Linux networking

From miki
Jump to navigation Jump to search

References

On this wiki:

External:

ARP (Address Resolution Protocol)

Links on Wikipedia:

ARP is a protocol used for resolution of network layer addresses (OSI level 3, e.g. IP addresses) into link layer addresses (OSI level 2, e.g. MAC addresses).

Example (adapted from wikipedia):

Computers A and B are in an office, connected to each other on the office local area network by Ethernet cables and network switches, with no intervening gateways or routers. A wants to send a packet to B. Through other means, it determines that B's IP address is 192.168.0.55. In order to send the message, it also needs to know B's MAC address:

  • First, A uses a cached ARP table to look up B's MAC address from B's IP address. If the MAC address is found, it sends the IP packet on the link layer to that MAC address via the local network cabling.
  • If the cache did not produce any result, A has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for B's IP address. B responds with its MAC address. B may insert an entry for A into its own ARP table for future use. The response information is cached in A's ARP table and the message can now be sent.

ARP Proxy

Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel. The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as publishing.

  • (+) simplicity. A router may extend a network without knowledge of the upstream router.
  • (-) scalability
  • (-) reliability (no fallback mechanism)

Gateway

If after routing, the selected route contains IP address of a gateway, the destination address in the IP packet is *not* changed. Instead, it tells the link layer to use the gateway's MAC address in the frame header instead of the one of the destination IP address (see [1]).

Tun/Tap devices

tun/tap are software-only interfaces, accessed through a character device (usually located at /dev/net/tun), and that allow userspace networking

Creating tun/tap devices

There are basically 3 ways to create tun/tap devices:

  • ip' (package iproute, aka iproute2) (see [2]).
    Unfortunately this is option is only available in recent distribution (not available in Ubuntu Lucid)
  • ip tuntap help
    ip tuntap add dev mytap mode tap user $USER
    
  • openvpn
  • sudo openvpn --mktun --dev tun0 --user $USER
    sudo openvpn --rmtun --dev tun0
    
  • tunctl

  • Do not use version from package uml-utilities because it can only create tap devices, not tun. Instead fetch the latest version from SourceForge.
    sudo tunctl -n -u $USER       # Create a tun device. '-n' can be replaced by '-t tun0'
    

Network setup via command line

sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0
sudo route add default gw 192.168.1.129
sudo vi /etc/resolv.conf
# nameserver 192.168.1.129
# search domainname
sudo dhclient eth0

Wake-on-LAN

See gWakeOnLan.

Firewall / iptables

References:

Summary of iptables:

  • There are several tables: filter, raw...
  • In the filter table, there are 3 builtin chains: INPUT, OUTPUT and FORWARD
  • iptables extensions provide some more chains.
  • In each chain, rules are processed in sequence. If the packet matches the rule, the counter for that rule is incremeneted; if a target is given, it is taken (if any) and process ends; otherwise process continues to next rule.
  • One can create custom chains, and use custom rules with RETURN as target for creating more elaborate rules.

Some tricks:

  • To view all current iptables rules:
sudo iptables --list -n -v
  • Save all rules in readable / restorable form:
sudo iptables-save > iptables-rules
  • iptable-restore does not like command like -N mychain to restore a chain. Instead use the following:
#-N my-chain
:my-chain - [0:0]
  • To clear all rules:
 sudo iptables -F           # flush
 sudo iptables -X           # Delete all chains but builtin

Example of script. This one was added to /etc/ufw/before.rules (see Nxl67170 - Windows and Dansguardian for more examples):

:vbox-output-logging-deny - [0:0]
:vbox-output-logging-allow - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p udp -m multiport --dports 53,137,138,389 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp --dport 88 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT
# -A vbox-output-logging-allow -p tcp -m multiport --dports 135,139,389,445 -j RETURN
# -A vbox-output-logging-allow -p udp -m multiport --dports 53,137,138,389 -j RETURN
# -A vbox-output-logging-allow -p tcp -m multiport --dports 88 -j RETURN
# -A vbox-output-logging-allow -j LOG --log-prefix "[UFW ALLOW] [VBOX] "

UFW

On Ubuntu, the default firewall is UFW.

When deploying UFW, first move the user rules to /etc/ufw so that they can be tracked by etckeeper:

cd /lib/ufw
sudo mv user* /etc/ufw
sudo ln -s /etc/ufw/user.rules
sudo ln -s /etc/ufw/user6.rules

Then enable ufw:

sudo ufw enable

It is easy to add new rules for ufw:

sudo ufw allow from 192.168.11.2                   # Enable full access from local virtualbox
sudo ufw allow from 172.19.0.0/16 to any port 22   # Enable - from home local network - SSH
sudo ufw reload

WINS and NetBIOS

To enable WINS and NetBIOS name resolution on Ubuntu [3]:

sudo apt-get install winbind libnss-winbind             # samba must be installed as well

Edit /etc/nsswitch.conf:

-hosts:      files dns
+hosts:      files dns wins

Then reload:

sudo service winbind reload

Autofs

  • To troubleshoot autofs [4]
sudo service autofs stop
sudo automount -f -v
  • Use option --ghost to show share directories when browsing mount points [5]:
# mount point   config file        options
/-              /etc/auto.direct   --ghost
/misc           /etc/auto.misc     --timeout=30 --ghost
+auto.master

Questions

  • Difference between ifconfig(8), route(8) and ip(8)?
    From [6]: And remember: every time you use ifconfig(8), Cthulhu eats a kitten. Please, think of the kittens
    This HOW-TO says that route and ip(8) are not compatible.
    Why iproute2 says that Linux kernels 2.2 and up include a completely redesigned network system, and that legacy tools like arp, ifconfig and route are actually obsolete and show some unexpected behaviours that are only available with iproute2 ([7]).
    43. LVS: Newer networking tools: Policy Routing gives more example of ifconfig hiding (wrongly) complexity of an interface having multiple IP addresses.