Linux networking: Difference between revisions
Latest revision as of 12:39, 30 June 2023
References
On this wiki:
External:
- Basic HOW-TO
- Linux Networking-concepts HOWTO - Rusty Russell (basic introduction, 2001)
- Linux Networking-HOWTO (Previously the Net-3 Howto) (old HOWTO, 1999, refer to ch5 and ch6 for simple routing examples)
- Quick HOWTO : Ch03 : Linux Networking (seems more extended)
- iproute2
- Tun/Tap
Tools:
- GoAccess is an open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
Network tools
Available tools:
- nmcli (package network-manager)
- ip and ss (package iproute2)
See also Linux Commands for more tools.
nmcli
nmcli is the command-line tool for controlling NetworkManager. It can be used to enable / disable wifi, manage wired and wireless connections...
nmcli comes with detailed command help:
nmcli help
nmcli c[onnection] help
nmcli c[onnection] m[odify] help
To get a clear and complete overview of network (address, route, dns) on this machine:
nmcli
# enp0s31f6: connected to Wired connection 1
# "Intel Ethernet"
# ethernet (e1000e), B0:0C:D1:C9:90:1E, hw, mtu 1500
# ip4 default
# inet4 192.168.1.9/24
# ...
#
# wlp1s0: unavailable
# "Intel 8265 / 8275"
# wifi (iwlwifi), 6E:3B:39:B9:03:78, hw, mtu 1500
#
# lo: unmanaged
# "lo"
# loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
#
# DNS configuration:
# servers: 127.0.0.1 192.168.1.1
# domains: lan
# interface: enp0s31f6
# ...
Network manager configures devices depending on predefined connections. To list these connections:
# List available connections
nmcli c[onnection] [sh[ow] [--active]]
NAME UUID TYPE DEVICE
tun0 fbc01821-9f88-4162-a514-5fe82b30ef87 tun tun0
Wired connection 1 89818eee-7bb4-4def-bc24-ad77c97b2c87 ethernet enp0s31f6
...
# Show a connection
nmcli c[onnection] [sh] "Wired connection 1" | grep ipv4
nmcli c[onnection] [sh] "Wired connection 1" | grep dns
Use nmcli c[onnection] m[odify]
or nmcli c e[dit]
to modify or edit a connection.
Note: When editing a connection, the corresponding device must be restarted.
# Set up manual connection
nmcli c mod "Wired connection 1" ipv4.method manual ipv4.addresses 192.168.20.1/24 ipv4.gateway 192.168.20.254
nmcli d reapply enp0s31f6
# Set up DHCP connection
nmcli c mod "Wired connection 1" ipv4.method auto ipv4.addresses "" ipv4.gateway ""
nmcli d reapply enp0s31f6
# Edit a connection
nmcli c edit "Wired connection 1"
View or configure devices.
Note: These settings will be overridden by connections settings on restart / connect.
# Get device list
nmcli d[evice] [list]
# Get device info
nmcli d[evice] show [enp0s31f6 | tun0 | wlp1s0]
# Connect / disconnect the device
nmcli d[evice] c[onnect] enp0s31f6
nmcli d[evice] dis[connect] enp0s31f6
To switch on/off the WIFI:
nmcli r[adio] # Show radio status (basically WIFI status)
nmcli r[adio] wifi off # Disable wifi (as done via the GUI)
nmcli r[adio] wifi on # Enable wifi (as done via the GUI)
To view network device configuration, like DHCP client settings:
nmcli dev show
nmcli device show eth0 | grep IP4 # View eth0 configuration (like DHCP client settings)
To troubleshoot network-manager:
# Get NM / dnsmasq status information
systemctl status network-manager.service
ip
ip show / manipulate routing, devices, policy routing and tunnels.
- Basic uses
Use ip addr or (shorter) ip a to show the ip configuration (roughly equivalent to ifconfig):
ip addr
# 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
# link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
# inet 127.0.0.1/8 scope host lo
# valid_lft forever preferred_lft forever
# inet6 ::1/128 scope host
# valid_lft forever preferred_lft forever
# 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
# link/ether a0:d3:c1:9c:59:56 brd ff:ff:ff:ff:ff:ff
# inet 10.137.2.54/23 brd 10.137.3.255 scope global dynamic eth0
# valid_lft 589545sec preferred_lft 589545sec
# inet6 fe80::68ea:8b5c:bd71:f190/64 scope link
# valid_lft forever preferred_lft forever
# ...
IPETH0=$(ip addr show eth0 | perl -lne 'print for /inet[^0-9]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/') # Get local ip address
To temporarily configure a device to use dhcp [1]:
sudo ip link set dev eth0 down
sudo dhclient eth0
To use a static address:
# Add a static address
sudo ip addr add 192.168.1.14/24 dev eth0
sudo ip link set dev eth0 up
sudo ip route add default via 192.168.1.1
# Remove the static address:
sudo ip addr del 192.168.1.14/24 dev eth0
sudo ip route del [table main] default dev enp0s31f6
- ip help
ip help displays the help summary. ip COMMAND help displays detailed help on COMMAND.
- shortcuts
All ip commands can be shortened to their minimal non-ambiguous form. For instance ip a instead of ip addr.
ip addr
ip a # Idem, shorter
- ip rules
ip is a policy-based packet router. Policies are defined in rules. Use ip rule to display the current rules, in priority order. Each rule gives the corresponding routing table.
ip rule
# 0: from all lookup local
# 32766: from all lookup main
# 32767: from all lookup default
- ip routes
ip route shows the main route table. Use ip route list table TABLE (or ip route show table TABLE) to show the given TABLE.
ip route list table local # Show local table
ip route show table local # ... same as above
ip route list table main # Show main table
ip route # ... Same as above
ip route list table default # Show default table
ip routes can be deleted. Let's get the route table:
ip route show table main
# default via 192.168.20.254 dev enp0s31f6 proto static metric 100
# default via 192.168.43.1 dev wlp1s0 proto dhcp metric 600
# 10.0.10.0/24 dev tun0 proto kernel scope link src 10.0.10.1
# ...
We can delete the first default route:
ip route del table main default dev enp0s31f6
iw / iwconfig
See Wifi.
ss
ss is the newer toolchain for network management, to be preferred over netstat and co.
ss -tupan # Roughly equivalent to netstat -lpn
WiFi
See Wifi (iwconfig, nmcli...).
Legacy network configuration
The following tools are old legacy tools (ifconfig(8), route(8), netstat) that should no longer be used.
- From [2]: And remember: every time you use ifconfig(8), Cthulhu eats a kitten. Please, think of the kittens
- This HOW-TO says that route and ip(8) are not compatible.
- The "Why iproute2" page says that Linux kernels 2.2 and up include a completely redesigned network subsystem, and that legacy tools like arp, ifconfig and route are obsolete and behave unexpectedly with features that are only available through iproute2 ([3]).
- 43. LVS: Newer networking tools: Policy Routing gives more example of ifconfig hiding (wrongly) complexity of an interface having multiple IP addresses.
ifconfig
ifconfig configures a network device.
To view current configuration:
ifconfig -l
To temporarily setup a network device [4]:
sudo ifconfig eth0 10.0.0.100 netmask 255.255.255.0
Note that ifconfig is obsolete. Use ip instead [5], [6], [7].
netstat
netstat is the legacy utility. Better use ss from package iproute2.
- netstat on Wikipedia.
Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
netstat -utpn #Active ports, tcp, socket program PID, numeric
netstat -lutpn #Listen ports, tcp, socket program PID, numeric
netstat -autpn #All (active and listen), tcp, socket program PID, numeric
netstat -rn #Kernel route table, numeric
When listing sockets (default output), you'll get an output like:
% netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 andLinux.local:43449    windows-host:x11        ESTABLISHED

% netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.11.150:43449    192.168.11.1:6000       ESTABLISHED
- Local Address
- * or 0.0.0.0 means that the process accepts connections from any interface.
- 127.0.0.1 means it only accepts connections on the localhost loopback (and so only connections that originate from the local PC as well).
- Any other IP address means that the process listens on the given port at the given IP address only.
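The Local Address rules above, turned into a check that can be run over saved netstat -atn or ss -tan output to spot which listeners are reachable from every interface. This is an added example, not from the wiki; SAMPLE is constructed from the page's own netstat -atn lines plus one IPv6 line, and only TCP sockets in LISTEN state are classified.

```shell
# Added example (not from the wiki page): classify LISTEN sockets by bind scope.
# SAMPLE is constructed: the page's netstat -atn lines plus one IPv6 line.
# Only TCP sockets in LISTEN state are classified (UDP has no state column).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.11.150:43449    192.168.11.1:6000       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# Reads netstat -atn or ss -tan output on stdin; prints "SCOPE LOCAL_ADDRESS" per LISTEN socket.
audit_listeners() {
    awk '
        { state = "" }                                        # reset per line (banners, headers)
        $1 ~ /^tcp/       { laddr = $4; state = $6 }          # netstat -atn: state is the 6th column
        $1 == "LISTEN"    { laddr = $4; state = $1 }          # ss -tan: state is the 1st column
        state != "LISTEN" { next }
        {
            addr = laddr; sub(/:[^:]*$/, "", addr)            # strip the trailing :port
            if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
                scope = "ANY"                                 # reachable from every interface
            else if (addr ~ /^127\./ || addr == "localhost" || addr == "::1" || addr == "[::1]")
                scope = "LOOPBACK"                            # local processes only
            else
                scope = "SPECIFIC"                            # bound to one address
            print scope, laddr
        }'
}

# Only the sockets exposed on all interfaces: the ones that need a firewall rule to justify them.
exposed_listeners() { audit_listeners | awk '$1 == "ANY" { print $2 }'; }

printf '%s\n' "$SAMPLE" | audit_listeners
```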
Firewall / iptables
References:
- http://www.cyberciti.biz/tips/linux-iptables-examples.html
- http://www.thegeekstuff.com/2011/01/iptables-fundamentals/
Summary of iptables:
- There are several tables: filter, raw...
- In the filter table, there are 3 builtin chains: INPUT, OUTPUT and FORWARD; iptables extensions provide some more chains.
- In each chain, rules are processed in sequence. If the packet matches the rule, the counter for that rule is incremented; if a target is given, it is taken and processing ends; otherwise processing continues with the next rule.
- One can create custom chains, and use custom rules with RETURN as target for creating more elaborate rules.
Some tricks:
- To view all current iptables rules:
sudo iptables --list -n -v
- Save all rules in readable / restorable form:
sudo iptables-save > iptables-rules
- iptables-restore does not like commands like -N mychain to restore a chain. Instead use the following:
#-N my-chain
:my-chain - [0:0]
- To clear all rules:
sudo iptables -F # flush
sudo iptables -X # Delete all chains but builtin
Example script. This one was added to /etc/ufw/before.rules (see Nxl67170 - Windows and Dansguardian for more examples):
:vbox-output-logging-deny - [0:0]
:vbox-output-logging-allow - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p udp -m multiport --dports 53,137,138,389 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp --dport 88 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT
# -A vbox-output-logging-allow -p tcp -m multiport --dports 135,139,389,445 -j RETURN
# -A vbox-output-logging-allow -p udp -m multiport --dports 53,137,138,389 -j RETURN
# -A vbox-output-logging-allow -p tcp -m multiport --dports 88 -j RETURN
# -A vbox-output-logging-allow -j LOG --log-prefix "[UFW ALLOW] [VBOX] "
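To see the rule walk from the summary above (sequence, first terminating target, custom chains and RETURN) applied to the before.rules script, here is a small awk model that reports which target decides a packet's fate. This is an added example, not from the wiki or ufw: the rules are adapted from the script above with one RETURN rule added to the deny chain for illustration, the owner match is ignored, and -d prefixes are limited to /8, /16 and /24.

```shell
# Added example (not from the wiki page): a small awk model of the chain walk
# described in the iptables summary, run over rules adapted from the before.rules
# script above. Constructed simplifications: the owner match (-m owner --uid-owner)
# is ignored, -d prefixes must be /8, /16 or /24, and only -p, -d, --dport(s)
# and -j are evaluated. The RETURN rule in the deny chain is added for illustration.
RULES=':vbox-output-logging-deny - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p udp -m multiport --dports 53,137,138,389 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp --dport 88 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -p tcp --dport 443 -j RETURN
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT'

# usage: verdict CHAIN PROTO DPORT DEST -> prints the terminating target,
# or FALLTHROUGH when the chain ends without one (the chain policy applies).
verdict() {
    printf '%s\n' "$RULES" | awk -v start="$1" -v proto="$2" -v dport="$3" -v dest="$4" '
    /^:/ { isChain[substr($1, 2)] = 1 }               # chain declaration ":name - [0:0]"
    /^-A / {
        n++; rc[n] = $2
        for (j = 3; j <= NF; j++) {
            if ($j == "-p") rp[n] = $(++j)
            else if ($j == "-d") rd[n] = $(++j)
            else if ($j == "--dport" || $j == "--dports") rport[n] = $(++j)
            else if ($j == "-j") rt[n] = $(++j)
            else if ($j == "-m" || $j == "--uid-owner" || $j == "--log-prefix") j++   # skip ignored option values
        }
    }
    END { v = walk(start); print (v == "" ? "FALLTHROUGH" : v) }
    function walk(c,   i, v) {
        for (i = 1; i <= n; i++) {
            if (rc[i] != c || !matches(i)) continue
            v = rt[i]
            if (v == "RETURN") return ""              # back to the calling chain
            if (v == "LOG") continue                  # LOG does not terminate: next rule
            if (v in isChain) { v = walk(v); if (v == "") continue; return v }
            return v                                  # ACCEPT / REJECT / DROP ends processing
        }
        return ""                                     # fell off the end of the chain
    }
    function matches(i) {
        if (rp[i] != "" && rp[i] != proto) return 0
        if (!dmatch(rd[i], dest)) return 0
        if (rport[i] != "" && index("," rport[i] ",", "," dport ",") == 0) return 0
        return 1
    }
    function dmatch(spec, d,   a, b, c, k, i) {       # exact host, or /8, /16, /24 prefix
        if (spec == "") return 1
        if (index(spec, "/") == 0) return spec == d
        split(spec, a, "/"); k = int(a[2] / 8)
        split(a[1], b, "."); split(d, c, ".")
        for (i = 1; i <= k; i++) if (b[i] != c[i]) return 0
        return 1
    }'
}

verdict ufw-before-output tcp 445 92.120.50.5   # ACCEPT: rule 2 matches before the deny jump
verdict ufw-before-output tcp 8080 92.120.7.7   # REJECT: via the deny chain, after LOG
verdict ufw-before-output tcp 443 92.120.7.7    # ACCEPT: the deny chain RETURNs, rule 6 catches it
```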
UFW
On Ubuntu, the default firewall is UFW.
When deploying UFW, first move the user rules to /etc/ufw so that they can be tracked by etckeeper:
cd /lib/ufw
sudo mv user* /etc/ufw
sudo ln -s /etc/ufw/user.rules
sudo ln -s /etc/ufw/user6.rules
Then enable ufw:
sudo ufw enable
It is easy to add new rules for ufw:
sudo ufw allow from 192.168.11.2 # Enable full access from local virtualbox
sudo ufw allow from 172.19.0.0/16 to any port 22 # Enable - from home local network - SSH
sudo ufw reload
Tips and How-tos
Enable WINS and NetBIOS
To enable WINS and NetBIOS name resolution on Ubuntu [8]:
sudo apt-get install winbind libnss-winbind # samba must be installed as well
Edit /etc/nsswitch.conf:
-hosts: files dns
+hosts: files dns wins
Then reload:
sudo service winbind reload
Setup Wake-on-LAN
See gWakeOnLan.
- To troubleshoot autofs [9]
sudo service autofs stop
sudo automount -f -v
- Use option --ghost to show share directories when browsing mount points [10]:
# mount point   config file        options
/-              /etc/auto.direct   --ghost
/misc           /etc/auto.misc     --timeout=30 --ghost
+auto.master
- Mount sshfs with autofs [11]
- Install necessary package
sudo apt-get install sshfs autofs
- Add current user to group fuse:
usermod -a -G fuse tjansson
- Add to /etc/auto.master:
/sshfs /etc/auto.sshfs uid=1000,gid=1000,--timeout=30,--ghost
- Add to /etc/auto.sshfs (this assumes the key is password-less):
alpha-blue -fstype=fuse,rw,nodev,nonempty,noatime,allow_other,max_read=65536,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789 :sshfs\#nightmoore@alpha-blue\:
- To troubleshoot, first add to /etc/fstab:
sshfs#nightmoore@alpha-blue:/ /mnt/sshfstab/ fuse user,_netdev,reconnect,uid=1000,gid=1000,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789,idmap=user,allow_other,default_permissions,debug,sshfs_debug 0 2
- Then:
mount /mnt/sshfstab
- Add the options debug,sshfs_debug to get really verbose debug output [12].
References:
- pam-mount.sourceforge.net
- wiki.ubuntu.com
- archlinux, to install manually.
- [13], add system-level share.
libpam-mount allows you to mount automatically network shares when you login, using your login password as credentials.
- The advantage is that, unlike for autofs, you don't need to store your password in a file;
- However, your username/password must be the same as the ones used to mount the network drive.
Install libpam-mount:
sudo apt-get install libpam-mount
Edit /etc/security/pam_mount.conf.xml as follows:
- Uncomment luserconf.
- Add the necessary allow options to the <mntoptions> tag.
<!-- pam_mount parameters: General tunables -->
<luserconf name=".pam_mount.conf.xml" />
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,dmask,username,domain,iocharset,dir_mode" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="0" term="0" kill="0" />
Create the user file ~/.pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<volume options="nosuid,nodev,dir_mode=0700,iocharset=utf8" user="*" mountpoint="/media/mediashare" path="sharename" server="servername" fstype="cifs" />
</pam_mount>
Network setup via command line
sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0
sudo route add default gw 192.168.1.129
sudo vi /etc/resolv.conf
# nameserver 192.168.1.129
# search domainname
sudo dhclient eth0
Tun/Tap devices
tun/tap devices are software-only interfaces, accessed through a character device (usually located at /dev/net/tun), that allow userspace networking.
On Linux, there are basically 3 ways to create tun/tap devices:
- ip (package iproute, aka iproute2 [14]). Unfortunately this option is only available in recent distributions (not available in Ubuntu Lucid):
ip tuntap help
ip tuntap add dev tun0 mode tap user $USER
- openvpn:
sudo openvpn --mktun --dev tun0 --user $USER
sudo openvpn --rmtun --dev tun0
- tunctl. Do not use the version from package uml-utilities because it can only create tap devices, not tun. Instead fetch the latest version from SourceForge:
sudo tunctl -n -u $USER # Create a tun device. '-n' can be replaced by '-t tun0'
See the how-to section below to learn how to create VPNs with virtual devices.
Tun2socks / Transparent SOCKS proxy via tuntap device (badvpn-tun2socks)
See tun2socks.
IPv4 vs IPv6
- Define in /etc/hosts (note that it's always the canonical name first, then the alias names last [15]):
::1        ipv6.localdomain ipv6
127.0.0.1  ipv4.localdomain ipv4
- Voilà, use the ipv4 / ipv6 hostnames where needed (replace localdomain and ipv4 as needed).
Measure internet bandwidth
Sites that measure internet bandwidth:
Set / Get server hostname / domainname
See [SO]:
# Set hostname
sudoedit /etc/hostname
# ... if avahi running, check also /etc/avahi/avahi-daemon.conf
# Activate hostname
sudo hostname -F /etc/hostname
# Set server domainname and address
sudoedit /etc/hosts
# 92.168.1.2 server.domain server
# Verify
hostname --short
hostname --domain
hostname --fqdn
hostname --ip-address
Enable packet forwarding
Persistently:
sudo vi /etc/sysctl.conf
# Uncomment:
#
# net.ipv4.ip_forward=1
For current session:
sudo sysctl -w net.ipv4.ip_forward=1
# Or
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Setup bridge
- References: https://help.ubuntu.com/community/NetworkConnectionBridge, ChatGPT
If the PC has two network ports, it can be configured as a network bridge (ie. "switch").
- Using the networking service
- Create a file /etc/network/interfaces.d/br0:
# Make sure the file doesn't contain configuration for the interface listed in bridge_ports
# Bridge between eth0 and eth1
auto br0
iface br0 inet dhcp
# For static configuration delete or comment out the above line and uncomment the following:
# iface br0 inet static
# address 192.168.1.10
# netmask 255.255.255.0
# gateway 192.168.1.1
# dns-nameservers 192.168.1.5
# dns-search example.com
bridge_ports eth1
bridge_stp off
bridge_fd 0
bridge_maxwait 0
- Restart the network configuration:
sudo systemctl restart networking
- Using NetworkManager (doesn't work)
sudo nmcli dev set eth1 managed no
sudo nmcli connection add type bridge autoconnect yes con-name br0 ifname br0
sudo nmcli connection add type ethernet autoconnect yes con-name br0-port ifname eth1 master br0
# Optional:
# sudo nmcli connection modify br0 bridge.stp true
sudo nmcli connection up br0
# To setup eth1 to use manual address:
sudo nano /etc/NetworkManager/system-connections/br0 # ! Check the actual name
# Edit file as follows:
# [ipv4]
# method=manual
# address1=10.136.0.221/24
sudo systemctl restart NetworkManager
Network basic
ARP (Address Resolution Protocol)
Links on Wikipedia:
ARP is a protocol used for resolution of network layer addresses (OSI level 3, e.g. IP addresses) into link layer addresses (OSI level 2, e.g. MAC addresses).
Example (adapted from wikipedia):
Computers A and B are in an office, connected to each other on the office local area network by Ethernet cables and network switches, with no intervening gateways or routers. A wants to send a packet to B. Through other means, it determines that B's IP address is 192.168.0.55. In order to send the message, it also needs to know B's MAC address:
- First, A uses a cached ARP table to look up B's MAC address from B's IP address. If the MAC address is found, it sends the IP packet on the link layer to that MAC address via the local network cabling.
- If the cache did not produce any result, A has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for B's IP address. B responds with its MAC address. B may insert an entry for A into its own ARP table for future use. The response information is cached in A's ARP table and the message can now be sent.
ARP Proxy
Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel. The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as publishing.
- (+) simplicity. A router may extend a network without knowledge of the upstream router.
- (-) scalability
- (-) reliability (no fallback mechanism)
Gateway
If, after routing, the selected route contains the IP address of a gateway, the destination address in the IP packet is *not* changed. Instead, the link layer is told to use the gateway's MAC address in the frame header instead of the MAC address of the destination IP address (see [16]).