fabic974 random (binary) wanderings in the philament empires…

Networks: Linux IP stack, routing, iptables firewall, etc (notes)

???

Tools: host fabic.net, dig, curl, netcat vs socat

Query the RIPE database with whois <ip>

$ ip rule list

Monitoring

VnStat

# pacman -S vnstat

Edit /etc/vnstat.conf and set the default interface (optional) :

# vim /etc/vnstat.conf  # EDIT: `Interface = eth0`

Start the service :

# systemctl start vnstat

Create the databases, one for each NIC :

# vnstat -u -i wlp4s0
# vnstat -u -i enp0s25

Query details ab

# vnstat -q  [-i wlp4s0]

Monitor live traffic :

# vnstat -l -i wlp4s0

Multi-IPs hosts

Source routing

At SO (Stack Overflow) there is a solution where we partition the internet address space into blocks, with a specific local source address for each block :

function setup_basic_source_routing() {
  # Each /3 block (32-63, 64-127, 128-159) leaves through the same gateway
  # and interface, but with its own preferred source address.
  ip route add  32.0.0.0/3 via 91.134.136.1 dev ens3 src 178.32.40.98
  ip route add  64.0.0.0/3 via 91.134.136.1 dev ens3 src 92.222.48.73
  ip route add 128.0.0.0/3 via 91.134.136.1 dev ens3 src 91.134.136.248
}

Multi-IPs on one NIC and source address selection

Match packets that start a new connection and have not yet been marked (the 0x30 bits of the connmark are still zero), and randomly assign them a class :

iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW \
  -m connmark --mark 0x00/0x30 \
  -m statistic --mode random --probability 0.333 \
  -j CONNMARK --set-mark 0x10/0x30

iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW \
  -m connmark --mark 0x00/0x30 \
  -m statistic --mode random --probability 0.500 \
  -j CONNMARK --set-mark 0x20/0x30

Finally we may (optionally) copy the connmark bits into the netfilter packet mark (fwmark) with this rule :

# As per http://ipset.netfilter.org/iptables-extensions.man.html#lbCS :
# "Copy the ctmark to the nfmark. If a mask is specified, only those bits are copied."
iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW \
  -m connmark \! --mark 0x00/0x30 \
  -j CONNMARK --restore-mark --ctmask 0x30

^ this is optional though, it depends on whether we’ll be using the fwmark later on (see the MARK target), e.g. with ip rule from all fwmark 0x20 priority <P> table <N>. See CONNMARK about --restore-mark --nfmask 0x... --ctmask 0x... and the computation of the resulting mark, nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask).

TODO: About the 2nd 0.500 probability? The first rule claims 1/3 of all new connections, so the second rule only ever sees the remaining 2/3; matching half of those claims another 1/3 of the total and leaves the last 1/3 unmarked. Somewhat related to the Monty Hall problem and statistical packet classification (with e.g. fwmark, connmark) :

Vos Savant’s response was that the contestant should switch to the other door (vos Savant 1990a). Under the standard assumptions, contestants who switch have a 2/3 chance of winning the car, while contestants who stick to their initial choice have only a 1/3 chance.
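The chained statistic/CONNMARK rules above and the --restore-mark formula, modelled in Python as an added example (not from the original notes): it generalises the 0.333/0.500 pair to k equal classes, applies the man-page mark arithmetic, and simulates a batch of new connections to confirm the three-way split. The mark values 0x10/0x20 and mask 0x30 follow the page; the seeded random source is a constructed stand-in for the statistic module.

```python
import random

def equal_split_probabilities(k):
    """Probabilities for the k-1 chained '-m statistic --mode random' rules
    that split NEW connections into k equal classes.  Rule i only sees the
    connections earlier rules left unmarked, a (k-i)/k fraction of the total,
    so to claim 1/k of the total it must match with probability 1/(k-i).
    For k=3 that is [1/3, 1/2], the page's 0.333 / 0.500 pair."""
    return [1.0 / (k - i) for i in range(k - 1)]

def set_mark(ctmark, value, mask):
    """CONNMARK --set-mark value/mask: clear the mask bits, XOR the value in."""
    return (ctmark & ~mask & 0xFFFFFFFF) ^ value

def restore_mark(nfmark, ctmark, nfmask=0xFFFFFFFF, ctmask=0xFFFFFFFF):
    """CONNMARK --restore-mark, as in the iptables-extensions man page:
    nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return (nfmark & ~nfmask & 0xFFFFFFFF) ^ (ctmark & ctmask)

def classify_connection(rng, marks, mask=0x30):
    """Run one NEW connection through the chain: each rule fires only while
    the mask bits are still zero, with its own statistic probability."""
    probs = equal_split_probabilities(len(marks) + 1)
    ctmark = 0
    for p, value in zip(probs, marks):
        if (ctmark & mask) == 0 and rng.random() < p:
            ctmark = set_mark(ctmark, value, mask)
    return ctmark & mask

def simulate(n, marks=(0x10, 0x20), mask=0x30, seed=1234):
    """Fraction of n connections ending in each class (0x00 = left unmarked)."""
    rng = random.Random(seed)  # constructed stand-in for the kernel's RNG
    counts = {0: 0, **{m: 0 for m in marks}}
    for _ in range(n):
        counts[classify_connection(rng, marks, mask)] += 1
    return {m: c / n for m, c in counts.items()}

def rules_for(marks=(0x10, 0x20), mask=0x30):
    """Render the chained iptables rules for the given class marks."""
    probs = equal_split_probabilities(len(marks) + 1)
    return [f"iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW "
            f"-m connmark --mark 0x00/{mask:#04x} "
            f"-m statistic --mode random --probability {p:.3f} "
            f"-j CONNMARK --set-mark {v:#04x}/{mask:#04x}"
            for p, v in zip(probs, marks)]

if __name__ == "__main__":
    for rule in rules_for():
        print(rule)
    print(simulate(30000))  # roughly one third per class
```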

Pointers, references

Finding out the source address that would be chosen for a given destination address :

ip route get 216.58.213.142 # google.com

EOF