
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
1 answers
2852 views
Docker: Restricting inbound and outbound traffic using iptables
We have a lot of applications that run on a Linux server using Docker. As an example, let us say my application runs on **ServerA** as a container (Docker).

```
CONTAINER ID   IMAGE              COMMAND     CREATED       STATUS      PORTS                     NAMES
df68695a00f1   app/myapp:latest   "/run.sh"   2 weeks ago   Up 2 days   0.0.0.0:50423->3000/tcp   reallymyapp
```

The app is listening on port 50423 on the host (mapped to port 3000 in the container). The DNS (endpoint) that is used to access the app is pointing to the HAProxy host (say **ServerB**), which routes the traffic to **ServerA:50423**. Everything works well so far.

The security team in our org raised a concern that all external source IPs are potentially allowed to connect to such Docker hosts (like **ServerA**), and they want us to restrict traffic to allow only a specific IP (**ServerB**, which is a load balancer) to access the containers and vice versa (**ServerA** to **ServerB**). We would then allow connectivity from our users' machines to **ServerB**/load balancer only.

Now, I followed the Docker documentation and tried to insert the following rules using iptables into the DOCKER-USER chain:

```
iptables -I DOCKER-USER -i ekf192 -s 10.1.2.10,10.1.2.11,10.1.2.12 -j ACCEPT
iptables -I DOCKER-USER -i ekf192 -j DROP
```

```
ACCEPT     all  --  10.1.2.10            anywhere
ACCEPT     all  --  10.1.2.11            anywhere
ACCEPT     all  --  10.1.2.12            anywhere
LOG        all  --  anywhere             anywhere             LOG level info prefix "IPTables Dropped: "
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
```

Please note that we need both incoming and outgoing traffic from/to these hosts (10.1.2.10, 10.1.2.11, 10.1.2.12). Now, as per my (limited) knowledge of iptables, these rules should drop all incoming requests except when they originate from the mentioned IP addresses, and vice versa, i.e. allow outgoing traffic to the mentioned IPs. The incoming traffic works as expected, but the outgoing traffic to these hosts is getting dropped.

I am scratching my head over this and cannot figure out what is going wrong... and not to mention that I absolutely suck at understanding how iptables rules work.

```
Jan 12 16:24:43 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=40235 DF PROTO=TCP SPT=3000 DPT=42579 WINDOW=242 RES=0x00 ACK FIN URGP=0
Jan 12 16:24:44 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=3000 DPT=45182 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Jan 12 16:24:45 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.12 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=3000 DPT=45182 WINDOW=29200 RES=0x00 ACK SYN URGP=0
```
Koshur (1399 rep)
Jan 12, 2021, 05:39 PM • Last activity: Aug 5, 2025, 01:01 PM
-1 votes
1 answers
41 views
Server rejecting manual IP on initial setup
Provisioning a new Linux server, but when I tried to set the IP I got the error `'192.168.0.7' is not contained in 255.255.255.0/24`. But when I set it up on the server after the initial setup, through the config file, it works just fine.
Andrew Bao-Viet Nguyen (11 rep)
Aug 4, 2025, 08:34 PM • Last activity: Aug 5, 2025, 04:38 AM
-3 votes
0 answers
61 views
Extremely Slow Internet Speed on Fresh Kali Linux Install (Only Getting KB/s)
I just installed Kali Linux recently, and I'm facing weird internet issues. When I check my speed on fast.com, it shows around 7–10 Mbps, but whenever I actually try to download anything (like using wget, apt-get, or a browser), the speed drops to around 1–2 Mbps or even less. Sometimes it's just in KB/s.

Here's what I know:

* The same Wi-Fi connection gives full speed on Windows and mobile.
* No VPN or proxy is being used.
* It happens on both terminal and browser downloads.
* Using the built-in Wi-Fi adapter on a fresh Kali install.

What could be throttling the real download speed on Kali? Is it a driver issue, a DNS problem, or something else?
Narci (11 rep)
Jul 30, 2025, 04:28 PM • Last activity: Aug 4, 2025, 08:04 AM
0 votes
1 answers
2414 views
Needing to reboot after adding/removing same gateway route
As a matter of study I'm using VirtualBox with Debian 8 to learn the basics of networking with the interface in bridge mode. I deactivated `dhcp` for my network interface `eth0` in `/etc/network/interfaces`:

```
# ...
# iface eth0 inet manual
```

Now I'm configuring the interface on my own:

```
# ifconfig eth0 192.168.0.99/24
```

And then I test my gateway (which is 192.168.0.1) with ping and it works perfectly. Then I add the default gateway to my routing table:

```
# route add default gateway 192.168.0.1 netmask 255.255.255.0 dev eth0
```

After some tests, downloads, etc. I see that everything is OK. Then I decided to learn how to delete routes and tested it with my default gateway. It works.

### Here is my problem

After trying to add my gateway again with the same line above I got the "**SIOCADDRT: Network is unreachable**" error.

### What I tried to solve it

1. ifdown and ifup my interface;
2. Reconfigure the interface with ifconfig;
3. Restarting the networking daemon.

The only thing that works is **restarting** the machine.

**Is there a way to add my route again without the need of restarting the machine?**
llanfair (113 rep)
Jan 28, 2017, 11:03 PM • Last activity: Aug 2, 2025, 06:07 PM
3 votes
1 answers
2906 views
nmap won't recognize a hostname on my local area network
Scanning the machine on the LAN with my laptop, I got this:

```
gabriele @ osiris { ~ } [ Tue Oct 07 ] [ 08:49 PM] nmap -sP 192.168.1.236

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-07 20:50 CEST
Nmap scan report for ---.homenet.telecomitalia.it (192.168.1.236)
Host is up (0.0044s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
```

nmap won't recognize the hostname, putting `---` in place of "mercury", and I assume it is not a problem of nmap because it doesn't even access it in this way: `root@mercury`. When I changed the hostname I followed these steps:

```
sudo nano /etc/hostname
```

and I wrote a single line with "mercury", then:

```
sudo nano /etc/hosts
```

with this configuration:

```
127.0.0.1       localhost
127.0.1.1       mercury localhost

::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

and finally:

```
sudo /etc/init.d/hostname.sh start
```

Am I doing something wrong?
Gabriele Salvatori (131 rep)
Oct 7, 2014, 07:06 PM • Last activity: Aug 2, 2025, 05:10 AM
7 votes
1 answers
7283 views
Using a bridge, an LXC container can't ping router, but the host OS can
I've got a virtual machine running under VirtualBox, and in that virtual machine I've got an LXC container I'm trying to bridge to VirtualBox's NAT interface:

```
-------------       -----------       -----------       ----------       ----------
|    LXC    | --->  |  Host OS  | ---> |  Virtual  | ---> |  Laptop  | ---> |  Router  |
| Container |       |   Linux   |      |    Box    |      |          |      |          |
-------------       -----------       -----------       ----------       ----------
eth0 10.1.0.35      br0 10.1.0.5      eth0 NAT          192.168.1.33     GW:
gw 10.1.0.2         gw 10.1.0.2       10.1.0.2/16       GW: 192.168.1.1
Ping 10.1.0.2       ping 10.1.0.2
FAIL                OK
```

I cannot ping from the LXC container to the VirtualBox gateway, but I can from the Host OS.

Note: running tcpdump on the host OS, I can see pings being sent from the container to the router, and the reply from the router to the container, but tcpdump on the container shows no traffic.

**LXC eth0**

```
eth0      Link encap:Ethernet  HWaddr 00:16:3e:ed:82:b8
          inet addr:10.1.0.35  Bcast:10.1.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:feed:82b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:585 errors:0 dropped:0 overruns:0 frame:0
          TX packets:588 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:58003 (58.0 KB)  TX bytes:56447 (56.4 KB)
```

**Host OS:**

```
root@ubuntuserver:/# ifconfig
br0       Link encap:Ethernet  HWaddr 08:00:27:ca:5f:7a
          inet addr:10.1.0.5  Bcast:10.1.255.255  Mask:255.255.0.0
          inet6 addr: fe80::a00:27ff:feca:5f7a/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2012 errors:0 dropped:0 overruns:0 frame:0
          TX packets:882 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:158794 (158.7 KB)  TX bytes:139083 (139.0 KB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:ca:5f:7a
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2404 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:281188 (281.1 KB)  TX bytes:312109 (312.1 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14376 (14.3 KB)  TX bytes:14376 (14.3 KB)

vethStvXMU Link encap:Ethernet  HWaddr fe:9a:36:3a:84:1c
          inet6 addr: fe80::fc9a:36ff:fe3a:841c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:557 errors:0 dropped:0 overruns:0 frame:0
          TX packets:554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53465 (53.4 KB)  TX bytes:55003 (55.0 KB)

root@ubuntuserver:/# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.080027ca5f7a       no              eth0
                                                        vethStvXMU
```
David Parks (1190 rep)
Mar 29, 2013, 04:28 AM • Last activity: Aug 2, 2025, 02:03 AM
3 votes
3 answers
4171 views
systemd networking is ignoring network configuration file on boot
I have an embedded Linux system compiled with Yocto, using systemd. I have a network configuration file at `/etc/systemd/network/20-wired.network`. The contents of that file are:

```
[Match]
Name=eth0

[Network]
Address=192.168.5.40/24
Gateway=192.168.5.1
DNS=192.168.5.1
```

However, when I reboot my machine, the eth0 interface is successfully configured using DHCP instead of assigning the static IP address. The `ip a` command shows:

```
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f8:dc:7a:3c:27:82 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.223/16 brd 10.1.255.255 scope global dynamic noprefixroute eth0
       valid_lft 85898sec preferred_lft 85898sec
    inet6 fe80::43ec:fd39:e1c0:3c05/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

However, if I then wait 5 seconds or so after boot and do a `systemctl restart systemd-networkd`, the system will usually be configured correctly, like so:

```
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f8:dc:7a:3c:27:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.40/24 brd 192.168.5.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::43ec:fd39:e1c0:3c05/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

Lastly, with the right timing on the restart of the network service, I can seemingly even get this result (both the intended static address and the unwanted DHCP address):

```
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f8:dc:7a:3c:27:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.40/24 brd 192.168.5.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.1.1.223/16 brd 10.1.255.255 scope global dynamic noprefixroute eth0
       valid_lft 86246sec preferred_lft 86246sec
    inet6 fe80::43ec:fd39:e1c0:3c05/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

Does anyone know what is going on here or how to debug this? Is there something obviously wrong with my configuration?

`systemctl status systemd-networkd` shows the following immediately after boot (specifically after network-online.target):

```
* systemd-networkd.service - Network Service
     Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; vendor preset: enabled)
     Active: activating (start) since Tue 2021-07-20 12:58:52 UTC; 65ms ago
TriggeredBy: * systemd-networkd.socket
       Docs: man:systemd-networkd.service(8)
   Main PID: 282 ((networkd))
      Tasks: 1 (limit: 3576)
     Memory: 416.0K
     CGroup: /system.slice/systemd-networkd.service
             `-282 (networkd)
```

Some number of seconds later it looks like this:

```
* systemd-networkd.service - Network Service
     Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-07-20 12:58:52 UTC; 3min 20s ago
TriggeredBy: * systemd-networkd.socket
       Docs: man:systemd-networkd.service(8)
   Main PID: 282 (systemd-network)
     Status: "Processing requests..."
      Tasks: 1 (limit: 3576)
     Memory: 2.0M
     CGroup: /system.slice/systemd-networkd.service
             `-282 /lib/systemd/systemd-networkd
```

So it looks like the service is still "activating" when the network-online.target services run. I'm not sure what that means, though, or if it's a problem.
Dave (91 rep)
Jul 19, 2021, 08:40 PM • Last activity: Aug 1, 2025, 03:12 AM
0 votes
1 answers
2244 views
mpd httpd not responding to tcp port
I've got a home server with music files stored locally on said server. I've got MPD & ncmpcpp installed on this home server. I'm trying to prototype this so I can go the extra trivial step of forwarding ports so this can be accessed anywhere, but I'm having quite a bit of trouble even getting this to work locally. I'm working on a remote machine, but all the work I've done this morning has been in a remote shell *inside* the home server...

I've killed and disabled the daemon for mpd, and started it like so:

```
mpd --stdout --no-daemon --verbose ~/.config/mpd/mpd.conf
```

and gotten this output:

```
config_file: loading file .config/mpd/mpd.conf
path: SetFSCharset: fs charset is:
libsamplerate: libsamplerate converter 'Fastest Sinc Interpolator'
vorbis: Xiph.Org libVorbis 1.3.5
opus: libopus 1.1.4
sndfile: libsndfile-1.0.27
simple_db: reading DB
curl: version 7.52.1
curl: with OpenSSL/1.0.2k
avahi: Initializing interface
avahi: Client changed to state 101
avahi: Client is CONNECTING
state_file: Loading state file /home/dale/.config/mpd/state
```

The port appears to be doing something, or at least ready to do something for MPD:

```
~ ➭ sudo netstat -lnp | sudo grep 8002
tcp        0      0 127.0.0.1:8002          0.0.0.0:*               LISTEN      21596/mpd
```

However, when I run ncmpcpp (from within the same machine that is running MPD, the home server... remember, I'm ssh'ed in), I get the following complaint:

```
ncmpcpp: Failed to resolve host name
```

I've got the following ~/.config/mpd/mpd.conf file:

```
music_directory      "/mnt/media/Music"
playlist_directory   "~/.config/mpd/playlists"
db_file              "~/.config/mpd/database"
log_file             "~/.config/mpd/log"
pid_file             "~/.config/mpd/pid"
state_file           "~/.config/mpd/state"
sticker_file         "~/.config/mpd/sticker.sql"
#mixer_type          "software"

#█▓▒░ opts
bind_to_address      "127.0.0.1"
port                 "6601"
log_level            "default"
gapless_mp3_playback "yes"
filesystem_charset   "UTF-8"

#█▓▒░ io
input {
    plugin "curl"
}

audio_output {
    type            "alsa"
    name            "My ALSA Device"
    device          "hw:0,0"        # optional
    mixer_type      "hardware"      # optional
    mixer_device    "default"       # optional
    mixer_control   "PCM"           # optional
    mixer_index     "0"             # optional
}

#audio_output {
#    type    "alsa"
#    name    "audio"
#}

audio_output {
    type    "fifo"
    name    "visualizer"
    path    "/tmp/mpd.fifo"
    format  "44100:16:2"
}

audio_output {
    type            "httpd"
    name            "My HTTP Stream"
    encoder         "vorbis"        # optional
    bind_to_address "127.0.0.1"
    port            "8002"
#   quality         "5.0"           # do not define if bitrate is defined
    bitrate         "128"           # do not define if quality is defined
    format          "44100:16:1"
    always_on       "yes"           # prevent MPD from disconnecting all listeners when playback is stopped.
    tags            "yes"           # httpd supports sending tags to listening streams.
}
```

I've got this in my ~/.ncmpcpp/config file:

```
ncmpcpp_directory = "~/.ncmpcpp"
#lyrics_directory = "~/.lyrics"
external_editor = "/usr/bin/vim"

# █▓▒░ MPD Settings
mpd_crossfade_time = "3"
mpd_music_dir = "/mnt/media/Music"
mpd_host = "127.0.0.1:8002"
mpd_port = "8002"
```

Any ideas which property (or properties) I've misconfigured? Thanks
testname123 (325 rep)
Jan 31, 2017, 05:54 PM • Last activity: Jul 31, 2025, 11:06 AM
10 votes
1 answers
465 views
wifi problem with regulatory domain settings
Issue Summary: Multiple worldwide ThinkPad models with WCN6855 hw2.1 fail to properly handle regulatory domain settings, defaulting to incorrect country codes and causing regulatory compliance issues in the EU.

Affected Hardware:

- Primary: Lenovo ThinkPad P16s Gen 2, QCNFA765 (WCN6855 hw2.1)
- Secondary: Lenovo ThinkPad T14s Gen 4, same WCN6855 hw2.1 chip
- Location: Czech Republic (EU)
- Common pattern: Both models have worldwide country codes (00/WW suffix)

Firmware versions tested:

- Custom kernel: WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 (2024-04-17)
- Debian Live: WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.9 (2022-04-18)

Problem Description: Despite kernel regulatory domain settings, both laptops fail to apply correct regulatory rules:

1. Boot errors (consistent across all systems):

```
ath11k_pci 0000:02:00.0: Failed to set the requested Country regulatory setting
ath11k_pci 0000:02:00.0: Failed to set the requested Country regulatory setting
```

2. Incorrect regulatory domains applied:
   - P16s defaults to Brazil (BR) despite CZ kernel parameter
   - T14s defaults to United States (US)
   - Both ignore proper EU regulatory requirements

3. Regulatory compliance issues in EU:
   - All 5GHz channels marked "No IR" (No Initiate Radiation)
   - 6GHz power levels incorrect (30dBm instead of EU limit 23dBm)
   - Wrong DFS requirements (DFS-UNSET/DFS-FCC instead of DFS-ETSI)

Test Results:

ThinkPad P16s (21K9S0DC00) with kernel parameter cfg80211.ieee80211_regdom=CZ:

```
global: country CZ: DFS-ETSI                   [correct]
phy#0 (self-managed): country BR: DFS-UNSET    [incorrect]
```

ThinkPad T14s (21F8CT01WW) - stock configuration:

```
global: country 00: DFS-UNSET
phy#0 (self-managed): country US: DFS-FCC      [incorrect for EU]
```

Debian Live CD test (P16s) - proves cross-distribution issue:

```
global: country 00: DFS-UNSET
phy#0 (self-managed): country 00: DFS-UNSET
6GHz: 20dBm with "no IR" on ALL channels       [overly restrictive]
```

What I tried:

1. Kernel parameter cfg80211.ieee80211_regdom=CZ - Sets global domain but chip remains on wrong country
2. Kernel source modification - Changed default regulatory domain in net/wireless/reg.c:

```
-static char *ieee80211_regdom = "00";
+static char *ieee80211_regdom = "CZ";
```

   Result: Global domain correctly set to CZ, but phy#0 still remains BR - firmware ignores kernel setting
3. Runtime iw reg set CZ - No effect on self-managed phy#0
4. Different distributions - Debian Live CD shows identical boot errors
5. Multiple hardware - Issue affects different worldwide ThinkPad models consistently

Analysis:

- Both laptops have worldwide country codes in model numbers (00/WW suffix)
- SMBIOS likely contains "00" (worldwide) which firmware doesn't handle properly
- Firmware falls back to hardcoded regional defaults instead of respecting kernel settings
- Issue appears related to SMBIOS country code handling patch for WCN6855 (commit referencing reading country code from SMBIOS)
- Problem affects multiple Linux distributions and kernel versions
- Kernel-level regulatory changes are completely ignored by self-managed firmware

Next Plan: Patching /usr/lib/firmware/ath11k/WCN6855/hw2.1/regdb.bin to replace incorrect regulatory data resolves the issue, but this shouldn't be necessary.

Expected behavior: at the very least, it should be possible to change the regulatory domain configuration via standard Linux methods.

Impact: This affects regulatory compliance for EU users with worldwide ThinkPad models, potentially causing interference and legal issues due to incorrect power levels and frequency usage.
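Review bot: The one-line change to `ieee80211_regdom` in net/wireless/reg.c only alters the built-in default of the same variable that the `cfg80211.ieee80211_regdom=CZ` kernel parameter from step 1 already sets, so the identical outcome in step 2 (global domain CZ, phy#0 still BR) is expected rather than evidence of a second bug; since phy#0 is reported as self-managed, its country comes from the firmware's own regulatory data, which is why neither this patch nor `iw reg set CZ` changes it.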
Martin Vegter (586 rep)
Jul 27, 2025, 08:26 AM • Last activity: Jul 31, 2025, 10:40 AM
0 votes
1 answers
3171 views
How to set proxy with a config file provided in freebsd
I'm currently trying to update and install packages and other things on a FreeBSD server, but I'm blocked by my proxy. I'm at a university, and there are a few proxies before going on the internet. To allow us to bypass the proxy on our main PC (Debian 7) we need to enter the path of a config file in the network settings (auto mode in the proxy menu). But I can't manage to do this on my FreeBSD server. How can I get this to work?
math (119 rep)
Sep 29, 2014, 09:21 AM • Last activity: Jul 30, 2025, 08:01 PM
0 votes
1 answers
1928 views
How to measure TCP latency?
OS is Debian on both servers. I found some examples showing how to measure TCP latency with nmap:

```
nmap --packet-trace -p 22 192.168.0.10
```

But I'm getting some negative results for latency, i.e., it will print some output like `Host is up (-0.0023s latency)` at the end. What is nmap doing? Is it measuring the time difference between SYN and SYN-ACK? If so, how is it getting a negative result sometimes? Does it require clocks to be very precisely synced between the two servers?

And in addition, can I use ssh as a good TCP test server, or should I use a different service? Is there another tool I can use to measure TCP latency? I don't know if I trust nmap due to the negative results for the latency measurement.
cat pants (167 rep)
Feb 2, 2024, 12:25 AM • Last activity: Jul 30, 2025, 02:09 PM
0 votes
2 answers
1662 views
Secondary IP on one interface (Debian 8)
I'm trying to add a secondary IP on an old Debian 8 server at work and have an issue. The setup looks like this (just the IP parts in /etc/networking/interfaces):

```
auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.0.10
    netmask 255.255.255.0
    gateway 192.168.0.1

auto eth0:0
allow-hotplug eth0:0
iface eth0:0 inet static
    address 10.10.0.10
    netmask 255.255.255.0
    gateway 10.10.0.1
```

When I restart the networking services everything seems to work like a charm and ifconfig shows everything as it should. It's also correct when I look at the routing table with "route -n". The problem is that I can't access the server using the new IP. I can't ping it and I can't access it through http/https (it's a webserver). Even Nutanix is showing that the server got two IPs. Am I missing something, or is this something that might have to be fixed in the firewall (not on the server)?
J Rog (1 rep)
Aug 1, 2022, 08:52 PM • Last activity: Jul 30, 2025, 09:32 AM
2 votes
2 answers
389 views
How to test whether a secondary inet address exists on an eth interface?
RHEL9

Sometimes server 1 has the secondary address 10.143.170.80/24, and sometimes server 2 has that secondary address. My script needs to test which server has that secondary address. However, `ip address show dev ${VirtDev} secondary` always returns 0, whether or not the secondary address exists.

Server 1:

```
ip address show dev $VirtDev secondary
echo $?
0
```

Server 2:

```
ip address show dev $VirtDev secondary
2: ens33: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:8e:73:35 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 10.143.170.80/24 scope global secondary ens33:0
       valid_lft forever preferred_lft forever
echo $?
0
```

This works, but seems janky:

```
Exists=$(ip address show dev $VirtDev secondary)
[ -n "$Exists" ] && echo exists || echo not exists
```

Is there a better way?

EDIT: when parsing json...

```
ip -j -4 a ls to 10.143.170.80 | jq -e .[].addr_info
[
  {},
  {
    "family": "inet",
    "local": "10.143.170.80",
    "prefixlen": 24,
    "scope": "global",
    "secondary": true,
    "label": "ens33:0",
    "valid_life_time": 4294967295,
    "preferred_life_time": 4294967295
  }
]
ip -j -4 a ls to 10.143.170.80 | jq -e .[].addr_info.local
jq: error (at :1): Cannot index array with string "local"
```
RonJohn (1421 rep)
Jul 29, 2025, 03:50 PM • Last activity: Jul 30, 2025, 06:35 AM
2 votes
2 answers
3611 views
Cannot change UDP fragmentation offload
I have a Dell PowerEdge R740 server with an Intel Corporation Ethernet Controller x710 for 10GbE SFP+ network interface. I have installed RHEL 8 on it. I am trying to enable UDP Fragmentation Offload (UFO):

```
$ sudo ethtool --offload eno1 ufo on
```

I get this message:

```
Cannot change UDP fragmentation offload
Cannot change any device features.
```

eno1 has an SFP+ DAC cable. Is the issue because of the SFP+ cable? Or is there any driver that I might be missing?
Ramzah Rehman (21 rep)
Nov 13, 2019, 11:16 AM • Last activity: Jul 28, 2025, 12:01 PM
2 votes
1 answers
2805 views
MX Linux: Network service not running after update unless booted with systemd
I did `sudo apt-get update` and `sudo apt-get upgrade`, and installed the rpi-installer. After that, I lost all network connectivity. It seemed like my network had been disabled: no access to the internet or local file shares. The networking service is not running. At the boot screen, when I go to advanced options, if I select the "...(systemd)" option, I have network again. Does anyone have any ideas on how to fix this so I don't need to go into the advanced options?
dvdhns (121 rep)
Oct 13, 2021, 04:43 AM • Last activity: Jul 28, 2025, 04:07 AM
0 votes
2 answers
3440 views
getting MAC address of system: eth0 vs PredictableNetworkInterfaceNames
I wrote some C code having a rudimentary software licensing function within, where the executable will only run if the MAC address of the system is one I whitelisted in my C code. I only want this to work in Linux. I was accessing `/sys/class/net/eth0/address`, which contains something like `a0:b1:c2:d3:e4:f5`, all in lower case on one line, making it very easy to get the MAC address. This works only if you have eth0, because I hard coded `fopen( "/sys/class/net/eth0/address", "r" );`.

The problem I am realizing is the **eth0** part. With BiosDevName and/or Predictable Network Interface Naming being the default now [in RHEL/CentOS 7], I am seeing something like eno1 rather than eth0 as the first network device having a MAC address. And this can vary greatly from system to system. So I am dealing with /sys/class/net//address.

What is the most portable and reliable, and not too hard, way to get the MAC address(es) of a Linux system? Oftentimes the servers I deal with have quad port Intel NICs, but I really only need the first one. And my code doesn't care what the network interface names are; I just need to know one or more MAC addresses that are present.
ron (8647 rep)
Jan 20, 2020, 06:16 PM • Last activity: Jul 27, 2025, 12:03 AM
1 votes
2 answers
2643 views
Using iptables to redirect all docker outbound traffic back into container
I've been stuck on this problem all day and am keeping my fingers crossed some iptables expert reads this and can help me please. I would like to force all my docker containers's outbound traffic to go through a socks5 proxy. This is the closest I've come:
```bash
iptables -t nat -N REDSOCKS
# Leave local, private, link-local, multicast and reserved destinations alone
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 240.0.0.0/4 -j RETURN

# Everything else from the container network goes to the redirector on the host
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -p tcp -j DNAT --to-destination 172.17.0.1:12345
iptables -t nat -A OUTPUT -s 172.20.0.0/16 -j REDSOCKS
iptables -t nat -A PREROUTING -s 172.20.0.0/16 -j REDSOCKS
```
It works almost perfectly, but the socks5 proxy is unable to tell the originating IP address. The remote address is always '127.0.0.1'. Is there any way I can keep the originating IP address?

# Example Scenario

1) I have applied the iptables rules above to my docker host
2) I have a docker container with the address 172.20.0.2
3) Inside that container, I do a curl to example.com
4) The traffic is forwarded to 172.17.0.1:12345 (the docker host machine)
5) The server running on 12345 shows the remote IP address as being '127.0.0.1'
6) I would like the remote IP address to show as 172.20.0.2

Thanks to anyone who can try and help me with this.
Mark (231 rep)
Oct 5, 2020, 10:16 AM • Last activity: Jul 26, 2025, 08:08 PM
24 votes
3 answers
42892 views
What exactly happens when I enable net.ipv4.ip_forward=1?
Suppose I have this situation where I wrote a program to poison the ARP cache of 2 devices (let's say A and B), both in the local network, to successfully be able to MITM from device M. The program runs on device M. When I enable IP forwarding with the command sysctl net.ipv4.ip_forward=1 on device M, an HTTP connection from device A to B can be established without any issues, and I am able to see the traffic on device M.

But, in the same situation where the ARP caches are poisoned, after I disable IP forwarding with the command sysctl net.ipv4.ip_forward=0 on device M, an HTTP connection can't be established from device A to B. I can see the TCP SYN packet from device A on device M. In my program, after receiving the SYN packet on device M, I modify the src MAC address in the packet to M's MAC address (from A's MAC address) and the dst MAC address to B's MAC address (from M's MAC address) and inject it into the network. I don't modify anything from the network layer onwards. I can see the packet at B with the new src and dst MACs with the tcpdump command, which means the packet gets to B. But B doesn't respond to that packet, and I can't comprehend why.

So, the question is: what special thing does ip_forward=1 do that makes this kind of MITM situation work?

To clarify, all the machines are Linux. With forwarding enabled on device M, I don't need to modify the MAC addresses in the packets. I just poison the cache and things work fine from there.
InvisibleWolf (341 rep)
Oct 17, 2021, 01:17 PM • Last activity: Jul 26, 2025, 04:52 PM
1 votes
2 answers
6432 views
How to proxy nmap and dns resolution of nmap
How to use nmap and DNS resolution of nmap over a proxy? I tried proxychains, but for DNS resolution it doesn't work; it's a known bug as I read on some forums. It works well without the dns_proxy feature in the proxychains config. But I need to proxy DNS resolution requests.

sudo proxychains nmap -T4 -sV -Pn -A --reason -v scanme.nmap.org

I tried proxychains4 (or proxychains-ng), but with nmap it does the scanning and sends all the packets synchronously, so for example for a scan of one host it's needed to wait for 30 min or even longer. So it's not an option, but it works well.

sudo proxychains4 nmap -T4 -sV -Pn -A --reason -v scanme.nmap.org

I tried just like this with nmap's built-in proxy function:

sudo nmap --proxy socks4://127.0.0.1:9050 -T4 -sV -Pn -A --reason -v scanme.nmap.org

But does it do DNS resolution requests over the Tor proxy 127.0.0.1:9050 or only the scan? It seems it doesn't. What is the solution?
Sebastian Rockefeller (123 rep)
Apr 10, 2016, 06:15 PM • Last activity: Jul 26, 2025, 01:08 AM
3 votes
0 answers
20 views
Doubling Etherchannel Throughput Over LACP Teamed Interfaces
I have an ALMA9 Linux server with a quad BCM57414 NetXtreme-E 10Gb/25Gb RDMA Ethernet Controller NIC. I have two interfaces teamed using LACP and connected to a Cisco 9336C-FX2 switch running (NX-OS) Software 7.0(3)I7(6). The two interfaces are connected at 25Gbps speed each. Can I aggregate them so that the total throughput is 50Gbps?

Here is what my network guys sent me regarding the interfaces and port channel:

```
SWITCH-ACCESS02-9336C# show int status | i ppg
Eth1/14/1 ... Sto connected trunk full 25G QSFP100G-4SFP25G-CU3M
Eth1/14/2 ... Sto connected trunk full 25G QSFP100G-4SFP25G-CU3M
Po160     ... Sto connected trunk full 25G --
```

He says, "It turns out that the server is sending LACP packets to the switch telling it that it can only load balance using MAC address and Layer 4 destination port. Those two modes do NOT support bundling the throughput."

How then do I bundle the throughput? Is that possible on the Linux side? My bond state looks like this:

```
[root@linux-host ~]# teamdctl bond1 state
setup:
  runner: lacp
ports:
  bcom1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 1
    runner:
      aggregator ID: 5, Selected
      selected: yes
      state: current
  bcom2
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 1
    runner:
      aggregator ID: 5, Selected
      selected: yes
      state: current
runner:
  active: yes
  fast rate: yes
```

Thanks.
Mike S (2732 rep)
Jul 25, 2025, 03:00 PM