Linux networking: Difference between revisions

References

On this wiki:

• Linux Commands

External:

• Basic HOW-TO
  • Linux Networking-concepts HOWTO - Rusty Russell (basic introduction, 2001)
  • Linux Networking-HOWTO (Previously the Net-3 Howto) (old HOWTO, 1999, refer to ch5 and ch6 for simple routing examples)
  • Quick HOWTO : Ch03 : Linux Networking (seems more extended)
• iproute2
  • Less widely known features of iproute
  • Linux Advanced Routing & Traffic Control HOWTO
  • Policy Routing With Linux - Online Edition - Matthew G. Marsh
• Tun/Tap
  • Tun/Tap interface tutorial
  • Configuring and using a tuntap network interface

Tools:

• GoAccess is an open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.

Network configuration and query

Available tools:

• nmcli (package network-manager)
• ip and ss (package iproute2)

See also Linux Commands for more tools.

nmcli

nmcli is the command-line tool for controlling NetworkManager. It can be used to enable / disable wifi, manage wired and wireless connections...

nmcli                            # Print usage and available objects
nmcli nm                         # Show network manager status (basically WIFI status)
nmcli nm wifi                    # Show wifi status
nmcli nm wifi {off|on}           # Disable / enable wifi (as done via the GUI)

To view network device configuration, like DHCP client settings:

nmcli dev show
nmcli device show eth0 | grep IP4   # View eth0 configuration (like DHCPclient settings)

ip

ip show / manipulate routing, devices, policy routing and tunnels.

Basic uses

Use ip addr or (shorter) ip a to show ip configuration (roughly equivalent to ifconfig):

ip addr
# 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
#     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
#     inet 127.0.0.1/8 scope host lo
#        valid_lft forever preferred_lft forever
#     inet6 ::1/128 scope host 
#        valid_lft forever preferred_lft forever
# 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
#     link/ether a0:d3:c1:9c:59:56 brd ff:ff:ff:ff:ff:ff
#     inet 10.137.2.54/23 brd 10.137.3.255 scope global dynamic eth0
#        valid_lft 589545sec preferred_lft 589545sec
#     inet6 fe80::68ea:8b5c:bd71:f190/64 scope link 
#        valid_lft forever preferred_lft forever
# ...

IPETH0=$(ip addr show eth0 | perl -lne 'print for /inet[^0-9]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/')      # Get local ip address

To temporarily configure a device to use dhcp [1]:

sudo ip link set dev eth0 down
sudo dhclient eth0

To use a static address:

sudo ip addr add 192.168.1.14/24 dev eth0
sudo ip link set dev eth0 up
sudo ip route add default via 192.168.1.1

ip help

• ip help to display help summary.
• ip COMMAND help to display detailed help on COMMAND.

shortcuts

All ip command can be shortened to their minimal non-ambiguous form. For instance ip a instead of ip addr.

ip addr
ip a                # Idem, shorter

ip rules

ip is a policy-based packet router. Policies are defined in rules. Use ip rule to display current rules, by priority order. Each rules gives the corresponding _routing_ table.

ip rule
# 0:	from all lookup local 
# 32766:	from all lookup main 
# 32767:	from all lookup default

ip routes

ip route shows the main route table. Use ip route list table TABLE to show given _TABLE_.

ip route list table local       # Show local table
ip route list table main        # Show main table
ip route                        # ... Same as above
ip route list table default     # Show default table

ip routes can be deleted. Let's get the route table:

ip route show table main
# default via 192.168.20.254 dev enp0s31f6 proto static metric 100 
# default via 192.168.43.1 dev wlp1s0 proto dhcp metric 600 
# 10.0.10.0/24 dev tun0 proto kernel scope link src 10.0.10.1 
# ...

We can delete the first default route:

ip route del table main default dev enp0s31f6

ss

ss is the newer toolchain for network management, to be preferred over netstat and co.

ss -tupan                       # Roughly equivalent to netstat -lpn

Legacy network configuration

The following tools are old legacy tools (ifconfig(8), route(8), netstat) that should no longer be used.

• From [2]: And remember: every time you use ifconfig(8), Cthulhu eats a kitten. Please, think of the kittens
• This HOW-TO says that route and ip(8) are not compatible.
• Why iproute2 says that Linux kernels 2.2 and up include a completely redesigned network system, and that legacy tools like arp, ifconfig and route are actually obsolete and show some unexpected behaviours that are only available with iproute2 ([3]).
• 43. LVS: Newer networking tools: Policy Routing gives more example of ifconfig hiding (wrongly) complexity of an interface having multiple IP addresses.

ifconfig

ifconfig configure a network devices.

To view current configuration:

ifconfig -l

To temporarily setup a network device [4]:

sudo ifconfig eth0 10.0.0.100 netmask 255.255.255.0

Note that ifconfig is obsolete. Use ip instead [5], [6], [7].

iwconfig

iwconfig configures or queries a wireless network interface:

iwconfig
# # iwconfig
# lo        no wireless extensions.
# 
# eth0      no wireless extensions.
# 
# wlan0     IEEE 802.11abg  ESSID:off/any  
#           Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm   
#           Retry  long limit:7   RTS thr:off   Fragment thr:off
#           Encryption key:off
#           Power Management:off

iwconfig wlan0         # Limit to wlan0

netstat

netstat is the legacy utility. Better use ss from package iproute2.

• netstat on Wikipedia.

Print network connections, routing tables, interface statistics, masqurade connections, and multicast memberships

netstat -utpn      #Active ports, tcp, socket program PID, numeric
netstat -lutpn     #Listen ports, tcp, socket program PID, numeric
netstat -autpn     #All (active and listen), tcp, socket program PID, numeric
netstat -rn        #Kernel route table, numeric

When listing sockets (default output), you'll get an output like:

% netstat -at

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 andLinux.local:43449    windows-host:x11        ESTABLISHED

% netstat -atn

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.11.150:43449    192.168.11.1:6000       ESTABLISHED

Local Address

* or 0.0.0.0 means that the process accepts connection from any interface.

127.0.0.1 means it only accepts connection on localhost loopback (and so only connection that originates from local PC as well).

Any other IP address means that the process listen on the given port at the given IP address

Firewall / iptables

References:

• http://www.cyberciti.biz/tips/linux-iptables-examples.html
• http://www.thegeekstuff.com/2011/01/iptables-fundamentals/

Summary of iptables:

• There are several tables: filter, raw...
• In the filter table, there are 3 builtin chains: INPUT, OUTPUT and FORWARD
• iptables extensions provide some more chains.
• In each chain, rules are processed in sequence. If the packet matches the rule, the counter for that rule is incremeneted; if a target is given, it is taken (if any) and process ends; otherwise process continues to next rule.
• One can create custom chains, and use custom rules with RETURN as target for creating more elaborate rules.

Some tricks:

• To view all current iptables rules:

sudo iptables --list -n -v

• Save all rules in readable / restorable form:

sudo iptables-save > iptables-rules

• iptable-restore does not like command like -N mychain to restore a chain. Instead use the following:

#-N my-chain
:my-chain - [0:0]

• To clear all rules:

 sudo iptables -F           # flush
 sudo iptables -X           # Delete all chains but builtin

Example of script. This one was added to /etc/ufw/before.rules (see Nxl67170 - Windows and Dansguardian for more examples):

:vbox-output-logging-deny - [0:0]
:vbox-output-logging-allow - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p udp -m multiport --dports 53,137,138,389 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp --dport 88 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT
# -A vbox-output-logging-allow -p tcp -m multiport --dports 135,139,389,445 -j RETURN
# -A vbox-output-logging-allow -p udp -m multiport --dports 53,137,138,389 -j RETURN
# -A vbox-output-logging-allow -p tcp -m multiport --dports 88 -j RETURN
# -A vbox-output-logging-allow -j LOG --log-prefix "[UFW ALLOW] [VBOX] "

UFW

On Ubuntu, the default firewall is UFW.

When deploying UFW, first move the user rules to /etc/ufw so that they can be tracked by etckeeper:

cd /lib/ufw
sudo mv user* /etc/ufw
sudo ln -s /etc/ufw/user.rules
sudo ln -s /etc/ufw/user6.rules

Then enable ufw:

sudo ufw enable

It is easy to add new rules for ufw:

sudo ufw allow from 192.168.11.2                   # Enable full access from local virtualbox
sudo ufw allow from 172.19.0.0/16 to any port 22   # Enable - from home local network - SSH
sudo ufw reload

Tips and How-tos

Enable WINS and NetBIOS

To enable WINS and NetBIOS name resolution on Ubuntu [8]:

sudo apt-get install winbind libnss-winbind             # samba must be installed as well

Edit /etc/nsswitch.conf:

-hosts:      files dns
+hosts:      files dns wins

Then reload:

sudo service winbind reload

Setup Wake-on-LAN

See gWakeOnLan.

Auto-mount network shares with autofs

• To troubleshoot autofs [9]

sudo service autofs stop
sudo automount -f -v

• Use option --ghost to show share directories when browsing mount points [10]:

# mount point   config file        options
/-              /etc/auto.direct   --ghost
/misc           /etc/auto.misc     --timeout=30 --ghost
+auto.master

• Mount sshfs with autofs [11]

Install necessary package

sudo apt-get install sshfs autofs

Add current user to group fuse:

usermod -a -G fuse tjansson

Add to /etc/auto.master:

/sshfs              /etc/auto.sshfs                 uid=1000,gid=1000,--timeout=30,--ghost

Add to /etc/auto.sshfs (this assumes the key is password-less):

alpha-blue -fstype=fuse,rw,nodev,nonempty,noatime,allow_other,max_read=65536,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789 :sshfs\#nightmoore@alpha-blue\:

Troubleshoot, add first to /etc/fstab:

sshfs#nightmoore@alpha-blue:/ /mnt/sshfstab/        fuse    user,_netdev,reconnect,uid=1000,gid=1000,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789,idmap=user,allow_other,default_permissions,debug,sshfs_debug  0   2

Then

mount /mnt/sshfstab

Add option debug,sshfs_debug to get really debug output [12]:

Auto-mount network shares with libpam-mount

References:

• pam-mount.sourceforge.net
• wiki.ubuntu.com
• archlinux, to install manually.
• [13], add system-level share.

libpam-mount allows you to mount automatically network shares when you login, using your login password as credentials.

• The advantage is that, unlike for autofs, you don't need to store your password in a file;
• However, your username/password must be the same as the ones used to mount the network drive.

Install libpam-mount:

sudo apt-get install libpam-mount

Edit /etc/security/pam_mount.conf.xml as follow:

• Uncomment luserconf.
• Add the necessary allow options to <mntoptions> tag.

<!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,dmask,username,domain,iocharset,dir_mode" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

Create the user file ~/.pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>

<pam_mount>
<volume options="nosuid,nodev,dir_mode=0700,iocharset=utf8" user="*" mountpoint="/media/mediashare" path="sharename" server="servername" fstype="cifs" />
</pam_mount>

Network setup via command line

sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0
sudo route add default gw 192.168.1.129
sudo vi /etc/resolv.conf
# nameserver 192.168.1.129
# search domainname
sudo dhclient eth0

Tun/Tap devices

tun/tap are software-only interfaces, accessed through a character device (usually located at /dev/net/tun), and that allow userspace networking

On Linux, there are basically 3 ways to create tun/tap devices:

• ip (package iproute, aka iproute2 [14]).
  Unfortunately this is option is only available in recent distribution (not available in Ubuntu Lucid)

ip tuntap help
ip tuntap add dev tun0 mode tap user $USER

• openvpn

sudo openvpn --mktun --dev tun0 --user $USER
sudo openvpn --rmtun --dev tun0

• tunctl

Do not use version from package uml-utilities because it can only create tap devices, not tun. Instead fetch the latest version from SourceForge.

sudo tunctl -n -u $USER       # Create a tun device. '-n' can be replaced by '-t tun0'

See the how-to section below to learn how to create VPNs with virtual devices.

Tun2socks / Transparent SOCKS proxy via tuntap device (badvpn-tun2socks)

See tun2socks.

IPv4 vs IPv6

• Define in /etc/hosts (Note that its always canonical name first, then alias names last [15]):

::1 ipv6.localdomain ipv6
127.0.0.1 ipv4.localdomain ipv4

voilà, use ipv4/ipv6 hostnames where its needed (replace localdomain and ipv4 as needed)

Network basic

ARP (Address Resolution Protocol)

Links on Wikipedia:

• Address Resolution Protocol
• Proxy ARP

ARP is a protocol used for resolution of network layer addresses (OSI level 3, e.g. IP addresses) into link layer addresses (OSI level 2, e.g. MAC addresses).

Example (adapted from wikipedia):

ARP Proxy

Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel. The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as publishing.

• (+) simplicity. A router may extend a network without knowledge of the upstream router.
• (-) scalability
• (-) reliability (no fallback mechanism)

Gateway

If after routing, the selected route contains IP address of a gateway, the destination address in the IP packet is *not* changed. Instead, it tells the link layer to use the gateway's MAC address in the frame header instead of the one of the destination IP address (see [16]).

Troubleshooting

See Network troubleshooting.