TCP/IP basics and practical UNIX network tools

2021-01-25

(last time edited: 2021-10-19)

tags: internet, tcp/ip, networks

I'm writing this blog to share and log some basic knowledge.

The Internet protocol suite is the conceptual model and set of communications protocols used in the Internet and similar computer networks. It is commonly known as TCP/IP because the foundational protocols in the suite are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). During its development, versions of it were known as the Department of Defense (DoD) model because the development of the networking method was funded by the United States Department of Defense through DARPA. Its implementation is a protocol stack.

The Transmission Control Protocol and the Internet Protocol are a suite of communication protocols developed for military purposes *ehem and mass surveillance ehem* between 1969 and 1975, then later propagated to the civil and commercial world as we now see it. There are other sets of communication protocols that didn't prosper, but we aren't gonna waste time on those.

The architecture model of TCP/IP consists of four layers: the Link Layer, the Internet Layer, the Transport Layer, and the Application Layer.

  1. At the application layer level we use lots of different protocols that play with TCP/IP. This is the top and most user friendly layer. In this post I'll play around with DHCP, TELNET, DNS, Dynamic DNS and more!

  2. At the transport layer level we find protocols such as TCP, UDP and many others. We will stick to those two.

  3. At the internet layer level we find another set of protocols. We'll take a look at IPv4 and IPv6.

  4. At the link layer level we will only be messing around with the Ethernet protocol. This layer is the physical and logical network component used to connect.

It is not necessary to learn every protocol of each layer, but it's good to look at the big picture and grasp the idea. The order of the layers is important.

The best way to learn about networking is messing around with your own modem and router.

Other useful terms you need to understand are:

  1. Local Area Network (LAN)

  2. Wide Area Network (WAN)

  3. Network Address Translation (NAT)

I'll add some basic explanations of protocols and services that work on top of the TCP/IP suite. Then I'll add some UNIX tools you can play with.

Ports

In computer networking, a port is a communication endpoint. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service. A port is identified for each transport protocol and address combination by a 16-bit unsigned number, known as the port number. The most common transport protocols that use port numbers are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

Ports are a gateway for transferring messages from one side to the other and vice versa.

In UNIX systems, if you take a look at the /etc/services file you'll find a list of ports reserved for specific software and protocols. This list of ports in your system is maintained by the IANA. It usually comes installed under a package with the name iana-etc or just plain iana.

There are common misconceptions about ports. If a program with lots of vulnerabilities is running and listening on a specific port, yes, it can be compromised. But life isn't a Hollywood movie. Don't be scared if you're not running a firewall. Remember, your program has to be listening.

This is how ports are registered.

  1. System (privileged - well-known) ports: 0 to 1023

  2. User (non-privileged - registered) ports: 1024 to 49151

  3. Ephemeral (dynamic - private) ports: 49152 to 65535

UPnP

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.

UPnP is not a protocol. UPnP is a service your programs use to automatically create port forwarding rules. Usually programs have their own way to communicate with the UPnP service; sometimes they depend on a client such as miniupnpc.

First enable UPnP on your router or modem and then install miniupnpc in your *NIX system. Miniupnpc will be called by your programs. There is no need to run it manually or start it as a daemon.

If you wanna retrieve all ports currently forwarded by UPnP, run the next command:

$ upnpc -l

You can also see your public IP by using a binary that comes inside that package.

$ external-ip

By the way, I don't really recommend using UPnP, but if you have many programs that rely on opening ports then use it. UPnP can still be very insecure. It's an old technology, but if your *NIX system is not bloated and you have a true idea of what is going on inside your computer, then it's fine to enable it.

Port forwarding (Virtual servers)

Port forwarding, or tunneling, is the behind-the-scenes process of intercepting data traffic headed for a computer's IP/port combination and redirecting it to a different IP and/or port. A program that's running on the destination computer (host) usually causes the redirection, but sometimes it can also be an intermediate hardware component, such as a router, proxy server or firewall.

So you wanna forward ports manually instead of letting UPnP do it automatically, huh? Connect to your router's web admin and let's add some new rules. They need to look something like this.


Service name will be your program's name but it doesn't really matter what you put here.

External port is the port that an outside client will use, along with your public IP, to connect. The public IP is the unique IP your ISP gives to your router. ISPs tend to give just one public IP.

Internal IP will be the LAN address of your device. If you want to maintain port forwarding rules for X amount of time you don't wanna be looking up which LAN address your device has been assigned by the router's DHCP server. You might want to take a look at Address Reservation + IP & MAC Binding and add your device's MAC address so it never loses its assigned IP.

Internal port will be the same port as the external port. It's not necessary to enter anything here.

Protocol can be TCP, UDP or both. Programs can listen on both protocols or just one; it depends on the program. For example, most online video games use UDP, where connections can be lossy. Torrents use TCP, where the connection needs to be reliable.

I'll show you some basic differences between TCP and UDP. I know this info is easy to find on the Internet, but it's good to have it here too for fast reference.

TCP vs UDP

TCP                      UDP
Connected                Connectionless
State Memory             Stateless
Byte Stream              Packet/Datagram
Ordered Data Delivery    No Sequence Guarantee
Reliable                 Lossy
Error Free               Error Packets Discarded
Handshake                No Handshake
Flow Control             No Flow Control
Relatively Slow          Relatively Fast
Point to Point           Supports Multicast
Security: TLS/SSL        Security: DTLS

Port forwarding on a VPN

A common case for port forwarding is web development and netplay, especially with programs such as RetroArch, which is built on Libretro.

There are some VPNs that don't offer port forwarding.

You should only be using port forwarding on a VPN if for some reason the modem/router your ISP gave you gives you trouble opening ports and you cannot set the modem up in bridge mode, etc.

It's very easy to set up a VPN using the OpenVPN command-line program. Usually the VPN provider gives you their own configuration for launching OpenVPN to make the process automatic and simple.

I don't really recommend paying for a VPN since they are just bandwidth resellers and snake oil. They also lie about not keeping logs, and who knows who they are associated with. Yes, there are multiple uses for privacy (not anonymity), avoiding IP range bans and such. But if you're truly paranoid your computer shouldn't be connected to the Internet.

If you want privacy avoid VPNs, disconnect your Ethernet cable and return to monkey.

Anyway, VPNs work great for port forwarding.

DMZ

DMZ stands for demilitarized zone.

Don't. Avoid it like the plague. Keep this setting disabled at all costs.

DDNS

Dynamic DNS or DDNS is not a protocol but a service offered by commercial Internet companies to keep your dynamic IP linked to a subdomain.

It's useful when your dynamic IP changes over time and you need to share that address. The most common usage I know of is for homemade game servers.

I have used No-IP before and it works great. TP-Link routers usually come with DynDNS and No-IP as default providers for this service.

These types of services are offered for free; sometimes for more enhanced options you need to pay. It's understandable, I guess.

Basically, comfort and easy sharing of your public IP at the cost of your privacy and personal security.

I don't recommend using this method.

Access Control setting in routers

If you have ever seen this option in your router, it is a gift from God itself. Start using it.

They let you block or accept incoming connections from specific MAC addresses.

It's a nice practice to whitelist your LAN devices. WAN connection requests from anything else won't be able to reach you.


UNIX network utils

If you wanna get some basic info about your networks you can use some of the programs I list below.

Keep in mind these are just a few commands that pop into my head. There are lots! But for entry level management and analysis these are fine and very useful.

ss

ss is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state information than other tools.

ss comes inside the iproute2 package distributed across all Linux distros. Your distro's base package set most likely already includes it. It does not require root permissions.

To check for established connections from a specific LAN address:

$ ss -n dst 192.168.1.109

The argument -n shows ports in numeric format rather than resolving them to service names.

Check for TCP listening ports on our host machine:

$ ss -lnt

-l for listening, -n for numeric, -t for tcp.

Check for established TCP connections to our host machine (the state filter selects the sockets, so -l is not needed here):

$ ss -nt -o state established

Check for established TCP connections to one specific listening port of ours:

$ ss -nt -o state established '( sport = :445 )'

It's good to use these commands in combination with watch to refresh the data at 1 second intervals.

For example:

$ watch -n1 ss -nt -o "state established '( sport = :445 )'"

nc / ncat

Install nc / netcat by installing nmap, openbsd-netcat, libressl-netcat or GNU netcat. There are multiple variants.

Check if specific UDP ports on a system are open and listening. Does not need root permissions.

$ nc -vu 142.32x.23x.41 20595

or

$ nc -vu <domain> 53

Telnet

Telnet is part of the inetutils-telnet package and also comes included in the busybox binary.

There are multiple ways to check if a program is listening behind a port.

A manual and rude way to check is using the telnet client program. It's part of the GNU network utilities bundle. You can install it by installing inetutils-telnet in your Linux distribution, but be sure to double check: programs are packaged differently depending on the distribution. Maybe you can find it under the name telnet.

$ telnet <ip> <port>

If it keeps on Trying... and nothing happens, then no program is listening on the other side (or a firewall is dropping your packets).
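To show what telnet and nc -v actually test, here is an added Python example (mine, not from the post) that does the same TCP connect check as telnet and the UDP probe from the nc -vu section above, against throwaway listeners on loopback. Host, ports and the probe payload are constructed; the UDP "closed" verdict assumes the kernel delivers ICMP port-unreachable on loopback, as Linux and the BSDs do.

```python
import socket


def is_tcp_listening(host, port, timeout=2.0):
    """True if a TCP handshake completes on host:port (what telnet/nc -v do).
    A refused connection (RST) or a timeout (the endless "Trying...") both
    return False: nothing is listening, or a firewall drops the SYN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return False


def udp_port_state(host, port, timeout=1.0):
    """Mimic 'nc -vu'. UDP has no handshake, so the only hard signal is an ICMP
    port-unreachable reply, surfaced on a connected UDP socket as ECONNREFUSED.
    Silence means open OR filtered, never a confirmed open."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        sock.send(b"probe")  # constructed payload; real services may ignore it
        try:
            sock.recv(1)
            return "open"  # something actually answered
        except ConnectionRefusedError:
            return "closed"  # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"  # quiet listener, or a firewall dropped it


def bind_ephemeral(kind):
    """Constructed helper: throwaway listener on 127.0.0.1; port 0 lets the
    kernel pick an ephemeral port (IANA's 49152-65535 range on many systems)."""
    sock = socket.socket(socket.AF_INET, kind)
    sock.bind(("127.0.0.1", 0))
    if kind == socket.SOCK_STREAM:
        sock.listen(1)  # the kernel completes handshakes into the backlog
    return sock, sock.getsockname()[1]


def demo():
    tcp, tport = bind_ephemeral(socket.SOCK_STREAM)
    udp, uport = bind_ephemeral(socket.SOCK_DGRAM)
    results = {"tcp_live": is_tcp_listening("127.0.0.1", tport),
               "udp_live": udp_port_state("127.0.0.1", uport)}
    tcp.close()
    udp.close()
    results["tcp_closed"] = is_tcp_listening("127.0.0.1", tport)
    results["udp_closed"] = udp_port_state("127.0.0.1", uport)
    return results
```

The UDP listener never replies, so even while it is bound the probe can only say "open|filtered", which is exactly why nc -vu output deserves less trust than a TCP check.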

Nmap

This little network auditing tool can save your life. You can run it on an IP or a domain and it will scan ports. Nmap requires lots of dependencies to run despite its small size. I don't really recommend it, but it's a good tool.

$ nmap <ip>

or

$ nmap <domain>

or

$ nmap localhost

You can even tell it to scan a specific port, or a specific protocol.

$ nmap -p <port> <ip>

Traceroute

This tool will help you find out how your packets are traveling through the network. Does not need root permissions.

It can also help you verify whether you are behind double NAT or not.

Example:

$ traceroute <domain>

traceroute to randomwebsite.com (172.207.xx.38), 30 hops max, 60 byte packets
1  192.168.1.1 (192.168.1.1)  0.308 ms  0.479 ms  0.605 ms
2  * * *
3  10.xxx.111.33 (10.xxx.111.33)  18.142 ms  18.213 ms  18.130 ms
...

The case above shows my local network's gateway address as the first hop. This is where the routing begins. With that info we can tell that I'm using a router connected to a bridged modem.

Otherwise, if we connected our system straight to the bridged modem we would get something like this. Of course, all the other LAN ports on the bridged modem won't get an Internet connection.

$ traceroute <domain>

traceroute to randomwebsite.com (172.207.xx.38), 30 hops max, 60 byte packets
1  * * *
2  10.101.111.33 (10.101.111.33)  18.632 ms  18.699 ms  13.492 ms
3  10.100.26.14 (10.100.26.14)  19.733 ms 10.100.5.178 (10.100.5.178)  19.607 ms 10.100.26.14 (10.100.26.14)  19.434 ms
...
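An added Python example (mine, not the post's) that parses traceroute output and applies the reading above: leading private hops are NAT devices on your side, a silent first hop means you sit straight on the modem, and it goes one step further than the post by also flagging an ISP's carrier-grade NAT (100.64.0.0/10). The trace is constructed with made-up addresses and timings; the 10.x hops that appear after "* * *" in the post's own traces are ISP-internal and are deliberately not counted as yours.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\(([\d.]+)\)|\*)")

# Constructed sample (made-up hosts/timings; 203.0.113.0/24 is documentation space).
SAMPLE_TRACE = """\
traceroute to example.invalid (203.0.113.38), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.308 ms  0.479 ms  0.605 ms
 2  192.168.0.1 (192.168.0.1)  1.102 ms  1.210 ms  1.333 ms
 3  * * *
 4  100.64.5.17 (100.64.5.17)  18.142 ms  18.213 ms  18.130 ms
 5  203.0.113.1 (203.0.113.1)  19.733 ms  19.607 ms  19.434 ms
"""

def parse_hops(text):
    """[(hop, ip)] from traceroute output; silent '* * *' hops give None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # the header line and anything unparseable are skipped
            hops.append((int(m.group(1)), m.group(2)))
    return hops

def classify(ip):
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT:
        return "cgnat"
    return "private" if any(addr in n for n in RFC1918) else "public"

def nat_summary(text):
    """Leading consecutive RFC 1918 hops are NAT devices on your premises
    (1: router behind a bridged modem, 2+: double NAT, 0 with a silent first
    hop: straight on the modem); a CGNAT hop means the ISP translates too."""
    summary = {"premises_nat_hops": 0, "cgnat": False, "first_public": None}
    counting = True
    for _, ip in parse_hops(text):
        kind = classify(ip) if ip else "silent"
        if counting and kind == "private":
            summary["premises_nat_hops"] += 1
            continue
        counting = False  # anything else ends the on-premises run
        if kind == "cgnat":
            summary["cgnat"] = True
        elif kind == "public":
            summary["first_public"] = ip
            break
    return summary
```

Feed it `traceroute <domain>` output saved to a file; a result with two premises hops is the double NAT case, and cgnat=True explains why port forwarding on your own router still may not be reachable from outside.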

Netstat

A similar tool. It comes in the net-tools package. Does not need root permissions.

Usage:

$ netstat --tcp --udp --listening --program

or, shorter:

$ netstat -tulp

curl

You can use curl to see your current public IP.

$ curl icanhazip.com

Termshark

If you wanna read the incoming packets on a specific port of your server you can use Termshark. It is a terminal based interface for Wireshark, built on top of tshark, which is what the commands below call directly.

Example to read connections on a port. Does not need root permissions. This program also has lots of dependencies.

$ tshark -i ethernet-device-here -f "tcp port 55435"

or an example reading SOCKS5 connections on the loopback virtual device.

$ tshark -i lo -f "port 9050"


There are lots and lots more useful tools than these; I just listed the ones I use regularly for most port scanning.

I truly recommend tldr or its Rust implementation called tealdeer. It's an alternative to man pages and it will help you save time looking for specific network analysis commands.


Welcome to the Internet.