If you ever need an IPAM and/or DCIM tool this one is highly recommended. It allows modeling all your infra including network, datacenter and virtualization using a web gui and has an extensive REST API. It can be extended by plugins and "custom fields".
Today it’s widely used and there’s plenty of docs, examples and integrations available.
Installation
The tool is built on Python/Django and uses PostgreSQL. LDAP and other auth methods can be configured. Manual installation includes installing the required packages, the database and the HTTP server. Upgrading to the latest version is supported. There are also (third-party) Ansible playbooks available for deploying it.
Objects
There are Sites, Racks, Devices, Virtualization, VLANs and Interfaces. VMs and Devices are modelled separately and have their own API calls, which is something to be aware of when scripting against the API.
Racks
Devices can be put in racks and have Connections using Cables connecting Interfaces. Same goes for Power, Console, Storage etc.
IPAM
For IPAM there are Prefixes, IPs (v4 and v6), VLANs, VRFs and VCs.
Importing data
Can be done in bulk with e.g. CSV or using the API. If you’re migrating from RackTables there’s ‘racktables2netbox’, but be aware it’s not updated and not directly usable in its current state (e.g. the APIs have changed). It uses ‘pynetbox’, a client library you can also use for your own scripts.
Links
RFC1918 (IPv4)
- 10.0.0.0 – 10.255.255.255 (10/8 prefix)
- 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
https://tools.ietf.org/html/rfc1918
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
RFC1918 (IPv6)
- fd00::/8
Uncompressed:
fd00:0000:0000:0000:0000:0000:0000:0000
Range start-end:
fd00:0000:0000:0000:0000:0000:0000:0000
fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
https://tools.ietf.org/html/rfc4193
https://tools.ietf.org/html/draft-delong-ula-example-00
https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
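The following is an added example (not part of the original post) that turns the lists above into a check you can run over an address export: it matches IPv4 addresses against the three RFC 1918 blocks and IPv6 addresses against the locally assigned ULA block fd00::/8, prints the uncompressed first/last address of each block the way the post lists them, and shows why the standard library’s `is_private` is not the same test. Only Python’s `ipaddress` module is used; the sample addresses in the `__main__` block are constructed for illustration.

```python
import ipaddress

# Private blocks exactly as listed in the post: RFC 1918 for IPv4 and the
# locally assigned ULA block fd00::/8 (RFC 4193) for IPv6.
PRIVATE_BLOCKS = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")
]


def private_block(addr):
    """Return the block (as a string) from PRIVATE_BLOCKS containing addr, or None.

    fc00::/8 (the L=0 half of fc00::/7) is deliberately not matched: RFC 4193
    leaves it undefined, so an address there is not a valid locally assigned ULA.
    """
    a = ipaddress.ip_address(addr)
    for net in PRIVATE_BLOCKS:
        if a.version == net.version and a in net:
            return str(net)
    return None


def block_range(prefix):
    """Uncompressed first and last address of a block, as the post lists them."""
    net = ipaddress.ip_network(prefix)
    return net.network_address.exploded, net.broadcast_address.exploded


def compare_with_stdlib(addr):
    """Return (matches the post's list, ipaddress.is_private) for addr.

    The two differ on purpose: is_private also covers loopback, link-local and
    the documentation ranges (127.0.0.0/8, 2001:db8::/32, ...), so it is not a
    substitute for an RFC 1918 / ULA check when validating an IPAM import.
    """
    return private_block(addr) is not None, ipaddress.ip_address(addr).is_private


if __name__ == "__main__":
    # constructed sample addresses
    for sample in ("10.1.2.3", "172.32.0.1", "fd12:3456::1",
                   "fc00::1", "127.0.0.1", "2001:db8::1"):
        print(f"{sample:16} block={private_block(sample)} "
              f"(list, stdlib)={compare_with_stdlib(sample)}")
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"):
        start, end = block_range(p)
        print(f"{p:16} {start} - {end}")
```

Note that 172.32.0.1 is outside 172.16.0.0/12 and fc00::1 is outside fd00::/8, so both come back as not private, while 127.0.0.1 and 2001:db8::1 are flagged by `is_private` but not by the list.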
nftables (nft) replaces iptables:
- Debian (10 buster) links ‘iptables’ to ‘iptables-nft’; the old implementation is still available as ‘iptables-legacy’
- RH uses nft as the preferred firewall since RHEL8 and firewalld uses nft as its backend
If you haven’t switched yet you might want to ‘translate’ your current iptables rules and make other programs use nft.
config
rules are located in:
- Debian
/etc/nftables.conf
- RedHat
/etc/sysconfig/nftables.conf
list
nft list ruleset
nft list chain ip filter INPUT
nft list tables
nft list table ip filter
flush
nft flush ruleset
translate
iptables-restore-translate -f /etc/iptables/rules.v4 > /etc/iptables/ruleset.nft
ip6tables-restore-translate -f /etc/iptables/rules.v6 > /etc/iptables/ruleset6.nft
netfilter-persistent
Oddly enough the only place I could find an nft plugin was here
curl https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft -o /usr/share/netfilter-persistent/plugins.d/15-nft
fail2ban
Make f2b use nft. From https://wiki.meurisse.org/wiki/Fail2Ban:
- edit ‘/etc/fail2ban/jail.local.conf’:
  banaction = nftables-multiport
- add to ‘/etc/nftables.conf’:
  include "/etc/fail2ban.conf"
- create ‘/etc/fail2ban.conf’:
  #!/usr/sbin/nft -f
  # Use ip as fail2ban doesn't support ipv6 yet
  table ip fail2ban {
      chain input {
          # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
          type filter hook input priority 100;
      }
  }
How to create a 6to4 tunnel in Windows using CLI (for use with HE’s free Tunnel Broker service for example).
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel TunnelName <local-ipv4> <server-ipv4>
netsh interface ipv6 add address TunnelName 2001:a:b:c::2
netsh interface ipv6 add route ::/0 TunnelName 2001:a:b:c::1
Where:
- “<local-ipv4>” and “<server-ipv4>” are the IPv4 endpoints of the tunnel (your own public IPv4 address and the broker’s server address); ‘add v6v4tunnel’ requires both, so fill them in from your tunnel details
- “2001:a:b:c::” is your prefix
- “2001:a:b:c::1” is the gateway
- “2001:a:b:c::2” is your ipv6 address
Delete the tunnel:
netsh interface ipv6 delete address TunnelName 2001:a:b:c::2
netsh interface ipv6 delete route ::/0 TunnelName 2001:a:b:c::1
netsh interface ipv6 delete interface TunnelName
A HE tunnel can be requested here: https://tunnelbroker.net.
Documentation
Linux Advanced Routing & TC: http://lartc.org/howto/index.html
Basic commands
I guess ifconfig is deprecated now…
Help:
ip a help
(a = address, l = link, r = route)
Show:
ip a show eth0
ip l show eth0
ip r get 8.8.8.8
(use ‘ip -4’ or ‘ip -6’ for ipv4/6)
Change:
ip l set dev eth0 up
ip a add 192.168.1.2/24 dev eth0
Two Default Gateways
Useful to setup for hosts on multiple subnets/networks.
Howto’s:
- https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System
- http://www.rjsystems.nl/en/2100-adv-routing.php
- https://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/
- http://www.dfwavc.com/linux_multi_nic-multi_gateway
Instructions
Add table:
echo -e "10\trt2" >> /etc/iproute2/rt_tables
Add route/rule:
ip route add 1.2.3.0/20 dev eth1 src 1.2.3.172 table rt2
ip route add default via 1.2.3.1 dev eth1 table rt2
ip rule add from 1.2.3.172/32 table rt2
ip rule add to 1.2.3.172/32 table rt2
ip rule add from 1.2.3.173/32 table rt2
ip rule add to 1.2.3.173/32 table rt2
ip route flush cache
ip route list table rt2
ip route show
ip rule show
Testing:
ping -I 1.2.3.172 8.8.8.8
Making it permanent
debian:
/etc/interfaces
/etc/network/interfaces.d/eth1
post-up ip route add 1.2.3.0/20 dev eth1 src 1.2.3.174 table rt2
post-up ip route add default via 1.2.3.1 dev eth1 table rt2
post-up ip rule add from 1.2.3.174/32 table rt2
post-up ip rule add to 1.2.3.174/32 table rt2
/etc/network/interfaces.d/eth1:0
post-up ip rule add from 1.2.3.176/32 table rt2
post-up ip rule add to 1.2.3.176/32 table rt2
redhat:
echo "1.2.3.0/20 dev eth1 src 1.2.3.172 table rt2" >> /etc/sysconfig/network-scripts/route-eth1
echo "default via 1.2.3.1 dev eth1 table rt2" >> /etc/sysconfig/network-scripts/route-eth1
echo "from 1.2.3.172/32 table rt2" >> /etc/sysconfig/network-scripts/rule-eth1
echo "to 1.2.3.172/32 table rt2" >> /etc/sysconfig/network-scripts/rule-eth1
echo "from 1.2.3.173/32 table rt2" >> /etc/sysconfig/network-scripts/rule-eth1
echo "to 1.2.3.173/32 table rt2" >> /etc/sysconfig/network-scripts/rule-eth1
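As an added example (my code, not from the original post or the how-tos linked above), here is the whole procedure from “Add table” through the Debian post-up lines expressed as a small generator that validates the input before emitting the commands. The point it adds to the text is the check the how-tos leave implicit: if the gateway or one of the local addresses is outside the connected prefix, the kernel accepts the routes and rules but replies from that address never reach the gateway. The prefix, gateway, addresses and table name are the post’s own; the function names are mine, and nothing here touches the kernel, it only returns the command strings.

```python
import ipaddress


def build_policy_routing(dev, prefix, gateway, local_addrs, table_id=10, table_name="rt2"):
    """Return the shell commands for a second default gateway on `dev`.

    Mirrors the post: register a routing table, add the connected route with
    a source address and a default route in that table, then add from/to
    rules for every local address so replies leave via the right gateway.
    Works for IPv4 and IPv6 (the rule prefix length follows the family).
    """
    net = ipaddress.ip_network(prefix, strict=False)  # tolerate host bits, e.g. 1.2.3.0/20
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    addrs = [ipaddress.ip_address(a) for a in local_addrs]
    if not addrs:
        raise ValueError("need at least one local address")
    for a in addrs:
        if a not in net:
            raise ValueError(f"local address {a} is not inside {net}")
    plen = addrs[0].max_prefixlen  # 32 for IPv4, 128 for IPv6
    cmds = [
        # register the table once; the post's plain echo >> appends a duplicate on every run
        f'grep -qw "{table_name}" /etc/iproute2/rt_tables || '
        f'echo -e "{table_id}\\t{table_name}" >> /etc/iproute2/rt_tables',
        f"ip route add {prefix} dev {dev} src {addrs[0]} table {table_name}",
        f"ip route add default via {gw} dev {dev} table {table_name}",
    ]
    for a in addrs:
        cmds.append(f"ip rule add from {a}/{plen} table {table_name}")
        cmds.append(f"ip rule add to {a}/{plen} table {table_name}")
    cmds.append("ip route flush cache")
    return cmds


def debian_post_up(cmds):
    """The same ip commands as post-up lines for /etc/network/interfaces.d/."""
    return ["post-up " + c for c in cmds if c.startswith("ip ")]


if __name__ == "__main__":
    cmds = build_policy_routing("eth1", "1.2.3.0/20", "1.2.3.1", ["1.2.3.172", "1.2.3.173"])
    print("\n".join(cmds))
    print("\n# interfaces.d stanza:")
    print("\n".join(debian_post_up(cmds)))
    try:
        build_policy_routing("eth1", "1.2.3.0/20", "10.0.0.1", ["1.2.3.172"])
    except ValueError as e:
        print("\n# rejected:", e)
```

Run it once and compare the output with the commands you typed by hand; the rejected case at the end shows what a mistyped gateway looks like before it silently breaks return traffic.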
Useful websites:
http://www.firewall.cx
https://www.gns3.com
Commands:
show int status (which port, vlan)
show vlan (on switch)
show int des (all descriptions)
show ip int brief (all ip interfaces)
show hard (hardware)
show ver (version)
show environment
show ? (all show cmds)
show cdp (neighbours)
show lacp
show int p0 (port/channel) port-c
show users
show utp status (trans/client)