netstat Issues with IPv4/6

🎃 kr0m

Some tools, such as netstat, are not fully adapted to operate in a dual IPv4/6 stack. If netstat is compiled without IPv6 support, it will only show partial information, hiding mixed sockets that are listening on both IPv4 and IPv6.

This poses a problem for a system administrator as they are unable to see the complete network status.

To compile net-tools without IPv6 support:

USE="-ipv6" emerge -av sys-apps/net-tools

Check the listening sockets:

netstat -nputa|grep LISTEN

tcp        0      0 0.0.0.0:32002           0.0.0.0:*               LISTEN      5451/sshd           
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      4124/php-fpm: maste 
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      5653/python     

Now recompile it with IPv6 support:

USE="ipv6" emerge -av sys-apps/net-tools

netstat -nputa|grep LISTEN

tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      20867/nginx: master 
tcp        0      0 0.0.0.0:32002           0.0.0.0:*               LISTEN      5451/sshd           
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      4124/php-fpm: maste 
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      5653/python         
tcp6       0      0 :::8000                 :::*                    LISTEN      20062/apache2       
tcp6       0      0 :::18080                :::*                    LISTEN      11286/docker-proxy  
tcp6       0      0 :::32002                :::*                    LISTEN      5451/sshd           
tcp6       0      0 :::80                   :::*                    LISTEN      11370/docker-proxy  

As we can see, sockets that were not previously listed have appeared. This is because the software in question binds to both IPv6 and IPv4, creating mixed sockets.

Interestingly, this does NOT happen with sys-apps/iproute2. Compile iproute2 without IPv6 support:

USE="-ipv6" emerge -av sys-apps/iproute2

ss -lpunt|grep LISTEN

tcp     LISTEN   0        128              0.0.0.0:8001           0.0.0.0:*                                                                                     
tcp     LISTEN   0        128              0.0.0.0:32002          0.0.0.0:*                                                                                     
tcp     LISTEN   0        128            127.0.0.1:9000           0.0.0.0:*                                                                                     
tcp     LISTEN   0        5                0.0.0.0:5555           0.0.0.0:*      users:(("python",pid=5653,fd=3))                                               
tcp     LISTEN   0        128                    *:8000                 *:*                                                                                     
tcp     LISTEN   0        128                    *:18080                *:*                                                                                     
tcp     LISTEN   0        128                 [::]:32002             [::]:*                                                                                     
tcp     LISTEN   0        128                    *:80                   *:*                               

We can see that it also shows the mixed sockets (the lines for ports 8000, 18080, 32002 on [::] and 80, highlighted in red in the original page).

If we compile it with IPv6 support, the output remains the same:

USE="ipv6" emerge -av sys-apps/iproute2

ss -lpunt|grep LISTEN

tcp     LISTEN   0        128              0.0.0.0:8001           0.0.0.0:*                                                                                     
tcp     LISTEN   0        128              0.0.0.0:32002          0.0.0.0:*                                                                                     
tcp     LISTEN   0        128            127.0.0.1:9000           0.0.0.0:*                                                                                     
tcp     LISTEN   0        5                0.0.0.0:5555           0.0.0.0:*      users:(("python",pid=5653,fd=3))                                               
tcp     LISTEN   0        128                    *:8000                 *:*                                                                                     
tcp     LISTEN   0        128                    *:18080                *:*                                                                                     
tcp     LISTEN   0        128                 [::]:32002             [::]:*                                                                                     
tcp     LISTEN   0        128                    *:80                   *:*                                                       

For this reason, I recommend using tools like iproute2 instead of net-tools; otherwise, an attacker with root access could potentially hide malicious connections.
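To check the listening sockets without depending on how netstat was built, the kernel tables /proc/net/tcp and /proc/net/tcp6 can be read directly. The following is an added example, not code from the original article: the sample tables are constructed from the ports in the output above, the function names are hypothetical, and the address decoder assumes a little-endian host.

```python
import ipaddress
import struct

LISTEN = "0A"  # TCP_LISTEN state code in /proc/net/tcp and /proc/net/tcp6
# Constructed samples in procfs format (columns after "st" omitted), modelled
# on the ports in the article's output; addresses as on a little-endian host.
SAMPLE_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:7D02 00000000:0000 0A
   1: 0100007F:2328 00000000:0000 0A
   2: 00000000:15B3 00000000:0000 0A
   3: 0100007F:2328 0100007F:C350 01
"""
Z = "0" * 32  # the unspecified IPv6 address "::" as procfs prints it
SAMPLE_TCP6 = f"""\
  sl  local_address remote_address st
   0: {Z}:1F40 {Z}:0000 0A
   1: {Z}:46A0 {Z}:0000 0A
   2: {Z}:7D02 {Z}:0000 0A
   3: {Z}:0050 {Z}:0000 0A
"""

def decode_addr(hex_addr):
    """Convert procfs hex (32-bit words in host byte order) to a text address."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack(f"<{len(raw) // 4}I", raw)
    return str(ipaddress.ip_address(struct.pack(f">{len(words)}I", *words)))

def listeners(text, proto):
    """Return {(proto, address, port)} for every socket in LISTEN state."""
    found = set()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN:
            addr, port = fields[1].rsplit(":", 1)
            found.add((proto, decode_addr(addr), int(port, 16)))
    return found

def ipv6_only_ports(tcp_text, tcp6_text):
    """Ports with a tcp6 listener but no tcp listener (absent from an IPv4-only view)."""
    v4_ports = {port for _, _, port in listeners(tcp_text, "tcp")}
    return sorted({p for _, _, p in listeners(tcp6_text, "tcp6")} - v4_ports)

if __name__ == "__main__":
    try:  # live kernel tables on Linux, otherwise the constructed samples
        tcp, tcp6 = open("/proc/net/tcp").read(), open("/proc/net/tcp6").read()
    except OSError:
        tcp, tcp6 = SAMPLE_TCP, SAMPLE_TCP6
    print(*sorted(listeners(tcp, "tcp") | listeners(tcp6, "tcp6")), sep="\n")
    print("no IPv4 listener on ports:", ipv6_only_ports(tcp, tcp6))
```

With the constructed samples, ports 80, 8000 and 18080 are reported as having no IPv4 listener, matching the apache2 and docker-proxy lines that the netstat build without IPv6 support did not show.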
