Linux networking
Revision as of 06:00, 8 June 2016
References
On this wiki:
External:
- Basic HOW-TO
- Linux Networking-concepts HOWTO - Rusty Russell (basic introduction, 2001)
- Linux Networking-HOWTO (Previously the Net-3 Howto) (old HOWTO, 1999, refer to ch5 and ch6 for simple routing examples)
- Quick HOWTO : Ch03 : Linux Networking (seems more extended)
- iproute2
- Tun/Tap
ARP (Address Resolution Protocol)
Links on Wikipedia:
ARP is the protocol used to resolve network layer addresses (OSI layer 3, e.g. IP addresses) into link layer addresses (OSI layer 2, e.g. MAC addresses).
Example (adapted from wikipedia):
Computers A and B are in an office, connected to each other on the office local area network by Ethernet cables and network switches, with no intervening gateways or routers. A wants to send a packet to B. Through other means, it determines that B's IP address is 192.168.0.55. In order to send the message, it also needs to know B's MAC address:
- First, A uses a cached ARP table to look up B's MAC address from B's IP address. If the MAC address is found, it sends the IP packet on the link layer to that MAC address via the local network cabling.
- If the cache did not produce any result, A has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for B's IP address. B responds with its MAC address. B may insert an entry for A into its own ARP table for future use. The response information is cached in A's ARP table and the message can now be sent.
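The two-step lookup above (cache first, broadcast on a miss, reply cached) as an added example that is not part of the original page. It encodes and decodes ARP-over-Ethernet frames with the standard field layout and drives the A/B exchange with constructed MAC and IP addresses; the Host class is a toy model, and it only installs replies for addresses it asked about, a check the protocol itself does not provide.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (IPv4 over Ethernet).
    Requests go to the broadcast MAC; replies go straight back to the requester."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sha), ETH_P_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, then op and the four addresses
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an ARP-over-Ethernet frame; reject anything that is not IPv4/Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype {ethertype:#06x})")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4 over Ethernet is handled")
    return {"eth_dst": mac_str(eth_dst), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class Host:
    """Toy host with an ARP cache; `wire` collects every frame it transmits."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
        self.arp_table: dict = {}     # IP -> MAC, consulted before any broadcast
        self.pending: set = set()     # IPs with an outstanding request of ours
        self.wire: list = []

    def resolve(self, target_ip: str):
        """Step 1: a cache hit returns the MAC. Step 2: a miss broadcasts a request and returns None."""
        if target_ip in self.arp_table:
            return self.arp_table[target_ip]
        self.pending.add(target_ip)
        self.wire.append(build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip))
        return None

    def receive(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p["op"] == ARP_REQUEST and p["tpa"] == self.ip:
            self.arp_table[p["spa"]] = p["sha"]   # B may learn A from the request itself
            self.wire.append(build_arp(ARP_REPLY, self.mac, self.ip, p["sha"], p["spa"]))
        elif p["op"] == ARP_REPLY and p["tha"] == self.mac and p["spa"] in self.pending:
            # only install replies we solicited; ARP itself has no such check
            self.pending.discard(p["spa"])
            self.arp_table[p["spa"]] = p["sha"]


def exchange() -> dict:
    """Run the A/B exchange described above with constructed addresses."""
    a = Host("02:00:00:00:00:0a", "192.168.0.10")
    b = Host("02:00:00:00:00:0b", "192.168.0.55")
    first = a.resolve(b.ip)            # cache miss -> broadcast request
    request = a.wire[-1]
    b.receive(request)                 # B answers and caches A
    a.receive(b.wire[-1])              # A caches B's MAC
    return {"first_lookup": first, "request_dst": parse_arp(request)["eth_dst"],
            "b_mac": a.resolve(b.ip), "b_learned_a": b.arp_table.get(a.ip)}
```

The second `resolve` call in `exchange` returns B's MAC without any frame being sent, which is exactly what the cache buys; the 0x0806 ethertype and the 28-byte ARP body are what you will see when capturing these frames on a real interface.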
ARP Proxy
Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel. The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as publishing.
- (+) simplicity. A router may extend a network without knowledge of the upstream router.
- (-) scalability
- (-) reliability (no fallback mechanism)
Gateway
If, after routing, the selected route contains the IP address of a gateway, the destination address in the IP packet is *not* changed. Instead, the IP layer tells the link layer to use the gateway's MAC address in the frame header rather than the MAC address belonging to the destination IP address (see [1]).
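To make the gateway rule concrete, here is an added example (not from the original page) of route selection by longest prefix match and of the split between the IP header destination and the address handed to ARP. The routing table is constructed to mirror the command-line setup further down this page (192.168.1.0/24 on eth0 with default gateway 192.168.1.129); the 10.0.0.0/8 route and its gateway 192.168.1.254 are invented to show a non-default gateway route.

```python
import ipaddress

# Constructed routing table in the shape `ip route` prints it.
ROUTES = [
    ("default",        "192.168.1.129", "eth0"),
    ("192.168.1.0/24", None,            "eth0"),   # directly connected: no gateway
    ("10.0.0.0/8",     "192.168.1.254", "eth0"),   # invented, via a second router on the LAN
]


def parse_routes(rows):
    table = []
    for prefix, gateway, dev in rows:
        net = ipaddress.IPv4Network("0.0.0.0/0" if prefix == "default" else prefix)
        gw = None if gateway is None else ipaddress.IPv4Address(gateway)
        table.append((net, gw, dev))
    return table


def select_route(table, dst: str):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matching = [r for r in table if addr in r[0]]
    if not matching:
        raise LookupError(f"no route to {dst}")
    return max(matching, key=lambda r: r[0].prefixlen)


def next_hop(table, dst: str) -> dict:
    """What goes into the IP header versus what is handed to ARP.
    The IP destination is left untouched; only the address the link layer
    resolves becomes the gateway when the selected route has one."""
    net, gw, dev = select_route(table, dst)
    arp_target = gw if gw is not None else ipaddress.IPv4Address(dst)
    return {"ip_dst": dst, "arp_target": str(arp_target), "dev": dev,
            "route": str(net), "via_gateway": gw is not None}


TABLE = parse_routes(ROUTES)
```

Running `next_hop(TABLE, "8.8.8.8")` selects the default route, so the frame is addressed to 192.168.1.129's MAC while the IP header still says 8.8.8.8; `next_hop(TABLE, "192.168.1.50")` is on-link and ARP resolves the destination itself.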
Tun/Tap devices
tun/tap are software-only network interfaces, accessed through a character device (usually /dev/net/tun), that allow userspace programs to send and receive packets (tun carries IP packets, tap carries Ethernet frames).
Creating tun/tap devices
There are basically 3 ways to create tun/tap devices:
- ip (package iproute, aka iproute2) (see [2]). Unfortunately this option is only available in recent distributions (not available in Ubuntu Lucid):
ip tuntap help
ip tuntap add dev mytap mode tap user $USER
- openvpn:
sudo openvpn --mktun --dev tun0 --user $USER
sudo openvpn --rmtun --dev tun0
- tunctl. Do not use the version from package uml-utilities because it can only create tap devices, not tun. Instead fetch the latest version from SourceForge:
sudo tunctl -n -u $USER # Create a tun device. '-n' can be replaced by '-t tun0'
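All three commands above create a persistent device owned by a given user; what that buys is that the owning user can then attach an unprivileged program to it. The following added example (not from the original page) shows the attach step in Python: it opens /dev/net/tun, issues the TUNSETIFF ioctl with the kernel's constants from linux/if_tun.h, and decodes the IPv4 header of each packet read. It assumes a device named tun0 was created beforehand, e.g. with `ip tuntap add dev tun0 mode tun user $USER`, and given an address and brought up with `ip addr add` / `ip link set tun0 up`; SAMPLE_IPV4_HEADER is a constructed packet for offline use of the decoder.

```python
import fcntl
import os
import struct

# Constants from linux/if_tun.h
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001       # layer 3: raw IP packets
IFF_TAP = 0x0002       # layer 2: Ethernet frames
IFF_NO_PI = 0x1000     # no 4-byte packet-information header in front of each packet
IFNAMSIZ = 16


def build_ifreq(name: str, flags: int) -> bytes:
    """struct ifreq as TUNSETIFF reads it: 16-byte interface name followed by the flags short."""
    raw = name.encode()
    if not raw or len(raw) >= IFNAMSIZ:
        raise ValueError("interface name must be 1..15 bytes")
    return struct.pack(f"{IFNAMSIZ}sH", raw, flags)


def attach(name: str, mode: str = "tun") -> int:
    """Attach to an existing tun/tap device and return its file descriptor.
    Needs no root when the device was created with `... user $USER` for this user."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    flags = (IFF_TUN if mode == "tun" else IFF_TAP) | IFF_NO_PI
    fcntl.ioctl(fd, TUNSETIFF, build_ifreq(name, flags))
    return fd


def describe_ipv4(packet: bytes) -> dict:
    """Decode the fixed part of an IPv4 header as read from a tun fd opened with IFF_NO_PI."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    return {"ihl": ihl, "total_len": total_len, "proto": packet[9],
            "src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20]))}


# Constructed 20-byte header: TCP (proto 6), 192.168.1.1 -> 192.168.1.129, total length 40.
SAMPLE_IPV4_HEADER = bytes.fromhex("45000028" "00004000" "40060000" "c0a80101" "c0a80181")


def main() -> None:
    fd = attach("tun0")
    while True:
        pkt = os.read(fd, 65535)      # one whole packet per read
        print(describe_ipv4(pkt))


if __name__ == "__main__":
    main()
```

A tun fd hands you complete IP packets with no framing to parse, which is why `describe_ipv4` can index the header directly; with IFF_TAP you would get Ethernet frames instead and would have to skip the 14-byte Ethernet header first.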
Network setup via command line
sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0
sudo route add default gw 192.168.1.129
sudo vi /etc/resolv.conf
# nameserver 192.168.1.129
# search domainname
sudo dhclient eth0
Wake-on-LAN
See gWakeOnLan.
Firewall / iptables
References:
- http://www.cyberciti.biz/tips/linux-iptables-examples.html
- http://www.thegeekstuff.com/2011/01/iptables-fundamentals/
Summary of iptables:
- There are several tables: filter, raw...
- In the filter table, there are 3 builtin chains: INPUT, OUTPUT and FORWARD; iptables extensions provide some more chains.
- In each chain, rules are processed in sequence. If the packet matches the rule, the counter for that rule is incremented; if the rule has a target, it is taken and processing ends (unless the target is non-terminating, such as LOG); otherwise processing continues with the next rule.
- One can create custom chains, and use custom rules with RETURN as target to build more elaborate rule sets.
Some tricks:
- To view all current iptables rules:
sudo iptables --list -n -v
- Save all rules in readable / restorable form:
sudo iptables-save > iptables-rules
- iptables-restore does not accept a command like
-N mychain
to restore a chain. Instead use the following:
#-N my-chain
:my-chain - [0:0]
- To clear all rules:
sudo iptables -F # flush
sudo iptables -X # Delete all chains but builtin
Example of script. This one was added to /etc/ufw/before.rules (see Nxl67170 - Windows and Dansguardian for more examples):
:vbox-output-logging-deny - [0:0]
:vbox-output-logging-allow - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p udp -m multiport --dports 53,137,138,389 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp --dport 88 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT
# -A vbox-output-logging-allow -p tcp -m multiport --dports 135,139,389,445 -j RETURN
# -A vbox-output-logging-allow -p udp -m multiport --dports 53,137,138,389 -j RETURN
# -A vbox-output-logging-allow -p tcp -m multiport --dports 88 -j RETURN
# -A vbox-output-logging-allow -j LOG --log-prefix "[UFW ALLOW] [VBOX] "
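The summary of chain processing above and the before.rules fragment fit together well enough to model. The following added example (not from the original page, and not iptables' own code) is a small evaluator that implements the described semantics: rules tried in order, a match increments the counter, ACCEPT/DROP/REJECT terminate, LOG matches without terminating, `-j user-chain` enters the chain and RETURN (or falling off its end) resumes in the caller. It loads the uncommented ufw-before-output rules from this page, reduced to the matches they use (owner uid, protocol, destination, dports); the Packet class and its fields are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    uid: int        # owner of the sending socket (-m owner --uid-owner)
    proto: str      # "tcp" or "udp"
    dst: str
    dport: int


@dataclass
class Rule:
    target: str                                  # ACCEPT/DROP/REJECT/LOG/RETURN or a user chain
    uid: Optional[int] = None
    proto: Optional[str] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dports: FrozenSet[int] = frozenset()
    log_prefix: str = ""
    counter: int = 0                             # packets matched, as shown by iptables -L -v

    def matches(self, pkt: Packet) -> bool:
        return ((self.uid is None or pkt.uid == self.uid)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dst is None or ipaddress.IPv4Address(pkt.dst) in self.dst)
                and (not self.dports or pkt.dport in self.dports))


class Table:
    def __init__(self):
        self.chains: Dict[str, List[Rule]] = {}
        self.log: List[str] = []

    def add(self, chain: str, rule: Rule) -> None:     # -A chain <matches> -j target
        self.chains.setdefault(chain, []).append(rule)

    def run(self, chain: str, pkt: Packet) -> str:
        """Walk one chain. Returns a terminating verdict, or "RETURN" when the
        chain ends without one and the calling chain (or policy) decides."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            rule.counter += 1
            if rule.target == "LOG":                   # matches and logs, does not terminate
                self.log.append(f"{rule.log_prefix}uid={pkt.uid} {pkt.proto} {pkt.dst}:{pkt.dport}")
                continue
            if rule.target == "RETURN":
                return "RETURN"
            if rule.target in TERMINATING:
                return rule.target
            verdict = self.run(rule.target, pkt)        # -j user-chain
            if verdict != "RETURN":
                return verdict
        return "RETURN"


def page_rules() -> Table:
    """The uncommented ufw-before-output fragment above, rule for rule."""
    t = Table()
    net = ipaddress.IPv4Network
    t.add("ufw-before-output", Rule("ACCEPT", uid=7000, dst=net("92.120.124.210/32")))
    t.add("ufw-before-output", Rule("ACCEPT", uid=7000, proto="tcp", dports=frozenset({135, 139, 389, 445})))
    t.add("ufw-before-output", Rule("ACCEPT", uid=7000, proto="udp", dports=frozenset({53, 137, 138, 389})))
    t.add("ufw-before-output", Rule("ACCEPT", uid=7000, proto="tcp", dports=frozenset({88})))
    t.add("ufw-before-output", Rule("vbox-output-logging-deny", uid=7000, dst=net("92.120.0.0/16")))
    t.add("ufw-before-output", Rule("ACCEPT", uid=7000))
    t.add("vbox-output-logging-deny", Rule("LOG", log_prefix="[UFW BLOCK] [VBOX] "))
    t.add("vbox-output-logging-deny", Rule("REJECT"))
    return t


def verdict(pkt: Packet) -> str:
    return page_rules().run("ufw-before-output", pkt)
```

Two things the model makes visible: a uid-7000 TCP packet to port 445 anywhere in 92.120.0.0/16 is accepted by the port rule before the /16 deny rule is ever reached (order decides, not specificity), and a packet from any other uid matches nothing here, so the verdict "RETURN" means the remaining ufw chains decide.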
UFW
On Ubuntu, the default firewall is UFW.
When deploying UFW, first move the user rules to /etc/ufw so that they can be tracked by etckeeper:
cd /lib/ufw
sudo mv user* /etc/ufw
sudo ln -s /etc/ufw/user.rules
sudo ln -s /etc/ufw/user6.rules
Then enable ufw:
sudo ufw enable
It is easy to add new rules for ufw:
sudo ufw allow from 192.168.11.2 # Enable full access from local virtualbox
sudo ufw allow from 172.19.0.0/16 to any port 22 # Enable - from home local network - SSH
sudo ufw reload
WINS and NetBIOS
To enable WINS and NetBIOS name resolution on Ubuntu [3]:
sudo apt-get install winbind libnss-winbind # samba must be installed as well
Edit /etc/nsswitch.conf:
-hosts: files dns
+hosts: files dns wins
Then reload:
sudo service winbind reload
Autofs
- To troubleshoot autofs [4]:
sudo service autofs stop
sudo automount -f -v
- Use option --ghost to show share directories when browsing mount points [5], e.g. in /etc/auto.master:
# mount point   config file         options
/-              /etc/auto.direct    --ghost
/misc           /etc/auto.misc      --timeout=30 --ghost
+auto.master
- Mount sshfs with autofs [6]
- Install the necessary packages:
sudo apt-get install sshfs autofs
- Add current user to group fuse:
usermod -a -G fuse tjansson
- Add to /etc/auto.master:
/sshfs /etc/auto.sshfs uid=1000,gid=1000,--timeout=30,--ghost
- Add to /etc/auto.sshfs (this assumes the key is password-less):
alpha-blue -fstype=fuse,rw,nodev,nonempty,noatime,allow_other,max_read=65536,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789 :sshfs\#nightmoore@alpha-blue\:
- To troubleshoot, first add to /etc/fstab:
sshfs#nightmoore@alpha-blue:/ /mnt/sshfstab/ fuse user,_netdev,reconnect,uid=1000,gid=1000,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789,idmap=user,allow_other,default_permissions,debug,sshfs_debug 0 2
- Then
mount /mnt/sshfstab
- Add option debug,sshfs_debug to get really verbose debug output [7].
Questions
- Difference between ifconfig(8), route(8) and ip(8)?
From [8]: And remember: every time you use ifconfig(8), Cthulhu eats a kitten. Please, think of the kittens
This HOW-TO says that route and ip(8) are not compatible.
Why does iproute2 say that Linux kernels 2.2 and up include a completely redesigned network subsystem, and that legacy tools like arp, ifconfig and route are actually obsolete and show unexpected behaviour with features that are only available through iproute2 ([9])?
43. LVS: Newer networking tools: Policy Routing gives more examples of ifconfig (wrongly) hiding the complexity of an interface having multiple IP addresses.