Linux Network Cheatsheet

• arp -ae
• arp -ane
• arp -e

sudo arpwatch -d eth0 # for debugging

captures bandwidth data and provices human readable data

curl -O https://zintis.ops/opening.pdf

analyzes client's ip address, subnet mask, gw, dns etc. Or, renews dhcp lease

• sudo dhclient ens3

• dig -x 55.1.2.3
• dig @8.8.8.8 cbc.ca

obsoletes vmstat, iostat, mpstat, netstat, ifstat used with python to extend its functionality To see real-time system resource statistics, you can use it with no arguments sudo dstat If not already installed sudo dnf install dstat

check settings of your NIC ethtool ens33

host cbc.ca

packet analyzing tool and capture tool. can start hping3 and then run the commands interactively. Useful for penetration testing and works with tcp, udp, icmp protocols.

To capture traffic from your ens33 interface: sudo hping hping recv ens33

Interface stats, bandwidth, or usage, received frames, discarded frames errors, statistics, etc.

• ifstat ens33
• ifstat -z ens33 # to clear the stats to zero.

from ipcisco.com plenty of usages here in addition to addr, like: ip addr show command. With this command, all the interfaces of your device will be on the screen with its networking info.

$ ip addr show

Beside checking, how can we assign an ip address to an interface? It is very simple in Linux. We can use “ip addr add” command to add an ip address to an interface. Let’s add 10.10.10.1 ip address to Ethernet 1.

$ sudo ip addr add 10.10.10.1/24 dev eth1

Like adding, removing an ip address form an interface is done with the same command with a small difference.

$ sudo ip addr del 10.10.10.1/24 dev eth1

If you would like to list all the up links, you can use the below commad:

• $ ip link ls up

List the links that are up.

• $ ip link show dev ens33

You can show the link status of your all your links with

• $ ip link show

You can show the link status of just one device

• $ ip link show eth0

You can show the link status of just one device

• $ ip link show dev ens33

You can show the link status and statistics -s of a device

• $ ip -s link show dev ens33
• ip -c ...

To add colour to any of the ip commands including all the above commands.

Very similar to arp $ ip neigh $ ip -c neigh # with colour

rules in chains

sudo iftop -n # -n to skip resolving ip addresses sudo iftop -n -i ens33

configure wireless interfaces, SSID, frequencies, etc. iwconfig eth0

- netstat -nr for open socket info (numeric)

• netstat by itself is good too to see active internet connections and active unix domain sockets
• netstat -s statistics (gives a nice summary of # of open connections) this should be looked at once a day (minimum)
• netstat -c continuous (pick other options carefully)
• netstat -e extended information
• netstat -p PID info for sockets shown show the PIDs of processes with a connection
• netstat -a all (all sockets displayed, not just default connected sockets)

- netstat -Z show SELinux security context for sockets

• netstat -tanp show =all (meaning listening AND established) tcp (t) sessions numeric (n), and show the processes (p)
• netstat -tan tcp, all (listening and established), numeric
• netstat - s -e | grep ESTAB #notice the space before the s

Give netstat -s a try. It gives you lots of info in a table form.

• netstat -s -s show statitics (second -s supresses all with zero count)
• netstat -b show byte count (in and out) of interface (need to specify -i)
• netstat -d show dropped byte count (in and out) of interface
• netstat -L show listen queues

usual

bandwidth monitoring tools nload devices ens3

check open ports on any device. For security audits. See nmap.org

• nmap
• nmap -sP 192.168.111.12 # ping scan
• nmap -sT 192.168.111.12 # TCP port scan (up to 1000)
• nmap -sT -p 80,443,22 192.168.111.12 # scanning ports 80, 443, and 22
• nmap -sS --script vuln 192.168.111.12 # silent, vuln script scan
• nmap 192.168.111.13 # your own host or others

secure copy to remote hosts. Can copy files and directories. You need scp -r to copy directories.

like scp, secure ftp to a remote host athat support SSH and sftp. Will need to generate ssh keys first.

show detail info on sockets in sue. IT is a securite ftp over Ciscls network. use the -pe option to show the processes in established connections.

usual

• sudo tcpdump -i eth0
• sudo tcpdump -i ens33 –n -s0 -v port 80 -i interface -nn numeric hosts, numeric ports -s0 snap length (of packet captured / trucated ) or size of pkt -v verbose -vv increases detail of output
  • port Only capture traffic on port 80

  -A ascii output (otherwise binary)

  • proto 17 (without the - it is
• sudo tcpdump -i ens33 upd
• sudo tcpdump -i ens33 proto 17
• sudo tcpdump -i ens33 host 172.28.105.3
• sudo tcpdump -i ens33 dst 10.0.55
• sudo tcpdump -i ens33 src 172.28.105.2
• sudo tcpdump -i ens33 -l (force line buffered)
• sudo tcpdump -i ens33 -c (force packet buffered)
• sudo tcpdump -i esn33 -s0 -l port 80 | grep "Server"
• sudo tcpdump -i ens33 -w save-my-capture.pcap
• sudo tcpdump -in ens3 -w save-my-capture.pcap -s0
• sudo tcpdump -in ens3 -w save-my-capture.pcap -c 120

and or && or or or || or not or !

detailed info on socket statistics.

• -l to list listening sockets
• -t for tcp only

- ss -tulpn tcp or udp, processes, listening, numeric - ss -tuepn tcp or udp, processes, established, numeric - ss -tue tcp or udp, established - ss -e established - ss -es established statistics

I find the most useful are -tulpn and -tue

usual

a wireshark utility

• sudo tshark -i ens33
• sudo tshark -D (display all the interfaces we are capturing)

like traceroute, but do not need superuser

usual

check current system activity. ( a longer form of who )

who is on the system

like curl but can do recursive directory tree traversals.

These files may still be there, but they may NOT to be configured directly, because they may be configured by NetworkManager.

First you should verify if NetworkManager is controlling the setup or not. i.e. is it running.

• systemctl status NetworkManager
• systemctl is-enabled NetworkManager

If NetworkManager is running, then you can use the nmcli

• /etc/protocols # list of protocols, i.e. TCP is '6'
• /etc/services # list of ports, i.d telnet is '23' dns is '53'

For changes to the config files to be in effect, you must restart the network services using the command:

sudo systemctl restart NetworkManager

systemctl --state=running

• sudo systemctl status NetworkManager.service
• sudo systemctl stop NetworkManager.service
• sudo systemctl status NetworkManager.service
• sudo systemctl start NetworkManager.service
• sudo systemctl status NetworkManager.service
• sudi systemctl restart NetworkManager.service
• You could also use nmcli to start/stop the network.
• nmcli networking off
• nmcli networking on

Since CentOS uses NetworkManager to make changes, this file is now read-only by the user. It is still a quick way to check what the current DNS server settings are though.

To change DNS use the following:

• sudo nmcli connection
• sudo nmcli connection mod {connetionName} ipv.dns "208.67.222.222 208.67.220.220"

See nmcli connection

This is the command-line tool for controlling NetworkManager.

The NAME field in the output always denotes the connection ID (name). It is not the interface name even though it might look the same.

(From the man pages of nmcli:)

COMMAND := { show | up | down | add | modify | clone | edit |
             delete | monitor | reload | load | import | export }

NetworkManager stores all network configuration as "connections", which are collections of data (Layer2 details, IP , etc.) that describe how to create or connect to a network. A connection is "active" when a device uses that connection's configuration to create or connect to a network. There may be multiple connections that apply to a device, but only one of them can be active on that device at any given time. The additional connections can be used to allow quick switching between different networks and configurations.

Consider a machine which is usually connected to a DHCP-enabled network, but sometimes connected to a testing network which uses static IP addressing. Instead of manually reconfiguring eth0 each time the network is changed, the settings can be saved as two connections which both apply to eth0, one for DHCP (called default) and one with the static addressing details (called testing). When connected to the DHCP-enabled network the user would run nmcli con up default , and when the static network the user would run nmcli con up testing.

To construct a meaningful connection you at the very least need to set the connection.type property (or use the type alias) to one of known NetworkManager connection types:

· ethernet

· wifi

· wimax

· pppoe

· gsm

· cdma

· infiniband

· bluetooth

· vlan

· bond

· bond-slave

· team

· team-slave

· bridge

· bridge-slave

· vpn

· olpc-mesh

· adsl

· tun

· ip-tunnel

Don't overlook this obvious one even on a virtual environment. At the end of the day the packets have to flow off your machine somehow.

Looking at the layer 2 of the OSI model. ip link netstat -i arp -a ip neigh # like arp -a

ip neigh  # on C8host
192.168.111.216 dev virbr0 lladdr 52:54:00:41:fa:57 STALE
192.168.111.200 dev virbr0 lladdr 52:54:ca:fe:be:ef STALE
192.168.111.251 dev virbr0 lladdr 52:54:00:59:5d:be STALE
192.168.2.1 dev ens33 lladdr 40:c7:29:ef:1f:80 DELAY

• netstat -nr
• ip route
• ip route list # these two are the same
• ip route show # these two are the same
• ip route show default # good one to start with
• ip route show table local
• ip route get 172.16.17.18 # shows where to go and from what address (source)
• ip route get 0.0.0.0]
• ip route help

or just

• ip route add default gw 192.168.111.1
• ip route add default via 192.168.128.1 dev ens09 proto static metric 101
• ip route delete default via 10.1.1.1
• ip route add 192.168.111.0/24 via 192.168.128.1 dev ens09
• ip route delete 192.168.111.0/24 via 192.168.128.1
• ip route replace 192.168.168.0/24 via 10.0.2.2 dev enp0s3

ping -4 -c 3 -n 8.8.8.8

dig cbc.ca dig senecacollege.ca dig @192.168.1.1 senecacollege.ca

open a separate terminal window and watch the iptable rule counters while attempting to run whatever does not work: i.e. ping, or ssh, or a webpage

• sudo iptables -L [INPUT] -v -n
• sudo watch -n 2 iptables -L [INPUT] -v -n

sudo dnf upgrade iproute

 ip [ OPTIONS ] OBJECT { COMMAND | help }

 ip [ -force ] -batch filename

 OBJECT := { link | address | addrlabel | *route* | rule | neigh | ntable |
          tunnel | tuntap | maddress | mroute | mrule |  monitor | xfrm |
           netns | l2tp | tcp_metrics | token | macsec }

OPTIONS := { -V[ersion] | -h[uman-readable] | -s[tatistics] | -d[etails] |
             -r[esolve] | -iec |
	     -f[amily] { inet | inet6 | ipx | dnet | link } | -4 | -6 |
	      -I | -D | -B | -0 |
	      -l[oops] { maximum-addr-flush-attempts } | -o[neline] |
             -rc[vbuf] [size] | -t[imestamp] | -ts[hort] | -n[etns] name |
	     -a[ll] | -c[olor] | -br[ief] | -j[son] | -p[retty] }


SHORTCUTS   -4     shortcut for -family inet.

            -6     shortcut for -family inet6.

	    -B     shortcut for -family bridge.

	    -D     shortcut for -family decnet.

	    -I     shortcut for -family ipx.

	    -M     shortcut for -family mpls.

	    -0     shortcut for -family link.

COMMAND      Usually just, *add*, *delete* and *show*.

EXAMPLES    ip addr
            ip neigh
	    ip link set ens33 up
	    ip route


	    ip addr show
	    ip addr show dev ens09
	    ip addr show type bridge
 	    ip -4 a s ens33
	    Use tab completion to see that the above command is really
	    ip -4 address show ens33


	    ip link
	    ip link | grep UP   
	    ip link set ens33 down|up                 # staple command

	    ip addr add 192.168.128.77/24 dev ens09   # this adds a static address
	                                              # to eth1 on the fly
	    ip addr show dev ens09
	    ip addr del 192.168.128.77/24  dev ens09

	    ip addr flush dev ens09   # removes all protocols, not just ipv4

	    ip addr del 192.168.128.77/24 dev ens09   # this removes the static address

	    ip -s link show dev ens09
	    ip -s link show dev ens09  # extra statistics  *good


	    ip route list
	    ip route add default via 192.168.128.1 dev ens09 proto static metric 101
	    ip route list
	    ip route show
	    ip route show table local

Syntax:

• ip route add {NETWORK/MASK} via {GATEWAYIP}
• ip route add {NETWORK/MASK} dev {DEVICE}
• ip route add default {NETWORK/MASK} dev {DEVICE}
• ip route add default {NETWORK/MASK} via {GATEWAYIP}

Before adding the follow route: sudo ip route add 192.168.111.0/255.255.255.0 dev ens3

My vm guest was sending local ip subnet traffic to the default gw. I was getting a icmp redirect from the gw telling my vm to go direct.

After I added the route, this was fixed.

see nmcli.org file:

• sudo nmcli connection modify ens3 ipv4.routes '192.168.111.0/24 192.168.111.11 100'
• nmcli connection modify

but in a nut-shell here, ip route should show you the route that nmcli con mod ens3 ipv4.routes added

I also ran commands such as, editing /etc/sysconfig/network-scripts/route-ens3 but I don't believe that did anything because once I nmcli network off/on to restart the network, it looks like NetworkManager automatically added /etc/sysconfig/network-scripts/route-ens3-1 that looked like this:

ADDRESS0=192.168.111.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.111.13
METRIC0=100

I did not add or edit this file manually, so it was the work of NetworkManager, after I issued the command:

• sudo nmcli con mod ens3 ipv4.route "192.168.111.0/24 192.168.111.13 100"

By the way, .13 is the host's own ip address on ens3 so that packets destined for the local subnet, get out the local .13 interface.

Confirm this

• nmcli networking off
• nmcli networking on

 zintis@c8host /etc/sysconfig/network-scripts $ nmcli connection 
 NAME            UUID                                  TYPE      DEVICE 
 ens33           dae548fd-88f6-4250-ad80-deaebde0104a  ethernet  --     
 seneca-k1001    1f8bb745-52c0-4e0f-af86-6cf0a1a6b2b9  ethernet  --     
 seneca-opendns  f0ed2894-2a3d-411a-aae3-615ee2998b4d  ethernet  --     
 static          f05a8dde-6957-4baa-aa0c-3da268920f78  ethernet  --     

 zintis@c8host /etc/sysconfig/network-scripts $ sudo nmcli networking on

zintis@c8host /etc/sysconfig/network-scripts $ nmcli connection 
 NAME            UUID                                  TYPE      DEVICE 
 ens33           dae548fd-88f6-4250-ad80-deaebde0104a  ethernet  ens33  
 virbr0          359f656e-d089-46d9-9488-b591ee1228be  bridge    virbr0 
 vnet0           0740372b-2b85-4b36-bf79-9ae57bc72c2b  tun       vnet0  
 vnet1           6fd56129-3678-4cd8-8acf-38c579b36c10  tun       vnet1  
 seneca-k1001    1f8bb745-52c0-4e0f-af86-6cf0a1a6b2b9  ethernet  --     
 seneca-opendns  f0ed2894-2a3d-411a-aae3-615ee2998b4d  ethernet  --     
 static          f05a8dde-6957-4baa-aa0c-3da268920f78  ethernet  --     

• ifdown eth0
• ifup eth0 # see script below:

The basic installation of RHEL 8 provides a new version of the ifup and ifdown scripts which call the NetworkManager service through the nmcli tool.

$ which ifup
/usr/sbin/ifup

$ file /usr/sbin/ifup
/usr/sbin/ifup: symbolic link to /etc/alternatives/ifup

$ file /etc/alternatives/ifup
/etc/alternatives/ifup: symbolic link to /usr/libexec/nm-ifup

$ file /usr/libexec/nm-ifup
/usr/libexec/nm-ifup: POSIX shell script, ASCII text executable

$ cat !$
cat /usr/libexec/nm-ifup

    #!/bin/sh
    nmcli connection load "/etc/sysconfig/network-scripts/ifcfg-$1" &&
    exec nmcli connection up filename "/etc/sysconfig/network-scripts/ifcfg-$1"

zintis@c8host /usr/lib/systemd/system $ 

The custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts are not executed.

sudo /etc/init.d/networking restart
sudo /etc/init.d/networking stop
sudo /etc/init.d/networking start

sudo /etc/init.d/network restart
sudo /etc/init.d/network stop
sudo /etc/init.d/network start
sudo service restart network
sudo /etc/init.d/networking restart
sudo /etc/init.d/network restart

In CentOS 8 or RHEL 8 there is no ‘network.service’ which used to serve as a legacy daemon in the earlier version. Because now all network-related commands will utilize NetworkManager Service in the backend.

network and NetworkManager are two separate services that operate network connections. If you have Network Manager running, you won't need network service - they don't work together.'

network is deprecated in RedHat and CentOS

If you use NM_CONTROLLED=no in ifcfg file then you will be unable to bring up interfaces with ‘ifup‘ command.

So, to remove an interface from the control of NetworkManager, edit the ifcfg-eth0 (or whatever the interface in question is called) and add the line : NM_CONTROLLED=no

In that case this interface will be managed by legacy network scripts

• ifconfig Still useful to see config settings.

1. set a new nmcli connection called 'wired' nmcli conn edit con-name wired ethernet # this asked for other parms and I just quit out of it but afterwards, nmcli connection showed this:

         nmcli connection show
NAME                UUID                                  TYPE      DEVICE 
Wired connection 1  4058c455-ff34-3ec2-80fc-e19ca95567b7  ethernet  ens3   
ens3                857dda65-7355-3f5c-8d85-b5c505edda9f  ethernet  --     
wired               9c1d948f-b9d0-49ec-b6a4-f2377fce6914  ethernet  --    

1. However, when I check the connection, it shows that ipv4.address is auto NOT static.

   nmcli connection show
   NAME                UUID                                  TYPE      DEVICE 
   Wired connection 1  4058c455-ff34-3ec2-80fc-e19ca95567b7  ethernet  ens3   
   ens3                857dda65-7355-3f5c-8d85-b5c505edda9f  ethernet  --     
   wired               9c1d948f-b9d0-49ec-b6a4-f2377fce6914  ethernet  --     
   root@vm5/etc/sysconfig/network-scripts[1035]$ 
   nmcli connection show "Wired connection 1"
   connection.id:                          Wired connection 1
   connection.uuid:                        4058c455-ff34-3ec2-80fc-e19ca95567b7
   connection.stable-id:                   --
   connection.type:                        802-3-ethernet
   connection.interface-name:              ens3
   connection.autoconnect:                 yes
   connection.autoconnect-priority:        -999
   connection.autoconnect-retries:         -1 (default)
   connection.multi-connect:               0 (default)
   connection.auth-retries:                -1
   connection.timestamp:                   1588106497
   connection.read-only:                   no
   connection.permissions:                 --
   connection.zone:                        --
   connection.master:                      --
   connection.slave-type:                  --
   connection.autoconnect-slaves:          -1 (default)
   connection.secondaries:                 --
   connection.gateway-ping-timeout:        0
   connection.metered:                     unknown
   connection.lldp:                        default
   connection.mdns:                        -1 (default)
   connection.llmnr:                       -1 (default)
   connection.wait-device-timeout:         -1
   802-3-ethernet.port:                    --
   802-3-ethernet.speed:                   0
   802-3-ethernet.duplex:                  --
   802-3-ethernet.auto-negotiate:          no
   802-3-ethernet.mac-address:             --
   802-3-ethernet.cloned-mac-address:      --
   802-3-ethernet.generate-mac-address-mask:--
   802-3-ethernet.mac-address-blacklist:   --
   802-3-ethernet.mtu:                     auto
   802-3-ethernet.s390-subchannels:        --
   802-3-ethernet.s390-nettype:            --
   802-3-ethernet.s390-options:            --
   802-3-ethernet.wake-on-lan:             default
   802-3-ethernet.wake-on-lan-password:    --
   ipv4.method:                            auto     #### this sould be static.
   ipv4.dns:                               --
   ipv4.dns-search:                        --
   ipv4.dns-options:                       --
   ipv4.dns-priority:                      0
   ipv4.addresses:                         --
   ipv4.gateway:                           --
   ipv4.routes:                            --
   ipv4.route-metric:                      -1
   
   

   So trying to set it to static like so:

   • nmcli connection mod ipv4.method static dev ens3

   but I got this error:

   • Error: unknown connection 'ipv4.method'.

   The follwing did NOT give me an error but ipv4.method was still 'auto'

   • nmcli connection mod ens3 ipv4.method manual

Well, actually I man ifconfig states that this is obsolete, and I should use ip link and ip addr .

• ip -4 address change 192.168.111.15/24 dev ens3

followed by

• ip -4 address del 192.168.111.159/24 dev ens3

Ths worked in the current session. I suspect this is still temporary though.

So, I tried:

• ip address save permanent

Got a funky error: "Not sending a binary stream to stdout"

Rebooted and …. NOT JOY. Still reverted to the dhcp address .159

• ip -4 address change 192.168.111.15/24 dev ens3
• ip -4 address del 192.168.111.159/24 dev ens3

It is possible that the reason it is failing is because the ifcfg file has a hardware address that does NOT match the new (cloned) vm.

Ok, so I fixed that, still NO JOY!!!

Where do I rename the nmcli dev connection? Well, I do not rename it , but I deleted it.

nmcli connection delete "Wired connection 1"
Connection 'Wired connection 1' (4058c455-ff34-3ec2-80fc-e19ca95567b7) successfully deleted.
root@vm5/etc/sysconfig/network-scripts[1019]$ 

nmcli dev
DEVICE  TYPE      STATE      CONNECTION 
ens3    ethernet  connected  ens3       
lo      loopback  unmanaged  --         
root@vm5/etc/sysconfig/network-scripts[1020]$ 

nmcli conn show
NAME  UUID                                  TYPE      DEVICE 
ens3  81b2122e-ec36-3d00-960c-14a0becea150  ethernet  ens3   
root@vm5/etc/sysconfig/network-scripts[1021]$ 

That did the trick!

I also found this bash script for something very similar:

#!/bin/bash 
# customize as necessary 
OLD="Wired connection 1" 
NEW="eth1" 
DEVICE="ens3" 
GATEWAY="192.168.111.1" 
ADDRESS="192.168.111.15/24 ${GATEWAY}" 

nmcli con delete "$OLD" 
nmcli connection add type ethernet con-name "$NEW" ifname "$DEVICE" 
nmcli connection modify "$NEW" ipv4.addresses "$ADDRESS" 
nmcli connection modify "$NEW" ipv4.method manual 
nmcli connection down "$NEW"; nmcli connection up "$NEW" exit 0

Read more: blog.fpmurphy.com

From another discussion

If you don't like the new interface naming convention it is possible to name
interfaces whatever you like.

In /etc/sysconfig/network-scripts/ create a file ifcfg-[desired-name]

Add:

DEVICE=[desired-name] HWADDR=[mac address of the interface] You can add all
the usual settings to this file as well. This will name the interface
whatever you like and pairs it up based on the MAC address of your device.
Centimane's method works also with centos 7 (redhat based).. Big thanks !

I also have in /etc/NetworkManager/NetworkManager.conf for plugings just
plugins=ifcfg-rh , not keyfile.

this is/was the simplest way to change the interface name.. and I googled a
lot!

of course NetworkManager will make a new interface so you have to configure
it again... like disable dhcp from it.. so don't block your self out.

if you put just mac and new name to the ifcfg file NetworkManager will fill
the rest.

Here is a history of the commands I ran on my centos host to create a vrf from the global namespace using veth0 to my tikls1 namespace using veth1:

• ip address
• ip link set ens33 up
• nmcli networking on
• nmcli link show ens33
• nmcli connection
• nmcli general status ens33
• edit /etc/sysconfig/network-scripts/ifcfg-ens33
• nmcli networking off
• nmcli networking on
• edit /etc/resolv.conf to add a nameserver like 8.8.8.8

Of the most useful fields returned from a whois query are:

• NetRange:
• CIDR:
• OrgName:
• Country:

For networks from China:

• inetnum:
• netname:
• descr:
• country:
• address:
• e-mail:

And here is my /etc/resolv.conf file, again, manually edited:

# Generated by NetworkManager
nameserver 172.28.105.2
nameserver 172.28.105.3
# nameserver 208.67.222.222
# nameserver 208.67.220.220

# note: 105.2 and 105.3 are my primary and secondary dns servers for my
# local kvm network.  They do recursive dns lookups to upstream dns
# servers from my dhcp setup on my production network.

In Kali linux /etc/resolv.conf should be written permanently and survive a reboot. If not, the command sudo chattr +i /etc/resolv.conf should fix it.

each interface defined in /etc/netowrk/interfaces can have these options as well, that specify commands that will execute at certain stages of an interfaces state.

These commands will execute either before or after and ifup command is run. Same for if-down etc.

These four directories contain the scripts run in an ifup and ifdown event.

1. /etc/networks/if-pre-up.d
2. /etc/networks/if-up.d
3. /etc/networks/if-down.d
4. /etc/networks/if-post-down.d

See man interfaces for more details.