fuss:networking [2015/10/06 01:48] – [Block QUIC] office | fuss:networking [2018/08/03 09:11] – [Determining Open Outbound Ports] office
====== Conditionally Routing Packets ======

<code>
+--------+
| Server |
+--------+
if:

|
+------>
+---------+
if:
gw:
port:

</code>

First, add the table to ''/
<code>
501
</code>

Set the default route of the table ''
<code bash>
ip route add default via 29.145.62.1 dev tap0 table output
ip rule add fwmark 501 lookup output
ip route flush cache
</code>

Mark all outgoing packets from port ''
<code bash>
iptables -t mangle -A PREROUTING -s 192.168.0.5 -p tcp --sport 9999 -j MARK --set-mark 501
iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 9999 -j DNAT --to 192.168.0.5
# This is not needed if you masquerade:
iptables -t nat -A POSTROUTING -o tap0 -j SNAT --to 29.145.62.1
</code>

====== Enable TSO ======

TSO is meant for high-bandwidth networks and offloads the CPU workload by queueing up buffers and letting the network card split them into packets.

===== Linux =====
TSO can be enabled for a network card using:
<code bash>
ethtool -K eth0 tso on
</code>

and on Debian it can be enabled by editing ''/
<code>
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
    up sleep 5; ethtool -K eth0 tso on
</code>

===== Windows =====

  * Go to ''
  * Create a ''
  * Set the value to 0.
  * Reboot.

====== Tuning Initial Congestion Window Size ======

In [[http://

<code bash>
#!/bin/sh -e
##########################################################
##  (C) Wizardry and Steamworks 2014, license: GPLv3    ##
##########################################################

# Do not bother to do anything if the interface does not
# correspond to the interface for the default route.
if [ "
    exit 0
fi

ip route change $(ip route show | grep '
</code>

The script assumes that the default interface is ''

====== Set Type of Service for Traffic Shaping ======

Assuming that you have ''

<code bash>
## ToS
for table in OUTPUT PREROUTING; do
    # HTTP / HTTPS
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    # DNS
    iptables -t mangle -A $table -p udp -m state --state NEW,
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    # SSH
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    # Samba
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    iptables -t mangle -A $table -p tcp -m state --state NEW,
    iptables -t mangle -A $table -p tcp -m state --state NEW,
done
</code>

====== Get Available Congestion Control Algorithms ======

<code bash>
sysctl net.ipv4.tcp_available_congestion_control
</code>

====== Calculate Transmit Queue Length ======

The following formula can be used to calculate the ''

\begin{eqnarray*}
TXQ = \frac{v_{d} \cdot t \cdot 0.125}{MTU}
\end{eqnarray*}

where:

  * $v_{d}$ is the downlink speed in bits (from the gateway).
  * $t$ is the delay in seconds (measured to the gateway using ''
  * $MTU$ is the packet size in bytes (usually ''

The result can then be set under Linux with:

<code bash>
ifconfig <
</code>

====== Calculate Address Range from IP and Netmask ======

Convert the ''

In order to obtain the first address, take the binary representation of the ''

<code>
11000000 10101000 00000001 01100101 (IP)
11111111 11111111 11111111 11100000 (Netmask)
----------------------------------- AND
11000000 10101000 00000001 01100000 = 192.168.1.96 (first network address)
</code>

Then take the ''

<code>
11111111 11111111 11111111 11100000 (Netmask)
----------------------------------- NOT
00000000 00000000 00000000 00011111 = 31 addresses
</code>

Finally, the range for the ''

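The AND / NOT steps above, carried out in Python as an added example (this is not code from the wiki): the network address is the IP ANDed with the netmask, the host bits are the NOT of the netmask, and the last address of the range is the network address with all host bits set. The inputs ''192.168.1.101'' and ''255.255.255.224'' are the ones from the worked example; the function names are my own, and the standard-library ''ipaddress'' module is used only to cross-check the hand computation. The validity check rejects a netmask whose ones are not contiguous, which the bitwise method would otherwise silently accept.

```python
import ipaddress

# Constructed inputs: the address and netmask worked through in the text above.
IP = "192.168.1.101"
NETMASK = "255.255.255.224"


def to_int(dotted):
    """Convert a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """Inverse of to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """Render a 32-bit value as four binary octets, the layout used in the text."""
    return " ".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def is_valid_netmask(netmask):
    """A netmask must be a run of ones followed by a run of zeros (255.0.255.0 is not one)."""
    inverted = ~to_int(netmask) & 0xFFFFFFFF
    # inverted is 0...01...1 exactly when inverted + 1 is a power of two
    return inverted & (inverted + 1) == 0


def address_range(ip, netmask):
    """Return (first address, last address, host-bit value) using the AND / NOT steps."""
    if not is_valid_netmask(netmask):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    ip_int = to_int(ip)
    mask_int = to_int(netmask)
    first = ip_int & mask_int                 # step 1: IP AND netmask -> network address
    host_bits = ~mask_int & 0xFFFFFFFF        # step 2: NOT netmask -> host bits
    last = first | host_bits                  # network address with every host bit set
    return to_dotted(first), to_dotted(last), host_bits


def cross_check(ip, netmask):
    """Confirm the hand computation against the standard library."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    first, last, _ = address_range(ip, netmask)
    return (str(net.network_address), str(net.broadcast_address)) == (first, last)


if __name__ == "__main__":
    print(to_binary(to_int(IP)), "(IP)")
    print(to_binary(to_int(NETMASK)), "(Netmask)")
    first, last, host_bits = address_range(IP, NETMASK)
    print(f"{first} - {last} ({host_bits} addresses after the first)")
```

The ''host_bits'' value returned for the /27 mask is 31, matching the NOT step in the text; the last usable host is one below ''last'', since that address is the broadcast address.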
====== Private Networks ======

^ CIDR ^ Range ^ Addresses ^
| ''
| ''
| ''
| ''
| ''
| ''
| ''

====== Adjusting Ring Parameters ======

On Linux you can get the ring parameters with ''
<code bash>
ethtool -g eth0
</code>

which lists the pre-set maximums and the current settings:
<code>
Ring parameters for eth0:
Pre-set maximums:
RX:             1024
RX Mini:        255
RX Jumbo:       255
TX:             1024
Current hardware settings:
RX:             512
RX Mini:        0
RX Jumbo:       128
TX:             512
</code>

You might observe that the pre-set maximums may not match the current settings, so they can be set using ''
<code bash>
ethtool -G eth0 rx 1024 rx-mini 255 rx-jumbo 255 tx 1024
</code>

This can be made permanent on distributions such as Debian by editing ''/
<code>
allow-hotplug eth0
iface eth0 inet static
    up sleep 5; /
</code>

and adding the ''

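Comparing the two halves of the ''ethtool -g'' output by eye is error-prone on hosts with many interfaces, so here is an added Python example (not from the wiki) that parses the output quoted above and derives the ''ethtool -G'' command that raises every ring to its pre-set maximum. The sample text is the page's own output for ''eth0''; the function names are mine. Newer ''ethtool'' versions print ''n/a'' for rings the driver does not support, which the parser skips rather than turning into a bogus argument.

```python
import re

# Constructed sample: the `ethtool -g eth0` output quoted in the text above.
SAMPLE = """\
Ring parameters for eth0:
Pre-set maximums:
RX:             1024
RX Mini:        255
RX Jumbo:       255
TX:             1024
Current hardware settings:
RX:             512
RX Mini:        0
RX Jumbo:       128
TX:             512
"""

# Section headers as printed by ethtool, mapped to the keys used below.
SECTIONS = {"Pre-set maximums:": "max", "Current hardware settings:": "current"}


def parse_ring_parameters(text):
    """Parse `ethtool -g` output into {"max": {name: int}, "current": {name: int}}."""
    result = {"max": {}, "current": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        # "RX Mini:   255" -> name "RX Mini", value "255"; the interface header
        # line ("Ring parameters for eth0:") does not match because of the digit.
        m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s*(\S+)$", line)
        if section is None or not m:
            continue
        name, value = m.group(1), m.group(2)
        if value.isdigit():  # skip "n/a" and similar markers
            result[section][name] = int(value)
    return result


def ring_resize_command(iface, params):
    """Build the `ethtool -G` command that raises each ring to its pre-set maximum.

    Only rings whose current value is below the maximum are included; returns
    None when nothing needs changing. Ring names map to ethtool's argument
    names by lower-casing and replacing spaces with hyphens (RX Mini -> rx-mini).
    """
    args = []
    for name, maximum in params["max"].items():
        current = params["current"].get(name)
        if current is not None and current < maximum:
            args.append(f"{name.lower().replace(' ', '-')} {maximum}")
    if not args:
        return None
    return f"ethtool -G {iface} " + " ".join(args)


if __name__ == "__main__":
    parsed = parse_ring_parameters(SAMPLE)
    print(parsed)
    print(ring_resize_command("eth0", parsed))
```

For the sample output the generated command is exactly the one given in the text. On interfaces where the driver reports a ring but does not accept changes to it, ''ethtool -G'' fails for that argument, so check its exit status before relying on the new sizes in an ''up'' hook.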
====== Port-Test without Tools ======

The following command can be used to connect to any host and port by using ''/
<code bash>
exec 7<>/
</code>
where:
  * ''
  * ''

The command uses ''

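The same check done from Python, as an added example (not the wiki's command): a plain connect either completes the handshake (open), is answered with a reset (closed), or gets no answer at all (filtered by a firewall), and the third case is the one worth handling, since without a timeout a connect to a filtered port hangs until the kernel gives up its SYN retries, which takes over a minute on Linux. The ''demo_local_listener'' helper is my own construction: it binds a throw-away listener on loopback to show both the open and the closed result without touching any remote host.

```python
import socket
import threading


def tcp_port_state(host, port, timeout=3.0):
    """Classify a TCP port as 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"          # the host answered with a RST
    except socket.timeout:
        return "filtered"        # nothing came back within the timeout
    except OSError as exc:       # no route, DNS failure, ...
        return f"error: {exc}"


def _accept_one(server):
    """Accept a single connection and drop it; ignore the listener being closed under us."""
    try:
        conn, _ = server.accept()
        conn.close()
    except OSError:
        pass


def demo_local_listener():
    """Probe a loopback port while a listener is bound, then again after it is closed."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))        # port 0: let the kernel pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    worker = threading.Thread(target=_accept_one, args=(server,), daemon=True)
    worker.start()
    while_open = tcp_port_state("127.0.0.1", port)
    worker.join(timeout=3)
    server.close()
    after_close = tcp_port_state("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_local_listener())     # ('open', 'closed') on a normal host
```

For a host you administer, ''tcp_port_state(host, port)'' with a short timeout is the equivalent of the bash redirection above, with the refused and filtered outcomes told apart instead of both reading as "could not connect".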
====== Block QUIC ======

QUIC is a protocol that uses UDP instead of TCP to serve content, working on ports 80 and 443 and used widely by Google, YouTube, etc. Unfortunately,
<code bash>
iptables -A FORWARD -i br0 -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -i br0 -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -s 192.168.1.0/
iptables -A FORWARD -s 192.168.1.0/
</code>

where:

  * ''
  * ''

Additionally,
<code>
# Disable alternate protocols
request_header_access Alternate-Protocol deny all
reply_header_access Alternate-Protocol deny all
</code>
to the squid configuration file.

====== Disable ICP ======

squid will broadcast ICP requests and in order to disable them, edit the squid configuration file and add:
<code>
# disable ICP
icp_port 0
icp_access deny all
# plug ICP leaks
reply_header_access X-Cache-Lookup deny !localnets
reply_header_access X-Squid-Error deny !localnets
reply_header_access X-Cache deny !localnets
</code>

where ''

====== Determining Open Outbound Ports ======

Using [[http://
<code bash>
nmap portquiz.net -p 1024-65535 -Pn --reason
</code>

where:
  * ''
  * ''
  * ''

====== Determine ISP Address Blocks ======

Either starting from a hostname, for instance ''
<code bash>
nslookup tb1060.lon.100tb.com
</code>

to determine the IP address, or from the IP address itself (in this case, ''

First, look up the IP itself to determine which ISP it belongs to:
<code bash>
whois 146.185.28.59
</code>

Then, look up the Autonomous System (AS) number (an ISP identifier code, if you will) of that ISP:
<code bash>
whois -h whois.radb.net 146.185.28.59 | grep ^origin
</code>

which should output:
<code>
origin:
</code>

There may be more AS numbers for small internet providers that are, in turn, customers of a larger network.

To make sure that the IP you are after is part of the AS, look up the AS itself:
<code bash>
whois AS29302
</code>

and make sure that the ISP is listed.

The final step is to get all known routes for the AS:
<code bash>
whois -h whois.radb.net -- -i origin -T route AS29302 | grep ^route | awk '{ print $2 }'
</code>

which should output all IPv4 address blocks allocated to that ISP line-by-line (easy to automate):
<code bash>
146.185.16.0/
</code>

IPv6 can also be queried in the same way:
<code bash>
whois -h whois.radb.net -- -i origin -T route6 AS29302 | grep ^route | awk '{ print $2 }'
</code>

and will yield similar results:
<code bash>
2a01:
</code>
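The ''grep ^route | awk'' pipeline above takes every ''route:'' line it sees, so when automating the lookup it is worth parsing the RADB answer as the RPSL objects it actually is and keeping only objects whose ''origin:'' is the AS you asked for, which also covers the "more AS numbers" caveat (the ''origin:'' lines are collected too). The following is an added Python example, not the wiki's pipeline: the sample text is a constructed ''whois.radb.net'' answer using documentation prefixes (''198.51.100.0/24'', ''203.0.113.0/25'', ''192.0.2.0/24'', ''2001:db8:100::/48''), the page's ''AS29302'', and a constructed unrelated origin ''AS64496'' to exercise the filter; the function names are mine.

```python
import ipaddress
import re

# Constructed sample of a `whois -h whois.radb.net -- -i origin -T route AS29302`
# answer. Prefixes are documentation ranges, not the provider's real allocations;
# the AS64496 object is included only to show the origin filter at work.
SAMPLE_ROUTE = """\
route:          198.51.100.0/24
descr:          EXAMPLE-NET
origin:         AS29302
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          203.0.113.0/25
descr:          EXAMPLE-NET-2
origin:         AS29302
source:         RADB

route:          192.0.2.0/24
descr:          OTHER-CUSTOMER
origin:         AS64496
source:         RADB
"""

# Constructed sample of the matching route6 query.
SAMPLE_ROUTE6 = """\
route6:         2001:db8:100::/48
descr:          EXAMPLE-NET-V6
origin:         AS29302
source:         RADB
"""

ATTR_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")


def rpsl_objects(text):
    """Split an RPSL answer into objects (blank-line separated) as attribute dicts."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if m:
                fields.setdefault(m.group(1), m.group(2).strip())  # keep first occurrence
        if fields:
            objects.append(fields)
    return objects


def origins_in(text):
    """All origin AS numbers mentioned in the answer (the `grep ^origin` step)."""
    return sorted({obj["origin"].upper() for obj in rpsl_objects(text) if "origin" in obj})


def prefixes_for_origin(text, expected_origin, attr="route"):
    """Prefixes from route/route6 objects whose origin matches, as ip_network objects."""
    found = set()
    for obj in rpsl_objects(text):
        if attr not in obj or obj.get("origin", "").upper() != expected_origin.upper():
            continue
        try:
            found.add(ipaddress.ip_network(obj[attr], strict=True))
        except ValueError:
            continue  # malformed prefix in the registry: skip it rather than crash
    return sorted(found, key=lambda n: (n.version, n))


def total_addresses(networks):
    """Size of the address space covered by the returned prefixes."""
    return sum(n.num_addresses for n in networks)


if __name__ == "__main__":
    v4 = prefixes_for_origin(SAMPLE_ROUTE, "AS29302")
    v6 = prefixes_for_origin(SAMPLE_ROUTE6, "AS29302", attr="route6")
    print(origins_in(SAMPLE_ROUTE))
    for net in v4 + v6:
        print(net)
    print(total_addresses(v4), "IPv4 addresses")
```

Feeding the real ''whois'' output into ''prefixes_for_origin'' yields the same list as the ''awk'' pipeline when every object carries the expected origin, and a shorter one when the registry returns objects for other ASes; the returned ''ip_network'' objects can be written straight into an allow-list or firewall rule set.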