#StackBounty: #linux #networking #wifi RaspberryPi access point on wlan1 stopped working

Bounty: 50

I have a Raspberry Pi 3 with an external WiFi antenna wlan1 set up as an independent IoT access point without Internet connection following this tutorial, using hostapd and isc-dhcp-server. I omitted the Network Address Translation part.
The AP worked well up to the point when I tried connecting wlan0 to my router at home for accessing the Internet via the GUI.

My /etc/network/interfaces looks like this

auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa/supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet static
    address 192.168.42.1
    netmask 255.255.255.0

I setup the daemon

sudo service hostapd start
sudo service isc-dhcp-server start 

and

sudo update-rc.d hostapd enable
sudo update-rc.d isc-dhcp-server enable  

and this all worked before I started messing with wlan0. But now on boot, when hovering over the GUI, it says “wlan1: Disassociated from Pi3AP” and sudo service hostapd status prints

Loaded: loaded (/etc/init.d/hostapd)
Active: active (exited) since ... 31 mins ago
Process: 571 ExecStart=/etc/init.d/hostapd start (code=exited, status=0/SUCCESS)

The command

sudo service isc-dhcp-server status

returns an error

raspberrypi dhcpd[778]: receive_packet failed on wlan1: Network is down

When I run

sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf

all works again, but nothing on reboot. Can someone spot where the error lies? Somehow the network GUI and/or the two wlan interfaces seem to be interfering with each other.


Get this bounty!!!

#StackBounty: #linux #networking #virtual-machine #virtualization #debian-jessie Issues with Xen and Routed networking

Bounty: 50

I have spent the last seven days trying to get this working, but the guides out there are either vague or outdated; at the bottom of this post I have added links to some of the guides I tried to follow. I have a dedicated machine at Hetzner and I want to set up virtualisation. I can create the VMs no problem; the issue I have is with networking. On the Hetzner network you can’t use a simple bridge, because they route any additional subnets to your host's main IP and won’t accept packets if the MAC address does not match the host machine.

I have worked out that I need to use routed networking to route my subnet through my eth0 connection. I have tried again and again and I can never get the networking to work: I can never access anything outside my VM at all, not even dom0. I can usually ssh into the servers from dom0 using the address I assigned them. I have run tcpdump, and ping packets are reaching dom0 when they are meant for a domU, but they just stop there and never get to the domU.

The one solution I tried that worked first time was Virtualizor; my idea then was to just take its config and replicate it without the control panel, as I don’t need one, and paying for something I don’t need seems pointless to me since I am the only user of this machine and its VMs.

I am using Debian-based operating systems and the xl tool, as I am mainly using Debian Jessie; I want the OS to be within a reasonable support range for security updates. I have also tried Ubuntu from 14.04 upwards. I think the issue is the interfaces file setup, but I don’t know what's wrong.

Any help would be much appreciated

Routed XEN VM based on LVM
Hetzner Xen IPv4 Subnet + IPv6 Subnet
Setting Up XEN on Hetzner Dedicated Server
Setting Up Ubuntu 12.04 and Xen on Hetzner


#StackBounty: #networking #debian #amazon-ec2 #sysstat Debian "sar -n DEV 1 1" is super slow

Bounty: 50

On all of my machines I’m using sar (sysstat) to get the current network bandwidth with sar -n DEV 1 1, which I parse later, but on one of my machines this command no longer gives its output in 1 second like the other machines and takes more like 20-30 seconds. How do I debug what is happening here?


#StackBounty: #networking #virtual-machine #hyper-v Windows XP in Hyper V – missing internet and network connectivity with ethernet LAN

Bounty: 50

So after installing Windows 10 Pro with Hyper-V, I successfully created a new virtual machine pointing to my old Windows XP Mode hard disk.

Windows XP boots but now asks to be registered/unlocked. However, I cannot, since it cannot connect to the internet. (I have the original CD + license key.)

I have set up a Virtual Switch Manager – external – connected to my physical ethernet network card.

In the hardware settings for the Windows XP virtual machine, I have added a network adapter which I have connected to the above-mentioned switch.

But the virtual Windows XP still states it cannot register/unlock online as it does not have internet connectivity – how can I solve it?


#StackBounty: #networking #iptables #tcp-ip How to configure iptables to work with tcpcrypt?

Bounty: 50

Background

OS: Ubuntu 16.04 x64 running on VirtualBox

I am a developer with minimal Ubuntu/Linux knowledge and have been assigned to a project where the goal is to utilize tcpcrypt when communicating with certain endpoints.

tcpcrypt comes with a shell script which sets the required entries in iptables to route packets to tcpcrypt for encryption/decryption. After executing this script, iptables looks like:

filter

Chain INPUT (policy ACCEPT 4 packets, 552 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  lo     any     anywhere             anywhere             tcp dpt:65530 tos match0x22/0xff
    0     0 NFQUEUE    tcp  --  any    any    !localhost            anywhere             tcp dpt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN NFQUEUE num 666
    0     0 NFQUEUE    tcp  --  any    any     anywhere             anywhere             multiport sports  !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 536 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 NFQUEUE    tcp  --  any    any     anywhere             anywhere             multiport dports  !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tos match0x04/0xff owner UID match tcpcryptd NFQUEUE num 666
    0     0 NFQUEUE    tcp  --  any    any     anywhere             anywhere             tcp spt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666

nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --                                            multiport dports  !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             multiport dports  !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s owner UID match tcpcryptd
REDIRECT   tcp  --  anywhere             anywhere             multiport dports  !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530

mangle

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
TOS        all  --  anywhere             anywhere             tos match0x04/0xff TOS and 0x00

With these entries, every packet is put on a queue from which tcpcrypt picks it up for encryption/decryption.

UPDATE

This is the script for iptables:

#!/bin/sh
#DAEMON_USER DIVERT_PORT ONLY_PORTS OMIT_PORTS

# determine which operation is requested (Append or Delete)
if [ "$1" = "start" -o -z "$1" ]; then
    # during startup, bail early if any of these commands fails
    set -e
    OP="-A"
elif [ "$1" = "stop" -o "$1" = "-f" ] ; then
    OP="-D"
else
    echo "Expected \"start\" or \"stop\" as first argument" >&2
    exit 1
fi

# determine which ports should be tcpcrypt-enabled
if [ -z "$ONLY_PORTS" -a -z "$OMIT_PORTS" ] ; then
    echo "Expected either OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2
    exit 1
fi
if [ -n "$ONLY_PORTS" -a -n "$OMIT_PORTS" ] ; then
    echo "Expected only one of OMIT_PORTS or ONLY_PORTS environment variables to be set" >&2
    exit 1
fi
if [ -n "$OMIT_PORTS" ] ; then
    PORT_TEST=!
    PORTS="$OMIT_PORTS"
fi
if [ -n "$ONLY_PORTS" ] ; then
    PORT_TEST=
    PORTS="$ONLY_PORTS"
fi

# more necessary configuration
if [ -z "$DAEMON_USER" ] ; then
    echo "Expected DAEMON_USER environment variable to be set" >&2
    exit 1
fi
if [ -z "$DIVERT_PORT" ] ; then
    echo "Expected DIVERT_PORT environment variable to be set" >&2
    exit 1
fi

# some shorthand to make rules more concise
from_enabled_port="-m multiport $PORT_TEST --source-ports $PORTS"
to_enabled_port="-m multiport $PORT_TEST --destination-ports $PORTS"
NFQUEUE="NFQUEUE --queue-num $DIVERT_PORT"
CRYPT_PORT="65530"
REDIRECT="REDIRECT --to-port $CRYPT_PORT"
INJECT_TOS="0x22"
HANDSHAKE_TOS="0x04"

filter="$ECHO iptables -t filter $OP"

# Injection from daemon: Accept
$filter INPUT -i lo -p tcp --dport $CRYPT_PORT \
          -m tos --tos $INJECT_TOS \
  -j ACCEPT

# SYN redirected to daemon:
#   Queue for daemon to initiate proxy connection with original destination
$filter INPUT -p tcp --dport $CRYPT_PORT --tcp-flags ALL SYN \
  -j $NFQUEUE

# SYN+ACK on proxy connection:
#   Queue for daemon to complete original handshake
$filter INPUT -p tcp $from_enabled_port --tcp-flags ALL SYN,ACK \
  -j $NFQUEUE

# Handshake packet of proxy connection from daemon:
#   Queue for daemon to set tcp options via DIVERT_MODIFY
$filter OUTPUT -p tcp $to_enabled_port \
           -m tos --tos $HANDSHAKE_TOS \
           -m owner --uid-owner $DAEMON_USER \
  -j $NFQUEUE

# SYN+ACK on redirected connection:
#   Queue for daemon to delay handshake until proxy connection succeeds
$filter OUTPUT -p tcp --sport $CRYPT_PORT --tcp-flags ALL SYN,ACK \
  -j $NFQUEUE


nat="$ECHO iptables -t nat $OP"

# Inbound connection for enabled ports:
#   Redirect to daemon (at localhost:$CRYPT_PORT) for encryption
#
# (The nat module will now translate addresses in both directions,
#  for the lifetime of this connection.)
$nat PREROUTING -p tcp $to_enabled_port \
  -j $REDIRECT


# Proxy connection from daemon to enabled port: Accept
$nat OUTPUT -p tcp $to_enabled_port \
        -m owner --uid-owner $DAEMON_USER \
  -j ACCEPT

# Outbound connections to enabled ports on remote hosts:
#   Redirect to daemon (at localhost port $CRYPT_PORT) for encryption
#
# (The nat module will now translate addresses in both directions,
#  for the lifetime of this connection.)
$nat OUTPUT ! -o lo -p tcp $to_enabled_port \
  -j $REDIRECT


mangle="$ECHO iptables -t mangle $OP"

# Packets leaving the machine with bookkeeping mark: Remove mark
$mangle POSTROUTING -m tos --tos $HANDSHAKE_TOS \
  -j TOS --set-tos 0x00

Question

How should I modify iptables with the current (see above) entries to achieve the following restrictions:

  1. Only packets with a certain destination should be queued for tcpcrypt.
  2. All other packets should not be queued for tcpcrypt and must travel freely.

What I have tried

A) I tried adding the desired IP address as the tcp destination in the OUTPUT chain, which looks like:

Chain OUTPUT (policy ACCEPT 4 packets, 536 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 NFQUEUE    tcp  --  any    any     anywhere             XXX.XXX.XXX.XXX      multiport dports  !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tos match0x04/0xff owner UID match tcpcryptd NFQUEUE num 666
    0     0 NFQUEUE    tcp  --  any    any     anywhere             XXX.XXX.XXX.XXX      tcp spt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666

B) I tried adding source and destination parameters to NAT rules:

target     prot opt source               destination         
REDIRECT   tcp  --  XXX.XXX.XXX.XXX       XXX.XXX.XXX.XXX       multiport dports  !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530

But still all packets, regardless of destination address, are sent to tcpcrypt.

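As an added example (not the tcpcrypt project's script and not tested against the poster's setup), the generator below rebuilds the rule set from the post in dry-run form and adds one knob, an optional peer address, to show where a per-destination match would have to sit in each rule for the restriction asked about: rules that see the remote host as the destination get -d, rules that see it as the source (the redirected SYN, the proxy connection's SYN+ACK, the PREROUTING redirect) get -s. ECHO defaults to echo, so the commands are printed rather than applied and the script needs neither root nor tcpcrypt. The address 203.0.113.10 is a constructed documentation address, and the numeric OMIT_PORTS list is my translation of the service names iptables printed above.

```shell
#!/bin/sh
# Added dry-run rule generator (not tcpcrypt's own script). ECHO prints every
# iptables command instead of running it; "ECHO= sh this.sh start" would apply them.
ECHO="${ECHO-echo}"
DAEMON_USER="${DAEMON_USER:-tcpcryptd}"
DIVERT_PORT="${DIVERT_PORT:-666}"
# Numeric form of the port list iptables showed as ssh,261,https,nntps,...,telnets:pop3s.
OMIT_PORTS="${OMIT_PORTS:-22,261,443,563,614,636,684,695,989,990,992:995}"
CRYPT_PORT=65530
INJECT_TOS=0x22
HANDSHAKE_TOS=0x04

# gen_rules start|stop [peer-address]
# Emits the filter, nat and mangle rules in the same order as the post's script.
# The peer-address handling is an assumption about how a per-destination
# restriction fits these rules: "-d peer" where the remote host is the
# destination, "-s peer" where it is the source. Without a peer, the output
# is the unrestricted rule set.
gen_rules() {
    if [ "$1" = "stop" ]; then op="-D"; else op="-A"; fi
    peer="$2"
    to_peer=""
    from_peer=""
    if [ -n "$peer" ]; then
        to_peer="-d $peer"
        from_peer="-s $peer"
    fi
    from_enabled_port="-m multiport ! --source-ports $OMIT_PORTS"
    to_enabled_port="-m multiport ! --destination-ports $OMIT_PORTS"
    nfq="NFQUEUE --queue-num $DIVERT_PORT"
    redirect="REDIRECT --to-port $CRYPT_PORT"
    filter="$ECHO iptables -t filter $op"
    nat="$ECHO iptables -t nat $op"
    mangle="$ECHO iptables -t mangle $op"

    # Injection from the daemon on loopback: accept (local traffic, no peer match).
    $filter INPUT -i lo -p tcp --dport $CRYPT_PORT -m tos --tos $INJECT_TOS -j ACCEPT
    # SYN that PREROUTING redirected to the daemon: its source is still the peer.
    $filter INPUT $from_peer -p tcp --dport $CRYPT_PORT --tcp-flags ALL SYN -j $nfq
    # SYN+ACK of the daemon's proxy connection: it comes back from the peer.
    $filter INPUT $from_peer -p tcp $from_enabled_port --tcp-flags ALL SYN,ACK -j $nfq
    # The daemon's own handshake packet, headed to the peer.
    $filter OUTPUT $to_peer -p tcp $to_enabled_port -m tos --tos $HANDSHAKE_TOS \
        -m owner --uid-owner $DAEMON_USER -j $nfq
    # SYN+ACK answering the redirected connection: its destination is the peer.
    $filter OUTPUT $to_peer -p tcp --sport $CRYPT_PORT --tcp-flags ALL SYN,ACK -j $nfq

    # Inbound connection from the peer: redirect to the daemon.
    $nat PREROUTING $from_peer -p tcp $to_enabled_port -j $redirect
    # The daemon's proxy connection must not be redirected back to itself.
    $nat OUTPUT -p tcp $to_enabled_port -m owner --uid-owner $DAEMON_USER -j ACCEPT
    # Outbound connection to the peer: redirect to the daemon.
    $nat OUTPUT ! -o lo $to_peer -p tcp $to_enabled_port -j $redirect

    # Strip the handshake bookkeeping TOS mark from everything leaving the box.
    $mangle POSTROUTING -m tos --tos $HANDSHAKE_TOS -j TOS --set-tos 0x00
}

# rule_count start|stop [peer]: how many iptables commands would be issued.
rule_count() {
    gen_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh this.sh start 203.0.113.10   (203.0.113.10 is a constructed example peer)
gen_rules "${1:-start}" "${2:-}"
```

Reading the printed commands side by side with the chains in the question shows which rules carry a peer match and which stay global: the loopback ACCEPT, the daemon's nat OUTPUT ACCEPT and the mangle TOS reset do not see the remote address at all, so they remain unconditional.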