Administração de Sistemas (ASIST). TP 3 (English version) LINUX – Network administration. Network interfaces.
Network interfaces

A network interface is a set of hardware components that provides a physical connection to a given network infrastructure. In relation to the OSI layer model, a network interface implements layers 1 and 2, thus providing both the physical and the logical link. When the Linux kernel detects a network interface, an appropriate label is attached to that interface for future reference. Because several interfaces of the same kind may exist, a number starting at zero is appended to the label. For instance, Ethernet interfaces will have labels like eth0, eth1, eth2, ..., in the order they are detected by the kernel. In order for the kernel to be able to detect a network interface (or any other hardware), support for it (a driver) must be compiled in, possibly as a kernel module.
Network interface administration - ifconfig

The ifconfig command is the standard Unix command to directly manage network interfaces.

-bash-3.00$ /sbin/ifconfig --help
Usage:
  ifconfig [-a] [-v] [-s] <interface> [[<AF>] <address>]
  [add <endereço>[/<tam_prefixo>]]
  [del <endereço>[/<tam_prefixo>]]
  [[-]broadcast [<endereço>]]  [[-]pointopoint [<endereço>]]
  [netmask <endereço>]  [dstaddr <endereço>]  [tunnel <endereço>]
  [outfill <NN>] [keepalive <NN>]
  [hw <HW> <endereço>]  [metric <NN>]  [mtu <NN>]
  [[-]trailers]  [[-]arp]  [[-]allmulti]
  [multicast]  [[-]promisc]
  [mem_start <NN>]  [io_addr <NN>]  [irq <NN>]  [media <tipo>]
  [txqueuelen <NN>]
  [[-]dynamic]
  [up|down] ...

The argument <AF> (address family) identifies the network protocol stack to use; the current default value is inet, which means IPv4. Other supported values include inet6 and ipx. The form of many other arguments depends on the AF argument.
Routing table management - route

The route command can be used to display and manage the kernel routing table. The routing table is critical: based on it, the kernel decides what to do with each network packet it has to handle.

/sbin/route [ add | del ] [ -net | -host ] [ REDE/IP-DESTINO ] [ netmask MÁSCARA-DE-REDE ] [ gw GATEWAY ] [ [dev] INTERFACE ]

Without arguments the route command displays the current routing table:

[root@server ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.16.2     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.16.16.4     0.0.0.0         255.255.255.255 UH    0      0        0 ppp2
193.136.62.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.62.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1.7
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1.6
172.22.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1.5
172.24.0.0      192.168.62.7    255.252.0.0     UG    0      0        0 eth0.3
172.28.0.0      192.168.62.8    255.252.0.0     UG    0      0        0 eth0.3
0.0.0.0         193.136.62.1    0.0.0.0         UG    0      0        0 eth0
IPv4 configuration of a network interface

To configure an IPv4 network interface only two pieces of data are required: the IPv4 address to use and the network mask. The other IPv4 parameters can be derived from these two:

  IPv4 address + network mask  ->  broadcast address
  IPv4 address + network mask  ->  local network address, which with the mask gives the routing table entry

Even though this data is insufficient for the normal networking functions of the operating system, from the interface configuration point of view it's all that is required.

-bash-3.00$ /sbin/ifconfig eth0 192.168.111.150 netmask 255.255.255.0
-bash-3.00$ /sbin/route add -net 192.168.111.0 netmask 255.255.255.0 eth0
-bash-3.00$ /sbin/ifconfig eth0
eth0      Link encap:Ethernet  Endereço de HW 00:0C:29:FE:E7:F8
          inet end.: 192.168.111.150  Bcast:192.168.111.255  Masc:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Métrica:1
          RX packets:243766872 errors:0 dropped:0 overruns:0 frame:0
          TX packets:249142107 errors:0 dropped:0 overruns:0 carrier:0
          colisões:0 txqueuelen:1000
          RX bytes:3379540387 (3.1 GiB)  TX bytes:1843450578 (1.7 GiB)
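As an added example (not from the course slides), a small POSIX shell script that performs the derivation described above: from an address and a mask it computes the network address, the broadcast address and the prefix length, rejects a mask that is not a contiguous run of ones, and prints the equivalent ifconfig/route and ip commands. The function names (ip2int, int2ip, mask2prefix, ipv4_network, ipv4_broadcast, ipv4_plan) are ours.

```shell
#!/bin/sh
# Derive the IPv4 parameters that follow from an address + netmask pair.
# Constructed example; the helper names are ours, not course material.

ip2int() {                      # dotted quad -> 32-bit integer
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

int2ip() {                      # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length of a netmask; fails when the mask is not a run of ones followed
# by zeros (e.g. 255.0.255.0), because such a mask has no /N representation.
mask2prefix() {
  m=$(ip2int "$1"); n=0
  while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
    n=$(( n + 1 ))
  done
  [ $(( m & (0xFFFFFFFF >> n) )) -eq 0 ] || return 1
  echo "$n"
}

ipv4_network()   { int2ip $(( $(ip2int "$1") & $(ip2int "$2") )); }
ipv4_broadcast() { int2ip $(( $(ip2int "$1") | (~$(ip2int "$2") & 0xFFFFFFFF) )); }

# Print the commands that configure interface $3 with address $1 and mask $2,
# first in ifconfig/route form, then in ip form.
ipv4_plan() {
  p=$(mask2prefix "$2") || { echo "invalid netmask: $2" >&2; return 1; }
  net=$(ipv4_network "$1" "$2"); bc=$(ipv4_broadcast "$1" "$2")
  echo "/sbin/ifconfig $3 $1 netmask $2 broadcast $bc"
  echo "/sbin/route add -net $net netmask $2 dev $3"
  echo "/sbin/ip addr add $1/$p broadcast + dev $3"
}

ipv4_plan 192.168.111.150 255.255.255.0 eth0
```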
ip command

The newer ip command gathers the functions that were scattered across several network administration commands, such as ifconfig and route, and adds some other capabilities.

/sbin/ip [ ... ] [ link | addr | route | rule | neigh | tunnel | maddr | mroute | monitor | xfrm ] ...

With the ip command, the previous demonstration would be:

-bash-3.00$ /sbin/ip addr add 192.168.111.150/24 broadcast + dev eth0
-bash-3.00$ /sbin/ip route add 192.168.111.0/24 dev eth0
-bash-3.00$ /sbin/ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0C:29:FE:E7:F8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.150/24 brd 192.168.111.255 scope global eth0

# /sbin/ip route show
172.16.16.11 dev ppp9  proto kernel  scope link  src 172.16.16.1
172.16.16.10 dev ppp8  proto kernel  scope link  src 172.16.16.1
193.136.62.0/24 dev eth0  proto kernel  scope link  src 193.136.62.11
192.168.62.0/24 dev eth0.3  proto kernel  scope link  src 192.168.62.11
172.18.0.0/16 dev eth1.7  proto kernel  scope link  src 172.18.0.1
default via 193.136.62.1 dev eth0
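As an added example (not part of the slides), the following shell script replays the decision the route section above attributes to the kernel: it embeds the `route` table shown there as constructed data and, for a destination address, picks the matching entry with the longest mask, which is how a host route, a network route and the default route are told apart. The names route_lookup and ip2int are our own helpers.

```shell
#!/bin/sh
# Longest-prefix match over the routing table from the slide (constructed
# copy of the `route` output; helper names are ours, not course material).
ROUTE_TABLE='172.16.16.2 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
172.16.16.4 0.0.0.0 255.255.255.255 UH 0 0 0 ppp2
193.136.62.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.62.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.3
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1.7
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1.6
172.22.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
172.23.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1.5
172.24.0.0 192.168.62.7 255.252.0.0 UG 0 0 0 eth0.3
172.28.0.0 192.168.62.8 255.252.0.0 UG 0 0 0 eth0.3
0.0.0.0 193.136.62.1 0.0.0.0 UG 0 0 0 eth0'

ip2int() {                      # dotted quad -> 32-bit integer
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# How the table forwards a packet to $1, in `ip route get` style: "via GW dev
# IFACE" for a gateway route, "dev IFACE" for a directly attached network,
# "unreachable" when not even a default route matches.
route_lookup() {
  dest=$(ip2int "$1"); best=-1; answer="unreachable"
  while read -r dst gw mask flags metric ref use iface; do
    [ -n "$dst" ] || continue
    m=$(ip2int "$mask")
    # an entry matches when the destination, masked, equals its network
    [ $(( dest & m )) -eq "$(ip2int "$dst")" ] || continue
    # contiguous masks sort numerically by prefix length, so the largest
    # matching mask is the most specific route; the default route (mask
    # 0.0.0.0) matches everything but only wins when nothing else does
    if [ "$m" -gt "$best" ]; then
      best=$m
      if [ "$gw" = "0.0.0.0" ]; then answer="dev $iface"
      else answer="via $gw dev $iface"; fi
    fi
  done <<EOF
$ROUTE_TABLE
EOF
  echo "$answer"
}

for host in 172.16.16.2 172.24.5.1 172.18.44.1 8.8.8.8; do
  echo "$host: $(route_lookup "$host")"
done
```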
Default route

Only the destination networks referenced in the routing table will be reachable by the system. Of course, holding an entry for each network on the Internet is impossible. However, except for the local networks, all others would have a route pointing in the same direction: the Internet. If so, all these routes can be gathered in a single line of the routing table: the default route. The router that provides access to the other networks is called the default router or default gateway.

[Figure: ROUTER 1 connects networks A and B, and ROUTER 2 connects networks C and D, to the INTERNET (all other networks).]

"Router 1" will be the default gateway for networks A and B. "Router 2" will be the default gateway for networks D and C.
Multiple addresses on a single interface

Up to kernel version 2.4, support for multiple addresses on a single network interface was known as "ip alias": a number was appended to the interface name in the form ":n". For instance, eth0:0 and eth0:1 are "ip aliases" of interface eth0; each alias has its own address, independent from the eth0 interface address. Newer kernels support this feature natively: the "ip addr add ..." command allows several addresses to be attached to the same interface. To keep backward compatibility with the "ifconfig" command, a compatible label can be added with the "ip" command.

[root@server]# /sbin/ip address add 192.168.199.35/24 brd + dev eth0
[root@server]# /sbin/ip address add 192.168.199.37/24 brd + dev eth0 label eth0:0
[root@server]# /sbin/ip address show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:c8:f8:4a:51 brd ff:ff:ff:ff:ff:ff
    inet 192.168.199.35/24 brd 192.168.199.255 scope global eth0
    inet 192.168.199.37/24 brd 192.168.199.255 scope global secondary eth0:0
[root@server]# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:80:C8:F8:4A:51
          inet addr:192.168.199.35  Bcast:192.168.199.255  Mask:255.255.255.0

eth0:0    Link encap:Ethernet  HWaddr 00:80:C8:F8:4A:51
          inet addr:192.168.199.37  Bcast:192.168.199.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
VLAN support

Multiple IP aliases are defined at the network level (for instance IPv4); virtual LANs, on the other hand, are established at a lower level. VLANs are created at the logical link level (for instance Ethernet): each VLAN shares the same physical medium but is independent from the other VLANs, and packets don't get mixed. VLAN packets don't get mixed because they are labeled with a tag; IEEE 802.1q defines how the label is stored in layer 2 frames. The VLAN identifier (label/tag) is a 12-bit number (0 to 4095).

The "vconfig" command can be used to create a VLAN on an existing interface:

[root@server]# /sbin/vconfig add eth0 9          (9 is the VLAN ID)

After running the command above a new interface will be available, eth0.9: all frames sent by the eth0.9 interface carry the IEEE 802.1q tag with the label "9". Equally, this interface only receives frames whose IEEE 802.1q label has the value "9". To remove a VLAN the same command can be used:

# /sbin/vconfig rem eth0.9
Network automatic configuration

Although not a wise option for servers, automatic network configuration is very useful for workstations and other network nodes. IPv4 automatic configuration depends on DHCP servers on the directly attached network; in Linux the dhclient service gets the data from the server and uses it to configure the interfaces. Because DHCP servers lease addresses to clients, the dhclient service must keep track of the lease and refresh it before it expires. The ifplugd service detects when a network cable is plugged or unplugged and activates or deactivates the network interface. When a cable is plugged in, ifplugd activates the interface and, as a result, dhclient configures it.
DHCP server

The DHCP server (dhcpd in Linux) receives requests from clients sent as UDP packets to the broadcast address "255.255.255.255". DHCP servers use the client's physical address (MAC address) to identify it in order to lease an IP address to it. Although clients with static addresses can also be configured on the DHCP server, this kind of server is most useful for managing a range of IP addresses automatically: for each new client that shows up, a new IP address is reserved for that client and leased to it. DHCP servers provide clients with network data beyond the IP address: data like the network mask, the default gateway, the domain name and the domain name servers is also included in the DHCP server's reply. In Linux the dhcpd configuration is stored in a configuration file, normally /etc/dhcpd.conf.
Internet Daemon – INETD/XINETD

Most services available on a Linux system are provided by independent processes: for each service a running process is required. This assures a high level of availability for the service. Beyond the heavily used, high performance services, a large set of rarely used services also exist and are required on a Linux server. The goal of the Internet Daemon is to replace the large number of running processes that would implement those low-usage services. The Internet Daemon receives the clients' initial requests on the standard service ports; when the initial contact occurs, the Internet Daemon calls the appropriate external program to handle the client request. The Internet Daemon configuration is in the /etc/inetd.conf or /etc/xinetd.conf files, depending on the version used; either way, for each service a protocol must be specified (TCP or UDP), a port number (or service identifier in /etc/services) and the external program that implements the application protocol.
DNS host name resolution – client service

Depending on the "hosts" line in "nsswitch.conf", host name resolution may start by searching /etc/hosts, but in most cases, in the end, the DNS system will be used. DNS host name resolution works by sending a qualified host name to a name server and receiving the equivalent IP address. To configure the DNS client only the DNS name server IP address is required, although it's wiser to configure more than one name server, so that if the first fails the second can be used. Many times users provide unqualified names (without the domain name); to handle this, a domain name must be appended before the request is sent to the name server. For this purpose the local domain name can be defined, and also a list of other domains to search in. In Linux the DNS client configuration file is /etc/resolv.conf.

[root@server ~]# cat /etc/resolv.conf
domain dei.isep.ipp.pt
search isep.ipp.pt
nameserver 192.168.60.7
nameserver 192.168.60.11
nameserver 193.136.62.3
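As an added example (not part of the slides), this shell script embeds the resolv.conf shown above as constructed data and shows what a glibc resolver would actually try for a given name. It assumes glibc's documented rules: "domain" and "search" are mutually exclusive and the last one in the file wins (so here "search isep.ipp.pt" overrides the "domain" line), "ndots" defaults to 1, and only the first three "nameserver" entries are used. The function names search_list, nameservers and query_order are ours.

```shell
#!/bin/sh
# Resolver behaviour for the /etc/resolv.conf from the slide (constructed
# copy; function names are ours). Rules assumed are glibc's: "domain" and
# "search" are mutually exclusive and the last one wins; ndots defaults to 1;
# at most three nameserver lines are used.
RESOLV_CONF='domain dei.isep.ipp.pt
search isep.ipp.pt
nameserver 192.168.60.7
nameserver 192.168.60.11
nameserver 193.136.62.3'

# Effective search list, space separated: the last domain/search line wins.
search_list() {
  list=""
  while read -r key rest; do
    case "$key" in domain|search) list="$rest" ;; esac
  done <<EOF
$RESOLV_CONF
EOF
  echo "$list"
}

# Servers queried, in order; any beyond the third are ignored by glibc.
nameservers() {
  n=0
  while read -r key value; do
    if [ "$key" = "nameserver" ] && [ "$n" -lt 3 ]; then
      echo "$value"; n=$(( n + 1 ))
    fi
  done <<EOF
$RESOLV_CONF
EOF
}

# Query names tried, one per line, for $1 (a trailing dot means absolute).
query_order() {
  name="$1"; ndots=1
  case "$name" in *.) echo "${name%.}"; return 0 ;; esac
  dots=$(printf '%s' "$name" | tr -cd .); dots=${#dots}
  # at least ndots dots: as given first, then with the search list appended;
  # fewer dots: search list first, the bare name only as a last resort
  if [ "$dots" -ge "$ndots" ]; then echo "$name"; fi
  for dom in $(search_list); do echo "$name.$dom"; done
  if [ "$dots" -lt "$ndots" ]; then echo "$name"; fi
}

for n in www mail.dei www.isep.ipp.pt.; do
  printf '%s -> %s\n' "$n" "$(query_order "$n" | tr '\n' ' ')"
done
```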
Filtering – iptables command

The iptables command interacts with the kernel traffic management features, among them filtering. There are 4 tables: filter, nat, mangle and raw; the first two are the most used, and for now we are interested in the first only. The default table for iptables is filter. Some of the basic operations are:

iptables -A   add (append) a rule to a chain
iptables -D   delete a rule
iptables -I   insert a rule
iptables -R   replace a rule
iptables -L   list the rules in a chain
iptables -P   set the policy for a chain

Each table has its own special purpose predefined rule chains, but others can be added. For the 2 main tables the predefined chains are:

"filter": "INPUT", "FORWARD" and "OUTPUT"
"nat": "PREROUTING", "OUTPUT" and "POSTROUTING"

In each chain a sequence of rules can be defined; there is an implicit rule numbering, starting from 1. The rule number is important to some iptables operations like delete, insert and replace.
IPTABLES – default behavior (chain policy)

Each chain of rules has a default behavior (chain policy); this stands for what will happen when none of the rules in the chain matches the packet. Among the four behaviors available (ACCEPT, DROP, QUEUE and RETURN), the safest way is to set the chain policy to DROP and then use ACCEPT rules to let through only what is meant to pass.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
IPTABLES - rules

There is a wide range of tests available to be used; some of the most used are:

-p [!] protocol
-s [!] address[/mask]
-d [!] address[/mask]
-i [!] interface
-o [!] interface
--dport [!] port1[:port2]
--sport [!] port1[:port2]

When creating a rule, the action to take if a match happens must also be defined:

-j BEHAVIOR
-g CHAIN

Sample:

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -s 195.20.10.23/32 -o eth2 -p tcp -j ACCEPT
iptables -A FORWARD -i eth0 -d 193.136.0.0/16 -p tcp --dport 8080:8081 -j ACCEPT
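As an added example (not from the slides), a shell script that loads the default-deny policy and the two sample rules above through a single IPT variable, so that IPT=echo previews the ruleset without touching the kernel. It goes one step beyond the slide by adding a conntrack rule for return traffic: with the FORWARD policy at DROP, the TCP replies to the connections the sample accepts would otherwise be dropped. The names forward_policy and forward_rule_count are our own.

```shell
#!/bin/sh
# Default-deny filter policy plus the slide's FORWARD rules (constructed
# example; function names are ours). IPT=echo prints the rules instead of
# loading them, a cheap way to review a ruleset before applying it as root.
IPT="${IPT:-/sbin/iptables}"

forward_policy() {
  # policies first: anything not ACCEPTed by a rule below is dropped
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP
  # beyond the slide: replies to accepted connections must be let back
  # through, otherwise the DROP policy silently kills every TCP handshake
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # the two sample rules from the slide (appended, so they become rules 2 and 3)
  $IPT -A FORWARD -i eth0 -s 195.20.10.23/32 -o eth2 -p tcp -j ACCEPT
  $IPT -A FORWARD -i eth0 -d 193.136.0.0/16 -p tcp --dport 8080:8081 -j ACCEPT
}

# Number of rules (policies excluded) the function appends to FORWARD; these
# are the rule numbers later -D / -I / -R operations refer to.
forward_rule_count() {
  ( IPT=echo; forward_policy ) | grep -c -- '^-A FORWARD'
}

case "${1:-}" in
  apply)   forward_policy ;;
  preview) ( IPT=echo; forward_policy ) ;;
  ?*)      echo "usage: $0 apply|preview" >&2 ;;
esac
```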