Develop Reference

Have unbound use only ipv6 transport

So I wanted to have Unbound use IPv6 transport only and not use IPv4 when doing lookups. (This is for fun. I want to see all the dns look ups done in IPv6 for educationsl purpose.)
My computer has IPv6 connectivity (can do curl -6) so I created an Unbound server.
Thought adding do-ip4: no was enough but I'm not getting anything from dig.
My prediction was that my computer is trying to use systemd-resolved instead of unbound but that has nothing to do with IPv6 so I guess not?
Here are my config files and tcpdump
With IPv4 enabled (working)
$ cat /etc/unbound/unbound.conf.d/myunbound.conf
server:
port: 53
verbosity: 0
num-threads: 2
outgoing-range: 512
num-queries-per-thread: 1024
msg-cache-size: 32m
interface: 0.0.0.0
interface: 2001:myipv6addr:20
rrset-cache-size: 64m
cache-max-ttl: 86400
infra-host-ttl: 60
infra-lame-ttl: 120
access-control: 127.0.0.0/8 allow
access-control: 0.0.0.0/0 allow
username: unbound
directory: "/etc/unbound"
use-syslog: no
hide-version: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
# prefer-ip6: no
remote-control:
control-enable: yes
control-port: 953
control-interface: 0.0.0.0
tcpdump -n -vv port 53 -i any
for dig o.com
19:56:49.226291 IP6 (flowlabel 0xa269b, hlim 64, next-header UDP (17) payload length: 54) ::1.39522 > ::1.53: [bad udp cksum 0x0049 -> 0xa5ea!] 35213+ [1au] A? o.com. ar: . OPT UDPsize=4096 (46)
19:56:50.222460 IP (tos 0x0, ttl 64, id 49989, offset 0, flags [none], proto UDP (17), length 74)
127.0.0.1.52155 > 127.0.0.1.53: [bad udp cksum 0xfe49 -> 0x7690!] 35213+ [1au] A? o.com. ar: . OPT UDPsize=4096 (46)
19:56:50.222695 IP (tos 0x0, ttl 64, id 47599, offset 0, flags [none], proto UDP (17), length 62)
[myIPv4].41206 > 192.35.51.30.53: [bad udp cksum 0x4644 -> 0x5c52!] 46488% [1au] A? o.com. ar: . OPT UDPsize=4096 DO (34)
19:56:50.292985 IP (tos 0x0, ttl 54, id 26365, offset 0, flags [none], proto UDP (17), length 1153)
192.35.51.30.53 > [myIPv4].41206: [udp sum ok] 46488 NXDomain*- q: A? o.com. 0/8/1 ns: com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1653044192 1800 900 604800 86400, com. RRSIG, CK0POJMG874LJREF7EFN8430QVIT8BSM.com. Type50, CK0POJMG874LJREF7EFN8430QVIT8BSM.com. RRSIG, TE4S5DTC23DPH5M574GG84GG0Q86T3GM.com. Type50, TE4S5DTC23DPH5M574GG84GG0Q86T3GM.com. RRSIG, 3RL2Q58205687C8I9KC9MV46DGHCNS45.com. Type50, 3RL2Q58205687C8I9KC9MV46DGHCNS45.com. RRSIG ar: . OPT UDPsize=4096 DO (1125)
19:56:50.293239 IP (tos 0x0, ttl 64, id 49997, offset 0, flags [none], proto UDP (17), length 135)
127.0.0.1.53 > 127.0.0.1.52155: [bad udp cksum 0xfe86 -> 0xc2e6!] 35213 NXDomain q: A? o.com. 0/1/1 ns: com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1653044192 1800 900 604800 86400 ar: . OPT UDPsize=4096 (107)
With IPv4 disabled (not working)
$ cat /etc/unbound/unbound.conf.d/myunbound.conf
server:
port: 53
verbosity: 0
num-threads: 2
outgoing-range: 512
num-queries-per-thread: 1024
msg-cache-size: 32m
interface: 0.0.0.0
interface: 2001:myipv6addr:20
rrset-cache-size: 64m
cache-max-ttl: 86400
infra-host-ttl: 60
infra-lame-ttl: 120
access-control: 127.0.0.0/8 allow
access-control: 0.0.0.0/0 allow
username: unbound
directory: "/etc/unbound"
use-syslog: no
hide-version: yes
do-ip4: no
do-ip6: yes
do-udp: yes
do-tcp: yes
# prefer-ip6: no
remote-control:
control-enable: yes
control-port: 953
control-interface: 0.0.0.0
tcpdump
dig k.com
20:02:32.122198 IP6 (flowlabel 0x8897b, hlim 64, next-header UDP (17) payload length: 54) ::1.53805 > ::1.53: [bad udp cksum 0x0049 -> 0x676c!] 15532+ [1au] A? k.com. ar: . OPT UDPsize=4096 (46)
20:02:33.122126 IP (tos 0x0, ttl 64, id 59754, offset 0, flags [none], proto UDP (17), length 74)
127.0.0.1.35568 > 127.0.0.1.53: [bad udp cksum 0xfe49 -> 0xb0a8!] 15532+ [1au] A? k.com. ar: . OPT UDPsize=4096 (46)
20:02:38.126147 IP6 (flowlabel 0x8897b, hlim 64, next-header UDP (17) payload length: 54) ::1.53805 > ::1.53: [bad udp cksum 0x0049 -> 0x676c!] 15532+ [1au] A? k.com. ar: . OPT UDPsize=4096 (46)
20:02:39.122227 IP (tos 0x0, ttl 64, id 59906, offset 0, flags [none], proto UDP (17), length 74)
127.0.0.1.35568 > 127.0.0.1.53: [bad udp cksum 0xfe49 -> 0xb0a8!] 15532+ [1au] A? k.com. ar: . OPT UDPsize=4096 (46)
20:02:44.126099 IP6 (flowlabel 0x8897b, hlim 64, next-header UDP (17) payload length: 54) ::1.53805 > ::1.53: [bad udp cksum 0x0049 -> 0x676c!] 15532+ [1au] A? k.com. ar: . OPT UDPsize=4096 (46)
20:02:45.122363 IP (tos 0x0, ttl 64, id 60247, offset 0, flags [none], proto UDP (17), length 74)
127.0.0.1.35568 > 127.0.0.1.53: [bad udp cksum 0xfe49 -> 0xb0a8!] 15532+ [1au] A? k.com. ar: . OPT UDPsize=4096 (46)

Needed to add
interface: ::1
to the conf file

Linux OpenSuse42.3 - port status - filtered

I have a problem, which I hope somebody can point me to the right direction.
Problem >>>
A) Our external provider (connects via VPN) needs to access "OpenSuse42.3" to specific ports, which
"nmap" or "ncat" tools shows as "filtered" or "refused".
B) No services are listening on these ports.
C) No firewall is running on this server.
D) Security team opened these ports on firewall with evidence that connection get reset by server
"OpenSuse42.3".
Test runs from "10.10.10.2" to "10.10.10.1" (problem server) from provider VPN connection (from my computer)
Example 1 : from "10.10.10.2"
>>> nmap -sT -p1101,3050 10.10.10.1
>>>
PORT STATE SERVICE
1101/tcp filtered pt2-discover
3050/tcp filtered gds_db
Example 2 : from "10.10.10.2"
nc -z -v 10.10.10.1 1101
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection refused.
nc -z -v 10.10.10.1 3050
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection refused.
Example 3: on server "10.10.10.1"
tcpdump -n -i eth0 port 1101 or port 3050 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:00:28.940582 IP (tos 0x0, ttl 64, id 32383, offset 0, flags [DF], proto TCP (6), length 60)
10.10.10.2.58000 > 10.10.10.1.1101: Flags [S], cksum 0xa3fc (correct), seq 3906215335, win 29200,
options [mss 1460,sackOK,TS val 1388733400 ecr 0,nop,wscale 7], length 0
13:00:28.940662 IP (tos 0x0, ttl 64, id 40440, offset 0, flags [DF], proto TCP (6), length 40)
10.10.10.1.1101 > 10.10.10.2.58000: Flags [R.], cksum 0x347b (correct), seq 0, ack 3906215336,
win 0, length 0
13:00:31.263502 IP (tos 0x0, ttl 64, id 60627, offset 0, flags [DF], proto TCP (6), length 60)
10.10.10.2.40830 > 10.10.10.1.3050: Flags [S], cksum 0x8bc2 (correct), seq 3504308280, win 29200,
options [mss 1460,sackOK,TS val 1388735723 ecr 0,nop,wscale 7], length 0
13:00:31.263569 IP (tos 0x0, ttl 64, id 40888, offset 0, flags [DF], proto TCP (6), length 40)
10.10.10.1.3050 > 10.10.10.2.40830: Flags [R.], cksum 0x2554 (correct), seq 0, ack 3504308281,
win 0, length 0
BUT
As soon as I put something on the server like - "nc -l 1101" or "nc -l 3050"
problem disappears, which probably makes sense. To my knowledge "nmap" tool usually shows port status as "closed" if port is not firewalled and service is not running and "open" if service is running on this port.
Question
Are ports opened or closed ??? What else do I check, because provider keep insisting that ports are closed on "10.10.10.1" and he cannot continue his work.
Please let me knoe if something is unclear in this situation and I will respond.
Appreciate it !!!!

Using Linux virtual ethernet interfaces (veth) to test a custom TCP stack

If have set up a pair of virtual ethernet devices veth0 and veth1:
ip link add veth0 type veth peer name veth1
# Bring the interfaces up
sudo ifconfig veth0 up
sudo ifconfig veth1 up
sudo ifconfig veth0 1.1.1.1
sudo ifconfig veth1 1.1.1.2
Inside my application I connect to veth0 using a raw socket. Incoming packets are forwarded to my own TCP/IP stack implementation. Replies from the stack are sent back to the socket.
I also have a simple HTTP server running on my stack. I try to connect to it using the curl:
sudo curl -vvv --interface veth1 1.1.1.1/1/2/10000
* Trying 1.1.1.1...
* Local Interface veth1 is ip 1.1.1.2 using address family 2
* Local port: 0
Now my custom stack receives the SYN, enters the SYN-RECEIVED state and replies a with a SYN-ACK. This is sent down the stack back to the raw socket.
However, it seems that curl is not receiving the SYN-ACK because it keeps retransmitting the original SYN.
According to tcpdump the SYN-ACK does seem to arrive on 1.1.1.2:
$ sudo tcpdump -i veth1 -vv
tcpdump: listening on veth1, link-type EN10MB (Ethernet), capture size 262144 bytes
02:43:41.680087 IP (tos 0x0, ttl 64, id 59135, offset 0, flags [DF], proto TCP (6), length 60)
1.1.1.2.41847 > 1.1.1.1.http: Flags [S], cksum 0x0433 (incorrect -> 0x38a4), seq 446675468, win 29200, options [mss 1460,sackOK,TS val 1266013534 ecr 0,nop,wscale 7], length 0
02:43:41.680345 IP (tos 0x0, ttl 64, id 30106, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.http > 1.1.1.2.41847: Flags [S.], cksum 0x0bbe (correct), seq 697874744, ack 446675469, win 65535, options [mss 1460,wscale 5,nop,sackOK,nop,nop], length 0
02:43:42.690344 IP (tos 0x0, ttl 64, id 59136, offset 0, flags [DF], proto TCP (6), length 60)
1.1.1.2.41847 > 1.1.1.1.http: Flags [S], cksum 0x0433 (incorrect -> 0x34b2), seq 446675468, win 29200, options [mss 1460,sackOK,TS val 1266014544 ecr 0,nop,wscale 7], length 0
02:43:44.706343 IP (tos 0x0, ttl 64, id 59137, offset 0, flags [DF], proto TCP (6), length 60)
1.1.1.2.41847 > 1.1.1.1.http: Flags [S], cksum 0x0433 (incorrect -> 0x2cd2), seq 446675468, win 29200, options [mss 1460,sackOK,TS val 1266016560 ecr 0,nop,wscale 7], length 0
02:43:46.850382 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.1 tell 1.1.1.2, length 28
02:43:46.850579 ARP, Ethernet (len 6), IPv4 (len 4), Reply 1.1.1.1 is-at 92:c6:e5:d6:03:2f (oui Unknown), length 46
02:43:47.680487 IP (tos 0x0, ttl 64, id 30107, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.http > 1.1.1.2.41847: Flags [S.], cksum 0x0bbe (correct), seq 697874744, ack 446675469, win 65535, options [mss 1460,wscale 5,nop,sackOK,nop,nop], length 0
02:43:48.898343 IP (tos 0x0, ttl 64, id 59138, offset 0, flags [DF], proto TCP (6), length 60)
1.1.1.2.41847 > 1.1.1.1.http: Flags [S], cksum 0x0433 (incorrect -> 0x1c72), seq 446675468, win 29200, options [mss 1460,sackOK,TS val 1266020752 ecr 0,nop,wscale 7], length 0
02:43:57.090346 IP (tos 0x0, ttl 64, id 59139, offset 0, flags [DF], proto TCP (6), length 60)
1.1.1.2.41847 > 1.1.1.1.http: Flags [S], cksum 0x0433 (incorrect -> 0xfc71), seq 446675468, win 29200, options [mss 1460,sackOK,TS val 1266028944 ecr 0,nop,wscale 7], length 0
02:43:59.680648 IP (tos 0x0, ttl 64, id 30108, offset 0, flags [DF], proto TCP (6), length 52)
1.1.1.1.http > 1.1.1.2.41847: Flags [S.], cksum 0x0bbe (correct), seq 697874744, ack 446675469, win 65535, options [mss 1460,wscale 5,nop,sackOK,nop,nop], length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
Wireshark screenshot.
Does anyone know why my SYN-ACK doesn't reach the other side of the TCP connection?

The problem was that veth interfaces are using checksum offload by default so the forwarded packets had a bad checksum and were ignored by the kernel. Running 'ethtool --offload IF_NAME rx off tx off' on veth interfaces (the sender and receiver), you may fix it.

why does the host always response `RST` though the server is listening on the port?

I am using gitlab docker image to deploy a service, and the web port is 8080 on host. After running the gitlab, I can see the port is OK:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b85d87da48df genezys/gitlab:7.5.2 "/bin/sh -c 'gitlab- 25 minutes ago Up 25 minutes 0.0.0.0:2222->22/tcp, 0.0.0.0:8080->80/tcp gitlab_app
The netstat command also diplays OK:
[root#localhost backup]# netstat -nlp | grep 8080
tcp6 0 0 :::8080 :::* LISTEN 12489/docker-proxy
But the web browser can't connect the 8080 successfully (http://10.137.20.112:8080/), and the tcpdump output likes this:
[root#localhost ~]# tcpdump -i enp2s0f1 port 8080 -vv
tcpdump: listening on enp2s0f1, link-type EN10MB (Ethernet), capture size 65535 bytes
02:40:00.808034 IP (tos 0x0, ttl 128, id 4031, offset 0, flags [DF], proto TCP (6), length 52)
perfls15.americas.hpqcorp.net.53178 > 10.137.20.112.webcache: Flags [S], cksum 0x17d1 (correct), seq 997417494, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:40:00.808141 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
10.137.20.112.webcache > perfls15.americas.hpqcorp.net.53178: Flags [R.], cksum 0x788a (correct), seq 0, ack 997417495, win 0, length 0
02:40:01.322048 IP (tos 0x0, ttl 128, id 4032, offset 0, flags [DF], proto TCP (6), length 52)
perfls15.americas.hpqcorp.net.53178 > 10.137.20.112.webcache: Flags [S], cksum 0x17d1 (correct), seq 997417494, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:40:01.322123 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
10.137.20.112.webcache > perfls15.americas.hpqcorp.net.53178: Flags [R.], cksum 0x788a (correct), seq 0, ack 1, win 0, length 0
02:40:01.821289 IP (tos 0x0, ttl 128, id 4033, offset 0, flags [DF], proto TCP (6), length 48)
......
I can't see why the host always responses RST, could anyone give some debugging clues?

Check output of 'iptables -L -n'. If you do not see port 8080 opened in that ouput, you may need to do so
with RHEL7, you need to use firewall-cmd as below
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload

I need get a substring in Shell Script

i need help.
I need get a substring in the next line
11:46:24.851239 IP (tos 0x0, ttl 128, id 11289, offset 0, flags [none], proto UDP (17), length 229)
the result must be: ttl 128
I hope you can help me!
Thanks!

Try doing this :
echo '11:46:24.851239 IP (tos 0x0, ttl 128, id 11289, offset 0, flags [none], proto UDP (17), length 229)' |
grep -oP "\bttl\s+\d+\b"
ttl 128
NOTE
\b is a word boundary
\s is a space
+ mean at least one or more preceding character
-P switch is pcre advanced useful syntax for grep
-o switch mean to print only the matching part
EDIT
If you want to put this in a variable :
var=$(
echo '11:46:24.851239 IP (tos 0x0, ttl 128, id 11289, offset 0, flags [none], proto UDP (17), length 229)' |
grep -oP "\bttl\s+\d+\b"
)
echo "$var"

Try using grep -o 'ttl [0-9]\+':
$ echo '11:46:24.851239 IP (tos 0x0, ttl 128, id 11289, offset 0, flags [none], proto UDP (17), length 229)' | grep -o 'ttl [0-9]\+'
ttl 128

Using sed:
sed 's/.*[ ]*\(ttl[ ]*[0-9]*\).*/\1/' input