The document discusses Linux networking commands and tools. It provides examples of using ip commands to view and configure network interfaces, routes, neighbors, and rules. It also shows tcpdump for packet capture and nmap for port scanning. Firewalls are configured using iptables to allow traffic from a specific source to a web server port.
[오픈소스컨설팅] Linux Network Troubleshooting
4. Network functions and the Linux software that implements them (diagram reconstructed as a list):
  Web Server: Apache, Nginx, ..
  L4 Switch: HAproxy, Nginx …
  L3 Router: iproute, Quagga
  Firewall: iptables, nftables, bpf
  vSwitch / L2 Switch: OpenvSwitch, Linux Bridge
  Hypervisor: KVM
5. OSI layers, their Protocol Data Unit (PDU) and role in TCP/IP (table reconstructed from the slide)
Host layers:
  7 Application    PDU: Data               high-level APIs: resource sharing, remote file access, etc.
  6 Presentation   PDU: Data               translation/encoding of data between the network service and the application
  5 Session        PDU: Data               management of communication sessions
  4 Transport      PDU: Segment, Datagram  transfer of data segments between network endpoints
Media layers:
  3 Network        PDU: Packet             traffic control across a multi-node network
  2 Data link      PDU: Frame              transfer of data frames between two adjacent nodes
  1 Physical       PDU: Bit, Symbol        transmission of raw bits over the physical medium
Layers at which problems can be troubleshot from Linux
12. root@router1:~# ip link add link ens9 name ens9_v100 type vlan id 100
root@router1:~# ip -d link show ens9_v100
9: ens9_v100@ens9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:05:99:0b brd ff:ff:ff:ff:ff:ff promiscuity 0
vlan protocol 802.1Q id 100 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536
gso_max_segs 65535
This creates a VLAN-type sub-interface on top of ens9 and assigns it VLAN ID 100. In the detail output (-d): "state DOWN" is the link state, "link/ether 52:54:00:05:99:0b" is the MAC address (by default the same as the parent interface's), and "vlan protocol 802.1Q id 100" is the VLAN ID. The new interface starts DOWN with qdisc noop; it needs "ip link set ens9_v100 up" before it passes any traffic.
13. root@router1:~# ip route
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.1
2.2.2.0/24 dev ens5 proto kernel scope link src 2.2.2.1
5.5.5.0/25 via 2.2.2.13 dev ens5 metric 10
5.5.5.0/24 via 1.1.1.12 dev ens4 metric 10
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.22
Route selection: the most specific (longest) matching prefix wins first. The metric only breaks ties between routes to the same prefix; a lower metric has higher priority, and a route with no metric shown has the default value 0. If two routes to the same prefix also share a metric (for example two default routes), the one listed first is used. The default route is used only when no other entry in the table matches.
Because 5.5.5.0/25 is more specific than 5.5.5.0/24, 5.5.5.0 - 5.5.5.127 is sent to 2.2.2.13 and 5.5.5.128 - 5.5.5.255 to 1.1.1.12. Both routes have metric 10 here, but the /25 would be chosen for its range even with a worse metric.
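To make the selection order concrete, here is an added example (not part of the original slides) that parses the router1 listing above and applies the kernel's order of preference: longest matching prefix first, then lowest metric, then listing order. The function and variable names are this example's own.

```python
import ipaddress

# The main-table listing from router1 above, embedded here as the example's input.
IP_ROUTE_OUTPUT = """\
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.1
2.2.2.0/24 dev ens5 proto kernel scope link src 2.2.2.1
5.5.5.0/25 via 2.2.2.13 dev ens5 metric 10
5.5.5.0/24 via 1.1.1.12 dev ens4 metric 10
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.22
"""


def parse_routes(text):
    """Turn `ip route` lines into dicts with prefix, via, dev and metric.
    A missing metric is 0, which is what the kernel uses when none is given."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"prefix": ipaddress.ip_network(prefix, strict=False),
                 "via": None, "dev": None, "metric": 0}
        fields = iter(tokens[1:])
        for key in fields:
            if key == "via":
                route["via"] = next(fields)
            elif key == "dev":
                route["dev"] = next(fields)
            elif key == "metric":
                route["metric"] = int(next(fields))
            elif key in ("proto", "scope", "src"):
                next(fields)          # value not needed for route selection
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Pick the route the kernel would use for dst: the longest matching prefix
    wins; the metric only orders routes to the same prefix (lower is better);
    a full tie keeps listing order (the sort is stable)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["prefix"]]
    if not candidates:
        return None                   # no default route: "Network is unreachable"
    candidates.sort(key=lambda r: (-r["prefix"].prefixlen, r["metric"]))
    return candidates[0]


def next_hop(routes, dst):
    """(gateway or 'direct', interface) for dst, or None if nothing matches."""
    route = lookup(routes, dst)
    if route is None:
        return None
    return (route["via"] or "direct", route["dev"])


ROUTES = parse_routes(IP_ROUTE_OUTPUT)

if __name__ == "__main__":
    for dst in ("5.5.5.100", "5.5.5.127", "5.5.5.128", "5.5.5.200", "1.1.1.5", "8.8.8.8"):
        print(dst, "->", next_hop(ROUTES, dst))
```

On a live system, "ip route get <destination>" prints the kernel's own choice for one address and is the thing to compare the model against; lowering the /24's metric in the listing does not change the answer for 5.5.5.100, only the /25's range does.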
14. root@router1:~# ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@router1:~#
By default there are three rules (local, main, default); more can be added. The rule with the lowest priority number is consulted first, so the local table (the host's own addresses and broadcast entries) is searched before main, and main before default. What is normally looked at is the main table, which is what plain "ip route" prints.
15. root@router1:~# ip route show table main
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.1
2.2.2.0/24 dev ens5 proto kernel scope link src 2.2.2.1
5.5.5.0/25 via 2.2.2.13 dev ens5 metric 10
5.5.5.0/24 via 1.1.1.12 dev ens4 metric 10
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.22
root@server1:~# ip route show table local
broadcast 10.2.1.0 dev ens3 proto kernel scope link src 10.2.1.21
local 10.2.1.21 dev ens3 proto kernel scope host src 10.2.1.21
broadcast 10.2.1.255 dev ens3 proto kernel scope link src 10.2.1.21
broadcast 10.2.2.0 dev ens4 proto kernel scope link src 10.2.2.21
local 10.2.2.21 dev ens4 proto kernel scope host src 10.2.2.21
broadcast 10.2.2.255 dev ens4 proto kernel scope link src 10.2.2.21
broadcast 10.2.3.0 dev ens5 proto kernel scope link src 10.2.3.21
local 10.2.3.21 dev ens5 proto kernel scope host src 10.2.3.21
broadcast 10.2.3.255 dev ens5 proto kernel scope link src 10.2.3.21
broadcast 10.2.4.0 dev ens6 proto kernel scope link src 10.2.4.21
local 10.2.4.21 dev ens6 proto kernel scope host src 10.2.4.21
broadcast 10.2.4.255 dev ens6 proto kernel scope link src 10.2.4.21
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
17. root@router1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.22/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
2: ens3 inet 1.1.1.12/24 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 10.2.2.22/24 brd 10.2.2.255 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 10.2.3.22/24 brd 10.2.3.255 scope global ens5 valid_lft forever preferred_lft forever
5: ens6 inet 10.2.4.22/24 brd 10.2.4.255 scope global ens6 valid_lft forever preferred_lft forever
root@router1:~# tcpdump -n -i ens3 icmp and host 10.2.1.21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:59:39.549512 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 1, length 64
15:59:39.549673 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 1, length 64
15:59:40.563168 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 2, length 64
15:59:40.563222 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 2, length 64
15:59:41.566570 IP 10.2.1.21 > 10.2.1.22: ICMP echo request, id 10793, seq 3, length 64
15:59:41.566631 IP 10.2.1.22 > 10.2.1.21: ICMP echo reply, id 10793, seq 3, length 64
-n (no resolve) prints IP addresses and ports as numbers instead of resolving them. -i selects the interface to capture on; "any" means all interfaces. The expression ("icmp and host 10.2.1.21" here) selects traffic by protocol, host, port and so on, in tcpdump's filter syntax. router1 holds the address 10.2.1.22; tcpdump shows whether the traffic actually reaches the interface.
18. root@server1:~# ss -ntpl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=620,fd=13))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=911,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=911,fd=4))
----------------------------------------------------------------------------------------------------------------------
root@router1:~# nmap -p 22 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:33 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00035s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
ss is the tool that replaces netstat: -n no resolve (numeric output), -t TCP sockets, -p show the owning process, -l listening sockets only.
nmap is a network exploration tool and security/port scanner; -p 22 scans only port 22 of the given address.
19. root@server1:~# ss -ntpl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=620,fd=13))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=911,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=911,fd=4))
LISTEN 0 128 *:80 *:* users:(("apache2",pid=11336,fd=4),("apache2",pid=11335,fd=4),("apache2",pid=11334,fd=4))
----------------------------------------------------------------------------------------------------------------------
root@router1:~# curl 10.2.1.21
curl: (7) Failed to connect to 10.2.1.21 port 80: Connection refused
root@router1:~#
root@router1:~# nmap -p 80 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:42 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00050s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
The web server is running (apache2 listens on *:80 in the ss output), yet it cannot be reached from router1: curl gets "Connection refused" and nmap reports port 80 as filtered, not closed. A listening socket together with a refused or filtered port points at a host firewall rejecting the connection rather than at the service itself. nmap says filtered because it receives an ICMP port-unreachable error instead of a RST; the client kernel turns the same ICMP error into ECONNREFUSED, which curl prints as "Connection refused".
20. root@server1:~# iptables -L INPUT -n --line
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
root@server1:~# iptables -I INPUT -m tcp -p tcp -s 10.2.1.22 --dport 80 -j ACCEPT
root@server1:~# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.2.1.22 0.0.0.0/0 tcp dpt:80
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
Check the INPUT chain of server1's iptables (--line prints rule numbers): rule 1 REJECTs TCP to destination port 80 and answers with an ICMP port-unreachable. Rules are searched from the top down and the first match decides, so while the REJECT is above, it applies first; an ACCEPT appended below it with -A would never be reached. -I (insert) therefore puts the new rule at the top of the chain: in the INPUT chain, with the tcp match module (-m tcp) and TCP protocol, source address 10.2.1.22, destination port 80, -j (jump) to the target ACCEPT, i.e. allow it. A target can be an action or another (user-defined) chain.
21. root@router1:~# nmap -p 80 10.2.1.21
Starting Nmap 7.60 ( https://nmap.org ) at 2021-04-01 16:48 KST
Nmap scan report for server1 (10.2.1.21)
Host is up (0.00040s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 52:54:00:FE:C7:A2 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
Now open!
24. root@router1:~# ip a a 1.1.1.1/24 dev ens4
root@router1:~# ip l s up ens4
root@router1:~# ip a a 2.2.2.1/24 dev ens5
root@router1:~# ip l s up ens5
root@router1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.22/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.1/24 scope global ens4 valid_lft forever preferred_lft forever
4: ens5 inet 2.2.2.1/24 scope global ens5 valid_lft forever preferred_lft forever
root@router1:~# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
root@router1:~# iptables -I FORWARD -j REJECT
root@router1:~# iptables -I FORWARD -p icmp -j ACCEPT
root@router1:~# iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
(ip a a = ip address add, ip l s up = ip link set ... up.) Forwarding is enabled with sysctl -w, which does not survive a reboot unless also written to /etc/sysctl.conf or /etc/sysctl.d. In the FORWARD chain all traffic except ICMP is REJECTed: the icmp ACCEPT was inserted last, so it sits above the REJECT and is matched first.
28. root@server1:~# ip a a 1.1.1.11/24 dev ens4
root@server1:~# ip l s up ens4
root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.11/24 scope global ens4 valid_lft forever preferred_lft forever
root@server1:~#
root@server1:~# ip r a 2.2.2.0/24 via 1.1.1.1
root@server1:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21
root@server2:~# ip a a 2.2.2.12/24 dev ens4
root@server2:~# ip l s up ens4
root@server2:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.23/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 2.2.2.12/24 scope global ens4 valid_lft forever preferred_lft forever
root@server2:~#
root@server2:~# ip r a 1.1.1.0/24 via 2.2.2.1
root@server2:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 via 2.2.2.1 dev ens4
2.2.2.0/24 dev ens4 proto kernel scope link src 2.2.2.12
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.23
On server1: send 2.2.2.0/24 traffic to router1 (1.1.1.1).
On server2: send 1.1.1.0/24 traffic to router1 (2.2.2.1).
Each server only needs a route to the other side's network via router1.
29. root@server1:~# ip -4 -o a
1: lo inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever
2: ens3 inet 10.2.1.21/24 brd 10.2.1.255 scope global ens3 valid_lft forever preferred_lft forever
3: ens4 inet 1.1.1.11/24 scope global ens4 valid_lft forever preferred_lft forever
root@server1:~# ping 2.2.2.12
PING 2.2.2.12 (2.2.2.12) 56(84) bytes of data.
64 bytes from 2.2.2.12: icmp_seq=1 ttl=63 time=1.71 ms
64 bytes from 2.2.2.12: icmp_seq=2 ttl=63 time=0.657 ms
64 bytes from 2.2.2.12: icmp_seq=3 ttl=63 time=0.806 ms
^C
--- 2.2.2.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.657/1.060/1.719/0.470 ms
root@server2:~# tcpdump -i ens4 icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens4, link-type EN10MB (Ethernet), capture size 262144 bytes
19:09:22.942341 IP 1.1.1.11 > 2.2.2.12: ICMP echo request, id 12297, seq 10, length 64
19:09:22.942422 IP 2.2.2.12 > 1.1.1.11: ICMP echo reply, id 12297, seq 10, length 64
19:09:23.946357 IP 1.1.1.11 > 2.2.2.12: ICMP echo request, id 12297, seq 11, length 64
19:09:23.946423 IP 2.2.2.12 > 1.1.1.11: ICMP echo reply, id 12297, seq 11, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Ping from server1 to server2 (ttl=63: the packets took one hop, through router1), and tcpdump on server2's ens4 confirms that the echo requests arrive and the replies leave, i.e. the network path through router1 works.
30. root@server1:~# ssh 2.2.2.12
ssh: connect to host 2.2.2.12 port 22: Connection refused
root@router1:~# iptables -I FORWARD -m conntrack -p tcp --ctstate ESTABLISHED -j ACCEPT
root@router1:~# iptables -I FORWARD -m conntrack -p tcp --dport 22 -s 1.1.1.11/32 -d 2.2.2.12/32 --ctstate NEW -j ACCEPT
root@router1:~# iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 1.1.1.11 2.2.2.12 ctstate NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
root@server1:~# ssh 2.2.2.12
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-136-generic x86_64)
…
Last login: Thu Apr 1 19:20:42 2021 from 1.1.1.11
root@server2:~#
TCP port 22 on 2.2.2.12 is not reachable, even though sshd is listening on server2: the "Connection refused" is produced by router1's REJECT rule in the FORWARD chain, which answers the forwarded SYN with an ICMP port-unreachable, and the client kernel reports that ICMP error as a refused connection. After the two rules are inserted, TCP port 22 on 2.2.2.12 is reachable.
NEW matches the first packet of a connection, the SYN of the TCP 3-way handshake. ESTABLISHED matches packets of a connection that conntrack has already seen in both directions, i.e. the SYN/ACK, the final ACK and every later segment. Without the ESTABLISHED rule, every src/dst pair would have to be opened in both directions by hand.
Detailed usage:
# man iptables-extensions
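The two firewall points above, first-match rule order on slide 20 and the NEW/ESTABLISHED conntrack states on slide 30, can be checked with the following added example (a simulation written for this page, not code from the slides or from iptables itself). It models a chain as an ordered rule list and conntrack as "NEW until a reply-direction packet is seen", then runs a TCP handshake through router1's FORWARD chain in both directions and the port-80 request through server1's INPUT chain with the ACCEPT inserted (-I) versus appended (-A). Rule, packet and function names are the example's own; client port 40000 is an assumed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "icmp"
    src: str
    sport: int      # for icmp: the echo id, so request and reply pair up
    dst: str
    dport: int


@dataclass
class Rule:
    """One iptables rule; None means 'any' for that match, like an omitted option."""
    target: str                       # ACCEPT / REJECT / DROP
    proto: Optional[str] = None       # -p
    src: Optional[str] = None         # -s (address or CIDR)
    dst: Optional[str] = None         # -d (address or CIDR)
    dport: Optional[int] = None       # --dport
    ctstate: Optional[str] = None     # -m conntrack --ctstate NEW / ESTABLISHED


def _in_net(addr, cidr):
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


class Conntrack:
    """Minimal model of nf_conntrack state: a flow is NEW until a packet has been
    seen in the reply direction; from then on both directions are ESTABLISHED.
    Entries are only kept (confirmed) for packets the chain accepts."""

    def __init__(self):
        self.flows = {}   # original-direction 5-tuple -> reply seen?

    @staticmethod
    def _tuples(p):
        orig = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        return orig, reply

    def state(self, p):
        orig, reply = self._tuples(p)
        if orig in self.flows:
            return "ESTABLISHED" if self.flows[orig] else "NEW"
        if reply in self.flows:
            self.flows[reply] = True    # first reply-direction packet, e.g. the SYN/ACK
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, p):
        orig, reply = self._tuples(p)
        if orig not in self.flows and reply not in self.flows:
            self.flows[orig] = False


def evaluate(chain, pkt, ct, policy="ACCEPT"):
    """The first matching rule, top to bottom, decides; otherwise the chain policy."""
    state = ct.state(pkt)
    verdict = policy
    for r in chain:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if not _in_net(pkt.src, r.src) or not _in_net(pkt.dst, r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.ctstate is not None and r.ctstate != state:
            continue
        verdict = r.target
        break
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict


def server1_input_chain(insert_at_top):
    """Slide 20: REJECT tcp dpt:80 is already in INPUT; the ACCEPT for 10.2.1.22
    is added with -I (top of chain) or, for comparison, with -A (appended below)."""
    reject_80 = Rule("REJECT", proto="tcp", dport=80)
    allow_router1 = Rule("ACCEPT", proto="tcp", src="10.2.1.22", dport=80)
    return [allow_router1, reject_80] if insert_at_top else [reject_80, allow_router1]


def router1_forward_chain():
    """Slide 30: the FORWARD chain exactly as `iptables -L FORWARD -n` lists it."""
    return [
        Rule("ACCEPT", proto="tcp", src="1.1.1.11/32", dst="2.2.2.12/32", dport=22, ctstate="NEW"),
        Rule("ACCEPT", proto="tcp", ctstate="ESTABLISHED"),
        Rule("ACCEPT", proto="icmp"),
        Rule("REJECT"),
    ]


def web_request_verdict(insert_at_top):
    pkt = Packet("tcp", "10.2.1.22", 40000, "10.2.1.21", 80)
    return evaluate(server1_input_chain(insert_at_top), pkt, Conntrack())


def tcp_handshake_verdicts(chain, client, server, dport=22, sport=40000):
    """Run SYN, SYN/ACK and ACK through the chain with a fresh conntrack table."""
    ct = Conntrack()
    syn = Packet("tcp", client, sport, server, dport)
    synack = Packet("tcp", server, dport, client, sport)
    return [evaluate(chain, p, ct) for p in (syn, synack, syn)]


if __name__ == "__main__":
    print("curl from router1, ACCEPT added with -I:", web_request_verdict(True))
    print("curl from router1, ACCEPT added with -A:", web_request_verdict(False))
    print("ssh server1 -> server2:", tcp_handshake_verdicts(router1_forward_chain(), "1.1.1.11", "2.2.2.12"))
    print("ssh server2 -> server1:", tcp_handshake_verdicts(router1_forward_chain(), "2.2.2.12", "1.1.1.11"))
```

Dropping the ESTABLISHED rule from the FORWARD chain lets the SYN through but rejects the SYN/ACK and then the client's own ACK as well, since after the reply is seen neither direction is NEW any more; that is the "open both directions by hand" problem the rule avoids.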
32. root@server1:~# ip r
default via 10.2.1.1 dev ens3 proto static
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21
root@server1:~# ip r d default
root@server1:~# ip r a default via 1.1.1.1
root@server1:~# ip r
default via 1.1.1.1 dev ens4
1.1.1.0/24 dev ens4 proto kernel scope link src 1.1.1.11
2.2.2.0/24 via 1.1.1.1 dev ens4
10.2.1.0/24 dev ens3 proto kernel scope link src 10.2.1.21
root@server1:~# ping google.com -c 1 -w 1
PING google.com (172.217.31.174) 56(84) bytes of data.
--- google.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@router1:~/iptables# iptables -t nat -I POSTROUTING -p all -s 1.1.1.11 -j MASQUERADE
root@router1:~/iptables# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 1.1.1.11 0.0.0.0/0
root@router1:~/iptables#
server1's routing table is changed: the default route now goes via router1 (1.1.1.1).
Before the NAT rule, external communication fails: the echo request leaves router1 with source 1.1.1.11, so any reply is routed to wherever the upstream network sends 1.1.1.11, not back through router1.
On router1 a MASQUERADE rule is set in the nat table's POSTROUTING chain for packets from 1.1.1.11 (-I inserts it at the top; -p all matches every protocol).
33. root@router1:~/iptables# tcpdump -i any icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:56:41.868313 IP 1.1.1.11 > 172.217.31.174: ICMP echo request, id 16806, seq 1, length 64
09:56:41.868507 IP 10.2.1.22 > 172.217.31.174: ICMP echo request, id 16806, seq 1, length 64
09:56:41.910354 IP 172.217.31.174 > 10.2.1.22: ICMP echo reply, id 16806, seq 1, length 64
09:56:41.910441 IP 172.217.31.174 > 1.1.1.11: ICMP echo reply, id 16806, seq 1, length 64
root@server1:~# ping google.com -c 1 -w 1
PING google.com (172.217.31.174) 56(84) bytes of data.
64 bytes from nrt12s22-in-f14.1e100.net (172.217.31.174): icmp_seq=1 ttl=112 time=42.4 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 42.426/42.426/42.426/0.000 ms
Packet dump on router1 (-i any shows the packet on both interfaces): the request from 1.1.1.11 to google.com appears first as received on ens4 and then, after POSTROUTING, with source 10.2.1.22, i.e. 1.1.1.11 has been SNATed to the address of router1's externally connected interface (ens3). The reply comes back to 10.2.1.22 and conntrack translates it back to 1.1.1.11. External communication now works.
34. DNAT (diagram reconstructed). Assume server2 (2.2.2.12, the external network) and server1 (1.1.1.11, the internal network) do not know each other's network and cannot communicate directly. When the outside cannot reach the inside in one step, a router in the middle that can do DNAT rewrites the destination address and forwards the packet. Usually MASQUERADE is done as well, rewriting the source address, because the DNAT target (server1) cannot find its way back to the original source (server2) on its own.
Forward direction:
  server2 -> router1:    2.2.2.12 -> 2.2.2.1:2222
  PREROUTING chain DNAT: 2.2.2.1:2222 -> 1.1.1.11:22 (destination rewritten, then the routing table is consulted)
  POSTROUTING chain SNAT: 2.2.2.12 -> 1.1.1.1 (source rewritten)
  router1 -> server1:    1.1.1.1 -> 1.1.1.11:22
Return direction:
  server1 -> router1:    1.1.1.11:22 -> 1.1.1.1
  reverse translation:   1.1.1.11:22 -> 2.2.2.1:2222, 1.1.1.1 -> 2.2.2.12
  router1 -> server2:    2.2.2.1:2222 -> 2.2.2.12
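Slides 33 and 34 show the two translations router1 performs, but not the nat rules behind the second one. The following added example (written for this page, not code from the slides or from netfilter) models PREROUTING DNAT, the routing decision and POSTROUTING MASQUERADE with a conntrack-style binding table, and reproduces both the tcpdump on slide 33 and the address flow on slide 34. The DNAT rule (iptables -t nat -A PREROUTING -d 2.2.2.1 -p tcp --dport 2222 -j DNAT --to-destination 1.1.1.11:22) and the MASQUERADE on ens4 (iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE) are assumed, since the page does not show them; the MASQUERADE for 1.1.1.11 is the rule typed on slide 32. Client port 51000 and the reuse of echo id 16806 are constructed values.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int     # for icmp: the echo id, so request and reply pair up
    dst: str
    dport: int


def _tuple(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _swap(p):
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport)


class NatRouter:
    """Model of router1's nat table: PREROUTING DNAT, then routing, then
    POSTROUTING MASQUERADE. Only the first packet of a flow walks the nat
    chains; the resulting binding is stored conntrack-style and applied to
    later packets in both directions, which is how replies get un-NATed.
    (Real MASQUERADE may also rewrite the source port on collisions; omitted.)"""

    def __init__(self, interfaces, routes, dnat, masquerade):
        self.interfaces = interfaces       # iface -> its address (used by MASQUERADE)
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]   # most specific first
        self.dnat = dnat                   # [((dst, dport), (new_dst, new_dport))]
        self.masquerade = masquerade       # [(src_cidr or None, out_iface or None)]
        self.bindings = {}                 # 5-tuple as received -> packet as sent

    def egress(self, dst):
        ip = ipaddress.ip_address(dst)
        return next(i for n, i in self.routes if ip in n)

    def forward(self, pkt):
        """Return (packet as it leaves router1, egress interface)."""
        key = _tuple(pkt)
        if key not in self.bindings:
            out = pkt
            for (dst, dport), (ndst, ndport) in self.dnat:          # PREROUTING
                if (pkt.dst, pkt.dport) == (dst, dport):
                    out = replace(out, dst=ndst, dport=ndport)
            iface = self.egress(out.dst)                           # routing decision
            for src_cidr, out_iface in self.masquerade:             # POSTROUTING
                src_ok = src_cidr is None or ipaddress.ip_address(out.src) in ipaddress.ip_network(src_cidr)
                if src_ok and out_iface in (None, iface):
                    out = replace(out, src=self.interfaces[iface])
                    break
            self.bindings[key] = out
            self.bindings[_tuple(_swap(out))] = _swap(pkt)          # reverse mapping for replies
        out = self.bindings[key]
        return out, self.egress(out.dst)


def router1(with_masquerade=True):
    """router1 as on slides 32-34 (the DNAT rule and the ens4 MASQUERADE are assumed)."""
    return NatRouter(
        interfaces={"ens3": "10.2.1.22", "ens4": "1.1.1.1", "ens5": "2.2.2.1"},
        routes=[("10.2.1.0/24", "ens3"), ("1.1.1.0/24", "ens4"), ("2.2.2.0/24", "ens5"), ("0.0.0.0/0", "ens3")],
        # assumed: iptables -t nat -A PREROUTING -d 2.2.2.1 -p tcp --dport 2222 -j DNAT --to-destination 1.1.1.11:22
        dnat=[(("2.2.2.1", 2222), ("1.1.1.11", 22))],
        # slide 32: iptables -t nat -I POSTROUTING -p all -s 1.1.1.11 -j MASQUERADE
        # assumed:  iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
        masquerade=[("1.1.1.11/32", None), (None, "ens4")] if with_masquerade else [],
    )


def ping_google(r):
    """Slide 33: server1's echo request and the reply, as seen leaving router1."""
    req = Packet("icmp", "1.1.1.11", 16806, "172.217.31.174", 0)
    out_req, iface = r.forward(req)
    reply = Packet("icmp", "172.217.31.174", 0, out_req.src, 16806)
    out_reply, iface2 = r.forward(reply)
    return (out_req, iface), (out_reply, iface2)


def ssh_via_dnat(r):
    """Slide 34: server2 connects to 2.2.2.1:2222 and is redirected to server1:22."""
    syn = Packet("tcp", "2.2.2.12", 51000, "2.2.2.1", 2222)
    out_syn, iface = r.forward(syn)
    synack = Packet("tcp", out_syn.dst, out_syn.dport, out_syn.src, out_syn.sport)
    out_synack, iface2 = r.forward(synack)
    return (out_syn, iface), (out_synack, iface2)


if __name__ == "__main__":
    for (p, i) in ping_google(router1()):
        print(i, p)
    for (p, i) in ssh_via_dnat(router1()):
        print(i, p)
```

With with_masquerade=False the echo request still leaves ens3 but with source 1.1.1.11, which is the failing case on slide 32: the reply, if any, is addressed to 1.1.1.11 and never comes back through router1. With the DNAT in place, server1 sees the connection coming from 1.1.1.1, so the reverse binding, not a route to 2.2.2.0/24, is what carries the SYN/ACK back to server2.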