network-and-communication

Differences

This shows you the differences between two versions of the page.


network-and-communication [2019/04/12 17:42]
Miroslav Bernát
network-and-communication [2019/09/16 22:32] (current)
Miroslav Bernát
Line 3: Line 3:
 ^ NETWORK & COMMUNICATION ^ ^ ^ NETWORK & COMMUNICATION ^ ^
 | **hostname**\\ **hostname** <​hostname>​ | prints the system'​s host name, **-I** all IP addresses of the host, **-d** DNS domain name, **-y** NIS domain name\\ sets the system’s host name (permanent settings in ///​etc/​sysconfig/​network//​) | | **hostname**\\ **hostname** <​hostname>​ | prints the system'​s host name, **-I** all IP addresses of the host, **-d** DNS domain name, **-y** NIS domain name\\ sets the system’s host name (permanent settings in ///​etc/​sysconfig/​network//​) |
-| **hostnamectl --transient**\\ (implemented ​in Red Hat Enterprise Linux 7)\\ **hostnamectl ​ set-hostname** <​hostname>​\\ (implemented ​in Red Hat Enterprise Linux 7) | prints the system'​s host name\\ \\ sets a permanent system’s host name (edits ///​etc/​hostname//​),​ **--transient** sets a temporary system’s host name | +| **hostnamectl --transient**\\ (implemented ​from RHEL 7)\\ **hostnamectl ​ set-hostname** <​hostname>​\\ (implemented ​from RHEL 7) | prints the system'​s host name\\ \\ sets a permanent system’s host name (edits ///​etc/​hostname//​),​ **--transient** sets a temporary system’s host name | 
-| **hostnamectl** (**status**)\\ (implemented ​in Red Hat Enterprise Linux 7) | prints the permanent, possibly temporary system’s host name, hardware type, machine ID, boot ID, operating system name, name and version of the kernel and processor architecture |+| **hostnamectl** (**status**)\\ (implemented ​from RHEL 7) | prints the permanent, possibly temporary system’s host name, hardware type, machine ID, boot ID, operating system name, name and version of the kernel and processor architecture |
 | **domainname**\\ **domainname** <​nisdomain>​ | prints the system’s NIS domain name, **-I** all IP addresses of the host, **-d** DNS domain name\\ sets the system’s NIS domain name (permanent settings in ///​etc/​sysconfig/​network//​) | | **domainname**\\ **domainname** <​nisdomain>​ | prints the system’s NIS domain name, **-I** all IP addresses of the host, **-d** DNS domain name\\ sets the system’s NIS domain name (permanent settings in ///​etc/​sysconfig/​network//​) |
 | **hostid** | prints the numeric identifier for the current host | | **hostid** | prints the numeric identifier for the current host |
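Review bot: in the `hostnamectl` row the `--transient` form is described only as "prints the system's host name", which does not distinguish it from plain `hostnamectl` or `hostnamectl --static`; suggest "prints the transient (runtime) host name" and, to mirror the `set-hostname` cell that edits /etc/hostname, mention that `hostnamectl --static` prints the permanent name stored there. Style point in the same cell: `hostnamectl  set-hostname` carries a double space.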
Line 12: Line 12:
 | **cat /​etc/​hosts** | prints a list of IP addresses with associated names, possibly aliases of the remote systems that the local system connects to without using DNS or NIS | | **cat /​etc/​hosts** | prints a list of IP addresses with associated names, possibly aliases of the remote systems that the local system connects to without using DNS or NIS |
 | **host** <​IP_address / hostname>​ | prints a name or IP address of the remote system, **-a** all available information\\ ''​$ host fedora.com''​ | | **host** <​IP_address / hostname>​ | prints a name or IP address of the remote system, **-a** all available information\\ ''​$ host fedora.com''​ |
-| **nslookup** <​IP_address / hostname>​ | prints an IP address of the DNS server and name or IP address of the remote system; depending on particular options additional DNS records are displayed; without ​a parameter ​it works interactively |+| **nslookup** <​IP_address / hostname>​ | prints an IP address of the DNS server and name or IP address of the remote system; depending on particular options additional DNS records are displayed; without ​an argument ​it works interactively |
 | **dig** <​hostname>​ | prints an IP address of the remote system and the DNS server, **-x** <​IP_address>​ prints a name of the remote system; depending on particular options additional DNS records are displayed | | **dig** <​hostname>​ | prints an IP address of the remote system and the DNS server, **-x** <​IP_address>​ prints a name of the remote system; depending on particular options additional DNS records are displayed |
 | **whois** <​domain_name>​ | prints information about an internet domain registration\\ ''​$ whois redhat.com''​ | | **whois** <​domain_name>​ | prints information about an internet domain registration\\ ''​$ whois redhat.com''​ |
 | **ping** <​IP_address / hostname>​ | detects a host's availability in the network, **-c** <n> sets the number of connection attempts, **-i** <n> sets the interval between attempts in seconds (1 s by default)\\ ''​$ ping -c 5 google.com''​ | | **ping** <​IP_address / hostname>​ | detects a host's availability in the network, **-c** <n> sets the number of connection attempts, **-i** <n> sets the interval between attempts in seconds (1 s by default)\\ ''​$ ping -c 5 google.com''​ |
 | **route** / **netstat -r**\\ **route** <​option>​ (<​parameter>​) (<​target>​) (<​option>​) (<​parameter>​) | prints the IP routing table\\ **-n** prints IP addresses, **add** adds a static route, **del** removes a static route, **-net** the target is a network, **-host** the target is a host, **netmask** defines a network mask, **gw** defines a network gateway, **dev** defines a network card; (permanent settings in ///​etc/​sysconfig/​network-scripts/​route-eth*//​)\\ ''#​ route add -host 95.139.140.42 gw 89.229.34.178''​\\ (adds a route for a particular host)\\ ''#​ route add default gw 192.168.122.255''​\\ (assigns the gateway a particular IP address)\\ ''#​ route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0''​\\ (adds a route for the particular network and specifies a network card) | | **route** / **netstat -r**\\ **route** <​option>​ (<​parameter>​) (<​target>​) (<​option>​) (<​parameter>​) | prints the IP routing table\\ **-n** prints IP addresses, **add** adds a static route, **del** removes a static route, **-net** the target is a network, **-host** the target is a host, **netmask** defines a network mask, **gw** defines a network gateway, **dev** defines a network card; (permanent settings in ///​etc/​sysconfig/​network-scripts/​route-eth*//​)\\ ''#​ route add -host 95.139.140.42 gw 89.229.34.178''​\\ (adds a route for a particular host)\\ ''#​ route add default gw 192.168.122.255''​\\ (assigns the gateway a particular IP address)\\ ''#​ route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0''​\\ (adds a route for the particular network and specifies a network card) |
-| **traceroute** <​IP_address / hostname>​ | prints the route packets trace to a remote host, **-m** <n> specifies the max. number of hops – max. time-to-live value (30 by default), **-n** prints IP addresses, **-w** <n> sets the interval to wait for a response in seconds (5 s by default)\\ ''​$ traceroute yahoo.com''​ |+| **traceroute** <​IP_address / hostname>​ | prints the network path to a remote host, **-m** <n> specifies the max. number of hops – max. time-to-live value (30 by default), **-n** prints IP addresses, **-w** <n> sets the interval to wait for a response in seconds (5 s by default)\\ ''​$ traceroute yahoo.com'' ​
 +| **tracepath** <​IP_address / hostname>​ | prints the network path to a remote host, **-m** <n> specifies the max. number of hops – max. time-to-live value (30 by default), **-n** prints IP addresses, **-b** prints both host names and IP addresses ​|
 | **mtr** <​IP_address / hostname>​ | prints the route packets trace to a remote host interactively (the packet information changes according to the current state), **-m** <n> specifies the max. number of hops – max. time-to-live value (30 by default), **-n** prints IP addresses | | **mtr** <​IP_address / hostname>​ | prints the route packets trace to a remote host interactively (the packet information changes according to the current state), **-m** <n> specifies the max. number of hops – max. time-to-live value (30 by default), **-n** prints IP addresses |
-| **whatmask** <netmask / IP/​netmask>​ | prints the number of usable IP addresses in a specified network\\ ''​$ whatmask /24 / 192.168.165.23/​24''​ |+| **whatmask** <netmask / IP/​netmask>​ | prints the number of usable IP addresses in a specified network\\ ''​$ whatmask /24'' ​''​192.168.165.23/​24''​ |
 | **ethtool** <​device>​\\ **ethtool -s** <​device>​ <​option>​ | prints ethernet card settings\\ alters ethernet card settings; option e.g. **duplex half** or **full**, **speed 10**, **100**, or **1000**\\ ''#​ ethtool -s eth0 duplex full speed 100''​\\ (sets a duplex mode with full speed of 100 Mb/s) | | **ethtool** <​device>​\\ **ethtool -s** <​device>​ <​option>​ | prints ethernet card settings\\ alters ethernet card settings; option e.g. **duplex half** or **full**, **speed 10**, **100**, or **1000**\\ ''#​ ethtool -s eth0 duplex full speed 100''​\\ (sets a duplex mode with full speed of 100 Mb/s) |
-| **ip** (<​option>​) <​object>​ <​command>​ (<​parameter>​) | prints or configures network parameters\\ ''​$ ip addr show''​\\ (prints the current ​network ​configuration)\\ ''#​ ip addr add 192.168.0.100/​24 dev eth0''​\\ (assigns another IP address for a particular ​interface)\\ ''#​ ip addr del 192.168.0.100/​24 dev eth0''​\\ (removes ​the IP address from a particular ​interface)\\ ''#​ ip route show''​\\ (prints a routing table) | +| **ip** (<​option>​) <​object>​ <​command>​ (<​parameter>​) | prints or configures network parameters, **-s** displays traffic statistics for a network interface\\ ''​$ ip link show''​\\ (prints the properties of all or specified network interfaces – their status, MAC address and other network parameters)\\ ''​$ ip -s link show enp3s0''​\\ (prints the number of received and transmitted packets, packets errors and packets that were dropped for a specified network interface)\\ ''​$ ip addr show''​\\ (prints the properties of all or specified ​network ​interfaces – their status, MAC address, IP address, network mask and other network parameters)\\ ''#​ ip addr add 192.168.0.100/​24 dev eth0''​\\ (assigns another IP address for the network ​interface)\\ ''#​ ip addr del 192.168.0.100/​24 dev eth0''​\\ (removes ​an IP address from network ​interface)\\ ''#​ ip route show''​\\ (prints a routing table) | 
-| **ifconfig** (<​device>​)\\ \\ **ifconfig** <​device>​ (<IP address>​) <​option>​ | prints the status ​of the currently ​active or specified interfaces – IP address, MAC address, network mask and other network parameters, **-a** prints ​the status of all (including ​inactiveinterfaces\\ configures a specified network interface, options e.g. **up**, **down**, **hw ether** <​MAC_address>,​ **netmask** <​netmask>​ (permanent settings in ///​etc/​sysconfig/​network-scripts/​ifcfg-eth*//​)\\ ''#​ ifconfig eth0 up/​down''​\\ (activates/​deactivates a network ​card)\\ ''#​ ifconfig eth0 192.168.0.10 netmask 255.255.255.0''​\\ (sets a static IP address and network mask)\\ ''#​ ifconfig eth0 hw ether 00:​11:​09:​D6:​DC:​3C''​\\ (sets a particular ​MAC address for the network ​card) | +| **ifconfig** (<​device>​)\\ \\ **ifconfig** <​device>​ (<IP address>​) <​option>​ | prints the properties ​of all active or specified ​network ​interfaces – their status, MAC address, IP address, network mask and other network parameters, **-a** prints inactive ​network ​interfaces ​too\\ configures a specified network interface, options e.g. **up**, **down**, **hw ether** <​MAC_address>,​ **netmask** <​netmask>​ (permanent settings in ///​etc/​sysconfig/​network-scripts/​ifcfg-eth*//​)\\ ''#​ ifconfig eth0 up/​down''​\\ (activates/​deactivates a network ​interface)\\ ''#​ ifconfig eth0 192.168.0.10 netmask 255.255.255.0''​\\ (sets a static IP address and network mask for the network interface)\\ ''#​ ifconfig eth0 hw ether 00:​11:​09:​D6:​DC:​3C''​\\ (sets a specified ​MAC address for the network ​interface) | 
-| **ifup** <​device>​ | activates a network ​card\\ ''#​ ifup eth0''​ | +| **ifup** <​device>​ | activates a network ​interface\\ ''#​ ifup eth0''​ | 
-| **ifdown** <​device>​ | deactivates a network ​card\\ ''#​ ifdown eth1''​ | +| **ifdown** <​device>​ | deactivates a network ​interface\\ ''#​ ifdown eth1''​ | 
-| **iwconfig** <​device>​\\ **iwconfig** <​device>​ <​option>​ | prints the status of a wireless network interface\\ configures a wireless network interface, **essid** <​network_name>​ network name, **ap** <​AP_address>​ access point address, **mode** <​mode>​ card mode („Managed“ = client, „Master“ = access point), **key** <key> encrypted transfer\\ ''#​ iwconfig eth1 essid AP_profik ap 00:​60:​1D:​01:​23:​45 key 0123-4567-89 ​ mode Managed''​ |+| **iwconfig** <​device>​\\ **iwconfig** <​device>​ <​option>​ | prints the status of a wireless network interface\\ configures a wireless network interface, **essid** <​network_name>​ network name, **ap** <​AP_address>​ access point address, **mode** <​mode>​ card mode („Managed“ = client, „Master“ = access point), **key** <key> encrypted transfer\\ ''#​ iwconfig eth1 essid AP_profik ap 00:​60:​1D:​01:​23:​45 key 0123-4567-89 mode Managed''​ |
 | **iwlist** <​device>​ <​option>​ | prints detailed information from a wireless interface, **scan** prints available wireless networks including IP addresses of access points, frequency, mode, encryption and quality | | **iwlist** <​device>​ <​option>​ | prints detailed information from a wireless interface, **scan** prints available wireless networks including IP addresses of access points, frequency, mode, encryption and quality |
 +| **nmcli** (<​object>​ <​command>​ (<​argument>​%%))%% | controls NetworkManager (creates, deletes, displays, edits, activates and deactivates network profiles, as well as controls and displays network device status); profile (connection) = collection of settings that can be configured for a specified device, each profile has a name or ID that identifies it\\ ''​$ nmcli dev status''​\\ (displays device status)\\ ''​$ nmcli dev show enp3s0''​\\ (displays the settings for a specified device)\\ ''​$ nmcli con show''​\\ (displays all profiles)\\ ''​$ nmcli con show --active''​\\ (displays only the active profiles)\\ ''​$ nmcli con show enp3s0''​\\ (displays all configuration settings for a specified profile)\\ ''#​ nmcli con add con-name static ifname enp3s0 type ethernet ipv4.method manual ipv4.address 192.168.15.105/​24 ipv4.gateway 192.168.15.1 ipv4.dns 192.168.15.1''​\\ (creates a new profile "​static"​ with a specified IP address, network prefix, default gateway and DNS)\\ ''#​ nmcli con mod static +ipv4.address 192.168.15.106/​24''​\\ (modifies a profile adding another IP address)\\ ''#​ nmcli con up static''​\\ (activates a profile)\\ ''#​ nmcli con mod enp3s0 autoconnect no''​\\ (disables the original profile from autostarting at boot)\\ ''#​ nmcli con reload''​\\ (reloads the configuration file changes) |
 | **tcpdump** | prints traffic on a network, **-i** <​device>​ specifies a specified interface (the first one by default), **port** <​port>​ specified port, **tcp**/​**udp**/​**icmp** particular protocol, **host** <​host>​ between a specified host, **ether host** <​MAC_address>​ between a specified MAC address, **-n** prints IP addresses, **-v** detailed output\\ ''#​ tcpdump -i eth0 -nv port 22''​\\ ''#​ tcpdump -nv ether host 00:​02:​3F:​09:​FA:​F1''​ | | **tcpdump** | prints traffic on a network, **-i** <​device>​ specifies a specified interface (the first one by default), **port** <​port>​ specified port, **tcp**/​**udp**/​**icmp** particular protocol, **host** <​host>​ between a specified host, **ether host** <​MAC_address>​ between a specified MAC address, **-n** prints IP addresses, **-v** detailed output\\ ''#​ tcpdump -i eth0 -nv port 22''​\\ ''#​ tcpdump -nv ether host 00:​02:​3F:​09:​FA:​F1''​ |
-| **ifstat** (<​device>​) | displays ​network traffic – the size of received and sent data on all or specified network interfaces |+| **ifstat** (<​device>​) | displays network traffic ​statistics ​– the size of received and transmitted ​data on all or specified network interfaces |
 | **iftop** | displays a network traffic in an interactive way – source and destination addresses, the size of transferred data and a total summary (the output changes according to the current state), **-i** <​device>​ specifies a particular interface (the first one by default), interactive option **n** prints IP addresses, **p** displays ports, **S** source port, **D** destination port, **N** service listening on the destination port, **q** quits the program | | **iftop** | displays a network traffic in an interactive way – source and destination addresses, the size of transferred data and a total summary (the output changes according to the current state), **-i** <​device>​ specifies a particular interface (the first one by default), interactive option **n** prints IP addresses, **p** displays ports, **S** source port, **D** destination port, **N** service listening on the destination port, **q** quits the program |
-| **netstat** | prints a list of open sockets including port numbers, protocol types and IP addresses, **-a** all current connections,​ **-l** listening ports only, **-t** TCP ports only (used with option "​-a"​ or "​-l"​),​ **-u** UDP ports only (used with option "​-a"​ or "​-l"​),​ **-e** users and i-nodes, **-n** IP addresses, **-p** the PID and name of the program ​to which each socket belongs, **-i** the table of network interfaces, **-r** the kernel routing table, **-s** summary statistics for each protocol\\ ''​$ ports="​echo discard systat daytime netstat chargen finger nntp"; echo="​7";​ discard="​9";​ systat="​11";​ daytime="​13";​ netstat="​15";​ chargen="​19";​ finger="​79";​ nntp="​119";​ for port in $ports; do open_ports=$(netstat -an | egrep ":​${!port}[ ]"); if %%[[ -n "​$open_ports"​ ]]%%; then echo "​${port} --> YES"; else echo "​${port} --> NO"; fi; done''​\\ (prints the names of particular processes and whether their standard ports are open or not) |+| **netstat** / **ss** | prints a list of open sockets including port numbers, protocol types and IP addresses, **-a** all current connections,​ **-l** listening ports only, **-t** TCP ports only (used with option "​-a"​ or "​-l"​),​ **-u** UDP ports only (used with option "​-a"​ or "​-l"​),​ **-e** users and i-nodes, **-n** IP addresses, **-p** the PID and name of the program ​using a particular port, **-i** the table of network interfaces, **-r** the kernel routing table, **-s** summary statistics for each protocol\\ ''​$ ports="​echo discard systat daytime netstat chargen finger nntp"; echo="​7";​ discard="​9";​ systat="​11";​ daytime="​13";​ netstat="​15";​ chargen="​19";​ finger="​79";​ nntp="​119";​ for port in $ports; do open_ports=$(netstat -an | egrep ":​${!port}[ ]"); if %%[[ -n "​$open_ports"​ ]]%%; then echo "​${port} --> YES"; else echo "​${port} --> NO"; fi; done''​\\ (prints the names of particular processes and whether their standard ports are open or not) |
 | **nmap** (<​scan>​ <​option>​) <​target>​ | explores ports availability of a remote host in order to identify running services and possibly the operating system type; the scan type can be **-sS** (TCP SYN scan – the most used scan, does not open a full TCP connection, sends a SYN packet and receives SYN/ACK – port is open, or RST – port is closed), **-sA** (TCP ACK scan, maps out firewall rulesets determining whether they are state or not and which ports are filtered), **-sU** (UDP scan), **-sP** (ping scan, checks a host's availability only and its MAC address in the local network); **-sV** prints a program used by the particular service, **-p** <​port>​ specifies the ports, **-O** identifies the OS, **-PN** does not send ping requests (useful when ping is not allowed by the firewall), **-D** <​IP_address>​ a „decoy“ scan to mystify the target, **-iL** <​file>​ reads the target from a file, **-v** detailed output\\ ''​$ nmap root.cz''​\\ ''​$ nmap -sP 10.0.0.0/​24''​\\ ''#​ nmap -sA -v 147.229.28.4''​\\ ''#​ nmap -sS -sV -v 147.229.28.4 > scan.txt''​\\ ''#​ nmap -sS -PN -p 1-65000 192.168.0.247''​\\ ''#​ nmap -sS -sU -iL server_list''​\\ ''#​ nmap -sS -O -D 192.168.0.1,​192.168.0.2 192.168.0.3''​\\ (TCP SYN port scan with OS detection of the target 192.168.0.3,​ pretended to be executed from previous IP addresses) | | **nmap** (<​scan>​ <​option>​) <​target>​ | explores ports availability of a remote host in order to identify running services and possibly the operating system type; the scan type can be **-sS** (TCP SYN scan – the most used scan, does not open a full TCP connection, sends a SYN packet and receives SYN/ACK – port is open, or RST – port is closed), **-sA** (TCP ACK scan, maps out firewall rulesets determining whether they are state or not and which ports are filtered), **-sU** (UDP scan), **-sP** (ping scan, checks a host's availability only and its MAC address in the local network); **-sV** prints a program used by the particular service, **-p** 
<​port>​ specifies the ports, **-O** identifies the OS, **-PN** does not send ping requests (useful when ping is not allowed by the firewall), **-D** <​IP_address>​ a „decoy“ scan to mystify the target, **-iL** <​file>​ reads the target from a file, **-v** detailed output\\ ''​$ nmap root.cz''​\\ ''​$ nmap -sP 10.0.0.0/​24''​\\ ''#​ nmap -sA -v 147.229.28.4''​\\ ''#​ nmap -sS -sV -v 147.229.28.4 > scan.txt''​\\ ''#​ nmap -sS -PN -p 1-65000 192.168.0.247''​\\ ''#​ nmap -sS -sU -iL server_list''​\\ ''#​ nmap -sS -O -D 192.168.0.1,​192.168.0.2 192.168.0.3''​\\ (TCP SYN port scan with OS detection of the target 192.168.0.3,​ pretended to be executed from previous IP addresses) |
 | **service iptables start** / **stop** / **status** | starts / stops the firewall or prints its settings | | **service iptables start** / **stop** / **status** | starts / stops the firewall or prints its settings |
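Review bot: adding `ss` to the `netstat` row title without adjusting the description misattributes one option and leaves the example on the old tool: `-e` means "users and i-nodes" for netstat but prints extended socket information for ss, and the port-check loop still invokes `netstat -an` (net-tools), so on a host that only ships iproute2 it should read `ss -an`, where `-a` and `-n` keep the same meaning. Smaller points in the same hunk: `egrep` is a deprecated alias of `grep -E`; the `nmap` row still uses the legacy spellings `-PN` and `-sP` (still accepted, but documented today as `-Pn` and `-sn`), and "whether they are state or not" should read "stateful".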
Line 36: Line 38:
 | **iptables-save** | exports configured (not even saved) firewall rules from memory to STDOUT\\ ''#​ iptables-save > iprules''​\\ (saves new firewall rules into a particular file) | | **iptables-save** | exports configured (not even saved) firewall rules from memory to STDOUT\\ ''#​ iptables-save > iprules''​\\ (saves new firewall rules into a particular file) |
 | **iptables-restore** | imports firewall rules from STDIN to memory\\ ''#​ iptables-restore < iprules''​\\ (reads the firewall rules from a particular file) | | **iptables-restore** | imports firewall rules from STDIN to memory\\ ''#​ iptables-restore < iprules''​\\ (reads the firewall rules from a particular file) |
-| **iptables** (**-t** <​table>​) <​option>​ <​chain>​ <​specification>​ <​target>​ | sets up and maintains firewall rules in the network; table „filter“ is used for packets filtering (default) and contains builtin chains „INPUT“ for incoming packets, „OUTPUT“ for outgoing packets and „FORWARD“ for packet forwarding between the networks, table „nat“ is used for IP address translations and port forwarding with chain „PREROUTING“ for incoming packets, „OUTPUT“ for altering locally-generated packets before routing and „POSTROUTING“ for outgoing packets, table „mangle“ is used for specialized packet alterations and contains all the above chains; the correct firewall setup strictly depends on the particular rules order listed in ///​etc/​sysconfig/​iptables//;​ option **-I** (<n>) inserts a rule at the head of the chain or in the selected chain given by the rule number, **-A** appends a rule to the end of the selected chain, **-D** (<n>) deletes a rule from the selected chain, **-L** lists all rules in the selected chain, if no chain is selected, all chains are listed; option **-n** prints IP addresses and ports in a numeric format, **-v** prints the number of packets and bytes for each rule including the protocol and interface, **--line-numbers** numbers the rules of a particular chain (useful for further use with option „-I“ or „-D“), **-F** removes the rules for a particular chain, if no chain is selected, all rules are removed, **-P** sets the default policy for the chain (all is allowed by default), **-N** creates a new user-defined chain by the given name, usually used for more detailed specifications of the rules (a default policy cannot be applied for these chains), **-X** removes a user-defined chain; follows the rule specification **-i** <​interface>​ input interface, **-o** <​interface>​ output interface, **-s** <​address>​ source address, **-d** <​address>​ destination address, **-p** <​protocol>​ type of protocol, **-m** <​module>​ rule extension 
(**state** --state <​connection_type>​ specifies the connection type – NEW new connection, ESTABLISHED existing connection, RELATED new connection related to an already existing communication,​ INVALID invalid connection meaning the packets cannot be identified; **time** specifies the time of connection --timestart <​hh:​mm>,​ --timestop <​hh:​mm>,​ --monthdays <​day_in_month>,​ --weekdays <​day_in_week>;​ **iprange** --src-range / --dst-range <​IP-IP>​ specifies the range of source/​destination addresses; **limit** --limit <​n>/<​**s** / **m** / **h** / **d**> specifies the time value, --limit-burst <n> specifies the number of packets), **--sport** <​port>​ source port, **--dport** <​port>​ destination port; and finally **-j** <​target>​ specifies how to deal with the packets – for table „filter“ ACCEPT = accept, DROP = drop, LOG = log the packets, REJECT = send back an error packet in response to the matched packet, for table „nat“ SNAT --to <​IP_address>​ = change the source address, DNAT --to <​IP_address>​ = change the destination address, REDIRECT --to-ports <​port>​ = redirect the port\\ ''#​ iptables -nvL --line-numbers''​\\ (prints the firewall rules in detailed output)\\ ''#​ iptables -P INPUT DROP''​\\ (drops all incoming packets)\\ ''#​ iptables -I INPUT -s 147.229.28.4 -j DROP''​\\ (drops all packets incoming from the particular IP address)\\ ''#​ iptables -A INPUT -p tcp --dport 22 -j DROP''​\\ (drops all packets incoming to the particular port)\\ ''#​ iptables -A INPUT -p tcp --dport 443 -j REJECT''​\\ (sends information about the service unavailability)\\ ''#​ iptables -I OUTPUT -d '​!'​ 147.229.28.4 -j DROP''​\\ (allows only packets outgoing to the particular IP address)\\ ''#​ iptables -A OUTPUT -o eth0 -d 192.168.0.0/​24 -j ACCEPT''​\\ (allows only packets outgoing from the particular interface to the local network)\\ ''#​ iptables -A OUTPUT -d upc.cz -p tcp --dport 80 -j DROP''​\\ (disallows to display the particular URL)\\ ''#​ iptables -A 
FORWARD -i eth0 -o eth1 -p tcp --dport '​!'​ 80 -j DROP''​\\ (allows packet redirections only to port 80)\\ ''#​ iptables -A INPUT -p tcp –dport 50:55 -m iprange --src-range 192.168.0.1-192.168.0.10 -j ACCEPT''​\\ (allows port range of 50-55 for particular IP addresses)\\ ''#​ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT''​\\ (limits the number of „ping“ requests to 2 per 1s)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3250''​\\ (redirects the particular port)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:​8080''​\\ (alters the destination IP address and port of the service)\\ ''#​ iptables -A INPUT -j LOG''​\\ (logs all packets that do not meet any of the configured rules to ///​var/​log/​messages//​)\\ ''#​ iptables -D INPUT 5''​\\ (drops a rule on the 5th order in the list of „INPUT“ chain) | +| **iptables** (**-t** <​table>​) <​option>​ <​chain>​ <​specification>​ <​target>​ | sets up and maintains firewall rules in the network; table „filter“ is used for packets filtering (default) and contains builtin chains „INPUT“ for incoming packets, „OUTPUT“ for outgoing packets and „FORWARD“ for packet forwarding between the networks, table „nat“ is used for IP address translations and port forwarding with chain „PREROUTING“ for incoming packets, „OUTPUT“ for altering locally-generated packets before routing and „POSTROUTING“ for outgoing packets, table „mangle“ is used for specialized packet alterations and contains all the above chains; the correct firewall setup strictly depends on the particular rules order listed in ///​etc/​sysconfig/​iptables//;​ option **-I** (<n>) inserts a rule at the head of the chain or in the selected chain specified ​by the rule number, **-A** appends a rule to the end of the selected chain, **-D** (<n>) deletes a rule from the selected chain, **-L** lists all rules in the selected chain, if no chain is selected, 
all chains are listed; option **-n** prints IP addresses and ports in a numeric format, **-v** prints the number of packets and bytes for each rule including the protocol and interface, **--line-numbers** numbers the rules of a particular chain (useful for further use with option „-I“ or „-D“), **-F** removes the rules for a particular chain, if no chain is selected, all rules are removed, **-P** sets the default policy for the chain (all is allowed by default), **-N** creates a new user-defined chain by the specified ​name, usually used for more detailed specifications of the rules (a default policy cannot be applied for these chains), **-X** removes a user-defined chain; follows the rule specification **-i** <​interface>​ input interface, **-o** <​interface>​ output interface, **-s** <​address>​ source address, **-d** <​address>​ destination address, **-p** <​protocol>​ type of protocol, **-m** <​module>​ rule extension (**state** --state <​connection_type>​ specifies the connection type – NEW new connection, ESTABLISHED existing connection, RELATED new connection related to an already existing communication,​ INVALID invalid connection meaning the packets cannot be identified; **time** specifies the time of connection --timestart <​hh:​mm>,​ --timestop <​hh:​mm>,​ --monthdays <​day_in_month>,​ --weekdays <​day_in_week>;​ **iprange** --src-range / --dst-range <​IP-IP>​ specifies the range of source/​destination addresses; **limit** --limit <​n>/<​**s** / **m** / **h** / **d**> specifies the time value, --limit-burst <n> specifies the number of packets), **--sport** <​port>​ source port, **--dport** <​port>​ destination port; and finally **-j** <​target>​ specifies how to deal with the packets – for table „filter“ ACCEPT = accept, DROP = drop, LOG = log the packets, REJECT = send back an error packet in response to the matched packet, for table „nat“ SNAT --to <​IP_address>​ = change the source address, DNAT --to <​IP_address>​ = change the destination address, 
REDIRECT --to-ports <​port>​ = redirect the port\\ ''#​ iptables -nvL --line-numbers''​\\ (prints the firewall rules in detailed output)\\ ''#​ iptables -P INPUT DROP''​\\ (drops all incoming packets)\\ ''#​ iptables -I INPUT -s 147.229.28.4 -j DROP''​\\ (drops all packets incoming from the particular IP address)\\ ''#​ iptables -A INPUT -p tcp --dport 22 -j DROP''​\\ (drops all packets incoming to the particular port)\\ ''#​ iptables -A INPUT -p tcp --dport 443 -j REJECT''​\\ (sends information about the service unavailability)\\ ''#​ iptables -I OUTPUT -d '​!'​ 147.229.28.4 -j DROP''​\\ (allows only packets outgoing to the particular IP address)\\ ''#​ iptables -A OUTPUT -o eth0 -d 192.168.0.0/​24 -j ACCEPT''​\\ (allows only packets outgoing from the particular interface to the local network)\\ ''#​ iptables -A OUTPUT -d upc.cz -p tcp --dport 80 -j DROP''​\\ (disallows to display the particular URL)\\ ''#​ iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport '​!'​ 80 -j DROP''​\\ (allows packet redirections only to port 80)\\ ''#​ iptables -A INPUT -p tcp –dport 50:55 -m iprange --src-range 192.168.0.1-192.168.0.10 -j ACCEPT''​\\ (allows port range of 50-55 for particular IP addresses)\\ ''#​ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT''​\\ (limits the number of „ping“ requests to 2 per 1s)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3250''​\\ (redirects the particular port)\\ ''#​ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:​8080''​\\ (alters the destination IP address and port of the service)\\ ''#​ iptables -A INPUT -j LOG''​\\ (logs all packets that do not meet any of the configured rules to ///​var/​log/​messages//​)\\ ''#​ iptables -D INPUT 5''​\\ (drops a rule on the 5th order in the list of „INPUT“ chain) | 
-| **ssh** <host> / <​user>​@<​host>​ (<​command>​) | initializes an encrypted logging in to an existing account on the remote host using the same user name on both systems / using different user names; ssh is also used for executing commands on a remote host whose outputs are displayed on STDOUT of the local computer, **-l** <​user>​ logs on under a specified user, **-p** <​port>​ uses a nonstandard port, **-v** detailed output\\ ''​$ ssh 192.168.0.20''​\\ ''​$ ssh norton@mx.webs.cz''​ / ''​ssh -l norton mx.webs.cz''​\\ ''​$ ssh 192.168.0.20 uname -a''​ | +| **firewall-cmd**\\ (implemented from RHEL 7) | manages runtime and permanent firewall configuration,​ **--get-default-zone** prints default zone for connections and interfaces, **--set-default-zone=**<zone> sets default zone for connections and interfaces, **--get-active-zones** prints currently active zones altogether with interfaces and sources used in these zones, **--get-zones** lists all available zones, **--list-all-zones** lists detailed information about all zones, **--zone=**<​zone>​ specifies a zone (if not specified, the default zone is used), **--list-all** lists detailed information about the zone, **--get-services** lists all available services, **--list-services** lists services added for the zone, **--list-ports** lists ports added for the zone, **--add-source=**<​IP_address>/<​network/​netmask>​ routes all traffic coming from the IP address or network/​netmask to the zone, **--remove-source=**<​IP_address>/<​network/​netmask>​ removes the rule routing all traffic from the zone coming from the IP address or network/​netmask network, **--add-interface=**<​interface>​ routes all traffic coming from an interface to the zone, **--change-interface=**<​interface>​ changes an interface for the zone, **--add-service=**<​service>​ adds a service for the zone, **--remove-service=**<​service>​ removes a service from the zone, **--add-port=**<​port>/<​protocol>​ adds a port/​protocol for the zone, 
**--remove-port=**<​port>/<​protocol>​ removes a port/​protocol from the zone, **--permanent** performs a permanent configuration,​ **--reload** applies the permanent configuration,​ **--runtime-to-permanent** saves the current runtime configuration as permanent\\ ''#​ firewall-cmd --add-service=http --permanent''​\\ (permits a permanent access by HTTP clients for the default zone)\\ ''#​ firewall-cmd --add-port=2222/​tcp --permanent''​\\ (opens TCP port 2222 for the default zone)\\ ''#​ firewall-cmd --zone=internal --add-source=192.168.0.0/​24 --permanent''​\\ (routes all traffic coming from the 192.168.0.0/​24 network to the internal zone)\\ ''#​ firewall-cmd --zone=internal --list-all --permanent''​\\ (lists detailed information about the internal zone)\\ ''#​ firewall-cmd --add-rich-rule='​rule family=ipv4 source address=183.131.80.130 reject'​ --permanent''​\\ (blocks a specific IP address for the default zone)\\ ''#​ firewall-cmd --reload''​\\ (reloads the changes in the firewall settings) | 
-| **ssh-keygen** | generates a pair of authentication keys – private and public which provide a secure user identification during the ssh connection without the necessity to enter the logging name and password; the private key is by default located in //​~/​.ssh/​id_rsa//​ či //​~/​.ssh/​id_dsa//,​ the public key in //​~/​.ssh/​id_rsa.pub//​ or //​~/​.ssh/​id_dsa.pub//​ and its contents need to be put into //​~/​.ssh/​authorized_keys//​ of the remote host; the program also asks the user to enter a „passphrase“ (string of arbitrary characters, including white spaces, protecting the private key against abuse) which, if not empty, is required from the user for identification at the beginning of each connection, **-t** <key> specifies the type of key – „rsa“ or „dsa“ (by default „rsa“), **-p** alters a „passphrase“,​ **-v** detailed output |+| **ssh** (<​user>​@)<​host>​ (<​command>​) | initializes an encrypted logging in to an existing account on the remote host using the same user name on both systems / using different user names; ssh is also used for executing commands on a remote host whose outputs are displayed on STDOUT of the local computer, **-l** <​user>​ logs on under a specified user, **-i** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa//​ is used), **-p** <​port>​ uses a nonstandard port, **-o** <​option>​ uses a specified option to override the default configuration, **-v** detailed output\\ ''​$ ssh 192.168.0.20''​\\ ''​$ ssh norton@mx.webs.cz''​ / ''​ssh -l norton mx.webs.cz''​\\ ''​$ ssh 192.168.0.20 uname -a''​\\ ''​$ ssh -o PubkeyAuthentication=no norton@192.168.0.20''​\\ ''​$ echo "​insert hostname":;​ while read hostname; do ssh $hostname 'echo "​Hostname":​ $(hostname);​ echo "Linux version":​ $(uname -a; cat /​etc/​redhat-release)'>​ ${hostname}_version.log && echo "​insert hostname":;​ done''​ | 
 +| **ssh-keygen** | generates a pair of authentication keys – private and public which provide a secure user identification during the ssh connection without the necessity to enter the logging name and password; the private key is by default located in //​~/​.ssh/​id_rsa//​ či //​~/​.ssh/​id_dsa//,​ the public key in //​~/​.ssh/​id_rsa.pub//​ or //​~/​.ssh/​id_dsa.pub//​ and its contents need to be put into //​~/​.ssh/​authorized_keys//​ of the remote host; the program also asks the user to enter a „passphrase“ (string of arbitrary characters, including white spaces, protecting the private key against abuse) which, if not empty, is required from the user for identification at the beginning of each connection, **-t** <key> specifies the type of key – „rsa“ or „dsa“ (by default „rsa“), **-f** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa//​ is used), **-p** alters a „passphrase“,​ **-v** detailed output |
 | **ssh-copy-id** (<​user>​@)<​host>​ | copies a public key of the user from the local computer into //​~/​.ssh/​authorized_keys//​ of the host, **-i** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa.pub//​ is used)\\ ''​$ ssh-copy-id -i ~/​.ssh/​id_dsa.pub dookie@94.112.152.47''​ | | **ssh-copy-id** (<​user>​@)<​host>​ | copies a public key of the user from the local computer into //​~/​.ssh/​authorized_keys//​ of the host, **-i** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa.pub//​ is used)\\ ''​$ ssh-copy-id -i ~/​.ssh/​id_dsa.pub dookie@94.112.152.47''​ |
-| **ssh-add** (<file>) | delivers temporarily a private key and „passphrase“ under „ssh-agent“ management | +| **ssh-agent** (<command>) | provides a secure logging based on authentication keys without the necessity to enter a „passphrase“ for user identification at the beginning of each connection (useful especially for commands executing on more remote servers via a script); ssh-agent is thus executed as first before the connection, by „ssh-add“ the private key is delivered and only once a „passphrase“ is required\\ ''​$ ssh-agent sh **<​-'​**''​\\ ''​$ ssh-add **<​-'​**''​\\ ''>​ <​passphrase>​ **<​-'​**'' ​
-| **ssh-agent** <​command> ​| provides a secure logging based on authentication keys without the necessity to enter a „passphrase“ for user identification at the beginning of each connection (useful especially for commands executing on more remote servers via a script); ssh-agent is thus executed as first before the connection, by „ssh-add“ the private key is delivered and only once a „passphrase“ is required\\ ''​$ ssh-agent sh **<​-'​**''​\\ ''​$ ssh-add **<​-'​**''​\\ ''>​ <​passphrase>​ **<​-'​**''​ | +| **ssh-add** (<​file>​) | provides temporarily a private key and passphrase under „ssh-agent“ management ​
-| **scp** (<​host>:​ / <​user>​@<​host>:​)<​source>​ (<​host>:​ / <​user>​@<​host>:​)<​target>​ | initializes an encrypted data transfer between remote hosts using the same user name on both systems / using different user names, **-p** preserves file attributes, **-r** recursively,​ **-v** detailed output, **-P** <​port>​ uses a nonstandard port, **-l** limits the used bandwidth specified in kB/s, **-C** compression\\ ''​$ scp -rv mx.webs.cz:/​home/​kuba/​data .''​\\ (copies directory „data“ from the remote host to the working directory on the local computer)\\ ''​$ scp ~/​.ssh/​id_rsa.pub ​norton@192.168.0.1:​.ssh/​authorized_keys''​\\ (copies file „id_rsa.pub“ from the local computer to „.ssh/“ in the home directory on the remote host)\\ ''​$ scp norton@arnold:soubor.txt 192.168.20.1:''​\\ (copies file „file.txt“ from one remote host to another, in both cases from and to user's home directory) | +| **scp** (<​host>:​ / <​user>​@<​host>:​)<​source>​ (<​host>:​ / <​user>​@<​host>:​)<​target>​ | initializes an encrypted data transfer between remote hosts using the same user name on both systems / using different user names, **-p** preserves file attributes, **-r** recursively, **-i** <​file>​ specifies the file with the keys (otherwise //​~/​.ssh/​id_rsa//​ is used), **-v** detailed output, **-P** <​port>​ uses a nonstandard port, **-l** limits the used bandwidth specified in kB/s, **-C** compression\\ ''​$ scp -rv 192.168.0.20:/​home/​kuba/​data .''​\\ (copies directory „data“ from the remote host to the working directory on the local computer)\\ ''​$ scp ~/​.ssh/​id_rsa.pub ​kuba@192.168.0.20:​.ssh/​authorized_keys''​\\ (copies file „id_rsa.pub“ from the local computer to „.ssh/“ in the home directory on the remote host)\\ ''​$ scp kuba@192.168.0.20:soubor.txt 192.168.0.21:''​\\ (copies file „file.txt“ from one remote host to another, in both cases from and to user's home directory) | 
-| **sftp** ​<​host>​ / <​user>​@<​host>​ | initializes an interactive encrypted data transfer between remote hosts using the same user name on both systems / using different user names, **-P** <​port>​ uses a nonstandard port; the following commands are used: **!** <​command>​ executes a specified command on the local computer, **help** or **?** help, **get** <​file>​ copies a remote file to the local computer, **mget** <​fil*>​ copies more files using wildcards, ​for the opposite direction ​**put** <​file> ​or **mput** <​fil*>,​ **bye**/​**quit**/​**exit** ​termination ​+| **sftp** ​(<​user>​@)<​host>​ | initializes an interactive encrypted data transfer between remote hosts using the same user name on both systems / using different user names, **-P** <​port>​ uses a nonstandard port; the following commands are used: **!** <​command>​ executes a specified command on the local computer, **help** or **?** help, **get** <​file>​ copies a remote file to the local computer, **mget** <​fil*>​ copies more remote ​files using wildcards, **put** <​file> ​copies a local file to the remote computer, ​**mput** <​fil*> ​copies more local files using wildcards, **bye**/​**quit**/​**exit** ​quits the program ​
-| **telnet** <​host>​ (<​port>​) | initializes an unencrypted logging in to an existing account on the remote host or detects a specified port availability;​ without ​a parameter ​it works interactively\\ ''​$ telnet 192.168.0.20 80''​ | +| **telnet** <​host>​ (<​port>​) | initializes an unencrypted logging in to an existing account on the remote host or detects a specified port availability;​ without ​an argument ​it works interactively\\ ''​$ telnet 192.168.0.20 80''​ | 
-| **ftp** <​host>​ | initializes an interactive unencrypted data transfer between remote hosts; the following commands are used: **!** <​command>​ executes a specified command on the local computer, **help** or **?** help, **get** <​file>​ copies a remote file to the local computer, **mget** <​fil*>​ copies more files using wildcards, ​for the opposite direction ​**put** <​file> ​or **mput** <​fil*>,​ **bye**/​**quit**/​**exit** ​termination ​+| **ftp** <​host>​ | initializes an interactive unencrypted data transfer between remote hosts; the following commands are used: **!** <​command>​ executes a specified command on the local computer, **help** or **?** help, **get** <​file>​ copies a remote file to the local computer, **mget** <​fil*>​ copies more remote ​files using wildcards, **put** <​file> ​copies a local file to the remote computer, ​**mput** <​fil*> ​copies more local files using wildcards, **bye**/​**quit**/​**exit** ​quits the program ​
-| **lynx** <URL> | displays the contents of the URL, **q** terminates ​the program\\ ''​$ lynx centos.org''​ |+| **lynx** <URL> | displays the contents of the URL, **q** quits the program\\ ''​$ lynx centos.org''​ |
 | **wget** <URL> | downloads the contents of the URL into the working directory, **-c** continues downloading a partially-downloaded file after the transfer is interrupted,​ **-r** recursive download, **-t** <n> specifies the number of download attempts | | **wget** <URL> | downloads the contents of the URL into the working directory, **-c** continues downloading a partially-downloaded file after the transfer is interrupted,​ **-r** recursive download, **-t** <n> specifies the number of download attempts |
 | **curl** <URL> | copies data from or to a specified URL, **-o** <​file>​ specifies a target file (by default STDOUT), **-F** <​item>​**=**<​contents>​ specifies outgoing data („@“ represents a source file)\\ ''#​ curl -o /​etc/​yum.repos.d/​data.repo set.cz/​data.repo''​ | | **curl** <URL> | copies data from or to a specified URL, **-o** <​file>​ specifies a target file (by default STDOUT), **-F** <​item>​**=**<​contents>​ specifies outgoing data („@“ represents a source file)\\ ''#​ curl -o /​etc/​yum.repos.d/​data.repo set.cz/​data.repo''​ |
-| **mail** | displays the contents of the logged-in user's mailbox (///​var/​spool/​mail/<​user>//​),​ **-f** displays the contents of mailbox with already read messages (///​home/<​user>/​mbox//​);​ commands related to work with the mailbox: **p**/​**p**(n) displays the oldest message / particular message, **r** replies to the message, **d**/​**d**(m-n)/​**d*** deletes particular/​all messages, **q** terminates ​the program |+| **mail** | displays the contents of the logged-in user's mailbox (///​var/​spool/​mail/<​user>//​),​ **-f** displays the contents of mailbox with already read messages (///​home/<​user>/​mbox//​);​ commands related to work with the mailbox: **p**/​**p**(n) displays the oldest message / particular message, **r** replies to the message, **d**/​**d**(m-n)/​**d*** deletes particular/​all messages, **q** quits the program |
 | **mail** <​address>​ | sends a message to the specified address, **-s** <​subject>​ subject, **-c** <​address>​ carbon copy (CC), **-b** <​address>​ blind carbon copy (BCC)\\ ''​$ mail root''​ / ''​tom@atlas.cz < offer.txt''​\\ ''​$ cat file | mail -s "​offer"​ james -c root''​\\ ''​$ echo "Hello James" | mail -s "​greeting"​ james''​\\ the message can also be sent this way:\\ ''​$ mail <​address>​ **<​-'​**''​\\ ''//​Subject://​ <​subject>​ **<​-'​**''​\\ ''<​text>​ **<​-'​**''​\\ ''​.**<​-'​**''​ or ''​**ctrl**+**d**''​\\ ''//​Cc://​ <​address>​ **<​-'​**''​ | | **mail** <​address>​ | sends a message to the specified address, **-s** <​subject>​ subject, **-c** <​address>​ carbon copy (CC), **-b** <​address>​ blind carbon copy (BCC)\\ ''​$ mail root''​ / ''​tom@atlas.cz < offer.txt''​\\ ''​$ cat file | mail -s "​offer"​ james -c root''​\\ ''​$ echo "Hello James" | mail -s "​greeting"​ james''​\\ the message can also be sent this way:\\ ''​$ mail <​address>​ **<​-'​**''​\\ ''//​Subject://​ <​subject>​ **<​-'​**''​\\ ''<​text>​ **<​-'​**''​\\ ''​.**<​-'​**''​ or ''​**ctrl**+**d**''​\\ ''//​Cc://​ <​address>​ **<​-'​**''​ |
 | **wall** <​message>​ | sends messages to all open terminals of logged-in users with their mesg permission set to "​yes"​ | | **wall** <​message>​ | sends messages to all open terminals of logged-in users with their mesg permission set to "​yes"​ |
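Review bot: the port-range example in the iptables row, `iptables -A INPUT -p tcp –dport 50:55 -m iprange ...`, uses a typographic dash (`–dport`) instead of `--dport`, so the command as printed is rejected; it should read `--dport 50:55`. The inverted matches in the same row, `-d '!' 147.229.28.4` and `--dport '!' 80`, use the deprecated "negation after the option" form that iptables warns about; the current syntax puts the bang before the option (`! -d 147.229.28.4`, `! --dport 80`). Two caveats belong next to the examples: `iptables -P INPUT DROP` ("drops all incoming packets") terminates the SSH session it is typed in unless an `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule precedes it, and `iptables -A INPUT -j LOG` logs "packets that do not meet any of the configured rules" only when it is appended after every other rule, since LOG is non-terminating and the chain policy still applies afterwards.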
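Review bot: in the ssh row's `while read hostname; do ssh $hostname ...; done` example, `ssh` inherits the loop's standard input and can consume input meant for the next `read`; adding `-n` to the ssh invocation (or redirecting its stdin from `/dev/null`) keeps the loop reading the hostnames itself, and the variable should be quoted (`ssh -n "$hostname"`). The `-i <file>` description ("otherwise ~/.ssh/id_rsa is used") also understates the default: ssh tries several identity files (id_rsa, id_ecdsa, id_ed25519 and, where enabled, id_dsa), and the same wording is repeated for `scp -i`.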
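Review bot: the ssh-keygen row's `-t <key>` description lists only „rsa“ and „dsa“; DSA keys have been disabled by default in OpenSSH since version 7.0, and `ed25519` (or `ecdsa`) is the type to recommend today, so the row should mention it and mark dsa as legacy. The `-f <file>` text states the default as ~/.ssh/id_rsa, but ssh-keygen derives the default file name from the key type (id_ed25519 for `-t ed25519`), which is worth saying so readers do not expect id_rsa after generating another type.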
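Review bot: the scp row's `scp ~/.ssh/id_rsa.pub kuba@192.168.0.20:.ssh/authorized_keys` overwrites the remote authorized_keys file, so every key already stored there is lost; `ssh-copy-id`, documented in its own row above, appends the key instead and should be the recommended way, or the public key should be copied under a temporary name and then added with `cat tmp.pub >> ~/.ssh/authorized_keys`. Two smaller points in the same row: `-l` limits the bandwidth in Kbit/s, not kB/s, and the third example copies `soubor.txt` while its explanation speaks of „file.txt“.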
Last modified: 2019/04/12 17:42 by Miroslav Bernát
