-serveur-openvpn-sous-debianubuntu.html?PageSpeed=noscript

The aim here is to configure an OpenVPN network to :

• secure connection for web browsing in public networks
• reach others desktop PCs for LAN gaming over internet

You can of course adjust has you want to your own purposes.

You need one server, we will use an Ubuntu 14.04 server x86_64, and clients, which will be on Windows 7 x64 Pro and Premium.

Few interesting documentation :
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
http://en.wikipedia.org/wiki/OpenVPN

Small tip : if your server port 443 is free, you can use it for your VPN. 443 is always open anywhere, especially on hotspot or academic wifi.

Let's start with the server side.

apt-get install openvpn easy-rsa

First, generate keys folder:

make-cadir /etc/openvpn/easy-rsa

Then edit certificate informations (we go root here for more convenience):

sudo su
nano /etc/openvpn/easy-rsa/vars

And fill these variables :

export KEY_COUNTRY="FR"
export KEY_PROVINCE="NO"
export KEY_CITY="Bayeux"
export KEY_ORG="Sphen"
export KEY_EMAIL="sphen@outlook.com"
export KEY_OU="MyOrganizationalUnit"

Let's generate keys and certificates and create jail and clientconf directories :

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
openvpn --genkey --secret keys/ta.key
mkdir /etc/openvpn/keys
cp keys/ca.crt keys/ta.key keys/server.crt keys/server.key keys/dh2048.pem /etc/openvpn/keys
mkdir /etc/openvpn/jail
mkdir /etc/openvpn/clientconf

Then edit the configuration file which will not exist yet. The file should be /etc/openvpn/openvpn.conf :

vim /etc/openvpn/openvpn.conf

# Server
mode server
port 37491 # you can choose your port here
proto udp # you can choose tcp or udp here. 
#If you have bad connections, prefer tcp, if not, prefer udp. 
#I recommend tcp for browsing because hotspots are often bad, 
# and udp for LAN gaming to keep good performances (you will rarely play on an public hotspot)

dev tun

# Keys and certificates
ca keys/ca.crt
cert keys/server.crt #position of SSL certificate
key keys/server.key #position of SSL key
dh keys/dh2048.pem #position of dh file
tls-auth keys/ta.key 1
key-direction 0
cipher AES-256-CBC

# Network
server 10.8.0.0 255.255.255.0 #ip wanted for the server on the private network
ifconfig-pool-persist ipp.txt
keepalive 10 120
client-to-client #allows clients to connect to each others on the private network. 
#Needed for LAN gaming, but for security reasons, should be deactivated for others purposes 

#push "redirect-gateway def1" #Set server as new gateway for clients, use only for internet browsing
#push "dhcp-option DNS 10.8.0.1" #Set server as default DNS for clients

# Securite
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
chroot /etc/openvpn/jail #chroot process, better security in case of security breach

# Logs
status openvpn-status.log
mute 20
verb 3
; log-append /var/log/openvpn.log

Note the “;” at the end, we will remove it after being sure openvpn server is working correctly. Note : you should start using TCP connection for tests, and switch to UDP (if needed) when TCP works.

Now secure keys :

chmod -R 400 /etc/openvpn/keys

Let's test the server :

cd /etc/openvpn
openvpn openvpn.conf

If you get something like :

[...]
Fri Oct 10 21:11:24 2014 Initialization Sequence Completed

Then kill the process (Ctrl + C) and remove the “;” a the end of the configuration file openvpn.conf. Exit root. Now, openvpn server can be started/stopped on-demand using :

#start
/etc/init.d/openvpn start
#stop
/etc/init.d/openvpn stop

For each client, you need to generate few files and a certificate. We choose here to setup a password for each certificate, which is much more secure. Do not forget to use long password to prevent rainbow tables attack.

As root, we create here client called “benji” :

cd /etc/openvpn/easy-rsa
source vars
./build-key-pass benji
mkdir /etc/openvpn/clientconf/benji
cp /etc/openvpn/keys/ca.crt /etc/openvpn/keys/ta.key keys/benji.crt keys/benji.key /etc/openvpn/clientconf/benji/

Now lets edit the configuration file of the client (server ip is xxx.xxx.xxx.xxx, using port yyyyy, we choosed 37491 in the server configuration):

vim /etc/openvpn/clientconf/benji/client.conf

# Client
client
dev tun
proto udp-client
remote xxx.xxx.xxx.xxx yyyyy
resolv-retry infinite
cipher AES-256-CBC
; client-config-dir ccd

# Cles
ca ca.crt
cert benji.crt
key benji.key
tls-auth ta.key 1
key-direction 1

# Securite
nobind
persist-key
persist-tun
comp-lzo
verb 3

Duplicate the file to ovpn format for windows :

cp /etc/openvpn/clientconf/benji/client.conf /etc/openvpn/clientconf/benji/client.ovpn

Now, you need to provide the client with the files in /etc/openvpn/clientconf/benji, using a zip for example.

Download openvpn for windows here :
https://openvpn.net/index.php/open-source/downloads.html

Choose Installer (64-bit), Windows XP and later. Install openvpn, choose to also install gui and tape driver.

Then, extract files from sever (the zip file containing certificate for the client) in Program Files/OpenVPN/config/.
Important : if you want to edit a text file here, you need to launch the editor with administrator rights, if not, changes will not be saved.
Then launch OpenVPN-GUI with administrator rights (important). The icon should be in the task bar. Right click, choose “connect”, enter the password, and you should be connected in no time to the openvpn network. Try to ping the server and the other clients.

Tip : you can choose in the Windows Firewall to temporary lower firewall on the openvpn interface if you trust other clients and the server, which makes LAN gaming easier, each game using a different port.

More informations using google.