Router Miscellaneous
Monitoring
There are a number of Linux monitoring packages available. For more examples see 13 Linux Performance Monitoring Tools – Part 2 and 30 Linux System Monitoring Tools Every SysAdmin Should Know. Below are a few that I have tried and use.
iftop
iftop - display bandwidth usage on an interface by host
Use man iftop to see options.
Typical usage: sudo iftop -i br0
nethogs
nethogs - Net top tool grouping bandwidth per process
Use man nethogs to see options.
Typical usage: sudo nethogs br0
darkstat
Darkstat – A Web Based Linux Network Traffic Analyser is a relatively low resource network analyser. It has a web browser interface and provides traffic statistics for the main uplink at least as good as those of a packaged consumer router. Another reference: How-to monitor system bandwidth usage statistics with Darkstat on Fedora.
The darkstat output can then be seen in a web browser at 192.168.1.1:667. The interface has no authentication, and darkstat listens on every address unless started with -b <address>, so on a router bind it to the LAN address (or loopback) and do not let port 667 through from the WAN.
glances
Glances Options
The most useful hot key is 'h', which shows/hides the help screen.
Below is a list of several hot keys.
- a – Sort processes automatically
- c – Sort processes by CPU%
- m – Sort processes by MEM%
- p – Sort processes by name
- i – Sort processes by I/O rate
- d – Show/hide disk I/O stats
- f – Show/hide file system stats
- n – Show/hide network stats
- s – Show/hide sensors stats
- y – Show/hide hddtemp stats
- l – Show/hide logs
- b – Bytes or bits for network I/O
- w – Delete warning logs
- x – Delete warning and critical logs
- 1 – Global CPU or per-CPU stats
- h – Show/hide this help screen
- t – View network I/O as combination
- u – View cumulative network I/O
- q – Quit (Esc and Ctrl-C also work)
glances as a service
Set up a systemd unit for glances as a local web service: sudo vim /lib/systemd/system/glances.service. (Locally written units are better placed in /etc/systemd/system, which is reserved for the administrator; /lib/systemd/system belongs to packages and its files can be overwritten on upgrade.)
[Unit]
Description=Glances
Documentation=man:glances(1)
Documentation=https://github.com/nicolargo/glances
After=network.target

[Service]
ExecStart=/usr/bin/glances -w -t 2
Restart=on-abort

[Install]
WantedBy=multi-user.target
After creating or modifying a unit file, reload systemd with sudo systemctl daemon-reload, then enable and start the unit with systemctl as for any other service.
The glances web interface can then be seen in a web browser at 192.168.1.1:61208. Note that as started above it listens on every interface, including the WAN side, and asks for no password; glances -B 192.168.1.1 binds it to the LAN address only, and port 61208 should additionally be blocked from the WAN.
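Both the darkstat and the glances web interfaces above are unauthenticated and, as started, answer on every address, so on a router the WAN side can reach them. The script below is an added example, not from the original page or from either project: it parses ss -Hltn output to flag any listener on ports 667 and 61208 bound to a wildcard address, and prints nftables statements that admit those ports from the LAN bridge br0 only. The bridge name and the two ports come from this page; the nft table and chain names (inet filter, input), the LAN_IF variable and the sample ss lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: audit which monitoring web UIs
# (darkstat on 667, glances on 61208) listen on every address, and print the
# nftables rules that keep them reachable from the LAN bridge only.
# Assumptions: the router's ruleset has a table "inet filter" with a chain
# "input", and the LAN bridge is br0 as elsewhere on this page.
MON_PORTS="667 61208"
LAN_IF=${LAN_IF:-br0}

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port):
# darkstat bound to every IPv4 address, one glances instance bound to loopback
# only, another to every IPv6 address, and named bound to the LAN address only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:667 0.0.0.0:*
LISTEN 0 128 127.0.0.1:61208 0.0.0.0:*
LISTEN 0 128 *:61208 *:*
LISTEN 0 10 192.168.1.1:53 0.0.0.0:*'

# Read ss -Hltn lines on stdin and print "port address" for each monitoring
# port bound to a wildcard address (0.0.0.0, * or [::]), i.e. one that the
# WAN interface answers on as well as the LAN.
wildcard_listeners() {
  awk -v ports="$MON_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      la = $4                          # Local Address:Port column
      port = la; sub(/.*:/, "", port)  # text after the last colon
      addr = la; sub(/:[^:]*$/, "", addr)
      if ((port in want) && (addr == "0.0.0.0" || addr == "*" || addr == "[::]"))
        print port, addr
    }'
}

audit_sample() { printf '%s\n' "$SAMPLE_SS" | wildcard_listeners; }
audit_live()   { ss -Hltn | wildcard_listeners; }

# nft -f statements: accept the monitoring ports from the LAN bridge and drop
# them from anywhere else, whatever address the daemons happen to bind.
monitor_rules() {
  for port in $MON_PORTS; do
    printf 'add rule inet filter input iifname "%s" tcp dport %s accept\n' "$LAN_IF" "$port"
  done
  printf 'add rule inet filter input tcp dport { %s } drop\n' "$(echo $MON_PORTS | tr ' ' ',')"
}

echo "# monitoring ports bound to a wildcard address (sample data):"
audit_sample
echo "# nftables rules restricting them to $LAN_IF:"
monitor_rules
```

On the router call audit_live instead of audit_sample (it needs iproute2's ss; no root required) and feed the output of monitor_rules to nft -f. Better still, start the daemons bound to the LAN address (darkstat -b 192.168.1.1, glances -B 192.168.1.1) and keep the rules as a second line of defence.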
ntopng
I tried ntopng. Unfortunately this program suite simply uses too many resources on my router, which loads it up close to 100%. There are often reports of dropped packets and such, further indicating overload.
I have decided to disable it. Worse than this, this package suite caused difficulties with my system updates, so I removed it entirely. Note that this may be because it was previously disabled.
Another thing I do not like about this package is that the free version is a cut-down version of the full paid version. There is no general free full-use version available for personal use.
There seem to be 2 main services to enable/disable/start/stop, nprobe and ntopng:
- To stop (or start): sudo systemctl stop ntopng
- To disable (or enable) starting at boot: sudo systemctl disable ntopng
- To stop (or start): sudo systemctl stop nprobe
- To disable (or enable) starting at boot: sudo systemctl disable nprobe
We can also turn off the redis service, unless something else wants to use it.
- To stop (or start): sudo systemctl stop redis
- To disable (or enable) starting at boot: sudo systemctl disable redis
Docker Setup & Basic Commands
The Docker installation instructions for Ubuntu are in Docker's Get Docker CE for Ubuntu.
This is pretty old; I played with it circa 2017 and have not used Docker since. I have successfully been using full KVM based VMs for my main machines and so have not had much need for Docker.
That being said, I can see the benefits of containerisation, such as Docker, versus full virtual machines, such as KVM. Of course there are also benefits with full VMs!
Docker Host Security
Docker by default manages iptables on the host to give containers network access. Unfortunately the default rules effectively open the host up: Docker adds its own chains to the filter and nat tables, and a port published with -p is DNAT'd straight to the container on every host interface, so it never passes the host's INPUT rules. This is a significant concern when the host is also the router, because a published port becomes reachable from the WAN as well as the LAN, and on an nftables-based router the rules arrive through iptables-nft in tables that the router's own ruleset knows nothing about. Docker can be configured not to touch iptables on the host ("iptables": false in /etc/docker/daemon.json); in that case all forwarding and NAT between the host, the containers and the outside must be set up manually.
Stephank.nl considers IPv6 with Docker and using nftables IPv6 on production Docker
Docker and iptables configuration @startup
Configure iptables for Docker manually and allow Internet access for containers
Debian Firewall when using Docker
Setting up docker containers with nat
Iptables rule-set so that a docker container can access a service on a host IP
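The two settings described above, as an added example that is not part of the original page or of Docker's own documentation: a daemon.json that stops Docker touching the packet filter, and the nftables rules that replace what it would have added, restricted to what a router needs. Assumed names: existing nft tables inet filter (chains input and forward) and ip nat (chain postrouting), WAN interface enp1s0, LAN bridge br0, Docker's default bridge docker0 on 172.17.0.0/16, one container publishing host port 8080 for LAN clients, and the file path /etc/nftables.d/docker.nft.

```shell
#!/bin/sh
# Added example, not from the original page or from Docker's documentation:
# stop Docker from rewriting the router's packet filter and supply by hand
# the few nftables rules the containers actually need. Assumptions: the
# router already has nftables tables "inet filter" (chains input, forward)
# and "ip nat" (chain postrouting); the WAN interface is enp1s0, the LAN
# bridge br0, Docker's default bridge docker0 on 172.17.0.0/16, and one
# container publishes a service on host port 8080 for LAN use only.
WAN_IF=${WAN_IF:-enp1s0}
LAN_IF=${LAN_IF:-br0}
DOCKER_IF=${DOCKER_IF:-docker0}
DOCKER_NET=${DOCKER_NET:-172.17.0.0/16}
PUBLISHED=${PUBLISHED:-8080}

# /etc/docker/daemon.json: Docker no longer adds any iptables rules
# (neither its FORWARD/DOCKER chains nor the DNAT for -p published ports).
docker_daemon_json() {
  cat <<'EOF'
{
  "iptables": false,
  "ip6tables": false
}
EOF
}

# nft -f script with the replacement rules, appended to the existing chains.
docker_nft_rules() {
  cat <<EOF
# replies to connections the containers (or the LAN) opened
add rule inet filter forward ct state established,related accept
# containers may reach the Internet, and the LAN may reach the containers,
# but nothing arriving on the WAN side may be forwarded to them
add rule inet filter forward iifname "$DOCKER_IF" oifname "$WAN_IF" ip saddr $DOCKER_NET accept
add rule inet filter forward iifname "$LAN_IF" oifname "$DOCKER_IF" accept
add rule inet filter forward iifname "$WAN_IF" oifname "$DOCKER_IF" drop
# source NAT for container traffic leaving towards the WAN
add rule ip nat postrouting ip saddr $DOCKER_NET oifname "$WAN_IF" masquerade
# with iptables disabled a -p published port is served by docker-proxy on the
# host itself, so it is an ordinary local service: admit it from the LAN only
add rule inet filter input iifname "$LAN_IF" tcp dport $PUBLISHED accept
add rule inet filter input tcp dport $PUBLISHED drop
EOF
}

# --apply installs both files and loads the rules; otherwise just print them.
main() {
  if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    mkdir -p /etc/docker /etc/nftables.d
    docker_daemon_json > /etc/docker/daemon.json
    docker_nft_rules > /etc/nftables.d/docker.nft
    nft -f /etc/nftables.d/docker.nft
    systemctl restart docker
  else
    echo "# /etc/docker/daemon.json"; docker_daemon_json
    echo "# /etc/nftables.d/docker.nft"; docker_nft_rules
  fi
}
main "$@"
```

Run the script to review its output, or with --apply as root to install it. The rules are appended with add rule, so they sit after whatever the chains already contain; if a chain ends in an explicit catch-all drop rather than a policy, use insert rule instead, and if the forward chain already accepts established,related traffic the first line is redundant. To keep the rules across a reboot, include the file from /etc/nftables.conf, since that file's flush ruleset would otherwise discard them.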
Docker Algo Setup & Basic Commands
This is old; I played with this circa 2017 and have not used it since. I certainly have no interest in Algo IPSEC VPN any more and have been trying to get WireGuard working recently.
Comparison of VPN protocols
Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices.
docker pull mutemule/algo downloads the image; docker run --cap-drop ALL -it -v /home/baumkp/algo:/data --name=algo mutemule/algo creates and runs the container, where:
- --cap-drop ALL [drop all Linux capabilities]
- -it [keep STDIN open even if not attached, and allocate a pseudo-TTY]
- -v /home/baumkp/algo:/data [bind mount a host directory as a volume]
- --name=algo [give the container a name; this also helps prevent creating several containers by accident]
- mutemule/algo [name of the docker image to run]
Other useful commands:
- docker exec -it algo bash [open a shell in the running container]
- docker start algo and docker stop algo
- docker ps -a [list all containers, running and stopped]
- docker logs algo [view the container log]
- docker port algo [list the container's port mappings]
After running docker exec -it algo bash, in the Docker Algo shell run ./algo-docker.sh to set up Algo.
Start container at boot:
It is assumed that the container has been previously created/run and is available to be started at boot.
sudo vim /etc/systemd/system/algo.service
[Unit]
Description=Algo container
Requires=docker.service
After=docker.service

[Service]
Restart=always
ExecStart=/usr/bin/docker start -a algo
ExecStop=/usr/bin/docker stop -t 2 algo

[Install]
WantedBy=default.target
Techcrunch.com How I made my own VPN server in 15 minutes
Algo Git main page Set up a personal IPSEC VPN in the cloud and algo/config.cfg that can copied, if necessary.
The Mutemule Algo Docker page mutemule/algo unfortunately has no instructions on how to set up the Docker installation!
Docker Docs Use the Docker command line
OpenVPN for Docker
OpenVPN server in a Docker container complete with an EasyRSA PKI CA kylemanna/docker-openvpn
How to Geek - How to connect to a VPN from your iPhone
Reserved Ports and IPv4 Reserved Addresses
It took me some time to track down this authoritative information, but it is relatively simple: it is authoritatively defined in RFCs (Requests for Comments), the de facto standards, as noted below.
IANA Service Name and Transport Protocol Port Number Registry (online)
RFC 3232 replaced RFC 1700; it states that RFC 1700 has been replaced by an online database, see the link given above. RFC 6335 also describes the port number registry and the associated database.
Most Unix-like operating systems have a service name database file, /etc/services. nft resolves service names (for example tcp dport ssh) through this file, so a name and its port number are interchangeable in rules; use the number if a rule must not depend on the contents of /etc/services.
Some ports of interest:
| Name | Port | Protocols | Description |
|---|---|---|---|
| ftp-data | 20 | tcp, udp, sctp | File Transfer [Default Data] |
| ftp | 21 | tcp, udp, sctp | File Transfer Protocol [Control] |
| ssh | 22 | tcp, udp, sctp | The Secure Shell (SSH) Protocol |
| smtp | 25 | tcp, udp | Simple Mail Transfer |
| domain | 53 | tcp, udp | Domain Name Server (DNS) |
| bootps | 67 | tcp, udp | Bootstrap Protocol Server (DHCP) |
| bootpc | 68 | tcp, udp | Bootstrap Protocol Client (DHCP) |
| http | 80 | tcp, udp, sctp | World Wide Web HTTP |
| pop3 | 110 | tcp, udp | Post Office Protocol Version 3 |
| ntp | 123 | tcp, udp | Network Time Protocol |
| imap2 | 143 | tcp, udp | Internet Message Access Protocol |
| ldap | 389 | tcp, udp | Lightweight Directory Access Protocol |
| https | 443 | tcp, udp, sctp | HTTP over TLS/SSL |
| submissions (urd) | 465 | tcp | Message submission over TLS (aliases ssmtp, smtps); originally registered as URL Rendezvous Directory for SSM |
| ldaps | 636 | tcp, udp | LDAP over TLS/SSL (was sldap) |
| rsync | 873 | tcp, udp | rsync |
| ftps-data | 989 | tcp, udp | File Transfer [Default Data] over TLS/SSL |
| ftps | 990 | tcp, udp | File Transfer Protocol [Control] over TLS/SSL |
| imaps | 993 | tcp, udp | IMAP4 over TLS/SSL |
| pop3s | 995 | tcp, udp | POP3 over TLS/SSL (was spop3) |
| openvpn | 1194 | tcp, udp | OpenVPN |
Notes:
- TCP = Transmission Control Protocol
- UDP = User Datagram Protocol
- SCTP = Stream Control Transmission Protocol
- The Bootstrap Protocol was a precursor to DHCP (Dynamic Host Configuration Protocol)
RFC 3330 Special-Use IPv4 Addresses, September 2002 (since obsoleted by RFC 5735 and then by RFC 6890, which carries the current list)
IPv4 uses some of these special addresses for private LANs (Local Area Networks), with NAT (Network Address Translation) used to connect the LANs to the WAN (Wide Area Network) via a router. This was required to compensate for the limited address space of IPv4; the private ranges are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (RFC 1918). IPv4 NAT also provides an incidental security benefit: the private LAN addresses are not visible from the public WAN, and an unsolicited inbound packet has no translation entry to match. It is not a substitute for the filter rules, however; the forward chain still decides what is allowed through.
IPv6 normally does not use NAT, as its native address space is large enough never to require it in the foreseeable future. That also means every IPv6 host on the LAN is globally addressable, so the protection that NAT gave by accident has to be provided deliberately with stateful firewall rules on the router (accept established/related, drop other inbound).
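The special-use ranges referred to above, as an added example that is not from the original page: the current list from RFC 6890 in a shell snippet that classifies a source address against it (handy when reading firewall log lines) and emits the nftables statements that drop such sources arriving on the WAN side, which no NAT mapping should ever let through. The WAN interface name enp1s0, the nft table inet filter with its input and forward chains, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the IPv4 special-use prefixes
# that a public WAN interface should never see as a source address, a small
# classifier for checking addresses (e.g. from firewall logs) against them, and
# the nftables rules that drop such packets on the WAN side. The prefix list
# is taken from RFC 6890 (successor of RFC 3330/5735); the WAN interface
# name enp1s0 and the nft table/chain names are assumptions.
WAN_IF=${WAN_IF:-enp1s0}

SPECIAL_USE='0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4'

# dotted quad -> unsigned 32-bit integer, using only shell arithmetic
# (subshell body so the IFS change stays local)
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Print the special-use prefix containing the address, or "public" if none.
# The list above has no overlapping blocks, so the first match is the only one.
classify_ipv4() {
  a=$(ip2int "$1")
  for cidr in $SPECIAL_USE; do
    net=$(ip2int "${cidr%/*}")
    size=$(( 1 << (32 - ${cidr#*/}) ))
    if [ "$a" -ge "$net" ] && [ "$a" -lt $(( net + size )) ]; then
      echo "$cidr"
      return 0
    fi
  done
  echo public
  return 1
}

# nft -f statements: drop WAN ingress with a special-use source, both for the
# router itself (input) and for anything it would forward to the LAN (forward).
wan_ingress_rules() {
  set=$(echo $SPECIAL_USE | tr ' ' ',')
  for chain in input forward; do
    printf 'add rule inet filter %s iifname "%s" ip saddr { %s } drop\n' "$chain" "$WAN_IF" "$set"
  done
}

# Constructed sample: source addresses as they might appear in a firewall log.
for src in 10.1.2.3 100.127.255.255 172.32.0.1 203.0.113.9 8.8.8.8; do
  echo "$src -> $(classify_ipv4 "$src")"
done
wan_ingress_rules
```

Before loading the rules, check how the WAN side itself is addressed: an ISP using carrier-grade NAT hands out 100.64.0.0/10 addresses, and some run their DHCP or PPPoE servers from RFC 1918 space. Remove the matching prefix in that case, or the gateway's own traffic is dropped.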
Another interesting link: the IANA protocol registries, https://www.iana.org/protocols
The following is a list of related commonly used commands and scripts:
- Get the external IP address: wget https://ipinfo.io/ip -qO -
- To check the current network hardware configuration: ip a
- Systemd common commands: start / stop / restart / status, and enable / disable for boot control. For example, to start (or stop, or enable) the bind9 daemon: sudo systemctl start bind9
- To check networking status: sudo systemctl status networking
- List the current systemd units: sudo systemctl list-units | grep '<pattern>'. Change or remove the grep as required.
- To find where a unit file is located, for example for nftables: systemctl show -p FragmentPath nftables
- To list all systemd unit files: systemctl list-unit-files; use systemctl list-unit-files --state=enabled to list only the enabled ones. A good reference from DigitalOcean: Systemctl to manage systemd services and units, and likewise for journalctl.
- Some commonly used system services for router setup:
  - bind9.service
  - networking.service
  - isc-dhcp-server.service
  - isc-dhcp-server6.service
- The journalctl command shows the information stored in the system journal:
  - sudo journalctl -b shows all journal entries collected since the current boot; journalctl --list-boots lists the recorded boots.
  - The default is Storage=auto in /etc/systemd/journald.conf. With this setting, if the directory /var/log/journal is present, logs from previous boots are kept on disk; if it is not present, only the current boot is kept, in the volatile /run/log/journal. Check man journald.conf for details. Use sudo ls -la /var/log/journal to see whether the directory already exists, sudo mkdir -p /var/log/journal to create it (then run sudo systemd-tmpfiles --create --prefix /var/log/journal and restart systemd-journald, or reboot, so the directory gets the expected ownership and journald switches to it), and sudo rm -R /var/log/journal to remove the directory and its contents.
  - sudo journalctl -b -1 shows all journal entries from the previous boot, -2 from the boot before that, and so on; sudo journalctl -b 0 is the same as sudo journalctl -b.
  - sudo journalctl -u networking tends to give more, and differently formatted, information than sudo systemctl status networking.
- Links to info on the ip and ifconfig commands:
  - ifconfig vs ip, https://p5r.uk/blog/2010/ifconfig-ip-comparison.html
  - nixCraft Linux ip Command Examples
Some related links
Linux Router Setup links
Some basic research on Linux Router led me to the following:
- The Ars guide to building a Linux router from scratch
- Lifehacker - Build Your Own Speedy Little Linux-Powered DIY Router, https://www.lifehacker.com.au/2016/04/build-your-own-speedy-little-linux-powered-diy-router/
- Archlinux Router
- Kill-9 Ubuntu 16.04 based Router Part 1. Sadly this link is no longer up and has been spammed!
- Ubuntu forums Setup Ubuntu Server as a router using a PPPoE connection
- Gibson Research NAT Router Security Solutions and Multi-NAT Router Networks
- An interesting discussion on double NAT and configurations - Double NAT explained and possible solutions
NFTables links
Some basic research on NFTables led me to the following
- NFTables Wiki main page
- I like this one due to the explanation, stosb Explaining My Configs: nftables
- netfilter nftables tutorial
- Gentoo.org Nftables
- Archlinux Nftables
- LinuxQuestions.org nftables - baby steps and NFTables NAT
- Linux Audit Beginners Guide to nftables Traffic Filtering
- Debian wiki nftables
- home.regit.org Nftables quick howto
- A comparison between Nftables and IPTables from OpenWrt Netfilter/iptables
- Netfilter ebtables/iptables interaction on a Linux-based bridge.
- Wolfhechel github nftables router
- Kernelnewbies nftables examples
- Moutane Logging in the nftables age
- Deepspace6 Linux IPv6 Howto 18.5. Firewalling using nftables
- Redhat developer Migrating my iptables setup to nftables
Ubuntu Network Setup Links
Links relating to bridged and bonded Networking
A bridged network allows different networks to be connected, both physical, such as NICs or Wi-Fi, and virtual, allowing a virtual machine to connect to a physical network and even be assigned a LAN IP address. Bonding allows physical networking devices such as NICs or Wi-Fi adapters to be combined for increased bandwidth or redundancy. Sadly there seems to be a lot of information out there that is either for older versions of the software or for other purposes.
- Debian wiki BridgeNetworkConnections and Bonding
- Unixmen Ubuntu Create Network Bonding On Ubuntu 14.10
- Gentoo Home Router
Docker Related links
- Docker Docs Get Docker CE for Ubuntu, Post-installation steps for Linux and Docker Engine user guide
- Digital Ocean How To Install and Use Docker on Ubuntu 16.04
DNS/DHCP Related links
- BigDinosaur Blog Running BIND9 and ISC-DHCP
- Kill-9 Ubuntu 16.04 based Router Part 2 - DHCP, https://killtacknine.com/building-an-ubuntu-16-04-router-part-2-dhcp/
- ISC Knowledge Base A Basic Guide to Configuring DHCP Failover
- Internet Systems Consortium (ISC) Kea Modern Open Source DHCPv4 & DHCPv6 Server
- Dragon Org DNS with bind9 and DHCP on Ubuntu 16.04
IPv6 Related Links
- IPV FREENET6.NET About, How to request a reverse DNS delegation for a /48 IPv6 prefix ?
- Linux IPv6 Router Advertisement Daemon (radvd)
- scottlinux.com | Linux Blog Debian Linux Home Router with IPv4 and IPv6
- nixCraft Apache IPv6 Configuration: Dual Stacked IPv4 & IPv6 Virtual Hosts
- Loyola University Chicago, online book: An Introduction to Computer Networks, Contents, IP version 6; there is also a pdf and epub version that can be downloaded.
- Ubuntu wiki IPv6 DHCPv6, https://wiki.ubuntu.com/IPv6
- Linux.com- Practical Networking for Linux Admins: IPv6 Routing
- Stackexchange Superuser how to configure radvd for linux ipv6 router towards upstream dsl gateway
- Gentoo Linux IPv6 router guide This one is a bit outdated.
- The Debian Administrator's Handbook 10.5. IPv6
VPN Related Links
- stosb Explaining My Configs: OpenVPN
Other Related links
- Javapipe - DDoS Protection With IPtables: The Ultimate Guide
- Followup on sslh installation guide
- Purdue Uni IPTables lesson notes Lecture 18: Packet Filtering Firewalls (Linux)
- nixCraft Linux: Check Network Connection Command
- This is old, but topical, BigDinosaur Blog - Securing ssh with iptables