linux – Giovanni F. Mazzeo De Santolo

Linux IPv6 command cheatsheet

Giovanni — Fri, 05 Mar 2021 05:02:14 +0000

This post is intended to be a quick note to self on linux IPv6 commands, for quick reference when needed.

# Find the route decision for a given address.
ip route get 2a00:1450:4001:820::200e

ip -6 route
route -A inet6 (apt-get install net-tools) # equivalent to netstat -rn -A inet6
netstat -A inet6 -rn
netstat -r
ip -6 route show table 51820
ip -6 neigh
ip -6 neigh show proxy

# DHCPv6 release / renew
dhclient -6 -r ens18
dhclient -6 ens18

# Flush IPv6 neighbors cache
ip -family inet6 neigh flush any

# Find the route decision for a given address.
ip route get 2a00:1450:4001:820::200e

# Request a router advertisement (apt-get install -y ndisc6)
rdisc6 eth0

# Perform a Neighbor Solicitation (arp IPv4 equivalent) (apt-get install -y ndisc6)
ndisc6 2001:db8::42 eth0

# ping multicast address to have all link-local hosts to respond.
ping ff02::1%eth0

Good articles about IPv6:

IPv6 range blocks
IPv6 unicast, anycast, multicast – well known addresses.

Troubleshooting tools:

IPv6 ping from multiple locations.

Bonus section ‘ufw’ firewall

Check status of firewall and enable or disable.
# ufw status
# ufw enable
# ufw disable

View firewall rules and number to delete a specific rule.
# ufw status verbose
# ufw status numbered

Delete a firewall rule (from number of last cmd)
# ufw delete 12

Rules needed to allow IPv6 routing via wireguard to endpoint (no iptables forwarding would be needed on IPv6 as the other peer carries the public IP – they also should implement a firewall before using the below command!)
# ufw route allow in on eth0 out on wghub to 2602:xxx:730b:xxx:cafe::12

IPv4 firewall and routing rule to open Plex Media Server port 32400 and internal IPv4 space of wireguard peer.
# ufw allow in on eth0 out on wghub to 10.100.100.11 port 32400
# ufw route allow in on eth0 out on wghub to 10.100.100.11 port 32400

Add rule and get logs for matches of that rule:
# ufw allow log proto any from any to 192.168.1.x

View logs:
# tail -f /var/log/ufw.log

Extra bonus iptables NAT forwarding

On VPS (public endpoint) forward IPv4 traffic on tcp/32400 to wireguard peer. (recall IPv6 doesn’t need a rule)
# iptables -A PREROUTING -t nat -i eth0 -p tcp –dport 32400 -j DNAT –to 10.100.100.11:32400

Test your port forwards

For IPv6 I use:
http://www.ipv6scanner.com/cgi-bin/main.py

For IPv4:
https://www.yougetsignal.com/tools/open-ports/

LXC allow non-root users to bind to port 80 (couchpotato example)

Giovanni — Thu, 29 Jun 2017 08:37:42 +0000

A follow-up to my last post dealing with unprivileged port access on linux containers.

This time, I have a couchpotato container that I want to change its default port from 5050 to port 80, so that it is as simple as http://mycouch/ to access from the local network.

Since CouchPotato is a python script, my other method of whitelisting the binary won’t work, an alternative is to use authbind to get around this by granting a user/group privileges to bind to one of those restricted ports (non-root can’t bind to ports 1024 or less).

Environment: LXC Container (Debian 9.0 Stretch) image, with couchpotato defaults running on port 5050 and systemd init script setup (couchpotato user is named gmedia)

# groupadd -g 3200 gmedia
# useradd -u 3200 -g gmedia -M gmedia
# apt-get install authbind
# touch /etc/authbind/byport/80
# chown gmedia /etc/authbind/byport/80
# chmod 500 /etc/authbind/byport/80

Now edit the startup settings (Exec/user/group):
# nano /etc/systemd/system/couchpotato.service

Should look something like this:

[Unit]
Description=CouchPotato application instance
After=network.target

[Service]
ExecStart=/usr/bin/authbind --deep /opt/CouchPotatoServer/CouchPotato.py
Type=simple
User=gmedia
Group=gmedia

[Install]
WantedBy=multi-user.target

Now its time to test:

# systemctl daemon-reload
# systemctl start couchpotato.service
# systemctl status couchpotato.service

Confirm all is hunky dory.

root@couchpotato:~# systemctl status couchpotato.service
● couchpotato.service - CouchPotato application instance
Loaded: loaded (/etc/systemd/system/couchpotato.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-06-29 08:35:32 UTC; 2s ago
Main PID: 1203 (python)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/couchpotato.service
└─1203 python /opt/CouchPotatoServer/CouchPotato.py

Jun 29 08:35:32 couchpotato systemd[1]: Started CouchPotato application instance.
root@couchpotato:~# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 1203 gmedia 49u IPv4 6008724 0t0 TCP *:http (LISTEN)
python 1203 gmedia 52u IPv4 6024843 0t0 TCP 192.168.200.140:http->192.168.200.5:56928 (ESTABLISHED)
root@couchpotato:~#

SecureCRT mapping “Page Up” and “Page Down” for Nano/SSH

Giovanni — Wed, 23 Jun 2010 02:21:55 +0000

If you use a windows ssh terminal client, or even macosx’s terminal.app, the functionality of your page up and page down key may not behave like you want it to. For example, in SecureCRT using pageup will actually page up your scroll buffer, and pagedown will scroll down your page buffer.

You’ll need to remap your keys to send the correct signal to your terminal. Change it from the default system function to “send string” and the following strings:

PageUp = 33[5~
PageDown = 33[6~

33 is a shortcut for the ESCAPE key (esc) since in some programs you can’t type in the actualy escape key.

Here are some other codes as well in case you need to remap keys.

Pause = 32
Macro = 03 # Break (Shift-Pause)
Home = 33[1~
Insert = 33[2~
Remove = 33[3~ # Delete
End = 33[4~

In SecureCRT the area to remap your keys is Tools -> Keymap Editor.

This is especially handy if you use command line IRC clients such as Irssi or BitchX.