Network on Ricky

Relay V2Ray Traffic via Cloudflare

Tue, 22 Oct 2024 09:24:08 +0800

Install Script

bash <(wget -qO- -o- https://git.io/v2ray.sh)

Preparation

Add a DNS record now. Name: ai, IPv4 address: your VPS IP. The proxy status must be off, so the cloud icon is gray.

Tip: You can use v2ray ip to view your VPS IP.

Add Relay Configuration

Use v2ray add ws ai.233boy.com to add a vmess-ws-tls configuration; remember to replace ai.233boy.com with your domain.

Google Infra

Tue, 24 Sep 2024 09:04:00 +0800

Google’s 5-generation network architecture in ten years

Everything About MTU and MSS

Wed, 12 Apr 2023 12:48:12 +0800

Everything About MTU and MSS

Monitoring HTTP Requests on a Network Interface in Real Time

Thu, 23 Jun 2022 16:48:42 +0800

Monitoring HTTP Requests on a Network Interface in Real Time

tcpflow

apt/dnf install tcpflow

$ sudo tcpflow -p -c -i wlp0s20f3 port 80 | grep -oE '(GET|POST) .* HTTP/1.[01]|Host: .*'
reportfilename: ./report.xml
tcpflow: listening on wlp0s20f3
GET /alexlarsson/flatpak/ubuntu/dists/focal/InRelease HTTP/1.1

GET /mirrors.txt HTTP/1.1

-p disables promiscuous mode
-c means only print the output to the console and don’t create files
-i specifies the network interface grep receives the output of tcpflow
-o means show only the matching parts of the lines that match the pattern
-E means the pattern is an extended regular expression (ERE)

httpry

https://github.com/jbittel/httpry.git

Tcpdump Usage Summary

Thu, 05 May 2022 13:39:10 +0800

Tcpdump Usage Summary

Command usage

tcpdump uses the command line. The command format is:

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
 [ -C file_size ] [ -F file ]
 [ -i interface ] [ -m module ] [ -M secret ]
 [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
 [ -W filecount ]
 [ -E spi@ipaddr algo:secret, ... ]
 [ -y datalinktype ] [ -Z user ]
 [ expression ]

Simple option notes for tcpdump

-E spi@ipaddr algo:secret , ... can decrypt IPsec ESP packets using spi@ipaddr algo:secret. The secret is the ESP key, expressed as an ASCII string. If it starts with 0x, the key is read as hex. In addition to the syntax above (spi@ipaddr algo:secret), you can append a syntax input filename for tcpdump to use (replace … in spi@ipaddr algo:secret, ... with a syntax filename). This file is opened when the first ESP packet arrives, so it is best to drop some privileges at that time (to reduce risk if the file is malicious).
-T type forces tcpdump to analyze packets according to the protocol structure specified by type. Known type values include:
- aodv (Ad-hoc On-demand Distance Vector protocol, used in Ad hoc peer-to-peer networks)
- cnfp (Cisco NetFlow protocol)
- rpc (Remote Procedure Call)
- rtp (Real-Time Applications protocol)
- rtcp (Real-Time Applications control protocol)
- snmp (Simple Network Management Protocol)
- tftp (Trivial File Transfer Protocol)
- vat (Visual Audio Tool, an application-layer protocol used for video conferencing on the internet)
- wb (distributed White Board, an application-layer protocol for online meetings)

Practical command examples

Capture communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3

Understanding Cilium Series (1): Introduction to Cilium

Tue, 21 Dec 2021 13:04:38 +0800

Understanding Cilium Series (1): Introduction to Cilium

Current status of k8s Service load balancing implementations

Before Cilium, Services were implemented by kube-proxy in three modes: userspace, iptables, and ipvs.

Userspace

In this mode, kube-proxy acts as a reverse proxy and listens on random ports. It redirects traffic to the proxy port via iptables rules, and kube-proxy forwards the traffic to backend pods. Service requests go from user space into kernel iptables and then back to user space, which is costly and has poor performance.

Kubernetes Without kube-proxy

Mon, 20 Dec 2021 17:57:13 +0800

Kubernetes Without kube-proxy

Quick-Start

kubeadm init --skip-phases=addon/kube-proxy

# Setup Helm repository
helm repo add cilium https://helm.cilium.io/


helm install cilium cilium/cilium --version 1.9.18 \
 --namespace kube-system \
 --set kubeProxyReplacement=strict \
 --set k8sServiceHost=REPLACE_WITH_API_SERVER_IP \
 --set k8sServicePort=REPLACE_WITH_API_SERVER_PORT

Cloudflare Traffic sequence

Wed, 03 Nov 2021 13:11:29 +0800

Traffic sequence

Traffic to your application runs through the following sequence on Cloudflare’s edge:

DDoS
URL Rewrites
Page Rules
IP Access Rules
Bots
Firewall Rules
Rate Limiting
Managed Rules
Header Modification
Access
Workers

What happens after you type a URL in the browser and press Enter?

Sun, 18 Jul 2021 23:45:45 +0800

What happens after you type a URL in the browser and press Enter?

Day 19 BGP Protocol (1)

Wed, 30 Dec 2020 20:00:33 +0800

Set interface IP with netplan on Ubuntu 18.04

Fri, 18 Sep 2020 13:00:05 +0800

Set interface IP with netplan on Ubuntu 18.04

Following the notes above, check /etc/netplan and open /etc/netplan/50-cloud-init.yaml:

# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
 ethernets:
 ens192:
 dhcp4: true
 ens224:
 dhcp4: true
 version: 2

It looks like you can disable cloud network, but I do not use cloud-init, so remove it:

BIRD and BGP: a beginner's kickoff

Mon, 22 Jun 2020 09:38:55 +0800

Aliyun CDN Cache Rules

Tue, 12 May 2020 21:51:55 +0800

Fighting ISP Cache Hijacking Again with iptables

Mon, 07 Oct 2019 10:41:08 +0800

Fighting ISP Cache Hijacking Again with iptables

Cause

The fight against the carrier cache problem started two years ago. The carrier even cached cnpm data. Worse, their cache servers were not only slow like a turtle in a marathon, they also crashed frequently, so I just wanted to write code but had to face a wall of red errors.

Fix

iptables -I FORWARD -p tcp -m tcp -m ttl --ttl-gt 20 -m ttl --ttl-lt 30 -j DROP

Simulate Network Anomalies with TC and Netem

Sat, 15 Sep 2018 16:17:26 +0800

Simulate Network Anomalies with TC and Netem

Netem and TC brief overview

Netem is a network emulation module provided by Linux 2.6 and later kernels. It can be used on a good LAN to simulate complex Internet transmission performance, such as low bandwidth, latency, packet loss, and so on. Many Linux distributions with kernel 2.6+ enable this module by default, such as Fedora, Ubuntu, Redhat, OpenSuse, CentOS, Debian, etc.

TC is a user-space tool in Linux, short for Traffic Control. TC controls the operating mode of the Netem module. In other words, to use Netem you need at least two conditions: the Netem module must be enabled in the kernel, and the corresponding user-space tool TC must be available.

Quagga Routing - Install, Configure and setup BGP

Tue, 14 Aug 2018 22:13:12 +0800

Quagga Routing - Install, Configure and setup BGP

Best V2Ray One-Click Install & Management Script

Thu, 08 Feb 2018 10:56:54 +0800

Representative HTTP Status Codes

Fri, 15 Dec 2017 15:33:14 +0800

Representative HTTP Status Codes

Switch notes

Sat, 25 Nov 2017 11:47:37 +0800

Switch

Switches are usually L2 devices

They forward packets only to the destination host (based on the MAC table), which reduces collisions and eavesdropping. Switches can also handle packets arriving at the same time, while hubs cannot.

Hubs are L1 devices

They forward packets from any host to all connected hosts, so collisions happen and cause random retries.

MAC Table

Learning
- A packet arrives on some port (network A) from MAC X destined for MAC Y. The switch records that MAC X is on network A. This is called learning.
Flooding
- The switch does not yet know where MAC Y is, so it forwards the packet to all networks except A. This is called flooding.
Forwarding
- The host with MAC Y receives the packet and sends an ACK to MAC X. The switch records that MAC Y is on that network, then forwards the ACK to MAC X. This is forwarding.
Filtering
- The switch receives a packet and finds that the source and destination MACs are on the same network, so it drops the packet. This is filtering.
Aging
- Each MAC-table entry has a timestamp of last access. Entries older than a threshold (configurable) are removed. This is aging.

Vlan

Switch interfaces must support 802.1Q

Juniper notes

Thu, 23 Nov 2017 16:00:00 +0800

[Juniper Firewall] tunnel

ACG icare@TWCHIJF01# show | compare rollback 4

[edit security policies]
 from-zone DB_12 to-zone TCT_Office { ... }
+ from-zone DB_12 to-zone JC32 {
+ policy For_Backup {
+ match {
+ source-address DB_10.11.12.0/24;
+ destination-address BACKUP_10.32.32.130;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
[edit security zones security-zone DB_12 address-book]
 address DB_10.11.12.57 { ... }
+ address DB_10.11.12.0/24 10.11.12.0/24;
[edit security zones]
 security-zone ESB_15 { ... }
+ security-zone JC32 {
+ address-book {
+ address BACKUP_10.32.32.130 10.32.32.130/32;
+ }
+ host-inbound-traffic {
+ system-services {
+ ping;
+ }
+ }
+ interfaces {
+ gr-0/0/0.32;
+ }
+ }
[edit interfaces gr-0/0/0]
+ unit 32 {
+ description To_JC32_DBBackup;
+ tunnel {
+ source 202.168.193.128;
+ destination 218.253.210.8;
+ }
+ family inet {
+ address 10.32.0.101/30;
+ }
+ }
[edit routing-options static]
 route 0.0.0.0/0 { ... }
+ route 10.32.32.130/32 next-hop 10.32.0.102;

set security policies from-zone DB_12 to-zone JC32 policy For_Backup match source-address DB_10.11.12.0/24
set security policies from-zone DB_12 to-zone JC32 policy For_Backup match destination-address BACKUP_10.32.32.130
set security policies from-zone DB_12 to-zone JC32 policy For_Backup match application any
set security policies from-zone DB_12 to-zone JC32 policy For_Backup then permit
set security zones security-zone DB_12 address-book address DB_10.11.12.0/24 10.11.12.0/24
set security zones security-zone JC32 address-book address BACKUP_10.32.32.130 10.32.32.130/32
set security zones security-zone JC32 host-inbound-traffic system-services ping
set security zones security-zone JC32 interfaces gr-0/0/0.32
set interfaces gr-0/0/0 unit 32 description To_JC32_DBBackup
set interfaces gr-0/0/0 unit 32 tunnel source 202.168.193.128
set interfaces gr-0/0/0 unit 32 tunnel destination 218.253.210.8
set interfaces gr-0/0/0 unit 32 family inet address 10.32.0.101/30
set routing-options static route 10.32.32.130/32 next-hop 10.32.0.102

icare@TWCHIJF01> show configuration | compare rollback 1

Data Center Notes

Tue, 24 Oct 2017 23:17:33 +0800

First NIC - blue cable

Second NIC - green cable

Switch interconnect - white cable

Yellow, red

Storage has disk arrays and heavy data transfer, so it uses fiber connections and fiber switches.

Fiber colors:

Multi-mode or single-mode fiber

Single-mode fiber is yellow. Multi-mode fiber (50μm or 62.5μm) is usually orange. 10GB multi-mode fiber is usually aqua.

Common spec distinctions:

OS1, OS2, 9µm, 9/125 = single-mode fiber
OM1, 62.5µm, 62.5/125 = 62.5 multi-mode fiber
OM2, 50µ, 50/125 = 50 multi-mode fiber
OM3, 10GB, 50µm, 50/125 = 10GB multi-mode fiber
OM4, 100GB, 50µm, 50/125 = 100GB multi-mode fiber

Fiber structure

Route notes

Sat, 16 Sep 2017 15:00:00 +0800

Router - a device that is good at computing routing tables, an L3 device.

Routing Table

A NIC with one IP naturally has two routes and they cannot be changed. 192.168.1.1/24
- Itself. Local route / Host route: 192.168.1.1/32
- The whole subnet. Direct route / Connect route: 192.168.1.0/24
You can add as many static routes as you want.
- 172.10.10.10/24 -> 192.168.1.2
- 2.2.2.2/26 -> 192.168.1.9
- …
Default route - only one gateway.
- 0.0.0.0/0 -> 192.168.1.10
More specific routes take precedence.
BGPv4

Arp notes

Sun, 03 Sep 2017 15:00:00 +0800

Before a packet is sent

Look up the MAC for the IP in the ARP table
- MAC found - encapsulate
- No MAC - broadcast
  - Same subnet - OK
  - Different subnet - look up the router MAC in the ARP table
    - Found - OK
    - Not found - broadcast