Linux networking
References
On this wiki:
External:
- Basic HOW-TO
- Linux Networking-concepts HOWTO - Rusty Russell (basic introduction, 2001)
- Linux Networking-HOWTO (Previously the Net-3 Howto) (old HOWTO, 1999, refer to ch5 and ch6 for simple routing examples)
- Quick HOWTO : Ch03 : Linux Networking (seems more extended)
- iproute2
- Tun/Tap
ARP (Address Resolution Protocol)
Links on Wikipedia:
ARP is a protocol used for resolution of network layer addresses (OSI level 3, e.g. IP addresses) into link layer addresses (OSI level 2, e.g. MAC addresses).
Example (adapted from Wikipedia):
Computers A and B are in an office, connected to each other on the office local area network by Ethernet cables and network switches, with no intervening gateways or routers. A wants to send a packet to B. Through other means, it determines that B's IP address is 192.168.0.55. In order to send the message, it also needs to know B's MAC address:
- First, A uses a cached ARP table to look up B's MAC address from B's IP address. If the MAC address is found, it sends the IP packet on the link layer to that MAC address via the local network cabling.
- If the cache did not produce any result, A has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for B's IP address. B responds with its MAC address. B may insert an entry for A into its own ARP table for future use. The response information is cached in A's ARP table and the message can now be sent.
ARP Proxy
Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel. The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as publishing.
- (+) simplicity. A router may extend a network without knowledge of the upstream router.
- (-) scalability
- (-) reliability (no fallback mechanism)
Gateway
If, after routing, the selected route contains the IP address of a gateway, the destination address in the IP packet is *not* changed. Instead, the link layer is told to put the gateway's MAC address in the frame header rather than the MAC address belonging to the destination IP (see [1]). In other words, ARP resolves the next hop, not the final destination.
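The following is an added example (not part of the original wiki page) that puts the ARP walk-through and the gateway rule above into code: it encodes and decodes Ethernet/ARP frames, implements the "look in the cache, otherwise broadcast a request" steps, learns the cache entry from a reply, and picks the address to resolve (gateway or destination) by longest-prefix match. All MAC addresses, IP addresses and the routing table are constructed sample data. Note that a reply from a proxy ARP host looks exactly like the one built here, only with the proxy's MAC as sender; the requester cannot tell the difference from the frame alone.

```python
# Added example, not from the original page: ARP frame encode/decode, cache logic,
# and next-hop selection. All addresses and routes below are constructed samples.
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (IPv4 over Ethernet).
    Requests go to the broadcast MAC, replies are unicast to the target."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, operation
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not an IPv4/Ethernet ARP frame."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": mac_to_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": mac_to_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def next_hop(dst_ip, routes):
    """Longest-prefix match over (prefix, gateway-or-None) pairs. Returns the IP
    whose MAC the frame must carry: the gateway if the route has one, otherwise
    the destination itself. The IP header's destination stays dst_ip either way."""
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError("no route to host")
    return best[1] or dst_ip


def resolve(arp_cache, hop_ip, my_mac, my_ip):
    """Step 1: cache hit gives the MAC. Step 2: otherwise return the broadcast
    request that host A would put on the wire."""
    if hop_ip in arp_cache:
        return ("cached", arp_cache[hop_ip])
    return ("broadcast", build_arp(ARP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", hop_ip))


def learn_reply(arp_cache, frame):
    """Cache the sender of an ARP reply, as A does when B answers."""
    info = parse_arp(frame)
    if info and info["op"] == ARP_REPLY:
        arp_cache[info["sender_ip"]] = info["sender_mac"]
    return arp_cache


if __name__ == "__main__":
    routes = [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]  # constructed table
    cache = {}
    hop = next_hop("192.168.0.55", routes)  # on-link: resolve B itself
    kind, req = resolve(cache, hop, "02:00:00:00:00:0a", "192.168.0.10")
    print(kind, parse_arp(req))
    reply = build_arp(ARP_REPLY, "02:00:00:00:00:0b", "192.168.0.55",
                      "02:00:00:00:00:0a", "192.168.0.10")
    learn_reply(cache, reply)
    print(resolve(cache, hop, "02:00:00:00:00:0a", "192.168.0.10"))
    print(next_hop("8.8.8.8", routes))  # off-link: resolve the gateway instead
```

Running the script shows the request going out as a broadcast, the cache being filled from B's reply, and the default route mapping an off-link address to the gateway's IP for resolution.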
Tun/Tap devices
tun/tap are software-only network interfaces, accessed through a character device (usually /dev/net/tun), that allow networking to be done from userspace: packets the kernel sends out of the interface are read from the device by a program, and whatever the program writes to the device enters the kernel stack as if it had arrived on the interface (tun carries IP packets, tap carries Ethernet frames).
On Linux, there are basically 3 ways to create tun/tap devices:
- ip (package iproute, aka iproute2 [2]). Unfortunately this option is only available in recent distributions (not available in Ubuntu Lucid):
  ip tuntap help
  ip tuntap add dev tun0 mode tap user $USER
- openvpn:
  sudo openvpn --mktun --dev tun0 --user $USER
  sudo openvpn --rmtun --dev tun0
- tunctl. Do not use the version from package uml-utilities because it can only create tap devices, not tun. Instead fetch the latest version from SourceForge:
  sudo tunctl -n -u $USER # Create a tun device. '-n' can be replaced by '-t tun0'
See the how-to section below to learn how to create VPNs with virtual devices.
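All three tools above end up doing the same thing: opening /dev/net/tun and issuing the TUNSETIFF ioctl. The following is an added example (not from the original page or from any of those tools) that does this directly from Python and decodes the IPv4 header of each packet the kernel hands over, which is the starting point of any userspace networking program. The ioctl constants come from <linux/if_tun.h>; the device name "tun0" and SAMPLE_PACKET are constructed. Creating the device needs CAP_NET_ADMIN, so the parser is exercised on the sample packet first and the device is only opened when running as root.

```python
# Added example, not from the original page: create a tun device from userspace
# (same TUNSETIFF ioctl that ip/openvpn/tunctl use) and decode packets read from it.
import fcntl
import ipaddress
import os
import struct

TUNSETIFF = 0x400454CA                     # from <linux/if_tun.h>
IFF_TUN, IFF_TAP, IFF_NO_PI = 0x0001, 0x0002, 0x1000

# Constructed sample: IPv4, IHL 5, total length 28, TTL 64, protocol 1 (ICMP),
# 10.9.0.2 -> 10.9.0.1, followed by an 8-byte echo-request header.
SAMPLE_PACKET = (struct.pack("!BBHHHBBH", 0x45, 0, 28, 1, 0, 64, 1, 0)
                 + bytes([10, 9, 0, 2]) + bytes([10, 9, 0, 1])
                 + b"\x08\x00" + b"\x00" * 6)


def tun_alloc(name="tun0", tap=False):
    """Create (or attach to) a tun/tap device; needs CAP_NET_ADMIN.
    Returns (fd, actual_name). IFF_NO_PI drops the 4-byte packet-info prefix
    so that reads start directly at the IP header."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    flags = (IFF_TAP if tap else IFF_TUN) | IFF_NO_PI
    ifr = struct.pack("16sH", name.encode(), flags)   # struct ifreq: ifr_name, ifr_flags
    res = fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd, res[:16].rstrip(b"\0").decode()


def parse_ipv4(packet):
    """Decode the IPv4 header of a raw packet read from a tun fd.
    Returns None for anything that is not a well-formed IPv4 packet."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or total_len < ihl:
        return None
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
        "payload": packet[ihl:total_len],
    }


def read_loop(fd, handler, max_packets=None):
    """Hand every packet the kernel sends to the interface to handler()."""
    n = 0
    while max_packets is None or n < max_packets:
        handler(parse_ipv4(os.read(fd, 65535)))
        n += 1


if __name__ == "__main__":
    print(parse_ipv4(SAMPLE_PACKET))
    if os.geteuid() == 0:
        fd, name = tun_alloc("tun0")
        # Then, from another shell: ip addr add 10.9.0.1/24 dev tun0; ip link set tun0 up
        print("attached to", name)
        read_loop(fd, print)
```

Once the interface is up and addressed, pinging an address in its subnet makes the kernel route the echo requests into the device, where the loop prints their decoded headers; nothing is written back, so the pings simply time out, which is the expected behaviour for a device with no userspace peer.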
Wake-on-LAN
See gWakeOnLan.
Firewall / iptables
References:
- http://www.cyberciti.biz/tips/linux-iptables-examples.html
- http://www.thegeekstuff.com/2011/01/iptables-fundamentals/
Summary of iptables:
- There are several tables: filter, nat, mangle, raw...
- In the filter table, there are 3 builtin chains: INPUT, OUTPUT and FORWARD. iptables extensions provide some more chains.
- In each chain, rules are processed in sequence. If the packet matches a rule, the counter for that rule is incremented; if the rule specifies a target, the target is taken and, for terminating targets such as ACCEPT, DROP or REJECT, processing ends (LOG is non-terminating: the packet is logged and processing continues); otherwise processing continues with the next rule. A packet that reaches the end of a builtin chain gets the chain's policy.
- One can create custom chains, and use rules with RETURN as target (which hands the packet back to the calling chain), for more elaborate rule sets.
Some tricks:
- To view all current iptables rules:
sudo iptables --list -n -v
- Save all rules in readable / restorable form:
sudo iptables-save > iptables-rules
- iptables-restore does not accept a command like -N my-chain to create a chain. Instead declare the chain with the header syntax that iptables-save itself produces:
#-N my-chain
:my-chain - [0:0]
- To clear all rules:
sudo iptables -F # flush
sudo iptables -X # Delete all chains but builtin
Example of script. This one was added to /etc/ufw/before.rules (see Nxl67170 - Windows and Dansguardian for more examples):
:vbox-output-logging-deny - [0:0]
:vbox-output-logging-allow - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p udp -m multiport --dports 53,137,138,389 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp --dport 88 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT
# -A vbox-output-logging-allow -p tcp -m multiport --dports 135,139,389,445 -j RETURN
# -A vbox-output-logging-allow -p udp -m multiport --dports 53,137,138,389 -j RETURN
# -A vbox-output-logging-allow -p tcp -m multiport --dports 88 -j RETURN
# -A vbox-output-logging-allow -j LOG --log-prefix "[UFW ALLOW] [VBOX] "
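To make the sequential processing described in the summary concrete, the following is an added example (not from the original page, and not iptables itself): a small simulator that loads rules in iptables-save syntax (":chain - [0:0]" declares a chain, "-A chain ..." appends a rule), walks a packet through them, increments per-rule counters, treats LOG as non-terminating and jumps into user-defined chains, returning to the caller when they fall through or hit RETURN. It only understands the matches used on this page (-p, -d, --dport/--dports, -m owner --uid-owner). The rule set RULES is a reduced, constructed version of the before.rules script above, with ufw-before-output declared as a plain chain; the packets are constructed too.

```python
# Added example, not from the original page: simulate the iptables rule walk over
# rules written in iptables-save syntax. Rules and packets below are constructed.
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

RULES = """
:ufw-before-output - [0:0]
:vbox-output-logging-deny - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT
"""


def load_rules(text):
    """Parse iptables-save style lines into {chain: [rule, ...]}; each rule carries its own counter."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):                 # ":my-chain - [0:0]" declares a chain
            chains.setdefault(line[1:].split()[0], [])
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("unsupported line: " + line)
        rule = {"match": {}, "target": None, "log_prefix": "", "pkts": 0, "line": line}
        i = 2
        while i < len(toks):
            opt, val = toks[i], toks[i + 1]
            if opt == "-p":
                rule["match"]["proto"] = val
            elif opt == "-d":
                rule["match"]["dst"] = ipaddress.ip_network(val, strict=False)
            elif opt in ("--dport", "--dports"):
                rule["match"]["dports"] = {int(p) for p in val.split(",")}
            elif opt == "--uid-owner":
                rule["match"]["uid"] = int(val)
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--log-prefix":
                rule["log_prefix"] = val
            elif opt == "-m":
                pass                             # extension name; its options follow
            else:
                raise ValueError("unsupported option " + opt)
            i += 2
        chains.setdefault(toks[1], []).append(rule)
    return chains


def matches(rule, pkt):
    m = rule["match"]
    return (("proto" not in m or pkt.get("proto") == m["proto"])
            and ("dst" not in m or ipaddress.ip_address(pkt["dst"]) in m["dst"])
            and ("dports" not in m or pkt.get("dport") in m["dports"])
            and ("uid" not in m or pkt.get("uid") == m["uid"]))


def walk(chains, chain, pkt, log):
    """Walk one chain. Returns a terminating verdict, or None when the chain
    falls through or RETURNs to its caller."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        rule["pkts"] += 1                        # counter bumped on every match
        target = rule["target"]
        if target is None:
            continue                             # match with no target: count only
        if target == "LOG":
            log.append((rule["log_prefix"], pkt))
            continue                             # non-terminating
        if target == "RETURN":
            return None
        if target in TERMINATING:
            return target
        if target not in chains:
            raise ValueError("unknown target " + target)
        verdict = walk(chains, target, pkt, log) # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def evaluate(chains, chain, pkt):
    """Return (verdict, log entries); 'POLICY' means the packet fell off the chain."""
    log = []
    verdict = walk(chains, chain, pkt, log)
    return (verdict or "POLICY", log)


if __name__ == "__main__":
    chains = load_rules(RULES)
    for pkt in ({"uid": 7000, "proto": "tcp", "dport": 80, "dst": "92.120.5.5"},
                {"uid": 7000, "proto": "tcp", "dport": 445, "dst": "92.120.5.5"},
                {"uid": 1000, "proto": "tcp", "dport": 80, "dst": "1.2.3.4"}):
        print(pkt, "->", evaluate(chains, "ufw-before-output", pkt))
    for name, rules in chains.items():
        print(name, [r["pkts"] for r in rules])
```

The first packet shows the LOG-then-REJECT pattern used in vbox-output-logging-deny: the LOG rule fires and processing continues to the REJECT rule in the same chain, which is why the two rules must be in that order.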
UFW
On Ubuntu, the default firewall is UFW.
When deploying UFW, first move the user rules to /etc/ufw so that they can be tracked by etckeeper:
cd /lib/ufw
sudo mv user* /etc/ufw
sudo ln -s /etc/ufw/user.rules
sudo ln -s /etc/ufw/user6.rules
Then enable ufw:
sudo ufw enable
It is easy to add new rules for ufw:
sudo ufw allow from 192.168.11.2 # Enable full access from local virtualbox
sudo ufw allow from 172.19.0.0/16 to any port 22 # Enable - from home local network - SSH
sudo ufw reload
WINS and NetBIOS
To enable WINS and NetBIOS name resolution on Ubuntu [3]:
sudo apt-get install winbind libnss-winbind # samba must be installed as well
Edit /etc/nsswitch.conf:
-hosts: files dns
+hosts: files dns wins
Then reload:
sudo service winbind reload
IPv4 vs IPv6
- Define in /etc/hosts (note that alias names always come last [4]):
  ::1 ipv6.localdomain ipv6
  127.0.0.1 ipv4.localdomain ipv4
- Voilà: use the ipv4 / ipv6 hostnames wherever they are needed.
Tun2socks
See Tun2socks.
Tips and How-tos
- To troubleshoot autofs [5], stop the service and run the automounter in the foreground, verbose:
  sudo service autofs stop
  sudo automount -f -v
- Use option --ghost to show share directories when browsing mount points [6], e.g. in /etc/auto.master:
  # mount point    config file        options
  /-               /etc/auto.direct   --ghost
  /misc            /etc/auto.misc     --timeout=30 --ghost
  +auto.master
- Mount sshfs with autofs [7]:
  - Install the necessary packages:
    sudo apt-get install sshfs autofs
  - Add the current user to group fuse:
    usermod -a -G fuse tjansson
  - Add to /etc/auto.master:
    /sshfs /etc/auto.sshfs uid=1000,gid=1000,--timeout=30,--ghost
  - Add to /etc/auto.sshfs (this assumes the key is password-less):
    alpha-blue -fstype=fuse,rw,nodev,nonempty,noatime,allow_other,max_read=65536,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789 :sshfs\#nightmoore@alpha-blue\:
  - To troubleshoot, first add to /etc/fstab:
    sshfs#nightmoore@alpha-blue:/ /mnt/sshfstab/ fuse user,_netdev,reconnect,uid=1000,gid=1000,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789,idmap=user,allow_other,default_permissions,debug,sshfs_debug 0 2
  - Then:
    mount /mnt/sshfstab
  - Add the options debug,sshfs_debug to get really verbose debug output [8].
libpam-mount
References:
- pam-mount.sourceforge.net
- wiki.ubuntu.com
- archlinux, to install manually.
- [9], add system-level share.
libpam-mount allows you to mount network shares automatically when you log in, using your login password as credentials.
- The advantage is that, unlike with autofs, you don't need to store your password in a file;
- However, your username/password must be the same as those used to mount the network drive.
Install libpam-mount:
sudo apt-get install libpam-mount
Edit /etc/security/pam_mount.conf.xml as follows:
- Uncomment luserconf.
- Add the necessary allow options to the <mntoptions> tag.
<!-- pam_mount parameters: General tunables -->
<luserconf name=".pam_mount.conf.xml" />
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,dmask,username,domain,iocharset,dir_mode" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="0" term="0" kill="0" />
Create the user file ~/.pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<volume options="nosuid,nodev,dir_mode=0700,iocharset=utf8" user="*" mountpoint="/media/mediashare" path="sharename" server="servername" fstype="cifs" />
</pam_mount>
Network setup via command line
sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0
sudo route add default gw 192.168.1.129
sudo vi /etc/resolv.conf
# nameserver 192.168.1.129
# search domainname
sudo dhclient eth0
Transparent SOCKS proxy via tuntap device (badvpn-tun2socks)
See tun2socks.
Tools
GoAccess
GoAccess is an open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
Questions
- Difference between ifconfig(8), route(8) and ip(8)?
From [10]: And remember: every time you use ifconfig(8), Cthulhu eats a kitten. Please, think of the kittens
This HOW-TO says that route and ip(8) are not compatible.
Why does the iproute2 documentation say that Linux kernels 2.2 and up include a completely redesigned network system, that the legacy tools arp, ifconfig and route are obsolete and show some unexpected behaviours, and that some features are only available with iproute2 ([11])?
43. LVS: Newer networking tools: Policy Routing gives more examples of ifconfig (wrongly) hiding the complexity of an interface having multiple IP addresses.