Router Miscellaneous
Monitoring
There are a number of Linux monitoring packages available. For more examples see 13 Linux Performance Monitoring Tools – Part 2 and 30 Linux System Monitoring Tools Every SysAdmin Should Know. Below are a few that I have tried and use.
iftop
iftop - display bandwidth usage on an interface by host
Use man iftop to see options.
Typical usage: sudo iftop -i br0
nethogs
nethogs - Net top tool grouping bandwidth per process
Use man nethogs to see options.
Typical usage: sudo nethogs br0
darkstat
Darkstat – A Web Based Linux Network Traffic Analyser is a relatively low-resource network analyser. It has a web browser interface and provides performance statistics for the main interconnection as good as or better than those of a packaged router. Another reference: How-to monitor system bandwidth usage statistics with Darkstat on Fedora.
The darkstat output can then be seen in a web browser at 192.168.1.1:667. By default the darkstat web server listens on all addresses; on a router pass -b 192.168.1.1 so that it is bound to the LAN address only and is not reachable from the WAN side, or block port 667 on the WAN interface in nftables. darkstat also supports --chroot and --user so that it drops privileges after opening the capture interface.
The darkstat systemd integration sucks; it is a legacy setup. As darkstat can simply be driven from the command line, I made a direct systemd service file to operate it.
glances
sudo apt install pipx (pipx — Install and Run Python Applications in Isolated Environments)
pipx ensurepath
pipx install glances (Glances, https://nicolargo.github.io/glances/)
pipx inject glances "glances[web]" (Glances webui with pipx)
It looks like the references for installing glances on Debian 12 are out of date….
As can be seen, glances is installed with pipx. A good reference that explains some of the pipx commands is Pipx: Installing, Uninstalling, & Upgrading Python Packages in Virtual Envs. Some key ones are:
- pipx list to list the python packages installed under pipx
- pipx upgrade package to upgrade a python package under pipx
- pipx uninstall package to uninstall a pipx package
Glances Options
The most useful hot key is 'h', which displays/hides the help screen; the help screen lists the other hot keys.
See Glances docs Configuration Location for where the configuration file may be stored, and for the format and examples. I chose to place it at ./config/glances/glances.config.
glances as a service
After modifying a systemd unit file, update systemd with sudo systemctl daemon-reload.
The glances output can then be seen in a web browser at 192.168.1.1:61208, and it will autostart with sudo systemctl enable glances.service.
Like darkstat, glances -w listens on all addresses unless told otherwise (-B 192.168.1.1 binds it to one address), so bind it to the LAN address or filter port 61208 on the WAN interface; the web UI exposes process and system details and has no authentication unless --password is used.
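The two service files referred to above (darkstat driven directly from the command line, and glances as a service) are not reproduced on this page. The script below is an added example, not the page's own unit files, that generates both units with the web UI bound to the LAN address and a few systemd sandboxing directives. It assumes a LAN bridge br0 with address 192.168.1.1, darkstat installed at /usr/sbin/darkstat with a darkstat system user, and glances installed by pipx for a user named router at /home/router/.local/bin/glances; none of those are stated on the page, so adjust the variables at the top.

```shell
#!/bin/sh
# Added example (not from the original page): write systemd units for the
# darkstat and glances web UIs that listen only on the router's LAN address.
# Assumptions (not stated on the page): LAN bridge br0 with 192.168.1.1,
# /usr/sbin/darkstat plus a 'darkstat' system user, and glances installed by
# pipx for user 'router' at /home/router/.local/bin/glances.
set -eu

LAN_IF="${LAN_IF:-br0}"
LAN_ADDR="${LAN_ADDR:-192.168.1.1}"
GLANCES_BIN="${GLANCES_BIN:-/home/router/.local/bin/glances}"
GLANCES_USER="${GLANCES_USER:-router}"

# write_unit DIR NAME EXECSTART [USER]
# Emits DIR/NAME.service. The sandboxing lines are ones both daemons tolerate:
# no privilege escalation, private /tmp, read-only /usr and /etc.
write_unit() {
    dir=$1; name=$2; exec_start=$3; run_as=${4:-}
    user_line=""
    if [ -n "$run_as" ]; then user_line="User=$run_as"; fi
    cat >"$dir/$name.service" <<EOF
[Unit]
Description=$name web UI (bound to $LAN_ADDR only)
After=network-online.target
Wants=network-online.target

[Service]
$user_line
ExecStart=$exec_start
Restart=on-failure
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full

[Install]
WantedBy=multi-user.target
EOF
}

# darkstat must start as root to open the capture interface; --user makes it
# drop privileges itself, --chroot confines it, --no-daemon keeps it in the
# foreground so systemd can supervise it, and -b binds the web server.
write_darkstat_unit() {
    write_unit "$1" darkstat \
        "/usr/sbin/darkstat --no-daemon -i $LAN_IF -b $LAN_ADDR -p 667 --chroot /var/lib/darkstat --user darkstat"
}

# glances only reads /proc and /sys, so it runs as the unprivileged pipx user.
write_glances_unit() {
    write_unit "$1" glances "$GLANCES_BIN -w -B $LAN_ADDR -p 61208" "$GLANCES_USER"
}

# unit_binds_lan FILE: 0 if the ExecStart line binds the UI to LAN_ADDR.
unit_binds_lan() { grep -q -- "-[bB] $LAN_ADDR" "$1"; }

# Install (as root):  ./units.sh install
# Then check nothing is listening on 0.0.0.0:  ss -ltnp | grep -E ':(667|61208) '
case "${1:-}" in
install)
    out=/etc/systemd/system
    write_darkstat_unit "$out"
    write_glances_unit "$out"
    systemctl daemon-reload
    systemctl enable --now darkstat.service glances.service
    ;;
esac
```

After `systemctl enable --now`, `ss -ltnp` should show both ports bound to 192.168.1.1 rather than `*` or 0.0.0.0; if darkstat refuses to start, check that /var/lib/darkstat exists and is owned by the darkstat user, since the chroot directory must exist before it is entered.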
ntopng
I tried ntopng again in December 2023. I ran it in a Docker container on my router; although markedly improved since I tried it a few years ago, this program suite still uses a lot of resources on my router, which loads it up close to 50%. There are occasional reports of dropped packets and such, further indicating overload.
I noted a problem with installing the Docker version. The Docker package documentation and defaults point to the latest tag, yet the available package is listed as stable, e.g.
docker run -it -p 3000:3000 --net=host ntop/ntopng:stable -i br0
versus the instructed
docker run -it -p 3000:3000 -v $(pwd)/ntopng.license:/etc/ntopng.license:ro --net=host ntop/ntopng:latest -i br0
(With --net=host the container shares the host's network stack, so the -p 3000:3000 mapping is ignored and the ntopng web UI simply listens on host port 3000; the -v line mounts the licence file read-only into the container.)
Another thing I do not like about this package is that the free community version is a significantly cut-down version of the full paid version. The cost of the paid versions is substantial and I simply cannot justify it for non-commercial home use. There is no general free full-use version for individual personal use. The Docker container image is 2GB in size, the biggest image I have seen to date. Seems a bit bloated….
Hence I have decided not to use this software.
tl;dr
Systemd notes: not relevant when using the Docker version.
Docker Setup & Basic Commands
The Docker installation instructions for Ubuntu are at Docker Get Docker CE for Ubuntu.
This is pretty old; I played with it circa 2017 and had not used Docker since. I had successfully been using full KVM-based VMs for my main machines and so did not have much need for Docker.
That being said, I can see the benefits of containerisation, such as Docker, versus full virtual machines, such as KVM. Of course there are also benefits with full VMs!
In 2022 I revisited Docker and have basically moved my various VM applications to Docker containers/stacks. I run my Docker instance in a VM to isolate Docker from bare metal. This is primarily because Docker plays around with iptables. I do not like this, particularly on my main router machine, on which I use nftables on bare metal as the router/firewall software.
Docker Host Security
Docker by default manages iptables rules on the host to give containers outbound NAT and to publish container ports (on a nftables host this still works through the iptables-nft compatibility layer, so Docker's rules land in the same kernel alongside your own nftables tables). Published ports are DNATed in the nat prerouting hook and accepted in Docker's own forward chains, so they bypass the host's input chain entirely: a port published with -p is reachable from every interface, WAN included, whatever the host firewall's input policy says. Docker also sets the FORWARD chain policy to DROP when it starts, which on a machine that is also the router silently stops all routing between LAN and WAN. This is a significant concern when the host is used as a router. Docker's supported place for host-side restrictions is the DOCKER-USER chain, which Docker evaluates before its own rules and never rewrites. Alternatively the daemon can be configured not to touch iptables at all ("iptables": false in /etc/docker/daemon.json), in which case all NAT and forwarding between the host, the containers and the Internet must be performed manually.
Stephank.nl considers IPv6 with Docker and using nftables IPv6 on production Docker
Docker and iptables configuration @startup
Configure iptables for Docker manually and allow Internet access for containers
Debian Firewall when using Docker
Setting up docker containers with nat
Iptables rule-set so that a docker container can access a service on a host IP
Docker Algo Setup & Basic Commands
This is old; I played with this circa 2017 and have not used it since. I certainly have no interest in Algo IPsec VPN anymore and have recently been trying to get WireGuard working.
Comparison of VPN protocols
Docker Docs Use the Docker command line
OpenVPN for Docker
OpenVPN server in a Docker container complete with an EasyRSA PKI CA kylemanna/docker-openvpn
How to Geek - How to connect to a VPN from your iPhone
Reserved Ports and IPv4 Reserved Addresses
It took me some time to track down this authoritative information, but it was relatively simple, as this information is authoritatively defined in RFC (Request for Comments) de facto standards, as noted below.
IANA Service Name and Transport Protocol Port online Number Registry
RFC 3232 replaced RFC 1700. RFC 3232 states that RFC 1700 has been replaced by an online database; see the link given above. RFC 6335 also has information on the port number registry and the associated database.
Most Unix-like operating systems have a service name database file: /etc/services. nft accepts service names in port matches (e.g. tcp dport ssh) and resolves them from /etc/services, so a name that is missing from that file, or that has no entry for the protocol being matched, makes the ruleset fail to load.
Some ports of interest:
| Name      | Port | Protocols      | Description                                                  |
|-----------|------|----------------|--------------------------------------------------------------|
| ftp-data  | 20   | tcp, udp, sctp | File Transfer [Default Data]                                 |
| ftp       | 21   | tcp, udp, sctp | File Transfer Protocol [Control]                             |
| ssh       | 22   | tcp, udp, sctp | The Secure Shell (SSH) Protocol                              |
| smtp      | 25   | tcp, udp       | Simple Mail Transfer                                         |
| domain    | 53   | tcp, udp       | Domain Name Server (DNS)                                     |
| bootps    | 67   | tcp, udp       | Bootstrap Protocol Server (DHCP)                             |
| bootpc    | 68   | tcp, udp       | Bootstrap Protocol Client (DHCP)                             |
| http      | 80   | tcp, udp, sctp | World Wide Web HTTP                                          |
| pop3      | 110  | tcp, udp       | Post Office Protocol Version 3                               |
| ntp       | 123  | tcp, udp       | Network Time Protocol                                        |
| imap2     | 143  | tcp, udp       | Internet Message Access Protocol                             |
| ldap      | 389  | tcp, udp       | Lightweight Directory Access Protocol                        |
| https     | 443  | tcp, udp, sctp | http protocol over TLS/SSL                                   |
| urd       | 465  | tcp            | aliases ssmtp, smtps; URL Rendezvous Directory for SSM       |
| ldaps     | 636  | tcp, udp       | ldap protocol over TLS/SSL (was sldap)                       |
| rsync     | 873  | tcp, udp       | rsync                                                        |
| ftps-data | 989  | tcp, udp       | File Transfer [Default Data]                                 |
| ftps      | 990  | tcp, udp       | File Transfer Protocol [Control]                             |
| imaps     | 993  | tcp, udp       | imap4 protocol over TLS/SSL                                  |
| pop3s     | 995  | tcp, udp       | pop3 protocol over TLS/SSL (was spop3)                       |
| openvpn   | 1194 | tcp, udp       | OpenVPN                                                      |
Notes:
- TCP = Transmission Control Protocol
- UDP = User Datagram Protocol
- SCTP = Stream Control Transmission Protocol
- The Bootstrap Protocol was a precursor to DHCP (Dynamic Host Configuration Protocol)
RFC 3330 Special-Use IPv4 Addresses, September 2002. RFC 3330 has since been obsoleted by RFC 5735 and then by RFC 6890, which now carries the special-use address registry.
IPv4 uses some of these special addresses for private LANs (Local Area Networks), with NAT (Network Address Translation) used to connect the LANs to the WAN (Wide Area Network) via a router. This compensates for the limited address space in IPv4. IPv4 NAT obscures the private LAN addresses from the public WAN, but the actual protection comes from the stateful firewall in front of the LAN, which only admits inbound packets belonging to a connection the LAN initiated; NAT on its own is not a security boundary. A router should also drop packets arriving on the WAN whose source is one of the special-use ranges, since no Internet peer can legitimately use them and they are therefore spoofed.
IPv6 does not need NAT, as its native address space is large enough never to require it in the foreseeable future. IPv6 hosts therefore get globally routable addresses, so the default-deny forward policy that the IPv4 NAT setup gave for free must be written explicitly in the IPv6 firewall, otherwise every LAN host is directly reachable from the Internet.
Other interesting links:
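An added example, not from the original page, tying the two lists above together: it generates an nftables fragment for the WAN input path that drops packets with a special-use source address (the RFC 6890 ranges that succeeded RFC 3330) and admits only services named as they appear in /etc/services, which nft resolves itself. It assumes a WAN interface ppp0 and a main ruleset that already has table inet filter with an input chain; both are assumptions. Service names are passed as tcp:NAME or udp:NAME because a name such as ssh may have no udp entry in /etc/services, and nft refuses to load a ruleset that references one.

```shell
#!/bin/sh
# Added example, not from the original page: build a WAN ingress chain that
# drops spoofed special-use sources (RFC 6890 registry, successor of RFC 3330)
# and accepts only named services from /etc/services.
# Assumptions: WAN interface ppp0; table 'inet filter' with an input chain
# already defined by the main ruleset that includes this fragment.
set -eu

WAN_IF="${WAN_IF:-ppp0}"

# Source ranges that must never arrive from the Internet: "this" network,
# RFC 1918 private, shared address space, loopback, link-local, IETF protocol
# assignments, the three TEST-NETs, benchmarking, multicast and reserved class E.
bogon_set() {
    cat <<'EOF'
0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16,
198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4
EOF
}

# write_wan_nft DIR tcp:NAME|udp:NAME ...
# Writes DIR/wan.nft. Names are left symbolic so nft resolves them from
# /etc/services at load time; an unknown name fails the load rather than
# silently opening the wrong port.
write_wan_nft() {
    dir=$1; shift
    tcp=""; udp=""
    for spec in "$@"; do
        case $spec in
            tcp:*) tcp="$tcp${tcp:+, }${spec#tcp:}" ;;
            udp:*) udp="$udp${udp:+, }${spec#udp:}" ;;
            *) echo "bad service spec: $spec (use tcp:NAME or udp:NAME)" >&2; return 1 ;;
        esac
    done
    {
        echo "define wan = \"$WAN_IF\""
        echo "define bogons = { $(bogon_set | tr '\n' ' ') }"
        echo "add chain inet filter wan_in"
        echo "add rule inet filter input iifname \$wan jump wan_in"
        # Spoofed sources first, so they never reach the service rules.
        echo "add rule inet filter wan_in ip saddr \$bogons counter drop"
        echo "add rule inet filter wan_in ct state established,related accept"
        echo "add rule inet filter wan_in ct state invalid drop"
        if [ -n "$tcp" ]; then
            echo "add rule inet filter wan_in tcp dport { $tcp } ct state new accept"
        fi
        if [ -n "$udp" ]; then
            echo "add rule inet filter wan_in udp dport { $udp } ct state new accept"
        fi
        echo "add rule inet filter wan_in counter drop"
    } >"$dir/wan.nft"
}

# Usage (as root):  ./wan-in.sh /etc/nftables.d tcp:ssh udp:openvpn
#                   nft -c -f /etc/nftables.d/wan.nft && nft -f /etc/nftables.d/wan.nft
if [ "$#" -ge 2 ]; then
    write_wan_nft "$@"
fi
```

The counter on the bogon rule is the useful part operationally: `nft list chain inet filter wan_in` shows how many spoofed packets the WAN is seeing, which on a PPPoE link should be a small but non-zero number. Add 192.88.99.0/24 (the deprecated 6to4 relay anycast block) to the set if the upstream never carries 6to4.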
- Redhat Appendix C. Common Ports
- Distribution List of Ports (information only)
- Archlinux DeveloperWiki:UID / GID Database
- Red Hat 37.3. Standard Users
The following is a list of related commonly used commands and scripts:
- Get external IP address
wget http://ipinfo.io/ip -qO -
- To check the current network hardware configuration
ip a
- Systemd common commands (start / stop / restart / status) (enable / disable for boot control)
- To start (/stop /enable) the bind9 daemon
sudo systemctl start bind9
- To check networking status
sudo systemctl status networking
- List current systemd operating units: sudo systemctl list-units | grep '*'. Change or remove the grep statement as required.
- To find where systemd service scripts are located use systemctl show -p FragmentPath nftables
- To list all systemd services: systemctl list-unit-files, use systemctl list-unit-files --state=enabled to check all enabled. A good reference from DigitalOcean for Systemctl to manage systemd services and units and for journalctl.
- Some commonly used system services for router setup:
- bind9.service
- networking.service
- isc-dhcp-server.service
- isc-dhcp-server6.service
- The journalctl command shows the information stored in the system journal:
  - sudo journalctl -b shows all journal entries collected since the current boot
  - journalctl --list-boots lists recorded boots. The default option for Storage is Storage=auto in /etc/systemd/journald.conf. For this option, if the directory /var/log/journal is present, previous boot log files are saved; conversely, if it is not present, previous boot files are not saved. Check man journald.conf for details. Use sudo ls -la /var/log/journal to see if the directory already exists, sudo mkdir -p /var/log/journal to create the directory if it does not exist (then sudo systemctl restart systemd-journald, or reboot, so that journald starts writing to it), and sudo rm -R /var/log/journal to remove the directory and any contents.
  - sudo journalctl -b -1 shows all journal entries collected from the previous boot, -2 from the boot before that, etc. sudo journalctl -b 0 is effectively the same as sudo journalctl -b
  - sudo journalctl -u networking tends to give more / different format information than sudo systemctl status networking
- Links to info on the ip and ifconfig commands:
  - ifconfig vs ip: https://p5r.uk/blog/2010/ifconfig-ip-comparison.html
  - nixCraft Linux ip Command Examples
Some related links
Linux Router Setup links
Some basic research on Linux Router led me to the following:
- The Ars guide to building a Linux router from scratch
- Lifehacker - Build Your Own Speedy Little Linux-Powered DIY Router: https://www.lifehacker.com.au/2016/04/build-your-own-speedy-little-linux-powered-diy-router/
- Archlinux Router
- Kill-9 Ubuntu 16.04 based Router Part 1. Sadly this link is no longer up and has been spammed!
- Ubuntu forums Setup Ubuntu Server as a router using a PPPoE connection
- Gibson Research NAT Router Security Solutions and Multi-NAT Router Networks
- An interesting discussion on double NAT and configurations - Double NAT explained and possible solutions
NFTables links
Some basic research on NFTables led me to the following:
- NFTables Wiki main page
- I like this one due to the explanation, stosb Explaining My Configs: nftables
- netfilter nftables tutorial
- Gentoo.org Nftables
- Archlinux Nftables
- LinuxQuestions.org nftables - baby steps and NFTables NAT
- Linux Audit Beginners Guide to nftables Traffic Filtering
- Debian wiki nftables
- home.regit.org Nftables quick howto
- A comparison between Nftables and IPTables from OpenWrt Netfilter/iptables
- Netfilter ebtables/iptables interaction on a Linux-based bridge.
- Wolfhechel github nftables router
- Kernelnewbies nftables examples
- Moutane Logging in the nftables age
- Deepspace6 Linux IPv6 Howto 18.5. Firewalling using nftables
- Redhat developer Migrating my iptables setup to nftables
Ubuntu Network Setup Links
Links relating to bridged and bonded Networking
A bridged network allows different networks to be connected, both physical (NICs or Wi-Fi) and virtual, allowing a virtual machine to connect to a physical network and even be assigned a LAN IP address. Bonding allows physical networking devices such as NICs or Wi-Fi adapters to be combined for increased bandwidth or redundancy. Sadly there seems to be a lot of information out there that is either for older versions of the software or for other purposes.
- Debian wiki BridgeNetworkConnections and Bonding
- Unixmen Ubuntu Create Network Bonding On Ubuntu 14.10
- Gentoo Home Router
Docker Related links
- Docker Docs Get Docker CE for Ubuntu, Post-installation steps for Linux and Docker Engine user guide
- Digital Ocean How To Install and Use Docker on Ubuntu 16.04
DNS/DHCP Related links
- BigDinosaur Blog Running BIND9 and ISC-DHCP
- Kill-9 Ubuntu 16.04 based Router Part 2 - DHCP: https://killtacknine.com/building-an-ubuntu-16-04-router-part-2-dhcp/
- ISC Knowledge Base A Basic Guide to Configuring DHCP Failover
- Internet Systems Consortium (ISC) Kea Modern Open Source DHCPv4 & DHCPv6 Server
- Dragon Org DNS with bind9 and DHCP on Ubuntu 16.04
IPv6 Related Links
- FREENET6.NET: About, and How to request a reverse DNS delegation for a /48 IPv6 prefix?
- Linux IPv6 Router Advertisement Daemon (radvd)
- scottlinux.com | Linux Blog Debian Linux Home Router with IPv4 and IPv6
- nixCraft Apache IPv6 Configuration: Dual Stacked IPv4 & IPv6 Virtual Hosts
- Loyola University Chicago, online book: An Introduction to Computer Networks, Contents, IP version 6; there is also a pdf and epub version that can be downloaded.
- Ubuntu wiki IPv6 DHCPv6: https://wiki.ubuntu.com/IPv6
- Linux.com- Practical Networking for Linux Admins: IPv6 Routing
- Stackexchange Superuser how to configure radvd for linux ipv6 router towards upstream dsl gateway
- Gentoo Linux IPv6 router guide This one is a bit outdated.
- The Debian Administrator's Handbook 10.5. IPv6
VPN Related Links
- stosb Explaining My Configs: OpenVPN
Other Related links
- Javapipe - DDoS Protection With IPtables: The Ultimate Guide
- Followup on sslh installation guide
- Purdue Uni IPTables lesson notes Lecture 18: Packet Filtering Firewalls (Linux)
- nixCraft Linux: Check Network Connection Command
- This is old, but topical, BigDinosaur Blog - Securing ssh with iptables