I want to have a generic shell script which will check network connectivity between two hosts.
I wrote shell script with host and nslookup command to get the more details of target host, with these command I can't determine if current host can talk to target host.
Also I can't use(restricted) ping command , I was wondering if can use some other command to check network connectivity betweenn two hosts
Please suggest
Given a target host to determine if source host can communicate to target host
This is too vague to be useful. To solve this problem, you need to nail down what you mean by "communicate." A host may be able to send ICMP but not TCP. It may be able to send TCP but not ICMP. It may be able to send TCP to port 80, but not to 22. It may be able to send HTTP to port 80, but not SSH to port 80. Packets you send may return an error, or they may be silently dropped. The endpoint may receive your packets, but not process them. It may process them but not respond to you. There are many levels of "communicate."
So the best thing to test with is the thing you actually want to do. So if you want to communicate with HTTP over port 80, the best test is to do that. In fact, the best test is to just do the thing you wanted to do and not check beforehand. You're going to have to deal with errors no matter way. Just because you checked beforehand doesn't mean your actual attempt will be successful.
But sometimes you do just want to check "connectivity" (for some value of "connectivity") for monitoring purposes. In that case, again, do the thing you want. The easiest shell tool for checking HTTP connectivity is to fetch something with curl. If you need some other port, then a very nice generic solution is netcat (often called nc). I like:
nc -G 1 <host> <port> </dev/null
A return code of 0 means it connected; 1 means it failed.
For more esoteric issues, you can use nmap or even hping to craft about anything you want.
But most of the time, you shouldn't check at all. And if you do check, check with the thing you really want to do.
Related
This feels like a basic question, I'm sure other people needed something like this at some point however I couldn't find anything clear on this topic and I'm not very familiar to networking so I hope following makes sense (and sorry if I am butchering the terminology)
I often need to connect to a VPN server at work. At the moment I am using Cisco AnyConnect, which upon connection asks me the host server, my username, my password and routes all my traffic through the VPN afterwards.
The problem is, depending on what I'm doing I often need to jump back and forth to VPN (some applications need local network and others dont)
What would be perfect is to create one VPN connection and just keep it on a port without routing anything to it. Then I can use it as a proxy to selectively route my traffic through VPN (eg. I override http_proxy locally on one terminal instance and run applications that require VPN through there without having to jump back and forth). Furthermore if I create this connection from the terminal I can automate most of the process, with something like:
function callExecutableThroughVPN() {
if ! is_connected_to_vpn then
echo "coulnt find the vpn connection, will attempt to connect. enter password:"
# get password input here
setup_vpn_on_port_9876 # pass password input here
echo "setting proxy to 127.0.0.1:9876"
http_proxy=127.0.0.1:9876/
https_proxy=127.0.0.1:9876/
fi
./executable_that_need_vpn
}
Then I can simply stay on my network and use a wrapper like above for few processes that require their traffic re-routed.
So in summary, my question is: Is it possible to create a single VPN process through terminal to listen a local port, so I dont have to route all my traffic at once, and I can simply kill this process when I'm done
I recommend using SSH tunnel/Socks Proxy (see ssh -D) and tsocks wrapper. For http(s) proxies I recommend the proxychains tool.
I am setting up port scanner for remote server in my application using Go. I am using DialTimeout function in Go net package to check whether a remote host port is opened or not. The result is fine with success case. But, if i/o timeout happens, I need to identify whether
The port is closed (No service is running) or
Port is blocked (Firewall filtered) or
Due to internet connectivity down in local system where the application is running.
Have tried nmap cli command, I can able to differentiate those failure 3 cases exactly.
nmap command tried: nmap -sA -p port_number host_ip
I found a Go 3rd party libray to use nmap.
But, I don't want to use nmap in my application. Are there any other alternatives in Go to exactly differentiate those 3 cases?
In the simple world
Lets assume you want to scan a Linux system.
If you get an ICMP message type 3 code 3, the firewall explicitly told you:
Hi, I am the firewall of your target host. The host is running. I hereby inform you that you (potentially amongst others) can not access this port. So now that you know you should quit your connection attempts. However, I won't tell you wether it is because there is no service running behind it (in which case my response is simply a courtesy) or because I was told to deny you access. Goodbye!
The port is closed if you do not get above answer and can not make a connection. I hence strongly advice to use context.WithTimeout to make a connection.
In the real world
However, this only applies if the admin of the target host did not change the ICMP message type to respond with - or chose just to drop any packets coming from sources which are not allowed to access the respective service. In the latter case, there is no way for you to know wether the port is closed or filtered.
All of the above only applies if we are talking of an iptables based firewall on the target system with default settings.
Now assume something which is by far more likely: A border firewall plus a local firewall. The border firewall might send other ICMP messages (or, again, simply drop your packages). Those rules apply additionally to the rules of the local firewall. So it is a misconception that you are actually scanning a host. It is more accurate to say that you scan the services reachable via a specific IP.
EDIT
Why would one send an ICMP message explicitly rejecting connection attempts?
There are various reasons to come to that decision. There is a good answer on serverfault.com
Is it possible to listen on a port and run a command when a user attempts to connect to that port? Ideal application is for a server that should only be run when someone is actually using it. Windows or Linux solutions work.
linux/unix:
man nc
NAME
nc - TCP/IP swiss army knife
some options that you may be interested
-l listen mode, for inbound connects
-p port local port number (port numbers can be individual or ranges: lo-hi [inclusive])
-e prog specify program to exec after connect (use with caution)
i think nc is also available under windows platform.
One solution could be via inetd or xinetd, specify the port number and a program to run, for you probably a shell script.
I am note sure what is the exact scope of a question but if bound to the programming-level, you could write your server in a way that when nobody is using it, no resources apart from the listening part are allocated. I would call it lazy initialization. When someone connects simply initialize the whole logic of your program. When all connections are gone, deinitialize everything.
I have been trying to find some way of redirecting outbound TCP packets under windows, but so far have not been successful. Does anyone know of any software/code bit that would do something like that?
I am not even sure it is possible with the windows stack.
I am looking at doing something similar to what "-j REDIRECT" is to iptables.
EDIT: to be more precise, what needs to be done here, is to transparently(ie without the original application having to do anything) redirect outgoing tcp packet with a certain destination port to a specific ip.(alternatively redirecting them to a local port would be fine too since I can then just use something like rinetd or any port forwarder)
Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running.
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
see BarbaTunnel here and use its port redirecting
BarbaTunnel project
I'm trying to see the results of an incoming ping on a target windows machine. This is needed to verify that the ping, which is running in a background thread, is being sent from the originator.
I have tried netstat to no avail. Are there any other approaches I could try?
Thanks.
Ping is an ICMP packet and doesn't create a TCP connection (hence you won't see it in netstat). On Linux, I'd add a rule to the firewall.
The most simple solution for your case might be to open a connection and close it. That will add it to the output of netstat with WAIT_CLOSE.
As Aaron Digulla already noted, ping is ICMP. This also means the originator even less trustable then with TCP; there's no SYN/ACK handshake. You just get an IP packet on your host, and you have to trust the header fields. Anyone can spoof those header fields, with almost no restrictions (It might be a bit challenging to get an IP claiming to come from 127.0.0.1 past a router)
Therefore, ICMP is not suitabel for verification tasks. You need a challenge/response protocol. TCP works reasoanbly well as long as you can trust the network but not necessarily all hosts on it (a reasonable assumption for the Internet. Not strong enough for financial transactions, which is why they use SSL)