
2023

Linux dnsmasq options, dns-server and more

Linux dnsmasq options, dns-server and more.

More about dnsmasq in here - https://en.wikipedia.org/wiki/Dnsmasq


Starting with an example of a DHCP pool definition for dnsmasq

(...)

 dhcp-range=192.168.100.101,192.168.100.199,255.255.255.0,8h   # dhcp range
 dhcp-option=3,192.168.100.20                                  # default-gateway
 dhcp-option=6,1.1.1.3,1.0.0.3                                 # dns
 dhcp-option=15,mylocalnetwork.local                           # local-domain
 dhcp-option=44,0.0.0.0                                        # netbios server. Disabling NetBIOS over TCP/IP can improve security by reducing the attack surface of a system. However, it may also impact the functionality of certain legacy applications and networked devices that rely on NetBIOS

(...)

With the command `dnsmasq --help dhcp` you get the output below, which lists the DHCP option numbers that are available and what each one is.

Known DHCP options:
  1 netmask
  2 time-offset
  3 router
  6 dns-server
  7 log-server
  9 lpr-server
 13 boot-file-size
 15 domain-name
 16 swap-server
 17 root-path
 18 extension-path
 19 ip-forward-enable
 20 non-local-source-routing
 21 policy-filter
 22 max-datagram-reassembly
 23 default-ttl
 26 mtu
 27 all-subnets-local
 31 router-discovery
 32 router-solicitation
 33 static-route
 34 trailer-encapsulation
 35 arp-timeout
 36 ethernet-encap
 37 tcp-ttl
 38 tcp-keepalive
 40 nis-domain
 41 nis-server
 42 ntp-server
 44 netbios-ns
 45 netbios-dd
 46 netbios-nodetype
 47 netbios-scope
 48 x-windows-fs
 49 x-windows-dm
 58 T1
 59 T2
 60 vendor-class
 64 nis+-domain
 65 nis+-server
 66 tftp-server
 67 bootfile-name
 68 mobile-ip-home
 69 smtp-server
 70 pop3-server
 71 nntp-server
 74 irc-server
 77 user-class
 80 rapid-commit
 93 client-arch
 94 client-interface-id
 97 client-machine-id
119 domain-search
120 sip-server
121 classless-static-route
125 vendor-id-encap
150 tftp-server-address
255 server-ip-address
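Added example, not part of the original post: a small Python parser for the `dhcp-range` / `dhcp-option` lines above that maps option numbers (and the `option:<name>` form) to the names from the `--help dhcp` table and checks the pool for the mistakes that bite in practice (gateway outside the pool's subnet, non-IP values for IP options, NetBIOS disabled). The sample config is constructed, and a /24 is assumed when the range line carries no netmask.

```python
"""Parse dnsmasq dhcp-range / dhcp-option lines and sanity-check the DHCP pool."""
import ipaddress

# Subset of the option numbers printed by `dnsmasq --help dhcp` (see the table above).
DHCP_OPTION_NAMES = {
    1: "netmask", 3: "router", 6: "dns-server", 15: "domain-name", 42: "ntp-server",
    44: "netbios-ns", 66: "tftp-server", 119: "domain-search", 121: "classless-static-route",
}
NAME_TO_NUMBER = {name: number for number, name in DHCP_OPTION_NAMES.items()}

# Constructed sample config (not a real deployment), mirroring the pool definition above.
SAMPLE_CONFIG = """\
dhcp-range=192.168.100.101,192.168.100.199,255.255.255.0,8h   # dhcp range
dhcp-option=3,192.168.100.20                                  # default-gateway
dhcp-option=6,1.1.1.3,1.0.0.3                                 # dns
dhcp-option=15,mylocalnetwork.local                           # local-domain
dhcp-option=44,0.0.0.0                                        # netbios server
dhcp-option=option:ntp-server,192.168.100.20                  # option given by name
"""


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def parse_config(text):
    """Return (dhcp_range, options): dhcp_range is a dict or None, options maps number -> values."""
    dhcp_range, options = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields = [f.strip() for f in value.split(",") if not f.strip().startswith(("tag:", "set:"))]
        if key == "dhcp-range":
            addrs = [f for f in fields if _is_ipv4(f)]
            extras = [f for f in fields if not _is_ipv4(f)]  # mode keywords and/or lease time
            dhcp_range = {
                "start": addrs[0],
                "end": addrs[1] if len(addrs) > 1 else addrs[0],
                "netmask": addrs[2] if len(addrs) > 2 else None,
                "lease": extras[-1] if extras else None,
            }
        elif key == "dhcp-option":
            ident, values = fields[0], fields[1:]
            if ident.startswith("option:"):  # dnsmasq also accepts option:<name>
                number = NAME_TO_NUMBER.get(ident[len("option:"):])
                if number is None:
                    raise ValueError(f"unknown option name: {ident}")
            else:
                number = int(ident)
            options[number] = values
    return dhcp_range, options


def check_config(text):
    """Return findings as 'WARN: ...' / 'INFO: ...' strings; an empty list means nothing to report."""
    dhcp_range, options = parse_config(text)
    if dhcp_range is None:
        return ["WARN: no dhcp-range defined"]
    findings = []
    start = ipaddress.IPv4Address(dhcp_range["start"])
    end = ipaddress.IPv4Address(dhcp_range["end"])
    if start > end:
        findings.append(f"WARN: dhcp-range start {start} is after end {end}")
    # Assumption for this checker: a /24 when the range line carries no netmask.
    network = ipaddress.IPv4Network(f"{start}/{dhcp_range['netmask'] or '255.255.255.0'}", strict=False)
    if end not in network:
        findings.append(f"WARN: dhcp-range end {end} is outside {network}")
    for number, values in options.items():
        name = DHCP_OPTION_NAMES.get(number, "unknown")
        if number in (3, 6, 42, 44) and not all(_is_ipv4(v) for v in values):
            findings.append(f"WARN: option {number} ({name}) has a non-IPv4 value: {values}")
    for router in options.get(3, []):
        if _is_ipv4(router) and ipaddress.IPv4Address(router) not in network:
            findings.append(f"WARN: router {router} is not inside the pool's network {network}")
    if options.get(44) == ["0.0.0.0"]:
        findings.append("INFO: option 44 (netbios-ns) is 0.0.0.0, NetBIOS name service disabled for clients")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```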

Happy learning,

Antonio Feijao UK

AWS CLI command-line script - How to automatically delete the Default-VPCs in all AWS regions

AWS CLI command-line script to automatically delete all Default-VPCs in all AWS regions.

The script needs to have enough permissions to run the actions.

The script will fail if there are other dependencies than the ones dealt with in the script.


linux-bash-script

USE AT YOUR OWN RISK

```bash
#!/bin/bash

## uncomment to see the commands as they are executed.
#set -x

## gets a list of all AWS regions
LIST_OF_REGIONS=$(aws ec2 describe-regions --all-regions --query "Regions[].{Name:RegionName}" --output text)

## for-loop to cycle through all regions
for REGION in ${LIST_OF_REGIONS}; do
    echo "---------"
    echo "Region: ${REGION}"

    ## only the Default-VPC (is-default=true), not every VPC in the region
    VPCID=$(aws ec2 describe-vpcs --region "${REGION}" --filters "Name=is-default,Values=true" --query "Vpcs[].VpcId" --output text 2>/dev/null)
    if [ -z "${VPCID}" ]; then
        echo "NULL - No Default-VPC in the region: ${REGION}"
    else
        echo "Not NULL - There is a Default-VPC in the region: ${REGION}"
        ##
        ## --- use AT YOUR OWN RISK ---
        ##
        ## Uncomment the `aws ec2 ...` lines below to delete the default VPC in all regions.
        ## The script still needs to have enough permission to run the commands.
        ##
        echo "${REGION} : ${VPCID}"

        ## We need to detach AND delete the correct Internet Gateway (IGW), before we can delete the Default-VPC.
        IGW=$(aws ec2 describe-internet-gateways --region "${REGION}" --filters "Name=attachment.vpc-id,Values=${VPCID}" --query 'InternetGateways[].InternetGatewayId' --output text)

        ## IF IGW exists, then detach and delete the IGW from the Default-VPC
        if [ -z "${IGW}" ]; then
            echo "NULL - IGW already removed."
        else
            echo "Detaching and deleting the IGW: ${IGW}, from the Default-VPC: ${VPCID}."
            #aws ec2 detach-internet-gateway --region "${REGION}" --internet-gateway-id "${IGW}" --vpc-id "${VPCID}"
            #aws ec2 delete-internet-gateway --region "${REGION}" --internet-gateway-id "${IGW}"
        fi

        ## From my own experience, you also need to delete any subnets associated with the Default-VPC.
        LIST_OF_SUBNETS=$(aws ec2 describe-subnets --region "${REGION}" --filters "Name=vpc-id,Values=${VPCID}" --query "Subnets[].SubnetId" --output text)
        echo "List of subnets on the Default-VPC: ${LIST_OF_SUBNETS}"

        ## a loop body that contains only comments is a bash syntax error, hence the echo
        for SUBNET in ${LIST_OF_SUBNETS}; do
            echo "Subnet on the Default-VPC: ${SUBNET}"
            #aws ec2 delete-subnet --region "${REGION}" --subnet-id "${SUBNET}"
        done

        ## Finally, delete the Default-VPC.
        #aws ec2 delete-vpc --vpc-id "${VPCID}" --region "${REGION}" 2>/dev/null && echo "Default-VPC removed successfully." || echo "Something is still not right..."
    fi
done
```

aws-documentation


Happy learning,

Antonio Feijao UK

AWS boto3 credentials, boto session and boto3 available clients in python for the region the session was created.

About AWS credentials, boto3.session, list boto3 available clients in python3, load and access AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN.

Documentation here https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html.

My notes below.


aws-boto3-session

Example of AWS boto session credentials.

import boto3

help(boto3.session.Session)

output of help(...):
Help on class Session in module boto3.session:

class Session(builtins.object)
 |  Session(aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None, region_name=None, botocore_session=None, profile_name=None)
 |
 |  A session stores configuration state and allows you to create service
 |  clients and resources.
 |
 |  :type aws_access_key_id: string
 |  :param aws_access_key_id: AWS access key ID
 |  :type aws_secret_access_key: string
 |  :param aws_secret_access_key: AWS secret access key
 |  :type aws_session_token: string
 |  :param aws_session_token: AWS temporary session token
 |  :type region_name: string
 |  :param region_name: Default region when creating new connections
 |  :type botocore_session: botocore.session.Session
 |  :param botocore_session: Use this Botocore session instead of creating
 |                           a new default one.
 |  :type profile_name: string
 |  :param profile_name: The name of a profile to use. If not given, then
 |                       the default profile is used.
 |
 |  Methods defined here:
 
 (...)

creating-aws-boto3-session-with-aws-access-keys-secret-access-key-and-token

In this method, you pass the access key ID, secret access key and session token in through the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN. It is not recommended to hard-code credentials.

```py
import os
import boto3

session = boto3.session.Session(
    aws_access_key_id     = os.environ["AWS_ACCESS_KEY_ID"],
    aws_secret_access_key = os.environ["AWS_SECRET_ACCESS_KEY"],
    aws_session_token     = os.environ.get("AWS_SESSION_TOKEN"),  # only present for temporary credentials
    region_name='eu-west-2',
    botocore_session=None,
    profile_name=None
)
```

In this method, the boto3 session looks for credentials in various locations in a predefined order, as described in the documentation https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html.

session = boto3.session.Session(
    region_name='eu-west-2'
)

using-the-session-list-available-clients

services = session.get_available_services()

print(services)
['accessanalyzer', 'account', 'acm', 'acm-pca', 'alexaforbusiness', 'amp', 'amplify', 'amplifybackend', 'amplifyuibuilder', 'apigateway', 'apigatewaymanagementapi', 'apigatewayv2', 'appconfig', 'appconfigdata', 'appflow', 'appintegrations', 'application-autoscaling', 'application-insights', 'applicationcostprofiler', 'appmesh', 'apprunner', 'appstream', 'appsync', 'arc-zonal-shift', 'athena', 'auditmanager', 'autoscaling', 'autoscaling-plans', 'backup', 'backup-gateway', 'backupstorage', 'batch', 'billingconductor', 'braket', 'budgets', 'ce', 'chime', 'chime-sdk-identity', 'chime-sdk-media-pipelines', 'chime-sdk-meetings', 'chime-sdk-messaging', 'chime-sdk-voice', 'cleanrooms', 'cloud9', 'cloudcontrol', 'clouddirectory', 'cloudformation', 'cloudfront', 'cloudhsm', 'cloudhsmv2', 'cloudsearch', 'cloudsearchdomain', 'cloudtrail', 'cloudtrail-data', 'cloudwatch', 'codeartifact', 'codebuild', 'codecatalyst', 'codecommit', 'codedeploy', 'codeguru-reviewer', 'codeguru-security', 'codeguruprofiler', 'codepipeline', 'codestar', 'codestar-connections', 'codestar-notifications', 'cognito-identity', 'cognito-idp', 'cognito-sync', 'comprehend', 'comprehendmedical', 'compute-optimizer', 'config', 'connect', 'connect-contact-lens', 'connectcampaigns', 'connectcases', 'connectparticipant', 'controltower', 'cur', 'customer-profiles', 'databrew', 'dataexchange', 'datapipeline', 'datasync', 'dax', 'detective', 'devicefarm', 'devops-guru', 'directconnect', 'discovery', 'dlm', 'dms', 'docdb', 'docdb-elastic', 'drs', 'ds', 'dynamodb', 'dynamodbstreams', 'ebs', 'ec2', 'ec2-instance-connect', 'ecr', 'ecr-public', 'ecs', 'efs', 'eks', 'elastic-inference', 'elasticache', 'elasticbeanstalk', 'elastictranscoder', 'elb', 'elbv2', 'emr', 'emr-containers', 'emr-serverless', 'es', 'events', 'evidently', 'finspace', 'finspace-data', 'firehose', 'fis', 'fms', 'forecast', 'forecastquery', 'frauddetector', 'fsx', 'gamelift', 'gamesparks', 'glacier', 'globalaccelerator', 'glue', 'grafana', 
'greengrass', 'greengrassv2', 'groundstation', 'guardduty', 'health', 'healthlake', 'honeycode', 'iam', 'identitystore', 'imagebuilder', 'importexport', 'inspector', 'inspector2', 'internetmonitor', 'iot', 'iot-data', 'iot-jobs-data', 'iot-roborunner', 'iot1click-devices', 'iot1click-projects', 'iotanalytics', 'iotdeviceadvisor', 'iotevents', 'iotevents-data', 'iotfleethub', 'iotfleetwise', 'iotsecuretunneling', 'iotsitewise', 'iotthingsgraph', 'iottwinmaker', 'iotwireless', 'ivs', 'ivs-realtime', 'ivschat', 'kafka', 'kafkaconnect', 'kendra', 'kendra-ranking', 'keyspaces', 'kinesis', 'kinesis-video-archived-media', 'kinesis-video-media', 'kinesis-video-signaling', 'kinesis-video-webrtc-storage', 'kinesisanalytics', 'kinesisanalyticsv2', 'kinesisvideo', 'kms', 'lakeformation', 'lambda', 'lex-models', 'lex-runtime', 'lexv2-models', 'lexv2-runtime', 'license-manager', 'license-manager-linux-subscriptions', 'license-manager-user-subscriptions', 'lightsail', 'location', 'logs', 'lookoutequipment', 'lookoutmetrics', 'lookoutvision', 'm2', 'machinelearning', 'macie', 'macie2', 'managedblockchain', 'marketplace-catalog', 'marketplace-entitlement', 'marketplacecommerceanalytics', 'mediaconnect', 'mediaconvert', 'medialive', 'mediapackage', 'mediapackage-vod', 'mediapackagev2', 'mediastore', 'mediastore-data', 'mediatailor', 'memorydb', 'meteringmarketplace', 'mgh', 'mgn', 'migration-hub-refactor-spaces', 'migrationhub-config', 'migrationhuborchestrator', 'migrationhubstrategy', 'mobile', 'mq', 'mturk', 'mwaa', 'neptune', 'network-firewall', 'networkmanager', 'nimble', 'oam', 'omics', 'opensearch', 'opensearchserverless', 'opsworks', 'opsworkscm', 'organizations', 'osis', 'outposts', 'panorama', 'payment-cryptography', 'payment-cryptography-data', 'personalize', 'personalize-events', 'personalize-runtime', 'pi', 'pinpoint', 'pinpoint-email', 'pinpoint-sms-voice', 'pinpoint-sms-voice-v2', 'pipes', 'polly', 'pricing', 'privatenetworks', 'proton', 'qldb', 'qldb-session', 
'quicksight', 'ram', 'rbin', 'rds', 'rds-data', 'redshift', 'redshift-data', 'redshift-serverless', 'rekognition', 'resiliencehub', 'resource-explorer-2', 'resource-groups', 'resourcegroupstaggingapi', 'robomaker', 'rolesanywhere', 'route53', 'route53-recovery-cluster', 'route53-recovery-control-config', 'route53-recovery-readiness', 'route53domains', 'route53resolver', 'rum', 's3', 's3control', 's3outposts', 'sagemaker', 'sagemaker-a2i-runtime', 'sagemaker-edge', 'sagemaker-featurestore-runtime', 'sagemaker-geospatial', 'sagemaker-metrics', 'sagemaker-runtime', 'savingsplans', 'scheduler', 'schemas', 'sdb', 'secretsmanager', 'securityhub', 'securitylake', 'serverlessrepo', 'service-quotas', 'servicecatalog', 'servicecatalog-appregistry', 'servicediscovery', 'ses', 'sesv2', 'shield', 'signer', 'simspaceweaver', 'sms', 'sms-voice', 'snow-device-management', 'snowball', 'sns', 'sqs', 'ssm', 'ssm-contacts', 'ssm-incidents', 'ssm-sap', 'sso', 'sso-admin', 'sso-oidc', 'stepfunctions', 'storagegateway', 'sts', 'support', 'support-app', 'swf', 'synthetics', 'textract', 'timestream-query', 'timestream-write', 'tnb', 'transcribe', 'transfer', 'translate', 'verifiedpermissions', 'voice-id', 'vpc-lattice', 'waf', 'waf-regional', 'wafv2', 'wellarchitected', 'wisdom', 'workdocs', 'worklink', 'workmail', 'workmailmessageflow', 'workspaces', 'workspaces-web', 'xray']

import-pretty-print-pprint-as-pp-for-list-output

```py
from pprint import pprint as pp

pp(session.get_available_services())
```

This prints the same list as above, one service name per line.


Happy learning,

Antonio Feijao UK

AWS Console information. Reading the userInfo cookie information to display, alert, or anything else you want.
For example, include a banner on your AWS console with highlighting when you login as "AWS Administrator" role.
This can then be used in various applications.


sample code that "grabs" the userInfo and creates a banner alert

javascript:(function () {
    function fullDecode (input) {
        let decoded = decodeURIComponent(input);
        return (decoded == input ? decoded : fullDecode(decoded))
    };
    let userInfo = document.cookie.replace(/(?:(?:^|.*;\s*)aws-userInfo\s*\=\s*([^;]*).*$)|^.*$/, "$1");
    alert(JSON.stringify(JSON.parse(fullDecode(userInfo)), null, 4))
})();

source code https://gist.github.com/ajkerrigan/0e2348d4ed960409b462e8aaca230d36


sample code that "grabs" the userInfo and outputs in the console

let userInfo = document.cookie.replace(/(?:(?:^|.*;\s*)aws-userInfo\s*\=\s*([^;]*).*$)|^.*$/, "$1");
let decoded = decodeURIComponent(userInfo);
console.log(JSON.stringify(JSON.parse(decoded), null, 1));
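Added example, not from the original post or the linked gist: the same cookie handling in Python, runnable offline against a constructed `document.cookie`-style string, with the repeated percent-decode of `fullDecode()` and the "highlight when logged in as an administrator role" check from the intro. The cookie's JSON fields, the sample ARN and the privileged-role keywords are assumptions.

```python
"""Decode the AWS console aws-userInfo cookie and flag administrator sessions."""
import json
from urllib.parse import quote, unquote

# Constructed sample (not a real session): the cookie value is percent-encoded JSON.
# It is encoded twice here so the repeated-decode loop below has something to do.
_USER_INFO = json.dumps({
    "arn": "arn:aws:sts::123456789012:assumed-role/AWSAdministratorAccess/alice",
    "alias": "example-account",
    "username": "alice",
})
SAMPLE_COOKIE_HEADER = ("aws-region=eu-west-2; aws-userInfo="
                        + quote(quote(_USER_INFO, safe=""), safe="") + "; other=1")

# Assumed naming convention for privileged roles; adjust to your own role names.
PRIVILEGED_ROLE_KEYWORDS = ("Administrator", "Admin")


def cookie_value(cookie_header, name):
    """Value of cookie `name` from a 'k=v; k2=v2' string (what document.cookie returns), or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def full_decode(value):
    """Percent-decode until the text stops changing, the same loop as fullDecode() above."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def parse_user_info(cookie_header):
    """Return the aws-userInfo cookie as a dict; raises ValueError if the cookie is missing."""
    raw = cookie_value(cookie_header, "aws-userInfo")
    if raw is None:
        raise ValueError("aws-userInfo cookie not present")
    return json.loads(full_decode(raw))


def role_name(arn):
    """Role name from an STS assumed-role ARN (arn:aws:sts::<acct>:assumed-role/<Role>/<Session>), else None."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or not parts[5].startswith("assumed-role/"):
        return None
    return parts[5].split("/")[1]


def banner_text(info):
    """Banner line for the console; prefixed with WARNING when the session uses an administrator role."""
    role = role_name(info.get("arn", ""))
    who = f"{info.get('alias', '?')} as {role or info.get('username', '?')}"
    if role and any(keyword in role for keyword in PRIVILEGED_ROLE_KEYWORDS):
        return f"WARNING: {who} (administrator session)"
    return who


if __name__ == "__main__":
    print(banner_text(parse_user_info(SAMPLE_COOKIE_HEADER)))
```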

TBC...


Happy learning,

Antonio Feijao UK

Using a Raspberry Pi 4 as a router with iptables

Using a Raspberry Pi 4 as a router with iptables. With iptables we need to know more about what we are doing. ufw is great, it works as a layer on top of iptables with easy management, however you will not learn the real "thing": the network flow details, the beauty of "source" and "destination", and more...

So, I want to learn more, therefore I went on to learn the details of iptables and source destination IPs, NAT (MASQUERADE), source and destination ports, states...

the raspberry pi 4 basics

raspberry pi 4 updates

apt update && apt upgrade -y

apt autoremove -y

## useful

apt install dnsutils

raspberry pi 4 disable ipv6 at boot

vim /boot/cmdline.txt and add ipv6.disable=1 to the end of the line

example

console=tty1 root=PARTUUID=xxxxXXxx-xx rootfstype=ext4 fsck.repair=yes rootwait ipv6.disable=1

raspberry pi 4 enable IPv4 forward and disable IPv6

  • cat /etc/sysctl.d/local.conf
net.ipv4.ip_forward=1

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

raspberry pi 4 nat with iptables

  • cat reset-iptables.sh
#!/bin/bash -x
##
## source - https://www.linode.com/docs/guides/linux-router-and-ip-forwarding/
##
## 2023-06 - adapted and tweaked by AntonioFeijaoUK
##

## reset iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

## enable forwarding packets
iptables -A FORWARD -j ACCEPT

## detecting the default route interface
GATEWAY_INTERFACE=$(route -n | grep ^'0.0.0.0' | rev | cut -f 1 -d ' ' | rev | head -n1)
echo "your gateway interface is : ${GATEWAY_INTERFACE}"

## enable NAT on the outside interface for the internal subnet SOURCE_SUBNET
SOURCE_SUBNET="192.168.0.0/24"
iptables -t nat -s ${SOURCE_SUBNET} -I POSTROUTING -o ${GATEWAY_INTERFACE} -j MASQUERADE

## other good sources with details info
# - https://raspberrytips.com/raspberry-pi-firewall/
# - https://www.packetswitch.co.uk/raspberry/
## - enabled established connections - this is not needed as the FORWARD is set to default ACCEPT
#iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i eth0 -d ${SOURCE_SUBNET} -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

## save IPv4 iptables
iptables-save | sudo tee /etc/iptables/rules.v4


##################################################################
### similar but for IPv6 and to block by default
ip6tables -F
ip6tables -X
ip6tables -t nat -F
ip6tables -t nat -X
#ip6tables -t mangle -F
#ip6tables -t mangle -X
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

## drop forwarded packets (no IPv6 routing through this box)
ip6tables -A FORWARD -j DROP

## enable NAT on the outside interface
#iptables -t nat -s 192.168.0.0/24 -I POSTROUTING -o enp0s3 -j MASQUERADE

## save IPv6 iptables
ip6tables-save | sudo tee /etc/iptables/rules.v6


## USEFUL COMMANDS

echo "

useful command to check your NAT MASQUERADE is working

	\`iptables -t nat -L -nv\`

"

raspberry pi 4 static IP, dhcp and gateway metrics

  • cat /etc/dhcpcd.conf | egrep -v '^#|^$'
hostname
clientid
persistent
option rapid_commit
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
option interface_mtu
require dhcp_server_identifier
slaac private
interface wlan0
metric 300
static domain_name_servers=94.140.14.15 94.140.15.16
interface eth0
domain antoniofeijaouk.local
search antoniofeijaouk.local
metric 200
static ip_address=192.168.0.4/24
static routers=192.168.0.1
static domain_name_servers=94.140.14.15 94.140.15.16

raspberry pi 4 - verify the dns upstream servers

resolvconf -l

resolvectl status

Happy learning,

Antonio Feijao UK

Raspberry Pi 4 as a router with ufw rules

Raspberry Pi 4 as a basic "router" with ufw rules.

requirements

  • update rpi
apt update && apt upgrade -y

apt autoremove -y

apt install ufw

## useful

apt install dnsutils
  • raspberry pi 4 disable ipv6 at boot

vim /boot/cmdline.txt and add ipv6.disable=1 to the end of the line

example

console=tty1 root=PARTUUID=xxxxXXxx-xx rootfstype=ext4 fsck.repair=yes rootwait ipv6.disable=1
  • vim /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
  • cat /etc/sysctl.d/local.conf
net.ipv4.ip_forward=1

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

raspberry pi 4 nat with ufw

  • vim /etc/ufw/before.rules
(...)
#------------------------------------------------------------------------
## sources
## https://gist.github.com/kimus/9315140
## https://www.server-world.info/en/note?os=Ubuntu_22.04&p=ufw&f=2
#
# add to the end
# NAT
*nat
-F
:POSTROUTING ACCEPT [0:0]

# Forward traffic through wlan0
-A POSTROUTING -s 192.168.0.0/24 -o wlan0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

sample of basic ufw rules

  • eth0 - "internal" network with static IP

    • metric 300, for lower priority for default gw
  • wlan0 - "external" network with DHCP

    • metric 200, for default gw priority
## in routes - FROM and TO rules

ufw allow from 192.168.0.0/24 to 192.168.0.0/24 port 22 proto tcp



## out rules

ufw allow out on wlan0 from 192.168.0.0/24 to 94.140.14.15 port 53 proto udp
ufw allow out on wlan0 from 192.168.0.0/24 to 94.140.15.16 port 53 proto udp

ufw allow out on eth0 from 192.168.0.0/24 to 94.140.14.15 port 53 proto udp
ufw allow out on eth0 from 192.168.0.0/24 to 94.140.15.16 port 53 proto udp

ufw allow out on wlan0 from 192.168.0.0/24 to any port 443 proto tcp
ufw allow out on eth0 from 192.168.0.0/24 to any port 443 proto tcp

ufw allow out from 192.168.0.0/24 to any port 443 proto tcp
ufw allow out from 192.168.0.0/24 to any port 80 proto tcp


## enable ufw logging

ufw logging on

other useful ufw commands

# ufw reset

ufw disable

ufw enable

ufw status numbered

ufw delete RULE_NUM

raspberry pi 4 static IP, dhcp and gateway metrics

  • cat /etc/dhcpcd.conf | egrep -v '^#|^$'
hostname
clientid
persistent
option rapid_commit
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
option interface_mtu
require dhcp_server_identifier
slaac private
interface wlan0
metric 200
static domain_name_servers=94.140.14.15 94.140.15.16
interface eth0
domain feijaouk.local
search feijaouk.local
metric 300
static ip_address=192.168.0.4/24
static routers=192.168.0.1
static domain_name_servers=94.140.14.15 94.140.15.16

raspberry pi 4 - verify the dns upstream servers

resolvconf -l

Happy learning,

Antonio Feijao UK

2023-06-09-raspberry-pi-4-as-a-router-with-ufw-rules.md

AWS advanced networking playing with AWS Gateway Load balancer

AWS advanced networking, playing with AWS Gateway Load balancer (GWLB).

tag: workshop-gwlb

possible-source

  • https://catalog.workshops.aws/networking/en-US/gwlb

documents-info-blog-posts

https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/

https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/

poc-with-aws-gateway-load-balancer-gwlb

proof of concept with AWS Gateway Load Balancer GWLB

```bash
cd /tmp

## IMDSv2: fetch a session token first and send it with every metadata request
TOKEN=$(curl --silent -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
IMDS="http://169.254.169.254/latest"

curl --silent -H "X-aws-ec2-metadata-token: ${TOKEN}" "${IMDS}/dynamic/instance-identity/document" > /home/ec2-user/iid

export instance_interface=$(curl --silent -H "X-aws-ec2-metadata-token: ${TOKEN}" "${IMDS}/meta-data/network/interfaces/macs/")

export instance_vpcid=$(curl --silent -H "X-aws-ec2-metadata-token: ${TOKEN}" "${IMDS}/meta-data/network/interfaces/macs/${instance_interface}/vpc-id")

## the identity document is JSON, so read its fields with jq instead of grep/awk
export instance_az=$(jq -r '.availabilityZone' /home/ec2-user/iid)
export instance_ip=$(jq -r '.privateIp' /home/ec2-user/iid)
export instance_region=$(jq -r '.region' /home/ec2-user/iid)

## private IP of the GWLB network interface in this AZ; the AZ is passed to jq with --arg
## rather than spliced into the filter text
export gwlb_ip=$(aws --region "${instance_region}" ec2 describe-network-interfaces --filters "Name=vpc-id,Values=${instance_vpcid}" \
    | jq -r --arg az "${instance_az}" '.NetworkInterfaces[] | select(.AvailabilityZone==$az) | select(.InterfaceType=="gateway_load_balancer") | .PrivateIpAddress')

## Start httpd and configure index.html
systemctl start httpd
cat > /var/www/html/index.html <<'EOF'
<html>
  <head>
    <title>Gateway Load Balancer POC</title>
    <meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'>
  </head>
  <body>
    <h1>Welcome to Gateway Load Balancer POC:</h1>
  </body>
</html>
EOF

## Start and configure iptables
systemctl enable iptables
systemctl start iptables

## Configuration below allows all traffic
# Set the default policies for each of the built-in chains to ACCEPT:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

## Flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X):
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

## Configure nat table to hairpin traffic back to GWLB
## (GWLB carries the inspected traffic in GENEVE encapsulation, UDP port 6081)
iptables -t nat -A PREROUTING -p udp -s "${gwlb_ip}" -d "${instance_ip}" -i eth0 -j DNAT --to-destination "${gwlb_ip}:6081"
iptables -t nat -A POSTROUTING -p udp --dport 6081 -s "${gwlb_ip}" -d "${gwlb_ip}" -o eth0 -j MASQUERADE

## Save iptables
service iptables save

iptables -L -n
```
    

antonio-feijao-uk

Thank you, and happy learning.

Antonio Feijao UK

AWS Route53 Domains via the AWS CLI with aws route53 list-prices

AWS Route53 Domains via the AWS CLI with aws route53 list-prices

ReadOnly role is enough to run these commands.

getting-the-results-aws-route53domains-list-prices

I redirected the API results into a local text file so I can work with the file much quicker locally.

the --region=us-east-1 is only needed if your default region is not us-east-1.

aws route53domains list-prices --region=us-east-1 > 2023-02-17-prices-as-of-this-date.txt

result-from-query-for-aws-route53-list-prices

Initially I was getting null results for some queries on RegistrationPrice,
so I checked for differences between the jq query values and realised that not all domains have the RegistrationPrice value.

So I went with the output from RenewalPrice as that seemed to match the value on the AWS console.

See if you can spot the difference in the outputs below :)

cat 2023-02-17-prices-as-of-this-date.txt | jq -r '.Prices[]' | egrep "RegistrationPrice|TransferPrice|RenewalPrice|ChangeOwnershipPrice|RestorationPrice" | cut -f 2 -d '"' | sort | uniq -c | sort -n
 302 RegistrationPrice
 302 TransferPrice
 315 RestorationPrice
 316 ChangeOwnershipPrice
 316 RenewalPrice

aws-domains-price-from-cheapest-to-the-most-expensive

aws route53domains list-prices --region=us-east-1 | jq -r '.Prices[] | "\(.RenewalPrice.Price) USD;\t .\(.Name)  "' | sort | uniq | sort -n

3 USD;	 .click
5 USD;	 .link
8 USD;	 .me.uk
9 USD;	 .be
9 USD;	 .co.uk
9 USD;	 .de
9 USD;	 .name
9 USD;	 .org.uk
9 USD;	 .uk
10 USD;	 .cz
10 USD;	 .es
10 USD;	 .nl
10 USD;	 .pictures
11 USD;	 .net
12 USD;	 .academy
12 USD;	 .boutique
12 USD;	 .cc
12 USD;	 .consulting
12 USD;	 .fr
12 USD;	 .futbol
12 USD;	 .life
12 USD;	 .live
12 USD;	 .media
12 USD;	 .news
12 USD;	 .org
12 USD;	 .rocks
12 USD;	 .services
12 USD;	 .social
12 USD;	 .solutions
12 USD;	 .studio
12 USD;	 .world
13 USD;	 .audio
13 USD;	 .ca
13 USD;	 .ch
13 USD;	 .co.za
13 USD;	 .com
13 USD;	 .eu
13 USD;	 .juegos
13 USD;	 .xyz
15 USD;	 .au
15 USD;	 .com.au
15 USD;	 .in
15 USD;	 .it
15 USD;	 .net.au
15 USD;	 .onl
15 USD;	 .qpon
15 USD;	 .uno
15 USD;	 .us
15 USD;	 .website
16 USD;	 .club
16 USD;	 .help
16 USD;	 .lol
16 USD;	 .photo
16 USD;	 .pics
17 USD;	 .rip
18 USD;	 .business
18 USD;	 .company
18 USD;	 .ninja
19 USD;	 .agency
19 USD;	 .biz
19 USD;	 .city
19 USD;	 .diet
19 USD;	 .exposed
19 USD;	 .football
19 USD;	 .gifts
19 USD;	 .gratis
19 USD;	 .im
19 USD;	 .network
19 USD;	 .reisen
19 USD;	 .report
19 USD;	 .schule
19 USD;	 .supplies
19 USD;	 .supply
20 USD;	 .fyi
20 USD;	 .gift
20 USD;	 .run
20 USD;	 .soccer
21 USD;	 .center
21 USD;	 .directory
21 USD;	 .education
21 USD;	 .equipment
21 USD;	 .gallery
21 USD;	 .graphics
21 USD;	 .institute
21 USD;	 .international
21 USD;	 .lighting
21 USD;	 .management
21 USD;	 .photography
21 USD;	 .photos
21 USD;	 .support
21 USD;	 .systems
21 USD;	 .technology
21 USD;	 .tips
21 USD;	 .today
22 USD;	 .band
22 USD;	 .blue
22 USD;	 .dance
22 USD;	 .kim
22 USD;	 .moda
22 USD;	 .pink
22 USD;	 .pub
22 USD;	 .red
22 USD;	 .reviews
22 USD;	 .shiksha
22 USD;	 .video
23 USD;	 .info
23 USD;	 .se
24 USD;	 .co.nz
24 USD;	 .fi
24 USD;	 .net.nz
24 USD;	 .org.nz
25 USD;	 .cloud
25 USD;	 .co
25 USD;	 .email
25 USD;	 .flowers
25 USD;	 .guru
25 USD;	 .me
25 USD;	 .online
25 USD;	 .pro
27 USD;	 .training
28 USD;	 .wedding
29 USD;	 .associates
29 USD;	 .auction
29 USD;	 .cards
29 USD;	 .care
29 USD;	 .cash
29 USD;	 .catering
29 USD;	 .chat
29 USD;	 .church
29 USD;	 .community
29 USD;	 .deals
29 USD;	 .digital
29 USD;	 .direct
29 USD;	 .discount
29 USD;	 .exchange
29 USD;	 .fail
29 USD;	 .fish
29 USD;	 .fitness
29 USD;	 .forsale
29 USD;	 .gripe
29 USD;	 .guide
29 USD;	 .haus
29 USD;	 .hosting
29 USD;	 .immo
29 USD;	 .industries
29 USD;	 .ink
29 USD;	 .limited
29 USD;	 .money
29 USD;	 .parts
29 USD;	 .place
29 USD;	 .property
29 USD;	 .republican
29 USD;	 .sale
29 USD;	 .sarl
29 USD;	 .school
29 USD;	 .style
29 USD;	 .tools
29 USD;	 .town
29 USD;	 .trade
29 USD;	 .vision
29 USD;	 .wtf
30 USD;	 .bargains
30 USD;	 .cheap
30 USD;	 .cool
30 USD;	 .democrat
30 USD;	 .events
30 USD;	 .foundation
30 USD;	 .guitars
30 USD;	 .immobilien
30 USD;	 .kaufen
30 USD;	 .mobi
30 USD;	 .productions
30 USD;	 .properties
30 USD;	 .rentals
30 USD;	 .ruhr
30 USD;	 .singles
30 USD;	 .wiki
30 USD;	 .works
31 USD;	 .cafe
31 USD;	 .express
31 USD;	 .loan
31 USD;	 .mba
31 USD;	 .plus
31 USD;	 .show
31 USD;	 .team
32 USD;	 .bike
32 USD;	 .builders
32 USD;	 .cab
32 USD;	 .clothing
32 USD;	 .coffee
32 USD;	 .computer
32 USD;	 .construction
32 USD;	 .contractors
32 USD;	 .domains
32 USD;	 .enterprises
32 USD;	 .estate
32 USD;	 .farm
32 USD;	 .florist
32 USD;	 .house
32 USD;	 .kiwi
32 USD;	 .land
32 USD;	 .marketing
32 USD;	 .repair
32 USD;	 .tv
32 USD;	 .zone
33 USD;	 .vc
34 USD;	 .com.mx
35 USD;	 .careers
35 USD;	 .codes
35 USD;	 .diamonds
35 USD;	 .holdings
35 USD;	 .holiday
35 USD;	 .recipes
35 USD;	 .vacations
35 USD;	 .vg
36 USD;	 .irish
36 USD;	 .ru
37 USD;	 .buzz
37 USD;	 .watch
39 USD;	 .sexy
43 USD;	 .mortgage
46 USD;	 .camera
46 USD;	 .camp
46 USD;	 .cleaning
46 USD;	 .dog
46 USD;	 .glass
46 USD;	 .kitchen
46 USD;	 .plumbing
46 USD;	 .shoes
46 USD;	 .solar
46 USD;	 .toys
47 USD;	 .apartments
47 USD;	 .bingo
47 USD;	 .capital
47 USD;	 .claims
47 USD;	 .clinic
47 USD;	 .coach
47 USD;	 .com.sg
47 USD;	 .delivery
47 USD;	 .dental
47 USD;	 .engineering
47 USD;	 .finance
47 USD;	 .financial
47 USD;	 .fund
47 USD;	 .furniture
47 USD;	 .healthcare
47 USD;	 .insure
47 USD;	 .lease
47 USD;	 .legal
47 USD;	 .memorial
47 USD;	 .pizza
47 USD;	 .restaurant
47 USD;	 .sg
47 USD;	 .surgery
47 USD;	 .tattoo
47 USD;	 .tax
47 USD;	 .tennis
47 USD;	 .university
47 USD;	 .ventures
47 USD;	 .villas
49 USD;	 .condos
49 USD;	 .cruises
49 USD;	 .dating
49 USD;	 .expert
49 USD;	 .flights
49 USD;	 .maison
49 USD;	 .partners
49 USD;	 .viajes
50 USD;	 .limo
50 USD;	 .tienda
50 USD;	 .voyage
50 USD;	 .wien
51 USD;	 .coupons
51 USD;	 .golf
51 USD;	 .hockey
51 USD;	 .jewelry
51 USD;	 .taxi
51 USD;	 .theater
51 USD;	 .tours
55 USD;	 .lgbt
57 USD;	 .mx
57 USD;	 .vegas
58 USD;	 .com.br
64 USD;	 .qa
65 USD;	 .host
66 USD;	 .berlin
66 USD;	 .black
66 USD;	 .poker
69 USD;	 .college
71 USD;	 .global
71 USD;	 .green
71 USD;	 .io
74 USD;	 .ceo
75 USD;	 .gg
76 USD;	 .ac
76 USD;	 .com.ar
76 USD;	 .sh
90 USD;	 .jp
92 USD;	 .fm
93 USD;	 .cl
94 USD;	 .accountants
94 USD;	 .credit
94 USD;	 .energy
94 USD;	 .investments
94 USD;	 .loans
94 USD;	 .tires
100 USD;	 .adult
100 USD;	 .porn
100 USD;	 .sex
101 USD;	 .gold
101 USD;	 .reise
141 USD;	 .casino
141 USD;	 .creditcard
254 USD;	 .hiv
282 USD;	 .sucks
306 USD;	 .movie

Of course, you can manipulate the list above and sort it in alphabetic order if you wish.
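The same two steps as the jq one-liners above (count which price fields each TLD entry actually carries, then list TLDs by RenewalPrice) as an added Python example, not code from the original post. It runs on a constructed sample with the shape of the `aws route53domains list-prices` output; the sample TLDs and prices are made up for illustration, and the `.click` entry is deliberately missing RegistrationPrice to reproduce the null results described above. Entries without the requested field are skipped instead of turning into null, and the table can be sorted by price or alphabetically:

```python
import json
from collections import Counter

# Constructed sample in the shape of `aws route53domains list-prices` output.
# Not real AWS data: three TLDs, and ".click" deliberately has no
# RegistrationPrice (the case that produced null results with jq).
SAMPLE_LIST_PRICES = json.dumps({
    "Prices": [
        {"Name": "xyz",
         "RegistrationPrice": {"Price": 13.0, "Currency": "USD"},
         "TransferPrice": {"Price": 13.0, "Currency": "USD"},
         "RenewalPrice": {"Price": 13.0, "Currency": "USD"},
         "ChangeOwnershipPrice": {"Price": 0.0, "Currency": "USD"},
         "RestorationPrice": {"Price": 85.0, "Currency": "USD"}},
        {"Name": "click",
         "RenewalPrice": {"Price": 3.0, "Currency": "USD"},
         "ChangeOwnershipPrice": {"Price": 0.0, "Currency": "USD"}},
        {"Name": "movie",
         "RegistrationPrice": {"Price": 306.0, "Currency": "USD"},
         "TransferPrice": {"Price": 306.0, "Currency": "USD"},
         "RenewalPrice": {"Price": 306.0, "Currency": "USD"},
         "ChangeOwnershipPrice": {"Price": 0.0, "Currency": "USD"},
         "RestorationPrice": {"Price": 85.0, "Currency": "USD"}},
    ]
})

PRICE_KEYS = ("RegistrationPrice", "TransferPrice", "RenewalPrice",
              "ChangeOwnershipPrice", "RestorationPrice")


def count_price_fields(raw_json):
    """How many TLD entries carry each price field (the `uniq -c` step)."""
    prices = json.loads(raw_json)["Prices"]
    counts = Counter()
    for entry in prices:
        for key in PRICE_KEYS:
            if entry.get(key) is not None:
                counts[key] += 1
    return dict(counts)


def price_table(raw_json, field="RenewalPrice", by="price"):
    """Return (price, currency, tld) tuples for every entry that has `field`.

    Entries missing the field are skipped rather than reported as null,
    which is the trap hit with RegistrationPrice. `by` is "price" for
    cheapest-first (ties broken by name) or "name" for alphabetical order.
    """
    prices = json.loads(raw_json)["Prices"]
    rows = []
    for entry in prices:
        value = entry.get(field)
        if not value:
            continue
        rows.append((float(value["Price"]), value["Currency"], "." + entry["Name"]))
    if by == "name":
        rows.sort(key=lambda r: r[2])
    else:
        rows.sort(key=lambda r: (r[0], r[2]))
    return rows


def missing_field(raw_json, field="RegistrationPrice"):
    """TLDs that have no value for `field` (the ones that came back as null)."""
    prices = json.loads(raw_json)["Prices"]
    return sorted("." + e["Name"] for e in prices if not e.get(field))


if __name__ == "__main__":
    print(count_price_fields(SAMPLE_LIST_PRICES))
    for price, currency, tld in price_table(SAMPLE_LIST_PRICES):
        print(f"{price:.0f} {currency};\t {tld}")
    print("no RegistrationPrice:", missing_field(SAMPLE_LIST_PRICES))
```

To run it against the real output, replace `SAMPLE_LIST_PRICES` with the contents of the file saved by the `list-prices` command above (for example `open("2023-02-17-prices-as-of-this-date.txt").read()`).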

aws route53domains help

There is a lot more you can do with this API :)

Imagination is the limit.

Type aws route53domains help to get the help on the CLI

or go to the documentation page https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53domains/list-domains.html

Antonio Feijao UK

Thank you, and happy learning.

Antonio Feijao UK

Linux bash script, basic script that records the website availability HTTP code 200s, 300s, 400s, 500s


To do next... color coding alerts maybe?!

The Linux bash script

#!/bin/bash

# URLs to monitor, one per line
LIST_URLs="https://www.antoniofeijao.com/
https://www.antoniofeijao.pt/
https://www.antoniocloud.com/
https://antonio.cloud/
https://www.cyberantonio.com/
https://www.cloudsecurity.cc/
https://www.securitygames.net/
https://www.root.pt/
https://www.ninja.pt/
https://www.ntp.pt/"

# Poll one URL forever, appending one line per check to a per-host daily log
check_url() {
    local URL="$1"
    local NAME="${URL#https://}"      # drop the scheme ...
    NAME="${NAME%/}"                  # ... and the trailing slash
    while true; do
        local LOGS="${NAME}-$(date +%F).txt"
        local DATE
        DATE=$(date +%F-%H%M-%Ss)
        # First line of the response headers, e.g. "HTTP/2 200";
        # --max-time stops a hung server from blocking the loop
        local RESULT
        RESULT=$(curl -I "${URL}" --silent --max-time 10 | head -n 1)
        [ -n "${RESULT}" ] || RESULT="NO-RESPONSE"
        printf '%s; \t %s; \t %s\n' "${DATE}" "${URL}" "${RESULT}" >> "${LOGS}"
        sleep 15
    done
}

# One background loop per URL
while IFS= read -r URL; do
    [ -n "${URL}" ] || continue
    check_url "${URL}" &
done <<< "${LIST_URLs}"

wait    # keep the script running while the background checks run
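To turn the log files into the "200s, 300s, 400s, 500s" availability view the title describes (and a starting point for the alerting on the to-do list), here is an added Python example that is not part of the original post. It parses the line format the script writes (date, URL and first response header line, separated by `;` and tabs), buckets each check by status class, computes per-URL availability and flags URLs whose most recent check was not a 2xx or 3xx. The log lines below are constructed for the example, not real captures:

```python
import re
from collections import defaultdict

# Constructed log lines in the format the bash script writes
# ("DATE; <tab> URL; <tab> first header line"). Not real captures; the
# last line for antoniofeijao.com has an empty result to mimic a timeout.
SAMPLE_LOG = """2023-02-17-1200-00s; \t https://www.antoniofeijao.com/; \t HTTP/2 200
2023-02-17-1200-00s; \t https://www.ntp.pt/; \t HTTP/2 404
2023-02-17-1200-15s; \t https://www.antoniofeijao.com/; \t HTTP/2 200
2023-02-17-1200-15s; \t https://www.ntp.pt/; \t HTTP/2 200
2023-02-17-1200-30s; \t https://www.antoniofeijao.com/; \t HTTP/1.1 301 Moved Permanently
2023-02-17-1200-45s; \t https://www.antoniofeijao.com/; \t HTTP/2 503
2023-02-17-1201-00s; \t https://www.antoniofeijao.com/; \t
"""

# "HTTP/2 200", "HTTP/1.1 301 Moved Permanently", ... -> the three-digit code
STATUS_RE = re.compile(r"^HTTP/\S+\s+(\d{3})")

OK_CLASSES = ("2xx", "3xx")


def parse_line(line):
    """Split one log line into (timestamp, url, status code or None)."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) < 3:
        return None
    timestamp, url, status_line = parts[0], parts[1], parts[2]
    match = STATUS_RE.match(status_line)
    return timestamp, url, (int(match.group(1)) if match else None)


def status_class(code):
    """Bucket a status code as '2xx', '3xx', '4xx', '5xx' or 'no-response'."""
    if code is None:
        return "no-response"
    return f"{code // 100}xx"


def summarize(log_text):
    """Count checks per URL and status class: {url: {'2xx': 2, '5xx': 1, ...}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line) if line.strip() else None
        if parsed is None:
            continue
        _, url, code = parsed
        summary[url][status_class(code)] += 1
    return {url: dict(classes) for url, classes in summary.items()}


def availability(log_text):
    """Fraction of checks per URL that came back 2xx or 3xx."""
    result = {}
    for url, classes in summarize(log_text).items():
        total = sum(classes.values())
        ok = sum(classes.get(c, 0) for c in OK_CLASSES)
        result[url] = ok / total
    return result


def latest_class(log_text):
    """Status class of the most recent check for each URL (log order)."""
    latest = {}
    for line in log_text.splitlines():
        parsed = parse_line(line) if line.strip() else None
        if parsed is not None:
            latest[parsed[1]] = status_class(parsed[2])
    return latest


def alerts(log_text):
    """URLs whose most recent check was not healthy; the candidates for alerting."""
    return sorted(url for url, cls in latest_class(log_text).items()
                  if cls not in OK_CLASSES)


if __name__ == "__main__":
    for url, classes in summarize(SAMPLE_LOG).items():
        print(f"{url}\t{classes}\tavailability={availability(SAMPLE_LOG)[url]:.0%}")
    print("alert:", alerts(SAMPLE_LOG))
```

To use it on real data, concatenate the `*-YYYY-MM-DD.txt` files the script produces and pass the text to `summarize` and `alerts`; the status class, not the exact code, is what the script's title tracks, so a redirect (301) still counts as reachable here.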

Happy learning,

Antonio Feijao

cyberantonioctf